Hello Fathi,
my answer below.
On 2015-12-04 06:14, FATHI BEN NASR wrote:
> Hello,
> I am planning a PacketFence deployment on our corporate network,
> consisting of various L2 and L3 models of switches from different
> vendors, for nearly 2k active IPs. Our network is split into VLANs.
> Nearly every floor of every building has one or more VLANs for offices
> spread all around the country. We own the biggest fiber optic operated
> network in Tunisia and lease some of it to telco operators but
> still rely on them for connecting many "isolated" railway stations to
> our corporate network via MPLS and other "techniques". This is for the
> introduction.
> The test PF server is located in the datacenter and I am configuring a
> Cisco Catalyst 2960 updated to the latest firmware with port security
> to use PF as its NAC. This C2960 is located on one of the floors in a
> separate VLAN from the PF server and has to "cross" three L3
> production switches and a firewall to get to the server room.
> I am planning a deployment in "*VLAN enforcement*" mode.
> My questions are:
> I have to declare at least three VLANs on the PF server, registration,
> isolation and management, to get to the next step in the web
> configurator. Do I have to declare these VLANs also on the C2960 test
> switch?
Not the same VLAN as the local VLAN you will configure on the
PacketFence side.
Let's say the local reg VLAN is 10 (PacketFence eth1.10 interface IP
10.10.0.1/24) and the remote reg VLAN is 20 (Cisco interface vlan
20: 10.20.0.1 255.255.0.0, ip-helper address 10.10.0.1).
And on the PacketFence side you will configure a remote network
(Configuration -> Network): network 10.20.0.0, mask 255.255.0.0, DNS
10.10.0.1, remote gateway 10.20.0.1, gateway 10.10.0.2 (interface vlan 10
of your Cisco switch), start address 10.20.0.10, end 10.20.255.254.
And in the switch configuration (PacketFence side) you will set the
registration role to VLAN 20.
So when you plug a laptop into the switch port (port-sec or MAC auth),
PacketFence will put the device in VLAN 20.
Because you define PacketFence as the ip-helper address in this VLAN,
you will receive an IP address from the PacketFence server.
> How could endpoints placed in isolation or remediation VLANs on a remote
> switch, which the C2960 test one is, connect to the WSUS or
> antivirus server for remediation, or to the FTP server for downloading?
A network interface of the WSUS/antivirus server in the isolation VLAN.
> Do I have to declare the remediation VLAN also on the PF server?
You mean isolation?
Also have a look at dACL and web auth if you use a Cisco switch; it
could be a good alternative to VLAN enforcement.
Regards
Fabrice
> TIA
> Fathi Ben Nasr
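An added example (my own code, not from the thread or PacketFence) that checks the addressing plan Fabrice describes for internal consistency: the DHCP server picks the pool from giaddr, the relay's SVI address, so the "remote gateway" must be the VLAN 20 SVI and the ip-helper must point at the PF reg interface. The addresses are the ones from his reply; the function names and the dict layout for the remote network are assumptions.

```python
"""Sanity-check the remote registration VLAN design from the thread.

Constructed example: local reg VLAN 10 on the PacketFence box (eth1.10),
remote reg VLAN 20 on the Cisco, DHCP relayed via ip-helper.
"""
from ipaddress import ip_address, ip_network, ip_interface

# PacketFence interface on its local registration VLAN (eth1.10)
PF_LOCAL_IF = ip_interface("10.10.0.1/24")
# Cisco SVI on the remote registration VLAN 20; ip-helper points at PF
CISCO_VLAN20_SVI = ip_interface("10.20.0.1/16")
CISCO_IP_HELPER = ip_address("10.10.0.1")
# PacketFence "remote network" entry (Configuration -> Network); layout assumed
REMOTE_NET = {
    "network": ip_network("10.20.0.0/16"),
    "dns": ip_address("10.10.0.1"),
    "remote_gateway": ip_address("10.20.0.1"),  # giaddr PF will see in relayed DHCP
    "gateway": ip_address("10.10.0.2"),         # Cisco SVI on VLAN 10, PF's next hop
    "dhcp_start": ip_address("10.20.0.10"),
    "dhcp_end": ip_address("10.20.255.254"),
}

def scope_for_relayed_request(giaddr, remote_nets):
    """A DHCP server selects the pool from giaddr (the relay's interface
    address). Return the remote network containing it, or None."""
    for net in remote_nets:
        if giaddr in net["network"]:
            return net
    return None

def check_design(pf_local_if, svi, helper, remote):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if helper != pf_local_if.ip:
        problems.append("ip-helper must point at the PacketFence reg address")
    if svi.network != remote["network"]:
        problems.append("remote network must equal the switch SVI subnet")
    if remote["remote_gateway"] != svi.ip:
        problems.append("remote gateway must be the SVI address (giaddr)")
    if remote["gateway"] not in pf_local_if.network:
        problems.append("gateway must sit on PF's local reg VLAN")
    if scope_for_relayed_request(svi.ip, [remote]) is None:
        problems.append("relayed requests would match no DHCP scope")
    start, end = remote["dhcp_start"], remote["dhcp_end"]
    if start > end or start not in remote["network"] or end not in remote["network"]:
        problems.append("DHCP range must lie inside the remote network")
    if start <= svi.ip <= end:
        problems.append("DHCP range must not include the SVI address")
    return problems

if __name__ == "__main__":
    print(check_design(PF_LOCAL_IF, CISCO_VLAN20_SVI, CISCO_IP_HELPER, REMOTE_NET))
```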
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users