Hi, I am new to PacketFence and would like to deploy it in a somewhat complicated network to control students' access to the internet. NAC is a bit new to me, but I do have a good working knowledge of hardware, networking and server/client infrastructure, as well as Windows and Linux (mostly Debian).
I do not want to bore you with too many details, but if you ask, I will answer. In detail. This is not my network; I have been tasked to do work on it.

The switches in the network are manageable HP ProCurve switches (different models). There are already a few VLANs in use:
- VLAN 20: WAN/LAN2: do not need to touch it, do not need to think about it
- VLAN 30: WAN/LAN3: management of PF will be done from here
- VLAN 10: WAN/LAN1: this is where I want to manage network access

First, I plan to create a management network (mgmt-LAN, VLAN 1) and put my switches on there, as well as the management interfaces of other stuff like the firewalls, iLO, hypervisor management, ... It shall be accessible from LAN3 but not LAN2 and not LAN1. This is no problem.

There is no wifi yet, but it is planned (via Ubiquiti UniFi controller + AP). I do not intend to use inline deployment.

I intend to install PacketFence via apt-get on Debian Jessie x64 (Xen virtualized). I have much more experience with Debian than with CentOS, but if there is a good reason, CentOS will be a possibility...

PacketFence will have two ethernet ports: eth0 to mgmt-LAN/VLAN 1 untagged, eth1 with tagged VLANs to portal (LAN1?), registration and isolation (which do not exist yet).

Next, there are parts of the network I must isolate from PacketFence (VLAN 20, VLAN 30). I would set the HP switches to not secure those ports and not send traps. So far so good.

Now, I would need a place to create and store the actual users. I think LDAP is what I should use.

QUESTION 1: Is there an inbuilt capability of PacketFence for user management, preferably in LDAP?

Now, I need to set up FreeRADIUS to use my LDAP users. Next, I would like to implement 802.1X for LAN1/VLAN 10 via PacketFence/the inbuilt FreeRADIUS. Right?
Next, I would like to implement some kind of "self-service" portal where devices not 802.1X authenticated would either get a website with information to contact person x, or have the ability to self-register (preferably also using RADIUS to verify).

The point of this should be:
- the firewall is used to block undesirable traffic
- PacketFence is used to have each student registered and have every student have his/her own credentials
- each unique credential is used to gain access to the network, therefore "logging" what port/MAC/IP the user is currently using
- when access needs to be revoked, PacketFence will be used
- devices incapable of 802.1X can be "unlocked" manually or even with a self-service portal (still authenticating against the user list)
- a management user with less access than full admin should be created, which can view some stuff, create/delete/modify users and (un)lock ports/MAC addresses. The person doing this will not be working in IT; it's probably more HR or administrative personnel
--> if we get a report of illegal activity on our network, we have the ability to identify which user is responsible. (Logs should go back 6-12 months.)

I have a list of which port of which switch goes where, which is usually personally identifiable (a person is living in this room).

What I don't need:
- see what websites are being visited
- see what kind of traffic is sent/received, from/to, ports, content. I don't care.

QUESTION 2: Any critical error that forces me to abort right then and there? Any problem which might make what I need/want to do not work as expected/required?

Wifi: When we get wifi, it should use WPA2-Enterprise and use PacketFence (FreeRADIUS) for auth. IF there is a reasonable way to use the UniFi wifi controller and PacketFence to allow devices incapable of 802.1X to still use the RADIUS auth backend (captive portal), I would try to implement it, but it is not required.

QUESTION 3: Any thoughts, ideas, problems, insults, encouragement?
In general, I am eager to hear what you think. I am open to any of it and we can discuss everything. Please note, I do not want to use Windows Server for user management or instead of PacketFence for RADIUS (CALs are expensive).

I have built a small testing platform (also HP ProCurve switches, same VLANs, testing server with PF installed) with which I can play around and test before implementing. It is possible to test stuff. I am currently trying to get PacketFence to talk to my switches via SNMP v3 and to figure out how to use LDAP and FreeRADIUS.

THANK YOU. I really appreciate any help and constructive comments.

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
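The audit-trail requirement in the post (per-user credentials, a record of which port/MAC/IP each user held, and the ability to answer "who was responsible" 6-12 months later) is what RADIUS accounting gives you once every session is tied to a named user. The following is an added example, not code from the post or from PacketFence: it models accounting records with the usual attribute meanings (User-Name, Calling-Station-Id, NAS-IP-Address, NAS-Port, Framed-IP-Address) and joins them with the "which port goes where" list to resolve an abuse report. All sessions, addresses, MACs, room names and field names are constructed assumptions.

```python
# Added example (not from the original post or from PacketFence): an audit-trail
# lookup over RADIUS accounting records, showing what the per-user credential
# plan above buys you. Sessions, IPs, MACs and the port-to-room map are
# constructed sample data with assumed field names.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AcctSession:
    user: str                  # User-Name that passed 802.1X / portal auth
    mac: str                   # Calling-Station-Id (client MAC)
    nas_ip: str                # switch management address (NAS-IP-Address)
    nas_port: int              # physical switch port (NAS-Port)
    framed_ip: str             # client IP (Framed-IP-Address)
    start: datetime            # Accounting-Start
    stop: Optional[datetime]   # Accounting-Stop; None while still online


def _d(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed accounting records; note the same IP handed to alice twice,
# on different days and different ports, so the timestamp decides the answer.
SESSIONS = [
    AcctSession("alice", "aa:bb:cc:00:00:01", "10.1.1.11", 3, "10.10.0.21",
                _d("2016-05-01 08:00"), _d("2016-05-01 17:30")),
    AcctSession("bob",   "aa:bb:cc:00:00:02", "10.1.1.11", 7, "10.10.0.35",
                _d("2016-05-01 09:15"), None),
    AcctSession("alice", "aa:bb:cc:00:00:01", "10.1.1.12", 1, "10.10.0.21",
                _d("2016-05-02 10:00"), _d("2016-05-02 12:00")),
    AcctSession("carol", "aa:bb:cc:00:00:03", "10.1.1.12", 5, "10.10.0.40",
                _d("2015-01-10 09:00"), _d("2015-01-10 18:00")),
]

# Constructed (switch, port) -> location map, i.e. the "which port goes where" list.
PORT_MAP = {
    ("10.1.1.11", 3): "building A, room 101",
    ("10.1.1.11", 7): "building A, room 105",
    ("10.1.1.12", 1): "building B, room 204",
    ("10.1.1.12", 5): "building B, room 210",
}


def active_at(s: AcctSession, at: datetime) -> bool:
    """True if the session covered the instant `at` (open sessions have no end)."""
    return s.start <= at and (s.stop is None or at < s.stop)


def who_had_ip(sessions, ip: str, at: datetime):
    """Resolve a reported IP + timestamp to (user, mac, location) tuples.

    A list is returned rather than a single hit: two overlapping records for
    the same IP are themselves a finding (accounting misconfiguration, or a
    DHCP lease reused before the old stop record arrived) and should be
    looked at, not silently collapsed to one user.
    """
    hits = []
    for s in sessions:
        if s.framed_ip == ip and active_at(s, at):
            location = PORT_MAP.get((s.nas_ip, s.nas_port), "unknown port")
            hits.append((s.user, s.mac, location))
    return hits


def port_history(sessions, nas_ip: str, nas_port: int):
    """Chronological (start, stop, user) list for one switch port."""
    on_port = [s for s in sessions if (s.nas_ip, s.nas_port) == (nas_ip, nas_port)]
    return [(s.start, s.stop, s.user) for s in sorted(on_port, key=lambda s: s.start)]


def prune(sessions, now: datetime, retention_days: int = 365):
    """Drop records older than the retention window (6-12 months in the post).

    Open sessions are never dropped; closed ones are kept while their stop
    time is inside the window, so the trail stays answerable for that period.
    """
    cutoff = now - timedelta(days=retention_days)
    return [s for s in sessions if s.stop is None or s.stop >= cutoff]


if __name__ == "__main__":
    print(who_had_ip(SESSIONS, "10.10.0.21", _d("2016-05-02 11:00")))
    print(port_history(SESSIONS, "10.1.1.11", 3))
    print(len(prune(SESSIONS, _d("2016-06-01 00:00"))))
```

The lookup keys on IP plus time, not IP alone, because addresses are recycled; the port map turns a switch/port pair into the room the post says is personally identifiable, which is exactly the data that deserves the restricted "HR/admin" role rather than full NAC admin rights.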
