Administration Guide - PacketFence
Administration Guide for PacketFence version 5.4.0

Administration Guide by Inverse Inc.
Version 5.4.0 - Oct 2015 Copyright 2015 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".
Copyright 2015 Inverse inc.
Table of Contents
About this Guide .... 1
    Other sources of information .... 1
Introduction .... 2
    Features .... 2
    Network Integration .... 5
    Components .... 5
System Requirements .... 7
    Assumptions .... 7
    Minimum Hardware Requirements .... 7
    Operating System Requirements .... 8
Installation .... 9
    OS Installation .... 9
    Software Download .... 10
    Software Installation .... 10
Get off on the right foot .... 12
Technical introduction to Inline enforcement .... 13
    Introduction .... 13
    Device configuration .... 13
    Access control .... 13
    Limitations .... 14
Technical introduction to Out-of-band enforcement .... 15
    Introduction .... 15
    VLAN assignment techniques .... 15
    More on SNMP traps VLAN isolation .... 17
Technical introduction to Hybrid enforcement .... 20
    Introduction .... 20
    Device configuration .... 20
Configuration .... 21
    Roles Management .... 21
    Authentication .... 22
    External API authentication .... 24
    Network Devices Definition (switches.conf) .... 25
    Portal Profiles .... 29
    FreeRADIUS Configuration .... 30
Debugging .... 42
    Log files .... 42
    RADIUS Debugging .... 42
More on VoIP Integration .... 44
    CDP and LLDP are your friend .... 44
    VoIP and VLAN assignment techniques .... 44
    What if CDP/LLDP feature is missing .... 45
Advanced topics .... 46
    Apple and Android Wireless Provisioning .... 46
    Billing Engine .... 47
    Devices Registration .... 48
    Eduroam .... 49
    Fingerbank integration .... 53
    Floating Network Devices .... 54
    OAuth2 Authentication .... 56
    Passthrough .... 58
    Production DHCP access .... 58
    Proxy Interception .... 60
    Routed Networks .... 60
    Statement of Health (SoH) .... 63
    VLAN Filter Definition .... 65
Optional components .... 68
    Blocking malicious activities with violations .... 68
    Compliance Checks .... 72
    RADIUS Accounting .... 78
    Oinkmaster .... 79
    Guests Management .... 79
    Active Directory Integration .... 83
    DHCP remote sensor .... 87
Operating System Best Practices .... 90
    IPTables .... 90
    Log Rotations .... 90
Performance optimization .... 91
    SNMP Traps Limit .... 91
    MySQL optimizations .... 91
    Captive Portal Optimizations .... 94
Additional Information .... 96
Commercial Support and Contact Information .... 97
GNU Free Documentation License .... 98
A. Administration Tools .... 99
    pfcmd .... 99
    pfcmd_vlan .... 100
Chapter 1
About this Guide
This guide will walk you through the installation and the day to day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
The following documents are included in the package and release tarballs.
Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration.
Developers Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
CREDITS: This is, at least, a partial file of PacketFence contributors.
NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.
UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.
ChangeLog: Covers all changes to the source code.
Chapter 2
Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
Features
Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.
In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.
Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.
Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.
Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work such as a Web server, a database server, and a RADIUS server. It interacts with external tools to extend its functionalities.
Chapter3
Copyright2015Inverseinc. SystemRequirements 7
SystemRequirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
Depending on your setup you may have to install additional components like:
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
The following table provides recommendations for the required components, together with version numbers:
MySQL server: MySQL 5.1
Web server: Apache 2.2
DHCP server: DHCP 4.1
RADIUS server: FreeRADIUS 2.2.x
Snort: Snort 2.9.1
Suricata: Suricata 1.4.1
More recent versions of the software mentioned above can also be used.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architecture:
- Red Hat Enterprise Linux 6.x Server
- Community ENTerprise Operating System (CentOS) 6.x
- Debian 7.0 (Wheezy)
- Ubuntu 12.04 LTS (Precise Pangolin)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)
Make sure that all the other services are automatically started by your operating system!
Chapter 4
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
Red Hat-based systems
Note: Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x
Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian and Ubuntu
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian and Ubuntu, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL/CentOS
In order to use the PacketFence repository:
# rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-2.centos6.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://@ip_of_packetfence:1443/configurator
Debian
You must enable the non-free repository:
For non-free, edit the file /etc/apt/sources.list and add non-free like that:
deb http://debian.mirror.iweb.ca/debian/ wheezy main non-free
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Ubuntu
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://@ip_of_packetfence:1443/configurator
Chapter 5
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Chapter 6
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is "talking" on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of.
- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than B
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
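As an added illustration of the "Access control" and "Limitations" sections above (example code written for this guide, not PacketFence's own rule set), the following sketches the ipset/iptables policy that inline enforcement relies on: unregistered MACs only reach DHCP/DNS and have their HTTP redirected to the captive portal, registered MACs are forwarded and NATed, and the set is created with the 65536-entry ceiling the text mentions. Interface names eth1/eth0 and the set name pf_inline_registered are assumptions; the rule shapes approximate the described behaviour rather than reproduce PacketFence's real rules.

```python
"""Inline enforcement policy sketch: ipset of registered MACs + iptables.

Added example, not PacketFence code. Interface names and the set name are
constructed for the example; rule shapes approximate the guide's description.
"""
import re
import shlex

# The guide states that an ipset holds at most 65536 entries, which caps an
# inline network at class B size.
IPSET_MAXELEM = 65536
REGISTERED_SET = "pf_inline_registered"   # constructed name


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff forms."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def inline_rules(inline_if, uplink_if, set_name=REGISTERED_SET):
    """Return the shell commands, in order, that build the inline policy.

    Devices whose MAC is absent from the set are unregistered: they may only
    talk DHCP/DNS to this host and their web traffic is redirected to the
    captive portal.  Registered MACs are forwarded and masqueraded towards
    the uplink; everything else on the inline interface is dropped.
    """
    q = shlex.quote
    registered = "-m set --match-set %s src" % q(set_name)
    unregistered = "-m set ! --match-set %s src" % q(set_name)
    return [
        # MAC-keyed set: one entry per registered device on the inline VLAN.
        "ipset create %s hash:mac maxelem %d" % (q(set_name), IPSET_MAXELEM),
        # Every device, registered or not, may reach PacketFence's DHCP and DNS.
        "iptables -A INPUT -i %s -p udp --dport 67 -j ACCEPT" % q(inline_if),
        "iptables -A INPUT -i %s -p udp --dport 53 -j ACCEPT" % q(inline_if),
        # Unregistered HTTP lands on the captive portal served by this host.
        "iptables -t nat -A PREROUTING -i %s %s -p tcp --dport 80 "
        "-j REDIRECT --to-ports 80" % (q(inline_if), unregistered),
        "iptables -A INPUT -i %s -p tcp -m multiport --dports 80,443 -j ACCEPT"
        % q(inline_if),
        # Registered MACs are forwarded to the uplink; the rest is dropped.
        "iptables -A FORWARD -i %s -o %s %s -j ACCEPT"
        % (q(inline_if), q(uplink_if), registered),
        "iptables -A FORWARD -i %s -j DROP" % q(inline_if),
        "iptables -t nat -A POSTROUTING -o %s -j MASQUERADE" % q(uplink_if),
    ]


def registration_command(mac, set_name=REGISTERED_SET):
    """Command that flips a device from unregistered to registered."""
    return "ipset add %s %s" % (shlex.quote(set_name), normalize_mac(mac))


def capacity_left(registered_count):
    """Entries still available before the 65536-entry ceiling is hit."""
    return max(IPSET_MAXELEM - registered_count, 0)
```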
Chapter 7
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence go to 8
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address go to 4. If it does go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated" role (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server)
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.)
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence which creates user + device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated" role, or in the "normal" VLAN
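Steps 3, 4, 7 and 8 of the flow above, written out as an added example (not PacketFence's code): the MAC audit decides between registration, isolation and normal VLAN, the answer is expressed as the RFC 2868 tunnel attributes sent back to the controller, and a successful registration flags that a CoA (RFC 3576) must follow. The node table, the VLAN ids 2/3/10 and the attribute dictionary shape are constructed for the example; the attribute values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID = VLAN id as text) are the standard RFC 2868 encoding.

```python
"""MAC-auth / 802.1X authorization decision returning RFC 2868 attributes.

Added example, not PacketFence code.  The node table and VLAN ids are
constructed; the attribute encoding follows RFC 2868.
"""
import re

REGISTRATION_VLAN = "2"   # constructed: captive portal / DNS blackhole VLAN
ISOLATION_VLAN = "3"      # constructed: devices with an open violation
NORMAL_VLAN = "10"        # constructed: production VLAN

# Constructed stand-in for the PacketFence node database, keyed by MAC.
NODES = {
    "00:11:22:33:44:55": {"registered": True, "open_violations": 0},
    "00:11:22:33:44:66": {"registered": True, "open_violations": 1},
    "00:11:22:33:44:77": {"registered": False, "open_violations": 0},
}


def normalize_mac(mac):
    """Controllers send Calling-Station-Id in several spellings; canonicalize."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan_id):
    """RFC 2868 attributes telling the NAS which VLAN to place the session in."""
    return {
        "Tunnel-Type": 13,               # VLAN
        "Tunnel-Medium-Type": 6,         # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(calling_station_id, nodes=NODES):
    """Steps 3/4/8: audit the MAC and choose the VLAN.

    Returns (decision, attributes).  Unknown or unregistered MACs go to the
    registration VLAN (step 4); registered MACs with an open violation go to
    the isolation VLAN; everything else lands in the normal VLAN (step 8).
    """
    mac = normalize_mac(calling_station_id)
    node = nodes.get(mac)
    if node is None or not node["registered"]:
        return "registration", vlan_attributes(REGISTRATION_VLAN)
    if node["open_violations"] > 0:
        return "isolation", vlan_attributes(ISOLATION_VLAN)
    return "normal", vlan_attributes(NORMAL_VLAN)


def register(calling_station_id, nodes=NODES):
    """Steps 6/7: record the registration and signal that a CoA is required
    so the controller re-authorizes the device (the flow returns to step 1)."""
    mac = normalize_mac(calling_station_id)
    nodes[mac] = {"registered": True, "open_violations": 0}
    return {"mac": mac, "coa_required": True}
```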
WebAuth mode
Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample webauth configuration on a Cisco WLC.
Port-security and SNMP
Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. pfsetvlan will then send periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
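The trap-driven workflow described above (MAC detection VLAN on linkUp, cancelling the pending linkUp work when a linkDown arrives on the same port, and choosing the registration, isolation or normal VLAN once a MAC is known) as an added example, not PacketFence's pfsetvlan code. The trap record shape, the node table, the VLAN numbers and the trap sequence are constructed assumptions for illustration:

```python
"""Out-of-band enforcement decisions driven by SNMP traps (illustrative model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed VLAN plan for one switch: registration, isolation, normal and MAC detection.
VLANS = {"registration": 2, "isolation": 3, "normal": 10, "macDetection": 4}


@dataclass
class Node:
    registered: bool
    open_violations: int = 0


@dataclass
class Trap:
    kind: str                 # "linkUp", "linkDown", "macLearnt" or "portSecurity"
    port: int                 # switch ifIndex
    mac: Optional[str] = None # carried by macLearnt / portSecurity traps only


def decide_vlan(mac: Optional[str], nodes: Dict[str, Node], vlans=VLANS) -> int:
    """Unknown or unregistered MAC -> registration VLAN; open violations ->
    isolation VLAN; otherwise the normal VLAN."""
    node = nodes.get(mac.lower()) if mac else None
    if node is None or not node.registered:
        return vlans["registration"]
    if node.open_violations > 0:
        return vlans["isolation"]
    return vlans["normal"]


class TrapHandler:
    """Replays traps against a per-port VLAN table.

    `pending` holds ports parked in the MAC detection VLAN by a linkUp that
    are still waiting for the switch to learn a MAC; a linkDown on the same
    port discards that work, which is the optimisation the text describes."""

    def __init__(self, nodes: Dict[str, Node], vlans=VLANS):
        self.nodes = nodes
        self.vlans = vlans
        self.port_vlan: Dict[int, int] = {}
        self.pending: Set[int] = set()
        self.log: List[str] = []

    def handle(self, trap: Trap) -> None:
        if trap.kind == "linkUp":
            # Park the port until the switch learns the MAC.
            self.port_vlan[trap.port] = self.vlans["macDetection"]
            self.pending.add(trap.port)
        elif trap.kind == "linkDown":
            # Device gone: drop the waiting linkUp work and re-park the port.
            self.pending.discard(trap.port)
            self.port_vlan[trap.port] = self.vlans["macDetection"]
        elif trap.kind in ("macLearnt", "portSecurity"):
            # MAC is known: release the waiting thread and set the final VLAN.
            self.pending.discard(trap.port)
            self.port_vlan[trap.port] = decide_vlan(trap.mac, self.nodes, self.vlans)
        else:
            raise ValueError(f"unsupported trap type {trap.kind!r}")
        self.log.append(f"{trap.kind} ifIndex={trap.port} -> VLAN {self.port_vlan[trap.port]}")


def replay(traps: List[Trap], nodes: Dict[str, Node]) -> Dict[int, int]:
    """Process a trap sequence and return the resulting ifIndex -> VLAN table."""
    handler = TrapHandler(nodes)
    for trap in traps:
        handler.handle(trap)
    return handler.port_vlan


# Constructed node database and trap sequence (not real data).
SAMPLE_NODES = {
    "00:11:22:33:44:55": Node(registered=True),
    "66:77:88:99:aa:bb": Node(registered=True, open_violations=1),
}
SAMPLE_TRAPS = [
    Trap("linkUp", 5), Trap("linkDown", 5), Trap("linkUp", 5),   # NIC init flapping
    Trap("macLearnt", 5, "00:11:22:33:44:55"),                    # registered, clean
    Trap("portSecurity", 6, "66:77:88:99:AA:BB"),                 # registered, violation
    Trap("portSecurity", 7, "de:ad:be:ef:00:01"),                 # unknown device
]

if __name__ == "__main__":
    for port, vlan in sorted(replay(SAMPLE_TRAPS, SAMPLE_NODES).items()):
        print(f"ifIndex {port}: VLAN {vlan}")
```

The MAC comparison is case-insensitive on purpose: switches report the address in vendor-specific case, and a case-sensitive lookup would silently send a registered device to the registration VLAN.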
Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es)/access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

    ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

    SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following sections present key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint, or for the user using it.

3. network devices - once your roles and authentication sources are defined, you must add the switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test!

Note
If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, in the Configuration > Users > Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to a VLAN, an internal role or an ACL on the equipment from the Configuration > Network > Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

    Active Directory
    Apache htpasswd file
    Email
    External HTTP API
    Facebook (OAuth2)
    Github (OAuth2)
    Google (OAuth2)
    Kerberos
    LDAP
    LinkedIn (OAuth2)
    Null
    RADIUS
    SMS
    Sponsored Email
    Twitter (OAuth2)
    Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, in the Configuration > Users > Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured in conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all its actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration > Portal Profiles. Each portal profile has a list of authentication sources to use.

Example

Let's say we have two roles: guest and employee. First, we define them in Configuration > Users > Roles.

Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration > Users > Sources, we select Add source > AD. We provide the following information:

    Name: ad1
    Description: Active Directory for Employees
    Host: 192.168.1.2:389 without SSL/TLS
    Base DN: CN=Users,DC=acme,DC=local
    Scope: One-level
    Username Attribute: sAMAccountName
    Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
    Password: acme123

Note that this example binds as the domain Administrator over plain LDAP on port 389. In production, use a dedicated read-only bind account and enable SSL/TLS, since a simple bind over plain LDAP sends the bind password (and the users' passwords PacketFence verifies) across the network in cleartext.

Then, we add a rule by clicking on the Add rule button and provide the following information:

    Name: employees
    Description: Rule for all employees
    Don't set any condition (as it's a catch-all rule)
    Set the following actions:
        Set role: employee
        Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users > Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source (with its own distinct name) for machines:

    Name: ad2
    Description: Active Directory for Machines
    Host: 192.168.1.2:389 without SSL/TLS
    Base DN: CN=Computers,DC=acme,DC=local
    Scope: One-level
    Username Attribute: servicePrincipalName
    Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
    Password: acme123
Then, we add a rule:

    Name: machines
    Description: Rule for all machines
    Don't set any condition (as it's a catch-all rule)
    Set the following actions:
        Set role: machineauth
        Set unregistration date: January 1st, 2020

Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.
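The first-match-wins evaluation described in the Authentication section (sources tested in order, rules tested in order, a condition-less rule acting as a fallback, and the difference between a catch-all on a directory source and on Kerberos/RADIUS explained in the note above) as an added example, not PacketFence's own code. The source types, the in-memory directories, the memberOf condition and the sample users are constructed assumptions:

```python
"""First-match-wins evaluation of authentication sources, rules and conditions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Condition = Callable[[Dict[str, str]], bool]


@dataclass
class Rule:
    name: str
    actions: Dict[str, str]                                    # e.g. {"role": "employee"}
    conditions: List[Condition] = field(default_factory=list)  # empty list = fallback rule


@dataclass
class Source:
    name: str
    kind: str            # "AD", "LDAP", "htpasswd", "SQL", "Kerberos", "RADIUS" ...
    rules: List[Rule]
    # Directory keyed by username. None models Kerberos/RADIUS, which accept any
    # username and therefore make a condition-less rule a true catch-all.
    directory: Optional[Dict[str, Dict[str, str]]] = None

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        if self.directory is None:
            return {"username": username}
        attrs = self.directory.get(username)
        return None if attrs is None else {"username": username, **attrs}


def evaluate(sources: List[Source], username: str) -> Optional[Dict[str, str]]:
    """Test sources in order, then rules in order. The first rule whose
    conditions all hold wins: its actions are returned and testing stops
    across all sources. Returns None when no rule matched anywhere."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            # Username unknown in a directory source: not even a catch-all fires.
            continue
        for rule in source.rules:
            if all(cond(attrs) for cond in rule.conditions):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None


def memberof(group_dn: str) -> Condition:
    """Condition: the user's memberOf attribute (';'-joined) contains group_dn."""
    return lambda attrs: group_dn in attrs.get("memberOf", "").split(";")


# Constructed directory contents mirroring the guide's acme.local example.
AD_USERS = {
    "alice": {"memberOf": "CN=IT,CN=Users,DC=acme,DC=local;CN=Staff,CN=Users,DC=acme,DC=local"},
    "bob": {"memberOf": "CN=Staff,CN=Users,DC=acme,DC=local"},
}

SOURCES = [
    Source("ad1", "AD", [
        Rule("it_staff", {"role": "it"}, [memberof("CN=IT,CN=Users,DC=acme,DC=local")]),
        Rule("employees", {"role": "employee", "unregdate": "2020-01-01"}),  # fallback
    ], directory=AD_USERS),
    Source("local", "SQL", [Rule("guests", {"role": "guest", "access_duration": "1D"})],
           directory={"visitor": {}}),
    Source("krb", "Kerberos", [Rule("any", {"role": "employee"})]),  # true catch-all
]

if __name__ == "__main__":
    for user in ("alice", "bob", "visitor", "mallory"):
        print(user, "->", evaluate(SOURCES, user))
```

Ordering is the security-relevant detail: the Kerberos source at the end of the list accepts any username it is handed, so placing it before the AD source would hand every employee the catch-all role and skip the more specific rules.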
Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration > Advanced > Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid. This information is available through the POST fields of the request. The server should reply with two attributes in a JSON response:

    result: should be 1 for success, 0 for failure
    message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}
Authorization

This should provide the actions to apply to a user based on its attributes. The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

    {"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note
See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API. Here is a brief description of the fields:

Host: first the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.

API username and password: if your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication. Basic authentication only base64-encodes the credentials, so use an https:// host; otherwise both the API credentials and the users' passwords carried in the POST fields cross the network in cleartext.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
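A minimal external API of the kind described above, as an added example; it is not the addons/example_external_auth implementation shipped with PacketFence. It assumes PacketFence sends the fields form-encoded, that the two actions live at /auth and /authz, a constructed user table, and the Basic-auth credentials pf / api-secret; only the reply attributes listed above are ever returned:

```python
"""External HTTP API implementing PacketFence's authentication and authorization actions."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed user table for the demonstration; back this with a real store in practice.
USERS = {
    "alice": {"password": "Wonderland!", "role": "employee", "unregdate": "2030-01-01"},
    "guest1": {"password": "pfguest", "role": "guest", "access_duration": "1D"},
}
API_USER, API_PASS = "pf", "api-secret"   # assumed "API username and password" values
ALLOWED_REPLY = ("access_duration", "access_level", "sponsor", "unregdate", "category")


def basic_auth_header(user: str, password: str) -> str:
    """Build the RFC 2617 Basic header value PacketFence would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header) -> bool:
    """Validate a Basic header against API_USER/API_PASS in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), API_USER.encode())
            and hmac.compare_digest(pwd.encode(), API_PASS.encode()))


def authenticate(fields: dict) -> dict:
    """Authentication action: is the username/password pair in the POST fields valid?"""
    user = USERS.get(fields.get("username", ""))
    supplied = fields.get("password", "").encode()
    if user and hmac.compare_digest(user["password"].encode(), supplied):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields: dict) -> dict:
    """Authorization action: only the attributes PacketFence understands, and
    only those this user actually carries (category is derived from the role)."""
    user = USERS.get(fields.get("username", ""))
    if not user:
        return {}
    reply = {k: user[k] for k in ALLOWED_REPLY if k in user}
    reply["category"] = user["role"]
    return reply


ROUTES = {"/auth": authenticate, "/authz": authorize}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf"')
            self.end_headers()
            return
        action = ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        raw = parse_qs(self.rfile.read(length).decode())
        fields = {k: v[0] for k, v in raw.items()}   # first value of each POST field
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Plain HTTP on loopback for the demonstration; put TLS in front of it otherwise.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The server refuses unauthenticated requests before looking at the path, and the authorization action whitelists reply keys so a field added to the user store later cannot leak into the RADIUS reply by accident.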
Network Devices Definition (switches.conf)

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration > Network > Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

    Default SNMP read/write communities for the switches
    Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

    Switch IP/MAC/Range
    Switch vendor/type
    Switch uplink ports (trunks and non-managed ifIndex)
    per-switch re-definition of the VLANs (if required)

Note
switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576. The shared secret is what authenticates the network device's requests to PacketFence and PacketFence's CoA/Disconnect messages to the device, so use a long random value and, where practical, a different one per device.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence. SNMPv1/v2c communities travel in cleartext, so where SNMP is required prefer SNMPv3 with authentication and privacy (the example below), and prefer SHA over MD5 for the authentication protocol when the switch supports it.

From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning
Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH, which is preferable since Telnet sends the credentials and the whole session in cleartext. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

http://www.packetfence.org/bugs/view.php?id=1370
    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration > Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration > Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <internal role>Role=<external role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration > Switches.
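Resolving these per-switch settings from a switches.conf-style file, as an added example that is not PacketFence's own code: the <role>Role mapping described just above (a per-switch value overriding the global one from the default section) and the "Trigger to enable inline mode" value from the Hybrid enforcement chapter (ALWAYS, PORT, MAC, SSID). The sample file, the use of inlineTrigger as the key name and the section layout are assumptions:

```python
"""Per-switch role mapping and inline-mode trigger resolution from switches.conf-style text."""
import configparser
from typing import List, Optional, Tuple

# Constructed switches.conf excerpt: a [default] section plus one switch section.
SAMPLE_CONF = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.1.10]
type = Cisco::Catalyst_2960
mode = production
salesRole = sales-acl
inlineTrigger = SSID::GuestAccess,MAC::00:11:22:33:44:55
"""


def load_switches(text: str) -> configparser.ConfigParser:
    # Values in [default] are inherited by every switch section, as in switches.conf.
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.read_string(text)
    return cp


def external_role(cp: configparser.ConfigParser, switch: str, role: str) -> Optional[str]:
    """External role for an internal role: the per-switch <role>Role key wins
    over the global one; None when the role is not mapped at all."""
    return cp.get(switch, f"{role}Role", fallback=None)


def parse_trigger(value: str) -> List[Tuple[str, Optional[str]]]:
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [('SSID', 'GuestAccess'), ('MAC', ...)].
    Rejects malformed items instead of silently ignoring them."""
    triggers = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, arg = item.partition("::")
        kind = kind.upper()
        if kind == "ALWAYS":
            triggers.append(("ALWAYS", None))
        elif kind in ("PORT", "MAC", "SSID") and sep:
            triggers.append((kind, arg.lower() if kind == "MAC" else arg))
        else:
            raise ValueError(f"bad inline trigger {item!r}")
    return triggers


def use_inline(cp, switch: str, *, mac: str, ssid: Optional[str] = None,
               ifindex: Optional[int] = None) -> bool:
    """True when any configured trigger matches the connecting node, meaning
    PacketFence would apply inline enforcement instead of a VLAN assignment."""
    for kind, arg in parse_trigger(cp.get(switch, "inlineTrigger", fallback="")):
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and arg == mac.lower():
            return True
        if kind == "SSID" and ssid is not None and arg == ssid:
            return True
        if kind == "PORT" and ifindex is not None and arg == str(ifindex):
            return True
    return False


if __name__ == "__main__":
    conf = load_switches(SAMPLE_CONF)
    for role in ("admin", "sales", "unknown"):
        print(role, "->", external_role(conf, "192.168.1.10", role))
    print(use_inline(conf, "192.168.1.10", mac="00:11:22:33:44:55", ssid="Corp"))
```

A role with no mapping resolves to None rather than an empty string so the caller can fail closed; returning "" would let a misnamed role reach the switch as a blank external role.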
Caution
Make sure that the roles are properly defined on the network devices prior to assigning roles!
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure whether you use the default portal profile or create a new one:

Redirect URL under Configuration > Portal Profile > Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration > Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect whether network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles override the default values for which they are configured. When no values are configured in the profile, PacketFence takes its default ones (according to the "default" portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is "filter"; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    billing_engine = either enabled or disabled
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, in the Configuration > Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration > Portal Profile > Portal Name > Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI and VLAN.

Example with the most common ones:

    SSID: Guest-SSID
    VLAN: 100

Caution
Node role will take effect only with an 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have four important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

    httpd.admin is used to manage the PacketFence admin interface
    httpd.portal is used to manage the PacketFence captive portal interface
    httpd.webservices is used to manage the PacketFence web services interface
    httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced at any time by your third-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf). Clients will warn on the self-signed certificate, so replace it with one issued by a CA your clients trust before going into production, and keep server.key readable only by the account that runs Apache.

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution
If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.
In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration > Domains.

Note
If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.
Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.

Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<identifier>/var/log/samba/log.winbindd. Replace <identifier> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<identifier> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<identifier> ntlm_auth --username=administrator

Note
Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the matching realm in Configuration > Realms.
Next, restart PacketFence in Status > Services.

Multiple domains authentication

First configure your domains in Configuration > Domains.

Once they are configured, go in Configuration > Realms.

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.
Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated with this realm.

Now create the two other realms associated with your other domains.

You should now have a pair of realms (the FQDN and the workgroup) for each domain.
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50

Issue a kinit and a klist in order to obtain and verify the Kerberos ticket:

    # kinit administrator
    # klist

After that, you need to start Samba and join the machine to the domain:
    # service smb start
    # chkconfig --level 345 smb on
    # net ads join -U administrator

Note that for Debian and Ubuntu you will probably get this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

Then add the pf user to the winbind privileged group. For CentOS/RHEL:

    # usermod -a -G wbpriv pf

For Debian and Ubuntu:

    # usermod -a -G winbindd_priv pf

Finally, start winbind, and test the setup using ntlm_auth and radtest:

    # service winbind start
    # chkconfig --level 345 winbind on
    # ntlm_auth --username myDomainUser
    # radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your user entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and make sure that the user password is stored as an NT hash or as cleartext. MS-CHAPv2 needs one of these two forms; a salted hash such as SSHA cannot be used for EAP-MSCHAPv2.
    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60

            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3

            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

The goal here is to be able to use the credentials PacketFence created on guest access and use them on a secure connection. First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS) and check "Add user on email registration" and/or "Add user on sponsor registration" in the Configuration > Self Registration section. At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, use your phone number and the PIN code.
Note that this option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/raddb/sites-available/packetfence-tunnel there is an example of how to configure RADIUS to enable this feature (uncomment to make it work).

In this example we activate this feature on a specific SSID name (Secure-Wireless), disable NTLM auth by default, and test the email credentials (pfguest), the sponsor credentials (pfsponsor) and the SMS credentials (pfsms). If all of them fail, we reactivate NTLM auth.

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
    ####Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-Wireless') {
    ## Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    ## Check password table with email and password for a guest registration
    #        pfguest
    #        if (fail || notfound) {
    ## Check password table with email and password for a sponsor registration
    #            pfsponsor
    #            if (fail || notfound) {
    ## Check activation table with phone number and PIN code
    #                pfsms
    #                if (fail || notfound) {
    ## Everything failed: re-enable ntlm_auth
    #                    update control {
    #                        MS-CHAP-Use-NTLM-Auth := Yes
    #                    }
    #                }
    #            }
    #        }
    #    }
    }

Note
For this feature to work, the users' passwords must be stored in cleartext in the database.

Option 5: EAP Local user Authentication

The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM auth by default and test the local account. If it fails, we reactivate NTLM auth.

    ####Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-local-Wireless') {
    ## Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    ## Check password table for local user
    #        pflocal
    #        if (fail || notfound) {
    #            update control {
    #                MS-CHAP-Use-NTLM-Auth := Yes
    #            }
    #        }
    #    }

Caution
You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration > Advanced and set "Database passwords hashing method" to plaintext. This stores every local account's password in cleartext in the PacketFence database, so restrict access to the database and its backups accordingly.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    # radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Debugging
Log files
Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log             PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access         Apache Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error          Apache Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access          Apache Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error           Apache Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access    Apache Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error     Apache Webservices Error Log
    /usr/local/pf/logs/httpd.aaa.access            Apache AAA Access Log
    /usr/local/pf/logs/httpd.aaa.error             Apache AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following command:

# radiusd -X -d /usr/local/pf/raddb

Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.
In order to have an output from raddebug, you need to either:
a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure!)
Now you can run raddebug easily:

raddebug -t 300 -d /usr/local/pf/raddb

The above will output FreeRADIUS' debug logs for 5 minutes. See man raddebug for all the options.
More on VoIP Integration
VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switch port.
On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN, and 1 on the access VLAN.
Note
Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

Mac Authentication and 802.1X
Cisco hardware
On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain, and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the "DHCP way" of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot, and tag its ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden, and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will be able to use the new SSID.

Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface, go in Configuration / Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking to configure will create the secure SSID profile. It is that simple.

Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.
PacketFence currently supports two payment gateways: Authorize.net and Mirapay.
The configuration to use the feature is fairly simple. The general configuration to enable/disable the billing engine can be done through the Web administration GUI (Configuration / Portal Profiles and Pages) or from the conf/profiles.conf file:

[default]
billing_engine = enabled
...

Billing engine parameters are specified in conf/pf.conf or from Configuration / Billing:

[billing]
gateway = authorize_net
authorizenet_posturl = The payment gateway processing URL
authorizenet_login = The merchant's unique API Login ID
authorizenet_trankey = The merchant's unique Transaction Key

It is also possible to configure multiple network accesses with different prices. For example, you may want to provide basic Internet access with a decent speed at a specific price and another package with a high speed connection at another price.

Caution
The use of different billing tiers requires different roles in PacketFence. Make sure to create these roles first, otherwise you will run into problems.
To do so, some customization is needed to the billing module. You'll need to redefine the getAvailableTiers method in the lib/pf/billing/custom.pm file. An example is already in place in the file.
To assign a role by tiers (example: slow, medium and fast), edit the file lib/pf/billing/custom.pm:

my %tiers = (
    tier1 => {
        id              => "tier1",
        name            => "Tier 1",
        price           => "1.00",
        timeout         => "7D",
        usage_duration  => '1D',
        category        => '',
        description     => "Tier 1 Internet Access",
        destination_url => "http://www.packetfence.org"
    },
);

id is used as the item value of the billing table.
name is the name of the tier used on billing.html.
price is the amount charged on the credit card.
timeout is used to compute the unregistration date of the node.
usage_duration is the amount of non-contiguous access time for the node, set as the time_balance value of the node table.
category is the role in which to put the node.
description will appear on the billing.html.
destination_url is the URL to which the device will be redirected after a successful authentication.

Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration / Registration section.

Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
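The device-registration page above accepts a MAC address typed by the user and matches its OUI against an authorized list. The following is an added example, not PacketFence code, of the input validation a practitioner would want in front of such a lookup: it normalizes the notations users commonly type, rejects anything that is not a MAC address, refuses broadcast and multicast addresses, and only then compares the OUI with an allow list. The OUI list and the sample addresses are constructed for illustration; PacketFence keeps its own list, which is not reproduced here.

```python
"""Added example (not PacketFence code): validate a MAC address submitted on
the device-registration page and check its OUI against an allow list.
The allow list and all sample inputs are constructed for illustration."""
import re
from typing import Optional, Tuple

# Constructed allow list of vendor OUIs (first three octets, lower-case hex).
# A real deployment fills this from its own list of authorized vendors.
AUTHORIZED_OUIS = frozenset({"001122", "aabbcc", "0a1b2c"})

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept the notations users commonly type (aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff) and return the
    canonical lower-case colon form, or None if the input is not a MAC.
    Rejecting everything else keeps junk out of the node table."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three octets of a canonical MAC, without separators."""
    return mac.replace(":", "")[:6]


def check_device(raw: str, authorized=AUTHORIZED_OUIS) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, canonical_mac) for a submitted address."""
    mac = normalize_mac(raw)
    if mac is None:
        return False, "invalid MAC address", None
    if mac in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"):
        return False, "reserved address", mac
    # Bit 0 of the first octet marks a group (multicast) address; no real
    # device has one, so it must not be registered as a node.
    if int(mac[:2], 16) & 0x01:
        return False, "multicast address", mac
    if oui_of(mac) not in authorized:
        return False, "vendor not authorized for device registration", mac
    return True, "ok", mac


if __name__ == "__main__":
    # Constructed sample submissions
    for raw in ("00-11-22-AA-BB-CC", "0011.22aa.bbcc", "de:ad:be:ef:00:01",
                "01:00:5e:00:00:01", "not a mac"):
        print(f"{raw!r:22} -> {check_device(raw)}")
```

The comparison is done on the canonical form, so the same device cannot slip past the list by being typed in a different notation.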
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
eduroam: https://www.eduroam.org/
PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:

client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}

client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf and will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied).
proxy.conf example:

home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together.
proxy.conf example:

home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain either as an @domain suffix or as a DOMAIN\username prefix.
If none is found, the REALM is NULL.
If a domain is found, FreeRADIUS tries to match one of the REALMS defined in this file.
If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is
# done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like
# this "EXAMPLE\username".
# No authentication server is defined, thus the authentication is
# done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this:
# "username@example.edu".
# No authentication server is defined, thus the authentication is
# done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning in this context,
# eduroam. The auth_pool is set to the eduroam pool and so the
# requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
authorize {
    # pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess

    # uncomment this section if you want to block eduroam users from
    # your other SSIDs. The attribute name ( Called-Station-Id ) may
    # differ based on your controller
    #if ( Called-Station-Id !~ /eduroam$/i) {
    #    update control {
    #        Proxy-To-Realm := local
    #    }
    #}

    eap {
        ok = return
    }

    files
    expiration
    logintime
    packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change the request will be sent to PacketFence where it will fail, since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:

post-auth {
    exec

    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && \
         "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}

# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}
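To check that the realm configuration routes each kind of user name where the description above says it should, here is an added example, not part of the PacketFence guide or project, that simulates the decision in plain Python: the ntdomain module (format = prefix, delimiter "\", ignore_null = yes) and the suffix module (delimiter "@") extract a domain from User-Name in the order used in the authorize section, the domain is matched against the realms of the proxy.conf example (NULL, EXAMPLE, example.edu), any other domain falls to DEFAULT and is proxied to the eduroam pool with nostrip keeping the full User-Name, and the post-auth check skips the packetfence module for the eduroam client shortnames. Realm names and shortnames are the guide's; the simplified module semantics (first module that finds a domain wins, the NULL realm is set when no delimiter is present) are an assumption of this example.

```python
"""Added example, not PacketFence or FreeRADIUS code: simulate realm
selection for the eduroam configuration described in this section.
Realm names and client shortnames come from the guide; the simplified
rlm_realm behaviour modelled here is an assumption of this example."""
from typing import NamedTuple, Optional, Tuple

# Realms of the proxy.conf example that have no auth_pool: local authentication.
LOCAL_REALMS = ("NULL", "EXAMPLE", "example.edu")
# clients.conf shortnames of the eduroam servers.
EDUROAM_CLIENT_SHORTNAMES = ("tlrs1", "tlrs2")


class Decision(NamedTuple):
    realm: str           # Realm FreeRADIUS would set
    stripped_user: str   # Stripped-User-Name, or the full name under nostrip
    target: str          # "local" or the home_server_pool the request goes to


def ntdomain(user_name: str) -> Optional[Tuple[str, str]]:
    """format = prefix, delimiter = "\\", ignore_null = yes:
    (domain, user) for DOMAIN\\user, None when there is no delimiter
    (ignore_null makes the module a no-op in that case)."""
    domain, sep, user = user_name.partition("\\")
    if not sep:
        return None
    return domain, user


def suffix(user_name: str) -> Optional[Tuple[str, str]]:
    """format = suffix, delimiter = "@": (domain, user) for user@domain,
    None when there is no delimiter. The last '@' is the delimiter."""
    user, sep, domain = user_name.rpartition("@")
    if not sep:
        return None
    return domain, user


def select_realm(user_name: str) -> Decision:
    """ntdomain runs before suffix, as in the authorize section; the first
    module that finds a domain sets the realm and the other is a no-op."""
    found = ntdomain(user_name) or suffix(user_name)
    if found is None:
        # No delimiter at all: the suffix module (ignore_null unset) sets the
        # NULL realm, which is authenticated locally.
        return Decision("NULL", user_name, "local")
    domain, user = found
    if domain in LOCAL_REALMS:
        return Decision(domain, user, "local")
    # Any other domain matches realm DEFAULT: proxied to the eduroam pool.
    # nostrip means the User-Name is forwarded unchanged.
    return Decision("DEFAULT", user_name, "eduroam")


def run_packetfence_post_auth(client_shortname: str) -> bool:
    """post-auth in packetfence-tunnel: the packetfence module runs only when
    the request did not come from one of the eduroam clients."""
    return client_shortname not in EDUROAM_CLIENT_SHORTNAMES


if __name__ == "__main__":
    # Constructed sample user names
    for name in ("bob", "EXAMPLE\\alice", "carol@example.edu", "dave@otheruni.org"):
        d = select_realm(name)
        print(f"{name:20} realm={d.realm:12} user={d.stripped_user:20} -> {d.target}")
    for client in ("switch01", "tlrs1"):
        print(f"client {client}: packetfence module runs = {run_packetfence_post_auth(client)}")
```

Running it shows the property the section relies on: a bare name or a name in one of your own domains never leaves the box, while any foreign domain goes to the eduroam pool and its post-auth never reaches the packetfence module. If you add a realm to proxy.conf, add it to LOCAL_REALMS here and re-run to see that the routing still matches your intent.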
Fingerbank integration
Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.
The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows a daily fingerprints database update, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.
Since the Fingerbank integration is now the "de facto" device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a "local" mode, which means no interaction with the upstream Fingerbank project.

Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done only by going in the "Settings" menu item under the "Fingerbank" section of the PacketFence "Configuration" tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to "Update Fingerbank DB" can be found on top of every menu item section under "Fingerbank". The process may take a minute or two, depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. "Local" records are NOT being modified during this process.
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the "Submit Unknown/Unmatched Fingerprints" option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed