Hi Fabrice,

That makes sense - I have been playing around with it all and did
notice that option in "daemons" box.

Thank you

Tony

On Wed, 20 Feb 2019 at 12:22, Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
> In fact, it's not adding RADIUS as an additional daemon on the mgmt interface (it's
> implicit) but having another network interface where you will enable RADIUS, and
> this interface will talk to the Ruckus controller.
>
> Regards
>
> Fabrice
>
>
> On 19-02-19 at 04:57, Murilo Calegari via PacketFence-users wrote:
>
> Hi,
>
> Have you tried adding RADIUS as an additional daemon listening on the 
> management interface?
>
> Regards,
>
> Murilo
>
>
> On Tue, 19 Feb 2019 at 04:11, Tony W via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>>
>> Hi Fabrice,
>>
>> Thank you for your help so far.
>>
>> My interface naming is all good, however, I am still having a small
>> issue understanding correctly.
>>
>> You indicate that I should make the management interface the one with
>> Internet access.
>> The management interface is also used to talk to my Ruckus controller.
>>
>> According to the documentation, I can only have 1 management interface.
>>
>> Example of what I am trying to do:
>>
>> Ruckus 802.1x Auth     eth0   <--> PF eth1 - No Internet access
>> Registration (VLAN 10) eth0.10 --> PF eth1 - No Internet access
>> User inline (VLAN 11)   eth0.11 --> PF eth1 - Internet Access
>> User inline (VLAN12)    eth0.12 --> PF eth1 - Internet Access
>> User inline (VLAN13)    eth0.13 --> PF eth1 - Internet Access
>> ---
>> eth1 = - Management - Public IP address
>>
>> The Ruckus controller will do the 802.1x auth and radius in PF will
>> give the correct VLAN to Ruckus on successful auth and the visitor
>> will end up in the assigned VLAN.
>>
>> I can not get my head around getting the Ruckus controller to talk to
>> the management interface when that is assigned to eth1.
>> Something is missing in my understanding. I guess I am thinking
>> traditional NAT/Firewall with 2 interfaces.
>> I prefer management VLAN to be un-tagged and on eth0, not on eth1.
>> Internet access should be on eth1.
>> I have 2 more interfaces so I could let the Ruckus (And other
>> equipment) use one of those (eth2 and eth3)
>>
>> Sorry to be asking this again....
>>
>> Tony
>>
>>
>> On Tue, 19 Feb 2019 at 01:20, Fabrice Durand via PacketFence-users
>> <packetfence-users@lists.sourceforge.net> wrote:
>> >
>> > Hello Tony,
>> >
>> > On 19-02-17 at 23:22, Tony W via PacketFence-users wrote:
>> > > Hi Fabrice,
>> > >
>> > > Thank you for that.
>> > >
>> > > So for PF, set 1 external interface (WAN) with Internet access (Inline)
>> > No, a management one with internet access
>> > > Then set at least 1 internal interface (LAN) with VLAN's, say 10 for SSID,
>> > > 11, 12, 13, 14....for the users to be allocated to once authenticated.
>> > 11,12,13,14 as inline
>> > >
>> > > I do not need (Or want) Internet access on VLAN 10, only DHCP for the
>> > > client devices.
>> > So 10 is a registration interface.
>> > > When the client device successfully authenticates, the client traffic
>> > > will go to the
>> > > selected/allocated VLAN (11, 12, 13 or ....) and be given new IP
>> > > addresses by DHCP.
>> > It's what an inline interface does.
>> > > It is no big deal regarding people being on the initial VLAN 10 as not
>> > > many will be there at any one time.
>> > The registration interface on the VLAN 10 will have a short lease time, by
>> > default we set it to 30s.
>> > >
>> > > Just a quick question specific to CentOS 7.6 and PF.
>> > >
>> > > CentOS 7.x issues interface names like em1, em2, p2p1, p2p2 etc.,
>> > > instead of the old style eth0, eth1...
>> > >
>> > > Will PF still work OK, if I change this to the old style (See link below)?
>> > >
>> > > https://sites.google.com/site/syscookbook/rhel/rhel-network-interface-rename-rhel7
>> > Yes it will work.
>> > >
>> > > I feel more comfortable using the old interface naming convention and
>> > > the above procedure works well:-)
>> > >
>> > Regards
>> >
>> > Fabrice
>> >
>> >
>> > >
>> > > On Mon, 18 Feb 2019 at 12:09, Durand fabrice via PacketFence-users
>> > > <packetfence-users@lists.sourceforge.net> wrote:
>> > >> Hello Tony,
>> > >>
>> > >> you can set the vlan as inline in PacketFence.
>> > >>
>> > >> What I would do in this case is the following:
>> > >>
>> > >> - Create on PF all the VLANs as inline interfaces, for example eth1.10,
>> > >> eth1.11, eth1.12 .... (the VLANs you return when authenticated)
>> > >>
>> > >> - Set these VLAN IDs in the switch config (PacketFence side).
>> > >>
>> > >> That's it.
>> > >>
>> > >> The only issue you will have is when you unreg a device then it will
>> > >> stay on the inline vlan but hit the portal on the inline interface.
>> > >>
>> > >> If the device reconnects then it will go on the reg VLAN.
>> > >>
>> > >> Regards
>> > >>
>> > >> Fabrice
>> > >>
>> > >>
>> > >>
>> > >> On 19-02-17 at 19:35, Tony W via PacketFence-users wrote:
>> > >>> Hi there,
>> > >>>
>> > >>> Trying to work out how to get PF to work as NAT/Firewall to the
>> > >>> internet whilst doing Radius and VLAN enforcement.
>> > >>>
>> > >>> Is this possible? Reading the documentation, it appears that the
>> > >>> current version will work in hybrid mode
>> > >>> (A combination of both) but seems to be for "flat" networks on
>> > >>> switches that can not be managed.
>> > >>>
>> > >>> I run a wireless network controller, where visitors connect to an SSID
>> > >>> (Assigned to a specific VLAN). This VLAN has no
>> > >>> Internet access.
>> > >>> Authentication is 802.1x. Once authenticated, visitor is directed to
>> > >>> one of a number of predetermined VLAN's by PF.
>> > >>> Each of the VLAN's shall have Internet access through the same PF box.
>> > >>> PF tells Ruckus to put the visitor in the
>> > >>> assigned VLAN. DHCP is used on the initial connection and each of the
>> > >>> VLAN's shall have their own DHCP scope.
>> > >>>
>> > >>> I have done this before using FreeRadius with DaloRadius and a Ruckus
>> > >>> controller, configured manually on CentOS 7.3
>> > >>> with Firewall/NAT. That solution is lacking some of the nice extra
>> > >>> stuff integrated in PF.
>> > >>>
>> > >>> Whilst not expecting someone to give me the whole solution, I am
>> > >>> looking for some pointers and confirmation that
>> > >>> PF is suitable for what I want to do.
>> > >>>
>> > >>> Thanks in advance
>> > >>>
>> > >>> Tony
>> > >>>
>> > >>>
>> > >>> _______________________________________________
>> > >>> PacketFence-users mailing list
>> > >>> PacketFence-users@lists.sourceforge.net
>> > >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>> > >>
>> >
>> > --
>> > Fabrice Durand
>> > fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> > (http://packetfence.org)
>> >
>>
>

