Developers guide
Chapter 5
Copyright © 2008-2013 Inverse inc.
Configuration 28
ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in
If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of
preventing machines in isolation from attempting to attack each other.
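The first-match behaviour of the PF_REGISTRATION ACL above can be checked offline with a small evaluator. This is an added example, not part of the PacketFence guide; the client address 192.168.20.50, the outside address 203.0.113.10 and the function names are assumptions made for illustration.

```python
import ipaddress

# ACL body copied from the page (PF_REGISTRATION, inbound on interface vlan 20).
ACL = """\
permit ip any host 192.168.2.1
permit udp any any eq 67
deny ip any any log
"""

def parse_rule(line):
    """Parse the small subset of IOS extended-ACL syntax used above."""
    tok = line.split()
    rule = {"action": tok[0], "proto": tok[1], "log": tok[-1] == "log"}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            rule[side], i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif tok[i] == "host":
            rule[side], i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:
            raise ValueError("unsupported address spec: " + tok[i])
    # "eq N" after the destination address is a destination-port match.
    rule["dport"] = int(tok[i + 1]) if tok[i:i + 1] == ["eq"] else None
    return rule

RULES = [parse_rule(l) for l in ACL.splitlines() if l.strip()]

def evaluate(proto, src, dst, dport=None):
    """Return (action, logged) for the first rule that matches the packet."""
    for r in RULES:
        if r["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in r["src"]:
            continue
        if ipaddress.ip_address(dst) not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["log"]
    return "deny", False  # implicit deny that ends every IOS ACL

# Constructed sample packets (hypothetical client 192.168.20.50).
SAMPLES = [
    ("udp", "0.0.0.0", "255.255.255.255", 67),      # DHCP discover
    ("tcp", "192.168.20.50", "192.168.2.1", 80),    # traffic to 192.168.2.1
    ("tcp", "192.168.20.50", "203.0.113.10", 443),  # anything else
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(*pkt))
```

Traffic between two hosts inside 192.168.20.0/24 is switched at layer 2 and never crosses interface vlan 20, so neither this evaluator nor the ACL on that interface covers it; that is the gap the edge-switch ACL closes.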
FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. In some cases, a RADIUS server is mandatory
in order to give access to the network. For example, WPA2-Enterprise (Wireless 802.1X), MAC
authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices,
and then to push the proper VLAN to the network equipment.
Option 1: Dynamic switch configuration
Since PacketFence version 4.1 you can enable dynamic clients. This means that when you add
a new switch configuration in PacketFence's administration interface you don't have to restart the radiusd
service.
To enable this feature, make a symlink in the /usr/local/pf/raddb/sites-enabled directory:
ln -s ../sites-available/dynamic-clients dynamic-clients
and of course restart radiusd:
/usr/local/pf/bin/pfcmd service radiusd restart
Option 2: Authentication against Active Directory (AD)
Replace /usr/local/pf/raddb/modules/mschap with the following configuration: