From: David L. <dav...@di...> - 2010-02-03 20:56:27

On Wed, 3 Feb 2010, Olivier Bilodeau wrote:

> Hi David,
>
> David Lang wrote:
>> I would like to use packetfence to watch a large wireless network, however to
>> do its blocking and quarantining work on the packetfence box leaves the
>> wireless user connected to the rest of the wireless network (generating wasted
>> traffic, etc).
>
> Can you elaborate what you mean here?

I am going to be providing wireless at a large (1000+ person) open source
conference in a few weeks. In the past they have just put up access points
and used QOS to limit the impact that wireless users could have on other
users. Needless to say this has not produced great wireless access.

I had the thought that it may make sense to use packetfence in this
situation (even though I am not using a lot of the stuff that packetfence is
designed for). There's no restriction on who can access the network, but it
would let me put up a 'welcome to the network' page, and the snort/worm
detection and isolation capability could be useful in limiting the damage
that is done by one user.

I know that packetfence can be configured to use iptables to block the
access for a particular user, but if I do this at the packetfence box the
problem machine still has access to the rest of the wireless users. If there
is a way for the packetfence box to send a command out to the APs at the
edge of the network telling them to block/disconnect/redirect/etc the
problem systems it would save more of the network.

> On a lot of APs it is possible for radius to return -1 for VLAN and it
> usually disassociates the client. We do that in certain cases in the
> rlm_perl_packetfence.pl script (in addons/802.1X/).
>
>> I am looking at using openwrt on the access points, which gives
>> me the capability to implement controls there.
>
> The usual open SSID wireless scenario is with mac-filtering through
> radius. Radius returns the VLAN that the wireless client should be
> configured to. That's called AAA Override in Cisco speak. I would think
> that the openWRT can be configured to do that.
>
> The only missing piece would be to disassociate the wireless client.
> This is done for example upon successful registration (disconnect to
> re-connect and be put in production vlan this time) or for isolation.
>
> We usually implement disassociate with SNMP if supported by the vendor.
> If not we use telnet/ssh. Again, I'm sure there are options on the
> openwrt for both ways.

The access points I am using do not support this sort of functionality with
the manufacturer's firmware; if I can run openwrt on them something could be
done.

>> Has anyone done anything that would allow a central packetfence box
>> to implement iptables and/or vlan isolation on remote linux boxes?
>
> I haven't heard of any effort in that direction. To maximize re-use,
> what you could do is an SNMP module for PacketFence (like those in
> lib/pf/SNMP/) and host an SNMP server on the linux box (net-snmp's
> snmpd) which would perform your desired action.
>
> This way, all the SNMP boilerplate is already done for you.

I am not thrilled with the thought of trying to use SNMP for this sort of
thing on a hostile network.

David Lang