AdministrationGuide forPacketFenceversion6.0.3 AdministrationGuide byInverseInc. Version6.0.3-Jun2016 Copyright©2016Inverseinc.
Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version 1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-Cover Texts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense".
ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http:// scripts.sil.org/OFL
Copyright©ŁukaszDziedzic,http://www.latofonts.com,withReservedFontName:"Lato".
Copyright©RaphLevien,http://levien.com/,withReservedFontName:"Inconsolata". TableofContents
AboutthisGuide...... 1 Othersourcesofinformation...... 1 Introduction...... 2 Features...... 2 NetworkIntegration...... 5 Components...... 5 SystemRequirements...... 7 Assumptions...... 7 MinimumHardwareRequirements...... 7 OperatingSystemRequirements...... 7 Installation...... 9 OSInstallation...... 9 SoftwareDownload...... 10 SoftwareInstallation...... 10 Getoffontherightfoot...... 12 TechnicalintroductiontoInlineenforcement...... 13 Introduction...... 13 Deviceconfiguration...... 13 Accesscontrol...... 13 Limitations...... 14 TechnicalintroductiontoOut-of-bandenforcement...... 15 Introduction...... 15 VLANassignmenttechniques...... 15 MoreonSNMPtrapsVLANisolation...... 17 TechnicalintroductiontoHybridenforcement...... 20 Introduction...... 20 Deviceconfiguration...... 20 Configuration...... 21 RolesManagement...... 21 Authentication...... 22 ExternalAPIauthentication...... 24 SAMLauthentication...... 25 NetworkDevicesDefinition(switches.conf)...... 27 PortalProfiles...... 31 FreeRADIUSConfiguration...... 32 PortalModules...... 43 Debugging...... 52 Logfiles...... 52 RADIUSDebugging...... 52 MoreonVoIPIntegration...... 54 CDPandLLDPareyourfriend...... 54 VoIPandVLANassignmenttechniques...... 54 WhatifCDP/LLDPfeatureismissing...... 55 Advancedtopics...... 56 AppleandAndroidWirelessProvisioning...... 56 BillingEngine...... 57 DevicesRegistration...... 69 Eduroam...... 70 Fingerbankintegration...... 74 FloatingNetworkDevices...... 75 OAuth2Authentication...... 77
Copyright©2016Inverseinc. iii Passthrough...... 79 ProductionDHCPaccess...... 80 ProxyInterception...... 81 RoutedNetworks...... 82 StatementofHealth(SoH)...... 85 VLANFilterDefinition...... 86 RADIUSFilterDefinition...... 88 DNSenforcement...... 90 Parkeddevices...... 90 Optionalcomponents...... 92 Blockingmaliciousactivitieswithviolations...... 92 ComplianceChecks...... 100 RADIUSAccounting...... 105 Oinkmaster...... 106 GuestsManagement...... 107 ActiveDirectoryIntegration...... 110 DHCPremotesensor...... 115 Switchloginaccess...... 117 OperatingSystemBestPractices...... 118 IPTables...... 118 LogRotations...... 118 Performanceoptimization...... 119 SNMPTrapsLimit...... 119 MySQLoptimizations...... 119 CaptivePortalOptimizations...... 122 DashboardOptimizations(statisticscollection)...... 123 AdditionalInformation...... 125 CommercialSupportandContactInformation...... 126 GNUFreeDocumentationLicense...... 127 A.AdministrationTools...... 128 pfcmd...... 128 pfcmd_vlan...... 129
Copyright©2016Inverseinc. iv Chapter1
AboutthisGuide
This guide will walk you through the installation and the day to day administration of the PacketFencesolution.
Thelatestversionofthisguideisavailableathttp://www.packetfence.org/documentation/
Othersourcesofinformation
Thefollowingdocumentsareincludedinthepackageandreleasetarballs.
NetworkDevicesConfigurationGuide(pdf) Covers switch, controllers and access pointsconfiguration.
Developer’sGuide(pdf) Covers captive portal customization, VLAN management customization and instructionsforsupportingnewhardware.
CREDITS Thisis,atleast,apartialfileofPacketFence contributors.
NEWS.asciidoc Covers noteworthy features, improvementsandbugfixesbyrelease.
UPGRADE.asciidoc Covers compatibility related changes, manual instructions and general notes aboutupgrading.
ChangeLog Coversallchangestothesourcecode.
Copyright©2016Inverseinc. AboutthisGuide 1 Chapter2
Introduction
PacketFenceisafullysupported,trusted,FreeandOpenSourcenetworkaccesscontrol(NAC) system. Boosting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematicdevices,integrationwithIDS,vulnerabilityscannersandfirewalls;PacketFencecanbe usedtoeffectivelysecurenetworks-fromsmalltoverylargeheterogeneousnetworks.
Features
Outofband(VLANEnforcement) PacketFence’soperationiscompletelyout of band when using VLAN enforcement which allows the solution to scale geographicallyandtobemoreresilientto failures.
InBand(InlineEnforcement) PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or accesspoints.PacketFencecanalsowork with both VLAN and Inline enforcement activated for maximum scalability and securitywhileallowingolderhardwareto stillbesecuredusinginlineenforcement. Bothlayer-2andlayer-3aresupportedfor inlineenforcement.
Hybridsupport(InlineEnforcementwithRADIUS PacketFence can also be configured support) as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication.Thisfeaturecanbe enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline modeontheequipment.
Hotspotsupport(WebAuthEnforcement) PacketFence can also be configured as hotspot,ifyouhaveamanageabledevice that supports an external captive portal (likeCiscoWLCorArubaIAP).
VoiceoverIP(VoIP)support Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous
Copyright©2016Inverseinc. Introduction 2 Chapter2
environments)formultipleswitchvendors (Cisco,Avaya,HPandmanymore).
802.1X 802.1X wireless and wired is supported throughourFreeRADIUSmodule.
Wirelessintegration PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
Registration PacketFence supports an optional registrationmechanismsimilarto"captive portal"solutions.Contrarytomostcaptive portalsolutions,PacketFenceremembers users who previously registered and will automatically give them access without anotherauthentication.Ofcourse,thisis configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first acceptingit.
Detectionofabnormalnetworkactivities Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detectedusinglocalandremoteSnortor Suricatasensors.Beyondsimpledetection, PacketFence layers its own alerting and suppression mechanism on each alert type.Asetofconfigurableactionsforeach violationisavailabletoadministrators.
Proactivevulnerabilityscans EitherNessus ,OpenVAS or WMI vulnerabilityscanscanbeperformedupon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability ID’s of each scan to the violation configuration, returning content specific web pages about which vulnerabilitythehostmayhave.
Isolationofproblematicdevices PacketFence supports several isolation techniques,includingVLANisolationwith VoIP support (even in heterogeneous environments)formultipleswitchvendors.
Remediationthroughacaptiveportal Once trapped, all network traffic is terminated by the PacketFence system.
Copyright©2016Inverseinc. Introduction 3 Chapter2
Based on the node’s current status (unregistered,openviolation,etc),theuser is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in reducing costlyhelpdeskintervention.
Firewallintegration PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically updatetheIP/userassociationonfirewalls forthemtoapply,ifrequired,per-useror per-groupfilteringpolicies.
Command-lineandWeb-basedmanagement Web-basedandcommand-lineinterfaces forallmanagementtasks.
GuestAccess PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal arethecomponentsusedtoexplaintothe guesthowtoregisterforaccessandhow hisaccessworks.Thisisusuallybranded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guestaccessbulkcreationsandimports.
Devicesregistration A registered user can access a special Web page to register a device of his own.Thisregistrationprocesswillrequire loginfromtheuserandthenwillregister deviceswithpre-approvedMACOUIinto aconfigurablecategory.
PacketFenceisdevelopedbyacommunityofdeveloperslocatedmainlyinNorthAmerica.More informationcanbefoundathttp://www.packetfence.org.
Copyright©2016Inverseinc. Introduction 4 Chapter2
NetworkIntegration
VLANenforcementispicturedintheabovediagram.Inlineenforcementshouldbeseenasasimple flatnetworkwherePacketFenceactsasafirewall/gateway.
Components
PacketFencerequiresvariouscomponentstoworksuchasaWebserver,adatabaseserver,anda RADIUSserver.Itinteractswithexternaltoolstoextenditsfunctionalities.
Copyright©2016Inverseinc. Introduction 5 Chapter2
Copyright©2016Inverseinc. Introduction 6 Chapter3
SystemRequirements
Assumptions
PacketFencereusesmanycomponentsinaninfrastructure.Thus,itrequiresthefollowingones:
▪ Databaseserver(MySQLorMariaDB) ▪ Webserver(Apache) ▪ DHCPserver(ISCDHCP) ▪ RADIUSserver(FreeRADIUS)
Dependingonyoursetupyoumayhavetoinstalladditionalcomponentslike:
▪ NIDS(Snort/Suricata)
Inthisguide,weassumethatallthosecomponentsarerunningonthesameserver(i.e.,"localhost" or"127.0.0.1")thatPacketFencewillbeinstalledon.
Good understanding of those underlying component and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentationandproceedwiththeinstallationoftheserequirementsbeforecontinuingwiththis guide.
MinimumHardwareRequirements
Thefollowingprovidesalistoftheminimumserverhardwarerecommendations:
▪ IntelorAMDCPU3GHz ▪ 8GBofRAM ▪ 100GBofdiskspace(RAID-1recommended) ▪ 1Networkcard(2recommended)
OperatingSystemRequirements
PacketFencesupportsthefollowingoperatingsystemsonthex86_64architectures:
Copyright©2016Inverseinc. SystemRequirements 7 Chapter3
▪ RedHatEnterpriseLinux6.xand7.xServer ▪ CommunityENTerpriseOperatingSystem(CentOS)6.xand7.x ▪ Debian7.0(Wheezy)and8.0(Jessie)
Makesurethatyoucaninstalladditionalpackagesfromyourstandarddistribution.Forexample,if youareusingRedHatEnterpriseLinux,youhavetobesubscribedtotheRedHatNetworkbefore continuingwiththePacketFencesoftwareinstallation.
OtherdistributionssuchasFedoraandGentooareknowntoworkbutthisdocumentdoesn’tcover them.
Servicesstart-up
PacketFencetakescareofhandlingtheoperationofthefollowingservices:
▪ Webserver(httpd) ▪ DHCPserver(dhcpd) ▪ FreeRADIUSserver(radiusd) ▪ Snort/SuricataNetworkIDS(snort/suricata) ▪ Firewall(iptables)
Makesurethatalltheotherservicesareautomaticallystartedbyyouroperatingsystem!
Copyright©2016Inverseinc. SystemRequirements 8 Chapter4
Installation
ThissectionwillguideyouthroughtheinstallationofPacketFencetogetherwithitsdependencies.
OSInstallation
Installyourdistributionwithminimalinstallationandnoadditionalpackages.Then:
▪ DisableFirewall ▪ DisableSELinux ▪ DisableAppArmor ▪ Disableresolvconf
Makesureyoursystemisuptodateandyouryumorapt-getdatabaseisupdated.OnaRHEL- basedsystem,do:
yum update
OnaDebianorUbuntusystem,do:
apt-get update apt-get upgrade
RegardingSELinuxorAppArmor,evenifthesefeaturesmaybewantedbysomeorganizations, PacketFencewillnotrunproperlyifSELinuxorAppArmorareenabled.Youwillneedtoexplicitly disableSELinuxinthe/etc/selinux/configfileandAppArmorwithupdate-rc.d-fapparmorstop, update-rc.d-fapparmorteardownandupdate-rc.d-fapparmorremove.Regardingresolvconf,you canremovethesymlinktothatfileandsimplycreatethe/etc/resolv.conffilewiththecontent youwant.
RedHat-basedsystems
Note
AppliestoCentOSandScientificLinuxbutonlythex86_64architectureissupported.
Copyright©2016Inverseinc. Installation 9 Chapter4
RHEL6.x
Note
TheseareextrastepsarerequiredforRHEL6systemsonly,excludingderivativessuch asCentOSorScientificLinux.
RedHatEnterpriseLinuxusersneedtotakeanadditionalsetupstep.IfyouarenotusingtheRHN SubscriptionManagementfromRedHatyouneedtoenabletheoptionalchannelbyrunningthe followingasroot:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian
AllthePacketFencedependenciesareavailablethroughtheofficialrepositories.
SoftwareDownload
PacketFenceprovidesaRPMrepositoryforRHEL/CentOSinsteadofasingleRPMfile.
ForDebian,PacketFencealsoprovidespackagerepositories.
TheserepositoriescontainallrequireddependenciestoinstallPacketFence.Thisprovidesnumerous advantages:
▪ easyinstallation ▪ everythingispackagedasRPM/deb(nomoreCPANhassle) ▪ easyupgrade
SoftwareInstallation
RHEL/CentOS
InordertousethePacketFencerepository:
# yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/ RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the requiredexternalservices(Databaseserver,DHCPserver,RADIUSserver)using:
Copyright©2016Inverseinc. Installation 10 Chapter4
yum install perl yum install --enablerepo=packetfence packetfence
Onceinstalled,theWeb-basedconfigurationinterfacewillautomaticallybestarted.Youcanaccess itfromhttps://@ip_of_packetfence:1443/configurator
Debian
ForDebian7:
Inordertousetherepository,createafilenamed/etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/ apt/sources.list.d/packetfence.list
ForDebian8:
Inordertousetherepository,createafilenamed/etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/ apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the requiredexternalservices(Databaseserver,DHCPserver,RADIUSserver)using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 sudo apt-get update sudo apt-get install packetfence
Copyright©2016Inverseinc. Installation 11 Chapter5
Getoffontherightfoot
PriorconfiguringPacketFence,youmustchoseanappropriateenforcementmodetobeusedby PacketFencewithyournetworkingequipment.Theenforcementmodeisthetechniqueusedto enforceregistrationandanysubsequentaccessofdevicesonyournetwork.PacketFencesupports thefollowingenforcementmodes:
▪ Inline ▪ Out-of-band ▪ Hybrid
Itisalsopossibletocombineenforcementmodes.Forexample,youcouldusetheout-of-band modeonyourwiredswitches,whileusingtheinlinemodeonyouroldWiFiaccesspoints.
The following sections will explain these enforcement modes. If you decide to use the inline mode,pleaserefertothePacketFenceInlineDeploymentQuickGuideusingZENforacomplete configurationexample.Ifyoudevicetousetheout-of-bandmode,pleaserefertothePacketFence Out-of-BandDeploymentQuickGuideusingZEN
Copyright©2016Inverseinc. Getoffontherightfoot 12 Chapter6
TechnicalintroductiontoInline enforcement
Introduction
Beforetheversion3.0ofPacketFence,itwasnotpossibletosupportunmanageabledevicessuch asentry-levelconsumerswitchesoraccess-points.Now,withthenewinlinemode,PacketFence canbeusein-bandforthosedevices.Soinotherwords,PacketFencewouldbecomethegatewayof thatinlinenetwork,andNATorroutethetrafficusingIPTables/IPSettotheInternet(ortoanother sectionofthenetwork).Letseehowitworks.
Deviceconfiguration
Nospecialconfigurationisneededontheunmanageabledevice.That’sthebeautyofit.Youonly needtoensurethatthedeviceis"talking"ontheinlineVLAN.Atthispoint,allthetrafficwillbe passingthroughPacketFencesinceitisthegatewayforthisVLAN.
Accesscontrol
TheaccesscontrolreliesentirelyonIPTables/IPSet.Whenauserisnotregistered,andconnects intheinlineVLAN,PacketFencewillgivehimanIPaddress.Atthispoint,theuserwillbemarked asunregisteredintheipsetsession,andalltheWebtrafficwillberedirectedtothecaptiveportal andothertrafficblocked.TheuserwillhavetoregisterthroughthecaptiveportalasinVLAN enforcement.Whenheregisters,PacketFencechangesthedevice´sipsetsessiontoallowtheuser’s macaddresstogothroughit.
Technicalintroduction Copyright©2016Inverseinc. toInlineenforcement 13 Chapter6
Limitations
Inlineenforcementbecauseofit’snaturehasseverallimitationsthatonemustbeawareof.
▪ EveryonebehindaninlineinterfaceisonthesameLayer2LAN ▪ EverypacketofauthorizedusersgoesthroughthePacketFenceserverincreasingtheservers' loadconsiderably:Planaheadforcapacity ▪ EverypacketofauthorizedusersgoesthroughthePacketFenceserver:itisasinglepointof failureforInternetaccess ▪ Ipsetcanstoreupto65536entries,soitisnotpossibletohaveainlinenetworkclassupper thanB
Thisiswhyitisconsideredapoorman’swayofdoingaccesscontrol.Wehaveavoideditfora longtimebecauseoftheabovementionedlimitations.Thatsaid,beingabletoperformbothinline andVLANenforcementonthesameserveratthesametimeisarealadvantage:itallowsusersto maintainmaximumsecuritywhiletheydeploynewandmorecapablenetworkhardwareproviding acleanmigrationpathtoVLANenforcement.
Technicalintroduction Copyright©2016Inverseinc. toInlineenforcement 14 Chapter7
TechnicalintroductiontoOut-of-band enforcement
Introduction
VLANassignmentiscurrentlyperformedusingseveraldifferenttechniques.Thesetechniquesare compatibleonetoanotherbutnotonthesameswitchport.Thismeansthatyoucanusethe moresecureandmoderntechniquesforyourlatestswitchesandanothertechniqueontheold switchesthatdoesn’tsupportlatesttechniques.Asit’snameimplies,VLANassignmentmeansthat PacketFenceistheserverthatassignstheVLANtoadevice.ThisVLANcanbeoneofyourVLANs oritcanbeaspecialVLANwherePacketFencepresentsthecaptiveportalforauthenticationor remediation.
VLANassignmenteffectivelyisolateyourhostsattheOSILayer2meaningthatitisthetrickiest methodtobypassandistheonewhichadaptsbesttoyourenvironmentsinceitgluesintoyour currentVLANassignmentmethodology.
VLANassignmenttechniques
Wired:802.1X+MACAuthentication
802.1Xprovidesport-basedauthentication,whichinvolvescommunicationsbetweenasupplicant, authenticator(knownasNAS),andauthenticationserver(knownasAAA).Thesupplicantisoften softwareonaclientdevice,suchasalaptop,theauthenticatorisawiredEthernetswitchorwireless accesspoint,andtheauthenticationserverisgenerallyaRADIUSserver.
Thesupplicant(i.e.,clientdevice)isnotallowedaccessthroughtheauthenticatortothenetwork untilthesupplicant’sidentityisauthorized.With802.1Xport-basedauthentication,thesupplicant provides credentials, such as user name / password or digital certificate, to the authenticator, andtheauthenticatorforwardsthecredentialstotheauthenticationserverforverification.Ifthe credentialsarevalid(intheauthenticationserverdatabase),thesupplicant(clientdevice)isallowed toaccessthenetwork.TheprotocolforauthenticationiscalledExtensibleAuthenticationProtocol (EAP)whichhavemanyvariants.Bothsupplicantandauthenticationserversneedtospeakthe sameEAPprotocol.MostpopularEAPvariantisPEAP-MsCHAPv2(supportedbyWindows/Mac OSX/LinuxforauthenticationagainstAD).
Technicalintroductionto Copyright©2016Inverseinc. Out-of-bandenforcement 15 Chapter7
Inthiscontext,PacketFencerunstheauthenticationserver(aFreeRADIUSinstance)andwillreturn theappropriateVLANtotheswitch.AmodulethatintegratesinFreeRADIUSdoesaremotecallto thePacketFenceservertoobtainthatinformation.Moreandmoredeviceshave802.1Xsupplicant whichmakesthisapproachmoreandmorepopular.
MACAuthenticationisanewmechanismintroducedbysomeswitchvendortohandlethecases wherea802.1Xsupplicantdoesnotexist.Differentvendorshavedifferentnamesforit.Cisco callsitMACAuthenticationBypass(MAB),JunipercallsitMACRADIUS,ExtremeNetworkscallsit Netlogin,etc.Afteratimeoutperiod,theswitchwillstoptryingtoperform802.1Xandwillfallback toMACAuthentication.Ithastheadvantageofusingthesameapproachas802.1Xexceptthat theMACaddressissentinsteadoftheusernameandthereisnoend-to-endEAPconversation (nostrongauthentication).UsingMACAuthentication,deviceslikenetworkprinterornon-802.1X capableIPPhonescanstillgainaccesstothenetworkandtherightVLAN.
Wireless:802.1X+MACauthentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication.Wherethingschangeisthatthe802.1Xisusedtosetupthesecuritykeysfor encryptedcommunication(WPA2-Enterprise)whileMACauthenticationisonlyusedtoauthorize (allowordisallow)aMAConthewirelessnetwork.
Onwirelessnetworks,theusualPacketFencesetupdictatethatyouconfiguretwoSSIDs:anopen oneandasecureone.Theopenoneisusedtohelpusersconfigurethesecureoneproperlyand requiresauthenticationoverthecaptiveportal(whichrunsinHTTPS).
Thefollowingdiagramdemonstratestheflowbetweenamobileenpoint,aWiFiaccesspoint,a WiFicontrollerandPacketFence:
1. UserinitiatesassociationtoWLANAPandtransmitsMACaddress.Ifuseraccessesnetworkvia aregistereddeviceinPacketFencegoto8
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorizethatMACaddressontheAP
3. PacketFenceserverconductsaddressauditinitsdatabase.IfitdoesnotrecognizetheMAC addressgoto4.Ifitdoesgoto8.
4. PacketFenceserverdirectsWLANcontrollerviaRADIUS(RFC2868attributes)toputthedevice inan"unauthenticatedrole“(setofACLsthatwouldlimit/redirecttheusertothePacketFence
Technicalintroductionto Copyright©2016Inverseinc. Out-of-bandenforcement 16 Chapter7
captiveportalforregistration,orwecanalsousearegistrationVLANinwhichPacketFencedoes DNSblackholingandistheDHCPserver)
5. Theuser’sdeviceissuesaDHCP/DNSrequesttoPacketFence(whichisaDHCP/DNSserver onthisVLANorforthisrole)whichsendstheIPandDNSinformation.Atthispoint,ACLsare limiting/redirectingtheusertothePacketFence’scaptiveportalforauthentication.PacketFence fingerprintsthedevice(user-agentattributes,DHCPinformation&MACaddresspatterns)to whichitcantakevariousactionsincluding:keepdeviceonregistrationportal,directtoalternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on theregistrationportaltheuserregistersbyprovidingtheinformation(username/password,cell phonenumber,etc.).AtthistimePacketFencecouldalsorequirethedevicetogothrougha postureassessment(usingNessus,OpenVAS,etc.)
6. Ifauthenticationisrequired(username/password)throughaloginform,thosecredentialsare validatedviatheDirectoryserver(oranyotherauthenticationsources-likeLDAP,SQL,RADIUS, SMS,Facebook,Google+,etc.)whichprovidesuserattributestoPacketFencewhichcreatesuser +devicepolicyprofileinitsdatabase.
