From: Olivier B. <obi...@in...> - 2012-02-13 14:59:36
On 07/02/12 10:45 AM, Sallee, Stephen (Jake) wrote:
> OK! So! Due to our Cisco hardware not being capable of dynamic vlan assignment while in HREAP mode we will most likely not be able to use the vlan assignment feature in PF. Cisco has stated that the ability may be available in the future but not now.
>

FYI I just documented the limitation in our pf::SNMP::Cisco::Aironet and pf::SNMP::Cisco::WiSM (same as WLC) modules. Thanks for letting us know.

> To that end we have devised a workaround that involves statically assigning the vlan based on the SSID. We need to disable the vlan assignment feature in PF and we would also like to change the violation feature's behavior from placing the user into an isolation vlan (which is now impossible ... thanks to Cisco) to simply denying them access completely.
>
> If anyone has done something like this please share your experiences.

As Francois said off-list (pasting it here for future reference):

> I might have an idea. We did that at another client's facilities. In fact, two options:
> - Modify vlan/custom.pm to return nothing if the request comes from a particular AP ($node_info->{'last_switch'} eq 'someip')
> - Modify radius/custom.pm to bump the tunnel attributes if we receive say VLAN id 9999. In switches.conf, we would set vlan 9999 for the AP.
>
> It might do what you want if I assume that you won't do registration or isolation on that particular AP.

Regards,

--
Olivier Bilodeau
obi...@in... :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
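The second option Francois describes (a sentinel VLAN in switches.conf that radius/custom.pm turns into a reply with no tunnel attributes), sketched as an added example that is not code from this thread or from PacketFence itself. It assumes a pf::radius::custom subclass whose authorize method receives the parent's reply as a list of (module code, attribute => value pairs); the sentinel value 9999 is taken from the message, everything else is a constructed assumption.

```perl
# Hypothetical pf::radius::custom override. Assumption: pf::radius->authorize
# returns (RLM code, 'Attr' => value, ...) with the VLAN in Tunnel-Private-Group-ID.
package pf::radius::custom;
use strict;
use warnings;
use base ('pf::radius');

# VLAN configured for the HREAP access point in switches.conf. The controller
# cannot honour a dynamic VLAN, so this value only marks "do not assign one".
our $NO_VLAN_SENTINEL = 9999;

# Drop the three tunnel attributes when the VLAN equals the sentinel, so the
# controller keeps the SSID's statically mapped VLAN. Any other reply
# (including an Access-Reject for a violation) is returned unchanged.
sub strip_sentinel_vlan {
    my ($code, %attrs) = @_;
    my $vlan = $attrs{'Tunnel-Private-Group-ID'};
    if (defined $vlan && $vlan eq $NO_VLAN_SENTINEL) {
        delete @attrs{qw(Tunnel-Private-Group-ID Tunnel-Type Tunnel-Medium-Type)};
    }
    return ($code, %attrs);
}

sub authorize {
    my ($this, $radius_request) = @_;
    my @reply = $this->SUPER::authorize($radius_request);
    return strip_sentinel_vlan(@reply);
}

1;
```

Because denying access is a separate outcome (an Access-Reject carries no tunnel attributes), this filter leaves violation handling to the normal reject path and only neutralises the VLAN on the AP that cannot use it.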