Packetfence – Version 1.9.1

PacketFence – version 1.9.1

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”. Version 1.9.1 – September 2010 Contents

Chapter 1 About this Guide ...... 3 Other sources of information ...... 3

Chapter 2 Introduction ...... 4 Features ...... 4 Network Integration ...... 6 Components ...... 7

Chapter 3 Administration Tools ...... 8 pfcmd ...... 8 pfcmd_vlan ...... 9 Web Admin GUI ...... 11

Chapter 4 VLAN isolation ...... 12 Introduction ...... 12 Supported Switches, Access points and Controllers ...... 14 Command-Line Interface: Telnet and SSH ...... 15 Web Services Interface ...... 16 SNMP v1, v2c and v3 ...... 16 Switch Confguration ...... 19 Routing, DHCPd and BIND ...... 39

Chapter 5 Integration with wireless networks ...... 43 MAC Authentication ...... 43 802.1x ...... 51

Chapter 6 Floating Network Devices ...... 62 Identifcation ...... 63

Chapter 7 Blocking malicious activities with violations ...... 64

Chapter 8 Performance optimization ...... 67 Snort signatures ...... 67 MySQL optimizations ...... 67

Chapter 9 High availability ...... 72 Creation of the DRBD partition ...... 73 DRBD and Linux-HA Installation ...... 73 DRBD Confguration and setup ...... 73 MySQL Confguration ...... 77 Heartbeat confguration ...... 78

Chapter 10 Frequently Asked Questions ...... 81 Services ...... 81 Web interface ...... 81 Switches ...... 83 Troubleshooting ...... 84

Chapter 11 Additional Software ...... 86 Nessus ...... 86 Snort ...... 87 Oinkmaster ...... 88

Chapter 12 Appendix A: Database Schema ...... 90

Chapter 13 Appendix B: Confguration parameter reference ...... 91

Chapter 14 Additional Information ...... 112

Chapter 15 Commercial Support and Contact Information ...... 113

Chapter 16 GNU Free Documentation License ...... 114 Chapter 1

1 About this Guide

This guide will walk you through the day to day administration of the PacketFence solution. It covers mainly VLAN isolation. The instructions are based on version 1.9.1 of PacketFence. The latest version of this guide is available at http://www.packetfence.org/download/documentation.html

Other sources of information

For the list of noteworthy changes since the last release see the NEWS fle.

For a list of compatibility related changes and notes about upgrading see the UPGRADE fle.

For more details and developer visible changes see the ChangeLog fle.

These fles are included in the package and tarball.

2 Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boosting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.

Features

❏ Out of band PacketFence's operation is completely out of band which allows the solution to scale geographically and to be more resilient to failures.

❏ Voice over IP (VoIP) support. Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).

❏ 802.1X 802.1X wireless and wired is supported through a FreeRADIUS module.

❏ Wireless integration PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

❏ Registration PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is confgurable. An Acceptable Use Policy can be specifed such that users cannot enable network access without frst accepting it.

❏ Detection of abnormal network activities Abnormal network activities (computer virus, worms, spyware, traffc denied by establishment policy, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of confgurable actions for each violation is available to administrators.

❏ Proactive vulnerability scans Nessus vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the Nessus vulnerability ID's of each scan to the violation confguration, returning content specifc web pages about which vulnerability the host may have.

❏ Isolation of problematic devices PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

❏ Remediation through a captive portal Once trapped, all network traffc is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in reducing costly help desk intervention.

❏ Command-line and Web-based management Web-based and command-line interfaces for all management tasks.

PacketFence is developed by a community of developers located mainly in North America. More information can be found on http://www.packetfence.org

Components

3 Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities. When executed without any arguments pfcmd returns a basic help message with all main options:

# /usr/local/pf/bin/pfcmd Usage: pfcmd [options]

schedule | Nessus scan scheduling service | start/stop/restart and get PF daemon status switchconfig | query/modify switches.conf configuration parameters switchlocation | view switchport description and location traplog | update traplog RRD files and graphs or obtain switch IPs trigger | view and throw triggers ui | used by web UI to create menu hierarchies and dashboard update | download canonical fingerprint or OUI data version | get installed PF version and database MD5s violation | violation manipulation violationconfig | query/modify violations.conf configuration parameters

Please view "pfcmd help " for details on each option

The node view option shows all information contained in the node database table for a specifed MAC address

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02 mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent| computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint 52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionalitites. Again, when executed without any arguments, a help screen is shown.

# /usr/local/pf/bin/pfcmd_vlan Usage: pfcmd_vlan command [options]

Command: -deauthenticate de-authenticate a dot11 client -getAlias show the description of the specified switch port -getAllMACs show all MACS on all switch ports

-getHubs show switch ports with several MACs -getIfOperStatus show the operational status of the specified switch port -getIfType show the ifType on the specified switch port -getLocation show at which switch port the MAC is found -getMAC show all MACs on the specified switch port -getType show switch type -getUpLinks show the upLinks of the specified switch -getVersion show switch OS version -getVlan show the VLAN on the specified switch port -getVlanType show the type of the specified port -help brief help message -isolate set the switch port to the isolation VLAN -man full documentation -reAssignVlan re-assign a switch port VLAN -resetVlanAllPort reset VLAN on all non-UpLink ports of the specified switch -resetVlanNetwork reset VLAN on all non-UpLink ports of all managed switches -setAlias set the description of the specified switch port -setDefaultVlan set the switch port to the default VLAN -setIfAdminStatus set the admin status of the specified switch port -setVlan set VLAN on the specified switch port -setVlanAllPort set VLAN on all non-UpLink ports of the specified switch

Options: -alias switch port description -ifAdminStatus ifAdminStatus -ifIndex switch port ifIndex -mac MAC address -showMACVendor show the MAC vendor -showPF show additional information available in PF -switch switch description -verbose log verbosity level 0 : fatal messages 1 : warn messages 2 : info messages > 2 : full debug -vlan VLAN

The Web Admin GUI, accessible using https on port 1443, shows the same information available using pfcmd.