7. PacketFenceperformsaChangeofAuthorization(RFC3576)onthecontrollerandtheusermust bere-authenticated/reauthorized,sowegobackto1
8. PacketFenceserverdirectsWLANcontrollerviaRADIUStoputthedeviceinan"authenticated role“,orinthe"normal"VLAN
WebAuthmode
Webauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptive portal.Withthismode,yourdevicewillneverchangeofVLANIDbutonlytheACLassociatedto yourdevicewillchange.RefertotheNetworkDevicesConfigurationGuidetoseeasampleweb authconfigurationonaCiscoWLC.
Port-securityandSNMP
Reliesontheport-securitySNMPTraps.AfakestaticMACaddressisassignedtoalltheportsthis wayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFence.The systemwillauthorizetheMACandsettheportintherightVLAN.VoIPsupportispossiblebut tricky.Itvariesalotdependingontheswitchvendor.CiscoiswellsupportedbutisolationofaPC behindanIPPhoneleadstoaninterestingdilemma:eitheryoushuttheport(andthephoneat thesametime)oryouchangethedataVLANbutthePCdoesn’tdoDHCP(didn’tdetectlinkwas down)soitcannotreachthecaptiveportal.
AsidefromtheVoIPisolationdilemma,itisthetechniquethathasproventobereliableandthat hasthemostswitchvendorsupport.
MoreonSNMPtrapsVLANisolation
WhentheVLANisolationisworkingthroughSNMPtrapsallswitchports(onwhichVLANisolation shouldbedone)mustbeconfiguredtosendSNMPtrapstothePacketFencehost.OnPacketFence,
Technicalintroductionto Copyright©2016Inverseinc. Out-of-bandenforcement 17 Chapter7
weusesnmptrapdastheSNMPtrapreceiver.Asitreceivestraps,itreformatsandwritesthem intoaflatfile:/usr/local/pf/logs/snmptrapd.log.Themultithreadedpfsetvlandaemonreads thesetrapsfromtheflatfileandrespondstothembysettingtheswitchporttothecorrectVLAN. Currently,wesupportswitchesfromCisco,Edge-core,HP,Intel,LinksysandNortel(addingsupport forswitchesfromanothervendorimpliesextendingthepf::Switchclass).Dependingonyour switchescapabilities,pfsetvlanwillactondifferenttypesofSNMPtraps.
YouneedtocreatearegistrationVLAN(withaDHCPserver,butnoroutingtootherVLANs)in whichPacketFencewillputunregistereddevices.Ifyouwanttoisolatecomputerswhichhaveopen violationsinaseparateVLAN,anisolationVLANneedsalsotobecreated.
linkUp/linkDowntraps(deprecated)
ThisisthemostbasicsetupanditneedsathirdVLAN:theMACdetectionVLAN.Thereshouldbe nothinginthisVLAN(noDHCPserver)anditshouldnotberoutedanywhere;itisjustanvoidVLAN.
Whenahostconnectstoaswitchport,theswitchsendsalinkUptraptoPacketFence.Sinceittakes sometimebeforetheswitchlearnstheMACaddressofthenewlyconnecteddevice,PacketFence immediatelyputstheportintheMACdetectionVLANinwhichthedevicewillsendDHCPrequests (withnoanswer)inorderfortheswitchtolearnitsMACaddress.Thenpfsetvlanwillsendperiodical
Technicalintroductionto Copyright©2016Inverseinc. Out-of-bandenforcement 18 Chapter7
SNMPqueriestotheswitchuntiltheswitchlearnstheMACofthedevice.WhentheMACaddress isknown,pfsetvlanchecksitsstatus(existing?registered?anyviolations?)inthedatabaseand putstheportintheappropriateVLAN.Whenadeviceisunplugged,theswitchsendsalinkDown traptoPacketFencewhichputstheportintotheMACdetectionVLAN.
Whenacomputerboots,theinitializationoftheNICgeneratesseverallinkstatuschanges.And everytimetheswitchsendsalinkUpandalinkDowntraptoPacketFence.SincePacketFencehas toactoneachofthesetraps,thisgeneratesunfortunatelysomeunnecessaryloadonpfsetvlan. Inordertooptimizethetraptreatment,PacketFencestopseverythreadforalinkUptrapwhenit receivesalinkDowntraponthesameport.ButusingonlylinkUp/linkDowntrapsisnotthemost scalableoption.Forexampleincaseofpowerfailure,ifhundredsofcomputersbootatthesame time,PacketFencewouldreceivealotoftrapsalmostinstantlyandthiscouldresultinnetwork connectionlatency.
MACnotificationtraps
IfyourswitchessupportMACnotificationtraps(MAClearnt,MACremoved),wesuggestthatyou activatetheminadditiontothelinkUp/linkDowntraps.Thisway,pfsetvlandoesnotneed,after alinkUptrap,toquerytheswitchcontinuouslyuntiltheMAChasfinallybeenlearned.Whenit receivesalinkUptrapforaportonwhichMACnotificationtrapsarealsoenabled,itonlyneedsto puttheportintheMACdetectionVLANandcanthenfreethethread.Whentheswitchlearnsthe MACaddressofthedeviceitsendsaMAClearnttrap(containingtheMACaddress)toPacketFence.
PortSecuritytraps
Initsmostbasicform,thePortSecurityfeaturerememberstheMACaddressconnectedtothe switchportandallowsonlythatMACaddresstocommunicateonthatport.IfanyotherMAC addresstriestocommunicatethroughtheport,portsecuritywillnotallowitandsendaport- securitytrap.
Ifyourswitchessupportthisfeature,westronglyrecommendtouseitratherthanlinkUp/linkDown and/orMACnotifications.Why?BecauseaslongasaMACaddressisauthorizedonaportand istheonlyoneconnected,theswitchwillsendnotrapwhetherthedevicereboots,plugsinor unplugs.ThisdrasticallyreducestheSNMPinteractionsbetweentheswitchesandPacketFence.
WhenyouenableportsecuritytrapsyoushouldnotenablelinkUp/linkDownnorMACnotification traps.
Technicalintroductionto Copyright©2016Inverseinc. Out-of-bandenforcement 19 Chapter8
TechnicalintroductiontoHybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcementmode.Nowwiththenewhybridmode,allthedevicesthatsupports802.1XorMAC- authenticationcanworkwiththismode.Let’sseehowitworks.
Deviceconfiguration
YouneedtoconfigureinlineenforcementmodeinPacketFenceandconfigureyourswitch(es)/ accesspoint(s)tousetheVLANassignementtechniques(802.1XorMAC-authentication).Youalso needtotakecareofaspecificparameterintheswitchconfigurationwindow,"Triggertoenable inlinemode".Thisparameterisworkinglikeatriggerandyouhavethepossibilitytodefinedifferent sortoftriggers:
ALWAYS,PORT, where ALWAYS means that the device is always in inline mode, PORT MAC,SSID specifytheifIndexoftheportwhichwilluseinlineenforcement,MACamac addressthatwillbeputininlineenforcementtechniqueratherthanVLAN enforcementandSSIDanssidname.Anexample:
SSID::GuestAccess,MAC::00:11:22:33:44:55
ThiswilltriggerallthenodesthatconnectstotheGuestAccessSSIDtouseinlineenforcementmode (PacketFencewillreturnavoidVLANortheinlineVlanifdefinedinswitchconfiguration)andthe MACaddress00:11:22:33:44:55clientifitconnectsonanotherSSID.
Technicalintroduction Copyright©2016Inverseinc. toHybridenforcement 20 Chapter9
Configuration
Atthispointinthedocumentation,PacketFenceshouldbeinstalled.Youwouldalsohavechosen therightenforcementmethodforyouandcompletedtheinitialconfigurationofPacketFence.The followingsectionpresentskeyconceptsandfeaturesinPacketFence.
PacketFenceprovidesaweb-basedadministrationinterfaceforeasyconfigurationandoperational management.IfyouwentthroughPacketFence’sweb-basedconfigurationtool,youshouldhave setthepasswordfortheadminuser.
Once PacketFence is started, the administration interface is available at:https:// @ip_of_packetfence:1443/
ThenextkeystepsareimportanttounderstandhowPacketFenceworks.Inordertogetthesolution working, you must first understand and configure the following aspects of the solution in this specificorder:
1. roles-aroleinPacketFencewillbeeventuallybemappedtoaVLAN,anACLoranexternalrole. Youmustdefinetherolestouseinyourorganizationfornetworkaccess
2. authentication-oncerolesaredefined,youmustcreateanappropraiteauthenticationsourcein PacketFence.ThatwillallowPacketFencetocomputetherightroletobeusedforanendpoint, ortheuserusingit
3. network devices - once your roles and authentication sources are defined, you must add switches,WiFicontrollersorAPstobemananagedbyPacketFence.Whendoingso,youwill configurehowrolesarebeingmappedtoVLAN,ACLsorexternalroles
4. portal profiles - at this point, you are almost ready to test. You will need to set which authenticationsourcesaretobeusedonthedefaultcaptiveportal,orcreateanotheroneto suityourneeds
5. test!
Note
Ifyouplantouse802.1X-pleaseseetheFreeRADIUSConfigurationsectionbelow.
RolesManagement
RolesinPacketFencecanbecreatedfromPacketFenceadministrativeGUI-fromtheConfiguration →Users→Roles section. From this interface, you can also limit the number of devices users belongingtocertainrolescanregister.
Copyright©2016Inverseinc. Configuration 21 Chapter9
RolesaredynamicallycomputedbyPacketFence,basedontherules(ie.,asetofconditionsand actions)fromauthenticationsources,usingafirst-matchwinsalgorithm.Rolesarethenmatched toVLANorinternalrolesorACLonequipmentfromtheConfiguration→Network→Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods.Amongthesupportedmethods,thereare:
▪ ActiveDirectory
▪ Apachehtpasswdfile
▪ ExternalHTTPAPI
▪ Facebook(OAuth2)
▪ Github(OAuth2)
▪ Google(OAuth2)
▪ Kerberos
▪ LDAP
▪ LinkedIn(OAuth2)
▪ Null
▪ RADIUS
▪ SMS
▪ SponsoredEmail
▪ Twitter(OAuth2)
▪ WindowsLive(OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration→Users→Sourcessection.Alternatively(butnotrecommended),authentication sources,rules,conditionsandactionscanbeconfiguredfromconf/authentication.conf.
Eachauthenticationsourcesyoudefinewillhaveasetofrules,conditionsandactions.
Multiple authentication sources can be defined, and will be tested in the order specified (note thattheycanbereorderedfromtheGUIbydraggingitaround).Eachsourcecanhavemultiple rules,whichwillalsobetestedintheorderspecified.Rulescanalsobereordered,justlikesources. Finally,conditionscanbedefinedforaruletomatchcertaincriterias.Ifthecriteriasmatch(one
Copyright©2016Inverseinc. Configuration 22 Chapter9
ormore),actionarethenappliedandrulestestingstop,acrossallsourcesasthisisa"firstmatch wins"operation.
Whennoconditionisdefined,therulewillbeconsideredasafallback.Whenafallbackisdefined, allactionswillbeappliedforanyusersthatmatchintheauthenticationsource.
Onceasourceisdefined,itcanbeusedfromConfiguration→PortalProfiles.Eachportalprofile hasalistofauthenticationsourcestouse.
Example
Let’ssaywehavetworoles:guestandemployee.First,wedefinethemConfiguration→Users →Roles.
Now,wewanttoauthenticateemployeesusingActiveDirectory(overLDAP),andguestsusing PacketFence’sinternaldatabase-bothusingPacketFence’scaptiveportal.FromtheConfiguration →Users→Sources,weselectAddsource→AD.Weprovidethefollowinginformation:
▪ Name:ad1 ▪ Description:ActiveDirectoryforEmployees ▪ Host:192.168.1.2:389withoutSSL/TLS ▪ BaseDN:CN=Users,DC=acme,DC=local ▪ Scope:One-level ▪ UsernameAttribute:sAMAccountName ▪ BindDN:CN=Administrator,CN=Users,DC=acme,DC=local ▪ Password:acme123
Then,weaddarulebyclickingontheAddrulebuttonandprovidethefollowinginformation:
▪ Name:employees ▪ Description:Ruleforallemployees ▪ Don’tsetanycondition(asit’sacatch-allrule) ▪ Setthefollowingactions:
▪ Setroleemployee
▪ SetunregistrationdateJanuary1st,2020
Testthe connection and save everything. Using the newly defined source, any username that actuallymatchesinthesource(usingthesAMAccountName)willhavetheemployeeroleandan unregistrationdatesettoJanuary1st,2020.
Now,sincewewanttoauthenticateguestsfromPacketFence’sinternalSQLdatabase,accounts mustbeprovisionnedmanually.YoucandosofromtheUsers→Createsection.Whencreating guests,specify"guest"fortheSetroleaction,andsetanaccessdurationfor1day.
If you would like to differentiate user authentication and machine authentication using Active Directory,onewaytodoitisbycreatingasecondauthenticationsources,formachines:
▪ Name:ad1 ▪ Description:ActiveDirectoryforMachines ▪ Host:192.168.1.2:389withoutSSL/TLS ▪ BaseDN:CN=Computers,DC=acme,DC=local ▪ Scope:One-level
Copyright©2016Inverseinc. Configuration 23 Chapter9
▪ UsernameAttribute:servicePrincipalName ▪ BindDN:CN=Administrator,CN=Users,DC=acme,DC=local ▪ Password:acme123
Then,weaddarule:
▪ Name:*machines ▪ Description:Ruleforallmachines ▪ Don’tsetanycondition(asit’sacatch-allrule) ▪ Setthefollowingactions:
▪ Setrolemachineauth
▪ SetunregistrationdateJanuary1st,2020
Note
Whenaruleisdefinedasacatch-all,itwillalwaysmatchiftheusernameattribute matchesthequeriedone.ThisappliesforActiveDirectory,LDAPandApachehtpasswd filesources.KerberosandRADIUSwillactastruecatch-all,andaccepteverything.
Note
IfyouwanttouseotherLDAPattributesinyourauthenticationsource,addthemin Configuration→Advanced→CustomLDAPattributes.Theywillthenbeavailableinthe rulesyoudefine.
ExternalAPIauthentication
PacketFencealsosupportscallinganexternalHTTPAPIasanauthenticationsource.Theexternal APIneedstoimplementanauthenticationactionandanauthorizationaction.
Authentication
Thisshouldprovidetheinformationaboutwhetherornottheusername/passwordcombination isvalid
TheseinformationareavailablethroughthePOSTfieldsoftherequest
TheservershouldreplywithtwoattributesinaJSONresponse
▪ result:shouldbe1forsuccess,0forfailure ▪ message:shouldbethereasonitsucceededorfailed
ExampleJSONresponse:
{"result":1,"message":"Valid username and password"}
Copyright©2016Inverseinc. Configuration 24 Chapter9
Authorization
Thisshouldprovidetheactionstoapplyonauserbasedonit’sattributes
The following attributes are available for the reply : access_duration,access_level , sponsor, unregdate,category.
SampleJSONresponse,notethatnotallattributesarenecessary,onlysendbackwhatyouneed.
{"access_duration":"1D","access_level":"ALL","sponsor":1 ,"unregdate":"2030-01-01","category":"default"}
Note
See /usr/local/pf/addons/example_external_auth for an example implementation compatiblewithPacketFence.
PacketFenceconfiguration
InPacketFence,youneedtoconfigureanHTTPsourceinordertouseanexternalAPI.
Hereisabriefdescriptionofthefields:
▪ Host:First,theprotocol,thentheIPaddressorhostnameoftheAPIandlastlytheportto connecttotheAPI. ▪ APIusernameandpassword:IfyourAPIimplementsHTTPbasicauthentication(RFC2617)you canaddtheminthesefields.LeavinganyofthosetwofieldsemptywillmakePacketFencedo therequestswithoutanyauthentication. ▪ AuthenticationURL:URLrelativetothehosttocallwhendoingtheauthenticationofauser. Notethatitisautomaticallyprefixedbyaslash. ▪ AuthorizationURL:URLrelativetothehosttocallwhendoingtheauthorizationofauser.Note thatitisautomaticallyprefixedbyaslash.
SAMLauthentication
PacketFence supports SAML authentication in the captive portal in combination with another internalsourcetodefinethelevelofauthorizationoftheuser.
First,transfertheIdentityProvidermetadataonthePacketFenceserver.Inthisexample,itwillbe underthepath/usr/local/pf/conf/idp-metadata.xml.
Then, transfer the certificate and CA certificate of the Identity provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/ conf/ssl/idp-ca.crt.Ifitisaself-signedcertificate,thenyouwillbeabletouseitastheCAin thePacketFenceconfiguration.
Copyright©2016Inverseinc. Configuration 25 Chapter9
Then,toconfigureSAMLinPacketFence,goinConfiguration→Sourcesandthencreateanew InternalsourceofthetypeSAMLandconfigureit.
Where:
▪ ServiceProviderentityIDistheidentifieroftheServiceProvider(PacketFence).Makesurethis matchesyourIdentityProviderconfiguration. ▪ PathtoServiceProviderkeyisthepathtothekeythatwillbeusedbyPacketFencetosignits messagestotheIdentityProvider.Adefaultoneisprovidedunderthepath:/usr/local/pf/ conf/ssl/server.key ▪ PathtoServiceProvidercertisthepathtothecertificateassociatedtothekeyabove.Aself- signedoneisprovidedunderthepath:/usr/local/pf/conf/ssl/server.key ▪ PathtoIdentityProvidermetadataisthepathtothemetadatafileyoutransferedabove(should bein/usr/local/pf/conf/idp-metadata.xml) ▪ PathtoIdentityProvidercertisthepathtothecertificateoftheidentityprovideryoutransfered ontheserverabove(shouldbein/usr/local/pf/conf/ssl/idp.crt).
Copyright©2016Inverseinc. Configuration 26 Chapter9
▪ Path to Identity Provider CA cert is the path to the CA certificate of the identity provider youtransferedontheserverabove(shouldbein/usr/local/pf/conf/ssl/ca-idp.crt).Ifthe certificateaboveisself-signed,putthesamepathasaboveinthisfield. ▪ AttributeoftheusernameintheSAMLresponseistheattributethatcontainstheusername in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp. ▪ Authorizationsourceisthesourcethatwillbeusedtomatchtheusernameagainsttherules definedinit.Thisallowstosettheroleandaccessdurationoftheuser.TheAuthenticationsection ofthisdocumentcontainsexplanationsonhowtoconfigureanLDAPsourcewhichcanthen beusedhere.
Oncethisisdone,savethesourceandyouwillbeabletodownloadtheServiceProvidermetadata forPacketFenceusingthelinkDownloadServiceProvidermetadataonthepage.
Configure your identity provider according to the generated metadata to complete the Trust betweenPacketFenceandyourIdentityProvider.
In the case of SimpleSAMLPHP,the following configuration was used in metadata/saml20-sp- remote.php:
$metadata['PF_ENTITY_ID'] = array( 'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion', 'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff', );
Note
PacketFencedoesnotsupportlogoffontheSAMLIdentityProvider.Youcanstilldefine theURLinthemetadatabutitwillnotbeused.
Passthroughs
InorderforyouruserstobeabletoaccesstheIdentityProviderloginpage,youwillneedtoactivate passthroughsandaddtheIndentityProviderdomaintotheallowedpassthroughs.
Todoso,goinConfiguration→Trapping,thencheckPassthroughandaddtheIdentityProvider domainnametothePasshtroughslist.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1isconfiguredin/etc/sysctl.conf.
NetworkDevicesDefinition(switches.conf)
ThissectionappliesonlyforVLANenforcement.Usersplanningtodoinlineenforcementonlycan skipthissection.
PacketFenceneedstoknowwhichswitches,accesspointsorcontrollersitmanages,theirtypeand configuration.Allthisinformationisstoredin/usr/local/pf/conf/switches.conf.Youcanmodify
Copyright©2016Inverseinc. Configuration 27 Chapter9
theconfigurationdirectlyintheswitches.conffileoryoucandoitfromtheWebAdministration panelunderConfiguration→Network→Switches-whichisnowthepreferredway.
The/usr/local/pf/conf/switches.confconfigurationfilecontainsadefaultsectionincluding:
▪ DefaultSNMPread/writecommunitiesfortheswitches ▪ Defaultworkingmode(seethenotebelowaboutpossibleworkingmodes)
andaswitchsectionforeachswitch(managedbyPacketFence)including:
▪ SwitchIP/Mac/Range ▪ Switchvendor/type ▪ Switchuplinkports(trunksandnon-managedIfIndex) ▪ per-switchre-definitionoftheVLANs(ifrequired)
Note
switches.confisloadedatstartup.Areloadisrequiredwhenchangesaremanually madetothisfile/usr/local/pf/bin/pfcmd configreload.
Workingmodes
TherearethreedifferentworkingmodesforaswitchinPacketFence:
Testing pfsetvlanwritesinthelogfileswhatitwouldnormallydo,butit doesn’tdoanything.
Registration pfsetvlan automatically-register all MAC addresses seen on the switchports.Asintestingmode,noVLANchangesaredone.
Production pfsetvlan sends the SNMP writes to change the VLAN on the switchports.
RADIUS
Toset the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively,edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowing parameters:
radiusSecret = secretPassPhrase
Moreover,theRADIUSsecretisrequiredtosupporttheRADIUSDynamicAuthentication(Change ofauthorizationorDisconnect)asdefinedinRFC3576.
SNMPv1,v2candv3
PacketFenceusesSNMPtocommunicatewithmostswitches.PacketFencealsosupportsSNMP v3.YoucanuseSNMPv3forcommunicationinbothdirections:fromtheswitchtoPacketFence andfromPacketFencetotheswitch.SNMPusageisdiscouraged,youshouldnowuseRADIUS. However,evenifRADIUSisbeingused,someswitchesmightalsorequireSNMPtobeconfigured toworkproperlywithPacketFence.
Copyright©2016Inverseinc. Configuration 28 Chapter9
FromPacketFencetoaswitch
Edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:
SNMPVersion = 3 SNMPUserNameRead = readUser SNMPAuthProtocolRead = MD5 SNMPAuthPasswordRead = authpwdread SNMPPrivProtocolRead = AES SNMPPrivPasswordRead = privpwdread SNMPUserNameWrite = writeUser SNMPAuthProtocolWrite = MD5 SNMPAuthPasswordWrite = authpwdwrite SNMPPrivProtocolWrite = AES SNMPPrivPasswordWrite = privpwdwrite
FromaswitchtoPacketFence
Edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:
SNMPVersionTrap = 3 SNMPUserNameTrap = readUser SNMPAuthProtocolTrap = MD5 SNMPAuthPasswordTrap = authpwdread SNMPPrivProtocolTrap = AES SNMPPrivPasswordTrap = privpwdread
SwitchConfiguration
HereisaswitchconfigurationexampleinordertoenableSNMPv3inbothdirectionsonaCisco Switch.
snmp-server engineID local AA5ED139B81D4A328D18ACD1 snmp-server group readGroup v3 priv snmp-server group writeGroup v3 priv read v1default write v1default snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite snmp-server enable traps port-security snmp-server enable traps port-security trap-rate 1 snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-LineInterface:TelnetandSSH
Warning
PrivilegedetectionisdisabledinthecurrentPacketFenceversionduetosomeissues (see#1370).SomakesurethatthecliUserandcliPwdyouprovidealwaysgetyou intoaprivilegedmode(exceptforTrapezehardware).
