(I'm not a PF "expert". Anyway, I probably can say something "useful" [..at least, I hope])

----------------------------------------------------------------------
On 25/07/2016 18:38, Matthias Busch wrote:

> QUESTION 1: Is there an inbuilt capability of packetfence for user
> management, preferably in LDAP ?

After a normal/fresh install of a PF box you'll have a MySQL DB configured with several tables, including a "password" and a "person" table. If you rely on PF for accounting and authorization (aka: PF will handle your user-base) then both tables will be used.

Nevertheless, you have _plenty_ of choices to "authenticate" your users based on your needs, by way of pre-defined PERL modules:

--------------------------------------------------------------
[root@pf-ch Source]# pwd
/usr/local/pf/lib/pf/Authentication/Source
[root@pf-ch Source]# ls -l
total 104
-rw-r--r-- 1 pf pf  1955 Jul 24  2015 ADSource.pm
-rw-r--r-- 1 pf pf  2606 Jul 24  2015 BlackholeSource.pm
-rw-r--r-- 1 pf pf  3382 Jul 24  2015 ChainedSource.pm
-rw-r--r-- 1 pf pf  2259 Jul 24  2015 EmailSource.pm
-rw-r--r-- 1 pf pf  2474 Jul 24  2015 FacebookSource.pm
-rw-r--r-- 1 pf pf  2473 Jul 24  2015 GithubSource.pm
-rw-r--r-- 1 pf pf  2618 Jul 24  2015 GoogleSource.pm
-rw-r--r-- 1 pf pf  3759 Jul 24  2015 HtpasswdSource.pm
-rw-r--r-- 1 pf pf  2520 Jul 24  2015 KerberosSource.pm
-rw-r--r-- 1 pf pf 18148 Jul 24  2015 LDAPSource.pm
-rw-r--r-- 1 pf pf  2227 Jul 24  2015 LinkedInSource.pm
-rw-r--r-- 1 pf pf  2825 Jul 24  2015 NullSource.pm
-rw-r--r-- 1 pf pf  2570 Jul 24  2015 OAuthSource.pm
-rw-r--r-- 1 pf pf  3195 Jul 24  2015 RADIUSSource.pm
-rw-r--r-- 1 pf pf  2594 Jul 24  2015 SMSSource.pm
-rw-r--r-- 1 pf pf  2206 Jul 24  2015 SponsorEmailSource.pm
-rw-r--r-- 1 pf pf  4302 Jul 24  2015 SQLSource.pm
-rw-r--r-- 1 pf pf  5993 Jul 24  2015 TwitterSource.pm
-rw-r--r-- 1 pf pf  2526 Jul 24  2015 WindowsLiveSource.pm
[root@pf-ch Source]#
--------------------------------------------------------------

Please note the "LDAPSource.pm" presence. Also, with a slightly-more-than-basic knowledge of PERL, you're free to ADD your own modules.

In our case, for example, we have added a "WebServiceSource.pm" PERL module to authenticate users via an external web-service. Once users are externally authenticated, PF will rely on the MySQL "person" table to store a very limited set of attributes, for its own needs.

To recap: PF can handle AUTH by itself, via MySQL (SQLSource, I guess). You can define your own AUTH methods with no big problems.

> Now, I need to set up freeradius to use my ldap users.
>
> Next, I would like to implement 802.1x for LAN1/VLAN 10 via
> Packetfence/the inbuilt freeradius. Right?

PF will normally deploy freeradius with a predefined config. You're free to:

- adapt its base configuration to your needs (being careful to _not_ break any required functionality);
- decide to have PF relying on _your_ freeradius (and not the "internal" one)... (being careful to set up all the needed [by PF] components in the PF way).

(BTW: Unfortunately I cannot tell more details, as we're not heavily relying on radius for our purposes.)

> Next, I would like to implement some kind of "self-service" portal
> where devices not 802.1x authenticated would either get a website
> with information to contact person x or have the ability to
> self-register

That's definitely doable. No problem at all.

> [...] (logs should go back 6-12 months)

The PF logging system is based on "Log4Perl" ( http://search.cpan.org/~mschilli/Log-Log4perl-1.47/lib/Log/Log4perl.pm ), which can be easily configured (via ./conf/log.conf) to ship logs to SYSLOG. Once logged to syslog, you can easily "get them", "process them", "relay them" and/or "store them" based on your "syslog" setup, in a completely-external-to-PF way. So it will be up to you to keep 1 month, 1 year, or 10 years of LOGs. And this will have nothing to do with PF.

I'm referring to "standard" logs. Things are slightly different when you deal, for example, with radius accounting data... where things are stored inside some MySQL tables and... they can grow. In such a case, probably, you need some "self-made procedures" to purge your "logs" according to your policy. (BTW: I cannot give further help. Sorry).

> What I don't need: - see what websites are being visited - see what
> kind of traffic is sent/received, from to, ports, content. I don't
> care.

That's good... 'cause in "VLAN-enforcement mode", PF will know _NOTHING_ about "IP-traffic" generated by your users, 'cause IP packets do _NOT_ travel through PF interfaces.

> QUESTION 2: Any critical error that forces me to abort right then and
> there? Any problem which might make what I need/want to do not work
> as expected/required?

Sorry but I'm missing your point/question. If you're asking about problems and/or things that could suddenly break your deploy... I really don't see any of them (if you have "supported" network devices and if you have control over your whole infrastructure [auth-backend; network setup; etc.]).

> Wifi: When we get wifi, it should use wpa2-enterprise and use
> packetfence (freeradius) for auth. IF there is a reasonable way to use
> unifi wifi controller and packetfence to allow for devices incapable
> of 802.1x to still use radius auth backend (captive portal), I would
> try to implement, but it is not required.

IMHO, when dealing with wifi and WPA2-Enterprise with 802.1x, things start getting _REALLY_ complex. A nice overview of the whole picture is, in my opinion, the EDUROAM documentation. Particularly, this:

https://wiki.geant.org/display/H2eduroam/How+to+deploy+eduroam+on-site+or+on+campus#Howtodeployeduroamon-siteoroncampus-SelectingEAPtypes

It's not strictly related to PF but... as EDUROAM is, by design, WPA2-Enterprise and radius-based, concepts are really overlapping.

BTW: in our case, the wifi infrastructure is "simply" managed via the PF captive portal. We have several "in-line" PF interfaces, each of which is connected to a WiFi VLAN. It's not the best setup in the world... but it works (it's good... and it's definitely better than the previous setup we had).

> QUESTION 3: Any thoughts, ideas, problems, insults, encouragement? In
> general, I am eager to hear what you think. I am open for any of it
> and we can discuss everything.

First of all, I have to say that in our deployment we're using _INLINE_ mode, mainly due to our _really_wide_ set of devices (several vendors, with the main one _NOT_ being fully supported by PF). Having said this, IF your network devices are fully supported by PF, then I really see _NO_ reason to _NOT_ deploy a VLAN-Enforcement PF setup.

PF is great. Definitely. And surely it can handle your load. Here on this list there are people running really large deployments and (with the exception below) I cannot remember any kind of serious problems.

As for problems, I have to admit that, at least in our case:

1 - the development rate of PF is really.... high! New versions (minor at first; but also "major") are released with a _VERY_HIGH_ frequency! And the chance of ending up running an old/outdated version is really high! So, if you deploy PF, keep in mind that you need to allocate proper resources to keep it updated;

2 - during the few times we tried to upgrade from an older to a newer version, we _ALWAYS_ encountered some problems (and "upgrade issues" are quite a frequent subject, here on this list). So, in the end, our current policy is: "install a fresh/new box with the new version and then replay the configuration from the older box". This, again, is time-consuming and error-prone. Keep it in mind.

HTH.

Bye,
DV

P.S.: as for:

> [...] I intend to install packetfence via apt-get on debian jessie x64
> (xen virtualized).... Packetfence will have two ethernet ports, eth0
> to mgmt-LAN/VLAN 1 untagged, eth1 with tagged vlan to portal (LAN1?),
> registration and isolation (do not exist yet)

I really wonder how you'll be able to define your eth1 virtual-interface as a TRUNK within your VM as... I tried it (with XEN Server 6.5) and, to be successful, I ended up assigning the physical NIC (connected to the switch trunk) to the VM. Could you slightly elaborate on this? [as this is OT, here, probably a private msg might be preferable]

--
Damiano Verzulli
e-mail: [email protected]
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists and Generalists. The Specialist learns more and more about a narrower and narrower field, until he eventually, in the limit, knows everything about nothing. The Generalist learns less and less about a wider and wider field, until eventually he knows nothing about everything."
- William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
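The syslog-shipping step Damiano describes above (Log4perl configured via ./conf/log.conf), as an added example that is neither from the original message nor from the PacketFence project: a stand-alone Perl script that initialises Log4perl with the same stanzas one would place in log.conf, sending events to the local syslog daemon so that retention is handled by the syslog setup rather than by PF. The logger name "pf", the ident "packetfence" and facility local0 are assumed choices, not PacketFence defaults; Log::Log4perl and Log::Dispatch::Syslog are assumed to be installed.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code: route Log4perl output to syslog.
# Assumptions: Log::Log4perl and Log::Dispatch::Syslog are installed;
# "pf" (logger name), "packetfence" (ident) and local0 (facility) are
# illustrative values, not PacketFence defaults.
use strict;
use warnings;
use Log::Log4perl;

# The stanzas below, minus the Perl heredoc, are what would go into
# ./conf/log.conf under the PacketFence install directory (assumed
# path, from the message above). Leading "#" lines are config comments.
my $conf = <<'END_CONF';
# Everything at INFO and above goes to the SYSLOG appender.
log4perl.rootLogger = INFO, SYSLOG

# Log::Dispatch::Syslog talks to the local syslog daemon; the daemon's
# own rules (forward, rotate, retain) then decide what happens next.
log4perl.appender.SYSLOG          = Log::Dispatch::Syslog
log4perl.appender.SYSLOG.ident    = packetfence
log4perl.appender.SYSLOG.facility = local0
# "pid" adds the process id to each record, useful when several PF
# daemons log under the same ident.
log4perl.appender.SYSLOG.logopt   = pid
log4perl.appender.SYSLOG.layout   = Log::Log4perl::Layout::PatternLayout
# %p = level, %c = logger category, %M = calling sub, %m = message
log4perl.appender.SYSLOG.layout.ConversionPattern = [%p] %c %M: %m
END_CONF

# init() accepts a reference to the config string instead of a filename.
Log::Log4perl->init(\$conf);
my $log = Log::Log4perl->get_logger('pf');

# Constructed sample events, in the spirit of what a NAC would record;
# Log4perl maps INFO/WARN to the matching syslog priorities.
$log->info('node 00:11:22:33:44:55 registered in VLAN 10 (constructed sample)');
$log->warn('authentication failed for user jdoe via LDAPSource (constructed sample)');
```

With the same stanzas in log.conf and a syslog rule matching facility local0, the retention question (6-12 months) becomes a syslog/archiving decision entirely outside PF, as the message says.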