4 VLAN isolation

Introduction

The VLAN isolation is working through SNMP traps. All switch ports (on which VLAN isolation should be done) must be confgured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a fat fle: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the fat fle and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::SNMP class). Depending on your switches capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

❏ linkUp/linkDown traps This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just an empty VLAN. When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing ? registered ? any violations ?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a 'linkDown' trap to PacketFence which puts the port into the MAC detection VLAN. When a computer boots, the initialization of the NIC generates several link status changes. And every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this generates unfortunately some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a 'linkUp trap' when it receives a 'linkDown' trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency…

❏ MAC notifcation traps If your switches support MAC notifcation traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has fnally been learned. When it receives a linkUp trap for a port on which MAC notifcation traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device it sends a MAC learnt trap (containing the MAC address) to PacketFence.

❏ Port Security traps In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port- security trap. If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifcations. Why ? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence. When you enable port security traps you should not enable linkUp/linkDown nor MAC notifcation traps.

PacketFence supports the following devices:

Vendor Model PacketFence Type (used in switches.conf) 3COM NJ220 ThreeCom::NJ220 SuperStack 3 Switch 4200 ThreeCom::SS4200 SuperStack 3 Switch 4500 ThreeCom::SS4500 Switch 4200G ThreeCom::Switch_4200G Amer L2 Switch SS2R24i Amer::SS2R24i Aruba Controller 200 Aruba::Controller_200 Cisco Aironet 1130 AG Cisco::Aironet_1130 Aironet 1240 AG Cisco::Aironet_1242 Aironet 1250 Cisco::Aironet_1250 2100 Wireless Controller Cisco::WLC_2106 4400 Wireless Controller Cisco::WLC_4400 Catalyst 2900XL Series Cisco::Catalyst_2900XL Catalyst 2950 Cisco::Catalyst_2950 Catalyst 2960 Cisco::Catalyst_2960 Catalyst 2970 Cisco::Catalyst_2970 Catalyst 3500XL Series Cisco::Catalyst_3500XL Catalyst 3550 Cisco::Catalyst_3550 Catalyst 3560 Cisco::Catalyst_3560 Catalyst 3750 Cisco::Catalyst_3750 Catalyst 4500 Cisco::Catalyst_4500 Router ISR 1800 Series Cisco::ISR_1800 Wireless Services Module Cisco::WiSM D-Link DES 3526 Dlink::DES_3526 DWS 3026 Dlink::DWS_3026 Dell PowerConnect 3424 Dell::PowerConnect3424 Edge-corE 3526XA Accton::ES3536XA 3528M Accton::ES3528M

Enterasys Matrix N3 Enterasys::Matrix_N3 SecureStack C2 Enterasys::SecureStack_C2 SecureStack C3 Enterasys::SecureStack_C3 Standalone D2 Enterasys::D2 Extreme Networks Summit Series Extreme::Summit Foundry FastIron 4802 Foundry::FastIron_4802 HP ProCurve 2500 Series HP::Procurve_2500 ProCurve 2600 Series HP::Procurve_2600 ProCurve 3400cl Series HP::Procurve_3400cl ProCurve 4100 Series HP::Procurve_4100 Intel Express 460 Intel::Express_460 Express 530 Intel::Express_530 Linksys SRW224G4 Linksys::SRW224G4 Nortel BPS2000 Nortel::BPS2000 ERS 2500 Series Nortel::ERS2500 ERS 4500 Series Nortel::ERS4500 ES325 Nortel::ES325 Baystack 470 Nortel::Baystack470 Baystack 4550 Nortel::Baystack4550 Baystack 5520 Nortel::Baystack5520 SMC TigerStack 6128 L2 SMC::TS6128L2 TigerStack 6224M SMC::TS6224M TigerStack 8824-48M SMC::TS8800M

Command-Line Interface: Telnet and SSH

PackeFence needs sometimes to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can now use SSH. In order to do so, edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters :

cliTransport = SSH (or Telnet) cliUser = admin cliPwd = admin_pwd cliEnablePwd =

Web Services Interface

PackeFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters :

wsTransport = http (or https) wsUser = admin wsPwd = admin_pwd

Note: as of PacketFence 1.9.1 few switches require Web Services confguration in order to work.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with the switches. Starting with 1.8, PacketFence now supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch.

From PacketFence to a switch

Edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3 SNMPUserNameRead = readUser SNMPAuthProtocolRead = MD5 SNMPAuthPasswordRead = authpwdread SNMPPrivProtocolRead = DES SNMPPrivPasswordRead = privpwdread SNMPUserNameWrite = writeUser SNMPAuthProtocolWrite = MD5 SNMPAuthPasswordWrite = authpwdwrite SNMPPrivProtocolWrite = DES SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3 SNMPUserNameTrap = readUser SNMPAuthProtocolTrap = MD5 SNMPAuthPasswordTrap = authpwdread SNMPPrivProtocolTrap = DES SNMPPrivPasswordTrap = privpwdread