Copyright©2016Inverseinc. Configuration 29 Chapter9
PackeFenceneedssometimestoestablishaninteractivecommand-linesessionwithaswitch.This canbedoneusingTelnet.YoucanalsouseSSH.Inordertodoso,edittheswitchconfigurationfile (/usr/local/pf/conf/switches.conf)andsetthefollowingparameters:
cliTransport = SSH (or Telnet) cliUser = admin cliPwd = admin_pwd cliEnablePwd =
ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfiguration→Switches.
WebServicesInterface
PackeFencesometimesneedstoestablishadialogwiththeWebServicescapabilitiesofaswitch. Inordertodoso,edittheswitchconfigfile(/usr/local/pf/conf/switches.conf)andsetthe followingparameters:
wsTransport = http (or https) wsUser = admin wsPwd = admin_pwd
ItcanalsobedonethroughtheWebAdministrationInterfaceunderConfiguration→Switches.
Role-basedenforcementsupport
Somenetworkdevicessupporttheassignmentofaspecificsetofrules(firewallorACLs)toauser. Theideaisthattheserulescanbealotmoreaccuratetocontrolwhatausercanorcannotdo comparedtoVLANwhichhavealargernetworkmanagementoverhead.
PacketFencesupportsassigningrolesondevicesforswitchesandWiFicontrollersthatsupport it.ThecurrentroleassignmentstrategyistoassignitalongwiththeVLAN(thatmaychangein thefuture).Aspecialinternalroletoexternalroleassignmentmustbeconfiguredintheswitch configurationfile(/usr/local/pf/conf/switches.conf).
Thecurrentformatisthefollowing:
Format:
Andyouassignittotheglobalrolesparameterortheper-switchone.Forexample:
adminRole=full-access engineeringRole=full-access salesRole=little-access
wouldreturnthefull-accessroletothenodescategorizedasadminorengineeringandtherole little-accesstonodescategorizedassales.ItcanalsobedonethroughtheWebAdministration InterfaceunderConfiguration→Switches.
Copyright©2016Inverseinc. Configuration 30 Chapter9
Caution
Makesurethattherolesareproperlydefinedonthenetworkdevicespriortoassigning roles!
PortalProfiles
PacketFencecomeswithadefaultportalprofile.Thefollowparametersareimportanttoconfigure nomatterifyouusethedefaultportalprofileorcreateanewone:
▪ RedirectURLunderConfiguration→PortalProfile→PortalName
Forsomebrowsers,itispreferabletoredirecttheusertoaspecificURLinsteadoftheURLthe useroriginallyintendedtovisit.Forthesebrowsers,theURLdefinedinredirecturlwillbethe onewheretheuserwillberedirected.AffectedbrowsersareFirefox3andlater.
▪ IPunderConfiguration→Captiveportal
ThisIPisusedasthewebserverwhohoststhecommon/network-access-detection.gifwhich isusedtodetectifnetworkaccesswasenabled.Itcannotbeadomainnamesinceitisusedin registrationorquarantinewhereDNSisblack-holed.Itisrecommendedthatyouallowyourusers toreachyourPacketFenceserverandputyourLAN’sPacketFenceIP.Bydefaultwewillmakethis reachPacketFence’swebsiteasaneasierandmoreaccessiblesolution.
Insomecases,youmaywanttopresentadifferentcaptiveportal(seebelowfortheavailable customizations)accordingtotheSSID,theVLAN,theswitchIP/MACortheURItheclientconnects to.Todoso,PacketFencehastheconceptofportalprofileswhichgivesyouthispossibility.
Whenconfigured,portalprofileswilloverridedefaultvaluesforwhichitisconfigured.Whenno valuesareconfiguredintheprofile,PacketFencewilltakeitsdefaultones(accordingtothe"default" portalprofile).
Herearethedifferentconfigurationparametersthatcanbesetforeachportalprofiles.Theonly mandatoryparameteris"filter",otherwise,PacketFencewon’tbeabletocorrectlyapplytheportal profile.Theparametersmustbesetinconf/profiles.conf:
[profilename1] description = the description of your portal profile filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number sources = comma-separated list of authentications sources (IDs) to use
Portal profiles should be managed from PacketFence’s Web administrative GUI - from the Configuration→PortalProfilessection.Addingaportalprofilefromthatinterfacewillcorrectly copytemplatesover-whichcanthenbemodifiedasyouwish.
▪ FiltersunderConfiguration→PortalProfile→PortalName→Fitlers
PacketFenceoffersthefollowingfilters:ConnectionType,Network,NodeRole,Port,realm,SSID, Switch,SwitchPort,URI,VLANandTimeperiod.
Copyright©2016Inverseinc. Configuration 31 Chapter9
Examplewiththemostcommonones:
▪ SSID:Guest-SSID
▪ VLAN:100
▪
▪ SwitchPort:
▪ Network:NetworkinCIDRformatoranIPaddress
Caution
Noderolewilltakeeffectonlywitha802.1xconnectionorifyouuseVLANfilters.
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence´s Apache configuration are located in /usr/local/pf/conf/ httpd.conf.d/.
Inthisdirectoryyouhavethreeimportantfiles:httpd.admin,httpd.portal,httpd.webservices, httpd.aaa.
▪ httpd.adminisusedtomanagePacketFenceadmininterface
▪ httpd.portalisusedtomanagePacketFencecaptiveportalinterface
▪ httpd.webservicesisusedtomanagePacketFencewebservicesinterface
▪ httpd.aaaisusetomanageincomingRADIUSrequest
ThesefileshavebeenwrittenusingthePerllanguageandarecompletelydynamic-sotheyactivate servicesonlyonthenetworkinterfacesprovidedforthispurpose.
TheotherfilesinthisdirectoryaremanagedbyPacketFenceusingtemplates,soitiseasytomodify thesefilesbasedonyourconfiguration.SSLisenabledbydefaulttosecureaccess.
UponPacketFenceinstallation,self-signedcertificateswillbecreatedin/usr/local/pf/conf/ssl (server.keyandserver.crt).Thosecertificatescanbereplacedanytimebyyour3rd-partyor existingwildcardcertificatewithoutproblems.PleasenotethattheCN(CommonName)needsto bethesameastheonedefinedinthePacketFenceconfigurationfile(pf.conf).
FreeRADIUSConfiguration
ThissectionpresentstheFreeRADIUSconfigurationsteps.Insomeoccasions,aRADIUSserver ismandatoryinordertogiveaccesstothenetwork.Forexample,theusageofWPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticatetheusersandthedevices,andthentopushtheproperrolesorVLANattributesto thenetworkequipment.
Copyright©2016Inverseinc. Configuration 32 Chapter9
Option1:AuthenticationagainstActiveDirectory(AD)
Caution
If you are using an Active/Active or Active/Passive cluster, please follow the instructionsunderOption1bsincetheinstructionsbelowdonotcurrentlyworkina cluster.
Inordertohavedomainauthenticationworkingproperly,youneedtoenableIPforwardingonyour server.Todoitpermanently,lookinthe/etc/sysctl.conf,andsetthefollowingline:
# Controls IP packet forwarding net.ipv4.ip_forward = 1
Nowexecutesysctl -ptoapplytheconfiguration
Next,gointheAdministrationinterfaceunderConfiguration→Domains.
Note
Ifyoucan’taccessthissectionandyouhavepreviouslyconfiguredyourservertobind toadomainexternallytoPacketFence,makesureyourun/usr/local/pf/addons/AD/ migrate.pl
ClickAddDomainandfillintheinformationsaboutyourdomain.
Copyright©2016Inverseinc. Configuration 33 Chapter9
Where:
▪ Identifierisauniqueidentifierforyourdomain.It’spurposeisonlyvisual.
▪ Workgroupistheworkgroupofyourdomainintheoldsyntax(likeNT4).
▪ DNSnameofthedomainistheFQDNofyourdomain.Theonethatsuffixesyouraccountnames.
▪ Thisserver’snameisthenamethattheserver’saccountwillhaveinyourActiveDirectory.
▪ DNSserveristheIPaddressoftheDNSserverofthisdomain.Makesurethattheserveryou puttherehastheproperDNSentriesforthisdomain.
▪ Usernameistheusernamethatwillbeusedforbindingtotheserver.Thisaccountmustbea domainadministrator.
▪ Passwordisthepasswordfortheusernamedefinedabove.
Copyright©2016Inverseinc. Configuration 34 Chapter9
Troubleshooting
▪ In order to troubleshoot unsuccessful binds, please refer to the following file : /chroots/
▪ Youcanvalidatethedomainbindusingthefollowingcommand:chroot /chroots/
▪ You can test the authentication process using the following command chroot /chroots/
Note
Undercertainconditions,thetestjoinmayshowasunsuccessfulintheAdministration interfacebuttheauthenticationprocesswillstillworkproperly.Trythetestabove beforedoinganyadditionnaltroubleshooting
Defaultdomainconfiguration
Youshouldnowdefinethedomainyouwanttouseasthedefaultonebycreatingthefollowing realminConfiguration→Realms
Next,restartPacketFenceinStatus→Services Multipledomainsauthentication
FirstconfigureyourdomainsinConfiguration→Domains.
Oncetheyareconfigured,goinConfiguration→Realms.
Copyright©2016Inverseinc. Configuration 35 Chapter9
CreateanewrealmthatmatchestheDNSnameofyourdomainANDonethatmatchesyour workgroup.Inthecaseofthisexample,itwillbeDOMAIN.NETandDOMAIN.
Where:
▪ RealmiseithertheDNSname(FQDN)ofyourdomainortheworkgroup
▪ RealmoptionsareanyrealmoptionsthatyouwanttoaddtotheFreeRADIUSconfiguration
▪ Domainisthedomainwhichisassociatedtothisrealm
Nowcreatethetwootherrealmsassociatedtoyourotherdomains.
Youshouldnowhavethefollowingrealmconfiguration
Copyright©2016Inverseinc. Configuration 36 Chapter9
Option1b:AuthenticationagainstActiveDirectory (AD)inacluster
Samba/Kerberos/Winbind
InstallSamba.YoucaneitherusethesourcesorusethepackageforyourOS.ForRHEL/CentOS,do:
yum install samba krb5-workstation
ForDebianandUbuntu,do:
apt-get install samba winbind krb5-user
Note
IfyouhaveWindows7PCsinyournetwork,youneedtouseSambaversion3.5.0 (orgreater).
WhendonewiththeSambainstall,modifyyour/etc/hostsinordertoaddtheFQDNofyour ActiveDirectoryservers.Then,youneedtomodify/etc/krb5.conf.Hereisanexampleforthe DOMAIN.NETdomainforCentos/RHEL:
Copyright©2016Inverseinc. Configuration 37 Chapter9
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
[libdefaults] default_realm = DOMAIN.NET dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes
[realms] DOMAIN.NET = { kdc = adserver.domain.net:88 admin_server = adserver.domain.net:749 default_domain = domain.net } [domain_realm] .domain.net = DOMAIN.NET domain.net = DOMAIN.NET
[appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
ForDebianandUbuntu:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = DOMAIN.NET ticket_lifetime = 24h forwardable = yes [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }
Next,edit/etc/samba/smb.conf.Again,hereisanexampleforourDOMAIN.NETforCentos/RHEL:
Copyright©2016Inverseinc. Configuration 38 Chapter9
[global] workgroup = DOMAIN server string = %h security = ads passdb backend = tdbsam realm = DOMAIN.NET encrypt passwords = yes winbind use default domain = yes client NTLMv2 auth = yes preferred master = no domain master = no local master = no load printers = no log level = 1 winbind:5 auth:3 winbind max clients = 750 winbind max domain connections = 15 machine password timeout = 0
ForDebianandUbuntu:
[global] workgroup = DOMAIN server string = Samba Server Version %v security = ads realm = DOMAIN.NET password server = 192.168.1.1 domain master = no local master = no preferred master = no winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 machine password timeout = 0
IssueakinitandklistinordertogetandverifytheKerberostoken:
# kinit administrator # klist
Afterthat,youneedtostartsamba,andjointhemachinetothedomain:
Copyright©2016Inverseinc. Configuration 39 Chapter9
# service smb start # chkconfig --level 345 smb on # net ads join -U administrator
NotethatforDebianandUbuntuyouwillprobablyhavethiserror:
# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials # Join to domain is not valid: Invalid credentials
ForCentos/RHEL:
# usermod -a -G wbpriv pf
Finally,startwinbind,andtestthesetupusingntlm_authandradtest:
# service winbind start # chkconfig --level 345 winbind on
ForDebianandUbuntu:
# usermod -a -G winbindd_priv pf # ntlm_auth --username myDomainUser # radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123 Sending Access-Request of id 108 to 127.0.0.1 port 18120 User-Name = "myDomainUser" NAS-IP-Address = 10.0.0.1 NAS-Port = 12 Message-Authenticator = 0x00000000000000000000000000000000 MS-CHAP-Challenge = 0x79d62c9da4e55104 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5 rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option2:LocalAuthentication
Addyouruser’sentriesattheendofthe/usr/local/pf/raddb/usersfilewiththefollowingformat:
username Cleartext-Password := "password"
Option3:EAPauthenticationagainstOpenLDAP
Toauthenticate802.1xconnectionagainstOpenLDAPyouneedtodefinetheldapconnectionin /usr/local/pf/raddb/modules/ldapandbesurethattheuserpasswordisdefineasaNTHASH orascleartext.
Copyright©2016Inverseinc. Configuration 40 Chapter9
ldap openldap { server = "ldap.acme.com" identity = "uid=admin,dc=acme,dc=com" password = "password" basedn = "dc=district,dc=acme,dc=com" filter = "(uid=%{mschap:User-Name})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no
keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60
# LDAP_OPT_X_KEEPALIVE_PROBES probes = 3
# LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } }
Next in/usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:
authorize { suffix ntdomain eap { ok = return } files openldap }
Option4:EAPGuestAuthenticationonemail,sponsor andSMSregistration
Thissectionwillallowlocalcredentialscreatedduringguestregistrationtobeusedin802.1xEAP- PEAPconnections.
FirstcreateaguestSSIDwiththeguestaccessyouwanttouse(Email,SponsororSMS,…)and activateCreatelocalaccountonthatsource.
Attheendoftheguestregistration,PacketFencewillsendanemailwiththecredentialsforEmail andSponsor.ForSMSthephonenumberandthePINcodeshouldbeused.
Copyright©2016Inverseinc. Configuration 41 Chapter9
Note
Thisoptiondoesn’tcurrentlyworkwiththeReusedot1xcredentialsoptionofthecaptive portal.
In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line # packetfence- local-authandrestartradiusd.
ThiswillactivatethefeatureforanylocalaccountonthePacketFenceserver.Youcanrestrictwhich accounts can be used by commenting the appropriate line in/usr/local/pf/raddb/policy.d/ packetfence.Forexample,ifyouwouldwanttodeactivatethisfeatureforaccountscreatedvia SMS,youwouldhavethefollowing:
packetfence-local-auth { # Disable ntlm_auth update control { &MS-CHAP-Use-NTLM-Auth := No } # Check password table for local user pflocal if (fail || notfound) { # Check password table with email and password for a sponsor registration pfguest if (fail || notfound) { # Check password table with email and password for a guest registration pfsponsor if (fail || notfound) { # *Don't* check activation table with phone number and PIN code # pfsms <--- This line was commented out if (fail || notfound) { update control { &MS-CHAP-Use-NTLM-Auth := Yes } } } } } }
Note
For this feature to work, the users' passwords must be stored in cleartext in the database.Thisisconfigurableviaadvanced.hash_passwords.
Option5:EAPLocaluserAuthentication
ThegoalhereistousethelocaluseryoucreatedintheadminGUIforEAPauthentication.The logicisexactlythesamethaninoption4,thedifferenceisthatweuseanotherSSIDandweonly uselocalaccounts.
Copyright©2016Inverseinc. Configuration 42 Chapter9
Edit/usr/local/pf/raddb/sites-available/packetfence-tunnel
InthisexampleweactivatethisfeatureonaspecificSSIDname(Secure-local-Wireless),disabled bydefaultNTLMAuthandtestlocalaccount.IfitfailledthenwereactivateNTLMAuth.
####Activate local user eap authentication based on a specific SSID #### ## Set Called-Station-SSID with the current SSID # set.called_station_ssid # if (Called-Station-SSID == 'Secure-local-Wireless') { ## Disable ntlm_auth # update control { # MS-CHAP-Use-NTLM-Auth := No # } ## Check password table for local user # pflocal # if (fail || notfound) { # update control { # MS-CHAP-Use-NTLM-Auth := Yes # } # } # }
Caution
Youwillneedtodeasactivatepasswordhashinginthedatabaseforlocalauthentication to work. In the administration interface, go in Configuration → Advanced and set Databasepasswordshashingmethodtoplaintext
Tests
TestyoursetupwithradtestusingthefollowingcommandandmakesureyougetanAccess- Acceptanswer:
# radtest dd9999 Abcd1234 localhost:18120 12 testing123 Sending Access-Request of id 74 to 127.0.0.1 port 18120 User-Name = "dd9999" User-Password = "Abcd1234" NAS-IP-Address = 255.255.255.255 NAS-Port = 12 rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
PortalModules
ThePacketFencecaptiveportalflowishighlycustomizable.ThissectionwillcoverthePortalModules whichareusedtodefinethebehaviorofthecaptiveportal.
Copyright©2016Inverseinc. Configuration 43 Chapter9
Note
Whenupgradingfromaversionthatdoesn’thavetheportalmodules,thePacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisionerswillbeused.
First,abriefdescriptionoftheavailablePortalModules:
▪ Root:Thisiswhereitallstarts,thismoduleisasimplecontainerthatdefinesallthemodules thatneedtobeappliedinachainedwaytotheuser.Oncetheuserhascompletedallmodules containedintheRoot,heisreleasedonthenetwork.
▪ Choice: This allows to give a choice between multiple modules to the user. The default_registration_policyisagoodexampleofachoicethatisofferedtotheuser.
▪ Chained:Thisallowsyoutodefinealistofmodulesthatauserneedstogothroughintheorder thattheyaredefined-ex:youwantyouruserstoregisterviaGoogle+andpayfortheiraccess usingPayPal.
▪ Message:Thisallowsyoutodisplayamessagetotheuser.Anexampleisavailablebelowin Displayingamessagetotheuseraftertheregistration
▪ Authentication:Theauthenticationmodulescanbeofalotoftypes.Youwouldwanttodefine oneofthesemodules,inordertooverridetherequiredfields,thesourcetouse,thetemplate oranyothermoduleattribute.
▪ Billing:Allowstodefineamodulebasedononeormorebillingsources
▪ Choice:Allowstodefineamodulebasedonmultiplesourcesandmoduleswithadvanced filteringoptions.SeethesectionAuthenticationChoicemodulebelowforadetailedexplanation.
▪ Login:Allowsyoutodefineausername/passwordbasedmodulewithmultipleinternalsources (ActiveDirectory,LDAP,…)
▪ Othermodules:Theothermodulesareallbasedonthesourcetypetheyareassignedto,they allowtoselectthesource,theAUPacceptance,andmandatoryfieldsifapplicable.
Examples
Thissectionwillcontainthefollowingexamples:
▪ Promptingforfieldswithoutauthentication.
▪ Promptingadditionnalfieldsduringtheauthentication.
▪ Chainedauthentication.
▪ MixingloginandSecureSSIDon-boardingontheportal.
▪ Displayingamessagetotheuseraftertheregistration.
Copyright©2016Inverseinc. Configuration 44 Chapter9
Creatingacustomrootmodule
First,createacustomrootmoduleforourexamplesinordertonotaffectthedefaultpolicy.In ordertodoso,goinConfiguration→PortalModules,thenclickAddPortalModuleandselectthe typeRoot.Giveittheidentifiermy_first_root_moduleandthedescriptionMy first root module, thenhitsave.
Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default)andthenunderRootPortalModule,assignMy first root modulethensaveyourprofile. Ifyouweretoaccessthecaptiveportalnow,anerrorwoulddisplaysincetheRootmodulewe configureddoesn’tcontainanything.
YoucouldaddsomeofthepreconfiguredmodulestothenewRootmoduleyoucreatedandthat wouldmaketheerrordisapear. Promptingforfieldswithoutauthentication
Inordertopromptfieldswithoutauthentication,youcanusetheNullsourcewiththeNullPortal Module.
PacketFencealreadycomeswithaNullsourcepreconfigured.Ifyouhaven’tmodifieditordeleted it,youcanuseitforthisexample.Otherwise,goinConfiguration→SourcesandcreateanewNull sourcewithacatchallrulethatassignsaroleandaccessduration.
ThengoinConfiguration→PortalModulesandclickAddPortalModuleandselectAuthentication→ Null.SettheIdentifiertoprompt_fieldsandconfigurethemodulewiththeMandatoryfieldsyou wantanduncheckRequireAUPsothattheuserdoesn’thavetoaccepttheAUPbeforesubmitting thesefields.
Next,addtheprompt_fieldsmoduleinmy_first_root_module(removinganypreviousmodules) andsaveit.Nowwhenvisitingtheportal,itshouldpromptyouforthefieldsyoudefineinthe
Copyright©2016Inverseinc. Configuration 45 Chapter9
module.Then,submittingtheseinformationswillassignyoutheroleandaccessdurationthatyou definedinthenullsource.
Promptingadditionnalfieldsduringtheauthentication
Ifyouwanttopromptadditionnalfieldsduringtheauthenticationprocessforamodule,youcan defineaModulebasedonthatsourcethatwillspecifytheadditionnalmandatoryfieldsforthis source.
Youcanalsoaddadditionnalmandatoryfieldstothedefaultpoliciesthatarealreadyconfigured.
Thisexamplewillmakethedefault_guest_policyrequiretheusertoenterafirstname,lastname andaddresssothatguestshavetoenterthesethreeinformationsbeforeregistering.
Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastnameandaddresstotheMandatoryfieldsandsave.
Next,addthedefault_guest_policytomy_first_root_module(removinganypreviousmodules). Nowwhenvisitingtheportal,selectinganyoftheguestsourceswillrequireyoutoenterboththe mandatoryfieldsofthesource(ex:phone+mobileprovider)andthemandatoryfieldsyoudefined inthedefault_guest_policy.
Note
Notallsourcessupportadditionnalmandatoryfields(ex:OAuthsourceslikeGoogle, Facebook,…).
Chainedauthentication
Theportalmodulesallowyoutochaintwoormoremodulestogetherinordertomaketheuser accomplishalloftheactionsinthemoduleinthedesiredsequence.
ThisexamplewillallowyoutoconfigureaChainedmodulethatwillrequiretheusertologinvia anyconfiguredOAuthsource(Github,Google+,…)andthenvalidatehisphonenumberusingSMS registration.
