administrationguide - packetfence · or"127.0.0.1")thatpacketfencewillbeinstalledon

AdministrationGuideforPacketFenceversion5.4.0

AdministrationGuidebyInverseInc.

Version5.4.0-Oct2015Copyright2015Inverseinc.

Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-CoverTexts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense".

ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http://scripts.sil.org/OFL

CopyrightukaszDziedzic,http://www.latofonts.com,withReservedFontName:"Lato".

CopyrightRaphLevien,http://levien.com/,withReservedFontName:"Inconsolata".

http://scripts.sil.org/OFLhttp://scripts.sil.org/OFLhttp://www.latofonts.com/http://levien.com/

Copyright2015Inverseinc. iii

TableofContentsAbout this Guide .............................................................................................................. 1

Othersourcesof information..................................................................................... 1Introduction ..................................................................................................................... 2

Features ................................................................................................................... 2Network Integration .................................................................................................. 5Components ............................................................................................................. 5

SystemRequirements ........................................................................................................ 7Assumptions ............................................................................................................. 7MinimumHardwareRequirements.............................................................................. 7OperatingSystemRequirements................................................................................ 8

Installation ....................................................................................................................... 9OS Installation .......................................................................................................... 9SoftwareDownload ................................................................................................ 10Software Installation ................................................................................................ 10

Getoffontherightfoot ................................................................................................. 12TechnicalintroductiontoInlineenforcement..................................................................... 13

Introduction ........................................................................................................... 13Deviceconfiguration ............................................................................................... 13Access control ........................................................................................................ 13Limitations ............................................................................................................. 14

TechnicalintroductiontoOut-of-bandenforcement........................................................... 15Introduction ........................................................................................................... 15VLANassignmenttechniques...................................................................................15MoreonSNMPtrapsVLANisolation....................................................................... 17

TechnicalintroductiontoHybridenforcement................................................................... 20Introduction ........................................................................................................... 20Deviceconfiguration ............................................................................................... 20

Configuration ................................................................................................................. 21RolesManagement ................................................................................................. 21Authentication ........................................................................................................ 22ExternalAPIauthentication ..................................................................................... 24NetworkDevicesDefinition(switches.conf)............................................................... 25Portal Profiles ......................................................................................................... 29FreeRADIUSConfiguration ...................................................................................... 30

Debugging ..................................................................................................................... 42Log files ................................................................................................................. 42RADIUSDebugging ................................................................................................ 42

MoreonVoIP Integration ................................................................................................ 44CDPandLLDPareyourfriend................................................................................ 44VoIPandVLANassignmenttechniques..................................................................... 44WhatifCDP/LLDPfeatureismissing....................................................................... 45

Advanced topics ............................................................................................................. 46AppleandAndroidWirelessProvisioning.................................................................. 46Billing Engine ......................................................................................................... 47DevicesRegistration ................................................................................................ 48Eduroam ................................................................................................................ 49Fingerbank integration ............................................................................................. 53FloatingNetworkDevices ....................................................................................... 54OAuth2Authentication ........................................................................................... 56Passthrough ........................................................................................................... 58ProductionDHCPaccess ......................................................................................... 58

Copyright2015Inverseinc. iv

Proxy Interception ................................................................................................... 60RoutedNetworks .................................................................................................... 60StatementofHealth (SoH) ....................................................................................... 63VLANFilterDefinition ............................................................................................ 65

Optionalcomponents ...................................................................................................... 68Blockingmaliciousactivitieswithviolations............................................................... 68ComplianceChecks ................................................................................................. 72RADIUSAccounting ................................................................................................ 78Oinkmaster ............................................................................................................. 79GuestsManagement ............................................................................................... 79ActiveDirectoryIntegration ...................................................................................... 83DHCPremotesensor .............................................................................................. 87

OperatingSystemBestPractices...................................................................................... 90IPTables ................................................................................................................. 90Log Rotations ......................................................................................................... 90

Performanceoptimization ................................................................................................ 91SNMPTrapsLimit ................................................................................................... 91MySQLoptimizations .............................................................................................. 91CaptivePortalOptimizations .................................................................................... 94

Additional Information ..................................................................................................... 96CommercialSupportandContactInformation................................................................... 97GNUFreeDocumentationLicense................................................................................... 98A.AdministrationTools ................................................................................................... 99

pfcmd .................................................................................................................... 99pfcmd_vlan ........................................................................................................... 100

Chapter1

Copyright2015Inverseinc. AboutthisGuide 1

AboutthisGuide

This guide will walk you through the installation and the day to day administration of thePacketFencesolution.

Thelatestversionofthisguideisavailableathttp://www.packetfence.org/documentation/

Othersourcesofinformation

Thefollowingdocumentsareincludedinthepackageandreleasetarballs.

NetworkDevicesConfigurationGuide(pdf) Covers switch, controllers and accesspointsconfiguration.

DevelopersGuide(pdf) Covers captive portal customization,VLAN management customization andinstructionsforsupportingnewhardware.

CREDITS Thisis,atleast,apartialfileofPacketFencecontributors.

NEWS.asciidoc Covers noteworthy features,improvementsandbugfixesbyrelease.

UPGRADE.asciidoc Covers compatibility related changes,manual instructions and general notesaboutupgrading.

ChangeLog Coversallchangestothesourcecode.

http://www.packetfence.org/documentation/

Chapter2

Copyright2015Inverseinc. Introduction 2

Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC)system. Boosting an impressive feature set including a captive portal for registration andremediation, centralized wired and wireless management, 802.1X support, layer-2 isolation ofproblematicdevices,integrationwithIDS,vulnerabilityscannersandfirewalls;PacketFencecanbeusedtoeffectivelysecurenetworks-fromsmalltoverylargeheterogeneousnetworks.

Features

Outofband(VLANEnforcement) PacketFencesoperationiscompletelyoutof band when using VLAN enforcementwhich allows the solution to scalegeographicallyandtobemoreresilienttofailures.

InBand(InlineEnforcement) PacketFence can also be configured tobe in-band, especially when you havenon-manageable network switches oraccesspoints.PacketFencecanalsoworkwith both VLAN and Inline enforcementactivated for maximum scalability andsecuritywhileallowingolderhardwaretostillbesecuredusing inlineenforcement.Bothlayer-2andlayer-3aresupportedforinlineenforcement.

Hybridsupport(InlineEnforcementwithRADIUSsupport)

PacketFence can also be configuredas hybrid, if you have a manageabledevice that supports 802.1X and/orMAC-authentication. This feature can beenabled using a RADIUS attribute (MACaddress, SSID, port) or using full inlinemodeontheequipment.

Hotspotsupport(WebAuthEnforcement) PacketFence can also be configured ashotspot,ifyouhaveamanageabledevicethat supports an external captive portal(likeCiscoWLCorArubaIAP).

VoiceoverIP(VoIP)support Also called IP Telephony (IPT), VoIP isfully supported (even in heterogeneous

Chapter2


environments)formultipleswitchvendors(Cisco,Avaya,HPandmanymore).

802.1X 802.1X wireless and wired is supportedthroughourFreeRADIUSmodule.

Wirelessintegration PacketFence integrates perfectly withwireless networks through ourFreeRADIUS module. This allows youto secure your wired and wirelessnetworks the same way using the sameuser database and using the samecaptive portal, providing a consistentuser experience. Mixing Access Points(AP) vendors and Wireless Controllers issupported.

Registration PacketFence supports an optionalregistrationmechanismsimilarto"captiveportal"solutions.Contrarytomostcaptiveportal solutions, PacketFence remembersusers who previously registered and willautomatically give them access withoutanotherauthentication.Ofcourse, this isconfigurable. An Acceptable Use Policycan be specified such that users cannotenable network access without firstacceptingit.

Detectionofabnormalnetworkactivities Abnormal network activities (computervirus, worms, spyware, traffic deniedby establishment policy, etc.) can bedetectedusinglocalandremoteSnortorSuricatasensors.Beyondsimpledetection,PacketFence layers its own alerting andsuppression mechanism on each alerttype.Asetofconfigurableactionsforeachviolationisavailabletoadministrators.

Proactivevulnerabilityscans Either Nessus , OpenVAS or WMIvulnerabilityscanscanbeperformeduponregistration, scheduled or on an ad-hocbasis. PacketFence correlates the scanengine vulnerability IDs of each scanto the violation configuration, returningcontent specific web pages about whichvulnerabilitythehostmayhave.

Isolationofproblematicdevices PacketFence supports several isolationtechniques,includingVLANisolationwithVoIP support (even in heterogeneousenvironments)formultipleswitchvendors.

Remediationthroughacaptiveportal Once trapped, all network traffic isterminated by the PacketFence system.

http://www.freeradius.orghttp://www.freeradius.org/http://www.snort.org/http://suricata-ids.org/http://www.nessus.org/nessus/http://www.openvas.org

Chapter2


Based on the nodes current status(unregistered,openviolation,etc),theuseris redirected to the appropriate URL. Inthe case of a violation, the user willbe presented with instructions for theparticular situation he/she is in reducingcostlyhelpdeskintervention.

Firewallintegration PacketFence provides Single-Sign Onfeatures with many firewalls. Uponconnection on the wired or wirelessnetwork, PacketFence can dynamicallyupdatetheIP/userassociationonfirewallsforthemtoapply,ifrequired,per-userorper-groupfilteringpolicies.

Command-lineandWeb-basedmanagement Web-based and command-line interfacesforallmanagementtasks.

GuestAccess PacketFence supports a special guestVLAN out of the box. You configureyour network so that the guest VLANonly goes out to the Internet and theregistration VLAN and the captive portalarethecomponentsusedtoexplaintotheguesthowtoregisterforaccessandhowhis access works. This is usually brandedby the organization offering the access.Several means of registering guests arepossible. PacketFence does also supportguestaccessbulkcreationsandimports.

Devicesregistration A registered user can access a specialWeb page to register a device of hisown.Thisregistrationprocesswillrequireloginfromtheuserandthenwillregisterdeviceswithpre-approvedMACOUIintoaconfigurablecategory.

PacketFenceisdevelopedbyacommunityofdeveloperslocatedmainlyinNorthAmerica.Moreinformationcanbefoundathttp://www.packetfence.org.

http://www.packetfence.org

Chapter2


NetworkIntegration

VLANenforcementispicturedintheabovediagram.InlineenforcementshouldbeseenasasimpleflatnetworkwherePacketFenceactsasafirewall/gateway.

Components

PacketFencerequiresvariouscomponentstoworksuchasaWebserver,adatabaseserver,andaRADIUSserver.Itinteractswithexternaltoolstoextenditsfunctionalities.

Chapter2


Chapter3

Copyright2015Inverseinc. SystemRequirements 7

SystemRequirements

Assumptions

PacketFencereusesmanycomponentsinaninfrastructure.Thus,itrequiresthefollowingones:

Databaseserver(MySQLorMariaDB) Webserver(Apache) DHCPserver(ISCDHCP) RADIUSserver(FreeRADIUS)

Dependingonyoursetupyoumayhavetoinstalladditionalcomponentslike:

NIDS(Snort/Suricata)

Inthisguide,weassumethatallthosecomponentsarerunningonthesameserver(i.e.,"localhost"or"127.0.0.1")thatPacketFencewillbeinstalledon.

Good understanding of those underlying component and GNU/Linux is required to installPacketFence. If you miss some of those required components, please refer to the appropriatedocumentationandproceedwiththeinstallationoftheserequirementsbeforecontinuingwiththisguide.

Thefollowingtableprovidesrecommendationsfortherequiredcomponents,togetherwithversionnumbers:

MySQLserver MySQL5.1

Webserver Apache2.2

DHCPserver DHCP4.1

RADIUSserver FreeRADIUS2.2.x

Snort Snort2.9.1

Suricata Suricata1.4.1

Morerecentversionsofthesoftwarementionedabovecanalsobeused.

MinimumHardwareRequirements

Thefollowingprovidesalistoftheminimumserverhardwarerecommendations:

Chapter3

Copyright2015Inverseinc. SystemRequirements 8

IntelorAMDCPU3GHz 8GBofRAM 100GBofdiskspace(RAID-1recommended) 1Networkcard(2recommended)

OperatingSystemRequirements

PacketFencesupportsthefollowingoperatingsystemsonthex86_64architectures:

RedHatEnterpriseLinux6.xServer CommunityENTerpriseOperatingSystem(CentOS)6.x Debian7.0(Wheezy) Ubuntu12.04LTS(PrecisePangolin)

Makesurethatyoucaninstalladditionalpackagesfromyourstandarddistribution.Forexample,ifyouareusingRedHatEnterpriseLinux,youhavetobesubscribedtotheRedHatNetworkbeforecontinuingwiththePacketFencesoftwareinstallation.

OtherdistributionssuchasFedoraandGentooareknowntoworkbutthisdocumentdoesntcoverthem.

Servicesstart-upPacketFencetakescareofhandlingtheoperationofthefollowingservices:

Webserver(httpd) DHCPserver(dhcpd) FreeRADIUSserver(radiusd) Snort/SuricataNetworkIDS(snort/suricata) Firewall(iptables)

Makesurethatalltheotherservicesareautomaticallystartedbyyouroperatingsystem!

Chapter4

Copyright2015Inverseinc. Installation 9

Installation

ThissectionwillguideyouthroughtheinstallationofPacketFencetogetherwithitsdependencies.

OSInstallation

Installyourdistributionwithminimalinstallationandnoadditionalpackages.Then:

DisableFirewall DisableSELinux DisableAppArmor Disableresolvconf

Makesureyoursystemisuptodateandyouryumorapt-getdatabaseisupdated.OnaRHEL-basedsystem,do:

yum update

OnaDebianorUbuntusystem,do:

apt-get updateapt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations,PacketFencewillnotrunproperlyifSELinuxorAppArmorareenabled.YouwillneedtoexplicitlydisableSELinuxinthe/etc/selinux/configfileandAppArmorwithupdate-rc.d-fapparmorstop,update-rc.d-fapparmorteardownandupdate-rc.d-fapparmorremove.Regardingresolvconf,youcanremovethesymlinktothatfileandsimplycreatethe/etc/resolv.conffilewiththecontentyouwant.

RedHat-basedsystems

Note

AppliestoCentOSandScientificLinuxbutonlythex86_64architectureissupported.

Chapter4


RHEL6.x

NoteTheseareextrastepsarerequiredforRHEL6systemsonly,excludingderivativessuchasCentOSorScientificLinux.

RedHatEnterpriseLinuxusersneedtotakeanadditionalsetupstep.IfyouarenotusingtheRHNSubscriptionManagementfromRedHatyouneedtoenabletheoptionalchannelbyrunningthefollowingasroot:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

DebianandUbuntuAllthePacketFencedependenciesareavailablethroughtheofficialrepositories.

SoftwareDownload

PacketFenceprovidesaRPMrepositoryforRHEL/CentOSinsteadofasingleRPMfile.

ForDebianandUbuntu,PacketFencealsoprovidespackagerepositories.

TheserepositoriescontainallrequireddependenciestoinstallPacketFence.Thisprovidesnumerousadvantages:

easyinstallation everythingispackagedasRPM/deb(nomoreCPANhassle) easyupgrade

SoftwareInstallation

RHEL/CentOSInordertousethePacketFencerepository:

# rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-2.centos6.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and therequiredexternalservices(Databaseserver,DHCPserver,RADIUSserver)using:

Chapter4


yum install --enablerepo=packetfence packetfence

Onceinstalled,theWeb-basedconfigurationinterfacewillautomaticallybestarted.Youcanaccessitfromhttps://@ip_of_packetfence:1443/configurator

DebianYoumustenablenon-freerepository:

Fornon-free,editthefile/etc/apt/source.listandaddnon-freelikethat:

deb http://debian.mirror.iweb.ca/debian/ wheezy main non-free

Inordertousetherepository,createafilenamed/etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list


sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4sudo apt-get updatesudo apt-get install packetfence

UbuntuInordertousetherepository,createafilenamed/etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise' > /etc/apt/sources.list.d/packetfence.list


sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4sudo apt-get updatesudo apt-get install packetfence

Onceinstalled,theWeb-basedconfigurationinterfacewillautomaticallybestarted.Youcanaccessitfromhttps://@ip_of_packetfence:1443/configurator

https://@ip_of_packetfence:1443/configuratorhttps://@ip_of_packetfence:1443/configurator

Chapter5

Copyright2015Inverseinc. Getoffontherightfoot 12

Getoffontherightfoot

PriorconfiguringPacketFence,youmustchoseanappropriateenforcementmodetobeusedbyPacketFencewithyournetworkingequipment.Theenforcementmodeisthetechniqueusedtoenforceregistrationandanysubsequentaccessofdevicesonyournetwork.PacketFencesupportsthefollowingenforcementmodes:

Inline Out-of-band Hybrid

It isalsopossibletocombineenforcementmodes.Forexample,youcouldusetheout-of-bandmodeonyourwiredswitches,whileusingtheinlinemodeonyouroldWiFiaccesspoints.

The following sections will explain these enforcement modes. If you decide to use the inlinemode,pleaserefertothePacketFenceInlineDeploymentQuickGuideusingZENforacompleteconfigurationexample.Ifyoudevicetousetheout-of-bandmode,pleaserefertothePacketFenceOut-of-BandDeploymentQuickGuideusingZEN

Chapter6

Copyright2015Inverseinc.TechnicalintroductiontoInlineenforcement 13

TechnicalintroductiontoInlineenforcement

Introduction

Beforetheversion3.0ofPacketFence,itwasnotpossibletosupportunmanageabledevicessuchasentry-levelconsumerswitchesoraccess-points.Now,withthenewinlinemode,PacketFencecanbeusein-bandforthosedevices.Soinotherwords,PacketFencewouldbecomethegatewayofthatinlinenetwork,andNATorroutethetrafficusingIPTables/IPSettotheInternet(ortoanothersectionofthenetwork).Letseehowitworks.

Deviceconfiguration

Nospecialconfigurationisneededontheunmanageabledevice.Thatsthebeautyofit.Youonlyneedtoensurethatthedeviceis"talking"ontheinlineVLAN.Atthispoint,allthetrafficwillbepassingthroughPacketFencesinceitisthegatewayforthisVLAN.

Accesscontrol

TheaccesscontrolreliesentirelyonIPTables/IPSet.Whenauserisnotregistered,andconnectsintheinlineVLAN,PacketFencewillgivehimanIPaddress.Atthispoint,theuserwillbemarkedasunregisteredintheipsetsession,andalltheWebtrafficwillberedirectedtothecaptiveportaland other traffic blocked. The user will have to register through the captive portal as in VLANenforcement.Whenheregisters,PacketFencechangesthedevicesipsetsessiontoallowtheusersmacaddresstogothroughit.

Chapter6

Copyright2015Inverseinc.TechnicalintroductiontoInlineenforcement 14

Limitations

Inlineenforcementbecauseofitsnaturehasseverallimitationsthatonemustbeawareof.

EveryonebehindaninlineinterfaceisonthesameLayer2LAN EverypacketofauthorizedusersgoesthroughthePacketFenceserverincreasingtheservers'

loadconsiderably:Planaheadforcapacity Everypacketofauthorizedusersgoes throughthePacketFenceserver: it isasinglepointof

failureforInternetaccess Ipsetcanstoreupto65536entries,soitisnotpossibletohaveainlinenetworkclassupper

thanB

Thisiswhyit isconsideredapoormanswayofdoingaccesscontrol.Wehaveavoideditforalongtimebecauseoftheabovementionedlimitations.Thatsaid,beingabletoperformbothinlineandVLANenforcementonthesameserveratthesametimeisarealadvantage:itallowsuserstomaintainmaximumsecuritywhiletheydeploynewandmorecapablenetworkhardwareprovidingacleanmigrationpathtoVLANenforcement.

Chapter7

Copyright2015Inverseinc.Technicalintroductionto

Out-of-bandenforcement 15

TechnicalintroductiontoOut-of-bandenforcement

Introduction

VLANassignmentiscurrentlyperformedusingseveraldifferenttechniques.Thesetechniquesarecompatible one to another but not on the same switch port. This means that you can use themoresecureandmoderntechniquesforyour latestswitchesandanothertechniqueontheoldswitchesthatdoesntsupportlatesttechniques.Asitsnameimplies,VLANassignmentmeansthatPacketFenceistheserverthatassignstheVLANtoadevice.ThisVLANcanbeoneofyourVLANsoritcanbeaspecialVLANwherePacketFencepresentsthecaptiveportalforauthenticationorremediation.

