Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-23 Thread Erik via PacketFence-users




On 23-04-2020 18:19, Ludovic Zammit wrote:
> Hello Erik,
>
> If you check the routed network documentation you can see an example
> for a remote site.
>
> https://packetfence.org/doc/PacketFence_Installation_Guide.html#_routed_networks
>
> With VLAN enforcement you would need to have one registration network
> - VLAN per remote site.
>
> On that remote registration VLAN interface you would configure an IP
> helper toward your PacketFence layer 2 registration interface. Once you
> create that, on PacketFence you create the remote registration network
> and PacketFence would know which IP to distribute based on the network.


I had seen that, thanks. But that seems to imply that PF must be
configured with each individual network. And I want to avoid that. We
are talking about many hundreds of sites/networks here. All of this is
handled by the VPN system already. Each site is provisioned via a web
portal, where the IP range is defined and sent to the site's DHCP server.
I could add a module to the VPN system that sends information about
each site to PF. But the DHCP service must remain on site, if only to
prevent problems should a site be unable to contact PF.




> You would also need to create a switch configuration on PacketFence to
> authorize the RADIUS authentication incoming from that remote switch.
> DHCP and RADIUS are two separate workflows.


Exactly. And I want to keep them separate. AAA by PF. And DHCP locally.
I don't actually have a use case for profiling yet, but does it actually
require PF to be the DHCP server? Or can it do profiling if a local DHCP
helper somehow informs PF of which IP was locally assigned to which client?


I guess I will have to look into Fingerbank to see how that works in detail.


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-23 Thread Erik via PacketFence-users




On 23-04-2020 13:50, Ludovic Zammit wrote:
> Hello Erik,

Hello Ludovic,

> Yes it can assign VLAN only.

Ah, nice.

> Do you want a captive portal to register your devices or just do
> 802.1x/MAC authentication?


To begin with, just 802.1x and/or MAC auth. Local equipment can handle a 
captive portal should that be necessary. May later via PF, but I don't 
see a specific need anytime soon.




> There are a lot of features that rely on DHCP handled by PacketFence for
> the captive portal, for example you will lose a good part of the
> Profiling with Fingerbank that relies on DHCP traffic.


Hmm, that might be interesting later on too. Will that require PF to 
actually be the DHCP-server, or will it suffice that PF is kept informed 
by the local DHCP-server?


If PF needs to be the DHCP-server in those cases, would it be able to 
select the correct IP range based on site specific attributes?
Because each site has its own specific IP range, but PF will see the 
entire VPN as one big IP block.


Like in the example below, where the entire range routed by the VPN 
concentrator is 10.64.0.0/10. Devices must receive an IP within the 
range of their own site. One way for PF to tell from which site the 
request is coming, might be the IP of the local switch (NAS).


PF (10.64.0.1/32) --- VPN concentrator --- site 1 (10.64.63.0/25)
                                       |-- site 2 (10.64.63.128/25)
                                       |-- site 3 (10.64.64.0/24)

Erik





Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-23 Thread Ludovic Zammit via PacketFence-users
Hello Erik,

If you check the routed network documentation you can see an example for a 
remote site.

https://packetfence.org/doc/PacketFence_Installation_Guide.html#_routed_networks

With VLAN enforcement you would need to have one registration network - VLAN 
per remote site.

On that remote registration VLAN interface you would configure an IP helper 
toward your PacketFence layer 2 registration interface. Once you create that, on 
PacketFence you create the remote registration network and PacketFence would 
know which IP to distribute based on the network.

You would also need to create a switch configuration on PacketFence to 
authorize the RADIUS authentication incoming from that remote switch. DHCP and 
RADIUS are two separate workflows.

RADIUS = Authentication - Authorization

DHCP = Captive portal - Fingerbank profiling.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Apr 23, 2020, at 11:52 AM, Erik  wrote:
> 
> 
> 
> On 23-04-2020 13:50, Ludovic Zammit wrote:
>> Hello Erik,
> 
> Hello Ludovic,
> 
>> 
>> Yes it can assign VLAN only.
> 
> Ah, nice.
> 
>> Do you want a captive portal to register your devices or just do 802.1x/MAC 
>> authentication?
> 
> To begin with, just 802.1x and/or MAC auth. Local equipment can handle a 
> captive portal should that be necessary. May later via PF, but I don't see a 
> specific need anytime soon.
> 
>> 
>> There are a lot of features that rely on DHCP handled by PacketFence for the 
>> captive portal, for example you will lose a good part of the Profiling with 
>> Fingerbank that relies on DHCP traffic.
> 
> Hmm, that might be interesting later on too. Will that require PF to actually 
> be the DHCP-server, or will it suffice that PF is kept informed by the local 
> DHCP-server?
> 
> If PF needs to be the DHCP-server in those cases, would it be able to select 
> the correct IP range based on site specific attributes?
> Because each site has its own specific IP range, but PF will see the entire 
> VPN as one big IP block.
> 
> Like in the example below, where the entire range routed by the VPN 
> concentrator is 10.64.0.0/10. Devices must receive an IP within the range of 
> their own site. One way for PF to tell from which site the request is coming, 
> might be the IP of the local switch (NAS).
> 
> PF (10.64.0.1/32) --- VPN concentrator --- site 1 (10.64.63.0/25)
>                                        |-- site 2 (10.64.63.128/25)
>                                        |-- site 3 (10.64.64.0/24)
> 
> Erik
> 



Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-23 Thread Ludovic Zammit via PacketFence-users
Hello Erik,

Yes it can assign VLAN only. Do you want a captive portal to register your 
devices or just do 802.1x/MAC authentication?

There are a lot of features that rely on DHCP handled by PacketFence for the captive 
portal, for example you will lose a good part of the Profiling with Fingerbank 
that relies on DHCP traffic.

Thanks,


> On Apr 23, 2020, at 7:22 AM, Erik via PacketFence-users 
>  wrote:
> 
> 
> 
> On 23-04-2020 00:24, Sallee, Jake via PacketFence-users wrote:
>> PF works great with routed networks and depending on the details of your VPN 
>> connection I think it should work in your situation.
> 
> Thanks, it's not the VPN I am wondering about, though.
> 
> The most important requirement is that PF only tells the switches which VLAN 
> to assign to the selected port, based on which client is connecting. It must 
> not do DHCP or DNS. That will be done locally. Nor must it keep track of 
> local DHCP assignments.
> 
> VPN routing and firewall have been set up such that the switches can 
> talk to PF and vice versa.
> 
> I am considering using the same VLAN ids on all sites (there are hundreds). 
> To PF, the VPN presents the individual sites as one large network block, so 
> PF won't know that they are actually numerous individual segments. To the 
> individual locations it does not matter that VLAN ids are the same 
> everywhere, because VLAN ids are stripped by the VPN anyway.
> Communication between hosts on different locations is controlled by the VPN 
> firewall.
> 
> So the main question is, can PF assign VLAN only, without knowing or caring 
> about IPs?
> I am sure it can, as freeRADIUS can, but since I can't check myself yet, I am 
> really curious to know.
> 
> Erik
> 
> 


Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-23 Thread Erik via PacketFence-users




On 23-04-2020 00:24, Sallee, Jake via PacketFence-users wrote:
> PF works great with routed networks and depending on the details of your VPN 
> connection I think it should work in your situation.


Thanks, it's not the VPN I am wondering about, though.

The most important requirement is that PF only tells the switches which 
VLAN to assign to the selected port, based on which client is 
connecting. It must not do DHCP or DNS. That will be done locally. Nor 
must it keep track of local DHCP assignments.


VPN routing and firewall have been set up such that the switches 
can talk to PF and vice versa.


I am considering using the same VLAN ids on all sites (there are 
hundreds). To PF, the VPN presents the individual sites as one large 
network block, so PF won't know that they are actually numerous 
individual segments. To the individial locations it does not matter that 
VLAN ids are the same everywhere, because VLAN ids are stripped by the 
VPN anyway.
Communication between hosts on different locations is controlled by the 
VPN firewall.


So the main question is, can PF assign VLAN only, without knowing or 
caring about IPs?
I am sure it can, as freeRADIUS can, but since I can't check myself yet, 
I am really curious to know.


Erik




Re: [PacketFence-users] VLAN isolation and routed networks

2020-04-22 Thread Sallee, Jake via PacketFence-users
What you are describing sounds similar to what we are doing.

PF works great with routed networks and depending on the details of your VPN 
connection I think it should work in your situation.

I have never set up a PF deployment like the one you are talking about; however, 
if your VPN is set up in a point-to-point configuration then it will very likely 
work.

Logically speaking the packets from the satellite locations are encapsulated 
and sent to your central site. Once there the encapsulation is stripped, they 
are routed and the replies are encapsulated and sent back.  If this is the case 
the presence of the VPN tunnel is invisible to PF and the deployment should be 
the same as any other routed deployment.

If my guess about the way your VPN is set up is correct then I see no reason 
why it would not work.

I would love to hear how your deployment goes, good luck!

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Erik via PacketFence-users 
Sent: Wednesday, April 22, 2020 9:43 AM
To: packetfence-users@lists.sourceforge.net
Cc: Erik
Subject: [PacketFence-users] VLAN isolation and routed networks

Hi,

I have recently begun to investigate PacketFence to see if it can be
used under the circumstances I am faced with.
What I have found in the documentation so far is rather little and tells
me that routed networks are possible, but the example does not match my
circumstances. I am guessing it is just an example and other options are
available. I will be building a test site as soon as the necessary
equipment arrives.

Hope I can pick your brains in the meantime.


So the circumstances are these.

There are several separate locations that are connected to one central
location via VPN (OpenVPN).
Every location has their own local network and none of the address
ranges overlap. Locations can talk to each other because the central
location, where the VPN server is, routes traffic between locations.

Every location is going to be split up into a trusted and untrusted LAN.
There is a local firewall on each location that can manage this, but I
am looking for a solution that can be managed at the central location.

So I thought of PacketFence and wondered if it might fit. The general
idea is that the switches on each location access the PacketFence at the
central location for authentication and that PacketFence tells them if
the client can be authenticated, into which VLAN they must be put.

The switches can communicate with PacketFence at the central location
via the VPN. The clients cannot, because by default they are blocked by
the firewall.

I do not need or want PacketFence to provide DNS or DHCP. Once the local
switch has put the client on the correct VLAN and has allowed the port
the client is on to forward traffic, the clients will get DHCP and DNS
from the local servers.

So basically, PacketFence will not need to know about the local
networks. It will only have to authenticate credentials and let the
switch know what VLAN to use. The switches will use 802.1x for those
clients that support it and MAC authentication for those devices that don't.

I have used FreeRADIUS in the past with 802.1x and MAC authentication to
simply enable and disable switch ports. Back then the VLANs had been
fixed and defined on the switch. You either got access or you did not.
The current situation is similar with the notable exception that now the
switch does not know the VLAN id beforehand and has to be told not just
whether to enable the port, but also in which VLAN to put it.


What do you think, am I barking up the wrong tree here?

Thanks for your time,
Erik van Linstee




[PacketFence-users] VLAN isolation and routed networks

2020-04-22 Thread Erik via PacketFence-users

Hi,

I have recently begun to investigate PacketFence to see if it can be 
used under the circumstances I am faced with.
What I have found in the documentation so far is rather little and tells 
me that routed networks are possible, but the example does not match my 
circumstances. I am guessing it is just an example and other options are 
available. I will be building a test site as soon as the necessary 
equipment arrives.


Hope I can pick your brains in the meantime.


So the circumstances are these.

There are several separate locations that are connected to one central 
location via VPN (OpenVPN).
Every location has their own local network and none of the address 
ranges overlap. Locations can talk to each other because the central 
location, where the VPN server is, routes traffic between locations.


Every location is going to be split up into a trusted and untrusted LAN. 
There is a local firewall on each location that can manage this, but I 
am looking for a solution that can be managed at the central location.


So I thought of PacketFence and wondered if it might fit. The general 
idea is that the switches on each location access the PacketFence at the 
central location for authentication and that PacketFence tells them if 
the client can be authenticated, into which VLAN they must be put.


The switches can communicate with PacketFence at the central location 
via the VPN. The clients cannot, because by default they are blocked by 
the firewall.


I do not need or want PacketFence to provide DNS or DHCP. Once the local 
switch has put the client on the correct VLAN and has allowed the port 
the client is on to forward traffic, the clients will get DHCP and DNS 
from the local servers.


So basically, PacketFence will not need to know about the local 
networks. It will only have to authenticate credentials and let the 
switch know what VLAN to use. The switches will use 802.1x for those 
clients that support it and MAC authentication for those devices that don't.


I have used FreeRADIUS in the past with 802.1x and MAC authentication to 
simply enable and disable switch ports. Back then the VLANs had been 
fixed and defined on the switch. You either got access or you did not. 
The current situation is similar with the notable exception that now the 
switch does not know the VLAN id beforehand and has to be told not just 
whether to enable the port, but also in which VLAN to put it.



What do you think, am I barking up the wrong tree here?

Thanks for your time,
Erik van Linstee
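The central decision this thread is about, as an added example in Python (it is not code from the thread or from PacketFence): the switch at a remote site sends a RADIUS request to the central server, which answers with a VLAN only and never an IP, and the site is told apart by the switch's (NAS) address, as Erik proposes with his three-site diagram. The site table, VLAN ids and device inventory are constructed; the tunnel attribute values are the standard ones from RFC 2868 / RFC 3580.

```python
import ipaddress

# Constructed site table from Erik's diagram; VLAN ids are assumed and, as he
# proposes, identical at every site.
VPN_BLOCK = ipaddress.ip_network("10.64.0.0/10")
SITES = {
    "site 1": ipaddress.ip_network("10.64.63.0/25"),
    "site 2": ipaddress.ip_network("10.64.63.128/25"),
    "site 3": ipaddress.ip_network("10.64.64.0/24"),
}
TRUSTED_VLAN, UNTRUSTED_VLAN = 10, 20  # assumed VLAN ids

# Standard values for dynamic VLAN assignment (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802

# Constructed device inventory standing in for the NAC's node database
# (MAC -> role); unknown MACs are rejected, so their port stays closed.
KNOWN_DEVICES = {"aa:bb:cc:dd:ee:01": "trusted", "aa:bb:cc:dd:ee:02": "untrusted"}

def site_for_nas(nas_ip):
    """Name the site whose range contains the switch (NAS) address, by
    longest-prefix match; None if outside the VPN block or in no site."""
    addr = ipaddress.ip_address(nas_ip)
    if addr not in VPN_BLOCK:
        return None
    hits = [(net.prefixlen, name) for name, net in SITES.items() if addr in net]
    return max(hits)[1] if hits else None

def vlan_reply(mac, nas_ip):
    """Answer a MAC authentication request: Access-Accept carrying only the
    VLAN attributes (never an IP), or Access-Reject."""
    site = site_for_nas(nas_ip)
    if site is None:
        return {"code": "Access-Reject", "reason": "request from unknown NAS"}
    role = KNOWN_DEVICES.get(mac.lower())
    if role is None:
        return {"code": "Access-Reject", "reason": "unknown device"}
    vlan = TRUSTED_VLAN if role == "trusted" else UNTRUSTED_VLAN
    return {
        "code": "Access-Accept",
        "site": site,
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan),  # the switch maps this to a VLAN
    }

def lease_matches_site(client_ip, nas_ip):
    """Sanity check for a lease reported by a site's local DHCP server: the
    client address must lie in the range of the site whose switch authenticated it."""
    site = site_for_nas(nas_ip)
    return site is not None and ipaddress.ip_address(client_ip) in SITES[site]
```

The lease check is what a local DHCP helper reporting assignments back to the central server would let it verify, without the central server ever handing out addresses itself.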