FortheOAuthloginwewillusethedefault_oauth_policy,sojustmakesureyouhaveanOAuth sourceconfiguredcorrectlyandavailableinyourPortalProfile.
Then,wewillcreateamodulethatwillcontainthedefinitionofourSMSregistration.
GoinConfiguration→PortalModulesthenclickAddPortalModuleandselectAuthentication→SMS.
ConfiguretheportalmodulesothatitusesthesmssourceandunchecktheRequireAUPoption sincetheuserwillhavealreadyacceptedtheAUPwhenregisteringusingOAuth.
Copyright©2016Inverseinc. Configuration 46 Chapter9
Then,addanotherPortalModuleoftypeChained.Nameitchained_oauth_sms,assignarelevant descriptionandthenadddefault_oauth_policyandsmstotheModulesfields
Copyright©2016Inverseinc. Configuration 47 Chapter9
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules)andsaveit.Nowwhenvisitingtheportal,youshouldhavetoauthenticationusingan OAuthsourceandthenusingSMSbasedregistration. MixingloginandSecureSSIDon-boardingontheportal
Thisexamplewillguideyouthroughconfiguringaportalflowthatwillallowfordevicestoaccess anopenSSIDusinganLDAPusername/passwordbutalsogivethechoicetoconfiguretheSecure SSIDdirectlyfromtheportal.
First,weneedtoconfiguretheprovisionersfortheSecureSSIDonboarding.RefertosectionApple andAndroidWirelessProvisioningofthisguidetoconfigureyourprovisionersandaddthemtothe portalprofile.
CreateaprovisionerofthetypeDenyandadditwithyourotherprovisioners(puttinganyother provisionerbeforeit).Thiswillmakesurethatifthereisnomatchontheotherprovisioners,itwill notallowthedevicethrough.
AlsointheportalprofileaddyourLDAPsourcetotheavailablesourcessoitstheonlyoneavailable.
Next,createaProvisioningportalmodulebygoinginConfiguration→PortalModules.SettheIdentifier tosecure_boardingandthedescriptiontoBoard Secure SSID.AlsouncheckSkipablesotheuser isforcedtoboardtheSSIDshoulditchoosethisoption.
Then,stillinthePortalModules,createaChoicemodule.SettheIdentifiertologin_or_boardingand descriptiontoLoginorBoarding.Addsecure_boardinganddefault_login_policytotheModules fieldandsave.
Copyright©2016Inverseinc. Configuration 48 Chapter9
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules)andsaveit.Nowwhenvisitingtheportal,youwillhavethechoicebetweenlogintothe LDAPsourceandgainaccesstothenetworkordirectlyuseprovisioninginordertoconfigureyour deviceforaSecureSSID.
Displayingamessagetotheuseraftertheregistration=
UsingtheMessagemoduleyoucandisplayacustommessagetotheuser.Youcanalsocustomize thetemplatetodisplayinordertodisplayafullycustompage.
GoinConfiguration→PortalModules,thenclickAddPortalModuleandselectMessage.Setthe Identifiertohello_worldandthedescriptiontoHello World.
ThenputthefollowingintheMessagefield
Hello World ! Click here to access the PacketFence website!
Next, add default_registration_policy and hello_world in the Modules of my_first_root_module(removinganypreviousmodules)andsaveit.Nowwhenvisitingtheportal, youshouldhavetoauthenticateusingthesourcesdefinedinyourportalprofileandyouwillthen seethehelloworldmessage.
Copyright©2016Inverseinc. Configuration 49 Chapter9
AuthenticationChoicemodule(advanced)
The Authentication Choice module allows to define a choice between multiple sources using advancedfilteringrules,manualselectionofthesourcesandselectionofPortalModules.
AllthesourcesthataredefinedintheSourcesfieldwillbeavailableforusagebytheuser.Same goesforthemodulesdefinedinModules.
Youcanalsodefinewhichmandatoryfieldsyouwanttopromptfortheseauthenticationchoices. AlthoughyoucanstillconfigurethemonanyAuthenticationChoicemodule,theywillonlybeshown iftheyareapplicabletothesource.
InadditiontothemanualselectionaboveyoucandynamicallyselectsourcespartofthePortal Profilebasedontheirobjectattribute(ObjectClass,Authenticationtype,AuthenticationClass).
Note
Youcanfindalltheauthenticationobjectsinlib/pf/Authentication/Source
▪ Sourcesbyclass:Allowsyoutospecifytheperlclassnameofthesourcesyouwantavailable
▪ ex:pf::Authentication::Source::SMSSource will select all the SMS sources. pf::Authentication::Source::BillingSourcewillselectallthebillingsources(Paypal,Stripe, …)
▪ Sourcesbytype:AllowsyoutofilteroutsourcesusingthetypeattributeoftheAuthentication object
▪ Sources by Auth Class: Allows you to filter our sources using the class attribute of the Authenticationobject.
Copyright©2016Inverseinc. Configuration 50 Chapter9
Youcanseethedefault_guest_policyanddefault_oauth_policyforexamplesofthismodule.
Copyright©2016Inverseinc. Configuration 51 Chapter10
Debugging
Logfiles
HerearethemostimportantPacketFencelogfiles:
▪ /usr/local/pf/logs/packetfence.log—PacketFenceCoreLog ▪ /usr/local/pf/logs/httpd.portal.access—Apache–CaptivePortalAccessLog ▪ /usr/local/pf/logs/httpd.portal.error—Apache–CaptivePortalErrorLog ▪ /usr/local/pf/logs/httpd.admin.access—Apache–WebAdmin/ServicesAccessLog ▪ /usr/local/pf/logs/httpd.admin.error—Apache–WebAdmin/ServicesErrorLog ▪ /usr/local/pf/logs/httpd.webservices.access—Apache–WebservicesAccessLog ▪ /usr/local/pf/logs/httpd.webservices.error—Apache–WebservicesErrorLog ▪ /usr/local/pf/logs/httpd.aaa.access—Apache–AAAAccessLog ▪ /usr/local/pf/logs/httpd.aaa.error—Apache–AAAErrorLog
Thereareotherlogfilesin/usr/local/pf/logs/thatcouldberelevantdependingonwhatissue youareexperiencing.Makesureyoutakealookatthem.
Themainloggingconfigurationfileis/usr/local/pf/conf/log.conf.Itcontainstheconfiguration forthepacketfence.logfile(Log::Log4Perl)andyounormallydon’tneedtomodifyit.Thelogging configurationfilesforeveryservicearelocatedunder/usr/local/pf/conf/log.conf.d/.
RADIUSDebugging
First,checktheFreeRADIUSlogs.Thefileislocatedat/usr/local/pf/logs/radius.log.
Ifthisdidn’thelp,runFreeRADIUSindebugmode.Todoso,startitusingthefollowingcommands.
Fortheauthenticationradiusprocess:
# radiusd -X -d /usr/local/pf/raddb -n auth
Fortheaccountingradiusprocess:
# radiusd -X -d /usr/local/pf/raddb -n acct
Copyright©2016Inverseinc. Debugging 52 Chapter10
Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon.PacketFence’sFreeRADIUSispreconfiguredwithsuchsupport.
Inordertohaveanoutputfromraddebug,youneedtoeither:
a. Makesureuserpfhasashellin/etc/passwd,add/usr/sbintoPATH(export PATH=/usr/sbin: $PATH)andexecuteraddebugaspf
b. Runraddebugasroot(lesssecure!)
Nowyoucanrunraddebugeasily:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
TheabovewilloutputFreeRADIUS'authenticationdebuglogsfor5minutes.
Usethefollowingtodebugradiusaccounting:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock
Seeman raddebugforalltheoptions.
Copyright©2016Inverseinc. Debugging 53 Chapter11
MoreonVoIPIntegration
VoIPhasbeengrowinginpopularityonenterprisenetworks.Atfirstsight,theITadministratorsthink thatdeployingVoIPwithaNACposesahugecomplicatedchallengetoresolve.Infact,depending ofthehardwareyouhave,notreally.Inthissection,wewillseewhy.
CDPandLLDPareyourfriend
ForthoseofyouwhoareunawareoftheexistenceofCDPorLLDP(orLLDP-MED),Isuggest youstartreadingonthistopic.CiscoDiscoveryProtocol(CDP)isdevice-discoveryprotocolthat runsonallCisco-manufacturedequipmentincludingrouters,accessservers,bridges,andswitches. UsingCDP,adevicecanadvertiseitsexistencetootherdevicesandreceiveinformationabout otherdevicesonthesameLANorontheremotesideofaWAN.IntheworldofVoIP,CDPisable todetermineiftheconnectingdeviceisanIPPhoneornot,andtelltheIPPhonetotagitsethernet frameusingtheconfiguredvoiceVLANontheswitchport.
Onmanyothervendors,youarelikelytofindLLDPorLLDP-MEDsupport.LinkLayerDiscovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by networkdevicesforadvertisingtheiridentity,capabilities,andneighbors.SameasCDP,LLDPcan tellanIPPhonewhichVLANidisthevoiceVLAN.
VoIPandVLANassignmenttechniques
As you already know, PacketFence supports many VLAN assignment techniques such as port- security,macauthenticationor802.1X.Let’sseehowVoIPisdoingwitheachofthose.
Port-security
Using port-security, the VoIP device rely on CDP/LLDP to tag its ethernet frame using the configuredvoiceVLANontheswitchport.Afterthat,weensurethatasecuritytrapissentfrom thevoiceVLANsothatPacketFencecanauthorizethemacaddressontheport.WhenthePC connects,anothersecuritytrapwillbesent,butfromthedataVLAN.Thatway,wewillhave1mac addressauthorizedonthevoiceVLAN,and1ontheaccessVLAN.
Copyright©2016Inverseinc. MoreonVoIPIntegration 54 Chapter11
Note
Not all vendors support VoIP on port-security, please refer to the Network ConfigurationGuide.
MACAuthenticationand802.1X Ciscohardware
OnCiscoswitches,wearelookingatthemulti-domainconfiguration.Themulti-domainmeansthat wecanhaveonedeviceontheVOICEdomain,andonedeviceontheDATAdomain.Thedomain assignmentisdoneusingaCiscoVSA.Whenthephoneconnectstotheswitchport,PacketFence willrespondwiththeproperVSAonly,noRADIUStunneledattributes.CDPthentellsthephone totagitsethernetframesusingtheconfiguredvoiceVLANontheport.WhenaPCconnects,the RADIUSserverwillreturntunneledattributes,andtheswitchwillplacetheportintheprovided accessVLAN. Non-Ciscohardware
Onothervendorhardware,itispossibletomakeVoIPworkusingRADIUSVSAs.Whenaphone connectstoaswitchport,PacketFenceneedstoreturntheproperVSAtotelltheswitchtoallow taggedframesfromthisdevice.WhenthePCwillconnect,wewillbeabletoreturnstandard RADIUStunnelattributestotheswitch,thatwillbetheuntaggedVLAN.
Note
Again,refertotheNetworkConfigurationGuidetoseeifVoIPissupportedonyour switchhardware.
WhatifCDP/LLDPfeatureismissing
Itispossiblethatyourphonedoesn’tsupportCDPorLLDP.Ifit’sthecase,youareprobablylooking atthe"DHCPway"ofprovisionningyourphonewithavoiceVLAN.Somemodelswillaskfora specificDHCPoptionsothattheDHCPservercangivethephoneavoiceVLANid.Thephonewill thenreboot,andtagitsethernetframeusingtheprovidedVLANtag.
InordertomakethisscenarioworkwithPacketFence,youneedtoensurethatyoutweakthe registrationandyourproductionDHCPservertoprovidetheDHCPoption.Youalsoneedtomake surethereisavoiceVLANproperlyconfiguredontheport,andthatyouauto-registeryourIP Phones(Onthefirstconnect,thephonewillbeassignedontheregistrationVLAN).
Copyright©2016Inverseinc. MoreonVoIPIntegration 55 Chapter12
Advancedtopics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFencemanuallyusingitsconfigurationfilesinsteadofitsWebadministrativeinterface.Itis stillrecommendedtousetheWebinterface.
Inanycase,the/usr/local/pf/conf/pf.conffilecontainsthePacketFencegeneralconfiguration. Forexample,thisistheplacewhereweinformPacketFenceitwillworkinVLANisolationmode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/ pf.conf.defaults.
Inordertooverrideadefaultparameter,defineitandsetitinpf.conf.
/usr/local/pf/conf/documentation.confholdsthecompletelistofallavailableparameters.
Alltheseparametersarealsoaccessiblethroughtheweb-basedadministrationinterfaceunderthe Configurationtab.Itishighlyrecommendedthatyouusetheweb-basedadministrationinterface ofPacketFenceforanyconfigurationchanges.
AppleandAndroidWirelessProvisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this featurebyimportingthewirelessprofilewiththeAndroidPacketFenceAgent.Infact,installingsuch fileonyourAppledevicewillautomaticallyconfigurethewirelesssettingsforagivenSSID.This featureisoftenusedwhentheSSIDishidden,andyouwanttoeasetheconfigurationstepson themobiledevice(becauseitisoftenpainfultoconfiguremanually).InPacketFence,wearegoing further,wegeneratetheprofileaccordingtotheadministrator’spreferenceandwepre-populatethe filewiththeuser’scredentials(withoutthepassword).Theusersimplyneedstoinstallitsgenerated fileandhewillbeabletousethenewSSID.
Configurethefeature
Firstofall,youneedtoconfiguretheSSIDthatyourdeviceswilluseaftertheygothoughthe authenticationprocess.
Inordertodothat,intheadministrationinterface,goinConfiguration/Provisioners.Thenselectthe androidprovisioner.EntertheSSIDandsave.
NowdothesamethingfortheiOSprovisioner.
Copyright©2016Inverseinc. Advancedtopics 56 Chapter12
After,yousimplyneedtoaddtheAndroidandiOSprovisionerstoyourPortalProfileconfiguration.
ForAndroid,youmustallowpassthroughsinyourpf.confconfigurationfile:
[trapping] passthrough=enabled passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
Profilegeneration
Uponregistration,insteadofshowingthedefaultreleasepage,theuserwillbeshowinganother versionofthepagesayingthatthewirelessprofilehasbeengeneratedwithaclickablelinkonit. Toinstalltheprofile,Appleuserownersimplyneedtoclickonthatlink,andfollowtheinstructions ontheirdevice.AndroiduserownersimplyclicktothelinkandwillbeforwardedtoGooglePlay toinstallPacketFenceagent.Simplylaunchtheapplicationandclicktoconfigurewillcreatethe secureSSIDprofile.Itisthatsimple.
BillingEngine
PacketFenceintegratestheabilitytouseapaymentgatewaytobilluserstogainaccesstothe network.Whenconfigured,theuserwhowantstoaccessthenetwork/Internetispromptedbya pageaskingforit’spersonnalinformationaswellasit’screditcardinformation.
PacketFencecurrentlysupportsfourpaymentgateways:Authorize.net,Mirapay,PaypalandStripe.
Inordertoactivatethebilling,youwillneedtoconfigurethefollowingcomponents:
▪ Billingsource(s)
▪ Billingtier(s)
Configuringabillingsource
Firstselectabillingproviderandfollowtheinstructionsbelow.
Paypal
Note
ThisproviderrequiresthatyourPacketFenceserverisaccessibleonthepublicdomain. ForthisyourPacketFenceportalshouldbeavailableonapublicIPusingtheDNS servernameconfiguredinPacketFence.
Ifyouhaveabusinessaccountanddonotwanttoconfigureatestenvironment,youcanskipthe nextsection.
Copyright©2016Inverseinc. Advancedtopics 57 Chapter12
Sandboxaccount
To configure a sandbox paypal account for use in PacketFence, head to https:// developer.paypal.com/andeithersignuporloginintoyourexistingaccount.
ThenintheSandboxmenu,clickAccounts
CreateanaccountthathasthetypePersonalandonethathasthetypeBusiness.
Afterwards,gobackintoaccounts,andexpandthebusinessaccount,thenclickProfile
NowclicktheChangepasswordlinkandchangethepasswordandnoteit.
Dothesamethingwiththepersonalaccountyoucreated
Configuringthemerchantaccount
LoginintothePaypalbusinessaccountthatyoucreatedathttps://www.sandbox.paypal.com/ifyou areusingasandboxaccountoronhttps://www.paypal.com/ifyouareusingarealaccount.
NextgoinMyAccount→Profileinordertogointoyourprofileconfiguration.
NextintheSellingPreferencesyouwillneedtoselectWebsitePaymentPreferences
Copyright©2016Inverseinc. Advancedtopics 58 Chapter12
Configurethesettingssotheymatchthescreenshotbelow.
YoushouldturnonAutoReturn,setthereturnURLtohttps://YOUR_PORTAL_HOSTNAME/billing/ paypal/verify.
YoushouldalsotakenoteoftheIdentityTokenasitwillberequiredinthePacketFenceconfiguration.
NextgobackinyourprofileconfigurationMyaccount→ProfileandselectEncryptedPaymentSettings
NowonthispageyouwillneedtosubmitthecertificateusedbyPacketFencetoPaypal(/usr/local/ pf/conf/ssl/server.crtbydefault).
Once you have submitted it, note it’s associated Cert ID as you will need to configure it in PacketFence.
Stillonthatpage,clicktheDownloadlinktodownloadthePaypalpubliccertificateandputiton thePacketFenceserverunderpath:/usr/local/pf/conf/ssl/paypal.pem
Copyright©2016Inverseinc. Advancedtopics 59 Chapter12
Caution
ThecertificatewillNOTbethesameifyouuseasandboxaccountorarealaccount.
ConfiguringPacketFence
Now,inthePacketFenceadministrationinterface,goinConfiguration→Sourcesandcreateanew sourceoftypeBilling→Paypal.
Copyright©2016Inverseinc. Advancedtopics 60 Chapter12
Where:
▪ IdentitytokenistheoneyounotedwhenontheWebsitePaymentPreferencespage. ▪ CertIDistheoneyounotedwhenontheEncryptedPaymentSettings. ▪ Paymenttypeiswhethertheaccessisdonationbased(notmandatorytopayforit). ▪ Emailaddressistheemailaddressofthemerchantpaypalaccount. ▪ CertfileisthepathtothePacketFencecertificate(/usr/local/pf/conf/ssl/server.crtbydefault). ▪ KeyfileisthepathtothePacketFencecertificate(/usr/local/pf/conf/ssl/server.keybydefault). ▪ PaypalcertfileisthepathtothePaypalcertificate(/usr/local/pf/conf/ssl/paypal.peminthis example). ▪ Currencyisthecurrencythatwillbeusedinthetransactions. ▪ Testmodeshouldbeactivatedifyouareusingasandboxaccount. Stripe
Stripeaccount
Firstgoonhttps://dashboard.stripe.com,createanaccountandlogin.
NextonthetoprightclickYouraccountthenAccountsettings.
NavigatetotheAPIkeystabandnoteyourkeyandsecret.Thetestkeyshouldbeusedwhentesting theconfigurationandthelivekeywhenputtingthesourceinproduction.
Copyright©2016Inverseinc. Advancedtopics 61 Chapter12
ConfiguringPacketFence
Now,inthePacketFenceadministrationinterface,goinConfiguration→Sourcesandcreateanew sourceoftypeBilling→Stripe
Copyright©2016Inverseinc. Advancedtopics 62 Chapter12
Where:
▪ SecretkeyisthesecretkeyyougotfromyourStripeaccount. ▪ PublishablekeyisthepublishablekeyyougotfromyourStripeaccount. ▪ Styleiswhetheryouaredoingaone-timechargeorsubscriptionbasedbilling(recurring).See sectionSubscriptionbasedregistrationbelowfordetailsonhowtoconfigureit. ▪ Currencyisthecurrencythatwillbeusedinthetransactions. ▪ Testmodeshouldbeactivatedifyouareusingthetestkeyandsecretaccount. Authorize.net
Creatinganaccount
First go on https://account.authorize.net to signup for a merchant account orhttp:// developer.authorize.net/forasandboxaccount.
AfteryoucreatedyouraccountyouwillbeshownyourAPIloginIDandTransactionkey.Noteboth oftheseinformationsforusageinthePacketFenceconfiguration.
Thenloginintoyournewaccount.
ThenunderAccountclickSettings.
OnthesettingspageinthesectionSecuritysettings,clickMD5-Hash
Copyright©2016Inverseinc. Advancedtopics 63 Chapter12
Nowenterasecretthatwillbesharedbetweenauthorize.netandPacketFence.
PacketFenceconfiguration
NextinthePacketFenceadministrationinterface,goinConfiguration→Sourcesandcreateanew sourceoftypeBilling→AuthorizeNet.
Copyright©2016Inverseinc. Advancedtopics 64 Chapter12
Where:
▪ APIloginIDistheoneyougotearlierwhilecreatingyouraccount. ▪ Transactionkeyistheoneyougotearlierwhilecreatingyouraccount. ▪ MD5hashtheoneyouconfiguredinyourAuthorize.netaccount. ▪ Currencyisthecurrencythatwillbeusedinthetransactions. ▪ Testmodeshouldbeactivatedifyouareusingasandboxaccount. Mirapay
To be contributed...
Addingbillingtiers
Onceyouhaveconfiguredoneormorebillingsource,youneedtodefinebillingtierswhichwill definethepriceandtargetauthenticationrulesfortheuser.
InthePacketFenceadministrationinterface,goinConfiguration→Billingtiers
Copyright©2016Inverseinc. Advancedtopics 65 Chapter12
ThenclickAddbillingtierandconfigureit.
Where:
▪ Billingtieristheuniqueidentifierofthebillingtier. ▪ Nameisthefriendlynameofthebillingtier. ▪ Descriptionisanextendeddescriptionofthebillingtier. ▪ Priceistheamountthatwillbechargedtotheuser. ▪ Accessdurationistheamountoftimetheuserwillbegrantedaccesstoyournetwork. ▪ Roleisthetargetroletheusershouldbein. ▪ Usetimebalancedefinesiftheaccessdurationshouldbecomputedonreal-timeaccessduration meaningiftheuserbuys24hoursofaccesshecanusethenetworkfor24hoursindifferent timeblocks.ThisrequiresavalidRADIUSaccountingconfiguration.
Note
Ifdon’twanttouseallthebillingtiersthataredefined,youcanspecifytheonesthat shouldbeactiveinthePortalprofile.
Copyright©2016Inverseinc. Advancedtopics 66 Chapter12
Subscriptionbasedregistration
PacketFencesupportssubscriptionbasedbillingusingStripeasabillingprovider.
Billingtier
Whenusingsubscriptionbasedbilling,itisadvisedtoconfigurethebillingtiersoithasanalmost infiniteaccessduration(e.g.20years)asthebillingproviderwillbecontactingthePacketFence serverwhenthesubscriptioniscanceled.
Youshouldconfigureabillingtierforeachsubscriptionplanyouwanttohave.Thisexamplewill usetheplansimpleandadvancedconfiguredusingthefollowingparameters.
[simple] name=Simple network access description=Click here if you are poor price=3.99 role=guest access_duration=10Y use_time_balance=disabled
[advanced] name=Simple network access description=Click here if you are poor price=9.99 role=advanced_guest access_duration=10Y use_time_balance=disabled
Stripeconfiguration
TheninyourStripedashboard,youshouldgoinSubscriptions→Plans.
