Developers guide
Chapter 7
Copyright © 2008-2013 Inverse inc.
Optional components
status, etc) to a RADIUS Server or a DHCP server. The section below explains how to set up SoH policies
with PacketFence.
Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in
/usr/local/pf/conf/radiusd/eap.conf.
soh=yes
soh-virtual-server = "soh-server"
Restart the RADIUS service afterward.
On the client side, to enable SoH for EAP, do the following (Windows 7 example):
sc config napagent start= auto
sc start napagent
:: Wired 802.1X
sc config dot3svc start= auto depend= napagent
sc start dot3svc
netsh nap client show config
:: get the "ID" value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable
The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings.
Those steps can be easily configured using GPOs.
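The client-side steps above as a single script with the ID lookup automated. This is an added example, not part of the PacketFence guide. It assumes an elevated PowerShell prompt and English-language netsh output that lists each enforcement client as a "Name = ..." line followed by an "ID = ..." line; the function name Get-NapEnforcementClientId is hypothetical.

```powershell
# Added example (not from the PacketFence guide): enables NAP/SoH for wired
# 802.1X on a Windows client. Run from an elevated PowerShell prompt.
# Assumption: "netsh nap client show config" prints every enforcement client
# as a "Name = ..." line followed by an "ID = ..." line (English output).

$clientName = 'EAP Quarantine Enforcement Client'

# Hypothetical helper: returns the ID of the named enforcement client, or $null.
function Get-NapEnforcementClientId {
    param([string[]]$ConfigLines, [string]$Name)
    $inBlock = $false
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            # A new client block starts; note whether it is the one we want.
            $inBlock = ($Matches[1] -eq $Name)
        } elseif ($inBlock -and $line -match '^\s*ID\s*=\s*(\d+)\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

# In PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
# sc.exe expects a space between "option=" and its value.
sc.exe config napagent start= auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not configure the napagent service' }
sc.exe start napagent | Out-Null      # non-zero here may just mean "already running"

# Wired 802.1X service, made dependent on the NAP agent.
sc.exe config dot3svc start= auto depend= napagent | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Could not configure the dot3svc service' }
sc.exe start dot3svc | Out-Null

# Look up the enforcement client ID instead of copying it by hand.
$config = netsh nap client show config
$id = Get-NapEnforcementClientId -ConfigLines $config -Name $clientName
if (-not $id) { throw "Enforcement client '$clientName' not found in netsh output" }

netsh nap client set enforce id=$id admin=enable
if ($LASTEXITCODE -ne 0) { throw "netsh could not enable enforcement client $id" }

Write-Output "Enabled '$clientName' (ID $id)."
# The "Enforce Network Access Protection" checkbox in the EAP profile
# is not set by this script and still has to be selected.
```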
Configuration of SoH policy
In order to enforce an SoH policy, we need to create it first. This is done using the Configuration →
Compliance → Statement of Health module.
Policy example
Let’s walk through an example situation. Suppose you want to display a remediation page to clients that
do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger
the violation when "anti-virus is disabled", and finally, reload the violations.
First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf file:
[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=trap,email,log
enabled=Y