PacketFence Administration Guide, version 4.7.0

Administration Guide by Inverse Inc.
Version 4.7.0 - Mar 2015
Copyright © 2015 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".
Table of Contents
About this Guide
  Other sources of information
Introduction
  Features
  Network Integration
  Components
System Requirements
  Assumptions
  Minimum Hardware Requirements
  Operating System Requirements
Installation
  OS Installation
  Software Download
  Software Installation
Configuration
  First Step
  Web-based Administration Interface
  Global configuration file (pf.conf)
  Apache Configuration
  SELinux
  Roles Management
  Authentication
  Network Devices Definition (switches.conf)
  Default VLAN/role assignment
  Inline enforcement configuration
  Hybrid mode
  Web Auth mode
  DHCP and DNS Server Configuration (networks.conf)
  Production DHCP access
  Routed Networks
  FreeRADIUS Configuration
  Starting PacketFence Services
  Log files
  Passthrough
  Proxy Interception
Configuration by example
  Assumptions
  Network Interfaces
  Switch Setup
  switches.conf
  pf.conf
  networks.conf
  Inline enforcement specifics
Optional components
  Blocking malicious activities with violations
  Compliance Checks
  RADIUS Accounting
  Oinkmaster
  Floating Network Devices
  Guests Management
  Statement of Health (SoH)
  Apple and Android Wireless Provisioning
  SNMP Traps Limit
  Billing Engine
  Portal Profiles
  OAuth2 Authentication
  Devices Registration
  Eduroam
  VLAN Filter Definition
  Active Directory Integration
Firewall SSO
  Fortigate
  PaloAlto
Operating System Best Practices
  IPTables
  Log Rotations
  High Availability
Performance optimization
  MySQL optimizations
  Captive Portal Optimizations
Frequently Asked Questions
Technical introduction to VLAN enforcement
  Introduction
  VLAN assignment techniques
  More on SNMP traps VLAN isolation
Technical introduction to Inline enforcement
  Introduction
  Device configuration
  Access control
  Limitations
Technical introduction to Hybrid enforcement
  Introduction
  Device configuration
More on VoIP Integration
  CDP and LLDP are your friend
  VoIP and VLAN assignment techniques
  What if CDP/LLDP feature is missing
Additional Information
Commercial Support and Contact Information
GNU Free Documentation License
A. Administration Tools
  pfcmd
  pfcmd_vlan
  Web Admin GUI
B. Manual FreeRADIUS 2 configuration
  Configuration
  Optional: Wired or Wireless 802.1X configuration
Chapter 1. About this Guide
This guide will walk you through the installation and the day to day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
Network Devices Configuration Guide: covers switch, controller and access point configuration.
Developers Guide: covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
CREDITS: this is, at least, a partial file of PacketFence contributors.
NEWS.asciidoc: covers noteworthy features, improvements and bug fixes by release.
UPGRADE.asciidoc: covers compatibility related changes, manual instructions and general notes about upgrading.
ChangeLog: covers all changes to the source code.
These files are included in the package and release tarballs.
Chapter 2. Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort/Suricata IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
Features
Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.
In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using Inline enforcement.
Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.
Hotspot support (Web Auth Enforcement): PacketFence can also be configured as a hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).
802.1X: 802.1X wireless and wired is supported through a FreeRADIUS module.
Wireless integration: PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.
Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
Proactive vulnerability scans: Either Nessus or OpenVAS vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Gaming devices registration: A registered user can access a special Web page to register a gaming device of his own. This registration process will require login from the user and then will register gaming devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
Chapter 3. System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
  Database server (MySQL or MariaDB)
  Web server (Apache)
Depending on your setup you may have to install additional components like:
  DHCP server (ISC DHCP)
  RADIUS server (FreeRADIUS)
  NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
The following table provides recommendations for the required components, together with version numbers:
  MySQL server: MySQL 5.1
  Web server: Apache 2.2
  DHCP server: DHCP 4.1
  RADIUS server: FreeRADIUS 2.2.0
  Snort: Snort 2.9.1
  Suricata: Suricata 1.4.1
More recent versions of the software mentioned above can also be used.
Minimum Hardware Requirements
The following provides a list of server hardware recommendations:
  Intel or AMD CPU 3 GHz
  4 GB of RAM
  100 GB of disk space (RAID-1 recommended)
  1 Network card
    +1 for high-availability
    +1 for intrusion detection
Operating System Requirements
PacketFence supports the following operating systems on the i386 or x86_64 architectures:
  Red Hat Enterprise Linux 6.x Server
  Community ENTerprise Operating System (CentOS) 6.x
  Debian 7.0 (Wheezy)
  Ubuntu 12.04 LTS
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
  Web server (httpd)
  DHCP server (dhcpd)
  FreeRADIUS server (radiusd)
  Snort/Suricata Network IDS (snort/suricata)
  Firewall (iptables)
Make sure that all the other services are automatically started by your operating system!
Chapter 4. Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
  Disable Firewall (PacketFence manages iptables itself, see "Services start-up" above)
  Disable SELinux
  Disable AppArmor
  Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Red Hat-based systems
Note
Includes CentOS and Scientific Linux. Both i386 and x86_64 architectures are supported.
RHEL 6.x
Note
These extra steps are required for RHEL 6 systems only. Derivatives such as CentOS or Scientific Linux don't need to take them.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian and Ubuntu
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides an RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian and Ubuntu, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
  easy installation
  everything is packaged as RPM/deb (no more CPAN hassle)
  easy upgrade
Software Installation
RHEL/CentOS
In order to use the PacketFence repository:
# rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-1.el6.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum groupinstall --enablerepo=packetfence Packetfence-complete
Or, if you prefer, to install only the core PacketFence without all the external services, you can use:
yum install --enablerepo=packetfence packetfence
Debian and Ubuntu
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list with the following content when using Debian 7.0 (Wheezy):
deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy
Or when using Ubuntu 12.04 LTS:
deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
The apt-key step fetches the repository signing key by its short key ID. Before trusting it, compare the full fingerprint of the key you received (apt-key finger) with the one published by the PacketFence project: a 32-bit key ID on its own does not uniquely identify a key.
Chapter 5. Configuration
In this section, you'll learn how to configure PacketFence. PacketFence will use MySQL, Apache, ISC DHCP, iptables and FreeRADIUS. As previously mentioned, we assume that those components run on the same server on which PacketFence is being installed.
First Step
The first step after installing the necessary packages is the configuration step. PacketFence provides a helpful and detailed web-based configurator.
Like mentioned at the end of the packages installation, fire up a web browser and go to https://@ip_of_packetfence:1443/configurator. From there, the configuration process is split in six (6) distinct steps, after which you'll have a working PacketFence setup.
Step 1: Enforcement technique. You'll choose either VLAN enforcement, inline enforcement or both;
Step 2: Network configuration. You'll be able to configure the network interfaces of the system as well as assigning the correct interfaces for each of the required types of the chosen enforcement technique(s);
Step 3: Database configuration. This step will create the PacketFence database and populate it with the correct structure. A MySQL user will also be created and assigned to the newly created database;
Step 4: General configuration. You will need to configure some of the basic PacketFence configuration parameters;
Step 5: Administrative user. This step will ask you to create an administrative user that will be able to access the web-based administration interface once the services are functional;
Step 6: Let's do this! See the status of your configuration and start your new NAC!
Note
Keep in mind that the resulting PacketFence configuration will be located under /usr/local/pf/conf/ and the configuration files can always be adjusted by hand afterward or from PacketFence's Web GUI.
Web-based Administration Interface
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user. If not, the default password is also admin; change it before the interface is reachable from anything other than the host itself, since that account has full control of the NAC.
Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/
Global configuration file (pf.conf)
The /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.
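The layering described above (every parameter in pf.conf.defaults, only the site's overrides in pf.conf) is easy to get subtly wrong when editing by hand: an override whose name matches no parameter in the defaults does nothing and the default stays in force. The following is an added example, not PacketFence code, that merges the two files the way the text describes and reports such overrides. The two INI snippets are constructed samples and their parameter names are illustrative, not checked against a real pf.conf.defaults; sections that exist only in pf.conf (per-interface definitions, for instance) are instance-specific and are merged without being flagged.

```python
"""Added example, not PacketFence code: layer pf.conf over pf.conf.defaults and
flag overrides that match no parameter known from the defaults.
The INI text below is a constructed sample; its parameter names are
illustrative and were not checked against a real pf.conf.defaults."""
import configparser

# Constructed stand-in for /usr/local/pf/conf/pf.conf.defaults
DEFAULTS_TEXT = """
[general]
domain = example.com
hostname = packetfence
dhcpservers = 127.0.0.1

[alerting]
emailaddr = pf@localhost
"""

# Constructed stand-in for /usr/local/pf/conf/pf.conf: only the site overrides.
# 'emailadr' is a deliberate typo to show what the check reports.
OVERRIDE_TEXT = """
[general]
domain = acme.local
hostname = nac01

[alerting]
emailadr = noc@acme.local

[interface eth0]
ip = 10.0.0.2
type = management
"""


def load_ini(text):
    """Parse [section] / key = value text into {section: {key: value}},
    preserving the case of parameter names."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def effective_config(defaults_text, override_text):
    """Return (merged, unknown).

    merged  - the defaults with every pf.conf value applied on top, i.e. the
              configuration that is actually in effect.
    unknown - 'section.key' names set in pf.conf whose section exists in the
              defaults but whose key does not: almost always a typo, and the
              intended default stays in force.
    Sections absent from the defaults (per-interface blocks, for example) are
    instance-specific and are merged without being flagged."""
    defaults = load_ini(defaults_text)
    merged = {section: dict(params) for section, params in defaults.items()}
    unknown = []
    for section, params in load_ini(override_text).items():
        target = merged.setdefault(section, {})
        for key, value in params.items():
            if section in defaults and key not in defaults[section]:
                unknown.append(f"{section}.{key}")
            target[key] = value
    return merged, unknown


if __name__ == "__main__":
    config, suspicious = effective_config(DEFAULTS_TEXT, OVERRIDE_TEXT)
    for section, params in config.items():
        for key, value in params.items():
            print(f"{section}.{key} = {value}")
    for name in suspicious:
        print(f"WARNING: {name} is set in pf.conf but is not a known parameter")
```

Run against the real files by reading /usr/local/pf/conf/pf.conf.defaults and /usr/local/pf/conf/pf.conf into the two strings; the web-based administration interface avoids the problem by only offering known parameters, which is one reason the guide recommends it.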
Apache Configuration
The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.
In this directory you have three important files: httpd.admin, httpd.portal and httpd.webservices.
  httpd.admin is used to manage the PacketFence admin interface
  httpd.portal is used to manage the PacketFence captive portal interface
  httpd.webservices is used to manage the PacketFence web services interface
These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.
Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf). You can check the CN of the installed certificate with: openssl x509 -in /usr/local/pf/conf/ssl/server.crt -noout -subject
Captive Portal
Important parameters to configure regarding the captive portal are the following:
Redirect URL under Configuration > Portal Profile > Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.
IP under Configuration > Captive portal
This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.
SELinux
Even if this feature may be wanted by some organizations, PacketFence will not run properly if SELinux is set to enforcing. You will need to explicitly disable it in the /etc/selinux/config file.
Roles Management
Roles in PacketFence can be created from PacketFence's administrative GUI - from the Configuration > Users > Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs or internal roles on equipment from the Configuration > Network > Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
  Active Directory
  Apache htpasswd file
  Email
  Facebook (OAuth2)
  Github (OAuth2)
  Google (OAuth2)
  Kerberos
  LDAP
  LinkedIn (OAuth2)
  Null
  RADIUS
  SMS
  Sponsored Email
  Windows Live (OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI - from the Configuration > Users > Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all its actions will be applied for any user that matches in the authentication source.
Once a source is defined, it can be used from Configuration > Portal Profiles. Each portal profile has a list of authentication sources to use.
Example
Let's say we have two roles: guest and employee. First, we define them in Configuration > Users > Roles.
Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration > Users > Sources, we select Add source > AD. We provide the following information:
  Name: ad1
  Description: Active Directory for Employees
  Host: 192.168.1.2:389 without SSL/TLS
  Base DN: CN=Users,DC=acme,DC=local
  Scope: One-level
  Username Attribute: sAMAccountName
  Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
  Password: acme123
For simplicity this example binds as the domain Administrator over plain LDAP on port 389. In production, use a dedicated bind account that only has read access to the directory, and enable SSL/TLS on the source so that neither the bind password nor the users' credentials cross the network in the clear.
Then, we add a rule by clicking on the Add rule button and provide the following information:
  Name: employees
  Description: Rule for all employees
  Don't set any condition (as it's a catch-all rule)
  Set the following actions:
    Set role: employee
    Set unregistration date: January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Configuration > Users > Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source, for machines:
  Name: ad2 (any name distinct from the first source; a second source cannot reuse ad1)
  Description: Active Directory for Machines
  Host: 192.168.1.2:389 without SSL/TLS
  Base DN: CN=Computers,DC=acme,DC=local
  Scope: One-level
  Username Attribute: servicePrincipalName
  Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
  Password: acme123
Then, we add a rule:
  Name: machines
Description:Ruleforallmachines Dontsetanycondition(asitsacatch-allrule) Setthefollowingactions:
Setrolemachineauth
SetunregistrationdateJanuary1st,2020
Notethatwhenaruleisdefinedasacatch-all,itwillalwaysmatchiftheusernameattributematchesthequeriedone.ThisappliesforActiveDirectory,LDAPandApachehtpasswdfilesources.KerberosandRADIUSwillactastruecatch-all,andaccepteverything.
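As an added illustration (not PacketFence code), the following Python models how the sources and rules above are evaluated: sources are tried in order, and a catch-all rule on an AD, LDAP or htpasswd source only fires when the username attribute matches an entry, while a Kerberos or RADIUS source accepts everyone. The directory snapshots, sources and rules are constructed for the example; no LDAP query is performed.

```python
"""Model how authentication sources and their rules are evaluated.

Added illustration, not PacketFence code. Sources are tried in order; for
an AD, LDAP or htpasswd source a catch-all rule (no conditions) only fires
when the username attribute matches an entry, while Kerberos and RADIUS
sources are true catch-alls. Directory contents, sources and rules are
constructed for the demo; the real LDAP lookups are not performed here.
"""
from datetime import date

UNREGDATE = date(2020, 1, 1)

# Constructed directory snapshots, keyed by the configured username attribute.
AD_USERS = {"alice": {"sAMAccountName": "alice", "department": "Engineering"}}
AD_MACHINES = {"host/pc1.acme.local": {"servicePrincipalName": "host/pc1.acme.local"}}

SOURCES = [
    {"name": "ad1", "type": "AD", "directory": AD_USERS,
     "rules": [{"name": "employees", "conditions": [],
                "actions": {"role": "employee", "unregdate": UNREGDATE}}]},
    {"name": "ad-machines", "type": "AD", "directory": AD_MACHINES,
     "rules": [{"name": "machines", "conditions": [],
                "actions": {"role": "machineauth", "unregdate": UNREGDATE}}]},
    {"name": "krb", "type": "Kerberos", "directory": None,
     "rules": [{"name": "everyone", "conditions": [],
                "actions": {"role": "guest", "unregdate": UNREGDATE}}]},
]

TRUE_CATCH_ALL = {"Kerberos", "RADIUS"}   # accept everything once credentials are good


def lookup(source, username):
    """Attributes for username in this source, or None when it is not found."""
    if source["type"] in TRUE_CATCH_ALL:
        return {}                          # nothing to fetch, credentials decide
    return source["directory"].get(username)


def rule_matches(rule, attributes):
    """A rule fires when every (attribute, value) condition holds; none means catch-all."""
    return all(attributes.get(attr) == value for attr, value in rule["conditions"])


def authenticate(username, sources=SOURCES):
    """Return (source, rule, actions) for the first rule that fires, or None."""
    for source in sources:
        attributes = lookup(source, username)
        if attributes is None:
            continue                       # username attribute did not match here
        for rule in source["rules"]:
            if rule_matches(rule, attributes):
                return source["name"], rule["name"], rule["actions"]
    return None


if __name__ == "__main__":
    for user in ("alice", "host/pc1.acme.local", "mallory"):
        print(user, "->", authenticate(user))
```

Reordering the sources changes the outcome for "mallory": with the Kerberos source listed first, every user would land on its catch-all before the AD sources are consulted, which is why the true catch-all sources belong last.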
Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it in the Web Administration panel under Configuration → Network → Switches.

This file contains a default section including:

    - Default SNMP read/write communities for the switches
    - Default working mode (see the note about working modes below)

and a switch section for each switch (managed by PacketFence) including:

    - Switch IP
    - Switch vendor/type
    - Switch uplink ports (trunks and non-managed ports)
    - per-switch re-definition of the VLANs (if required)

Note

switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload.
Working modes

There are three different working modes:

    Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

    Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

    Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. Starting with 1.8, PacketFence now supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch.
From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite
From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread
Switch Configuration

Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch.

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH

Warning

Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can now use SSH. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

Note

As of PacketFence 1.9.1, few switches require Web Services configuration in order to work. It can also be done through the Web Administration Interface under Configuration → Switches.
Radius Secret

For certain authentication mechanisms, such as 802.1X or MAC Authentication, the RADIUS server needs to have the network device in its client list. As of PacketFence 3.0, we now use a database backend to store the RADIUS client information. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Also, starting with PacketFence 3.1, the RADIUS secret is required for our support of RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

Bug #1370: http://www.packetfence.org/bugs/view.php?id=1370
Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more precise to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <internal role>Role=<external role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales.

Caution

Make sure that the roles are properly defined on the network devices prior to assigning roles!
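Because switches.conf carries SNMP credentials, CLI credentials, the RADIUS secret and the role mappings described in the sections above, it is worth auditing before going to production. The following Python is an added example, not PacketFence code: it parses the [default] plus per-switch INI layout with the standard library, resolves a per-switch value with fallback to [default] (the same precedence the role mapping uses), maps an internal role to its external role, and flags the weak settings a reviewer would look for. The file content is constructed for the demo; the parameter names are the ones this chapter documents.

```python
"""Audit a PacketFence-style switches.conf for weak device-management settings.

Added example, not PacketFence code. It parses the INI layout the guide
describes ([default] plus one section per switch IP) and reports the
settings a reviewer would check before production. The sample content is
constructed for the demo; the parameter names come from this chapter.
"""
import configparser

SAMPLE_SWITCHES_CONF = """
[default]
SNMPVersion = 1
SNMPCommunityRead = public
SNMPCommunityWrite = private
cliTransport = Telnet
adminRole = full-access
salesRole = little-access

[192.168.1.100]
type = Cisco::Catalyst_2900XL
mode = production

[192.168.1.101]
type = Cisco::Catalyst_2960
mode = production
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
cliTransport = SSH
radiusSecret = useStrongerSecret
salesRole = restricted
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults, widely known


def load_switches_conf(text):
    """Parse switches.conf text; keys stay case-sensitive as in the real file."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def effective(parser, switch, key, fallback=None):
    """Per-switch value, else the [default] value, else fallback."""
    if parser.has_option(switch, key):
        return parser.get(switch, key)
    if parser.has_option("default", key):
        return parser.get("default", key)
    return fallback


def external_role(parser, switch, internal_role):
    """Map an internal role to the device role via '<role>Role=<external role>'."""
    return effective(parser, switch, internal_role + "Role")


def audit_switch(parser, switch):
    """Return the list of findings for one switch section."""
    findings = []
    version = effective(parser, switch, "SNMPVersion", "1")
    if version != "3":
        for key in ("SNMPCommunityRead", "SNMPCommunityWrite"):
            if effective(parser, switch, key, "") in DEFAULT_COMMUNITIES:
                findings.append(f"{key} uses a default community with SNMPv{version}")
    else:
        for key in ("SNMPAuthProtocolRead", "SNMPPrivProtocolRead"):
            if effective(parser, switch, key) is None:
                findings.append(f"SNMPv3 without {key}: no auth/priv protection")
    if effective(parser, switch, "cliTransport", "Telnet") == "Telnet":
        findings.append("cliTransport is Telnet: CLI credentials cross the wire in clear")
    if effective(parser, switch, "radiusSecret") is None:
        findings.append("radiusSecret missing: 802.1X/MAC auth and RFC 3576 CoA unavailable")
    if effective(parser, switch, "mode", "production") == "testing":
        findings.append("mode=testing: pfsetvlan only logs, no VLAN changes are made")
    return findings


def audit(text):
    """Map each switch section to its findings (empty list means clean)."""
    parser = load_switches_conf(text)
    return {s: audit_switch(parser, s) for s in parser.sections() if s != "default"}


if __name__ == "__main__":
    for switch, findings in audit(SAMPLE_SWITCHES_CONF).items():
        print(switch, "->", findings or ["no findings"])
```

The switch at 192.168.1.100 inherits everything from [default] and collects four findings; 192.168.1.101 overrides the weak defaults and passes. The same `effective` lookup shows that a per-switch `salesRole` takes precedence over the global one.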
Default VLAN/role assignment

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

The default VLAN assignment technique used in PacketFence is a per-switch one. The correct default VLAN for a given MAC is determined based on the role computed by PacketFence during the registration process for the device, or dynamically during an 802.1X authentication. The computed internal role will then be mapped to either a VLAN or an external role for the specific equipment the user is connected to.

This allows you to do easy per-building VLAN/role segmentation.

If you need more flexibility than what can be defined from PacketFence's authentication sources (rules/conditions/actions), take a look at the FAQ entry "Custom VLAN assignment behavior" available online at http://www.packetfence.org/support/faqs/article/custom-vlan-assignment-behavior.html
Inline enforcement configuration

This section applies only for Inline enforcement. Users planning to do VLAN enforcement only can skip this section.

Inline enforcement is a very convenient method of performing access control on older network hardware that is not capable of doing VLAN enforcement or that is not supported by PacketFence. This technique is covered in detail in the "Technical introduction to Inline enforcement" section.

An important configuration parameter to have in mind when configuring inline enforcement is that the DNS reached by these users should be your actual production DNS server, which shouldn't be in the same broadcast domain as your inline users. The next section shows you how to configure the proper inline interface, and it is in this section that you should refer to the proper production DNS.

Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces. A node registered on the first inline interface is marked with an ip:mac tuple (for L2; only ip for L3), so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first VLAN. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change VLAN.

The outgoing interface should be specified by adding in pf.conf the option interfaceSNAT in the inline section. It is a comma-delimited list of network interfaces like eth0,eth0.100. It's also possible to specify a network that will be routed instead of using NAT by adding in conf/networks.conf an option nat=no under one or more network sections.

Another important setting is the gateway statement. Since this is the only way to get the PacketFence server inline interface IP address, it is mandatory to set it to this IP (which is supposed to be the same as in the ip statement of the inline interface in conf/pf.conf).
Hybrid mode

This section applies for hybrid support for the manageable devices that support 802.1X or MAC-authentication.

Hybrid enforcement is a mixed method that offers the use of inline enforcement mode with VLAN enforcement mode on the same device. This technique is covered in detail in the "Technical introduction to Hybrid enforcement" section.
Web Auth mode

This section applies for web authentication support for manageable devices that support web authentication with an external captive portal.

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
DHCP and DNS Server Configuration (networks.conf)

PacketFence automatically generates the DHCP configuration files for Registration, Isolation and Inline VLANs. This is done by editing the network interfaces from the configuration module of the administration Web interface (see the First Step section).

    network                   Network subnet
    netmask                   Network mask
    gateway                   PacketFence IP address in this network
    next_hop                  Used only with routed networks; IP address of the router in this network (this is used to locally create static routes to the routed networks; see the Routed Networks section)
    domain-name               DNS name
    dns                       PacketFence IP address in this network. In inline type, set it to a valid DNS production server
    dhcp_start                Starting IP address of the DHCP scope
    dhcp_end                  Ending IP address of the DHCP scope
    dhcp_default_lease_time   Default DHCP lease time
    dhcp_max_lease_time       Maximum DHCP lease time
    type                      vlan-registration or vlan-isolation or inline
    named                     Is PacketFence the DNS for this network? (Enabled/Disabled) set it to enabled
    dhcpd                     Is PacketFence the DHCP server for this network? (Enabled/Disabled) set it to enabled
    nat                       Does PacketFence route or NAT the traffic for this network? (yes/no) NAT enabled by default, set to no to route

When starting, PacketFence generates the DHCP configuration files by reading the information provided in networks.conf:

The DHCP configuration file is written to var/conf/dhcpd.conf using conf/dhcpd.conf as a template.
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

By default no DHCP Server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important; they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.
Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below. Stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener.

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See ticket #1050 to see why: http://www.packetfence.org/bugs/view.php?id=1050
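All three techniques above feed the same thing to pfdhcplistener: a copy of the DHCP exchange, from which the server's ACK reveals which IP was handed to which MAC. The following Python is an added example, not PacketFence's pfdhcplistener: it parses the BOOTP fixed header and DHCP options (RFC 2131/2132) of a raw DHCP payload (the UDP data, without IP/UDP headers) and records the lease only when the message is an ACK, since offers and requests are not authoritative. The packet is constructed inline for the demo; the builder exists only to produce that input.

```python
"""Extract the MAC-to-IP mapping from DHCP traffic, as a DHCP listener does.

Added example, not PacketFence's pfdhcplistener. It parses the BOOTP fixed
header and the DHCP options (RFC 2131/2132) of a raw DHCP payload (UDP
data, no IP/UDP headers) and records the lease the server handed out. The
packets are constructed for the demo; build_packet is only a test helper.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
OPT_PAD, OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255


def parse_options(data):
    """Return {code: raw value} for the TLV options that follow the magic cookie."""
    options = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_dhcp(payload):
    """Return the fields a DHCP listener records, or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = payload[16:20]                  # "your" address: the lease being offered/acked
    chaddr = payload[28:28 + hlen]           # client hardware address (MAC for Ethernet)
    options = parse_options(payload[240:])
    mtype = options.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    lease = struct.unpack("!I", options[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in options else None
    server = options.get(OPT_SERVER_ID)
    return {
        "type": MESSAGE_TYPES.get(mtype, f"UNKNOWN({mtype})"),
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "ip": ".".join(str(b) for b in yiaddr),
        "server": ".".join(str(b) for b in server) if server else None,
        "lease_seconds": lease,
    }


def build_packet(mac, ip, server_ip, message_type=5, lease=3600, xid=0x3903F326):
    """Construct a minimal DHCP payload (demo input, not captured traffic)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    header += bytes(4) + bytes(ip) + bytes(server_ip) + bytes(4)   # ciaddr, yiaddr, siaddr, giaddr
    header += bytes(mac) + bytes(10)                               # chaddr padded to 16 bytes
    header += bytes(64) + bytes(128)                               # sname, file
    options = bytes([OPT_MESSAGE_TYPE, 1, message_type])
    options += bytes([OPT_SERVER_ID, 4]) + bytes(server_ip)
    options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


def record_lease(table, payload):
    """Update the MAC->IP table; only the server's ACK is authoritative."""
    info = parse_dhcp(payload)
    if info and info["type"] == "ACK":
        table[info["mac"]] = info["ip"]
    return info


if __name__ == "__main__":
    leases = {}
    ack = build_packet((0x00, 0x11, 0x22, 0x33, 0x44, 0x55), (10, 0, 101, 50), (10, 0, 101, 1))
    print(record_lease(leases, ack), leases)
```

On a real listener the payload comes from the mirrored or helper-forwarded UDP datagram on port 67/68; the parser is the same.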
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.
If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only.

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.
Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled
    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
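The networks.conf parameters documented in the DHCP and DNS Server Configuration section and the routed-network entries just shown follow a few rules that are easy to get wrong by hand: the gateway and the DHCP scope must sit inside the subnet, a routed network needs its next_hop so the local static route can be created, an inline network must point dns at a production server outside its own broadcast domain, and named=enabled only makes sense when dns is a PacketFence address. The following Python is an added example, not PacketFence's own validation: it parses the file with the standard library and checks those rules per section. The file content and the set of local interface IPs (what pf.conf would declare) are constructed for the demo.

```python
"""Validate networks.conf sections before PacketFence regenerates dhcpd.conf.

Added example, not PacketFence code. It checks the rules this chapter states
for each [network] section: gateway and DHCP scope inside the subnet, lease
times consistent, next_hop present for a network reached through a router,
an inline network pointing dns at a production server outside its own
broadcast domain, and named=enabled only when dns is a PacketFence address.
The file content and the local interface list are constructed for the demo.
"""
import configparser
import ipaddress

# Constructed sample: a local registration VLAN, a routed registration
# network missing its next_hop, and an inline network with a wrong dns.
SAMPLE_NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled

[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
next_hop=
dns=192.168.4.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=inline
named=enabled
"""

# IPs of the internal/inline interfaces PacketFence owns (as in pf.conf); constructed.
LOCAL_INTERFACE_IPS = {"192.168.2.1", "192.168.4.1"}


def load_networks_conf(text):
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def validate_network(section, opts, local_ips):
    """Return the list of problems found in one [network] section."""
    problems = []
    subnet = ipaddress.ip_network(f"{section}/{opts['netmask']}", strict=False)
    gateway = ipaddress.ip_address(opts["gateway"])
    start = ipaddress.ip_address(opts["dhcp_start"])
    end = ipaddress.ip_address(opts["dhcp_end"])

    if gateway not in subnet:
        problems.append("gateway is outside the subnet")
    if not (start in subnet and end in subnet and start <= end):
        problems.append("dhcp_start/dhcp_end do not form a scope inside the subnet")
    if int(opts["dhcp_max_lease_time"]) < int(opts["dhcp_default_lease_time"]):
        problems.append("dhcp_max_lease_time is shorter than dhcp_default_lease_time")

    # The gateway of a locally attached network is one of our own interfaces;
    # anything else is routed and needs next_hop for the local static route.
    if str(gateway) not in local_ips and not opts.get("next_hop"):
        problems.append("routed network without next_hop")

    for entry in opts["dns"].split(","):
        dns = ipaddress.ip_address(entry.strip())
        if opts["type"] == "inline" and dns in subnet:
            problems.append("inline network: dns must be a production server outside this subnet")
        if opts["type"] != "inline" and opts.get("named") == "enabled" and str(dns) not in local_ips:
            problems.append("named=enabled but dns is not a PacketFence interface address")
    return problems


def validate(text, local_ips=LOCAL_INTERFACE_IPS):
    """Map each section name to its problems (empty list means it passed)."""
    parser = load_networks_conf(text)
    return {s: validate_network(s, dict(parser.items(s)), local_ips)
            for s in parser.sections()}


if __name__ == "__main__":
    for network, problems in validate(SAMPLE_NETWORKS_CONF).items():
        print(network, "->", problems or ["ok"])
```

Run against the sample, the local 192.168.2.0 network passes, 192.168.20.0 is reported as routed without a next_hop, and the inline 192.168.4.0 network is reported for pointing dns at itself.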
FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper VLAN to the network equipment.

Option 1: Dynamic switch configuration

Since PacketFence version 4.1 you are now able to enable dynamic clients. It means that when you add a new switch configuration in PacketFence's administration interface you don't have to restart the radiusd service.

To enable this feature make a symlink in the /usr/local/pf/raddb/sites-enabled directory:

    ln -s ../sites-available/dynamic-clients dynamic-clients

and of course restart radiusd:

    /usr/local/pf/bin/pfcmd service radiusd restart
Option 2: Authentication against Active Directory (AD)

Samba/Kerberos/Winbind

Install Samba 3 and NOT Samba 4. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }
For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50

Issue a kinit and klist in order to get and verify the Kerberos token:

    # kinit administrator
    # klist

After that, you need to start samba, and join the machine to the domain:
    # service smb start
    # chkconfig --level 345 smb on
    # net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

    # kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    # Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    # usermod -a -G wbpriv pf

Finally, start winbind, and test the setup using ntlm_auth and radtest:

    # service winbind start
    # chkconfig --level 345 winbind on

For Debian and Ubuntu:

    # usermod -a -G winbindd_priv pf
    # ntlm_auth --username myDomainUser
    # radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 3: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 4: Authentication against OpenLDAP

To be contributed...
Option 5: EAP Guest Authentication on email, sponsor and sms registration

The goal here is to be able to use the credentials PacketFence created on guest access and use them on a secure connection. First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS) and check "Add user on email registration" and/or "Add user on sponsor registration" in the Configuration → Self Registration section. At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, use your phone number and the PIN code.

Note that this option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/raddb/sites-available/packetfence-tunnel there is an example on how to configure radius to enable this feature (uncomment to make it work).

In this example we activate this feature on a specific SSID name (Secure-Wireless), disable NTLM Auth by default, test email credentials (pfguest), test sponsor (pfsponsor) and test sms (pfsms). If all failed then we reactivate NTLM Auth.
    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
    #### Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-Wireless') {
    #        # Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    #        # Check temporary_password table with email and password for a guest registration
    #        pfguest
    #        if (fail || notfound) {
    #            # Check temporary_password table with email and password for a sponsor registration
    #            pfsponsor
    #            if (fail || notfound) {
    #                # Check activation table with phone number and PIN code
    #                pfsms
    #                if (fail || notfound) {
    #                    update control {
    #                        MS-CHAP-Use-NTLM-Auth := Yes
    #                    }
    #                }
    #            }
    #        }
    #    }

Option 6: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 5; the difference is that we use another SSID and we only use local accounts.

Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed then we reactivate NTLM Auth.
    #### Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-local-Wireless') {
    #        # Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    #        # Check temporary_password table for local user
    #        pflocal
    #        if (fail || notfound) {
    #            update control {
    #                MS-CHAP-Use-NTLM-Auth := Yes
    #            }
    #        }
    #    }

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    # radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Debug

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following command:

    # radiusd -X -d /usr/local/pf/raddb

Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

    a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
    b. Run raddebug as root (less secure!)

Now you can run raddebug easily:

    raddebug -t 300 -d /usr/local/pf/raddb
The above will output FreeRADIUS' debug logs for 5 minutes. See man raddebug for all the options.

Starting PacketFence Services

Once PacketFence is fully installed and configured, start the services using the following command:

    service packetfence start

You may verify using the chkconfig command that the PacketFence service is automatically started at boot time.

Log files

Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log            PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access        Apache Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error         Apache Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access         Apache Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error          Apache Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access   Apache Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error    Apache Webservices Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The logging system's configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it.
Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach websites.

    - DNS passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

    - mod_proxy passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together but DNS-based passthroughs have higher priority.
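The decision pfdns has to make for each query from a trapped device is the one described above: is the name covered by a DNS passthrough (answer the real address and open the firewall), by a proxy passthrough (answer the portal address and let mod_proxy forward), or by neither (keep the device on the portal), with DNS entries taking priority. The following Python is an added example, not PacketFence's pfdns or its Apache configuration: it implements that lookup with label-based wildcard matching, so that an entry such as *.google.com covers www.google.com but not a look-alike like evilgoogle.com, which a naive suffix comparison would let through. The entry lists are constructed for the demo.

```python
"""Decide which passthrough, if any, applies to a name queried at the portal.

Added example, not PacketFence's pfdns or mod_proxy configuration. DNS
passthroughs are consulted first, then proxy passthroughs; wildcards match
whole labels only, so *.google.com never matches evilgoogle.com. The entry
lists are constructed for the demo, in the format the GUI accepts.
"""

DNS_PASSTHROUGHS = ["*.google.com", "updates.example.org"]
PROXY_PASSTHROUGHS = ["*.google.com", "*.example.org", "cdn.vendor.test"]


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot of a fully qualified query."""
    return name.lower().rstrip(".")


def matches(pattern, name):
    """True if name matches pattern; '*.' stands for one or more leading labels."""
    pattern, name = normalize(pattern), normalize(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # "*.google.com" -> ".google.com"
        # endswith on the dotted suffix enforces a label boundary, and the
        # length check rejects the bare apex (google.com has no leading label).
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def resolve_passthrough(name, dns_entries=DNS_PASSTHROUGHS, proxy_entries=PROXY_PASSTHROUGHS):
    """Return ('dns', entry), ('proxy', entry) or None for a queried name."""
    for entry in dns_entries:                     # DNS-based passthroughs win
        if matches(entry, name):
            return ("dns", entry)
    for entry in proxy_entries:
        if matches(entry, name):
            return ("proxy", entry)
    return None


if __name__ == "__main__":
    for query in ("www.google.com", "evilgoogle.com", "www.example.org", "portal.test"):
        print(query, "->", resolve_passthrough(query))
```

Whether the apex itself (google.com) should be covered by *.google.com is a policy choice; this example keeps it excluded, so an operator who wants both adds the apex as a separate exact entry.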
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works in a layer 2 network because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Chapter 6

Configuration by example

Here is an end-to-end sample configuration of PacketFence in "Hybrid" mode (VLAN mode and Inline mode at the same time).
Assumptions

Throughout this configuration example we use the following assumptions for our network infrastructure:

    - There are two different types of manageable switches in our network: Cisco Catalyst 2900XL and Cisco Catalyst 2960, and one unmanageable device.
    - VLAN 1 is the "normal" VLAN; users with the "default" role will be assigned to it
    - VLAN 2 is the registration VLAN (unregistered devices will be put in this VLAN)
    - VLAN 3 is the isolation VLAN (isolated devices will be put in this VLAN)
    - VLANs 2 and 3 are spanned throughout the network
    - VLAN 4 is the inline VLAN (In-Band, for unmanageable devices)
    - We want to isolate computers using Limewire (peer-to-peer software)
    - We use Snort as NIDS
    - The traffic monitored by Snort is spanned on eth1
    - The DHCP server on the PacketFence box will take care of IP address distribution in VLANs 2, 3 and 4
    - The DNS server on the PacketFence box will take care of domain resolution in VLANs 2, 3 and 4

The network setup looks like this:

    VLAN ID   VLAN Name      Subnet           Gateway        PacketFence Address
    1         Normal         192.168.1.0/24   192.168.1.1    192.168.1.5
    2         Registration   192.168.2.0/24   192.168.2.1    192.168.2.1
    3         Isolation      192.168.3.0/24   192.168.3.1    192.168.3.1
    4         Inline         192.168.4.0/24   192.168.4.1    192.168.4.1
    100       Voice
Network Interfaces

Here are the NICs' startup scripts on PacketFence.

/etc/sysconfig/network-scripts/ifcfg-eth0:

    DEVICE=eth0
    BROADCAST=192.168.1.255
    IPADDR=192.168.1.5
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    TYPE=Ethernet

/etc/sysconfig/network-scripts/ifcfg-eth0.2:

    DEVICE=eth0.2
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth0.3:

    DEVICE=eth0.3
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.3.1
    NETMASK=255.255.255.0
    VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth0.4:

    DEVICE=eth0.4
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.4.1
    NETMASK=255.255.255.0
    VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth1. This NIC is used for the mirror of the traffic monitored by Snort.

    DEVICE=eth1
    ONBOOT=yes
    BOOTPROTO=none
Trap receiver

PacketFence uses snmptrapd as the trap receiver. It stores the community name used by the switch to send traps in the switch config file (/usr/local/pf/conf/switches.conf):

    [default]
    SNMPCommunityTrap = public

Switch Setup

In our example, we enable inline on a Cisco 2900XL and Port Security on a Cisco Catalyst 2960. Please consult the Network Devices Configuration Guide (http://www.packetfence.org/documentation/) for the complete list of supported switches and configuration instructions.

inline

On the 2900XL, on each interface:

    switchport mode access
    switchport access vlan 4

Port Security

On the 2960, global setup:

    snmp-server community public RO
    snmp-server community private RW
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.1.5 version 2c public port-security

On each interface, you need to initialize the port security by authorizing a fake MAC address with the following commands:

    switchport access vlan 1
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security violation restrict
    switchport port-security mac-address 0200.0000.00xx
where xx stands for the interface index.

Note

Don't forget to update the startup-config.

switches.conf

Note

You can use the Web Administration interface instead of performing the configuration in the flat files.

Here is the /usr/local/pf/conf/switches.conf file for our setup. See Network Device Definition for more information about the content of this file.

    [default]
    SNMPCommunityRead = public
    SNMPCommunityWrite = private
    SNMPCommunityTrap = public
    SNMPVersion = 1
    defaultVlan = 1
    registrationVlan = 2
    isolationVlan = 3
    macDetectionVlan = 5
    VoIPEnabled = no

    [192.168.1.100]
    type = Cisco::Catalyst_2900XL
    mode = production
    uplink = 24

    [192.168.1.101]
    type = Cisco::Catalyst_2960
    mode = production
    uplink = 25
    defaultVlan = 10
    radiusSecret=useStrongerSecret

If you want to have different read/write community names for each switch, declare them in each switch section.
pf.conf

Here is the /usr/local/pf/conf/pf.conf file for our setup. For more information about pf.conf see the Global configuration file (pf.conf) section.

    [general]
    domain=yourdomain.org
    #Put your External/Infra DNS servers here
    dnsservers=4.2.2.2,4.2.2.1
    dhcpservers=192.168.2.1,192.168.3.1,192.168.5.1

    [trapping]
    registration=enabled
    detection=enabled
    range=192.168.2.0/24,192.168.3.0/24,192.168.4.0/24

    [interface eth0]
    mask=255.255.255.0
    type=management
    gateway=192.168.1.1
    ip=192.168.1.5

    [interface eth0.2]
    mask=255.255.255.0
    type=internal
    enforcement=vlan
    gateway=192.168.2.1
    ip=192.168.2.1

    [interface eth0.3]
    mask=255.255.255.0
    type=internal
    enforcement=vlan
    gateway=192.168.3.1
    ip=192.168.3.1

    [interface eth0.4]
    mask=255.255.255.0
    type=internal
    enforcement=inline
    gateway=192.168.4.1
    ip=192.168.4.1

    [interface eth1]
    mask=255.255.255.0
    type=monitor
    gateway=192.168.1.5
    ip=192.168.1.1
Note
If you are running in a high-availability setup (with a cluster IP), make sure to add the vip parameter to the configured management interface so that RADIUS dynamic authorization messages (CoA and disconnect requests) can reach the network equipment correctly.
[interface eth0]
mask=255.255.255.0
type=management
gateway=192.168.1.1
ip=192.168.1.5
vip=192.168.1.6
networks.conf
Here is the /usr/local/pf/conf/networks.conf file for our setup. For more information about networks.conf see DHCP and DNS Server configuration.
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
next_hop=
domain-name=inline.example.com
dns=4.2.2.2,4.2.2.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=inline
named=enabled
dhcpd=enabled
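A networks.conf typo tends to surface only when clients stop getting leases, so as an added example (not PacketFence code) the script below checks each network section for the arithmetic mistakes that the file format does not catch: gateway and DHCP pool inside the subnet, the pool not swallowing the gateway, dhcp_start before dhcp_end, and a default lease time no larger than the maximum. The checks are this example's own, not rules stated by the guide; the sample file is constructed from the guide's registration and inline networks plus one deliberately broken section.

```python
"""Sanity-check the [network] sections of a PacketFence networks.conf.

Added example, not part of PacketFence. The checks are the author's
own plausibility rules, not constraints documented by the guide.
"""
import configparser
import io
import ipaddress

# Constructed sample: the guide's two networks plus a broken one.
SAMPLE = """\
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
next_hop=
domain-name=inline.example.com
dns=4.2.2.2,4.2.2.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=inline
named=enabled
dhcpd=enabled

[192.168.9.0]
netmask=255.255.255.0
gateway=192.168.9.1
next_hop=
domain-name=broken.example.com
dns=192.168.9.1
dhcp_start=192.168.9.1
dhcp_end=192.168.10.50
dhcp_default_lease_time=900
dhcp_max_lease_time=600
type=inline
named=enabled
dhcpd=enabled
"""


def check_networks(text):
    """Return {section: [problems]} for every network with a problem."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(text))
    problems = {}
    for section in parser.sections():
        cfg = parser[section]
        found = []
        # The section name is the network address; netmask gives the prefix.
        net = ipaddress.ip_network("%s/%s" % (section, cfg["netmask"]), strict=False)
        gateway = ipaddress.ip_address(cfg["gateway"])
        start = ipaddress.ip_address(cfg["dhcp_start"])
        end = ipaddress.ip_address(cfg["dhcp_end"])
        if gateway not in net:
            found.append("gateway %s not in %s" % (gateway, net))
        if start not in net or end not in net:
            found.append("DHCP pool %s-%s leaves %s" % (start, end, net))
        if start > end:
            found.append("dhcp_start is after dhcp_end")
        if start <= gateway <= end:
            found.append("gateway %s lies inside the DHCP pool" % gateway)
        if int(cfg["dhcp_default_lease_time"]) > int(cfg["dhcp_max_lease_time"]):
            found.append("dhcp_default_lease_time exceeds dhcp_max_lease_time")
        if found:
            problems[section] = found
    return problems


if __name__ == "__main__":
    for section, found in check_networks(SAMPLE).items():
        for problem in found:
            print("%s: %s" % (section, problem))
```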
Inline enforcement specifics
For another important optional parameter that can be altered to do inline enforcement, see the Inline enforcement configuration section.
In order to have the inline mode working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file, and execute sysctl -p to reload the kernel parameters.
Chapter 7
Optional components
Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P-type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.
In order to be able to block malicious activities, you need to install and configure the Snort or Suricata IDS to talk with PacketFence.
Snort
Installation
The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:
yum install snort
Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all modifications made there will be destroyed on each PacketFence restart.
Suricata
Installation
Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the "old" way.
The OISF provides a really well written how-to for that. It is available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Configuration
PacketFence will provide you with a basic suricata.yaml that you can modify to suit your own needs. The file is located in /usr/local/pf/conf.
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of a violation.
PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf configuration file. The violation format is as follows:
[1234]
desc=Your Violation Description
priority=8
template=
enable=Y
trigger=Detect::2200032,Nessus::11808
actions=email,log,trap
vlan=isolationVlan
whitelisted_categories=

[1234]: the violation ID. Any integer except 1200000-1200099, which is reserved for required administration violations.
desc: single-line description of the violation.
priority: range 1-10, with 1 the highest priority and 10 the lowest. Higher-priority violations will be addressed first if a host has more than one.
template: template name to use while in violation. It must match an HTML file name (without the extension) in the violations templates directory.
enable: if enable is set to N, this violation is disabled and no additional violations of this type will be added.
trigger: method to reference external detection methods. A trigger is formatted as type::ID. The type can be Detect (Snort), Nessus, OpenVAS, OS (DHCP fingerprint detection), UserAgent (browser signature), VendorMAC (MAC address class), SoH (Statement of Health filter), Accounting, etc. In the above example, 2200032 is the Snort ID and 11808 is the Nessus plugin number. The Snort ID does NOT have to match the violation ID.
actions: the list of actions that will be executed on a violation addition. The actions can be:
log: log a message to the file specified in [alerting].log.
email: email the address specified in [alerting].emailaddr, using [alerting].smtpserver. Multiple email addresses can be separated by commas.
trap: isolate the host and place it in violation. It opens a violation and leaves it open. If trap is not there, a violation is opened and then automatically closed.
winpopup: send a Windows popup message. You need to configure [alerting].winserver and [alerting].netbiosname in pf.conf when using this option.
external: execute an external command, specified in [paths].externalapi.
close: close the violation ID specified in the vclose field.
role: change the node's role to the one specified in the target_category field.
autoreg: register the node.
unreg: deregister the node.
vlan: destination VLAN where PacketFence should put the client when a violation of this type is open. The VLAN value can be:
isolationVlan: isolation VLAN as specified in switches.conf. This is the recommended value for most violation types.
registrationVlan: registration VLAN as specified in switches.conf.
normalVlan: normal VLAN as specified in switches.conf. Note: it is preferable not to trap than to trap and put the host in the normal VLAN. Make sure you understand what you are doing.
whitelisted_categories: nodes in a category listed in whitelisted_categories won't be affected by a violation of this type. Format is a comma-separated list of category names.
Also included in violations.conf is the defaults section. The defaults section will set a default value for every violation in the configuration. If a configuration value is not specified in the specific ID, the default will be used:
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
delay_by=0
window=0
vclose=
target_category=
button_text=Enable Network
snort_rules=local.rules,bleeding-attack_response.rules,bleeding-exploit.rules,bleeding-p2p.rules,bleeding-scan.rules,bleeding-virus.rules
vlan=isolationVlan
whitelisted_categories=

max_enable: number of times a host will be able to try and self-remediate before it is locked out and has to call the help desk. This is useful for users who just click through violation pages.
auto_enable: specifies whether a host can self-remediate the violation (Enable Network button) or whether it must call the help desk.
grace: amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.
delay_by: amount of time before the violation action will run.
window: amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead. You can use the allowed time modifiers or the dynamic keyword. Note that the dynamic keyword only works for accounting violations. Dynamic will open the violation according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
vclose: when selecting the "close" action, triggering the violation will close the one you select in the vclose field. This is an experimental workflow for Mobile Device Management (MDM).
target_category: when selecting the "role" action, triggering the violation will change the node's role to the one you select in the target_category field.
button_text: text displayed on the violation form to hosts.
snort_rules: the Snort rules file is the administrator's responsibility. Please change this to point to your violation rules file(s). If you do not specify a full path, the default is /usr/local/pf/conf/snort. If you need to include more than one file, just separate each file name with a comma.
Note
violations.conf is loaded at startup. A restart is required when changes are made to this file.
Example violation
In our example we want to isolate people using Limewire. Here we assume Snort is installed and configured to send alerts to PacketFence. Now we need to configure PacketFence isolation.
Enable the Limewire violation in /usr/local/pf/conf/violations.conf and configure it to trap.
[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
actions=log,trap
enable=Y
max_enable=1
trigger=Detect::2001808
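Because violations.conf is only read at startup, a typo in it is found after the restart, when a violation fails to fire. As an added example (not PacketFence code) the script below parses the file, applies the [defaults] inheritance described above and checks the constraints this section states: the reserved ID range, priority 1-10, the type::ID trigger syntax and known trigger types, the three allowed vlan values, known actions, and that a close action names a vclose target and a role action a target_category. The sample file is constructed from the guide's [defaults] block and Limewire violation plus one deliberately broken entry; the set of trigger types is the list given in this section and nothing more.

```python
"""Parse a PacketFence violations.conf and validate each violation.

Added example, not part of PacketFence. Inheritance from [defaults]
and the checked constraints follow this section of the guide.
"""
import configparser
import io

RESERVED_IDS = range(1200000, 1200100)   # reserved for administration violations
TRIGGER_TYPES = {"Detect", "Nessus", "OpenVAS", "OS", "UserAgent",
                 "VendorMAC", "SoH", "Accounting"}
VLAN_VALUES = {"isolationVlan", "registrationVlan", "normalVlan"}
ACTIONS = {"log", "email", "trap", "winpopup", "external", "close",
           "role", "autoreg", "unreg"}

# Constructed sample: the guide's defaults, its Limewire violation and
# one entry that breaks several rules at once.
SAMPLE = """\
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
delay_by=0
window=0
vclose=
target_category=
button_text=Enable Network
snort_rules=local.rules,bleeding-attack_response.rules
vlan=isolationVlan
whitelisted_categories=

[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
actions=log,trap
enable=Y
max_enable=1
trigger=Detect::2001808

[1200010]
desc=Broken: reserved ID, bad priority, bad trigger, bad vlan, dangling close/role
priority=11
actions=close,role
trigger=Nessus:11808
vlan=guestVlan
"""


def load_violations(text):
    """Return {violation_id: effective settings} with [defaults] applied."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key case as written
    parser.read_file(io.StringIO(text))
    defaults = dict(parser["defaults"]) if parser.has_section("defaults") else {}
    result = {}
    for section in parser.sections():
        if section == "defaults":
            continue
        cfg = dict(defaults)
        cfg.update(parser[section])   # per-violation keys override defaults
        result[section] = cfg
    return result


def parse_trigger(value):
    """Split 'Detect::2001808,Nessus::11808' into [(type, id), ...]."""
    triggers = []
    for item in filter(None, (t.strip() for t in value.split(","))):
        ttype, sep, tid = item.partition("::")
        if not sep or not tid:
            raise ValueError("malformed trigger %r (want type::ID)" % item)
        if ttype not in TRIGGER_TYPES:
            raise ValueError("unknown trigger type %r" % ttype)
        triggers.append((ttype, tid))
    return triggers


def validate(text):
    """Return {violation_id: [problems]} for every violation with problems."""
    problems = {}
    for vid, cfg in load_violations(text).items():
        found = []
        if not vid.isdigit():
            found.append("violation ID must be an integer")
        elif int(vid) in RESERVED_IDS:
            found.append("ID %s is in the reserved range 1200000-1200099" % vid)
        if not cfg.get("priority", "").isdigit() or not 1 <= int(cfg["priority"]) <= 10:
            found.append("priority must be 1-10")
        try:
            parse_trigger(cfg.get("trigger", ""))
        except ValueError as exc:
            found.append(str(exc))
        if cfg.get("vlan") not in VLAN_VALUES:
            found.append("vlan %r is not isolationVlan/registrationVlan/normalVlan" % cfg.get("vlan"))
        actions = set(filter(None, (a.strip() for a in cfg.get("actions", "").split(","))))
        for bad in sorted(actions - ACTIONS):
            found.append("unknown action %r" % bad)
        if "close" in actions and not cfg.get("vclose"):
            found.append("action close needs vclose")
        if "role" in actions and not cfg.get("target_category"):
            found.append("action role needs target_category")
        if found:
            problems[vid] = found
    return problems


if __name__ == "__main__":
    for vid, found in validate(SAMPLE).items():
        print(vid, "->", "; ".join(found))
```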
Compliance Checks
PacketFence supports either Nessus or OpenVAS as a scanning engine for compliance checks.
Installation
Nessus
Please visit http://www.nessus.org/download/ to download and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.
After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus server, and to create a user for PacketFence.
Note
You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system (http://packetfence.org/bugs/view.php?id=1841) for more information.
OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.
Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the file names.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.
Configuration
In order for the compliance checks to work correctly with PacketFence (communication and generating violations inside PacketFence), you must configure two sections:
pf.conf
Adjust the settings in the scan section like the following. Don't hesitate to refer to the documentation.conf file for help on these parameters and which of them to configure.
Using Nessus:
[scan]
engine=nessus
host=127.0.0.1
nessus_clientpolicy=basic-policy
pass=nessusUserPassword
registration=enabled
user=nessusUsername
Of course the basic-policy must exist on the Nessus server. If you want to use a different Nessus policy by category, you have to adjust settings like the following:
[nessus_category_policy]
guest=guest_policy
wifi=wifi_policy
A node which is registered as a guest will be scanned by the guest_policy, etc.
You can also use a different Nessus policy based on the DHCP fingerprint; you have to adjust settings like the following:
[nessus_scan_by_fingerprint]
Android=Android
Mac OS X=MACOSX
Microsoft Windows=Windows
iPhone=IOS
A node with a fingerprint containing Android will be scanned by the Android policy, etc.
Note: if there is no policy based on the DHCP fingerprint then PacketFence will try to use the policy based on category, and if that does not exist either then PacketFence will use the default policy defined by nessus_clientpolicy.
Using OpenVAS:
[scan]
engine=openvas
host=127.0.0.1
openvas_configid=openvasScanConfigId
openvas_reportformatid=openvasNBEReportFormatId
pass=openvasUserPassword
registration=enabled
user=openvasUsername
violations.conf
You need to create a new violation section and have to specify:
Using Nessus:
trigger=Nessus::violationId
Using OpenVAS:
trigger=OpenVAS::violationId
where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:
$ pfcmd reload violations
Note
Violations will trigger only if the plugin's result is rated higher than a low-severity vulnerability.
Scan on registration
To perform a system scan before giving access to a host on the network you need to enable the scan.registration parameter in pf.conf. If you want to scan a device that has been auto-registered through an 802.1X connection, you need to enable the scan.dot1x parameter in pf.conf. The default EAP-Type that will be scanned is MS-CHAP-V2 but you can configure other EAP-Types (such as MD5-Challenge) by adding them to scan.dot1x_type as a comma-separated list of values (look at the dictionary.freeradius.internal file bundled with FreeRADIUS for the list of EAP-Types).
It is also recommended to adjust scan.duration to reflect how long the scan takes. A progress bar of this duration will be shown to the user while he is waiting. By default, we set this variable to 60s.
Hosting Nessus/OpenVAS remotely
Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it be hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.
RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.
Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:
Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]
Let's explain each chunk properly:
- DIRECTION: you can either set a limit on inbound (IN), outbound (OUT), or total (TOT) bandwidth.
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB), or petabytes (PB).
- INTERVAL: this is actually the time window we will look at for potential abuse. You can set a number of days (D), weeks (W), months (M), or years (Y).
Example triggers
Look for incoming (download) traffic with a 50GB/month limit:
Accounting::IN50GB1M
Look for outgoing (upload) traffic with a 500MB/day limit:
Accounting::OUT500MB1D
Look for total (download + upload) traffic with a 200GB limit in the last week:
Accounting::TOT200GB1W
Grace period
When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted!) or too high. We recommend that you set the grace period to one interval window.
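To make the trigger grammar and the window semantics concrete, here is an added example (not PacketFence code) that parses Accounting:: triggers with the grammar given above and evaluates them against a node's accounting history. The accounting records, the IN/OUT field names and the summing are this example's own model of the documented intent, not PacketFence's data model; a month is approximated as 30 days and a year as 365, whereas PacketFence's dynamic window (see the window option above) works in calendar months.

```python
"""Parse and evaluate PacketFence Accounting:: violation triggers.

Added example, not part of PacketFence. Grammar:
Accounting::[DIRECTION][LIMIT][INTERVAL(optional)] as described in the
guide. The accounting history and its summing are a constructed model.
"""
import re
from datetime import datetime, timedelta

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Assumption of this example: M and Y are approximated as fixed lengths.
INTERVALS = {"D": timedelta(days=1), "W": timedelta(weeks=1),
             "M": timedelta(days=30), "Y": timedelta(days=365)}
TRIGGER_RE = re.compile(
    r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)(D|W|M|Y))?$")


def parse_accounting_trigger(trigger):
    """Return (direction, limit_in_bytes, window as timedelta or None)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not an Accounting trigger: %r" % trigger)
    direction, amount, unit, count, period = m.groups()
    limit = int(amount) * UNITS[unit]
    window = int(count) * INTERVALS[period] if count else None
    return direction, limit, window


def usage(records, direction, window, now):
    """Sum the bytes of the records inside the window for one direction.

    records: list of {"time": datetime, "in": download bytes, "out": upload bytes}
    (constructed layout for this example). A window of None means all history.
    """
    start = now - window if window else None
    total = 0
    for rec in records:
        if start is not None and rec["time"] < start:
            continue
        if direction == "IN":
            total += rec["in"]
        elif direction == "OUT":
            total += rec["out"]
        else:
            total += rec["in"] + rec["out"]
    return total


def check(trigger, records, now):
    """Return (exceeded, used_bytes, limit_bytes) for one node's history."""
    direction, limit, window = parse_accounting_trigger(trigger)
    used = usage(records, direction, window, now)
    return used > limit, used, limit


# Constructed accounting history for a single node.
NOW = datetime(2015, 3, 31, 12, 0)
GB = UNITS["GB"]
MB = UNITS["MB"]
RECORDS = [
    {"time": NOW - timedelta(days=40), "in": 30 * GB, "out": 1 * GB},   # outside 1M
    {"time": NOW - timedelta(days=10), "in": 20 * GB, "out": 2 * GB},
    {"time": NOW - timedelta(days=2),  "in": 25 * GB, "out": 300 * MB},
    {"time": NOW - timedelta(hours=3), "in": 10 * GB, "out": 400 * MB},
]

if __name__ == "__main__":
    for trig in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D",
                 "Accounting::TOT200GB1W", "Accounting::IN50GB"):
        exceeded, used, limit = check(trig, RECORDS, NOW)
        print("%-24s used=%.1f GB limit=%.1f GB -> %s"
              % (trig, used / GB, limit / GB, "VIOLATION" if exceeded else "ok"))
```

Note how the same 40-day-old record counts for the unbounded IN50GB trigger but not for IN50GB1M: without an interval every byte the node ever moved is counted, which is rarely what an administrator wants.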
Oinkmaster
Oinkmaster is a Perl script that makes it very easy to update the different Snort rules. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
Here are the steps to make Oinkmaster work. We will assume that you have already downloaded the newest Oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.
Rules update
In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Floating Network Devices
Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile access points.
Caution
Right now PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that connect through this device (or appear on the port) and, if necessary, configure the port as multi-VLAN (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port as it was before the device was plugged in.
Here is how it works:
Configuration
- Floating network devices have to be identified using their MAC address.
- linkup/linkdown traps are not enabled on the switches, only port-security traps are.
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- if the device is configured as a trunk, it sets the port as multi-VLAN (trunk) and sets the tagged VLANs
- it enables linkdown traps
When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps
Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration > Network > Floating devices
Here are the settings that are available:
MAC Address: MAC address of the floating device.
IP Address: IP address of the floating device (not required, for information only).
trunkPort: yes/no. Should the port be configured as a multi-VLAN port?
pvid: VLAN in which PacketFence should put the port.
taggedVlan: comma-separated list of VLANs. If the port is multi-VLAN, these are the VLANs that have to be tagged on the port.
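The two trap handlers above form a small state machine per port, and the part that matters for security is that the port only stays without port-security while linkdown traps are enabled and that the pre-plug configuration is restored on unplug. The following added example (not PacketFence code) models exactly that workflow: a floating device table with the fields of floating_network_device.conf, the port settings PacketFence touches, and the two trap events. The port representation, the class names and the device entries are constructed for this example; what a trap for a regular device does is left to PacketFence's normal VLAN assignment and is not modelled.

```python
"""Model of the floating-network-device port workflow described above.

Added example, not PacketFence code. Port fields and the two event
handlers follow the guide's description; the data layout is assumed.
"""
from dataclasses import dataclass, replace


@dataclass
class PortConfig:
    """Per-port settings PacketFence changes for floating devices."""
    port_security: bool = True
    linkdown_traps: bool = False     # only port-security traps are on by default
    pvid: int = 1
    trunk: bool = False
    tagged_vlans: tuple = ()


@dataclass
class FloatingDevice:
    """One entry of floating_network_device.conf (constructed layout)."""
    mac: str
    pvid: int
    trunk_port: bool = False
    tagged_vlans: tuple = ()
    ip: str = ""                     # informational only, as in the conf file


class FloatingDeviceHandler:
    def __init__(self, devices):
        self.devices = {d.mac.lower(): d for d in devices}
        self.ports = {}              # ifindex -> current PortConfig
        self.saved = {}              # ifindex -> PortConfig before the device was plugged

    def port(self, ifindex):
        return self.ports.setdefault(ifindex, PortConfig())

    def on_port_security_trap(self, ifindex, mac):
        """Return True if mac is a floating device and the port was reconfigured."""
        device = self.devices.get(mac.lower())
        if device is None:
            return False             # regular device: normal VLAN assignment, not modelled
        current = self.port(ifindex)
        if ifindex not in self.saved:
            self.saved[ifindex] = replace(current)   # remember the pre-plug state
        self.ports[ifindex] = PortConfig(
            port_security=False,                     # disable port-security
            linkdown_traps=True,                     # enable linkdown traps
            pvid=device.pvid,                        # set the PVID
            trunk=device.trunk_port,                 # trunk + tagged VLANs if configured
            tagged_vlans=device.tagged_vlans if device.trunk_port else (),
        )
        return True

    def on_linkdown_trap(self, ifindex):
        """Restore the pre-plug configuration; return True if there was one."""
        before = self.saved.pop(ifindex, None)
        if before is None:
            return False             # linkdown traps are only enabled on floating ports
        # Back to port-security with linkdown traps off, as before the plug.
        self.ports[ifindex] = replace(before, port_security=True, linkdown_traps=False)
        return True


if __name__ == "__main__":
    handler = FloatingDeviceHandler([
        FloatingDevice(mac="00:1b:2c:3d:4e:5f", pvid=10, trunk_port=True, tagged_vlans=(2, 3)),
    ])
    handler.on_port_security_trap(7, "00:1B:2C:3D:4E:5F")
    print("plugged:  ", handler.port(7))
    handler.on_linkdown_trap(7)
    print("unplugged:", handler.port(7))
```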
Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different access to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.
Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users > Create menu.
Guestpre-re