
Administration Guide

for PacketFence version 4.5.0

Administration Guide
by Inverse Inc.

Version 4.5.0 - Oct 2014
Copyright 2014 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Table of Contents
About this Guide ..... 1
    Other sources of information ..... 1
Introduction ..... 2
    Features ..... 2
    Network Integration ..... 5
    Components ..... 6
System Requirements ..... 7
    Assumptions ..... 7
    Minimum Hardware Requirements ..... 7
    Operating System Requirements ..... 8
Installation ..... 9
    OS Installation ..... 9
    Software Download ..... 10
    Software Installation ..... 10
Configuration ..... 12
    First Step ..... 12
    Web-based Administration Interface ..... 13
    Global configuration file (pf.conf) ..... 13
    Apache Configuration ..... 13
    SELinux ..... 14
    Roles Management ..... 14
    Authentication ..... 15
    Network Devices Definition (switches.conf) ..... 17
    Default VLAN/role assignment ..... 20
    Inline enforcement configuration ..... 21
    Hybrid mode ..... 21
    Web Auth mode ..... 22
    DHCP and DNS Server Configuration (networks.conf) ..... 22
    Production DHCP access ..... 23
    Routed Networks ..... 25
    FreeRADIUS Configuration ..... 28
    Starting PacketFence Services ..... 35
    Log files ..... 35
    Passthrough ..... 35
    Proxy Interception ..... 36
Configuration by example ..... 37
    Assumptions ..... 37
    Network Interfaces ..... 38
    Switch Setup ..... 39
    switches.conf ..... 40
    pf.conf ..... 41
    networks.conf ..... 42
    Inline enforcement specifics ..... 43
Optional components ..... 45
    Blocking malicious activities with violations ..... 45
    Compliance Checks ..... 49
    RADIUS Accounting ..... 52
    Oinkmaster ..... 53
    Floating Network Devices ..... 53
    Guests Management ..... 55
    Statement of Health (SoH) ..... 58
    Apple and Android Wireless Provisioning ..... 60
    SNMP Traps Limit ..... 61
    Billing Engine ..... 62
    Portal Profiles ..... 63
    OAuth2 Authentication ..... 64
    Devices Registration ..... 66
    Eduroam ..... 66
    VLAN Filter Definition ..... 71
    Active Directory Integration ..... 72
Firewall SSO ..... 76
    Fortigate ..... 76
    PaloAlto ..... 77
Operating System Best Practices ..... 79
    IPTables ..... 79
    Log Rotations ..... 79
    High Availability ..... 79
Performance optimization ..... 87
    MySQL optimizations ..... 87
    Captive Portal Optimizations ..... 90
Frequently Asked Questions ..... 91
Technical introduction to VLAN enforcement ..... 92
    Introduction ..... 92
    VLAN assignment techniques ..... 92
    More on SNMP traps VLAN isolation ..... 93
Technical introduction to Inline enforcement ..... 96
    Introduction ..... 96
    Device configuration ..... 96
    Access control ..... 96
    Limitations ..... 97
Technical introduction to Hybrid enforcement ..... 98
    Introduction ..... 98
    Device configuration ..... 98
More on VoIP Integration ..... 99
    CDP and LLDP are your friend ..... 99
    VoIP and VLAN assignment techniques ..... 99
    What if CDP/LLDP feature is missing ..... 100
Additional Information ..... 101
Commercial Support and Contact Information ..... 102
GNU Free Documentation License ..... 103
A. Administration Tools ..... 104
    pfcmd ..... 104
    pfcmd_vlan ..... 106
    Web Admin GUI ..... 108
B. Manual FreeRADIUS 2 configuration ..... 109
    Configuration ..... 109
    Optional: Wired or Wireless 802.1X configuration ..... 110


Chapter 1

About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

Network Devices Configuration Guide
    Covers switch, controllers and access points configuration.

Developers Guide
    Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS
    This is, at least, a partial file of PacketFence contributors.

NEWS.asciidoc
    Covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc
    Covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog
    Covers all changes to the source code.

These files are included in the package and release tarballs.


Chapter 2

Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort/Suricata IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement)
    PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement)
    PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using Inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support)
    PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement)
    PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support
    Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).
802.1X
    802.1X wireless and wired is supported through a FreeRADIUS module.

Wireless integration
    PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration
    PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities
    Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans
    Either Nessus or OpenVAS vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices
    PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal
    Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Command-line and Web-based management
    Web-based and command-line interfaces for all management tasks.

Guest Access
    PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creations and imports.

Gaming devices registration
    A registered user can access a special Web page to register a gaming device of his own. This registration process will require login from the user and then will register gaming devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.


Components


Chapter 3

System Requirements

Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
Depending on your setup you may have to install additional components like:
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
The following table provides recommendations for the required components, together with version numbers:

    MySQL server     MySQL 5.1
    Web server       Apache 2.2
    DHCP server      DHCP 4.1
    RADIUS server    FreeRADIUS 2.2.0
    Snort            Snort 2.9.1
    Suricata         Suricata 1.4.1

More recent versions of the software mentioned above can also be used.

Minimum Hardware Requirements
The following provides a list of server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 4 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card
    - +1 for high-availability
    - +1 for intrusion detection

Operating System Requirements
PacketFence supports the following operating systems on the i386 or x86_64 architectures:

- RedHat Enterprise Linux 6.x Server
- Community ENTerprise Operating System (CentOS) 6.x
- Debian 7.0 (Wheezy)
- Ubuntu 12.04 LTS

Make sure that you can install additional packages from your standard distribution. For example, if you are using RedHat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up
PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!


Chapter 4

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation
Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade

RedHat-based systems
Note
Includes CentOS and Scientific Linux. Both i386 and x86_64 architectures supported.

RHEL 6.x
Note
These extra steps are required for RHEL 6 systems only. Derivatives such as CentOS or Scientific Linux don't need to take the extra steps.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian and Ubuntu
All the PacketFence dependencies are available through the official repositories.

Software Download
PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian and Ubuntu, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation
RHEL/CentOS
In order to use the PacketFence repository:
# rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-1.el6.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum groupinstall --enablerepo=packetfence Packetfence-complete
Or, if you prefer, to install only the core PacketFence without all the external services, you can use:
yum install --enablerepo=packetfence packetfence


Debian and Ubuntu
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list with the following content when using Debian 7.0 (Wheezy):
deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy
Or when using Ubuntu 12.04 LTS:
deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Chapter 5

Configuration

In this section, you'll learn how to configure PacketFence. PacketFence will use MySQL, Apache, ISC DHCP, iptables and FreeRADIUS. As previously mentioned, we assume that those components run on the same server on which PacketFence is being installed.

First Step
The first step after installing the necessary packages is the configuration step. PacketFence provides a helpful and detailed web-based configurator.
As mentioned at the end of the packages installation, fire up a web browser and go to https://@ip_of_packetfence:1443/configurator. From there, the configuration process is split into six (6) distinct steps, after which you'll have a working PacketFence setup.
Step 1: Enforcement technique. You'll choose either VLAN enforcement, inline enforcement or both;
Step 2: Network configuration. You'll be able to configure the network interfaces of the system as well as assigning the correct interfaces for each of the required types of the chosen enforcement technique(s);
Step 3: Database configuration. This step will create the PacketFence database and populate it with the correct structure. A MySQL user will also be created and assigned to the newly created database;
Step 4: General configuration. You will need to configure some of the basic PacketFence configuration parameters;
Step 5: Administrative user. This step will ask you to create an administrative user that will be able to access the web-based administration interface once the services are functional;
Step 6: Let's do this! See the status of your configuration and start your new NAC!

Note
Keep in mind that the resulting PacketFence configuration will be located under /usr/local/pf/conf/ and the configuration files can always be adjusted by hand afterward or from PacketFence's Web GUI.


Web-based Administration Interface
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user. If not, the default password is also admin.
Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/

Global configuration file (pf.conf)
The /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apache Configuration
The PacketFence Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.
In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices.
- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

Captive Portal
Important parameters to configure regarding the captive portal are the following:
- Redirect URL under Configuration > Portal Profile > Portal Name
    For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.
- IP under Configuration > Captive portal
    This IP is used as the web server that hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

SELinux
Even if this feature may be wanted by some organizations, PacketFence will not run properly if SELinux is set to enforced. You will need to explicitly disable it in the /etc/selinux/config file.

Roles Management
Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration > Users > Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLAN or internal roles on equipment from the Configuration > Network > Switches module.


Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
- Active Directory
- Apache htpasswd file
- Email
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Windows Live (OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database.
Authentication sources can be created from the PacketFence administrative GUI, from the Configuration > Users > Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources.
Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.
Once a source is defined, it can be used from Configuration > Portal Profiles. Each portal profile has a list of authentication sources to use.


Example
Let's say we have two roles: guest and employee. First, we define them in Configuration > Users > Roles.
Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration > Users > Sources, we select Add source > AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:
    Set role employee
    Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Configuration > Users > Create section. When creating guests, specify "guest" for the Set role action, and set an access duration for 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source, for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:
Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:
    Set role machineauth
    Set unregistration date January 1st, 2020
Note that when a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.
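To make the evaluation order concrete, here is a small Python model of the source/rule/condition/action algorithm described above, run on data shaped like this example. It is an added illustration, not PacketFence code: the directory dictionaries stand in for the AD/LDAP/SQL lookups, and the action names (set_role, set_unreg_date, set_access_duration), the condition operators and the "all conditions must hold" choice are this model's own.

```python
"""Model of the "first match wins" evaluation PacketFence applies to
authentication sources, rules, conditions and actions (added example,
not PacketFence code).  Sources are tested in the order given; within a
source, rules are tested in order; a rule with no conditions is a
fallback that matches any user the source can find; the first matching
rule's actions are applied and testing stops across all sources."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: list = field(default_factory=list)  # (attribute, operator, value)
    actions: dict = field(default_factory=dict)     # e.g. {"set_role": "employee"}


@dataclass
class Source:
    name: str
    rules: list
    # Constructed stand-in for the directory lookup (AD/LDAP/htpasswd/SQL):
    # username -> attributes.  A missing user never matches in these types.
    directory: dict = field(default_factory=dict)
    # Kerberos/RADIUS behave as true catch-alls: a fallback accepts anyone.
    true_catch_all: bool = False


def condition_matches(attrs, cond):
    attribute, operator, value = cond
    actual = attrs.get(attribute)
    if operator == "equals":
        return actual == value
    if operator == "contains":
        return actual is not None and value in actual
    raise ValueError(f"unsupported operator {operator!r}")


def rule_matches(attrs, rule):
    # Every condition must hold (this model's choice); no conditions = fallback.
    return all(condition_matches(attrs, c) for c in rule.conditions)


def authenticate(sources, username):
    """Return (source, rule, actions) for the first matching rule, else None."""
    for source in sources:
        attrs = source.directory.get(username)
        if attrs is None:
            if not source.true_catch_all:
                continue            # username attribute did not match: next source
            attrs = {}
        for rule in source.rules:
            if rule_matches(attrs, rule):
                return source.name, rule.name, dict(rule.actions)
    return None


# Constructed data mirroring the guide's example: employees in AD (ad1),
# guests in the local SQL database.  A more specific rule is placed before
# ad1's catch-all to show why rule order matters.
AD1 = Source(
    name="ad1",
    directory={
        "jdoe": {"sAMAccountName": "jdoe",
                 "memberOf": "CN=Staff,CN=Users,DC=acme,DC=local"},
        "asmith": {"sAMAccountName": "asmith",
                   "memberOf": "CN=IT,CN=Users,DC=acme,DC=local"},
    },
    rules=[
        Rule("it-staff", conditions=[("memberOf", "contains", "CN=IT,")],
             actions={"set_role": "it", "set_unreg_date": "2020-01-01"}),
        Rule("employees",  # catch-all: matches any user ad1 can find
             actions={"set_role": "employee", "set_unreg_date": "2020-01-01"}),
    ],
)
LOCAL = Source(
    name="local",
    directory={"visitor": {"username": "visitor"}},
    rules=[Rule("guests", actions={"set_role": "guest",
                                   "set_access_duration": "1D"})],
)
SOURCES = [AD1, LOCAL]

if __name__ == "__main__":
    for user in ("jdoe", "asmith", "visitor", "nobody"):
        print(user, "->", authenticate(SOURCES, user))
```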

Network Devices Definition (switches.conf)
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it in the Web Administration panel under Configuration → Network → Switches.
This file contains a default section including:
* Default SNMP read/write communities for the switches
* Default working mode (see note about working mode below)
and a switch section for each switch (managed by PacketFence) including:

* Switch IP
* Switch vendor/type
* Switch uplink ports (trunks and non-managed ports)
* per-switch re-definition of the VLANs (if required)

Note
switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload.

Working modes
There are three different working modes:
Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

SNMP v1, v2c and v3
PacketFence uses SNMP to communicate with most switches. Starting with 1.8, PacketFence now supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch.

From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration
Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco Switch.
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security


Command-Line Interface: Telnet and SSH
Warning
Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can now use SSH. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

Note
As of PacketFence 1.9.1, few switches require Web Services configuration in order to work. It can also be done through the Web Administration Interface under Configuration → Switches.

Radius Secret
For certain authentication mechanisms, such as 802.1X or MAC Authentication, the RADIUS server needs to have the network device in its client list. As of PacketFence 3.0, we now use a database backend to store the RADIUS client information. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:
radiusSecret = secretPassPhrase
Also, starting with PacketFence 3.1, the RADIUS secret is required for our support of RADIUS Dynamic Authentication (Change of authorization or Disconnect) as defined in RFC 3576.


Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more precise to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:
Format: <rolename>Role=<controller_role>
And you assign it to the global roles parameter or the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales.
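As an added illustration (not PacketFence's own code), the following Python resolves a switch's effective settings from a switches.conf-style file with [default] fallback, as described in the Network Devices Definition section above, and merges the global and per-switch <rolename>Role mappings just shown. The switches.conf sample is constructed, and the helper names are this example's own.

```python
import configparser

ROLE_SUFFIX = "Role"

# Constructed switches.conf sample (not a real deployment): global values in
# [default], one switch that inherits everything, and one that overrides the
# working mode and the sales role mapping.
SAMPLE_SWITCHES_CONF = """
[default]
SNMPVersion = 3
SNMPUserNameRead = readUser
mode = production
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.1.100]
type = Cisco::Catalyst_2900XL
uplink = 24

[192.168.1.101]
type = Cisco::Catalyst_2960
uplink = 25
mode = testing
salesRole = sales-acl
"""


def load_switches_conf(text):
    """Parse switches.conf text, keeping option names case-sensitive (SNMPVersion, adminRole)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def switch_setting(conf, switch_ip, key):
    """Per-switch value if defined, otherwise the [default] value, otherwise None."""
    if conf.has_section(switch_ip) and conf.has_option(switch_ip, key):
        return conf.get(switch_ip, key)
    if conf.has_option("default", key):
        return conf.get("default", key)
    return None


def role_map(conf, switch_ip):
    """Merge <rolename>Role entries: [default] first, then the switch's own overrides."""
    merged = {}
    sections = ["default"] + ([switch_ip] if conf.has_section(switch_ip) else [])
    for section in sections:
        for key, value in conf.items(section):
            if key.endswith(ROLE_SUFFIX) and len(key) > len(ROLE_SUFFIX):
                merged[key[: -len(ROLE_SUFFIX)]] = value
    return merged


def external_role(conf, switch_ip, internal_role):
    """Controller role returned for a node category, or None when no mapping exists."""
    return role_map(conf, switch_ip).get(internal_role)


def switches_in_mode(conf, mode):
    """Switches whose effective working mode is `mode`; handy to spot switches left in testing."""
    return [s for s in conf.sections()
            if s != "default" and switch_setting(conf, s, "mode") == mode]
```

A node categorized as sales gets sales-acl on the 2960 but little-access on every other switch, which is the global/per-switch precedence the section describes.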

Caution
Make sure that the roles are properly defined on the network devices prior to assigning roles!

Default VLAN/role assignment
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
The default VLAN assignment technique used in PacketFence is a per-switch one. The correct default VLAN for a given MAC is determined based on the role computed by PacketFence during the registration process for the device, or dynamically during an 802.1X authentication. The computed internal role will then be mapped to either a VLAN or an external role for the specific equipment the user is connected to.
This allows you to do easy per-building VLAN/role segmentation.
If you need more flexibility than what can be defined from PacketFence's authentication sources (rules/conditions/actions) take a look at the FAQ entry Custom VLAN assignment behavior available online.


Inline enforcement configuration
This section applies only for Inline enforcement. Users planning to do VLAN enforcement only can skip this section.
The inline enforcement is a very convenient method of performing access control on older network hardware that is not capable of doing VLAN enforcement or that is not supported by PacketFence. This technique is covered in detail in the "Technical introduction to Inline enforcement" section.
An important configuration parameter to have in mind when configuring inline enforcement is that the DNS reached by these users should be your actual production DNS server - which shouldn't be in the same broadcast domain as your inline users. The next section shows you how to configure the proper inline interface and it is in this section that you should refer to the proper production DNS.
Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces. A node registered on the first inline interface is marked with an ip:mac tuple (for L2, only ip for L3), so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first VLAN. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change VLAN.
The outgoing interface should be specified by adding in pf.conf the option interfaceSNAT in the inline section. It is a comma delimited list of network interfaces like eth0,eth0.100. It's also possible to specify a network that will be routed instead of using NAT by adding in conf/networks.conf an option nat=no under one or more network sections.
Another important setting is the gateway statement. Since it is the only way to get the PacketFence server inline interface IP address, it is mandatory to set it to this IP (which is supposed to be the same as in the ip statement of the inline interface in conf/pf.conf).

Hybrid mode
This section applies for hybrid support for the manageable devices that support 802.1X or MAC authentication.
Hybrid enforcement is a mixed method that offers the use of inline enforcement mode with VLAN enforcement mode on the same device. This technique is covered in detail in the "Technical introduction to Hybrid enforcement" section.


WebAuth mode
This section applies for web authentication support for manageable devices that support web authentication with an external captive portal.
Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

DHCP and DNS Server Configuration (networks.conf)
PacketFence automatically generates the DHCP configuration files for Registration, Isolation and Inline VLANs. This is done by editing the network interfaces from the configuration module of the administration Web interface (see the First Step section).
network                   Network subnet
netmask                   Network mask
gateway                   PacketFence IP address in this network
next_hop                  Used only with routed networks; IP address of the router in this network (this is used to locally create static routes to the routed networks). See the Routed Networks section.
domain-name               DNS name
dns                       PacketFence IP address in this network. In inline type, set it to a valid DNS production server
dhcp_start                Starting IP address of the DHCP scope
dhcp_end                  Ending IP address of the DHCP scope
dhcp_default_lease_time   Default DHCP lease time
dhcp_max_lease_time       Maximum DHCP lease time
type                      vlan-registration or vlan-isolation or inline
named                     Is PacketFence the DNS for this network? (enabled/disabled) Set it to enabled
dhcpd                     Is PacketFence the DHCP server for this network? (enabled/disabled) Set it to enabled
nat                       Does PacketFence route or NAT the traffic for this network? (yes/no) NAT enabled by default; set to no to route

When starting, PacketFence generates the DHCP configuration files by reading the information provided in networks.conf:
The DHCP configuration file is written to var/conf/dhcpd.conf using conf/dhcpd.conf as a template.
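To make the mapping from the networks.conf parameters above to an ISC dhcpd subnet block concrete, here is an added Python illustration. It is not PacketFence's own generator (which renders var/conf/dhcpd.conf from the conf/dhcpd.conf template): it emits a block only for networks with dhcpd=enabled, derives the static routes implied by next_hop, and flags an inline network whose dns points back at PacketFence instead of a production DNS server. The networks.conf sample is constructed.

```python
import configparser
import ipaddress

# Constructed networks.conf sample (not a real deployment): a local registration network,
# a routed registration network (next_hop set, dhcpd disabled) and an inline network.
SAMPLE_NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
dhcpd=disabled

[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
next_hop=
domain-name=inline.example.com
dns=192.168.4.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=inline
dhcpd=enabled
"""


def load_networks_conf(text):
    """Parse networks.conf text; each section name is the network address."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def dhcpd_subnet(section, net):
    """Render one ISC dhcpd subnet block; refuses a DHCP range that falls outside the subnet."""
    subnet = ipaddress.ip_network(f"{section}/{net['netmask']}", strict=True)
    start, end = ipaddress.ip_address(net["dhcp_start"]), ipaddress.ip_address(net["dhcp_end"])
    if not (start in subnet and end in subnet and start <= end):
        raise ValueError(f"{section}: DHCP range {start}-{end} is not inside {subnet}")
    return "\n".join([
        f"subnet {subnet.network_address} netmask {subnet.netmask} {{",
        f"  option routers {net['gateway']};",
        f"  option subnet-mask {subnet.netmask};",
        f"  option domain-name \"{net['domain-name']}\";",
        f"  option domain-name-servers {net['dns']};",
        f"  range {start} {end};",
        f"  default-lease-time {net['dhcp_default_lease_time']};",
        f"  max-lease-time {net['dhcp_max_lease_time']};",
        "}",
    ])


def generate_dhcpd_conf(conf):
    """Emit subnet blocks only for networks where PacketFence is the DHCP server."""
    blocks = [dhcpd_subnet(s, conf[s]) for s in conf.sections()
              if conf[s].get("dhcpd", "disabled") == "enabled"]
    return "\n\n".join(blocks)


def static_routes(conf):
    """(network, next_hop) pairs for routed networks, i.e. sections where next_hop is set."""
    routes = []
    for s in conf.sections():
        next_hop = conf[s].get("next_hop", "").strip()
        if next_hop:
            subnet = ipaddress.ip_network(f"{s}/{conf[s]['netmask']}", strict=True)
            routes.append((str(subnet), next_hop))
    return routes


def lint_networks(conf):
    """Warn when an inline network hands out PacketFence itself (the gateway) as DNS."""
    warnings = []
    for s in conf.sections():
        net = conf[s]
        if net.get("type") == "inline" and net.get("dns") == net.get("gateway"):
            warnings.append(f"{s}: inline network uses PacketFence ({net['dns']}) as DNS; "
                            "set dns to a production DNS server")
    return warnings
```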

Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration, isolation VLANs and inline interfaces since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs this approach is the simplest one and the one that works the best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which node using a pfdhcplistener daemon.
By default no DHCP Server should be running on that interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
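To show what a listener on the helper-address copy has to extract from each datagram, here is an added Python illustration (not PacketFence's pfdhcplistener code): it decodes the fixed BOOTP header and the option TLVs of a constructed DHCPACK, tolerates a truncated option list, and records the MAC-to-IP binding only for acknowledged leases, since offers are not bindings. Packet contents and helper names are this example's own.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPOFFER, DHCPACK = 2, 5


def build_dhcp_reply(msg_type, mac, yiaddr, hostname=None):
    """Construct a minimal server reply (op=2) for testing; this is not captured traffic."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\x00" * 4, socket.inet_aton(yiaddr), b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if hostname:
        name = hostname.encode()
        options += bytes([OPT_HOSTNAME, len(name)]) + name
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp_options(raw):
    """Decode option TLVs after the magic cookie; stops cleanly on truncated input."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(raw):
            break
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) < length:
            break  # option runs past the end of the packet: ignore it
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp_packet(data):
    """Return mac, yiaddr, msg_type and hostname from a raw DHCP datagram."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(BOOTP_FMT, data[:236])
    hlen = min(fields[2], 16)  # never trust hlen beyond the 16-byte chaddr field
    opts = parse_dhcp_options(data[240:])
    return {
        "mac": ":".join(f"{b:02x}" for b in fields[11][:hlen]),
        "yiaddr": socket.inet_ntoa(fields[8]),
        "msg_type": opts[OPT_MSG_TYPE][0] if opts.get(OPT_MSG_TYPE) else None,
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("utf-8", errors="replace"),
    }


def record_leases(packets, table=None):
    """Update a MAC -> IP table from DHCPACKs only; offers and requests are not bindings."""
    table = {} if table is None else table
    for pkt in packets:
        info = parse_dhcp_packet(pkt)
        if info["msg_type"] == DHCPACK and info["yiaddr"] != "0.0.0.0":
            table[info["mac"]] = info["yiaddr"]
    return table
```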

Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:


DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
Add to pf.conf: (IPs are not important, they are there only so that PacketFence will start)
[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1
Restart PacketFence and you should be good to go.

Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.
On the network side you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.
On the PacketFence side, first you need an operating system VLAN interface like the one below. Stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:
# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes
Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener.
[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4
Repeat the above for all your production VLANs then restart PacketFence.

Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.


Routed Networks
If your isolation and registration networks are not locally-reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.
If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only.
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.
Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).
conf/networks.conf will look like this:
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled


[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.
For example, for the VLAN 20 remote registration network:
ip access-list extended PF_REGISTRATION
permit ip any host 192.168.2.1
permit udp any any eq 67
deny ip any any log
interface vlan 20
ip address 192.168.20.254 255.255.255.0
ip helper-address 192.168.2.1
ip access-group PF_REGISTRATION in
If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper VLAN to the network equipment.

Option 1: Dynamic switch configuration
Since PacketFence version 4.1 you are able to enable dynamic clients. It means that when you add a new switch configuration in PacketFence's administration interface you don't have to restart the radiusd service.
To enable this feature make a symlink in the /usr/local/pf/raddb/sites-enabled directory:
ln -s ../sites-available/dynamic-clients dynamic-clients
and of course restart radiusd:
/usr/local/pf/bin/pfcmd service radiusd restart

Option 2: Authentication against Active Directory (AD)
Replace /usr/local/pf/raddb/modules/mschap with the following configuration:
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{StrippedUser-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --ntresponse=%{mschap:NT-Response:-00}"
}

Samba/Kerberos/Winbind
Install Samba 3 and NOT Samba 4. You can either use the sources or use the package for your OS.
For RHEL/CentOS, do:
yum install samba krb5-workstation
For Debian and Ubuntu, do:


apt-get install samba winbind krb5-user

Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).
When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.NET = {
kdc = adserver.domain.net:88
admin_server = adserver.domain.net:749
default_domain = domain.net
}
[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
For Debian and Ubuntu:


[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NET
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
[global]
workgroup = DOMAIN
server string = %h
security = ads
passdb backend = tdbsam
realm = DOMAIN.NET
encrypt passwords = yes
winbind use default domain = yes
client NTLMv2 auth = yes
preferred master = no
domain master = no
local master = no
load printers = no
log level = 1 winbind:5 auth:3
winbind max clients = 750
winbind max domain connections = 15
For Debian and Ubuntu:


[global]
workgroup = DOMAIN
server string = Samba Server Version %v
security = ads
realm = DOMAIN.NET
password server = 192.168.1.1
domain master = no
local master = no
preferred master = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
Issue a kinit and klist in order to get and verify the Kerberos token:
# kinit administrator
# klist
After that, you need to start samba, and join the machine to the domain:
# service smb start
# chkconfig --level 345 smb on
# net ads join -U administrator
Note that for Debian and Ubuntu you will probably have this error:
# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
# Join to domain is not valid: Invalid credentials
For CentOS/RHEL:
# usermod -a -G wbpriv pf
Finally, start winbind, and test the setup using ntlm_auth and radtest:
# service winbind start
# chkconfig --level 345 winbind on
For Debian and Ubuntu:


# usermod -a -G winbindd_priv pf
# ntlm_auth --username myDomainUser
# radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
User-Name = "myDomainUser"
NAS-IP-Address = 10.0.0.1
NAS-Port = 12
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x79d62c9da4e55104
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 3: Local Authentication
Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:
username Cleartext-Password := "password"

Option 4: Authentication against OpenLDAP
To be contributed...

Option 5: EAP Guest Authentication on email, sponsor and sms registration
The goal here is to be able to use the credential PacketFence created on guest access and use this one on a secure connection. First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS) and check Add user on email registration and/or Add user on sponsor registration in the Configuration → Self Registration section. At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS use your phone number and the PIN code.
Note that this option doesn't currently work with the Reuse dot1x credentials option of the captive portal.
In /usr/local/pf/raddb/sites-available/packetfence-tunnel there is an example on how to configure radius to enable this feature (uncomment to make it work).
In this example we activate this feature on a specific SSID name (Secure-Wireless), disable NTLM Auth by default, then test the email credential (pfguest), the sponsor credential (pfsponsor) and the sms credential (pfsms). If all failed then we reactivate NTLM Auth.


authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    ####Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-Wireless') {
    ## Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    ## Check temporary_password table with email and password for a guest registration
    #        pfguest
    #        if (fail || notfound) {
    ## Check temporary_password table with email and password for a sponsor registration
    #            pfsponsor
    #            if (fail || notfound) {
    ## Check activation table with phone number and PIN code
    #                pfsms
    #                if (fail || notfound) {
    ## Nothing matched: fall back to ntlm_auth against Active Directory
    #                    update control {
    #                        MS-CHAP-Use-NTLM-Auth := Yes
    #                    }
    #                }
    #            }
    #        }
    #    }
}

Option 6: EAP Local user Authentication
The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 5; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel
In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed then we reactivate NTLM Auth.


####Activate local user eap authentication based on a specific SSID ####
## Set Called-Station-SSID with the current SSID
#    set.called_station_ssid
#    if (Called-Station-SSID == 'Secure-local-Wireless') {
## Disable ntlm_auth
#        update control {
#            MS-CHAP-Use-NTLM-Auth := No
#        }
## Check temporary_password table for local user
#        pflocal
#        if (fail || notfound) {
#            update control {
#                MS-CHAP-Use-NTLM-Auth := Yes
#            }
#        }
#    }

Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
User-Name = "dd9999"
User-Password = "Abcd1234"
NAS-IP-Address = 255.255.255.255
NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Debug
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following command:
# radiusd -X -d /usr/local/pf/raddb
Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.
In order to have an output from raddebug, you need to either:
a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure!)
Now you can run raddebug easily:
raddebug -t 300 -d /usr/local/pf/raddb

The above will output FreeRADIUS' debug logs for 5 minutes. See man raddebug for all the options.

Starting PacketFence Services
Once PacketFence is fully installed and configured, start the services using the following command:
service packetfence start
You may verify using the chkconfig command that the PacketFence service is automatically started at boot time.

Log files
Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log           PacketFence Core Log
/usr/local/pf/logs/portal_access_log         Apache Captive Portal Access Log
/usr/local/pf/logs/portal_error_log          Apache Captive Portal Error Log
/usr/local/pf/logs/admin_access_log          Apache Web Admin/Services Access Log
/usr/local/pf/logs/admin_error_log           Apache Web Admin/Services Error Log
/usr/local/pf/logs/admin_debug_log           Apache Web Admin Debug Log
/usr/local/pf/logs/webservices_access_log    Apache Webservices Access Log
/usr/local/pf/logs/webservices_error_log     Apache Webservices Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The logging system's configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it.

Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.
There are two solutions for passthroughs - one using DNS resolution and iptables and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach websites.

* DNS passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.
* mod_proxy passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together but DNS-based passthroughs have higher priority.

Proxy Interception
PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works in layer 2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.
Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Chapter 6

Configuration by example

Here is an end-to-end sample configuration of PacketFence in "Hybrid" mode (VLAN mode and Inline mode at the same time).

Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:
* There are two different types of manageable switches in our network: Cisco Catalyst 2900XL and Cisco Catalyst 2960, and one unmanageable device.
* VLAN 1 is the "normal" VLAN - users with the "default" role will be assigned to it
* VLAN 2 is the registration VLAN (unregistered devices will be put in this VLAN)
* VLAN 3 is the isolation VLAN (isolated devices will be put in this VLAN)
* VLANs 2 and 3 are spanned throughout the network
* VLAN 4 is the inline VLAN (In-Band, for unmanageable devices)
* We want to isolate computers using Limewire (peer-to-peer software)
* We use Snort as NIDS
* The traffic monitored by Snort is spanned on eth1
* The DHCP server on the PacketFence box will take care of IP address distribution in VLANs 2, 3 and 4
* The DNS server on the PacketFence box will take care of domain resolution in VLANs 2, 3 and 4
The network setup looks like this:
VLAN ID   VLAN Name      Subnet           Gateway        PacketFence Address
1         Normal         192.168.1.0/24   192.168.1.1    192.168.1.5
2         Registration   192.168.2.0/24   192.168.2.1    192.168.2.1
3         Isolation      192.168.3.0/24   192.168.3.1    192.168.3.1
4         Inline         192.168.4.0/24   192.168.4.1    192.168.4.1
100       Voice


Network Interfaces
Here are the NICs startup scripts on PacketFence.
/etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
BROADCAST=192.168.1.255
IPADDR=192.168.1.5
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet
/etc/sysconfig/network-scripts/ifcfg-eth0.2:
DEVICE=eth0.2
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.2.1
NETMASK=255.255.255.0
VLAN=yes
/etc/sysconfig/network-scripts/ifcfg-eth0.3:
DEVICE=eth0.3
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.3.1
NETMASK=255.255.255.0
VLAN=yes
/etc/sysconfig/network-scripts/ifcfg-eth0.4:
DEVICE=eth0.4
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.4.1
NETMASK=255.255.255.0
VLAN=yes
/etc/sysconfig/network-scripts/ifcfg-eth1. This NIC is used for the mirror of the traffic monitored by Snort.
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none


Trap receiver
PacketFence uses snmptrapd as the trap receiver. It stores the community name used by the switch to send traps in the switch config file (/usr/local/pf/conf/switches.conf):
[default]
SNMPCommunityTrap = public

Switch Setup
In our example, we enable inline on a Cisco 2900XL and Port Security on a Cisco Catalyst 2960. Please consult the Network Devices Configuration Guide for the complete list of supported switches and configuration instructions.

inline
On the 2900XL.
on each interface
switchport mode access
switchport access vlan 4

Port Security
On the 2960.
global setup
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security

On each interface, you need to initialize the port security by authorizing a fake MAC address with the following commands
switchport access vlan 1
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.00xx

where xx stands for the interface index.

Note
Don't forget to update the startup-config.

switches.conf
Note
You can use the Web Administration interface instead of performing the configuration in the flat files.
Here is the /usr/local/pf/conf/switches.conf file for our setup. See Network Device Definition for more information about the content of this file.
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
SNMPCommunityTrap = public
SNMPVersion = 1
defaultVlan = 1
registrationVlan = 2
isolationVlan = 3
macDetectionVlan = 5
VoIPEnabled = no
[192.168.1.100]
type = Cisco::Catalyst_2900XL
mode = production
uplink = 24
[192.168.1.101]
type = Cisco::Catalyst_2960
mode = production
uplink = 25
defaultVlan = 10
radiusSecret=useStrongerSecret
Ifyouwanttohaveadifferentread/writecommunitiesnameforeachswitch,declareitineach
switchsection.


pf.conf
Here is the /usr/local/pf/conf/pf.conf file for our setup. For more information about pf.conf
see the Global configuration file (pf.conf) section.
[general]
domain=yourdomain.org
#Put your External/Infra DNS servers here
dnsservers=4.2.2.2,4.2.2.1
dhcpservers=192.168.2.1,192.168.3.1,192.168.5.1
[trapping]
registration=enabled
detection=enabled
range=192.168.2.0/24,192.168.3.0/24,192.168.4.0/24
[interface eth0]
mask=255.255.255.0
type=management
gateway=192.168.1.1
ip=192.168.1.5
[interface eth0.2]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.2.1
ip=192.168.2.1
[interface eth0.3]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.3.1
ip=192.168.3.1
[interface eth0.4]
mask=255.255.255.0
type=internal
enforcement=inline
gateway=192.168.4.1
ip=192.168.4.1
[interface eth1]
mask=255.255.255.0
type=monitor
gateway=192.168.1.5
ip=192.168.1.1


Note
If you are running in a high-availability setup (with a cluster IP), make sure to add the
vip parameter to the configured management interface so that RADIUS dynamic authorization
messages reach the network equipment correctly (from the shared address).
[interface eth0]
mask=255.255.255.0
type=management
gateway=192.168.1.1
ip=192.168.1.5
vip=192.168.1.6

networks.conf
Here is the /usr/local/pf/conf/networks.conf file for our setup. For more information about
networks.conf see the DHCP and DNS Server configuration section.


[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
next_hop=
domain-name=inline.example.com
dns=4.2.2.2,4.2.2.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=inline
named=enabled
dhcpd=enabled
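The pf.conf and networks.conf files above have to agree with each other: every client network needs an internal interface whose address is the network's gateway, the interface enforcement mode must match the network type, and the network must be inside the [trapping] range. The following is an added example, not part of the PacketFence documentation or code base, that cross-checks the two files with Python's standard configparser. The two inline strings are constructed copies of the sample files from this chapter (trimmed to the keys the checks use), with eth0.3's address deliberately changed so that the checker has something to report.

```python
# Added example, not PacketFence code: cross-check pf.conf against networks.conf.
import configparser
import ipaddress

# Constructed sample: pf.conf from this chapter, with eth0.3's ip changed to
# 192.168.3.2 (the networks.conf gateway is 192.168.3.1) to show a detected error.
PF_CONF = """
[general]
domain=yourdomain.org
dnsservers=4.2.2.2,4.2.2.1
dhcpservers=192.168.2.1,192.168.3.1,192.168.5.1
[trapping]
registration=enabled
detection=enabled
range=192.168.2.0/24,192.168.3.0/24,192.168.4.0/24
[interface eth0]
mask=255.255.255.0
type=management
gateway=192.168.1.1
ip=192.168.1.5
[interface eth0.2]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.2.1
ip=192.168.2.1
[interface eth0.3]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.3.1
ip=192.168.3.2
[interface eth0.4]
mask=255.255.255.0
type=internal
enforcement=inline
gateway=192.168.4.1
ip=192.168.4.1
"""

# Constructed sample: networks.conf from this chapter, trimmed to the keys used here.
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
type=vlan-registration
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
type=vlan-isolation
[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
type=inline
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_configs(pf_text, networks_text):
    """Return a list of human-readable problems; an empty list means the files agree."""
    pf, nets = _load(pf_text), _load(networks_text)
    problems = []
    trap_ranges = [ipaddress.ip_network(r.strip()) for r in pf["trapping"]["range"].split(",")]

    # Index every internal interface by the subnet its address lives in.
    internal = {}
    for section in pf.sections():
        if section.startswith("interface ") and pf[section].get("type") == "internal":
            iface = pf[section]
            net = ipaddress.ip_interface(f"{iface['ip']}/{iface['mask']}").network
            internal[str(net.network_address)] = (section, iface)

    for name in nets.sections():
        n = nets[name]
        net = ipaddress.ip_network(f"{name}/{n['netmask']}")
        # 1. a client network with no internal interface on it cannot be served at all
        if name not in internal:
            problems.append(f"{name}: no internal interface in pf.conf on this subnet")
            continue
        section, iface = internal[name]
        # 2. PacketFence answers DHCP/DNS on the interface, so its ip must be the gateway
        if iface["ip"] != n["gateway"]:
            problems.append(f"{name}: {section} ip {iface['ip']} != networks.conf gateway {n['gateway']}")
        # 3. enforcement mode follows the network type (inline vs vlan-*)
        expected = "inline" if n["type"] == "inline" else "vlan"
        if iface.get("enforcement") != expected:
            problems.append(f"{name}: {section} enforcement should be {expected} for type {n['type']}")
        # 4. the sample lists every client network in [trapping] range; flag any that is missing
        if not any(net.subnet_of(r) for r in trap_ranges):
            problems.append(f"{name}: not covered by [trapping] range")
    return problems


if __name__ == "__main__":
    for p in check_configs(PF_CONF, NETWORKS_CONF):
        print("PROBLEM:", p)
```

Run it against the real files with `check_configs(open("/usr/local/pf/conf/pf.conf").read(), open("/usr/local/pf/conf/networks.conf").read())`; the sample above reports only the eth0.3 mismatch.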

Inline enforcement specifics
To see another important optional parameter that can be altered to do inline enforcement, see the
Inline enforcement configuration section.
In order to have the inline mode properly working, you need to enable IP forwarding on your servers.
To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file, and execute sysctl -p to reload the kernel parameters. You can confirm the running
value with sysctl net.ipv4.ip_forward (or cat /proc/sys/net/ipv4/ip_forward), which must print 1.


Chapter 7

Optional components

Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For
example, if you do not allow P2P-type traffic on your network, and you are running the appropriate
software to detect it and trigger a violation for a given client, PacketFence will give that client a
"blocked" page which can be customized to your wishes.
In order to be able to block malicious activities, you need to install and configure the Snort or
Suricata IDS to talk with PacketFence.

Snort
Installation
The installation procedure is quite simple for Snort. We maintain a working version in the
PacketFence repository. To install it, simply run the following command:
yum install snort

Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the
Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in
that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/
pf/var/conf: all modifications made there are destroyed on each PacketFence restart.

Suricata
Installation
Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not
officially support), you need to build it the "old" way.
The OISF provides a really well written how-to for that. It is available here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Configuration
PacketFence will provide you with a basic suricata.yaml that you can modify to suit your own
needs. The file is located in /usr/local/pf/conf.

Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to
do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need
to create a violation and add the Snort alert SID in the trigger section of a Violation.
PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf
configuration file. The violation format is as follows:
[1234]
desc=Your Violation Description
priority=8
template=<template>
enable=Y
trigger=Detect::2200032,Nessus::11808
actions=email,log,trap
vlan=isolationVlan
whitelisted_categories=
[1234]
    The violation ID. Any integer except 1200000-1200099, which is reserved for
    required administration violations.

desc
    Single-line description of the violation.

priority
    Range 1-10, with 1 the highest priority and 10 the lowest. Higher priority violations
    will be addressed first if a host has more than one.

template
    Template name to use while in violation. It must match an HTML file name (without
    the extension) in the violations templates directory.

enable
    If enable is set to N, this violation is disabled and no additional violations of this
    type will be added.

trigger
    Method to reference external detection methods. A trigger is formatted as
    type::ID. The type can be Detect (Snort), Nessus, OpenVAS, OS (DHCP fingerprint
    detection), UserAgent (browser signature), VendorMAC (MAC address class), SoH
    (Statement of Health filter), Accounting, etc. In the above example, the Detect trigger
    carries a Snort SID and 11808 is the Nessus plugin number. The Snort SID does NOT have to
    match the violation ID.

actions
    This is the list of actions that will be executed when a violation is added. The actions
    can be:
    log
        Log a message to the file specified in [alerting].log.
    email
        Email the address specified in [alerting].emailaddr,
        using [alerting].smtpserver. Multiple email addresses can be
        separated by commas.
    trap
        Isolate the host and place it in violation. It opens a
        violation and leaves it open. If trap is not there, a violation
        is opened and then automatically closed.


    winpopup
        Send a Windows popup message. You need to configure
        [alerting].winserver and [alerting].netbiosname in
        pf.conf when using this option.
    external
        Execute an external command, specified in
        [paths].externalapi.
    close
        Close the violation ID specified in the vclose field.
    role
        Change the node's role to the one specified in the
        target_category field.
    autoreg
        Register the node.
    unreg
        Deregister the node.

vlan
    Destination VLAN where PacketFence should put the client when a violation of this
    type is open. The VLAN value can be:
    isolationVlan
        Isolation VLAN as specified in switches.conf. This is the
        recommended value for most violation types.
    registrationVlan
        Registration VLAN as specified in switches.conf.
    normalVlan
        Normal VLAN as specified in switches.conf. Note: it is preferable not
        to trap than to trap and put in the normal VLAN. Make sure you understand what
        you are doing.

whitelisted_categories
    Nodes in a category listed in whitelisted_categories won't be affected by a
    violation of this type. Format is a comma-separated list of category names.

Also included in violations.conf is the defaults section. The defaults section sets a default
value for every violation in the configuration. If a configuration value is not specified in the specific
ID, the default will be used:
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
delay_by=0
window=0
vclose=
target_category=
button_text=Enable Network
snort_rules=local.rules,bleeding-attack_response.rules,bleedingexploit.rules,bleeding-p2p.rules,bleeding-scan.rules,bleeding-virus.rules
vlan=isolationVlan
whitelisted_categories=


max_enable
    Number of times a host will be able to try and self-remediate before it is locked out and
    has to call the help desk. This is useful for users who just click through violation pages.

auto_enable
    Specifies if a host can self-remediate the violation (enable network button) or if it
    cannot and must call the help desk.

grace
    Amount of time before the violation can reoccur. This is useful to allow hosts time
    (120m, i.e. two hours, in the example above) to download tools to fix their issue, or
    shut off their peer-to-peer application.

delay_by
    Amount of time before the violation action will run.

window
    Amount of time before a violation will be closed automatically. Instead of allowing people
    to reactivate the network, you may want to open a violation for a defined amount of time
    instead. You can use the allowed time modifiers or the dynamic keyword. Note that the dynamic
    keyword only works for accounting violations. Dynamic will open the violation according to
    the time you set in the accounting violation (i.e. you have an accounting violation for
    10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release
    date will be set to the last day of the current month).

vclose
    When selecting the "close" action, triggering the violation will close the one you select
    in the vclose field. This is an experimental workflow for Mobile Device Management (MDM).

target_category
    When selecting the "role" action, triggering the violation will change the node's role to
    the one you select in the target_category field.

button_text
    Text displayed on the violation form to hosts.

snort_rules
    The Snort rules file is the administrator's responsibility. Please change this to point to
    your violation rules file(s). If you do not specify a full path, the default is /usr/local/
    pf/conf/snort. If you need to include more than one file, just separate each file name with
    a comma.

Note
violations.conf is loaded at startup. Restart PacketFence (or run pfcmd reload violations)
when changes are made to this file.

Example violation
In our example we want to isolate people using Limewire. Here we assume Snort is installed and
configured to send alerts to PacketFence. Now we need to configure PacketFence isolation.
Enable the Limewire violation in /usr/local/pf/conf/violations.conf and configure it to trap.
[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
actions=log,trap
enable=Y
max_enable=1
trigger=Detect::2001808
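A violation that is mis-typed (a key that does not exist, an ID in the reserved range, a trigger without the type::ID form) is silently ignored or never fires, and the only symptom is a host that is never trapped. The following is an added example, not PacketFence's own loader, that reads a violations.conf fragment with Python's configparser, merges the [defaults] section into each violation the way the text above describes, and validates the fields against the rules of this section. The sample is constructed: the Limewire violation above plus a second section with deliberate mistakes. The set of trigger types is taken from the list in this section and is therefore incomplete ("etc." in the text); extend TRIGGER_TYPES for your installation.

```python
# Added example, not PacketFence code: load, merge defaults into and validate violations.conf.
import configparser
import re

RESERVED = range(1200000, 1200100)          # administration violations, not for local use
KNOWN_KEYS = {"desc", "priority", "template", "url", "enable", "trigger", "actions", "vlan",
              "whitelisted_categories", "max_enable", "auto_enable", "grace", "delay_by",
              "window", "vclose", "target_category", "button_text", "snort_rules"}
# Trigger types named in this section; the real list is longer (assumption: extend as needed).
TRIGGER_TYPES = {"Detect", "Nessus", "OpenVAS", "OS", "UserAgent", "VendorMAC", "SoH", "Accounting"}
ACTIONS = {"log", "email", "trap", "winpopup", "external", "close", "role", "autoreg", "unreg"}
VLANS = {"isolationVlan", "registrationVlan", "normalVlan"}
TIME_RE = re.compile(r"^\d+[smhDWMY]$")      # time modifiers accepted by grace/window/delay_by

# Constructed sample: the Limewire violation above, plus one with deliberate mistakes.
SAMPLE = """
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
delay_by=0
window=0
vlan=isolationVlan

[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
actions=log,trap
enable=Y
max_enable=1
trigger=Detect::2001808

[1200042]
desc=Broken example
priority=12
actions=trap,reboot
enabled=Y
trigger=Snort:2001808
vlan=guestVlan
"""


def load_violations(text):
    """Parse violations.conf text; return {vid: merged dict} with [defaults] applied."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case as written
    cp.read_string(text)
    defaults = dict(cp["defaults"]) if cp.has_section("defaults") else {}
    merged = {}
    for sec in cp.sections():
        if sec == "defaults":
            continue
        v = dict(defaults)
        v.update(cp[sec])                     # per-violation keys override the defaults
        merged[sec] = v
    return merged


def validate(violations):
    """Return {vid: [error, ...]} for every violation that breaks a rule from this section."""
    errors = {}
    for vid, v in violations.items():
        errs = []
        if not vid.isdigit() or int(vid) in RESERVED:
            errs.append("id must be an integer outside the reserved range 1200000-1200099")
        errs += [f"unknown key '{k}'" for k in v if k not in KNOWN_KEYS]
        pr = v.get("priority", "4")
        if not (pr.isdigit() and 1 <= int(pr) <= 10):
            errs.append(f"priority {pr} must be 1-10")
        for t in v.get("trigger", "").split(","):
            typ, sep, ident = t.strip().partition("::")
            if not sep or typ not in TRIGGER_TYPES or not ident:
                errs.append(f"bad trigger '{t.strip()}' (expected type::ID)")
        actions = {a.strip() for a in v.get("actions", "").split(",") if a.strip()}
        if actions - ACTIONS:
            errs.append("unknown actions " + ",".join(sorted(actions - ACTIONS)))
        if v.get("vlan") not in VLANS:
            errs.append("vlan must be one of " + ",".join(sorted(VLANS)))
        if "trap" in actions and v.get("enable") != "Y":
            errs.append("trapping violation is not enabled (enable=Y missing)")
        for k in ("grace", "delay_by", "window"):
            val = v.get(k, "0")
            if val not in ("0", "dynamic") and not TIME_RE.match(val):
                errs.append(f"{k}={val} is not a time value")
        if errs:
            errors[vid] = errs
    return errors


if __name__ == "__main__":
    for vid, errs in validate(load_violations(SAMPLE)).items():
        print(vid, "->", "; ".join(errs))
```

The Limewire section passes unchanged (its vlan and grace come from [defaults]); the second section is reported for its reserved ID, the misspelled `enabled` key, the out-of-range priority, the malformed trigger, the unknown action and VLAN name, and for trapping while `enable` still inherits `N` from the defaults.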

Compliance Checks
PacketFence supports either Nessus or OpenVAS as a scanning engine for compliance checks.

Installation
Nessus
Please visit http://www.nessus.org/download/ to download and install the Nessus package for your
operating system. You will also need to register for the Home Feed (or the Professional Feed) in order
to get the plugins.
After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus
server, and to create a user for PacketFence.

OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure
the correct repository to be able to install the latest OpenVAS scanning engine.
Once installed, please make sure to follow the instructions to correctly configure the scanning
engine and create a scan configuration that will fit your needs. You'll also need to create a user for
PacketFence to be able to communicate with the server.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters
in the PacketFence configuration file. The easiest way to get these IDs is by downloading both
the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from
the file names.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID
f5c2a364-47d2-4700-b21d-0a7693daddab.

Configuration
In order for the compliance checks to correctly work with PacketFence (communication and
generating violations inside PacketFence), you must configure two sections:

pf.conf
Adjust the settings in the scan section like the following. Don't hesitate to refer to the
documentation.conf file for any help on these parameters and which of them to configure.
Using Nessus:
[scan]
engine=nessus
host=127.0.0.1
nessus_clientpolicy=basic-policy
pass=nessusUserPassword
registration=enabled
user=nessusUsername
Of course the basic-policy must exist on the Nessus server. If you want to use a different Nessus
policy by category, you have to adjust settings like the following:
[nessus_category_policy]
guest=guest_policy
wifi=wifi_policy
A node registered as a guest will be scanned with guest_policy, etc.
You can also use a different Nessus policy based on the DHCP fingerprint; you have to adjust settings
like the following:
[nessus_scan_by_fingerprint]
Android=Android
Mac OS X=MACOSX
Microsoft Windows=Windows
iPhone=IOS
A node with a fingerprint containing Android will be scanned with the Android policy, etc.
Note: if there is no policy matching the DHCP fingerprint, PacketFence will try to use the policy
based on category, and if that does not exist either, PacketFence will use the default policy defined
by nessus_clientpolicy.
Using OpenVAS:
[scan]
engine=openvas
host=127.0.0.1
openvas_configid=openvasScanConfigId
openvas_reportformatid=openvasNBEReportFormatId
pass=openvasUserPassword
registration=enabled
user=openvasUsername
The scanner credentials are stored in clear text in pf.conf, so keep that file readable only by the
PacketFence user and give the scanner account no more rights than it needs to launch scans.

violations.conf
You need to create a new violation section and specify:
Using Nessus:
trigger=Nessus::<violationId>
Using OpenVAS:
trigger=OpenVAS::<violationId>
where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check
for. Once you have finished the configuration, you need to reload the violation-related database
contents using:
$ pfcmd reload violations

Note
Violations will trigger only if the plugin reports a finding of higher than low severity.

Scan on registration
To perform a system scan before giving access to a host on the network, you need to enable
the scan.registration parameter in pf.conf. If you want to scan a device that has been auto-registered
through an 802.1X connection, you need to enable the scan.dot1x parameter in pf.conf. The
default EAP type that will be scanned is MS-CHAP-V2, but you can configure other EAP types (such
as MD5-Challenge) by adding them to scan.dot1x_type as a comma-separated list of values (look
at the dictionary.freeradius.internal file bundled with FreeRADIUS for the list of EAP types).
It is also recommended to adjust scan.duration to reflect how long the scan takes. A progress bar
of this duration will be shown to the user while waiting. By default, this value is set to 60s.

Hosting Nessus/OpenVAS remotely
Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that
it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the
  vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN
  access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's admin interface (on port 1443 by
  default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.


RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this
information to determine if the node is still connected, how much time it has been connected, and
how much bandwidth the user consumed.

Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the
trigger is very simple:
Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]
Let's explain each chunk properly:
DIRECTION: you can set a limit on inbound (IN), outbound (OUT), or total (TOT) bandwidth.
LIMIT: a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB), or
petabytes (PB).
INTERVAL: this is the time window in which we will look for potential abuse. You can set a number
of days (D), weeks (W), months (M), or years (Y).

Example triggers
Look for incoming (download) traffic with a 50GB/month limit:
Accounting::IN50GB1M
Look for outgoing (upload) traffic with a 500MB/day limit:
Accounting::OUT500MB1D
Look for total (download + upload) traffic with a 200GB limit in the last week:
Accounting::TOT200GB1W

Grace period
When using such a violation feature, setting the grace period is really important. You don't want to
set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted!)
or too high. We recommend that you set the grace period to one interval window.
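The three chunks of an Accounting trigger determine both the quota and the grace period that goes with it. The following is an added example, not the PacketFence trigger code, that parses a trigger into direction, byte limit and interval, checks constructed per-node accounting totals against it, and emits a violations.conf section whose grace is one interval window (the recommendation above) with window=dynamic so that the violation is released at the end of the accounting period. Units are the ones listed above (the text does not list TB, so the parser does not accept it); the accounting totals passed to exceeded() are constructed inputs standing in for what the RADIUS accounting tables would hold for the window.

```python
# Added example, not PacketFence code: parse Accounting:: triggers and derive grace/window.
import re

# Limit units as listed in this section (no TB in the documented list).
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


def parse_trigger(trigger):
    """Split 'Accounting::TOT200GB1W' into direction, byte limit and (count, unit) window."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not an accounting trigger: {trigger}")
    direction, amount, unit, n, period = m.groups()
    return {
        "direction": direction,
        "limit_bytes": int(amount) * UNITS[unit],
        "interval": (int(n), period) if n else None,   # None: no window given
    }


def grace_for(trigger):
    """Recommended grace (one interval window) in time-modifier syntax, e.g. '1M'; None if no window."""
    iv = parse_trigger(trigger)["interval"]
    return f"{iv[0]}{iv[1]}" if iv else None


def exceeded(trigger, acct_in, acct_out):
    """acct_in/acct_out: bytes the node moved inside the trigger's window (constructed inputs)."""
    t = parse_trigger(trigger)
    used = {"IN": acct_in, "OUT": acct_out, "TOT": acct_in + acct_out}[t["direction"]]
    return used > t["limit_bytes"]


def violation_stanza(vid, desc, trigger):
    """violations.conf section for the trigger: grace = one window, window=dynamic (accounting only)."""
    grace = grace_for(trigger)
    lines = [f"[{vid}]", f"desc={desc}", f"trigger={trigger}", "actions=log,trap", "enable=Y"]
    if grace:
        lines += [f"grace={grace}", "window=dynamic"]
    lines.append("vlan=isolationVlan")
    return "\n".join(lines)


if __name__ == "__main__":
    GB = UNITS["GB"]
    print(parse_trigger("Accounting::IN50GB1M"))
    print("over weekly quota:", exceeded("Accounting::TOT200GB1W", 150 * GB, 60 * GB))
    print(violation_stanza(3000001, "Weekly total quota", "Accounting::TOT200GB1W"))
```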


Oinkmaster
Oinkmaster is a Perl script that makes it very easy to update the different Snort rules.
It is simple to use and install. This section will show you how to set up Oinkmaster to work
with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample
Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration
Here are the steps to make Oinkmaster work. We will assume that you have already downloaded the
newest Oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib
   and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/
   conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch
   the bleeding rules.

Rules update
In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab
entry with the right information. The example below shows a crontab entry to fetch the updates
daily at 23:00:
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Rules fetched this way are loaded by Snort without further review, so point the url setting in
oinkmaster.conf only at a source you trust and fetch it over a channel you trust.

Floating Network Devices
Starting with version 1.9, PacketFence supports floating network devices. A floating network
device is a device for which PacketFence has a different behaviour compared to a regular device.
This functionality was originally added to support mobile Access Points.

Caution
Right now PacketFence only supports floating network devices on Cisco and Nortel
switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration,
Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that
connect through this device (or appear on the port) and, if necessary, configure the port as
multi-VLAN (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port as it was before
the device was plugged in.
Because a floating device is recognized solely by its MAC address, a host presenting that MAC on any
access port receives the same treatment (port-security disabled, trunk configured), so keep the list of
floating devices short and treat those MAC addresses as sensitive.

Here is how it works:
Configuration
- Floating network devices have to be identified using their MAC address.
- Linkup/linkdown traps are not enabled on the switches, only port-security traps are.
When PacketFence receives a port-security trap for a floating network device, it changes the port
configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-VLAN (trunk) and sets the tagged VLANs
- it enables linkdown traps
When PacketFence receives a linkdown trap on a port in which a floating network device was plugged,
it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps

Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways
to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration > Network > Floating devices
Here are the settings that are available:
MAC Address
    MAC address of the floating device

IP Address
    IP address of the floating device (not required, for information only)

trunkPort
    Yes/no. Should the port be configured as a multi-VLAN port?

pvid
    VLAN in which PacketFence should put the port

taggedVlan
    Comma-separated list of VLANs. If the port is multi-VLAN, these are
    the VLANs that have to be tagged on the port.

Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different
roles which permit different access to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can
use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest
requests sponsored access, an email is sent to the sponsor, and the sponsor must click on a link
and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance.
Confirmation by email and by a sponsor are the two pre-registration techniques supported at this
point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts,
multiple accounts using a prefix (i.e.: guest1, guest2, guest3) or import data from a CSV to create
accounts. Access duration and expected arrival date are also customizable.

Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on
the registration page by clicking the Sign up link.


Managed guests
Part of the web administration interface, the guest management interface is enabled by default.
It is accessible through the Users > Create menu.

Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow
access to the /signup page on the portal even from a remote location. All that should be required
from the administrators is to open up their perimeter firewall to allow access to PacketFence's
management interface IP on port 443 and make sure a domain name to reach said IP is configured
(and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet
website: https://<hostname>/signup.

Caution
Pre-registration increases the attack surface of the PacketFence system since a subset
of its functionality is exposed on the Internet. Make sure you understand the risks,
apply the critical operating system updates and apply PacketFence's security fixes.
Limit the perimeter firewall rule to TCP port 443 on that IP; the admin interface (port 1443 by
default) must stay unreachable from the Internet.


Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/
local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every
setting is available in /usr/local/pf/conf/documentation.conf.
[guests_self_registration]
guest_pid=email
preregistration=disabled
sponsorship_cc=
These parameters can also be configured from the Configuration > Self Registration section of
the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from
Configuration > Portal Profiles. To disable the self-registration feature, simply remove all
self-registration sources from the portal profile definition. Notice however that if your default
portal profile has no source, it will use all authentication sources.

Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to
the guest module. If localhost is used as SMTP server, make sure that an MTA is installed
and configured on the server.
Self-registered guests are added under the Users tab of the PacketFence Web administration
interface.

Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by
editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every
setting is available in /usr/local/pf/conf/documentation.conf.
[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
Let's explain the meaning of each parameter:
DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s
(seconds), m (minutes), h (hours), D (days), W (weeks), M (months), or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of
the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base
duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units
(D (days), W (weeks), M (months), or Y (years)).
These parameters can also be configured from the Configuration > Admin Registration section of
the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access
duration of users, change their password and more.
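The duration format above decides when a guest account expires, so it is worth being able to compute the resulting date before putting a value into access_duration_choices. The following is an added example, not PacketFence's own implementation: the simple form (<DURATION><DATETIME_UNIT>) follows the description exactly, and calendar units (M, Y) are added as calendar months and years with the day clamped to the end of a short month. For the extended form the reading of the text is an assumption made here: with R the reference time is first moved to the beginning of the DATETIME_UNIT period (midnight for D, Monday 00:00 for W, the 1st for M, 1 January for Y), with F it is left as-is; then DURATION is added and the +/- extension applied. check_choices() validates an access_duration_choices/default_access_duration pair. Sample dates are constructed.

```python
# Added example, not PacketFence code: compute guest access expiry from the duration format.
import re
from datetime import datetime, timedelta

DUR_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")


def _clamp_day(dt, year, month):
    """Keep the day-of-month when it exists in the target month, else use its last day."""
    for day in (dt.day, 30, 29, 28):
        try:
            return dt.replace(year=year, month=month, day=day)
        except ValueError:
            continue
    raise ValueError("unreachable: day 28 exists in every month")


def _add(dt, n, unit):
    """Add n units to dt; M and Y are calendar arithmetic, the rest fixed lengths."""
    fixed = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}
    if unit in fixed:
        return dt + timedelta(**{fixed[unit]: n})
    if unit == "M":
        year, month0 = divmod(dt.year * 12 + (dt.month - 1) + n, 12)
        return _clamp_day(dt, year, month0 + 1)
    if unit == "Y":
        return _clamp_day(dt, dt.year + n, dt.month)
    raise ValueError(f"unknown unit {unit}")


def _period_start(dt, unit):
    """Beginning of the period containing dt (assumed reading of 'relative'); weeks start Monday."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day0 = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day0
    if unit == "W":
        return day0 - timedelta(days=day0.weekday())
    if unit == "M":
        return day0.replace(day=1)
    if unit == "Y":
        return day0.replace(month=1, day=1)
    raise ValueError(f"unknown unit {unit}")


def access_expiry(spec, now):
    """Expiry datetime for an access duration such as '12h', '5D', '1MF+1D' or '1WR-1D'."""
    m = DUR_RE.match(spec)
    if not m:
        raise ValueError(f"bad access duration: {spec}")
    n, unit, base, op, ext_n, ext_unit = m.groups()
    start = _period_start(now, unit) if base == "R" else now     # F or plain form: from now
    end = _add(start, int(n), unit)
    if base is None:
        return end
    delta = int(ext_n)
    return _add(end, delta if op == "+" else -delta, ext_unit)


def check_choices(choices, default):
    """Validate [guests_admin_registration]: every choice parses and the default is one of them."""
    items = [c.strip() for c in choices.split(",")]
    bad = [c for c in items if not DUR_RE.match(c)]
    if bad:
        raise ValueError("unparseable durations: " + ",".join(bad))
    if default not in items:
        raise ValueError(f"default {default} is not one of the choices")
    return True


if __name__ == "__main__":
    now = datetime(2014, 10, 15, 14, 30)          # constructed reference time (a Wednesday)
    for spec in ("12h", "5D", "1M", "1WR-1D", "1MF+1D"):
        print(spec, "->", access_expiry(spec, now))
    print(check_choices("1h,3h,12h,1D,2D,3D,5D", "12h"))
```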

Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is
set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:
[guests_self_registration]
preregistration=enabled
This parameter can also be configured from the Configuration > Self Registration section.
Finally, it is advised that you read the whole guest self-registration section since pre-registration is
simply a twist on the self-registration process.

Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to
the guest module. If localhost is used as SMTP server, make sure that an MTA is installed
and configured on the server.

Statement of Health (SoH)
The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft
world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to
Windows 7, there is a NAP service installed that can relay health information (anti-virus update
status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below
explains how to do SoH policies with PacketFence.

Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/
local/pf/conf/radiusd/eap.conf.


soh=yes
soh-virtual-server = "soh-server"
Restart the RADIUS service afterward.
On the client side, to enable SoH for EAP, do the following (Windows 7 example):
sc config napagent start=auto
sc start napagent
:: Wired 802.1X
sc config dot3svc start=auto depend=napagent
sc start dot3svc
netsh nap client show config
:: get the "ID" value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable
The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile
settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration >
Compliance > Statement of Health module.

Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients
that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to
trigger the violation when "anti-virus is disabled", and finally, reload the violations.
First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf
file (the key is enable, as in the violation format described earlier):
[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=trap,email,log
enable=Y

Note
You may also want to set other attributes such as auto_enable, grace, etc.
When done with the violation, visit the Web Administration under Configuration > Compliance >
Statement of Health and (edit the filter named Default, or) use the Add a filter button to create
a filter named antivirus. Click on antivirus in the filter list, and select Trigger violation in the action
drop-down. Enter the vid of the violation you created above in the input box that appears.
Next, click on Add a condition, and select Anti-virus, is, and disabled in the drop-down boxes
that appear. Click on the Save filters button. Finally, reload the violations either by restarting
PacketFence or using the pfcmd reload violations command.
The last step is to create a new remediation template called noantivirus.php on the filesystem
in the html/captive-portal/violations folder. Edit it to include the text you want to display to
the users.

Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile
importation using a special XML file format (mobileconfig). Android is also able to support this
feature by importing the wireless profile with the Android PacketFence Agent. Installing such a
file on your Apple device will automatically configure the wireless settings for a given SSID. This
feature is often used when the SSID is hidden, and you want to ease the configuration steps on
the mobile device (because it is often painful to configure manually). In PacketFence, we go
further: we generate the profile according to the administrator's preferences and we pre-populate the
file with the user's credentials (without the password). The user simply needs to install the generated
file and will be able to use the new SSID.

Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the
authentication process.
In order to do that, in the administration interface, go to Configuration > Provisioners. Then select the
android provisioner. Enter the SSID and save.
Now do the same thing for the ios provisioner.
Afterwards, you simply need to add the android and ios provisioners to your Portal Profile configuration
as shown in the screenshot (not reproduced here).


For Android, you must allow passthroughs in your configuration like this:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.and

Profile generation
Upon registration, instead of showing the default release page, the user will be shown another
version of the page saying that the wireless profile has been generated, with a clickable link on it.
To install the profile, Apple device owners simply need to click on that link and follow the instructions
on their device. Android device owners simply click on the link and will be forwarded to Google Play
to install the PacketFence agent. Launching the application and tapping configure will create the
secure SSID profile. It is that simple.

SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps
coming in from approved (configured) devices are all processed by the daemon, it is possible for
someone who wants to generate a certain load on the PacketFence server to force the generation
of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to
PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port
and take action if that limit is reached. For example, if over 100 traps are received by PacketFence
from the same switch port in a minute, the switch port will be shut and a notification email will
be sent.
Here is the default config for the SNMP traps limit feature. As you can see, by default, PacketFence
will log the abnormal activity after 100 traps from the same switch port in a minute. These
configurations are in the conf/pf.conf file:


[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI,
in the Configuration > SNMP section.
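The trap limit is a per-switch-port rate check over a one-minute window. The following is an added example, not the PacketFence trap-handling code, that implements such a sliding window so that you can see how a flood and a legitimate burst are told apart before deciding on a trap_limit_action. The trap events (switch IP, ifIndex, timestamp) are constructed, and the action callback stands in for trap_limit_action, which is empty (log only) in the default above.

```python
# Added example, not PacketFence code: per-switch-port sliding-window trap rate limiter.
from collections import defaultdict, deque


class TrapLimiter:
    def __init__(self, threshold=100, window_s=60, action=None):
        self.threshold = threshold          # mirrors trap_limit_threshold
        self.window_s = window_s            # "in a minute" above
        self.action = action                # stands in for trap_limit_action
        self._seen = defaultdict(deque)     # (switch, port) -> timestamps inside the window
        self.tripped = set()                # ports currently over the threshold

    def trap(self, switch, port, ts):
        """Record one trap; return True while this port is over the threshold."""
        key = (switch, port)
        q = self._seen[key]
        q.append(ts)
        while q and ts - q[0] >= self.window_s:     # drop traps that left the window
            q.popleft()
        if len(q) > self.threshold:
            if key not in self.tripped:             # act once per excursion, not per trap
                self.tripped.add(key)
                if self.action:
                    self.action(switch, port, len(q))
            return True
        self.tripped.discard(key)                   # rate fell back below the limit
        return False


def simulate(events, threshold=100):
    """Feed (switch, port, ts) events through a limiter; return the actions it fired."""
    fired = []
    lim = TrapLimiter(threshold, action=lambda sw, p, n: fired.append((sw, p, n)))
    for sw, p, ts in events:
        lim.trap(sw, p, ts)
    return fired


# Constructed input: port 3 floods 150 traps in 30 s; port 4 sends 100 traps spread over 10 minutes.
FLOOD = [("192.168.1.101", 3, 1000 + i * 0.2) for i in range(150)]
SLOW = [("192.168.1.101", 4, 1000 + i * 6) for i in range(100)]

if __name__ == "__main__":
    print(simulate(FLOOD + SLOW))      # only port 3 trips, on its 101st trap
```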

Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the
network. When configured, the user who wants to access the network/Internet is prompted with a
page asking for personal information as well as credit card information.
At this moment there is only one payment gateway built into PacketFence: Authorize.net.
The configuration to use the feature is fairly simple. The general configuration to enable/disable
the billing engine can be done through the Web administration GUI (Configuration > Portal Profiles
and Pages) or from the conf/profiles.conf file:
[default]
billing_engine = enabled
...
Billing engine parameters are specified in conf/pf.conf or from Configuration > Billing:
[billing]
gateway = authorize_net
authorizenet_posturl = The payment gateway processing URL
authorizenet_login = The merchant's unique API Login ID
authorizenet_trankey = The merchant's unique Transaction Key
Since the captive portal collects the card data itself and the transaction key in pf.conf authorizes
charges on the merchant account, protect that file accordingly and keep the server within the
scope of your card-handling (PCI DSS) controls.
It is also possible to configure multiple network access tiers with different prices. For example, you
may want to provide basic Internet access with a decent speed at a specific price and another package
with a high speed connection at another price.
To do so, some customization is needed in the billing module. You'll need to redefine the
getAvailableTiers method in the lib/pf/billing/custom.pm file. An example is already in place
in the file.
To assign a role by tier (example: slow, medium and fast), edit the file lib/pf/billing/custom.pm:

my %tiers = (
    tier1 => {
        id              => "tier1",
        name            => "Tier 1",
        price           => "1.00",
        timeout         => "7D",
        usage_duration  => '1D',
        category        => '',
        description     => "Tier 1 Internet Access",
        destination_url => "http://www.packetfence.org"
    },
);
id is used as the item value of the billing table.
name is the name of the tier used on billing.html.
price is the amount charged on the credit card.
timeout is used to compute the unregistration date of the node.
usage_duration is the amount of non-contiguous access time for the node, set as the time_balance value of the node table.
category is the role in which to put the node.
description will appear on billing.html.
destination_url is the URL to which the device will be redirected after a successful authentication.

Caution
The use of different billing tiers requires different roles in PacketFence. Make sure to create these roles first, otherwise you will run into problems.

Portal Profiles
In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.
When configured, a portal profile overrides the default values for the parameters it defines. When no value is configured in the profile, PacketFence takes its default one (according to the "default" portal profile).
Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is "filter"; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
billing_engine = either enabled or disabled
sources = comma-separated list of authentication sources (IDs) to use
Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration > Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

OAuth2 Authentication
The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live or GitHub account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider login page. This list is available in each OAuth2 authentication source; keep it as short as the provider allows, since every domain on it is reachable from the registration VLAN before the user is authenticated.
In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file, and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the "Redirect URI" field: https://YOUR_PORTAL_HOSTNAME/oauth2/google. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/google).
Also, add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada *.google.ca, France *.google.fr, etc.).
Once you have your client ID and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Google as a registration mode in your portal profile definition, available from Configuration > Portal Profiles and Pages.

Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/facebook
Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/facebook).
Also, add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Facebook as a registration mode in your portal profile definition, available from Configuration > Portal Profiles and Pages.

Caution
By allowing OAuth through Facebook, you give users access to Facebook while they are sitting in the registration VLAN.

GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/github
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add GitHub as a registration mode in your portal profile definition, available from Configuration > Portal Profiles and Pages.

LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com/. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/linkedin
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add LinkedIn as a registration mode in your portal profile definition, available from Configuration > Portal Profiles and Pages.
Also, LinkedIn requires a state parameter for the authorization URL. If you modify that URL, make sure to keep the state parameter at the end of it.

Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/windowslive
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Windows Live as a registration mode in your portal profile definition, available from Configuration > Portal Profiles and Pages.

Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned to a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed at the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
[registration]
device_registration = enabled
device_registration_role = gaming
Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration > Registration section.

Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
eduroam, https://www.eduroam.org/
PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions as well as to let other institutions authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:
client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}
client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and such requests will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied). Replace <eduroam_server_ip_address> with the address of the eduroam server and use the same secret the eduroam operators gave you.
proxy.conf example:
home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = <eduroam_server_ip_address>
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}
Define a pool of servers to group your eduroam home servers together.
proxy.conf example:
home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}
Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain either as user@domain or as domain\username.
If none is found, the REALM is NULL.
If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool). Note that this catch-all also forwards mistyped local domains to eduroam, so watch the proxy logs for your own users' typos.
The REALM determines where the request is sent. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is
# done locally.
realm NULL {
}
# This realm is for ntdomain users who might use the domain like
# this "EXAMPLE\username".
# No authentication server is defined, thus the authentication is
# done locally.
realm EXAMPLE {
}
# This realm is for suffix users who use the domain like this:
# "username@example.edu".
# No authentication server is defined, thus the authentication is
# done locally.
realm example.edu {
}
# This realm is for ALL OTHER requests. Meaning in this context,
# eduroam. The auth_pool is set to the eduroam pool and so the
# requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}
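The realm selection described above is easy to get wrong, and a wrong guess means a user is silently proxied to eduroam or silently kept local. The following Python script is an added example (not part of PacketFence or FreeRADIUS) that reproduces the decision for the realm table above so you can check a few User-Name forms before pointing clients at the server. The user names it tries are made up, and the case-insensitive realm comparison is an assumption to verify against your FreeRADIUS version.

```python
# Added example, not part of PacketFence or FreeRADIUS: reproduces the realm
# selection done by the ntdomain and suffix modules plus the realm table in
# proxy.conf above (NULL, EXAMPLE, example.edu local; everything else DEFAULT,
# proxied to the eduroam pool with nostrip).

LOCAL_REALMS = {'example', 'example.edu'}   # realm EXAMPLE {} and realm example.edu {}
DEFAULT_POOL = 'eduroam'                    # realm DEFAULT { auth_pool = eduroam }


def split_realm(user_name):
    """Mimic ntdomain ('DOMAIN\\user') then suffix ('user@domain'), in that order.

    Returns (realm, stripped_user); realm is None when neither form matches,
    which is what ends up in realm NULL.
    """
    if '\\' in user_name:                        # ntdomain: format = prefix, delimiter = "\\"
        realm, stripped = user_name.split('\\', 1)
        return realm, stripped
    if '@' in user_name:                         # suffix: format = suffix, delimiter = "@"
        stripped, realm = user_name.rsplit('@', 1)
        return realm, stripped
    return None, user_name


def route(user_name):
    """Decide the realm, local-vs-proxy and the User-Name the next hop sees."""
    realm, stripped = split_realm(user_name)
    if realm is None:
        return {'realm': 'NULL', 'action': 'local', 'pool': None, 'user_name': stripped}
    # assumption: realm names compare case-insensitively, as in FreeRADIUS
    if realm.lower() in LOCAL_REALMS:
        # local realms define no auth_pool: authenticate here, realm stripped
        return {'realm': realm, 'action': 'local', 'pool': None, 'user_name': stripped}
    # anything else falls into realm DEFAULT and is proxied; nostrip keeps the
    # full User-Name so the home institution can pick its own realm out of it
    return {'realm': 'DEFAULT', 'action': 'proxy', 'pool': DEFAULT_POOL, 'user_name': user_name}


if __name__ == '__main__':
    # constructed user names, one per branch of the realm table
    for name in ('bob', 'EXAMPLE\\bob', 'bob@example.edu', 'alice@other-university.eu',
                 'bob@exmaple.edu'):
        print(f'{name:28} -> {route(name)}')
```

The last sample shows the catch-all at work: a typo in the local domain is not rejected, it is proxied to eduroam along with the user's credentials.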
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
authorize {
    # pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess
    # uncomment this section if you want to block eduroam users from
    # your other SSIDs. The attribute name (Called-Station-Id) may
    # differ based on your controller
    #if ( Called-Station-Id !~ /eduroam$/i) {
    #    update control {
    #        Proxy-To-Realm := local
    #    }
    #}
    eap {
        ok = return
    }
    files
    expiration
    logintime
    packetfence
}
In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, requests coming from the eduroam servers will be handed to PacketFence, where they will fail since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:
post-auth {
    exec
    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && \
         "%{client:shortname}" != "tlrs2"
    ) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}
# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}

VLAN Filter Definition
We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN. These rules are available in different scopes:
ViolationVlan
RegistrationVlan
NormalVlan
InlineVlan
AutoRegister
And can be defined using different criteria like:
node_info
switch
ifIndex
mac
connection_type
username
ssid
time
owner
radius_request
For example, let's define a rule that puts a device in the "nointernet" role (keeping it off the Internet) when its category is "default", the SSID is "SECURE" and the current time is between 11am and 2pm, Monday to Friday, when it tries to connect as a registered device:
[category]
filter = node_info
attribute = category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = NormalVlan
role = nointernet
You can have a look at the file vlan_filters.conf; there are some examples on how to use and define filters.
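To see what the three filters and the combined rule above actually catch, here is an added example (not PacketFence code) that evaluates them in Python against a connecting node. The node attributes and timestamps are constructed for the example. The time-period parser only covers the wd {...} hr {...} form shown above and treats 11am-2pm as 11:00 through 14:59, which is an assumption, since PacketFence relies on Perl's Time::Period for the real evaluation.

```python
# Added example, not PacketFence code: evaluates the [category], [ssid] and
# [time] filters and the [1:category&ssid&time] rule from the snippet above
# against a connecting node, the way a NormalVlan re-evaluation would.
import re
from datetime import datetime

WEEKDAYS = ('mon', 'tue', 'wed', 'thu', 'fri', 'sat', 'sun')   # datetime.weekday() order

# filter sections from the guide: name -> (filter, attribute, operator, value)
FILTERS = {
    'category': ('node_info', 'category', 'is', 'default'),
    'ssid':     ('ssid', None, 'is', 'SECURE'),
    'time':     ('time', None, 'is', 'wd {Mon Tue Wed Thu Fri} hr {11am-2pm}'),
}
# [1:category&ssid&time] with scope = NormalVlan and role = nointernet
RULES = [('1', 'category&ssid&time', 'NormalVlan', {'role': 'nointernet'})]


def parse_hour(token):
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12."""
    m = re.fullmatch(r'(\d{1,2})(am|pm)', token.strip().lower())
    if not m:
        raise ValueError(f'unsupported hour token: {token!r}')
    return int(m.group(1)) % 12 + (12 if m.group(2) == 'pm' else 0)


def in_period(spec, when):
    """True if datetime `when` falls inside 'wd {Mon ...} hr {11am-2pm}'.

    Assumption: the hour range is inclusive of both named hours, so
    11am-2pm covers 11:00:00 through 14:59:59.
    """
    scales = dict(re.findall(r'(wd|hr)\s*\{([^}]*)\}', spec))
    if 'wd' in scales:
        days = {d[:3].lower() for d in scales['wd'].split()}
        if WEEKDAYS[when.weekday()] not in days:
            return False
    if 'hr' in scales:
        start, end = (parse_hour(t) for t in scales['hr'].split('-'))
        if not start <= when.hour <= end:
            return False
    return True


def filter_matches(name, ctx):
    """Apply one named filter to the request context."""
    kind, attr, op, value = FILTERS[name]
    if kind == 'time':
        return in_period(value, ctx['time'])
    actual = ctx['node_info'].get(attr) if kind == 'node_info' else ctx.get(kind)
    if op == 'is':
        return actual == value
    if op == 'is_not':
        return actual != value
    if op == 'match':
        return actual is not None and re.search(value, str(actual)) is not None
    raise ValueError(f'unsupported operator: {op}')


def evaluate(scope, ctx):
    """Return the first matching rule's result for this scope, or None (no override)."""
    for rule_id, expr, rule_scope, result in RULES:
        if rule_scope != scope:
            continue
        if all(filter_matches(name, ctx) for name in expr.split('&')):
            return dict(result, rule=rule_id)
    return None


if __name__ == '__main__':
    # constructed node: default category, on SSID SECURE, Wednesday noon
    node = {'node_info': {'category': 'default'}, 'ssid': 'SECURE',
            'time': datetime(2014, 10, 15, 12, 0)}
    print('weekday noon  :', evaluate('NormalVlan', node))
    print('Saturday noon :', evaluate('NormalVlan', dict(node, time=datetime(2014, 10, 18, 12, 0))))
    print('other SSID    :', evaluate('NormalVlan', dict(node, ssid='GUEST')))
```

All three filters must match for the rule to fire, and the rule only applies in its own scope: the same node going through RegistrationVlan is not affected.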

Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change @IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration > Web Services. Since the script holds that password in clear text, restrict the file's NTFS permissions to the account that will run the task.

#########################################################################################
# PowerShell script to unregister deleted Active Directory accounts based on the UserName.
#########################################################################################
# Note: Get-EventLog returns every 4726 event still in the Security log, not only the
# one that fired the task; add "-Newest 1" if you want to act on the latest event only.
Get-EventLog -LogName Security -InstanceId 4726 |
Select ReplacementStrings,"Account name" |
% {
    $url = "https://@IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservice
    $password = "admin" # Password for the webservice
    # Accept any server certificate. This is here for PacketFence's self-signed
    # certificate, but it disables TLS server authentication: prefer importing the
    # PacketFence certificate into the Windows trust store and removing this line.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # The first replacement string of event 4726 is the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": [{"pid": "'+$_.ReplacementStrings[0]+'"}]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID:
Start > Run > Taskschd.msc
Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task
General
  Name: PacketFence-Unreg_node-for-deleted-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges
Triggers > New
  Begin the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing.
  Event ID: 4726
Actions > New
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings
  At the bottom, select "Run a new instance in parallel" in the list, in order to unregister multiple nodes at the same time.
Validate with OK and give the account that will run this task (usually DOMAIN\Administrator; a dedicated account that is a member of Event Log Readers can read the Security log and is preferable to a domain administrator).

Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change @IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration > Web Services, and restrict the file's NTFS permissions as for the previous script.
#########################################################################################
# PowerShell script to unregister locked Active Directory accounts based on the UserName.
#########################################################################################
# Note: Get-EventLog returns every 4725 event still in the Security log, not only the
# one that fired the task; add "-Newest 1" if you want to act on the latest event only.
Get-EventLog -LogName Security -InstanceId 4725 |
Select ReplacementStrings,"Account name" |
% {
    $url = "https://@IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservice
    $password = "admin" # Password for the webservice
    # Accept any server certificate. This is here for PacketFence's self-signed
    # certificate, but it disables TLS server authentication: prefer importing the
    # PacketFence certificate into the Windows trust store and removing this line.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # The first replacement string of event 4725 is the name of the affected account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": [{"pid": "'+$_.ReplacementStrings[0]+'"}]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID:
Start > Run > Taskschd.msc
Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task
General
  Name: PacketFence-Unreg_node-for-locked-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges
Triggers > New
  Begin the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing.
  Event ID: 4725
The trigger must use the same event ID as the script's -InstanceId (4725 here). Note that Windows logs 4725 when an account is disabled and 4740 when it is locked out after failed logons; change both the script and the trigger if you want the lockout event.
Actions > New
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings
  At the bottom, select "Run a new instance in parallel" in the list.
Validate with OK and give the account that will run this task (usually DOMAIN\Administrator; see the note above about using a less privileged account).

Chapter 8

Firewall SSO

This SSO (Single Sign-On) feature is a way to match the policies of your firewalls after a valid authentication on the captive portal. You can apply policies based on PacketFence's roles (categories). We currently support two ways to inform the firewall: accounting request and XML request.

Fortigate
Go to your Fortigate administration web page.

Agent RSSO configuration
Go to User & Device > User > User Groups > Create New
Name: RSSO_group
Type: RADIUS Single Sign-On (RSSO)
RADIUS Attribute Value: Guest (put the role name of PacketFence; it's case sensitive)
You can also see that in the web page at User & Device > Monitor > Firewall

Activate the Accounting Listening
Go to System > Network > Interfaces
Select the interface that will communicate with PacketFence and check "Listen for RADIUS Accounting Messages", then validate with OK.

SSO Configuration in PacketFence
Go to Configuration > Firewall SSO > Add Firewall SSO
Hostname or IP Address: @IP of your firewall
Firewall type: Fortigate (Fortigate = Accounting request; PaloAlto = XML request)
Secret or Key: secret (RADIUS shared secret)
Port: 1813
Roles: add the roles that you want to do SSO

Verification
If you want to see if it's working, you can log into the firewall over SSH and run the following commands:
di debug enable
di debug application radiusd -1

PaloAlto
You have to log into the web page of your PaloAlto firewall.

Create a SSO role
Go to Device > Admin Roles > Add
Create the role named SSO_Role; under the XML API tab enable everything and validate with OK. Once SSO is confirmed working, consider trimming the role to the User-ID permission, which is what the user-to-IP mapping calls need, so the key below cannot be used to change configuration if it leaks.

Create the account in PAN-OS
Go to Device > Administrator > Add
Name: xmluser
Authentication Profile: None
Password: xmluser (use a strong password outside of a lab; the key generated below is derived from it)
Role: Role Based
Profile: SSO_Role (previously created)
Password Profile: None

Get the XML Key
Hit the following page in your browser:
https://@IP-of-PaloAlto/api/?type=keygen&user=xmluser&password=xmluser
It should display:

<response status="success">
<result>
<key>
LUFRPT1jeFV6SHd1QnJHaU55dnYvRlFNSkJNeTR6Uzg9TDgzNVljL000eDVnWHg2VTdwNUJHMlFGcHFCVWpGeW55VjVvZTF0WE
</key>
</result>
</response>

SSO Configuration in PacketFence
Go to Configuration > Firewall SSO > Add Firewall SSO
Hostname or IP Address: @IP of your firewall
Firewall type: PaloAlto (Fortigate = Accounting request; PaloAlto = XML request)
Secret or Key: LUFRPT1jeFV6SHd1QnJHaU55dnYvRlFNSkJNeTR6Uzg9TDgzNVljL000eDVnWHg2VTdwNUJHMlFGcHFCVWpGeW55VjVvZTF0W (put the key previously generated)
Port: 443
Roles: add the roles that you want to do SSO

Verification
Log in over SSH on the PaloAlto firewall and run this command:
show user ip-user-mapping all

Chapter 9

Operating System Best Practices

IPTables
IPTables is now entirely managed by PacketFence. However, if you need to add custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons, and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during the PacketFence initial installation.

High Availability
A high availability setup (active/passive) for PacketFence can be created using two PacketFence servers and the following open source utilities:
Linux-HA: a daemon that provides cluster infrastructure to its clients. Heartbeat is responsible for starting the PacketFence services, eventually.
DRBD: a network-based RAID-1.
Since PacketFence stores most of its information in a MySQL database, the two redundant PacketFence servers need to share this database in one way or another.
There are different options to share the database between the two PacketFence servers:
A local MySQL database server on each PacketFence box configured to store its databases on a remote partition (a LUN on a SAN, for example)

Caution
You have to make sure that only one database server is running at any time (don't double-mount the partition).
A local MySQL database server on each PacketFence box and replication of the database partition using DRBD
A remote MySQL database server with its own high availability setup
In this document, we describe the second option, which involves DRBD.
We assume that:
you are using Red Hat Enterprise 5 or CentOS 5.
pf1 is the first PacketFence server
pf2 is the second PacketFence server
PacketFence is properly configured on each server
the DRBD partition is 30G long
we use Heartbeat v1

Creation of the DRBD partition
During the OS installation, reduce the size of the main partition and leave room for a new one (that will be used for the replicated MySQL database) of 30G. Do not create that partition during the install process; we will do it later.

Partitioning
After the install, you need to create the extra partition for DRBD. Using fdisk, create your new partition and save the table. You will probably need to reboot your server after this step.

DRBD and Linux-HA Installation
CentOS 6
Import the ELRepo signing key, so that the packages installed below have their signatures checked, then add the ELRepo repository:
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-6-6.el6.elrepo.noarch.rpm
Edit the repo file to disable ELRepo by default (/etc/yum.repos.d/elrepo.repo):

[elrepo]
name=ELRepo.org Community Enterprise Linux Repository - el6
baseurl=http://elrepo.org/linux/elrepo/el6/$basearch/
mirrorlist=http://elrepo.org/mirrors-elrepo.el6
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org
protect=0
Now install the DRBD 8.4 kernel module and the user-space tools (drbdadm comes from drbd84-utils), enabling the repository for this transaction only:
yum install kmod-drbd84 drbd84-utils --enablerepo=elrepo

DRBD Configuration and setup
Caution
Initializing, configuring and troubleshooting DRBD is not straightforward! We strongly recommend that you read the online documentation available on the DRBD website so you have a better idea of how it works.
Here we assume the name of the DRBD resource is mysql.
Load the DRBD kernel module:
modprobe drbd
Edit /etc/drbd.d/global_common.conf and put the following content (usage-count yes reports anonymous usage statistics to the DRBD project; set it to no if your servers must not call out):
global {
    usage-count yes;
}
common {
    protocol C;
    startup {
        degr-wfc-timeout 120;
    }
    syncer {
        rate 100M;
        al-extents 257;
    }
    disk {
        on-io-error detach;
    }
}
Create the file /etc/drbd.d/mysql.res with the following content:
resource mysql {
    on <pf1_server_name> {
        device /dev/drbd0;
        disk <storage_device>;
        meta-disk internal;
        address <ha_interface_ip_address_1>:7788;
    }
    on <pf2_server_name> {
        device /dev/drbd0;
        disk <storage_device>;
        meta-disk internal;
        address <ha_interface_ip_address_2>:7788;
    }
    handlers {
        split-brain "/usr/lib/drbd/notify-split-brain.sh alert@acme.com";
    }
}
where:
mysql is the name of the DRBD resource (the partition you created for the database)
pf1_server_name and pf2_server_name are the real server names (the FQDN as returned by uname -n on each server)
ha_interface_ip_address_1 and ha_interface_ip_address_2 are the IP addresses dedicated to DRBD on each server (use a dedicated NIC for this, not the main one with all the IPs)
storage_device is the device to use for the MySQL partition (i.e. /dev/sda2)
DRBD peers do not authenticate each other by default: the database blocks cross the link in clear and any host that can reach port 7788 can connect. Keep the replication link on a dedicated, isolated network as recommended above; DRBD's net section also offers cram-hmac-alg and shared-secret to authenticate the peer.
Then initialize the partition (run this on both servers):
[root@pf1 ~]# drbdadm create-md mysql
Writing meta data...
initializing activity log
NOT initialized bitmap
New drbd meta data block successfully created.
success
Start DRBD on both servers:
# /etc/init.d/drbd start
You should see something similar to this when typing cat /proc/drbd:
...
0: cs:Connected ro:Secondary/Secondary ds:Inconsistent/Inconsistent C r---
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:30702640
Synchronize the servers by forcing one to become the primary. So on pf1 do:
# drbdadm primary --force mysql

After issuing this command, the initial full synchronization will start. You will be able to monitor its progress via /proc/drbd. It may take some time depending on the size of the device. Wait until it completes.
When the sync is complete, create the filesystem on the primary node only:
# mkfs.ext4 /dev/drbd0
Make sure DRBD is started at boot time:
# chkconfig --level 2345 drbd on
Restart both servers.
When done, look in /proc/drbd and make sure you see:
...
0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r---
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0

MySQL Configuration
Note
By default MySQL puts its data in /var/lib/mysql. In order to replicate data between the two servers, we mount the DRBD partition under /var/lib/mysql.
When first starting MySQL, the partition must be mounted.
In order to do so:
On the master server (the server you are working on), tell DRBD to become the primary node with:
# drbdadm primary mysql
mysql being the name of the DRBD resource.
The command cat /proc/drbd should display something like:
...
0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r---
    ns:145068 nr:4448 dw:149516 dr:10490 al:31 bm:14 lo:0 pe:0 ua:0 ap:0 ep:1 wo:d oos:0
Mount the partition with:
# mount /dev/drbd0 /var/lib/mysql

Start MySQL:
# service mysqld start
Execute the secure installation script in order to set the root password and remove the test databases and the anonymous user created by default:
# /usr/bin/mysql_secure_installation
Make sure MySQL does not start at boot time (Heartbeat will start it on the active node only):
# chkconfig --level 2345 mysqld off

Heartbeat configuration
Create /etc/ha.d/ha.cf with the following content:
bcast eth0
bcast eth1
keepalive 2
warntime 30
deadtime 60
auto_failback off
initdead 120
node pf1.example.com
node pf2.example.com
use_logd yes
Here we assume that the redundant connections for the Heartbeat between the two servers are on eth0 and eth1. The node names must match the output of uname -n on each server.
Create /etc/ha.d/haresources with the following content (a single line):
pf1.example.com Ipaddr2::x.x.x.x IfUp::eth0.y IfUp::eth0.z drbddisk::mysql Filesystem::/dev/drbd0::/var/lib/mysql::ext4 mysqld packetfence
x.x.x.x is the PacketFence admin virtual address
eth0.y is the name of the NIC configuration file (/etc/sysconfig/network-scripts/ifcfg-eth0.y) dedicated to the IP address in VLAN y (registration, for example).
eth0.z is the name of the NIC configuration file (/etc/sysconfig/network-scripts/ifcfg-eth0.z) dedicated to the IP address in VLAN z (isolation, for example).
The filesystem type must match what was created with mkfs above (ext4 here).
Create the /etc/ha.d/resource.d/IfUp script that will bring up the IP addresses in Registration and Isolation (eth0.y, eth0.z) with the following content:

#!/bin/sh
# Heartbeat resource script: IfUp <interface> {start|stop}
# $1 is the interface (e.g. eth0.y), $2 the action passed by Heartbeat
case "$2" in
    start)
        echo -n "Bringing up $1"
        /sbin/ifup $1
        echo "."
        ;;
    stop)
        echo -n "Bringing down $1"
        /sbin/ifdown $1
        echo "."
        ;;
    *)
        echo "Usage: $0 <interface> {start|stop}"
        exit 1
        ;;
esac
and make it executable:
# chmod 755 /etc/ha.d/resource.d/IfUp
Create /etc/ha.d/authkeys with the following content. The key below is only a sample: generate your own (for example with openssl rand -hex 20), as it authenticates the heartbeat messages between the nodes, and use the same value on both servers:
auth 1
1 sha1 10b245aa92161294df5126abc5b3b71d
and change its rights like this:
# chmod 600 /etc/ha.d/authkeys
Create /etc/logd.cf with the following content:
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility daemon

Note
Make sure UDP port 694 is open (through iptables) on both servers.
Start Heartbeat:
# service heartbeat start
Look at the Heartbeat log file /var/log/ha-log to make sure that everything is fine.
Enable automatic start of Heartbeat:
# chkconfig --level 345 heartbeat on

RADIUS HA configuration
If you configured FreeRADIUS with your wireless setup and you configured redundancy, you can configure FreeRADIUS to answer only requests coming in on the virtual IP. In order to do so, you need to modify the RADIUS configuration and add RADIUS to the managed resources.

RADIUS Configuration
Modify the listen statements in the radiusd.conf file as follows. Replace [VIP_IPV4_ADDRESS] with your virtual IP address:
listen {
    type = auth
    ipaddr = [VIP_IPV4_ADDRESS]
    port = 0
}
listen {
    type = acct
    ipaddr = [VIP_IPV4_ADDRESS]
    port = 0
}

Heartbeat Configuration
Add RADIUS to the managed resources (in /etc/ha.d/haresources, still a single line):
pf1.example.com Ipaddr2::x.x.x.x IfUp::eth0.y IfUp::eth0.z drbddisk::mysql Filesystem::/dev/drbd0::/var/lib/mysql::ext4 mysqld packetfence radiusd

Chapter 10

Performance optimization

MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load
# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU
# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20%, which is not good. If your IOWait is low but MySQL is taking 50%+ of the CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer pool size from the default values.
Shut down PacketFence and MySQL:
# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]                                                      [  OK  ]
# /etc/init.d/mysqld stop
Stopping MySQL:                                            [  OK  ]
Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
# 2 = write the log at every commit but flush it to disk once per second:
# faster, but up to about one second of committed transactions can be lost
# if the operating system crashes (a crash of mysqld alone loses nothing)
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size (key_buffer_size only caches MyISAM indexes)
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON
Startup MySQL and PacketFence
# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool
We recommend that you run the MySQL Tuner tool on your database setup after a couple of weeks
to help you identify MySQL configuration improvements.
http://blog.mysqltuner.com/download/

Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially
true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved
to the archive table locationlog_history after some time. A closed record is one where the
end_time field is set to a date (strictly speaking, it is when end_time is not NULL and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs
this cleanup in addition to optimizing tables on Sunday and doing daily backups.
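The archival step described above, as an added example that is not PacketFence code nor the database-backup-and-maintenance.sh script itself: it applies the guide's definition of a closed record (end_time not NULL and not the zero date) with an age cutoff, and moves matching rows to locationlog_history in one transaction. The column set is a simplified stand-in for the real locationlog tables, the sample rows and the "current time" are constructed, and it runs on SQLite so that it works offline; against MySQL the WHERE clause is the same.

```python
import sqlite3
from datetime import datetime, timedelta

ZERO_DATE = "0000-00-00 00:00:00"   # MySQL's "zero" DATETIME: the entry is still open
FMT = "%Y-%m-%d %H:%M:%S"
SAMPLE_NOW = datetime(2014, 10, 1, 12, 0, 0)   # constructed "current time" for the sample


def build_sample_db(now=SAMPLE_NOW):
    """Constructed sample data in an in-memory SQLite database. The columns
    are a simplified stand-in for PacketFence's locationlog tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE locationlog (
            mac TEXT, switch TEXT, port TEXT, vlan TEXT,
            start_time TEXT, end_time TEXT);
        CREATE TABLE locationlog_history AS SELECT * FROM locationlog WHERE 0;
    """)

    def days_ago(n):
        return (now - timedelta(days=n)).strftime(FMT)

    rows = [
        # still connected (zero date): must stay
        ("00:11:22:33:44:55", "10.0.0.2", "1", "20", days_ago(40), ZERO_DATE),
        # closed 35 days ago: archive
        ("00:11:22:33:44:66", "10.0.0.2", "2", "20", days_ago(40), days_ago(35)),
        # closed yesterday: too recent, keep for now
        ("00:11:22:33:44:77", "10.0.0.2", "3", "2", days_ago(3), days_ago(1)),
        # NULL end_time also means "open": must stay
        ("00:11:22:33:44:88", "10.0.0.2", "4", "2", days_ago(60), None),
    ]
    conn.executemany("INSERT INTO locationlog VALUES (?,?,?,?,?,?)", rows)
    return conn


def archive_closed_entries(conn, now=SAMPLE_NOW, older_than_days=30):
    """Move closed rows whose end_time is older than the cutoff into
    locationlog_history and return how many were moved. INSERT and DELETE
    run in one transaction, so a failure leaves both tables consistent."""
    cutoff = (now - timedelta(days=older_than_days)).strftime(FMT)
    # The guide's definition of "closed", plus the age cutoff.
    closed = "end_time IS NOT NULL AND end_time <> ? AND end_time < ?"
    with conn:
        cur = conn.execute(
            f"INSERT INTO locationlog_history SELECT * FROM locationlog WHERE {closed}",
            (ZERO_DATE, cutoff))
        moved = cur.rowcount
        conn.execute(f"DELETE FROM locationlog WHERE {closed}", (ZERO_DATE, cutoff))
    return moved


def table_macs(conn, table):
    """Sorted MAC addresses currently stored in the given table."""
    return sorted(row[0] for row in conn.execute(f"SELECT mac FROM {table}"))


if __name__ == "__main__":
    db = build_sample_db()
    print("archived:", archive_closed_entries(db))
    print("locationlog:", table_macs(db, "locationlog"))
    print("locationlog_history:", table_macs(db, "locationlog_history"))
```

Running it archives exactly one row (the entry closed 35 days ago); the open entries and the recently closed one stay in locationlog. The age cutoff is the parameter to tune: it is what keeps locationlog small without losing the history PacketFence still needs for recently disconnected nodes.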

Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS
module. The default MySQL value (max_connections) tends to be low (100), so we encourage you to increase that
value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for
details.

Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS
module. When the server is loaded, these connection attempts can time out. If a connection times
out during connection, MySQL will consider this a connection error and after 10 of these (the default
value of max_connect_errors) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with
'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. Ways to do so are
to increase the number of maximum connections (see above), to periodically flush hosts or to
allow more connection errors (raise max_connect_errors). See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for
details.

Captive Portal Optimizations
Avoid captive portal overload due to non-browser
HTTP requests
By default we allow every query to be redirected and reach PacketFence for the captive portal
operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence
and waste its resources for nothing since they are not from browsers (iTunes, Windows Update,
MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration
of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent.
All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik
[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = /generate_204
The last block defines the relationship between the tests and the desired action. For example:
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain
/generate_204. The exception matters: Android uses the /generate_204 request to detect a captive
portal, so that one request must still reach PacketFence or the device will never show the portal.
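To make the semantics of the two blocks concrete, here is an added example (not PacketFence's own filter code) that parses the test and rule sections above and applies them to constructed requests. It assumes, following the description, that match and match_not are regular-expression tests, that a rule fires only when every test named in its header (joined with &) passes, and that the first matching rule wins; those points, and the request field names, are this example's assumptions rather than a statement of how the real Apache module is implemented.

```python
import configparser
import re

# Constructed copy of the two tests and the rule shown in the guide.
FILTERS_CONF = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = /generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""


def load_filters(text):
    """Split the INI text into test sections and rule sections.
    A rule header looks like "name:test1&test2"; anything else is a test."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, rules = {}, []
    for section in cp.sections():
        if ":" in section:
            name, expr = section.split(":", 1)
            rules.append({
                "name": name,
                "tests": [t.strip() for t in expr.split("&")],
                "action": cp[section].get("action", ""),
                "redirect_url": cp[section].get("redirect_url", ""),
            })
        else:
            tests[section] = dict(cp[section])
    # Refuse a rule that names a test which does not exist, instead of
    # silently never matching (a typo would otherwise disable the rule).
    for rule in rules:
        missing = [t for t in rule["tests"] if t not in tests]
        if missing:
            raise ValueError(f"rule {rule['name']!r} uses unknown tests {missing}")
    return tests, rules


def run_test(test, request):
    """Apply one test to a request dict with keys method, uri, user_agent.
    The method must be equal; the value is used as a regular expression."""
    if request["method"] != test["method"]:
        return False
    subject = request.get(test["filter"], "")
    hit = re.search(test["value"], subject) is not None
    if test["operator"] == "match":
        return hit
    if test["operator"] == "match_not":
        return not hit
    raise ValueError(f"unknown operator {test['operator']!r}")


def evaluate(tests, rules, request):
    """Return (rule name, action, redirect_url) for the first rule whose
    tests all pass, or None when the request may reach the captive portal."""
    for rule in rules:
        if all(run_test(tests[t], request) for t in rule["tests"]):
            return rule["name"], rule["action"], rule["redirect_url"]
    return None


TESTS, RULES = load_filters(FILTERS_CONF)

if __name__ == "__main__":
    for req in (
        {"method": "GET", "uri": "/index.html", "user_agent": "Dalvik/1.6.0 (Linux; U; Android 4.4)"},
        {"method": "GET", "uri": "/generate_204", "user_agent": "Dalvik/1.6.0 (Linux; U; Android 4.4)"},
        {"method": "GET", "uri": "/index.html", "user_agent": "Mozilla/5.0"},
    ):
        print(req["user_agent"].split("/")[0], req["uri"], "->", evaluate(TESTS, RULES, req))
```

The Dalvik request for /index.html gets the 501 action, the Dalvik request for /generate_204 is let through (so Android's portal detection keeps working), and a regular browser is never touched. When writing your own tests, keep in mind that match values are regular expressions and the user agent is attacker-controlled: anchor patterns where it matters, and prefer blocking specific non-browser agents over trying to enumerate browsers.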

Chapter 11

Frequently Asked Questions

The PacketFence FAQ is now available online. Please visit:
http://www.packetfence.org/support/faqs.html

Chapter 12

Technical introduction to VLAN enforcement

Introduction
VLAN assignment is currently performed using several different techniques. These techniques are
compatible with one another, but not on the same switch port. This means that you can use the
more secure and modern techniques on your latest switches and another technique on the old
switches that don't support the latest techniques. As its name implies, VLAN assignment means that
PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs
or it can be a special VLAN where PacketFence presents the captive portal for authentication or
remediation.
VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest
method to bypass and is the one which adapts best to your environment since it glues into your
current VLAN assignment methodology.

VLAN assignment techniques
Port-security and SNMP
Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this
way any MAC address will generate a security violation and a trap will be sent to PacketFence. The
system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but
tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC
behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at
the same time) or you change the data VLAN, but the PC doesn't do DHCP (it didn't detect that the link was
down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that
has the most switch vendor support.

Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant,
an authenticator (known as the NAS), and an authentication server (known as AAA). The supplicant is often
software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless
access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network
until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant
provides credentials, such as user name / password or digital certificate, to the authenticator,
and the authenticator forwards the credentials to the authentication server for verification. If the
credentials are valid (in the authentication server database), the supplicant (client device) is allowed
to access the network. The protocol for authentication is called Extensible Authentication Protocol
(EAP), which has many variants. Both supplicant and authentication server need to speak the
same EAP protocol. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows / Mac
OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return
the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to
the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant,
which makes this approach more and more popular.
MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases
where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco
calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it
Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back
to MAC Authentication. It has the advantage of using the same approach as 802.1X except that
the MAC address is sent instead of the username and there is no end-to-end EAP conversation
(no strong authentication: a MAC address can be observed on the wire and spoofed). Using MAC Authentication, devices like network printers or non-802.1X
capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC
Authentication. Where things change is that 802.1X is used to set up the security keys for
encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize
(allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open
one and a secure one. The open one is used to help users configure the secure one properly and
requires authentication over the captive portal (which runs in HTTPS).

More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation
should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence,
we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them
into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads
these traps from the flat file and responds to them by setting the switch port to the correct VLAN.
Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support
for switches from another vendor implies extending the pf::Switch class). Depending on your
switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in
which PacketFence will put unregistered devices. If you want to isolate computers which have open
violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)
This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be
nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes
some time before the switch learns the MAC address of the newly connected device, PacketFence
immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests
(with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodic
SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address
is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and
puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown
trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and
every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has
to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan.
In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it
receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most
scalable option. For example, in case of power failure, if hundreds of computers boot at the same
time, PacketFence would receive a lot of traps almost instantly and this could result in network
connection latency.

MAC notification traps
If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you
activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after
a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it
receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to
put the port in the MAC detection VLAN and can then free the thread. When the switch learns the
MAC address of the device it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the
switch port and allows only that MAC address to communicate on that port. If any other MAC
address tries to communicate through the port, port security will not allow it and will send a port security trap.
If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown
and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and
is the only one connected, the switch will send no trap whether the device reboots, plugs in or
unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should not enable linkUp/linkDown nor MAC notification
traps.

Chapter 13

Technical introduction to Inline enforcement

Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such
as entry-level consumer switches or access points. Now, with the inline mode, PacketFence
can be used in-band for those devices. In other words, PacketFence becomes the gateway of
that inline network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another
section of the network). Let's see how it works.

Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only
need to ensure that the device is "talking" on the inline VLAN. At this point, all the traffic will be
passing through PacketFence since it is the gateway for this VLAN.

Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered and connects
in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked
as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal
and other traffic blocked. The user will have to register through the captive portal as in VLAN
enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's
MAC address to go through it.


Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of:
- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's
  load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of
  failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than
  a class B
This is why it is considered a poor man's way of doing access control. We have avoided it for a
long time because of the above mentioned limitations. That said, being able to perform both inline
and VLAN enforcement on the same server at the same time is a real advantage: it allows users to
maintain maximum security while they deploy new and more capable network hardware, providing
a clean migration path to VLAN enforcement.

Chapter 14

Technical introduction to Hybrid enforcement

Introduction
Before version 3.6 of PacketFence, it was not possible to have RADIUS enabled for inline
enforcement mode. Now, with the hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) /
access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also
need to take care of a specific parameter in the switch configuration window, "Trigger to enable
inline mode". This parameter works like a trigger and you have the possibility to define different
sorts of trigger:
ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT
specifies the ifIndex of the port which will use inline enforcement, MAC a MAC
address that will be put in inline enforcement rather than VLAN
enforcement and SSID an SSID name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the "GuestAccess" SSID to use inline enforcement
mode (PacketFence will return a void VLAN or the inline VLAN if defined in the switch configuration) and
the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
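The trigger string above, worked through as an added example (not PacketFence's own parser): it turns "KEY::value,KEY::value" into a list of triggers and decides, for a connecting node, whether inline enforcement applies. The four keys and the format come from the text; the node attribute names, the MAC normalisation and the decision that any single matching trigger is enough are this example's assumptions.

```python
KNOWN_TRIGGERS = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac):
    """Lower-case, colon-separated form, so that 00-11-22-33-44-55 and
    00:11:22:33:44:55 compare equal (assumption: the real code may differ)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_triggers(spec):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [(key, value), ...].
    ALWAYS carries no value. Unknown keys raise instead of being skipped,
    so a typo cannot silently leave a device in VLAN enforcement."""
    triggers = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        key, _, value = item.partition("::")
        key = key.upper()
        if key not in KNOWN_TRIGGERS:
            raise ValueError(f"unknown inline trigger {key!r}")
        if key == "ALWAYS":
            triggers.append((key, None))
        elif key == "MAC":
            triggers.append((key, normalize_mac(value)))
        elif key == "PORT":
            triggers.append((key, int(value)))      # ifIndex of the switch port
        else:
            triggers.append((key, value))           # SSID names are case-sensitive
    return triggers


def use_inline(triggers, mac, ifindex=None, ssid=None):
    """True when any trigger matches the connecting node, meaning PacketFence
    should answer with the inline (or void) VLAN rather than a regular one."""
    mac = normalize_mac(mac)
    for key, value in triggers:
        if key == "ALWAYS":
            return True
        if key == "MAC" and value == mac:
            return True
        if key == "PORT" and ifindex is not None and value == ifindex:
            return True
        if key == "SSID" and ssid is not None and value == ssid:
            return True
    return False


if __name__ == "__main__":
    triggers = parse_triggers("SSID::GuestAccess,MAC::00:11:22:33:44:55")
    print(triggers)
    print(use_inline(triggers, "aa:bb:cc:dd:ee:ff", ssid="GuestAccess"))   # True: guest SSID
    print(use_inline(triggers, "00-11-22-33-44-55", ssid="Corp"))          # True: listed MAC
    print(use_inline(triggers, "aa:bb:cc:dd:ee:ff", ssid="Corp"))          # False: VLAN enforcement
```

With the guide's example string, a laptop on "GuestAccess" and the phone with MAC 00:11:22:33:44:55 on any SSID end up inline, while every other node on the corporate SSID stays on VLAN enforcement. Note that the MAC trigger is only as strong as MAC authentication itself: a spoofed address would be treated the same way.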

Chapter 15

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think
that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending
on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest
you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that
runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches.
Using CDP, a device can advertise its existence to other devices and receive information about
other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able
to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its Ethernet
frames using the configured voice VLAN on the switch port.
On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery
Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by
network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can
tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques such as port-security,
MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its Ethernet frames using the
configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from
the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC
connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 MAC
address authorized on the voice VLAN, and 1 on the access VLAN.

Note
Not all vendors support VoIP on port-security, please refer to the Network
Configuration Guide.

MAC Authentication and 802.1X
Cisco hardware
On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that
we can have one device on the VOICE domain, and one device on the DATA domain. The domain
assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence
will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone
to tag its Ethernet frames using the configured voice VLAN on the port. When a PC connects, the
RADIUS server will return tunneled attributes, and the switch will place the port in the provided
access VLAN.

Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone
connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow
tagged frames from this device. When the PC connects, we will be able to return standard
RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your
switch hardware.

What if the CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking
at the "DHCP way" of provisioning your phone with a voice VLAN. Some models will ask for a
specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will
then reboot, and tag its Ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the
registration and your production DHCP servers to provide the DHCP option. You also need to make
sure there is a voice VLAN properly configured on the port, and that you auto-register your IP
Phones (on the first connect, the phone will be assigned to the registration VLAN).

Chapter 16

Additional Information

For more information, please consult the mailing list archives or post your questions to them. For details,
see:
packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security
warnings etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions

Chapter 17

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to:
support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations
deploy the solution, customize it, migrate between versions or from another system, tune performance or
align with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/support.html for details.

Chapter 18

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.

Appendix A. Administration Tools

pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments, pfcmd returns a basic help message with all main options:

Usage: pfcmd.pl <command> [options]

cache                        | manage the cache subsystem
checkup                      | perform a sanity checkup and report any problems or warnings
class                        | view violation classes
config                       | query, set, or get help on pf.conf configuration parameters
configfiles                  | push or pull configfiles into/from database
configreload                 | reloads the configuration into the cache
floatingnetworkdeviceconfig  | query/modify floating network device configuration parameters
fingerprint                  | view DHCP Fingerprints
fixpermissions               | fix permissions of files
graph                        | trending graphs
history                      | IP/MAC history
import                       | bulk import of information into the database
ifoctetshistorymac           | accounting history
ifoctetshistoryswitch        | accounting history
ifoctetshistoryuser          | accounting history
interfaceconfig              | query/modify interface configuration parameters
ipmachistory                 | IP/MAC history
locationhistorymac           | Switch/Port history
locationhistoryswitch        | Switch/Port history
lookup                       | node or pid lookup against local data store
manage                       | manage node entries
networkconfig                | query/modify network configuration parameters
node                         | node manipulation
nodeaccounting               | RADIUS accounting information
nodecategory                 | nodecategory manipulation
nodeuseragent                | View User-Agent information associated to a node
person                       | person manipulation
reload                       | rebuild fingerprints without restart
report                       | current usage reports
schedule                     | Nessus scan scheduling
service                      | start/stop/restart and get PF daemon status
switchconfig                 | query/modify switches.conf configuration parameters
switchlocation               | view switchport description and location
traplog                      | update traplog RRD files and graphs or obtain switch IPs
trigger                      | view and throw triggers
ui                           | used by web UI to create menu hierarchies and dashboard
update                       | download canonical fingerprint or OUI data
useragent                    | view User-Agent fingerprint information
version                      | output version information
violation                    | violation manipulation
violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd.pl help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified
MAC address (fields are pipe-separated; an empty field is a NULL column):
# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown.

Usage:
    pfcmd_vlan command [options]

Command:
    -deauthenticate        de-authenticate a dot11 client
    -deauthenticateDot1x   de-authenticate a dot1x client (pass ifIndex for
                           wired 802.1x and mac for wireless 802.1x)
    -getAlias              show the description of the specified switch port
    -getAllMACs            show all MACs on all switch ports
    -getHubs               show switch ports with several MACs
    -getIfOperStatus       show the operational status of the specified switch
                           port
    -getIfType             show the ifType on the specified switch port
    -getLocation           show at which switch port the MAC is found
    -getSwitchLocation     show SNMP location of specified switch
    -getMAC                show all MACs on the specified switch port
    -getType               show switch type
    -getUpLinks            show the upLinks of the specified switch
    -getVersion            show switch OS version
    -getVlan               show the VLAN on the specified switch port
    -getVlanType           show the VLAN type on the specified port
    -help                  brief help message
    -isolate               set the switch port to the isolation VLAN
    -man                   full documentation
    -reAssignVlan          re-assign a switch port VLAN
    -reevaluateAccess      reevaluate the current VLAN or firewall rules of a
                           given MAC
    -runSwitchMethod       run a particular method call on a given switch (FOR
                           ADVANCED PURPOSES)
    -setAlias              set the description of the specified switch port
    -setDefaultVlan        set the switch port to the default VLAN
    -setIfAdminStatus      set the admin status of the specified switch port
    -setVlan               set VLAN on the specified switch port
    -setVlanAllPort        set VLAN on all non-UpLink ports of the specified
                           switch

Options:
    -alias                 switch port description
    -ifAdminStatus         ifAdminStatus
    -ifIndex               switch port ifIndex
    -mac                   MAC address
    -showPF                show additional information available in PF
    -switch                switch description
    -verbose               log verbosity level
                               0 : fatal messages
                               1 : warn messages
                               2 : info messages
                               3 : debug
                               4 : trace
    -vlan                  VLAN id
    -vlanName              VLAN name (as in switches.conf)

Web Admin GUI
The Web Admin GUI, accessible using HTTPS on port 1443, shows the same information available
using pfcmd.

Appendix B. Manual FreeRADIUS 2 configuration

Since we provide a working RPM package that contains pre-built RADIUS configuration files, those
files don't need to be modified by hand anymore. However, consider this section as a reference.

Configuration
In /usr/local/pf/raddb/sites-enabled/default
Make sure the authorize {}, authenticate {} and post-auth {} sections look like this:
authorize {
        preprocess
        eap {
                ok = return
        }
        files
        expiration
        logintime
        perl
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
post-auth {
        perl
}

In /usr/local/pf/raddb/sites-enabled/inner-tunnel
Make sure the authorize {}, authenticate {} and post-auth {} sections look like this:
authorize {
        preprocess
        eap {
                ok = return
        }
        files
        expiration
        logintime
}
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
post-auth {
        perl
}

In /usr/local/pf/raddb/users
Add the following line, which defines that non-EAP requests (such as MAC authentication) should,
by default, lead to an Access-Accept. Keep in mind what this means: FreeRADIUS itself checks no
credential for those requests, so the actual access decision (which VLAN, if any) rests entirely on the
PacketFence perl module called from the authorize {} and post-auth {} sections above.
DEFAULT EAP-Message !* "", Auth-Type := Accept
Comment or delete all other statements.

Optional: Wired or Wireless 802.1X configuration
Generate cryptographic material for the EAP tunnel (802.1X) to work. Run as root:
cd /usr/local/pf/raddb/certs
make

In /usr/local/pf/conf/radiusd/eap.conf
Make sure this file looks like:

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_file = /usr/local/pf/conf/ssl/server.key
                certificate_file = /usr/local/pf/conf/ssl/server.crt
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
                cache {
                        enable = no
                        lifetime = 24 # hours
                        max_entries = 255
                }
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}
