>> How do state changes happen when devices need to go in/out of
>> registration/isolation? Is it CoA (I thought that was only
>> supported on wireless)? SNMP? Scripted CLI?
>
> With MAB, we just bounce the port (ifdown/ifup) using SNMP. With
> 802.1X, we force a reauth using the PAE MIB.

OK. I could try CoA, but there seems little benefit right now. One packet instead of two.

>> [How] could I support multiple MACs per switch port?
>
> Normally, we recommend the usage of the host-mode multi-domain on
> the Cisco for MAB/802.1X to allow VOIP + Data on the same port.
> However, nothing prevents you from using another host-mode, such as
> multi-host. That would have the effect of authenticating the first
> user to connect to the port, and blindly allowing every other host
> that would connect afterward. This might be something to look at
> for your hubs. Note that all other nodes will depend on the
> status of the first one, and reg/isolation features won't work

OK, this model is probably good enough for us, except when it's not.

I could have 802.1X reauth kick in periodically -- so the switch would act blindly, but open its eyes for a peek every few hours, and if multiple devices with different registration status are connected, behavior would be random. Well, that's not good. So I guess it would be safer to turn reauth off, right? It "should" not really be necessary, right?

The main risk would be that nodes plugged into hub ports cannot be isolated or even located with PF, but CDP/CAM tables are still effective.

Does the PF port security model support multiple MACs any better?

Alternatively, can someone recommend a cheap smart switch that plays well with PacketFence? Netgear GS108T is the cheapest I found that claims 802.1X and VLAN support, but it would also need to support 802.1X+MAB, and I don't see evidence of that.
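The two host modes discussed in this thread, side by side as a Cisco IOS interface fragment. This is an added example, not configuration posted in the thread or shipped by PacketFence; the interface names and VLAN IDs are constructed placeholders, and exact syntax varies by IOS release.

```cisco
! Constructed example: interface names and VLAN IDs are placeholders.
!
! Port A: multi-domain. One data device and one voice device,
! each authenticated on its own (MAB or 802.1X).
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Port B: multi-host, for a port with a hub behind it.
! Only the first MAC to appear is authenticated; every later MAC
! inherits that port state, so per-device registration and
! isolation cannot be enforced on this port.
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-host
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Periodic reauthentication left off, as considered in the reply above.
 no authentication periodic
```

On a multi-host port, the switch's MAC address table (`show mac address-table interface ...`) remains the way to see which devices actually sit behind the authenticated one.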