VLANassignmenteffectivelyisolateyourhostsattheOSILayer2meaningthatitisthetrickiestmethodtobypassandistheonewhichadaptsbesttoyourenvironmentsinceitgluesintoyourcurrentVLANassignmentmethodology.

VLANassignmenttechniques

Wired:802.1X+MACAuthentication802.1Xprovidesport-basedauthentication,whichinvolvescommunicationsbetweenasupplicant,authenticator(knownasNAS),andauthenticationserver(knownasAAA).Thesupplicantisoftensoftwareonaclientdevice,suchasalaptop,theauthenticatorisawiredEthernetswitchorwirelessaccesspoint,andtheauthenticationserverisgenerallyaRADIUSserver.

Thesupplicant(i.e.,clientdevice)isnotallowedaccessthroughtheauthenticatortothenetworkuntilthesupplicantsidentityisauthorized.With802.1Xport-basedauthentication,thesupplicantprovides credentials, such as user name / password or digital certificate, to the authenticator,andtheauthenticatorforwardsthecredentialstotheauthenticationserverforverification.Ifthecredentialsarevalid(intheauthenticationserverdatabase),thesupplicant(clientdevice)isallowedtoaccessthenetwork.TheprotocolforauthenticationiscalledExtensibleAuthenticationProtocol(EAP) which have many variants. Both supplicant and authentication servers need to speak thesameEAPprotocol.MostpopularEAPvariantisPEAP-MsCHAPv2(supportedbyWindows/MacOSX/LinuxforauthenticationagainstAD).

Chapter7



Inthiscontext,PacketFencerunstheauthenticationserver(aFreeRADIUSinstance)andwillreturntheappropriateVLANtotheswitch.AmodulethatintegratesinFreeRADIUSdoesaremotecalltothePacketFenceservertoobtainthatinformation.Moreandmoredeviceshave802.1Xsupplicantwhichmakesthisapproachmoreandmorepopular.

MACAuthenticationisanewmechanismintroducedbysomeswitchvendortohandlethecaseswhere a 802.1X supplicant does not exist. Different vendors have different names for it. CiscocallsitMACAuthenticationBypass(MAB),JunipercallsitMACRADIUS,ExtremeNetworkscallsitNetlogin,etc.Afteratimeoutperiod,theswitchwillstoptryingtoperform802.1XandwillfallbacktoMACAuthentication.Ithastheadvantageofusingthesameapproachas802.1XexceptthattheMACaddressissentinsteadoftheusernameandthereisnoend-to-endEAPconversation(nostrongauthentication).UsingMACAuthentication,deviceslikenetworkprinterornon-802.1XcapableIPPhonescanstillgainaccesstothenetworkandtherightVLAN.

Wireless:802.1X+MACauthenticationWireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MACAuthentication. Where things change is that the 802.1X is used to setup the security keys forencryptedcommunication(WPA2-Enterprise)whileMACauthenticationisonlyusedtoauthorize(allowordisallow)aMAConthewirelessnetwork.

Onwirelessnetworks,theusualPacketFencesetupdictatethatyouconfiguretwoSSIDs:anopenoneandasecureone.Theopenoneisusedtohelpusersconfigurethesecureoneproperlyandrequiresauthenticationoverthecaptiveportal(whichrunsinHTTPS).

Thefollowingdiagramdemonstratestheflowbetweenamobileenpoint,aWiFiaccesspoint,aWiFicontrollerandPacketFence:

1. UserinitiatesassociationtoWLANAPandtransmitsMACaddress.IfuseraccessesnetworkviaaregistereddeviceinPacketFencegoto8

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server toauthenticate/authorizethatMACaddressontheAP

3. PacketFenceserverconductsaddressaudit in itsdatabase. If itdoesnotrecognizetheMACaddressgoto4.Ifitdoesgoto8.

4. PacketFenceserverdirectsWLANcontrollerviaRADIUS(RFC2868attributes)toputthedeviceinan"unauthenticatedrole(setofACLsthatwouldlimit/redirecttheusertothePacketFence

Chapter7



captiveportalforregistration,orwecanalsousearegistrationVLANinwhichPacketFencedoesDNSblackholingandistheDHCPserver)

5. TheusersdeviceissuesaDHCP/DNSrequesttoPacketFence(whichisaDHCP/DNSserveronthisVLANorforthisrole)whichsendstheIPandDNSinformation.Atthispoint,ACLsarelimiting/redirectingtheusertothePacketFencescaptiveportalforauthentication.PacketFencefingerprintsthedevice(user-agentattributes,DHCPinformation&MACaddresspatterns)towhichitcantakevariousactionsincluding:keepdeviceonregistrationportal,directtoalternatecaptive portal, auto-register the device, auto-block the device, etc. If the device remains ontheregistrationportaltheuserregistersbyprovidingtheinformation(username/password,cellphonenumber,etc.).At this timePacketFencecouldalsorequire thedevicetogothroughapostureassessment(usingNessus,OpenVAS,etc.)

6. Ifauthentication is required (username/password) througha loginform,thosecredentialsarevalidatedviatheDirectoryserver(oranyotherauthenticationsources-likeLDAP,SQL,RADIUS,SMS,Facebook,Google+,etc.)whichprovidesuserattributestoPacketFencewhichcreatesuser+devicepolicyprofileinitsdatabase.

7. PacketFenceperformsaChangeofAuthorization(RFC3576)onthecontrollerandtheusermustbere-authenticated/reauthorized,sowegobackto1

8. PacketFenceserverdirectsWLANcontrollerviaRADIUStoputthedeviceinan"authenticatedrole,orinthe"normal"VLAN

WebAuthmodeWebauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptiveportal.Withthismode,yourdevicewillneverchangeofVLANIDbutonlytheACLassociatedtoyourdevicewillchange.RefertotheNetworkDevicesConfigurationGuidetoseeasamplewebauthconfigurationonaCiscoWLC.

Port-securityandSNMPReliesontheport-securitySNMPTraps.AfakestaticMACaddressisassignedtoalltheportsthiswayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFence.ThesystemwillauthorizetheMACandsettheportintherightVLAN.VoIPsupportispossiblebuttricky.Itvariesalotdependingontheswitchvendor.CiscoiswellsupportedbutisolationofaPCbehindanIPPhoneleadstoaninterestingdilemma:eitheryoushuttheport(andthephoneatthesametime)oryouchangethedataVLANbutthePCdoesntdoDHCP(didntdetectlinkwasdown)soitcannotreachthecaptiveportal.

AsidefromtheVoIPisolationdilemma,itisthetechniquethathasproventobereliableandthathasthemostswitchvendorsupport.

MoreonSNMPtrapsVLANisolation

WhentheVLANisolationisworkingthroughSNMPtrapsallswitchports(onwhichVLANisolationshouldbedone)mustbeconfiguredtosendSNMPtrapstothePacketFencehost.OnPacketFence,

Chapter7



weusesnmptrapdastheSNMPtrapreceiver.Asitreceivestraps,itreformatsandwritesthemintoaflatfile:/usr/local/pf/logs/snmptrapd.log.ThemultithreadedpfsetvlandaemonreadsthesetrapsfromtheflatfileandrespondstothembysettingtheswitchporttothecorrectVLAN.Currently,wesupportswitchesfromCisco,Edge-core,HP,Intel,LinksysandNortel(addingsupportfor switches from another vendor implies extending thepf::Switch class). Depending on yourswitchescapabilities,pfsetvlanwillactondifferenttypesofSNMPtraps.

YouneedtocreatearegistrationVLAN(withaDHCPserver,butnoroutingtootherVLANs)inwhichPacketFencewillputunregistereddevices.IfyouwanttoisolatecomputerswhichhaveopenviolationsinaseparateVLAN,anisolationVLANneedsalsotobecreated.

linkUp/linkDowntraps(deprecated)ThisisthemostbasicsetupanditneedsathirdVLAN:theMACdetectionVLAN.ThereshouldbenothinginthisVLAN(noDHCPserver)anditshouldnotberoutedanywhere;itisjustanvoidVLAN.

Whenahostconnectstoaswitchport,theswitchsendsalinkUptraptoPacketFence.SinceittakessometimebeforetheswitchlearnstheMACaddressofthenewlyconnecteddevice,PacketFenceimmediatelyputstheportintheMACdetectionVLANinwhichthedevicewillsendDHCPrequests(withnoanswer)inorderfortheswitchtolearnitsMACaddress.ThenpfsetvlanwillsendperiodicalSNMPqueriestotheswitchuntiltheswitchlearnstheMACofthedevice.WhentheMACaddressisknown,pfsetvlanchecksitsstatus(existing?registered?anyviolations?)inthedatabaseandputstheportintheappropriateVLAN.Whenadeviceisunplugged,theswitchsendsalinkDowntraptoPacketFencewhichputstheportintotheMACdetectionVLAN.

Whenacomputerboots,theinitializationoftheNICgeneratesseverallinkstatuschanges.AndeverytimetheswitchsendsalinkUpandalinkDowntraptoPacketFence.SincePacketFencehas

Chapter7



toactoneachofthesetraps,thisgeneratesunfortunatelysomeunnecessaryloadonpfsetvlan.Inordertooptimizethetraptreatment,PacketFencestopseverythreadforalinkUptrapwhenitreceivesalinkDowntraponthesameport.ButusingonlylinkUp/linkDowntrapsisnotthemostscalableoption.Forexampleincaseofpowerfailure,ifhundredsofcomputersbootatthesametime,PacketFencewouldreceivea lotoftrapsalmost instantlyandthiscouldresult innetworkconnectionlatency.

MACnotificationtrapsIfyourswitchessupportMACnotificationtraps(MAClearnt,MACremoved),wesuggestthatyouactivatetheminadditiontothelinkUp/linkDowntraps.Thisway,pfsetvlandoesnotneed,afteralinkUptrap,toquerytheswitchcontinuouslyuntiltheMAChasfinallybeenlearned.WhenitreceivesalinkUptrapforaportonwhichMACnotificationtrapsarealsoenabled,itonlyneedstoputtheportintheMACdetectionVLANandcanthenfreethethread.WhentheswitchlearnstheMACaddressofthedeviceitsendsaMAClearnttrap(containingtheMACaddress)toPacketFence.

PortSecuritytrapsIn itsmostbasicform,thePortSecurityfeaturerememberstheMACaddressconnectedtotheswitchportandallowsonlythatMACaddresstocommunicateonthatport. IfanyotherMACaddress tries to communicate through the port, port security will not allow it and send a port-securitytrap.

