forked from inverse-inc/packetfence
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.network-devices
365 lines (323 loc) · 21 KB
/
README.network-devices
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
================
Wireless support
================
There are two approaches to wireless networks. One where a controller handles
the Access Points (AP) and one where AP act individually. PacketFence supports
both approaches.
Wireless controllers
--------------------
When using a controller, it does not matter to PacketFence what individual AP
are supported or not. As long as the AP itself is supported by your controller
and that your controller is supported by PacketFence it will work fine.
Packetfence supports the following wireless controllers:
- AeroHIVE AP Series
- Aruba Networks (200, 600 Series, 800, 2400, 3000 Series, 6000)
- Avaya Wireless Controllers
- Brocade RF Switches (Controllers)
- Cisco Wireless Services Module (WiSM, WiSM2)
- Cisco WLC (2100, 2500, 4400, 5500)
- Dlink DWS 3026
- Extricom EXSW Wireless Switches (Controllers)
- HP ProCurve MSM710 Mobility Controller
- Meru Networks Wireless controllers
- Motorola RF Switches (Controllers)
- Ruckus Wireless Controllers
- Trapeze Wireless Controllers
- Xirrus WiFi Arrays
Access points
-------------
Some Access Points behave the same if they are attached to a controller or not.
Because of that you might want to try a controller module if a controller from
the same vendor is supported in the list above.
Packetfence supports the following access points:
- AeroHIVE AP Series
- Belair Networks AP
- Cisco 1130AG
- Cisco 1240AG
- Cisco 1250
- Cisco Aironet in WDS mode
- Dlink DWL Access Points
- HP ProCurve
- Xirrus WiFi Arrays
Wireless hardware not on the list?
----------------------------------
Eventhough this list is small, PacketFence may support many other access points
as long as they have the following features:
- Definition of several SSID with several VLANs inside every SSID (minimum
of 2 VLANs per SSID)
- RADIUS authentication (MAC Authentication / 802.1X)
- Dynamic VLAN assignment through RADIUS attributes
- A means to de-associate or de-authenticate a client through CLI (Telnet or
SSH), SNMP, RADIUS Dyn-Auth* or WebServices
Most of these features work out of the box for enterprise grade Access Points
or Controllers. Where the situation starts to vary is for de-authentication
support.
- CLI (SSH or Telnet)
An error prone interface and requires preparation for the SSH access or is
insecure for Telnet. Not recommended if you can avoid it.
- SNMP
SNMP de-authentication works well when available. However Vendor support is
not consistent and the OID to use are not standard.
- RADIUS Dynamic Authorization (RFC3576)
RADIUS Dynamic Authorization also known as RADIUS Change of Authorization (CoA)
or RADIUS Disconnect Messages is supported by PacketFence starting with version 3.1.
When supported it is the preferred technique to perform de-authentication.
It is standard and requires less configuration from the user.
Wireless deauthentication support
---------------------------------
| SSH / | | |
| Telnet | SNMP | RADIUS* |
-----------------------------|----------|----------|----------|
AeroHIVE AP | xx | -- | XX |
-----------------------------|----------|----------|----------|
Aruba | xx | -- | XX |
-----------------------------|----------|----------|----------|
Avaya WC | -- | XX | -- |
-----------------------------|----------|----------|----------|
Belair Networks | -- | -- | XX |
-----------------------------|----------|----------|----------|
Brocade RF Switches | -- | xx | XX |
-----------------------------|----------|----------|----------|
Cisco Aironet | XX | -- | -- |
-----------------------------|----------|----------|----------|
Cisco Aironet (WDS) | -- | -- | XX |
-----------------------------|----------|----------|----------|
Cisco WiSM | -- | xx | XX |
-----------------------------|----------|----------|----------|
Cisco WiSM2 | -- | xx | XX |
-----------------------------|----------|----------|----------|
Cisco WLC 2100 Series | xx | -- | XX |
-----------------------------|----------|----------|----------|
Cisco WLC 2500 Series | -- | xx | XX |
-----------------------------|----------|----------|----------|
Cisco WLC 4400 Series | -- | xx | XX |
-----------------------------|----------|----------|----------|
Cisco WLC 5500 Series | -- | xx | XX |
-----------------------------|----------|----------|----------|
Dlink DWL | -- | XX | -- |
-----------------------------|----------|----------|----------|
Dlink DWS | -- | XX | -- |
-----------------------------|----------|----------|----------|
Extricom EXSW | -- | XX | -- |
-----------------------------|----------|----------|----------|
HP ProCurve MSM | -- | XX | -- |
-----------------------------|----------|----------|----------|
Meru Networks | XX | -- | -- |
-----------------------------|----------|----------|----------|
Motorola RF Switches | -- | xx | XX |
-----------------------------|----------|----------|----------|
Ruckus Wireless controllers | -- | -- | XX |
-----------------------------|----------|----------|----------|
Trapeze Wireless controllers | XX | -- | -- |
-----------------------------|----------|----------|----------|
Xirrus WiFi Arrays | -- | XX | -- |
-----------------------------|----------|----------|----------|
X: Supported and in use
x: supported, disabled by default
*: RADIUS Dynamic Authorization (RFC 3576) Change of Authorization (CoA) or
Disconnect-Messages (DM aka PoD)
========
Switches
========
Currently, PacketFence supports the following switches:
| /-------- SNMP --------\ | /-- RADIUS --\ |
