Hi all,
I'm new to the list and I'm fairly new to the NAC concept. I played around
with PF a couple of years ago in an inline test environment and at the time,
the company I worked for decided to go a different route. I am now at a new
job at a small university. I recently started working on a proof of concept
for a NAC, PF, in a test environment. My goals are to use vlan/role
assignments and ACLs to protect the network better as well as make it more user
friendly. Right now, we don't support gaming devices on our wifi since most of
the game consoles don't support WPA2 Enterprise and we get lots of requests for
that. I am looking for best practices on how to accomplish the following.
Info:
1) Ubuntu 12.04
2) PF 4.06
3) Active Directory 2008 R2
4) Cisco Switches (2950, 2960, 35??)
5) Cisco Wireless Controller 5508
6) HP 7508? core
Goals:
1) Network segmentation based on building, wired/wireless, and role(s)
2) Any computer that exists in Active Directory is automatically registered in
PF, regardless of where it's connected from
3) If the computer doesn't exist in AD, send it to the captive portal; if the
person has an account in AD they can log in with their AD credentials, otherwise
they have to register for a guest account.
4) Be able to register gaming and media devices easily and associate them with
a user
5) (Maybe) Block home routers from gaining access to the network
6) Network traffic shaping based on role (Outside of PF's scope?)
7) ACLs based on VLAN/role (I realize I will have to build this myself)
8) At some point, maybe use SNORT and OpenVAS/Nessus
9) I feel like I'm forgetting something but that's all I can think of at the
moment. lol
I want little to no impact for end users using our devices, unless they are
just blatantly doing something wrong (virus/unauthorized access). I want to
give students the easiest way to gain access to the internet and internal
resources that they need while adding some security and tracking ability to our
network.
I've got it working to a certain extent with SNMP traps, but that didn't
auto-register the computers that are in AD. I've been trying to get 802.1X
authentication working, but have been having some FreeRADIUS issues that I'm
unfamiliar with (EAP_TLS: Unknown CA errors).
I realize this has been a very generic message, but I'd just like some feedback
on other users' experiences with PF to make sure I don't waste time going down
the wrong path.
Any questions, suggestions, criticisms and what-not are welcome.
Thanks for your time,
WaltDjr
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users