Ifyourswitchessupportthisfeature,westronglyrecommendtouseitratherthanlinkUp/linkDownand/orMACnotifications.Why?BecauseaslongasaMACaddressisauthorizedonaportandistheonlyoneconnected,theswitchwillsendnotrapwhetherthedevicereboots,plugsinorunplugs.ThisdrasticallyreducestheSNMPinteractionsbetweentheswitchesandPacketFence.

WhenyouenableportsecuritytrapsyoushouldnotenablelinkUp/linkDownnorMACnotificationtraps.

Chapter8

Copyright2015Inverseinc.TechnicalintroductiontoHybridenforcement 20

TechnicalintroductiontoHybridenforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inlineenforcementmode.Nowwiththenewhybridmode,allthedevicesthatsupports802.1XorMAC-authenticationcanworkwiththismode.Letsseehowitworks.

Deviceconfiguration

Youneedtoconfigure inlineenforcementmode inPacketFenceandconfigureyourswitch(es)/accesspoint(s)tousetheVLANassignementtechniques(802.1XorMAC-authentication).Youalsoneedtotakecareofaspecificparameterintheswitchconfigurationwindow,"Triggertoenableinlinemode".Thisparameterisworkinglikeatriggerandyouhavethepossibilitytodefinedifferentsortoftriggers:

ALWAYS,PORT,MAC,SSID

where ALWAYS means that the device is always in inline mode, PORTspecifytheifIndexoftheportwhichwilluseinlineenforcement,MACamacaddressthatwillbeputininlineenforcementtechniqueratherthanVLANenforcementandSSIDanssidname.Anexample:

SSID::GuestAccess,MAC::00:11:22:33:44:55

ThiswilltriggerallthenodesthatconnectstotheGuestAccessSSIDtouseinlineenforcementmode(PacketFencewillreturnavoidVLANortheinlineVlanifdefinedinswitchconfiguration)andtheMACaddress00:11:22:33:44:55clientifitconnectsonanotherSSID.

Chapter9

Copyright2015Inverseinc. Configuration 21

Configuration

Atthispointinthedocumentation,PacketFenceshouldbeinstalled.YouwouldalsohavechosentherightenforcementmethodforyouandcompletedtheinitialconfigurationofPacketFence.ThefollowingsectionpresentskeyconceptsandfeaturesinPacketFence.

PacketFenceprovidesaweb-basedadministrationinterfaceforeasyconfigurationandoperationalmanagement.IfyouwentthroughPacketFencesweb-basedconfigurationtool,youshouldhavesetthepasswordfortheadminuser.

Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/

ThenextkeystepsareimportanttounderstandhowPacketFenceworks.Inordertogetthesolutionworking, you must first understand and configure the following aspects of the solution in thisspecificorder:

1. roles-aroleinPacketFencewillbeeventuallybemappedtoaVLAN,anACLoranexternalrole.Youmustdefinetherolestouseinyourorganizationfornetworkaccess

2. authentication-oncerolesaredefined,youmustcreateanappropraiteauthenticationsourceinPacketFence.ThatwillallowPacketFencetocomputetherightroletobeusedforanendpoint,ortheuserusingit

3. network devices - once your roles and authentication sources are defined, you must addswitches,WiFicontrollersorAPstobemananagedbyPacketFence.Whendoingso,youwillconfigurehowrolesarebeingmappedtoVLAN,ACLsorexternalroles

4. portal profiles - at this point, you are almost ready to test. You will need to set whichauthenticationsourcesaretobeusedonthedefaultcaptiveportal,orcreateanotheronetosuityourneeds

5. test!

NoteIfyouplantouse802.1X-pleaseseetheFreeRADIUSConfigurationsectionbelow.

RolesManagement

RolesinPacketFencecanbecreatedfromPacketFenceadministrativeGUI-fromtheConfigurationUsersRoles section. From this interface, you can also limit the number of devices usersbelongingtocertainrolescanregister.

https://@ip_of_packetfence:1443/https://@ip_of_packetfence:1443/

Chapter9


RolesaredynamicallycomputedbyPacketFence,basedontherules(ie.,asetofconditionsandactions)fromauthenticationsources,usingafirst-matchwinsalgorithm.RolesarethenmatchedtoVLANorinternalrolesorACLonequipmentfromtheConfigurationNetworkSwitchesmodule.

Authentication

PacketFence can authenticate users that register devices via the captive portal using variousmethods.Amongthesupportedmethods,thereare:

ActiveDirectory

Apachehtpasswdfile

Email

ExternalHTTPAPI

Facebook(OAuth2)

Github(OAuth2)

Google(OAuth2)

Kerberos

LDAP

LinkedIn(OAuth2)

Null

RADIUS

SMS

SponsoredEmail

Twitter(OAuth2)

WindowsLive(OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database.Authentication sources can be created from PacketFence administrative GUI - from theConfigurationUsersSourcessection.Alternatively(butnotrecommended),authenticationsources,rules,conditionsandactionscanbeconfiguredfromconf/authentication.conf.

Eachauthenticationsourcesyoudefinewillhaveasetofrules,conditionsandactions.

Multiple authentication sources can be defined, and will be tested in the order specified (notethattheycanbereorderedfromtheGUIbydraggingitaround).Eachsourcecanhavemultiplerules,whichwillalsobetestedintheorderspecified.Rulescanalsobereordered,justlikesources.Finally,conditionscanbedefinedforaruletomatchcertaincriterias.Ifthecriteriasmatch(one

Chapter9


ormore),actionarethenappliedandrulestestingstop,acrossallsourcesasthisisa"firstmatchwins"operation.

Whennoconditionisdefined,therulewillbeconsideredasafallback.Whenafallbackisdefined,allactionswillbeappliedforanyusersthatmatchintheauthenticationsource.

Onceasourceisdefined,itcanbeusedfromConfigurationPortalProfiles.Eachportalprofilehasalistofauthenticationsourcestouse.

ExampleLetssaywehavetworoles:guestandemployee.First,wedefinethemConfigurationUsersRoles.

Now,wewanttoauthenticateemployeesusingActiveDirectory (overLDAP),andguestsusingPacketFencesinternaldatabase-bothusingPacketFencescaptiveportal.FromtheConfigurationUsersSources,weselectAddsourceAD.Weprovidethefollowinginformation:

Name:ad1 Description:ActiveDirectoryforEmployees Host:192.168.1.2:389withoutSSL/TLS BaseDN:CN=Users,DC=acme,DC=local Scope:One-level UsernameAttribute:sAMAccountName BindDN:CN=Administrator,CN=Users,DC=acme,DC=local Password:acme123

Then,weaddarulebyclickingontheAddrulebuttonandprovidethefollowinginformation:

Name:employees Description:Ruleforallemployees Dontsetanycondition(asitsacatch-allrule) Setthefollowingactions:

Setroleemployee

SetunregistrationdateJanuary1st,2020

Test the connection and save everything. Using the newly defined source, any username thatactuallymatchesinthesource(usingthesAMAccountName)willhavetheemployeeroleandanunregistrationdatesettoJanuary1st,2020.

Now,sincewewanttoauthenticateguestsfromPacketFencesinternalSQLdatabase,accountsmustbeprovisionnedmanually.YoucandosofromtheUsersCreatesection.Whencreatingguests,specify"guest"fortheSetroleaction,andsetanaccessdurationfor1day.

If you would like to differentiate user authentication and machine authentication using ActiveDirectory,onewaytodoitisbycreatingasecondauthenticationsources,formachines:

Name:ad1 Description:ActiveDirectoryforMachines Host:192.168.1.2:389withoutSSL/TLS BaseDN:CN=Computers,DC=acme,DC=local Scope:One-level

Chapter9


UsernameAttribute:servicePrincipalName BindDN:CN=Administrator,CN=Users,DC=acme,DC=local Password:acme123

Then,weaddarule:

Name:*machines Description:Ruleforallmachines Dontsetanycondition(asitsacatch-allrule) Setthefollowingactions:

Setrolemachineauth

SetunregistrationdateJanuary1st,2020

Note

Whenaruleisdefinedasacatch-all, itwillalwaysmatchiftheusernameattributematchesthequeriedone.ThisappliesforActiveDirectory,LDAPandApachehtpasswdfilesources.KerberosandRADIUSwillactastruecatch-all,andaccepteverything.

Note

IfyouwanttouseotherLDAPattributesinyourauthenticationsource,addtheminConfigurationAdvancedCustomLDAPattributes.Theywillthenbeavailableintherulesyoudefine.

ExternalAPIauthentication

PacketFencealsosupportscallinganexternalHTTPAPIasanauthenticationsource.TheexternalAPIneedstoimplementanauthenticationactionandanauthorizationaction.

AuthenticationThisshouldprovidetheinformationaboutwhetherornottheusername/passwordcombinationisvalid

TheseinformationareavailablethroughthePOSTfieldsoftherequest

TheservershouldreplywithtwoattributesinaJSONresponse

result:shouldbe1forsuccess,0forfailure message:shouldbethereasonitsucceededorfailed

ExampleJSONresponse:

{"result":1,"message":"Valid username and password"}

Chapter9


AuthorizationThisshouldprovidetheactionstoapplyonauserbasedonitsattributes

The following attributes are available for the reply : access_duration, access_level, sponsor,unregdate,category.

SampleJSONresponse,notethatnotallattributesarenecessary,onlysendbackwhatyouneed.

{"access_duration":"1D","access_level":"ALL","sponsor":1 ,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementationcompatiblewithPacketFence.

PacketFenceconfigurationInPacketFence,youneedtoconfigureanHTTPsourceinordertouseanexternalAPI.

Hereisabriefdescriptionofthefields:

Host : First, the protocol, then the IP address or hostname of the API and lastly the port toconnecttotheAPI.

APIusernameandpassword:IfyourAPIimplementsHTTPbasicauthentication(RFC2617)youcanaddtheminthesefields.LeavinganyofthosetwofieldsemptywillmakePacketFencedotherequestswithoutanyauthentication.

AuthenticationURL:URLrelativetothehosttocallwhendoingtheauthenticationofauser.Notethatitisautomaticallyprefixedbyaslash.

AuthorizationURL:URLrelativetothehosttocallwhendoingtheauthorizationofauser.Notethatitisautomaticallyprefixedbyaslash.

NetworkDevicesDefinition(switches.conf)

ThissectionappliesonlyforVLANenforcement.Usersplanningtodoinlineenforcementonlycanskipthissection.

