From: Olivier B. <obi...@in...> - 2010-02-03 20:30:43
Hi David,

David Lang wrote:
> I would like to use packetfence to watch a large wireless network, however to
> do its blocking and quarantining work on the packetfence box leaves the
> wireless user connected to the rest of the wireless network (generating wasted
> traffic, etc).

Can you elaborate what you mean here?

On a lot of APs it is possible for radius to return -1 for VLAN and it usually disassociates the client. We do that in certain cases in the rlm_perl_packetfence.pl script (in addons/802.1X/).

> I am looking at using openwrt on the access points, which gives
> me the capability to implement controls there.

The usual open SSID wireless scenario is with mac-filtering through radius. Radius returns the VLAN that the wireless client should be configured to. That's called AAA Override in Cisco speak. I would think that the openWRT can be configured to do that.

The only missing piece would be to disassociate the wireless client. This is done for example upon successful registration (disconnect to re-connect and be put in production vlan this time) or for isolation. We usually implement disassociation with SNMP if supported by the vendor. If not we use telnet/ssh. Again, I'm sure there are options on the openwrt for both ways.

> Has anyone done anything that would allow a central packetfence box
> to implement iptables and/or vlan isolation on remote linux boxes?

I haven't heard of any effort in that direction.

To maximize re-use, what you could do is an SNMP module for PacketFence (like those in lib/pf/SNMP/) and host an SNMP server on the linux box (net-snmp's snmpd) which would perform your desired action. This way, all the SNMP boilerplate is already done for you.

-- 
Olivier Bilodeau
obi...@in... :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org)
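A sketch of the snmpd side of that suggestion, added here as an example (not PacketFence code and not from this thread): a net-snmp pass_persist script that exposes one writable OID, so an SNMP SET from the PacketFence box selects a fixed isolation action on the Linux AP. The OID, the QUARANTINE chain, the iptables rules and the single global on/off switch are assumptions for illustration; the value received over SNMP only indexes a table and is never handed to a shell.

```python
import subprocess
import sys

# Placeholder OID under the private enterprise tree (assumption, replace it).
ISOLATE_OID = ".1.3.6.1.4.1.99999.1.1"

# Permitted actions. The SNMP value selects an entry; it is never interpolated
# into a command string, so a SET cannot inject anything beyond these two.
ACTIONS = {
    0: ["iptables", "-D", "FORWARD", "-j", "QUARANTINE"],  # release (assumed chain)
    1: ["iptables", "-I", "FORWARD", "-j", "QUARANTINE"],  # isolate (assumed chain)
}

def run_action(code):
    """Default runner: execute the selected command without a shell."""
    subprocess.run(ACTIONS[code], check=True)

def handle(cmd, args, state, runner=run_action):
    """Answer one pass_persist request with the exact text snmpd expects."""
    if cmd == "PING":
        return "PONG\n"
    oid = args[0] if args else ""
    if cmd in ("get", "getnext"):
        # Single leaf: GET must match exactly, GETNEXT must come from an ancestor.
        hit = oid == ISOLATE_OID if cmd == "get" else ISOLATE_OID.startswith(oid + ".")
        if not hit:
            return "NONE\n"
        return "%s\ninteger\n%d\n" % (ISOLATE_OID, state.get("isolated", 0))
    if cmd == "set":
        if oid != ISOLATE_OID:
            return "not-writable\n"
        typ, _, value = args[1].partition(" ")   # snmpd sends "<type> <value>"
        if typ != "integer":
            return "wrong-type\n"
        if not value.strip().lstrip("-").isdigit() or int(value) not in ACTIONS:
            return "wrong-value\n"
        runner(int(value))
        state["isolated"] = int(value)
        return "DONE\n"
    return "NONE\n"

def main():
    """stdin/stdout loop driven by snmpd; get/getnext carry 1 extra line, set 2."""
    state, extra = {"isolated": 0}, {"get": 1, "getnext": 1, "set": 2}
    while True:
        line = sys.stdin.readline()
        if not line:
            break
        cmd = line.strip()
        args = [sys.stdin.readline().strip() for _ in range(extra.get(cmd, 0))]
        sys.stdout.write(handle(cmd, args, state))
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Hook it into snmpd.conf with `pass_persist .1.3.6.1.4.1.99999.1.1 /usr/local/bin/pf_isolate.py` (path assumed) behind a read-write view restricted to the PacketFence box's address, since anything that can SET this OID can flip the rule.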