Good evening Oliver,

We are trying to set up PF in a reasonably complex environment after hearing about it on FLOSS Weekly a couple of months ago. The relevant pieces of the architecture are:
  • 25 user VLANs, plus another 10 VLANs such as guest, intranet, backup, etc., along with the PF reg, iso, mac, etc.
  • PacketFence and 5 Vyatta routers (in hub-spoke config) running on a XenServer installation.
  • Cisco Catalyst 2960G
  • Cisco WLC 2106
  • Cisco 1130 LAPs
  • 1 Vyatta router has DHCP scopes for all VLANs except guest and registration. All other routers forward DHCP traffic to it and to the PF server.
  • Each router mirrors all its user network traffic to an IDS network which is connected to the PF server.
  • PF server is connected to devicenet (all physical devices with management interfaces), registration, isolation, and IDS/DHCP forwarding networks.
  • Clients are Macs, Unix, and Windows XP and 7 machines.
  • VOIP devices are also present.
  • The 25 VLANs represent 25 organizations, each of which needs to be able to hit its own LAN from either a wallport or a wireless access point.
  • Large and small conferences are often held where internet access is needed during the conference for the guests.

The above architecture is in place, but we are doing final configuration between switches/WLC and PF.

In the process of doing so, I have found that there are a number of aspects regarding the flow of the 802.1x authentication that I am unclear on (I have not taken the time to read through all the source code and Perl modules, but have read the documentation and a fair number of posts):

1.  Exactly what function does the PF radius module perform? It appears that authentication still flows from the switch/WLC to the radius server (EAP-* over radius), which presumably is answering the query as it normally would. But is the PF radius module validating against PF at that point, simply relaying authentication results back to PF, or both?

2.  If the radius module is querying PF for username/password, what is the preferred approach for linking specific VLANs to users, since that information would then be stored in PF (or an external LDAP-based directory)? Should custom.pm be modified to look up, for example, a VLAN value in the notes field and return that?

OR, would we be better off storing user info/VLAN assignment in OpenLDAP or AD? In that case, does FreeRadius query the external directory, or does that go through PF first? If an external directory is used, either directly by FreeRadius or via PF, what is the intended flow of information, including retrieving and assigning per-user VLAN info, and the correct place to write any custom code? Is it a preferred approach to store a "category" in the user account fields within the LDAP directory and then use code in radius to link that to a VLAN to be assigned, or is direct storage of the VLAN ID within the user account fields equally acceptable? If FreeRadius directly queries an external LDAP-based directory, at what point in the flow does PF become aware of the VLAN assigned?

The fact that there does not seem to be a way to set the user password except from the command line for PF users (persons) kind of suggests that it was not really intended to store user account information. I mention this as one of the requirements that we thought PF was going to fulfill for this project was a well-done user interface where user accounts, VLAN assignments and general status would be available to non-technical users.

3.  If the users file for FreeRadius is used to store/authenticate for 802.1x/EAP radius requests of known associations (user->VLANs), it would seem there would not need to be additional authentication performed, but rather the PF system should consider the authenticated device as registered. Is that correct?

4.  What does registration status convey? A VLAN assignment obviously occurs, but does registration also convey meaning for SNORT/Nexus as to which devices should be considered targets?

5.  A related question has to do with guest-type access from a wireless origin. I believe I read in the PF documentation that the best practice is to run 2 SSIDs on the WAPs: one secure SSID using 802.1x and one open SSID presumably assigned to the registration VLAN, where evidently the captive portal would intercept for registration. That seems really odd to me, due to the presumed requirement for the user to then manually switch SSIDs and re-authenticate after registering on the non-secure SSID. I am wondering why you would not just assign the registration VLAN to everything that did not have a predefined security association (whether defined in radius or PF) and then let them communicate with the portal before being switched over to the guest VLAN (assuming a successful registration).

6.  Do you know whether PF can control 1130 LAPs in H-REAP mode by still referencing only the WLC in the switches.conf?

7.  What should the captive portal IP address be set to? We have it set to the PF address on the registration network.

8.  Information flow. My current understanding is basically as follows (I will assume VLAN port security and skip trapping for now). Please correct any misunderstanding I have.

a.  A device attempts to connect, either via a wired or wireless connection, using 802.1x/EAP.

b.  If a security association is present (user/password or certificate or MAC bypass), a VLAN is returned, PF registers the device and the device can start communicating. There is no need for a device to hit the registration portal if the system already knows about it (a user account exists).

c.  If no security association is present, the device is assigned to the registration VLAN and specified protocols are intercepted, redirecting to the portal for registration. Once registered, a VLAN is assigned based on category and successful authentication. I assume that the various expiration methods would apply to all registered devices, but simple auto-renew for those accounts that were permanently in the system (either via PF or the radius user store).

d.  When the device disconnects or a timeout occurs, the "port" is disassociated from the assigned VLAN and reset.
Registered devices are subject to network inspection by netflow, SNORT and Nexus scans and can be moved to the isolation VLAN at any time.


Thank you for your help. I will be happy to document what we have done when complete, and perhaps some information flow documents as well.

David H Smith   MCSE, CCSP, CCA

Technical Solution Providers, Inc.

T: 503.629.5279   M: 503.915.2955
F: 503.214.6619
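For the "users file" approach raised in question 3, the following is an added example of what per-user VLAN entries in a FreeRADIUS `users` file look like; it is not part of the original message or of PacketFence's own configuration, and the user name, MAC address, VLAN IDs and password are constructed placeholders. The VLAN is returned to the switch/WLC with the RFC 3580 tunnel attributes, which is the standard mechanism for dynamic VLAN assignment over 802.1x.

```text
# Constructed example: per-user VLAN assignment via RFC 3580 tunnel attributes.
# Check items go on the first line of an entry; reply items are indented on the
# following lines and separated by commas.

# A user of one of the 25 organizations: authenticates with EAP (PEAP/MSCHAPv2
# needs the cleartext password available here) and is placed in VLAN 110.
alice    Cleartext-Password := "placeholder-password"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "110"

# MAC authentication bypass for a VOIP phone: the switch sends the MAC address
# as both User-Name and password. The exact MAC formatting (with or without
# separators, upper/lower case) depends on the switch, so match what it sends.
001122334455  Cleartext-Password := "001122334455"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "200"
```

Whether PacketFence treats such a device as registered once the switch has accepted it is exactly the point the question asks about; the entries above only show the RADIUS side of the user->VLAN association.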


_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users