PacketFenceneedstoknowwhichswitches,accesspointsorcontrollersitmanages,theirtypeandconfiguration.Allthisinformationisstoredin/usr/local/pf/conf/switches.conf.Youcanmodifytheconfigurationdirectlyintheswitches.conffileoryoucandoitfromtheWebAdministrationpanelunderConfigurationNetworkSwitches-whichisnowthepreferredway.

The/usr/local/pf/conf/switches.confconfigurationfilecontainsadefaultsectionincluding:

DefaultSNMPread/writecommunitiesfortheswitches

Chapter9


Defaultworkingmode(seethenotebelowaboutpossibleworkingmodes)

andaswitchsectionforeachswitch(managedbyPacketFence)including:

SwitchIP/Mac/Range Switchvendor/type Switchuplinkports(trunksandnon-managedIfIndex) per-switchre-definitionoftheVLANs(ifrequired)

Note

switches.confisloadedatstartup.Areloadisrequiredwhenchangesaremanuallymadetothisfile/usr/local/pf/bin/pfcmd configreload.

WorkingmodesTherearethreedifferentworkingmodesforaswitchinPacketFence:

Testing pfsetvlanwritesinthelogfileswhatitwouldnormallydo,butitdoesntdoanything.

Registration pfsetvlan automatically-register all MAC addresses seen on theswitchports.Asintestingmode,noVLANchangesaredone.

Production pfsetvlan sends the SNMP writes to change the VLAN on theswitchports.

RADIUSTo set the RADIUS secret, set it from the Web administrative interface when adding a switch.Alternatively,edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

radiusSecret = secretPassPhrase

Moreover,theRADIUSsecretisrequiredtosupporttheRADIUSDynamicAuthentication(ChangeofauthorizationorDisconnect)asdefinedinRFC3576.

SNMPv1,v2candv3PacketFenceusesSNMPtocommunicatewithmostswitches.PacketFencealsosupportsSNMPv3.YoucanuseSNMPv3forcommunicationinbothdirections:fromtheswitchtoPacketFenceandfromPacketFencetotheswitch.SNMPusageisdiscouraged,youshouldnowuseRADIUS.However,evenifRADIUSisbeingused,someswitchesmightalsorequireSNMPtobeconfiguredtoworkproperlywithPacketFence.

FromPacketFencetoaswitch

Edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

Chapter9


SNMPVersion = 3SNMPUserNameRead = readUserSNMPAuthProtocolRead = MD5SNMPAuthPasswordRead = authpwdreadSNMPPrivProtocolRead = AESSNMPPrivPasswordRead = privpwdreadSNMPUserNameWrite = writeUserSNMPAuthProtocolWrite = MD5SNMPAuthPasswordWrite = authpwdwriteSNMPPrivProtocolWrite = AESSNMPPrivPasswordWrite = privpwdwrite

FromaswitchtoPacketFenceEdittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

SNMPVersionTrap = 3SNMPUserNameTrap = readUserSNMPAuthProtocolTrap = MD5SNMPAuthPasswordTrap = authpwdreadSNMPPrivProtocolTrap = AESSNMPPrivPasswordTrap = privpwdread

SwitchConfigurationHereisaswitchconfigurationexampleinordertoenableSNMPv3inbothdirectionsonaCiscoSwitch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1snmp-server group readGroup v3 privsnmp-server group writeGroup v3 priv read v1default write v1defaultsnmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdreadsnmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwritesnmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-LineInterface:TelnetandSSH

WarningPrivilegedetectionisdisabledinthecurrentPacketFenceversionduetosomeissues(see#1370).SomakesurethatthecliUserandcliPwdyouprovidealwaysgetyouintoaprivilegedmode(exceptforTrapezehardware).

PackeFenceneedssometimestoestablishaninteractivecommand-linesessionwithaswitch.ThiscanbedoneusingTelnet.YoucanalsouseSSH.Inordertodoso,edittheswitchconfigurationfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

http://www.packetfence.org/bugs/view.php?id=1370

Chapter9


cliTransport = SSH (or Telnet)cliUser = admincliPwd = admin_pwdcliEnablePwd =

ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfigurationSwitches.

WebServicesInterfacePackeFencesometimesneedstoestablishadialogwiththeWebServicescapabilitiesofaswitch.In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set thefollowingparameters:

wsTransport = http (or https)wsUser = adminwsPwd = admin_pwd

ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfigurationSwitches.

Role-basedenforcementsupportSomenetworkdevicessupporttheassignmentofaspecificsetofrules(firewallorACLs)toauser.TheideaisthattheserulescanbealotmoreaccuratetocontrolwhatausercanorcannotdocomparedtoVLANwhichhavealargernetworkmanagementoverhead.

PacketFencesupportsassigningrolesondevicesforswitchesandWiFicontrollers thatsupportit.ThecurrentroleassignmentstrategyistoassignitalongwiththeVLAN(thatmaychangeinthefuture).Aspecial internalroletoexternalroleassignmentmustbeconfigured intheswitchconfigurationfile(/usr/local/pf/conf/switches.conf).

Thecurrentformatisthefollowing:

Format: Role=

Andyouassignittotheglobalrolesparameterortheper-switchone.Forexample:

adminRole=full-accessengineeringRole=full-accesssalesRole=little-access

wouldreturnthefull-accessroletothenodescategorizedasadminorengineeringandtherolelittle-accesstonodescategorizedassales.ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfigurationSwitches.

Caution

Makesurethattherolesareproperlydefinedonthenetworkdevicespriortoassigningroles!

Chapter9


PortalProfiles

PacketFencecomeswithadefaultportalprofile.Thefollowparametersareimportanttoconfigurenomatterifyouusethedefaultportalprofileorcreateanewone:

RedirectURLunderConfigurationPortalProfilePortalName

Forsomebrowsers,itispreferabletoredirecttheusertoaspecificURLinsteadoftheURLtheuseroriginallyintendedtovisit.Forthesebrowsers,theURLdefinedinredirecturlwillbetheonewheretheuserwillberedirected.AffectedbrowsersareFirefox3andlater.

IPunderConfigurationCaptiveportal

ThisIPisusedasthewebserverwhohoststhecommon/network-access-detection.gifwhichisusedtodetectifnetworkaccesswasenabled.Itcannotbeadomainnamesinceit isusedinregistrationorquarantinewhereDNSisblack-holed.ItisrecommendedthatyouallowyouruserstoreachyourPacketFenceserverandputyourLANsPacketFenceIP.BydefaultwewillmakethisreachPacketFenceswebsiteasaneasierandmoreaccessiblesolution.

In some cases, you may want to present a different captive portal (see below for the availablecustomizations)accordingtotheSSID,theVLAN,theswitchIP/MACortheURItheclientconnectsto.Todoso,PacketFencehastheconceptofportalprofileswhichgivesyouthispossibility.

Whenconfigured,portalprofileswilloverridedefaultvaluesforwhichitisconfigured.Whennovaluesareconfiguredintheprofile,PacketFencewilltakeitsdefaultones(accordingtothe"default"portalprofile).

Herearethedifferentconfigurationparametersthatcanbesetforeachportalprofiles.Theonlymandatoryparameteris"filter",otherwise,PacketFencewontbeabletocorrectlyapplytheportalprofile.Theparametersmustbesetinconf/profiles.conf:

[profilename1]description = the description of your portal profilefilter = the name of the SSID for which you'd like to apply the profile, or the VLAN numberbilling_engine = either enabled or disabledsources = comma-separated list of authentications sources (IDs) to use

Portal profiles should be managed from PacketFences Web administrative GUI - from theConfigurationPortalProfilessection.Addingaportalprofilefromthatinterfacewillcorrectlycopytemplatesover-whichcanthenbemodifiedasyouwish.

FiltersunderConfigurationPortalProfilePortalNameFitlers

PacketFenceoffersthefollowingfilters:ConnectionType,Network,NodeRole,Port,realm,SSID,Switch,SwitchPort,URIandVLAN.

Examplewiththemostcommonones:

SSID:Guest-SSID

Chapter9


VLAN:100

Caution

Noderolewilltakeeffectonlywitha802.1xconnectionorifyouuseVLANfilters.

PacketFence relies extensively on Apache for its captive portal, administrative interface andWeb services. The PacketFences Apache configuration are located in /usr/local/pf/conf/httpd.conf.d/.

Inthisdirectoryyouhavethreeimportantfiles:httpd.admin,httpd.portal,httpd.webservices,httpd.aaa.

httpd.adminisusedtomanagePacketFenceadmininterface

httpd.portalisusedtomanagePacketFencecaptiveportalinterface

httpd.webservicesisusedtomanagePacketFencewebservicesinterface

httpd.aaaisusetomanageincomingRADIUSrequest

ThesefileshavebeenwrittenusingthePerllanguageandarecompletelydynamic-sotheyactivateservicesonlyonthenetworkinterfacesprovidedforthispurpose.

TheotherfilesinthisdirectoryaremanagedbyPacketFenceusingtemplates,soitiseasytomodifythesefilesbasedonyourconfiguration.SSLisenabledbydefaulttosecureaccess.

UponPacketFenceinstallation,self-signedcertificateswillbecreatedin/usr/local/pf/conf/ssl(server.key andserver.crt). Those certificates can be replaced anytime by your 3rd-party orexistingwildcardcertificatewithoutproblems.PleasenotethattheCN(CommonName)needstobethesameastheonedefinedinthePacketFenceconfigurationfile(pf.conf).

FreeRADIUSConfiguration

ThissectionpresentstheFreeRADIUSconfigurationsteps. Insomeoccasions,aRADIUSserverismandatoryinordertogiveaccesstothenetwork.Forexample,theusageofWPA2-Enterprise(Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server toauthenticatetheusersandthedevices,andthentopushtheproperrolesorVLANattributestothenetworkequipment.

Option1:AuthenticationagainstActiveDirectory(AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow theinstructionsunderOption1bsincetheinstructionsbelowdonotcurrentlyworkinacluster.

Chapter9


Inordertohavedomainauthenticationworkingproperly,youneedtoenableIPforwardingonyourserver.Todoitpermanently,lookinthe/etc/sysctl.conf,andsetthefollowingline:

# Controls IP packet forwardingnet.ipv4.ip_forward = 1

Nowexecutesysctl -ptoapplytheconfiguration

Next,gointheAdministrationinterfaceunderConfigurationDomains.

