Thanks

Sent from my iPhone
> On Feb 21, 2021, at 8:26 PM, Charles Boening <[email protected]> wrote:
>
> We use one (clustered pair) and really like it. Essentially it’s a captive
> portal that does authentication. Think authenticated DHCP.
>
> You have a new customer. They connect their router and get a private IP.
> That IP is forced to the Patriot system via policy routing. In our case, we
> shove a couple private IP subnets into an MPLS VRF for transport then pop
> them out and handle that last connection with a policy forcing a next hop to
> the Patriot. Replies don’t traverse the VRF nor do they need to.
>
> The customer enters a username/password. The authentication can be done
> locally within the Patriot system or externally via RADIUS. We use RADIUS.
>
> Once successfully authenticated, the customer reboots their device, pulls the
> cable and plugs it back in, or waits a few minutes for the unauthenticated
> lease to expire. At that point, they get online with their public IP.
>
> We use a web API to pre-auth customers who use a router we provide. Since we
> know the MAC, username and password, we can pre-authenticate the device so
> the customer never sees the login screen. This is also helpful for customers
> with devices that don’t have a web interface for some reason.
>
> You can suspend a customer and they will go back to a private IP. In the
> captive portal, you can relay a message that was entered when they were
> suspended. The nice thing here is you don’t have to disable a customer
> interface or something. Most customers will try a browser so they’ll see the
> portal login with whatever suspend message. It seems to help keep them from
> factory resetting things and playing with cables.
>
> Static IP pools are useful as well. The customer is authenticated and gets
> the same IP every time. There are a couple of ways to do this but RADIUS and
> a static pool works best for us.
>
> To prevent users from assigning static IPs, we turn MAC forced forwarding and
> IP Source Verify on in our Calix systems. Not every system has the
> capability but we use it where we can and monitor ARP tables for the rest.
> You can easily use the Patriot API to dump all authenticated customers and
> insert them into a database. You can do the same with your router ARP tables
> then compare.
>
> The user interface isn’t fancy but works really well. It’s nice to be able
> to search history for a customer including raw DHCP logs. You can also see
> and search on Option 82 information.
>
> The portal splash page is customizable as well.
>
> Their customer service and support is top notch.
>
> Last, I have no affiliation with these guys. Just a happy customer.
>
> __________________________________
>
> Charles Boening
> Network Manager
> 800-858-2399 | Office
> [email protected]
>
> www.cot.net | Find us on Facebook
> __________________________________
> Cal-Ore | Local. Trusted. Professional.
>
> From: AF <[email protected]> On Behalf Of Chuck McCown via AF
> Sent: Saturday, February 20, 2021 10:48 AM
> To: [email protected]
> Cc: Chuck McCown <[email protected]>
> Subject: [AFMUG] DHCPatriot
>
> EXTERNAL EMAIL - Use caution when opening attachments, clicking links, or
> sharing sensitive information.
>
> A company I am partnered with uses DHCPatriot to serve all of its customers.
> I have never understood what is magic about this compared to free DHCP.
>
> Does anyone here use it?
--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
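The lease-versus-ARP comparison described in the quoted message (dump the authenticated customers, dump the router ARP tables, then compare), as an added example that is not part of the original thread and is not DHCPatriot's own code. The lease export layout, the ARP dump format, the address pool and all function names are assumptions, and the sample data is constructed.

```python
import ipaddress
import re

# Constructed sample data: the lease export layout is an assumption (not
# DHCPatriot's real API output); the ARP lines mimic a generic router dump.
LEASES = """\
username,mac,ip
alice,00:11:22:33:44:55,203.0.113.10
bob,66-77-88-99-AA-BB,203.0.113.11
"""
ARP = """\
203.0.113.10  0011.2233.4455  ge-0/0/1
203.0.113.11  6677.8899.aabb  ge-0/0/1
203.0.113.50  6677.8899.aabb  ge-0/0/2
203.0.113.60  dead.beef.0001  ge-0/0/3
203.0.113.70  incomplete      ge-0/0/3
10.0.0.5      dead.beef.0002  ge-0/0/4
"""
CUSTOMER_POOL = ipaddress.ip_network("203.0.113.0/24")  # assumed public pool

def norm_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one."""
    digits = re.sub(r"[.:-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_leases(csv_text):
    """Map normalised MAC -> (username, leased IP) from the lease export."""
    leases = {}
    for line in csv_text.strip().splitlines()[1:]:
        user, mac, ip = line.split(",")
        leases[norm_mac(mac)] = (user, ipaddress.ip_address(ip))
    return leases

def audit_arp(arp_text, leases, pool=CUSTOMER_POOL):
    """Return (ip, mac, reason) for ARP entries with no matching lease."""
    findings = []
    for ip_text, mac_text, *_ in map(str.split, arp_text.strip().splitlines()):
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac_text)
        if mac is None or ip not in pool:
            continue  # incomplete ARP entry, or outside the customer pool
        if mac not in leases:
            findings.append((str(ip), mac, "MAC never authenticated"))
        elif leases[mac][1] != ip:
            user, leased = leases[mac]
            findings.append((str(ip), mac, f"{user} holds lease {leased}"))
    return findings

if __name__ == "__main__":
    print(*audit_arp(ARP, load_leases(LEASES)), sep="\n")
```

MACs are normalised before comparison because lease exports and router ARP dumps rarely agree on separator style; entries on private addresses are skipped since unauthenticated devices are expected to sit there.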