Switch Confguration

Here is a switch confguration example in order to enable SNMP v3 in both directions on a Cisco Switch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1 snmp-server group readGroup v3 priv snmp-server group writeGroup v3 priv read v1default write v1default snmp-server user readUser readGroup v3 auth md5 authpwdread priv des56 privpwdread snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv des56 privpwdwrite snmp-server enable traps port-security snmp-server enable traps port-security trap-rate 1 snmp-server host 192.168.0.50 version 3 priv readUser port-security

Switch Confguration

Assumptions

Throughout this confguration example we use the following assumptions for our network infrastructure: ❏ PacketFence IP address: 192.168.1.5 ❏ Normal VLAN: 1 ❏ Registration VLAN: 2 ❏ Isolation VLAN: 3 ❏ MAC Detection VLAN: 4 ❏ VoIP, Voice VLAN: 100 ❏ use SNMP v2c ❏ community name used by the switches to send traps to PacketFence: public

3COM

PacketFence supports 3Com switches with no VoIP using one trap type: ❏ linkUp/linkDown ❏ Port Security (with static MACs) Don't forget to update the startup confg !

SuperStack 3 Switch 4200 and 4500, Switch 4200G in linkUp/linkDown

❏ Global confg settings

snmp-agent snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public snmp-agent trap enable standard linkup linkdown

❏ On each interface:

port access vlan 4

SuperStack 3 Switch 4200 and 4500, Switch 4200G in Port Security

❏ Global confg settings

snmp-agent snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public snmp-agent trap enable port-security enable port-security trap addresslearned port-security trap intrusion

❏ On each interface:

port access vlan 4 port-security max-mac-count 1 port-security port-mode secure port-security intrusion-mode blockmac undo enable snmp trap updown

NJ220

This switch does not support port-security. To confgure: use web interface to send the linkUp/linkDown traps to the PacketFence server.

Amer

PacketFence supports Amer switches with no VoIP using one trap type: ❏ linkUp/linkDown Don't forget to update the startup confg !

L2 Switch SS2R24i

❏ Global confg settings:

create snmp host 192.168.1.60 v2c public create snmp user public ReadGroup enable snmp traps

❏ On each interface:

config vlan default delete xx config vlan mac-detection add untagged xx

where xx stands for the interface index

Cisco

PacketFence supports Cisco switches with VoIP using three different trap types: ❏ linkUp/linkDown ❏ MAC Notifcation ❏ Port Security (with static MACs) Enable either linkUp/linkDown and MAC notifcation together or Port Security only (When possible, we recommend Port Security), see below for details. Don't forget to update the startup confg !

2900XL Series and 3500XL Series

Those switches do not support port-security with static MAC address so we enable linkUp/linkDown and MAC notifcation traps.

❏ Global confg settings:

snmp-server enable traps snmp linkdown linkup snmp-server enable traps mac-notification snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification mac-address-table notification interval 0 mac-address-table notification mac-address-table aging-time 3600

❏ On each interface with no VoIP:

switchport mode access switchport access vlan 4 snmp trap mac-notification added

❏ On each interface with VoIP:

switchport trunk encapsulation dot1q switchport trunk native vlan 4 switchport mode trunk switchport voice vlan 100 snmp trap mac-notification added snmp trap mac-notification removed

2950

Those switches support port-security with static MAC address but we can not secure a MAC on the data VLAN specifcally so enable it if there is no VoIP, use linkUp/linkDown and MAC notifcation otherwise. With port-security, if no MAC is connected on ports when activating port-security, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. On the other hand, if a MAC is actually connected when you enable port security, you must secure this MAC raher than the bogus one. Otherwise this MAC will lose its connectivity instantly. ❏ Global confg settings with no VoIP

snmp-server enable traps port-security snmp-server enable traps port-security trap-rate 1 snmp-server host 192.168.1.5 version 2c public port-security

❏ On each interface with no VoIP

switchport mode access switchport access vlan 4 switchport port-security switchport port-security violation restrict switchport port-security mac-address 0200.0000.00xx

where xxxxx stands for the interface ifIndex

❏ Use the following templates for interface IfIndex in bogus MAC addresses (0200.000x.xxxx): Fa0/1...Fa0/48 -> 1...48 Gi0/1, Gi0/2 -> 49, 50

❏ Global confg settings with VoIP:

❏ On each interface with VoIP

switchport voice vlan 100 switchport access vlan 4 switchport mode access snmp trap mac-notification added snmp trap mac-notification removed

2960, 2970, 3550, 3560, 3750

Those switches support port-security with static MAC address and allow us to secure a MAC on the data VLAN so we enable it whether there is VoIP or not. We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. ❏ Global confg settings

snmp-server enable traps port-security snmp-server enable traps port-security trap-rate 1 snmp-server host 192.168.1.5 version 2c public port-security

❏ On each interface with no VoIP:

switchport access vlan 4 switchport port-security switchport port-security maximum 1 vlan access switchport port-security violation restrict switchport port-security mac-address 0200.000x.xxxx

where xxxxx stands for the interface ifIndex

❏ On each interface with VoIP:

switchport voice vlan 100 switchport access vlan 4 switchport port-security switchport port-security maximum 2 switchport port-security maximum 1 vlan access switchport port-security violation restrict switchport port-security mac-address 0200.000x.xxxx

where xxxxx stands for the interface ifIndex ❏ Use the following templates for interface IfIndex in bogus MAC addresses (0200.000x.xxxx): Fa0/1...Fa0/48 -> 10001...10048 Gi0/1...Gi0/48 -> 10101...10148

Stacked 2960, Stacked 2970, Stacked 3550, Stacked 3560, Stacked 3750, 4500 Series

