Hi Max,
Floating devices are great and not great at the same time.
The principle behind it is to remove the security on a switchport to
allow, like you said, an AP or another special device to have access to
an access VLAN or a trunk port without going through RADIUS.
The security is deactivated via SNMP.
And reactivated when an SNMP up trap is sent to PacketFence (using the
glorious pfsetvlan service).
This means you need to activate pfsetvlan on your installation (which
consumes quite a bit of RAM due to its threaded architecture).
Now enough with how it works and let's talk pros/cons.
Pros:
- You can plug your APs anywhere and they will simply work as long as
the VLANs are spanning correctly. That makes your job easier.
- That's about it...
Cons:
- Not supported on a lot of switches.
  - Right now we support it on a few switches in port-security
    enforcement and on HP, Juniper and Cisco in MAC Authentication (RADIUS)
- This can and will break because this mode is complex
  - Should a trap not reach PacketFence or one of the services
    fail for a few seconds, your switchport will be left in open mode.
    Meaning anybody can connect and access the AP network on that port.
  - When a switch reboots, the SNMP traps can be delayed by the
    switch and the actions may not be taken in the exact order they should
    and that can misconfigure some ports.
  - As stated above, it is complex. There is a lot of SNMP exchange
    and should any command not be executed properly by the switch, it will
    break the chain.
  - As SNMP MIBs have a tendency to change for specialized features
    (like VLAN assignment or trunking), you may be forced to stay on an old
    firmware to keep support for this feature or may have Monday morning
    surprises after a firmware upgrade.
Now my 2 cents:
- Some specific use cases are good for this
  - You have access points that you may lend to trusted employees so
    they can spin up an SSID for a specific use.
  - You have a few 8 port switches you lend to people for some
    specific events
- Don't use this for your APs that always (or almost) stay at the same
place because a misconfiguration in SNMP will have an immediate impact
on dozens of users.
Cheers!
- Julien
On 02/17/2016 12:59 PM, Max McGrath wrote:
Hi all -
I'm interested in the floating network devices portion of
PacketFence. We currently do not use it but I'm curious about its
use with access points.
Does anybody put their entire fleet of APs under the floating devices
config so all APs can be moved around without worrying about port
config? Or is it more meant for a small number of APs and other devices?
Max
--
Max McGrath <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
Network Administrator
Carthage College
262-552-5512 <tel:262-552-5512>
[email protected] <mailto:[email protected]>
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Julien