Administration Guide

Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version 1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-Cover Texts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense".

ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http:// scripts.sil.org/OFL

AboutthisGuide...... 1 Othersourcesofinformation...... 1 Introduction...... 2 Features...... 2 NetworkIntegration...... 5 Components...... 5 SystemRequirements...... 7 Assumptions...... 7 MinimumHardwareRequirements...... 7 OperatingSystemRequirements...... 7 Installation...... 9 OSInstallation...... 9 SoftwareDownload...... 10 SoftwareInstallation...... 10 Getoffontherightfoot...... 12 TechnicalintroductiontoInlineenforcement...... 13 Introduction...... 13 Deviceconfiguration...... 13 Accesscontrol...... 13 Limitations...... 14 TechnicalintroductiontoOut-of-bandenforcement...... 15 Introduction...... 15 VLANassignmenttechniques...... 15 MoreonSNMPtrapsVLANisolation...... 17 TechnicalintroductiontoHybridenforcement...... 20 Introduction...... 20 Deviceconfiguration...... 20 Configuration...... 21 RolesManagement...... 21 Authentication...... 22 ExternalAPIauthentication...... 24 SAMLauthentication...... 25 NetworkDevicesDefinition(switches.conf)...... 27 PortalProfiles...... 31 FreeRADIUSConfiguration...... 32 PortalModules...... 43 Debugging...... 52 Logfiles...... 52 RADIUSDebugging...... 52 MoreonVoIPIntegration...... 54 CDPandLLDPareyourfriend...... 54 VoIPandVLANassignmenttechniques...... 54 WhatifCDP/LLDPfeatureismissing...... 55 Advancedtopics...... 56 AppleandAndroidWirelessProvisioning...... 56 BillingEngine...... 57 DevicesRegistration...... 69 Eduroam...... 70 Fingerbankintegration...... 74 FloatingNetworkDevices...... 75 OAuth2Authentication...... 77

Copyright©2016Inverseinc. iii Passthrough...... 79 ProductionDHCPaccess...... 80 ProxyInterception...... 81 RoutedNetworks...... 82 StatementofHealth(SoH)...... 85 VLANFilterDefinition...... 86 RADIUSFilterDefinition...... 88 DNSenforcement...... 90 Parkeddevices...... 90 Optionalcomponents...... 92 Blockingmaliciousactivitieswithviolations...... 92 ComplianceChecks...... 100 RADIUSAccounting...... 105 Oinkmaster...... 106 GuestsManagement...... 107 ActiveDirectoryIntegration...... 110 DHCPremotesensor...... 115 Switchloginaccess...... 117 OperatingSystemBestPractices...... 118 IPTables...... 118 LogRotations...... 118 Performanceoptimization...... 119 SNMPTrapsLimit...... 119 MySQLoptimizations...... 119 CaptivePortalOptimizations...... 122 DashboardOptimizations(statisticscollection)...... 123 AdditionalInformation...... 125 CommercialSupportandContactInformation...... 126 GNUFreeDocumentationLicense...... 127 A.AdministrationTools...... 128 pfcmd...... 128 pfcmd_vlan...... 129

AboutthisGuide

This guide will walk you through the installation and the day to day administration of the PacketFencesolution.

Thelatestversionofthisguideisavailableathttp://www.packetfence.org/documentation/

Othersourcesofinformation

Thefollowingdocumentsareincludedinthepackageandreleasetarballs.

NetworkDevicesConfigurationGuide(pdf) Covers switch, controllers and access pointsconfiguration.

Developer’sGuide(pdf) Covers captive portal customization, VLAN management customization and instructionsforsupportingnewhardware.

CREDITS Thisis,atleast,apartialfileofPacketFence contributors.

NEWS.asciidoc Covers noteworthy features, improvementsandbugfixesbyrelease.

UPGRADE.asciidoc Covers compatibility related changes, manual instructions and general notes aboutupgrading.

ChangeLog Coversallchangestothesourcecode.

Introduction

PacketFenceisafullysupported,trusted,FreeandOpenSourcenetworkaccesscontrol(NAC) system. Boosting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematicdevices,integrationwithIDS,vulnerabilityscannersandfirewalls;PacketFencecanbe usedtoeffectivelysecurenetworks-fromsmalltoverylargeheterogeneousnetworks.

Features

Outofband(VLANEnforcement) PacketFence’soperationiscompletelyout of band when using VLAN enforcement which allows the solution to scale geographicallyandtobemoreresilientto failures.

InBand(InlineEnforcement) PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or accesspoints.PacketFencecanalsowork with both VLAN and Inline enforcement activated for maximum scalability and securitywhileallowingolderhardwareto stillbesecuredusinginlineenforcement. Bothlayer-2andlayer-3aresupportedfor inlineenforcement.

Hybridsupport(InlineEnforcementwithRADIUS PacketFence can also be configured support) as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication.Thisfeaturecanbe enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline modeontheequipment.

Hotspotsupport(WebAuthEnforcement) PacketFence can also be configured as hotspot,ifyouhaveamanageabledevice that supports an external captive portal (likeCiscoWLCorArubaIAP).

VoiceoverIP(VoIP)support Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous

environments)formultipleswitchvendors (Cisco,Avaya,HPandmanymore).

802.1X 802.1X wireless and wired is supported throughourFreeRADIUSmodule.

Wirelessintegration PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration PacketFence supports an optional registrationmechanismsimilarto"captive portal"solutions.Contrarytomostcaptive portalsolutions,PacketFenceremembers users who previously registered and will automatically give them access without anotherauthentication.Ofcourse,thisis configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first acceptingit.

Detectionofabnormalnetworkactivities Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detectedusinglocalandremoteSnortor Suricatasensors.Beyondsimpledetection, PacketFence layers its own alerting and suppression mechanism on each alert type.Asetofconfigurableactionsforeach violationisavailabletoadministrators.

Proactivevulnerabilityscans EitherNessus ,OpenVAS or WMI vulnerabilityscanscanbeperformedupon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability ID’s of each scan to the violation configuration, returning content specific web pages about which vulnerabilitythehostmayhave.

Isolationofproblematicdevices PacketFence supports several isolation techniques,includingVLANisolationwith VoIP support (even in heterogeneous environments)formultipleswitchvendors.

Remediationthroughacaptiveportal Once trapped, all network traffic is terminated by the PacketFence system.

Based on the node’s current status (unregistered,openviolation,etc),theuser is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in reducing costlyhelpdeskintervention.

Firewallintegration PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically updatetheIP/userassociationonfirewalls forthemtoapply,ifrequired,per-useror per-groupfilteringpolicies.

Command-lineandWeb-basedmanagement Web-basedandcommand-lineinterfaces forallmanagementtasks.

GuestAccess PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal arethecomponentsusedtoexplaintothe guesthowtoregisterforaccessandhow hisaccessworks.Thisisusuallybranded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guestaccessbulkcreationsandimports.

Devicesregistration A registered user can access a special Web page to register a device of his own.Thisregistrationprocesswillrequire loginfromtheuserandthenwillregister deviceswithpre-approvedMACOUIinto aconfigurablecategory.

PacketFenceisdevelopedbyacommunityofdeveloperslocatedmainlyinNorthAmerica.More informationcanbefoundathttp://www.packetfence.org.

NetworkIntegration

VLANenforcementispicturedintheabovediagram.Inlineenforcementshouldbeseenasasimple flatnetworkwherePacketFenceactsasafirewall/gateway.

Components

PacketFencerequiresvariouscomponentstoworksuchasaWebserver,adatabaseserver,anda RADIUSserver.Itinteractswithexternaltoolstoextenditsfunctionalities.

SystemRequirements

Assumptions

PacketFencereusesmanycomponentsinaninfrastructure.Thus,itrequiresthefollowingones:

▪ Databaseserver(MySQLorMariaDB) ▪ Webserver(Apache) ▪ DHCPserver(ISCDHCP) ▪ RADIUSserver(FreeRADIUS)

Dependingonyoursetupyoumayhavetoinstalladditionalcomponentslike:

▪ NIDS(Snort/Suricata)

Inthisguide,weassumethatallthosecomponentsarerunningonthesameserver(i.e.,"localhost" or"127.0.0.1")thatPacketFencewillbeinstalledon.

Good understanding of those underlying component and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentationandproceedwiththeinstallationoftheserequirementsbeforecontinuingwiththis guide.

MinimumHardwareRequirements

Thefollowingprovidesalistoftheminimumserverhardwarerecommendations:

▪ IntelorAMDCPU3GHz ▪ 8GBofRAM ▪ 100GBofdiskspace(RAID-1recommended) ▪ 1Networkcard(2recommended)

OperatingSystemRequirements

PacketFencesupportsthefollowingoperatingsystemsonthex86_64architectures:

▪ RedHatEnterpriseLinux6.xand7.xServer ▪ CommunityENTerpriseOperatingSystem(CentOS)6.xand7.x ▪ Debian7.0(Wheezy)and8.0(Jessie)

Makesurethatyoucaninstalladditionalpackagesfromyourstandarddistribution.Forexample,if youareusingRedHatEnterpriseLinux,youhavetobesubscribedtotheRedHatNetworkbefore continuingwiththePacketFencesoftwareinstallation.

OtherdistributionssuchasFedoraandGentooareknowntoworkbutthisdocumentdoesn’tcover them.

Servicesstart-up

PacketFencetakescareofhandlingtheoperationofthefollowingservices:

▪ Webserver(httpd) ▪ DHCPserver(dhcpd) ▪ FreeRADIUSserver(radiusd) ▪ Snort/SuricataNetworkIDS(snort/suricata) ▪ Firewall(iptables)

Makesurethatalltheotherservicesareautomaticallystartedbyyouroperatingsystem!

Installation

ThissectionwillguideyouthroughtheinstallationofPacketFencetogetherwithitsdependencies.

OSInstallation

Installyourdistributionwithminimalinstallationandnoadditionalpackages.Then:

▪ DisableFirewall ▪ DisableSELinux ▪ DisableAppArmor ▪ Disableresolvconf

Makesureyoursystemisuptodateandyouryumorapt-getdatabaseisupdated.OnaRHEL- basedsystem,do:

yum update

OnaDebianorUbuntusystem,do:

apt-get update apt-get upgrade

RegardingSELinuxorAppArmor,evenifthesefeaturesmaybewantedbysomeorganizations, PacketFencewillnotrunproperlyifSELinuxorAppArmorareenabled.Youwillneedtoexplicitly disableSELinuxinthe/etc/selinux/configfileandAppArmorwithupdate-rc.d-fapparmorstop, update-rc.d-fapparmorteardownandupdate-rc.d-fapparmorremove.Regardingresolvconf,you canremovethesymlinktothatfileandsimplycreatethe/etc/resolv.conffilewiththecontent youwant.

RedHat-basedsystems

Note

AppliestoCentOSandScientificLinuxbutonlythex86_64architectureissupported.

RHEL6.x

Note

TheseareextrastepsarerequiredforRHEL6systemsonly,excludingderivativessuch asCentOSorScientificLinux.

RedHatEnterpriseLinuxusersneedtotakeanadditionalsetupstep.IfyouarenotusingtheRHN SubscriptionManagementfromRedHatyouneedtoenabletheoptionalchannelbyrunningthe followingasroot:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

AllthePacketFencedependenciesareavailablethroughtheofficialrepositories.

SoftwareDownload

PacketFenceprovidesaRPMrepositoryforRHEL/CentOSinsteadofasingleRPMfile.

ForDebian,PacketFencealsoprovidespackagerepositories.

TheserepositoriescontainallrequireddependenciestoinstallPacketFence.Thisprovidesnumerous advantages:

▪ easyinstallation ▪ everythingispackagedasRPM/deb(nomoreCPANhassle) ▪ easyupgrade

SoftwareInstallation

RHEL/CentOS

InordertousethePacketFencerepository:

# yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/ RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the requiredexternalservices(Databaseserver,DHCPserver,RADIUSserver)using:

yum install perl yum install --enablerepo=packetfence packetfence

Onceinstalled,theWeb-basedconfigurationinterfacewillautomaticallybestarted.Youcanaccess itfromhttps://@ip_of_packetfence:1443/configurator

Debian

ForDebian7:

Inordertousetherepository,createafilenamed/etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/ apt/sources.list.d/packetfence.list

ForDebian8:

Inordertousetherepository,createafilenamed/etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/ apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the requiredexternalservices(Databaseserver,DHCPserver,RADIUSserver)using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 sudo apt-get update sudo apt-get install packetfence

Getoffontherightfoot

PriorconfiguringPacketFence,youmustchoseanappropriateenforcementmodetobeusedby PacketFencewithyournetworkingequipment.Theenforcementmodeisthetechniqueusedto enforceregistrationandanysubsequentaccessofdevicesonyournetwork.PacketFencesupports thefollowingenforcementmodes:

▪ Inline ▪ Out-of-band ▪ Hybrid

Itisalsopossibletocombineenforcementmodes.Forexample,youcouldusetheout-of-band modeonyourwiredswitches,whileusingtheinlinemodeonyouroldWiFiaccesspoints.

The following sections will explain these enforcement modes. If you decide to use the inline mode,pleaserefertothePacketFenceInlineDeploymentQuickGuideusingZENforacomplete configurationexample.Ifyoudevicetousetheout-of-bandmode,pleaserefertothePacketFence Out-of-BandDeploymentQuickGuideusingZEN

TechnicalintroductiontoInline enforcement

Introduction

Beforetheversion3.0ofPacketFence,itwasnotpossibletosupportunmanageabledevicessuch asentry-levelconsumerswitchesoraccess-points.Now,withthenewinlinemode,PacketFence canbeusein-bandforthosedevices.Soinotherwords,PacketFencewouldbecomethegatewayof thatinlinenetwork,andNATorroutethetrafficusingIPTables/IPSettotheInternet(ortoanother sectionofthenetwork).Letseehowitworks.

Deviceconfiguration

Nospecialconfigurationisneededontheunmanageabledevice.That’sthebeautyofit.Youonly needtoensurethatthedeviceis"talking"ontheinlineVLAN.Atthispoint,allthetrafficwillbe passingthroughPacketFencesinceitisthegatewayforthisVLAN.

Accesscontrol

TheaccesscontrolreliesentirelyonIPTables/IPSet.Whenauserisnotregistered,andconnects intheinlineVLAN,PacketFencewillgivehimanIPaddress.Atthispoint,theuserwillbemarked asunregisteredintheipsetsession,andalltheWebtrafficwillberedirectedtothecaptiveportal andothertrafficblocked.TheuserwillhavetoregisterthroughthecaptiveportalasinVLAN enforcement.Whenheregisters,PacketFencechangesthedevice´sipsetsessiontoallowtheuser’s macaddresstogothroughit.

Limitations

Inlineenforcementbecauseofit’snaturehasseverallimitationsthatonemustbeawareof.

▪ EveryonebehindaninlineinterfaceisonthesameLayer2LAN ▪ EverypacketofauthorizedusersgoesthroughthePacketFenceserverincreasingtheservers' loadconsiderably:Planaheadforcapacity ▪ EverypacketofauthorizedusersgoesthroughthePacketFenceserver:itisasinglepointof failureforInternetaccess ▪ Ipsetcanstoreupto65536entries,soitisnotpossibletohaveainlinenetworkclassupper thanB

Thisiswhyitisconsideredapoorman’swayofdoingaccesscontrol.Wehaveavoideditfora longtimebecauseoftheabovementionedlimitations.Thatsaid,beingabletoperformbothinline andVLANenforcementonthesameserveratthesametimeisarealadvantage:itallowsusersto maintainmaximumsecuritywhiletheydeploynewandmorecapablenetworkhardwareproviding acleanmigrationpathtoVLANenforcement.

TechnicalintroductiontoOut-of-band enforcement

Introduction

VLANassignmentiscurrentlyperformedusingseveraldifferenttechniques.Thesetechniquesare compatibleonetoanotherbutnotonthesameswitchport.Thismeansthatyoucanusethe moresecureandmoderntechniquesforyourlatestswitchesandanothertechniqueontheold switchesthatdoesn’tsupportlatesttechniques.Asit’snameimplies,VLANassignmentmeansthat PacketFenceistheserverthatassignstheVLANtoadevice.ThisVLANcanbeoneofyourVLANs oritcanbeaspecialVLANwherePacketFencepresentsthecaptiveportalforauthenticationor remediation.

VLANassignmenteffectivelyisolateyourhostsattheOSILayer2meaningthatitisthetrickiest methodtobypassandistheonewhichadaptsbesttoyourenvironmentsinceitgluesintoyour currentVLANassignmentmethodology.

VLANassignmenttechniques

Wired:802.1X+MACAuthentication

802.1Xprovidesport-basedauthentication,whichinvolvescommunicationsbetweenasupplicant, authenticator(knownasNAS),andauthenticationserver(knownasAAA).Thesupplicantisoften softwareonaclientdevice,suchasalaptop,theauthenticatorisawiredEthernetswitchorwireless accesspoint,andtheauthenticationserverisgenerallyaRADIUSserver.

Thesupplicant(i.e.,clientdevice)isnotallowedaccessthroughtheauthenticatortothenetwork untilthesupplicant’sidentityisauthorized.With802.1Xport-basedauthentication,thesupplicant provides credentials, such as user name / password or digital certificate, to the authenticator, andtheauthenticatorforwardsthecredentialstotheauthenticationserverforverification.Ifthe credentialsarevalid(intheauthenticationserverdatabase),thesupplicant(clientdevice)isallowed toaccessthenetwork.TheprotocolforauthenticationiscalledExtensibleAuthenticationProtocol (EAP)whichhavemanyvariants.Bothsupplicantandauthenticationserversneedtospeakthe sameEAPprotocol.MostpopularEAPvariantisPEAP-MsCHAPv2(supportedbyWindows/Mac OSX/LinuxforauthenticationagainstAD).

Inthiscontext,PacketFencerunstheauthenticationserver(aFreeRADIUSinstance)andwillreturn theappropriateVLANtotheswitch.AmodulethatintegratesinFreeRADIUSdoesaremotecallto thePacketFenceservertoobtainthatinformation.Moreandmoredeviceshave802.1Xsupplicant whichmakesthisapproachmoreandmorepopular.

MACAuthenticationisanewmechanismintroducedbysomeswitchvendortohandlethecases wherea802.1Xsupplicantdoesnotexist.Differentvendorshavedifferentnamesforit.Cisco callsitMACAuthenticationBypass(MAB),JunipercallsitMACRADIUS,ExtremeNetworkscallsit Netlogin,etc.Afteratimeoutperiod,theswitchwillstoptryingtoperform802.1Xandwillfallback toMACAuthentication.Ithastheadvantageofusingthesameapproachas802.1Xexceptthat theMACaddressissentinsteadoftheusernameandthereisnoend-to-endEAPconversation (nostrongauthentication).UsingMACAuthentication,deviceslikenetworkprinterornon-802.1X capableIPPhonescanstillgainaccesstothenetworkandtherightVLAN.

Wireless:802.1X+MACauthentication

Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication.Wherethingschangeisthatthe802.1Xisusedtosetupthesecuritykeysfor encryptedcommunication(WPA2-Enterprise)whileMACauthenticationisonlyusedtoauthorize (allowordisallow)aMAConthewirelessnetwork.

Onwirelessnetworks,theusualPacketFencesetupdictatethatyouconfiguretwoSSIDs:anopen oneandasecureone.Theopenoneisusedtohelpusersconfigurethesecureoneproperlyand requiresauthenticationoverthecaptiveportal(whichrunsinHTTPS).

Thefollowingdiagramdemonstratestheflowbetweenamobileenpoint,aWiFiaccesspoint,a WiFicontrollerandPacketFence:

1. UserinitiatesassociationtoWLANAPandtransmitsMACaddress.Ifuseraccessesnetworkvia aregistereddeviceinPacketFencegoto8

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorizethatMACaddressontheAP

3. PacketFenceserverconductsaddressauditinitsdatabase.IfitdoesnotrecognizetheMAC addressgoto4.Ifitdoesgoto8.

4. PacketFenceserverdirectsWLANcontrollerviaRADIUS(RFC2868attributes)toputthedevice inan"unauthenticatedrole“(setofACLsthatwouldlimit/redirecttheusertothePacketFence

captiveportalforregistration,orwecanalsousearegistrationVLANinwhichPacketFencedoes DNSblackholingandistheDHCPserver)

5. Theuser’sdeviceissuesaDHCP/DNSrequesttoPacketFence(whichisaDHCP/DNSserver onthisVLANorforthisrole)whichsendstheIPandDNSinformation.Atthispoint,ACLsare limiting/redirectingtheusertothePacketFence’scaptiveportalforauthentication.PacketFence fingerprintsthedevice(user-agentattributes,DHCPinformation&MACaddresspatterns)to whichitcantakevariousactionsincluding:keepdeviceonregistrationportal,directtoalternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on theregistrationportaltheuserregistersbyprovidingtheinformation(username/password,cell phonenumber,etc.).AtthistimePacketFencecouldalsorequirethedevicetogothrougha postureassessment(usingNessus,OpenVAS,etc.)

6. Ifauthenticationisrequired(username/password)throughaloginform,thosecredentialsare validatedviatheDirectoryserver(oranyotherauthenticationsources-likeLDAP,SQL,RADIUS, SMS,Facebook,Google+,etc.)whichprovidesuserattributestoPacketFencewhichcreatesuser +devicepolicyprofileinitsdatabase.

7. PacketFenceperformsaChangeofAuthorization(RFC3576)onthecontrollerandtheusermust bere-authenticated/reauthorized,sowegobackto1

8. PacketFenceserverdirectsWLANcontrollerviaRADIUStoputthedeviceinan"authenticated role“,orinthe"normal"VLAN

WebAuthmode

Webauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptive portal.Withthismode,yourdevicewillneverchangeofVLANIDbutonlytheACLassociatedto yourdevicewillchange.RefertotheNetworkDevicesConfigurationGuidetoseeasampleweb authconfigurationonaCiscoWLC.

Port-securityandSNMP

Reliesontheport-securitySNMPTraps.AfakestaticMACaddressisassignedtoalltheportsthis wayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFence.The systemwillauthorizetheMACandsettheportintherightVLAN.VoIPsupportispossiblebut tricky.Itvariesalotdependingontheswitchvendor.CiscoiswellsupportedbutisolationofaPC behindanIPPhoneleadstoaninterestingdilemma:eitheryoushuttheport(andthephoneat thesametime)oryouchangethedataVLANbutthePCdoesn’tdoDHCP(didn’tdetectlinkwas down)soitcannotreachthecaptiveportal.

AsidefromtheVoIPisolationdilemma,itisthetechniquethathasproventobereliableandthat hasthemostswitchvendorsupport.

MoreonSNMPtrapsVLANisolation

WhentheVLANisolationisworkingthroughSNMPtrapsallswitchports(onwhichVLANisolation shouldbedone)mustbeconfiguredtosendSNMPtrapstothePacketFencehost.OnPacketFence,

weusesnmptrapdastheSNMPtrapreceiver.Asitreceivestraps,itreformatsandwritesthem intoaflatfile:/usr/local/pf/logs/snmptrapd.log.Themultithreadedpfsetvlandaemonreads thesetrapsfromtheflatfileandrespondstothembysettingtheswitchporttothecorrectVLAN. Currently,wesupportswitchesfromCisco,Edge-core,HP,Intel,LinksysandNortel(addingsupport forswitchesfromanothervendorimpliesextendingthepf::Switchclass).Dependingonyour switchescapabilities,pfsetvlanwillactondifferenttypesofSNMPtraps.

YouneedtocreatearegistrationVLAN(withaDHCPserver,butnoroutingtootherVLANs)in whichPacketFencewillputunregistereddevices.Ifyouwanttoisolatecomputerswhichhaveopen violationsinaseparateVLAN,anisolationVLANneedsalsotobecreated.

linkUp/linkDowntraps(deprecated)

ThisisthemostbasicsetupanditneedsathirdVLAN:theMACdetectionVLAN.Thereshouldbe nothinginthisVLAN(noDHCPserver)anditshouldnotberoutedanywhere;itisjustanvoidVLAN.

Whenahostconnectstoaswitchport,theswitchsendsalinkUptraptoPacketFence.Sinceittakes sometimebeforetheswitchlearnstheMACaddressofthenewlyconnecteddevice,PacketFence immediatelyputstheportintheMACdetectionVLANinwhichthedevicewillsendDHCPrequests (withnoanswer)inorderfortheswitchtolearnitsMACaddress.Thenpfsetvlanwillsendperiodical

SNMPqueriestotheswitchuntiltheswitchlearnstheMACofthedevice.WhentheMACaddress isknown,pfsetvlanchecksitsstatus(existing?registered?anyviolations?)inthedatabaseand putstheportintheappropriateVLAN.Whenadeviceisunplugged,theswitchsendsalinkDown traptoPacketFencewhichputstheportintotheMACdetectionVLAN.

Whenacomputerboots,theinitializationoftheNICgeneratesseverallinkstatuschanges.And everytimetheswitchsendsalinkUpandalinkDowntraptoPacketFence.SincePacketFencehas toactoneachofthesetraps,thisgeneratesunfortunatelysomeunnecessaryloadonpfsetvlan. Inordertooptimizethetraptreatment,PacketFencestopseverythreadforalinkUptrapwhenit receivesalinkDowntraponthesameport.ButusingonlylinkUp/linkDowntrapsisnotthemost scalableoption.Forexampleincaseofpowerfailure,ifhundredsofcomputersbootatthesame time,PacketFencewouldreceivealotoftrapsalmostinstantlyandthiscouldresultinnetwork connectionlatency.

MACnotificationtraps

IfyourswitchessupportMACnotificationtraps(MAClearnt,MACremoved),wesuggestthatyou activatetheminadditiontothelinkUp/linkDowntraps.Thisway,pfsetvlandoesnotneed,after alinkUptrap,toquerytheswitchcontinuouslyuntiltheMAChasfinallybeenlearned.Whenit receivesalinkUptrapforaportonwhichMACnotificationtrapsarealsoenabled,itonlyneedsto puttheportintheMACdetectionVLANandcanthenfreethethread.Whentheswitchlearnsthe MACaddressofthedeviceitsendsaMAClearnttrap(containingtheMACaddress)toPacketFence.

PortSecuritytraps

Initsmostbasicform,thePortSecurityfeaturerememberstheMACaddressconnectedtothe switchportandallowsonlythatMACaddresstocommunicateonthatport.IfanyotherMAC addresstriestocommunicatethroughtheport,portsecuritywillnotallowitandsendaport- securitytrap.

Ifyourswitchessupportthisfeature,westronglyrecommendtouseitratherthanlinkUp/linkDown and/orMACnotifications.Why?BecauseaslongasaMACaddressisauthorizedonaportand istheonlyoneconnected,theswitchwillsendnotrapwhetherthedevicereboots,plugsinor unplugs.ThisdrasticallyreducestheSNMPinteractionsbetweentheswitchesandPacketFence.

WhenyouenableportsecuritytrapsyoushouldnotenablelinkUp/linkDownnorMACnotification traps.

TechnicalintroductiontoHybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcementmode.Nowwiththenewhybridmode,allthedevicesthatsupports802.1XorMAC- authenticationcanworkwiththismode.Let’sseehowitworks.

Deviceconfiguration

YouneedtoconfigureinlineenforcementmodeinPacketFenceandconfigureyourswitch(es)/ accesspoint(s)tousetheVLANassignementtechniques(802.1XorMAC-authentication).Youalso needtotakecareofaspecificparameterintheswitchconfigurationwindow,"Triggertoenable inlinemode".Thisparameterisworkinglikeatriggerandyouhavethepossibilitytodefinedifferent sortoftriggers:

ALWAYS,PORT, where ALWAYS means that the device is always in inline mode, PORT MAC,SSID specifytheifIndexoftheportwhichwilluseinlineenforcement,MACamac addressthatwillbeputininlineenforcementtechniqueratherthanVLAN enforcementandSSIDanssidname.Anexample:

SSID::GuestAccess,MAC::00:11:22:33:44:55

ThiswilltriggerallthenodesthatconnectstotheGuestAccessSSIDtouseinlineenforcementmode (PacketFencewillreturnavoidVLANortheinlineVlanifdefinedinswitchconfiguration)andthe MACaddress00:11:22:33:44:55clientifitconnectsonanotherSSID.

Configuration

Atthispointinthedocumentation,PacketFenceshouldbeinstalled.Youwouldalsohavechosen therightenforcementmethodforyouandcompletedtheinitialconfigurationofPacketFence.The followingsectionpresentskeyconceptsandfeaturesinPacketFence.

PacketFenceprovidesaweb-basedadministrationinterfaceforeasyconfigurationandoperational management.IfyouwentthroughPacketFence’sweb-basedconfigurationtool,youshouldhave setthepasswordfortheadminuser.

Once PacketFence is started, the administration interface is available at:https:// @ip_of_packetfence:1443/

ThenextkeystepsareimportanttounderstandhowPacketFenceworks.Inordertogetthesolution working, you must first understand and configure the following aspects of the solution in this specificorder:

1. roles-aroleinPacketFencewillbeeventuallybemappedtoaVLAN,anACLoranexternalrole. Youmustdefinetherolestouseinyourorganizationfornetworkaccess

2. authentication-oncerolesaredefined,youmustcreateanappropraiteauthenticationsourcein PacketFence.ThatwillallowPacketFencetocomputetherightroletobeusedforanendpoint, ortheuserusingit

3. network devices - once your roles and authentication sources are defined, you must add switches,WiFicontrollersorAPstobemananagedbyPacketFence.Whendoingso,youwill configurehowrolesarebeingmappedtoVLAN,ACLsorexternalroles

4. portal profiles - at this point, you are almost ready to test. You will need to set which authenticationsourcesaretobeusedonthedefaultcaptiveportal,orcreateanotheroneto suityourneeds

5. test!

Note

Ifyouplantouse802.1X-pleaseseetheFreeRADIUSConfigurationsectionbelow.

RolesManagement

RolesinPacketFencecanbecreatedfromPacketFenceadministrativeGUI-fromtheConfiguration →Users→Roles section. From this interface, you can also limit the number of devices users belongingtocertainrolescanregister.

RolesaredynamicallycomputedbyPacketFence,basedontherules(ie.,asetofconditionsand actions)fromauthenticationsources,usingafirst-matchwinsalgorithm.Rolesarethenmatched toVLANorinternalrolesorACLonequipmentfromtheConfiguration→Network→Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods.Amongthesupportedmethods,thereare:

▪ ActiveDirectory

▪ Apachehtpasswdfile

▪ Email

▪ ExternalHTTPAPI

▪ Facebook(OAuth2)

▪ Github(OAuth2)

▪ Google(OAuth2)

▪ Kerberos

▪ LDAP

▪ LinkedIn(OAuth2)

▪ Null

▪ RADIUS

▪ SMS

▪ SponsoredEmail

▪ Twitter(OAuth2)

▪ WindowsLive(OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration→Users→Sourcessection.Alternatively(butnotrecommended),authentication sources,rules,conditionsandactionscanbeconfiguredfromconf/authentication.conf.

Eachauthenticationsourcesyoudefinewillhaveasetofrules,conditionsandactions.

Multiple authentication sources can be defined, and will be tested in the order specified (note thattheycanbereorderedfromtheGUIbydraggingitaround).Eachsourcecanhavemultiple rules,whichwillalsobetestedintheorderspecified.Rulescanalsobereordered,justlikesources. Finally,conditionscanbedefinedforaruletomatchcertaincriterias.Ifthecriteriasmatch(one

ormore),actionarethenappliedandrulestestingstop,acrossallsourcesasthisisa"firstmatch wins"operation.

Whennoconditionisdefined,therulewillbeconsideredasafallback.Whenafallbackisdefined, allactionswillbeappliedforanyusersthatmatchintheauthenticationsource.

Onceasourceisdefined,itcanbeusedfromConfiguration→PortalProfiles.Eachportalprofile hasalistofauthenticationsourcestouse.

Example

Let’ssaywehavetworoles:guestandemployee.First,wedefinethemConfiguration→Users →Roles.

Now,wewanttoauthenticateemployeesusingActiveDirectory(overLDAP),andguestsusing PacketFence’sinternaldatabase-bothusingPacketFence’scaptiveportal.FromtheConfiguration →Users→Sources,weselectAddsource→AD.Weprovidethefollowinginformation:

▪ Name:ad1 ▪ Description:ActiveDirectoryforEmployees ▪ Host:192.168.1.2:389withoutSSL/TLS ▪ BaseDN:CN=Users,DC=acme,DC=local ▪ Scope:One-level ▪ UsernameAttribute:sAMAccountName ▪ BindDN:CN=Administrator,CN=Users,DC=acme,DC=local ▪ Password:acme123

Then,weaddarulebyclickingontheAddrulebuttonandprovidethefollowinginformation:

▪ Name:employees ▪ Description:Ruleforallemployees ▪ Don’tsetanycondition(asit’sacatch-allrule) ▪ Setthefollowingactions:

▪ Setroleemployee

▪ SetunregistrationdateJanuary1st,2020

Testthe connection and save everything. Using the newly defined source, any username that actuallymatchesinthesource(usingthesAMAccountName)willhavetheemployeeroleandan unregistrationdatesettoJanuary1st,2020.

Now,sincewewanttoauthenticateguestsfromPacketFence’sinternalSQLdatabase,accounts mustbeprovisionnedmanually.YoucandosofromtheUsers→Createsection.Whencreating guests,specify"guest"fortheSetroleaction,andsetanaccessdurationfor1day.

If you would like to differentiate user authentication and machine authentication using Active Directory,onewaytodoitisbycreatingasecondauthenticationsources,formachines:

▪ Name:ad1 ▪ Description:ActiveDirectoryforMachines ▪ Host:192.168.1.2:389withoutSSL/TLS ▪ BaseDN:CN=Computers,DC=acme,DC=local ▪ Scope:One-level

▪ UsernameAttribute:servicePrincipalName ▪ BindDN:CN=Administrator,CN=Users,DC=acme,DC=local ▪ Password:acme123

Then,weaddarule:

▪ Name:*machines ▪ Description:Ruleforallmachines ▪ Don’tsetanycondition(asit’sacatch-allrule) ▪ Setthefollowingactions:

▪ Setrolemachineauth

▪ SetunregistrationdateJanuary1st,2020

Note

Whenaruleisdefinedasacatch-all,itwillalwaysmatchiftheusernameattribute matchesthequeriedone.ThisappliesforActiveDirectory,LDAPandApachehtpasswd filesources.KerberosandRADIUSwillactastruecatch-all,andaccepteverything.

Note

IfyouwanttouseotherLDAPattributesinyourauthenticationsource,addthemin Configuration→Advanced→CustomLDAPattributes.Theywillthenbeavailableinthe rulesyoudefine.

ExternalAPIauthentication

PacketFencealsosupportscallinganexternalHTTPAPIasanauthenticationsource.Theexternal APIneedstoimplementanauthenticationactionandanauthorizationaction.

Authentication

Thisshouldprovidetheinformationaboutwhetherornottheusername/passwordcombination isvalid

TheseinformationareavailablethroughthePOSTfieldsoftherequest

TheservershouldreplywithtwoattributesinaJSONresponse

▪ result:shouldbe1forsuccess,0forfailure ▪ message:shouldbethereasonitsucceededorfailed

ExampleJSONresponse:

{"result":1,"message":"Valid username and password"}

Authorization

Thisshouldprovidetheactionstoapplyonauserbasedonit’sattributes

The following attributes are available for the reply : access_duration,access_level , sponsor, unregdate,category.

SampleJSONresponse,notethatnotallattributesarenecessary,onlysendbackwhatyouneed.

{"access_duration":"1D","access_level":"ALL","sponsor":1 ,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatiblewithPacketFence.

PacketFenceconfiguration

InPacketFence,youneedtoconfigureanHTTPsourceinordertouseanexternalAPI.

Hereisabriefdescriptionofthefields:

▪ Host:First,theprotocol,thentheIPaddressorhostnameoftheAPIandlastlytheportto connecttotheAPI. ▪ APIusernameandpassword:IfyourAPIimplementsHTTPbasicauthentication(RFC2617)you canaddtheminthesefields.LeavinganyofthosetwofieldsemptywillmakePacketFencedo therequestswithoutanyauthentication. ▪ AuthenticationURL:URLrelativetothehosttocallwhendoingtheauthenticationofauser. Notethatitisautomaticallyprefixedbyaslash. ▪ AuthorizationURL:URLrelativetothehosttocallwhendoingtheauthorizationofauser.Note thatitisautomaticallyprefixedbyaslash.

SAMLauthentication

PacketFence supports SAML authentication in the captive portal in combination with another internalsourcetodefinethelevelofauthorizationoftheuser.

First,transfertheIdentityProvidermetadataonthePacketFenceserver.Inthisexample,itwillbe underthepath/usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/ conf/ssl/idp-ca.crt.Ifitisaself-signedcertificate,thenyouwillbeabletouseitastheCAin thePacketFenceconfiguration.

Then,toconfigureSAMLinPacketFence,goinConfiguration→Sourcesandthencreateanew InternalsourceofthetypeSAMLandconfigureit.

Where:

▪ ServiceProviderentityIDistheidentifieroftheServiceProvider(PacketFence).Makesurethis matchesyourIdentityProviderconfiguration. ▪ PathtoServiceProviderkeyisthepathtothekeythatwillbeusedbyPacketFencetosignits messagestotheIdentityProvider.Adefaultoneisprovidedunderthepath:/usr/local/pf/ conf/ssl/server.key ▪ PathtoServiceProvidercertisthepathtothecertificateassociatedtothekeyabove.Aself- signedoneisprovidedunderthepath:/usr/local/pf/conf/ssl/server.key ▪ PathtoIdentityProvidermetadataisthepathtothemetadatafileyoutransferedabove(should bein/usr/local/pf/conf/idp-metadata.xml) ▪ PathtoIdentityProvidercertisthepathtothecertificateoftheidentityprovideryoutransfered ontheserverabove(shouldbein/usr/local/pf/conf/ssl/idp.crt).

▪ Path to Identity Provider CA cert is the path to the CA certificate of the identity provider youtransferedontheserverabove(shouldbein/usr/local/pf/conf/ssl/ca-idp.crt).Ifthe certificateaboveisself-signed,putthesamepathasaboveinthisfield. ▪ AttributeoftheusernameintheSAMLresponseistheattributethatcontainstheusername in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp. ▪ Authorizationsourceisthesourcethatwillbeusedtomatchtheusernameagainsttherules definedinit.Thisallowstosettheroleandaccessdurationoftheuser.TheAuthenticationsection ofthisdocumentcontainsexplanationsonhowtoconfigureanLDAPsourcewhichcanthen beusedhere.

Oncethisisdone,savethesourceandyouwillbeabletodownloadtheServiceProvidermetadata forPacketFenceusingthelinkDownloadServiceProvidermetadataonthepage.

Configure your identity provider according to the generated metadata to complete the Trust betweenPacketFenceandyourIdentityProvider.

In the case of SimpleSAMLPHP,the following configuration was used in metadata/saml20-sp- remote.php:

$metadata['PF_ENTITY_ID'] = array( 'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion', 'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff', );

Note

PacketFencedoesnotsupportlogoffontheSAMLIdentityProvider.Youcanstilldefine theURLinthemetadatabutitwillnotbeused.

Passthroughs

InorderforyouruserstobeabletoaccesstheIdentityProviderloginpage,youwillneedtoactivate passthroughsandaddtheIndentityProviderdomaintotheallowedpassthroughs.

Todoso,goinConfiguration→Trapping,thencheckPassthroughandaddtheIdentityProvider domainnametothePasshtroughslist.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1isconfiguredin/etc/sysctl.conf.

NetworkDevicesDefinition(switches.conf)

ThissectionappliesonlyforVLANenforcement.Usersplanningtodoinlineenforcementonlycan skipthissection.

PacketFenceneedstoknowwhichswitches,accesspointsorcontrollersitmanages,theirtypeand configuration.Allthisinformationisstoredin/usr/local/pf/conf/switches.conf.Youcanmodify

theconfigurationdirectlyintheswitches.conffileoryoucandoitfromtheWebAdministration panelunderConfiguration→Network→Switches-whichisnowthepreferredway.

The/usr/local/pf/conf/switches.confconfigurationfilecontainsadefaultsectionincluding:

▪ DefaultSNMPread/writecommunitiesfortheswitches ▪ Defaultworkingmode(seethenotebelowaboutpossibleworkingmodes)

andaswitchsectionforeachswitch(managedbyPacketFence)including:

▪ SwitchIP/Mac/Range ▪ Switchvendor/type ▪ Switchuplinkports(trunksandnon-managedIfIndex) ▪ per-switchre-definitionoftheVLANs(ifrequired)

Note

switches.confisloadedatstartup.Areloadisrequiredwhenchangesaremanually madetothisfile/usr/local/pf/bin/pfcmd configreload.

Workingmodes

TherearethreedifferentworkingmodesforaswitchinPacketFence:

Testing pfsetvlanwritesinthelogfileswhatitwouldnormallydo,butit doesn’tdoanything.

Registration pfsetvlan automatically-register all MAC addresses seen on the switchports.Asintestingmode,noVLANchangesaredone.

Production pfsetvlan sends the SNMP writes to change the VLAN on the switchports.

RADIUS

Toset the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively,edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowing parameters:

radiusSecret = secretPassPhrase

Moreover,theRADIUSsecretisrequiredtosupporttheRADIUSDynamicAuthentication(Change ofauthorizationorDisconnect)asdefinedinRFC3576.

SNMPv1,v2candv3

PacketFenceusesSNMPtocommunicatewithmostswitches.PacketFencealsosupportsSNMP v3.YoucanuseSNMPv3forcommunicationinbothdirections:fromtheswitchtoPacketFence andfromPacketFencetotheswitch.SNMPusageisdiscouraged,youshouldnowuseRADIUS. However,evenifRADIUSisbeingused,someswitchesmightalsorequireSNMPtobeconfigured toworkproperlywithPacketFence.

FromPacketFencetoaswitch

Edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

SNMPVersion = 3 SNMPUserNameRead = readUser SNMPAuthProtocolRead = MD5 SNMPAuthPasswordRead = authpwdread SNMPPrivProtocolRead = AES SNMPPrivPasswordRead = privpwdread SNMPUserNameWrite = writeUser SNMPAuthProtocolWrite = MD5 SNMPAuthPasswordWrite = authpwdwrite SNMPPrivProtocolWrite = AES SNMPPrivPasswordWrite = privpwdwrite

FromaswitchtoPacketFence

Edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

SNMPVersionTrap = 3 SNMPUserNameTrap = readUser SNMPAuthProtocolTrap = MD5 SNMPAuthPasswordTrap = authpwdread SNMPPrivProtocolTrap = AES SNMPPrivPasswordTrap = privpwdread

SwitchConfiguration

HereisaswitchconfigurationexampleinordertoenableSNMPv3inbothdirectionsonaCisco Switch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1 snmp-server group readGroup v3 priv snmp-server group writeGroup v3 priv read v1default write v1default snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite snmp-server enable traps port-security snmp-server enable traps port-security trap-rate 1 snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-LineInterface:TelnetandSSH

Warning

PrivilegedetectionisdisabledinthecurrentPacketFenceversionduetosomeissues (see#1370).SomakesurethatthecliUserandcliPwdyouprovidealwaysgetyou intoaprivilegedmode(exceptforTrapezehardware).

