PacketFence network access control (NAC) system:
Open-source NAC. My company has about 600-700 people and is using it. Our version is 5.7; the latest releases are already 6.x.
Main user experience: when a user's computer connects to the network, opening any web page redirects to a captive-portal login page; only after registering does the device get access to the internal network.
Main features:
1. Out-of-band deployment (PacketFence sits beside the traffic path, not inline; it enforces through the switches via RADIUS/SNMP rather than by forwarding packets)
2. Supports 802.1X or MAB (MAC Authentication Bypass) authentication
3. Works well with Cisco 2960 switches; can assign a VLAN per port based on the authentication result
4. Can look up which switch and port an IP address or MAC address is on
5. Other features you can discover yourself. Few people in China seem to use this system, and documentation is scarce.
Installation reference (or simply download the prebuilt virtual machine from the official site):
- yum update
- yum install mysql*
- yum install http*
- yum install php*
- yum install
- disable SELinux
- Either create /etc/yum.repos.d/PacketFence.repo with the following content:
- [PacketFence]
- name=PacketFence Repository
- baseurl=http://inverse.ca/downloads/PacketFence/RHEL$releasever/$basearch
- gpgcheck=0
- yum install --enablerepo=packetfence packetfence
- or install the release RPM, which sets the repository up for you, and then install the package:
- rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-2.centos6.noarch.rpm
- yum install --enablerepo=packetfence packetfence
Two caveats on the manual repo file: the repo id in square brackets must match the name passed to --enablerepo (yum repo ids are case-sensitive, so use [packetfence] if you enable "packetfence"), and gpgcheck=0 over a plain http:// mirror means the packages are never signature-checked. Prefer the release-RPM path and leave GPG checking enabled so the NAC server itself is not the weak link in the supply chain.
- DHCP: generate a random base64 key (used for the DHCP server's OMAPI key in the PacketFence configuration):
- dd if=/dev/urandom bs=16 count=1 2>/dev/null | openssl enc -e -base64
- example output: cWm+adEfwNaes7VlBoyHdQ== (generate your own; a key that has been written down in a note is no longer a secret)
- vi /etc/sysctl.conf, enable IP forwarding so the server can route the registration/isolation networks, then apply with sysctl -p:
- # Controls IP packet forwarding
- net.ipv4.ip_forward = 1
Network setup:
DHCP for every segment except the user VLAN is served by PacketFence.
- vlan1  10.0.x.x       255.255.0.0    Management   DHCP
- vlan2  192.168.120.1  255.255.252.0  Registration DHCP
- vlan3  192.168.130.1  255.255.252.0  Isolation    DHCP
- vlan4  user VLAN, DHCP from the normal (existing) DHCP server
Cisco 2960 switch configuration (global):
- aaa new-model
- aaa group server radius packetfence
- server 10.0.111.111 auth-port 1812 acct-port 1813
- aaa authentication login default local
- aaa authentication dot1x default group packetfence
- aaa authorization network default group packetfence
- radius-server host 192.168.120.1 auth-port 1812 acct-port 1813 timeout 2 key password
- radius-server vsa send authentication
- dot1x system-auth-control
- snmp-server community public RW
Notes:
- aaa new-model must be entered before the other aaa commands, otherwise they are rejected.
- The note lists two different RADIUS addresses (10.0.111.111 in the server group, 192.168.120.1 in radius-server host). Both must point at the same PacketFence address, the one the switch can reach, which is normally the management interface; the radius-server host entry is the one that is actually used.
- "key password" is a placeholder. Use a long random shared secret and enter the same value in the switch definition in PacketFence.
- "snmp-server community public RW" gives anyone who can reach the switch's management address full write access with the default community string. Use a non-default community name and restrict it with an access list (snmp-server community <name> RW <acl>).
- The original note also mixed the interface-level commands (switchport mode access through dot1x timeout tx-period 3) into the global block. They are the same as the per-port configuration below, except that the global copy used "authentication timer reauthenticate 7200".
Switch port (interface) configuration:
- switchport mode access
- authentication host-mode multi-domain
- authentication order dot1x mab
- authentication priority dot1x mab
- authentication port-control auto
- authentication periodic
- authentication timer restart 10800
- authentication timer reauthenticate 10800
- mab
- no snmp trap link-status
- dot1x pae authenticator
- dot1x timeout quiet-period 2
- dot1x timeout tx-period 3
With this configuration the port tries 802.1X first and falls back to MAB for devices that cannot do 802.1X (printers, phones); multi-domain host mode allows one data and one voice device per port. The short quiet-period and tx-period values make the fallback to MAB fast at the cost of more RADIUS traffic. Any access port that is missing "authentication port-control auto" or "mab"/"dot1x pae authenticator" is simply open, so audit every port, not only the ones that were configured by hand.
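To turn that last point into a check, here is an added example (my own code, not part of the original note and not a PacketFence tool) that parses a Cisco IOS running-config and reports access ports that lack the 802.1X/MAB enforcement commands above, together with the global-level problems discussed earlier: missing aaa new-model / dot1x system-auth-control, a default or read-write SNMP community, a placeholder RADIUS key, and RADIUS addresses that disagree between the server group and the radius-server host line. The config text embedded below is constructed for the example; in practice you feed it the output of "show running-config".

```python
import re

# Constructed sample running-config: one compliant port (Gi0/1), one access
# port that never had 802.1X enabled (Gi0/2), one trunk, and a global section
# with the same weaknesses as the note above.
SAMPLE_CONFIG = """\
!
aaa new-model
aaa group server radius packetfence
 server 10.0.111.111 auth-port 1812 acct-port 1813
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
dot1x system-auth-control
!
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 10800
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport mode access
 description printer, dot1x never enabled
!
interface GigabitEthernet0/3
 switchport mode trunk
!
radius-server host 192.168.120.1 auth-port 1812 acth-port 1813 timeout 2 key password
radius-server vsa send authentication
snmp-server community public RW
!
"""

# Without these per-port commands the port is effectively unauthenticated.
REQUIRED_PORT_CMDS = (
    "authentication port-control auto",
    "authentication order dot1x mab",
    "mab",
    "dot1x pae authenticator",
)
REQUIRED_GLOBAL_CMDS = ("aaa new-model", "dot1x system-auth-control")
PLACEHOLDER_KEYS = ("password", "secret", "radius", "key")


def parse_config(text):
    """Split an IOS config into (global_lines, {interface: [commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' terminates an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # indented lines outside interfaces (e.g. aaa group) are global
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_ports(interfaces):
    """Return {port: [missing commands]} for access ports without enforcement."""
    findings = {}
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for 802.1X here
        missing = [c for c in REQUIRED_PORT_CMDS if c not in cmds]
        if missing:
            findings[name] = missing
    return findings


def _addresses(global_lines, pattern):
    found = set()
    for line in global_lines:
        m = re.match(pattern, line)
        if m:
            found.add(m.group(1))
    return found


def audit_global(global_lines):
    """Return a list of global-level finding strings."""
    findings = ["missing: " + c for c in REQUIRED_GLOBAL_CMDS if c not in global_lines]
    for line in global_lines:
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)", line)
        if m and (m.group(1) in ("public", "private") or m.group(2) == "RW"):
            findings.append("weak SNMP community: " + line)
        m = re.search(r"^radius-server host .*\bkey (\S+)$", line)
        if m and m.group(1).lower() in PLACEHOLDER_KEYS:
            findings.append("placeholder RADIUS key: " + line)
    # Servers listed in the aaa group but not as radius-server host, or vice
    # versa, are the inconsistency the note above shows.
    group_hosts = _addresses(global_lines, r"server (\d+\.\d+\.\d+\.\d+)")
    host_hosts = _addresses(global_lines, r"radius-server host (\d+\.\d+\.\d+\.\d+)")
    findings.extend("RADIUS server mismatch: " + ip for ip in sorted(group_hosts ^ host_hosts))
    return findings


def audit(text):
    global_lines, interfaces = parse_config(text)
    return {"global": audit_global(global_lines), "ports": audit_ports(interfaces)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for f in report["global"]:
        print("GLOBAL:", f)
    for port, missing in report["ports"].items():
        print(f"{port}: missing {', '.join(missing)}")
```

Run it against the real config by reading "show running-config" into a string and calling audit() on it; the port check deliberately ignores trunks, so uplinks to other switches must be reviewed separately.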
Other things that need more study:
1. Fail-open / escape plan: what happens to users when the NAC system is down. Options are a PacketFence cluster, or a fallback VLAN on the switches. On Cisco IOS the latter is the inaccessible-authentication-bypass feature ("authentication event server dead action authorize vlan <id>" plus "authentication event server alive action reinitialize" on the port); decide explicitly whether a dead RADIUS server should fail open into the user VLAN or fail closed, because fail-open is also what an attacker gets by flooding or cutting off the RADIUS server.
2. Automatic user registration: to be studied.
3. LDAP authentication: working.
4. Security scan on access: configure a Snort server as the interface (PacketFence can isolate a device when the IDS raises an alert for it).
Source: http://www.bubuko.com/infodetail-2005293.html