Wireless security - Packetfence advice etc

[Fivetwelve]

Hi guys

Firstly - congrats on a great forum. I've been "lurking in the shadows" for a while reading some resources and it's great. Some really helpful, friendly and knowledgeable guys out there amongst you! But now I think the time has come to create a post and ask for a bit of advice.

At the high school where I'm working, they are taking the big step of introducing Wifi access. I've rolled this out with IAS authentication and it works great with staff authenticating against their AD account with their school laptops. I did this with help from some posts on this forum by the way!

However they want to take the next step of allowing 6th form students wifi access. Obviously I wouldn't want to just allow AD authentication as the security risk from unmanaged student laptops is astronomical.

I could go down the VLAN route but to be honest I don't see the point as a new school is being built and will be open in 12 months with all new kit, so there's not much point in investing in decent Layer 3 switches to cope.

Instead, I've read recommendations about PacketFence, and I'm interesting in getting this set up in ARP poisoning mode so it handles authentication of student laptops on the Wireless APs that way however I'm at a loss as to configuring this. I've read the documentation but, unless I'm missing something, I can't find how to configure this in ARP mode. The doc seems to only cover VLAN mode.

Can anyone spare any information as to configuring this and even better, point me to some online guide or resource that could help?

Many thanks in advance for any advice you may be able to spare.

[Geoff]

Code:

network.mode=arp

[Fivetwelve]

Code:

network.mode=arp

Cheers Geoff - I completely missed that!

My next question would be - currently we are in a NAC free environment, so if I configure PF, will there be chaos as every device on the network tries to register/authenticate itself? Or can I just allow everything as normal except for joining wireless clients?

Many thanks

[Geoff]

Only if you enable trapping. If you don't it'll just tell you what would of happened. One thing in particular you must do is white list your servers/switches/network printers.

[Fivetwelve]

Yeah that goes without saying. Wouldn't device registration etc play hell with XP clients logging onto the domain? E.g. all traffic is blocked until it's registered through the web page. Can it just be logged on as an admin and registered once for that MAC address?

[Geoff]

Indeed you can, probably with a really long expiry (like months). you may wish to look at the 'pfcmd node' stuff. It's all in there.

[Fivetwelve]

Thanks Geoff, you've been fantastic. I've downloaded the ZEN VMware image for PacketFence so I'll have a play with that with trapping disabled first and see how I get on.