Developers guide

Chapter 5
Copyright © 2008-2013 Inverse inc.
Configuration
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can
be done using Telnet. Starting with 1.8, you can also use SSH. To do so, edit the switch config
file (/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. To
do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following
parameters:
wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd
Note
As of PacketFence 1.9.1, few switches require Web Services configuration in order to
work. It can also be done through the Web Administration Interface under Configuration
→ Switches.
Radius Secret
For certain authentication mechanisms, such as 802.1X or MAC Authentication, the RADIUS server needs
to have the network device in its client list. As of PacketFence 3.0, we now use a database backend to
store the RADIUS client information. In order to do so, edit the switch config file
(/usr/local/pf/conf/switches.conf) and set the following parameters:
radiusSecret = secretPassPhrase
Also, starting with PacketFence 3.1, the RADIUS secret is required for our support of RADIUS Dynamic
Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.
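The CLI, Web Services and RADIUS parameters above all hold credentials, and Telnet and http carry cliPwd and wsPwd over the network in cleartext. The following audit script is an added example, not part of PacketFence or of the original guide. It assumes switches.conf is an INI file with one section per switch and a [default] section that switches inherit from; the function name audit_switches and the sample addresses and values are hypothetical.

```python
import configparser

# Constructed sample in the INI layout assumed here (one section per switch,
# inheriting from [default]); addresses and values are illustrative only.
SAMPLE = """
[default]
cliTransport = Telnet
wsTransport = http

[192.0.2.10]
cliTransport = SSH
cliUser = admin
cliPwd = admin_pwd
wsTransport = https
radiusSecret = secretPassPhrase

[192.0.2.11]
cliUser = netops
cliPwd = Xk7-constructed-value
radiusSecret =
"""

# Placeholder values printed in the guide that should never reach production.
PLACEHOLDERS = {"admin_pwd", "secretpassphrase"}
CLEARTEXT = {"clitransport": "telnet", "wstransport": "http"}
SECRET_KEYS = ("clipwd", "wspwd", "radiussecret")


def audit_switches(text):
    """Return sorted (section, parameter, issue) findings for a switches.conf body."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        sw = cp[section]  # lookups fall back to [default] for unset keys
        for key, bad in CLEARTEXT.items():
            if sw.get(key, "").strip().lower() == bad:
                findings.append((section, key, "cleartext transport"))
        for key in SECRET_KEYS:
            if key in sw and sw[key].strip().lower() in PLACEHOLDERS:
                findings.append((section, key, "documentation placeholder"))
        if not sw.get("radiussecret", "").strip():
            findings.append((section, "radiussecret", "not set"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_switches(SAMPLE):
        print(*finding, sep=": ")
```

A transport finding inherited from [default] is reported for every switch that does not override it, so fixing the default section clears those entries at once.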
Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The
idea is that these rules can control what a user can or cannot do much more precisely than
VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices that support it. The current role assignment strategy is
to assign the role along with the VLAN (that may change in the future). A special internal role to external role
assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).