| Link Up | MAC | Port | | |
| Down | Notif. | Security | MAC Auth | 802.1X |
-----------------------------|----------|----------|----------|----------|--------|
3COM E4800G | XX | -- | ?? | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
3COM E5500G | XX | -- | ?? | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
3COM NJ220 | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
3COM SS4200 | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
3COM SS4500 | XX | -- | ?? | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
3COM Switch 4200G | XX | -- | -- | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Accton ES3526XA | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Accton ES3528M | XX | -- | -- | -- | ?? |
-----------------------------|----------|----------|----------|----------|--------|
Allied Telesis AT8000GS | -- | -- | -- | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Amer SS2R24i | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Avaya (see Nortel) | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Brocade 6400 Series | -- | -- | -- | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 2900XL Series | XX | XX | -- | ?? | ?? |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 2950 | XX | XX | XX | -- | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 2960/2970 | XX | XX | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 3500XL Series | XX | XX | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 3550 | XX | XX | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 3560 | XX | XX | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 3750 | XX | XX | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 4500 Series | XX | XX | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Cisco 6500 Series | ?? | ?? | XX | ?? | ?? |
-----------------------------|----------|----------|----------|----------|--------|
Cisco ISR 1800 Series | XX | -- | -- | ?? | ?? |
-----------------------------|----------|----------|----------|----------|--------|
Dell PowerConnect 3424 | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Dlink DES3526 | XX | XX | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Dlink DES3550 | XX | XX | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Dlink DGS3100 | -- | -- | -- | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Dlink DGS3200 | -- | -- | -- | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Enterasys D2 | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Enterasys Matrix N3 | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Enterasys SecureStack C2 | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Enterasys SecureStack C3 | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
ExtremeNetworks Summit | XX | -- | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Foundry FastIron 4802 | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
H3C S5120 | -- | -- | -- | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
HP E4800G | XX | -- | ?? | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
HP E5500G | XX | -- | ?? | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
HP ProCurve 2500 Series | XX | -- | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
HP ProCurve 2600 Series | XX | -- | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
HP ProCurve 3400cl Series | XX | -- | XX | ?? | ?? |
-----------------------------|----------|----------|----------|----------|--------|
HP ProCurve 4100 Series | XX | -- | XX | ?? | ?? |
-----------------------------|----------|----------|----------|----------|--------|
HP ProCurve 5300 Series | XX | -- | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
HP ProCurve 5400 Series | XX | -- | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Intel Express 460 | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Intel Express 530 | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Juniper EX Series | -- | -- | -- | XX | -- |
-----------------------------|----------|----------|----------|----------|--------|
LG-Ericsson iPECS ES-4500G | XX | -- | XX | XX | XX |
-----------------------------|----------|----------|----------|----------|--------|
Linksys SRW224G4 | XX | -- | -- | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Netgear FSM726v1 | -- | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
Netgear GS110 | XX | -- | -- | -- | ?? |
-----------------------------|----------|----------|----------|----------|--------|
Nortel BayStack 470 | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel BayStack 4550 | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel BayStack 5500 Series | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel ERS 2500 Series | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel ERS 4000 Series | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel ERS 5000 Series | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel ES325 | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
Nortel BPS2000 | XX | -- | XX | ?? | XX |
-----------------------------|----------|----------|----------|----------|--------|
SMC TS6128L2 | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
SMC TS6224M | XX | -- | ?? | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
SMC SMC8824M - SMC8848M | XX | -- | XX | -- | -- |
-----------------------------|----------|----------|----------|----------|--------|
LinkUp/Down traps
-----------------
- the switch sends a LinkUp trap when the port ifOperStatus is set to 1
- the switch sends a LinkDown trap when the port ifOperStatus is set to 0
This is the most basic setup and it needs a VLAN called the MAC detection VLAN.
There should be nothing in this VLAN (no DHCP server) and it should not be
routed anywhere, it is just an empty VLAN.
When a host connects to a switch port, the switch sends a LinkUp trap to
PacketFence. Since it takes some time before the switch learns the MAC address
of the newly connected device, PacketFence immediately puts the port in the MAC
detection VLAN in which the device will send DHCP requests (with no answer) in
order for the switch to learn its MAC address. Then pfsetvlan will send
periodical SNMP queries to the switch until the switch learns the MAC of the
device. When the MAC address is known, pfsetvlan checks its status (existing?
registered ?, any violations ?) in the database and puts the port in the
appropriate VLAN. When a device is unplugged, the switch sends a LinkDown
trap to PacketFence which puts the port into the MAC detection VLAN.
IMPORTANT:
When a computer boots, the initialization of the NIC generates several link
status changes. And every time the switch sends a linkup and a linkdown trap to
PacketFence. Since PacketFence has to act on each of these trap, this generates
unfortunately some unnecessary load on pfsetvlan. In order to optimize the trap
treatment, PacketFence stops every thread for a LinkUp trap when it receives a
LinkDown trap on the same port. But using only LinkUp/LinkDown traps is not the
most scalable option. For example in case of power failure, if hundreds of
computers boot at the same time, PacketFence would receive a lot of traps almost
instantly and this could result in network connection latency…
MAC notification traps
----------------------
If your switches support MAC notification traps (MAC learnt, MAC removed), we
suggest that you activate them in addition to the LinkUp/LinkDown traps. This
way, pfsetvlan does not need, after a link up trap, to query the switch
continuously until the MAC has finally been learned. When it receives a LinkUp
trap for a port on which MAC notification traps are also enabled, it only needs
to put the port in the MAC detection VLAN and can than free the thread. When the
switch learns the MAC address of the device it sends a MAC learnt trap
(containing the MAC address) to PacketFence.
Port Security traps
-------------------
In its most basic form, the Port Security feature remembers the MAC address
connected to the switch port and allows only that MAC address to communicate on
that port. If any other MAC address tries to communicate through the port, port
security will not allow it and send a port-security trap.
If your switches support this feature, we strongly recommend to use it rather
than LinkUp/LinkDown and/or MAC notifications. Why ? Because as long as a MAC
address is authorized on a port and is the only one connected, the switch will
send no trap whether the device reboots, plugs in or unplugs. This drastically
reduces the SNMP interactions between the switches and PacketFence.
NOTE:
When you enable port security traps you should not enable LinkUp/LinkDown nor
MAC notification traps.
802.1X
------
802.1X provides port-based authentication, which involves communications between
a supplicant, authenticator, and authentication server. The supplicant is often
software on a client device, such as a laptop, the authenticator is a wired
Ethernet switch or wireless access point, and an authentication server is
generally a RADIUS database.
The supplicant (i.e., client device) is not allowed access through the
authenticator to the network until the supplicant’s identity is authorized.
With 802.1X port-based authentication, the supplicant provides credentials, such
as user name / password or digital certificate, to the authenticator, and the
authenticator forwards the credentials to the authentication server for
verification. If the credentials are valid (in the authentication server
database), the supplicant (client device) is allowed to access the network.
==================================
Hardware apparently not supported?
==================================
Your network hardware is not on these lists? Chances are that it works with a
similar module already. Try this first and if it does work, let us know what
module you used on what hardware and your firmware version. You can
communicate that information to us by filing a ticket in our bug tracking
system under the category 'hardware modules':
http://www.packetfence.org/bugs/bug_report_page.php
Otherwise, we are always interested in adding new hardware support into
PacketFence. Please contact us at info@inverse.ca or via our web form:
http://www.inverse.ca/english/about/contact.html#c1538