Re: [WIRELESS-LAN] Packetfence - Aruba Webauth
We should collaborate. We are running a cluster of three packetfence hosts; it will serve a captive portal with authentication using OAuth sources Facebook and Google, and also provide SMS and email based logins with verification. We are deploying out-of-band with webauth with two interfaces: management and portal. We have not gotten the CoA/webauth to work yet and I'm seeking details on how this is accomplished.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300-8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Wesley Troy Scott <tsc...@uwyo.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, January 30, 2018 at 1:27 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Packetfence - Aruba Webauth

> Hi Jason,
>
> The University of Wyoming is working on that now.
>
> Troy
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Trinklein, Jason R <trinkle...@cofc.edu>
> Sent: Tuesday, January 30, 2018 8:52:06 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Packetfence - Aruba Webauth
>
>> Has anyone set up Packetfence webauth with Aruba for guest wireless access?
>>
>> --
>> Jason Trinklein
>> Wireless Engineering Manager
>> College of Charleston
>> 81 St. Philip Street | Office 311D | Charleston, SC 29403
>> trinkle...@cofc.edu | (843) 300-8009

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
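The CoA/Disconnect exchange that an out-of-band webauth deployment depends on (the portal authenticates the client, the NAC server then tells the controller to drop or re-authorize the session) is easier to debug when you can see exactly what goes on the wire. The following is an added example, not part of the original message and not PacketFence's or Aruba's code: a minimal RFC 5176 Disconnect-Request builder and reply verifier in Python. The shared secret, identifier, user name, client MAC and NAS address are constructed values, no socket I/O is performed, and the Message-Authenticator attribute, which some NAS implementations require on CoA/Disconnect requests, is deliberately left out so the authenticator arithmetic stays visible.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS Dynamic Authorization codes (RFC 5176, section 2.3).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute types used below (RFC 2865/2866). RFC 5176 lists these among the
# session identification attributes a NAS matches a request against.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101          # carried in a NAK, e.g. 503 Session Context Not Found

HEADER_LEN = 20                 # Code(1) Identifier(1) Length(2) Authenticator(16)
DYNAUTH_PORT = 3799             # default UDP port for CoA/Disconnect (RFC 5176)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """TLV-encode one attribute: Type, Length (counting these 2 octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute values are 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list after the header, rejecting malformed lengths."""
    attrs, offset = [], HEADER_LEN
    while offset < len(packet):
        if offset + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[offset], packet[offset + 1]
        if length < 2 or offset + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[offset + 2:offset + length]))
        offset += length
    return attrs


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """CoA-Request / Disconnect-Request. RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + request attributes + shared secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def build_response(code: int, request: bytes, attributes: bytes, secret: bytes) -> bytes:
    """What the NAS answers. Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + response attributes + shared secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def response_valid(response: bytes, request: bytes, secret: bytes) -> bool:
    """Check a reply against the request it answers. Anything failing here is dropped:
    a host on the path can forge the code and identifier but not the MD5 over the secret."""
    if len(response) < HEADER_LEN or len(response) != struct.unpack("!H", response[2:4])[0]:
        return False
    if response[1] != request[1]:        # identifier must match the outstanding request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_request(identifier: int, username: str, mac: str, nas_ip: str, secret: bytes) -> bytes:
    """Disconnect the session identified by user name, client MAC and NAS address."""
    attrs = (encode_attribute(ATTR_USER_NAME, username.encode())
             + encode_attribute(ATTR_CALLING_STATION_ID, mac.encode())
             + encode_attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_request(DISCONNECT_REQUEST, identifier, attrs, secret)


if __name__ == "__main__":
    # Constructed values: secret, user, MAC and controller address are not real.
    secret = b"constructed-shared-secret"
    req = disconnect_request(7, "jdoe", "aa-bb-cc-dd-ee-ff", "10.0.0.1", secret)
    print("request attributes:", parse_attributes(req))
    ack = build_response(DISCONNECT_ACK, req, b"", secret)
    print("ACK valid:", response_valid(ack, req, secret))
    print("ACK valid with wrong secret:", response_valid(ack, req, b"wrong"))
```

When a controller silently ignores a Disconnect-Request, the usual causes are a shared secret that differs from the one configured for the RADIUS authentication server, a request arriving on the wrong port, or identification attributes that do not match what the NAS holds for the session; a NAK with Error-Cause 503 means the NAS understood the packet but found no session for those attributes.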
Re: [WIRELESS-LAN] PacketFence
Hi Adam,

My personal opinion is that NAC as a generic term has gotten almost too ambiguous to be useful. The Wikipedia entry for NAC says this:

    Initially 802.1X was also thought of as NAC. Some still consider 802.1X as the most simple form of NAC, but most people think of NAC as something more.

I'm not sure by your description whether you want to continue to use traditional NAC components after you go straight 802.1x and Packet Fence. Can you elaborate on where you want to get with remediation and enforcement? I think many have found enforcing remediation of NAC to be problematic with an increasingly protected and sophisticated user base. Whether or not to do posture assessment and enforce remediation seems to me to be the main determinant of how much one needs to spend, rather than the vendor of the solution chosen.

As I've mentioned before, Cisco ISE-Base is about 15k for 10k endpoints (with no cost to install an ISE failover unit), and also not NAC, at least on the understanding that only 802.1x and guest registration portals do not a NAC make. I have no brief for Cisco or any particular vendor, but this is at least one example of a major vendor with a cost-effective option for those not wishing to do posture assessment, remediation, and other traditional NAC things.

Mark

On Thu, Apr 26, 2012 at 10:06 AM, Adam T. Ferrero <a...@temple.edu> wrote:

> We have been using Packet Fence successfully since last summer. We reviewed it and a few other commercial offerings. It is our first NAC implementation and was prompted by the installation of 675 new wireless access points in our Residence Halls. We wanted a way to enforce a few rules on the students living on campus. Previously we have been running our own custom processes to ensure those rules (wildcard dns, captive portal, custom executables, all non 802.1x stuff).
>
> Since it was six figures less expensive than the next best commercial alternative and we have a talented staff that could support it, it wasn't a difficult choice. It is a commercial open source offering, so we pay Inverse a few dollars so that we can call for help when we get stuck.
>
> We did two months of testing, then a one building pilot for two weeks and then deployed to all locations last fall (we rushed it). During the winter intersession we added support for enterprise wide guest wireless credentialing (displacing another commercial solution). We have needed to continue to scale it upward just because of our size, but now we are architected so that we can do that fairly easily (with hardware load balancing). Next we need to enable the statement of health checking within Packet Fence. We integrated Packet Fence with our custom solution and executables to figure that out presently, but want to go straight 802.1x and Packet Fence.
>
> I've been very happy with the selection and with the support from Inverse. I'd be happy to share more experiences.
>
> Adam Ferrero
> Executive Director Network Services
> Temple University, Computer Services

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] PacketFence
Fair enough regarding NAC.

Our custom Get Connected process has been in place for over a decade for wired Residence Hall connectivity. We have switch ports on a fixed vlan and we have two IP subnets on that vlan (call them registration and student). When the dhcp request comes across initially for a new student, they get an address on the registration vlan side. There they are served a dns server that wildcards everything to our captive portal registration page. Students log into that page and download a custom executable (for Windows or Macs). That executable is smart enough to detect antivirus software, remove it and install our own managed AV. Only after that is installed can they get to the final step of the registration. Through database and scripts behind the scenes, we then register the mac address of that device. After a certain time interval, their dhcp renews give them an IP address on the student IP subnet and off they go. That is all wired.

For wireless we have a hybrid with WPA2/802.1x radius calls hitting Packet Fence and placing folks in registration or student vlans. Registration still goes to our custom Get Connected page.

What comes next is very simple posture assessments. We just want to make sure that there is antivirus installed and the definitions are not ridiculously out of date. Exact rules have yet to be determined, but the notion is simple enough (caveat - not much about NAC is simple). So, for wired I prefer that we use 802.1x on the switch ports and actually detect whether AV is running and current before placing them on the student vlan. We would want those folks to be able to get themselves remediated on their own too (your AV is out of date, so we will allow you to get the updates but not much else until then). It would eliminate our upkeep on the custom Get Connected processes (which is web servers, scripts, databases and executables). They have served us very well for almost 5,000 beds / semester, but I think we have a more elegant option available today.

We did not look at Cisco Identity Services Engine so I cannot comment there. The solutions we looked at (just a handful seriously), were all very expensive. We were comparing six digits and up against very low five digits. It fit the bill for us. Residence Hall wireless and enterprise wide guest wireless credentialing with the hope of posture assessments in the future. Time will tell how we do there.

Adam
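The placement the message above describes (unregistered devices into a registration VLAN, registered devices whose AV is missing or stale into a remediation VLAN where only updates are reachable, everything else into the student VLAN) is, on the RADIUS side, a small authorization decision plus three reply attributes. The following is an added example in Python, not PacketFence's code and not Temple's Get Connected process. The VLAN numbers, the seven-day definition-age limit, the registration table and the posture reports are constructed assumptions; the reply attributes are the standard RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple that switches and wireless controllers honour in an Access-Accept.

```python
import re
from datetime import date, timedelta

# RFC 3580 section 3.31: the Tunnel attributes an Access-Accept carries to
# place the authenticated port or wireless client into a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Hypothetical VLAN IDs for the three roles (assumption, not a real site config).
VLAN_BY_ROLE = {"registration": 100, "remediation": 110, "student": 200}
# What "definitions ridiculously out of date" means here (assumption).
MAX_DEFINITION_AGE = timedelta(days=7)


def normalize_mac(mac: str) -> str:
    """Switches, controllers and clients format Calling-Station-Id differently
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff); key the database on one form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def decide_role(mac: str, registrations: dict, posture: dict, today: date) -> str:
    """Registration state and AV posture decide the VLAN. Unknown devices go to
    registration. Registered devices with no report, no AV, or stale definitions
    go to remediation: a missing posture report is not treated as healthy."""
    key = normalize_mac(mac)
    if key not in registrations:
        return "registration"
    report = posture.get(key)
    if report is None or not report["av_installed"]:
        return "remediation"
    if today - report["definitions_date"] > MAX_DEFINITION_AGE:
        return "remediation"
    return "student"


def access_accept_attributes(role: str) -> dict:
    """Reply attributes for the Access-Accept. Tunnel-Private-Group-Id is a string
    carrying the VLAN ID (or VLAN name, on gear that supports it)."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": str(VLAN_BY_ROLE[role]),
    }


def authorize(mac: str, registrations: dict, posture: dict, today: date) -> tuple:
    """Full decision for one 802.1X request: (role, reply attributes)."""
    role = decide_role(mac, registrations, posture, today)
    return role, access_accept_attributes(role)


# Constructed sample data, not from any real registration database.
SAMPLE_REGISTRATIONS = {
    "00:11:22:33:44:55": "student1",   # registered, healthy
    "aa:bb:cc:dd:ee:ff": "student2",   # registered, definitions stale
    "de:ad:be:ef:00:01": "student3",   # registered, never reported posture
}
SAMPLE_POSTURE = {
    "00:11:22:33:44:55": {"av_installed": True, "definitions_date": date(2012, 4, 25)},
    "aa:bb:cc:dd:ee:ff": {"av_installed": True, "definitions_date": date(2012, 3, 1)},
}
SAMPLE_TODAY = date(2012, 4, 26)

if __name__ == "__main__":
    for mac in ("0011.2233.4455", "AA-BB-CC-DD-EE-FF", "de:ad:be:ef:00:01", "66:77:88:99:aa:bb"):
        print(mac, authorize(mac, SAMPLE_REGISTRATIONS, SAMPLE_POSTURE, SAMPLE_TODAY))
```

The fail-closed branch matters in practice: a device that is registered but whose agent never reported (or whose report was lost) must not land in the student VLAN by default, otherwise uninstalling the agent becomes the bypass. The remediation VLAN then needs only the AV update servers and the portal reachable, which is what keeps the "get the updates but not much else" rule enforceable on the network rather than on the endpoint.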
Re: [WIRELESS-LAN] PacketFence
The last time I looked at it (years and years ago), it used dns spoofing to capture/redirect clients? My first thought was that it would not work w/ dnssec, so I haven't looked at it since and would be curious if that changed.

Dale

Thus spake Johnson, Neil M (neil-john...@uiowa.edu) on Thu, Apr 12, 2012 at 02:16:12PM +:

> I would be interested in talking to anyone about their experiences using packetfence (http://www.packetfence.org) to register guest users on their wireless network.
>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
Re: [WIRELESS-LAN] PacketFence
It used ARP spoofing (which is the last time I used it in a past job) and has changed quite a bit. I know Weber State uses it and Tristan (their network engineer) often promotes it on the NETMAN list, as shown in this post: http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind11L=NETMANT=0F=S=P=326491. They might be able to help out :-)

-Jesse

On Thu, Apr 12, 2012 at 11:34 AM, Dale W. Carder <dwcar...@wisc.edu> wrote:

> The last time I looked at it (years and years ago), it used dns spoofing to capture/redirect clients? My first thought was that it would not work w/ dnssec, so I haven't looked at it since and would be curious if that changed.
>
> Dale
>
> Thus spake Johnson, Neil M (neil-john...@uiowa.edu) on Thu, Apr 12, 2012 at 02:16:12PM +:
>
>> I would be interested in talking to anyone about their experiences using packetfence (http://www.packetfence.org) to register guest users on their wireless network.
>>
>> Thanks.
>>
>> -Neil
>>
>> --
>> Neil Johnson
>> Network Engineer
>> The University of Iowa
>> Phone: 319 384-0938
>> Fax: 319 335-2951
>> Mobile: 319 540-2081
>> E-Mail: neil-john...@uiowa.edu

--
Jesse Safran
Sr. Desktop Supervisor/Assist. Network Admin
Green Mountain College
1 Brennan Circle
Poultney, VT 05764
802-287-0105 (Cell)
802-287-8264 (IT Computer Support Line)
safr...@greenmtn.edu
Re: [WIRELESS-LAN] PacketFence
We started to look at PacketFence but before even getting to test it Cisco released ISE and then we switched to kicking the tires on that. Though I know some universities use PacketFence quite successfully, for all the strengths of the open source way the hassles of it in a product like that (poor documentation and such) are significant depending on how your IT staff is structured and their goals. The well-known tradeoffs between commercial products with good documentation and support and a do-it-yourself approach have ramifications that reach down even to staffing and turnover.

Anyway, there were some portal limitations in ISE 1.0 such that we weren't happy with the usability so we decided to wait for the next release. It appears from the documentation that 1.1 may have dealt with these so we'll start testing that version soon. I have seen people talking about the high cost of ISE, but ISE base without the posture checking is quite reasonable. I think if you aren't doing posture checking or enforcing remediation anymore with your NAC solution or intending to do it with PacketFence I think ISE base should be the price comparison rather than the much more expensive ISE advanced add-on or whatever the name. From what I can see ISE is now very feature rich in regard to guest registration, though we've not used it in production yet.

Mark

On Thu, Apr 12, 2012 at 7:16 AM, Johnson, Neil M <neil-john...@uiowa.edu> wrote:

> I would be interested in talking to anyone about their experiences using packetfence (http://www.packetfence.org) to register guest users on their wireless network.
>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
RE: [WIRELESS-LAN] Packetfence.
We use PacketFence in our residence system, but do not use it over wireless. The VLAN isolation model has worked tremendously for us. We have not implemented the NAC portion of it (basically it uses Nessus scanning from what I can tell), we're using it more for simple registration/tracking of student-owned computers. The documentation is a bit lacking on the website, but the support via the mailing list is excellent, and there is commercial support available.

Cheers

Matt Ashfield
Network Analyst
ITS - Communications and Network Services
University of New Brunswick
email: m...@unb.ca
ph: 506.447.3033

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Matthew Gracie
Sent: April 2, 2009 2:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Packetfence.

> We're looking at replacing our current NAC solution in the residence halls, and one of the contenders is Packetfence.
>
> 1) Has anyone used Packetfence as a Resnet NAC system? Any tips, horror stories, things to watch for?
>
> 2) Has anyone integrated a 4400-based Cisco LWAPP deployment with it? The web site says it's supported, but as with most open source products, the documentation seems a bit lacking.
>
> Thanks for any help,
>
> --Matt
>
> --
> Matt Gracie (716) 888-8378
> Information Security Administrator grac...@canisius.edu
> Canisius College ITS
> Buffalo, NY
> http://www2.canisius.edu/~graciem/graciem_public_key.gpg