From: Ludovic M. <lma...@in...> - 2009-09-25 20:05:58
Peter Bates wrote:
> Hello all...
>
> We probably have an unusual need/deployment method for Packetfence.
>
> We've spent some time setting up our systems (wireless APs, wired switches)
> to participate in 'eduroam' <http://www.eduroam.org> to allow access for users
> from other institutions - and vice versa.
>
> Wireless access is controlled by 802.1x and FreeRADIUS behind the
> SSID 'eduroam', as per the requirements.
>
> Since deploying this system we've noted a few users (local in our case)
> who clearly have infections (Conficker, etc.) - and we'd like to move them
> into a dead-end VLAN or deny their access.
>
> We have a Snort sensor at the perimeter noting this traffic - but at the moment
> the logs are monitored by me and we have no 'active response' in the way
> PF handles violations.
>
> Obviously at the moment as well, although we use PF to detect rogue DHCP servers,
> we're not 'registering' anyone - so PF essentially just has a big
> database of MAC addresses of unregistered clients - because they're
> authenticating using 802.1x.
> and how PacketFence captures that?
> Is there anyone out there using PF in this way - specifically with FreeRADIUS 2.x
> or do you handle 'violations' in some other way?

You could use our PacketFence perl module for FreeRADIUS and handle VLAN
assignments there. We do that all the time.

Upon authentication, you push the proper VLAN using RADIUS attributes - which
is handled by the PacketFence perl module. It'll also handle isolation very well
(by pushing, of course, the right VLAN), as PacketFence will send disassociation
commands to the wireless AP/controller where the user is connected (if, of
course, your hardware supports it).

Regards,

--
Ludovic Marcotte
lma...@in... :: +1.514.755.3630 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org)
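The mechanism Ludovic describes (authenticate over 802.1X, then have the RADIUS server return the VLAN for that client, choosing the isolation VLAN when the client has an open violation) is modelled below as an added example. This is illustration code written for this page, not PacketFence's FreeRADIUS perl module nor anything from the thread. It takes Peter's Snort-alert-to-violation pipeline one step further than the thread does: constructed Snort "fast" alert lines are parsed, mapped to a MAC through a constructed IP-to-MAC table (PacketFence would have this from DHCP sniffing), turned into open violations, and the resulting RFC 3580 tunnel attributes are produced. The VLAN numbers, priority threshold, alert lines, SIDs and the IP-to-MAC table are all assumptions made for the example.

```python
"""
Added example (not PacketFence/FreeRADIUS code): decide which VLAN a client
gets at 802.1X authentication time, based on open violations derived from
Snort alerts. Everything below marked "constructed" or "assumption" is made
up for illustration.
"""
import re
from dataclasses import dataclass

NORMAL_VLAN = 100        # assumption: the normal/production VLAN
ISOLATION_VLAN = 666     # assumption: the dead-end VLAN for infected hosts
ISOLATE_AT_PRIORITY = 1  # assumption: only priority-1 alerts open a violation

# Constructed sample alerts in Snort's "fast" alert format (not real captures;
# SIDs are in the local-rule range and the messages are invented).
SAMPLE_ALERTS = """\
09/25-19:58:12.123456  [**] [1:1000001:1] LOCAL Conficker-like SMB probe [**] [Priority: 1] {TCP} 10.20.30.41:49152 -> 192.0.2.10:445
09/25-19:58:40.000001  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] [Priority: 3] {ICMP} 10.20.30.77 -> 192.0.2.1
09/25-19:59:01.500000  [**] [1:1000001:1] LOCAL Conficker-like SMB probe [**] [Priority: 1] {TCP} 10.20.30.41:49153 -> 192.0.2.11:445
"""

# Constructed IP -> MAC table; in a real deployment this comes from the
# DHCP traffic PacketFence already sees (Peter mentions rogue-DHCP detection).
IP_TO_MAC = {
    "10.20.30.41": "00:11:22:33:44:55",
    "10.20.30.77": "00:11:22:33:44:66",
}

# Pulls generator:sid:rev, message, priority and source IP out of a fast-alert line.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->"
)


@dataclass(frozen=True)
class Violation:
    mac: str
    sid: int
    msg: str


def parse_alert(line):
    """Return the fields of one Snort fast-alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "gid": int(m.group("gid")),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "priority": int(m.group("prio")),
        "src": m.group("src"),
    }


def violations_from_alerts(text, ip_to_mac, isolate_at=ISOLATE_AT_PRIORITY):
    """Turn alert lines into open violations keyed by MAC, one per (MAC, SID)."""
    open_violations = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None or a["priority"] > isolate_at:
            continue  # unparseable or not severe enough to isolate
        mac = ip_to_mac.get(a["src"])
        if mac is None:
            continue  # source IP not tied to a known MAC: nothing we can act on
        open_violations.setdefault(mac.lower(), set()).add(
            Violation(mac.lower(), a["sid"], a["msg"])
        )
    return open_violations


def radius_reply_for(mac, open_violations):
    """RFC 3580 tunnel attributes a RADIUS server returns to assign the VLAN.

    These are the standard attribute names from the FreeRADIUS dictionary;
    the switch/controller places the port or session in Tunnel-Private-Group-Id.
    """
    vlan = ISOLATION_VLAN if mac.lower() in open_violations else NORMAL_VLAN
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


if __name__ == "__main__":
    viol = violations_from_alerts(SAMPLE_ALERTS, IP_TO_MAC)
    for mac in IP_TO_MAC.values():
        print(mac, radius_reply_for(mac, viol))
```

Note that the thread's second half, disassociating a client that is already on the air so it re-authenticates into the isolation VLAN, is a separate step (PacketFence does it against the AP/controller) and is deliberately not modelled here; the example only covers what the RADIUS reply has to carry.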