The 4500 Series and all the stacked switches work exactly the same way as if they were not stacked so the confguration is the same: they support port-security with static MAC address and allow us to secure a MAC on the data VLAN so we enable it whether there is VoIP or not. We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. ❏ Global confg settings

snmp-server enable traps port-security snmp-server enable traps port-security trap-rate 1 snmp-server host 192.168.1.5 version 2c public port-security

❏ On each interface with no VoIP:

switchport access vlan 4 switchport port-security switchport port-security maximum 1 vlan access switchport port-security violation restrict switchport port-security mac-address 0200.000x.xxxx

❏ On each interface with VoIP:

switchport port-security mac-address 0200.000x.xxxx

where xxxxx stands for the interface ifIndex

❏ Use the following templates for interface IfIndex in bogus MAC addresses (0200.000x.xxxx): Fa1/0/1...Fa1/0/48 -> 10001...10048 Gi1/0/1...Gi1/0/48 -> 10101...10148 Fa2/0/1...Fa2/0/48 -> 10501...10548 Gi2/0/1...Gi2/0/48 -> 10601...10648 Fa3/0/1...Fa3/0/48 -> 11001...11048 Gi3/0/1...Gi3/0/48 -> 11101...11148 Fa4/0/1...Fa4/0/48 -> 11501...11548 Gi4/0/1...Gi4/0/48 -> 11601...11648 ...

Router ISR 1800 Series

PacketFence supports the 1800 series Router with linkUp / linkDown traps. It cannot do anything about the router interfaces (ie: fa0 and fa1 on a 1811). VLAN interfaces ifIndex should also be marked as uplinks in the PacketFence switch confguration as they generate traps but are of no interest to PacketFence (layer 3). ❏ Global confg settings:

snmp-server enable traps snmp linkdown linkup snmp-server host 192.168.1.5 trap version 2c public

❏ On each interface:

switchport mode access switchport access vlan 4

D-Link

PacketFence supports D-Link switches with no VoIP using two different trap types: ❏ linkUp/linkDown ❏ MAC Notifcation We recommend to enable linkUp/linkDown and MAC notifcation together. Don't forget to update the startup confg !

DES3526

❏ Global confg settings

To be contributed...

❏ On each interface:

To be contributed...

Dell

PowerConnect 3424

PacketFence supports this switch using linkUp/linkDown traps. ❏ Global confg settings

To be contributed...

❏ On each interface:

To be contributed...

Edge-corE

PacketFence supports Edge-corE switches with no VoIP using one trap type: ❏ linkUp/linkDown Don't forget to update the startup confg !

3526XA and 3528M

❏ Global confg settings

SNMP-server host 192.168.1.5 public version 2c udp-port 162

Enterasys

PacketFence supports Enterasys switches with no VoIP using two different trap types: ❏ linkUp/linkDown ❏ MAC Locking (Port Security with static MACs) We recommend to enable MAC locking only. Don't forget to update the startup confg !

Matrix N3

linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only. Also, by default this switch doesn't do an electrical low-level linkDown when setting the port to admin down. So we need to activate a global option called forcelinkdown to enable this behaviour. Without this option, clients don't understand that they lost their connection and they never do a new DHCP on VLAN change. ❏ Global confg settings

set snmp community public set snmp targetparams v2cPF user public security-model v2c message- processing v2c set snmp notify entryPF tag TrapPF set snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPF set maclock enable set forcelinkdown enable

❏ On each interface:

set port trap ge.1.xx disable set maclock enable ge.1.xx set maclock static ge.1.xx 1 set maclock firstarrival ge.1.xx 0 set maclock trap ge.1.xx enable

where xx stands for the interface index

SecureStack C2

linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only.

❏ Global confg settings

❏ On each interface:

set port trap fe.1.xx disable set maclock enable fe.1.xx set maclock static fe.1.xx 1 set maclock firstarrival fe.1.xx 0

where xx stands for the interface index

SecureStack C3

This switch has the particular “feature” of allowing more than one untagged egress VLAN per port. This means that you must add all the VLAN created for PacketFence as untagged egress VLAN on the relevant interfaces. This is why there is a VLAN command on each interface below. linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only. ❏ Global confg settings

❏ On each interface:

set vlan egress 1,2,3 ge.1.xx untagged set port trap ge.1.xx disable set maclock enable ge.1.xx set maclock static ge.1.xx 1 set maclock firstarrival ge.1.xx 0 set maclock trap ge.1.xx enable

where xx stands for the interface index

Standalone D2

linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only. Warning: This switch Switch accepts multiple untagged VLAN per port when confgured through SNMP. This is problematic because on some occasions the untagged VLAN port list can become inconsistent with the switch’s running confg. To fx that, clear all untagged VLANs of a port even if the CLI interface doesn’t show them. To do so, use: clear vlan egress ❏ Global confg settings

❏ On each interface:

set port trap ge.1.xx disable set maclock enable ge.1.xx set maclock static ge.1.xx 1 set maclock firstarrival ge.1.xx 0 set maclock trap ge.1.xx enable

where xx stands for the interface index

Extreme Networks

PacketFence supports Extreme Networks switches using two different trap types: ❏ linkUp/linkDown ❏ MAC Address Lockdown (Port Security) We recommend to enable MAC Address Lockdown only. Don't forget to save the confguration!

All Extreme XOS based switches

In addition to the SNMP and VLANs settings, this switch needs the Web Services to be enabled and an administrative username and password provided in its PacketFence confguration for Web Services. linkUp/linkDown traps are enabled by default so we disable them and enable MAC Address Lockdown only. ❏ Global confg settings without Voice over IP (VoIP):

enable snmp access configure snmp add trapreceiver 192.168.1.5 community public enable web http configure vlan "Default" delete ports configure vlan registration add ports untagged configure ports vlan registration lock-learning disable snmp traps port-up-down ports

where : are ports you want to secure. It can be an individual port or a port-range with a dash.