Note

IfyoucantaccessthissectionandyouhavepreviouslyconfiguredyourservertobindtoadomainexternallytoPacketFence,makesureyourun/usr/local/pf/addons/AD/migrate.pl

ClickAddDomainandfillintheinformationsaboutyourdomain.

Chapter9


Where:

Identifierisauniqueidentifierforyourdomain.Itspurposeisonlyvisual.

Workgroupistheworkgroupofyourdomainintheoldsyntax(likeNT4).

DNSnameofthedomainistheFQDNofyourdomain.Theonethatsuffixesyouraccountnames.

ThisserversnameisthenamethattheserversaccountwillhaveinyourActiveDirectory.

DNSserveristheIPaddressoftheDNSserverofthisdomain.MakesurethattheserveryouputtherehastheproperDNSentriesforthisdomain.

Usernameistheusernamethatwillbeusedforbindingtotheserver.Thisaccountmustbeadomainadministrator.

Passwordisthepasswordfortheusernamedefinedabove.

Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file : /chroots//var/log/samba/log.winbindd.Replacewiththeidentifieryousetinthedomainconfiguration.

Youcanvalidatethedomainbindusingthefollowingcommand:chroot /chroots/wbinfo -u

You can test the authentication process using the following command chroot /chroots/ ntlm_auth --username=administrator

Note

Undercertainconditions,thetestjoinmayshowasunsuccessfulintheAdministrationinterface but the authentication process will still work properly. Try the test abovebeforedoinganyadditionnaltroubleshooting

Defaultdomainconfiguration

YoushouldnowdefinethedomainyouwanttouseasthedefaultonebycreatingthefollowingrealminConfigurationRealms

Chapter9


Next,restartPacketfenceinStatusServices

Multipledomainsauthentication

FirstconfigureyourdomainsinConfigurationDomains.

Oncetheyareconfigured,goinConfigurationRealms.

Create a new realm that matches the DNS name of your domainAND one that matches yourworkgroup.Inthecaseofthisexample,itwillbeDOMAIN.NETandDOMAIN.

Chapter9


Where:

RealmiseithertheDNSname(FQDN)ofyourdomainortheworkgroup

RealmoptionsareanyrealmoptionsthatyouwanttoaddtotheFreeRADIUSconfiguration

Domainisthedomainwhichisassociatedtothisrealm

Nowcreatethetwootherrealmsassociatedtoyourotherdomains.

Youshouldnowhavethefollowingrealmconfiguration

Chapter9


Option1b:AuthenticationagainstActiveDirectory(AD)inacluster

Samba/Kerberos/Winbind

InstallSamba.YoucaneitherusethesourcesorusethepackageforyourOS.ForRHEL/CentOS,do:

yum install samba krb5-workstation

ForDebianandUbuntu,do:

apt-get install samba winbind krb5-user

Note

IfyouhaveWindows7PCsinyournetwork,youneedtouseSambaversion3.5.0(orgreater).

WhendonewiththeSambainstall,modifyyour/etc/hosts inordertoaddtheFQDNofyourActiveDirectoryservers.Then,youneedtomodify/etc/krb5.conf.HereisanexamplefortheDOMAIN.NETdomainforCentos/RHEL:

Chapter9


[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log

[libdefaults] default_realm = DOMAIN.NET dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes

[realms] DOMAIN.NET = { kdc = adserver.domain.net:88 admin_server = adserver.domain.net:749 default_domain = domain.net }[domain_realm] .domain.net = DOMAIN.NET domain.net = DOMAIN.NET

[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

ForDebianandUbuntu:

[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = DOMAIN.NET ticket_lifetime = 24h forwardable = yes [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

Next,edit/etc/samba/smb.conf.Again,hereisanexampleforourDOMAIN.NETforCentos/RHEL:

Chapter9


[global] workgroup = DOMAIN server string = %h security = ads passdb backend = tdbsam realm = DOMAIN.NET encrypt passwords = yes winbind use default domain = yes client NTLMv2 auth = yes preferred master = no domain master = no local master = no load printers = no log level = 1 winbind:5 auth:3 winbind max clients = 750 winbind max domain connections = 15

ForDebianandUbuntu:

[global] workgroup = DOMAIN server string = Samba Server Version %v security = ads realm = DOMAIN.NET password server = 192.168.1.1 domain master = no local master = no preferred master = no winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50

IssueakinitandklistinordertogetandverifytheKerberostoken:

# kinit administrator# klist

Afterthat,youneedtostartsamba,andjointhemachinetothedomain:

Chapter9


# service smb start# chkconfig --level 345 smb on# net ads join -U administrator

NotethatforDebianandUbuntuyouwillprobablyhavethiserror:

# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials# Join to domain is not valid: Invalid credentials

ForCentos/RHEL:

# usermod -a -G wbpriv pf

Finally,startwinbind,andtestthesetupusingntlm_authandradtest:

# service winbind start# chkconfig --level 345 winbind on

ForDebianandUbuntu:

# usermod -a -G winbindd_priv pf# ntlm_auth --username myDomainUser# radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123 Sending Access-Request of id 108 to 127.0.0.1 port 18120 User-Name = "myDomainUser" NAS-IP-Address = 10.0.0.1 NAS-Port = 12 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x79d62c9da4e55104 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5 rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option2:LocalAuthenticationAddyourusersentriesattheendofthe/usr/local/pf/raddb/usersfilewiththefollowingformat:

username Cleartext-Password := "password"

Option3:EAPauthenticationagainstOpenLDAPToauthenticate802.1xconnectionagainstOpenLDAPyouneedtodefinetheldapconnectionin/usr/local/pf/raddb/modules/ldapandbesurethattheuserpasswordisdefineasaNTHASHorascleartext.

Chapter9


ldap openldap { server = "ldap.acme.com" identity = "uid=admin,dc=acme,dc=com" password = "password" basedn = "dc=district,dc=acme,dc=com" filter = "(uid=%{mschap:User-Name})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no

keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60

# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3

# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }

Next in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorizesection:

authorize { suffix ntdomain eap { ok = return } files openldap }

Option4:EAPGuestAuthenticationonemail,sponsorandSMSregistrationThegoalhereistobeabletousethecredentialPacketFencecreatedonguestaccessandusethisoneonasecureconnection.FirstcreateaguestSSIDwiththeguestaccessyouwanttouse(Email,SponsororSMS)andcheckAdduseronemailregistrationand/orAdduseronsponsorregistrationinConfigurationSelfRegistrationsection.Attheendoftheguestregistration,PacketFencewillsendanemailwiththecredentialsforEmailandSponsor.ForSMSuseyourphonenumberandthePINcode.

Chapter9


NotethatthisoptiondoesntcurrentlyworkwiththeReusedot1xcredentialsoptionofthecaptiveportal.

In/usr/local/pf/raddb/sites-available/packetfence-tunnelthereisanexampleonhowtoconfigureRADIUStoenablethisfeature(uncommenttomakeitwork).

In this example we activate this feature on a specific SSID name (Secure-Wireless), disabled bydefaultNTLMAuth,testemailcredential(pfguest),testsponsor(pfsponsor)andtestsms(pfsms).IfallfailledthenwereactivateNTLMAuth.

authorize { suffix ntdomain eap { ok = return } files####Activate local user eap authentication based on a specific SSID ###### Set Called-Station-SSID with the current SSID# set.called_station_ssid# if (Called-Station-SSID == 'Secure-Wireless') {## Disable ntlm_auth# update control {# MS-CHAP-Use-NTLM-Auth := No# }## Check password table with email and password for a sponsor registration# pfguest# if (fail || notfound) {## Check password table with email and password for a guest registration# pfsponsor# if (fail || notfound) {## Check activation table with phone number and PIN code# pfsms# if (fail || notfound) {# update control {# MS-CHAP-Use-NTLM-Auth := Yes# }# }# }# }# }

NoteFor this feature to work, the users' passwords must be stored in cleartext in thedatabase.

Option5:EAPLocaluserAuthenticationThegoalhereistousethelocaluseryoucreatedintheadminGUIforEAPauthentication.Thelogicisexactlythesamethaninoption4,thedifferenceisthatweuseanotherSSIDandweonlyuselocalaccounts.

Chapter9


Edit/usr/local/pf/raddb/sites-available/packetfence-tunnel

InthisexampleweactivatethisfeatureonaspecificSSIDname(Secure-local-Wireless),disabledbydefaultNTLMAuthandtestlocalaccount.IfitfailledthenwereactivateNTLMAuth.

####Activate local user eap authentication based on a specific SSID ###### Set Called-Station-SSID with the current SSID# set.called_station_ssid# if (Called-Station-SSID == 'Secure-local-Wireless') {## Disable ntlm_auth# update control {# MS-CHAP-Use-NTLM-Auth := No# }## Check password table for local user# pflocal# if (fail || notfound) {# update control {# MS-CHAP-Use-NTLM-Auth := Yes# }# }# }

Caution

Youwillneedtodeasactivatepasswordhashinginthedatabaseforlocalauthenticationto work. In the administration interface, go in Configuration Advanced and setDatabasepasswordshashingmethodtoplaintext

TestsTestyoursetupwithradtestusingthefollowingcommandandmakesureyougetanAccess-Acceptanswer:

# radtest dd9999 Abcd1234 localhost:18120 12 testing123Sending Access-Request of id 74 to 127.0.0.1 port 18120 User-Name = "dd9999" User-Password = "Abcd1234" NAS-IP-Address = 255.255.255.255 NAS-Port = 12rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Chapter10

Copyright2015Inverseinc. Debugging 42

Debugging

Logfiles

HerearethemostimportantPacketFencelogfiles:

/usr/local/pf/logs/packetfence.logPacketFenceCoreLog /usr/local/pf/logs/httpd.portal.accessApacheCaptivePortalAccessLog /usr/local/pf/logs/httpd.portal.errorApacheCaptivePortalErrorLog /usr/local/pf/logs/httpd.admin.accessApacheWebAdmin/ServicesAccessLog /usr/local/pf/logs/httpd.admin.errorApacheWebAdmin/ServicesErrorLog /usr/local/pf/logs/httpd.webservices.accessApacheWebservicesAccessLog /usr/local/pf/logs/httpd.webservices.errorApacheWebservicesErrorLog /usr/local/pf/logs/httpd.aaa.accessApacheAAAAccessLog /usr/local/pf/logs/httpd.aaa.errorApacheAAAErrorLog

Thereareotherlogfilesin/usr/local/pf/logs/thatcouldberelevantdependingonwhatissueyouareexperiencing.Makesureyoutakealookatthem.

