Sure! Our setup is interesting ... each one of our buildings is given its own class B address space, and in each of these buildings there are several VLANs. Between all the buildings is a layer 3 routed link. In our NOC we have a dedicated server VLAN where our PF servers live.

I have already said what our servers are like; nothing really special about them. The real magic is done by a Perl script on the FreeRADIUS server. We followed the deployment guide pretty much word for word, but since this is a VLAN'ed / routed environment we didn't need to have multiple physical links on the PF server.

As I mentioned, most of our clients are wireless. We are using a wireless vendor called Xirrus and the config on the Xirrus equipment is pretty straightforward. Most of my time was spent trying to get FreeRADIUS to work with Windows clients without any special config on the clients ... short answer ... you can't! That's not a FR issue, it's because of Microsoft ... I will leave my true feelings about that for another conversation >: ( I ended up writing a program to auto-config our Windows users' wifi connection.

Inverse helped us with a very small customization: basically we have 2 AD trees, one for students and one for admin users. When you log in to the network FR reports to PF what domain you logged into and PF sets the correct VLAN for your user; combine that with the new auto-registration feature and we are in 802.1x nirvana!

Another trick we learned was to let the PF server handle DHCP and DNS for the registration and remediation VLANs. PF likes to see the beginning of the conversation between the server and the endpoint; if PF doesn't see the DHCP transaction then it kinda freaks out a bit and will give you trouble when your users try to register. I believe the auto-register feature overrides this though.

If I had it to do all over again I would probably do a redundant monolithic install where everything is on one beefy server that is mirrored to a twin for failover. For 6K hosts your hardware reqs may be a little higher than mine, but more important than hardware is the number of authentications and authorizations per second AND what type. Wireless 802.1x has a higher network overhead than wired, plus wireless links tend to be slower than wired.

Since you are just starting out it is hard to communicate everything; I hope I am giving you some useful information and not a bunch of junk. In the interest of full disclosure I will say that we are not what you might call PF experts! We are relatively new to the product also. It really helped me out a lot to spend some time learning Perl and looking into the source to see exactly what is going on.

I hope that helps. If you have any questions please post them to the list; if I can I will answer them to the best of my ability.

Oh! One last thing ... I don't know if you are a Linux guy or not, but I have found that managing the servers is MUCH easier to do from a Linux workstation. The PF GUI is web-based so no biggie there, but the OS stuff seems easier from a Linux station. But that is just my $.02.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: Willis, Ben [mailto:[email protected]]
Sent: Tuesday, February 15, 2011 7:14 AM
To: '[email protected]'
Subject: Re: [Packetfence-users] Packetfence Deployment

Jake,

Would you be willing to share more details about your setup/configuration with me? I'm having trouble conceptualizing this and your setup is pretty close if not exactly like we want ours....

Thanks,
Ben

-----Original Message-----
From: Sallee, Stephen (Jake) [mailto:[email protected]]
Sent: Friday, February 11, 2011 10:49 AM
To: [email protected]
Subject: Re: [Packetfence-users] Packetfence Deployment

I am not sure how much it will help but here is what we did / are doing:

We have 50+ buildings that operate independently, so while not truly "remote" sites they are routed links, so they are very similar. We are expecting about 3K hosts (expecting because we are not in FULL production yet ... PF is ready, now it's management that has to give us the go-ahead!) so you may want to factor that into what I am about to say; also the VAST majority of our hosts are wireless...

We have 2 servers: 1 PF server, 1 FreeRADIUS/MySQL. The servers are not HUGE: single quad core proc @ 2.4 GHz, 8GB RAM, RAID 1. Given how PF works with MySQL, in retrospect I probably would have gone with PF and MySQL on the same server with better disk IO and possibly slightly better HW, and let the FR server stand alone on a smaller box, but live and learn...

As for routing your VLANs, what we did is set up a containment VLAN in each building (for you, building = site), then let the PF server handle DHCP and DNS for that VLAN. It works quite well for us. Our servers are safely tucked away behind our firewall on a dedicated server network ... (depending on your topology) there shouldn't be any reason that the servers would need to be @ a gateway location ... unless I am misunderstanding your question...

According to Inverse our current setup should be fine for the amount of users we are expecting.

***CAUTION*** This setup does not have ANY redundancy; if either PF / MySQL / FR fails then the whole thing will stop working! We will soon be looking into redundancy, so anyone out there with it set up, please share : ) ***/CAUTION***

BTW: A word about support. In an enterprise deployment such as yours where you cannot afford downtime and/or the application is considered "mission critical", I would highly suggest you purchase some support. AFAIK the only company selling support for PF is Inverse, the people who make it. Unless you are a Perl expert and have time to burn, they are an invaluable asset when you encounter a bug or need a new feature added. We used them in helping us with our proof of concept and pilot deployment, with excellent results. I'm not trying to sound like a fan-boy (I know I have posted about Inverse before), I am only giving my honest opinion.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: Willis, Ben [mailto:[email protected]]
Sent: Friday, February 11, 2011 9:06 AM
To: [email protected]
Subject: [Packetfence-users] Packetfence Deployment

Hi,

I'm looking to possibly deploy Packetfence on my network but I have several questions.

1. In a fairly large, distributed network with 6k hosts, where should I place the NAC? Do I need an instance on each segment or will one installation at the internet gateway work?
2. If one instance can be used, will I have to route my remote VLANs to the interface on the NAC to get the quarantine functionality?
3. Will a single installation be able to handle 6k hosts across 22 remote locations?

Thanks to anyone willing to give me some direction!

Ben

________________________________
ANDERSON SCHOOL DISTRICT FIVE NOTICE: This email may contain business related information that is PERSONAL AND CONFIDENTIAL. If you have received this email in error, this does not constitute permission to examine, copy or distribute the accompanying material. If you receive this message in error, please notify the sender immediately or call 864-260-5000.

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
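The domain-to-VLAN step Jake describes in the top message (FreeRADIUS reporting the AD domain, PF choosing the VLAN), shown as an added example that is not part of this thread and is neither Jake's Perl script nor anything from Inverse or PacketFence. In Jake's deployment PacketFence makes the VLAN decision; this rlm_perl post_auth hook for FreeRADIUS 2.x makes it directly in FreeRADIUS to show the mechanism: pull the Windows domain out of User-Name and answer with the RFC 3580 tunnel attributes the switch or AP uses for dynamic VLAN assignment. The domain names, VLAN numbers and the registration-VLAN fallback are assumed placeholders.

```perl
#!/usr/bin/perl
# Added example (not the thread's or PacketFence's code): an rlm_perl post_auth
# hook for FreeRADIUS 2.x that assigns a VLAN from the Windows domain found in
# User-Name. In the poster's deployment PacketFence makes this decision; here
# it is made in FreeRADIUS to show the mechanism.
use strict;
use warnings;

# rlm_perl fills these package hashes before calling each function.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# rlm_perl return codes (values as listed in the FreeRADIUS 2.x example.pl).
use constant {
    RLM_MODULE_REJECT  => 0,
    RLM_MODULE_OK      => 2,
    RLM_MODULE_NOOP    => 7,
    RLM_MODULE_UPDATED => 8,
};

# ASSUMED mapping: domain names and VLAN IDs are placeholders, not the poster's.
my %DOMAIN_VLAN = (
    STUDENTS => 20,
    ADMIN    => 30,
);

# ASSUMED: an identity with no known domain lands in the constrained
# registration VLAN rather than a production VLAN (fail closed).
my $REGISTRATION_VLAN = 2;

# Extract the domain from DOMAIN\user or user@realm. Returns undef when the
# identity carries no domain at all.
sub domain_from_username {
    my ($name) = @_;
    return undef unless defined $name;
    return uc $1 if $name =~ /^([^\\\/\@]+)\\[^\\]+$/;   # DOMAIN\user
    return uc $1 if $name =~ /^[^\@]+\@([^.\@]+)/;      # user@domain.example
    return undef;
}

# Called from the post-auth section of the inner-tunnel virtual server, so
# User-Name is the real (inner) EAP identity, not an anonymous outer one.
sub post_auth {
    my $domain = domain_from_username($RAD_REQUEST{'User-Name'});
    my $vlan   = defined $domain ? $DOMAIN_VLAN{$domain} : undef;

    if (!defined $vlan) {
        $vlan = $REGISTRATION_VLAN;
        &radiusd::radlog(1, "no VLAN mapping for domain '"
            . (defined $domain ? $domain : 'none')
            . "', using registration VLAN $vlan");
    }

    # RFC 3580 attributes for dynamic VLAN assignment.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = "$vlan";
    return RLM_MODULE_UPDATED;
}

1;
```

To wire it in on FreeRADIUS 2.x, point the `perl` module (`modules/perl`, `module = ...`) at this file and list `perl` in the `post-auth` section of the `inner-tunnel` virtual server. Two caveats a practitioner will hit: with PEAP the reply attributes set in the inner tunnel only reach the access point if `use_tunneled_reply = yes` is set in the `peap` section of `eap.conf`, and the unknown-domain branch should always send users to a constrained VLAN, never to a default production one, since an attacker controls the User-Name string they present.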
