Developers guide

Chapter 11
Copyright © 2008-2013 Inverse inc.
Technical introduction to VLAN enforcement
The supplicant (i.e., the client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as a user name / password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server's database), the supplicant (client device) is allowed to access the network. The authentication protocol is called the Extensible Authentication Protocol (EAP), which has many variants. Both the supplicant and the authentication server need to speak the same EAP variant. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and returns the appropriate VLAN to the switch. A module that integrates into FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices ship with an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch stops trying to perform 802.1X and falls back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (so there is no strong authentication: a MAC address is an identifier, not a secret). Using MAC Authentication, devices like network printers or non-802.1X-capable IP phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X, and wireless MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is also used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs over HTTPS).
More on SNMP traps VLAN isolation
When VLAN isolation works through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::SNMP class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
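As an added illustration of the trap-driven flow just described (not pfsetvlan's code, and not the real snmptrapd.log format, which depends on how snmptrapd is configured and on the vendor MIBs), the following reads a flat file of trap lines in a constructed format, checks each trap against a hypothetical per-switch capability table, and decides which VLAN the port should be set to. The switch addresses, port numbers, VLAN ids, node table and the "registration" VLAN for unknown devices are all constructed for this example.

```python
import re
from collections import namedtuple

Trap = namedtuple("Trap", "switch_ip kind port mac")

# Constructed line format for this example: "<switch-ip>|<trap-kind>|<port>[|<mac>]"
LINE_RE = re.compile(
    r"^(?P<ip>[\d.]+)\|(?P<kind>linkUp|linkDown|macNotification)\|(?P<port>\d+)"
    r"(?:\|(?P<mac>[0-9a-f:]{17}))?$"
)

# Hypothetical capability table: which traps each switch is known to send. A trap
# a switch cannot send (or from an unknown switch) is ignored rather than acted on.
SWITCH_TRAPS = {
    "192.0.2.10": {"linkUp", "linkDown", "macNotification"},  # switch with MAC notification
    "192.0.2.20": {"linkUp", "linkDown"},                     # switch with link traps only
}
VLANS = {"registration": 2, "isolation": 3, "employees": 10}
REGISTERED_MACS = {"00:11:22:33:44:55": "employees"}          # constructed node table


def parse_trap(line):
    """Parse one reformatted trap line; None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Trap(m["ip"], m["kind"], int(m["port"]), m["mac"])


def decide(trap):
    """Map a trap to ("setvlan", switch, port, vlan_id) or ("ignore", reason)."""
    if trap is None:
        return ("ignore", "unparseable")
    if trap.kind not in SWITCH_TRAPS.get(trap.switch_ip, set()):
        return ("ignore", "unexpected trap for switch")
    if trap.kind == "linkDown":
        # The device left: return the port to the registration VLAN so the next
        # device to plug in does not inherit the previous one's VLAN.
        return ("setvlan", trap.switch_ip, trap.port, VLANS["registration"])
    if trap.kind == "linkUp":
        if "macNotification" in SWITCH_TRAPS[trap.switch_ip]:
            # This switch will tell us the MAC shortly; act on that trap instead.
            return ("ignore", "wait for MAC notification")
        # Without MAC notification the MAC is not known from the trap alone, so the
        # port stays in the registration VLAN (learning the MAC is out of scope here).
        return ("setvlan", trap.switch_ip, trap.port, VLANS["registration"])
    # macNotification: the MAC on the port is known, so assign its VLAN.
    role = REGISTERED_MACS.get(trap.mac, "registration")
    return ("setvlan", trap.switch_ip, trap.port, VLANS[role])


def process_log(lines):
    """Run every line of the flat file through parse_trap and decide."""
    return [decide(parse_trap(line)) for line in lines]


# Constructed sample of what the reformatted flat file might contain.
SAMPLE_LOG = [
    "192.0.2.10|linkUp|3",
    "192.0.2.10|macNotification|3|00:11:22:33:44:55",
    "192.0.2.20|linkUp|7",
    "192.0.2.20|macNotification|7|00:11:22:33:44:55",
    "not a trap line",
    "192.0.2.10|linkDown|3",
]

if __name__ == "__main__":
    for line, action in zip(SAMPLE_LOG, process_log(SAMPLE_LOG)):
        print(f"{line!r:55} -> {action}")
```

The capability check is the part worth keeping in a real deployment: a trap receiver accepts unauthenticated UDP from the network, so a trap type the switch cannot legitimately send, or one from an address that is not a managed switch, should be logged and dropped rather than turned into a VLAN change. A multithreaded daemon such as pfsetvlan must also make sure that traps for the same switch port are handled in arrival order, otherwise a late linkDown could undo a later linkUp.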