Hello Steve,

Which type of RADIUS authentication are you doing, 802.1X or MAC authentication?
Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jun 17, 2021, at 12:21 PM, Steve Dainard via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello,
>
> First I'll say I'm just in the initial phase of spinning up a test instance of packetfence so please excuse my ignorance.
>
> From the docs it seems like the more common deployment scenarios are onprem, but I'd like to know how the following system design would work.
>
> We have multiple office sites, but the vast majority of our hosts are in EC2. Currently we're using MS NPS for radius auth but it doesn't cluster so we have to manually export/import configs, it doesn't have a web ui, and I can't natively send accounting info as syslog to Palo Alto for userid. Also we're more of a Linux shop and have a full config-management and deployment system for Linux hosts.
>
> My initial design idea was to:
> - launch 2 instances in our EC2/VPC region, each in a different AZ
> - use a highly available RDS DB backend
> - the instances might be behind an AWS load balancer (not sure on this due to Juniper switches not accepting fqdn in radius server statements)
> - the instances would all be assigned IP addresses via DHCP due to EC2 environment
>
> Topology:
> Onprem Network Devices -> (maybe/optionally) EC2 Load balancer -> packetfence instances -> RDS DB backend.
>
> There is documentation on a layer 3 HA implementation but the documentation is very focused on local DB's rather than just the application so it's difficult to understand the implications of split-brain if we're using an external DB.
>
> Because these are EC2 instances there are a few things made a bit more difficult such as not getting the host IP address until the instance is already provisioned but we should be able to handle this in config management. Also there is no virtual ip capability.
>
> I'm wondering does my deployment design result in:
> - active-active packetfence instances, ie. can they actively share the same external db?
> - ability to launch packetfence instances at will (configuration management would handle config files) | replace packetfence instances on the fly without concern of db corruption or service interruption
> - Use any of the instances web UI for configuration changes
>
> Also this issue https://github.com/inverse-inc/packetfence/issues/6396 perhaps points out there are some shortcomings and potentially a lack of support in external db deployments. We would want some level of commercial support for this system so perhaps we're out of luck until this issue is addressed?
>
> Thanks for reading,
> Steve
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
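Steve's design has no virtual IP and his Juniper switches want each RADIUS server listed by address, so each PacketFence instance is reached directly and must be health-checked on its own rather than through a load balancer. The following is an added example, not PacketFence or Akamai code and not from the thread: a stdlib-only RADIUS Status-Server probe (RFC 5997) that builds the request with a Message-Authenticator, sends it to each backend, and accepts the answer only if the Response Authenticator and Message-Authenticator verify under the shared secret. The backend addresses `10.0.1.10` / `10.0.2.10` and the secret `testing123` are placeholders; `build_accept_reply` reproduces what a server would send so the exchange can be exercised offline.

```python
"""RADIUS Status-Server probe (RFC 5997) for checking each RADIUS backend
independently.  Added example; not PacketFence's own code."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

STATUS_SERVER = 12            # RADIUS code for Status-Server
ACCESS_ACCEPT = 2             # expected answer when the server is healthy
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20               # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def _iter_attrs(attrs: bytes):
    """Yield (offset, type, value) for each RADIUS attribute TLV; raise on malformed input."""
    off = 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute")
        yield off, atype, attrs[off + 2:off + alen]
        off += alen


def build_status_server(secret: bytes, identifier: int, request_auth: Optional[bytes] = None) -> bytes:
    """Build a Status-Server request; RFC 5997 requires a Message-Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(16)           # Request Authenticator is random
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, HEADER_LEN + len(placeholder)) + request_auth
    # HMAC-MD5 keyed with the shared secret over the packet with the attribute zeroed
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + mac


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """True only for a well-formed Access-Accept whose authenticators verify."""
    if len(response) < HEADER_LEN or len(request) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    request_auth = request[4:20]
    attrs = response[HEADER_LEN:]
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    # Message-Authenticator: HMAC-MD5 over the response with that attribute zeroed
    # and the Authenticator field replaced by the Request Authenticator.
    try:
        for off, atype, value in _iter_attrs(attrs):
            if atype == ATTR_MESSAGE_AUTHENTICATOR:
                zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
                mac = hmac.new(secret, response[:4] + request_auth + zeroed, hashlib.md5).digest()
                if not hmac.compare_digest(mac, value):
                    return False
    except ValueError:
        return False
    return code == ACCESS_ACCEPT


def build_accept_reply(secret: bytes, request: bytes) -> bytes:
    """Server side of the exchange: the Access-Accept a healthy server returns.
    Included so the example runs offline; a real backend produces this."""
    request_auth = request[4:20]
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN + len(placeholder))
    mac = hmac.new(secret, head + request_auth + placeholder, hashlib.md5).digest()
    attrs = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + mac
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """Send one Status-Server to host:port; True only on a verified Access-Accept."""
    request = build_status_server(secret, identifier=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return verify_response(secret, request, response)


if __name__ == "__main__":
    # Placeholder backend addresses and secret; substitute your own instances.
    for backend in ("10.0.1.10", "10.0.2.10"):
        print(backend, "OK" if probe(backend, b"testing123") else "DOWN")
```

Run it from a host that is allowed to reach UDP/1812 on each instance with the same shared secret the switches use; the switches' own failover handles which backend they pick, and this script tells you whether each backend would answer them.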