Thanks Julien.

Excellent information.  I think I'll stay away from this for now!

Max

--
Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
Network Administrator
Carthage College
262-552-5512
[email protected]

On Wed, Feb 17, 2016 at 1:08 PM, Julien Semaan <[email protected]> wrote:

> Hi Max,
>
> Floating devices are great and not great at the same time.
>
> The principle behind it is to remove the security on a switchport to allow,
> like you said, an AP or another special device to have access to an access
> VLAN or a trunk port without going through RADIUS.
> The security is deactivated via SNMP.
> And reactivated when an SNMP up trap is sent to PacketFence (using the
> glorious pfsetvlan service).
>
> This means you need to activate pfsetvlan on your installation (which
> consumes quite a bit of RAM due to its threaded architecture).
>
> Now enough with how it works and let's talk pros/cons.
>
> Pros :
> - You can plug your APs anywhere and they will simply work as long as the
> VLANs are spanning correctly. That makes your job easier.
> - That's about it...
>
> Cons :
> - Not supported on a lot of switches.
>     - Right now we support it on a few switches in port-security
> enforcement and on HP, Juniper and Cisco in MAC Authentication (RADIUS)
> - This can and will break because this mode is complex
>     - Should a trap not reach PacketFence or one of the services fail
> for a few seconds, your switchport will be left in open mode. Meaning
> anybody can connect and access the AP network on that port.
>     - When a switch reboots, the SNMP traps can be delayed by the switch
> and the actions may not be taken in the exact order they should and that
> can mis-configure some ports.
>     - As stated above, it is complex. There is a lot of SNMP exchange and
> should any command not be executed properly by the switch, it will break
> the chain.
>     - As SNMP MIBs have a tendency to change for specialized features
> (like VLAN assignment or trunking), you may be forced to stay on an old
> firmware to keep support for this feature or may have Monday morning
> surprises after a firmware upgrade.
>
> Now my 2 cents :
> - Some specific use cases are good for this
>     - You have access points that you may lend to trusted employees so
> they can spin up an SSID for a specific use.
>     - You have a few 8 port switches you lend to people for some specific
> events
> - Don't use this for your APs that always (or almost) stay at the same
> place because a misconfiguration in SNMP will have an immediate impact on
> dozens of users.
>
> Cheers !
>
> - Julien
>
>
> On 02/17/2016 12:59 PM, Max McGrath wrote:
>
> Hi all -
>
> I'm interested in the floating network devices portion of PacketFence.
> We currently do not use it but I'm curious about its use with access
> points.
>
> Does anybody put their entire fleet of APs under the floating devices
> config so all APs can be moved around without worrying about port config?
> Or is it more meant for a small number of APs and other devices?
>
> Max
> --
> Max McGrath  <https://www.linkedin.com/pub/max-mcgrath/1b/3a6/a21>
> Network Administrator
> Carthage College
> 262-552-5512
> [email protected]
>
>
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Julien
>
>
>
>
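Added example (not part of the original thread, and not PacketFence code): a periodic audit for the failure mode described in the quoted reply, where a missed trap leaves a switchport in open mode. The snapshot format, field names and MAC addresses are constructed; collecting the snapshot from the switches is assumed to happen elsewhere.

```python
"""Flag switchports that are still open without a registered floating device."""

# Constructed sample data: MACs registered as floating devices (APs, loaner switches).
FLOATING_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed snapshot of port state, e.g. summarised from a poll or config export.
PORTS = [
    # AP plugged in, bridging one wireless client: expected to be open.
    {"switch": "sw1", "port": "Gi1/0/5", "secured": False, "link_up": True,
     "macs": ["00-11-22-AA-BB-01", "3c:22:fb:00:00:10"]},
    # Open port with an unregistered device on it: the trap was missed.
    {"switch": "sw1", "port": "Gi1/0/7", "secured": False, "link_up": True,
     "macs": ["3c:22:fb:00:00:99"]},
    # Open port with nothing connected: safe only if the next trap arrives.
    {"switch": "sw2", "port": "Gi1/0/2", "secured": False, "link_up": False,
     "macs": []},
    # Normal secured port: ignored by the audit.
    {"switch": "sw2", "port": "Gi1/0/3", "secured": True, "link_up": True,
     "macs": ["3c:22:fb:00:00:42"]},
]


def norm(mac):
    """Normalise a MAC address to lower-case, colon-separated form."""
    return mac.lower().replace("-", ":")


def audit(ports, floating_macs):
    """Return (switch, port, status) for every open port that should not be open."""
    floating = {norm(m) for m in floating_macs}
    findings = []
    for p in ports:
        if p["secured"]:
            continue
        seen = {norm(m) for m in p["macs"]}
        if p["link_up"] and seen & floating:
            continue  # a registered floating device is present: expected state
        # Link up without a floating device means someone else is on an open port.
        status = "EXPOSED" if p["link_up"] else "STALE"
        findings.append((p["switch"], p["port"], status))
    return findings


if __name__ == "__main__":
    for switch, port, status in audit(PORTS, FLOATING_MACS):
        print(f"{status}: {switch} {port} has security disabled")
```
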