We use one (clustered pair) and really like it. Essentially it's a captive portal that does authentication. Think authenticated DHCP.

You have a new customer. They connect their router and get a private IP. That IP is forced to the Patriot system via policy routing. In our case, we shove a couple private IP subnets into an MPLS VRF for transport then pop them out and handle that last connection with a policy forcing a next hop to the Patriot. Replies don't traverse the VRF nor do they need to.

The customer enters a username/password. The authentication can be done locally within the Patriot system or externally via RADIUS. We use RADIUS. Once successfully authenticated, the customer reboots their device, pulls the cable and plugs it back in, or waits a few minutes for the unauthenticated lease to expire. At that point, they get online with their public IP.

We use a web API to pre-auth customers who use a router we provide. Since we know the MAC, username and password, we can pre-authenticate the device so the customer never sees the login screen. This is also helpful for customers with devices that don't have a web interface for some reason.

You can suspend a customer and they will go back to a private IP. In the captive portal, you can relay a message that was entered when they were suspended. The nice thing here is you don't have to disable a customer interface or something. Most customers will try a browser so they'll see the portal login with whatever suspend message. It seems to help keep them from factory resetting things and playing with cables.

Static IP pools are useful as well. The customer is authenticated and gets the same IP every time. There are a couple of ways to do this but RADIUS and a static pool work best for us.

To prevent users from assigning static IPs, we turn MAC forced forwarding and IP Source Verify on in our Calix systems. Not every system has the capability but we use it where we can and monitor ARP tables for the rest. You can easily use the Patriot API to dump all authenticated customers and insert them into a database. You can do the same with your router ARP tables then compare.

The user interface isn't fancy but works really well. It's nice to be able to search history for a customer including raw DHCP logs. You can also see and search on Option 82 information. The portal splash page is customizable as well.

Their customer service and support is top notch.

Last, I have no affiliation with these guys. Just a happy customer.

__________________________________
Charles Boening
Network Manager
800-858-2399 | Office
charl...@calore.net
www.cot.net | Find us on Facebook: https://www.facebook.com/pages/Cal-Ore/205066716227707
__________________________________
Cal-Ore | Local. Trusted. Professional.

From: AF <af-boun...@af.afmug.com> On Behalf Of Chuck McCown via AF
Sent: Saturday, February 20, 2021 10:48 AM
To: af@af.afmug.com
Cc: Chuck McCown <ch...@go-mtc.com>
Subject: [AFMUG] DHCPatriot

A company I am partnered with uses DHCPatriot to serve all of its customers. I have never understood what is magic about this compared to free DHCP. Does anyone here use it?

-- AF mailing list AF@af.afmug.com http://af.afmug.com/mailman/listinfo/af_af.afmug.com
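
The lease-versus-ARP comparison described in the message above, as an added example that is not part of the original email and is not DHCPatriot code. The CSV lease export, the Linux `ip neigh`-style ARP dump, the customer subnet and every address in it are constructed assumptions.

```python
import csv, io, ipaddress, re

# Constructed sample: authenticated leases exported to CSV (column layout is assumed).
LEASES_CSV = """ip,mac,username
203.0.113.10,00:11:22:33:44:55,alice
203.0.113.11,66-77-88-99-AA-BB,bob
203.0.113.12,0011.2233.4466,carol
"""
# Constructed sample: router ARP/neighbor table in Linux `ip neigh` format.
ARP_TABLE = """203.0.113.10 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
203.0.113.11 dev eth1 lladdr de:ad:be:ef:00:01 STALE
203.0.113.12 dev eth1 lladdr 00:11:22:33:44:66 REACHABLE
203.0.113.50 dev eth1 lladdr 02:00:00:00:00:99 REACHABLE
203.0.113.60 dev eth1  FAILED
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
"""
CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed public pool

def normalize_mac(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def load_leases(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["ip"]: (normalize_mac(r["mac"]), r["username"]) for r in rows}

def load_arp(text, net=CUSTOMER_NET):
    arp = {}
    for line in text.splitlines():
        f = line.split()
        # Skip FAILED/INCOMPLETE entries (no lladdr) and non-customer subnets.
        if "lladdr" in f and ipaddress.ip_address(f[0]) in net:
            arp[f[0]] = normalize_mac(f[f.index("lladdr") + 1])
    return arp

def find_discrepancies(leases, arp):
    """Return (ip, mac, reason) for ARP entries with no matching lease."""
    findings = []
    for ip, mac in sorted(arp.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ip not in leases:
            findings.append((ip, mac, "no authenticated lease"))
        elif leases[ip][0] != mac:
            findings.append((ip, mac, f"MAC differs from lease for {leases[ip][1]}"))
    return findings

if __name__ == "__main__":
    for finding in find_discrepancies(load_leases(LEASES_CSV), load_arp(ARP_TABLE)):
        print(*finding, sep="  ")
```
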