> Oh yes, and this needs to be in full production no later than March 26. So
> the less code that needs to be written and debugged, the better.
So you want a full 802.1X implementation from a new vendor in 1 month? You, sir, have what we call an aggressive timetable! You will want to take the age-old HaE approach, that would be Hire an Expert. Call Inverse, buy their support. They are amazing.

Also, your understanding of how PF assigns VLANs is half right. A user's VLAN is re-evaluated every time they associate with the network. If it was not, then the registration/isolation feature would not work. We also place users in separate VLANs depending on how they log in; in our case students get placed on one VLAN and Faculty/Staff on another. This is decided by their credentials, and if you configure the wireless connection NOT to cache the creds then users can associate with the new VLAN without even logging out of the device. Defining a user's access based on their credentials is part and parcel of how PF works.

I think that if you hire Inverse you will be pleasantly surprised by exactly how well PF will serve your needs.

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Rich Graves [[email protected]]
Sent: Tuesday, February 28, 2012 10:38 PM
To: [email protected]
Subject: [Packetfence-users] PF and eduroam

I see some archived posts from Peter at Goldsmiths 2-3 years ago referencing eduroam. If Peter's still here, I'm curious how things have worked out. Anyone else is free to chime in too, of course.

Last year, we deployed eduroam (eduroam.org) as our only WPA2-Enterprise SSID. I have a small perl rlm (250 lines including comments) to do custom authorization and VLAN assignment. This year, I intend to put our open wireless and wired networks under PacketFence management. It would be nice to be able to manage all of this in the same system.
I see several possible ways to approach this:

1) Merge my existing eduroam FreeRADIUS configuration with PacketFence's and turn the eduroam-specific FreeRADIUS servers off. Although PF has hooks for pf::radius::custom and pf::vlan::custom, this seems non-trivial, especially across upgrades. My biggest conceptual problem is that a VLAN or category is assigned to a node upon first registration, but I want it to happen dynamically every time that the 802.1X client authenticates. I like that the laptops we make available for short-term loan land in a different VLAN depending on who is logged on. I've been told that Inverse is looking into an option to recalculate the proper VLAN every time based on the 802.1X user, but I can't count on this being done in my time frame.

2) Use a RADIUS accounting hook on my eduroam FreeRADIUS server to inject "node" entries into PF. Violations could be opened and closed, etc. through PF administrative and captive portal interfaces. The eduroam FreeRADIUS server would then consult PF, through web services or more likely SQL queries, to see if a node should be quarantined. On the plus side, this seems fairly upgrade-safe and is in fact how I am obscuring the difference between eduroam and a legacy captive portal system (which is to be replaced by PF).

3) Maybe something can be done with proxy/federation purely at the RADIUS level.

Oh yes, and this needs to be in full production no later than March 26. So the less code that needs to be written and debugged, the better.

-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
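The per-authentication VLAN decision from option 1 combined with the "consult PF by SQL to see if a node should be quarantined" check from option 2, as an added example that is not code from this thread, from Rich's rlm, or from PacketFence: a FreeRADIUS rlm_perl post_auth hook. The realm-to-VLAN mapping, the isolation VLAN number, the PF database DSN/credentials and the `violation` table columns are assumptions for illustration.

```perl
# Added example (not the thread's or PacketFence's code): rlm_perl post_auth
# hook that re-derives the VLAN from the 802.1X identity on EVERY successful
# authentication, then overrides it with an isolation VLAN if PacketFence
# holds an open violation for the client MAC.
use strict;
use warnings;
use DBI;

# Hashes that rlm_perl fills in for each request (real rlm_perl interface).
our (%RAD_REQUEST, %RAD_REPLY);
# Return codes as defined by rlm_perl.
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_OK => 2, RLM_MODULE_UPDATED => 8 };

my %VLAN_FOR_REALM = ( students => 20, staff => 30 );   # assumed mapping
my $ISOLATION_VLAN = 99;                                  # assumed VLAN id

# Map "alice@students.example.edu" to the VLAN for realm "students";
# undef when the realm is unknown or the identity has no realm.
sub vlan_for_identity {
    my ($username) = @_;
    return undef unless defined $username && $username =~ /\@([^.]+)\./;
    return $VLAN_FOR_REALM{$1};
}

# Ask PacketFence's database whether an open violation exists for this MAC.
# Assumed schema: table `violation` with columns `mac` and `status`.
# A production module would keep the handle open instead of reconnecting.
sub has_open_violation {
    my ($mac) = @_;
    my $dbh = DBI->connect('DBI:mysql:database=pf;host=127.0.0.1',
                           'pf', 'PLACEHOLDER_PASSWORD', { RaiseError => 1 });
    my ($n) = $dbh->selectrow_array(
        'SELECT COUNT(*) FROM violation WHERE mac = ? AND status = ?',
        undef, lc $mac, 'open');
    $dbh->disconnect;
    return $n > 0;
}

sub post_auth {
    my $mac = $RAD_REQUEST{'Calling-Station-Id'} // '';
    $mac =~ s/-/:/g;   # normalise aa-bb-cc-dd-ee-ff to the colon form PF stores
    my $vlan = vlan_for_identity($RAD_REQUEST{'User-Name'});
    return RLM_MODULE_REJECT unless defined $vlan;   # unknown realm: no access
    $vlan = $ISOLATION_VLAN if has_open_violation($mac);
    # Standard RFC 3580 dynamic-VLAN reply attributes.
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_UPDATED;
}
1;
```

Because the lookup runs in post_auth rather than at registration time, a loaner laptop lands in the VLAN of whoever authenticates on it, and a violation opened in PF takes effect at the next reassociation.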
