PacketFence network access control (NAC) system:
An open-source NAC system. My company (around 600 to 700 people) is currently running it. Our version is 5.7, while the newest releases are already in the 6.x series.
The main user experience: when a user's computer connects to the network, opening any web page automatically redirects the browser to a login page; only after registering can the user reach the internal network.
Main features:
1. Out-of-band deployment
2. Supports 802.1X or MAB authentication
3. Full support for Cisco 2960 switches, including VLAN assignment
4. Can look up which switch a given IP address or MAC address is connected to
5. Other features are there to discover on your own. Few people in China seem to use this system, and documentation is scarce.
Installation reference (alternatively, download the ready-made virtual machine from the official site):
yum update
yum install mysql*
yum install http*
yum install php*
Disable SELinux.
Create /etc/yum.repos.d/PacketFence.repo with the following content:
[PacketFence]
name=PacketFence Repository
baseurl=http://inverse.ca/downloads/PacketFence/RHEL$releasever/$basearch
gpgcheck=0
(gpgcheck=0 turns off package signature verification for this repository.)
yum install --enablerepo=packetfence packetfence
rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-2.centos6.noarch.rpm
yum install --enablerepo=packetfence packetfence
DHCP (generate a random base64 key for the DHCP configuration):
dd if=/dev/urandom bs=16 count=1 2>/dev/null | openssl enc -e -base64
Example output: cWm+adEfwNaes7VlBoyHdQ==
Enable IP forwarding:
vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Network setup:
DHCP for every segment other than the user segment is served by PacketFence.
VLAN    Address         Netmask          Role            DHCP
vlan1   10.0.x.x        255.255.0.0      Management      DHCP
vlan2   192.168.120.1   255.255.252.0    Registration    DHCP
vlan3   192.168.130.1   255.255.252.0    Isolation       DHCP
vlan4   user segment    -                Normal          DHCP
Cisco 2960 switch configuration:
dot1x system-auth-control
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
aaa new-model
aaa group server radius packetfence
 server 10.0.111.111 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius-server host 192.168.120.1 auth-port 1812 acct-port 1813 timeout 2 key password
radius-server vsa send authentication
snmp-server community public RW
Switch port configuration:
switchport mode access
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
Other things that still need time to investigate:
1. Fallback plan (fail-open): how to handle a NAC system outage: clustering, or configuring a fallback VLAN
2. Automatic user registration: to be investigated
3. LDAP authentication: OK
4. Security scan check on access: configure a Snort server as the integration point
Reposted from: https://blog.51cto.com/lazypaul/1912392
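As an added example that is not from the original notes, from Cisco or from PacketFence, this Python auditor takes the global and port commands from the switch sections above (reproduced inline as sample input) and reports what a reviewer would flag before the switch goes into production: NAC commands missing from a port, the well-known `public` read-write SNMP community, a RADIUS shared secret that is a dictionary word (the `password` in the notes is presumably a placeholder; the auditor treats placeholders the same way), and the absence of a fail-open action for item 1 of the list, the case where the RADIUS server is unreachable. The fail-open check looks for `authentication event server dead action authorize vlan` and its companion `authentication event server alive action reinitialize`, which are the IOS commands for a critical VLAN; whether the 2960 image in use supports them is an assumption to verify.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample input: the global commands from the notes above.
GLOBAL_CONFIG = """
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server 10.0.111.111 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius-server host 192.168.120.1 auth-port 1812 acct-port 1813 timeout 2 key password
radius-server vsa send authentication
snmp-server community public RW
"""

# Constructed sample input: the port commands from the notes above.
PORT_CONFIG = """
switchport mode access
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
"""

# Commands the NAC design in the notes depends on (prefix match).
REQUIRED_GLOBAL = (
    "aaa new-model",
    "dot1x system-auth-control",
    "aaa authentication dot1x default group",
    "aaa authorization network default group",
    "radius-server host",
)
REQUIRED_PORT = (
    "switchport mode access",
    "authentication order dot1x mab",
    "authentication port-control auto",
    "mab",
    "dot1x pae authenticator",
)
# Fail-open (critical VLAN) commands; absent from the notes, where they are listed as to-do.
FAIL_OPEN_DEAD = "authentication event server dead action authorize vlan"
FAIL_OPEN_ALIVE = "authentication event server alive action reinitialize"

WEAK_COMMUNITIES = {"public", "private"}
WEAK_RADIUS_KEYS = {"password", "secret", "cisco", "radius", "key", "123456"}


def _commands(text: str) -> List[str]:
    """Split a config snippet into stripped, non-empty, non-comment lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("!")]


def _missing(cmds: List[str], required, scope: str) -> List[Finding]:
    return [("missing", f"{scope}: '{req}' not configured")
            for req in required if not any(c.startswith(req) for c in cmds)]


def audit_global(text: str) -> List[Finding]:
    cmds = _commands(text)
    findings = _missing(cmds, REQUIRED_GLOBAL, "global")
    for c in cmds:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", c)
        if m:
            name, mode = m.group(1), m.group(2) or "RO"
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(("high", f"global: SNMP community '{name}' is a well-known default and grants {mode}"))
            elif mode == "RW":
                findings.append(("medium", f"global: SNMP community '{name}' is read-write; restrict it with an ACL"))
        m = re.match(r"radius-server host (\S+).*\bkey (\S+)$", c)
        if m and m.group(2).lower() in WEAK_RADIUS_KEYS:
            findings.append(("high", f"global: RADIUS shared secret for {m.group(1)} is a dictionary word or placeholder"))
    return findings


def audit_port(text: str) -> List[Finding]:
    cmds = _commands(text)
    findings = _missing(cmds, REQUIRED_PORT, "port")
    if not any(c.startswith(FAIL_OPEN_DEAD) for c in cmds):
        findings.append(("info", f"port: no fail-open action for a dead RADIUS server ('{FAIL_OPEN_DEAD} <id>')"))
    elif not any(c.startswith(FAIL_OPEN_ALIVE) for c in cmds):
        findings.append(("medium", f"port: fallback VLAN set but '{FAIL_OPEN_ALIVE}' is missing, "
                                   "so sessions in the fallback VLAN are not re-authenticated when RADIUS recovers"))
    return findings


def audit(global_text: str, port_text: str) -> List[Finding]:
    return audit_global(global_text) + audit_port(port_text)


if __name__ == "__main__":
    for severity, message in audit(GLOBAL_CONFIG, PORT_CONFIG):
        print(f"[{severity:>7}] {message}")
```

The prefix checks are deliberately loose (any `mab` form, any `radius-server host` line) so the script can be pointed at a `show running-config` dump of every access port; the two "high" findings it raises on the notes' own configuration are the ones to resolve before the switch is reachable from the user VLAN.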