❏ Global confg settings with Voice over IP (VoIP):

enable snmp access configure snmp add trapreceiver 192.168.1.5 community public enable web http configure vlan "Default" delete ports configure vlan registration add ports untagged configure vlan voice add ports tagged configure ports vlan registration lock-learning configure ports vlan voice limit-learning 1 disable snmp traps port-up-down ports

where : are ports you want to secure. It can be an individual port or a port-range with a dash.

Foundry

FastIron 4802

PacketFence support this switch with optional VoIP using two different trap types: ❏ linkUp/linkDown ❏ Port Security (with static MACs) We recommend to enable Port Security only. Don't forget to update the startup confg !

snmp-server host 192.168.1.5 public no snmp-server enable traps link-down no snmp-server enable traps link-up

❏ On each interface with no VoIP:

int eth xx port security enable maximum 1 secure 0200.0000.00xx 0 violation restrict

where xx stands for the interface ifIndex.

❏ With VoIP a little more work needs to be performed. Instead of the no-VoIP, put in the following confg:

conf t vlan untagged eth xx vlan tagged eth xx

int eth xx dual-mode port security maximum 2 secure 0200.00xx.xxxx secure 0200.01xx.xxxx violation restrict enable

where xxxxxx stands for the interface number (flled with zeros), with your voice- VLAN number and with your mac-detection VLAN number.

HP ProCurve

PacketFence supports ProCurve switches with no VoIP using two different trap types: ❏ linkUp/linkDown ❏ Port Security (with static MACs) We recommend to enable Port Security only. Don't forget to update the startup confg ! Note: HP ProCurve only sends one security trap to PacketFence per security violation so make sure PacketFence runs when you confgure port-security. Also, because of the above limitation, it is considered good practice to reset the intrusion fag as a frst troubleshooting step. If you want to learn more about intrusion fag and port-security, please refer to the ProCurve documentation. Warning: If you confgure a switch that is already in production be careful that enabling port- security causes active MAC addresses to be automatically added to the intrusion list without a security trap sent to PacketFence. This is undesired because PacketFence will not be notifed that it needs to confgure the port. As a work-around, unplug clients before activating port-security or remove the intrusion fag after you enabled port-security with: port-security clear-intrusion-flag.

2500 Series

linkUp/linkDown traps are enabled by default so we disable them and enable Port Security only. On 2500's, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.

❏ Global confg settings

snmp-server community "public" Unrestricted snmp-server host 192.168.1.5 "public" Not-INFO no snmp-server enable traps link-change 1-26

❏ On each interface:

port-security xx learn-mode static action send-alarm mac-address 0200000000xx

where xx stands for the interface index

2600 Series and 3400cl Series

linkUp/linkDown traps are enabled by default so we disable them and enable Port Security only. On 2600's, we don't need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. ❏ Global confg settings

snmp-server community public manager unrestricted snmp-server host 192.168.1.5 "public" Not-INFO no snmp-server enable traps link-change 1-26

❏ On each interface:

port-security xx learn-mode configured action send-alarm

where xx stands for the interface index

4100 Series

linkUp/linkDown traps are enabled by default and we have not found a way yet to disable them so do not forget to declare the trunk ports as uplinks in the switch confg fle. On 4100's, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. The ports are indexed differently on 4100's: it is based on the number of modules you have in your 4100. Each module is indexed with a letter (A,B,C, ...)

❏ Global confg settings

snmp-server community "public" Unrestricted snmp-server host 192.168.1.5 "public" Not-INFO no snmp-server enable traps link-change 1-26

❏ You should confgure interfaces like this:

port-security A1 learn-mode static action send-alarm mac-address 020000000001 ... port-security A24 learn-mode static action send-alarm mac-address 020000000024 port-security B1 learn-mode static action send-alarm mac-address 020000000025 ... port-security B24 learn-mode static action send-alarm mac-address 020000000048 port-security C1 learn-mode static action send-alarm mac-address 020000000049 ... port-security C24 learn-mode static action send-alarm mac-address 020000000072

Intel

Express 460 and Express 530

PacketFence support these switches with no VoIP using one trap type: ❏ linkUp/linkDown Exact command-line confguration to be contributed...

Linksys

PacketFence supports Linksys switches with no VoIP using one trap type: ❏ linkUp/linkDown Don't forget to update the startup confg !

SRW224G4

❏ Global confg settings

no snmp-server trap authentication snmp-server community CS_2000_le rw view Default snmp-server community CS_2000_ls ro view Default snmp-server host 192.168.1.5 public 2

❏ On each interface

switchport access vlan 4

Nortel

PacketFence supports Nortel switches with VoIP using one trap type: ❏ Mac Security Don't forget to update the startup confg ! NOTE: if you are using a 5520 in a stack, you must declare it as a Nortel::BayStack5520Stacked in /usr/local/pf/conf/switches.conf. Indeed, when stacked, this switch refers to its ifIndex differently than when not stacked so there is some specifc code in a different perl module.

