Developers guide
Chapter 5
Copyright © 2008-2013 Inverse inc.
Configuration 21
The current format is the following:
Format: <rolename>Role=<controller_role>
You assign it to the global roles parameter or to the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
This returns the full-access role to nodes categorized as admin or engineering, and the
little-access role to nodes categorized as sales.
Caution
Make sure that the roles are properly defined on the network devices prior to assigning
roles!
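The check called for in the caution can be scripted before a mapping is deployed. The following is an added example, not code from PacketFence: it parses lines in the `<rolename>Role=<controller_role>` format, merges a global mapping with a per-switch one, and reports mappings whose target role is missing from the device. The function names, the per-switch override value, the device role list, and the rule that a per-switch entry takes precedence over the global one are assumptions made for illustration.

```python
import re

# Matches the "<rolename>Role=<controller_role>" format described above.
ROLE_LINE = re.compile(r"^\s*(?P<name>\w+?)Role\s*=\s*(?P<target>\S+)\s*$")

def parse_role_map(text):
    """Return {rolename: controller_role} from lines such as 'adminRole=full-access'."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue  # ignore blank lines
        m = ROLE_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not <rolename>Role=<controller_role>: {line!r}")
        mapping[m.group("name")] = m.group("target")
    return mapping

def effective_roles(global_map, switch_map):
    """Assumption: a per-switch entry takes precedence over the global one."""
    merged = dict(global_map)
    merged.update(switch_map)
    return merged

def undefined_roles(mapping, device_roles):
    """Return the entries whose controller role is not defined on the device."""
    return {name: target for name, target in mapping.items() if target not in device_roles}

# Constructed sample input: the mapping from this section as the global one,
# plus a hypothetical per-switch override and a hypothetical device role list.
GLOBAL = """
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
"""
PER_SWITCH = "salesRole=guest-access\n"
DEVICE_ROLES = {"full-access", "little-access"}

if __name__ == "__main__":
    roles = effective_roles(parse_role_map(GLOBAL), parse_role_map(PER_SWITCH))
    for name, target in sorted(roles.items()):
        print(f"{name} -> {target}")
    for name, target in undefined_roles(roles, DEVICE_ROLES).items():
        print(f"WARNING: {name} maps to {target!r}, which is not defined on the device")
```

In practice the device role list would come from the configuration of the network device itself rather than from a hard-coded set.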
Default VLAN/role assignment
This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip
this section.
The default VLAN assignment technique used in PacketFence is a per-switch one. The correct default VLAN
for a given MAC is determined from the role that PacketFence computes for the device during the
registration process, or dynamically during an 802.1X authentication. The computed internal role is then
mapped to either a VLAN or an external role for the specific equipment the user is connected to.
This allows you to do easy per-building VLAN/role segmentation.
If you need more flexibility than what can be defined from PacketFence's authentication sources
(rules/conditions/actions), take a look at the FAQ entry Custom VLAN assignment behavior, available online.
Inline enforcement configuration
This section applies only to inline enforcement. Users planning to do VLAN enforcement only can skip
this section.
Inline enforcement is a very convenient method of performing access control on older network
hardware that is not capable of doing VLAN enforcement or that is not compatible with PacketFence. This
technique is covered in detail in the "Technical introduction to Inline enforcement" section.
An important point to keep in mind when configuring inline enforcement is that the
DNS reached by these users should be your actual production DNS server. The next section shows you how
to configure the proper inline interface, and it is there that you should refer to the proper production DNS.