
Administration Guide

for PacketFence version 6.2.1

Administration Guide
by Inverse Inc.

Version 6.2.1 - Jul 2016
Copyright 2016 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Table of Contents
About this Guide ..... 1
    Other sources of information ..... 1
Introduction ..... 2
    Features ..... 2
    Network Integration ..... 5
    Components ..... 5
System Requirements ..... 7
    Assumptions ..... 7
    Minimum Hardware Requirements ..... 7
    Operating System Requirements ..... 7
Installation ..... 9
    OS Installation ..... 9
    Software Download ..... 10
    Software Installation ..... 10
Get off on the right foot ..... 12
Technical introduction to Inline enforcement ..... 13
    Introduction ..... 13
    Device configuration ..... 13
    Access control ..... 13
    Limitations ..... 14
Technical introduction to Out-of-band enforcement ..... 15
    Introduction ..... 15
    VLAN assignment techniques ..... 15
    More on SNMP traps VLAN isolation ..... 17
Technical introduction to Hybrid enforcement ..... 20
    Introduction ..... 20
    Device configuration ..... 20
Configuration ..... 21
    Roles Management ..... 21
    Authentication ..... 22
    External API authentication ..... 24
    SAML authentication ..... 25
    Network Devices Definition (switches.conf) ..... 27
    Portal Profiles ..... 31
    FreeRADIUS Configuration ..... 32
    Portal Modules ..... 43
Debugging ..... 52
    Log files ..... 52
    RADIUS Debugging ..... 52
More on VoIP Integration ..... 54
    CDP and LLDP are your friend ..... 54
    VoIP and VLAN assignment techniques ..... 54
    What if CDP/LLDP feature is missing ..... 55
Advanced topics ..... 56
    Apple and Android Wireless Provisioning ..... 56
    Billing Engine ..... 57
    Devices Registration ..... 69
    Eduroam ..... 70
    Fingerbank integration ..... 74
    Floating Network Devices ..... 75
    OAuth2 Authentication ..... 77
    Passthrough ..... 79
    Production DHCP access ..... 80
    Proxy Interception ..... 81
    Routed Networks ..... 82
    Statement of Health (SoH) ..... 85
    VLAN Filter Definition ..... 86
    RADIUS Filter Definition ..... 88
    DNS enforcement ..... 90
    Parked devices ..... 90
Optional components ..... 92
    Blocking malicious activities with violations ..... 92
    Compliance Checks ..... 100
    RADIUS Accounting ..... 105
    Oinkmaster ..... 106
    Guests Management ..... 107
    Active Directory Integration ..... 110
    DHCP remote sensor ..... 115
    Switch login access ..... 117
Operating System Best Practices ..... 118
    IPTables ..... 118
    Log Rotations ..... 118
Performance optimization ..... 119
    SNMP Traps Limit ..... 119
    MySQL optimizations ..... 119
    Captive Portal Optimizations ..... 122
    Dashboard Optimizations (statistics collection) ..... 123
Additional Information ..... 125
Commercial Support and Contact Information ..... 126
GNU Free Documentation License ..... 127
A. Administration Tools ..... 128
    pfcmd ..... 128
    pfcmd_vlan ..... 129


Chapter 1

About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information
The following documents are included in the package and release tarballs.

Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration.
Developers Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
CREDITS: This is, at least, a partial file of PacketFence contributors.
NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.
UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.
ChangeLog: Covers all changes to the source code.


Chapter 2

Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.

Features
Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (WebAuth Enforcement): PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components
PacketFence requires various components to work such as a Web server, a database server, and a RADIUS server. It interacts with external tools to extend its functionalities.


Chapter 3

System Requirements

Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

Database server (MySQL or MariaDB)
Web server (Apache)
DHCP server (ISC DHCP)
RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:
NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:

Intel or AMD CPU 3 GHz
8 GB of RAM
100 GB of disk space (RAID-1 recommended)
1 Network card (2 recommended)

Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architecture:

Red Hat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up
PacketFence takes care of handling the operation of the following services:

Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!


Chapter 4

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation
Install your distribution with minimal installation and no additional packages. Then:

Disable Firewall
Disable SELinux
Disable AppArmor
Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems
Note
Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.


RHEL 6.x
Note
These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian
All the PacketFence dependencies are available through the official repositories.

Software Download
PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
easy installation
everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade

Software Installation
RHEL/CentOS
In order to use the PacketFence repository:
# yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:


yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://@ip_of_packetfence:1443/configurator

Debian
For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Chapter 5

Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
Inline
Out-of-band
Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Chapter 6

Technical introduction to Inline enforcement

Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is "talking" on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of.
Everyone behind an inline interface is on the same Layer 2 LAN
Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than B
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Chapter 7

Technical introduction to Out-of-band enforcement

Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows/Mac OS X/Linux for authentication against AD).

In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence go to 8
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address go to 4. If it does go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated" role (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server)
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) on which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.)
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence, which creates a user + device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated" role, or in the "normal" VLAN
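Step 4 above, like the wired 802.1X/MAC authentication section before it, moves a device into a VLAN by returning RFC 2868 tunnel attributes in the RADIUS Access-Accept. The following is an added example, not PacketFence or FreeRADIUS code: it builds such an Access-Accept with the RFC 2865 Response Authenticator, then does what a switch or controller should do with it (verify the authenticator before acting, and extract the VLAN only from a complete, consistently tagged attribute set). The shared secret, identifier and request authenticator are constructed values.

```python
"""Added example: RADIUS Access-Accept carrying RFC 2868 VLAN attributes,
built on the server side and verified/parsed on the NAS side.
Secret, identifier and request authenticator are constructed test values."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
# RFC 2868 attribute types and the values that mean "place this port in a VLAN"
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # the VLAN id, carried as a string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _avp(attr_type, value):
    """One attribute-value pair: type, length (header bytes included), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, number):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + number.to_bytes(3, "big")


def build_vlan_accept(identifier, request_authenticator, secret, vlan_id, tag=1):
    """Access-Accept telling the NAS to put the device in vlan_id.
    All three tunnel attributes share one tag so the NAS groups them together."""
    attrs = (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii"))
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 Response Authenticator = MD5(Code + ID + Length + RequestAuth
    # + Attributes + Secret): binds this reply to one request and the shared secret.
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """NAS-side check. A reply that fails it must be discarded, otherwise any
    host able to inject UDP toward the NAS could hand out VLAN assignments."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(packet):
    """Return [(type, value), ...]; refuse lengths that would run past the buffer."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def vlan_from_accept(packet):
    """Extract the VLAN the way a switch does: group tunnel attributes by tag
    and accept only a complete VLAN/802 set. Returns None when there is none."""
    groups = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type not in VLAN_ATTRS or not value:
            continue
        tag, body = value[0], value[1:]
        # RFC 2868: a leading byte above 0x1F is not a tag but part of the string
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and tag > 0x1F:
            tag, body = 0, value
        groups.setdefault(tag, {})[attr_type] = body
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            try:
                return int(attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
            except ValueError:
                return None
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a deployment value
    req_auth = os.urandom(16)               # the NAS sends this in its Access-Request
    reply = build_vlan_accept(7, req_auth, secret, vlan_id=20)
    print("authenticator ok:", verify_response_authenticator(reply, req_auth, secret))
    print("assigned VLAN:", vlan_from_accept(reply))
    # one byte altered in transit: the VLAN still parses, but the check fails
    tampered = reply[:-1] + b"1"
    print("tampered ok:", verify_response_authenticator(tampered, req_auth, secret))
```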

WebAuth mode
Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP
Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (it didn't detect that the link was down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)
This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be
nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes
some time before the switch learns the MAC address of the newly connected device, PacketFence
immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests
(with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical
SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address
is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and
puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown
trap to PacketFence which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and
every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has
to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan.
In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it
receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most
scalable option. For example, in case of power failure, if hundreds of computers boot at the same
time, PacketFence would receive a lot of traps almost instantly and this could result in network
connection latency.

MAC notification traps
If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you
activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after
a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it
receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to
put the port in the MAC detection VLAN and can then free the thread. When the switch learns the
MAC address of the device it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the
switch port and allows only that MAC address to communicate on that port. If any other MAC
address tries to communicate through the port, port security will not allow it and will send a
port-security trap.
If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown
and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and
is the only one connected, the switch will send no trap whether the device reboots, plugs in or
unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should not enable linkUp/linkDown nor MAC notification
traps.
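The three trap strategies above differ in what the daemon has to do per trap: poll the switch after a linkUp, cancel that work on a linkDown, or jump straight to the VLAN decision when the trap already carries the MAC. The following is an added example (not PacketFence's pfsetvlan code) that models those decisions; the VLAN numbers, the node table and the trap records are constructed for the illustration, and the real daemon reads traps from snmptrapd.log rather than from objects like these.

```python
"""Toy model of a trap-driven VLAN assignment daemon (added example, not
PacketFence code). VLAN plan, node table and traps are constructed."""
from dataclasses import dataclass, field

# Constructed VLAN plan: registration, isolation, MAC detection and "normal".
VLANS = {"registration": 2, "isolation": 3, "macdetection": 4, "normal": 10}

# Constructed node table keyed by lowercase MAC: registration state and open violations.
NODES = {
    "00:11:22:33:44:55": {"registered": True, "violations": 0},
    "aa:bb:cc:dd:ee:ff": {"registered": True, "violations": 1},
    "12:34:56:78:9a:bc": {"registered": False, "violations": 0},
}


@dataclass
class Trap:
    kind: str          # "linkUp", "linkDown", "macLearnt" or "portSecurity"
    switch: str
    port: int
    mac: str = ""      # only carried by macLearnt / portSecurity traps


@dataclass
class Daemon:
    vlan_by_port: dict = field(default_factory=dict)   # (switch, port) -> current VLAN
    pending: set = field(default_factory=set)          # ports still polled for a MAC
    snmp_writes: int = 0                               # VLAN changes actually pushed
    log: list = field(default_factory=list)

    def vlan_for_mac(self, mac):
        """existing? registered? any violations? -> VLAN, as described above."""
        node = NODES.get(mac.lower())
        if node is None or not node["registered"]:
            return VLANS["registration"]
        if node["violations"]:
            return VLANS["isolation"]
        return VLANS["normal"]

    def set_vlan(self, switch, port, vlan):
        # Only count a write when the port actually changes VLAN.
        if self.vlan_by_port.get((switch, port)) != vlan:
            self.vlan_by_port[(switch, port)] = vlan
            self.snmp_writes += 1

    def handle(self, trap):
        """Process one trap and return the VLAN the port ends up in."""
        key = (trap.switch, trap.port)
        if trap.kind == "linkUp":
            # Park the port in the MAC detection VLAN; a worker would now poll the switch.
            self.set_vlan(trap.switch, trap.port, VLANS["macdetection"])
            self.pending.add(key)
        elif trap.kind == "linkDown":
            # Cancel the poller for that port (the optimisation described above).
            self.pending.discard(key)
            self.set_vlan(trap.switch, trap.port, VLANS["macdetection"])
        elif trap.kind in ("macLearnt", "portSecurity"):
            # The trap carries the MAC, so no polling is needed at all.
            self.pending.discard(key)
            self.set_vlan(trap.switch, trap.port, self.vlan_for_mac(trap.mac))
        else:
            self.log.append(f"ignored unknown trap {trap.kind} on {trap.switch}/{trap.port}")
        return self.vlan_by_port.get(key)
```

Running a boot sequence through the model (linkUp, linkDown, then a MAC-bearing trap) shows why port-security traps are cheapest: the daemon never polls and writes a VLAN only once the MAC is known.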


Chapter 8

Technical introduction to Hybrid
enforcement

Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline
enforcement mode. Now with the new hybrid mode, all the devices that support 802.1X or MAC
authentication can work with this mode. Let's see how it works.

Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es)/
access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also
need to take care of a specific parameter in the switch configuration window, "Trigger to enable
inline mode". This parameter is working like a trigger and you have the possibility to define different
sorts of triggers:
ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT
specifies the ifIndex of the port which will use inline enforcement, MAC a MAC
address that will be put in inline enforcement technique rather than VLAN
enforcement and SSID an SSID name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode
(PacketFence will return a void VLAN or the inline VLAN if defined in switch configuration) and the
MAC address 00:11:22:33:44:55 client if it connects on another SSID.
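As an added example (not PacketFence code), here is a parser for the trigger string above together with the decision it drives: each comma-separated TYPE::value item is one condition and the conditions are ORed, which is what the example sentence describes (guests on the GuestAccess SSID, plus one MAC wherever it connects). The connection fields passed to is_inline are an assumption about how such a check would be called.

```python
"""Parse a "Trigger to enable inline mode" string and evaluate it against a
connection (added example, not PacketFence code)."""

VALID_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def parse_inline_trigger(trigger):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [('SSID', 'GuestAccess'), ('MAC', ...)].
    ALWAYS carries no value. An unknown type raises so that a typo in the
    configuration is not silently read as "never inline"."""
    rules = []
    for item in trigger.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition("::")
        kind = kind.strip().upper()
        if kind not in VALID_TYPES:
            raise ValueError(f"unknown inline trigger type: {kind!r}")
        value = value.strip()
        if kind == "MAC":
            value = value.lower()       # MACs compare case-insensitively
        rules.append((kind, value))
    return rules


def is_inline(trigger, ssid=None, mac=None, ifindex=None):
    """True when any trigger condition matches the connection (conditions are ORed).
    ssid/mac/ifindex describe the connection; a missing field never matches."""
    for kind, value in parse_inline_trigger(trigger):
        if kind == "ALWAYS":
            return True
        if kind == "SSID" and ssid is not None and value == ssid:
            return True
        if kind == "MAC" and mac is not None and value == mac.lower():
            return True
        if kind == "PORT" and ifindex is not None and value == str(ifindex):
            return True
    return False
```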


Chapter 9

Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen
the right enforcement method for you and completed the initial configuration of PacketFence. The
following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational
management. If you went through PacketFence's web-based configuration tool, you should have
set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://
@ip_of_packetfence:1443/
The next key steps are important to understand how PacketFence works. In order to get the solution
working, you must first understand and configure the following aspects of the solution in this
specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role.
You must define the roles to use in your organization for network access
2. authentication - once roles are defined, you must create an appropriate authentication source in
PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint,
or the user using it
3. network devices - once your roles and authentication sources are defined, you must add
switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will
configure how roles are being mapped to VLAN, ACLs or external roles
4. portal profiles - at this point, you are almost ready to test. You will need to set which
authentication sources are to be used on the default captive portal, or create another one to
suit your needs
5. test!

Note
If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.

Roles Management
Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration
→ Users → Roles section. From this interface, you can also limit the number of devices users
belonging to certain roles can register.

Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and
actions) from authentication sources, using a first-match wins algorithm. Roles are then matched
to VLAN or internal roles or ACL on equipment from the Configuration → Network → Switches
module.

Authentication
PacketFence can authenticate users that register devices via the captive portal using various
methods. Among the supported methods, there are:
Active Directory
Apache htpasswd file
Email
External HTTP API
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth2)
Windows Live (OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database.
Authentication sources can be created from PacketFence administrative GUI - from the
Configuration → Users → Sources section. Alternatively (but not recommended), authentication
sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that
they can be reordered from the GUI by dragging them around). Each source can have multiple
rules, which will also be tested in the order specified. Rules can also be reordered, just like sources.
Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or
more), actions are then applied and rule testing stops, across all sources, as this is a "first match wins"
operation.
When no condition is defined, the rule will be considered as a catch-all. When a catch-all is defined,
all actions will be applied for any users that match in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile
has a list of authentication sources to use.

Example
Let's say we have two roles: guest and employee. First, we define them in Configuration → Users
→ Roles.
Now, we want to authenticate employees using Active Directory (over LDAP), and guests using
PacketFence's internal database - both using PacketFence's captive portal. From Configuration
→ Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role employee
Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that
actually matches in the source (using the sAMAccountName) will have the employee role and an
unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts
must be provisioned manually. You can do so from the Users → Create section. When creating
guests, specify "guest" for the Set role action, and set an access duration for 1 day.
If you would like to differentiate user authentication and machine authentication using Active
Directory, one way to do it is by creating a second authentication source, for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule:

Name: *machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role machineauth
Set unregistration date January 1st, 2020

Note
When a rule is defined as a catch-all, it will always match if the username attribute
matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd
file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.

Note
If you want to use other LDAP attributes in your authentication source, add them in
Configuration → Advanced → Custom LDAP attributes. They will then be available in the
rules you define.
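The source → rule → condition → action evaluation described in the Authentication section, and the catch-all behaviour stated in the first note above, can be modelled in a few lines. The following is an added example (not PacketFence code): the directory contents are constructed, the ad1 source mirrors the example above with one extra "it-staff" rule placed before the catch-all to show rule ordering, and a RADIUS source is included to show the "true catch-all" case from the note.

```python
"""Model of PacketFence-style source/rule/condition/action evaluation with
"first match wins" (added example, not PacketFence code). Directory
contents and source definitions below are constructed."""

# Constructed directory content: what an AD/LDAP lookup by username would return.
AD_USERS = {
    "alice": {"sAMAccountName": "alice", "memberOf": "CN=IT,CN=Users,DC=acme,DC=local"},
    "bob": {"sAMAccountName": "bob", "memberOf": "CN=Sales,CN=Users,DC=acme,DC=local"},
}
SQL_GUESTS = {"guest1": {"username": "guest1"}}

# Per the note: AD/LDAP/htpasswd/SQL sources only match users they know;
# RADIUS and Kerberos accept any username the backend authenticated.
TRUE_CATCH_ALL_KINDS = {"RADIUS", "Kerberos"}


class Source:
    def __init__(self, name, kind, rules, users=None):
        self.name, self.kind, self.rules = name, kind, rules
        self.users = users or {}

    def lookup(self, username):
        """Attributes for the user, or None when this source does not know it."""
        if self.kind in TRUE_CATCH_ALL_KINDS:
            return {"username": username}
        return self.users.get(username)


def rule_matches(rule, attrs):
    """A rule with no conditions is a catch-all; otherwise every condition must hold."""
    return all(attrs.get(attr) == value for attr, value in rule.get("conditions", []))


def compute_actions(sources, username):
    """Walk sources in order, then each source's rules in order; the first
    matching rule's actions are returned and evaluation stops everywhere."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue                      # unknown in this source, try the next one
        for rule in source.rules:
            if rule_matches(rule, attrs):
                result = dict(rule["actions"])
                result["matched"] = f"{source.name}/{rule['name']}"
                return result
    return None                           # no source matched: no role is assigned


# The ad1 source of the example, plus a constructed it-staff rule ahead of the catch-all.
AD1 = Source("ad1", "AD", users=AD_USERS, rules=[
    {"name": "it-staff",
     "conditions": [("memberOf", "CN=IT,CN=Users,DC=acme,DC=local")],
     "actions": {"role": "it", "unregdate": "2020-01-01"}},
    {"name": "employees", "conditions": [],
     "actions": {"role": "employee", "unregdate": "2020-01-01"}},
])
LOCAL = Source("local", "SQL", users=SQL_GUESTS, rules=[
    {"name": "guests", "conditions": [],
     "actions": {"role": "guest", "access_duration": "1D"}},
])
RADIUS_SRC = Source("radius1", "RADIUS", rules=[
    {"name": "anyone", "conditions": [], "actions": {"role": "default"}},
])
```

Because ad1 is listed first, an employee is never evaluated against the guest source, and an unknown username falls through every directory source; only when a RADIUS or Kerberos source is appended does such a user get the catch-all actions.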

External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external
API needs to implement an authentication action and an authorization action.

Authentication
This should provide the information about whether or not the username/password combination
is valid
This information is available through the POST fields of the request
The server should reply with two attributes in a JSON response
result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}


Authorization
This should provide the actions to apply on a user based on its attributes
The following attributes are available for the reply: access_duration, access_level, sponsor,
unregdate, category.
Sample JSON response; note that not all attributes are necessary, only send back what you need.
{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note
See /usr/local/pf/addons/example_external_auth for an example implementation
compatible with PacketFence.

PacketFence configuration
In PacketFence, you need to configure an HTTP source in order to use an external API.
Here is a brief description of the fields:
Host: First, the protocol, then the IP address or hostname of the API and lastly the port to
connect to the API.
API username and password: If your API implements HTTP basic authentication (RFC 2617) you
can add them in these fields. Leaving any of those two fields empty will make PacketFence do
the requests without any authentication.
Authentication URL: URL relative to the host to call when doing the authentication of a user.
Note that it is automatically prefixed by a slash.
Authorization URL: URL relative to the host to call when doing the authorization of a user. Note
that it is automatically prefixed by a slash.
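An added example (not the addons/example_external_auth implementation shipped with PacketFence) of an external API that implements both actions with the JSON contract above and checks HTTP Basic credentials as the "API username and password" fields imply. Assumptions, since the text does not spell them out: the POST body is form-encoded, the fields are named username and password, the two URLs are /auth and /authorize (which you would enter as "auth" and "authorize" in the HTTP source, given the automatic leading slash), and the user table, salt and API credentials are constructed.

```python
"""Minimal external authentication/authorization API for a PacketFence HTTP
source (added example, not PacketFence code). User table and credentials
are constructed; field and route names are assumptions."""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

SALT = b"constructed-salt"          # one shared salt keeps the example short; use per-user salts in practice


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed user table: credential hash plus the authorization attributes to return.
USERS = {
    "alice": {"hash": _hash("correct horse"), "access_duration": "1D", "category": "employee"},
    "bob": {"hash": _hash("battery staple"), "access_duration": "12h", "category": "guest", "sponsor": 1},
}
# Only these keys are meaningful in an authorization reply (from the text above).
ALLOWED_REPLY_ATTRS = {"access_duration", "access_level", "sponsor", "unregdate", "category"}
API_USER, API_PASSWORD = "pf", "api-secret"          # constructed HTTP Basic credentials


def authenticate(fields):
    """Authentication action: {"result": 1|0, "message": ...}."""
    user = USERS.get(fields.get("username", ""))
    candidate = _hash(fields.get("password", ""))      # always hash, so timing does not leak existence
    if user is not None and hmac.compare_digest(candidate, user["hash"]):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields):
    """Authorization action: send back only the attributes we need, nothing else."""
    user = USERS.get(fields.get("username", ""))
    if user is None:
        return {}
    return {k: v for k, v in user.items() if k in ALLOWED_REPLY_ATTRS}


def basic_auth_header(user, password):
    """Build the Authorization header value a client such as PacketFence would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header):
    """Constant-time check of an HTTP Basic Authorization header (RFC 2617)."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return (hmac.compare_digest(user.encode(), API_USER.encode())
            and hmac.compare_digest(password.encode(), API_PASSWORD.encode()))


class Handler(BaseHTTPRequestHandler):
    ROUTES = {"/auth": authenticate, "/authorize": authorize}

    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="packetfence"')
            self.end_headers()
            return
        action = self.ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        fields = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        data = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Put the API behind TLS in a real deployment, since the Host field lets you choose https and the credentials travel in every request.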

SAML authentication
PacketFence supports SAML authentication in the captive portal in combination with another
internal source to define the level of authorization of the user.
First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be
under the path /usr/local/pf/conf/idp-metadata.xml.
Then, transfer the certificate and CA certificate of the Identity provider on the server. In this
example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/
conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in
the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new
Internal source of the type SAML and configure it.

Where:
Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this
matches your Identity Provider configuration.
Path to Service Provider key is the path to the key that will be used by PacketFence to sign its
messages to the Identity Provider. A default one is provided under the path: /usr/local/pf/
conf/ssl/server.key
Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed
one is provided under the path: /usr/local/pf/conf/ssl/server.key
Path to Identity Provider metadata is the path to the metadata file you transferred above (should
be in /usr/local/pf/conf/idp-metadata.xml)
Path to Identity Provider cert is the path to the certificate of the identity provider you transferred
on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
Path to Identity Provider CA cert is the path to the CA certificate of the identity provider
you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the
certificate above is self-signed, put the same path as above in this field.
Attribute of the username in the SAML response is the attribute that contains the username
in the SAML assertion returned by your Identity Provider. The default should fit at least
SimpleSAMLphp.
Authorization source is the source that will be used to match the username against the rules
defined in it. This allows to set the role and access duration of the user. The Authentication section
of this document contains explanations on how to configure an LDAP source which can then
be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata
for PacketFence using the link Download Service Provider metadata on the page.
Configure your identity provider according to the generated metadata to complete the Trust
between PacketFence and your Identity Provider.
In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:
$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note
PacketFence does not support logoff on the SAML Identity Provider. You can still define
the URL in the metadata but it will not be used.

Passthroughs
In order for your users to be able to access the Identity Provider login page, you will need to activate
passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider
domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure
net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can
skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and
configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify
the configuration directly in the switches.conf file or you can do it from the Web Administration
panel under Configuration → Network → Switches - which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:
Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)
and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note
switches.conf is loaded at startup. A reload is required when changes are manually
made to this file: /usr/local/pf/bin/pfcmd configreload.
Working modes
There are three different working modes for a switch in PacketFence:
Testing
pfsetvlan writes in the log files what it would normally do, but it
doesn't do anything.
Registration
pfsetvlan automatically registers all MAC addresses seen on the
switch ports. As in testing mode, no VLAN changes are done.
Production
pfsetvlan sends the SNMP writes to change the VLAN on the
switch ports.

RADIUS
To set the RADIUS secret, set it from the Web administrative interface when adding a switch.
Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following
parameter:
radiusSecret = secretPassPhrase
Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change
of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3
PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP
v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence
and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS.
However, even if RADIUS is being used, some switches might also require SNMP to be configured
to work properly with PacketFence.

From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration
Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco
Switch.
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH
Warning
Privilege detection is disabled in the current PacketFence version due to some issues
(see #1370). So make sure that the cliUser and cliPwd you provide always get you
into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This
can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file
(/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch.
In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the
following parameters:
wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd
It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user.
The idea is that these rules can be a lot more accurate to control what a user can or cannot do
compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices for switches and WiFi controllers that support
it. The current role assignment strategy is to assign it along with the VLAN (that may change in
the future). A special internal role to external role assignment must be configured in the switch
configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:
Format: <rolename>Role=<controller_role>
And you assign it to the global roles parameter or the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role
little-access to nodes categorized as sales. It can also be done through the Web Administration
Interface under Configuration → Switches.
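As an added example (not PacketFence code), the lookup behind the <rolename>Role=<controller_role> mapping, with the per-switch section consulted before the global [default] section as the text describes. The switches.conf content is constructed and carries only the keys needed here; the precedence of a per-switch value over the default one is how the text presents the two parameters and is an assumption as far as the exact implementation goes.

```python
"""Resolve a node's controller role from <rolename>Role entries in a
switches.conf-style file (added example, not PacketFence code). The file
content is constructed."""
import configparser

SWITCHES_CONF = """\
[default]
adminRole=full-access
engineeringRole=full-access
salesRole=little-access

[192.168.1.10]
# constructed: this switch gives engineering a narrower role than the global one
engineeringRole=eng-access
"""


def load_switches_conf(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep the case of keys such as adminRole
    parser.read_string(text)
    return parser


def controller_role(parser, switch_id, node_role):
    """Per-switch mapping wins over the global one; None when neither exists."""
    key = f"{node_role}Role"
    for section in (switch_id, "default"):
        if parser.has_section(section) and parser.has_option(section, key):
            value = parser.get(section, key).strip()
            if value:
                return value
    return None


def role_table(parser, switch_id):
    """Every internal role -> controller role a given switch would effectively use."""
    roles = set()
    for section in ("default", switch_id):
        if parser.has_section(section):
            roles.update(k[:-len("Role")] for k in parser.options(section) if k.endswith("Role"))
    return {role: controller_role(parser, switch_id, role) for role in sorted(roles)}
```

A None result is the case the Caution below is about: a node role with no mapping on a device is a configuration gap to fix, not something to leave for the switch to interpret.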

Copyright2016Inverseinc.

Configuration

30

Chapter9

Caution
Make sure that the roles are properly defined on the network devices prior to assigning
roles!

Portal Profiles
PacketFence comes with a default portal profile. The following parameters are important to configure
no matter if you use the default portal profile or create a new one:
Redirect URL under Configuration → Portal Profile → Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the
user originally intended to visit. For these browsers, the URL defined in redirecturl will be the
one where the user will be redirected. Affected browsers are Firefox 3 and later.
IP under Configuration → Captive portal
This IP is used as the web server who hosts the common/network-access-detection.gif which
is used to detect if network access was enabled. It cannot be a domain name since it is used in
registration or quarantine where DNS is black-holed. It is recommended that you allow your users
to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this
reach PacketFence's website as an easier and more accessible solution.
In some cases, you may want to present a different captive portal (see below for the available
customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects
to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.
When configured, portal profiles will override default values for which it is configured. When no
values are configured in the profile, PacketFence will take its default ones (according to the "default"
portal profile).
Here are the different configuration parameters that can be set for each portal profile. The only
mandatory parameter is "filter", otherwise PacketFence won't be able to correctly apply the portal
profile. The parameters must be set in conf/profiles.conf:
[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use
Portal profiles should be managed from PacketFence's Web administrative GUI - from the
Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly
copy templates over - which can then be modified as you wish.
Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID,
Switch, Switch Port, URI, VLAN and Time period.

Copyright2016Inverseinc.

Configuration

31

Chapter9
Example with the most common ones:
SSID: Guest-SSID
VLAN: 100
Switch Port: <SwitchId>-<Port>
Network: Network in CIDR format or an IP address

Caution
Node role will take effect only with an 802.1X connection or if you use VLAN filters.
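The four filter types in the example above can be evaluated against a connection with a small matcher. The following is an added example (not PacketFence code): the profile list and connection records are constructed, and the choice of the first profile in list order whose filter matches, with "default" as the fallback, is an assumption about ordering rather than something the text states.

```python
"""Match the common portal profile filters (SSID, VLAN, Switch Port, Network)
against a connection and select a profile (added example, not PacketFence
code). Profiles and connections below are constructed."""
import ipaddress


def filter_matches(filter_type, value, conn):
    """conn carries the connection facts: ssid, vlan, switch, port, ip (any may be absent)."""
    kind = filter_type.replace(" ", "").lower()
    if kind == "ssid":
        return conn.get("ssid") == value
    if kind == "vlan":
        return conn.get("vlan") is not None and str(conn["vlan"]) == str(value)
    if kind == "switchport":
        # <SwitchId>-<Port>; the switch id is an IP or MAC, so split on the first dash
        switch, sep, port = value.partition("-")
        return (sep == "-" and conn.get("switch") == switch
                and conn.get("port") is not None and str(conn["port"]) == port)
    if kind == "network":
        # CIDR or a bare IP address (a bare address is a /32 or /128 network)
        if not conn.get("ip"):
            return False
        return ipaddress.ip_address(conn["ip"]) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported filter type: {filter_type!r}")


# Constructed profiles, each with one filter and its authentication sources.
PROFILES = [
    {"name": "guests", "filter": ("SSID", "Guest-SSID"), "sources": ["sms", "email"]},
    {"name": "lab", "filter": ("Switch Port", "192.168.1.10-10001"), "sources": ["ad1"]},
    {"name": "byod", "filter": ("VLAN", "100"), "sources": ["ad1"]},
    {"name": "branch", "filter": ("Network", "10.20.0.0/16"), "sources": ["ad1"]},
]


def select_profile(profiles, conn):
    """First profile (in list order) whose filter matches; "default" otherwise."""
    for profile in profiles:
        filter_type, value = profile["filter"]
        if filter_matches(filter_type, value, conn):
            return profile["name"]
    return "default"
```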
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web
services. The PacketFence Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.
In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices,
httpd.aaa.
httpd.admin is used to manage PacketFence admin interface
httpd.portal is used to manage PacketFence captive portal interface
httpd.webservices is used to manage PacketFence web services interface
httpd.aaa is used to manage incoming RADIUS requests
These files have been written using the Perl language and are completely dynamic - so they activate
services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify
these files based on your configuration. SSL is enabled by default to secure access.
Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl
(server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or
existing wildcard certificate without problems. Please note that the CN (Common Name) needs to
be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server
is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise
(Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to
authenticate the users and the devices, and then to push the proper roles or VLAN attributes to
the network equipment.

Copyright2016Inverseinc.

Configuration

32

Chapter9

Option 1: Authentication against Active Directory (AD)
Caution
If you are using an Active/Active or Active/Passive cluster, please follow the
instructions under Option 1b since the instructions below do not currently work in a
cluster.
In order to have domain authentication working properly, you need to enable IP forwarding on your
server. To do it permanently, look in /etc/sysctl.conf, and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Now execute sysctl -p to apply the configuration
Next, go in the Administration interface under Configuration → Domains.

Note
If you can't access this section and you have previously configured your server to bind
to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/
migrate.pl
Click Add Domain and fill in the information about your domain.

Copyright2016Inverseinc.

Configuration

33

Chapter9

Where:
Identifier is a unique identifier for your domain. Its purpose is only visual.
Workgroup is the workgroup of your domain in the old syntax (like NT4).
DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.
This server's name is the name that the server's account will have in your Active Directory.
DNS server is the IP address of the DNS server of this domain. Make sure that the server you
put there has the proper DNS entries for this domain.
Username is the username that will be used for binding to the server. This account must be a
domain administrator.
Password is the password for the username defined above.

Copyright2016Inverseinc.

Configuration

34

Chapter9

Troubleshooting
In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/
<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier
you set in the domain configuration.
You can validate the domain bind using the following command: chroot /chroots/<mydomain>
wbinfo -u
You can test the authentication process using the following command: chroot /chroots/
<mydomain> ntlm_auth --username=administrator

Note
Under certain conditions, the test join may show as unsuccessful in the Administration
interface but the authentication process will still work properly. Try the test above
before doing any additional troubleshooting

Default domain configuration
You should now define the domain you want to use as the default one by creating the following
realm in Configuration → Realms

Next, restart PacketFence in Status → Services

Multiple domains authentication
First configure your domains in Configuration → Domains.
Once they are configured, go in Configuration → Realms.

Copyright2016Inverseinc.

Configuration

35

Chapter9
Create a new realm that matches the DNS name of your domain AND one that matches your
workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:
Realm is either the DNS name (FQDN) of your domain or the workgroup
Realm options are any realm options that you want to add to the FreeRADIUS configuration
Domain is the domain which is associated to this realm
Now create the two other realms associated to your other domains.
You should now have the following realm configuration

Copyright2016Inverseinc.

Configuration

36

Chapter9

Option 1b: Authentication against Active Directory
(AD) in a cluster
Samba/Kerberos/Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:
yum install samba krb5-workstation
For Debian and Ubuntu, do:
apt-get install samba winbind krb5-user

Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0
(or greater).
When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your
Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the
DOMAIN.NET domain for CentOS/RHEL:

Copyright2016Inverseinc.

Configuration

37

Chapter9

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAIN.NET = {
kdc = adserver.domain.net:88
admin_server = adserver.domain.net:749
default_domain = domain.net
}
[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
For Debian and Ubuntu:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.NET
ticket_lifetime = 24h
forwardable = yes
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


[global]
workgroup = DOMAIN
server string = %h
security = ads
passdb backend = tdbsam
realm = DOMAIN.NET
encrypt passwords = yes
winbind use default domain = yes
client NTLMv2 auth = yes
preferred master = no
domain master = no
local master = no
load printers = no
log level = 1 winbind:5 auth:3
winbind max clients = 750
winbind max domain connections = 15
machine password timeout = 0
For Debian and Ubuntu:
[global]
workgroup = DOMAIN
server string = Samba Server Version %v
security = ads
realm = DOMAIN.NET
password server = 192.168.1.1
domain master = no
local master = no
preferred master = no
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/log.%m
max log size = 50
machine password timeout = 0
Issue a kinit and klist in order to get and verify the Kerberos token:
# kinit administrator
# klist
After that, you need to start samba, and join the machine to the domain:


# service smb start
# chkconfig --level 345 smb on
# net ads join -U administrator
Note that for Debian and Ubuntu you will probably have this error:
# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
# Join to domain is not valid: Invalid credentials
For CentOS/RHEL:
# usermod -a -G wbpriv pf
Finally, start winbind, and test the setup using ntlm_auth and radtest:
# service winbind start
# chkconfig --level 345 winbind on
For Debian and Ubuntu:
# usermod -a -G winbindd_priv pf
# ntlm_auth --username myDomainUser
# radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
User-Name = "myDomainUser"
NAS-IP-Address = 10.0.0.1
NAS-Port = 12
Message-Authenticator = 0x00000000000000000000000000000000
MS-CHAP-Challenge = 0x79d62c9da4e55104
MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication
Add your user entries at the end of the /usr/local/pf/raddb/users file with the following format:
username Cleartext-Password := "password"
The passwords in this file are stored in clear text, so keep the file readable only by the user radiusd runs as.

Option 3: EAP authentication against OpenLDAP
To authenticate 802.1X connections against OpenLDAP, define the LDAP connection in /usr/local/pf/raddb/modules/ldap and make sure that each user's password is stored either as an NT hash or in clear text. MS-CHAPv2, the inner method used here, can only be verified from one of these two forms; a salted hash such as SSHA cannot be used.

ldap openldap {
server = "ldap.acme.com"
identity = "uid=admin,dc=acme,dc=com"
password = "password"
basedn = "dc=district,dc=acme,dc=com"
filter = "(uid=%{mschap:User-Name})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}
Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add to the authorize section:
authorize {
suffix
ntdomain
eap {
ok = return
}
files
openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration
This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.
First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS) and activate Create local account on that source.
At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note
This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line # packetfence-local-auth and restart radiusd.
This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:
packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a guest registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfsponsor
            if (fail || notfound) {
                # *Don't* check activation table with phone number and PIN code
                # pfsms <--- This line was commented out
                if (fail || notfound) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}

Note
For this feature to work, the users' passwords must be stored in clear text in the database. This is configurable via advanced.hash_passwords. Keep in mind what this implies: every local account password then sits in clear text in the PacketFence database and in any backup of it.

Option 5: EAP Local user Authentication
The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and only local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.
In this example we activate the feature on a specific SSID name (Secure-local-Wireless): NTLM authentication is disabled, the local account is tested, and if that fails NTLM authentication is re-enabled.
#### Activate local user eap authentication based on a specific SSID ####
## Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == 'Secure-local-Wireless') {
    ## Disable ntlm_auth
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
    ## Check password table for local user
    pflocal
    if (fail || notfound) {
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
}

Caution
You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go to Configuration > Advanced and set Database passwords hashing method to plaintext. As with option 4, this leaves every local account password in clear text in the database, so protect database access and backups accordingly.

Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules
The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.

Note
When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:
- Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
- Choice: This allows you to give the user a choice between multiple modules. The default_registration_policy is a good example of a choice that is offered to the user.
- Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.
- Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.
- URL: This allows you to redirect the user to a local or external URL which can then come back to the portal to continue. An example is available below in Calling an external website.
- Authentication: The authentication modules can be of many types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
  - Billing: Allows you to define a module based on one or more billing sources.
  - Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.
  - Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, ...).
  - Other modules: The other modules are all based on the source type they are assigned to; they allow you to select the source, the AUP acceptance, and mandatory fields if applicable.

Examples
This section will contain the following examples:
- Prompting for fields without authentication.
- Prompting additional fields during the authentication.
- Chained authentication.
- Mixing login and Secure SSID on-boarding on the portal.
- Displaying a message to the user after the registration.

Creating a custom root module
First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go to Configuration > Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.
Next, head to Configuration > Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign My first root module, then save your profile.
If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.
You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication
In order to prompt for fields without authentication, you can use the Null source with the Null Portal Module.
PacketFence already comes with a Null source preconfigured. If you haven't modified or deleted it, you can use it for this example. Otherwise, go to Configuration > Sources and create a new Null source with a catch-all rule that assigns a role and access duration.
Then go to Configuration > Portal Modules, click Add Portal Module and select Authentication > Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication
If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.
You can also add additional mandatory fields to the default policies that are already configured.
This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.
Go to Configuration > Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.
Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note
Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook, ...).

Chained authentication
The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules in the desired sequence.
This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (GitHub, Google+, ...) and then validate his phone number using SMS registration.
For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.
Then, we will create a module that will contain the definition of our SMS registration.
Go to Configuration > Portal Modules, then click Add Portal Module and select Authentication > SMS. Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.
Then, add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal
This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password but also give the choice to configure the Secure SSID directly from the portal.
First, we need to configure the provisioners for the Secure SSID onboarding. Refer to the section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.
Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, the device is not allowed through.
Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.
Next, create a Provisioning portal module by going to Configuration > Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.
Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.
Displaying a message to the user after the registration
Using the Message module you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.
Go to Configuration > Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.
Then put the following in the Message field (the link needs an absolute URL including its scheme; a bare hostname would be resolved relative to the portal):
Hello World !
<a href="https://www.packetfence.org">Click here to access the PacketFence website!</a>
Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.

Calling an external website
Using the URL module, you can redirect the user to a local or external URL (as long as it is in the passthroughs). Then you can make it so the portal accepts a callback in order for the flow to continue.
In this example, the portal will redirect to an externally hosted PHP script that will give a random token to the user and then call back the portal to complete the registration process.
The example script is located in addons/example_external_auth/token.php and a README is available in that directory to set it up.
Once you have the script installed and working on the URL http://YOUR_PORTAL_HOSTNAME:10000/token.php, you can configure what you need on the PacketFence side.
Go to Configuration > Portal Modules, then click Add Portal Module and select URL. Set the Identifier to token_system, the Description to Token system and the URL to http://YOUR_PORTAL_HOSTNAME:10000/token.php.
Next, add default_registration_policy and token_system in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and then you will be redirected to the example token system. Clicking the continue link on that system will bring you back to the portal and complete the registration process.

Authentication Choice module (advanced)
The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.
All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.
You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.
In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note
You can find all the authentication objects in lib/pf/Authentication/Source.

- Sources by class: Allows you to specify the Perl class name of the sources you want available, e.g. pf::Authentication::Source::SMSSource will select all the SMS sources and pf::Authentication::Source::BillingSource will select all the billing sources (PayPal, Stripe, ...).
- Sources by type: Allows you to filter sources using the type attribute of the Authentication object.
- Sources by Auth Class: Allows you to filter sources using the class attribute of the Authentication object.
You can look at the default_guest_policy and default_oauth_policy for examples of this module.

Chapter 10
Debugging

Log files
Here are the most important PacketFence log files:
- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache AAA Error Log
There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.
For the authentication radius process:
# radiusd -X -d /usr/local/pf/raddb -n auth
For the accounting radius process:
# radiusd -X -d /usr/local/pf/raddb -n acct
Debug output prints the attributes of every request, which can include user names and credential material, so treat a saved debug log as sensitive.
Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.
In order to have an output from raddebug, you need to either:
a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure!)
Now you can run raddebug easily:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
The above will output FreeRADIUS' authentication debug logs for 5 minutes.
Use the following to debug radius accounting:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock
See man raddebug for all the options.

Chapter 11
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friends
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its Ethernet frames using the configured voice VLAN on the switch port.
On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.
Note that the switch takes the phone's word for it: any device that can speak CDP or LLDP-MED and tag its own frames can place itself on the voice VLAN, so the voice VLAN should not be treated as more trusted than the data VLAN.

VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its Ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 MAC address authorized on the voice VLAN, and 1 on the access VLAN.

Note
Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X
Cisco hardware
On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain, and one device on the DATA domain. The domain assignment is done using Cisco Vendor-Specific Attributes (VSA). When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its Ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch, that will be the untagged VLAN.

Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the "DHCP way" of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot, and tag its Ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Chapter 12
Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preferences and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface, go to Configuration > Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.and

Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it.
To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking configure will create the secure SSID profile. It is that simple.
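As an added example, not PacketFence's own provisioner code, here is how such a profile is assembled with Python's plistlib: a com.apple.wifi.managed payload for a hidden WPA2-Enterprise SSID using PEAP, with the user name pre-filled and, as the text says, no password. The SSID, the identifier prefix org.example and the RADIUS server name are assumptions. The TLSTrustedServerNames setting is the piece a practitioner should not leave out: an unpinned PEAP profile will complete the handshake with any access point broadcasting the same SSID and hand it the MS-CHAPv2 exchange.

```python
import plistlib
import uuid

PEAP = 25  # IANA EAP method type number for PEAP


def build_wifi_profile(ssid, username, trusted_server_names,
                       org_id="org.example", hidden=True):
    """Return a .mobileconfig (XML plist) for a WPA2-Enterprise SSID using PEAP.

    The user name is pre-filled; UserPassword is deliberately absent so the
    device prompts for it on first join and the profile carries no secret."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP],
            "UserName": username,
            # Pin the expected RADIUS server name (assumed value supplied by the
            # caller); without it the device trusts any server with a valid cert.
            "TLSTrustedServerNames": list(trusted_server_names),
            "TLSAllowTrustExceptions": False,
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} wireless profile",
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def profile_summary(blob: bytes) -> dict:
    """Parse a profile back and report the properties worth reviewing."""
    top = plistlib.loads(blob)
    wifi = next(p for p in top["PayloadContent"]
                if p["PayloadType"] == "com.apple.wifi.managed")
    eap = wifi["EAPClientConfiguration"]
    return {
        "ssid": wifi["SSID_STR"],
        "username": eap.get("UserName"),
        "has_password": "UserPassword" in eap,
        "server_pinned": (bool(eap.get("TLSTrustedServerNames"))
                          and not eap.get("TLSAllowTrustExceptions", True)),
    }


if __name__ == "__main__":
    blob = build_wifi_profile("Secure-Wireless", "alice", ["radius.example.org"])
    print(blob.decode())
    print(profile_summary(blob))
```

profile_summary is the review step: before a generated profile is served to users, confirm that it names the SSID you expect, carries no UserPassword and pins the RADIUS server name. Serve the file over HTTPS, since whoever can alter it in transit can point the device at their own RADIUS server.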

Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.
PacketFence currently supports four payment gateways: Authorize.net, Mirapay, PayPal and Stripe.
In order to activate the billing, you will need to configure the following components:
- Billing source(s)
- Billing tier(s)

Configuring a billing source
First select a billing provider and follow the instructions below.

PayPal
Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.

Sandbox account
To configure a sandbox PayPal account for use in PacketFence, head to https://developer.paypal.com/ and either sign up or log into your existing account.
Then in the Sandbox menu, click Accounts.
Create an account that has the type Personal and one that has the type Business.
Afterwards, go back into Accounts, expand the business account, then click Profile.
Now click the Change password link, change the password and note it.
Do the same thing with the personal account you created.

Configuring the merchant account
Log into the PayPal business account that you created at https://www.sandbox.paypal.com/ if you are using a sandbox account or at https://www.paypal.com/ if you are using a real account.
Next go to My Account > Profile in order to go into your profile configuration.
Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.
You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.
You should also take note of the Identity Token as it will be required in the PacketFence configuration.
Next go back to your profile configuration (My Account > Profile) and select Encrypted Payment Settings.
Now on this page you will need to submit the certificate used by PacketFence to PayPal (/usr/local/pf/conf/ssl/server.crt by default).
Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.
Still on that page, click the Download link to download the PayPal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.

Caution
The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence
Now, in the PacketFence administration interface, go to Configuration > Sources and create a new source of type Billing > Paypal.
Where:
- Identity token is the one you noted on the Website Payment Preferences page.
- Cert ID is the one you noted on the Encrypted Payment Settings page.
- Payment type is whether the access is donation based (not mandatory to pay for it).
- Email address is the email address of the merchant PayPal account.
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
- Key file is the path to the private key matching that certificate (/usr/local/pf/conf/ssl/server.key by default).
- Paypal cert file is the path to the PayPal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Stripe
Stripe account
First go to https://dashboard.stripe.com, create an account and log in.
Next, on the top right, click Your account, then Account settings.
Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.

Configuring PacketFence
Now, in the PacketFence administration interface, go to Configuration > Sources and create a new source of type Billing > Stripe.
Where:
- Secret key is the secret key you got from your Stripe account.
- Publishable key is the publishable key you got from your Stripe account.
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using the test key and secret.

Authorize.net
Creating an account
First go to https://account.authorize.net to sign up for a merchant account or to http://developer.authorize.net/ for a sandbox account.
After you created your account you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.
Then log into your new account.
Then under Account click Settings.
On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration
Next, in the PacketFence administration interface, go to Configuration > Sources and create a new source of type Billing > AuthorizeNet.
Where:
- API login ID is the one you got earlier while creating your account.
- Transaction key is the one you got earlier while creating your account.
- MD5 hash is the one you configured in your Authorize.net account.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Mirapay
To be contributed...

Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.
In the PacketFence administration interface, go to Configuration > Billing tiers.
Then click Add billing tier and configure it.
Where:
- Billing tier is the unique identifier of the billing tier.
- Name is the friendly name of the billing tier.
- Description is an extended description of the billing tier.
- Price is the amount that will be charged to the user.
- Access duration is the amount of time the user will be granted access to your network.
- Role is the target role the user should be in.
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.

Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier
When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.
You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced configured using the following parameters.
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled
[advanced]
name=Advanced network access
description=Click here for advanced network access
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration
Then, in your Stripe dashboard, go to Subscriptions > Plans.
Then create a new plan.
Where:
- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.
Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.
Updates are sent using HTTP requests to a public IP.
You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.
In order to do so, go to Your Account > Account Settings > Webhooks and click Add endpoint.
Where:
- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode.
Now every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Because this hook is reachable from the Internet over plain HTTP and an event received on it results in a device being unregistered, expose only that path on the public IP and verify that incoming events are confirmed with Stripe before they are acted on.

Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address that will then be matched against a predefined list of authorized MAC OUI. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
[registration]
device_registration = enabled
device_registration_role = gaming
Make sure the role exists in PacketFence otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration > Registration section.

Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
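The MAC check the portal page performs, as an added example that is not PacketFence's own code: it normalizes a user-submitted MAC, rejects multicast addresses, matches the OUI against an allow list and returns the role from the [registration] settings above. The OUI values in the allow list are constructed placeholders, and the function names are assumptions.

```python
import re

# Constructed allow list of OUIs (first three octets). Placeholder values for this
# example only, not an authoritative list of console vendors.
ALLOWED_OUIS = {"00:17:ab", "00:50:f2", "00:d9:d1"}

# Mirrors the [registration] block of pf.conf shown above.
REGISTRATION = {
    "device_registration": "enabled",
    "device_registration_role": "gaming",
}

_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")


def normalize_mac(raw):
    """Accept 00:17:AB:12:34:56, 00-17-ab-12-34-56 or 0017.ab12.3456 and return the
    lowercase colon form, or None when the input is not a 48-bit MAC."""
    digits = _SEPARATORS.sub("", raw)
    if not _HEX12.match(digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def register_device(raw_mac, pid, config=REGISTRATION, allowed=ALLOWED_OUIS):
    """Decide whether a MAC typed into the device-registration page is accepted.
    Returns ok=True with the role to assign, or ok=False with the reason."""
    if config.get("device_registration") != "enabled":
        return {"ok": False, "reason": "device registration is disabled"}
    mac = normalize_mac(raw_mac)
    if mac is None:
        return {"ok": False, "reason": "malformed MAC address"}
    # Group/multicast bit set: not a unicast station address, never a real console.
    if int(mac[:2], 16) & 0x01:
        return {"ok": False, "reason": "multicast address rejected", "mac": mac}
    oui = mac[:8]
    if oui not in allowed:
        return {"ok": False, "reason": "OUI %s is not authorized" % oui, "mac": mac}
    # The device is registered under the user's pid with the configured role.
    return {"ok": True, "mac": mac, "pid": pid,
            "role": config["device_registration_role"]}
```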

Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
eduroam https://www.eduroam.org/
PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:


client tlrs1.eduroam.us {
secret = useStrongerSecret
shortname = tlrs1
}
client tlrs2.eduroam.us {
secret = useStrongerSecret
shortname = tlrs2
}
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf and will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied).
proxy.conf example:
home_server tlrs1.eduroam.us {
type = auth
ipaddr = 257.128.1.1
port = 1812
secret = useStrongerSecret
require_message_authenticator = yes
}
Define a pool of servers to group your eduroam home servers together.
proxy.conf example:
home_server_pool eduroam {
type = fail-over
home_server = tlrs1.eduroam.us
home_server = tlrs2.eduroam.us
}
Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain either with an @domain or suffix\username.
If none is found, the REALM is NULL.
If a domain is found, FreeRADIUS tries to match one of the REALMS defined in this file.
If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).

The REALM determines where the request is sent to. If the REALM authenticates locally the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is
# done locally.
realm NULL {
}
# This realm is for ntdomain users who might use the domain like
# this "EXAMPLE\username".
# No authentication server is defined, thus the authentication is
# done locally.
realm EXAMPLE {
}
# This realm is for suffix users who use the domain like this:
# "username@example.edu".
# No authentication server is defined, thus the authentication is
# done locally.
realm example.edu {
}
# This realm is for ALL OTHER requests. Meaning in this context,
# eduroam. The auth_pool is set to the eduroam pool and so the
# requests will be proxied.
realm DEFAULT {
auth_pool = eduroam
nostrip
}
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:


authorize {
    # pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess
    # uncomment this section if you want to block eduroam users from
    # your other SSIDs. The attribute name ( Called-Station-Id ) may
    # differ based on your controller
    #if ( Called-Station-Id !~ /eduroam$/i) {
    #    update control {
    #        Proxy-To-Realm := local
    #    }
    #}
    eap {
        ok = return
    }

    files
    expiration
    logintime
    packetfence
}
In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change the request will be sent to PacketFence where it will be failed since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:
post-auth {
    exec
    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && \
         "%{client:shortname}" != "tlrs2"
    ) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:


# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}
# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}
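The realm selection and proxy decision described in this section, as an added example that is not part of PacketFence or FreeRADIUS: a small Python model of what the ntdomain and suffix modules, the realms of the proxy.conf example and the two virtual-server snippets above do with one Access-Request. The realm table and client shortnames come from the examples above; the function names and the decision dictionary are assumptions.

```python
import re

# Realm table from the proxy.conf example above: a realm without an auth_pool is
# authenticated locally; DEFAULT is proxied to the eduroam home_server_pool.
REALMS = {"NULL": None, "EXAMPLE": None, "example.edu": None, "DEFAULT": "eduroam"}
NOSTRIP = {"DEFAULT"}                    # realms declared with "nostrip"
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}     # shortnames from the clients.conf example


def detect_domain(user_name):
    """Emulate ntdomain (prefix, delimiter '\\') then suffix (delimiter '@'), in the
    order they appear in the authorize section. Returns (domain or None, user)."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return domain, user
    return None, user_name


def select_realm(domain):
    """A missing domain is the NULL realm; an unknown one falls through to DEFAULT."""
    if domain is None:
        return "NULL"
    return domain if domain in REALMS else "DEFAULT"


def route_request(user_name, called_station_id, client_shortname,
                  restrict_to_eduroam_ssid=False):
    """Model how the packetfence virtual server disposes of one Access-Request."""
    domain, stripped = detect_domain(user_name)
    realm = select_realm(domain)
    pool = REALMS[realm]
    decision = {
        "realm": realm,
        "pool": pool,
        # post-auth in packetfence-tunnel skips the packetfence module when the
        # request came in from one of the eduroam servers themselves
        "run_packetfence": client_shortname not in EDUROAM_CLIENTS,
        # nostrip keeps the full User-Name on the way to the home server
        "user_name_sent": user_name if realm in NOSTRIP else stripped,
    }
    if pool is None:
        decision["action"] = "local"
    elif restrict_to_eduroam_ssid and not re.search(r"eduroam$", called_station_id, re.I):
        # the commented-out Called-Station-Id check: Proxy-To-Realm := local keeps a
        # foreign-realm user on a non-eduroam SSID from being proxied out
        decision["action"] = "local"
        decision["pool"] = None
    else:
        decision["action"] = "proxy"
    return decision
```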

Fingerbank integration
Fingerbank, a great device profiling tool developed alongside of PacketFence, now integrates with it to power-up the feature set allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.
The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows a daily basis fingerprints database update, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match and much more.
Since the Fingerbank integration is now the "de facto" device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a "local" mode, which means no interaction with the upstream Fingerbank project.

Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done only by going in the "Settings" menu item under the "Fingerbank" section of the PacketFence "Configuration" tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process which allows you to interact with the upstream project. Once done, an option to "Update Fingerbank DB" can be found on top of every menu item section under "Fingerbank". The process may take a minute or two, depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. "Local" records are NOT being modified during this process.


Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the "Submit Unknown/Unmatched Fingerprints" option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the "Settings" menu item under the "Fingerbank" section of the PacketFence "Configuration" tab.

Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the "Local" entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first since their purpose is to override an existing one. A local combination can be created to match either "Local" or "Upstream" or both entries to allow identification of a device.

Settings
Fingerbank settings can easily be modified from the "Settings" menu item under the "Fingerbank" section of the PacketFence "Configuration" tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices
Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution
Right now PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device. When a floating network device is plugged, PacketFence will let/allow all the MAC addresses that will be connected to this device (or appear on the port) and if necessary, configure the port as multi-vlan (trunk) and set PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port like before it was plugged.

How it works
Configuration:
- floating network devices have to be identified using their MAC address.
- linkup/linkdown traps are not enabled on the switches, only port-security traps are.
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps
When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps

Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration > Network > Floating devices
Here are the settings that are available:
- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication
Note
OAuth2 authentication does not work with WebAuth enforcement
The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.
In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in the /etc/sysctl.conf, and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file, and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the "Redirect URI" field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also, add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country like Canada *.google.ca, France *.google.fr, etc.)
Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration > Portal Profiles and Pages.

Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also, add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change)
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration > Portal Profiles and Pages.

Caution
By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration > Portal Profiles and Pages.

LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com/. When you create your App, make sure you specify the following as the Callback URL https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration > Portal Profiles and Pages.
Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter
To use Twitter, you also need an API code and a secret key which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration > Portal Profiles and Pages.

Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration > Sources.
Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration > Portal Profiles and Pages.

Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration > Trapping and check Passthrough.
There are two solutions for passthroughs - one using DNS resolution and iptables and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs to allow trapped devices to reach external websites.
- DNS passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.
- mod_proxy passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together but DNS-based passthroughs have higher priority.


Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration, isolation VLANs and inline interfaces since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs this approach is the simplest one and the one that works the best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IP were distributed to what node using a pfdhcplistener daemon.
By default no DHCP Server should be running on that interface where you are sending the requests. This is by design otherwise PacketFence would reply to the DHCP requests which would be a bad thing.

Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
Add to pf.conf: (IPs are not important, they are there only so that PacketFence will start)
[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1
Restart PacketFence and you should be good to go.


Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.
On the network side you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.
On the PacketFence side, first you need an operating system VLAN interface like the one below. Stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:
# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes
Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener.
[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4
Repeat the above for all your production VLANs then restart PacketFence.

Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
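What a listener has to extract from the mirrored or helper-forwarded DHCP traffic described above, as an added example that is not PacketFence's pfdhcplistener: a minimal DHCP parser that records the MAC-to-IP mapping from server DHCPACK replies and the option 55 parameter request list (the DHCP fingerprint used by Fingerbank) from client requests. The two packets are constructed inline and build_packet exists only to produce that test data; the class and function names are assumptions.

```python
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}


def parse_dhcp(payload):
    """Parse the BOOTP header and the DHCP option list of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    hlen = min(hlen, 16)                       # chaddr field is 16 bytes wide
    mac = ":".join("%02x" % b for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                          # pad
            i += 1
            continue
        if code == 255:                        # end
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"op": op, "mac": mac, "yiaddr": str(IPv4Address(payload[16:20])),
            "options": options}


class DhcpListener:
    """Keeps the MAC -> IP table and the per-MAC DHCP fingerprints."""

    def __init__(self):
        self.leases = {}
        self.fingerprints = {}

    def observe(self, payload):
        """Feed one DHCP payload; returns the message type name."""
        info = parse_dhcp(payload)
        mtype = MSG_TYPES.get(info["options"].get(53, b"\x00")[0], "UNKNOWN")
        if info["op"] == 1 and 55 in info["options"]:
            # option 55 (parameter request list) sent by the client is its DHCP fingerprint
            self.fingerprints[info["mac"]] = ",".join(str(b) for b in info["options"][55])
        if info["op"] == 2 and mtype == "ACK" and info["yiaddr"] != "0.0.0.0":
            # only a server ACK proves the client really obtained this address
            self.leases[info["mac"]] = info["yiaddr"]
        return mtype


def build_packet(op, mac, yiaddr, options):
    """Construct a minimal DHCP packet; used here only to produce sample data."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", op, 1, 6, 0, b"\x00" * 4, 0, 0,
                         b"\x00" * 4, IPv4Address(yiaddr).packed, b"\x00" * 4,
                         b"\x00" * 4, chaddr, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + body + b"\xff"


# Constructed sample exchange: a client REQUEST followed by the server's ACK.
SAMPLE_REQUEST = build_packet(1, "00:11:22:33:44:55", "0.0.0.0",
                              [(53, b"\x03"), (55, bytes([1, 3, 6, 15, 31, 33]))])
SAMPLE_ACK = build_packet(2, "00:11:22:33:44:55", "10.0.101.42",
                          [(53, b"\x05"), (54, IPv4Address("10.0.101.1").packed)])
```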

Proxy Interception
PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration > Trapping and check Proxy Interception.
Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks
If your isolation and registration networks are not locally-reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.
If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only.
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.
Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration > Networks (or in conf/networks.conf).
conf/networks.conf will look like this:
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled


[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.
For example, for the VLAN 20 remote registration network:
ip access-list extended PF_REGISTRATION
permit ip any host 192.168.2.1
permit udp any any eq 67
deny ip any any log
interface vlan 20
ip address 192.168.20.254 255.255.255.0
ip helper-address 192.168.2.1
ip access-group PF_REGISTRATION in
If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


Statement of Health (SoH)
The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS Server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf.
soh=yes
soh-virtual-server = "soh-server"
Restart the RADIUS service afterward.
On the client side, to enable SoH for EAP, do the following (Windows 7 example):
sc config napagent start=auto
sc start napagent
:: Wired 802.1X
sc config dot3svc start=auto depend=napagent
sc start dot3svc
netsh nap client show config
:: get the "ID" value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable
The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration > Compliance > Statement of Health module.

Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when "anti-virus is disabled", and finally, reload the violations.
First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf file:
[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note
You may also want to set other attributes such as auto_enable, grace, etc.
When done with the violation, visit the Web Administration under Configuration > Compliance > Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list, and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.
Next, click on Add a condition, and select Anti-virus, is, and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.
The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition
We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.
These rules are available in different scopes:
- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg
And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)
For example, let's define a rule that prevents a device from connecting when its category is the "default", when the SSID is "SECURE" and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
The second example will create a violation if the SSID is OPEN and the owner is igmout:
[igmout]
filter = owner.pid
operator = is
value = igmout
[open]
filter = ssid
operator = is
value = OPEN


[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL
The third example will auto-register the device and assign the role staff to each device where the username is igmout:
[igmout]
filter = username
operator = is
value = igmout
[secure]
filter = ssid
operator = is
value = SECURE
[3:igmout&secure]
scope = AutoRegister
role = staff
[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff
You can have a look in the file vlan_filters.conf, there are some examples on how to use and define filters.

RADIUS Filter Definition
We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.
These rules are only available in one scope:
- returnRadiusAccessAccept
And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan
For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_return means that the original answer of PacketFence will be merged with the filter answer automatically):
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept
In this other example we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and ${switch._portalURL} will be replaced by the value of _portalURL defined in the switch config):
[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=${switch._portalURL}/cep$session_id
You can have a look in the file radius_filters.conf, there are some examples on how to use and define filters.
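A simplified evaluator for the vlan_filters.conf and radius_filters.conf syntax shown in this section and in VLAN Filter Definition above, as an added example and not PacketFence's own filter engine: it parses the condition sections, the id:cond&!cond rule headers and the time syntax, and reports the first rule that matches a given scope and request context. The sample filters are constructed from the page's examples; the supported operators (is, defined) and the exact time grammar are assumptions.

```python
import configparser
import re
from datetime import datetime

# Constructed sample in the syntax of the examples above: conditions, then rules.
SAMPLE_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
[2:etherneteap&!violation]
scope = returnRadiusAccessAccept
merge_answer = yes
"""

def _lookup(ctx, path):
    # Resolve a dotted path such as node_info.category in the request context.
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _hour(text):
    # '11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip().lower())
    if not m:
        raise ValueError("bad hour spec: %r" % text)
    return int(m.group(1)) % 12 + (12 if m.group(2) == "pm" else 0)

def time_matches(spec, now):
    """Evaluate 'wd {Mon Tue ...} hr {11am-2pm}' against a datetime; both parts optional."""
    wd = re.search(r"wd\s*\{([^}]*)\}", spec)
    hr = re.search(r"hr\s*\{([^}]*)\}", spec)
    if wd and now.strftime("%a").lower() not in [d[:3].lower() for d in wd.group(1).split()]:
        return False
    if hr:
        start, end = (_hour(p) for p in hr.group(1).split("-"))
        if not start <= now.hour < end:
            return False
    return True

def condition_matches(cond, ctx, now):
    field, op, value = cond.get("filter"), cond.get("operator"), cond.get("value")
    if field == "time":
        return time_matches(value, now) == (op == "is")
    actual = _lookup(ctx, field)
    if op == "is":
        return actual is not None and str(actual) == value
    if op == "defined":
        return actual is not None
    raise ValueError("unsupported operator: %r" % op)

def load_filters(text):
    """Split the ini text into named conditions and (id, expression, settings) rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        if ":" in name:
            rule_id, expr = name.split(":", 1)
            rules.append((rule_id, expr, dict(cp[name])))
        else:
            conditions[name] = dict(cp[name])
    return conditions, rules

def evaluate(text, scope, ctx, now):
    """First (rule id, settings) in `scope` whose terms all hold, else None; `now` may be ISO text."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    conditions, rules = load_filters(text)
    for rule_id, expr, settings in rules:
        if settings.get("scope") != scope:
            continue
        for term in expr.split("&"):
            negated = term.startswith("!")
            result = condition_matches(conditions[term.lstrip("!")], ctx, now)
            if result == negated:  # a plain term must hold, a negated one must not
                break
        else:
            return rule_id, settings
    return None
```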


DNS enforcement
DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.
The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (Core switch, Firewall, Router, ...)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal, otherwise pfdns will resolve the name externally and use it in the reply.
This enforcement mode used by itself can be bypassed by the device by using a different DNS server or by using its own DNS cache.
The first can be prevented using an ACL on your routing equipment, the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.
In order to configure DNS enforcement, you first need to go in Configuration > Interfaces then select one of your interfaces and set it in DNS enforcement mode.
After, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note
If you are not using a routed network, you need to use Inline enforcement as DNS enforcement can only be used for routed networks.
Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices
In the event that you are managing a large registration network with devices that stay there (ex:
students that can't register in your environment), these devices consume precious resources and
generate useless load on the captive portal and the registration DHCP server.
Using the parking feature, you can give these devices a longer lease and send them to an extremely
lightweight captive portal so that the amount of resources they consume is minimal. In that captive
portal, they will see a message explaining that they haven't registered their device for a certain
amount of time, and a link that lets them leave the parked state.
The parked vs unparked state is controlled through violation 1300003, which gets triggered according
to the parking.threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain
amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device
stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003
and place that device into the parked state.
In that same section, you can define the lease length of the user while in the parked state.

Note
Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP
server for the registration network, this feature will not work. Also, if the device goes
into the parked state with a lease time of 1 hour and the user immediately releases
himself from the parking state, it will take 1 hour before the next detection takes place
even if you set parking.threshold to a lower value.

Violation 1300003
This violation controls what happens when a device is detected as parked.
Here are the main settings:
- You can add actions to the predefined ones (like Email admin or External action) in Definition →
  Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max
  enables setting.
- The amount of grace time between two parking violations is controlled by the Remediation →
  Grace setting. This means that once a user releases himself from the parked state, he will have at
  least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave
  the user in the registration role, but should you want to dedicate a role for parking, you can set
  it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and
  not the one dedicated to parking. If you want the user to access the non-parking portal, disable
  Show parking portal in Configuration → Parking.

Chapter 13

Optional components

Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For
example, if you do not allow P2P type traffic on your network, and you are running the appropriate
software to detect it and trigger a violation for a given client, PacketFence will give that client a
"blocked" page which can be customized to your wishes.
In order to be able to block malicious activities, installation and configuration of a PacketFence
compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort
Installation
The installation procedure is quite simple for Snort. We maintain a working version in the
PacketFence repository. To install it, simply run the following command:
yum install snort

Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the
Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in
that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in
/usr/local/pf/var/conf: all modifications made there will be destroyed on each PacketFence restart.

Suricata
Installation
Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not
officially support), you need to build it the "old" way.
The OISF provides a really well written how-to for that. It's available here:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5

Note
To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built
with libnss / libnspr support. Make sure to use JSON output. More information on
how to achieve this can be found there:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration
Depending on whether or not Suricata is running on the PacketFence server, configuration is
different.
When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit
different needs. The file is located in /usr/local/pf/conf.
In the case that Suricata is running on a separate server, Suricata configuration will have to be
handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud
It is possible to trigger violations based on the threat level of downloaded files using the Metadefender
Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the
details, here are the basic steps to make it work.
First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained
through the OPSWAT portal: https://portal.opswat.com.
The other requirement is a working Suricata installation built with libnss / libnspr support as described
in the "Installation" section above.
Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working
Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.
Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.
On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it
is not installed, it might be an idea):
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file
store log entries to PacketFence:
### PacketFence / OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located
# -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514
# -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };
A restart of the syslog-ng daemon is required:

service syslog-ng restart


On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two
lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Since this syslog stream is unauthenticated UDP, restrict UDP 514 on the management interface to the
Suricata server's address with the host firewall; otherwise any host that can reach that port could
inject forged file events and raise violations.
Configure /etc/rsyslog.d/suricata_files.conf so it contains the following, which will redirect
Suricata MD5 file store log entries to the alert pipe and stop further processing of the matched
message (the legacy "& ~" action; on rsyslog 7 and later "& stop" is the equivalent):
if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/suricata_files
Restart the rsyslog daemon:
service rsyslog restart
At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the
related log entry to PacketFence.
Configuring a new syslog parser as well as some violations are the only remaining steps to
make full use of the OPSWAT Metadefender Cloud integration.
Configuration of a new syslog parser (Configuration → Syslog Parsers) should use the following:
Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO) which is, in this case, /usr/local/pf/var/suricata_files
Configuration of a new violation can use the following trigger types:
Type: metadefender
Trigger ID: The scan result returned by Metadefender Cloud online
Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata

Security Onion
Installation and Configuration
Security Onion is an Ubuntu based security suite. The latest installation instructions are available
directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for
different options during the installation process. A detailed "Production Deployment" guide can also
be found directly on the Security Onion website:
https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration
Once Security Onion is installed and minimally configured, integration with PacketFence is required
to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts
from Security Onion to the PacketFence detection mechanisms.
The simplest way is as follows (based on
https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):
On the Security Onion server:

Note
Must be done on the master server running sguild.
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log
entries to PacketFence:
### PacketFence / IDS integration
# This line specifies where the sguild.log file is located
# -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string Alert Received
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514
# -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };
Sending sguild alert output to syslog requires DEBUG to be changed from 1 to 2 in
/etc/sguild/sguild.conf:
set DEBUG 2
A restart of the sguild daemon is then required:
sudo nsm_server_ps-restart
A restart of the syslog-ng daemon is then required:
service syslog-ng restart

On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two
lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Restrict UDP 514 on the management interface to the Security Onion master's address with the host
firewall, since the stream is unauthenticated and a forged line could otherwise raise violations.
Configure /etc/rsyslog.d/securityonion_ids.conf so it contains the following, which will
redirect Security Onion sguild log entries to the alert pipe and stop further processing of the
matched message:
if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/securityonion_ids
Restart the rsyslog daemon:
service rsyslog restart
At this point, Security Onion should be able to send detected alert log entries to PacketFence.
Configuring a new syslog parser as well as some violations are the only remaining steps to
make full use of the Security Onion IDS integration.
Configuration of a new syslog parser should use the following:
Type: security_onion
Alert pipe: the previously created alert pipe (FIFO) which is, in this case, /usr/local/pf/var/securityonion_ids
Configuration of a new violation can use the following trigger types:
Type: detect
Trigger ID: The IDS triggered rule ID
Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert
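The forwarding chain is the same for the OPSWAT/Suricata integration and for the Security Onion integration above: syslog-ng tags each line with a program name, rsyslog on PacketFence routes on $programname into an alert pipe, and a parser reads that pipe. The Python below is an added example, not PacketFence code, that replays the chain offline so the routing and the MD5 extraction can be checked before the FIFO is wired up. The datagrams are constructed; the Suricata JSON field names (srcip, dstip, sp, md5) follow Suricata's legacy files-json.log output and are an assumption, and the rule "the side not on a well-known server port is the client" is this example's heuristic, not PacketFence's.

```python
# Added example (not PacketFence code): replay the syslog-ng -> rsyslog -> alert pipe
# chain used by the Suricata/OPSWAT and Security Onion integrations.
import json
import re
from collections import defaultdict

# BSD syslog datagram as syslog-ng sends it: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$")

# Same routing as the two rsyslog snippets: $programname -> alert pipe (FIFO)
ROUTES = {
    "suricata_files": "/usr/local/pf/var/suricata_files",
    "securityonion_ids": "/usr/local/pf/var/securityonion_ids",
}

def parse_datagram(line):
    """Header fields and message of one datagram, or None if it is not well formed
    (a malformed packet is dropped rather than mistaken for an alert)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(int(d["pri"]), 8)
    return d

def route(line):
    """FIFO the 'if $programname == ...' rules would write this datagram to, or None
    when no rule matches ('& ~' only stops the messages a rule matched)."""
    d = parse_datagram(line)
    return ROUTES.get(d["tag"]) if d else None

def parse_suricata_file_event(msg):
    """Fields the suricata_md5 trigger needs from one files-json.log entry: the MD5 and
    the client address. Entries without a complete hash (e.g. truncated files) are
    rejected. Heuristic: the side not on a well-known server port is the client."""
    try:
        ev = json.loads(msg)
    except ValueError:
        return None
    md5 = ev.get("md5") or ""
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        return None
    client = ev.get("dstip") if ev.get("sp") in (80, 443, 8080) else ev.get("srcip")
    return {"md5": md5, "client_ip": client, "filename": ev.get("filename"),
            "size": ev.get("size"), "state": ev.get("state")}

def process(datagrams):
    """Run the chain over a batch of datagrams; returns {fifo: [events]}, which is
    what pfdetect would read from each alert pipe."""
    by_fifo = defaultdict(list)
    for line in datagrams:
        fifo = route(line)
        if fifo is None:
            continue
        msg = parse_datagram(line)["msg"]
        if fifo.endswith("suricata_files"):
            ev = parse_suricata_file_event(msg)
            if ev is not None:
                by_fifo[fifo].append(ev)
        else:
            by_fifo[fifo].append({"raw": msg})   # sguild lines are passed through as-is
    return dict(by_fifo)

# Constructed datagrams: one Suricata file event (the EICAR test file's MD5), one
# Security Onion line (placeholder body, not parsed here), one unrelated message.
SAMPLE_DATAGRAMS = [
    '<14>Jul 15 10:31:02 suricata01 suricata_files: {"id": 7, "timestamp": '
    '"07/15/2016-10:31:02.123456", "ipver": 4, "srcip": "203.0.113.10", "dstip": "192.168.10.23", '
    '"protocol": 6, "sp": 80, "dp": 51234, "http_uri": "/setup.exe", "http_host": "files.example.com", '
    '"filename": "/setup.exe", "magic": "PE32 executable", "state": "CLOSED", '
    '"md5": "44d88612fea8a8f36de82e1278abb02f", "stored": false, "size": 68}',
    '<14>Jul 15 10:31:05 so-master securityonion_ids: Alert Received: (constructed placeholder)',
    '<13>Jul 15 10:31:06 suricata01 sshd[1234]: Accepted publickey for root from 203.0.113.5',
]

if __name__ == "__main__":
    for fifo, events in process(SAMPLE_DATAGRAMS).items():
        print(fifo, events)
```

The example only reproduces the decision logic; to exercise the real chain, send one tagged line from the IDS host with logger -t suricata_files and watch the FIFO on PacketFence while pfdetect is stopped, since a FIFO has a single reader.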

Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to
do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need
to create a violation and add the Snort alert SID in the trigger section of a Violation.
PacketFence violations are configured in Configuration → Violations

The example below will guide you to create a violation that will isolate devices that have generated
Peer-to-peer traffic while running Mac OS X, or that have been detected as a rogue DHCP server.

Violation definition
First you need to configure the violation definition.

Where:
- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for
  required administration violations.
- Description is the user friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  Unregister node will unregister the node.
  Send email to owner will email the violation details to the owner of the device. Will only work
  if the person has its email field populated.
  Send email to admin will email the violation details to the address specified in
  [alerting].emailaddr, using [alerting].smtpserver. Multiple email addresses can be separated
  by commas.
  Reevaluate access will place the device in the destination VLAN configured in the violation.
  It opens a violation and leaves it open. If it is not there, the violation is opened and then
  automatically closed.

  Log message will log the violation in the log file defined in [alerting].log.
  External command will execute a command on the operating system when this violation is
  raised.
  Close a violation will close an existing violation for this device when this one is raised.
  Set role will modify the role of the device.
  Enforce provisioning will trigger a check of compliance on the provisioners defined for the
  device.
- Priority defines the order in which violations should be handled should there be more than
  one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers
Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case
of this example it will be these two cases:
- A device that has generated Peer-to-peer traffic and that is using Mac OS X.
- A device that has been detected as being a rogue DHCP server.
Click the + sign at the top right in order to create a new trigger, then in the dropdown select
Suricata.
A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.
Once you have added this trigger, select Device from the dropdown and enter 38, which is the device
identifier for Mac OS X.
Next hit the < button, then the + to add another trigger.
Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection
and click Add.

Remediation
Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:
- Auto Enable is whether or not the user can release the violation himself after acknowledging the
  message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this
  number of times, he will not be able to release the violation and it will have to be manually released
  by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in
  the example 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according
  to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/
  month. If you bust the bandwidth after 3 days, the violation will open and the release date will
  be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing
  people to reactivate the network, you may want to open a violation for a defined amount of
  time instead.

- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create
  new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly
  from the captive portal.

Advanced
In the Advanced tab you configure the destination VLAN of the device when it has the Reevaluate
access action, and its redirection URL when the user is released.

Compliance Checks
PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance
checks. Since PacketFence v5.1 you are able to create multiple scan engine configurations
and assign them to specific captive portals. It means, for example, that you are able to activate a
scan for a specific Operating System only on a specific SSID.

Installation
Nessus
Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus
package for your operating system. You will also need to register for the HomeFeed (or the
ProfessionalFeed) in order to get the plugins.
After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus
Server, and to create a user for PacketFence.

Note
You may run into some issues while using Nessus with the Net::Nessus::XMLRPC
module (which is the default behavior in PacketFence). Please refer to the bug tracking
system for more information.

OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure
the correct repository to be able to install the latest OpenVAS scanning engine.
Once installed, please make sure to follow the instructions to correctly configure the scanning
engine and create a scan configuration that will fit your needs. You'll also need to create a user for
PacketFence to be able to communicate with the server.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters
in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the
scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the
filenames.

For example report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID
f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI
You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration
In order for the compliance checks to correctly work with PacketFence (communication and
generating violations inside PacketFence), you need to configure these sections:

Scanner Definition
First go in Configuration → Scanner Definition:
Then add a scan:
There are common parameters for each scan engine:
Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1X: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1X types: comma delimited EAP types that will trigger the scan if 802.1X above has been enabled
Specific to Nessus:
Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to Nessus scan
Password: Password to connect to Nessus scan
Port of the service: port to connect (default 8834)
Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)
Specific to OpenVAS:
Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to OpenVAS scan
Password: Password to connect to OpenVAS scan
Port of the service: port to connect (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server

Specific to WMI:
Username: A username from Active Directory that is allowed to connect to WMI (use a dedicated
account granted only remote WMI access, not a domain administrator, since its password is stored
in the PacketFence configuration)
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition
If you have configured a WMI scan engine then you need to define WMI Rules. WMI is a sort of
database on each Windows device; to retrieve information on the device you need to know the
SQL-like request. In order to help you find and write a rule you can use a third party tool like
WMI Explorer.
Go in Configuration → WMI Rules Definition:
There are already 3 rules defined:
Software_Installed
logged_user
Process_Running
Let's take the Software_Installed rule:
request: select * from Win32_Product
Rules Actions:
[Google]
attribute = Caption
operator = match
value = Google
[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
This rule will do the following:
retrieve all the installed software on the device and test if the attribute
Caption contains Google.
if it matched then we will trigger a violation (with the trigger
internal::888888) for the MAC address of the device.
Note that a query on Win32_Product is slow and causes Windows Installer to run a consistency
check of every installed MSI package on each query, so prefer another source of installed-software
data on production hosts.
The second one, logged_user:
request: select UserName from Win32_ComputerSystem


Rules Actions:
[UserName]
attribute = UserName
operator = match
value = (.*)
[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}
This rule will do the following:
retrieve the currently logged-in user on the device and register the device based on
the user account.
The last one, Process_Running:
request: select Name from Win32_Process
Rules Actions:
[explorer]
attribute = Name
operator = match
value = explorer.exe
[1:explorer]
action = allow
This rule will do the following:
retrieve all the running processes on the device and if one matches explorer.exe then
we bypass the scan.
Rules syntax
The syntax of the rules is simple to understand:
the request is the SQL-like request you will launch on the remote device; you must
know what the request will return in order to write the test.
Inside the Rules Actions we define 2 sorts of blocks:
the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).


The test block is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be:
  is
  is_not
  match
  match_not
- value is the value you want to compare
Feel free to define multiple test blocks.
The match and match_not operators treat value as a regular expression, so a value like explorer.exe
also matches explorerXexe; anchor the pattern (^explorer\.exe$) when an exact name is intended.
The action block is where you define your logic. For example, let's take
this one: [1:google&explorer]. This means that if the google test is
true and the explorer test is true then we execute the action.
The logic can be more complex and can be something like [1:!google|(explorer&memory)],
which means: if not google, or (explorer and memory).
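The RADIUS filter example earlier in this chapter (the [1:etherneteap&!violation] block with its $user_role and ${switch._portalURL} answer) and the WMI Rules Actions just described share this test-block / action-block syntax. The Python below is an added example, not PacketFence code: it parses that INI-like text, evaluates the expression with the precedence described (! first, then &, then |, with parentheses) and expands the $ placeholders in answer lines. The rule text and request context are constructed from the guide's own example; the switch._portalURL and session_id values and the first-match behaviour are assumptions, and WMI rules, which really run against the rows a request returns, are reduced here to one flat attribute dictionary.

```python
# Added example (not PacketFence code): evaluator for the test-block / action-block
# rule syntax shared by radius_filters.conf and the WMI Rules Actions.
import re

OPERATORS = {  # match/match_not treat the value as a regular expression
    "is": lambda a, w: a == w,
    "is_not": lambda a, w: a != w,
    "match": lambda a, w: a is not None and re.search(w, str(a)) is not None,
    "match_not": lambda a, w: a is None or re.search(w, str(a)) is None,
    "defined": lambda a, w: a not in (None, ""),
}

def parse_rules(text):
    """Return ({test name: params}, [action blocks sorted by order]) from INI-like text."""
    tests, actions, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head and ":" in head.group(1):            # [order:expression] -> action block
            order, expr = head.group(1).split(":", 1)
            current = {"order": int(order), "expr": expr.strip(), "params": {}}
            actions.append(current)
        elif head:                                   # [name] -> test block
            current = tests.setdefault(head.group(1), {})
        else:                                        # key = value, split on the first '='
            key, _, value = line.partition("=")
            (current["params"] if "expr" in current else current)[key.strip()] = value.strip()
    return tests, sorted(actions, key=lambda a: a["order"])

def run_test(test, attrs):
    """Evaluate one test block against a flat attribute dictionary."""
    attribute = test.get("filter") or test.get("attribute")
    return bool(OPERATORS[test["operator"]](attrs.get(attribute), test.get("value", "")))

def eval_expr(expr, tests, attrs):
    """Recursive-descent evaluation of e.g. !google|(explorer&memory): '!' binds
    tightest, then '&', then '|'; both operands are always evaluated."""
    tokens = re.findall(r"[A-Za-z0-9_]+|[&|!()]", expr)
    pos = [0]                                        # cursor shared by the nested parsers
    def at(tok):
        return pos[0] < len(tokens) and tokens[pos[0]] == tok
    def parse_or():
        value = parse_and()
        while at("|"):
            pos[0] += 1
            value = parse_and() or value
        return value
    def parse_and():
        value = parse_not()
        while at("&"):
            pos[0] += 1
            value = parse_not() and value
        return value
    def parse_not():
        if pos[0] >= len(tokens):
            raise ValueError("unexpected end of expression %r" % expr)
        tok = tokens[pos[0]]
        pos[0] += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if not at(")"):
                raise ValueError("missing ')' in %r" % expr)
            pos[0] += 1
            return value
        if tok not in tests:
            raise KeyError("undefined test block %r in %r" % (tok, expr))
        return run_test(tests[tok], attrs)
    result = parse_or()
    if pos[0] != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result

def substitute(template, attrs):
    """Expand $name and ${dotted.name}; unknown placeholders are left untouched."""
    def repl(m):
        value = attrs.get(m.group(1) or m.group(2))
        return m.group(0) if value is None else str(value)
    return re.sub(r"\$\{([^}]+)\}|\$([A-Za-z_]\w*)", repl, template)

def apply_rules(text, attrs, scope=None):
    """First action block whose scope (when given) and expression match, with its answer*
    lines expanded; None if nothing matches. First-match is this example's choice."""
    tests, actions = parse_rules(text)
    for action in actions:
        params = action["params"]
        if scope is not None and params.get("scope", scope) != scope:
            continue
        if eval_expr(action["expr"], tests, attrs):
            answers = {k: substitute(v, attrs) for k, v in params.items() if k.startswith("answer")}
            return {"expr": action["expr"], "params": params, "answers": answers}
    return None

# Constructed inputs: the guide's second RADIUS filter, a flattened request context
# (switch._portalURL and session_id values are assumed) and WMI-style test blocks.
RADIUS_RULES = """
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=${switch._portalURL}/cep$session_id
"""
REQUEST = {"connection_type": "Ethernet-EAP", "violation": None, "user_role": "staff",
           "switch._portalURL": "https://pf.example.org", "session_id": "abc123"}
WMI_TESTS = {
    "google": {"attribute": "Caption", "operator": "match", "value": "Google"},
    "explorer": {"attribute": "Name", "operator": "match", "value": r"^explorer\.exe$"},
    "memory": {"attribute": "TotalPhysicalMemory", "operator": "match", "value": r"^[0-9]{10,}$"},
}
```

Calling apply_rules(RADIUS_RULES, REQUEST, scope="returnRadiusAccessAccept") returns the expanded Cisco-AVPair answer, and the same request with a violation set returns None; eval_expr("!google|(explorer&memory)", WMI_TESTS, row) shows how the parenthesised WMI expression behaves for a given row of attributes.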

Violations definition
You need to create a new violation section and have to specify:
Using Nessus:
trigger=Nessus::<violationId>
Using OpenVAS:
trigger=OpenVAS::<violationId>
Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check
for. Once you have finished the configuration, you need to reload the violation related database
contents using:
$ pfcmd reload violations

Note
Violations will trigger if the plugin reports anything higher than a low severity vulnerability.

Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in
Configuration → Portal Profiles → Edit a Portal → Add Scan

Hosting Nessus/OpenVAS remotely
Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that
it is hosted on a separate server for large environments. To do so, a couple of things are required:

- PacketFence needs to be able to communicate with the server on the port specified by the
  vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN
  access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by
  default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.

RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this
information to determine if the node is still connected, how much time it has been connected, and
how much bandwidth the user consumed.

Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the
trigger is very simple:
Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]
Let's explain each chunk properly:
DIRECTION: You can either set a limit to inbound (IN), outbound (OUT), or total (TOT) bandwidth
LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB), or
petabytes (PB)
INTERVAL: This is the time window in which we will look for potential abuse. You can set a number
of days (D), weeks (W), months (M), or years (Y).

Example triggers
Look for Incoming (Download) traffic with a 50GB/month limit:
Accounting::IN50GB1M
Look for Outgoing (Upload) traffic with a 500MB/day limit:
Accounting::OUT500MB1D
Look for Total (Download+Upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W

Grace period
When using such a violation feature, setting the grace period is really important. You don't want to
put it too low (i.e. a user re-enables his network, and gets caught after 1 byte is transmitted!) or too
high. We recommend that you set the grace period to one interval window.
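As an added example (not PacketFence code), the Python below parses Accounting:: triggers in the format described above and evaluates them against constructed accounting sessions, so the effect of LIMIT and INTERVAL can be checked before a trigger goes into a violation. The interval lengths in calendar-free seconds (a month as 30 days) and the session field names are this example's assumptions; it also returns the recommended grace period of one interval window.

```python
# Added example (not PacketFence code): parse Accounting:: triggers and check
# constructed accounting sessions against them.
import re

UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Calendar-free approximation of the interval units (assumption made for this example)
INTERVAL_SECONDS = {"D": 86400, "W": 7 * 86400, "M": 30 * 86400, "Y": 365 * 86400}
TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")

def parse_trigger(trigger):
    """Split 'Accounting::IN50GB1M' into direction, byte limit and window seconds
    (None when no INTERVAL is given); raise ValueError on anything else."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not an accounting trigger: %r" % trigger)
    direction, amount, unit, count, period = m.groups()
    return {"direction": direction,
            "limit_bytes": int(amount) * UNIT_BYTES[unit],
            "window_seconds": int(count) * INTERVAL_SECONDS[period] if count else None}

def usage_in_window(sessions, direction, window_seconds, now):
    """Sum the octets of the sessions that ended inside the window (all of them when
    window_seconds is None). Guide semantics: IN = download, OUT = upload."""
    total = 0
    for s in sessions:
        if window_seconds is not None and s["stop"] < now - window_seconds:
            continue
        if direction == "IN":
            total += s["in_bytes"]
        elif direction == "OUT":
            total += s["out_bytes"]
        else:
            total += s["in_bytes"] + s["out_bytes"]
    return total

def check(trigger, sessions, now):
    """Evaluate one trigger; 'exceeded' is what would open the violation."""
    t = parse_trigger(trigger)
    used = usage_in_window(sessions, t["direction"], t["window_seconds"], now)
    return dict(t, used_bytes=used, exceeded=used > t["limit_bytes"])

def recommended_grace(trigger):
    """The guide recommends a grace period of one interval window."""
    return parse_trigger(trigger)["window_seconds"]

GB, MB = 1024 ** 3, 1024 ** 2
NOW = 1468579200  # constructed reference time (epoch seconds)
# Constructed accounting sessions for one node: two recent ones and one older than a month
SESSIONS = [
    {"start": NOW - 3 * 86400, "stop": NOW - 2 * 86400, "in_bytes": 30 * GB, "out_bytes": 1 * GB},
    {"start": NOW - 40 * 86400, "stop": NOW - 39 * 86400, "in_bytes": 25 * GB, "out_bytes": 0},
    {"start": NOW - 3600, "stop": NOW, "in_bytes": 25 * GB, "out_bytes": 600 * MB},
]

if __name__ == "__main__":
    for trig in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        print(trig, check(trig, SESSIONS, NOW)["exceeded"])
```

One caveat on the direction labels: RFC 2866 defines Acct-Input-Octets as octets received from the client's port, i.e. what the client sent (upload), so confirm which accounting attribute your PacketFence version maps to IN before relying on the download/upload wording above.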

Oinkmaster
Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily.
It is simple to use and install. This section will show you how to implement Oinkmaster to work
with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample
Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the
newest Oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib
and oinkmaster.pl
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into
/usr/local/pf/conf
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch
the bleeding rules.

Rules update
In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab
entry with the right information. The example below shows a crontab entry to fetch the updates
daily at 23:00:
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Snort only reads its rule files at startup, so restart (or send SIGHUP to) the snort service after the
update for the new rules to take effect.


Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different
roles which will permit different accesses to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can
use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest
requests a sponsored access, an email is sent to the sponsor and the sponsor must click on a link
and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance.
Confirmation by email and by a sponsor are the two pre-registration techniques supported at this
point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts,
multiple accounts using a prefix (i.e.: guest1, guest2, guest3) or import data from a CSV to create
accounts. Access duration and expected arrival date are also customizable.

Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on
the registration page by clicking the Sign up link.


Managed guests
Part of the web administration interface, the guests management interface is enabled by default.
It is accessible through the Users → Create menu.

Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow
access to the /signup page on the portal even from a remote location. All that should be required
from the administrators is to open up their perimeter firewall to allow access to PacketFence's
management interface IP on port 443 and make sure a domain name to reach said IP is configured
(and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet
website: https://<hostname>/signup.

Caution
Pre-registration increases the attack surface of the PacketFence system since a subset
of its functionality is exposed on the Internet. Make sure you understand the risks,
apply the critical operating system updates and apply PacketFence's security fixes.
Limit the perimeter rule to TCP 443 on that one address; the web admin port (1443 by
default) and the web services port (9090) must stay unreachable from the Internet.

Note
A portal interface type is required to use this feature. A portal interface type can be
added to any network interface using the web admin GUI.


Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing
/usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every
setting is available in /usr/local/pf/conf/documentation.conf.
[guests_self_registration]
guest_pid=email
preregistration=disabled
These parameters can also be configured from the Configuration → Self Registration section of
the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from
Configuration → Portal Profiles. To disable the self-registration feature, simply remove all
self-registration sources from the portal profile definition. Notice however that if your default portal
profile has no source, it will use all authentication sources.

Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to
the guest module. If localhost is used as smtp server, make sure that an MTA is installed
and configured on the server.

Note
A portal interface type is required to use this feature. A portal interface type can be
added to any network interface using the web admin GUI.
Self-registered guests are added under the Users tab of the PacketFence Web administration
interface.

Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by
editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every
setting is available in /usr/local/pf/conf/documentation.conf.
[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
Let's explain the meaning of each parameter:
DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s
(seconds), m (minutes), h (hours), D (days), W (weeks), M (months), or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of
the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base
duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units
(D (days), W (weeks), M (months), or Y (years)).
These parameters can also be configured from the Configuration → Admin Registration section of
the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access
duration of users, change their password and more.
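As an added example (not PacketFence code), the Python below parses the duration format just described and computes the resulting expiry from a fixed reference time, plus a check for an access_duration_choices list. The meaning given to F and R (F counts from the reference time, R from the beginning of the current period unit with weeks starting on Monday, and the +/- extension is applied afterwards) is this example's reading of the description above; verify it against your version before relying on a spec in production.

```python
# Added example (not PacketFence code): parse access durations such as 12h, 1WR+1D or
# 1MR-1D and compute the expiry from a reference time. R/F semantics are this
# example's interpretation of the guide's description.
import calendar
import re
from datetime import datetime, timedelta

DURATION_RE = re.compile(
    r"^(?P<n>\d+)(?P<unit>[smhDWMY])"
    r"(?:(?P<base>[FR])(?P<op>[+-])(?P<ext_n>\d+)(?P<ext_unit>[DWMY]))?$")
TD_KW = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}

def add_units(dt, n, unit):
    """dt plus n units (n may be negative); months and years use calendar arithmetic
    with the day clamped to the length of the target month."""
    if unit in TD_KW:
        return dt + timedelta(**{TD_KW[unit]: n})
    months = dt.month - 1 + (n if unit == "M" else 12 * n)
    year, month = dt.year + months // 12, months % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))

def period_start(dt, unit):
    """Beginning of the period unit containing dt (used for relative durations)."""
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    return {
        "s": dt.replace(microsecond=0),
        "m": dt.replace(second=0, microsecond=0),
        "h": dt.replace(minute=0, second=0, microsecond=0),
        "D": midnight,
        "W": midnight - timedelta(days=dt.weekday()),   # weeks start on Monday
        "M": midnight.replace(day=1),
        "Y": midnight.replace(month=1, day=1),
    }[unit]

def parse_duration(spec):
    """Components of one access duration, or ValueError if it does not fit the format."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("invalid access duration %r" % spec)
    d = m.groupdict()
    d["n"] = int(d["n"])
    d["ext_n"] = int(d["ext_n"]) if d["ext_n"] is not None else None
    return d

def access_end(spec, now):
    """Expiry datetime of spec computed from now."""
    d = parse_duration(spec)
    if d["base"] is None:                               # plain duration: now + n units
        return add_units(now, d["n"], d["unit"])
    start = period_start(now, d["unit"]) if d["base"] == "R" else now
    end = add_units(start, d["n"], d["unit"])
    delta = d["ext_n"] if d["op"] == "+" else -d["ext_n"]
    return add_units(end, delta, d["ext_unit"])

def invalid_choices(csv):
    """Entries of an access_duration_choices value that do not fit the format."""
    return [c.strip() for c in csv.split(",") if not DURATION_RE.match(c.strip())]

REF = datetime(2016, 7, 15, 10, 30)  # constructed reference time, a Friday

if __name__ == "__main__":
    for spec in ("12h", "1D", "1WR+1D", "1MR-1D", "3DF+1D"):
        print(spec, access_end(spec, REF))
```

With the reference time above, 1WR+1D ends on Tuesday 2016-07-19 at midnight (start of the current week plus one week plus one day) and 1MR-1D ends at midnight on the last day of the month, which is the kind of "until end of period" policy the relative form is for.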

Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is
set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:
[guests_self_registration]
preregistration=enabled
This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section since pre-registration is
simply a twist on the self-registration process.

Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to
the guest module. If localhost is used as smtp server, make sure that an MTA is installed
and configured on the server.

Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following
content. Make sure to change @IP_PACKETFENCE to the IP address of your PacketFence server. You'll
also need to change the username and password as they must match the credentials defined in the
Web admin interface under Configuration > Web Services.

#########################################################################################
# Powershell script to unregister deleted Active Directory account based on the UserName. #
#########################################################################################
# Event 4726 = "A user account was deleted"; ReplacementStrings[0] holds the account name
Get-EventLog -LogName Security -InstanceId 4726 |
Select ReplacementStrings,"Account name" |
% {
    $url = "https://@IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any server certificate (PacketFence usually ships a self-signed one)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call: unregister every node owned by this pid (the deleted account)
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID
Start > Run > Taskschd.msc
Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task
General
Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers > New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4726
Actions > New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel" in order to
unregister multiple nodes at the same time.
Validate with OK and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following
content. Make sure to change @IP_PACKETFENCE to the IP address of your PacketFence server. You'll
also need to change the username and password as they must match the credentials defined in the
Web admin interface under Configuration > Web Services.
##########################################################################################
# Powershell script to unregister disabled Active Directory account based on the UserName. #
##########################################################################################
# Event 4725 = "A user account was disabled"; ReplacementStrings[0] holds the account name
Get-EventLog -LogName Security -InstanceId 4725 |
Select ReplacementStrings,"Account name" |
% {
    $url = "https://@IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any server certificate (PacketFence usually ships a self-signed one)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call: unregister every node owned by this pid (the disabled account)
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID
Start > Run > Taskschd.msc
Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task
General
Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers > New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4725
Actions > New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel"
Validate with OK and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following
content. Make sure to change @IP_PACKETFENCE to the IP address of your PacketFence server. You'll
also need to change the username and password as they must match the credentials defined in the
Web admin interface under Configuration > Web Services.

#########################################################################################
# Powershell script to unregister locked Active Directory account based on the UserName. #
#########################################################################################
# Event 4740 = "A user account was locked out"; ReplacementStrings[0] holds the account name
Get-EventLog -LogName Security -InstanceId 4740 |
Select ReplacementStrings,"Account name" |
% {
    $url = "https://@IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any server certificate (PacketFence usually ships a self-signed one)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call: unregister every node owned by this pid (the locked account)
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID
Start > Run > Taskschd.msc
Task Scheduler > Task Scheduler Library > Event Viewer Task > Create Task
General
Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers > New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4740

Actions > New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel"
Validate with OK and give the account who will run this task (usually DOMAIN\Administrator).
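The three scheduled tasks above all perform the same exchange: take the account name from the Security event's replacement strings and POST a JSON-RPC 2.0 unreg_node_for_pid call to PacketFence Web Services on port 9090. The following Python is an added example of that exchange, not the guide's PowerShell; it builds the identical request body and sends it with TLS verification kept on (the scripts above set ServerCertificateValidationCallback to {$true}, which accepts any certificate). It assumes the endpoint accepts HTTP Basic credentials, uses a placeholder CA file path, and the sample event is constructed.

```python
import base64
import json
import ssl
import urllib.request

# Security event IDs used by the guide's three scheduled tasks.
EVENT_REASON = {4726: "deleted", 4725: "disabled", 4740: "locked"}

def build_unreg_request(event_id, replacement_strings):
    """Return the JSON-RPC 2.0 body the guide's scripts send, as a dict.

    replacement_strings is the event's ReplacementStrings list; as in the
    scripts, element 0 is taken as the target account name (the PacketFence pid).
    """
    if event_id not in EVENT_REASON:
        raise ValueError(f"event {event_id} is not a deleted/disabled/locked account event")
    if not replacement_strings or not replacement_strings[0].strip():
        raise ValueError("event carries no account name")
    pid = replacement_strings[0].strip()
    return {"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", pid]}

def encode_request(body):
    """Serialise the body the way the scripts do: ASCII JSON bytes."""
    return json.dumps(body).encode("ascii")

def send_unreg(url, username, password, body, cafile):
    """POST the call to PacketFence Web Services with certificate checking on.

    ASSUMPTION: the endpoint accepts HTTP Basic credentials; `cafile` is the
    CA (or the server's own certificate) that issued the PacketFence cert.
    """
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=encode_request(body), method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode())

if __name__ == "__main__":
    # Constructed sample of what event 4726 (user account deleted) carries:
    # ReplacementStrings[0] is the deleted account's name.
    sample_event = {"id": 4726, "ReplacementStrings": ["jdoe", "CONTOSO", "S-1-5-21-EXAMPLE"]}
    body = build_unreg_request(sample_event["id"], sample_event["ReplacementStrings"])
    print(EVENT_REASON[sample_event["id"]], encode_request(body))
    # send_unreg("https://@IP_PACKETFENCE:9090/", "admin", "admin", body, "pf-ca.pem")  # placeholder CA file
```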

DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP
server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more
reliable than DHCP relaying since PacketFence receives a copy of all your DHCP traffic and
not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and
CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and
forwarding them to the PacketFence management interface.

Microsoft DHCP sensor
You will first need to download and install WinPcap available from http://www.winpcap.org/install/
You will also need to download and install Microsoft Visual C++ 2010 Redistributable available from
http://www.microsoft.com/download/details.aspx?id=5555

Note
You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010
Redistributable even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website
http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First download and unzip nssm from https://nssm.cc/download
Next create a batch file udpreflector.bat in C:\udp-reflector that contains:
C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000
Where pcap0 is the interface where your DHCP is listening (use
C:\udp-reflector\udp_reflector.exe -l to list interfaces)

Then run nssm install udpreflector
In Application:
In Path set it to C:\udp-reflector\udpreflector.bat
In Startup directory set it to C:\udp-reflector\
In Arguments set it to nothing
In Details:
In Startup type select Automatic
In Log on:
In Log on as select Local System account
Then press Install service
The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor
First download the RPM on your DHCP server.

CentOS 6 and 7 servers
For CentOS 6:
# for x86_64
# wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udpreflector-1.0-6.1.x86_64.rpm
For CentOS 7:
# for x86_64
# wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udpreflector-1.0-6.1.x86_64.rpm
Now install the sensor (the glob matches the file name downloaded above):
# rpm -i udpreflector-*.rpm

Compiling the sensor from source on a Linux system
First make sure you have the following packages installed:
libpcap
libpcap-devel
gcc-c++
Get the source code of the sensor:

# mkdir -p ~/udp-reflector && cd ~/udp-reflector
# wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
# g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor
Place the following line in /etc/rc.local,
where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l)
and 192.168.1.5 is the management IP of your PacketFence server:
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
Start the sensor:
# /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
The DHCP traffic should now be reflected on your PacketFence server.

Switch login access
PacketFence is able to act as an authentication and authorization service
on port 1815 for granting command-line interface (CLI) access to
switches. PacketFence currently supports Cisco switches and these must be
configured using the following guide:
http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
From the PacketFence web admin interface, you must configure an Admin Access role
(Configuration > Admin access) that contains the action Switches CLI - Read or Switches CLI - Write
and assign this role to an internal user or in an Administration rule in an internal source.

Chapter 14

Operating System Best Practices

IPTables
IPTables is now entirely managed by PacketFence. However, if you need to add some custom
rules, you can modify conf/iptables.conf to your own needs. The default template
should work for most users.

Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we
recommend using logrotate to periodically rotate your logs. A working logrotate script is provided
with the PacketFence package. This script is located in /usr/local/pf/addons, and it's configured
to do a weekly log rotation and keep old logs with compression. It has been added during the
PacketFence initial installation.

Chapter 15

Performance optimization

SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps
coming in from approved (configured) devices are all processed by the daemon, it is possible for
someone who wants to generate a certain load on the PacketFence server to force the generation
of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to
PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port
and take action if that limit is reached. For example, if over 100 traps are received by PacketFence
from the same switch port in a minute, the switch port will be shut and a notification email will
be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default, PacketFence
will log the abnormal activity after 100 traps from the same switch port in a minute. These
configurations are in the conf/pf.conf file:
[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI,
in the Configuration > SNMP section.

MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration.
You should do the following to tune performance:
Check the system load
# uptime
11:36:37 up 235 days,  1:21,  1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU
# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO wait is peaking at 20%; this is not good. If your IO wait
is low but your MySQL is taking more than 50% CPU, this is also not good. Check your MySQL install for
the following variables:
mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default
values.
Shutdown PacketFence and MySQL
# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL:                                            [ OK ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON
Start up MySQL and PacketFence
# /etc/init.d/mysqld start
Starting MySQL:                                            [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU
# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks
to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and
can be run from the command line:
# /usr/local/bin/pftest mysql


Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially
true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved
to the archive table locationlog_archive after some time. A closed record is one where the
end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh located in addons/ that performs
this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius
module. The default MySQL value tends to be low (100) so we encourage you to increase that
value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for
details.

Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius
module. When the server is loaded, these connection attempts can time out. If a connection times
out during connection, MySQL will consider this a connection error and after 10 of these (by default)
it will lock the host out with a:
Host 'host_name' is blocked because of many connection errors. Unblock with
'mysqladmin flush-hosts'
This will grind PacketFence to a halt so you want to avoid that at all cost. One way to do so
is to increase the number of maximum connections (see above), to periodically flush hosts or to
allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for
details.

Captive Portal Optimizations
Avoid captive portal overload due to non-browser HTTP requests
By default we allow every query to be redirected and reach PacketFence for the captive portal
operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence
and waste its resources for nothing since they are not from browsers (iTunes, Windows update,
MSN Messenger, Google Desktop, ...).

Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration
of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent.
All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik
[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = /generate_204
The last block defines the relationship between the tests and the desired action. For example:
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain
/generate_204.

Dashboard Optimizations (statistics collection)
The collection and aggregation of statistics in the whisper database can be I/O intensive at
times. This means that it can be beneficial to separate them on another disk even if it is a virtual
disk that will share the same underlying physical disk.
First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb
as the new device).
Make sure packetfence is stopped:
# service packetfence stop
Create an ext4 partition:
# mkfs.ext4 /dev/sdb
Then move the old databases to a backup point:


# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak
Mount your new disk and check that it is mounted:
# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1" >> /etc/fstab
# mkdir /usr/local/pf/var/graphite
# mount -a
# df -h
Apply the proper user rights and restore your database from your backup:
# chown pf.pf /usr/local/pf/var/graphite
# cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/
Start packetfence and make sure your stats are still there and being collected properly. Then remove
the backup you made: rm -fr /usr/local/pf/var/graphite.bak/.

Chapter 16

Additional Information

For more information, please consult the mailing archives or post your questions to it. For details,
see:
packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security
warnings etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions

Chapter 17

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to:
support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations
deploy the solution, customize, migrate versions or from another system, performance tuning or
aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/ for details.

Chapter 18

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.

Appendix A. Administration Tools

pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments pfcmd returns a basic help message with all main options:

Usage:
pfcmd <command> [options]

Commands
cache                       | manage the cache subsystem
checkup                     | perform a sanity checkup and report any problems
class                       | view violation classes
configfiles                 | push or pull configfiles into/from database
configreload                | reload the configution
floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
help                        | show help for pfcmd commands
ifoctetshistorymac          | accounting history
ifoctetshistoryswitch       | accounting history
ifoctetshistoryuser         | accounting history
import                      | bulk import of information into the database
ipmachistory                | IP/MAC history
locationhistorymac          | Switch/Port history
locationhistoryswitch       | Switch/Port history
networkconfig               | query/modify network configuration parameters
node                        | manipulate node entries
pfconfig                    | interact with pfconfig
portalprofileconfig         | query/modify portal profile configuration parameters
reload                      | rebuild fingerprint or violations tables without restart
service                     | start/stop/restart and get PF daemon status
schedule                    | Nessus scan scheduling
switchconfig                | query/modify switches.conf configuration parameters
version                     | output version information
violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option


The node view option shows all information contained in the node database table for a specified
MAC address:
# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|
notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.

Again, when executed without any arguments, a help screen is shown.