PackeFenceneedssometimestoestablishaninteractivecommand-linesessionwithaswitch.This canbedoneusingTelnet.YoucanalsouseSSH.Inordertodoso,edittheswitchconfigurationfile (/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:

cliTransport = SSH (or Telnet) cliUser = admin cliPwd = admin_pwd cliEnablePwd =

ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfiguration→Switches.

WebServicesInterface

PackeFencesometimesneedstoestablishadialogwiththeWebServicescapabilitiesofaswitch. Inordertodoso,edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthe followingparameters:

wsTransport = http (or https) wsUser = admin wsPwd = admin_pwd

ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfiguration→Switches.

Role-basedenforcementsupport

Somenetworkdevicessupporttheassignmentofaspecificsetofrules(firewallorACLs)toauser. Theideaisthattheserulescanbealotmoreaccuratetocontrolwhatausercanorcannotdo comparedtoVLANwhichhavealargernetworkmanagementoverhead.

PacketFencesupportsassigningrolesondevicesforswitchesandWiFicontrollersthatsupport it.ThecurrentroleassignmentstrategyistoassignitalongwiththeVLAN(thatmaychangein thefuture).Aspecialinternalroletoexternalroleassignmentmustbeconfiguredintheswitch configurationfile(/usr/local/pf/conf/switches.conf).

Thecurrentformatisthefollowing:

Format: Role=

Andyouassignittotheglobalrolesparameterortheper-switchone.Forexample:

adminRole=full-access engineeringRole=full-access salesRole=little-access

wouldreturnthefull-accessroletothenodescategorizedasadminorengineeringandtherole little-accesstonodescategorizedassales.ItcanalsobedonethroughtheWebAdministration InterfaceunderConfiguration→Switches.

Caution

Makesurethattherolesareproperlydefinedonthenetworkdevicespriortoassigning roles!

PortalProfiles

PacketFencecomeswithadefaultportalprofile.Thefollowparametersareimportanttoconfigure nomatterifyouusethedefaultportalprofileorcreateanewone:

▪ RedirectURLunderConfiguration→PortalProfile→PortalName

Forsomebrowsers,itispreferabletoredirecttheusertoaspecificURLinsteadoftheURLthe useroriginallyintendedtovisit.Forthesebrowsers,theURLdefinedinredirecturlwillbethe onewheretheuserwillberedirected.AffectedbrowsersareFirefox3andlater.

▪ IPunderConfiguration→Captiveportal

ThisIPisusedasthewebserverwhohoststhecommon/network-access-detection.gifwhich isusedtodetectifnetworkaccesswasenabled.Itcannotbeadomainnamesinceitisusedin registrationorquarantinewhereDNSisblack-holed.Itisrecommendedthatyouallowyourusers toreachyourPacketFenceserverandputyourLAN’sPacketFenceIP.Bydefaultwewillmakethis reachPacketFence’swebsiteasaneasierandmoreaccessiblesolution.

Insomecases,youmaywanttopresentadifferentcaptiveportal(seebelowfortheavailable customizations)accordingtotheSSID,theVLAN,theswitchIP/MACortheURItheclientconnects to.Todoso,PacketFencehastheconceptofportalprofileswhichgivesyouthispossibility.

Whenconfigured,portalprofileswilloverridedefaultvaluesforwhichitisconfigured.Whenno valuesareconfiguredintheprofile,PacketFencewilltakeitsdefaultones(accordingtothe"default" portalprofile).

Herearethedifferentconfigurationparametersthatcanbesetforeachportalprofiles.Theonly mandatoryparameteris"filter",otherwise,PacketFencewon’tbeabletocorrectlyapplytheportal profile.Theparametersmustbesetinconf/profiles.conf:

[profilename1] description = the description of your portal profile filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number sources = comma-separated list of authentications sources (IDs) to use

Portal profiles should be managed from PacketFence’s Web administrative GUI - from the Configuration→PortalProfilessection.Addingaportalprofilefromthatinterfacewillcorrectly copytemplatesover-whichcanthenbemodifiedasyouwish.

▪ FiltersunderConfiguration→PortalProfile→PortalName→Fitlers

PacketFenceoffersthefollowingfilters:ConnectionType,Network,NodeRole,Port,realm,SSID, Switch,SwitchPort,URI,VLANandTimeperiod.

Examplewiththemostcommonones:

▪ SSID:Guest-SSID

▪ VLAN:100

▪

▪ SwitchPort:-

▪ Network:NetworkinCIDRformatoranIPaddress

Caution

Noderolewilltakeeffectonlywitha802.1xconnectionorifyouuseVLANfilters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence´s Apache configuration are located in /usr/local/pf/conf/ httpd.conf.d/.

Inthisdirectoryyouhavethreeimportantfiles:httpd.admin,httpd.portal,httpd.webservices, httpd.aaa.

▪ httpd.adminisusedtomanagePacketFenceadmininterface

▪ httpd.portalisusedtomanagePacketFencecaptiveportalinterface

▪ httpd.webservicesisusedtomanagePacketFencewebservicesinterface

▪ httpd.aaaisusetomanageincomingRADIUSrequest

ThesefileshavebeenwrittenusingthePerllanguageandarecompletelydynamic-sotheyactivate servicesonlyonthenetworkinterfacesprovidedforthispurpose.

TheotherfilesinthisdirectoryaremanagedbyPacketFenceusingtemplates,soitiseasytomodify thesefilesbasedonyourconfiguration.SSLisenabledbydefaulttosecureaccess.

UponPacketFenceinstallation,self-signedcertificateswillbecreatedin/usr/local/pf/conf/ssl (server.keyandserver.crt).Thosecertificatescanbereplacedanytimebyyour3rd-partyor existingwildcardcertificatewithoutproblems.PleasenotethattheCN(CommonName)needsto bethesameastheonedefinedinthePacketFenceconfigurationfile(pf.conf).

FreeRADIUSConfiguration

ThissectionpresentstheFreeRADIUSconfigurationsteps.Insomeoccasions,aRADIUSserver ismandatoryinordertogiveaccesstothenetwork.Forexample,theusageofWPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticatetheusersandthedevices,andthentopushtheproperrolesorVLANattributesto thenetworkequipment.

Option1:AuthenticationagainstActiveDirectory(AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructionsunderOption1bsincetheinstructionsbelowdonotcurrentlyworkina cluster.

Inordertohavedomainauthenticationworkingproperly,youneedtoenableIPforwardingonyour server.Todoitpermanently,lookinthe/etc/sysctl.conf,andsetthefollowingline:

# Controls IP packet forwarding net.ipv4.ip_forward = 1

Nowexecutesysctl -ptoapplytheconfiguration

Next,gointheAdministrationinterfaceunderConfiguration→Domains.

Note

Ifyoucan’taccessthissectionandyouhavepreviouslyconfiguredyourservertobind toadomainexternallytoPacketFence,makesureyourun/usr/local/pf/addons/AD/ migrate.pl

ClickAddDomainandfillintheinformationsaboutyourdomain.

Where:

▪ Identifierisauniqueidentifierforyourdomain.It’spurposeisonlyvisual.

▪ Workgroupistheworkgroupofyourdomainintheoldsyntax(likeNT4).

▪ DNSnameofthedomainistheFQDNofyourdomain.Theonethatsuffixesyouraccountnames.

▪ Thisserver’snameisthenamethattheserver’saccountwillhaveinyourActiveDirectory.

▪ DNSserveristheIPaddressoftheDNSserverofthisdomain.Makesurethattheserveryou puttherehastheproperDNSentriesforthisdomain.

▪ Usernameistheusernamethatwillbeusedforbindingtotheserver.Thisaccountmustbea domainadministrator.

▪ Passwordisthepasswordfortheusernamedefinedabove.

Troubleshooting

▪ In order to troubleshoot unsuccessful binds, please refer to the following file : /chroots/ /var/log/samba/log.winbindd.Replacewiththeidentifier yousetinthedomainconfiguration.

▪ Youcanvalidatethedomainbindusingthefollowingcommand:chroot /chroots/ wbinfo -u

▪ You can test the authentication process using the following command chroot /chroots/ ntlm_auth --username=administrator

Note

Undercertainconditions,thetestjoinmayshowasunsuccessfulintheAdministration interfacebuttheauthenticationprocesswillstillworkproperly.Trythetestabove beforedoinganyadditionnaltroubleshooting

Defaultdomainconfiguration

Youshouldnowdefinethedomainyouwanttouseasthedefaultonebycreatingthefollowing realminConfiguration→Realms

Next,restartPacketFenceinStatus→Services Multipledomainsauthentication

FirstconfigureyourdomainsinConfiguration→Domains.

Oncetheyareconfigured,goinConfiguration→Realms.

CreateanewrealmthatmatchestheDNSnameofyourdomainANDonethatmatchesyour workgroup.Inthecaseofthisexample,itwillbeDOMAIN.NETandDOMAIN.

Where:

▪ RealmiseithertheDNSname(FQDN)ofyourdomainortheworkgroup

▪ RealmoptionsareanyrealmoptionsthatyouwanttoaddtotheFreeRADIUSconfiguration

▪ Domainisthedomainwhichisassociatedtothisrealm

Nowcreatethetwootherrealmsassociatedtoyourotherdomains.

Youshouldnowhavethefollowingrealmconfiguration

Option1b:AuthenticationagainstActiveDirectory (AD)inacluster

Samba/Kerberos/Winbind

InstallSamba.YoucaneitherusethesourcesorusethepackageforyourOS.ForRHEL/CentOS,do:

yum install samba krb5-workstation

ForDebianandUbuntu,do:

apt-get install samba winbind krb5-user

Note

IfyouhaveWindows7PCsinyournetwork,youneedtouseSambaversion3.5.0 (orgreater).

WhendonewiththeSambainstall,modifyyour/etc/hostsinordertoaddtheFQDNofyour ActiveDirectoryservers.Then,youneedtomodify/etc/krb5.conf.Hereisanexampleforthe DOMAIN.NETdomainforCentos/RHEL:

[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log

[libdefaults] default_realm = DOMAIN.NET dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes

[realms] DOMAIN.NET = { kdc = adserver.domain.net:88 admin_server = adserver.domain.net:749 default_domain = domain.net } [domain_realm] .domain.net = DOMAIN.NET domain.net = DOMAIN.NET

[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

ForDebianandUbuntu:

[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = DOMAIN.NET ticket_lifetime = 24h forwardable = yes [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

Next,edit/etc/samba/smb.conf.Again,hereisanexampleforourDOMAIN.NETforCentos/RHEL:

[global] workgroup = DOMAIN server string = %h security = ads passdb backend = tdbsam realm = DOMAIN.NET encrypt passwords = yes winbind use default domain = yes client NTLMv2 auth = yes preferred master = no domain master = no local master = no load printers = no log level = 1 winbind:5 auth:3 winbind max clients = 750 winbind max domain connections = 15 machine password timeout = 0

ForDebianandUbuntu:

[global] workgroup = DOMAIN server string = Samba Server Version %v security = ads realm = DOMAIN.NET password server = 192.168.1.1 domain master = no local master = no preferred master = no winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 machine password timeout = 0

IssueakinitandklistinordertogetandverifytheKerberostoken:

# kinit administrator # klist

Afterthat,youneedtostartsamba,andjointhemachinetothedomain:

# service smb start # chkconfig --level 345 smb on # net ads join -U administrator

NotethatforDebianandUbuntuyouwillprobablyhavethiserror:

# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials # Join to domain is not valid: Invalid credentials

ForCentos/RHEL:

# usermod -a -G wbpriv pf

Finally,startwinbind,andtestthesetupusingntlm_authandradtest:

# service winbind start # chkconfig --level 345 winbind on

ForDebianandUbuntu:

# usermod -a -G winbindd_priv pf # ntlm_auth --username myDomainUser # radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123 Sending Access-Request of id 108 to 127.0.0.1 port 18120 User-Name = "myDomainUser" NAS-IP-Address = 10.0.0.1 NAS-Port = 12 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x79d62c9da4e55104 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5 rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option2:LocalAuthentication

Addyouruser’sentriesattheendofthe/usr/local/pf/raddb/usersfilewiththefollowingformat:

username Cleartext-Password := "password"

Option3:EAPauthenticationagainstOpenLDAP

Toauthenticate802.1xconnectionagainstOpenLDAPyouneedtodefinetheldapconnectionin /usr/local/pf/raddb/modules/ldapandbesurethattheuserpasswordisdefineasaNTHASH orascleartext.

ldap openldap { server = "ldap.acme.com" identity = "uid=admin,dc=acme,dc=com" password = "password" basedn = "dc=district,dc=acme,dc=com" filter = "(uid=%{mschap:User-Name})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no

keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60

# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3

# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }

Next in/usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:

authorize { suffix ntdomain eap { ok = return } files openldap }

Option4:EAPGuestAuthenticationonemail,sponsor andSMSregistration

Thissectionwillallowlocalcredentialscreatedduringguestregistrationtobeusedin802.1xEAP- PEAPconnections.

FirstcreateaguestSSIDwiththeguestaccessyouwanttouse(Email,SponsororSMS,…)and activateCreatelocalaccountonthatsource.

Attheendoftheguestregistration,PacketFencewillsendanemailwiththecredentialsforEmail andSponsor.ForSMSthephonenumberandthePINcodeshouldbeused.

Note

Thisoptiondoesn’tcurrentlyworkwiththeReusedot1xcredentialsoptionofthecaptive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line # packetfence- local-authandrestartradiusd.

ThiswillactivatethefeatureforanylocalaccountonthePacketFenceserver.Youcanrestrictwhich accounts can be used by commenting the appropriate line in/usr/local/pf/raddb/policy.d/ packetfence.Forexample,ifyouwouldwanttodeactivatethisfeatureforaccountscreatedvia SMS,youwouldhavethefollowing:

packetfence-local-auth { # Disable ntlm_auth update control { &MS-CHAP-Use-NTLM-Auth := No } # Check password table for local user pflocal if (fail || notfound) { # Check password table with email and password for a sponsor registration pfguest if (fail || notfound) { # Check password table with email and password for a guest registration pfsponsor if (fail || notfound) { # *Don't* check activation table with phone number and PIN code # pfsms <--- This line was commented out if (fail || notfound) { update control { &MS-CHAP-Use-NTLM-Auth := Yes } } } } } }

Note

For this feature to work, the users' passwords must be stored in cleartext in the database.Thisisconfigurableviaadvanced.hash_passwords.

Option5:EAPLocaluserAuthentication

ThegoalhereistousethelocaluseryoucreatedintheadminGUIforEAPauthentication.The logicisexactlythesamethaninoption4,thedifferenceisthatweuseanotherSSIDandweonly uselocalaccounts.

Edit/usr/local/pf/raddb/sites-available/packetfence-tunnel

InthisexampleweactivatethisfeatureonaspecificSSIDname(Secure-local-Wireless),disabled bydefaultNTLMAuthandtestlocalaccount.IfitfailledthenwereactivateNTLMAuth.

####Activate local user eap authentication based on a specific SSID #### ## Set Called-Station-SSID with the current SSID # set.called_station_ssid # if (Called-Station-SSID == 'Secure-local-Wireless') { ## Disable ntlm_auth # update control { # MS-CHAP-Use-NTLM-Auth := No # } ## Check password table for local user # pflocal # if (fail || notfound) { # update control { # MS-CHAP-Use-NTLM-Auth := Yes # } # } # }

Caution

Youwillneedtodeasactivatepasswordhashinginthedatabaseforlocalauthentication to work. In the administration interface, go in Configuration → Advanced and set Databasepasswordshashingmethodtoplaintext

Tests

TestyoursetupwithradtestusingthefollowingcommandandmakesureyougetanAccess- Acceptanswer:

# radtest dd9999 Abcd1234 localhost:18120 12 testing123 Sending Access-Request of id 74 to 127.0.0.1 port 18120 User-Name = "dd9999" User-Password = "Abcd1234" NAS-IP-Address = 255.255.255.255 NAS-Port = 12 rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

PortalModules

ThePacketFencecaptiveportalflowishighlycustomizable.ThissectionwillcoverthePortalModules whichareusedtodefinethebehaviorofthecaptiveportal.

Note

Whenupgradingfromaversionthatdoesn’thavetheportalmodules,thePacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisionerswillbeused.

First,abriefdescriptionoftheavailablePortalModules:

▪ Root:Thisiswhereitallstarts,thismoduleisasimplecontainerthatdefinesallthemodules thatneedtobeappliedinachainedwaytotheuser.Oncetheuserhascompletedallmodules containedintheRoot,heisreleasedonthenetwork.

▪ Choice: This allows to give a choice between multiple modules to the user. The default_registration_policyisagoodexampleofachoicethatisofferedtotheuser.

▪ Chained:Thisallowsyoutodefinealistofmodulesthatauserneedstogothroughintheorder thattheyaredefined-ex:youwantyouruserstoregisterviaGoogle+andpayfortheiraccess usingPayPal.

▪ Message:Thisallowsyoutodisplayamessagetotheuser.Anexampleisavailablebelowin Displayingamessagetotheuseraftertheregistration

▪ Authentication:Theauthenticationmodulescanbeofalotoftypes.Youwouldwanttodefine oneofthesemodules,inordertooverridetherequiredfields,thesourcetouse,thetemplate oranyothermoduleattribute.

▪ Billing:Allowstodefineamodulebasedononeormorebillingsources

▪ Choice:Allowstodefineamodulebasedonmultiplesourcesandmoduleswithadvanced filteringoptions.SeethesectionAuthenticationChoicemodulebelowforadetailedexplanation.

▪ Login:Allowsyoutodefineausername/passwordbasedmodulewithmultipleinternalsources (ActiveDirectory,LDAP,…)

▪ Othermodules:Theothermodulesareallbasedonthesourcetypetheyareassignedto,they allowtoselectthesource,theAUPacceptance,andmandatoryfieldsifapplicable.

Examples

Thissectionwillcontainthefollowingexamples:

▪ Promptingforfieldswithoutauthentication.

▪ Promptingadditionnalfieldsduringtheauthentication.

▪ Chainedauthentication.

▪ MixingloginandSecureSSIDon-boardingontheportal.

▪ Displayingamessagetotheuseraftertheregistration.

Creatingacustomrootmodule

First,createacustomrootmoduleforourexamplesinordertonotaffectthedefaultpolicy.In ordertodoso,goinConfiguration→PortalModules,thenclickAddPortalModuleandselectthe typeRoot.Giveittheidentifiermy_first_root_moduleandthedescriptionMy first root module, thenhitsave.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default)andthenunderRootPortalModule,assignMy first root modulethensaveyourprofile. Ifyouweretoaccessthecaptiveportalnow,anerrorwoulddisplaysincetheRootmodulewe configureddoesn’tcontainanything.

YoucouldaddsomeofthepreconfiguredmodulestothenewRootmoduleyoucreatedandthat wouldmaketheerrordisapear. Promptingforfieldswithoutauthentication

Inordertopromptfieldswithoutauthentication,youcanusetheNullsourcewiththeNullPortal Module.

PacketFencealreadycomeswithaNullsourcepreconfigured.Ifyouhaven’tmodifieditordeleted it,youcanuseitforthisexample.Otherwise,goinConfiguration→SourcesandcreateanewNull sourcewithacatchallrulethatassignsaroleandaccessduration.

ThengoinConfiguration→PortalModulesandclickAddPortalModuleandselectAuthentication→ Null.SettheIdentifiertoprompt_fieldsandconfigurethemodulewiththeMandatoryfieldsyou wantanduncheckRequireAUPsothattheuserdoesn’thavetoaccepttheAUPbeforesubmitting thesefields.

Next,addtheprompt_fieldsmoduleinmy_first_root_module(removinganypreviousmodules) andsaveit.Nowwhenvisitingtheportal,itshouldpromptyouforthefieldsyoudefineinthe

module.Then,submittingtheseinformationswillassignyoutheroleandaccessdurationthatyou definedinthenullsource.

Promptingadditionnalfieldsduringtheauthentication

Ifyouwanttopromptadditionnalfieldsduringtheauthenticationprocessforamodule,youcan defineaModulebasedonthatsourcethatwillspecifytheadditionnalmandatoryfieldsforthis source.

Youcanalsoaddadditionnalmandatoryfieldstothedefaultpoliciesthatarealreadyconfigured.

Thisexamplewillmakethedefault_guest_policyrequiretheusertoenterafirstname,lastname andaddresssothatguestshavetoenterthesethreeinformationsbeforeregistering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastnameandaddresstotheMandatoryfieldsandsave.

Next,addthedefault_guest_policytomy_first_root_module(removinganypreviousmodules). Nowwhenvisitingtheportal,selectinganyoftheguestsourceswillrequireyoutoenterboththe mandatoryfieldsofthesource(ex:phone+mobileprovider)andthemandatoryfieldsyoudefined inthedefault_guest_policy.

Note

Notallsourcessupportadditionnalmandatoryfields(ex:OAuthsourceslikeGoogle, Facebook,…).

