>> Are you running multiple Packetfence servers for performance or mainly for
>> redundancy (cluster)?
Not really, we only have a single production PF server. However, it has proven
to be rock solid! We do have some plans for establishing a cluster and we will
be working with inverse sometime in the future to assist us in architecting
that solution.
Currently I am running a server with a 320 Gb RAID 1, 1 x Intel Xeon 4 core
2.6 GHz CPU, 8GB RAM. This server runs all the services except for MySQL. We
have an identical server for that, however in retrospect we probably should
have done a more monolithic setup and used the second box for clustering.
However, with our current setup I am supporting about 200 total switches and
APs across almost 1,000 vlans, with 13,032 unregistered devices and 11,298
registered devices.
My DB has a sustained 100 queries a second and bursts 300 to 400 / second under
peak conditions.
PF has not sputtered or hiccupped, or otherwise malfunctioned in any way. I
have had almost zero down time due to crash / bugs. My only down time has been
maintenance windows and misconfigurations.
There was a FreeRADIUS bug that would cause FR to crash if a special packet was
sent but that was fixed with a yum update : ).
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
From: Damian Mendoza [mailto:[email protected]]
Sent: Tuesday, April 30, 2013 11:28 AM
To: [email protected]
Subject: Re: [PacketFence-users] recommendations/ideas for Packetfence large
workstation school board
Jake,
Great feedback, Thank you!
Are you running multiple Packetfence servers for performance or mainly for
redundancy (cluster)?
Hardware specs for Packetfence to support your user base?
Thanks,
Damian
On Tue, Apr 30, 2013 at 9:13 AM, Sallee, Stephen (Jake)
<[email protected]> wrote:
We have a similar environment.
We opted for MAB (MAC Authentication Bypass) on the wire instead of 802.1x
because Microsoft's implementation of 802.1x is what can only be described as
purposefully obtuse.
802.1x is a fantastic technology and once you get it set up it works very well.
However, the management is a nightmare wrapped in terror sent CoD courtesy of
Redmond.
There are several 3rd party vendors that offer suites to make the roll out and
management of 802.1x on Windows easier but they are not free and you get what
you pay for.
MAB works very well and will do everything 802.1x does sans the encryption.
Best part? It requires no changes to the clients, MAB is configured on the
switch and the client is blissfully ignorant.
Wireless is another story, we use MAB there too. But since wireless is a
shared medium it is significantly easier to attempt to spoof a MAC and gain
access to the network. Just make sure you have some countermeasures in place
to mitigate known attack vectors.
Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: Damian Mendoza
[[email protected]]
Sent: Tuesday, April 30, 2013 10:42 AM
To:
[email protected]
Subject: [PacketFence-users] recommendations/ideas for Packetfence large
workstation school board
Hi,
Looking at installing Packetfence at a school district with 8,000 wired
workstations and 2,000 wireless devices across 26 schools.
The goal is to lock down the network so switch ports are not open for network
access unless approved by an on-site technician and wireless connections are
more secure than just using a basic SSID. Dynamic VLAN assignment would be a
plus for guest access.
Switches are all fairly current Cisco models that support 802.1x.
Does it make sense to use 802.1x on all wired devices? 90% of workstations are
Windows XP. If we went with link up/link down would we be looking at
performance issues on a single PF server? Would multiple PF servers be
recommended?
Configuring 802.1x on 8,000 workstations would take some time since we would
have to push out scripts to enable it and configure it properly. Wired guest
workstations would also have to be configured with 802.1x which might not be
possible.
Any recommendations?
Thanks,
--
Damian Mendoza
[email protected]
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Damian Mendoza
XVR Software, LLC
949 218-3337
Ask me about how to access your mission critical servers when a disaster
occurs, SIS, BIS, eMail Servers, Transportation, etc.