Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-23 Thread Morris, Andi
That works brilliantly, however it’s only stopping devices connecting to the 
main network. The registration network is still accessible by devices.

From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: 22 October 2015 16:25
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

Set the role vlan to -1. That should return reject.

Sent from my iPhone
--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-23 Thread Morris, Andi
All sorted, I needed to enable mac authentication on the setup network.

Thanks all.

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 23 October 2015 09:56
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

That works brilliantly, however it’s only stopping devices connecting to the 
main network. The registration network is still accessible by devices.


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Morris, Andi
Nice, thanks Tim. I’ll put that to my manager and see if we can do something 
like this.

Cheers,
Andi

From: Tim DeNike [mailto:tim.den...@mcc.edu]
Sent: 21 October 2015 17:51
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

Move MySQL to a different server on fast storage.  I run 2 MySQL vms in ha on 
ssd storage and that helps.

Sent from my iPhone


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Morris, Andi
Thanks Arthur,
That’s a really interesting idea. I’ll see if I can find a way to spot devices 
that are hanging around for a while and set something like this up.

From: Arthur Emerson [mailto:arthur.emer...@msmc.edu]
Sent: 21 October 2015 18:38
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

On 10/21/15, 12:35 PM, "Morris, Andi" 
<amor...@cardiffmet.ac.uk<mailto:amor...@cardiffmet.ac.uk>> wrote:

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it?

I made a local portal user ID for unregistered devices that are hanging
around for too long without registering.  Once the device is manually
registered to that user, I set a violation on the device, which sends it
to an unused VLAN (mac-detect?).  You can do the same thing with RADIUS
VLAN settings for the special user, as long as the device gets sent to
the naughty room (isolated on a dead VLAN).

I never automated this process, but it shouldn't be too difficult...

-Arthur

-
Arthur Emerson III         Email:      emer...@msmc.edu
Network Administrator      InterNIC:   AE81
Mount Saint Mary College   MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.            Fax:        (845) 562-6762
Newburgh, NY  12550        SneakerNet: Aquinas Hall Room 8A


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Tim DeNike
Set the role vlan to -1. That should return reject.

Sent from my iPhone

On Oct 22, 2015, at 11:17 AM, Morris, Andi <amor...@cardiffmet.ac.uk> wrote:

I’ve been working on this today, and have successfully created a manually
triggered violation that sends the device to the macdetection vlan (id 4),
which doesn’t exist on our network. However, I can see the violation
triggering, and access briefly drops on my test device, but it always
connects back up to the network without issue and continues as normal.

Would creating a real vlan, which has no route to the internet be a better
way to go about this? Or am I doing something wrong by sending them to the
mac detection vlan?

Cheers,
Andi


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-22 Thread Morris, Andi
I’ve been working on this today, and have successfully created a manually 
triggered violation that sends the device to the macdetection vlan (id 4), 
which doesn’t exist on our network. However, I can see the violation 
triggering, and access briefly drops on my test device, but it always connects 
back up to the network without issue and continues as normal.

Would creating a real vlan, which has no route to the internet be a better way 
to go about this? Or am I doing something wrong by sending them to the mac 
detection vlan?

Cheers,
Andi

From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk]
Sent: 22 October 2015 09:45
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Recommended setup for HA and efficiency

Thanks Arthur,
That’s a really interesting idea. I’ll see if I can find a way to spot devices 
that are hanging around for a while and set something like this up.


[PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Morris, Andi
Hi all,
I've recently come into some issues with the load on my PacketFence setup 
during peak times and so we're now looking at seeing if we can split the 
service into separate components across servers, and also across our two sites 
for high availability.

Loads are currently around 2000 devices concurrently at peak times, all using 
802.1x through the freeradius mschap component to our backend active directory 
server. At peak times there are sometimes 500 devices sitting in the captive 
portal.

Our current setup is a VMware server with 4 vCPUs & 32GB of memory. Inverse have 
had a look and have suggested that our server is being battered by devices in 
our captive portal. However I'm not sure there's much we can do to alleviate 
this, as it's a BYOD environment, and we have little to no control over the 
devices that come into the network. I've added some apache filters to 501 
certain apps that are hitting the portal, but it doesn't seem to be making a 
huge difference, and some apps are still hitting the portal even after the 501 
error is given.

So, some quick questions regarding this:

-  Will moving the MySQL component of the setup onto a dedicated server 
make a marked difference to the performance?

-  If I gave each university site a PF httpd/radius service, would they 
both need to access one single central MySQL server or would this cause 
deadlocks?

-  Is splitting PF into 3 separate components: apache, freeradius and 
MySQL also an option to bring server load down?

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it? Larger environments, what is your setup 
regarding PF hardware and services?

Cheers,
Andi


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Tim DeNike
Move MySQL to a different server on fast storage.  I run 2 MySQL vms in ha
on ssd storage and that helps.

Sent from my iPhone

On Oct 21, 2015, at 12:37 PM, Morris, Andi  wrote:

Hi all,

I’ve recently come into some issues with the load on my PacketFence setup
during peak times and so we’re now looking at seeing if we can split the
service into separate components across servers, and also across our two
sites for high availability.

Loads are currently around 2000 devices concurrently at peak times, all
using 802.1x through the freeradius mschap component to our backend active
directory server. At peak times there are sometimes 500 devices sitting in
the captive portal.

Our current setup is a VMware server with 4 vCPUs & 32GB of memory. Inverse
have had a look and have suggested that our server is being battered by
devices in our captive portal. However I’m not sure there’s much we can do
to alleviate this, as it’s a BYOD environment, and we have little to no
control over the devices that come into the network. I’ve added some apache
filters to 501 certain apps that are hitting the portal, but it doesn’t
seem to be making a huge difference, and some apps are still hitting the
portal even after the 501 error is given.

So, some quick questions regarding this:

-  Will moving the MySQL component of the setup onto a dedicated
server make a marked difference to the performance?

-  If I gave each university site a PF httpd/radius service, would
they both need to access one single central MySQL server or would this
cause deadlocks?

-  Is splitting PF into 3 separate components: apache, freeradius
and MySQL also an option to bring server load down?

Has anyone else run into this sort of issue with devices sitting in the
captive portal, and if so how do you combat it? Larger environments, what
is your setup regarding PF hardware and services?

Cheers,

Andi


Re: [PacketFence-users] Recommended setup for HA and efficiency

2015-10-21 Thread Arthur Emerson
On 10/21/15, 12:35 PM, "Morris, Andi" wrote:

Has anyone else run into this sort of issue with devices sitting in the captive 
portal, and if so how do you combat it?

I made a local portal user ID for unregistered devices that are hanging
around for too long without registering.  Once the device is manually
registered to that user, I set a violation on the device, which sends it
to an unused VLAN (mac-detect?).  You can do the same thing with RADIUS
VLAN settings for the special user, as long as the device gets sent to
the naughty room (isolated on a dead VLAN).

I never automated this process, but it shouldn't be too difficult...

-Arthur

-
Arthur Emerson III         Email:      emer...@msmc.edu
Network Administrator      InterNIC:   AE81
Mount Saint Mary College   MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.            Fax:        (845) 562-6762
Newburgh, NY  12550        SneakerNet: Aquinas Hall Room 8A
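Both problems raised in this thread, the devices that sit in the captive portal for a long time without registering (the ones Arthur parks on a dead VLAN) and the apps that keep hitting the portal after the 501 that Andi's Apache filters return, can be spotted from the portal's Apache access log. The Python below is an added example, not PacketFence code or anything posted by the participants; it assumes the portal vhost logs in Apache's Combined Log Format, and the log lines, addresses, paths and user agents in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache Combined Log Format, which the portal vhost is assumed to use.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a phone that idles on the portal for a day, a laptop that
# signs up within minutes, and an Android check that keeps probing after a 501.
SAMPLE_LOG = """\
10.9.0.21 - - [21/Oct/2015:08:02:11 +0100] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X)"
10.9.0.33 - - [21/Oct/2015:08:05:00 +0100] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
10.9.0.33 - - [21/Oct/2015:08:06:30 +0100] "POST /signup HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/41.0"
10.9.0.47 - - [21/Oct/2015:08:10:00 +0100] "GET /generate_204 HTTP/1.1" 501 0 "-" "Dalvik/2.1.0 (Linux; Android 5.1)"
10.9.0.47 - - [21/Oct/2015:08:10:05 +0100] "GET /generate_204 HTTP/1.1" 501 0 "-" "Dalvik/2.1.0 (Linux; Android 5.1)"
10.9.0.47 - - [21/Oct/2015:08:10:10 +0100] "GET /generate_204 HTTP/1.1" 501 0 "-" "Dalvik/2.1.0 (Linux; Android 5.1)"
10.9.0.21 - - [21/Oct/2015:13:40:02 +0100] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X)"
10.9.0.21 - - [22/Oct/2015:09:15:45 +0100] "GET /captive-portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_0 like Mac OS X)"
"""

def parse_log(text):
    """Parse Combined Log Format lines into dicts, oldest first; lines that
    do not match the format are skipped rather than aborting the run."""
    recs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], TS_FMT)
            r["status"] = int(r["status"])
            recs.append(r)
    return sorted(recs, key=lambda r: r["ts"])

def lingering_clients(recs, min_age=timedelta(hours=12)):
    """Source IPs still requesting the portal at least `min_age` after their
    first hit without ever POSTing to it (never tried to register)."""
    first, last, progressed = {}, {}, set()
    for r in recs:
        ip = r["ip"]
        first.setdefault(ip, r["ts"])
        last[ip] = r["ts"]
        if r["req"].startswith("POST "):
            progressed.add(ip)
    return sorted(ip for ip in first
                  if ip not in progressed and last[ip] - first[ip] >= min_age)

def ignores_501(recs):
    """Per user agent, how many requests arrived after that client (IP + UA)
    had already been given a 501: the apps that ignore the error."""
    rejected, after = set(), defaultdict(int)
    for r in recs:
        key = (r["ip"], r["ua"])
        if key in rejected:
            after[r["ua"]] += 1
        if r["status"] == 501:
            rejected.add(key)
    return dict(after)
```

On the constructed sample, `lingering_clients(parse_log(SAMPLE_LOG))` returns only the phone at 10.9.0.21, and `ignores_501` reports two post-501 hits from the Dalvik user agent; the laptop that POSTed to /signup is excluded because it progressed past the portal.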