Chainedauthentication

Theportalmodulesallowyoutochaintwoormoremodulestogetherinordertomaketheuser accomplishalloftheactionsinthemoduleinthedesiredsequence.

ThisexamplewillallowyoutoconfigureaChainedmodulethatwillrequiretheusertologinvia anyconfiguredOAuthsource(Github,Google+,…)andthenvalidatehisphonenumberusingSMS registration.

FortheOAuthloginwewillusethedefault_oauth_policy,sojustmakesureyouhaveanOAuth sourceconfiguredcorrectlyandavailableinyourPortalProfile.

Then,wewillcreateamodulethatwillcontainthedefinitionofourSMSregistration.

GoinConfiguration→PortalModulesthenclickAddPortalModuleandselectAuthentication→SMS.

ConfiguretheportalmodulesothatitusesthesmssourceandunchecktheRequireAUPoption sincetheuserwillhavealreadyacceptedtheAUPwhenregisteringusingOAuth.

Then,addanotherPortalModuleoftypeChained.Nameitchained_oauth_sms,assignarelevant descriptionandthenadddefault_oauth_policyandsmstotheModulesfields

Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules)andsaveit.Nowwhenvisitingtheportal,youshouldhavetoauthenticationusingan OAuthsourceandthenusingSMSbasedregistration. MixingloginandSecureSSIDon-boardingontheportal

Thisexamplewillguideyouthroughconfiguringaportalflowthatwillallowfordevicestoaccess anopenSSIDusinganLDAPusername/passwordbutalsogivethechoicetoconfiguretheSecure SSIDdirectlyfromtheportal.

First,weneedtoconfiguretheprovisionersfortheSecureSSIDonboarding.RefertosectionApple andAndroidWirelessProvisioningofthisguidetoconfigureyourprovisionersandaddthemtothe portalprofile.

CreateaprovisionerofthetypeDenyandadditwithyourotherprovisioners(puttinganyother provisionerbeforeit).Thiswillmakesurethatifthereisnomatchontheotherprovisioners,itwill notallowthedevicethrough.

AlsointheportalprofileaddyourLDAPsourcetotheavailablesourcessoitstheonlyoneavailable.

Next,createaProvisioningportalmodulebygoinginConfiguration→PortalModules.SettheIdentifier tosecure_boardingandthedescriptiontoBoard Secure SSID.AlsouncheckSkipablesotheuser isforcedtoboardtheSSIDshoulditchoosethisoption.

Then,stillinthePortalModules,createaChoicemodule.SettheIdentifiertologin_or_boardingand descriptiontoLoginorBoarding.Addsecure_boardinganddefault_login_policytotheModules fieldandsave.

Next, add the login_or_boarding module in my_first_root_module (removing any previous modules)andsaveit.Nowwhenvisitingtheportal,youwillhavethechoicebetweenlogintothe LDAPsourceandgainaccesstothenetworkordirectlyuseprovisioninginordertoconfigureyour deviceforaSecureSSID.

Displayingamessagetotheuseraftertheregistration=

UsingtheMessagemoduleyoucandisplayacustommessagetotheuser.Youcanalsocustomize thetemplatetodisplayinordertodisplayafullycustompage.

GoinConfiguration→PortalModules,thenclickAddPortalModuleandselectMessage.Setthe Identifiertohello_worldandthedescriptiontoHello World.

ThenputthefollowingintheMessagefield

Hello World ! Click here to access the PacketFence website!

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module(removinganypreviousmodules)andsaveit.Nowwhenvisitingtheportal, youshouldhavetoauthenticateusingthesourcesdefinedinyourportalprofileandyouwillthen seethehelloworldmessage.

AuthenticationChoicemodule(advanced)

The Authentication Choice module allows to define a choice between multiple sources using advancedfilteringrules,manualselectionofthesourcesandselectionofPortalModules.

AllthesourcesthataredefinedintheSourcesfieldwillbeavailableforusagebytheuser.Same goesforthemodulesdefinedinModules.

Youcanalsodefinewhichmandatoryfieldsyouwanttopromptfortheseauthenticationchoices. AlthoughyoucanstillconfigurethemonanyAuthenticationChoicemodule,theywillonlybeshown iftheyareapplicabletothesource.

InadditiontothemanualselectionaboveyoucandynamicallyselectsourcespartofthePortal Profilebasedontheirobjectattribute(ObjectClass,Authenticationtype,AuthenticationClass).

Note

Youcanfindalltheauthenticationobjectsinlib/pf/Authentication/Source

▪ Sourcesbyclass:Allowsyoutospecifytheperlclassnameofthesourcesyouwantavailable

▪ ex:pf::Authentication::Source::SMSSource will select all the SMS sources. pf::Authentication::Source::BillingSourcewillselectallthebillingsources(Paypal,Stripe, …)

▪ Sourcesbytype:AllowsyoutofilteroutsourcesusingthetypeattributeoftheAuthentication object

▪ Sources by Auth Class: Allows you to filter our sources using the class attribute of the Authenticationobject.

Youcanseethedefault_guest_policyanddefault_oauth_policyforexamplesofthismodule.

Debugging

Logfiles

HerearethemostimportantPacketFencelogfiles:

▪ /usr/local/pf/logs/packetfence.log—PacketFenceCoreLog ▪ /usr/local/pf/logs/httpd.portal.access—Apache–CaptivePortalAccessLog ▪ /usr/local/pf/logs/httpd.portal.error—Apache–CaptivePortalErrorLog ▪ /usr/local/pf/logs/httpd.admin.access—Apache–WebAdmin/ServicesAccessLog ▪ /usr/local/pf/logs/httpd.admin.error—Apache–WebAdmin/ServicesErrorLog ▪ /usr/local/pf/logs/httpd.webservices.access—Apache–WebservicesAccessLog ▪ /usr/local/pf/logs/httpd.webservices.error—Apache–WebservicesErrorLog ▪ /usr/local/pf/logs/httpd.aaa.access—Apache–AAAAccessLog ▪ /usr/local/pf/logs/httpd.aaa.error—Apache–AAAErrorLog

Thereareotherlogfilesin/usr/local/pf/logs/thatcouldberelevantdependingonwhatissue youareexperiencing.Makesureyoutakealookatthem.

Themainloggingconfigurationfileis/usr/local/pf/conf/log.conf.Itcontainstheconfiguration forthepacketfence.logfile(Log::Log4Perl)andyounormallydon’tneedtomodifyit.Thelogging configurationfilesforeveryservicearelocatedunder/usr/local/pf/conf/log.conf.d/.

RADIUSDebugging

First,checktheFreeRADIUSlogs.Thefileislocatedat/usr/local/pf/logs/radius.log.

Ifthisdidn’thelp,runFreeRADIUSindebugmode.Todoso,startitusingthefollowingcommands.

Fortheauthenticationradiusprocess:

# radiusd -X -d /usr/local/pf/raddb -n auth

Fortheaccountingradiusprocess:

# radiusd -X -d /usr/local/pf/raddb -n acct

Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon.PacketFence’sFreeRADIUSispreconfiguredwithsuchsupport.

Inordertohaveanoutputfromraddebug,youneedtoeither:

a. Makesureuserpfhasashellin/etc/passwd,add/usr/sbintoPATH(export PATH=/usr/sbin: $PATH)andexecuteraddebugaspf

b. Runraddebugasroot(lesssecure!)

Nowyoucanrunraddebugeasily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

TheabovewilloutputFreeRADIUS'authenticationdebuglogsfor5minutes.

Usethefollowingtodebugradiusaccounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

Seeman raddebugforalltheoptions.

MoreonVoIPIntegration

VoIPhasbeengrowinginpopularityonenterprisenetworks.Atfirstsight,theITadministratorsthink thatdeployingVoIPwithaNACposesahugecomplicatedchallengetoresolve.Infact,depending ofthehardwareyouhave,notreally.Inthissection,wewillseewhy.

CDPandLLDPareyourfriend

ForthoseofyouwhoareunawareoftheexistenceofCDPorLLDP(orLLDP-MED),Isuggest youstartreadingonthistopic.CiscoDiscoveryProtocol(CDP)isdevice-discoveryprotocolthat runsonallCisco-manufacturedequipmentincludingrouters,accessservers,bridges,andswitches. UsingCDP,adevicecanadvertiseitsexistencetootherdevicesandreceiveinformationabout otherdevicesonthesameLANorontheremotesideofaWAN.IntheworldofVoIP,CDPisable todetermineiftheconnectingdeviceisanIPPhoneornot,andtelltheIPPhonetotagitsethernet frameusingtheconfiguredvoiceVLANontheswitchport.

Onmanyothervendors,youarelikelytofindLLDPorLLDP-MEDsupport.LinkLayerDiscovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by networkdevicesforadvertisingtheiridentity,capabilities,andneighbors.SameasCDP,LLDPcan tellanIPPhonewhichVLANidisthevoiceVLAN.

VoIPandVLANassignmenttechniques

As you already know, PacketFence supports many VLAN assignment techniques such as port- security,macauthenticationor802.1X.Let’sseehowVoIPisdoingwitheachofthose.

Port-security

Using port-security, the VoIP device rely on CDP/LLDP to tag its ethernet frame using the configuredvoiceVLANontheswitchport.Afterthat,weensurethatasecuritytrapissentfrom thevoiceVLANsothatPacketFencecanauthorizethemacaddressontheport.WhenthePC connects,anothersecuritytrapwillbesent,butfromthedataVLAN.Thatway,wewillhave1mac addressauthorizedonthevoiceVLAN,and1ontheaccessVLAN.

Note

Not all vendors support VoIP on port-security, please refer to the Network ConfigurationGuide.

MACAuthenticationand802.1X Ciscohardware

OnCiscoswitches,wearelookingatthemulti-domainconfiguration.Themulti-domainmeansthat wecanhaveonedeviceontheVOICEdomain,andonedeviceontheDATAdomain.Thedomain assignmentisdoneusingaCiscoVSA.Whenthephoneconnectstotheswitchport,PacketFence willrespondwiththeproperVSAonly,noRADIUStunneledattributes.CDPthentellsthephone totagitsethernetframesusingtheconfiguredvoiceVLANontheport.WhenaPCconnects,the RADIUSserverwillreturntunneledattributes,andtheswitchwillplacetheportintheprovided accessVLAN. Non-Ciscohardware

Onothervendorhardware,itispossibletomakeVoIPworkusingRADIUSVSAs.Whenaphone connectstoaswitchport,PacketFenceneedstoreturntheproperVSAtotelltheswitchtoallow taggedframesfromthisdevice.WhenthePCwillconnect,wewillbeabletoreturnstandard RADIUStunnelattributestotheswitch,thatwillbetheuntaggedVLAN.

Note

Again,refertotheNetworkConfigurationGuidetoseeifVoIPissupportedonyour switchhardware.

WhatifCDP/LLDPfeatureismissing

Itispossiblethatyourphonedoesn’tsupportCDPorLLDP.Ifit’sthecase,youareprobablylooking atthe"DHCPway"ofprovisionningyourphonewithavoiceVLAN.Somemodelswillaskfora specificDHCPoptionsothattheDHCPservercangivethephoneavoiceVLANid.Thephonewill thenreboot,andtagitsethernetframeusingtheprovidedVLANtag.

InordertomakethisscenarioworkwithPacketFence,youneedtoensurethatyoutweakthe registrationandyourproductionDHCPservertoprovidetheDHCPoption.Youalsoneedtomake surethereisavoiceVLANproperlyconfiguredontheport,andthatyouauto-registeryourIP Phones(Onthefirstconnect,thephonewillbeassignedontheregistrationVLAN).

Advancedtopics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFencemanuallyusingitsconfigurationfilesinsteadofitsWebadministrativeinterface.Itis stillrecommendedtousetheWebinterface.

Inanycase,the/usr/local/pf/conf/pf.conffilecontainsthePacketFencegeneralconfiguration. Forexample,thisistheplacewhereweinformPacketFenceitwillworkinVLANisolationmode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/ pf.conf.defaults.

Inordertooverrideadefaultparameter,defineitandsetitinpf.conf.

/usr/local/pf/conf/documentation.confholdsthecompletelistofallavailableparameters.

Alltheseparametersarealsoaccessiblethroughtheweb-basedadministrationinterfaceunderthe Configurationtab.Itishighlyrecommendedthatyouusetheweb-basedadministrationinterface ofPacketFenceforanyconfigurationchanges.

AppleandAndroidWirelessProvisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this featurebyimportingthewirelessprofilewiththeAndroidPacketFenceAgent.Infact,installingsuch fileonyourAppledevicewillautomaticallyconfigurethewirelesssettingsforagivenSSID.This featureisoftenusedwhentheSSIDishidden,andyouwanttoeasetheconfigurationstepson themobiledevice(becauseitisoftenpainfultoconfiguremanually).InPacketFence,wearegoing further,wegeneratetheprofileaccordingtotheadministrator’spreferenceandwepre-populatethe filewiththeuser’scredentials(withoutthepassword).Theusersimplyneedstoinstallitsgenerated fileandhewillbeabletousethenewSSID.

Configurethefeature

Firstofall,youneedtoconfiguretheSSIDthatyourdeviceswilluseaftertheygothoughthe authenticationprocess.

Inordertodothat,intheadministrationinterface,goinConfiguration/Provisioners.Thenselectthe androidprovisioner.EntertheSSIDandsave.

NowdothesamethingfortheiOSprovisioner.

After,yousimplyneedtoaddtheAndroidandiOSprovisionerstoyourPortalProfileconfiguration.

ForAndroid,youmustallowpassthroughsinyourpf.confconfigurationfile:

[trapping] passthrough=enabled passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profilegeneration

Uponregistration,insteadofshowingthedefaultreleasepage,theuserwillbeshowinganother versionofthepagesayingthatthewirelessprofilehasbeengeneratedwithaclickablelinkonit. Toinstalltheprofile,Appleuserownersimplyneedtoclickonthatlink,andfollowtheinstructions ontheirdevice.AndroiduserownersimplyclicktothelinkandwillbeforwardedtoGooglePlay toinstallPacketFenceagent.Simplylaunchtheapplicationandclicktoconfigurewillcreatethe secureSSIDprofile.Itisthatsimple.

BillingEngine

PacketFenceintegratestheabilitytouseapaymentgatewaytobilluserstogainaccesstothe network.Whenconfigured,theuserwhowantstoaccessthenetwork/Internetispromptedbya pageaskingforit’spersonnalinformationaswellasit’screditcardinformation.

PacketFencecurrentlysupportsfourpaymentgateways:Authorize.net,Mirapay,PaypalandStripe.

Inordertoactivatethebilling,youwillneedtoconfigurethefollowingcomponents:

▪ Billingsource(s)

▪ Billingtier(s)

Configuringabillingsource

Firstselectabillingproviderandfollowtheinstructionsbelow.

Paypal

Note

ThisproviderrequiresthatyourPacketFenceserverisaccessibleonthepublicdomain. ForthisyourPacketFenceportalshouldbeavailableonapublicIPusingtheDNS servernameconfiguredinPacketFence.

Ifyouhaveabusinessaccountanddonotwanttoconfigureatestenvironment,youcanskipthe nextsection.

Sandboxaccount

To configure a sandbox paypal account for use in PacketFence, head to https:// developer.paypal.com/andeithersignuporloginintoyourexistingaccount.

ThenintheSandboxmenu,clickAccounts

CreateanaccountthathasthetypePersonalandonethathasthetypeBusiness.

Afterwards,gobackintoaccounts,andexpandthebusinessaccount,thenclickProfile

NowclicktheChangepasswordlinkandchangethepasswordandnoteit.

Dothesamethingwiththepersonalaccountyoucreated

Configuringthemerchantaccount

LoginintothePaypalbusinessaccountthatyoucreatedathttps://www.sandbox.paypal.com/ifyou areusingasandboxaccountoronhttps://www.paypal.com/ifyouareusingarealaccount.

NextgoinMyAccount→Profileinordertogointoyourprofileconfiguration.

NextintheSellingPreferencesyouwillneedtoselectWebsitePaymentPreferences

Configurethesettingssotheymatchthescreenshotbelow.

YoushouldturnonAutoReturn,setthereturnURLtohttps://YOUR_PORTAL_HOSTNAME/billing/ paypal/verify.

YoushouldalsotakenoteoftheIdentityTokenasitwillberequiredinthePacketFenceconfiguration.

NextgobackinyourprofileconfigurationMyaccount→ProfileandselectEncryptedPaymentSettings

NowonthispageyouwillneedtosubmitthecertificateusedbyPacketFencetoPaypal(/usr/local/ pf/conf/ssl/server.crtbydefault).

Once you have submitted it, note it’s associated Cert ID as you will need to configure it in PacketFence.

Stillonthatpage,clicktheDownloadlinktodownloadthePaypalpubliccertificateandputiton thePacketFenceserverunderpath:/usr/local/pf/conf/ssl/paypal.pem

Caution

ThecertificatewillNOTbethesameifyouuseasandboxaccountorarealaccount.

ConfiguringPacketFence

Now,inthePacketFenceadministrationinterface,goinConfiguration→Sourcesandcreateanew sourceoftypeBilling→Paypal.

Where:

▪ IdentitytokenistheoneyounotedwhenontheWebsitePaymentPreferencespage. ▪ CertIDistheoneyounotedwhenontheEncryptedPaymentSettings. ▪ Paymenttypeiswhethertheaccessisdonationbased(notmandatorytopayforit). ▪ Emailaddressistheemailaddressofthemerchantpaypalaccount. ▪ CertfileisthepathtothePacketFencecertificate(/usr/local/pf/conf/ssl/server.crtbydefault). ▪ KeyfileisthepathtothePacketFencecertificate(/usr/local/pf/conf/ssl/server.keybydefault). ▪ PaypalcertfileisthepathtothePaypalcertificate(/usr/local/pf/conf/ssl/paypal.peminthis example). ▪ Currencyisthecurrencythatwillbeusedinthetransactions. ▪ Testmodeshouldbeactivatedifyouareusingasandboxaccount. Stripe

Stripeaccount

Firstgoonhttps://dashboard.stripe.com,createanaccountandlogin.

NextonthetoprightclickYouraccountthenAccountsettings.

NavigatetotheAPIkeystabandnoteyourkeyandsecret.Thetestkeyshouldbeusedwhentesting theconfigurationandthelivekeywhenputtingthesourceinproduction.

ConfiguringPacketFence

Now,inthePacketFenceadministrationinterface,goinConfiguration→Sourcesandcreateanew sourceoftypeBilling→Stripe

Where:

▪ SecretkeyisthesecretkeyyougotfromyourStripeaccount. ▪ PublishablekeyisthepublishablekeyyougotfromyourStripeaccount. ▪ Styleiswhetheryouaredoingaone-timechargeorsubscriptionbasedbilling(recurring).See sectionSubscriptionbasedregistrationbelowfordetailsonhowtoconfigureit. ▪ Currencyisthecurrencythatwillbeusedinthetransactions. ▪ Testmodeshouldbeactivatedifyouareusingthetestkeyandsecretaccount. Authorize.net

Creatinganaccount

First go on https://account.authorize.net to signup for a merchant account orhttp:// developer.authorize.net/forasandboxaccount.

AfteryoucreatedyouraccountyouwillbeshownyourAPIloginIDandTransactionkey.Noteboth oftheseinformationsforusageinthePacketFenceconfiguration.

Thenloginintoyournewaccount.

ThenunderAccountclickSettings.

OnthesettingspageinthesectionSecuritysettings,clickMD5-Hash

Nowenterasecretthatwillbesharedbetweenauthorize.netandPacketFence.

PacketFenceconfiguration

NextinthePacketFenceadministrationinterface,goinConfiguration→Sourcesandcreateanew sourceoftypeBilling→AuthorizeNet.

Where:

▪ APIloginIDistheoneyougotearlierwhilecreatingyouraccount. ▪ Transactionkeyistheoneyougotearlierwhilecreatingyouraccount. ▪ MD5hashtheoneyouconfiguredinyourAuthorize.netaccount. ▪ Currencyisthecurrencythatwillbeusedinthetransactions. ▪ Testmodeshouldbeactivatedifyouareusingasandboxaccount. Mirapay

To be contributed...

Addingbillingtiers

Onceyouhaveconfiguredoneormorebillingsource,youneedtodefinebillingtierswhichwill definethepriceandtargetauthenticationrulesfortheuser.

InthePacketFenceadministrationinterface,goinConfiguration→Billingtiers

ThenclickAddbillingtierandconfigureit.

Where:

▪ Billingtieristheuniqueidentifierofthebillingtier. ▪ Nameisthefriendlynameofthebillingtier. ▪ Descriptionisanextendeddescriptionofthebillingtier. ▪ Priceistheamountthatwillbechargedtotheuser. ▪ Accessdurationistheamountoftimetheuserwillbegrantedaccesstoyournetwork. ▪ Roleisthetargetroletheusershouldbein. ▪ Usetimebalancedefinesiftheaccessdurationshouldbecomputedonreal-timeaccessduration meaningiftheuserbuys24hoursofaccesshecanusethenetworkfor24hoursindifferent timeblocks.ThisrequiresavalidRADIUSaccountingconfiguration.

Note

Ifdon’twanttouseallthebillingtiersthataredefined,youcanspecifytheonesthat shouldbeactiveinthePortalprofile.

Subscriptionbasedregistration

PacketFencesupportssubscriptionbasedbillingusingStripeasabillingprovider.

Billingtier

Whenusingsubscriptionbasedbilling,itisadvisedtoconfigurethebillingtiersoithasanalmost infiniteaccessduration(e.g.20years)asthebillingproviderwillbecontactingthePacketFence serverwhenthesubscriptioniscanceled.

