Hi Ludovic,

802.1X certificates for wifi/port auth.

Steve

On Fri, Jun 18, 2021 at 4:54 AM Zammit, Ludovic <luza...@akamai.com> wrote:

> Hello Steve,
>
> Which type of RADIUS authentication are you doing, 802.1X or MAC authentication?
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
> On Jun 17, 2021, at 12:21 PM, Steve Dainard via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> > Hello,
> >
> > First I'll say I'm just in the initial phase of spinning up a test instance of PacketFence, so please excuse my ignorance.
> >
> > From the docs it seems like the more common deployment scenarios are on-prem, but I'd like to know how the following system design would work.
> >
> > We have multiple office sites, but the vast majority of our hosts are in EC2. Currently we're using MS NPS for RADIUS auth, but it doesn't cluster, so we have to manually export/import configs; it doesn't have a web UI; and I can't natively send accounting info as syslog to Palo Alto for User-ID. Also, we're more of a Linux shop and have a full config-management and deployment system for Linux hosts.
> >
> > My initial design idea was to:
> > - launch 2 instances in our EC2/VPC region, each in a different AZ
> > - use a highly available RDS DB backend
> > - the instances might be behind an AWS load balancer (not sure on this, due to Juniper switches not accepting an FQDN in RADIUS server statements)
> > - the instances would all be assigned IP addresses via DHCP, due to the EC2 environment
> >
> > Topology:
> > On-prem network devices -> (maybe/optionally) EC2 load balancer -> PacketFence instances -> RDS DB backend.
> >
> > There is documentation on a layer 3 HA implementation, but the documentation is very focused on local DBs rather than just the application, so it's difficult to understand the implications of split-brain if we're using an external DB.
> >
> > Because these are EC2 instances there are a few things made a bit more difficult, such as not getting the host IP address until the instance is already provisioned, but we should be able to handle this in config management. Also, there is no virtual IP capability.
> >
> > I'm wondering, does my deployment design result in:
> > - active-active PacketFence instances, i.e. can they actively share the same external DB?
> > - ability to launch PacketFence instances at will (configuration management would handle config files) / replace PacketFence instances on the fly without concern of DB corruption or service interruption
> > - use of any of the instances' web UI for configuration changes
> >
> > Also, this issue https://github.com/inverse-inc/packetfence/issues/6396 perhaps points out there are some shortcomings and potentially a lack of support in external DB deployments. We would want some level of commercial support for this system, so perhaps we're out of luck until this issue is addressed?
> >
> > Thanks for reading,
> > Steve
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users