PacketFence Administration Guide for version 4.1.
PacketFence Administration Guide by Inverse Inc. Version 4.1.0 - December 2013 Copyright © 2008-2013 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Table of Contents
About this Guide
  Other sources of information
Introduction
  Features
SNMP Traps Limit
Billing Engine
Portal Profiles
OAuth2 Authentication
Chapter 1 About this Guide
This guide will walk you through the installation and the day-to-day administration of the PacketFence solution. The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
Network Devices Configuration Guide: covers switch, controller and access point configuration.
Developers Guide: covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
Chapter 2 Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort/Suricata IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.
module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.
Registration
PacketFence supports an optional registration mechanism similar to "captive portal" solutions.
Guest Access
PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet; the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how their access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports bulk creation and import of guest accounts.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall / gateway.
Components
Chapter 3 System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL)
- Web server (Apache)
Depending on your setup you may have to install additional components like:
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
- Intel or AMD CPU 3 GHz
- 4 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card
  - +1 for high-availability
  - +1 for intrusion detection
Operating System Requirements
PacketFence supports the following operating systems on the i386 or x86_64 architectures:
- Red Hat Enterprise Linux 6.x Server
- Community ENTerprise Operating System (CentOS) 6.x
- Debian 7.0 (Wheezy)
- Ubuntu 12.04 LTS
Make sure that you can install additional packages from your standard distribution.
Chapter 4 Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with a minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated.
# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.`uname -m`.rpm
# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/`uname -i`/epel-release-6-8.noarch.rpm
# rpm -Uvh http://repo.openfusion.net/centos6-`uname -i`/openfusion-release-0.6.2-1.of.el6.noarch.rpm
Then disable these repositories by default. Under /etc/yum.repos.d/ edit rpmforge.repo, epel.repo and openfusion.repo and set enabled to 0 under every section, like this:
enabled = 0
Under RHEL 6.
Software Download
PacketFence provides an RPM repository for RHEL / CentOS instead of a single RPM file. For Debian and Ubuntu, PacketFence also provides package repositories. These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL / CentOS
In order to use the repository, create a file named /etc/yum.repos.d/PacketFence.
Or when using Ubuntu 12.04 LTS:
deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise
Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.
Chapter 5 Configuration
In this section, you’ll learn how to configure PacketFence. PacketFence will use MySQL, Apache, ISC DHCP, iptables and FreeRADIUS. As previously mentioned, we assume that those components run on the same server on which PacketFence is being installed.
First Step
The first step after installing the necessary packages is the configuration step. PacketFence provides a helpful and detailed web-based configurator.
Web-based Administration Interface
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence’s web-based configuration tool, you should have set the password for the admin user. If not, the default password is also admin. Once PacketFence is started, the administration interface is available at: https://<ip_of_packetfence>:1443/
Global configuration file (pf.conf)
The /usr/local/pf/conf/pf.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access. Upon PacketFence installation, self-signed certificates are created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced at any time by your third-party or existing wildcard certificate without problems.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
- Active Directory
- Apache htpasswd file
- Email
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- Null
- RADIUS
- SMS
- Sponsored Email
Moreover, PacketFence can also authenticate users defined in its own internal SQL database.
Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence’s internal database, both using PacketFence’s captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:
- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.
Network Devices Definition (switches.conf)
This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section. PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it in the Web Administration panel under Configuration → Network → Switches.
From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can also use SSH. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
The current format is the following:
Format: Role=
And you assign it to the global roles parameter or the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales.
Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces: a node registered on the first inline interface is marked with its ip:mac pair, so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first VLAN. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change VLAN.
dns: PacketFence IP address in this network.
By default no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface.
[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4
Repeat the above for all your production VLANs, then restart PacketFence.
Host production DHCP on PacketFence
It’s an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in DHCP and DNS Server Configuration (networks.conf) for your locally accessible network. If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only.
[interface eth0.2]
enforcement=vlan
ip=192.168.2.
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.
ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in
If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{StrippedUser-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Samba / Kerberos / Winbind
Install Samba 3 and NOT Samba 4. You can either use the sources or use the package for your OS.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }
[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.
[global]
 workgroup = DOMAIN
 server string = pf_server_name
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
For Debian and Ubuntu:
[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.
Note that for Debian and Ubuntu you will probably have this error:
# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
# Join to domain is not valid: Invalid credentials
Finally, start winbind, and test the setup using ntlm_auth and radtest:
# service winbind start
# chkconfig --level 345 winbind on
For CentOS/RHEL:
# usermod -a -G wbpriv pf
For Debian and Ubuntu:
# chgrp pf /var/run/samba/winbindd_privileged/
# ntlm_auth --username myDomainUser
# radtest -t mschap -x myDo
# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Debug
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log. If this didn’t help, run FreeRADIUS in debug mode.
Log files
Here are the most important PacketFence log files:
/usr/local/pf/logs/packetfence.
Proxy Interception
In PacketFence you are now able to intercept proxy requests and forward them to the captive portal. It only works in a layer 2 network because PacketFence must be the default gateway of your device. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception. Add the ports you want to intercept, like 8080 and 3128, and add a new entry in the /etc/hosts file to resolve the FQDN of the captive portal to 127.0.0.
Chapter 6 Configuration by example
Here is an end-to-end sample configuration of PacketFence in "Hybrid" mode (VLAN mode and Inline mode at the same time).
Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:
- There are two different types of manageable switches in our network: Cisco Catalyst 2900XL and Cisco Catalyst 2960, and one unmanageable device.
Network Interfaces
Here are the NIC startup scripts on PacketFence.
/etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
BROADCAST=192.168.1.255
IPADDR=192.168.1.5
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet
/etc/sysconfig/network-scripts/ifcfg-eth0.2:
DEVICE=eth0.2
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.2.1
NETMASK=255.255.255.0
VLAN=yes
/etc/sysconfig/network-scripts/ifcfg-eth0.3:
DEVICE=eth0.3
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.3.1
NETMASK=255.255.255.
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none
Trap receiver
PacketFence uses snmptrapd as the trap receiver. It stores the community name used by the switch to send traps in the switch config file (/usr/local/pf/conf/switches.conf):
[default]
SNMPCommunityTrap = public
Switch Setup
In our example, we enable linkUp/linkDown on a Cisco 2900XL and Port Security on a Cisco Catalyst 2960.
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
On each interface, you need to initialize the port security by authorizing a fake MAC address with the following commands:
switchport access vlan 4
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
SNMPCommunityTrap = public
SNMPVersion = 1
defaultVlan = 1
registrationVlan = 2
isolationVlan = 3
macDetectionVlan = 4
VoIPEnabled = no
[192.168.1.100]
type = Cisco::Catalyst_2900XL
mode = production
uplink = 24
[192.168.1.
[general]
domain=yourdomain.org
#Put your External/Infra DNS servers here
dnsservers=4.2.2.2,4.2.2.1
dhcpservers=192.168.2.1,192.168.3.1,192.168.5.1
[trapping]
registration=enabled
detection=enabled
range=192.168.2.0/24,192.168.3.0/24,192.168.5.0/24
[interface eth0]
mask=255.255.255.0
type=management
gateway=192.168.1.1
ip=192.168.1.5
[interface eth0.2]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.2.1
ip=192.168.2.1
[interface eth0.3]
mask=255.255.255.
[interface eth0]
mask=255.255.255.0
type=management
gateway=192.168.1.1
ip=192.168.1.5
vip=192.168.1.6
networks.conf
Here is the /usr/local/pf/conf/networks.conf file for our setup. For more information about networks.conf see DHCP and DNS Server configuration.
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.
In order to have the inline mode working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file, and execute sysctl -p to reload the kernel parameters.
Chapter 7 Optional components
Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.
Configuration
PacketFence will provide you with a basic suricata.yaml that you can modify to suit your own needs. The file is located in /usr/local/pf/conf.
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of that violation.
vlan
trap: Isolate the host and place it in violation. It opens a violation and leaves it open. If trap is not there, a violation is opened and then automatically closed.
winpopup: send a Windows popup message. You need to configure [alerting].winserver and [alerting].netbiosname in pf.conf when using this option.
external: execute an external [paths].externalapi.
close: close the violation ID specified in the vclose field.
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
window=0
vclose=
target_category=
button_text=Enable Network
snort_rules=local.rules,bleeding-attack_response.rules,bleeding-exploit.rules,bleeding-p2p.rules,bleeding-scan.rules,bleeding-virus.rules
vlan=isolationVlan
whitelisted_categories=
max_enable: Number of times a host will be able to try and self-remediate before it is locked out and has to call the help desk.
Note
violations.conf is loaded at startup. A restart is required when changes are made to this file.
Example violation
In our example we want to isolate people using Limewire. Here we assume Snort is installed and configured to send alerts to PacketFence. Now we need to configure PacketFence isolation. Enable the Limewire violation in /usr/local/pf/conf/violations.conf and configure it to trap.
[2001808]
desc=P2P (Limewire)
priority=8
url=/content/index.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is to download both the scan configuration and the report format from the OpenVAS web GUI and read the IDs from the filenames. For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.
Using Nessus:
trigger=Nessus::
Using OpenVAS:
trigger=OpenVAS::
Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:
$ pfcmd reload violations
Note
Violations will trigger only if the plugin reports a vulnerability of higher than low severity.
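The following Python script is an added example (not PacketFence's own code) showing how a violations.conf like the [defaults] block and the Limewire example above resolves an incoming alert: every [vid] section inherits from [defaults], only enable=Y violations fire, and the host is isolated only when trap is among the actions. The Detect:: prefix for Snort SID triggers, and every ID other than 2001808, are assumptions made for this example.

```python
"""Resolve an IDS or scanner alert to a PacketFence violation.

Added example, not PacketFence's own code. It mirrors how violations.conf is
read: each [vid] section inherits every key from [defaults], a violation only
fires when enable=Y, and the host is isolated only if "trap" is among its
actions. Assumption: Snort SID triggers are written as Detect::<sid>; Nessus
and OpenVAS triggers use the Nessus::<id> and OpenVAS::<oid> forms.
"""
import configparser
import re

# Constructed sample violations.conf (not the file shipped with PacketFence).
# IDs other than the Limewire SID 2001808 are made up for the example.
SAMPLE_VIOLATIONS_CONF = """
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
window=0
vclose=
vlan=isolationVlan

[2001808]
desc=P2P (Limewire)
priority=8
actions=trap,email,log
enable=Y
trigger=Detect::2001808

[1100001]
desc=Outdated browser plugin (scanner finding)
actions=trap,email,log
enable=Y
trigger=Nessus::900001,OpenVAS::1.2.3.4.5

[1100002]
desc=Disabled example (inherits enable=N from defaults)
trigger=Detect::2002000
"""

_GRACE_UNITS = {"s": 1, "m": 60, "h": 3600, "D": 86400}


def parse_grace(value):
    """'120m' -> 7200 seconds; a bare number is read as seconds."""
    m = re.fullmatch(r"(\d+)([smhD]?)", value.strip())
    if not m:
        raise ValueError("bad grace value: %r" % value)
    return int(m.group(1)) * _GRACE_UNITS[m.group(2) or "s"]


def load_violations(text):
    """Return {vid: settings} with [defaults] merged under every [vid]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    defaults = dict(cp["defaults"]) if cp.has_section("defaults") else {}
    violations = {}
    for vid in cp.sections():
        if vid == "defaults":
            continue
        merged = dict(defaults)
        merged.update(cp[vid])  # per-violation keys override the defaults
        violations[vid] = merged
    return violations


def build_trigger_index(violations):
    """Map (trigger_type, trigger_id) -> vid from each 'trigger=' list."""
    index = {}
    for vid, cfg in violations.items():
        for item in cfg.get("trigger", "").split(","):
            item = item.strip()
            if not item:
                continue
            ttype, _, tid = item.partition("::")
            index[(ttype, tid)] = vid
    return index


def match_alert(violations, index, ttype, tid):
    """What PacketFence would do for one alert; None if nothing matches."""
    vid = index.get((ttype, tid))
    if vid is None:
        return None
    cfg = violations[vid]
    actions = [a.strip() for a in cfg.get("actions", "").split(",") if a.strip()]
    return {
        "vid": vid,
        "desc": cfg.get("desc", ""),
        "enabled": cfg.get("enable", "N").upper() == "Y",
        "trap": "trap" in actions,  # isolate the host and keep the violation open
        "vlan": cfg.get("vlan", ""),
        "priority": int(cfg.get("priority", "0")),
        "max_enable": int(cfg.get("max_enable", "0")),
        "grace_seconds": parse_grace(cfg.get("grace", "0")),
    }


if __name__ == "__main__":
    v = load_violations(SAMPLE_VIOLATIONS_CONF)
    idx = build_trigger_index(v)
    for alert in (("Detect", "2001808"), ("Nessus", "900001"), ("Detect", "1")):
        print(alert, match_alert(v, idx, *alert))
```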
- You just have to change the host value to the Nessus server IP.
RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.
Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse.
Oinkmaster
Oinkmaster is a Perl script that makes it very easy to update the different Snort rules. It is simple to use and install. This section will show you how to set up Oinkmaster to work with PacketFence and Snort. Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
Here are the steps to make Oinkmaster work.
Caution
Right now PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security. For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security). A floating network device is a device that PacketFence does not manage as a regular device.
trunkPort: Yes/no. Should the port be configured as a multi-VLAN port?
pvid: VLAN in which PacketFence should put the port.
taggedVlan: Comma-separated list of VLANs. If the port is multi-VLAN, these are the VLANs that have to be tagged on the port.
Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which permit different accesses to the network resources.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Configuration → Users → Create menu.
Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence’s firewall and Apache ACLs allow access to the /signup page on the portal even from a remote location.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf. Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months), or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
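As an added example (not PacketFence code), the Python below computes the access expiry from these components, including the relative base with Monday-based weeks and month arithmetic that clamps the day of month. It assumes the components are concatenated in the order DURATION, DATETIME_UNIT, then an optional PERIOD_BASE and an optional OPERATOR followed by a second DURATION and DATETIME_UNIT (for instance 12h, 1WR or 1MF-1D); that order is an assumption of this example.

```python
"""Compute the expiry of a guest access duration such as "12h" or "1MR+1D".

Added example, not PacketFence's own code. Assumed spec layout:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE>[<OPERATOR><DURATION><DATETIME_UNIT>]]
  PERIOD_BASE F = count from now; R = count from the start of the unit period
  (weeks start on Monday). The optional +/- part adjusts the computed end.
"""
import calendar
import re
from datetime import datetime, timedelta

_SPEC = re.compile(r"^(\d+)([smhDWMY])(?:([FR])(?:([+-])(\d+)([smhDWMY]))?)?$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 7 * 86400}


def period_start(now, unit):
    """Beginning of the unit period that contains `now`."""
    if unit == "s":
        return now.replace(microsecond=0)
    if unit == "m":
        return now.replace(second=0, microsecond=0)
    if unit == "h":
        return now.replace(minute=0, second=0, microsecond=0)
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())  # weekday() == 0 is Monday
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # unit == "Y"


def add_duration(dt, count, unit):
    """Add `count` units (may be negative). Months and years clamp the day of
    month, so Jan 31 + 1M lands on the last day of February."""
    if unit in _SECONDS:
        return dt + timedelta(seconds=count * _SECONDS[unit])
    months = count * (12 if unit == "Y" else 1)
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def access_end(spec, now):
    """Return the datetime at which access granted at `now` expires."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError("invalid access duration: %r" % spec)
    count, unit, base, op, count2, unit2 = m.groups()
    start = period_start(now, unit) if base == "R" else now
    end = add_duration(start, int(count), unit)
    if op:
        sign = 1 if op == "+" else -1
        end = add_duration(end, sign * int(count2), unit2)
    return end


if __name__ == "__main__":
    now = datetime(2013, 12, 18, 15, 30)  # constructed reference time, a Wednesday
    for spec in ("12h", "3D", "1WR", "1MR", "1MF-1D", "1YR+1D"):
        print(spec, "->", access_end(spec, now))
```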
status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.
Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:
soh=yes
soh-virtual-server = "soh-server"
Restart the RADIUS service afterward. On the client side, to enable SoH for EAP, do the following (Windows 7 example):
sc config napagent start= auto
sc start napagent
:: Wired 802.
Note
You may also want to set other attributes such as auto_enable, grace, etc. When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list, and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → Provisioning section.
Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, the user simply needs to click on that link and follow the instructions on their device. It is that simple.
[default]
billing_engine = enabled
...
Billing engine parameters are specified in conf/pf.conf or from Configuration → Billing:
[billing]
gateway = authorize_net
authorizenet_posturl = The payment gateway processing URL
authorizenet_login = The merchant's unique API Login ID
authorizenet_trankey = The merchant's unique Transaction Key
It is also possible to configure multiple network accesses with different prices.
OAuth2 Authentication
The captive portal of PacketFence allows a guest/user to register using their Google, Facebook or Github account. For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider's login page. This list is available in each OAuth2 authentication source. In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in the /etc/sysctl.
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you input the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/github. Of course, replace the hostname with the values from general.hostname and general.domain. Once you have your information, you need to configure the OAuth2 provider.
Chapter 8 Operating System Best Practices
Iptables
IPTables is now entirely managed by PacketFence. If you need to add custom rules, you can modify conf/iptables.conf to your own needs; however, the default template should work for most users.
Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using either logrotate or log4perl to periodically rotate your logs.
Once you have downloaded those packages, you need to modify the logging configuration file (conf/log.conf) with something like the following example. Note that log4perl is almost the same as log4j, so you should be able to find a lot of documentation online.
log4perl.appender.LOGFILE=Log::Dispatch::FileRotate
log4perl.appender.LOGFILE.filename=/usr/local/pf/logs/packetfence.log
log4perl.appender.LOGFILE.mode=append
log4perl.appender.LOGFILE.autoflush=1
log4perl.appender.LOGFILE.size=51200000
log4perl.
- pf2 is the second PacketFence server
- PacketFence is properly configured on each server
- the DRBD partition is 30G in size
- we use Heartbeat v1
Creation of the DRBD partition
During the OS installation, reduce the size of the main partition and create a new one (that will be used for the replicated MySQL database) of 30G. In order to do so, on VolGroup00:
- leave at least 30G of drive space for a new partition. Do not create that partition during the install process; we will do it later.
global {
    usage-count yes;
}
common {
    protocol C;
}
resource mysql {
    syncer {
        rate 100M;
        al-extents 257;
    }
    startup {
        degr-wfc-timeout 120;  # 2 minutes.
    }
    disk {
        on-io-error detach;
    }
    device /dev/drbd0;
    disk YOUR_PARTITION_DEVICE;
    meta-disk internal;
    on pf1_server_name {
        address x.x.x.x:7788;
    }
    on pf2_server_name {
        address y.y.y.y:7788;
    }
}
where:
- mysql is the name of the partition you created when installing the OS
- pf1_server_name and pf2_server_name are to be replaced by the real server names
- x.x.x.x and y.y.
Make sure you see something like this in /proc/drbd:
...
 0: cs:Connected ro:Secondary/Secondary ds:Inconsistent/Inconsistent C r---
    ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:30702640
Synchronize the servers by forcing one to become the primary. So on pf1 do:
# drbdadm -- --overwrite-data-of-peer primary mysql
After issuing this command, the initial full synchronization will start. You will be able to monitor its progress via /proc/drbd.
- eth0.z is the name of the NIC configuration file (/etc/sysconfig/network-scripts/ifcfg-eth0.z) dedicated to the IP address in VLAN z (isolation for example).
Create the /etc/ha.d/resource.d/IfUp script that will mount the IP addresses in Registration and Isolation (eth0.y, eth0.z) with the following content:
case "$2" in
start)
    echo -n "Mounting $1"
    /sbin/ifup $1
    echo "."
    ;;
stop)
    echo -n "Unmounting $1"
    /sbin/ifdown $1
    echo ".
Look at the Heartbeat log file /var/log/ha-log to make sure that everything is fine.
Enable HB automatic start
# chkconfig --level 345 heartbeat on
RADIUS HA configuration
If you configured FreeRADIUS with your wireless setup and you configured redundancy, you could configure FreeRADIUS to answer only requests coming to the virtual IP. In order to do so, you need to modify the RADIUS configuration and add RADIUS to the managed resources.
Chapter 9 Performance optimization
MySQL optimizations
Tuning MySQL itself
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load
# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU
# iostat 5
[iostat output: avg-cpu lines (%user 0.60) and cciss/c0d0 device statistics, repeated every 5 seconds]
    mysql> show variables;
    [...]
    | innodb_additional_mem_pool_size | 1048576 |
    | innodb_autoextend_increment     | 8       |
    | innodb_buffer_pool_awe_mem_mb   | 0       |
    | innodb_buffer_pool_size         | 8388608 |
    [...]

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL

    # /etc/init.d/packetfence stop
    Shutting down PacketFence...                               [  OK  ]
    [...]
    # /etc/init.d/mysql stop
    Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.
    # uptime
    12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
    # iostat 5
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.99   13.37   83.03

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        8.00         0.00        75.20          0        376

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.20    0.00    2.60    6.60   90.60

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       14.97         0.00       432.73          0       2168

    [...]
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        4.80         0.00        48.            0        240
    Host 'host_name' is blocked because of many connection errors.
    Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid it at all costs. Ways to do so are to increase the maximum number of connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
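The following Python script checks a my.cnf for the settings this section is about (the InnoDB buffer pool left at its 8 MB default, a low max_connections, and a max_connect_errors small enough to produce the blocked-host error above). It is an added example, not a tool shipped with PacketFence; the two my.cnf contents are constructed, and the thresholds MIN_POOL_BYTES and MIN_MAX_CONNECTIONS are assumptions for illustration, not values the guide recommends. The MySQL 5.0 defaults used when an option is absent (max_connections 100, max_connect_errors 10) are the documented defaults for that release.

```python
import re

SIZE_RE = re.compile(r"^(\d+)([KMG]?)$", re.IGNORECASE)
MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Constructed my.cnf contents (not from a real server): a stock file and a tuned one.
DEFAULT_CNF = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mysqld.log
"""
TUNED_CNF = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
innodb_buffer_pool_size = 512M   # InnoDB pages cached in RAM
max_connections = 700
max_connect_errors = 1000
"""

# Thresholds are assumptions made for this example; the text only says to raise
# innodb_buffer_pool_size above the 8 MB default and to raise max_connections.
INNODB_DEFAULT_POOL = 8388608      # the value "show variables" reports in the text
MIN_POOL_BYTES = 256 * 1024 ** 2   # assumed floor for a dedicated PacketFence server
MIN_MAX_CONNECTIONS = 500          # assumed
MYSQL50_DEFAULTS = {"max_connections": "100", "max_connect_errors": "10"}


def parse_size(value):
    """'8M', '1G' or '8388608' -> bytes."""
    m = SIZE_RE.match(value.strip())
    if not m:
        raise ValueError("not a size: %r" % value)
    return int(m.group(1)) * MULT[m.group(2).upper()]


def parse_my_cnf(text):
    """Return {option: value} for the [mysqld] section, with dashes normalized to underscores."""
    opts = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        opts[key.strip().replace("-", "_")] = val.strip()
    return opts


def check_tuning(opts):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    pool = parse_size(opts.get("innodb_buffer_pool_size", str(INNODB_DEFAULT_POOL)))
    if pool <= INNODB_DEFAULT_POOL:
        findings.append("innodb_buffer_pool_size is at the 8 MB default; PacketFence relies heavily on InnoDB")
    elif pool < MIN_POOL_BYTES:
        findings.append("innodb_buffer_pool_size is below %d MB" % (MIN_POOL_BYTES // 1024 ** 2))
    max_conn = int(opts.get("max_connections", MYSQL50_DEFAULTS["max_connections"]))
    if max_conn < MIN_MAX_CONNECTIONS:
        findings.append("max_connections=%d is low for PacketFence" % max_conn)
    max_err = int(opts.get("max_connect_errors", MYSQL50_DEFAULTS["max_connect_errors"]))
    if max_err < 100:
        findings.append("max_connect_errors=%d: a host gets blocked after few failed connections" % max_err)
    return findings


if __name__ == "__main__":
    # On a real server: parse_my_cnf(open("/etc/my.cnf").read()).
    for name, cnf in (("stock", DEFAULT_CNF), ("tuned", TUNED_CNF)):
        print(name, check_tuning(parse_my_cnf(cnf)) or ["ok"])
```

Point it at /etc/my.cnf before restarting MySQL: a finding on max_connect_errors means the PacketFence host itself can end up blocked after a burst of failed connections during a restart.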
Chapter 10 Frequently Asked Questions

The PacketFence FAQ is now available online. Please visit: http://www.packetfence.org/support/faqs.html

Copyright © 2008-2013 Inverse inc.
Chapter 11 Technical introduction to VLAN enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on older switches that do not support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread.
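The difference between the two trap setups described above is easiest to see as a small state model. The Python below is an added teaching model of the decision flow, not pfsetvlan's code: the VLAN ids, the node table and the switch's polling answers are all constructed, and the linkDown behaviour (port back to the MAC detection VLAN) is an assumption of the model. It shows the registration / isolation / normal VLAN decision, the polling loop a linkUp trap forces when the switch sends no MAC notification, and how a MAC learnt trap lets the server skip that loop.

```python
# Assumed VLAN ids (constructed; real ids come from the switch configuration).
MAC_DETECTION_VLAN = 4   # void VLAN: no DHCP, not routed
REGISTRATION_VLAN = 2    # DHCP but no routing to other VLANs
ISOLATION_VLAN = 3       # for nodes with open violations
NORMAL_VLAN = 10         # production VLAN for registered, clean nodes

# Constructed stand-in for the node database.
NODES = {
    "52:54:00:12:35:02": {"status": "unreg", "open_violation": False},
    "52:54:00:aa:bb:cc": {"status": "reg", "open_violation": False},
    "52:54:00:de:ad:01": {"status": "reg", "open_violation": True},
}


def vlan_for_mac(mac):
    """Unknown or unregistered -> registration VLAN; open violation -> isolation; else normal."""
    node = NODES.get(mac)
    if node is None or node["status"] != "reg":
        return REGISTRATION_VLAN
    if node["open_violation"]:
        return ISOLATION_VLAN
    return NORMAL_VLAN


class Port:
    """State the server keeps for one switch port in this model."""
    def __init__(self, mac_notification):
        self.mac_notification = mac_notification  # does the switch send MAC learnt/removed traps?
        self.vlan = MAC_DETECTION_VLAN
        self.polls = 0  # how many times the switch had to be queried for the MAC


def on_link_up(port, poll_switch, max_polls=20):
    """linkUp: move the port to the MAC detection VLAN, then either free the thread
    (MAC notification enabled) or poll the switch until the MAC shows up."""
    port.vlan = MAC_DETECTION_VLAN
    if port.mac_notification:
        return "waiting-for-mac-notification"
    mac = None
    while mac is None and port.polls < max_polls:
        port.polls += 1
        mac = poll_switch(port)   # MAC learned on the port, or None if not yet
    if mac is None:
        return "mac-never-learned"
    port.vlan = vlan_for_mac(mac)
    return port.vlan


def on_mac_learnt(port, mac):
    """MAC notification trap: the MAC is known, so the VLAN can be assigned immediately."""
    port.vlan = vlan_for_mac(mac)
    return port.vlan


def on_link_down(port):
    """linkDown: in this model the port goes back to the MAC detection VLAN (assumption)."""
    port.vlan = MAC_DETECTION_VLAN
    port.polls = 0
    return port.vlan


def make_poller(answers):
    """Build a poll_switch() that returns the given answers in order (constructed switch behaviour)."""
    answers = list(answers)

    def poll_switch(port):
        return answers.pop(0) if answers else None
    return poll_switch


if __name__ == "__main__":
    legacy = Port(mac_notification=False)
    print("legacy switch:", on_link_up(legacy, make_poller([None, None, "52:54:00:aa:bb:cc"])), "after", legacy.polls, "polls")
    modern = Port(mac_notification=True)
    print("modern switch:", on_link_up(modern, make_poller([])), "then", on_mac_learnt(modern, "52:54:00:12:35:02"))
```

The max_polls cap is the part worth keeping in mind operationally: a port on which the MAC never shows up (a device that does not send traffic, or a switch that answers slowly) keeps a thread busy for the whole polling window, which is exactly the cost MAC notification traps remove.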
Chapter 12 Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network, and NATs or routes the traffic using IPTables to the Internet (or to another section of the network). Let's see how it works.
- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Does not handle routed networks
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B

This is why it is considered a poor
Chapter 13 Technical introduction to Hybrid enforcement

Introduction

Before version 3.6 of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now with the new hybrid mode, all the devices that support 802.1x or mac-auth can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1x, mac-auth).
Chapter 14 More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friends

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic.
Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

Mac Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain, and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes.
Chapter 15 Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:

- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions
Chapter 16 Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance, or align with best practices. Hourly rates or support packages are offered to best suit your needs. Please visit http://inverse.ca/support.html for details.
Chapter 17 GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionality. When executed without any arguments, pfcmd returns a basic help message with all main options:
    Usage: pfcmd.
The node view option shows all information contained in the node database table for a specified MAC address:

    # /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
    mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
    52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
    Usage: pfcmd_vlan command [options]

    Command:
      -deauthenticate          de-authenticate a dot11 client
      -deauthenticateDot1x     de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.
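The pipe-delimited table that "pfcmd node view" prints (shown above) is easy to post-process in scripts, and the empty fields carry meaning: no regdate and status "unreg" means the node never registered, and no switch/port means PacketFence has not located it yet. The Python below is an added example, not part of PacketFence, that parses that output into records and derives those operator-facing facts; the sample input is the exact output shown in the text, and the 16-column layout is taken from that header line.

```python
from datetime import datetime

# The "pfcmd node view" output shown in the text, embedded verbatim as sample input.
SAMPLE = (
    "mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|"
    "notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint\n"
    "52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||\n"
)
DATE_FIELDS = ("detect_date", "regdate", "unregdate", "lastskip", "last_arp", "last_dhcp")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_pfcmd_table(text):
    """Parse pfcmd's pipe-delimited table: the first line is the header, empty fields become None,
    date columns become datetime objects. A row with the wrong field count is rejected."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        fields = line.split("|")
        if len(fields) != len(header):
            raise ValueError("expected %d fields, got %d: %r" % (len(header), len(fields), line))
        row = {}
        for key, value in zip(header, fields):
            if value == "":
                row[key] = None
            elif key in DATE_FIELDS:
                row[key] = datetime.strptime(value, TS_FORMAT)
            else:
                row[key] = value
        rows.append(row)
    return rows


def node_summary(node):
    """What an operator wants to know: registered or not, located on a switch port or not,
    and for how long the node has been seen (detect_date to last_arp, in seconds)."""
    seen_for = None
    if node["detect_date"] and node["last_arp"]:
        seen_for = int((node["last_arp"] - node["detect_date"]).total_seconds())
    return {
        "mac": node["mac"],
        "registered": node["status"] == "reg",
        "located": node["switch"] is not None and node["port"] is not None,
        "seconds_seen": seen_for,
    }


def unregistered_macs(rows):
    """MACs that are not registered, e.g. to feed a report of devices sitting in the registration VLAN."""
    return [r["mac"] for r in rows if r["status"] != "reg"]


if __name__ == "__main__":
    # On a real server: text = subprocess.check_output(["/usr/local/pf/bin/pfcmd", "node", "view", mac]).
    for node in parse_pfcmd_table(SAMPLE):
        print(node_summary(node))
```

The same parser works for other pfcmd subcommands that print a header line followed by pipe-separated rows; only the DATE_FIELDS tuple needs to be extended when a table has other timestamp columns.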
Web Admin GUI

The Web Admin GUI, accessible using https on port 1443, shows the same information available using pfcmd.
Appendix B. Manual FreeRADIUS 2 configuration

Since we provide a working RPM package that contains pre-built RADIUS configuration files, those files no longer need to be modified by hand. However, this section remains useful as a reference.
    authorize {
        preprocess
        eap {
            ok = return
        }
        files
        expiration
        logintime
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    post-auth {
        perl
    }

In /usr/local/pf/raddb/users

Add the following line, which defines that non-EAP messages should, by default, lead to an authentication acceptance:

    DEFAULT EAP-Message !* "", Auth-Type := Accept

Comment or delete all other statements.

Optional: Wired or Wireless 802.1X configuration

Generate cryptographic material for the EAP tunnel (802.1X) to work.
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_file = /usr/local/pf/conf/ssl/server.key
            certificate_file = /usr/local/pf/conf/ssl/server.