Thencreateanewplan.
Copyright©2016Inverseinc. Advancedtopics 67 Chapter12
Where:
▪ ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence. ▪ Amountisthepriceoftheplan.Itisimportantthatthismatchesthepriceofthebillingtierin PacketFence. ▪ Currencyisthecurrencythatwillbeusedinthetransactions.Itisimportantthatthismatches thecurrencyoftheStripesourceinPacketFence. ▪ Intervalistheintervalatwhichthecustomershouldbebilled.Inthecaseofthisexample,itis monthly.
Now,followingthesameprocedure,createtheadvancedplan. ReceivingupdatesfromStripe
Asthesubscriptioncanbecancelledbyauser,youneedtosetupyourPacketFenceinstallationto receiveupdatesfromStripe.
UpdatesaresentusingHTTPrequestsonapublicIP.
YouneedtomakesurethatyourPacketFenceserverisavailablethroughapublicIPonport80and thatyourPacketFenceserverhostnameresolvesonthepublicdomain.
Copyright©2016Inverseinc. Advancedtopics 68 Chapter12
Then,inStripe,configureaWebhooksoStripeinformsPacketFenceofanyeventthathappensin thisStripemerchantaccount.
InordertodosogoinYourAccount→AccountSettings→WebhooksandclickAddendpoint.
Where:
▪ URListheURLtothePacketFenceserver.Thisshouldbehttp://YOUR_PORTAL_HOSTNAME/ hook/billing/stripe ▪ Modeiswhetherthiswebhookisfortestingmodeorlivemode
Noweverytimeauserunsubscribesfromaplan,PacketFencewillbenotifiedandwillunregister thatdevicefromyournetwork.
DevicesRegistration
Usershavethepossibilitytoregistertheirdevices(MicrosoftXBOX/XBOX360,NintendoDS/Wii, SonyPlayStationandsoon)rightfromaspecialportalpage.Whenaccessingthispage,userswillbe
Copyright©2016Inverseinc. Advancedtopics 69 Chapter12
promptedtologinasiftheywereregisteringthemselves.Onceloggedin,theportalwillaskthemto enterthedeviceMACaddressthatwillthenbematchedagainstapredefinedlistofauthorizedMAC OUI.Thedevicewillberegisteredwiththeuser’sidandcanbeassignedintoaspecificcategory foreasiermanagement.
Here’showtoconfigurethewholething.TheportalpagecanbeaccessedbythefollowingURL: https://YOUR_PORTAL_HOSTNAME/device-registration This URL is accessible from within the network,inanyVLANthatcanreachthePacketFenceserver.
Thefollowingcanbeconfiguredbyeditingthepf.conffile:
[registration] device_registration = enabled device_registration_role = gaming
MakesuretheroleexistsinPacketFenceotherwiseyouwillencounterregistrationerrors.Moreover, makesuretherolemappingforyourparticularequipmentisdone.
TheseparameterscanalsobeconfiguredfromtheConfiguration→Registrationsection.
Note
Aportalinterfacetypeisrequiredtousethisfeature.Aportalinterfacetypecanbe addedtoanynetworkinterfaceusingthewebadminGUI.
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developedfortheinternationalresearchandeducationcommunity.
eduroamallowsstudents,researchersandstafffromparticipatinginstitutionsto obtainInternetconnectivityacrosscampusandwhenvisitingotherparticipating institutionsbysimplyopeningtheirlaptop. —eduroamhttps://www.eduroam.org/
PacketFencesupportsintegrationwitheduroamandallowsparticipatinginstitutionstoauthenticate bothlocallyvisitingusersfromotherinstitutionsaswellasallowingotherinstitutionstoauthenticate localusers.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFencemustbemodifiedtoallowtheeduroamserverstoconnecttoitasclientsaswellas toproxyRADIUSauthenticationrequestsforusersfromoutsideinstitutions.
First,modifythe/usr/local/pf/raddb/clients.conffiletoallowtheeduroamserverstoconnectto yourPacketFenceserver.Addtheeduroamserversasclientsandmakesuretoaddtheproper RADIUSsecret.Setashortnametorefertotheseclientsasyouwilllaterneedittoexcludethem fromsomepartsofthePacketFenceconfiguration.
clients.confexample:
Copyright©2016Inverseinc. Advancedtopics 70 Chapter12
client tlrs1.eduroam.us { secret = useStrongerSecret shortname = tlrs1 }
client tlrs2.eduroam.us { secret = useStrongerSecret shortname = tlrs2 }
Secondly,modifythelistofdomainsandproxyserversin/usr/local/pf/raddb/proxy.conf.Youwill needtodefineeachofyourdomainsaswellastheDEFAULTdomain.TheDEFAULTrealmwillapply toanyclientthatattemptstoauthenticatewitharealmthatisnototherwisedefinedinproxy.conf andwillbeproxiedtotheeduroamservers.
Defineoneormorehomeservers(serverstowhicheduroamrequestsshouldbeproxied).
proxy.confexample:
home_server tlrs1.eduroam.us { type = auth ipaddr = 257.128.1.1 port = 1812 secret = useStrongerSecret require_message_authenticator = yes }
Defineapoolofserverstogroupyoureduroamhomeserverstogether.
proxy.confexample:
home_server_pool eduroam { type = fail-over home_server = tlrs1.eduroam.us home_server = tlrs2.eduroam.us }
Definerealmstoselectwhichrequestsshouldbeproxiedtotheeduroamserverpool.Thereshould beonerealmforeachofyourdomains,andpossiblyonemoreperdomainifyouintendtoallow usernamesoftheDOMAIN\userform.
TheREALMissetbasedonthedomainfoundbythesuffixorntdomainmodules(seeraddb/ modules/realm).Thesuffixorntdomainmodulestrytofindadomaineitherwithan@domainor suffix\username.
▪ Ifnoneisfound,theREALMisNULL.
▪ Ifadomainisfound,FreeRADIUStriestomatchoneoftheREALMSdefinedinthisfile.
▪ Ifthedomainiseitherexample.eduorEXAMPLEFreeRADIUSsetsthecorrespondingREALM, i.e.example.eduorEXAMPLE.
▪ IftheREALMdoesnotmatcheither(anditisn’tNULL),thatmeanstherewasadomainotherthan EXAMPLEorexample.eduandweassumeitismeanttobeproxiedtoeduroam.FreeRADIUS setstheDEFAULTrealm(whichisproxiedtotheeduroamauthenticationpool).
Copyright©2016Inverseinc. Advancedtopics 71 Chapter12
The REALM determines where the request is sent to. If the REALM authenticates locally the requestsareprocessedentirelybyFreeRADIUS.IftheREALMsetsadifferenthomeserverpool, therequestsareproxiedtotheserversdefinedwithinthatpool.
proxy.confexample:
# This realm is for requests which don't have an explicit realm # prefix or suffix. User names like "bob" will match this one. # No authentication server is defined, thus the authentication is # done locally. realm NULL { }
# This realm is for ntdomain users who might use the domain like # this "EXAMPLE\username". # No authentication server is defined, thus the authentication is # done locally. realm EXAMPLE { }
# This realm is for suffix users who use the domain like this: # "[email protected]". # No authentication server is defined, thus the authentication is # done locally. realm example.edu { }
# This realm is for ALL OTHER requests. Meaning in this context, # eduroam. The auth_pool is set to the eduroam pool and so the # requests will be proxied. realm DEFAULT { auth_pool = eduroam nostrip }
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In/usr/local/pf/raddb/sites-enabled/packetfence,modifytheauthorizesectionlikethis:
raddb/sites-enabled/packetfenceexample:
Copyright©2016Inverseinc. Advancedtopics 72 Chapter12
authorize { # pay attention to the order of the modules. It matters. ntdomain suffix preprocess
# uncomment this section if you want to block eduroam users from # you other SSIDs. The attribute name ( Called-Station-Id ) may # differ based on your controller #if ( Called-Station-Id !~ /eduroam$/i) { # update control { # Proxy-To-Realm := local # } #}
eap { ok = return }
files expiration logintime packetfence }
In/usr/local/pf/raddb/sites-enabled/packetfence-tunnel,modifythepost-authsectionlikethis.If you omit this change the request will be sent to PacketFence where it will be failed since the eduroamserversarenotpartofyourconfiguredswitches.
raddb/sites-enabled/packetfence-tunnelexample:
post-auth { exec
# we skip packetfence when the request is coming from the eduroam servers if ( "%{client:shortname}" != "tlrs1" && \ "%{client:shortname}" != "tlrs2" ) { packetfence }
Post-Auth-Type REJECT { attr_filter.access_reject } }
Finally,makesurethattherealmsmoduleisconfiguredthisway(see/usr/local/pf/raddb/modules/ realm):
raddb/modules/realmexample:
Copyright©2016Inverseinc. Advancedtopics 73 Chapter12
# 'username@realm' realm suffix { format = suffix delimiter = "@" }
# 'domain\user' realm ntdomain { format = prefix delimiter = "\\" ignore_null = yes }
Fingerbankintegration
Fingerbank,agreatdeviceprofilingtooldevelopedalongsideofPacketFence,nowintegrateswithit topower-upthefeaturesetallowingaPacketFenceadministratortoeasilytriggerviolationsbased ondifferentdevicetypes,deviceparents,DHCPfingerprints,DHCPvendorIDs,MACvendorsand browseruseragents.
ThecoreofthatintegrationresidesintheabilityforaPacketFencesystem,tointeractwiththe Fingerbankupstreamproject,whichthenallowadailybasisfingerprintsdatabaseupdate,sharing unknowndatasothatmorecomplexalgorithmscanprocessthatnewdatatointegrateitinthe globaldatabase,queryingtheglobalupstreamdatabaseinthecaseofanunknownmatchandmuch more.
SincetheFingerbankintegrationisnowthe"defacto"deviceprofilingtoolofPacketFence,itwasa requirementtomakeitassimpleaspossibletoconfigureandtouse.Fromthemomentaworking PacketFencesystemisinplace,Fingerbankisalsoreadytobeused,butonlyina"local"mode, whichmeans,nointeractionwiththeupstreamFingerbankproject.
Onboarding
TobenefitfromalltheadvantagesoftheFingerbankproject,theonboardingstepisrequiredto createanAPIkeythatwillthenallowinteractionwiththeupstreamproject.Thatcaneasilybe doneonlybygoinginthe"Settings"menuitemunderthe"Fingerbank"sectionofthePacketFence "Configuration"tab.Fromthere,aneasyprocesstocreateandsaveanuser/organizationspecific APIkeycanbefollowed.Oncecompleted,thefullfeaturesetofFingerbankcanbeused.
UpdateFingerbankdatabase
UpdatingtheFingerbankdatacan’tbeeasier.Theonlyrequirementistheonboardingprocesswhich allowsyoutointeractwithupstreamproject.Oncedone,anoptionto"UpdateFingerbankDB"can befoundontopofeverymenuitemsectionsunder"Fingerbank".Processmaytakeaminuteor two,dependingonthesizeofthedatabaseandtheinternetconnectivity,afterwhichasuccessor errormessagewillbeshowaccordingly."Local"recordsareNOTbeingmodifiedduringthisprocess.
Copyright©2016Inverseinc. Advancedtopics 74 Chapter12
Submitunknowndata
Sayingthatwedon’tknoweverythingisnotfalsemodesty.Inthatsense,the"SubmitUnknown/ UnmatchedFingerprints"optionismadeavailable(afteronboarding)sothatunknownfingerprinting datagoinginandoutonyournetworkcaneasilybesubmittedtotheupstreamFingerbankproject forfurtheranalysisandintegrationtheintheglobaldatabase.
Upstreaminterogation
Bydefault,PacketFenceisconfiguredtointerogatetheupstreamFingerbankproject(ifonboarding hasbeencompleted)tofullfillaquerywithunmatchedlocalresults.Unmatchedlocalresultscan resultofanolderversionoftheFingerbankdatabaseorarequirementforamorecomplexalgorithm duetothedataset.Thatbehavioriscompletelytransparentandcanbemodifiedusingthe"Settings" menuitemunderthe"Fingerbank"sectionofthePacketFence"Configuration"tab.
Localentries
Itispossibleforanadministratorwhowantstocustomizeanexistingrecord(orcreateanewone) todosousingthe"Local"entries.Anupstreamrecord(DHCPFingerprint,DHCPVendor,MAC Vendor,UserAgent,Devicetype,evenaCombination)canbeclonedandthenmodifiedonalocal basisifneeded.Localrecordsarealwaysmatchedfirstsincetheirpurposeistooverrideanexisting one.Alocalcombinationcanbecreatedtomatcheither"Local"or"Upstream"orbothentriesto allowidentificationofadevice.
Settings
Fingerbanksettingscaneasilybemodifiedfromthe"Settings"menuitemunderthe"Fingerbank" sectionofthePacketFence"Configuration"tab.There’sdocumentationforeachaneveryparameter thatalloweasierunderstanding.
FloatingNetworkDevices
Startingwithversion1.9,PacketFencenowsupportsfloatingnetworkdevices.AFloatingnetwork deviceisadeviceforwhichPacketFencehasadifferentbehaviourcomparedtoaregulardevice. ThisfunctionalitywasoriginallyaddedtosupportmobileAccessPoints.
Caution
RightnowPacketFenceonlysupportsfloatingnetworkdevicesonCiscoandNortel switchesconfiguredwithport-security.
For a regular device, PacketFence put it in the VLAN corresponding to its status (Registration, QuarantineorRegularVlan)andauthorizesitontheport(port-security).
Copyright©2016Inverseinc. Advancedtopics 75 Chapter12
AfloatingnetworkdeviceisadevicethatPacketFencedoesnotmanageasaregulardevice.
Whenafloatingnetworkdeviceisplugged,PacketFencewilllet/allowalltheMACaddressesthat willbeconnectedtothisdevice(orappearontheport)andifnecessary,configuretheportasmulti- vlan(trunk)andsetPVIDandtaggedVLANsontheport.
Whenanfloatingnetworkdeviceisunplugged,PacketFencewillreconfiguretheportlikebefore itwasplugged.
Howitworks
Configuration:
▪ floatingnetworkdeviceshavetobeidentifiedusingtheirMACaddress. ▪ linkup/linkdowntrapsarenotenabledontheswitches,onlyport-securitytrapsare.
WhenPacketFencereceivesaport-securitytrapforafloatingnetworkdevice,itchangestheport configurationsothat:
▪ itdisablesport-security ▪ itsetsthePVID ▪ iteventuallysetstheportasmulti-vlan(trunk)andsetsthetaggedVlans ▪ itenableslinkdowntraps
WhenPFreceivesalinkdowntraponaportinwhichafloatingnetworkdevicewasplugged,it changestheportconfigurationsothat:
▪ itenablesport-security ▪ itdisableslinkdowntraps
Identification
Aswementionedearlier,eachfloatingnetworkdevicehastobeidentified.Therearetwoways todoit:
▪ byeditingconf/floating_network_device.conf ▪ throughtheWebGUI,inConfiguration→Network→Floatingdevices
Herearethesettingsthatareavailable:
MACAddress MACaddressofthefloatingdevice
IPAddress IPaddressofthefloatingdevice(notrequired,forinformationonly)
trunkPort Yes/no.Shouldtheportbeconfiguredasamuti-vlanport?
pvid VLANinwhichPacketFenceshouldputtheport
taggedVlan CommaseparatedlistofVLANs.Iftheportisamulti-vlan,theseare theVlansthathavetobetaggedontheport.
Copyright©2016Inverseinc. Advancedtopics 76 Chapter12
OAuth2Authentication
Note
OAuth2authenticationdoesnotworkwithWebauthenforcement
The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn,WindowsLive,TwitterorGithubaccount.
Foreachproviders,wemaintainanalloweddomainlisttopunchholesintothefirewallsotheuser canhittheproviderloginpage.ThislistisavailableineachOAuth2authenticationsource.
Inordertohaveoauth2workingproperly,youneedtoenableIPforwardingonyourservers.Todo itpermanently,lookinthe/etc/sysctl.conf,andsetthefollowingline:
# Controls IP packet forwarding net.ipv4.ip_forward = 1
Savethefile,andissueasysctl -ptoupdatetheOSconfig.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthroughinpf.conf).
InordertouseGoogleasaOAuth2provider,youneedtogetanAPIkeytoaccesstheirservices. Signuphere:http://code.google.com/apis/console.MakesureyouusethisURIforthe"Redirect URI"field:https://YOUR_PORTAL_HOSTNAME/oauth2/callback.Ofcourse,replacethehostname withthevaluesfromgeneral.hostnameandgeneral.domain.
Youcankeepthedefaultconfiguration,modifytheAppID&AppSecret(GivenbyGoogleonthe developperplateform)andPortalURL(https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also, add the following Authorized domains : *.google.com, *.google.ca, *.google.fr, *.gstatic.com,googleapis.com,accounts.youtube.com(Makesurethatyouhavethegoogledomain fromyourcountrylikeCanada*.google.ca,France*.google.fr,etc…)
Onceyouhaveyourclientid,andAPIkey,youneedtoconfiguretheOAuth2provider.Thiscanbe donebyaddingaGoogleOAuth2authenticationsourcefromConfiguration→Sources.
Moreover,don’tforgettoaddGoogleasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.
Touse Facebook, you also need an API code and a secret key. Toget one, go here: https:// developers.facebook.com/apps.WhenyoucreateyourApp,makesureyouspecifythefollowing astheWebsiteURL:https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Copyright©2016Inverseinc. Advancedtopics 77 Chapter12
Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.
Youcankeepthedefaultconfiguration,modifytheAppID&AppSecret(GivenbyFaceBookon thedevelopperplateform)andPortalURL(https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also, add the following Authorized domains : *.facebook.com, *.fbcdn.net, *.akamaihd.net (May change)
Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaFacebookOAuth2authenticationsourcefromConfiguration→Sources.
Moreover,don’tforgettoaddFacebookasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.
Caution
ByallowingOAuththroughFacebook,youwillgiveFacebookaccesstotheuserswhile theyaresittingintheregistrationVLAN.
GitHub
TouseGitHub,youalsoneedanAPIcodeandasecretkey.Togetone,youneedtocreateanApp here:https://github.com/settings/applications.WhenyoucreateyourApp,makesureyouspecify thefollowingastheCallbackURLhttps://YOUR_PORTAL_HOSTNAME/oauth2/callback
Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.
Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaGitHubOAuth2authenticationsourcefromConfiguration→Sources.
Moreover,don’tforgettoaddGitHubasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.
TouseLinkedIn,youalsoneedanAPIcodeandasecretkey.Togetone,youneedtocreatean Apphere:https://developer.linkedin.com/.WhenyoucreateyourApp,makesureyouspecifythe followingastheCallbackURLhttps://YOUR_PORTAL_HOSTNAME/oauth2/callback
Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.
Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaLinkedInOAuth2authenticationsourcefromConfiguration→Sources.
Moreover,don’tforgettoaddLinkedInasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.
Also,LinkedInrequiresastateparameterfortheauthorizationURL.Ifyoumodifyit,makesureto additattheendofyourURL.
TouseTwitter,youalsoneedanAPIcodeandasecretkeywhichTwittercallsconsumerkeyand consumersecret.ObtainthisinformationbycreatingannewapplicationfromyourTwitterApps
Copyright©2016Inverseinc. Advancedtopics 78 Chapter12
Managementpage.WhenyoucreateyourApp,makesureyouspecifythefollowingastheCallback URLhttps://YOUR_PORTAL_HOSTNAME/oauth2/callback
Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.
Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaTwitterOAuth2authenticationsourcefromConfiguration→Sources.
Moreover,don’tforgettoaddTwitterasaregistrationmodefromyourportalprofiledefinition, availablefromConfiguration→PortalProfilesandPages.
WindowsLive
TouseWindowslive,youalsoneedanAPIcodeandasecretkey.Togetone,youneedtocreate anApphere:https://account.live.com/developers/applications.WhenyoucreateyourApp,make sureyouspecifythefollowingastheCallbackURLhttps://YOUR_PORTAL_HOSTNAME/oauth2/ callback
Ofcourse,replacethehostnamewiththevaluesfromgeneral.hostnameandgeneral.domain.
Onceyouhaveyourinformation,youneedtoconfiguretheOAuth2provider.Thiscanbedoneby addingaWindowsLiveOAuth2authenticationsourcefromConfiguration→Sources.
Moreover, don’t forget to add WindowsLive as a registration mode from your portal profile definition,availablefromConfiguration→PortalProfilesandPages.
Passthrough
InordertousethepassthroughfeatureinPacketFence,youneedtoenableitfromtheGUIin Configuration→TrappingandcheckPassthrough.
Therearetwosolutionsforpassthroughs-oneusingDNSresolutionandiptablesandtheother oneusingApache’smod_proxymodule.Whenenabled,PacketFencewillusepfdnsifyoudefined Passthroughs,orApachemod-proxyifyoudefinedProxyPassthroughstoallowtrappeddevices toreachexternalwebsites.
▪ DNSpassthrough:AddanewFQDN(shouldbeawildcarddomainlike*.google.com)inthe Passthroughssection.WhenPacketFencereceivesaDNSrequestforthisdomain,itwillanswer therealIPaddressandpunchaholeinthefirewall(usingiptables)toallowaccess.Withthis method,PacketFencemustbethedefaultgatewayofyourdevice.
▪ mod_proxypassthrough:AddanewFQDN(shouldbeawildcarddomainlike*.google.com)in theProxyPassthroughssection.ForthisFQDN,PacketFencewillanswertheIPaddressofthe captiveportalandwhenadevicehitsthecaptiveportal,PacketFencewilldetectthatthisFQDN hasapassthroughconfigurationandwillforwardthetraffictomod_proxy.
ThesetwomethodscanbeusedtogetherbutDNS-basedpassthroughshavehigherpriority.
Copyright©2016Inverseinc. Advancedtopics 79 Chapter12
ProductionDHCPaccess
Inordertoperformallofitsaccesscontrolduties,PacketFenceneedstobeabletomapMAC addressesintoIPaddresses.
Forallthenetworks/VLANswhereyouwantPacketFencetohavetheabilitytoisolateanodeor tohaveIPinformationaboutnodes,youwillneedtoperformoneofthetechniquesbelow.
Alsonotethatthisdoesn’tneedtobedonefortheregistration,isolationVLANsandinlineinterfaces sincePacketFenceactsastheDHCPserverinthesenetworks.
IPHelpers(recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs this approachisthesimplestoneandtheonethatworksthebest.
Add PacketFence’s management IP address as the last ip helper-address statement in your networkequipment.AtthispointPacketFencewillreceiveacopyofallDHCPrequestsforthat VLANandwillrecordwhatIPweredistributedtowhatnodeusingapfdhcplistenerdaemon.
BydefaultnoDHCPServershouldberunningonthatinterfacewhereyouaresendingtherequests. ThisisbydesignotherwisePacketFencewouldreplytotheDHCPrequestswhichwouldbeabad thing.
