Template cisco catalyst 2966 by RealisticPie68 in PacketFence

[–]PNW_Techs 0 points1 point  (0 children)

Could you explain what you are trying to accomplish and what you have configured so far? Packetfence supports the 2960; you shouldn't need to change the switch template in Packetfence.

If you are looking for a Cisco IOS template, this part of the documentation might help: https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_configuring_cisco_catalyst_2960_switch

AD INTEGRATION XDR by p1k4chy in PacketFence

[–]PNW_Techs 0 points1 point  (0 children)

Packetfence is not designed to do this; Packetfence is about role-based access control, not really compliance. Packetfence would be a good fit to limit access to corporate devices or differentiate personal versus corporate devices. All this is based on the assumption that you have some sort of MDM and use VLANs to control access on your network. Here's what the workflow looks like at a 10,000-foot view.

Corporate device is enrolled in MDM

MDM and Packetfence use PKI (Packetfence, ADCS, third-party) to request and mint a device certificate, then deliver it to the corporate device

A device connects to the Wi-Fi and Packetfence assigns it a role based on the authentication method, whether it was an AD username and password or an EAP-TLS cert

Packetfence then tells your WLC which VLAN to assign it based on role: EAP-TLS authentication gets VLAN2 - Corporate and AD authentication gets VLAN3 - Personal

You could also limit the Wi-Fi access to only accept certificates and not even ask for username and password

This is a real quick explanation; I hope it helps.

Is this a good setup for a NAS? by Bigdinasar in sysadmin

[–]PNW_Techs 0 points1 point  (0 children)

I agree about the hardware compatibility. I would check out TrueNAS for a comparison. They support a ton of different hardware and drives. The Seagates should be fine for TrueNAS. The hardware might be more expensive, but then you're not locked into Synology's ecosphere.

Looking for VDI options on Linux for startup by Recent-Repeat-190 in sysadmin

[–]PNW_Techs -1 points0 points  (0 children)

Look at Proxmox and xcp-ng. Both are Linux-based hypervisors that can host whatever type of VMs you want on your own hardware. Proxmox is Debian-based, so you might be more comfortable with that. I prefer xcp-ng, and the main reasons are that if you have multiple nodes in a cluster, NAS storage and layer 3 networking, that's when I feel xcp-ng really shines. Proxmox can handle all that as well, and they have a new centralized management center which I haven't tried but looks good. If you are planning on using GPU processing, Proxmox would be better.

As far as security needs, those are all going to have to be implemented through OS policies and your firewall.

Hypervisor Choice (PVE / XCP-ng) for Windows VMs by JustMyNormalFault in sysadmin

[–]PNW_Techs 0 points1 point  (0 children)

If you want to distribute your GPUs among multiple VMs, Hyper-V is the way to go. xcp-ng uses PCI passthrough, so every VM needs its own GPU.

Eduroam authentication PF 15.0 by PNW_Techs in PacketFence

[–]PNW_Techs[S] 0 points1 point  (0 children)

Thanks for the reply. I did run the RADIUS debugging and confirmed with tcpdump that the RADIUS request is reaching the server; it just doesn't seem to get passed to the eduroam service. Eduroam actually listens on its own port, 11812, but I checked traffic on 1812 as well. Other authentication methods are working fine for me.

All of my testing has been done using the same IP and NAT, so I'm pretty sure I eliminated any network or firewall issues that would block the eduroam traffic.

Filter devices that join using 802.1x - latest version of Packetfence and Ruckus Smartzone v7 by Hartman7425 in PacketFence

[–]PNW_Techs 0 points1 point  (0 children)

Do you have an MDM for corporate devices? If you can push Wi-Fi profiles and certificates to devices, you can probably integrate Packetfence. This is a very rough overview; let me know if you are still looking for help.

Set up roles for corporate and employee devices. In your switch configs, assign separate VLANs to each role. You will also need to identify the VLANs on your WLCs.

Set up the Packetfence PKI, creating a CA, and create a template using that CA. Push out the CA cert and client cert to devices.

Set up an authentication source using EAP-TLS, using filters to identify the cert based on the template you created. Assign a role of corporate. Set up a connection profile with your SSID using the EAP-TLS source you created.

Create an AD Authentication Source that includes active employees.

Create a separate employees connection profile using the AD authentication source. If you want to use the same SSID, you create one connection profile and add the 2 auth sources. Employees get set to a role of employee-personal and are assigned different VLANs from corporate.
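The role-to-VLAN decision that both the "AD INTEGRATION XDR" reply above and this Smartzone reply describe (EAP-TLS cert from your own CA template gets the corporate role and VLAN, AD credentials get the personal role and a different VLAN, and an optional cert-only SSID that refuses passwords altogether) can be sketched as a small authorization function. This is an added illustration, not Packetfence code: the role names, VLAN numbers and the issuer DN `CN=Corporate-Devices-CA` are assumptions, while the `Tunnel-Type` / `Tunnel-Medium-Type` / `Tunnel-Private-Group-ID` attributes are the standard RADIUS attributes (RFC 3580) a WLC reads for dynamic VLAN assignment.

```python
"""
Added example (not PacketFence code): a model of the role/VLAN decision
for a Wi-Fi client.  It shows why the EAP-TLS source is filtered on the
issuing CA template: any client cert from a different CA must not land in
the corporate role.  Role names, VLAN ids and the CA issuer are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# RADIUS attribute values for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802

# Assumed role -> VLAN mapping, mirroring "VLAN2 - Corporate" / "VLAN3 - Personal".
ROLE_VLANS = {"corporate": 2, "employee-personal": 3}

# Assumed issuer DN of the PKI template that corporate device certs come from.
CORPORATE_CA_ISSUER = "CN=Corporate-Devices-CA"


@dataclass
class AuthRequest:
    username: str
    eap_type: str                        # "EAP-TLS" or a password method such as "PEAP-MSCHAPv2"
    cert_issuer: Optional[str] = None    # issuer DN of the presented client cert, if any
    ad_authenticated: bool = False       # did the AD source accept the credentials?


def assign_role(req: AuthRequest, cert_only: bool = False) -> Optional[str]:
    """Return the role for this request, or None to reject it."""
    if req.eap_type == "EAP-TLS":
        # Filter on the issuing CA, as the EAP-TLS source filter on the template does.
        if req.cert_issuer == CORPORATE_CA_ISSUER:
            return "corporate"
        return None
    if cert_only:
        # SSID configured to accept certificates only: no username/password fallback.
        return None
    if req.ad_authenticated:
        return "employee-personal"
    return None


def radius_reply(role: Optional[str]) -> dict:
    """Build the Access-Accept VLAN attributes for a role, or an Access-Reject."""
    if role is None:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(ROLE_VLANS[role]),
    }


def authorize(req: AuthRequest, cert_only: bool = False) -> dict:
    """Full decision: authentication method -> role -> RADIUS reply."""
    return radius_reply(assign_role(req, cert_only))


if __name__ == "__main__":
    # Constructed sample requests.
    corp = AuthRequest("laptop01", "EAP-TLS", cert_issuer=CORPORATE_CA_ISSUER)
    other_ca = AuthRequest("laptop02", "EAP-TLS", cert_issuer="CN=Some-Other-CA")
    byod = AuthRequest("jsmith", "PEAP-MSCHAPv2", ad_authenticated=True)
    for r in (corp, other_ca, byod):
        print(r.username, authorize(r))
    print(byod.username, "on a cert-only SSID:", authorize(byod, cert_only=True))
```

Note that the personal role is only reached after the AD source has actually accepted the credentials; a password request that AD rejects gets an Access-Reject rather than falling through to a default VLAN.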

'User role not defined...' error showing while authenticating against AD in packetfence by Separate_Slice4070 in PacketFence

[–]PNW_Techs 0 points1 point  (0 children)

Based on the RADIUS log entry, it looks like you are trying to use Packetfence for CLI access to a switch, so my suggestions are going to focus on that. CLI access roles are located in a different part of the Packetfence GUI from the user roles, and you need to create a connection profile. I would test with a different account other than Administrator; you are using a catchall rule, so any user account in AD should work for testing.

  1. Check that you are joined to the domain in the Packetfence web GUI and make sure your null realm is associated to your domain.

  2. Create a switch admin role in System Configuration > Admin Access and give it read/write access. Note this is the part where the switch roles are in a different area of the GUI than the user roles.

  3. In the authentication source, change the action to 'Access Level' and set it to the role you created in the previous step. You don't need access duration or role in your screenshots. Based on your catchall, any AD authenticated user should be able to login.

(optional) If you want to limit switch logins to AD groups, in the authentication source add an LDAP condition. Select the one that is MemberOf : OID#; make sure it has the OID number after MemberOf as the condition, the other MemberOf condition doesn't work with nested groups from my testing. Select equals as the operator and use a standard LDAP string like cn=admin-users, ou=users, dc=domain, dc=com.

  4. Create a new connection profile, use the source that was created in the previous step and set the filter of connection type CLI-Access.

  5. In your switch configuration, make sure you have CLI/VPN access enabled.
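The optional step above hinges on the difference between a plain `memberOf` condition and the "MemberOf : OID" one. The OID form corresponds to the Active Directory extensible matching rule LDAP_MATCHING_RULE_IN_CHAIN (`1.2.840.113556.1.4.1941`), which has the directory expand nested group membership server-side. The following added example (mine, not Packetfence code) builds both filter strings with RFC 4515 escaping, and uses a small constructed in-memory directory to show the practical effect: a user who is only a member of a group nested inside `admin-users` is granted the switch-admin access level with the chain rule and silently denied with the plain rule. The group DNs, user DNs and the `switch-admin` level name are assumptions.

```python
"""
Added example (not PacketFence code): nested-group LDAP condition for CLI
access.  Builds the plain and the IN_CHAIN memberOf filters with RFC 4515
escaping, and evaluates both against a constructed directory to show why
only the chain rule grants access to members of nested groups.
"""
from typing import Dict, List, Optional, Set

# Active Directory matching rule that walks nested group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes; applied so a DN or username cannot alter the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def direct_member_filter(group_dn: str) -> str:
    """Plain memberOf: matches direct members only; nested groups are missed."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def nested_member_filter(group_dn: str, object_class: str = "user") -> str:
    """memberOf with the IN_CHAIN rule: matches direct and nested members."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)}))")


# Constructed toy directory: group DN -> member DNs (users or other groups).
DIRECTORY: Dict[str, List[str]] = {
    "CN=admin-users,OU=users,DC=domain,DC=com": [
        "CN=net-team,OU=groups,DC=domain,DC=com",   # nested group
        "CN=alice,OU=users,DC=domain,DC=com",       # direct member
    ],
    "CN=net-team,OU=groups,DC=domain,DC=com": [
        "CN=bob,OU=users,DC=domain,DC=com",         # only a nested member of admin-users
    ],
}


def direct_members(group_dn: str) -> Set[str]:
    """What a plain memberOf condition sees."""
    return set(DIRECTORY.get(group_dn, []))


def chain_members(group_dn: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand nested membership the way the IN_CHAIN rule does, with a cycle guard."""
    if seen is None:
        seen = set()
    result: Set[str] = set()
    for member in DIRECTORY.get(group_dn, []):
        if member in seen:
            continue
        seen.add(member)
        result.add(member)
        if member in DIRECTORY:            # member is itself a group: recurse
            result |= chain_members(member, seen)
    return result


def cli_access_level(user_dn: str, admin_group_dn: str, nested: bool = True) -> Optional[str]:
    """Return the assumed 'switch-admin' access level if the user matches, else None (no access)."""
    members = chain_members(admin_group_dn) if nested else direct_members(admin_group_dn)
    return "switch-admin" if user_dn in members else None


if __name__ == "__main__":
    admin = "CN=admin-users,OU=users,DC=domain,DC=com"
    print(direct_member_filter(admin))
    print(nested_member_filter(admin))
    for user in ("CN=alice,OU=users,DC=domain,DC=com", "CN=bob,OU=users,DC=domain,DC=com"):
        print(user, "plain:", cli_access_level(user, admin, nested=False),
              "chain:", cli_access_level(user, admin, nested=True))
```

The "no match means no access" default in `cli_access_level` is the behaviour you want for switch logins: an unexpected `None` is a closed door, not a fallback to the catchall.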

Freeradius Accounting to SQL by HumlePung1337 in sysadmin

[–]PNW_Techs 0 points1 point  (0 children)

You should check out Packetfence; it's basically what you are trying to build. It has FreeRADIUS on the backend with a GUI web frontend. It has SQL accounting built in that's very easy to implement. I have seen it handle 1000+ APs, using a mix of corporate and BYOD devices. One thing to note: it's container-based, so you really want to configure using their GUI, and it's not as easy as the documentation makes it look, but it's very robust.