BayStack 470, ERS2500 Series, ERS4500 Series, 4550, 5520 and ES325

❏ Global confg settings

snmp-server authentication-trap disable snmp-server host 192.168.1.5 "public" snmp trap link-status port 1-24 disable no mac-security mac-address-table interface FastEthernet ALL mac-security port ALL disable

mac-security port 1-24 enable default mac-security auto-learning port ALL max-addrs exit mac-security enable mac-security snmp-lock disable mac-security intrusion-detect disable mac-security filtering enable mac-security snmp-trap enable mac-security auto-learning aging-time 60 mac-security learning-ports NONE mac-security learning disable

BPS2000

You can only confgure this switch through menus. ❏ Enable “MAC Address Security”:

MAC Address Security: Enabled MAC Address Security SNMP-Locked: Disabled Partition Port on Intrusion Detected: Disabled DA Filtering on Intrusion Detected: Enabled Generate SNMP Trap on Intrusion: Enabled Current Learning Mode: Disabled Learn by Ports: NONE

Port Trunk Security ------1 Enabled ... 24 Enabled

SMC

PacketFence supports these switches without VoIP using two different trap types: ❏ linkUp/linkDown on 6128L2, 6224M, 8824M and 8848M ❏ Port Security (with static MACs) on 6128L2, 8824M and 8848M We recommend to enable Port Security only. Don't forget to update the startup confg !

TigerStack 6128L2, 8824M and 8848M

PacketFence supports these switches without VoIP using two different trap types: ❏ linkUp/linkDown ❏ Port Security (with static MACs) We recommend to enable Port Security only.

❏ Global confg settings

SNMP-server host 192.168.1.5 public version 2c udp-port 162 no snmp-server enable traps link-up-down

❏ On each interface:

port security max-mac-count 1 port security port security action trap

TigerStack 6224M

❏ linkUp/linkDown

❏ Global confg settings

SNMP-server host 192.168.1.5 public version 1

Routing, DHCPd and BIND

If your isolation and registration networks are not spanned on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and Domain Name services in this case and provides an easy to use confguration interface.

For dhcpd, make sure that the clients DHCP requests are correctly forwarded (IP Helper in the remote routers) to the PacketFence server. Then enable DHCP and DNS in pf.conf

[vlan] dhcpd = enabled named = enabled

Then you need to update the DNS templates fles as followed. In our example, conf/templates/named-isolation.ca would look like:

$TTL 3600 . IN SOA %%hostname%%. %%incharge%% ( 2009020901 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 86400 ; default_ttl ) IN NS %%hostname% . *. IN A 192.168.3.1 IN MX 5 %%hostname%%. 1.3.168.192.in-addr.arpa. IN PTR %%hostname%%

conf/templates/named-registration.ca would look like:

$TTL 3600 . IN SOA %%hostname%%. %%incharge%% ( 2009020901 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 86400 ; default_ttl ) IN NS %%hostname% . *. IN A 192.168.2.1 IN MX 5 %%hostname%%. 1.2.168.192.in-addr.arpa. IN PTR %%hostname%%

Now, edit conf/networks.conf by entering all your routed networks such as for example:

[192.168.2.0] netmask=255.255.255.0 gateway=192.168.2.1 pf_gateway=192.168.2.254 domain-name=registration.example.com dns=192.168.2.1 dhcp_start=192.168.2.10 dhcp_end=192.168.2.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=registration named=enabled dhcpd=enabled

[192.168.3.0] netmask=255.255.255.0 gateway=192.168.3.1 pf_gateway=192.168.3.254 domain-name=isolation.example.com dns=192.168.3.1 dhcp_start=192.168.3.10 dhcp_end=192.168.3.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=isolation named=enabled dhcpd=enabled

[192.168.20.0] netmask=255.255.255.0 gateway=192.168.20.254 pf_gateway=192.168.2.254 domain-name=registration.example.com dns=192.168.2.1 dhcp_start=192.168.20.10 dhcp_end=192.168.20.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=registration named=enabled dhcpd=enabled

[192.168.30.0] netmask=255.255.255.0 gateway=192.168.30.254 pf_gateway=192.168.3.254 domain-name=isolation.example.com dns=192.168.3.1 dhcp_start=192.168.30.10 dhcp_end=192.168.30.200 dhcp_default_lease_time=300 dhcp_max_lease_time=600 type=isolation named=enabled dhcpd=enabled

Once you have entered a frst section into conf/networks.conf, the PacketFence web admin GUI will present you with an interface to this confguration fle.

5 Integration with wireless networks

PacketFence integrates very well with wireless networks. As for its wired counterpart, the switch, a wireless Access Points (AP) needs to implement some specifc features in order for the integration to work perfectly. In particular, the AP needs to support ❏ several SSIDs with several VLANs inside each SSID ❏ authentication against a RADIUS server ❏ dynamic VLAN assignment (through RADIUS attributes) ❏ SNMP deauthentication traps ❏ the deauthentication of an associated station

MAC Authentication

In this frst example, we are going to build a setup in which MAC WAP confguration

First defne the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown below for the isolation VLAN

dot11 vlan-name normal vlan 1 dot11 vlan-name registration vlan 2 dot11 vlan-name isolation vlan 3 dot11 vlan-name visitor vlan 5

interface Dot11Radio0 encryption vlan 1 mode ciphers aes-ccm encryption vlan 2 mode ciphers aes-ccm ssid WPA2 ssid MACauth

interface Dot11Radio0.2 encapsulation dot1Q 2 no ip route-cache bridge-group 253

bridge-group 253 subscriber-loop-control bridge-group 253 block-unknown-source no bridge-group 253 source-learning no bridge-group 253 unicast-flooding bridge-group 253 spanning-disabled

interface Dot11Radio0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 254 bridge-group 254 subscriber-loop-control bridge-group 254 block-unknown-source no bridge-group 254 source-learning no bridge-group 254 unicast-flooding bridge-group 254 spanning-disabled

interface Dot11Radio0.5 encapsulation dot1Q 5 no ip route-cache bridge-group 255 bridge-group 255 subscriber-loop-control bridge-group 255 block-unknown-source no bridge-group 255 source-learning no bridge-group 255 unicast-flooding bridge-group 255 spanning-disabled

interface FastEthernet0.2 encapsulation dot1Q 2 no ip route-cache bridge-group 253 no bridge-group 253 source-learning bridge-group 253 spanning-disabled

interface FastEthernet0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 254 no bridge-group 254 source-learning bridge-group 254 spanning-disabled

interface FastEthernet0.5

encapsulation dot1Q 5 no ip route-cache bridge-group 255 no bridge-group 255 source-learning bridge-group 255 spanning-disabled

