Matthias:

Welcome to the PF community!

I think we may need to slow things down a bit.

You have lots of questions, and that is good.  But I don't want to get the cart 
before the horse.

The types of questions you are asking are very general and apply to NAC as a 
whole; in short, this is the kind of stuff one would ask if they were hiring an 
integrator to do the install for them. It seems like what you are looking for 
is assistance architecting a solution and not so much an answer to a specific 
question.

Inverse does monitor this list and they very often give out free tech support, 
but what you are asking is a bit much for free.  Inverse will very happily work 
with you and get you set up with an awesome NAC solution, but it is not a free 
service; they have to eat too. : )

I do not work for Inverse.  I am, however, a PF enthusiast, and I happen to 
enjoy helping people get PF set up in their environment.

We can have a conversation off-list and perhaps I can offer you some general 
NAC and PF assistance.  Once you have progressed to needing help with a 
specific issue or configuration then we can come back to the list.

I can also meet you on the PF IRC channel on freenode if you like. Just /join 
#packetfence; I'll idle there as much as I can. I do have a full time job, so I 
can't chat away all day, but I'll help if I can. You should be able to find me; 
I'm Elcrapocrew.

To be clear: I am not selling anything. I am offering my help free of charge as 
a professional courtesy from one IT guy to another. 

Attn. Inverse / List Mods:  Please let me know if I am speaking out of turn 
here about the nature of requests on the list.  I have been a member for a 
while and I am only speaking from my experience.  If I am wrong, please accept 
my apologies.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Matthias Busch <[email protected]>
Sent: Tuesday, July 26, 2016 3:19 PM
To: [email protected]
Subject: Re: [PacketFence-users] New to packetfence, a few questions

Hey Damiano,

I really hope this will be posted correctly. I find this mailing list
very confusing. Is there no way to disable all mails except replies to
my own posts? And I could not find any button where to "reply" to a post...

Never mind, hoping doing it by hand works...

-------------------------------------------------------------

LDAP / MySQL / PERL Modules:

I understand the basics of how PF is built. I probably did not express
my thoughts precisely and clearly enough... Also, I probably lack the right
terms yet...

I realise there is an accounting feature. I was thinking I do not have to
deal with accounting at all; there is no need to involve money or time
credit or something similar.

The term "users" is problematic. Without looking, I can think of three
types of "users". To make matters simple, let's forget the third type.
One of the remaining two types is the people managing PacketFence: users able to
log in to the web portal and do stuff there, like admin. Let's call those
types of users "operators".

The other type are people trying to get on the network: my students.
Let's call them "customers".

I am assuming the "operators" are put in the DB and there is a way to
add and edit them. The user admin exists and has a password, so it must
be implemented. I don't know if these operators are the same type/same
access which I will need later for having HR manage some aspects of PF.

Now, my customers need a place to be. I realise there are many, many ways
to skin this cat. However, many inbuilt auth sources are not suited to
my needs. I am guessing most people in a similar position to mine would
put the users in Active Directory, something which I cannot do.
The next best thing would be to put them in LDAP. Also, I am aware of
the combination of FreeRADIUS and LDAP. I don't mind putting the
users/customers in MySQL if FreeRADIUS will work with that as well...

However, what I am really wondering about is how I manage my
"customers" in LDAP or SQL or whatever... Do I have to supply my own
web frontend/management UI, or does PacketFence come with some kind of
ability to manage customers in LDAP or SQL or ... ?

----------------------------------------------

Of course I would like to use the internal FreeRADIUS. I don't know how
far it is pre-defined/set up.
My first experiences with FreeRADIUS were not great, and I am by no means
a pro with it. I hope I can get it to work with PF.
In PF, I know it is running, but when I enter the FreeRADIUS config in the
admin web interface, it wants to set up a realm/domain; I don't know, I have
yet to read up on where to go from there.
But first I need to figure out where to put my users :)

---------------------------------------------

Self service. Is probably easy when the customers are working and I
could really test around. We'll see. Good to know you are optimistic...

---------------------------------------------

I know about the logs. I was just stating why I am doing all this and
where it is supposed to lead, and that I am aware of what needs to be
done besides getting PF to work...
But your info was valuable, so now I know it is Log4perl...

--------------------------------------------

Question 2 about the critical errors...
What I wanted to say (badly, apparently) is: do my existing networks,
my plans and PacketFence in any way cause someone concern? Do they
conflict? Are there red flags which should make me abort my project
before proceeding? (For example, if PacketFence were incapable of
working with IPv4, someone should tell me "dude, you realise PacketFence
is for IPv6 only, what you want to do is impossible!")

--------------------------------------------

WIFI:
I know WiFi/WPA2-Enterprise and 802.1X can be a bitch. I saved your link and
will read it when appropriate. Thanks.
If I come across any other / easier way to implement the necessary
security, I'll gladly back down...

A captive portal might work, but honestly, I'd rather use that as a
secondary way to auth for the devices incapable of WPA2-Enterprise, but not the
only way. I hate captive portals in WiFi, and my customers aren't guests
or visitors; they live there. I don't want to ask them to auth on a
captive portal every few hours, or worse, set it to stay for 6 months
and have people fake MAC addresses to circumvent security...

--------------------------------------------

Inline deployment:
Yeah, it would make many things much simpler. But it's not an option;
VLAN is the way to go for me...

PF is great when I can get it to work. I hope I can. If not, I have no
idea how to do what I need to do except find another NAC, which is
probably too expensive, or install another Windows Server instance,
set up RADIUS, 802.1X only, and shell out for 200 CALs for a RADIUS
server. I don't want to!

--------------------------------------------

Development:
It is good that development is going strong and there are frequent
updates.
Thanks for warning me about the upgrade problems. Good to know!

--------------------------------------------

Xen-Server 6.5:
I don't understand? Where is the problem? Xen uses bridges...

In Xen, you have eth0 and eth1. Do not set up VLANs!
Give the VM both networks as is.
Connect eth0 to switchport 10, set VLAN to untagged in the appropriate VLAN
(let's say VLAN 1).
Connect eth1 to switchport 11, set VLAN to tagged where needed (let's say
VLAN 10, 11, 12).

In your VM, set up eth0 as needed; it will be connected to VLAN 1.
Set up eth1 with VLANs: eth1.10 - eth1.11 - eth1.12

Your VM will tag the packets, your Xen will bridge the connection to
physical eth1,
and the switch will understand the tagged packets...

Maybe you misunderstood? My PF will use two physical interfaces of the
server, not one.




------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
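Added example (not code from either message, nor from PacketFence itself): the guest-side half of the Xen layout Matthias describes above, creating the 802.1Q sub-interfaces eth1.10, eth1.11 and eth1.12 on the bridged trunk NIC with `ip link`. The interface name "eth1" and the VLAN IDs 10, 11, 12 are the post's illustrative values and are assumptions here, as is the use of a plain Linux guest with iproute2. The function also refuses VLAN IDs outside 1-4094 before touching anything, a check the post does not mention. By default it only prints the commands (DRY_RUN=1); run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the original thread or from PacketFence.
# Creates 802.1Q VLAN sub-interfaces inside a Linux guest whose second NIC is
# bridged by the hypervisor to a tagged (trunk) switch port. Interface name
# "eth1" and VLAN IDs 10 11 12 are the post's assumed values, not real config.

# run: print the command when DRY_RUN=1 (default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_valid_vid: 802.1Q VLAN IDs are 12-bit; 0 and 4095 are reserved, so
# only 1-4094 are usable. Returns 0 if valid, 1 otherwise.
is_valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_subif_cmds <trunk-if> <vlan-id>...
# Loads the 8021q module, then for each VLAN ID creates <trunk>.<vid> and
# brings it up. Fails before touching anything if any ID is invalid.
vlan_subif_cmds() {
    trunk="$1"; shift
    [ -n "$trunk" ] || { echo "trunk interface required" >&2; return 1; }
    [ $# -gt 0 ] || { echo "at least one VLAN id required" >&2; return 1; }
    for vid in "$@"; do
        is_valid_vid "$vid" || { echo "invalid VLAN id: $vid" >&2; return 1; }
    done
    run modprobe 8021q
    for vid in "$@"; do
        run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
        run ip link set dev "$trunk.$vid" up
    done
}

# Example usage (dry run): print the commands for the post's layout.
vlan_subif_cmds eth1 10 11 12
```

After applying with DRY_RUN=0, `ip -d link show eth1.10` should report `vlan protocol 802.1Q id 10`. If a sub-interface comes up but passes no traffic, the tags are being dropped before the guest: check that the hypervisor bridge carries tagged frames and that the switch port really is a tagged member of those VLANs. These commands are not persistent across reboots; put the equivalent in the distribution's network configuration.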