Hello Olivier:

When you have a chance, I suggest experimenting with the VMware ESXi/vSphere virtual hypervisor. It is available for download free of charge, and provides what I believe is the best virtual environment. Unfortunately, their virtual switches are unmanaged. They support VLAN IDs and can be trunked, but being unmanaged means there is little they can do relating to SNMP traps. However, this is not really a problem, as there are no real clients that would connect to these switches and require registration. This is done through the Vyatta open appliance. As for Vyatta, they have done to routing/firewall what you have done to NAC, by offering a free software environment that provides advanced open networking routing, firewall and VPN capabilities. They do support a limited set of SNMP MIBs, and successfully send traps to PF when new devices are connected to it. I looked with little success for some guidance on building a custom switch configuration file for Vyatta. Any suggestions?
The only problem I have seen is that unlike a Cisco switch, I have not been able to move devices from various VLAN IDs when they connect via Vyatta and its VPN. The VPN provides the IP address and default gateway. This is why I wanted to move away from the VLAN isolation method and try one of the other two. Can PF work with VPNs? What can PF do when the IP address of the client is fixed by the VPN gateway?
I installed the ARP patch, and spent several hours trying to get that to work. For some reason, PF was not poisoning the gateway MAC entry on the "unregistered" client, allowing them complete network access. I used configurator.pl and built numerous configuration files ... all with the same result of not being able to block access. Even looking at dozens of search results, many others seemed to have the same problem.
I am going to work with the Radius AAA approach you mention. This is actually where I wanted to end up ... I just didn't want to enable too many components too early. I am struggling with the FreeRADIUS configuration, as most of the documentation seems to address using this with wireless. Since I am relatively new to PF, it is hard to understand exactly what modules I will need to customize.
I am worried that I have hit a wall, because my limitation is that the "soft" switches will only support link change. Where can I read about the limitations of PF when using switches with such limited capabilities?
Appreciate your help.
_______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
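The post above asks what a NAC can do with switches that only support link change. The following is an added example, not code from the post, from PacketFence or from Vyatta. It models the link-change mode of a NAC as a small Python script: it parses linkUp/linkDown trap lines (constructed here in a simplified snmptrapd-style "agent trap-OID varbinds" format, since real snmptrapd output depends on its logging options), and shows the limitation the post runs into: a linkUp trap carries only the ifIndex, never the client's MAC, so the NAC has to poll the switch's forwarding table (BRIDGE-MIB dot1dTpFdbTable) before it can decide which VLAN the port gets. The forwarding table and the registration database are constructed stand-ins, and the VLAN numbers are assumed.

```python
"""Link-change NAC flow: SNMP linkUp/linkDown trap -> FDB poll -> VLAN decision.

Added illustration; not the PacketFence implementation. Sample trap lines,
forwarding table and registration database are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard SNMPv2 notification OIDs from IF-MIB and the ifIndex column of ifTable.
LINK_DOWN_OID = "1.3.6.1.6.3.1.1.5.3"
LINK_UP_OID = "1.3.6.1.6.3.1.1.5.4"
IF_INDEX_PREFIX = "1.3.6.1.2.1.2.2.1.1."  # ifIndex.<n>
TRAP_NAMES = {LINK_DOWN_OID: "linkDown", LINK_UP_OID: "linkUp"}


@dataclass
class LinkEvent:
    switch_ip: str
    event: str      # "linkUp" or "linkDown"
    if_index: int   # the only client-related fact a link-change trap carries


# Constructed sample in a simplified snmptrapd-style layout:
#   <agent ip> <trap OID> <oid=value> ...
# Varbinds are ifIndex, ifAdminStatus and ifOperStatus (1 = up, 2 = down).
# The last line is a coldStart trap and must be ignored.
SAMPLE_TRAPS = """\
192.0.2.10 .1.3.6.1.6.3.1.1.5.4 .1.3.6.1.2.1.2.2.1.1.3=3 .1.3.6.1.2.1.2.2.1.7.3=1 .1.3.6.1.2.1.2.2.1.8.3=1
192.0.2.10 .1.3.6.1.6.3.1.1.5.4 .1.3.6.1.2.1.2.2.1.1.5=5 .1.3.6.1.2.1.2.2.1.7.5=1 .1.3.6.1.2.1.2.2.1.8.5=1
192.0.2.10 .1.3.6.1.6.3.1.1.5.3 .1.3.6.1.2.1.2.2.1.1.3=3 .1.3.6.1.2.1.2.2.1.7.3=1 .1.3.6.1.2.1.2.2.1.8.3=2
192.0.2.10 .1.3.6.1.6.3.1.1.5.1 .1.3.6.1.2.1.1.3.0=12345
"""

# Constructed stand-in for a BRIDGE-MIB dot1dTpFdbTable poll, keyed by ifIndex.
# In link-change mode this poll is unavoidable: the trap has no MAC in it.
FORWARDING_TABLE: Dict[int, str] = {3: "00:11:22:33:44:55", 5: "66:77:88:99:aa:bb"}

# Constructed registration database: registered MAC -> VLAN it may use.
REGISTERED: Dict[str, int] = {"00:11:22:33:44:55": 20}
REGISTRATION_VLAN = 2  # assumed VLAN for unknown devices (captive registration)

LINE_RE = re.compile(r"^(\S+)\s+\.?(\S+)\s*(.*)$")


def parse_trap_line(line: str) -> Optional[LinkEvent]:
    """Turn one trap line into a LinkEvent; None for non-link traps or junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    agent, trap_oid, rest = m.groups()
    if trap_oid not in TRAP_NAMES:
        return None
    for varbind in rest.split():
        oid, _, value = varbind.lstrip(".").partition("=")
        if oid.startswith(IF_INDEX_PREFIX) and value.isdigit():
            return LinkEvent(agent, TRAP_NAMES[trap_oid], int(value))
    return None  # a link trap without ifIndex gives the NAC nothing to act on


def parse_trap_log(text: str) -> List[LinkEvent]:
    return [ev for ev in map(parse_trap_line, text.splitlines()) if ev]


def decide(ev: LinkEvent, fdb: Dict[int, str]) -> Dict[str, object]:
    """Decide what to do with a port after a link event.

    linkDown: forget the port/MAC association.
    linkUp:   look the MAC up in the (polled) forwarding table; if the switch
              has not learned it yet, the poll must be retried later.
    """
    if ev.event == "linkDown":
        return {"if_index": ev.if_index, "action": "clear"}
    mac = fdb.get(ev.if_index)
    if mac is None:
        return {"if_index": ev.if_index, "action": "retry_fdb_poll"}
    vlan = REGISTERED.get(mac, REGISTRATION_VLAN)
    return {"if_index": ev.if_index, "mac": mac, "action": "set_vlan", "vlan": vlan}


def process_log(text: str, fdb: Dict[int, str] = FORWARDING_TABLE) -> List[Dict[str, object]]:
    return [decide(ev, fdb) for ev in parse_trap_log(text)]


if __name__ == "__main__":
    for decision in process_log(SAMPLE_TRAPS):
        print(decision)
```

The point the script makes concrete is the "wall" the post describes: with link change only, everything the NAC knows about the client comes from a follow-up SNMP read of the switch, not from the trap, so a switch whose forwarding table cannot be read (or that is only reachable behind a VPN gateway that supplies the addressing) leaves nothing for the NAC to act on.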
