Hi,

Officially, this is not supported, even using 802.1X. In multiple-host mode, the first authenticated supplicant will define the untagged VLAN for the others. Even if you can have multiple devices authorized using 802.1X, you would still have only one untagged VLAN per port, and all the users will end on that VLAN. That breaks completely the captive portal feature and any potential threat isolation. Furthermore, keep in mind that 802.1X may have a limitation on how many supplicants you can have on one port.
Same deal using port-security, all the devices will need to be on the same untagged VLAN, and you won't be able to use any kind of captive portal to register the users since it is hosted on a different VLAN.

Bottom line, multiple devices per port *could* work with PF, but we do not advise to do so.

> Hi Everyone
> I would like to know if this mail has an answer
> Regards
>
> 2010/11/10 Hsin-mu Tsai <[email protected]>
>
>> Hi,
>>
>> We are currently evaluating whether it is possible to use packetfence
>> in our environment. I have done some research on the maillist but
>> couldn't find an exact answer.
>>
>> Here is a short version of my question: does packetfence support the
>> use case of having multiple devices (MAC addresses) under one switch
>> port (in vlan mode)?
>>
>> Let me now explain a little bit more about our environment. Our core
>> switch and access switches are mostly cisco (3750 and 2960) ones,
>> which are supported by packetfence according to the documentation.
>> However, the problem is that when the network cables are deployed
>> throughout our building, each laboratory in our department only gets 3
>> cables (and, hence, 3 ports on the access switch). This is obviously
>> not enough for the lab as they usually have 10-20 devices, and have
>> their own unmanaged small switches. An obvious solution would be to
>> renew the cable infrastructure and add more access switches, but we
>> currently don't have the budget to do so. Hence, the multiple MAC
>> addresses under one switch port problem.
>>
>> We want to implement a basic registration mechanism, so that all
>> devices on our network are associated with a user in our department
>> and if new devices without registration are plugged in they will be
>> blocked. The registration process doesn't have to be done on the new
>> device since we can ask the user to register new ones using an already
>> registered computer or submit the request to the network administrator
>> via e-mail. Can packetfence simply add registered devices to the
>> secure MAC address list and increase the maximum allowed MAC on the
>> switch? (and therefore, the switch will block any unregistered new
>> devices) As for isolation, since all devices on the same switch port
>> belong to the same lab, it is okay to put all of them to the isolation
>> vlan if there's a violation from any of those devices.
>>
>> We understand that the feature we are interested in might need some
>> modifications to the current version of packetfence. If that is the
>> case, where do we start?
>>
>> Since we are obviously very new to packetfence, we would appreciate
>> any advice to our particular use case. Looking forward to hearing from
>> you guys. Many thanks.
>>
>> Best wishes,
>> -Michael
>>
>> --
>> Hsin-Mu (Michael) Tsai
>> Assistant Professor
>> Department of Computer Science and Information Engineering/
>> Graduate Institute of Networking and Multimedia
>> National Taiwan University
>> E-Mail: [email protected]
>> Office: +886-2-33663366 ext 50029 or +886-2-33664888 ext 316
>> _______________________________________________
>> Packetfence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
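
A defender-side audit for the constraint discussed in this thread, as an added example that is not part of the original messages or of PacketFence: it parses `show mac address-table` output from a Cisco access switch and lists the access ports where more than one MAC address was learned, which are the ports affected by the one-untagged-VLAN-per-port limit. The sample output, MAC addresses, port names and the uplink list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac address-table` output (not from the thread;
# MAC addresses, VLANs and port names are made up for illustration).
SAMPLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    0011.2233.4403    DYNAMIC     Gi1/0/2
  10    0011.2233.4404    STATIC      Gi1/0/2
  20    0011.2233.4405    DYNAMIC     Gi1/0/3
  10    0011.2233.4406    DYNAMIC     Gi1/0/24
  20    0011.2233.4407    DYNAMIC     Gi1/0/24
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 8
"""

# One table row: numeric VLAN, dotted-hex MAC, entry type, port name.
ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

def macs_per_port(output, uplinks=()):
    """Return {port: set of (vlan, mac)}, skipping uplinks and the CPU port."""
    ports = defaultdict(set)
    for line in output.splitlines():
        m = ROW.match(line)
        if not m or m["port"] in uplinks or m["port"].upper() == "CPU":
            continue  # header, separator, summary line, trunk or system entry
        ports[m["port"]].add((int(m["vlan"]), m["mac"].lower()))
    return ports

def multi_device_ports(output, uplinks=()):
    """Ports with more than one learned MAC, i.e. a hub, unmanaged switch or
    similar sits behind the port instead of a single end host."""
    return {port: sorted(entries)
            for port, entries in macs_per_port(output, uplinks).items()
            if len({mac for _, mac in entries}) > 1}

if __name__ == "__main__":
    # Gi1/0/24 is assumed to be the trunk uplink and is excluded.
    for port, entries in sorted(multi_device_ports(SAMPLE_OUTPUT, {"Gi1/0/24"}).items()):
        print(port, len(entries), "MACs:", ", ".join(mac for _, mac in entries))
```

Ports reported here are the ones where every device behind the port shares whatever untagged VLAN the port is placed in.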