Themainloggingconfigurationfileis/usr/local/pf/conf/log.conf.Itcontainstheconfigurationforthepacketfence.logfile(Log::Log4Perl)andyounormallydontneedtomodifyit.Theloggingconfigurationfilesforeveryservicearelocatedunder/usr/local/pf/conf/log.conf.d/.

RADIUSDebugging

First,checktheFreeRADIUSlogs.Thefileislocatedat/usr/local/pf/logs/radius.log.

Ifthisdidnthelp,runFreeRADIUSindebugmode.Todoso,startitusingthefollowingcommand:

# radiusd -X -d /usr/local/pf/raddb

Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUSdaemon.PacketFencesFreeRADIUSispreconfiguredwithsuchsupport.

Inordertohaveanoutputfromraddebug,youneedtoeither:

a. Makesureuserpfhasashellin/etc/passwd,add/usr/sbintoPATH(export PATH=/usr/sbin:$PATH)andexecuteraddebugaspf

Chapter10

Copyright2015Inverseinc. Debugging 43

b. Runraddebugasroot(lesssecure!)

Nowyoucanrunraddebugeasily:

raddebug -t 300 -d /usr/local/pf/raddb

TheabovewilloutputFreeRADIUS'debuglogsfor5minutes.Seeman raddebugforalltheoptions.

Chapter11

Copyright2015Inverseinc. MoreonVoIPIntegration 44

MoreonVoIPIntegration

VoIPhasbeengrowinginpopularityonenterprisenetworks.Atfirstsight,theITadministratorsthinkthatdeployingVoIPwithaNACposesahugecomplicatedchallengetoresolve.Infact,dependingofthehardwareyouhave,notreally.Inthissection,wewillseewhy.

CDPandLLDPareyourfriend

ForthoseofyouwhoareunawareoftheexistenceofCDPorLLDP(orLLDP-MED), Isuggestyoustartreadingonthistopic.CiscoDiscoveryProtocol(CDP)isdevice-discoveryprotocolthatrunsonallCisco-manufacturedequipmentincludingrouters,accessservers,bridges,andswitches.UsingCDP,adevicecanadvertise itsexistencetootherdevicesandreceive informationaboutotherdevicesonthesameLANorontheremotesideofaWAN.IntheworldofVoIP,CDPisabletodetermineiftheconnectingdeviceisanIPPhoneornot,andtelltheIPPhonetotagitsethernetframeusingtheconfiguredvoiceVLANontheswitchport.

Onmanyothervendors,youarelikelytofindLLDPorLLDP-MEDsupport.LinkLayerDiscoveryProtocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used bynetworkdevicesforadvertisingtheiridentity,capabilities,andneighbors.SameasCDP,LLDPcantellanIPPhonewhichVLANidisthevoiceVLAN.

VoIPandVLANassignmenttechniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security,macauthenticationor802.1X.LetsseehowVoIPisdoingwitheachofthose.

Port-securityUsing port-security, the VoIP device rely on CDP/LLDP to tag its ethernet frame using theconfiguredvoiceVLANontheswitchport.Afterthat,weensurethatasecuritytrapissentfromthevoiceVLANsothatPacketFencecanauthorizethemacaddressontheport.WhenthePCconnects,anothersecuritytrapwillbesent,butfromthedataVLAN.Thatway,wewillhave1macaddressauthorizedonthevoiceVLAN,and1ontheaccessVLAN.

Chapter11

Copyright2015Inverseinc. MoreonVoIPIntegration 45

Note

Not all vendors support VoIP on port-security, please refer to the NetworkConfigurationGuide.

MacAuthenticationand802.1XCiscohardwareOnCiscoswitches,wearelookingatthemulti-domainconfiguration.Themulti-domainmeansthatwecanhaveonedeviceontheVOICEdomain,andonedeviceontheDATAdomain.ThedomainassignmentisdoneusingaCiscoVSA.Whenthephoneconnectstotheswitchport,PacketFencewillrespondwiththeproperVSAonly,noRADIUStunneledattributes.CDPthentellsthephonetotagitsethernetframesusingtheconfiguredvoiceVLANontheport.WhenaPCconnects,theRADIUSserverwillreturntunneledattributes,andtheswitchwillplacetheportintheprovidedaccessVLAN.

Non-CiscohardwareOnothervendorhardware,itispossibletomakeVoIPworkusingRADIUSVSAs.Whenaphoneconnectstoaswitchport,PacketFenceneedstoreturntheproperVSAtotelltheswitchtoallowtagged frames from this device. When the PC will connect, we will be able to return standardRADIUStunnelattributestotheswitch,thatwillbetheuntaggedVLAN.

Note

Again,refertotheNetworkConfigurationGuidetoseeifVoIPissupportedonyourswitchhardware.

WhatifCDP/LLDPfeatureismissing

ItispossiblethatyourphonedoesntsupportCDPorLLDP.Ifitsthecase,youareprobablylookingatthe"DHCPway"ofprovisionningyourphonewithavoiceVLAN.SomemodelswillaskforaspecificDHCPoptionsothattheDHCPservercangivethephoneavoiceVLANid.Thephonewillthenreboot,andtagitsethernetframeusingtheprovidedVLANtag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak theregistrationandyourproductionDHCPservertoprovidetheDHCPoption.Youalsoneedtomakesure there isavoiceVLANproperlyconfiguredontheport,andthatyouauto-registeryour IPPhones(Onthefirstconnect,thephonewillbeassignedontheregistrationVLAN).

Chapter12

Copyright2015Inverseinc. Advancedtopics 46

Advancedtopics

This section covers advanced topics in PacketFence. Note that it is also possible to configurePacketFencemanuallyusingitsconfigurationfilesinsteadofitsWebadministrativeinterface.ItisstillrecommendedtousetheWebinterface.

Inanycase,the/usr/local/pf/conf/pf.conffilecontainsthePacketFencegeneralconfiguration.Forexample,thisistheplacewhereweinformPacketFenceitwillworkinVLANisolationmode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

Inordertooverrideadefaultparameter,defineitandsetitinpf.conf.

/usr/local/pf/conf/documentation.confholdsthecompletelistofallavailableparameters.

Alltheseparametersarealsoaccessiblethroughtheweb-basedadministrationinterfaceundertheConfigurationtab.Itishighlyrecommendedthatyouusetheweb-basedadministrationinterfaceofPacketFenceforanyconfigurationchanges.

AppleandAndroidWirelessProvisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profileimportation using a special XML file format (mobileconfig). Android is also able to support thisfeaturebyimportingthewirelessprofilewiththeAndroidPacketFenceAgent.Infact,installingsuchfileonyourAppledevicewillautomaticallyconfigurethewirelesssettingsforagivenSSID.ThisfeatureisoftenusedwhentheSSIDishidden,andyouwanttoeasetheconfigurationstepsonthemobiledevice(becauseitisoftenpainfultoconfiguremanually).InPacketFence,wearegoingfurther,wegeneratetheprofileaccordingtotheadministratorspreferenceandwepre-populatethefilewiththeuserscredentials(withoutthepassword).TheusersimplyneedstoinstallitsgeneratedfileandhewillbeabletousethenewSSID.

ConfigurethefeatureFirstofall,youneedtoconfiguretheSSIDthatyourdeviceswilluseaftertheygothoughtheauthenticationprocess.

Inordertodothat,intheadministrationinterface,goinConfiguration/Provisioners.Thenselecttheandroidprovisioner.EntertheSSIDandsave.

NowdothesamethingfortheiOSprovisioner.

After,yousimplyneedtoaddtheAndroidandiOSprovisionerstoyourPortalProfileconfiguration.

Chapter12


ForAndroid,youmustallowpassthroughsinyourpf.confconfigurationfile:

[trapping]passthrough=enabledpassthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

ProfilegenerationUponregistration,insteadofshowingthedefaultreleasepage,theuserwillbeshowinganotherversionofthepagesayingthatthewirelessprofilehasbeengeneratedwithaclickablelinkonit.Toinstalltheprofile,Appleuserownersimplyneedtoclickonthatlink,andfollowtheinstructionsontheirdevice.AndroiduserownersimplyclicktothelinkandwillbeforwardedtoGooglePlaytoinstallPacketFenceagent.Simply launchtheapplicationandclicktoconfigurewillcreatethesecureSSIDprofile.Itisthatsimple.

BillingEngine

PacketFence integrates theability touseapaymentgatewaytobillusers togainaccess to thenetwork.Whenconfigured,theuserwhowantstoaccessthenetwork/Internetispromptedbyapageaskingforitspersonnalinformationaswellasitscreditcardinformation.

PacketFencecurrentlysupportstwopaymentgateways:Authorize.netandMirapay.

Theconfigurationtousethefeatureisfairlysimple.Thegeneralconfigurationtoenable/disablethebillingenginecanbedonethroughtheWebadministrationGUI(ConfigurationPortalProfilesandPages)orfromtheconf/profiles.conffile:

[default]billing_engine = enabled...

Billingengineparametersarespecifiedinconf/pf.conforfromConfigurationBilling:

[billing]gateway = authorize_netauthorizenet_posturl = The payment gateway processing URLauthorizenet_login = The merchant's unique API Login IDauthorizenet_trankey = The merchant's unique Transaction Key

Itisalsopossibletoconfiguremultiplenetworkaccesswithdifferentprices.Forexample,youmaywanttoprovidebasicInternetaccesswithadecentspeedataspecificpriceandanotherpackagewithhighspeedconnectionatanotherprice.

CautionTheuseofdifferentbillingtiersrequiresdifferentrolesinPacketFence.Makesuretocreatetheserolesfirstotherwiseyouwillrunintoproblems.

Chapter12


To do so, some customizations is needed to the billing module. Youll need to redefined thegetAvailableTiersmethodinthelib/pf/billing/custom.pmfile.Anexampleisalreadyinplaceinthefile.

Toassignarolebytiers(example:slow,mediumandfast),editthefilelib/pf/billing/custom.pm

my %tiers = ( tier1 => { id => "tier1", name => "Tier 1", price => "1.00", timeout => "7D", usage_duration => '1D', category => '', description => "Tier 1 Internet Access", destination_url => "http://www.packetfence.org" },);

idisusedastheitemvalueofthebillingtable.

nameisthenameofthetierusedonbilling.html.

priceisamountchargedonthecreditcard.

timeoutisusedtocomputetheunregistrationdateofthenode.

usage_durationistheamountofnon-contignuousaccesstimeforthenode,setasthetime_balancevalueofthenodetable.

categoryistheroleinwhichtoputthenode.

descriptionwillappearonthebilling.html.

destination_urlistheurlthatthedevicewillberedirectedafterasuccessfulauthentication.

