Administration Guide for PacketFence version 4.7.0

Administration Guide by Inverse Inc.
Version 4.7.0 - Mar 2015
Copyright © 2015 Inverse inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL

Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".

Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Table of Contents

About this Guide  1
  Other sources of information  1
Introduction  2
  Features  2
  Network Integration  5
  Components  6
System Requirements  7
  Assumptions  7
  Minimum Hardware Requirements  7
  Operating System Requirements  8
Installation  9
  OS Installation  9
  Software Download  10
  Software Installation  10
Configuration  12
  First Step  12
  Web-based Administration Interface  13
  Global configuration file (pf.conf)  13
  Apache Configuration  13
  SELinux  14
  Roles Management  14
  Authentication  15
  Network Devices Definition (switches.conf)  17
  Default VLAN/role assignment  20
  Inline enforcement configuration  21
  Hybrid mode  21
  WebAuth mode  22
  DHCP and DNS Server Configuration (networks.conf)  22
  Production DHCP access  23
  Routed Networks  25
  FreeRADIUS Configuration  28
  Starting PacketFence Services  35
  Log files  35
  Passthrough  35
  Proxy Interception  36
Configuration by example  37
  Assumptions  37
  Network Interfaces  38
  Switch Setup  39
  switches.conf  40
  pf.conf  41
  networks.conf  42
  Inline enforcement specifics  43
Optional components  45
  Blocking malicious activities with violations  45
  Compliance Checks  49
  RADIUS Accounting  52
  Oinkmaster  53
  Floating Network Devices  54
  Guests Management  55
  Statement of Health (SoH)  58
  Apple and Android Wireless Provisioning  60
  SNMP Traps Limit  61
  Billing Engine  62
  Portal Profiles  63
  OAuth2 Authentication  64
  Devices Registration  66
  Eduroam  66
  VLAN Filter Definition  70
  Active Directory Integration  72
Firewall SSO  76
  Fortigate  76
  Palo Alto  77
Operating System Best Practices  79
  IPTables  79
  Log Rotations  79
  High Availability  79
Performance optimization  87
  MySQL optimizations  87
  Captive Portal Optimizations  90
Frequently Asked Questions  91
Technical introduction to VLAN enforcement  92
  Introduction  92
  VLAN assignment techniques  92
  More on SNMP traps VLAN isolation  93
Technical introduction to Inline enforcement  96
  Introduction  96
  Device configuration  96
  Access control  96
  Limitations  97
Technical introduction to Hybrid enforcement  98
  Introduction  98
  Device configuration  98
More on VoIP Integration  99
  CDP and LLDP are your friend  99
  VoIP and VLAN assignment techniques  99
  What if CDP/LLDP feature is missing  100
Additional Information  101
Commercial Support and Contact Information  102
GNU Free Documentation License  103
A. Administration Tools  104
  pfcmd  104
  pfcmd_vlan  106
  Web Admin GUI  108
B. Manual FreeRADIUS 2 configuration  109
  Configuration  109
  Optional: Wired or Wireless 802.1X configuration  110

Chapter 1. About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

Network Devices Configuration Guide: Covers switch, controller and access point configuration.

Developers Guide: Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS: This is, at least, a partial file of PacketFence contributors.

NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog: Covers all changes to the source code.

These files are included in the package and release tarballs.

Chapter 2. Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort/Suricata IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security, while allowing older hardware to still be secured using Inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (WebAuth Enforcement): PacketFence can also be configured as a hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).

802.1X: 802.1X wireless and wired is supported through a FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer viruses, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus or OpenVAS vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creation and imports.

Gaming devices registration: A registered user can access a special Web page to register a gaming device of his own. This registration process will require login from the user and then will register gaming devices with a pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.

Network Integration

[Figure: network integration diagram]

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

[Figure: PacketFence components diagram]

Chapter 3. System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)

Depending on your setup you may have to install additional components like:

- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you are missing some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

The following table provides recommendations for the required components, together with version numbers:

MySQL server: MySQL 5.1
Web server: Apache 2.2
DHCP server: DHCP 4.1
RADIUS server: FreeRADIUS 2.2.0
Snort: Snort 2.9.1
Suricata: Suricata 1.4.1

More recent versions of the software mentioned above can also be used.

Minimum Hardware Requirements

The following provides a list of server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 4 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card
  - +1 for high-availability
  - +1 for intrusion detection

Operating System Requirements

PacketFence supports the following operating systems on the i386 or x86_64 architectures:

- Red Hat Enterprise Linux 6.x Server
- Community ENTerprise Operating System (CentOS) 6.x
- Debian 7.0 (Wheezy)
- Ubuntu 12.04 LTS

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!

Chapter 4. Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with a minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

    yum update

On a Debian or Ubuntu system, do:

    apt-get update
    apt-get upgrade

Red Hat-based systems

Note: Includes CentOS and Scientific Linux. Both i386 and x86_64 architectures are supported.

RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only. Derivatives such as CentOS or Scientific Linux don't need to take the extra steps.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

    rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian and Ubuntu

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides an RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian and Ubuntu, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL/CentOS

In order to use the PacketFence repository:

    # rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-1.el6.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    yum groupinstall --enablerepo=packetfence Packetfence-complete

Or, if you prefer, to install only the core PacketFence without all the external services, you can use:

    yum install --enablerepo=packetfence packetfence

Debian and Ubuntu

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list with the following content when using Debian 7.0 (Wheezy):

    deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy

Or when using Ubuntu 12.04 LTS:

    deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
    sudo apt-get update
    sudo apt-get install packetfence

The key is fetched by its short (32-bit) ID, which is not collision-resistant; before installing from the repository, compare the full fingerprint of the imported key (apt-key finger) with the one published by Inverse.

Chapter 5. Configuration

In this section, you'll learn how to configure PacketFence. PacketFence will use MySQL, Apache, ISC DHCP, iptables and FreeRADIUS. As previously mentioned, we assume that those components run on the same server on which PacketFence is being installed.

First Step

The first step after installing the necessary packages is the configuration step. PacketFence provides a helpful and detailed web-based configurator.

As mentioned at the end of the package installation, fire up a web browser and go to https://@ip_of_packetfence:1443/configurator. From there, the configuration process is split into six (6) distinct steps, after which you'll have a working PacketFence setup.

Step 1: Enforcement technique. You'll choose either VLAN enforcement, inline enforcement or both;

Step 2: Network configuration. You'll be able to configure the network interfaces of the system as well as assign the correct interfaces for each of the required types of the chosen enforcement technique(s);

Step 3: Database configuration. This step will create the PacketFence database and populate it with the correct structure. A MySQL user will also be created and assigned to the newly created database;

Step 4: General configuration. You will need to configure some of the basic PacketFence configuration parameters;

Step 5: Administrative user. This step will ask you to create an administrative user that will be able to access the web-based administration interface once the services are functional;

Step 6: Let's do this! See the status of your configuration and start your new NAC!

Note: Keep in mind that the resulting PacketFence configuration will be located under /usr/local/pf/conf/ and the configuration files can always be adjusted by hand afterward or from PacketFence's Web GUI.

Web-based Administration Interface

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user. If not, the default password is also admin; change it before the interface is reachable from anything but your management network.

Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/

Global configuration file (pf.conf)

The /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apache Configuration

PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal and httpd.webservices.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced at any time by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

Captive Portal

Important parameters to configure regarding the captive portal are the following:

Redirect URL under Configuration > Portal Profile > Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration > Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine, where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP here. By default we will make this reach PacketFence's website as an easier and more accessible solution.

SELinux

Even if this feature may be wanted by some organizations, PacketFence will not run properly if SELinux is set to enforcing. You will need to explicitly disable it in the /etc/selinux/config file.

Roles Management

Roles in PacketFence can be created from PacketFence's administrative GUI, from the Configuration > Users > Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.

Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs or internal roles on equipment from the Configuration > Network > Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- Email
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI, from the Configuration > Users > Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all its actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration > Portal Profiles. Each portal profile has a list of authentication sources to use.

  • Chapter5

    Copyright2015Inverseinc. Configuration 16

    ExampleLetssaywehavetworoles:guestandemployee.First,wedefinethemConfigurationUsersRoles.

    Now,wewanttoauthenticateemployeesusingActiveDirectory (overLDAP),andguestsusingPacketFencesinternaldatabase-bothusingPacketFencescaptiveportal.FromtheConfigurationUsersSources,weselectAddsourceAD.Weprovidethefollowinginformation:

    Name:ad1 Description:ActiveDirectoryforEmployees Host:192.168.1.2:389withoutSSL/TLS BaseDN:CN=Users,DC=acme,DC=local Scope:One-level UsernameAttribute:sAMAccountName BindDN:CN=Administrator,CN=Users,DC=acme,DC=local Password:acme123

    Then, we add a rule by clicking on the Add rule button and provide the following information:

    Name: employees
    Description: Rule for all employees
    Don't set any condition (as it's a catch-all rule)
    Set the following actions:

    Set role → employee

    Set unregistration date → January 1st, 2020

    Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

    Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Configuration → Users → Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.

    If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source, for machines:

    Name: ad1
    Description: Active Directory for Machines
    Host: 192.168.1.2:389 without SSL/TLS
    Base DN: CN=Computers,DC=acme,DC=local
    Scope: One-level
    Username Attribute: servicePrincipalName
    Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
    Password: acme123

    Then, we add a rule:

    Name: machines
    Description: Rule for all machines
    Don't set any condition (as it's a catch-all rule)
    Set the following actions:

    Set role → machineauth

    Set unregistration date → January 1st, 2020

    Note that when a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls, and accept everything.
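The ordering rules above (sources in order, rules in order, a rule with no condition as a catch-all, and "first match wins" stopping evaluation across every remaining source) are easy to get wrong when several sources know the same username. The following is an added example, not PacketFence code, that models that evaluation with constructed sources and users mirroring the employee/guest walk-through; the attribute names (memberOf) and the action keys are assumptions chosen for illustration.

```python
# Added example (not PacketFence code): a model of "first match wins" rule
# evaluation over ordered authentication sources. All data is constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A condition is a predicate over the attributes a source returned for a user.
Condition = Callable[[dict], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition] = field(default_factory=list)  # empty => catch-all (fallback)
    actions: Dict[str, str] = field(default_factory=dict)      # e.g. {"role": "employee"}

    def matches(self, attrs: dict) -> bool:
        # all() over an empty list is True: that is exactly the fallback semantics
        return all(cond(attrs) for cond in self.conditions)


@dataclass
class Source:
    name: str
    users: Dict[str, dict]                  # username -> attributes; stands in for the AD/LDAP/SQL lookup
    rules: List[Rule] = field(default_factory=list)


def authenticate(sources: List[Source], username: str) -> Optional[dict]:
    """Sources in order, then rules in order; the first matching rule's actions
    are returned and evaluation stops for every later source."""
    for source in sources:
        attrs = source.users.get(username)
        if attrs is None:
            continue                        # unknown here: even a catch-all rule cannot match
        for rule in source.rules:
            if rule.matches(attrs):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None                             # no source accepted the user


def member_of(group_dn: str) -> Condition:
    return lambda attrs: group_dn in attrs.get("memberOf", [])


# Constructed data: an AD-like source for employees, tested before the
# internal database used for guests. "alice" exists in both on purpose.
AD = Source(
    name="ad1",
    users={
        "alice": {"memberOf": ["CN=IT,DC=acme,DC=local"]},
        "bob": {"memberOf": []},
    },
    rules=[
        Rule("it_staff", [member_of("CN=IT,DC=acme,DC=local")],
             {"role": "it", "unregdate": "2020-01-01"}),
        Rule("employees", [], {"role": "employee", "unregdate": "2020-01-01"}),  # catch-all
    ],
)
LOCAL = Source(
    name="local",
    users={"visitor": {}, "alice": {}},
    rules=[Rule("guests", [], {"role": "guest", "access_duration": "1 day"})],
)
SOURCES = [AD, LOCAL]

if __name__ == "__main__":
    for user in ("alice", "bob", "visitor", "mallory"):
        print(user, "->", authenticate(SOURCES, user))
```

Because `ad1` is listed first, `alice` gets the `it` role from AD and the local `guests` rule is never consulted for her; `mallory`, unknown to both sources, is refused even though both sources carry a catch-all rule, which is the behaviour the note above describes for AD, LDAP and htpasswd sources.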

    Network Devices Definition (switches.conf)

    This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

    PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it in the Web Administration panel under Configuration → Network → Switches.

    This file contains a default section including:

    Default SNMP read/write communities for the switches
    Default working mode (see note about working mode below)

    and a switch section for each switch (managed by PacketFence) including:

    Switch IP
    Switch vendor/type
    Switch uplink ports (trunks and non-managed ports)
    per-switch re-definition of the VLANs (if required)

    Note

    switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload.

    Working modes

    There are three different working modes:

    Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

    Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

    Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

    SNMP v1, v2c and v3

    PacketFence uses SNMP to communicate with most switches. Starting with 1.8, PacketFence now supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch.

    From PacketFence to a switch

    Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

    From a switch to PacketFence

    Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

    Switch Configuration

    Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch.

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security


    Command-Line Interface: Telnet and SSH

    Warning

    Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

    PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can now use SSH. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

    It can also be done through the Web Administration Interface under Configuration → Switches.

    Web Services Interface

    PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

    Note

    As of PacketFence 1.9.1, few switches require Web Services configuration in order to work. It can also be done through the Web Administration Interface under Configuration → Switches.

    RADIUS Secret

    For certain authentication mechanisms, such as 802.1X or MAC Authentication, the RADIUS server needs to have the network device in its client list. As of PacketFence 3.0, we now use a database backend to store the RADIUS client information. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

    Also, starting with PacketFence 3.1, the RADIUS secret is required for our support of RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

    http://www.packetfence.org/bugs/view.php?id=1370


    Role-based enforcement support

    Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more precise to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

    PacketFence supports assigning roles on devices that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

    Thecurrentformatisthefollowing:

    Format: <internal role>Role=<external role>

    And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

    would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales.

    Caution

    Make sure that the roles are properly defined on the network devices prior to assigning roles!

    Default VLAN/role assignment

    This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

    The default VLAN assignment technique used in PacketFence is a per-switch one. The correct default VLAN for a given MAC is determined based on the role computed by PacketFence during the registration process for the device, or dynamically during an 802.1X authentication. The computed internal role will then be mapped to either a VLAN or an external role for the specific equipment the user is connected to.

    This allows you to do easy per-building VLAN/role segmentation.

    If you need more flexibility than what can be defined from PacketFence's authentication sources (rules/conditions/actions), take a look at the FAQ entry Custom VLAN assignment behavior available online.

    http://www.packetfence.org/support/faqs/article/custom-vlan-assignment-behavior.html


    Inline enforcement configuration

    This section applies only for inline enforcement. Users planning to do VLAN enforcement only can skip this section.

    Inline enforcement is a very convenient method of performing access control on older network hardware that is not capable of doing VLAN enforcement or that is not supported by PacketFence. This technique is covered in detail in the "Technical introduction to Inline enforcement" section.

    An important configuration parameter to keep in mind when configuring inline enforcement is that the DNS reached by these users should be your actual production DNS server, which shouldn't be in the same broadcast domain as your inline users. The next section shows you how to configure the proper inline interface, and it is in this section that you should refer to the proper production DNS.

    Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces. A node registered on the first inline interface is marked with an ip:mac tuple (for L2; only ip for L3), so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first VLAN. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change VLAN.

    The outgoing interface should be specified by adding in pf.conf the option interfaceSNAT in the inline section. It is a comma-delimited list of network interfaces like eth0,eth0.100. It's also possible to specify a network that will be routed instead of using NAT by adding in conf/networks.conf an option nat=no under one or more network sections.

    Another important setting is the gateway statement. Since this is the only way to get the PacketFence server inline interface IP address, it is mandatory to set it to this IP (which is supposed to be the same as in the ip statement of the inline interface in conf/pf.conf).

    Hybrid mode

    This section applies for hybrid support for the manageable devices that support 802.1X or MAC authentication.

    Hybrid enforcement is a mixed method that offers the use of inline enforcement mode with VLAN enforcement mode on the same device. This technique is covered in detail in the "Technical introduction to Hybrid enforcement" section.


    Web Auth mode

    This section applies for web authentication support for manageable devices that support web authentication with an external captive portal.

    Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

    DHCP and DNS Server Configuration (networks.conf)

    PacketFence automatically generates the DHCP configuration files for Registration, Isolation and Inline VLANs. This is done by editing the network interfaces from the configuration module of the administration Web interface (see the First Step section). The parameters of each network section are:

    Parameter                  Description
    network                    Network subnet
    netmask                    Network mask
    gateway                    PacketFence IP address in this network
    next_hop                   Used only with routed networks; IP address of the router in this network (this is used to locally create static routes to the routed networks). See the Routed Networks section.
    domain-name                DNS name
    dns                        PacketFence IP address in this network. In inline type, set it to a valid production DNS server
    dhcp_start                 Starting IP address of the DHCP scope
    dhcp_end                   Ending IP address of the DHCP scope
    dhcp_default_lease_time    Default DHCP lease time
    dhcp_max_lease_time        Maximum DHCP lease time
    type                       vlan-registration or vlan-isolation or inline
    named                      Is PacketFence the DNS for this network? (Enabled/Disabled) Set it to enabled
    dhcpd                      Is PacketFence the DHCP server for this network? (Enabled/Disabled) Set it to enabled
    nat                        Does PacketFence route or NAT the traffic for this network? (yes/no) NAT is enabled by default; set it to no to route

    When starting, PacketFence generates the DHCP configuration files by reading the information provided in networks.conf:

    The DHCP configuration file is written to var/conf/dhcpd.conf using conf/dhcpd.conf as a template.

    Production DHCP access

    In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

    For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

    Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

    IP Helpers (recommended)

    If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

    Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

    By default no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

    Obtain a copy of the DHCP traffic

    Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

    /etc/sysconfig/network-scripts/ifcfg-eth2:


    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

    Add to pf.conf (the IPs are not important; they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

    Restart PacketFence and you should be good to go.

    Interface in every VLAN

    Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

    On the network side you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

    On the PacketFence side, first you need an operating system VLAN interface like the one below. Stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

    Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener.

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

    Repeat the above for all your production VLANs, then restart PacketFence.
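Whichever of the three techniques delivers the copy (ip helper-address, port mirroring onto a dhcp-listener interface, or a VLAN interface per production VLAN), the listener's job is the same: decode the DHCP payload and learn which IP the server committed to which MAC. The following added example, not PacketFence's pfdhcplistener, shows that decoding on constructed packets; the addresses, MAC and transaction id are made up, and only a DHCPACK updates the table because an OFFER is not yet a binding.

```python
# Added example (not PacketFence's pfdhcplistener): passive DHCP decoding that
# maps MAC -> IP from server replies. Packets are constructed below; nothing
# is sent on the network.
import ipaddress
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_HOSTNAME, OPT_LEASE, OPT_MSG_TYPE, OPT_END = 0, 12, 51, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(packet: bytes) -> dict:
    """Decode the BOOTP fixed header and the TLV option area of a DHCP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, giaddr) = struct.unpack("!BBBBIHH4s4s4s4s", packet[:28])
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")      # never trust the length byte
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE)
    return {
        "op": op,
        "xid": xid,
        "mac": mac,
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),   # non-zero: arrived through a relay / ip helper
        "type": MSG_TYPES.get(msg_type[0], "UNKNOWN") if msg_type else "UNKNOWN",
        "hostname": options[OPT_HOSTNAME].decode(errors="replace") if OPT_HOSTNAME in options else None,
        "lease": struct.unpack("!I", options[OPT_LEASE])[0] if OPT_LEASE in options else None,
    }


class LeaseTable:
    """MAC -> (IP, lease seconds), learned only from DHCPACK, the one message
    that confirms the server actually committed the address."""

    def __init__(self) -> None:
        self.leases: Dict[str, Tuple[str, Optional[int]]] = {}

    def observe(self, packet: bytes) -> Optional[Tuple[str, str]]:
        msg = parse_dhcp(packet)
        if msg["op"] != BOOTREPLY or msg["type"] != "ACK" or msg["yiaddr"] == "0.0.0.0":
            return None                 # OFFERs and client messages are not bindings
        self.leases[msg["mac"]] = (msg["yiaddr"], msg["lease"])
        return msg["mac"], msg["yiaddr"]


def build_dhcp(op: int, msg_type: int, mac: str, yiaddr: str = "0.0.0.0",
               giaddr: str = "0.0.0.0", lease: Optional[int] = None) -> bytes:
    """Assemble a minimal DHCP payload (constructed test data, Ethernet hlen=6)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                         b"\0" * 4, ipaddress.IPv4Address(giaddr).packed)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:
        opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_END])
    return header + chaddr + b"\0" * 64 + b"\0" * 128 + DHCP_MAGIC + opts


# Constructed exchange as a relay with ip helper-address 10.0.101.1 would copy it.
CLIENT = "00:11:22:33:44:55"
OFFER = build_dhcp(BOOTREPLY, 2, CLIENT, "10.0.101.23", "10.0.101.1", 3600)
ACK = build_dhcp(BOOTREPLY, 5, CLIENT, "10.0.101.23", "10.0.101.1", 3600)

if __name__ == "__main__":
    table = LeaseTable()
    for pkt in (OFFER, ACK):
        print(parse_dhcp(pkt)["type"], "->", table.observe(pkt))
    print(table.leases)
```

The bounds check on the option length byte matters here because the listener processes whatever the mirror or relay hands it: a malformed frame must raise and be dropped, not corrupt the table or crash the daemon.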

    Host production DHCP on PacketFence

    It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

    http://www.packetfence.org/bugs/view.php?id=1050


    Routed Networks

    If your isolation and registration networks are not locally reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

    For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.

    If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only.

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

    Note

    PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

    Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

    conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

    For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

    If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


    FreeRADIUS Configuration

    This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper VLAN to the network equipment.

    Option 1: Dynamic switch configuration

    Since PacketFence version 4.1 you are now able to enable dynamic clients. It means that when you add a new switch configuration in PacketFence's administration interface you don't have to restart the radiusd service.

    To enable this feature, make a symlink in the /usr/local/pf/raddb/sites-enabled directory:

    ln -s ../sites-available/dynamic-clients dynamic-clients

    and of course restart radiusd:

    /usr/local/pf/bin/pfcmd service radiusd restart

    Option 2: Authentication against Active Directory (AD)

    Samba/Kerberos/Winbind

    Install Samba 3 and NOT Samba 4. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

    For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

    Note

    If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

    When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

    For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

    Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15

    For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50

    Issue a kinit and klist in order to get and verify the Kerberos token:

    # kinit administrator
    # klist

    After that, you need to start samba, and join the machine to the domain:


    # service smb start
    # chkconfig --level 345 smb on
    # net ads join -U administrator

    Note that for Debian and Ubuntu you will probably have this error:

    # kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    # Join to domain is not valid: Invalid credentials

    For CentOS/RHEL:

    # usermod -a -G wbpriv pf

    Finally, start winbind, and test the setup using ntlm_auth and radtest:

    # service winbind start
    # chkconfig --level 345 winbind on

    For Debian and Ubuntu:

    # usermod -a -G winbindd_priv pf
    # ntlm_auth --username myDomainUser
    # radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

    Option 3: Local Authentication

    Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

    Option 4: Authentication against OpenLDAP

    To be contributed...


    Option 5: EAP Guest Authentication on email, sponsor and SMS registration

    The goal here is to be able to use the credential PacketFence created on guest access and use this one on a secure connection. First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS) and check Add user on email registration and/or Add user on sponsor registration in the Configuration → Self Registration section. At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, use your phone number and the PIN code.

    Note that this option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

    In /usr/local/pf/raddb/sites-available/packetfence-tunnel there is an example of how to configure radius to enable this feature (uncomment it to make it work).

    In this example we activate this feature on a specific SSID name (Secure-Wireless), disable NTLM Auth by default, test the email credential (pfguest), test the sponsor credential (pfsponsor) and test the SMS credential (pfsms). If all fail, then we reactivate NTLM Auth.


    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
    ####Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-Wireless') {
    ## Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    ## Check temporary_password table with email and password for a sponsor registration
    #        pfguest
    #        if (fail || notfound) {
    ## Check temporary_password table with email and password for a guest registration
    #            pfsponsor
    #            if (fail || notfound) {
    ## Check activation table with phone number and PIN code
    #                pfsms
    #                if (fail || notfound) {
    #                    update control {
    #                        MS-CHAP-Use-NTLM-Auth := Yes
    #                    }
    #                }
    #            }
    #        }
    #    }

    Option 6: EAP Local user Authentication

    The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 5; the difference is that we use another SSID and we only use local accounts.

    Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

    In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it fails, then we reactivate NTLM Auth.


    ####Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-local-Wireless') {
    ## Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    ## Check temporary_password table for local user
    #        pflocal
    #        if (fail || notfound) {
    #            update control {
    #                MS-CHAP-Use-NTLM-Auth := Yes
    #            }
    #        }
    #    }

    Tests

    Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    # radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

    Debug

    First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

    If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following command:

    # radiusd -X -d /usr/local/pf/raddb

    Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

    In order to have an output from raddebug, you need to either:

    a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

    b. Run raddebug as root (less secure!)

    Now you can run raddebug easily:

    raddebug -t 300 -d /usr/local/pf/raddb


    The above will output FreeRADIUS' debug logs for 5 minutes. See man raddebug for all the options.

    Starting PacketFence Services

    Once PacketFence is fully installed and configured, start the services using the following command:

    service packetfence start

    You may verify using the chkconfig command that the PacketFence service is automatically started at boot time.

    Log files

    Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log            PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access        Apache Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error         Apache Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access         Apache Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error          Apache Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access   Apache Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error    Apache Webservices Error Log

    There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

    The logging system's configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it.

    Passthrough

    In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

    There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach websites.

    * DNS passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

    * mod_proxy passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

    These two methods can be used together, but DNS-based passthroughs have higher priority.
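The two passthrough types differ in what the trapped client's DNS query gets back (the real address versus the portal's address) and in which list is consulted first. The following added example, not PacketFence's pfdns or mod_proxy configuration, models that decision for one queried name, including a wildcard match that does not let a name merely ending in the same string (for example evilexample.com against *.example.com) slip through. The portal address, the passthrough lists and the stand-in resolver are constructed for illustration.

```python
# Added example (not PacketFence code): deciding how a captive-portal DNS
# responder answers a trapped client, using DNS passthroughs first, then
# proxy passthroughs, as the text describes. All data is constructed.
from typing import Callable, Iterable, Tuple

PORTAL_IP = "192.168.2.1"          # constructed: the registration interface address


def fqdn_matches(pattern: str, name: str) -> bool:
    """Match one passthrough entry against a queried name, case-insensitively.
    '*.example.com' matches any host below example.com, not example.com itself
    and never a name that only ends in the same characters (evilexample.com)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                        # ".example.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name


def resolve_for_trapped_client(name: str,
                               dns_passthroughs: Iterable[str],
                               proxy_passthroughs: Iterable[str],
                               real_lookup: Callable[[str], str]) -> Tuple[str, str]:
    """Return (decision, address to answer with) for a DNS query from a trapped device."""
    if any(fqdn_matches(p, name) for p in dns_passthroughs):
        return "dns-passthrough", real_lookup(name)      # plus an iptables hole, not modelled here
    if any(fqdn_matches(p, name) for p in proxy_passthroughs):
        return "proxy-passthrough", PORTAL_IP            # Apache later hands it to mod_proxy
    return "trapped", PORTAL_IP                          # everything else lands on the portal


# Constructed passthrough lists and a stand-in for the real resolver.
DNS_PASSTHROUGHS = ["*.windowsupdate.com", "update.example.com"]
PROXY_PASSTHROUGHS = ["*.example.com"]
FAKE_DNS = {"download.windowsupdate.com": "203.0.113.10",
            "update.example.com": "203.0.113.20"}


def fake_lookup(name: str) -> str:
    return FAKE_DNS.get(name.lower(), "203.0.113.1")


def decide(name: str) -> Tuple[str, str]:
    return resolve_for_trapped_client(name, DNS_PASSTHROUGHS, PROXY_PASSTHROUGHS, fake_lookup)


if __name__ == "__main__":
    for q in ("download.windowsupdate.com", "update.example.com",
              "www.example.com", "evilexample.com", "example.com"):
        print(q, "->", decide(q))
```

update.example.com appears in both lists; it is answered with its real address because the DNS list is consulted first, which is the priority rule stated above.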

    Proxy Interception

    PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works in layer 2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

    Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.


    Configuration by example

    Here is an end-to-end sample configuration of PacketFence in "Hybrid" mode (VLAN mode and Inline mode at the same time).

    Assumptions

    Throughout this configuration example we use the following assumptions for our network infrastructure:

    There are two different types of manageable switches in our network: Cisco Catalyst 2900XL and Cisco Catalyst 2960, and one unmanageable device.

    VLAN 1 is the "normal" VLAN; users with the "default" role will be assigned to it
    VLAN 2 is the registration VLAN (unregistered devices will be put in this VLAN)
    VLAN 3 is the isolation VLAN (isolated devices will be put in this VLAN)
    VLANs 2 and 3 are spanned throughout the network
    VLAN 4 is the inline VLAN (In-Band, for unmanageable devices)
    We want to isolate computers using Limewire (peer-to-peer software)
    We use Snort as NIDS
    The traffic monitored by Snort is spanned on eth1
    The DHCP server on the PacketFence box will take care of IP address distribution in VLANs 2, 3 and 4
    The DNS server on the PacketFence box will take care of domain resolution in VLANs 2, 3 and 4

    The network setup looks like this:

    VLAN ID   VLAN Name      Subnet            Gateway         PacketFence Address
    1         Normal         192.168.1.0/24    192.168.1.1     192.168.1.5
    2         Registration   192.168.2.0/24    192.168.2.1     192.168.2.1
    3         Isolation      192.168.3.0/24    192.168.3.1     192.168.3.1
    4         Inline         192.168.4.0/24    192.168.4.1     192.168.4.1
    100       Voice


    Network Interfaces

    Here are the NICs' startup scripts on PacketFence.

    /etc/sysconfig/network-scripts/ifcfg-eth0:

    DEVICE=eth0
    BROADCAST=192.168.1.255
    IPADDR=192.168.1.5
    NETMASK=255.255.255.0
    NETWORK=192.168.1.0
    ONBOOT=yes
    TYPE=Ethernet

    /etc/sysconfig/network-scripts/ifcfg-eth0.2:

    DEVICE=eth0.2
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.2.1
    NETMASK=255.255.255.0
    VLAN=yes

    /etc/sysconfig/network-scripts/ifcfg-eth0.3:

    DEVICE=eth0.3
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.3.1
    NETMASK=255.255.255.0
    VLAN=yes

    /etc/sysconfig/network-scripts/ifcfg-eth0.4:

    DEVICE=eth0.4
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.4.1
    NETMASK=255.255.255.0
    VLAN=yes

    /etc/sysconfig/network-scripts/ifcfg-eth1. This NIC is used for the mirror of the traffic monitored by Snort.

    DEVICE=eth1
    ONBOOT=yes
    BOOTPROTO=none


    Trap receiver

    PacketFence uses snmptrapd as the trap receiver. It stores the community name used by the switch to send traps in the switch config file (/usr/local/pf/conf/switches.conf):

    [default]
    SNMPCommunityTrap = public

    Switch Setup

    In our example, we enable inline on a Cisco 2900XL and Port Security on a Cisco Catalyst 2960. Please consult the Network Devices Configuration Guide for the complete list of supported switches and configuration instructions.

    Inline on the 2900XL.

    on each interface

    switchport mode access
    switchport access vlan 4

    Port Security on the 2960.

    global setup

    snmp-server community public RO
    snmp-server community private RW
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.1.5 version 2c public port-security

    On each interface, you need to initialize the port security by authorizing a fake MAC address with the following commands

    switchport access vlan 1
    switchport port-security
    switchport port-security maximum 2
    switchport port-security maximum 1 vlan access
    switchport port-security violation restrict
    switchport port-security mac-address 0200.0000.00xx


    where xx stands for the interface index.

    Note

    Don't forget to update the startup-config.

    switches.conf

    Note

    You can use the Web Administration interface instead of performing the configuration in the flat files.

    Here is the /usr/local/pf/conf/switches.conf file for our setup. See Network Device Definition for more information about the content of this file.

    [default]
    SNMPCommunityRead = public
    SNMPCommunityWrite = private
    SNMPCommunityTrap = public
    SNMPVersion = 1
    defaultVlan = 1
    registrationVlan = 2
    isolationVlan = 3
    macDetectionVlan = 5
    VoIPEnabled = no

    [192.168.1.100]
    type = Cisco::Catalyst_2900XL
    mode = production
    uplink = 24

    [192.168.1.101]
    type = Cisco::Catalyst_2960
    mode = production
    uplink = 25
    defaultVlan = 10
    radiusSecret=useStrongerSecret

    If you want to have different read/write community names for each switch, declare them in each switch section.


    pf.conf

    Here is the /usr/local/pf/conf/pf.conf file for our setup. For more information about pf.conf see the Global configuration file (pf.conf) section.

    [general]
    domain=yourdomain.org
    #Put your External/Infra DNS servers here
    dnsservers=4.2.2.2,4.2.2.1
    dhcpservers=192.168.2.1,192.168.3.1,192.168.5.1

    [trapping]
    registration=enabled
    detection=enabled
    range=192.168.2.0/24,192.168.3.0/24,192.168.4.0/24

    [interface eth0]
    mask=255.255.255.0
    type=management
    gateway=192.168.1.1
    ip=192.168.1.5

    [interface eth0.2]
    mask=255.255.255.0
    type=internal
    enforcement=vlan
    gateway=192.168.2.1
    ip=192.168.2.1

    [interface eth0.3]
    mask=255.255.255.0
    type=internal
    enforcement=vlan
    gateway=192.168.3.1
    ip=192.168.3.1

    [interface eth0.4]
    mask=255.255.255.0
    type=internal
    enforcement=inline
    gateway=192.168.4.1
    ip=192.168.4.1

    [interface eth1]
    mask=255.255.255.0
    type=monitor
    gateway=192.168.1.5
    ip=192.168.1.1


    Note

    If you are running in a high-availability setup (with a cluster IP), make sure to add the vip parameter to the configured management interface so that RADIUS dynamic auth messages can reach the network equipment correctly.

    [interface eth0]
    mask=255.255.255.0
    type=management
    gateway=192.168.1.1
    ip=192.168.1.5
    vip=192.168.1.6

    networks.conf

    Here is the /usr/local/pf/conf/networks.conf file for our setup. For more information about networks.conf see DHCP and DNS Server configuration.


    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.4.0]
    netmask=255.255.255.0
    gateway=192.168.4.1
    next_hop=
    domain-name=inline.example.com
    dns=4.2.2.2,4.2.2.1
    dhcp_start=192.168.4.10
    dhcp_end=192.168.4.254
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=inline
    named=enabled
    dhcpd=enabled

    Inline enforcement specifics

    To see another important optional parameter that can be altered to do inline enforcement see the Inline enforcement configuration section.

    In order to have the inline mode properly working, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:


    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

    Save the file, and execute sysctl -p to reload the kernel parameters.
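    The interface sections of pf.conf, its trapping.range and the networks.conf sections above have to agree with each other. The following is an added example (not from the guide and not PacketFence's own code) that cross-checks constructed excerpts of those sample files; the consistency rules it enforces are assumptions drawn from the sample, not PacketFence's own validation.

```python
"""Added example, not PacketFence code: cross-check the hybrid-mode sample
above (pf.conf interfaces, trapping.range and networks.conf). The checks
are our own assumptions about a consistent setup, not PacketFence's."""
import configparser
import ipaddress

# Constructed excerpt of the sample /usr/local/pf/conf/pf.conf
PF_CONF = """[trapping]
range=192.168.2.0/24,192.168.3.0/24,192.168.4.0/24
[interface eth0.2]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.2.1
ip=192.168.2.1
[interface eth0.4]
mask=255.255.255.0
type=internal
enforcement=inline
gateway=192.168.4.1
ip=192.168.4.1
"""

# Constructed excerpt of the sample /usr/local/pf/conf/networks.conf
NETWORKS_CONF = """[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration
[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.254
type=inline
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_config(pf_text, networks_text):
    """Return a list of findings; an empty list means the files agree."""
    pf, nets = load(pf_text), load(networks_text)
    findings = []
    trap = [ipaddress.ip_network(r.strip()) for r in pf["trapping"]["range"].split(",")]
    internal = {}  # network -> (pf.conf section name, enforcement)
    for sec in pf.sections():
        if sec.startswith("interface ") and pf[sec].get("type") == "internal":
            i = pf[sec]
            net = ipaddress.ip_interface(f"{i['ip']}/{i['mask']}").network
            internal[net] = (sec, i.get("enforcement"))
            # clients outside trapping.range are never redirected to the portal
            if not any(net.subnet_of(t) for t in trap):
                findings.append(f"{sec}: {net} is not covered by trapping.range")
    for sec in nets.sections():
        n = nets[sec]
        net = ipaddress.ip_network(f"{sec}/{n['netmask']}")
        if net not in internal:
            findings.append(f"[{sec}]: no internal interface serves {net}")
            continue
        iface, enforcement = internal[net]
        # PacketFence itself is gateway and DHCP server on registration,
        # isolation and inline networks, so gateway must be the interface IP
        if n["gateway"] != pf[iface]["ip"]:
            findings.append(f"[{sec}]: gateway {n['gateway']} != {iface} ip")
        lo, hi = ipaddress.ip_address(n["dhcp_start"]), ipaddress.ip_address(n["dhcp_end"])
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"[{sec}]: DHCP pool {lo}-{hi} does not fit {net}")
        # enforcement=inline pairs with type=inline, enforcement=vlan with vlan-*
        want = "inline" if enforcement == "inline" else "vlan-"
        if not n["type"].startswith(want):
            findings.append(f"[{sec}]: type {n['type']} contradicts enforcement {enforcement}")
    return findings
```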

  • Chapter7

    Copyright2015Inverseinc. Optionalcomponents 45

    Optional components

    Blocking malicious activities with violations

    Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

    In order to be able to block malicious activities, you need to install and configure the SNORT or Suricata IDS to talk with PacketFence.

    Snort

    Installation

    The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

    Configuration

    PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all modifications there will be destroyed on each PacketFence restart.

    Suricata

    Installation

    Since the suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the "old" way.

    The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


    Configuration

    PacketFence will provide you with a basic suricata.yaml that you can modify to suit your own needs. The file is located in /usr/local/pf/conf.

    Violations

    In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

    PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf configuration file. The violation format is as follows:

    [1234]
    desc=Your Violation Description
    priority=8
    template=
    enable=Y
    trigger=Detect::2200032,Nessus::11808
    actions=email,log,trap
    vlan=isolationVlan
    whitelisted_categories=

    [1234]       The violation ID. Any integer except 1200000-120099 which is reserved for required administration violations.

    desc         Single line description of violation.

    priority     Range 1-10, with 1 the highest priority and 10 the lowest. Higher priority violations will be addressed first if a host has more than one.

    template     Template name to use while in violation. It must match a HTML file name (without the extension) of the violations templates directory.

    enable       If enable is set to N, this violation is disabled and no additional violations of this type will be added.

    trigger      Method to reference external detection methods. Trigger is formatted as follows: type::ID. The type can be Detect (Snort), Nessus, OpenVAS, OS (DHCP Fingerprint Detection), UserAgent (Browser signature), VendorMAC (MAC address class), SoH (Statement of Health filter), Accounting, etc. In the above example, 2000032 is the Snort ID and 11808 is the Nessus plugin number. The Snort ID does NOT have to match the violation ID.

    actions      This is the list of actions that will be executed on a violation addition. The actions can be:

                 log        Log a message to the file specified in [alerting].log
                 email      Email the address specified in [alerting].emailaddr, using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
                 trap       Isolate the host and place them in violation. It opens a violation and leaves it open. If trap is not there, a violation is opened and then automatically closed.
                 winpopup   Send a windows popup message. You need to configure [alerting].winserver, [alerting].netbiosname in pf.conf when using this option.
                 external   Execute an external command, specified in [paths].externalapi.
                 close      Close the violation ID specified in the vclose field.
                 role       Change the node's role to the one specified in the target_category field.
                 autoreg    Register the node.
                 unreg      Deregister the node.

    vlan         Destination VLAN where PacketFence should put the client when a violation of this type is open. The VLAN value can be:

                 isolationVlan      Isolation VLAN as specified in switches.conf. This is the recommended value for most violation types.
                 registrationVlan   Registration VLAN as specified in switches.conf.
                 normalVlan         Normal VLAN as specified in switches.conf. Note: It is preferable not to trap than to trap and put in normal VLAN. Make sure you understand what you are doing.

    whitelisted_categories   Nodes in a category listed in whitelisted_categories won't be affected by a violation of this type. Format is a comma separated list of category names.

    Also included in violations.conf is the defaults section. The defaults section will set a default value for every violation in the configuration. If a configuration value is not specified in the specific ID, the default will be used:


    [defaults]
    priority=4
    max_enable=3
    actions=email,log
    auto_enable=Y
    enable=N
    grace=120m
    delay_by=0
    window=0
    vclose=
    target_category=
    button_text=Enable Network
    snort_rules=local.rules,bleeding-attack_response.rules,bleeding-exploit.rules,bleeding-p2p.rules,bleeding-scan.rules,bleeding-virus.rules
    vlan=isolationVlan
    whitelisted_categories=

    max_enable        Number of times a host will be able to try and self remediate before they are locked out and have to call the help desk. This is useful for users who just click through violation pages.

    auto_enable       Specifies if a host can self remediate the violation (enable network button) or if they cannot and must call the help desk.

    grace             Amount of time before the violation can reoccur. This is useful to allow hosts time (in the example 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.

    delay_by          Amount of time before the violation action will run.

    window            Amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead. You can use the allowed time modifiers or the dynamic keyword. Note that the dynamic keyword only works for accounting violations. Dynamic will open the violation according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).

    vclose            When selecting the "close" action, triggering the violation will close the one you select in the vclose field. This is an experimental workflow for Mobile Device Management (MDM).

    target_category   When selecting the "role" action, triggering the violation will change the node's role to the one you select in the target_category field.

    button_text       Text displayed on the violation form to hosts.

    snort_rules       The Snort rules file is the administrator's responsibility. Please change this to point to your violation rules file(s). If you do not specify a full path, the default is /usr/local/pf/conf/snort. If you need to include more than one file, just separate each filename with a comma.

    Note

    violations.conf is loaded at startup. A restart is required when changes are made to this file.

    Example violation

    In our example we want to isolate people using Limewire. Here we assume Snort is installed and configured to send alerts to PacketFence. Now we need to configure PacketFence isolation.

    Enable the Limewire violation in /usr/local/pf/conf/violations.conf and configure it to trap.

    [2001808]
    desc=P2P (Limewire)
    priority=8
    template=p2p
    actions=log,trap
    enable=Y
    max_enable=1
    trigger=Detect::2001808
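    As an added example (not from the guide and not PacketFence's own code), the following Python loads a constructed violations.conf excerpt modelled on the entries above, applies the [defaults] section to missing keys and resolves which violation a Detect::SID or Nessus::ID trigger should open, honouring enable and whitelisted_categories. The merge and lookup rules are our reading of the text, not PacketFence's implementation.

```python
"""Added example (not PacketFence code): load a constructed violations.conf
excerpt, fill missing keys from [defaults] as the text describes, and map an
incoming trigger (Snort SID, Nessus plugin) to the violation that should open.
The merge rule and lookup are our reading of the text, not PacketFence's code."""
import configparser

# Constructed excerpt modelled on the examples above
VIOLATIONS_CONF = """[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
vlan=isolationVlan
whitelisted_categories=
[1234]
desc=Your Violation Description
priority=8
enable=Y
trigger=Detect::2200032,Nessus::11808
actions=email,log,trap
whitelisted_categories=printers,voip
[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
actions=log,trap
enable=Y
max_enable=1
trigger=Detect::2001808
[3000]
desc=Constructed disabled violation (inherits enable=N)
trigger=Detect::3000
"""


def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def load_violations(text):
    """Return {violation ID: settings} with [defaults] applied to missing keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    defaults = dict(cp["defaults"]) if cp.has_section("defaults") else {}
    violations = {}
    for section in cp.sections():
        if section == "defaults":
            continue
        merged = dict(defaults)
        merged.update(cp[section])  # the ID's own values win over [defaults]
        merged["actions"] = _csv(merged.get("actions", ""))
        merged["trigger"] = _csv(merged.get("trigger", ""))
        merged["whitelisted_categories"] = _csv(merged.get("whitelisted_categories", ""))
        violations[int(section)] = merged
    return violations


def trigger_index(violations):
    """Map (trigger type, ID) -> violation ID for enabled violations only."""
    index = {}
    for vid, v in violations.items():
        if v.get("enable", "N").upper() != "Y":
            continue  # enable=N: no additional violations of this type are added
        for trigger in v["trigger"]:
            ttype, _, tid = trigger.partition("::")
            index[(ttype, tid)] = vid
    return index


def violation_for(violations, trigger_type, trigger_id, node_category=None):
    """Violation that an alert should open, or None if it would be discarded.
    An unknown ID, a disabled violation, or a whitelisted node category all
    yield None (the alert is dropped rather than acted on)."""
    vid = trigger_index(violations).get((trigger_type, str(trigger_id)))
    if vid is None:
        return None
    if node_category in violations[vid]["whitelisted_categories"]:
        return None
    return vid
```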

    Compliance Checks

    PacketFence supports either Nessus or OpenVAS as a scanning engine for compliance checks.

    Installation

    Nessus

    Please visit http://www.nessus.org/download/ to download and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

    After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.


    Note

    You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system (http://packetfence.org/bugs/view.php?id=1841) for more information.

    OpenVAS

    Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

    Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

    It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the file names.

    For example report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

    Configuration

    In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you must configure two sections:

    pf.conf

    Adjust the settings in the scan section like the following. Don't hesitate to refer to the documentation.conf file for any help on these parameters and which of them to configure.

    Using Nessus:

    [scan]
    engine=nessus
    host=127.0.0.1
    nessus_clientpolicy=basic-policy
    pass=nessusUserPassword
    registration=enabled
    user=nessusUsername

    Of course the basic-policy must exist on the nessus server. If you want to use a different nessus policy by category, you have to adjust settings like the following:

    [nessus_category_policy]
    guest=guest_policy
    wifi=wifi_policy

    A node that is registered as a guest will be scanned with the guest_policy, etc.


    You can also use a different nessus policy based on the DHCP fingerprint; you have to adjust settings like the following:

    [nessus_scan_by_fingerprint]
    Android=Android
    Mac OS X=MACOSX
    Microsoft Windows=Windows
    iPhone=IOS

    A node with a fingerprint containing Android will be scanned with the Android policy, etc.

    Note

    If there is no policy based on DHCP fingerprint then PacketFence will try to use the policy based on category, and if it does not exist then PacketFence will use the default policy defined by nessus_clientpolicy.

    Using OpenVAS:

    [scan]
    engine=openvas
    host=127.0.0.1
    openvas_configid=openvasScanConfigId
    openvas_reportformatid=openvasNBEReportFormatId
    pass=openvasUserPassword
    registration=enabled
    user=openvasUsername

    violations.conf

    You need to create a new violation section and have to specify:

    Using Nessus:

    trigger=Nessus::<violationId>

    Using OpenVAS:

    trigger=OpenVAS::<violationId>

    Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

    $ pfcmd reload violations

    Note

    Violations will trigger if the plugin is higher than a low severity vulnerability.


    Scan on registration

    To perform a system scan before giving access to a host on the network you need to enable the scan.registration parameter in pf.conf. If you want to scan a device that has been auto-registered as a 802.1X connection, you need to enable the scan.dot1x parameter in pf.conf. The default EAP-Type that will be scanned is MS-CHAP-V2 but you can configure other EAP-Types (such as MD5-Challenge) by adding them to scan.dot1x_type as a comma-separated list of values (look at the dictionary.freeradius.internal file bundled with FreeRADIUS for the list of EAP-Types).

    It is also recommended to adjust scan.duration to reflect how long the scan takes. A progress bar of this duration will be shown to the user while he is waiting. By default, we set this variable to 60s.

    Hosting Nessus/OpenVAS remotely

    Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:

    - PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used
    - The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

    If you are using the OpenVAS scanning engine:

    - The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
    - You must have a valid SSL certificate on your PacketFence server

    If you are using the Nessus scanning engine:

    - You just have to change the host value to the Nessus server IP.

    RADIUS Accounting

    RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

    Violations

    Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

    Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

    Let's explain each chunk properly:


    - DIRECTION: You can either set a limit to inbound (IN), outbound (OUT), or total (TOT) bandwidth
    - LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB), or petabytes (PB)
    - INTERVAL: This is actually the time window we will look for potential abuse. You can set a number of days (D), weeks (W), months (M), or years (Y).

    Example triggers

    Look for Incoming (Download) traffic with a 50GB/month limit:

    Accounting::IN50GB1M

    Look for Outgoing (Upload) traffic with a 500MB/day limit:

    Accounting::OUT500MB1D

    Look for Total (Download + Upload) traffic with a 200GB limit in the last week:

    Accounting::TOT200GB1W

    Grace period

    When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted!) or too high. We recommend that you set the grace period to one interval window.
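    An added example (not from the guide and not PacketFence's own code) that parses the Accounting trigger format above and evaluates it against constructed accounting records, including the recommended grace period of one interval window. The day counts per interval unit and the way usage is summed are assumptions, since the page does not describe PacketFence's internal computation.

```python
"""Added example (not PacketFence code): parse Accounting::[DIRECTION][LIMIT]
[INTERVAL] triggers as described above and evaluate them against constructed
accounting records. The page does not show how PacketFence sums accounting
data, so the evaluation and the day counts per interval unit are assumptions."""
import re
from datetime import datetime, timedelta

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}  # assumed lengths
TRIGGER_RE = re.compile(
    r"^Accounting::(IN|OUT|TOT)(\d+)(PB|GB|MB|KB|B)(?:(\d+)([DWMY]))?$")


def parse_trigger(trigger):
    """'Accounting::IN50GB1M' -> ('IN', 50 GiB in bytes, timedelta(days=30)).
    The INTERVAL part is optional; without it the window is None (all time)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not a valid Accounting trigger: {trigger!r}")
    direction, amount, unit, count, iunit = m.groups()
    limit = int(amount) * UNITS[unit]
    window = timedelta(days=int(count) * INTERVAL_DAYS[iunit]) if count else None
    return direction, limit, window


def usage(records, direction, window, now):
    """Sum bytes of (timestamp, bytes_in, bytes_out) records inside the window."""
    total = 0
    for when, b_in, b_out in records:
        if window is not None and when < now - window:
            continue  # older than the interval: not counted
        total += {"IN": b_in, "OUT": b_out, "TOT": b_in + b_out}[direction]
    return total


def violated(trigger, records, now):
    """True when usage in the trigger's window exceeds its limit."""
    direction, limit, window = parse_trigger(trigger)
    return usage(records, direction, window, now) > limit


def recommended_grace(trigger):
    """The text recommends a grace period of one interval window."""
    return parse_trigger(trigger)[2]


# Constructed accounting records: (timestamp, bytes downloaded, bytes uploaded)
NOW = datetime(2015, 3, 31, 12, 0)
RECORDS = [
    (NOW - timedelta(days=40), 30 * UNITS["GB"], 1 * UNITS["GB"]),   # outside 1M
    (NOW - timedelta(days=10), 30 * UNITS["GB"], 2 * UNITS["GB"]),
    (NOW - timedelta(days=2), 25 * UNITS["GB"], 600 * UNITS["MB"]),
    (NOW - timedelta(hours=3), 1 * UNITS["GB"], 300 * UNITS["MB"]),
]

if __name__ == "__main__":
    for t in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        print(t, "violated" if violated(t, RECORDS, NOW) else "ok")
```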

    Oinkmaster

    Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

    Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

    Configuration

    Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

    1. Untar the freshly downloaded Oinkmaster

    2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl

    3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf


    4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

    Rules update

    In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

    0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)

    Floating Network Devices

    Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

    Caution

    Right now PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

    For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).

    A floating network device is a device that PacketFence does not manage as a regular device.

    When a floating network device is plugged, PacketFence will let/allow all the MAC addresses that will be connected to this device (or appear on the port) and if necessary, configure the port as multi-vlan (trunk) and set PVID and tagged VLANs on the port.

    When a floating network device is unplugged, PacketFence will reconfigure the port like before it was plugged.

    Here is how it works:

    Configuration

    - floating network devices have to be identified using their MAC address.
    - linkup/linkdown traps are not enabled on the switches, only port-security traps are.

    When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

    - it disables port-security
    - it sets the PVID
    - it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
    - it enables linkdown traps

    When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

    - it enables port-security
    - it disables linkdown traps

    Identification

    As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

    - by editing conf/floating_network_device.conf
    - through the Web GUI, in Configuration > Network > Floating devices

    Here are the settings that are available:

    MAC Address   MAC address of the floating device
    IP Address    IP address of the floating device (not required, for information only)
    trunkPort     Yes/no. Should the port be configured as a multi-vlan port?
    pvid          VLAN in which PacketFence should put the port
    taggedVlan    Comma separated list of VLANs. If the port is a multi-vlan, these are the VLANs that have to be tagged on the port.

    Guests Management

    PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different access to the network resources.

    Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

    PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor and the sponsor must click on a link and authenticate in order to enable the guest's access.

    Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

    The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.


    Usage

    Guest self-registration

    Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.

    Managed guests

    Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users > Create menu.

    Guestpre-re