Youshouldconfigureabillingtierforeachsubscriptionplanyouwanttohave.Thisexamplewill usetheplansimpleandadvancedconfiguredusingthefollowingparameters.

[simple] name=Simple network access description=Click here if you are poor price=3.99 role=guest access_duration=10Y use_time_balance=disabled

[advanced] name=Simple network access description=Click here if you are poor price=9.99 role=advanced_guest access_duration=10Y use_time_balance=disabled

Stripeconfiguration

TheninyourStripedashboard,youshouldgoinSubscriptions→Plans.

Thencreateanewplan.

Where:

▪ ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence. ▪ Amountisthepriceoftheplan.Itisimportantthatthismatchesthepriceofthebillingtierin PacketFence. ▪ Currencyisthecurrencythatwillbeusedinthetransactions.Itisimportantthatthismatches thecurrencyoftheStripesourceinPacketFence. ▪ Intervalistheintervalatwhichthecustomershouldbebilled.Inthecaseofthisexample,itis monthly.

Now,followingthesameprocedure,createtheadvancedplan. ReceivingupdatesfromStripe

Asthesubscriptioncanbecancelledbyauser,youneedtosetupyourPacketFenceinstallationto receiveupdatesfromStripe.

UpdatesaresentusingHTTPrequestsonapublicIP.

YouneedtomakesurethatyourPacketFenceserverisavailablethroughapublicIPonport80and thatyourPacketFenceserverhostnameresolvesonthepublicdomain.

Then,inStripe,configureaWebhooksoStripeinformsPacketFenceofanyeventthathappensin thisStripemerchantaccount.

InordertodosogoinYourAccount→AccountSettings→WebhooksandclickAddendpoint.

Where:

▪ URListheURLtothePacketFenceserver.Thisshouldbehttp://YOUR_PORTAL_HOSTNAME/ hook/billing/stripe ▪ Modeiswhetherthiswebhookisfortestingmodeorlivemode

Noweverytimeauserunsubscribesfromaplan,PacketFencewillbenotifiedandwillunregister thatdevicefromyournetwork.

DevicesRegistration

Usershavethepossibilitytoregistertheirdevices(MicrosoftXBOX/XBOX360,NintendoDS/Wii, SonyPlayStationandsoon)rightfromaspecialportalpage.Whenaccessingthispage,userswillbe

promptedtologinasiftheywereregisteringthemselves.Onceloggedin,theportalwillaskthemto enterthedeviceMACaddressthatwillthenbematchedagainstapredefinedlistofauthorizedMAC OUI.Thedevicewillberegisteredwiththeuser’sidandcanbeassignedintoaspecificcategory foreasiermanagement.

Here’showtoconfigurethewholething.TheportalpagecanbeaccessedbythefollowingURL: https://YOUR_PORTAL_HOSTNAME/device-registration This URL is accessible from within the network,inanyVLANthatcanreachthePacketFenceserver.

Thefollowingcanbeconfiguredbyeditingthepf.conffile:

[registration] device_registration = enabled device_registration_role = gaming

MakesuretheroleexistsinPacketFenceotherwiseyouwillencounterregistrationerrors.Moreover, makesuretherolemappingforyourparticularequipmentisdone.

TheseparameterscanalsobeconfiguredfromtheConfiguration→Registrationsection.

Note

Aportalinterfacetypeisrequiredtousethisfeature.Aportalinterfacetypecanbe addedtoanynetworkinterfaceusingthewebadminGUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developedfortheinternationalresearchandeducationcommunity.

eduroamallowsstudents,researchersandstafffromparticipatinginstitutionsto obtainInternetconnectivityacrosscampusandwhenvisitingotherparticipating institutionsbysimplyopeningtheirlaptop. —eduroamhttps://www.eduroam.org/

PacketFencesupportsintegrationwitheduroamandallowsparticipatinginstitutionstoauthenticate bothlocallyvisitingusersfromotherinstitutionsaswellasallowingotherinstitutionstoauthenticate localusers.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFencemustbemodifiedtoallowtheeduroamserverstoconnecttoitasclientsaswellas toproxyRADIUSauthenticationrequestsforusersfromoutsideinstitutions.

First,modifythe/usr/local/pf/raddb/clients.conffiletoallowtheeduroamserverstoconnectto yourPacketFenceserver.Addtheeduroamserversasclientsandmakesuretoaddtheproper RADIUSsecret.Setashortnametorefertotheseclientsasyouwilllaterneedittoexcludethem fromsomepartsofthePacketFenceconfiguration.

clients.confexample:

client tlrs1.eduroam.us { secret = useStrongerSecret shortname = tlrs1 }

client tlrs2.eduroam.us { secret = useStrongerSecret shortname = tlrs2 }

Secondly,modifythelistofdomainsandproxyserversin/usr/local/pf/raddb/proxy.conf.Youwill needtodefineeachofyourdomainsaswellastheDEFAULTdomain.TheDEFAULTrealmwillapply toanyclientthatattemptstoauthenticatewitharealmthatisnototherwisedefinedinproxy.conf andwillbeproxiedtotheeduroamservers.

Defineoneormorehomeservers(serverstowhicheduroamrequestsshouldbeproxied).

proxy.confexample:

home_server tlrs1.eduroam.us { type = auth ipaddr = 257.128.1.1 port = 1812 secret = useStrongerSecret require_message_authenticator = yes }

Defineapoolofserverstogroupyoureduroamhomeserverstogether.

proxy.confexample:

home_server_pool eduroam { type = fail-over home_server = tlrs1.eduroam.us home_server = tlrs2.eduroam.us }

Definerealmstoselectwhichrequestsshouldbeproxiedtotheeduroamserverpool.Thereshould beonerealmforeachofyourdomains,andpossiblyonemoreperdomainifyouintendtoallow usernamesoftheDOMAIN\userform.

TheREALMissetbasedonthedomainfoundbythesuffixorntdomainmodules(seeraddb/ modules/realm).Thesuffixorntdomainmodulestrytofindadomaineitherwithan@domainor suffix\username.

▪ Ifnoneisfound,theREALMisNULL.

▪ Ifadomainisfound,FreeRADIUStriestomatchoneoftheREALMSdefinedinthisfile.

▪ Ifthedomainiseitherexample.eduorEXAMPLEFreeRADIUSsetsthecorrespondingREALM, i.e.example.eduorEXAMPLE.

▪ IftheREALMdoesnotmatcheither(anditisn’tNULL),thatmeanstherewasadomainotherthan EXAMPLEorexample.eduandweassumeitismeanttobeproxiedtoeduroam.FreeRADIUS setstheDEFAULTrealm(whichisproxiedtotheeduroamauthenticationpool).

The REALM determines where the request is sent to. If the REALM authenticates locally the requestsareprocessedentirelybyFreeRADIUS.IftheREALMsetsadifferenthomeserverpool, therequestsareproxiedtotheserversdefinedwithinthatpool.

proxy.confexample:

# This realm is for requests which don't have an explicit realm # prefix or suffix. User names like "bob" will match this one. # No authentication server is defined, thus the authentication is # done locally. realm NULL { }

# This realm is for ntdomain users who might use the domain like # this "EXAMPLE\username". # No authentication server is defined, thus the authentication is # done locally. realm EXAMPLE { }

# This realm is for suffix users who use the domain like this: # "[email protected]". # No authentication server is defined, thus the authentication is # done locally. realm example.edu { }

# This realm is for ALL OTHER requests. Meaning in this context, # eduroam. The auth_pool is set to the eduroam pool and so the # requests will be proxied. realm DEFAULT { auth_pool = eduroam nostrip }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In/usr/local/pf/raddb/sites-enabled/packetfence,modifytheauthorizesectionlikethis:

raddb/sites-enabled/packetfenceexample:

authorize { # pay attention to the order of the modules. It matters. ntdomain suffix preprocess

# uncomment this section if you want to block eduroam users from # you other SSIDs. The attribute name ( Called-Station-Id ) may # differ based on your controller #if ( Called-Station-Id !~ /eduroam$/i) { # update control { # Proxy-To-Realm := local # } #}

eap { ok = return }

files expiration logintime packetfence }

In/usr/local/pf/raddb/sites-enabled/packetfence-tunnel,modifythepost-authsectionlikethis.If you omit this change the request will be sent to PacketFence where it will be failed since the eduroamserversarenotpartofyourconfiguredswitches.

raddb/sites-enabled/packetfence-tunnelexample:

post-auth { exec

# we skip packetfence when the request is coming from the eduroam servers if ( "%{client:shortname}" != "tlrs1" && \ "%{client:shortname}" != "tlrs2" ) { packetfence }

Post-Auth-Type REJECT { attr_filter.access_reject } }

Finally,makesurethattherealmsmoduleisconfiguredthisway(see/usr/local/pf/raddb/modules/ realm):

raddb/modules/realmexample:

# 'username@realm' realm suffix { format = suffix delimiter = "@" }

# 'domain\user' realm ntdomain { format = prefix delimiter = "\\" ignore_null = yes }

Fingerbankintegration

Fingerbank,agreatdeviceprofilingtooldevelopedalongsideofPacketFence,nowintegrateswithit topower-upthefeaturesetallowingaPacketFenceadministratortoeasilytriggerviolationsbased ondifferentdevicetypes,deviceparents,DHCPfingerprints,DHCPvendorIDs,MACvendorsand browseruseragents.

ThecoreofthatintegrationresidesintheabilityforaPacketFencesystem,tointeractwiththe Fingerbankupstreamproject,whichthenallowadailybasisfingerprintsdatabaseupdate,sharing unknowndatasothatmorecomplexalgorithmscanprocessthatnewdatatointegrateitinthe globaldatabase,queryingtheglobalupstreamdatabaseinthecaseofanunknownmatchandmuch more.

SincetheFingerbankintegrationisnowthe"defacto"deviceprofilingtoolofPacketFence,itwasa requirementtomakeitassimpleaspossibletoconfigureandtouse.Fromthemomentaworking PacketFencesystemisinplace,Fingerbankisalsoreadytobeused,butonlyina"local"mode, whichmeans,nointeractionwiththeupstreamFingerbankproject.

Onboarding

TobenefitfromalltheadvantagesoftheFingerbankproject,theonboardingstepisrequiredto createanAPIkeythatwillthenallowinteractionwiththeupstreamproject.Thatcaneasilybe doneonlybygoinginthe"Settings"menuitemunderthe"Fingerbank"sectionofthePacketFence "Configuration"tab.Fromthere,aneasyprocesstocreateandsaveanuser/organizationspecific APIkeycanbefollowed.Oncecompleted,thefullfeaturesetofFingerbankcanbeused.

UpdateFingerbankdatabase

UpdatingtheFingerbankdatacan’tbeeasier.Theonlyrequirementistheonboardingprocesswhich allowsyoutointeractwithupstreamproject.Oncedone,anoptionto"UpdateFingerbankDB"can befoundontopofeverymenuitemsectionsunder"Fingerbank".Processmaytakeaminuteor two,dependingonthesizeofthedatabaseandtheinternetconnectivity,afterwhichasuccessor errormessagewillbeshowaccordingly."Local"recordsareNOTbeingmodifiedduringthisprocess.

Submitunknowndata

Sayingthatwedon’tknoweverythingisnotfalsemodesty.Inthatsense,the"SubmitUnknown/ UnmatchedFingerprints"optionismadeavailable(afteronboarding)sothatunknownfingerprinting datagoinginandoutonyournetworkcaneasilybesubmittedtotheupstreamFingerbankproject forfurtheranalysisandintegrationtheintheglobaldatabase.

Upstreaminterogation

Bydefault,PacketFenceisconfiguredtointerogatetheupstreamFingerbankproject(ifonboarding hasbeencompleted)tofullfillaquerywithunmatchedlocalresults.Unmatchedlocalresultscan resultofanolderversionoftheFingerbankdatabaseorarequirementforamorecomplexalgorithm duetothedataset.Thatbehavioriscompletelytransparentandcanbemodifiedusingthe"Settings" menuitemunderthe"Fingerbank"sectionofthePacketFence"Configuration"tab.

Localentries

Itispossibleforanadministratorwhowantstocustomizeanexistingrecord(orcreateanewone) todosousingthe"Local"entries.Anupstreamrecord(DHCPFingerprint,DHCPVendor,MAC Vendor,UserAgent,Devicetype,evenaCombination)canbeclonedandthenmodifiedonalocal basisifneeded.Localrecordsarealwaysmatchedfirstsincetheirpurposeistooverrideanexisting one.Alocalcombinationcanbecreatedtomatcheither"Local"or"Upstream"orbothentriesto allowidentificationofadevice.

Settings

Fingerbanksettingscaneasilybemodifiedfromthe"Settings"menuitemunderthe"Fingerbank" sectionofthePacketFence"Configuration"tab.There’sdocumentationforeachaneveryparameter thatalloweasierunderstanding.

FloatingNetworkDevices

Startingwithversion1.9,PacketFencenowsupportsfloatingnetworkdevices.AFloatingnetwork deviceisadeviceforwhichPacketFencehasadifferentbehaviourcomparedtoaregulardevice. ThisfunctionalitywasoriginallyaddedtosupportmobileAccessPoints.

Caution

RightnowPacketFenceonlysupportsfloatingnetworkdevicesonCiscoandNortel switchesconfiguredwithport-security.

For a regular device, PacketFence put it in the VLAN corresponding to its status (Registration, QuarantineorRegularVlan)andauthorizesitontheport(port-security).

AfloatingnetworkdeviceisadevicethatPacketFencedoesnotmanageasaregulardevice.

Whenafloatingnetworkdeviceisplugged,PacketFencewilllet/allowalltheMACaddressesthat willbeconnectedtothisdevice(orappearontheport)andifnecessary,configuretheportasmulti- vlan(trunk)andsetPVIDandtaggedVLANsontheport.

Whenanfloatingnetworkdeviceisunplugged,PacketFencewillreconfiguretheportlikebefore itwasplugged.

Howitworks

Configuration:

▪ floatingnetworkdeviceshavetobeidentifiedusingtheirMACaddress. ▪ linkup/linkdowntrapsarenotenabledontheswitches,onlyport-securitytrapsare.

WhenPacketFencereceivesaport-securitytrapforafloatingnetworkdevice,itchangestheport configurationsothat:

▪ itdisablesport-security ▪ itsetsthePVID ▪ iteventuallysetstheportasmulti-vlan(trunk)andsetsthetaggedVlans ▪ itenableslinkdowntraps

WhenPFreceivesalinkdowntraponaportinwhichafloatingnetworkdevicewasplugged,it changestheportconfigurationsothat:

▪ itenablesport-security ▪ itdisableslinkdowntraps

Identification

Aswementionedearlier,eachfloatingnetworkdevicehastobeidentified.Therearetwoways todoit:

▪ byeditingconf/floating_network_device.conf ▪ throughtheWebGUI,inConfiguration→Network→Floatingdevices

Herearethesettingsthatareavailable:

MACAddress MACaddressofthefloatingdevice

IPAddress IPaddressofthefloatingdevice(notrequired,forinformationonly)

trunkPort Yes/no.Shouldtheportbeconfiguredasamuti-vlanport?

pvid VLANinwhichPacketFenceshouldputtheport

taggedVlan CommaseparatedlistofVLANs.Iftheportisamulti-vlan,theseare theVlansthathavetobetaggedontheport.

OAuth2Authentication

Note

OAuth2authenticationdoesnotworkwithWebauthenforcement

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn,WindowsLive,TwitterorGithubaccount.

Foreachproviders,wemaintainanalloweddomainlisttopunchholesintothefirewallsotheuser canhittheproviderloginpage.ThislistisavailableineachOAuth2authenticationsource.

Inordertohaveoauth2workingproperly,youneedtoenableIPforwardingonyourservers.Todo itpermanently,lookinthe/etc/sysctl.conf,andsetthefollowingline:

# Controls IP packet forwarding net.ipv4.ip_forward = 1

Savethefile,andissueasysctl -ptoupdatetheOSconfig.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthroughinpf.conf).

Google

InordertouseGoogleasaOAuth2provider,youneedtogetanAPIkeytoaccesstheirservices. Signuphere:http://code.google.com/apis/console.MakesureyouusethisURIforthe"Redirect URI"field:https://YOUR_PORTAL_HOSTNAME/oauth2/callback.Ofcourse,replacethehostname withthevaluesfromgeneral.hostnameandgeneral.domain.

Youcankeepthedefaultconfiguration,modifytheAppID&AppSecret(GivenbyGoogleonthe developperplateform)andPortalURL(https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also, add the following Authorized domains : *.google.com, *.google.ca, *.google.fr, *.gstatic.com,googleapis.com,accounts.youtube.com(Makesurethatyouhavethegoogledomain fromyourcountrylikeCanada*.google.ca,France*.google.fr,etc…)

Onceyouhaveyourclientid,andAPIkey,youneedtoconfiguretheOAuth2provider.Thiscanbe donebyaddingaGoogleOAuth2authenticationsourcefromConfiguration→Sources.

Moreover,don’tforgettoaddGoogleasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.

Facebook

Touse Facebook, you also need an API code and a secret key. Toget one, go here: https:// developers.facebook.com/apps.WhenyoucreateyourApp,makesureyouspecifythefollowing astheWebsiteURL:https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.

Youcankeepthedefaultconfiguration,modifytheAppID&AppSecret(GivenbyFaceBookon thedevelopperplateform)andPortalURL(https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also, add the following Authorized domains : *.facebook.com, *.fbcdn.net, *.akamaihd.net (May change)

Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaFacebookOAuth2authenticationsourcefromConfiguration→Sources.

Moreover,don’tforgettoaddFacebookasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.

Caution

ByallowingOAuththroughFacebook,youwillgiveFacebookaccesstotheuserswhile theyaresittingintheregistrationVLAN.

GitHub

TouseGitHub,youalsoneedanAPIcodeandasecretkey.Togetone,youneedtocreateanApp here:https://github.com/settings/applications.WhenyoucreateyourApp,makesureyouspecify thefollowingastheCallbackURLhttps://YOUR_PORTAL_HOSTNAME/oauth2/callback

Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.

Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaGitHubOAuth2authenticationsourcefromConfiguration→Sources.

Moreover,don’tforgettoaddGitHubasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.

TouseLinkedIn,youalsoneedanAPIcodeandasecretkey.Togetone,youneedtocreatean Apphere:https://developer.linkedin.com/.WhenyoucreateyourApp,makesureyouspecifythe followingastheCallbackURLhttps://YOUR_PORTAL_HOSTNAME/oauth2/callback

Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.

Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaLinkedInOAuth2authenticationsourcefromConfiguration→Sources.

Moreover,don’tforgettoaddLinkedInasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.

Also,LinkedInrequiresastateparameterfortheauthorizationURL.Ifyoumodifyit,makesureto additattheendofyourURL.

Twitter

TouseTwitter,youalsoneedanAPIcodeandasecretkeywhichTwittercallsconsumerkeyand consumersecret.ObtainthisinformationbycreatingannewapplicationfromyourTwitterApps

Managementpage.WhenyoucreateyourApp,makesureyouspecifythefollowingastheCallback URLhttps://YOUR_PORTAL_HOSTNAME/oauth2/callback

Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.

Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaTwitterOAuth2authenticationsourcefromConfiguration→Sources.

Moreover,don’tforgettoaddTwitterasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.

WindowsLive

TouseWindowslive,youalsoneedanAPIcodeandasecretkey.Togetone,youneedtocreate anApphere:https://account.live.com/developers/applications.WhenyoucreateyourApp,make sureyouspecifythefollowingastheCallbackURLhttps://YOUR_PORTAL_HOSTNAME/oauth2/ callback

Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.

Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaWindowsLiveOAuth2authenticationsourcefromConfiguration→Sources.

Moreover, don’t forget to add WindowsLive as a registration mode from your portal profile definition,availablefromConfiguration→PortalProfilesandPages.

Passthrough

InordertousethepassthroughfeatureinPacketFence,youneedtoenableitfromtheGUIin Configuration→TrappingandcheckPassthrough.

Therearetwosolutionsforpassthroughs-oneusingDNSresolutionandiptablesandtheother oneusingApache’smod_proxymodule.Whenenabled,PacketFencewillusepfdnsifyoudefined Passthroughs,orApachemod-proxyifyoudefinedProxyPassthroughstoallowtrappeddevices toreachexternalwebsites.

▪ DNSpassthrough:AddanewFQDN(shouldbeawildcarddomainlike*.google.com)inthe Passthroughssection.WhenPacketFencereceivesaDNSrequestforthisdomain,itwillanswer therealIPaddressandpunchaholeinthefirewall(usingiptables)toallowaccess.Withthis method,PacketFencemustbethedefaultgatewayofyourdevice.

▪ mod_proxypassthrough:AddanewFQDN(shouldbeawildcarddomainlike*.google.com)in theProxyPassthroughssection.ForthisFQDN,PacketFencewillanswertheIPaddressofthe captiveportalandwhenadevicehitsthecaptiveportal,PacketFencewilldetectthatthisFQDN hasapassthroughconfigurationandwillforwardthetraffictomod_proxy.

ThesetwomethodscanbeusedtogetherbutDNS-basedpassthroughshavehigherpriority.

ProductionDHCPaccess

Inordertoperformallofitsaccesscontrolduties,PacketFenceneedstobeabletomapMAC addressesintoIPaddresses.

Forallthenetworks/VLANswhereyouwantPacketFencetohavetheabilitytoisolateanodeor tohaveIPinformationaboutnodes,youwillneedtoperformoneofthetechniquesbelow.