ObtainacopyoftheDHCPtraffic
GetacopyofalltheDHCPTraffictoadedicatedphysicalinterfaceinthePacketFenceserverand runpfdhcplisteneronthatinterface.Itwillinvolveconfiguringyourswitchproperlytoperform portmirroring(akanetworkspan)andaddinginPacketFencetheproperinterfacestatementatthe operatingsystemlevelandinpf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2 ONBOOT=yes BOOTPROTO=none
Addtopf.conf:(IPsarenotimportanttheyarethereonlysothatPacketFencewillstart)
[interface eth2] mask=255.255.255.0 type=dhcp-listener gateway=192.168.1.5 ip=192.168.1.1
RestartPacketFenceandyoushouldbegoodtogo.
Copyright©2016Inverseinc. Advancedtopics 80 Chapter12
InterfaceineveryVLAN
BecauseDHCPtrafficisbroadcasttraffic,analternativeforsmallnetworkswithfewlocalVLANs istoputaVLANinterfaceforeveryVLANonthePacketFenceserverandhaveapfdhcplistener listenonthatVLANinterface.
OnthenetworksideyouneedtomakesurethattheVLANtrulyreachesallthewayfromyour clienttoyourDHCPinfrastructureuptothePacketFenceserver.
OnthePacketFenceside,firstyouneedanoperatingsystemVLANinterfaceliketheonebelow. Storedin/etc/sysconfig/network-scripts/ifcfg-eth0.1010:
# Engineering VLAN DEVICE=eth0.1010 ONBOOT=yes BOOTPROTO=static IPADDR=10.0.101.4 NETMASK=255.255.255.0 VLAN=yes
Thenyouneedtospecifyinpf.confthatyouareinterestedinthatVLAN’sDHCPbysettingtype todhcp-listener.
[interface eth0.1010] mask=255.255.255.0 type=dhcp-listener gateway=10.0.101.1 ip=10.0.101.4
RepeattheaboveforallyourproductionVLANsthenrestartPacketFence.
HostproductionDHCPonPacketFence
It’sanoption.Justmodifyconf/dhcpd.confsothatitwillhostyourproductionDHCPproperly andmakesurethatapfdhcplistenerrunsonthesameinterfacewhereproductionDHCPruns. However,pleasenotethatthisisNOTrecommended.Seethistickettoseewhy.
ProxyInterception
PacketFenceenablesyoutointerceptproxyrequestsandforwardthemtothecaptiveportal.Itonly worksonelayer-2networksbecausePacketFencemustbethedefaultgateway.Inordertousethe ProxyInterceptionfeature,youneedtoenableitfromtheGUIinConfiguration→Trappingand checkProxyInterception.
Addtheportyouwanttointercept(like8080or3128)andaddanewentryinthe/etc/hosts filetoresolvethefullyqualifieddomainname(fqdn)ofthecaptiveportaltotheIPaddressofthe
Copyright©2016Inverseinc. Advancedtopics 81 Chapter12
registrationinterface.ThismodificationismandatoryinorderforApachetoreceivestheproxy requests.
RoutedNetworks
Ifyourisolationandregistrationnetworksarenotlocally-reachable(atlayer2)onthenetwork, but routed to the PacketFence server, you’ll have to let the PacketFence server know this. PacketFencecanevenprovideDHCPandDNSintheseroutednetworksandprovidesaneasyto useconfigurationinterface.
Fordhcpd,makesurethattheclientsDHCPrequestsarecorrectlyforwarded(IPHelpersinthe remoterouters)tothePacketFenceserver.Thenmakesureyoufollowedtheinstructionsinthe DHCPandDNSServerConfiguration(networks.conf)foryourlocallyaccessiblenetwork.
Ifweconsiderthenetworkarchitectureillustratedintheaboveschema,conf/pf.confwillinclude thelocalregistrationandisolationinterfacesonly.
[interface eth0.2] enforcement=vlan ip=192.168.2.1 type=internal mask=255.255.255.0
Copyright©2016Inverseinc. Advancedtopics 82 Chapter12
[interface eth0.3] enforcement=vlan ip=192.168.3.1 type=internal mask=255.255.255.0
Note
PacketFencewillnotstartunlessyouhaveatleastoneinternalinterface,soyouneed tocreatelocalregistrationandisolationVLANsevenifyoudon’tintendtousethem. Also,theinternalinterfacesaretheonlyonesonwhichdhcpdlistens,sotheremote registrationandisolationsubnetsneedtopointtheirDHCPhelper-addresstothose particularIPs.
ThenyouneedtoprovidetheroutednetworksinformationtoPacketFence.Youcandoitthrough theGUIinAdministration→Networks(orinconf/networks.conf).
conf/networks.confwilllooklikethis:
[192.168.2.0] netmask=255.255.255.0 gateway=192.168.2.1 next_hop= domain-name=registration.example.com dns=192.168.2.1 dhcp_start=192.168.2.10 dhcp_end=192.168.2.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-registration named=enabled dhcpd=enabled
[192.168.3.0] netmask=255.255.255.0 gateway=192.168.3.1 next_hop= domain-name=isolation.example.com dns=192.168.3.1 dhcp_start=192.168.3.10 dhcp_end=192.168.3.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-isolation named=enabled dhcpd=enabled
Copyright©2016Inverseinc. Advancedtopics 83 Chapter12
[192.168.20.0] netmask=255.255.255.0 gateway=192.168.20.254 next_hop=192.168.2.254 domain-name=registration.example.com dns=192.168.2.1 dhcp_start=192.168.20.10 dhcp_end=192.168.20.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-registration named=enabled dhcpd=enabled
[192.168.30.0] netmask=255.255.255.0 gateway=192.168.30.254 next_hop=192.168.3.254 domain-name=isolation.example.com dns=192.168.3.1 dhcp_start=192.168.30.10 dhcp_end=192.168.30.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=vlan-isolation named=enabled dhcpd=enabled
DHCPclientsontheregistrationandisolationnetworksreceivethePFserverIPastheirDNSserver (dns=x.x.x.x),andPFspoofsDNSresponsestoforceclientsviatheportal.However,clientscould manuallyconfiguretheirDNSsettingstoescapetheportal.Topreventthisyouwillneedtoapply anACLontheaccessrouternearesttheclients,permittingaccessonlytothePFserverandlocal DHCPbroadcasttraffic.
Forexample,fortheVLAN20remoteregistrationnetwork:
ip access-list extended PF_REGISTRATION permit ip any host 192.168.2.1 permit udp any any eq 67 deny ip any any log interface vlan 20 ip address 192.168.20.254 255.255.255.0 ip helper-address 192.168.2.1 ip access-group PF_REGISTRATION in
Ifyouredgeswitchessupportvlan-isolationyoucanalsoapplytheACLthere.Thishastheadvantage ofpreventingmachinesinisolationfromattemptingtoattackeachother.
Copyright©2016Inverseinc. Advancedtopics 84 Chapter12
StatementofHealth(SoH)
TheStatementofHealth(SoH)isproductthathasbeendevelopedbyMicrosoft.IntheMicrosoft world,thisisnamedNetworkAccessProtectionorNAP.OnWindowsversionsfromXPSP2to Windows7,thereisaNAPserviceinstalledthatcanrelayhealthinformation(Anti-Virusupdate status,WindowsUpdatestatus,etc)toaRADIUSServeroraDHCPserver.Thesectionbelow explainsyouhowtodoSoHpolicieswithPacketFence.
Installation
Bydefault,weturnSoHoff.Toenableitssupport,simplyuncommentthefollowinglinesin/usr/ local/pf/conf/radiusd/eap.conf.
soh=yes soh-virtual-server = "soh-server"
RestarttheRADIUSserviceafterward.
Ontheclientside,toenableSoHforEAP,dothefollowing(Windows7example):
sc config napagent start=auto sc start napagent
:: Wired 802.1X sc config dot3svc start=auto depend=napagent sc start dot3svc
netsh nap client show config
:: get the "ID" value for the "EAP Quarantine Enforcement Client" netsh nap client set enforce id=$ID admin=enable
Thelaststepistoselectthe"EnforceNetworkAccessProtection"checkboxundertheEAPprofile settings.ThosestepscanbeeasilyconfiguredusingGPOs.
ConfigurationofSoHpolicy
InordertoenforceaSoHpolicy,weneedtocreateitfirst.ThisisdoneusingtheConfiguration→ Compliance→StatementofHealthmodule.
Policyexample
Let’swalkthroughanexamplesituation.Supposeyouwanttodisplayaremediationpagetoclients thatdonothaveananti-virusenabled.
Copyright©2016Inverseinc. Advancedtopics 85 Chapter12
Thethreebroadstepsare:createaviolationclassforthecondition,thencreateanSoHfilterto triggertheviolationwhen"anti-virusisdisabled",andfinally,reloadtheviolations.
First,createtheproperviolationeitherviatheAdminUI,orbyeditingtheconf/violations.conf files:
[4000001] desc=No anti-virus enabled url=/remediation.php?template=noantivirus actions=reevaluate_access,email,log enabled=Y
Note
Youmayalsowanttosetotherattributessuchasauto_enable,grace,etc.
Whendonewiththeviolation,visittheWebAdministrationunderConfiguration→Compliance →StatementofHealthand(editthefilternamedDefault,or)usetheAddafilterbuttontocreate afilternamedantivirus.Clickonantivirusinthefilterlist,andselectTriggerviolationintheaction drop-down.Enterthevidoftheviolationyoucreatedaboveintheinputboxthatappears.
Next, click on Addacondition, and select Anti-virus,is , and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFenceorusingthepfcmd reload violationscommand.
Thelaststepistocreateanewremediationtemplatecallednoantivirus.phponthefilesystem inthehtml/captive-portal/violationsfolder.Editittoincludethetextyouwanttodisplayto theusers.
VLANFilterDefinition
Weaddedtheabilitytospecifyfiltersdirectlyintheportionofcodethatre-evaluatestheVLAN ordoacalltotheAPI.
Theserulesareavailableindifferentscopes:
ViolationRole RegistrationRole RegisteredRole InlineRole AutoRegister NodeInfoForAutoReg
Andcanbedefinedusingdifferentcriterialike:
Copyright©2016Inverseinc. Advancedtopics 86 Chapter12
node_info.attribute (like node_info.status) switch ifIndex mac connection_type username ssid time owner.attribute (like owner.pid) radius_request.attribute (like radius_request.Calling-Station-Id)
Forexample,letsdefinearulethatpreventsadevicefromconnectingwhenitscategoryisthe "default",whentheSSIDis"SECURE"andwhenthecurrenttimeisbetween11amand2pm:from MondaytoFridaywhenittrytoconnectasaregistereddevice:
[category] filter = node_info.category operator = is value = default
[ssid] filter = ssid operator = is value = SECURE
[time] filter = time operator = is value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time] scope = RegisteredRole role = nointernet
ThesecondexamplewillcreateaviolationiftheSSIDisOPENandtheownerisigmout
[igmout] filter = owner.pid operator = is value = igmout
[open] filter = ssid operator = is value = OPEN
Copyright©2016Inverseinc. Advancedtopics 87 Chapter12
[2:igmout&ssid] scope = RegisteredRole action = trigger_violation action_param = mac = $mac, tid = 1100012, type = INTERNAL
Thethirdexamplewillautoregisterthedeviceandassigntherolestafftoeachdevicewherethe usernameisigmout.
[igmout] filter = username operator = is value = igmout
[secure] filter = ssid operator = is value = SECURE
[3:igmout&secure] scope = AutoRegister role = staff
[4:igmout&secure] scope = NodeInfoForAutoReg role = staff
Youcanhavealookinthefilevlan_filters.conf,therearesomeexamplesonhowtouseanddefine filters.
RADIUSFilterDefinition
Weaddedtheabilitytospecifyfiltersdirectlyintheportionofcodethatreturntheradiusanswer ordoacalltotheAPI.
Theserulesareonlyavailableinonescope:
returnRadiusAccessAccept
Andcanbedefinedusingdifferentcriterialike:
Copyright©2016Inverseinc. Advancedtopics 88 Chapter12
node_info.attribute (like node_info.$attribute) switch ifIndex mac connection_type username ssid time owner.attribute (like owner.$attribute) radius_request.attribute (like radius_request.$attribute) violation user_role vlan
Forexample,letsdefinearulethatreturnAccessAcceptwhentheconnectionisEthernet-EAP andwhenthereisnoviolation(merge_returnmeansthattheoriginalanswerofPacketFencewill bemergewiththefilteranswerautomatically):
[violation] filter = violation operator = defined
[etherneteap] filter = connection_type operator = is value = Ethernet-EAP
[1:etherneteap&!violation] merge_answer = no scope = returnRadiusAccessAccept
Inthisotherexamplewejustaddanewattributetotheoriginalanswerinthesameconditions (here$user_rolewillbereplacedbytherealuserroleofthedeviceand${switch._portalURL}will bereplacedbythevalueof_portalURLdefinedintheswitchconfig):
[1:etherneteap&!violation] merge_answer = yes scope = returnRadiusAccessAccept answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect= ${switch._portalURL}/cep$session_id
Youcanhavealookinthefileradius_filters.conf,therearesomeexamplesonhowtouseand definefilters.
Copyright©2016Inverseinc. Advancedtopics 89 Chapter12
DNSenforcement
DNSenforcementallowsyoutocontrolthenetworkaccessofthedevicebyusingthepfdnsservice onPacketFence.
The architecture of DNS enforcement is as following : - DHCP and DNS are provided by the PacketFenceserver-ThePacketFenceDHCPserverwillprovidetheIPofyournetworkequipment asthegatewayandtheIPaddressofthePacketFenceDNSservertoresolvenames.-Routingis providedbyanotherequipmentonyournetwork(Coreswitch,Firewall,Router,…)-Ifausershould beshowntheportal,thepfdnsservicewillreturnapointertotheIPaddressofthecaptiveportal, otherwisepfdnswillresolvethenameexternallyanduseitinthereply.
ThisenforcementmodeusedbyitselfcanbebypassedbythedevicebyusingadifferentDNS serverorbyusingitsownDNScache.
ThefirstcanbepreventedusinganACLonyourroutingequipment,thesecondcanbeprevented bycombiningDNSenforcementwithSingle-Sign-Ononyournetworkequipment.Pleaseseethe FirewallSingle-Sign-Ondocumentationfordetailsonhowtoaccomplishthis.
InordertoconfigureDNSenforcement,youfirstneedtogoinConfiguration→Interfacesthen selectoneofyourinterfacesandsetitinDNSenforcementmode.
After,youneedtoconfigurearoutednetworkforthisinterfacebyclickingAddroutednetwork.See theRoutedNetworkssectionofthisdocumentfordetailsonhowtoconfigureit.
Note
Ifyouarenotusingaroutednetwork,youneedtouseInlineenforcementasDNS enforcementcanonlybeusedforroutednetworks.
Oncethisisdone,youneedtorestartthedhcpdandpfdnsservices.
Parkeddevices
Intheeventthatyouaremanagingalargeregistrationnetworkwithdevicesthatstaythere(ex: Studentsthatcan’tregisterinyourenvironment),thesedevicesconsumepreciousresourcesand generateuselessloadonthecaptiveportalandregistrationDHCPserver.
Usingtheparkingfeature,youcanmakethesedeviceshavealongerleaseandhitanextremelly lightweightcaptiveportalsothattheamountofresourcestheyconsumeisminimal.Inthatcaptive portal,theywillseeamessageexplainingthattheyhaven’tregisteredtheirdeviceforacertain amountoftime,andwillletthemleavetheparkedstatebypressingalink.
Theparkedvsunparkedstateiscontrolledthroughviolation1300003whichgetstriggeredaccording totheparking.thresholdsetting(Configuration→Parking).
Copyright©2016Inverseinc. Advancedtopics 90 Chapter12
So,inordertoactivatetheparking,goinConfiguration→Parkingandsetthethresholdtoacertain amountofseconds.Asuggestedvaluewouldbe21600whichis6hours.Thismeansthatifadevice staysinyourregistrationnetworkformorethan6hoursinarow,itwilltriggerviolation1300003 andplacethatdeviceintotheparkedstate.
Inthatsamesection,youcandefinetheleaselengthoftheuserwhenheisintheparkedstate.
Note
ParkingisdetectedwhenadeviceasksforDHCP,ifPacketFenceisnotyourDHCP serverfortheregistrationnetwork,thisfeaturewillnotwork.Also,ifthedevicegoes intotheparkedstatewithaleasetimeof1hourandtheuserimmediatelyreleases himselffromtheparkingstate,itwilltake1hourbeforethenextdetectiontakesplace evenifyousetparking.thresholdtoalowervalue.
Violation1300003
Thisviolationcontrolswhathappenswhenauserisdetecteddoingparking.
Herearethemainsettings:
▪ Youcanaddactionstothepredefinedones(likeEmailadminorExternalaction)inDefinition→ Actions
▪ TheamountoftimeausercanunparktheirdeviceiscontrolledthroughtheRemediation→Max enablesetting.
▪ TheamountofgracetimebetweentwoparkingviolationsiscontrolledbytheRemediation→ Gracesetting.Thismeans,onceauserreleasehimselffromtheparkedstate,hewillhaveatleast thisamountoftimetoregisterbeforetheparkingtriggersagain.
▪ Thedestinationrole(thusVLAN)oftheuseriscontrolledbyAdvanced→Role.Youshouldleave theuserintheregistrationrole,butshouldyouwanttodedicatearoleforparking,youcanset itthere.
▪ TheTemplateattributewillonlybeusedwhentheuserisonthenormalPacketFenceportaland nottheonededicatedforparking.Ifyouwanttheusertoaccessthenon-parkingportal,disable ShowparkingportalinConfiguration→Parking
Copyright©2016Inverseinc. Advancedtopics 91 Chapter13
Optionalcomponents
Blockingmaliciousactivitieswithviolations
Policyviolationsallowyoutorestrictclientsystemaccessbasedonviolationsofcertainpolicies.For example,ifyoudonotallowP2Ptypetrafficonyournetwork,andyouarerunningtheappropriate softwaretodetectitandtriggeraviolationforagivenclient,PacketFencewillgivethatclienta "blocked"pagewhichcanbecustomizedtoyourwishes.
Inordertobeabletoblockmaliciousactivities,installationandconfigurationofaPacketFence compatibleIDSisrequired.PacketFencecurrentlysupportSnort,SuricataandSecurityOnion.
Snort
Installation
The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFencerepository.Toinstallit,simplyrunthefollowingcommand:
yum install snort
Configuration
PacketFenceprovidesabasicsnort.conftemplatethatyoumayneedtoeditdependingofthe Snortversion.Thefileislocatedin/usr/local/pf/conf.Itisrarelynecessarytochangeanythingin thatfiletomakeSnortworkandtrapalerts.DONOTeditthesnort.conflocatedin/usr/local/ pf/var/conf,allthemodificationwillbedestroyedoneachPacketFencerestart.
Suricata
Installation
SincethesuricataIDSisnotpackagedwiththedistros(exceptmaybeFedora,whichwedonot officiallysupport),youneedtobuilditthe"old"way.
The OISF provides a really well written how-to for that. It’s available here: https:// redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Copyright©2016Inverseinc. Optionalcomponents 92 Chapter13
Note
TobenefittheOPSWATMetadefenderCloudintegration,Suricataneedstobebuilt withlibnss/libnsprsupport.MakesuretouseJSONoutput.Moreinformationon howtoachievethiscanbefoundthere:https://redmine.openinfosecfoundation.org/ projects/suricata/wiki/MD5
Configuration
Depending on whether or not Suricata is running on the PacketFence server, configuration is different.
Whenrunninglocally,PacketFenceprovidesabasicsuricata.yamlthatcanbemodifiedtosuit differentneeds.Thefileislocatedin/usr/local/pf/conf.
InthecasethatSuricataisrunningonaseparateserver,Suricataconfigurationwillhavetobe handledseparately,whichisnotthepurposeofthepresentguide. OPSWATMetadefenderCloud
ItispossibletotriggerviolationsbasedonthreatlevelofdownloadedfilesusingtheMetadefender CloudintegrationinconjunctionwiththeSuricataMD5extractionfeature.Withoutenteringinthe details,herearethebasicstepstomakeitwork.
First,anOPSWATportalaccountisrequiredtomakeuseoftheAPI.Suchaccountcanbeobtained throughtheOPSWATportal:https://portal.opswat.com.
OtherrequirementisaSuricataworkinginstallationbuiltwithlibnss/libnsprsupportasdescribed intheupper"Installation"section.
AlongwiththeOPSWATAPIkeyforMetadefenderCloud(theycallitLicenseKey)andtheworking Suricatainstallation,someconfiguration(PacketFencebasedANDSuricatabased)isalsorequired.
AssumingthatallthestepsforSuricataMD5extractionhavebeenfollowed,here’swhattodonext.
OntheSuricataserver(syslog-ngispreferredduetoeasierandmorepowerfulconfiguration.Ifnot installed,itmightbeanidea):
Configure/etc/syslog-ng/syslog-ng.confbyaddingthefollowingtoenablesendingMD5file storelogentriestoPacketFence:
### PacketFence / OPSWAT Metadefender Cloud integration # This line specifies where the files-json.log file is located # -> Make sure to configure the right path along with the right filename source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); }; # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 # -> Make sure to configure the right PacketFence management interface IP address destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); }; # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination log { source(s_suricata_files); destination(d_packetfence); };
Arestartofthesyslog-ngdaemonisrequired
Copyright©2016Inverseinc. Optionalcomponents 93 Chapter13
service syslog-ng restart
OnthePacketFenceserver:
ModifyrsyslogconfigurationtoallowincomingUDPpacketsbyuncommentingthefollowingtwo linesin/etc/rsyslog.conf:
$ModLoad imudp $UDPServerRun 514
Configure /etc/rsyslog.d/suricata_files.conf by adding the following which will enable receptionofSuricataMD5filestorelogentries:
if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files & ~
Makesurethereceivingalertpipe(FIFO)exists
mkfifo /usr/local/pf/var/suricata_files
Restartthersyslogdaemon
service rsyslog restart
Atthispoint,SuricatashouldbeabletoextractMD5checksumofdownloadedfilesandsendthe relatedlogentrytoPacketFence.
Aconfigurationofanewsyslogparseraswellassomeviolationsaretheonlyremainingstepsto makefullusageoftheOPSWATMetadefenderCloudintegration.
Configurationofanewsyslogparsershouldusethefollowings:
Type: suricata_http Alert pipe: the previously created alert pipe (FIFO) which is, in this case, / usr/local/pf/var/suricata_files
Configurationofanewviolationcanusethefollowingtriggertypes:
Type: metascan Triggers ID: The scan result returned by Metadefender Cloud online
Type: suricata_md5 Trigger ID: The MD5 hash returned by Suricata
SecurityOnion InstallationandConfiguration
SecurityOnionisaUbuntubasedsecuritysuite.Thelatestinstallationinstructionsareavailable directly from the Security Onion website,https://github.com/Security-Onion-Solutions/security- onion/wiki/Installation
Copyright©2016Inverseinc. Optionalcomponents 94 Chapter13
Sinceasecuritysuiteconsistsofmultiplepiecesofsoftwaretiedtogether,youmaybepromptedfor differentoptionsduringtheinstallationprocess.Adetailed"ProductionDeployment"guidecanalso befounddirectlyfromtheSecurityOnionwebsite:https://github.com/Security-Onion-Solutions/ security-onion/wiki/ProductionDeployment
PacketFenceintegration
OnceSecurityOnionisinstalledandminimallyconfigured,integrationwithPacketFenceisrequired tobeabletoraiseviolationsbasedonsensor(s)alerts.syslogisusedtoforwardsensor(s)alerts fromSecurityOniontothePacketFencedetectionmecanisms.
The simplest way is as follow (based on https://github.com/Security-Onion-Solutions/security- onion/wiki/ThirdPartyIntegration);
OntheSecurityOnionserver:
Note
Mustbedoneonthemasterserverrunningsguild.
Configure/etc/syslog-ng/syslog-ng.confbyaddingthefollowingtoenablesendingsguildlog entriestoPacketFence:
### PacketFence / IDS integration # This line specifies where the sguild.log file is located # -> Make sure to configure the right patch along with the right filename (on a Security Onion setup, that should be pretty much standard) source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); }; # This line filters on the string “Alert Received” filter f_sguil { match("Alert Received"); }; # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 # -> Make sure to configure the right PacketFence management interface IP address destination d_packetfence { udp("PACKENTFENCE_MGMT_IP" port(514)); }; # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };
Arestartofthesyslog-ngdaemonisthenrequired
service syslog-ng restart
OnthePacketFenceserver:
ModifyrsyslogconfigurationtoallowincomingUDPpacketsbyuncommentingthefollowingtwo linesin/etc/rsyslog.conf:
$ModLoad imudp $UDPServerRun 514
Copyright©2016Inverseinc. Optionalcomponents 95 Chapter13
Configure/etc/rsyslog.d/securityonion_ids.confbyaddingthefollowingswhichwillenable receptionofSecurityOnionsguildlogentries:
if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids & ~
Makesurethereceivingalertpipe(FIFO)exists
mkfifo /usr/local/pf/var/securityonion_ids
Restartthersyslogdaemon
service rsyslog restart
Atthispoint,SecurityOnionshouldbeabletosenddetectedalertslogentriestoPacketFence.
Aconfigurationofanewsyslogparseraswellassomeviolationsaretheonlyremainingstepsto makefullusageoftheSecurityOnionIDSintegration.
Configurationofanewsyslogparsershouldusethefollowings:
Type: security_onion Alert pipe: the previously created alert pipe (FIFO) which is, in this case, / usr/local/pf/var/securityonion_ids
Configurationofanewviolationcanusethefollowingtriggertypes:
Type: detect Triggers ID: The IDS triggered rule ID
Type: suricata_event Trigger ID: The rule class of the triggered IDS alert
Violations
InordertomakePacketFencereacttotheSnortalerts,youneedtoexplicitlytellthesoftwareto doso.Otherwise,thealertswillbediscarded.Thisisquitesimpletoaccomplish.Infact,youneed tocreateaviolationandaddtheSnortalertSIDinthetriggersectionofaViolation.
PacketFenceviolationsareconfiguredinConfiguration→Violations
Theexamplebelowwillguideyoutocreateaviolationthatwillisolatedevicethathavegenerated Peer-to-peer traffic and that are using Mac OSX or have a malware and are using Microsoft Windows Violationdefinition
Firstyouneedtoconfiguretheviolationdefinition
Copyright©2016Inverseinc. Optionalcomponents 96 Chapter13
Where:
▪ Enablediswhetherornottheviolationiscurrentlyactivated(shouldbeON). ▪ Identifier is the violation ID. Any integer except 1200000-120099 which is reserved for requiredadministrationviolations. ▪ Descriptionistheuserfriendlydescriptionoftheviolation. ▪ Actionsisthelistofactionstobeexecutedwhenthisviolationisraised.
▪ Unregister nodewillunregisterthenode.
▪ Send email to ownerwillemailtheviolationdetailstotheownerofthedevice.Willonlywork ifthepersonhasit’semailfieldpopulated.
▪ Send email to admin will email the violation details to the address specified in [alerting].emailaddr,using[alerting].smtpserver.Multipleemailaddrcanbesperated bycomma.
▪ Reevaluate accesswillplacethedeviceinthedestinationVLANconfiguredintheviolation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automaticallyclosed.
▪ Log messagewilllogtheviolationinthelogfiledefinedin[alerting].log.
▪ External commandwillexecuteacommandontheoperatingsystemwhenthisviolationis raised.
▪ Close a violationwillcloseanexistingviolationforthisdevicewhenthisoneisraised.
▪ Set rolewillmodifytheroleofthedevice.
Copyright©2016Inverseinc. Optionalcomponents 97 Chapter13
▪ Enforce provisioningwilltriggeracheckofcomplianceontheprovisionersdefinedforthe device. ▪ Prioritydefinestheorderontowhichviolationsshouldbehandledshouldtherebemorethan oneforadevice. ▪ Whitelisted Rolesisthelistofrolesthatarenotaffectedbythisviolation.
Triggers
Next,intheTriggerstab,youneedtodefinethetriggersthatwillraisetheviolation.Inthecase ofthisexampleitwillbethesetwocases:*AdevicethathasgeneratedPeer-to-peertrafficand thatisusingMACOSX.*AdevicethathasbeendetectedasbeingarogueDHCP.
Click the+ sign at the top right in order to create a new trigger, then in the dropdown select Suricata.
AmenuwillappearintowhichyoucanselectET P2PwhichwillmatchallP2PalertsfromSuricata.
Onceyouaddedthistrigger,selectDevicefromthedropdownandenter38whichisthedevice identifierforMacOSX.
Nexthitthe<button,thenthe+toaddanothertrigger.
SelectthetypeInternal,theninthemenuthatappearsbelowit,selectRogue DHCP detection andclickAdd.
Remediation
Next,intheRemediationtab,youcanconfigurethebehaviorwhenaclientgetsisolated.
Copyright©2016Inverseinc. Optionalcomponents 98 Chapter13
Where:
▪ Auto Enableiswhetherornottheusercanreleasetheviolationhimselfafteracknoledgingthe messageonthecaptiveportal. ▪ Max EnablesistheamountoftimeausercanusetheAuto Enablefunctionnality.Afterthis amountoftimes,hewillnotbeabletoreleasetheviolationanditwillhavetobemanuallyrelease byanadministratorusingthePacketFenceadministrationinterface. ▪ GraceisAmountoftimebeforetheviolationcanreoccur.Thisisusefultoallowhoststime(inthe example2minutes)todownloadtoolstofixtheirissue,orshutofftheirpeer-to-peerapplication. ▪ Dynamic Windowwillonlyworksforaccountingviolations.Theviolationwillbeopenedaccording tothetimeyousetintheaccountingviolation(ie.Youhaveanaccountingviolationfor10GB/ month.Ifyoubustthebandwidthafter3days,theviolationwillopenandthereleasedatewill besetforthelastdayofthecurrentmonth). ▪ Windowistheamountoftimebeforeaviolationwillbeclosedautomatically.Insteadofallowing peopletoreactivatethenetwork,youmaywanttoopenaviolationforadefinedamountof timeinstead.
Copyright©2016Inverseinc. Optionalcomponents 99 Chapter13
▪ Delay byisthedelaybeforetriggeringtheviolation. ▪ TemplateistheHTMLtemplatethehostwillberedirectedtowhileinviolation.Youcancreate newtemplatesfromthePortalProfilesconfigurationsection. ▪ Button textisthetextofthebuttonthatisusedwhentheuserisreleasingtheviolationdirectly fromthecaptiveportal. Advanced
IntheAdvancedtabyouconfigurethedestinationVLANofthedevicewhenithastheReevaluate accessactionanditsredirectionURLwhentheuserisreleased.
ComplianceChecks
PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks.SincePacketFencev5.1youarenowabletocreatemultiplesscanenginesconfiguration andassignthemonspecificcaptiveportals.Itmeanperexamplethatyouarenowabletoactivea scanforspecificOperatingSystemonlyonaspecificSSID.
Installation Nessus
Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed)inordertogettheplugins.
AfteryouinstalledNessus,followtheNessusdocumentationfortheconfigurationoftheNessus Server,andtocreateauserforPacketFence.
Note
You may run into some issue while using Nessus with the Net::Nessus::XMLRPC module(whichisthedefaultbehaviorinPacketFence).Pleaserefertothebugtracking systemformoreinformation.
OpenVAS
Pleasevisithttp://www.openvas.org/install-packages.html#openvas4_centos_atomictoconfigure thecorrectrepositorytobeabletoinstallthelatestOpenVASscanningengine.
Once installed, please make sure to follow the instructions to correctly configure the scanning engineandcreateascanconfigurationthatwillfityourneeds.You’llalsoneedtocreateauserfor PacketFencetobeabletocommunicatewiththeserver.
ItisimportanttogetthecorrectscanconfigIDandNBEreportformatIDtopopulatetheparameters inthePacketFenceconfigurationfile.TheeasiestwaytogettheseIDsisbydownloadingbothof thescanconfigurationandreportformatfromtheOpenVASwebguiandretrievetheIDsinthe filenames.
Copyright©2016Inverseinc. Optionalcomponents 100 Chapter13
Forexamplereport-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xmlgivesreportformatID f5c2a364-47d2-4700-b21d-0a7693daddab. WMI
YoujusthavetoenablewmioneachwindowsdeviceswithaGPOfromActiveDirectory.
Configuration
In order for the compliance checks to correctly work with PacketFence (communication and generateviolationsinsidePacketFence),youneedtoconfigurethesesections: ScannerDefinition
FirstgoinConfigurationandScannerDefinition:
Thenaddascan:
Therearecommonparametersforeachscanengines:
Name: the name of your scan engine Roles: Only devices with these role(s) will be affected (Optional) OS: Only devices with this Operating System will be affected (Optional) Duration: Approximate duration of scan (Progress bar on the captive portal) Scan before registration: Trigger the scan when the device appear on the registration vlan Scan after registration: Trigger the scan just after registration on the captive portal Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic) 802.1x: Even if the auto-registration has been enabled, the scan will be trigger on a EAP connection 802.1x types: comma delimited EAP type that will trigger the scan if 802.1x above has been enabled
SpecifictoNessus:
Hostname or IP Address: Hostname or IP Address where Nessus is running Username: Username to connect to Nessus scan Password: Password to connect to Nessus scan Port of the service: port to connect (default 8834) Nessus client policy: the name of the policy to use for the scan (Must be define on the Nessus server)
SpecifictoOpenVAS:
Hostname or IP Address: Hostname or IP Address where OpenVAS is running Username: Username to connect to OpenVAS scan Password: Password to connect to OpenVAS scan Port of the service: port to connect (default 9390) OpenVAS config ID: the ID of scanning configuration on the OpenVAS server
Copyright©2016Inverseinc. Optionalcomponents 101 Chapter13
SpecifictoWMI:
Username: A username from Active Directory that is allowed to connect to wmi Domain: Domain of the Active Directory Password: Password of the account WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition
WMIRulesDefinition
IfyouhaveconfiguredaWMIscanenginethenyouneedtodefineWMIRules.WMIisasortof databaseoneachwindowsdevices,toretreiveinformationonthedeviceyouneedtoknowthesql request.InordertohelpyoutofindandmakearuleyoucanuseathirdpartytoollikeWMIExplorer.
Goinconfiguration→WMIRulesDefinition:
Therearealready3rulesdefined:
Software_Installed logged_user Process_Running
Let’staketheSoftware_Installedrule:
request: select * from Win32_Product
Rules Actions:
[Google] attribute = Caption operator = match value =Google
[1:Google] action=trigger_violation action_param = mac = $mac, tid = 888888, type = INTERNAL
Thisrulewilldothefollowing:
retreive all the installed software on the device and test if the attribute Caption contain Google. if it matched then we will trigger a violation (with the trigger internal::888888) for the mac address of the device.
Thesecondone,logged_user:
request: select UserName from Win32_ComputerSystem
Copyright©2016Inverseinc. Optionalcomponents 102 Chapter13
Rules Actions:
[UserName] attribute = UserName operator = match value = (.*)
[1:UserName] action = dynamic_register_node action_param = mac = $mac, username = $result->{'UserName'}
Thisrulewilldothefollowing:
retreive the current logged user on the device and register the device based on the user account.
Thelastone,Process_Running:
request: select Name from Win32_Process
Rules Actions:
[explorer] attribute = Name operator = match value = explorer.exe
[1:explorer] action = allow
Thisrulewilldothefollowing:
retreive all the running process on the device and if one match explorer.exe then we bypass the scan.
▪ Rulessyntax
the syntax of the rules are simple to understand:
the request is the sql request you will launch on the remote device, you must know what the request will return to write the test.
Inside the Rules Actions we define 2 sorts of blocs: The test bloc (ie [explorer]) and the action bloc (ie [1:explorer])
Copyright©2016Inverseinc. Optionalcomponents 103 Chapter13
The test bloc is a simple test based on the result of the request: - attribute is the attribute you want to test - operator can be: is is_not match match_not - value is the value you want to compare
Feel free to define multiples test blocs
The action bloc is where you will define your logic, per example let's take this one [1:google&explorer], this mean that if the google test is true and explorer is true then we execute the action. The logic can be more complex and can be something like that [1:!google| (explorer&memory)] that mean if not google or (explorer and memory)
Violationsdefinition
Youneedtocreateanewviolationsectionandhavetospecify:
UsingNessus:
trigger=Nessus::
UsingOpenVAS:
trigger=OpenVAS::
WhereviolationIdiseithertheIDoftheNessuspluginortheOIDoftheOpenVASplugintocheck for.Onceyouhavefinishedtheconfiguration,youneedtoreloadtheviolationrelateddatabase contentsusing:
$ pfcmd reload violations
Note
Violationswilltriggerifthepluginishigherthanalowseverityvulnerability.
AssignScandefinitiontoportalprofiles
Thelaststepistoassignoneormorescanneryouconfiguredtooneormoreportalprofiles.Goin Configuration→PortalProfiles→EditaPortal→AddScan
HostingNessus/OpenVASremotely
BecauseoftheCPUintensivenatureofanautomatedvulnerabilityassessment,werecommendthat itishostedonaseparateserverforlargeenvironments.Todoso,acoupleofthingsarerequired:
Copyright©2016Inverseinc. Optionalcomponents 104 Chapter13
▪ PacketFence needs to be able to communicate to the server on the port specified by the vulnerabilityengineused ▪ Thescanningserverneedtobeabletoaccessthetargets.Inotherwords,registrationVLAN accessisrequiredifscanonregistrationisenabled.
IfyouareusingtheOpenVASscanningengine:
▪ ThescanningserverneedtobeabletoreachPacketFence’sAdmininterface(onport1443by default)byitsDNSentry.OtherwisePacketFencewon’tbenotifiedofcompletedscans. ▪ YoumusthaveavalidSSLcertificateonyourPacketFenceserver
IfyouareusingtheNessusscanningengine:
▪ YoujusthavetochangethehostvaluebytheNessusserverIP.
RADIUSAccounting
RADIUSAccountingisusuallyusedbyISPstobillclients.InPacketFence,weareabletousethis informationtodetermineifthenodeisstillconnected,howmuchtimeithasbeenconnected,and howmuchbandwitdhtheuserconsumed.
Violations
UsingPacketFence,itispossibletoaddviolationstolimitbandwidthabuse.Theformatofthe triggerisverysimple:
Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]
Let’sexplaineachchunkproperly:
▪ DIRECTION:Youcaneithersetalimittoinbound(IN),outbound(OUT),ortotal(TOT)bandwidth ▪ LIMIT: You can set a number of bytes(B), kilobytes(KB), megabytes(MB), gigabytes(GB), or petabytes(PB) ▪ INTERVAL:Thisisactuallythetimewindowwewilllookforpotentialabuse.Youcansetanumber ofdays(D),weeks(W),months(M),oryears(Y). Exampletriggers
▪ LookforIncoming(Download)trafficwitha50GB/month
Accounting::IN50GB1M
▪ LookforOutgoing(Upload)trafficwitha500MB/day
Accounting::OUT500MB1D
▪ LookforTotal(Download+Upload)trafficwitha200GBlimitinthelastweek
Copyright©2016Inverseinc. Optionalcomponents 105 Chapter13
Accounting::TOT200GB1W
Graceperiod
Whenusingsuchviolationfeature,settingthegraceperiodisreallyimportant.Youdon’twantto putittoolow(ie.Auserre-enablehisnetwork,andgetcaughtafter1bytesistranmitted!)ortoo high.Werecommendthatyousetthegraceperiodtooneintervalwindow.
Oinkmaster
Oinkmasterisaperlscriptthatenablesthepossibilitytoupdatethedifferentsnortrulesveryeasily. Itissimpletouse,andinstall.ThissectionwillshowyouhowtoimplementOinkmastertowork withPacketFenceandSnort.
Pleasevisithttp://oinkmaster.sourceforge.net/download.shtmltodownloadoinkmaster.Asample oinkmasterconfigurationfileisprovidedat/usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
HerearethestepstomakeOinkmasterwork.Wewillassumethatyoualreadydownloadedthe newestoinkmasterarchive:
1. UntarthefreshlydownloadedOinkmaster
2. Copytherequiredperlscriptsinto/usr/local/pf/oinkmaster.Youneedtocopyovercontrib andoinkmaster.pl
3. Copytheoinkmaster.confprovidedbyPacketFence(seethesectionabove)in/usr/local/pf/ conf
4. Modifytheconfigurationtosuityourownneeds.Currently,theconfigurationfileissettofetch thebleedingrules.
Rulesupdate
InordertogetperiodicupdatesforPacketFenceSnortrules,wesimplyneedtocreateacrontab entrywiththerightinformation.Theexamplebelowshowsacrontabentrytofetchtheupdates dailyat23:00PM:
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/ oinkmaster.conf -o conf/snort/)
Copyright©2016Inverseinc. Optionalcomponents 106 Chapter13
GuestsManagement
PacketFencesupportstheabilitytomanageguestsbyestablishingexpiredatesandassigndifferent roleswhichwillpermitdifferentaccessestothenetworkresources.
Guestscanself-registerthemselvesusinganactivationcodesenttotheirmobilephoneortheycan usetheiremailaddressandreceiveandactivationlinktoactivatetheirnetworkaccess.
PacketFencehastheoptiontohaveguestssponsoredtheiraccessbylocalstaff.Onceaguest requestsasponsoredaccessanemailissenttothesponsorandthesponsormustclickonalink andauthenticateinordertoenablehisaccess.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmationbyemailandbyasponsorarethetwopre-registrationtechniquessupportedatthis point.
TheadminGUIallowPacketFenceadministratorsorguestsmanagerstocreatesingleaccounts, multipleaccountsusingaprefix(ie.:guest1,guest2,guest3…)orimportdatafromaCSVtocreate accounts.Accessdurationandexpectedarrivaldatearealsocustomizable.
Usage
Guestself-registration
Self-registrationisenabledbydefault.Itispartofthecaptiveportalprofileandcanbeaccessedon theregistrationpagebyclickingtheSignuplink.
Copyright©2016Inverseinc. Optionalcomponents 107 Chapter13
Managedguests
Partofthewebadministrationinterface,theguestsmanagementinterfaceisenabledbydefault. ItisaccessiblethroughtheUsers→Createmenu. Guestpre-registration
Pre-registrationisdisabledbydefault.Onceenabled,PacketFence’sfirewallandApacheACLsallow accesstothe/signuppageontheportalevenfromaremotelocation.Allthatshouldberequired fromtheadministratorsistoopenuptheirperimeterfirewalltoallowaccesstoPacketFence’s managementinterfaceIPonport443andmakesureadomainnametoreachsaidIPisconfigured (andthattheSSLcertmatchesit).Thenyoucanpromotethepre-registrationlinkfromyourextranet website:https://
Caution
Pre-registrationincreasestheattacksurfaceofthePacketFencesystemsinceasubset ofit’sfunctionnalityisexposedontheInternet.Makesureyouunderstandtherisks, applythecriticaloperatingsystemupdatesandapplyPacketFence’ssecurityfixes.
Note
Aportalinterfacetypeisrequiredtousethisfeature.Aportalinterfacetypecanbe addedtoanynetworkinterfaceusingthewebadminGUI.
Copyright©2016Inverseinc. Optionalcomponents 108 Chapter13
Configuration Guestself-registration
Itispossibletomodifythedefaultvaluesoftheguestself-registrationfeaturebyediting/usr/ local/pf/conf/pf.conf.
Defaultvaluesarelocatedin/usr/local/pf/conf/pf.conf.defaultsanddocumentationforevery settingsisavailablein/usr/local/pf/conf/documentation.conf.
[guests_self_registration] guest_pid=email preregistration=disabled
TheseparameterscanalsobeconfiguredfromtheConfiguration→SelfRegistrationsectionof theWebadmininterface.
Availableregistrationmodesaredefinedonaper-portal-profilebasis.Theseareconfigurablefrom Configuration→PortalProfiles. Todisable the self-registration feature, simply remove all self- registrationsourcesfromtheportalprofiledefinition.Noticehoweverthatifyourdefaultportal profilehasnosource,itwilluseallauthenticationsources.
Caution
AvalidMTAconfiguredinPacketFenceisneededtocorrectlyrelayemailsrelatedto theguestmodule.Iflocalhostisusedassmtpserver,makesurethataMTAisinstalled andconfiguredontheserver.
Note
Aportalinterfacetypeisrequiredtousethisfeature.Aportalinterfacetypecanbe addedtoanynetworkinterfaceusingthewebadminGUI.
Self-registered guests are added under the users tab of the PacketFence Web administration interface. Managedguests
ItispossibletomodifythedefaultvaluesoftheguestscreatedfromtheWebadmininterfaceby editing/usr/local/pf/conf/pf.conf.
Defaultvaluesarelocatedin/usr/local/pf/conf/pf.conf.defaultsanddocumentationforevery settingsisavailablein/usr/local/pf/conf/documentations.conf.
[guests_admin_registration] access_duration_choices=1h,3h,12h,1D,2D,3D,5D default_access_duration=12h
Theformatofthedurationisasfollow:
Copyright©2016Inverseinc. Optionalcomponents 109 Chapter13
Let’sexplainthemeaningofeachparameter:
▪ DURATION:anumbercorrespondingtotheperiodduration. ▪ DATETIME_UNIT:acharactercorrespondingtotheunitsofthedateortimeduration;eithers (seconds),m(minutes),h(hours),D(days),W(weeks),M(months),orY(years). ▪ PERIOD_BASE:eitherF(fixed)orR(relative).Arelativeperiodiscomputedfromthebeginningof theperiodunit.WeeksstartonMonday. ▪ OPERATOR:either+or-.Thedurationfollowingtheoperatorisaddedorsubtractedfromthebase duration. ▪ DATE_UNIT:acharactercorrespondingtotheunitsoftheextendedduration.Limitedtodateunits (D(days),W(weeks),M(months),orY(years)).
