Wednesday, April 3, 2019

Anyone have any design experience with PacketFence?

I've been keeping my eyes open for a NAC replacement... would potentially go with ISE but we don't have the licenses or money for it right now. We may pursue it in the future but I'm spending some time finding alternatives to what we have now that will allow us to continue moving forward with features. PacketFence has caught my eye. I've been really impressed with the feature set and the number update schedule.

We're using a RADIUS-based NAC for both wired and wireless access in our Residence Halls (as well as our academic wireless and guest networks) currently but not doing full 802.1x. Mostly it is MAB with devices auto-classifying based on a combination of fingerprinting factors. Devices that don't get classified currently require a call to our support center, at which point we manually register them. Wireless is all Cisco and wired is mostly Cisco with a few Dell 6248 switches.

I'd like to move forward with 802.1x, MAB fallback with a portal sign-in page for devices that can't do 802.1x, and perhaps a self-registration portal so students can register devices that aren't capable of 802.1x and don't have a web browser. The goal would be for all devices to have a user-id associated with them and the ability for the students to self-manage their devices. I'd like to avoid requiring an install of a policy key on the end-user devices if possible. Also, I'm thinking a Layer 3 deployment would fit our needs better, so the PacketFence server would probably be on a DC network somewhere using our existing DNS and DHCP services. IPv6 support would be great at some point as well.

I'm wondering if anyone with PacketFence has experience with such a deployment? If so, is this a reasonable deployment plan or am I looking at it incorrectly or outside the feature set?

Thanks in advance!