Alsonotethatthisdoesn’tneedtobedonefortheregistration,isolationVLANsandinlineinterfaces sincePacketFenceactsastheDHCPserverinthesenetworks.

IPHelpers(recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs this approachisthesimplestoneandtheonethatworksthebest.

Add PacketFence’s management IP address as the last ip helper-address statement in your networkequipment.AtthispointPacketFencewillreceiveacopyofallDHCPrequestsforthat VLANandwillrecordwhatIPweredistributedtowhatnodeusingapfdhcplistenerdaemon.

BydefaultnoDHCPServershouldberunningonthatinterfacewhereyouaresendingtherequests. ThisisbydesignotherwisePacketFencewouldreplytotheDHCPrequestswhichwouldbeabad thing.

ObtainacopyoftheDHCPtraffic

GetacopyofalltheDHCPTraffictoadedicatedphysicalinterfaceinthePacketFenceserverand runpfdhcplisteneronthatinterface.Itwillinvolveconfiguringyourswitchproperlytoperform portmirroring(akanetworkspan)andaddinginPacketFencetheproperinterfacestatementatthe operatingsystemlevelandinpf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2 ONBOOT=yes BOOTPROTO=none

Addtopf.conf:(IPsarenotimportanttheyarethereonlysothatPacketFencewillstart)

[interface eth2] mask=255.255.255.0 type=dhcp-listener gateway=192.168.1.5 ip=192.168.1.1

RestartPacketFenceandyoushouldbegoodtogo.

InterfaceineveryVLAN

BecauseDHCPtrafficisbroadcasttraffic,analternativeforsmallnetworkswithfewlocalVLANs istoputaVLANinterfaceforeveryVLANonthePacketFenceserverandhaveapfdhcplistener listenonthatVLANinterface.

OnthenetworksideyouneedtomakesurethattheVLANtrulyreachesallthewayfromyour clienttoyourDHCPinfrastructureuptothePacketFenceserver.

OnthePacketFenceside,firstyouneedanoperatingsystemVLANinterfaceliketheonebelow. Storedin/etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN DEVICE=eth0.1010 ONBOOT=yes BOOTPROTO=static IPADDR=10.0.101.4 NETMASK=255.255.255.0 VLAN=yes

Thenyouneedtospecifyinpf.confthatyouareinterestedinthatVLAN’sDHCPbysettingtype todhcp-listener.

[interface eth0.1010] mask=255.255.255.0 type=dhcp-listener gateway=10.0.101.1 ip=10.0.101.4

RepeattheaboveforallyourproductionVLANsthenrestartPacketFence.

HostproductionDHCPonPacketFence

It’sanoption.Justmodifyconf/dhcpd.confsothatitwillhostyourproductionDHCPproperly andmakesurethatapfdhcplistenerrunsonthesameinterfacewhereproductionDHCPruns. However,pleasenotethatthisisNOTrecommended.Seethistickettoseewhy.

ProxyInterception

PacketFenceenablesyoutointerceptproxyrequestsandforwardthemtothecaptiveportal.Itonly worksonelayer-2networksbecausePacketFencemustbethedefaultgateway.Inordertousethe ProxyInterceptionfeature,youneedtoenableitfromtheGUIinConfiguration→Trappingand checkProxyInterception.

Addtheportyouwanttointercept(like8080or3128)andaddanewentryinthe/etc/hosts filetoresolvethefullyqualifieddomainname(fqdn)ofthecaptiveportaltotheIPaddressofthe

registrationinterface.ThismodificationismandatoryinorderforApachetoreceivestheproxy requests.

RoutedNetworks

Ifyourisolationandregistrationnetworksarenotlocally-reachable(atlayer2)onthenetwork, but routed to the PacketFence server, you’ll have to let the PacketFence server know this. PacketFencecanevenprovideDHCPandDNSintheseroutednetworksandprovidesaneasyto useconfigurationinterface.

Fordhcpd,makesurethattheclientsDHCPrequestsarecorrectlyforwarded(IPHelpersinthe remoterouters)tothePacketFenceserver.Thenmakesureyoufollowedtheinstructionsinthe DHCPandDNSServerConfiguration(networks.conf)foryourlocallyaccessiblenetwork.

Ifweconsiderthenetworkarchitectureillustratedintheaboveschema,conf/pf.confwillinclude thelocalregistrationandisolationinterfacesonly.

[interface eth0.2] enforcement=vlan ip=192.168.2.1 type=internal mask=255.255.255.0

[interface eth0.3] enforcement=vlan ip=192.168.3.1 type=internal mask=255.255.255.0

Note

PacketFencewillnotstartunlessyouhaveatleastoneinternalinterface,soyouneed tocreatelocalregistrationandisolationVLANsevenifyoudon’tintendtousethem. Also,theinternalinterfacesaretheonlyonesonwhichdhcpdlistens,sotheremote registrationandisolationsubnetsneedtopointtheirDHCPhelper-addresstothose particularIPs.

ThenyouneedtoprovidetheroutednetworksinformationtoPacketFence.Youcandoitthrough theGUIinAdministration→Networks(orinconf/networks.conf).

conf/networks.confwilllooklikethis:

[192.168.2.0] netmask=255.255.255.0 gateway=192.168.2.1 next_hop= domain-name=registration.example.com dns=192.168.2.1 dhcp_start=192.168.2.10 dhcp_end=192.168.2.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-registration named=enabled dhcpd=enabled

[192.168.3.0] netmask=255.255.255.0 gateway=192.168.3.1 next_hop= domain-name=isolation.example.com dns=192.168.3.1 dhcp_start=192.168.3.10 dhcp_end=192.168.3.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-isolation named=enabled dhcpd=enabled

[192.168.20.0] netmask=255.255.255.0 gateway=192.168.20.254 next_hop=192.168.2.254 domain-name=registration.example.com dns=192.168.2.1 dhcp_start=192.168.20.10 dhcp_end=192.168.20.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-registration named=enabled dhcpd=enabled

[192.168.30.0] netmask=255.255.255.0 gateway=192.168.30.254 next_hop=192.168.3.254 domain-name=isolation.example.com dns=192.168.3.1 dhcp_start=192.168.30.10 dhcp_end=192.168.30.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-isolation named=enabled dhcpd=enabled

DHCPclientsontheregistrationandisolationnetworksreceivethePFserverIPastheirDNSserver (dns=x.x.x.x),andPFspoofsDNSresponsestoforceclientsviatheportal.However,clientscould manuallyconfiguretheirDNSsettingstoescapetheportal.Topreventthisyouwillneedtoapply anACLontheaccessrouternearesttheclients,permittingaccessonlytothePFserverandlocal DHCPbroadcasttraffic.

Forexample,fortheVLAN20remoteregistrationnetwork:

ip access-list extended PF_REGISTRATION permit ip any host 192.168.2.1 permit udp any any eq 67 deny ip any any log interface vlan 20 ip address 192.168.20.254 255.255.255.0 ip helper-address 192.168.2.1 ip access-group PF_REGISTRATION in

Ifyouredgeswitchessupportvlan-isolationyoucanalsoapplytheACLthere.Thishastheadvantage ofpreventingmachinesinisolationfromattemptingtoattackeachother.

StatementofHealth(SoH)

TheStatementofHealth(SoH)isproductthathasbeendevelopedbyMicrosoft.IntheMicrosoft world,thisisnamedNetworkAccessProtectionorNAP.OnWindowsversionsfromXPSP2to Windows7,thereisaNAPserviceinstalledthatcanrelayhealthinformation(Anti-Virusupdate status,WindowsUpdatestatus,etc)toaRADIUSServeroraDHCPserver.Thesectionbelow explainsyouhowtodoSoHpolicieswithPacketFence.

Installation

Bydefault,weturnSoHoff.Toenableitssupport,simplyuncommentthefollowinglinesin/usr/ local/pf/conf/radiusd/eap.conf.

soh=yes soh-virtual-server = "soh-server"

RestarttheRADIUSserviceafterward.

Ontheclientside,toenableSoHforEAP,dothefollowing(Windows7example):

sc config napagent start=auto sc start napagent

:: Wired 802.1X sc config dot3svc start=auto depend=napagent sc start dot3svc

netsh nap client show config

:: get the "ID" value for the "EAP Quarantine Enforcement Client" netsh nap client set enforce id=$ID admin=enable

Thelaststepistoselectthe"EnforceNetworkAccessProtection"checkboxundertheEAPprofile settings.ThosestepscanbeeasilyconfiguredusingGPOs.

ConfigurationofSoHpolicy

InordertoenforceaSoHpolicy,weneedtocreateitfirst.ThisisdoneusingtheConfiguration→ Compliance→StatementofHealthmodule.

Policyexample

Let’swalkthroughanexamplesituation.Supposeyouwanttodisplayaremediationpagetoclients thatdonothaveananti-virusenabled.

Thethreebroadstepsare:createaviolationclassforthecondition,thencreateanSoHfilterto triggertheviolationwhen"anti-virusisdisabled",andfinally,reloadtheviolations.

First,createtheproperviolationeitherviatheAdminUI,orbyeditingtheconf/violations.conf files:

[4000001] desc=No anti-virus enabled url=/remediation.php?template=noantivirus actions=reevaluate_access,email,log enabled=Y

Note

Youmayalsowanttosetotherattributessuchasauto_enable,grace,etc.

Whendonewiththeviolation,visittheWebAdministrationunderConfiguration→Compliance →StatementofHealthand(editthefilternamedDefault,or)usetheAddafilterbuttontocreate afilternamedantivirus.Clickonantivirusinthefilterlist,andselectTriggerviolationintheaction drop-down.Enterthevidoftheviolationyoucreatedaboveintheinputboxthatappears.

Next, click on Addacondition, and select Anti-virus,is , and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFenceorusingthepfcmd reload violationscommand.

Thelaststepistocreateanewremediationtemplatecallednoantivirus.phponthefilesystem inthehtml/captive-portal/violationsfolder.Editittoincludethetextyouwanttodisplayto theusers.

VLANFilterDefinition

Weaddedtheabilitytospecifyfiltersdirectlyintheportionofcodethatre-evaluatestheVLAN ordoacalltotheAPI.

Theserulesareavailableindifferentscopes:

ViolationRole RegistrationRole RegisteredRole InlineRole AutoRegister NodeInfoForAutoReg

Andcanbedefinedusingdifferentcriterialike:

node_info.attribute (like node_info.status) switch ifIndex mac connection_type username ssid time owner.attribute (like owner.pid) radius_request.attribute (like radius_request.Calling-Station-Id)

Forexample,letsdefinearulethatpreventsadevicefromconnectingwhenitscategoryisthe "default",whentheSSIDis"SECURE"andwhenthecurrenttimeisbetween11amand2pm:from MondaytoFridaywhenittrytoconnectasaregistereddevice:

[category] filter = node_info.category operator = is value = default

[ssid] filter = ssid operator = is value = SECURE

[time] filter = time operator = is value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time] scope = RegisteredRole role = nointernet

ThesecondexamplewillcreateaviolationiftheSSIDisOPENandtheownerisigmout

[igmout] filter = owner.pid operator = is value = igmout

[open] filter = ssid operator = is value = OPEN

[2:igmout&ssid] scope = RegisteredRole action = trigger_violation action_param = mac = $mac, tid = 1100012, type = INTERNAL

Thethirdexamplewillautoregisterthedeviceandassigntherolestafftoeachdevicewherethe usernameisigmout.

[igmout] filter = username operator = is value = igmout

[secure] filter = ssid operator = is value = SECURE

[3:igmout&secure] scope = AutoRegister role = staff

[4:igmout&secure] scope = NodeInfoForAutoReg role = staff

Youcanhavealookinthefilevlan_filters.conf,therearesomeexamplesonhowtouseanddefine filters.

RADIUSFilterDefinition

Weaddedtheabilitytospecifyfiltersdirectlyintheportionofcodethatreturntheradiusanswer ordoacalltotheAPI.

Theserulesareonlyavailableinonescope:

returnRadiusAccessAccept

Andcanbedefinedusingdifferentcriterialike:

node_info.attribute (like node_info.$attribute) switch ifIndex mac connection_type username ssid time owner.attribute (like owner.$attribute) radius_request.attribute (like radius_request.$attribute) violation user_role vlan

Forexample,letsdefinearulethatreturnAccessAcceptwhentheconnectionisEthernet-EAP andwhenthereisnoviolation(merge_returnmeansthattheoriginalanswerofPacketFencewill bemergewiththefilteranswerautomatically):

[violation] filter = violation operator = defined

[etherneteap] filter = connection_type operator = is value = Ethernet-EAP

[1:etherneteap&!violation] merge_answer = no scope = returnRadiusAccessAccept

Inthisotherexamplewejustaddanewattributetotheoriginalanswerinthesameconditions (here$user_rolewillbereplacedbytherealuserroleofthedeviceand${switch._portalURL}will bereplacedbythevalueof_portalURLdefinedintheswitchconfig):

[1:etherneteap&!violation] merge_answer = yes scope = returnRadiusAccessAccept answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect= ${switch._portalURL}/cep$session_id

Youcanhavealookinthefileradius_filters.conf,therearesomeexamplesonhowtouseand definefilters.

DNSenforcement

DNSenforcementallowsyoutocontrolthenetworkaccessofthedevicebyusingthepfdnsservice onPacketFence.

The architecture of DNS enforcement is as following : - DHCP and DNS are provided by the PacketFenceserver-ThePacketFenceDHCPserverwillprovidetheIPofyournetworkequipment asthegatewayandtheIPaddressofthePacketFenceDNSservertoresolvenames.-Routingis providedbyanotherequipmentonyournetwork(Coreswitch,Firewall,Router,…)-Ifausershould beshowntheportal,thepfdnsservicewillreturnapointertotheIPaddressofthecaptiveportal, otherwisepfdnswillresolvethenameexternallyanduseitinthereply.

ThisenforcementmodeusedbyitselfcanbebypassedbythedevicebyusingadifferentDNS serverorbyusingitsownDNScache.

ThefirstcanbepreventedusinganACLonyourroutingequipment,thesecondcanbeprevented bycombiningDNSenforcementwithSingle-Sign-Ononyournetworkequipment.Pleaseseethe FirewallSingle-Sign-Ondocumentationfordetailsonhowtoaccomplishthis.

InordertoconfigureDNSenforcement,youfirstneedtogoinConfiguration→Interfacesthen selectoneofyourinterfacesandsetitinDNSenforcementmode.

After,youneedtoconfigurearoutednetworkforthisinterfacebyclickingAddroutednetwork.See theRoutedNetworkssectionofthisdocumentfordetailsonhowtoconfigureit.

Note

Ifyouarenotusingaroutednetwork,youneedtouseInlineenforcementasDNS enforcementcanonlybeusedforroutednetworks.

Oncethisisdone,youneedtorestartthedhcpdandpfdnsservices.

Parkeddevices

Intheeventthatyouaremanagingalargeregistrationnetworkwithdevicesthatstaythere(ex: Studentsthatcan’tregisterinyourenvironment),thesedevicesconsumepreciousresourcesand generateuselessloadonthecaptiveportalandregistrationDHCPserver.

Usingtheparkingfeature,youcanmakethesedeviceshavealongerleaseandhitanextremelly lightweightcaptiveportalsothattheamountofresourcestheyconsumeisminimal.Inthatcaptive portal,theywillseeamessageexplainingthattheyhaven’tregisteredtheirdeviceforacertain amountoftime,andwillletthemleavetheparkedstatebypressingalink.

Theparkedvsunparkedstateiscontrolledthroughviolation1300003whichgetstriggeredaccording totheparking.thresholdsetting(Configuration→Parking).

So,inordertoactivatetheparking,goinConfiguration→Parkingandsetthethresholdtoacertain amountofseconds.Asuggestedvaluewouldbe21600whichis6hours.Thismeansthatifadevice staysinyourregistrationnetworkformorethan6hoursinarow,itwilltriggerviolation1300003 andplacethatdeviceintotheparkedstate.

Inthatsamesection,youcandefinetheleaselengthoftheuserwhenheisintheparkedstate.

Note

ParkingisdetectedwhenadeviceasksforDHCP,ifPacketFenceisnotyourDHCP serverfortheregistrationnetwork,thisfeaturewillnotwork.Also,ifthedevicegoes intotheparkedstatewithaleasetimeof1hourandtheuserimmediatelyreleases himselffromtheparkingstate,itwilltake1hourbeforethenextdetectiontakesplace evenifyousetparking.thresholdtoalowervalue.

Violation1300003

Thisviolationcontrolswhathappenswhenauserisdetecteddoingparking.

Herearethemainsettings:

▪ Youcanaddactionstothepredefinedones(likeEmailadminorExternalaction)inDefinition→ Actions

▪ TheamountoftimeausercanunparktheirdeviceiscontrolledthroughtheRemediation→Max enablesetting.

▪ TheamountofgracetimebetweentwoparkingviolationsiscontrolledbytheRemediation→ Gracesetting.Thismeans,onceauserreleasehimselffromtheparkedstate,hewillhaveatleast thisamountoftimetoregisterbeforetheparkingtriggersagain.

▪ Thedestinationrole(thusVLAN)oftheuseriscontrolledbyAdvanced→Role.Youshouldleave theuserintheregistrationrole,butshouldyouwanttodedicatearoleforparking,youcanset itthere.

▪ TheTemplateattributewillonlybeusedwhentheuserisonthenormalPacketFenceportaland nottheonededicatedforparking.Ifyouwanttheusertoaccessthenon-parkingportal,disable ShowparkingportalinConfiguration→Parking

Optionalcomponents

Blockingmaliciousactivitieswithviolations

Policyviolationsallowyoutorestrictclientsystemaccessbasedonviolationsofcertainpolicies.For example,ifyoudonotallowP2Ptypetrafficonyournetwork,andyouarerunningtheappropriate softwaretodetectitandtriggeraviolationforagivenclient,PacketFencewillgivethatclienta "blocked"pagewhichcanbecustomizedtoyourwishes.

Inordertobeabletoblockmaliciousactivities,installationandconfigurationofaPacketFence compatibleIDSisrequired.PacketFencecurrentlysupportSnort,SuricataandSecurityOnion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFencerepository.Toinstallit,simplyrunthefollowingcommand:

yum install snort

Configuration

PacketFenceprovidesabasicsnort.conftemplatethatyoumayneedtoeditdependingofthe Snortversion.Thefileislocatedin/usr/local/pf/conf.Itisrarelynecessarytochangeanythingin thatfiletomakeSnortworkandtrapalerts.DONOTeditthesnort.conflocatedin/usr/local/ pf/var/conf,allthemodificationwillbedestroyedoneachPacketFencerestart.

Suricata

Installation

SincethesuricataIDSisnotpackagedwiththedistros(exceptmaybeFedora,whichwedonot officiallysupport),youneedtobuilditthe"old"way.

The OISF provides a really well written how-to for that. It’s available here: https:// redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5

Note

TobenefittheOPSWATMetadefenderCloudintegration,Suricataneedstobebuilt withlibnss/libnsprsupport.MakesuretouseJSONoutput.Moreinformationon howtoachievethiscanbefoundthere:https://redmine.openinfosecfoundation.org/ projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

Whenrunninglocally,PacketFenceprovidesabasicsuricata.yamlthatcanbemodifiedtosuit differentneeds.Thefileislocatedin/usr/local/pf/conf.

InthecasethatSuricataisrunningonaseparateserver,Suricataconfigurationwillhavetobe handledseparately,whichisnotthepurposeofthepresentguide. OPSWATMetadefenderCloud

ItispossibletotriggerviolationsbasedonthreatlevelofdownloadedfilesusingtheMetadefender CloudintegrationinconjunctionwiththeSuricataMD5extractionfeature.Withoutenteringinthe details,herearethebasicstepstomakeitwork.

First,anOPSWATportalaccountisrequiredtomakeuseoftheAPI.Suchaccountcanbeobtained throughtheOPSWATportal:https://portal.opswat.com.

OtherrequirementisaSuricataworkinginstallationbuiltwithlibnss/libnsprsupportasdescribed intheupper"Installation"section.

AlongwiththeOPSWATAPIkeyforMetadefenderCloud(theycallitLicenseKey)andtheworking Suricatainstallation,someconfiguration(PacketFencebasedANDSuricatabased)isalsorequired.

AssumingthatallthestepsforSuricataMD5extractionhavebeenfollowed,here’swhattodonext.

OntheSuricataserver(syslog-ngispreferredduetoeasierandmorepowerfulconfiguration.Ifnot installed,itmightbeanidea):

Configure/etc/syslog-ng/syslog-ng.confbyaddingthefollowingtoenablesendingMD5file storelogentriestoPacketFence:

### PacketFence / OPSWAT Metadefender Cloud integration # This line specifies where the files-json.log file is located # -> Make sure to configure the right path along with the right filename source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); }; # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 # -> Make sure to configure the right PacketFence management interface IP address destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); }; # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination log { source(s_suricata_files); destination(d_packetfence); };

Arestartofthesyslog-ngdaemonisrequired

service syslog-ng restart

OnthePacketFenceserver:

ModifyrsyslogconfigurationtoallowincomingUDPpacketsbyuncommentingthefollowingtwo linesin/etc/rsyslog.conf:

$ModLoad imudp $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following which will enable receptionofSuricataMD5filestorelogentries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files & ~

Makesurethereceivingalertpipe(FIFO)exists

mkfifo /usr/local/pf/var/suricata_files

Restartthersyslogdaemon

service rsyslog restart

Atthispoint,SuricatashouldbeabletoextractMD5checksumofdownloadedfilesandsendthe relatedlogentrytoPacketFence.