Then create the two SSIDs

dot11 ssid WPA2 vlan 3 backup normal authentication open eap eap_methods authentication key-management wpa

dot11 ssid MACauth vlan 2 backup visitor authentication open mac-address mac_methods mbssid guest-mode

Confgure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box)

radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key secretKey aaa group server radius rad_eap server 192.168.0.10 auth-port 1812 acct-port 1813 aaa authentication login eap_methods group rad_eap aaa group server radius rad_mac server 192.168.0.10 auth-port 1812 acct-port 1813 aaa authentication login mac_methods group rad_mac

Now check with a Wi-Fi card that you can actually see the two new SSIDs. You can't connect to them yet since the RADIUS server is not up and running.

FreeRADIUS 1.x Confguration

Make sure to install the following packages: ❏ freeradius

/etc/raddb/clients.conf

Add the following lines:

client 192.168.0.3 { secret = secretKey shortname = AP1242 }

/etc/raddb/radiusd.conf

Add the following lines to the modules{} section:

perl { module = ${confdir}/rlm_perl_packetfence.pl }

Make sure the authorize{} and post_auth{} sections look like this:

authorize { preprocess eap files }

Make sure that the post-auth{} section looks like this:

post-auth { perl }

/etc/raddb/users

Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance

DEFAULT EAP-Message !* "", Auth-Type := Accept

/etc/raddb/rlm_perl_packetfence.pl

This perl script uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station, to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confnes the wireless station into the specifed VLAN. Make sure to set the required confguration parameters on top of the fle. Mainly, the VLAN tags used in your environment and PacketFence's database credentials.

# Database connection settings DB_HOSTNAME => 'localhost', DB_NAME => 'pf', DB_USER => 'pf', DB_PASS => 'pf', # VLAN configuration VLAN_GUEST => 5, VLAN_REGISTRATION => 2, VLAN_ISOLATION => 3, VLAN_NORMAL => 1

Tests

Test your setup with radtest using the following command and make sure you get an Access- Accept answer:

# radtest dd9999 Abcd1234 localhost 12 testing123

Sending Access-Request of id 74 to 127.0.0.1 port 1812 User-Name = "dd9999" User-Password = "Abcd1234" NAS-IP-Address = 255.255.255.255 NAS-Port = 12 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=74, length=20

Debug

In order to start FreeRadius in debug mode, start it using the following command:

# radiusd -X

FreeRADIUS 2.x Confguration

Make sure to install the following packages: ❏ freeradius2 ❏ freeradius2-perl ❏ freeradius2-utils

/etc/raddb/clients.conf

Add the following lines:

client AP1242 { ipaddr = 192.168.0.3 netmask = 32 secret = secretKey }

/etc/raddb/modules/perl

Add the following lines to the modules{} section:

perl { module = ${confdir}/rlm_perl_packetfence.pl }

/etc/raddb/sites-enabled/default

Make sure the authorize{} section looks like this:

authorize { preprocess eap files expiration logintime }

Make sure the post-auth{} section looks like this:

post-auth { perl }

/etc/raddb/users

Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance

DEFAULT EAP-Message !* "", Auth-Type := Accept

/etc/raddb/rlm_perl_packetfence.pl

Tests

Test your setup with radtest using the following command and make sure you get an Access- Accept answer:

# radtest dd9999 Abcd1234 localhost 12 testing123

Debug

In order to start FreeRadius in debug mode, start it using the following command:

# radiusd -X

802.1x

PacketFence can be used with 802.1X both on wired and on wireless networks. In both cases, you'll have to confgure FreeRADIUS.

WAP confguration

First defne the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown below for the isolation VLAN

dot11 vlan-name normal vlan 1 dot11 vlan-name registration vlan 2 dot11 vlan-name isolation vlan 3 dot11 vlan-name visitor vlan 5

interface Dot11Radio0 encryption vlan 1 mode ciphers aes-ccm encryption vlan 2 mode ciphers aes-ccm ssid WPA2 ssid MACauth

interface Dot11Radio0.2 encapsulation dot1Q 2 no ip route-cache bridge-group 253 bridge-group 253 subscriber-loop-control bridge-group 253 block-unknown-source no bridge-group 253 source-learning no bridge-group 253 unicast-flooding bridge-group 253 spanning-disabled

bridge-group 254 spanning-disabled

interface FastEthernet0.2 encapsulation dot1Q 2 no ip route-cache bridge-group 253 no bridge-group 253 source-learning bridge-group 253 spanning-disabled

interface FastEthernet0.3 encapsulation dot1Q 3 no ip route-cache bridge-group 254 no bridge-group 254 source-learning bridge-group 254 spanning-disabled

interface FastEthernet0.5 encapsulation dot1Q 5 no ip route-cache bridge-group 255 no bridge-group 255 source-learning bridge-group 255 spanning-disabled

Then create the two SSIDs

dot11 ssid WPA2 vlan 3 backup normal authentication open eap eap_methods authentication key-management wpa

dot11 ssid MACauth vlan 2 backup visitor authentication open mac-address mac_methods mbssid guest-mode

Confgure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box)

Enable the SNMP deauthentication traps

snmp-server enable traps deauthenticate snmp-server host 192.168.0.10 public deauthenticate

And fnally activate the SSIDs on the radio

interface Dot11Radio0 encryption vlan 1 mode ciphers aes-ccm encryption vlan 2 mode ciphers aes-ccm ssid WPA2 ssid MACauth

Now check with a Wi-Fi card that you can actually see the two new SSIDs. You can't connect to them yet since the RADIUS server is not up and running.

