Hi Rich,

> So, in a couple of months, PF 3.3+ will be taking over my wired network with
> (nearly) 100% Cisco 3560's (various models), all running IOS 12.2(55) or
> later.

Very cool!

> Most of the docs advise 802.1X/MAB. Fine.

Yes, the new trend is to use AAA-based authentication rather than port-security.

> How do state changes happen when devices need to go in/out of
> registration/isolation? Is it CoA (I thought that was only supported on
> wireless)? SNMP? Scripted CLI?

With MAB, we just bounce the port (ifdown/ifup) using SNMP. With 802.1X, we force a reauth using the PAE MIB. We could potentially use CoA as well, but the code for it is not there yet (although we tested it working with our test 2960).

> [How] could I support multiple MACs per switch port? Some of our buildings
> have inadequate copper plant, so hubs are legitimately in use. I'd be OK with
> a model that allowed all access to normalVlan if one connected device is
> registered, and isolated the port if one connected device is in violation.
> Does this require port security or link trap instead? (I guess buying a bunch
> of cheap manageable switches as "roaming devices" is a possibility, with each
> roaming device itself becoming PF-managed, but this requires boots on the
> ground...)

I will assume you don't have VoIP on your network where your hubs are. Normally, we recommend the use of the host-mode multi-domain on the Cisco for MAB/802.1X to allow VoIP + data on the same port. However, nothing prevents you from using another host-mode, such as multi-host. The effect of that would be to authenticate the first user to connect to the port, and then blindly allow every other host that connects afterward. This might be something to look at for your hubs. Note that all other nodes will depend on the status of the first one, and reg/isolation features won't work very well.

I hope it helps!

-- 
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc.
:: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
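Added example, not part of the post above and not PacketFence's own configuration: a Cisco IOS 12.2(55)SE-style fragment that puts the two host-modes the reply discusses side by side. Gi0/1 is the recommended multi-domain port (one data MAC plus one voice MAC, each authenticated separately); Fa0/24 is a hub port in multi-host mode, where only the first MAC is authenticated and every later MAC on the port rides on that first session. Interface names, VLAN IDs, the RADIUS server address 192.0.2.10 and the key and community strings are placeholders chosen for this example.

```cisco
! --- Global AAA: required for both MAB and 802.1X (assumed values) ---
aaa new-model
aaa authentication dot1x default group radius
! Needed so the RADIUS server (PacketFence) can push the VLAN via tunnel attributes.
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-RADIUS-KEY
dot1x system-auth-control
! A read-write community is what lets the NAC bounce a port (ifAdminStatus down/up)
! or trigger a PAE-MIB reauthentication, as described in the reply.
snmp-server community EXAMPLE-RW-COMMUNITY RW

! --- Recommended port: host-mode multi-domain (one data device + one phone) ---
interface GigabitEthernet0/1
 description PC + IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast

! --- Hub port: host-mode multi-host (first MAC authenticates, the rest are let through) ---
interface FastEthernet0/24
 description Hub - inadequate copper plant
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 authentication order mab dot1x
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

The multi-host port illustrates the caveat in the reply: the switch only ever sees one authenticated session on Fa0/24, so when the NAC bounces the port or forces a reauth, every device behind the hub moves together with whatever VLAN the first MAC is assigned, and per-device registration or isolation cannot be enforced there.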