Aconfigurationofanewsyslogparseraswellassomeviolationsaretheonlyremainingstepsto makefullusageoftheOPSWATMetadefenderCloudintegration.

Configurationofanewsyslogparsershouldusethefollowings:

Type: suricata_http Alert pipe: the previously created alert pipe (FIFO) which is, in this case, / usr/local/pf/var/suricata_files

Configurationofanewviolationcanusethefollowingtriggertypes:

Type: metascan Triggers ID: The scan result returned by Metadefender Cloud online

Type: suricata_md5 Trigger ID: The MD5 hash returned by Suricata

SecurityOnion InstallationandConfiguration

SecurityOnionisaUbuntubasedsecuritysuite.Thelatestinstallationinstructionsareavailable directly from the Security Onion website,https://github.com/Security-Onion-Solutions/securityonion/wiki/Installation

Sinceasecuritysuiteconsistsofmultiplepiecesofsoftwaretiedtogether,youmaybepromptedfor differentoptionsduringtheinstallationprocess.Adetailed"ProductionDeployment"guidecanalso befounddirectlyfromtheSecurityOnionwebsite:https://github.com/Security-Onion-Solutions/ security-onion/wiki/ProductionDeployment

PacketFenceintegration

OnceSecurityOnionisinstalledandminimallyconfigured,integrationwithPacketFenceisrequired tobeabletoraiseviolationsbasedonsensor(s)alerts.syslogisusedtoforwardsensor(s)alerts fromSecurityOniontothePacketFencedetectionmecanisms.

The simplest way is as follow (based on https://github.com/Security-Onion-Solutions/securityonion/wiki/ThirdPartyIntegration);

OntheSecurityOnionserver:

Note

Mustbedoneonthemasterserverrunningsguild.

Configure/etc/syslog-ng/syslog-ng.confbyaddingthefollowingtoenablesendingsguildlog entriestoPacketFence:

### PacketFence / IDS integration # This line specifies where the sguild.log file is located # -> Make sure to configure the right patch along with the right filename (on a Security Onion setup, that should be pretty much standard) source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); }; # This line filters on the string “Alert Received” filter f_sguil { match("Alert Received"); }; # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 # -> Make sure to configure the right PacketFence management interface IP address destination d_packetfence { udp("PACKENTFENCE_MGMT_IP" port(514)); }; # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

Arestartofthesyslog-ngdaemonisthenrequired

service syslog-ng restart

OnthePacketFenceserver:

ModifyrsyslogconfigurationtoallowincomingUDPpacketsbyuncommentingthefollowingtwo linesin/etc/rsyslog.conf:

$ModLoad imudp $UDPServerRun 514

Configure/etc/rsyslog.d/securityonion_ids.confbyaddingthefollowingswhichwillenable receptionofSecurityOnionsguildlogentries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids & ~

Makesurethereceivingalertpipe(FIFO)exists

mkfifo /usr/local/pf/var/securityonion_ids

Restartthersyslogdaemon

service rsyslog restart

Atthispoint,SecurityOnionshouldbeabletosenddetectedalertslogentriestoPacketFence.

Aconfigurationofanewsyslogparseraswellassomeviolationsaretheonlyremainingstepsto makefullusageoftheSecurityOnionIDSintegration.

Configurationofanewsyslogparsershouldusethefollowings:

Type: security_onion Alert pipe: the previously created alert pipe (FIFO) which is, in this case, / usr/local/pf/var/securityonion_ids

Configurationofanewviolationcanusethefollowingtriggertypes:

Type: detect Triggers ID: The IDS triggered rule ID

Type: suricata_event Trigger ID: The rule class of the triggered IDS alert

Violations

InordertomakePacketFencereacttotheSnortalerts,youneedtoexplicitlytellthesoftwareto doso.Otherwise,thealertswillbediscarded.Thisisquitesimpletoaccomplish.Infact,youneed tocreateaviolationandaddtheSnortalertSIDinthetriggersectionofaViolation.

PacketFenceviolationsareconfiguredinConfiguration→Violations

Theexamplebelowwillguideyoutocreateaviolationthatwillisolatedevicethathavegenerated Peer-to-peer traffic and that are using Mac OSX or have a malware and are using Microsoft Windows Violationdefinition

Firstyouneedtoconfiguretheviolationdefinition

Where:

▪ Enablediswhetherornottheviolationiscurrentlyactivated(shouldbeON). ▪ Identifier is the violation ID. Any integer except 1200000-120099 which is reserved for requiredadministrationviolations. ▪ Descriptionistheuserfriendlydescriptionoftheviolation. ▪ Actionsisthelistofactionstobeexecutedwhenthisviolationisraised.

▪ Unregister nodewillunregisterthenode.

▪ Send email to ownerwillemailtheviolationdetailstotheownerofthedevice.Willonlywork ifthepersonhasit’semailfieldpopulated.

▪ Send email to admin will email the violation details to the address specified in [alerting].emailaddr,using[alerting].smtpserver.Multipleemailaddrcanbesperated bycomma.

▪ Reevaluate accesswillplacethedeviceinthedestinationVLANconfiguredintheviolation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automaticallyclosed.

▪ Log messagewilllogtheviolationinthelogfiledefinedin[alerting].log.

▪ External commandwillexecuteacommandontheoperatingsystemwhenthisviolationis raised.

▪ Close a violationwillcloseanexistingviolationforthisdevicewhenthisoneisraised.

▪ Set rolewillmodifytheroleofthedevice.

▪ Enforce provisioningwilltriggeracheckofcomplianceontheprovisionersdefinedforthe device. ▪ Prioritydefinestheorderontowhichviolationsshouldbehandledshouldtherebemorethan oneforadevice. ▪ Whitelisted Rolesisthelistofrolesthatarenotaffectedbythisviolation.

Triggers

Next,intheTriggerstab,youneedtodefinethetriggersthatwillraisetheviolation.Inthecase ofthisexampleitwillbethesetwocases:*AdevicethathasgeneratedPeer-to-peertrafficand thatisusingMACOSX.*AdevicethathasbeendetectedasbeingarogueDHCP.

Click the+ sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

AmenuwillappearintowhichyoucanselectET P2PwhichwillmatchallP2PalertsfromSuricata.

Onceyouaddedthistrigger,selectDevicefromthedropdownandenter38whichisthedevice identifierforMacOSX.

Nexthitthe<button,thenthe+toaddanothertrigger.

SelectthetypeInternal,theninthemenuthatappearsbelowit,selectRogue DHCP detection andclickAdd.

Remediation

Next,intheRemediationtab,youcanconfigurethebehaviorwhenaclientgetsisolated.

Where:

▪ Auto Enableiswhetherornottheusercanreleasetheviolationhimselfafteracknoledgingthe messageonthecaptiveportal. ▪ Max EnablesistheamountoftimeausercanusetheAuto Enablefunctionnality.Afterthis amountoftimes,hewillnotbeabletoreleasetheviolationanditwillhavetobemanuallyrelease byanadministratorusingthePacketFenceadministrationinterface. ▪ GraceisAmountoftimebeforetheviolationcanreoccur.Thisisusefultoallowhoststime(inthe example2minutes)todownloadtoolstofixtheirissue,orshutofftheirpeer-to-peerapplication. ▪ Dynamic Windowwillonlyworksforaccountingviolations.Theviolationwillbeopenedaccording tothetimeyousetintheaccountingviolation(ie.Youhaveanaccountingviolationfor10GB/ month.Ifyoubustthebandwidthafter3days,theviolationwillopenandthereleasedatewill besetforthelastdayofthecurrentmonth). ▪ Windowistheamountoftimebeforeaviolationwillbeclosedautomatically.Insteadofallowing peopletoreactivatethenetwork,youmaywanttoopenaviolationforadefinedamountof timeinstead.

▪ Delay byisthedelaybeforetriggeringtheviolation. ▪ TemplateistheHTMLtemplatethehostwillberedirectedtowhileinviolation.Youcancreate newtemplatesfromthePortalProfilesconfigurationsection. ▪ Button textisthetextofthebuttonthatisusedwhentheuserisreleasingtheviolationdirectly fromthecaptiveportal. Advanced

IntheAdvancedtabyouconfigurethedestinationVLANofthedevicewhenithastheReevaluate accessactionanditsredirectionURLwhentheuserisreleased.

ComplianceChecks

PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks.SincePacketFencev5.1youarenowabletocreatemultiplesscanenginesconfiguration andassignthemonspecificcaptiveportals.Itmeanperexamplethatyouarenowabletoactivea scanforspecificOperatingSystemonlyonaspecificSSID.

Installation Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed)inordertogettheplugins.

AfteryouinstalledNessus,followtheNessusdocumentationfortheconfigurationoftheNessus Server,andtocreateauserforPacketFence.

Note

You may run into some issue while using Nessus with the Net::Nessus::XMLRPC module(whichisthedefaultbehaviorinPacketFence).Pleaserefertothebugtracking systemformoreinformation.

OpenVAS

Pleasevisithttp://www.openvas.org/install-packages.html#openvas4_centos_atomictoconfigure thecorrectrepositorytobeabletoinstallthelatestOpenVASscanningengine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engineandcreateascanconfigurationthatwillfityourneeds.You’llalsoneedtocreateauserfor PacketFencetobeabletocommunicatewiththeserver.

ItisimportanttogetthecorrectscanconfigIDandNBEreportformatIDtopopulatetheparameters inthePacketFenceconfigurationfile.TheeasiestwaytogettheseIDsisbydownloadingbothof thescanconfigurationandreportformatfromtheOpenVASwebguiandretrievetheIDsinthe filenames.

Forexamplereport-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xmlgivesreportformatID f5c2a364-47d2-4700-b21d-0a7693daddab. WMI

YoujusthavetoenablewmioneachwindowsdeviceswithaGPOfromActiveDirectory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generateviolationsinsidePacketFence),youneedtoconfigurethesesections: ScannerDefinition

FirstgoinConfigurationandScannerDefinition:

Thenaddascan:

Therearecommonparametersforeachscanengines:

Name: the name of your scan engine Roles: Only devices with these role(s) will be affected (Optional) OS: Only devices with this Operating System will be affected (Optional) Duration: Approximate duration of scan (Progress bar on the captive portal) Scan before registration: Trigger the scan when the device appear on the registration vlan Scan after registration: Trigger the scan just after registration on the captive portal Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic) 802.1x: Even if the auto-registration has been enabled, the scan will be trigger on a EAP connection 802.1x types: comma delimited EAP type that will trigger the scan if 802.1x above has been enabled

SpecifictoNessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running Username: Username to connect to Nessus scan Password: Password to connect to Nessus scan Port of the service: port to connect (default 8834) Nessus client policy: the name of the policy to use for the scan (Must be define on the Nessus server)

SpecifictoOpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running Username: Username to connect to OpenVAS scan Password: Password to connect to OpenVAS scan Port of the service: port to connect (default 9390) OpenVAS config ID: the ID of scanning configuration on the OpenVAS server

SpecifictoWMI:

Username: A username from Active Directory that is allowed to connect to wmi Domain: Domain of the Active Directory Password: Password of the account WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMIRulesDefinition

IfyouhaveconfiguredaWMIscanenginethenyouneedtodefineWMIRules.WMIisasortof databaseoneachwindowsdevices,toretreiveinformationonthedeviceyouneedtoknowthesql request.InordertohelpyoutofindandmakearuleyoucanuseathirdpartytoollikeWMIExplorer.

Goinconfiguration→WMIRulesDefinition:

Therearealready3rulesdefined:

Software_Installed logged_user Process_Running

Let’staketheSoftware_Installedrule:

request: select * from Win32_Product

Rules Actions:

[Google] attribute = Caption operator = match value =Google

[1:Google] action=trigger_violation action_param = mac = $mac, tid = 888888, type = INTERNAL

Thisrulewilldothefollowing:

retreive all the installed software on the device and test if the attribute Caption contain Google. if it matched then we will trigger a violation (with the trigger internal::888888) for the mac address of the device.

Thesecondone,logged_user:

request: select UserName from Win32_ComputerSystem

Rules Actions:

[UserName] attribute = UserName operator = match value = (.*)

[1:UserName] action = dynamic_register_node action_param = mac = $mac, username = $result->{'UserName'}

Thisrulewilldothefollowing:

retreive the current logged user on the device and register the device based on the user account.

Thelastone,Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer] attribute = Name operator = match value = explorer.exe

[1:explorer] action = allow

Thisrulewilldothefollowing:

retreive all the running process on the device and if one match explorer.exe then we bypass the scan.

▪ Rulessyntax

the syntax of the rules are simple to understand:

the request is the sql request you will launch on the remote device, you must know what the request will return to write the test.

Inside the Rules Actions we define 2 sorts of blocs: The test bloc (ie [explorer]) and the action bloc (ie [1:explorer])

The test bloc is a simple test based on the result of the request: - attribute is the attribute you want to test - operator can be: is is_not match match_not - value is the value you want to compare

Feel free to define multiples test blocs

The action bloc is where you will define your logic, per example let's take this one [1:google&explorer], this mean that if the google test is true and explorer is true then we execute the action. The logic can be more complex and can be something like that [1:!google| (explorer&memory)] that mean if not google or (explorer and memory)

Violationsdefinition

Youneedtocreateanewviolationsectionandhavetospecify:

UsingNessus:

trigger=Nessus::

UsingOpenVAS:

trigger=OpenVAS::

WhereviolationIdiseithertheIDoftheNessuspluginortheOIDoftheOpenVASplugintocheck for.Onceyouhavefinishedtheconfiguration,youneedtoreloadtheviolationrelateddatabase contentsusing:

$ pfcmd reload violations

Note

Violationswilltriggerifthepluginishigherthanalowseverityvulnerability.

AssignScandefinitiontoportalprofiles

Thelaststepistoassignoneormorescanneryouconfiguredtooneormoreportalprofiles.Goin Configuration→PortalProfiles→EditaPortal→AddScan

HostingNessus/OpenVASremotely

BecauseoftheCPUintensivenatureofanautomatedvulnerabilityassessment,werecommendthat itishostedonaseparateserverforlargeenvironments.Todoso,acoupleofthingsarerequired:

▪ PacketFence needs to be able to communicate to the server on the port specified by the vulnerabilityengineused ▪ Thescanningserverneedtobeabletoaccessthetargets.Inotherwords,registrationVLAN accessisrequiredifscanonregistrationisenabled.

IfyouareusingtheOpenVASscanningengine:

▪ ThescanningserverneedtobeabletoreachPacketFence’sAdmininterface(onport1443by default)byitsDNSentry.OtherwisePacketFencewon’tbenotifiedofcompletedscans. ▪ YoumusthaveavalidSSLcertificateonyourPacketFenceserver

IfyouareusingtheNessusscanningengine:

▪ YoujusthavetochangethehostvaluebytheNessusserverIP.

RADIUSAccounting

RADIUSAccountingisusuallyusedbyISPstobillclients.InPacketFence,weareabletousethis informationtodetermineifthenodeisstillconnected,howmuchtimeithasbeenconnected,and howmuchbandwitdhtheuserconsumed.

Violations

UsingPacketFence,itispossibletoaddviolationstolimitbandwidthabuse.Theformatofthe triggerisverysimple:

Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

Let’sexplaineachchunkproperly:

▪ DIRECTION:Youcaneithersetalimittoinbound(IN),outbound(OUT),ortotal(TOT)bandwidth ▪ LIMIT: You can set a number of bytes(B), kilobytes(KB), megabytes(MB), gigabytes(GB), or petabytes(PB) ▪ INTERVAL:Thisisactuallythetimewindowwewilllookforpotentialabuse.Youcansetanumber ofdays(D),weeks(W),months(M),oryears(Y). Exampletriggers

▪ LookforIncoming(Download)trafficwitha50GB/month

Accounting::IN50GB1M

▪ LookforOutgoing(Upload)trafficwitha500MB/day

Accounting::OUT500MB1D

▪ LookforTotal(Download+Upload)trafficwitha200GBlimitinthelastweek

Accounting::TOT200GB1W

Graceperiod

Whenusingsuchviolationfeature,settingthegraceperiodisreallyimportant.Youdon’twantto putittoolow(ie.Auserre-enablehisnetwork,andgetcaughtafter1bytesistranmitted!)ortoo high.Werecommendthatyousetthegraceperiodtooneintervalwindow.

Oinkmaster

Oinkmasterisaperlscriptthatenablesthepossibilitytoupdatethedifferentsnortrulesveryeasily. Itissimpletouse,andinstall.ThissectionwillshowyouhowtoimplementOinkmastertowork withPacketFenceandSnort.

Pleasevisithttp://oinkmaster.sourceforge.net/download.shtmltodownloadoinkmaster.Asample oinkmasterconfigurationfileisprovidedat/usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

HerearethestepstomakeOinkmasterwork.Wewillassumethatyoualreadydownloadedthe newestoinkmasterarchive:

1. UntarthefreshlydownloadedOinkmaster

2. Copytherequiredperlscriptsinto/usr/local/pf/oinkmaster.Youneedtocopyovercontrib andoinkmaster.pl

3. Copytheoinkmaster.confprovidedbyPacketFence(seethesectionabove)in/usr/local/pf/ conf

4. Modifytheconfigurationtosuityourownneeds.Currently,theconfigurationfileissettofetch thebleedingrules.

Rulesupdate

InordertogetperiodicupdatesforPacketFenceSnortrules,wesimplyneedtocreateacrontab entrywiththerightinformation.Theexamplebelowshowsacrontabentrytofetchtheupdates dailyat23:00PM:

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/ oinkmaster.conf -o conf/snort/)

GuestsManagement

PacketFencesupportstheabilitytomanageguestsbyestablishingexpiredatesandassigndifferent roleswhichwillpermitdifferentaccessestothenetworkresources.

Guestscanself-registerthemselvesusinganactivationcodesenttotheirmobilephoneortheycan usetheiremailaddressandreceiveandactivationlinktoactivatetheirnetworkaccess.

PacketFencehastheoptiontohaveguestssponsoredtheiraccessbylocalstaff.Onceaguest requestsasponsoredaccessanemailissenttothesponsorandthesponsormustclickonalink andauthenticateinordertoenablehisaccess.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmationbyemailandbyasponsorarethetwopre-registrationtechniquessupportedatthis point.

TheadminGUIallowPacketFenceadministratorsorguestsmanagerstocreatesingleaccounts, multipleaccountsusingaprefix(ie.:guest1,guest2,guest3…)orimportdatafromaCSVtocreate accounts.Accessdurationandexpectedarrivaldatearealsocustomizable.

Usage

Guestself-registration

Self-registrationisenabledbydefault.Itispartofthecaptiveportalprofileandcanbeaccessedon theregistrationpagebyclickingtheSignuplink.

Managedguests

Partofthewebadministrationinterface,theguestsmanagementinterfaceisenabledbydefault. ItisaccessiblethroughtheUsers→Createmenu. Guestpre-registration

Pre-registrationisdisabledbydefault.Onceenabled,PacketFence’sfirewallandApacheACLsallow accesstothe/signuppageontheportalevenfromaremotelocation.Allthatshouldberequired fromtheadministratorsistoopenuptheirperimeterfirewalltoallowaccesstoPacketFence’s managementinterfaceIPonport443andmakesureadomainnametoreachsaidIPisconfigured (andthattheSSLcertmatchesit).Thenyoucanpromotethepre-registrationlinkfromyourextranet website:https:///signup.

Caution

Pre-registrationincreasestheattacksurfaceofthePacketFencesystemsinceasubset ofit’sfunctionnalityisexposedontheInternet.Makesureyouunderstandtherisks, applythecriticaloperatingsystemupdatesandapplyPacketFence’ssecurityfixes.

Note

Aportalinterfacetypeisrequiredtousethisfeature.Aportalinterfacetypecanbe addedtoanynetworkinterfaceusingthewebadminGUI.

Configuration Guestself-registration

Itispossibletomodifythedefaultvaluesoftheguestself-registrationfeaturebyediting/usr/ local/pf/conf/pf.conf.

Defaultvaluesarelocatedin/usr/local/pf/conf/pf.conf.defaultsanddocumentationforevery settingsisavailablein/usr/local/pf/conf/documentation.conf.

[guests_self_registration] guest_pid=email preregistration=disabled

TheseparameterscanalsobeconfiguredfromtheConfiguration→SelfRegistrationsectionof theWebadmininterface.

Availableregistrationmodesaredefinedonaper-portal-profilebasis.Theseareconfigurablefrom Configuration→PortalProfiles. Todisable the self-registration feature, simply remove all self- registrationsourcesfromtheportalprofiledefinition.Noticehoweverthatifyourdefaultportal profilehasnosource,itwilluseallauthenticationsources.

Caution

AvalidMTAconfiguredinPacketFenceisneededtocorrectlyrelayemailsrelatedto theguestmodule.Iflocalhostisusedassmtpserver,makesurethataMTAisinstalled andconfiguredontheserver.

Note

Aportalinterfacetypeisrequiredtousethisfeature.Aportalinterfacetypecanbe addedtoanynetworkinterfaceusingthewebadminGUI.

Self-registered guests are added under the users tab of the PacketFence Web administration interface. Managedguests

ItispossibletomodifythedefaultvaluesoftheguestscreatedfromtheWebadmininterfaceby editing/usr/local/pf/conf/pf.conf.

Defaultvaluesarelocatedin/usr/local/pf/conf/pf.conf.defaultsanddocumentationforevery settingsisavailablein/usr/local/pf/conf/documentations.conf.