TheseparameterscanalsobeconfiguredfromtheConfiguration→AdminRegistrationsectionof theWebadmininterface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access durationofusers,changetheirpasswordandmore. Guestpre-registration
Tominimallyconfigureguestpre-registration,youmustmakesurethatthefollowingstatementis setunder[guests_self_registration]in/usr/local/pf/conf/pf.conf:
[guests_self_registration] preregistration=enabled
ThisparametercanalsobeconfiguredfromtheConfiguration→SelfRegistrationsection.
Finally,itisadvisedthatyoureadthewholeguestself-registrationsectionsincepre-registrationis simplyatwistoftheself-registrationprocess.
Caution
AvalidMTAconfiguredinPacketFenceisneededtocorrectlyrelayemailsrelatedto theguestmodule.Iflocalhostisusedassmtpserver,makesurethataMTAisinstalled andconfiguredontheserver.
ActiveDirectoryIntegration
DeletedAccount
Createthescriptunreg_node_deleted_account.ps1ontheWindowsServerwiththefollowing content.Makesuretochange@IP_PACKETFENCEtotheIPaddressofyourPacketFenceserver.You’ll alsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedinthe WebadmininterfaceunderConfiguration→WebServices.
Copyright©2016Inverseinc. Optionalcomponents 110 Chapter13
######################################################################################### #Powershell script to unregister deleted Active Directory account based on the UserName.# #########################################################################################
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name"| % { $url = "https://@IP_PACKETFENCE:9090/" $username = "admin" # Username for the webservices $password = "admin" # Password for the webservices [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
$bytes = [System.Text.Encoding]::ASCII.GetBytes($command) $web = [System.Net.WebRequest]::Create($url) $web.Method = "POST" $web.ContentLength = $bytes.Length $web.ContentType = "application/json-rpc" $web.Credentials = new-object System.Net.NetworkCredential($username, $password) $stream = $web.GetRequestStream() $stream.Write($bytes,0,$bytes.Length) $stream.close()
$reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream() $reader.ReadToEnd() $reader.Close() }
CreatethescheduledtaskbasedonaneventID
Start→Run→Taskschd.msc
TaskScheduler→TaskSchedulerLibrary→EventViewerTask→CreateTask
General
Name: PacketFence-Unreg_node-for-deleted-account Check: Run whether user is logged on or not Check: Run with highest privileges
Triggers→New
Begin on the task: On an event Log: Security Source: Microsoft Windows security auditing. Event ID: 4726
Actions→New
Copyright©2016Inverseinc. Optionalcomponents 111 Chapter13
Action: Start a program Program/script: powershell.exe Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.
ValidatewithOkandgivetheaccountwhowillrunthistask.(UsuallyDOMAIN\Administrator)
DisabledAccount
Createthescriptunreg_node_disabled_account.ps1ontheWindowsServerwiththefollowing content.Makesuretochange@IP_PACKETFENCEtotheIPaddressofyourPacketFenceserver.You’ll alsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedinthe WebadmininterfaceunderConfiguration→WebServices.
########################################################################################## #Powershell script to unregister disabled Active Directory account based on the UserName.# ##########################################################################################
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name"| % { $url = "https://@IP_PACKETFENCE:9090/" $username = "admin" # Username for the webservices $password = "admin" # Password for the webservices [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
$bytes = [System.Text.Encoding]::ASCII.GetBytes($command) $web = [System.Net.WebRequest]::Create($url) $web.Method = "POST" $web.ContentLength = $bytes.Length $web.ContentType = "application/json-rpc" $web.Credentials = new-object System.Net.NetworkCredential($username, $password) $stream = $web.GetRequestStream() $stream.Write($bytes,0,$bytes.Length) $stream.close()
$reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream() $reader.ReadToEnd() $reader.Close()
}
Copyright©2016Inverseinc. Optionalcomponents 112 Chapter13
CreatethescheduledtaskbasedonaneventID
Start→Run→Taskschd.msc
TaskScheduler→TaskSchedulerLibrary→EventViewerTask→CreateTask
General
Name: PacketFence-Unreg_node-for-disabled-account Check: Run whether user is logged on or not Check: Run with highest privileges
Triggers→New
Begin on the task: On an event Log: Security Source: Microsoft Windows security auditing. Event ID: 4725
Actions→New
Action: Start a program Program/script: powershell.exe Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel"
ValidatewithOkandgivetheaccountwhowillrunthistask.(UsuallyDOMAIN\Administrator)
LockedAccount
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content.Makesuretochange@IP_PACKETFENCEtotheIPaddressofyourPacketFenceserver.You’ll alsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedinthe WebadmininterfaceunderConfiguration→WebServices.
Copyright©2016Inverseinc. Optionalcomponents 113 Chapter13
######################################################################################### #Powershell script to unregister locked Active Directory account based on the UserName.# #########################################################################################
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name"| % { $url = "https://@IP_PACKETFENCE:9090/" $username = "admin" # Username for the webservices $password = "admin" # Password for the webservices [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
$bytes = [System.Text.Encoding]::ASCII.GetBytes($command) $web = [System.Net.WebRequest]::Create($url) $web.Method = "POST" $web.ContentLength = $bytes.Length $web.ContentType = "application/json-rpc" $web.Credentials = new-object System.Net.NetworkCredential($username, $password) $stream = $web.GetRequestStream() $stream.Write($bytes,0,$bytes.Length) $stream.close()
$reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream() $reader.ReadToEnd() $reader.Close()
}
CreatethescheduledtaskbasedonaneventID
Start→Run→Taskschd.msc
TaskScheduler→TaskSchedulerLibrary→EventViewerTask→CreateTask
General
Name: PacketFence-Unreg_node-for-locked-account Check: Run whether user is logged on or not Check: Run with highest privileges
Triggers→New
Begin on the task: On an event Log: Security Source: Microsoft Windows security auditing. Event ID: 4740
Copyright©2016Inverseinc. Optionalcomponents 114 Chapter13
Actions→New
Action: Start a program Program/script: powershell.exe Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel"
ValidatewithOkandgivetheaccountwhowillrunthistask.(UsuallyDOMAIN\Administrator)
DHCPremotesensor
TheDHCPremotesensorconsistsofalightweightbinarythatisinstalledonyourproductionDHCP serverinordertoreplicatetheDHCPtraffic1to1tothePacketFenceserver.Thissolutionismore reliablethantheDHCPrelayingsincePacketFencereceivesacopyofallyourDHCPtrafficand notonlythebroadcastedDHCPtraffic.SupportedDHCPserversareMicrosoftDHCPserverand CentOS6and7.
ThesesensorsworkbycapturingthepacketsatthelowestlevelpossibleonyourDHCPserverand forwardthemtothePacketFencemanagementinterface
MicrosoftDHCPsensor
YouwillfirstneedtodownloadandinstallWinPcapavailablefromhttp://www.winpcap.org/install/
YouwillalsoneedtodownloadandinstallMicrosoftVisualC++2010Redistributableavailablefrom http://www.microsoft.com/download/details.aspx?id=5555
Note
You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributableevenifyouareusinga64-bitoperatingsystem.
Then get the remote sensor from Inverse’s download website http://inverse.ca/downloads/ PacketFence/udp-reflector/udp_reflector.exe
CreatethedirectoryC:\udp-reflectorandmovethedownloadedfileinside.
Nowwewillcreateaservicesothereflectorstartsonboot.
Firstdownloadandunzipnssmfromhttps://nssm.cc/download
Nextcreateabatchfileudpreflector.batinC:\udp-reflectorthatcontain:C:\udp-reflector \udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000
Wherepcap0 is the interface where your DHCP is listening (use C:\udp-reflector \udp_reflector.exe -ltolistinterfaces)
Copyright©2016Inverseinc. Optionalcomponents 115 Chapter13
Thenrunnssm install udpreflector
InApplication:
▪ InPathsetittoC:\udp-reflector\udpreflector.bat ▪ InStartupdirectorysetittoC:\udp-reflector\ ▪ InArgumentssetittonothing
InDetails:
▪ InStartuptypeselectAutomatic
InLogon:
▪ InLogonasselectLocalSystemaccount
ThenpressInstallservice
TheDHCPtrafficshouldnowbereflectedonyourPacketFenceserver.
Linuxbasedsensor
FirstdownloadtheRPMonyourDHCPserver. CentOS6and7servers
ForCentOS6:
# for x86_64 # wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp- reflector-1.0-6.1.x86_64.rpm
ForCentOS7:
# for x86_64 # wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp- reflector-1.0-6.1.x86_64.rpm
Nowinstallthesensor:
# rpm -i udp-reflector-*.rpm
CompilingthesensorfromsourceonaLinuxsystem
Firstmakesureyouhavethefollowingpackagesinstalled:
▪ libpcap ▪ libpcap-devel ▪ gcc-c++
Getthesourcecodeofthesensor:
Copyright©2016Inverseinc. Optionalcomponents 116 Chapter13
# mkdir -p ~/udp-reflector && cd ~/udp-reflector # wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp # g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap
Configuringthesensor
Placethefollowinglinein/etc/rc.local
▪ wherepcap0 is the pcap interface where your DHCP server listens on. (List them using udp_reflector -l) ▪ where192.168.1.5isthemanagementIPofyourPacketFenceserver
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
Startthesensor:
# /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
TheDHCPtrafficshouldnowbereflectedonyourPacketFenceserver.
Switchloginaccess
PacketFenceisabletoactasanauthenticationandauthorizationserviceforgrantingcommand-line interface(CLI)accesstoswitches.PacketFencecurrentlysupportsCiscoswitchesandthesemustbe configuredusingthefollowingguide:http://www.cisco.com/c/en/us/support/docs/security-vpn/ remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html From the PacketFence’s web admin interface, you must configure an Admin Access role (Configuration→Adminaccess)thatcontainstheactionSwitchesCLI-ReadorSwitchesCLI-Write andassignthisroletoaninternaluserorinanAdministrationruleinaninternalsource.
Copyright©2016Inverseinc. Optionalcomponents 117 Chapter14
OperatingSystemBestPractices
IPTables
IPTablesisnowentirelymanagedbyPacketFence.However,ifyouneedtoperformsomecustom rules, you can modify conf/iptables.conf to your own needs. However, the default template shouldworkformostusers.
LogRotations
PacketFencecangeneratealotoflogentriesinhugeproductionenvironments.Thisiswhywe recommendtouselogrotatetoperiodicallyrotateyourlogs.Aworkinglogrotatescriptisprovided withthePacketFencepackage.Thisscriptislocatedin/usr/local/pf/addons,andit’sconfigured to do a weekly log rotation and keeping old logs with compression. It has been added during PacketFenceinitialinstallation.
Copyright©2016Inverseinc. OperatingSystemBestPractices 118 Chapter15
Performanceoptimization
SNMPTrapsLimit
PacketFencemainlyrelyonSNMPtrapstocommunicatewithequipment.Duetothefactthattraps cominginfromapproved(configured)devicesareallprocessedbythedaemon,itispossiblefor someonewhowanttogenerateacertainloadonthePacketFenceservertoforcethegeneration ofnon-legitimateSNMPtrapsoraswitchcanrandomlygenerateahighquantityoftrapssentto PacketFenceforanunknownreason.
Becauseofthat,itispossibletolimitthenumberofSNMPtrapscominginfromasingleswitchport andtakeactionifthatlimitisreached.Forexample,ifover100trapsarereceivedbyPacketFence fromthesameswitchportinaminute,theswitchportwillbeshutandanotificationemailwill besent.
Here’sthedefaultconfigfortheSNMPtrapslimitfeature.Asyoucansee,bydefault,PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurationsareintheconf/pf.conffile:
[vlan] trap_limit = enabled trap_limit_threshold = 100 trap_limit_action =
Alternatively,youcanconfiguretheseparametersfromthePacketFenceWebadministrativeGUI, intheConfiguration→SNMPsection.
MySQLoptimizations
TuningMySQL
Ifyou’rePacketFencesystemisactingveryslow,thiscouldbeduetoyourMySQLconfiguration. Youshoulddothefollowingtotuneperformance:
Checkthesystemload
# uptime 11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Copyright©2016Inverseinc. Performanceoptimization 119 Chapter15
CheckiostatandCPU
# iostat 5 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 3.20 20.20 76.00 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 32.40 0.00 1560.00 0 7800 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.20 9.20 88.00 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 7.80 0.00 73.60 0 368 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 1.80 23.80 73.80 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 31.40 0.00 1427.20 0 7136 avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.40 18.16 78.84 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 27.94 0.00 1173.65 0 5880
Asyoucansee,theloadis1.25andIOWaitispeakingat20%-thisisnotgood.IfyourIOwait islowbutyourMySQListaking+%50CPUthisisalsonotgood.CheckyourMySQLinstallfor thefollowingvariables:
mysql> show variables; | innodb_additional_mem_pool_size | 1048576 | | innodb_autoextend_increment | 8 | | innodb_buffer_pool_awe_mem_mb | 0 | | innodb_buffer_pool_size | 8388608 |
PacketFencereliesheavilyonInnoDB,soyoushouldincreasethebuffer_poolsizefromthedefault values.
ShutdownPacketFenceandMySQL
# /etc/init.d/packetfence stop Shutting down PacketFence... [...] # /etc/init.d/mysql stop Stopping MySQL: [ OK ]
Edit/etc/my.cnf(oryourlocalmy.cnf):
Copyright©2016Inverseinc. Performanceoptimization 120 Chapter15
[mysqld] # Set buffer pool size to 50-80% of your computer's memory innodb_buffer_pool_size=800M innodb_additional_mem_pool_size=20M innodb_flush_log_at_trx_commit=2 innodb_file_per_table # allow more connections max_connections=700 # set cache size key_buffer_size=900M table_cache=300 query_cache_size=256M # enable slow query log log_slow_queries = ON
StartupMySQLandPacketFence
# /etc/init.d/mysqld start Starting MySQL: [ OK ] # /etc/init.d/packetfence start Starting PacketFence... [...]
Wait10minutesforPacketFencetoinitialthenetworkmapandre-checkiostatandCPU
# uptime 12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52 # iostat 5 Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 8.00 0.00 75.20 0 376
avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.99 13.37 83.03
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 14.97 0.00 432.73 0 2168 avg-cpu: %user %nice %sys %iowait %idle 0.20 0.00 2.60 6.60 90.60
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtn cciss/c0d0 4.80 0.00 48.00 0 240
MySQLoptimizationtool
WerecommendthatyouruntheMySQLTuneronyourdatabasesetupafteracoupleofweeks tohelpyouidentifyMySQLconfigurationimprovement.ThetoolisbundledwithPacketFenceand canberunfromthecommand-line:
# /usr/local/bin/pftest mysql
Copyright©2016Inverseinc. Performanceoptimization 121 Chapter15
Keepingtablessmall
Overtime,someofthetableswillgrowlargeandthiswilldragdownperformance(thisisespecially trueonawirelesssetup).
Onesuchtableisthelocationlogtable.Werecommendthatclosedentriesinthistablebemoved to the archive table locationlog_archive after some time. A closed record is one where the end_timefieldissettoadate(stricklyspeakingitiswhenend_timeisnotnullandnotequalsto0).
Weprovideascriptcalleddatabase-backup-and-maintenance.shlocatedinaddons/thatperforms thiscleanupinadditiontooptimizetablesonSundayanddailybackups.
Avoid"Toomanyconnections"problems
Inawirelesscontext,theretendstobealotofconnectionsmadetothedatabasebyourfreeradius module.ThedefaultMySQLvaluetendtobelow(100)soweencourageyoutoincreasethat valuetoatleast300.Seehttp://dev.mysql.com/doc/refman/5.0/en/too-many-connections.htmlfor details.
Avoid"Host
Inawirelesscontext,theretendtobealotofconnectionsmadetothedatabasebyourfreeradius module.Whentheserverisloaded,theseconnectionattemptscantimeout.Ifaconnectiontimes outduringconnection,MySQLwillconsiderthisaconnectionerrorandafter10ofthese(bydefault) hewilllockthehostoutwitha:
Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
This will grind PacketFence to a halt so you want to avoid that at all cost. One way to do so istoincreasethenumberofmaximumconnections(seeabove),toperiodicallyflushhostsorto allowmoreconnectionerrors.Seehttp://dev.mysql.com/doc/refman/5.0/en/blocked-host.htmlfor details.
CaptivePortalOptimizations
Avoidcaptiveportaloverloadduetonon-browser HTTPrequests
BydefaultwealloweveryquerytoberedirectedandreachPacketFenceforthecaptiveportal operation.Inalotofcases,thismeansthatalotofnon-userinitiatedqueriesreachPacketFence andwasteitsresourcesfornothingsincetheyarenotfrombrowsers.(iTunes,Windowsupdate, MSNMessenger,GoogleDesktop,…).
Copyright©2016Inverseinc. Performanceoptimization 122 Chapter15
Sinceversion4.3ofPacketFence,youcandefineHTTPfiltersforApachefromtheconfiguration ofPacketFence.
Someruleshavebeenenabledbydefault,likeonetorejectrequestswithnodefineduseragent. Allrules,includingsomeexamples,aredefinedintheconfigurationfileapache_filters.conf.
Filtersaredefinedwithatleasttwoblocks.Firstarethetests.Forexample:
[get_ua_is_dalvik] filter = user_agent method = GET operator = match value = Dalvik
[get_uri_not_generate204] filter = uri method = GET operator = match_not value = /generate_204
Thelastblockdefinestherelationshipbetweenthetestsandthedesiredaction.Forexample:
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204] action = 501 redirect_url =
Thisfilterwillreturnanerrorcode(501)iftheuseragentisDalvikandtheURIdoesn’tcontain _/generate_204.
DashboardOptimizations(statisticscollection)
The collection and aggregation of statistics in the whisper database can be I/O intensive per moment.Thismeansthatitcanbebeneficialtoseperatethemonanotherdiskevenifitisavirtual diskthatwillsharethesameunderlyingphysicaldisk.
First,addadiskinyourvirtualmachineorbaremetalserverandreboot(thisexamplewilluse/dev/ sdbasthenewdevice.
Makesurepacketfenceisstopped:
# service packetfence stop
Createanext4partition:
# mkfs.ext4 /dev/sdb
Thenmovetheolddatabasestoabackuppoint:
Copyright©2016Inverseinc. Performanceoptimization 123 Chapter15
# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak
Mountyournewdiskandcheckthatitismounted:
# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab # mkdir /usr/local/pf/var/graphite # mount -a # dh -h
Applytheproperuserrightsandrestoreyourdatabasefromyourbackup
# chown pf.pf /usr/local/pf/var/graphite # cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/
Startpacketfenceandmakesureyourstatsarestillthereandbeingcollectedproperly.Thenremove thebackupyoumaderm -fr /usr/local/pf/var/graphite.bak/.
Copyright©2016Inverseinc. Performanceoptimization 124 Chapter16
AdditionalInformation
Formoreinformation,pleaseconsultthemailingarchivesorpostyourquestionstoit.Fordetails, see:
▪ [email protected]: Public announcements (new releases, security warningsetc.)regardingPacketFence
▪ [email protected]:DiscussionofPacketFencedevelopment
▪ [email protected]:Userandusagediscussions
Copyright©2016Inverseinc. AdditionalInformation 125 Chapter17
CommercialSupportandContact Information
For any questions or comments, do not hesitate to contact us by writing an email to: [email protected].
Inverse(http://inverse.ca)offersprofessionalservicesaroundPacketFencetohelporganizations deploythesolution,customize,migrateversionsorfromanothersystem,performancetuningor aligningwithbestpractices.
Hourlyratesorsupportpackagesareofferedtobestsuityourneeds.
Pleasevisithttp://inverse.ca/fordetails.
CommercialSupport Copyright©2016Inverseinc. andContactInformation 126 Chapter18
GNUFreeDocumentationLicense
Pleaserefertohttp://www.gnu.org/licenses/fdl-1.2.txtforthefulllicense.
Copyright©2016Inverseinc. GNUFreeDocumentationLicense 127 Chapter18
AppendixA.AdministrationTools
pfcmd
pfcmdisthecommandlineinterfacetomostPacketFencefunctionalities.
Whenexecutedwithoutanyargumentspfcmdreturnsabasichelpmessagewithallmainoptions:
Copyright©2016Inverseinc. AdministrationTools 128 Chapter18
Usage: pfcmd
Commands cache | manage the cache subsystem checkup | perform a sanity checkup and report any problems class | view violation classes configfiles | push or pull configfiles into/from database configreload | reload the configution floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters help | show help for pfcmd commands ifoctetshistorymac | accounting history ifoctetshistoryswitch | accounting history ifoctetshistoryuser | accounting history import | bulk import of information into the database ipmachistory | IP/MAC history locationhistorymac | Switch/Port history locationhistoryswitch | Switch/Port history networkconfig | query/modify network configuration parameters node | manipulate node entries pfconfig | interact with pfconfig portalprofileconfig | query/modify portal profile configuration parameters reload | rebuild fingerprint or violations tables without restart service | start/stop/restart and get PF daemon status schedule | Nessus scan scheduling switchconfig | query/modify switches.conf configuration parameters version | output version information violationconfig | query/modify violations.conf configuration parameters
Please view "pfcmd help
Thenodeviewoptionshowsallinformationcontainedinthenodedatabasetableforaspecified MACaddress
# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02 mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername| notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint 52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlanisthecommandlineinterfacetomostVLANisolationrelatedfunctionality.
Copyright©2016Inverseinc. AdministrationTools 129 Chapter18
Again,whenexecutedwithoutanyarguments,ahelpscreenisshown.
Usage: pfcmd_vlan command [options]
Command: -deauthenticate de-authenticate a dot11 client -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x) -getAlias show the description of the specified switch port -getAllMACs show all MACS on all switch ports -getHubs show switch ports with several MACs -getIfOperStatus show the operational status of the specified switch port -getIfType show the ifType on the specified switch port -getLocation show at which switch port the MAC is found -getSwitchLocation show SNMP location of specified switch -getMAC show all MACs on the specified switch port -getType show switch type -getUpLinks show the upLinks of the specified switch -getVersion show switch OS version -getVlan show the VLAN on the specified switch port -getVlanType show the VLAN type on the specified port -help brief help message -isolate set the switch port to the isolation VLAN -man full documentation -reAssignVlan re-assign a switch port VLAN -reevaluateAccess reevaluate the current VLAN or firewall rules of a given MAC -runSwitchMethod run a particular method call on a given switch (FOR ADVANCED PURPOSES) -setAlias set the description of the specified switch port -setDefaultVlan set the switch port to the default VLAN -setIfAdminStatus set the admin status of the specified switch port -setVlan set VLAN on the specified switch port -setVlanAllPort set VLAN on all non-UpLink ports of the specified switch
Options: -alias switch port description -ifAdminStatus ifAdminStatus -ifIndex switch port ifIndex -mac MAC address -showPF show additional information available in PF -switch switch description -verbose log verbosity level 0 : fatal messages 1 : warn messages 2 : info messages 3 : debug 4 : trace -vlan VLAN id -vlanName VLAN name (as in switches.conf)
Copyright©2016Inverseinc. AdministrationTools 130