Hello Steve,

As Nicolas stated in the bug release, the recent PF version is not meant to be 
pointed to an external DB that is not hosted on PF yet.

On paper it should work if you are using PF servers to host your DB and 
process your RADIUS. PF works over layer 3 for EAP-TLS.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jun 24, 2021, at 11:46 AM, Steve Dainard <sdain...@spd1.com> wrote:
> 
> Hi Ludovic or other list members, just curious if there is any feedback. We 
> have a Clearpass demo this afternoon I was hoping to compare/contrast to 
> Packetfence.
> 
> Thanks,
> Steve
> 
> On Mon, Jun 21, 2021 at 7:58 AM Steve Dainard <sdain...@spd1.com> wrote:
> Hi Ludovic,
> 
> 802.1X certificates for wifi/port auth.
> 
> 
> Steve
> 
> On Fri, Jun 18, 2021 at 4:54 AM Zammit, Ludovic <luza...@akamai.com> wrote:
> Hello Steve,
> 
> Which type of RADIUS authentication are you doing, 802.1X or MAC 
> authentication?
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
>> On Jun 17, 2021, at 12:21 PM, Steve Dainard via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net> wrote:
>> 
>> Hello,
>> 
>> First I'll say I'm just in the initial phase of spinning up a test instance 
>> of packetfence so please excuse my ignorance.
>> 
>> From the docs it seems like the more common deployment scenarios are onprem, 
>> but I'd like to know how the following system design would work.
>> 
>> We have multiple office sites, but the vast majority of our hosts are in 
>> EC2. Currently we're using MS NPS for radius auth but it doesn't cluster so 
>> we have to manually export/import configs, it doesn't have a web ui, and I 
>> can't natively send accounting info as syslog to Palo Alto for userid. Also 
>> we're more of a Linux shop and have a full config-management and deployment 
>> system for Linux hosts.
>> 
>> My initial design idea was to:
>> - launch 2 instances in our EC2/VPC region, each in a different AZ
>> - use a highly available RDS DB backend
>> - the instances might be behind an AWS load balancer (not sure on this due 
>> to Juniper switches not accepting fqdn in radius server statements)
>> - the instances would all be assigned IP addresses via DHCP due to EC2 
>> environment
>> 
>> Topology:
>> Onprem Network Devices -> (maybe/optionally) EC2 Load balancer -> 
>> packetfence instances -> RDS DB backend.
>> 
>> There is documentation on a layer 3 HA implementation but the documentation 
>> is very focused on local DBs rather than just the application so it's 
>> difficult to understand the implications of split-brain if we're using an 
>> external DB.
>> 
>> Because these are EC2 instances there are a few things made a bit more 
>> difficult such as not getting the host IP address until the instance is 
>> already provisioned but we should be able to handle this in config 
>> management. Also there is no virtual ip capability.
>> 
>> I'm wondering does my deployment design result in:
>> - active-active packetfence instances, ie. can they actively share the same 
>> external db?
>> - ability to launch packetfence instances at will (configuration management 
>> would handle config files) | replace packetfence instances on the fly 
>> without concern of db corruption or service interruption
>> - Use any of the instances web UI for configuration changes
>> 
>> Also this issue https://github.com/inverse-inc/packetfence/issues/6396 
>> perhaps points out there are some shortcomings and potentially a lack of 
>> support in external db deployments. We would want some level of commercial 
>> support for this system so perhaps we're out of luck until this issue is 
>> addressed?
>> 
>> Thanks for reading,
>> Steve
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> 
