Hello,
answer below.
Fabrice
On 2013-12-03 23:30, Walt A. Draffin wrote:
> Hi all,
> I'm new to the list and I'm fairly new to the NAC concept. I played
> around with PF a couple of years ago in an inline test environment and
> at the time, the company I worked for decided to go a different
> route. I am now at a new job at a small university. I recently
> started working on a proof of concept for a NAC, PF, in a test
> environment. My goals are to use vlan/role assignments and ACLs to
> protect the network better as well as make it more user friendly.
> Right now, we don't support gaming devices on our wifi since most of
> the game consoles don't support wpa2 enterprise and we get lots of
> requests for that. I am looking for best practices on how to
> accomplish the following.
> Info:
> 1) Ubuntu 12.04
> 2) PF 4.06
Wait for the incoming 4.1
> 3) Active Directory 2008 R2
> 4) Cisco Switches (2950, 2960, 35??)
> 5) Cisco Wireless Controller 5508
> 6) HP 7508? core
> 1) Network segmentation based on building, wired/wireless, and role(s)
> 2) Any computer that exists in Active Directory is automatically
> registered in PF, regardless of where it's connected from
Autoregistration on machine auth and answer a vlan where the user can
contact the active directory
> 3) If the computer doesn't exist in AD, send to captive portal and if
> the person has an account in AD they can login with their AD credentials,
> otherwise they have to register for a guest account.
On a secure SSID: autoregistration on machine auth wasn't ok so if only
user auth then return the registration vlan. (captive portal with ad and
guest auth)
On an Open SSID: normal captive portal with ad auth and guest auth.
> 4) Be able to register gaming and media devices easily and associate
> them with a user
Included in pf
> 5) (Maybe) Block home routers from gaining access to the network
Suricata or snort integration
> 6) Network traffic shaping based on role (Outside of PF's scope?)
Yes, outside of scope
> 7) ACLs based on vlan\role (I realize I will have to build this myself)
You can use a role instead of a vlan id (the switch/controller must be
compatible)
> 8) At some point, maybe use SNORT and OpenVAS/Nessus
> 9) I feel like I'm forgetting something but that's all I can think of
> at the moment. lol
> I want little to no impact for end users using our devices, unless
> they are just blatantly doing something wrong (virus/unauthorized
> access). I want to give students the easiest way to gain access to
> the internet and internal resources that they need while adding some
> security and tracking ability to our network.
> I've got it working to a certain extent with SNMP traps, but that
> didn't auto register the computers that are in AD. I've been trying
> to get 802.1x authentication working, but have been having some
> FreeRadius issues that I'm unfamiliar with. (EAP_TLS: Unknown CA errors)
Uncheck verify certificate in your 802.1x profile
> I realize this has been a very generic message but I'd like just some
> feedback of other users' experiences with PF and just make sure I
> don't waste time going down the wrong path.
> Any questions, suggestions, criticisms and what-not are welcome.
> Thanks for your time,
> WaltDjr
------------------------------------------------------------------------------
Sponsored by Intel(R) XDK
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
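The EAP-TLS "Unknown CA" error discussed above is the supplicant failing to chain the RADIUS server certificate to a CA it trusts. As an added example (not from this thread or from PacketFence/FreeRADIUS), the script below builds a throwaway PKI with openssl and runs the same chain check against the signing CA and against an unrelated one; every certificate name and path in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "Unknown CA" condition
# of an EAP-TLS handshake with openssl, outside of FreeRADIUS. The
# supplicant rejects the RADIUS server certificate when the CA that signed
# it is not in the supplicant's trust store. All names below are constructed.
set -eu

WORK=$(mktemp -d)

# Build a throwaway PKI: the CA that actually signed the RADIUS server
# certificate, the server certificate itself, and an unrelated CA that
# stands in for the (wrong) CA a supplicant might have been told to trust.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Campus RADIUS CA (constructed)" \
        -keyout "$WORK/radius-ca.key" -out "$WORK/radius-ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA (constructed)" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.invalid" \
        -keyout "$WORK/radius.key" -out "$WORK/radius.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/radius.csr" \
        -CA "$WORK/radius-ca.crt" -CAkey "$WORK/radius-ca.key" -CAcreateserial \
        -out "$WORK/radius.crt" 2>/dev/null
}

# The check a supplicant performs: chain the server certificate to a
# trusted CA. Returns 0 when the chain validates and 1 otherwise (openssl
# reports "unable to get local issuer certificate", the Unknown CA case).
verify_server_cert() {
    ca_file=$1
    server_cert=$2
    if openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

make_test_pki
verify_server_cert "$WORK/radius-ca.crt" "$WORK/radius.crt" && echo "signing CA trusted: chain OK"
verify_server_cert "$WORK/other-ca.crt" "$WORK/radius.crt" || echo "unrelated CA trusted: Unknown CA"
```

Unchecking "verify certificate" on the client silences the error, while importing the CA that actually signed the RADIUS server certificate into the supplicant's trust store clears it and keeps the client able to tell a rogue RADIUS server from the real one.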