Hello,

In fact, it's not about adding RADIUS as an additional daemon on the mgmt interface (it's implicit), but about having another network interface where you will enable RADIUS, and this interface will talk to the Ruckus controller.

Regards

Fabrice


On 19-02-19 at 04:57, Murilo Calegari via PacketFence-users wrote:
Hi,

Have you tried adding RADIUS as an additional daemon listening on the management interface?

Regards,

Murilo


On Tue, 19 Feb 2019 04:11, Tony W via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

    Hi Fabrice,

    Thank you for your help so far.

    My interface naming is all good, however, I am still having a small
    issue understanding correctly.

    You indicate that I should make the management interface the one with
    Internet access.
    The management interface is also used to talk to my Ruckus controller.

    According to the documentation, I can only have 1 management
    interface.

    Example of what I am trying to do:

    Ruckus 802.1x Auth     eth0   <--> PF eth1 - No Internet access
    Registration (VLAN 10) eth0.10 --> PF eth1 - No Internet access
    User inline (VLAN 11)   eth0.11 --> PF eth1 - Internet Access
    User inline (VLAN12)    eth0.12 --> PF eth1 - Internet Access
    User inline (VLAN13)    eth0.13 --> PF eth1 - Internet Access
    ---
    eth1 = - Management - Public IP address

    The Ruckus controller will do the 802.1x auth and radius in PF will
    give the correct VLAN to Ruckus on successful auth and the visitor
    will end up in the assigned VLAN.

    I can not get my head around getting the Ruckus controller to talk to
    the management interface when that is assigned to eth1.
    Something is missing in my understanding. I guess I am thinking
    traditional NAT/Firewall with 2 interfaces.
    I prefer management VLAN to be un-tagged and on eth0, not on eth1.
    Internet access should be on eth1.
    I have 2 more interfaces so I could let the Ruckus (And other
    equipment) use one of those (eth2 and eth3)

    Sorry to be asking this again....

    Tony


    On Tue, 19 Feb 2019 at 01:20, Fabrice Durand via PacketFence-users
    <packetfence-users@lists.sourceforge.net> wrote:
    >
    > Hello Tony,
    >
    > On 19-02-17 at 23:22, Tony W via PacketFence-users wrote:
    > > Hi Fabrice,
    > >
    > > Thank you for that.
    > >
    > > So for PF, set 1 external interface (WAN) with Internet access (Inline)
    > No, a management one with internet access.
    > > Then set at least 1 internal interface (LAN) with VLAN's, say 10 for SSID,
    > > 11, 12, 13, 14....for the users to be allocated to once authenticated.
    > 11, 12, 13, 14 as inline.
    > >
    > > I do not need (Or want) Internet access on VLAN 10, only DHCP for the
    > > client devices.
    > So 10 is a registration interface.
    > > When the client device successfully authenticates, the client traffic
    > > will go to the
    > > selected/allocated VLAN (11, 12, 13 or ....) and be given new IP
    > > addresses by DHCP.
    > It's what an inline interface does.
    > > It is no big deal regarding people being on the initial VLAN 10 as not
    > > many will be there at any one time.
    > The registration interface on the VLAN 10 will have a short lease time; by
    > default we set it to 30s.
    > >
    > > Just a quick question specific to CentOS 7.6 and PF.
    > >
    > > CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
    > > instead of the old style eth0, eth1...
    > >
    > > Will PF still work OK, if I change this to the old style (See link below)?
    > >
    > > https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7
    > Yes it will work.
    > >
    > > I feel more comfortable using the old interface naming convention and
    > > the above procedure works well:-)
    > >
    > >
    > Regards
    >
    > Fabrice
    >
    >
    > >
    > >
    > >
    > >
    > >
    > > On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users
    > > <packetfence-users@lists.sourceforge.net> wrote:
    > >> Hello Tony,
    > >>
    > >> You can set the VLAN as inline in PacketFence.
    > >>
    > >> What I would do in this case is the following:
    > >>
    > >> - Create on PF all the VLANs as inline interfaces, for example eth1.10,
    > >> eth1.11, eth1.12 .... (the VLANs you return when authenticated)
    > >>
    > >> - Set these VLAN IDs in the switch config (PacketFence side).
    > >>
    > >> That's it.
    > >>
    > >> The only issue you will have is that when you unreg a device, it will
    > >> stay on the inline VLAN but hit the portal on the inline interface.
    > >>
    > >> If the device reconnects then it will go on the reg VLAN.
    > >>
    > >> Regards
    > >>
    > >> Fabrice
    > >>
    > >>
    > >>
    > >> On 19-02-17 at 19:35, Tony W via PacketFence-users wrote:
    > >>> Hi there,
    > >>>
    > >>> Trying to work out how to get PF to work as NAT/Firewall to the
    > >>> internet whilst doing Radius and VLAN enforcement.
    > >>>
    > >>> Is this possible? Reading the documentation, it appears that the
    > >>> current version will work in hybrid mode
    > >>> (A combination of both) but seems to be for "flat" networks on
    > >>> switches that can not be managed.
    > >>>
    > >>> I run a wireless network controller, where visitors connect to an SSID
    > >>> (Assigned to a specific VLAN). This VLAN has no
    > >>> Internet access.
    > >>> Authentication is 802.1x. Once authenticated, visitor is directed to
    > >>> one of a number of predetermined VLAN's by PF.
    > >>> Each of the VLAN's shall have Internet access through the same PF box.
    > >>> PF tells Ruckus to put the visitor in the
    > >>> assigned VLAN. DHCP is used on the initial connection and each of the
    > >>> VLAN's shall have their own DHCP scope.
    > >>>
    > >>> I have done this before using FreeRadius with DaloRadius and a Ruckus
    > >>> controller, configured manually on CentOS 7.3
    > >>> with Firewall/NAT. That solution is lacking some of the nice extra
    > >>> stuff integrated in PF.
    > >>>
    > >>> Whilst not expecting someone to give me the whole solution, I am
    > >>> looking for some pointers and confirmation that
    > >>> PF is suitable for what I want to do.
    > >>>
    > >>> Thanks in advance
    > >>>
    > >>> Tony
    > >>>
    > >>>
    > >>> _______________________________________________
    > >>> PacketFence-users mailing list
    > >>> PacketFence-users@lists.sourceforge.net
    > >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
    >
    > --
    > Fabrice Durand
    > fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
    > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)