[guests_admin_registration] access_duration_choices=1h,3h,12h,1D,2D,3D,5D default_access_duration=12h

Theformatofthedurationisasfollow:

[]

Let’sexplainthemeaningofeachparameter:

▪ DURATION:anumbercorrespondingtotheperiodduration. ▪ DATETIME_UNIT:acharactercorrespondingtotheunitsofthedateortimeduration;eithers (seconds),m(minutes),h(hours),D(days),W(weeks),M(months),orY(years). ▪ PERIOD_BASE:eitherF(fixed)orR(relative).Arelativeperiodiscomputedfromthebeginningof theperiodunit.WeeksstartonMonday. ▪ OPERATOR:either+or-.Thedurationfollowingtheoperatorisaddedorsubtractedfromthebase duration. ▪ DATE_UNIT:acharactercorrespondingtotheunitsoftheextendedduration.Limitedtodateunits (D(days),W(weeks),M(months),orY(years)).

TheseparameterscanalsobeconfiguredfromtheConfiguration→AdminRegistrationsectionof theWebadmininterface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access durationofusers,changetheirpasswordandmore. Guestpre-registration

Tominimallyconfigureguestpre-registration,youmustmakesurethatthefollowingstatementis setunder[guests_self_registration]in/usr/local/pf/conf/pf.conf:

[guests_self_registration] preregistration=enabled

ThisparametercanalsobeconfiguredfromtheConfiguration→SelfRegistrationsection.

Finally,itisadvisedthatyoureadthewholeguestself-registrationsectionsincepre-registrationis simplyatwistoftheself-registrationprocess.

Caution

AvalidMTAconfiguredinPacketFenceisneededtocorrectlyrelayemailsrelatedto theguestmodule.Iflocalhostisusedassmtpserver,makesurethataMTAisinstalled andconfiguredontheserver.

ActiveDirectoryIntegration

DeletedAccount

Createthescriptunreg_node_deleted_account.ps1ontheWindowsServerwiththefollowing content.Makesuretochange@IP_PACKETFENCEtotheIPaddressofyourPacketFenceserver.You’ll alsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedinthe WebadmininterfaceunderConfiguration→WebServices.

######################################################################################### #Powershell script to unregister deleted Active Directory account based on the UserName.# #########################################################################################

Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name"| % { $url = "https://@IP_PACKETFENCE:9090/" $username = "admin" # Username for the webservices $password = "admin" # Password for the webservices [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

$bytes = [System.Text.Encoding]::ASCII.GetBytes($command) $web = [System.Net.WebRequest]::Create($url) $web.Method = "POST" $web.ContentLength = $bytes.Length $web.ContentType = "application/json-rpc" $web.Credentials = new-object System.Net.NetworkCredential($username, $password) $stream = $web.GetRequestStream() $stream.Write($bytes,0,$bytes.Length) $stream.close()

$reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream() $reader.ReadToEnd() $reader.Close() }

CreatethescheduledtaskbasedonaneventID

Start→Run→Taskschd.msc

TaskScheduler→TaskSchedulerLibrary→EventViewerTask→CreateTask

General

Name: PacketFence-Unreg_node-for-deleted-account Check: Run whether user is logged on or not Check: Run with highest privileges

Triggers→New

Begin on the task: On an event Log: Security Source: Microsoft Windows security auditing. Event ID: 4726

Actions→New

Action: Start a program Program/script: powershell.exe Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

ValidatewithOkandgivetheaccountwhowillrunthistask.(UsuallyDOMAIN\Administrator)

DisabledAccount

Createthescriptunreg_node_disabled_account.ps1ontheWindowsServerwiththefollowing content.Makesuretochange@IP_PACKETFENCEtotheIPaddressofyourPacketFenceserver.You’ll alsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedinthe WebadmininterfaceunderConfiguration→WebServices.

########################################################################################## #Powershell script to unregister disabled Active Directory account based on the UserName.# ##########################################################################################

Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name"| % { $url = "https://@IP_PACKETFENCE:9090/" $username = "admin" # Username for the webservices $password = "admin" # Password for the webservices [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

$reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream() $reader.ReadToEnd() $reader.Close()

}

CreatethescheduledtaskbasedonaneventID

Start→Run→Taskschd.msc

TaskScheduler→TaskSchedulerLibrary→EventViewerTask→CreateTask

General

Name: PacketFence-Unreg_node-for-disabled-account Check: Run whether user is logged on or not Check: Run with highest privileges

Triggers→New

Begin on the task: On an event Log: Security Source: Microsoft Windows security auditing. Event ID: 4725

Actions→New

Action: Start a program Program/script: powershell.exe Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel"

ValidatewithOkandgivetheaccountwhowillrunthistask.(UsuallyDOMAIN\Administrator)

LockedAccount

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content.Makesuretochange@IP_PACKETFENCEtotheIPaddressofyourPacketFenceserver.You’ll alsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedinthe WebadmininterfaceunderConfiguration→WebServices.

######################################################################################### #Powershell script to unregister locked Active Directory account based on the UserName.# #########################################################################################

Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name"| % { $url = "https://@IP_PACKETFENCE:9090/" $username = "admin" # Username for the webservices $password = "admin" # Password for the webservices [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

$reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream() $reader.ReadToEnd() $reader.Close()

}

CreatethescheduledtaskbasedonaneventID

Start→Run→Taskschd.msc

TaskScheduler→TaskSchedulerLibrary→EventViewerTask→CreateTask

General

Name: PacketFence-Unreg_node-for-locked-account Check: Run whether user is logged on or not Check: Run with highest privileges

Triggers→New

Begin on the task: On an event Log: Security Source: Microsoft Windows security auditing. Event ID: 4740

Actions→New

Action: Start a program Program/script: powershell.exe Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel"

ValidatewithOkandgivetheaccountwhowillrunthistask.(UsuallyDOMAIN\Administrator)

DHCPremotesensor

TheDHCPremotesensorconsistsofalightweightbinarythatisinstalledonyourproductionDHCP serverinordertoreplicatetheDHCPtraffic1to1tothePacketFenceserver.Thissolutionismore reliablethantheDHCPrelayingsincePacketFencereceivesacopyofallyourDHCPtrafficand notonlythebroadcastedDHCPtraffic.SupportedDHCPserversareMicrosoftDHCPserverand CentOS6and7.

ThesesensorsworkbycapturingthepacketsatthelowestlevelpossibleonyourDHCPserverand forwardthemtothePacketFencemanagementinterface

MicrosoftDHCPsensor

YouwillfirstneedtodownloadandinstallWinPcapavailablefromhttp://www.winpcap.org/install/

YouwillalsoneedtodownloadandinstallMicrosoftVisualC++2010Redistributableavailablefrom http://www.microsoft.com/download/details.aspx?id=5555

Note

You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributableevenifyouareusinga64-bitoperatingsystem.

Then get the remote sensor from Inverse’s download website http://inverse.ca/downloads/ PacketFence/udp-reflector/udp_reflector.exe

CreatethedirectoryC:\udp-reflectorandmovethedownloadedfileinside.

Nowwewillcreateaservicesothereflectorstartsonboot.

Firstdownloadandunzipnssmfromhttps://nssm.cc/download

Nextcreateabatchfileudpreflector.batinC:\udp-reflectorthatcontain:C:\udp-reflector \udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Wherepcap0 is the interface where your DHCP is listening (use C:\udp-reflector \udp_reflector.exe -ltolistinterfaces)

Thenrunnssm install udpreflector

InApplication:

▪ InPathsetittoC:\udp-reflector\udpreflector.bat ▪ InStartupdirectorysetittoC:\udp-reflector\ ▪ InArgumentssetittonothing

InDetails:

▪ InStartuptypeselectAutomatic

InLogon:

▪ InLogonasselectLocalSystemaccount

ThenpressInstallservice

TheDHCPtrafficshouldnowbereflectedonyourPacketFenceserver.

Linuxbasedsensor

FirstdownloadtheRPMonyourDHCPserver. CentOS6and7servers

ForCentOS6:

# for x86_64 # wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp- reflector-1.0-6.1.x86_64.rpm

ForCentOS7:

# for x86_64 # wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp- reflector-1.0-6.1.x86_64.rpm

Nowinstallthesensor:

# rpm -i udp-reflector-*.rpm

CompilingthesensorfromsourceonaLinuxsystem

Firstmakesureyouhavethefollowingpackagesinstalled:

▪ libpcap ▪ libpcap-devel ▪ gcc-c++

Getthesourcecodeofthesensor:

# mkdir -p ~/udp-reflector && cd ~/udp-reflector # wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp # g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuringthesensor

Placethefollowinglinein/etc/rc.local

▪ wherepcap0 is the pcap interface where your DHCP server listens on. (List them using udp_reflector -l) ▪ where192.168.1.5isthemanagementIPofyourPacketFenceserver

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Startthesensor:

# /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

TheDHCPtrafficshouldnowbereflectedonyourPacketFenceserver.

Switchloginaccess

PacketFenceisabletoactasanauthenticationandauthorizationserviceforgrantingcommand-line interface(CLI)accesstoswitches.PacketFencecurrentlysupportsCiscoswitchesandthesemustbe configuredusingthefollowingguide:http://www.cisco.com/c/en/us/support/docs/security-vpn/ remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html From the PacketFence’s web admin interface, you must configure an Admin Access role (Configuration→Adminaccess)thatcontainstheactionSwitchesCLI-ReadorSwitchesCLI-Write andassignthisroletoaninternaluserorinanAdministrationruleinaninternalsource.

OperatingSystemBestPractices

IPTables

IPTablesisnowentirelymanagedbyPacketFence.However,ifyouneedtoperformsomecustom rules, you can modify conf/iptables.conf to your own needs. However, the default template shouldworkformostusers.

LogRotations

PacketFencecangeneratealotoflogentriesinhugeproductionenvironments.Thisiswhywe recommendtouselogrotatetoperiodicallyrotateyourlogs.Aworkinglogrotatescriptisprovided withthePacketFencepackage.Thisscriptislocatedin/usr/local/pf/addons,andit’sconfigured to do a weekly log rotation and keeping old logs with compression. It has been added during PacketFenceinitialinstallation.

Performanceoptimization

SNMPTrapsLimit

PacketFencemainlyrelyonSNMPtrapstocommunicatewithequipment.Duetothefactthattraps cominginfromapproved(configured)devicesareallprocessedbythedaemon,itispossiblefor someonewhowanttogenerateacertainloadonthePacketFenceservertoforcethegeneration ofnon-legitimateSNMPtrapsoraswitchcanrandomlygenerateahighquantityoftrapssentto PacketFenceforanunknownreason.

Becauseofthat,itispossibletolimitthenumberofSNMPtrapscominginfromasingleswitchport andtakeactionifthatlimitisreached.Forexample,ifover100trapsarereceivedbyPacketFence fromthesameswitchportinaminute,theswitchportwillbeshutandanotificationemailwill besent.

Here’sthedefaultconfigfortheSNMPtrapslimitfeature.Asyoucansee,bydefault,PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurationsareintheconf/pf.conffile:

[vlan] trap_limit = enabled trap_limit_threshold = 100 trap_limit_action =

Alternatively,youcanconfiguretheseparametersfromthePacketFenceWebadministrativeGUI, intheConfiguration→SNMPsection.

MySQLoptimizations

TuningMySQL

Ifyou’rePacketFencesystemisactingveryslow,thiscouldbeduetoyourMySQLconfiguration. Youshoulddothefollowingtotuneperformance:

Checkthesystemload

# uptime 11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79

CheckiostatandCPU

# iostat 5 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 3.20 20.20 76.00 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 32.40 0.00 1560.00 0 7800 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.20 9.20 88.00 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 7.80 0.00 73.60 0 368 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 1.80 23.80 73.80 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 31.40 0.00 1427.20 0 7136 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.40 18.16 78.84 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 27.94 0.00 1173.65 0 5880

Asyoucansee,theloadis1.25andIOWaitispeakingat20%-thisisnotgood.IfyourIOwait islowbutyourMySQListaking+%50CPUthisisalsonotgood.CheckyourMySQLinstallfor thefollowingvariables:

mysql> show variables; | innodb_additional_mem_pool_size | 1048576 | | innodb_autoextend_increment | 8 | | innodb_buffer_pool_awe_mem_mb | 0 | | innodb_buffer_pool_size | 8388608 |

PacketFencereliesheavilyonInnoDB,soyoushouldincreasethebuffer_poolsizefromthedefault values.

ShutdownPacketFenceandMySQL

# /etc/init.d/packetfence stop Shutting down PacketFence... [...] # /etc/init.d/mysql stop Stopping MySQL: [ OK ]

Edit/etc/my.cnf(oryourlocalmy.cnf):

[mysqld] # Set buffer pool size to 50-80% of your computer's memory innodb_buffer_pool_size=800M innodb_additional_mem_pool_size=20M innodb_flush_log_at_trx_commit=2 innodb_file_per_table # allow more connections max_connections=700 # set cache size key_buffer_size=900M table_cache=300 query_cache_size=256M # enable slow query log log_slow_queries = ON

StartupMySQLandPacketFence

# /etc/init.d/mysqld start Starting MySQL: [ OK ] # /etc/init.d/packetfence start Starting PacketFence... [...]

Wait10minutesforPacketFencetoinitialthenetworkmapandre-checkiostatandCPU

# uptime 12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52 # iostat 5 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 8.00 0.00 75.20 0 376

avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.99 13.37 83.03

Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 14.97 0.00 432.73 0 2168 avg-cpu: %user %nice %sys %iowait %idle 0.20 0.00 2.60 6.60 90.60

Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 4.80 0.00 48.00 0 240

MySQLoptimizationtool

WerecommendthatyouruntheMySQLTuneronyourdatabasesetupafteracoupleofweeks tohelpyouidentifyMySQLconfigurationimprovement.ThetoolisbundledwithPacketFenceand canberunfromthecommand-line:

# /usr/local/bin/pftest mysql

Keepingtablessmall

Overtime,someofthetableswillgrowlargeandthiswilldragdownperformance(thisisespecially trueonawirelesssetup).

Onesuchtableisthelocationlogtable.Werecommendthatclosedentriesinthistablebemoved to the archive table locationlog_archive after some time. A closed record is one where the end_timefieldissettoadate(stricklyspeakingitiswhenend_timeisnotnullandnotequalsto0).

Weprovideascriptcalleddatabase-backup-and-maintenance.shlocatedinaddons/thatperforms thiscleanupinadditiontooptimizetablesonSundayanddailybackups.

Avoid"Toomanyconnections"problems

Inawirelesscontext,theretendstobealotofconnectionsmadetothedatabasebyourfreeradius module.ThedefaultMySQLvaluetendtobelow(100)soweencourageyoutoincreasethat valuetoatleast300.Seehttp://dev.mysql.com/doc/refman/5.0/en/too-many-connections.htmlfor details.

Avoid"Hostisblocked"problems

Inawirelesscontext,theretendtobealotofconnectionsmadetothedatabasebyourfreeradius module.Whentheserverisloaded,theseconnectionattemptscantimeout.Ifaconnectiontimes outduringconnection,MySQLwillconsiderthisaconnectionerrorandafter10ofthese(bydefault) hewilllockthehostoutwitha:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt so you want to avoid that at all cost. One way to do so istoincreasethenumberofmaximumconnections(seeabove),toperiodicallyflushhostsorto allowmoreconnectionerrors.Seehttp://dev.mysql.com/doc/refman/5.0/en/blocked-host.htmlfor details.

CaptivePortalOptimizations

Avoidcaptiveportaloverloadduetonon-browser HTTPrequests

BydefaultwealloweveryquerytoberedirectedandreachPacketFenceforthecaptiveportal operation.Inalotofcases,thismeansthatalotofnon-userinitiatedqueriesreachPacketFence andwasteitsresourcesfornothingsincetheyarenotfrombrowsers.(iTunes,Windowsupdate, MSNMessenger,GoogleDesktop,…).

Sinceversion4.3ofPacketFence,youcandefineHTTPfiltersforApachefromtheconfiguration ofPacketFence.

Someruleshavebeenenabledbydefault,likeonetorejectrequestswithnodefineduseragent. Allrules,includingsomeexamples,aredefinedintheconfigurationfileapache_filters.conf.

Filtersaredefinedwithatleasttwoblocks.Firstarethetests.Forexample:

[get_ua_is_dalvik] filter = user_agent method = GET operator = match value = Dalvik

[get_uri_not_generate204] filter = uri method = GET operator = match_not value = /generate_204

Thelastblockdefinestherelationshipbetweenthetestsandthedesiredaction.Forexample:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204] action = 501 redirect_url =

Thisfilterwillreturnanerrorcode(501)iftheuseragentisDalvikandtheURIdoesn’tcontain _/generate_204.

DashboardOptimizations(statisticscollection)

The collection and aggregation of statistics in the whisper database can be I/O intensive per moment.Thismeansthatitcanbebeneficialtoseperatethemonanotherdiskevenifitisavirtual diskthatwillsharethesameunderlyingphysicaldisk.

First,addadiskinyourvirtualmachineorbaremetalserverandreboot(thisexamplewilluse/dev/ sdbasthenewdevice.

Makesurepacketfenceisstopped:

# service packetfence stop

Createanext4partition:

# mkfs.ext4 /dev/sdb

Thenmovetheolddatabasestoabackuppoint:

# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mountyournewdiskandcheckthatitismounted:

# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab # mkdir /usr/local/pf/var/graphite # mount -a # dh -h

Applytheproperuserrightsandrestoreyourdatabasefromyourbackup

# chown pf.pf /usr/local/pf/var/graphite # cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Startpacketfenceandmakesureyourstatsarestillthereandbeingcollectedproperly.Thenremove thebackupyoumaderm -fr /usr/local/pf/var/graphite.bak/.

AdditionalInformation

Formoreinformation,pleaseconsultthemailingarchivesorpostyourquestionstoit.Fordetails, see:

▪ [email protected]: Public announcements (new releases, security warningsetc.)regardingPacketFence

▪ [email protected]:DiscussionofPacketFencedevelopment

▪ [email protected]:Userandusagediscussions

CommercialSupportandContact Information

For any questions or comments, do not hesitate to contact us by writing an email to: [email protected].

Inverse(http://inverse.ca)offersprofessionalservicesaroundPacketFencetohelporganizations deploythesolution,customize,migrateversionsorfromanothersystem,performancetuningor aligningwithbestpractices.

Hourlyratesorsupportpackagesareofferedtobestsuityourneeds.

Pleasevisithttp://inverse.ca/fordetails.

GNUFreeDocumentationLicense

Pleaserefertohttp://www.gnu.org/licenses/fdl-1.2.txtforthefulllicense.

AppendixA.AdministrationTools

pfcmd

pfcmdisthecommandlineinterfacetomostPacketFencefunctionalities.

Whenexecutedwithoutanyargumentspfcmdreturnsabasichelpmessagewithallmainoptions:

Usage: pfcmd [options]

Commands cache | manage the cache subsystem checkup | perform a sanity checkup and report any problems class | view violation classes configfiles | push or pull configfiles into/from database configreload | reload the configution floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters help | show help for pfcmd commands ifoctetshistorymac | accounting history ifoctetshistoryswitch | accounting history ifoctetshistoryuser | accounting history import | bulk import of information into the database ipmachistory | IP/MAC history locationhistorymac | Switch/Port history locationhistoryswitch | Switch/Port history networkconfig | query/modify network configuration parameters node | manipulate node entries pfconfig | interact with pfconfig portalprofileconfig | query/modify portal profile configuration parameters reload | rebuild fingerprint or violations tables without restart service | start/stop/restart and get PF daemon status schedule | Nessus scan scheduling switchconfig | query/modify switches.conf configuration parameters version | output version information violationconfig | query/modify violations.conf configuration parameters

Please view "pfcmd help " for details on each option

Thenodeviewoptionshowsallinformationcontainedinthenodedatabasetableforaspecified MACaddress

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02 mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername| notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint 52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlanisthecommandlineinterfacetomostVLANisolationrelatedfunctionality.

Again,whenexecutedwithoutanyarguments,ahelpscreenisshown.

Usage: pfcmd_vlan command [options]

Command: -deauthenticate de-authenticate a dot11 client -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x) -getAlias show the description of the specified switch port -getAllMACs show all MACS on all switch ports -getHubs show switch ports with several MACs -getIfOperStatus show the operational status of the specified switch port -getIfType show the ifType on the specified switch port -getLocation show at which switch port the MAC is found -getSwitchLocation show SNMP location of specified switch -getMAC show all MACs on the specified switch port -getType show switch type -getUpLinks show the upLinks of the specified switch -getVersion show switch OS version -getVlan show the VLAN on the specified switch port -getVlanType show the VLAN type on the specified port -help brief help message -isolate set the switch port to the isolation VLAN -man full documentation -reAssignVlan re-assign a switch port VLAN -reevaluateAccess reevaluate the current VLAN or firewall rules of a given MAC -runSwitchMethod run a particular method call on a given switch (FOR ADVANCED PURPOSES) -setAlias set the description of the specified switch port -setDefaultVlan set the switch port to the default VLAN -setIfAdminStatus set the admin status of the specified switch port -setVlan set VLAN on the specified switch port -setVlanAllPort set VLAN on all non-UpLink ports of the specified switch

Options: -alias switch port description -ifAdminStatus ifAdminStatus -ifIndex switch port ifIndex -mac MAC address -showPF show additional information available in PF -switch switch description -verbose log verbosity level 0 : fatal messages 1 : warn messages 2 : info messages 3 : debug 4 : trace -vlan VLAN id -vlanName VLAN name (as in switches.conf)