FreeRADIUS 1.x Confguration

Make sure to install the following packages: ❏ freeradius

/etc/raddb/clients.conf

Add the following lines:

client 192.168.0.3 { secret = secretKey shortname = AP1242 }

/etc/raddb/radiusd.conf

Add the following lines to the modules{} section:

perl { module = ${confdir}/rlm_perl_packetfence.pl }

Make sure the authorize{} section looks like this:

authorize { preprocess eap files perl }

Make sure the post-auth{} section looks like this:

post-auth { perl }

Make sure the mschap{} section looks like this:

mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=% {mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt- response=%{mschap:NT-Response:-00}" }

/etc/raddb/eap.conf

Make sure this fle looks like:

eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no

md5 { }

leap { }

gtc { auth_type = PAP }

tls { private_key_file = /usr/local/pf/conf/ssl/keyfile.key certificate_file = /usr/local/pf/conf/ssl/certfile.crt CA_file = /usr/local/pf/conf/ssl/CAfile.crt dh_file = /dev/null random_file = /dev/urandom }

peap { default_eap_type = mschapv2 }

mschapv2 { } }

/etc/raddb/users

Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance

DEFAULT EAP-Message !* "", Auth-Type := Accept

/etc/raddb/rlm_perl_packetfence.pl

Tests

Test your setup with radtest using the following command and make sure you get an Access- Accept answer:

# radtest dd9999 Abcd1234 localhost 12 testing123

Debug

In order to start FreeRadius in debug mode, start it using the following command:

# radiusd -X

FreeRADIUS 2.x Confguration

Make sure to install the following packages: ❏ freeradius2 ❏ freeradius2-perl ❏ freeradius2-utils

/etc/raddb/clients.conf

Add the following lines:

client AP1242 { ipaddr = 192.168.0.3 netmask = 32 secret = secretKey }

/etc/raddb/modules/perl

Add the following lines to the modules{} section:

perl { module = ${confdir}/rlm_perl_packetfence.pl }

/etc/raddb/eap.conf

Make sure this fle looks like:

eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048

md5 { }

leap { }

gtc { auth_type = PAP }

tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = /usr/local/pf/conf/ssl/keyfile.key certificate_file = /usr/local/pf/conf/ssl/certfile.crt CA_file = /usr/local/pf/conf/ssl/CACert.crt dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no

lifetime = 24 # hours max_entries = 255 } }

ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" }

peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" }

mschapv2 { } }

/etc/raddb/modules/mschap

Make sure this fle looks like:

mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=% {mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt- response=%{mschap:NT-Response:-00}"

/etc/raddb/sites-enabled/default

Make sure the authorize{}, authenticate{} and post-auth{} sections look like this:

authorize { preprocess eap { ok = return } files expiration logintime }

authenticate { Auth-Type MS-CHAP { mschap } eap }

post-auth { perl }

/etc/raddb/users

Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance

DEFAULT EAP-Message !* "", Auth-Type := Accept

/etc/raddb/rlm_perl_packetfence.pl

Tests

Test your setup with radtest using the following command and make sure you get an Access- Accept answer:

# radtest dd9999 Abcd1234 localhost 12 testing123

Debug

In order to start FreeRadius in debug mode, start it using the following command:

# radiusd -X

6 Floating Network Devices

Starting with version 1.9, PacketFence now supports foating network devices. A Floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points. Right now PacketFence only supports foating network devices on Cisco switches confgured with port-security. For a regular device, PacketFence puts it in the Vlan corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security). A foating network device is a device that PacketFence does not manage as a regular device.

When a foating network device is plugged, PacketFence should let/allow all the MAC addresses that will be connected to this device (or appear on the port) and if necessary, confgure the port as multi-vlan (trunk) and set PVID and tagged VLANs on the port. When an foating network device is unplugged, PacketFence should reconfgure the port like before it was plugged.

Here is how it works: ❏ foating network devices have to be identifed using their MAC address. ❏ linkup/linkdown traps are not enabled on the switches, only port-security traps are.

When PacketFence receives a port-security trap for a foating network device, it changes the port confguration so that: ❏ it disables port-security ❏ it sets the PVID ❏ it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans ❏ it enables linkdown traps

When PF receives a linkdown trap on a port in which a foating network device was plugged, it changes the port confguration so that: ❏ it enables port-security ❏ it disables linkdown traps

Identifcation

As we mentioned ealier, each foating network device has to be identifed. Ther are two ways to do it: ❏ by editing conf/foating_network_device.conf ❏ through the Web GUI, in the Confguration -> Floating Network Device tab.

Here are the settings that are available: ❏ MAC address ❏ IP address (in case of a static IP) ❏ trunkPort: yes/no. Should the port be confgured as a muti-vlan port ? ❏ pvid: Vlan in which PacketFence should put the port ❏ taggedVlan: comma separated list of Vlans. If the port is a multi-vlan, these are the Vlans that have to be tagged on the port.

7 Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffc on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a “blocked” page which can be customized to your wishes. PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf confguration fle. The violation format is as follows:

[1234] desc=Your Violation Description priority=8 url=/content/index.php?template=