
PacketFence version 1.7.5
Installation Guide

Copyright 2008 Inverse inc. (http://inverse.ca) Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". Version 1.7.5 - December 2008

Contents

1 About this Guide
2 System Requirements
    Assumptions
    Minimum Hardware Requirements
    Operating System Requirements
3 Installation
    OS Installation
    Software Download
    Software Installation
4 Configuration
    General Configuration
    Apache Configuration
    Authentication (Flat file, LDAP, Radius)
    VLAN isolation
    Violations
    Starting Services
5 Testing
    PacketFence Web Interface
    VLAN Isolation
6 Additional Information
7 Commercial Support and Contact Information
8 GNU Free Documentation License

1 About this Guide

This guide will walk you through the installation and configuration of the PacketFence solution. It covers VLAN isolation setup. The instructions are based on version 1.7.5 of PacketFence. The latest version of this guide is available online at http://inverse.ca/uploads/docs/PacketFence_Installation_Guide.pdf.

2008 Inverse inc.


2 System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL)
- Web server (Apache)

Depending on your setup you may have to install additional components like:
- DHCP server (ISC DHCP)
- DNS server (BIND)
- NIDS (Snort)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on. A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation and configuration of these requirements before continuing with this guide.

The following table provides recommendations for the required components, together with version numbers:

Component       Recommended version
MySQL server    MySQL 4.1 or 5.1
Web server      Apache 2
ISC DHCP        DHCP 3
ISC BIND        BIND 9
Snort           Snort 2.8

More recent versions of the software mentioned above can also be used.


Minimum Hardware Requirements

The following table provides hardware recommendations for the server and desktops:

Server
- Intel or AMD CPU, 3 GHz
- 2048 MB of RAM
- 20 GB of disk space (RAID 1)
- 3 network cards


Operating System Requirements

Currently PacketFence 1.7.5 supports the following 32-bit operating systems:
- Red Hat Enterprise Linux 5.0 Server
- Community ENTerprise Operating System (CentOS) 5.0

Make sure the required components are started automatically at boot time (except Snort, which is controlled by PacketFence) and that they are running before proceeding with the PacketFence configuration. Also make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux 5, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation. Other distributions such as Debian and Fedora are known to work but this document won't cover them.


3 Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install CentOS 5 or Red Hat Enterprise Linux 5 with a minimal installation and no additional packages. Then:
- Enable the firewall
- Disable SELinux

Some PacketFence dependencies are available through the DAG repository (http://dag.wieers.com/), so you need to configure yum to use it. First import the DAG RPM GPG key:

    rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

Then install the latest version of the RPMForge package (http://dag.wieers.com/rpm/packages/rpmforge-release/):

    rpm -i rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Before you continue with the installation we recommend that you go through the section "1.1 Priorities" (http://wiki.centos.org/AdditionalResources/Repositories/RPMForge) in order to protect your base repository. Update your package repository database and your system:

    yum update


Software Download

Download the PacketFence package for CentOS 5 from the PacketFence web site (http://www.packetfence.org/download/releases.html).

Software Installation

We recommend that you install PacketFence with yum, since yum will satisfy all possible dependencies for you:

    yum --nogpgcheck install packetfence-1.7.5-1.el5.noarch.rpm

If you install PacketFence without yum, you have to install the following dependencies first: chkconfig, coreutils, glibc-common, grep, httpd, iproute, libpcap, libxml2, mod_ssl, mysql, net-snmp, openssl, php, php-gd, sed, tar, wget, zlib, zlib-devel, perl (>= 5.8.0), perl-Apache-Htpasswd, perl-Config-IniFiles, perl-CGI, perl-CGI-Session, perl-Date-Parse, perl-DBD-MySQL, perl-File-Spec, perl-File-Tail, perl-Locale-gettext, perl-LWP-UserAgent, perl-Net-Appliance-Session, perl-Log-Log4perl (>= 1.11), perl-Net-MAC, perl-Net-MAC-Vendor, perl-Net-Netmask, perl-Net-Pcap (>= 0.16), perl-Net-RawIP (0.2), perl-Net-SNMP, perl-Net-Telnet, perl-Parse-RecDescent, perl-RRDs, perl-suidperl, perl-Template, perl-Term-ReadKey, perl-Thread-Pool, perl-Time-HiRes.

Add perl-Net-RawIP to the list of packages to exclude from your package manager updates. For yum, edit /etc/yum.conf and add the following line:

    exclude=perl-Net-RawIP

Update line 756 of /usr/lib/perl5/vendor_perl/5.8.8/Net/Telnet/Cisco.pm:

    return wantarray ? split /$/m, $o : $o; # ORS instead?

Install the IPTables::IPv4 perl module using CPAN:

    perl -MCPAN -e 'install IPTables::IPv4'

and update line 5 of /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/IPTables/IPv4.pm:

    my @IPv4;

Set the timezone in /etc/php.ini. For example:

    date.timezone="America/Montreal"

Execute the installer at /usr/local/pf/installer.pl and follow the instructions. Once completed, PacketFence will be fully installed on your server. You are now ready to configure it.


4 Configuration

In this section, you'll learn how to configure PacketFence with VLAN isolation. PacketFence will use MySQL, Apache, ISC DHCP and ISC DNS. As previously mentioned, we assume that those components run on the same server on which PacketFence is being installed.

General Configuration

Execute the configurator at /usr/local/pf/configurator.pl to configure PacketFence according to your needs.

Apache Configuration

The PacketFence configuration for Apache is located in /usr/local/pf/conf/templates/httpd.conf.

Upon PacketFence installation, a default configuration file is created which is suitable for most configurations. SSL is enabled by default to secure access. Remember that SELinux must be disabled.

Authentication (Flat file, LDAP, Radius)

PacketFence can authenticate users that register devices using a flat file, an LDAP server or a Radius server.

Flat file

By default, PacketFence looks into /usr/local/pf/conf/user.conf to find users allowed to register devices. If you want to use a different file, edit /usr/local/pf/conf/authentication/local.pm and change the following parameter:

    my $passwdFile = '/usr/local/pf/conf/user.conf';

You need to encrypt the password of each user with htpasswd like this:

    htpasswd /usr/local/pf/conf/user.conf newuser

Enter the password twice.

LDAP

Edit /usr/local/pf/conf/authentication/ldap.pm and make the necessary changes to the following parameters:

    my $LDAPUserBase = "ou=People,dc=domain,dc=edu";
    my $LDAPUserKey = "uid";
    my $LDAPUserScope = "one";
    my $LDAPBindDN = "cn=ldapuser,dc=domain,dc=edu";
    my $LDAPBindPassword = "password";
    my $LDAPServer = "127.0.0.1";

Radius

Edit /usr/local/pf/conf/authentication/radius.pm and make the necessary changes to the following parameters:

    my $RadiusServer = 'localhost';
    my $RadiusSecret = 'testing123';

Selecting an Authentication Method

To configure authentication, set the [registration].auth option in /usr/local/pf/conf/pf.conf:

    auth=local,ldap,radius

If more than one method is specified, PF will display a pull-down list to allow users to select the preferred authentication method.


VLAN isolation

Assumptions

Throughout this configuration example we use the following assumptions for our network infrastructure:
- There are two different types of manageable switches in our network: Cisco Catalyst 2900XL and Cisco Catalyst 2960
- VLAN 1 is the "regular" VLAN
- VLAN 2 is the registration VLAN (unregistered devices will be put in this VLAN)
- VLAN 3 is the isolation VLAN (isolated devices will be put in this VLAN)
- VLAN 4 is the MAC detection VLAN (empty VLAN)
- VLANs 2 and 3 are spanned throughout the network
- VLAN 4 must be defined on all the switches that do not support port-security (in our example the Catalyst 2900XL does not support port-security with static MAC addresses). There is no need to put it in the trunk port.
- We want to isolate computers using Limewire
- We use Snort as NIDS. Refer to the Snort web site for installation and configuration instructions
- Since Snort sees only the IP address of the devices and PacketFence's database is indexed by MAC, we span the DHCP traffic to PacketFence so it always knows the IP-MAC association.
- We use eth1 on PacketFence for the DHCP span (refer to your switch configuration for SPAN setup)
- The traffic monitored by Snort is spanned on eth2
- The DHCP server on the PacketFence box will take care of IP address distribution in VLANs 2 and 3
- The DNS server on the PacketFence box will take care of domain resolution in VLANs 2 and 3

The network setup looks like this:

VLAN ID   VLAN Name       Subnet            Gateway        PacketFence Address
1         Normal          192.168.1.0/24    192.168.1.1    192.168.1.5
2         Registration    192.168.2.0/24    192.168.2.1    192.168.2.1
3         Isolation       192.168.3.0/24    192.168.2.1    192.168.2.1
4         Mac Detection
100       Voice

Network Interfaces

Here are the NIC startup scripts on PacketFence:

/etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0
    BROADCAST=192.168.1.255
    IPADDR=192.168.1.5
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    TYPE=Ethernet

/etc/sysconfig/network-scripts/ifcfg-eth0.2

    DEVICE=eth0.2
    ONBOOT=no
    BOOTPROTO=static
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth0.3

    DEVICE=eth0.3
    ONBOOT=no
    BOOTPROTO=static
    IPADDR=192.168.3.1
    NETMASK=255.255.255.0
    VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth1. This NIC is used for the span of DHCP traffic.

    DEVICE=eth1
    ONBOOT=no
    BOOTPROTO=none

/etc/sysconfig/network-scripts/ifcfg-eth2. This NIC is used for the span of traffic monitored by Snort.

    DEVICE=eth2
    ONBOOT=no
    BOOTPROTO=none

Trap receiver

PacketFence uses snmptrapd as the trap receiver. It stores the community name used by the switch to send traps in the switch config file (/usr/local/pf/conf/switches.conf) in the [default] section:

    [default]
    communityTrap = public

Switch Setup

In our example, we enable linkUp/linkDown and MAC Notification traps on the 2900XL and Port Security on the 2960.

linkUp/linkDown and MAC Notification global setup:

    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification
    snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
    mac-address-table notification interval 0
    mac-address-table notification
    mac-address-table aging-time 3600

On each interface:

    switchport mode access
    switchport access vlan 4
    snmp trap mac-notification added

There are no parameters needed on each interface for linkUp/linkDown traps since these traps are enabled globally for all the ports.

Port Security global setup:

    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.1.5 version 2c public port-security

On each interface, you need to initialize the port security by authorizing a fake MAC address with the following commands:

    switchport access vlan 4
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security violation restrict
    switchport port-security mac-address 0200.0000.00xx

where xx stands for the interface index. Don't forget to update the startup-config. Please consult the Administration Guide for the complete list of supported switches and their configuration instructions.

Logs

The log config file is /usr/local/pf/conf/log.conf. It contains the configuration for Log::Log4perl and you normally don't need to modify it.

Custom Trap Handling Functions

pfsetvlan is the daemon responsible for trap handling. When it receives a trap, pfsetvlan uses some functions defined in /usr/local/pf/conf/pfsetvlan.pm in order to know what to do. For example, custom_getCorrectVlan() allows you to define what you consider to be the correct VLAN for a given switch port and connected MAC. In our example there is only one VLAN (VLAN 1), so the function should look like:

    sub custom_getCorrectVlan {
        my ($switch_ip, $ifIndex, $mac, $status, $vlan, $pid) = @_;
        my $logger = Log::Log4perl->get_logger();
        Log::Log4perl::MDC->put('tid', threads->self->tid());
        return 1;
    }

If all your VLANs are spanned throughout the network, you might want to keep the default definition, which defines the VLAN saved in the node table to be the correct default VLAN for a given MAC. If, on the other hand, you have many VLANs depending on your physical location (switch, building, campus), you need to put some more effort into this function to define that a given computer must be put into VLAN A when connected to one switch and into VLAN B when connected to another switch. Have a look at the other functions and make sure they fit your needs.
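As an added example (not code from this guide or from the PacketFence project), here is one way to write the per-switch variant described above, keeping the signature of the guide's own custom_getCorrectVlan. The %VLAN_BY_SWITCH table, the hypothetical VLAN 10 for the second switch and the fallback to the $vlan argument are assumptions made for the illustration.

```perl
# Added example, not part of the PacketFence guide: a custom_getCorrectVlan
# for /usr/local/pf/conf/pfsetvlan.pm that chooses the "regular" VLAN by the
# switch a device is plugged into. The signature is the one shown in the
# guide; the mapping table and the fallback rule are assumptions.
use strict;
use warnings;
use threads;
use Log::Log4perl;

# Constructed mapping: switch management IP (the [section] names used in
# switches.conf) -> the VLAN its users belong in. VLAN 10 is hypothetical
# and would also have to appear in the "vlans" parameter of switches.conf.
my %VLAN_BY_SWITCH = (
    '192.168.1.100' => 1,    # Catalyst 2900XL, building A
    '192.168.1.101' => 10,   # Catalyst 2960, building B (hypothetical)
);

sub custom_getCorrectVlan {
    my ( $switch_ip, $ifIndex, $mac, $status, $vlan, $pid ) = @_;
    my $logger = Log::Log4perl->get_logger();
    Log::Log4perl::MDC->put( 'tid', threads->self->tid() );

    if ( exists $VLAN_BY_SWITCH{$switch_ip} ) {
        my $target = $VLAN_BY_SWITCH{$switch_ip};
        $logger->info("$mac on $switch_ip ifIndex $ifIndex: correct VLAN is $target");
        return $target;
    }

    # Unknown switch: do not guess. Log it so the gap is visible in
    # pfsetvlan.log and keep the VLAN pfsetvlan passed in (assumed here to be
    # the one saved in the node table, as the default definition uses).
    $logger->warn("no VLAN mapping for switch $switch_ip; keeping VLAN $vlan for $mac");
    return $vlan;
}

1;
```

Switching pfsetvlan to testing mode (see Working modes below) lets you read the chosen VLANs in the log before any SNMP write is sent.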


Switch Definition

PacketFence needs to know which switches it manages and their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. This file contains a default section including:
- DB connection parameters
- List of VLANs managed by PacketFence
- Default SNMP read/write communities for the switches
- Default working mode (see the note about working modes below)

and a switch section for each switch (managed by PacketFence) including:
- Switch IP
- Switch vendor/type (so that the correct subclasses of pf::SNMP are instantiated)
- Switch uplink ports (trunks and non-managed ports)

Working modes

There are three different working modes:
- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

Here are the parameters (other than the default ones) for our example:

    [default]
    communityRead = public
    communityWrite = private
    communityTrap = public
    version = 1
    vlans = 1,2,3,4
    normalVlan = 1
    registrationVlan = 2
    isolationVlan = 3
    macDetectionVlan = 4
    VoIPEnabled = no

    [192.168.1.100]
    ip = 192.168.1.100
    type = Cisco::Catalyst_2900XL
    mode = production
    uplink = 24

    [192.168.1.101]
    ip = 192.168.1.101
    type = Cisco::Catalyst_2960
    mode = production
    uplink = 25

If you want to have different read/write community names for each switch, declare them in each switch section. Once you have modified switches.conf for your network, you can execute some first tests (only SNMP reads) using the supplied /usr/local/pf/test/connect_and_read.pl script.

pf.conf

The /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence that it will work in VLAN isolation mode. All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults. In order to override a default parameter, define it and set it in pf.conf. See the Administration Guide for the complete list of all available parameters. Here is the pf.conf file for our setup:

    [general]
    domain=yourdomain.org
    dnsservers=192.168.2.1,192.168.3.1
    dhcpservers=192.168.2.1,192.168.3.1

    [network]
    vlan=enabled

    [trapping]
    registration=enabled
    detection=enabled
    testing=disabled
    range=192.168.2.0/24,192.168.3.0/24

    [registration]
    auth=ldap

    [interface eth0]
    mask=255.255.255.0
    type=internal,managed
    gateway=192.168.1.1
    ip=192.168.1.5

    [interface eth0.2]
    mask=255.255.255.0
    type=internal,registration
    gateway=192.168.2.1
    ip=192.168.2.1

    [interface eth0.3]
    mask=255.255.255.0
    type=internal,isolation
    gateway=192.168.3.1
    ip=192.168.3.1

    [interface eth1]
    mask=255.255.255.0
    type=dhcplistener
    gateway=192.168.1.5
    ip=192.168.1.254

    [interface eth2]
    mask=255.255.255.0
    type=monitor
    gateway=192.168.1.5
    ip=192.168.1.1

iptables

You need to open some ports (53: DNS). Add the following lines to /usr/local/pf/conf/iptables.pre:

    *filter
    :INPUT ACCEPT [0:0]
    -A INPUT -p udp -m udp --dport 53 -i eth0.2 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -i eth0.3 -j ACCEPT
    COMMIT

DHCP

The DHCP server will manage IP distribution in VLANs 2 and 3. Put the following line in /etc/sysconfig/dhcpd:

    DHCPDARGS="eth0.2 eth0.3"

Edit /etc/dhcpd.conf and replace its content with:

    authoritative;
    ddns-update-style none;
    ignore client-updates;

    subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        option subnet-mask 255.255.255.0;
        option domain-name "registration.example.com";
        option domain-name-servers 192.168.2.1;
        range 192.168.2.2 192.168.2.254;
        default-lease-time 300;
        max-lease-time 600;
    }

    subnet 192.168.3.0 netmask 255.255.255.0 {
        option routers 192.168.3.1;
        option subnet-mask 255.255.255.0;
        option domain-name "isolation.example.com";
        option domain-name-servers 192.168.3.1;
        range 192.168.3.2 192.168.3.254;
        default-lease-time 300;
        max-lease-time 600;
    }

DNS

The DNS server will answer all domain resolution requests in VLANs 2 and 3. Create /etc/named.conf with the following content:

    options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        listen-on { 192.168.2.1; 192.168.3.1; };
    };

    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    view "registration" {
        match-clients { 192.168.2.0/24; };
        zone "." IN {
            type master;
            file "named-registration.ca";
        };
    };

    view "isolation" {
        match-clients { 192.168.3.0/24; };
        zone "." IN {
            type master;
            file "named-isolation.ca";
        };
    };

    include "/etc/rndc.key";

Create /var/named/named-registration.ca with the following content:

    $TTL 3600
    .   IN  SOA  pf. admin.example.com (
            2005061501  ; serial
            10800       ; refresh
            3600        ; retry
            604800      ; expire
            86400       ; default_ttl
            )
        IN  NS   pf.
        IN  A    192.168.2.1
        IN  MX   5 pf.
    1.2.168.192.in-addr.arpa.  IN  PTR  pf.
    *.

Create /var/named/named-isolation.ca with the following content:

    $TTL 3600
    .   IN  SOA  pf. admin.example.com (
            2005061501  ; serial
            10800       ; refresh
            3600        ; retry
            604800      ; expire
            86400       ; default_ttl
            )
        IN  NS   pf.
        IN  A    192.168.3.1
        IN  MX   5 pf.
    1.3.168.192.in-addr.arpa.  IN  PTR  pf.
    *.


Violations

In our example we want to isolate people using Limewire. Here we assume Snort is installed and configured to send alerts to PacketFence. Now we need to configure PacketFence isolation. Enable the Limewire violation in /usr/local/pf/conf/violations.conf and configure it to execute an external script:

    [2001808]
    desc=P2P (Limewire)
    priority=8
    url=/content/index.php?template=p2p
    actions=log,trap
    disable=N
    max_enable=1
    trigger=Detect::2001808

Starting Services

Once PacketFence is fully installed and configured, start the services using the following command:

    service packetfence start

You may verify using the chkconfig command that the PacketFence service is automatically started at boot time.


5 Testing

PacketFence Web Interface

To test the PacketFence admin interface, go to the following URL: https://pf.yourdomain.org:1443. Log in using the "admin" user and the "qwerty" password.

VLAN Isolation

There are many tests that you need to do in order to make sure everything works fine.

Make sure that VLANs 2, 3 and 4 are not routed anywhere and cannot communicate with the rest of the network:
- any device in VLAN 2 can communicate with PacketFence through (and only through) eth0.2
- any device in VLAN 2 cannot communicate with any device in any other VLAN
- any device in VLAN 3 can communicate with PacketFence through (and only through) eth0.3
- any device in VLAN 3 cannot communicate with any device in any other VLAN
- any device in VLAN 4 cannot communicate with any device in any other VLAN

Make sure PacketFence receives traps from the switches:
- configure the Catalyst 2900 switch to send linkUp/linkDown traps to PacketFence
- configure the Catalyst 2960 switch to send port-security traps to PacketFence
- plug a device into each switch
- make sure snmptrapd writes a line in /usr/local/pf/logs/snmptrapd.log
- make sure each trap is correctly decoded by pfsetvlan in /usr/local/pf/logs/pfsetvlan.log


Make sure there are no error messages in /usr/local/pf/logs/error* nor in /var/log/messages while PacketFence starts.

Plug an unregistered computer into a switch and make sure:
- the port is put in VLAN 2
- the computer gets an IP in VLAN 2
- any DNS request resolves to PacketFence (use nslookup, for example)
- the computer can access the registration web page

Register the computer by following the instructions in the registration web pages and make sure that when the computer reboots it has access to VLAN 1.

Install Limewire on the test computer (Snort logs its activity in /var/log/snort/*). Start using it and make sure:
- the computer is put in VLAN 3 (see /var/log/messages and /usr/local/pf/logs/pfsetvlan.log)
- you can see a message in the browser explaining why the computer is isolated
- you can re-enable your network access on your own


6 Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:
- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions


7 Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution.


8 GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