DevicesRegistration

Usershavethepossibilitytoregistertheirdevices(MicrosoftXBOX/XBOX360,NintendoDS/Wii,SonyPlayStationandsoon)rightfromaspecialportalpage.Whenaccessingthispage,userswillbepromptedtologinasiftheywereregisteringthemselves.Onceloggedin,theportalwillaskthemtoenterthedeviceMACaddressthatwillthenbematchedagainstapredefinedlistofauthorizedMACOUI.Thedevicewillberegisteredwiththeusersidandcanbeassignedintoaspecificcategoryforeasiermanagement.

Hereshowtoconfigurethewholething.TheportalpagecanbeaccessedbythefollowingURL:https://YOUR_PORTAL_HOSTNAME/device-registration This URL is accessible from within thenetwork,inanyVLANthatcanreachthePacketFenceserver.

Thefollowingcanbeconfiguredbyeditingthepf.conffile:

https://YOUR_PORTAL_HOSTNAME/device-registration

Chapter12


[registration]device_registration = enableddevice_registration_role = gaming

MakesuretheroleexistsinPacketFenceotherwiseyouwillencounterregistrationerrors.Moreover,makesuretherolemappingforyourparticularequipmentisdone.

TheseparameterscanalsobeconfiguredfromtheConfigurationRegistrationsection.

Note

Aportalinterfacetypeisrequiredtousethisfeature.AportalinterfacetypecanbeaddedtoanynetworkinterfaceusingthewebadminGUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access servicedevelopedfortheinternationalresearchandeducationcommunity.

eduroamallowsstudents,researchersandstafffromparticipatinginstitutionstoobtainInternetconnectivityacrosscampusandwhenvisitingotherparticipatinginstitutionsbysimplyopeningtheirlaptop.

eduroamhttps://www.eduroam.org/

PacketFencesupportsintegrationwitheduroamandallowsparticipatinginstitutionstoauthenticatebothlocallyvisitingusersfromotherinstitutionsaswellasallowingotherinstitutionstoauthenticatelocalusers.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration ofPacketFencemustbemodifiedtoallowtheeduroamserverstoconnecttoitasclientsaswellastoproxyRADIUSauthenticationrequestsforusersfromoutsideinstitutions.

First,modifythe/usr/local/pf/raddb/clients.conffiletoallowtheeduroamserverstoconnecttoyourPacketFenceserver.Addtheeduroamserversasclientsandmakesure toaddtheproperRADIUSsecret.SetashortnametorefertotheseclientsasyouwilllaterneedittoexcludethemfromsomepartsofthePacketFenceconfiguration.

clients.confexample:

client tlrs1.eduroam.us { secret = useStrongerSecret shortname = tlrs1}

client tlrs2.eduroam.us { secret = useStrongerSecret shortname = tlrs2}

Chapter12


Secondly,modifythelistofdomainsandproxyserversin/usr/local/pf/raddb/proxy.conf.YouwillneedtodefineeachofyourdomainsaswellastheDEFAULTdomain.TheDEFAULTrealmwillapplytoanyclientthatattemptstoauthenticatewitharealmthatisnototherwisedefinedinproxy.confandwillbeproxiedtotheeduroamservers.

Defineoneormorehomeservers(serverstowhicheduroamrequestsshouldbeproxied).

proxy.confexample:

home_server tlrs1.eduroam.us { type = auth ipaddr = 257.128.1.1 port = 1812 secret = useStrongerSecret require_message_authenticator = yes}

Defineapoolofserverstogroupyoureduroamhomeserverstogether.

proxy.confexample:

home_server_pool eduroam { type = fail-over home_server = tlrs1.eduroam.us home_server = tlrs2.eduroam.us}

Definerealmstoselectwhichrequestsshouldbeproxiedtotheeduroamserverpool.Thereshouldbeonerealmforeachofyourdomains,andpossiblyonemoreperdomainifyouintendtoallowusernamesoftheDOMAIN\userform.

TheREALMissetbasedonthedomainfoundbythesuffixorntdomainmodules (seeraddb/modules/realm).Thesuffixorntdomainmodulestrytofindadomaineitherwithan@domainorsuffix\username.

Ifnoneisfound,theREALMisNULL.

Ifadomainisfound,FreeRADIUStriestomatchoneoftheREALMSdefinedinthisfile.

Ifthedomainiseitherexample.eduorEXAMPLEFreeRADIUSsetsthecorrespondingREALM,i.e.example.eduorEXAMPLE.

IftheREALMdoesnotmatcheither(anditisntNULL),thatmeanstherewasadomainotherthanEXAMPLEorexample.eduandweassumeitismeanttobeproxiedtoeduroam.FreeRADIUSsetstheDEFAULTrealm(whichisproxiedtotheeduroamauthenticationpool).

The REALM determines where the request is sent to. If the REALM authenticates locally therequestsareprocessedentirelybyFreeRADIUS.IftheREALMsetsadifferenthomeserverpool,therequestsareproxiedtotheserversdefinedwithinthatpool.

proxy.confexample:

Chapter12


# This realm is for requests which don't have an explicit realm# prefix or suffix. User names like "bob" will match this one.# No authentication server is defined, thus the authentication is# done locally.realm NULL {}

# This realm is for ntdomain users who might use the domain like# this "EXAMPLE\username".# No authentication server is defined, thus the authentication is# done locally.realm EXAMPLE {}

# This realm is for suffix users who use the domain like this:# "[email protected]".# No authentication server is defined, thus the authentication is# done locally.realm example.edu {}

# This realm is for ALL OTHER requests. Meaning in this context,# eduroam. The auth_pool is set to the eduroam pool and so the# requests will be proxied.realm DEFAULT { auth_pool = eduroam nostrip}

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requestsproperly.

In/usr/local/pf/raddb/sites-enabled/packetfence,modifytheauthorizesectionlikethis:

raddb/sites-enabled/packetfenceexample:

Chapter12


authorize { # pay attention to the order of the modules. It matters. ntdomain suffix preprocess

# uncomment this section if you want to block eduroam users from # you other SSIDs. The attribute name ( Called-Station-Id ) may # differ based on your controller #if ( Called-Station-Id !~ /eduroam$/i) { # update control { # Proxy-To-Realm := local # } #}

eap { ok = return }

files expiration logintime packetfence}

In/usr/local/pf/raddb/sites-enabled/packetfence-tunnel,modifythepost-authsectionlikethis.Ifyou omit this change the request will be sent to PacketFence where it will be failed since theeduroamserversarenotpartofyourconfiguredswitches.

raddb/sites-enabled/packetfence-tunnelexample:

post-auth { exec

# we skip packetfence when the request is coming from the eduroam servers if ( "%{client:shortname}" != "tlrs1" && \ "%{client:shortname}" != "tlrs2" ) { packetfence }

Post-Auth-Type REJECT { attr_filter.access_reject }}

Finally,makesurethattherealmsmoduleisconfiguredthisway(see/usr/local/pf/raddb/modules/realm):

raddb/modules/realmexample:

Chapter12


# 'username@realm'realm suffix { format = suffix delimiter = "@"}

# 'domain\user'realm ntdomain { format = prefix delimiter = "\\" ignore_null = yes}

Fingerbankintegration

Fingerbank,agreatdeviceprofilingtooldevelopedalongsideofPacketFence,nowintegrateswithittopower-upthefeaturesetallowingaPacketFenceadministratortoeasilytriggerviolationsbasedondifferentdevicetypes,deviceparents,DHCPfingerprints,DHCPvendorIDs,MACvendorsandbrowseruseragents.

Thecoreofthat integrationresides intheabilityforaPacketFencesystem,to interactwiththeFingerbankupstreamproject,whichthenallowadailybasisfingerprintsdatabaseupdate,sharingunknowndatasothatmorecomplexalgorithmscanprocessthatnewdatatointegrateitintheglobaldatabase,queryingtheglobalupstreamdatabaseinthecaseofanunknownmatchandmuchmore.

SincetheFingerbankintegrationisnowthe"defacto"deviceprofilingtoolofPacketFence,itwasarequirementtomakeitassimpleaspossibletoconfigureandtouse.FromthemomentaworkingPacketFencesystemis inplace,Fingerbank isalsoreadytobeused,butonly ina"local"mode,whichmeans,nointeractionwiththeupstreamFingerbankproject.

OnboardingTobenefitfromalltheadvantagesoftheFingerbankproject,theonboardingstepisrequiredtocreateanAPIkeythatwill thenallow interactionwiththeupstreamproject.Thatcaneasilybedoneonlybygoinginthe"Settings"menuitemunderthe"Fingerbank"sectionofthePacketFence"Configuration"tab.Fromthere,aneasyprocesstocreateandsaveanuser/organizationspecificAPIkeycanbefollowed.Oncecompleted,thefullfeaturesetofFingerbankcanbeused.

UpdateFingerbankdatabaseUpdatingtheFingerbankdatacantbeeasier.Theonlyrequirementistheonboardingprocesswhichallowsyoutointeractwithupstreamproject.Oncedone,anoptionto"UpdateFingerbankDB"canbefoundontopofeverymenuitemsectionsunder"Fingerbank".Processmaytakeaminuteortwo,dependingonthesizeofthedatabaseandtheinternetconnectivity,afterwhichasuccessorerrormessagewillbeshowaccordingly."Local"recordsareNOTbeingmodifiedduringthisprocess.

Chapter12


SubmitunknowndataSayingthatwedontknoweverythingisnotfalsemodesty.Inthatsense,the"SubmitUnknown/UnmatchedFingerprints"optionismadeavailable(afteronboarding)sothatunknownfingerprintingdatagoinginandoutonyournetworkcaneasilybesubmittedtotheupstreamFingerbankprojectforfurtheranalysisandintegrationtheintheglobaldatabase.

UpstreaminterogationBydefault,PacketFenceisconfiguredtointerogatetheupstreamFingerbankproject(ifonboardinghasbeencompleted

administrationguide - packetfence · or"127.0.0.1")thatpacketfencewillbeinstalledon

Documents