DOCSLIB.ORG

Packetfence – Version 1.7.5

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Packetfence – Version 1.7.5 PacketFence – version 1.7.5 Installation and Confguration Guide Copyright © 2008 Inverse inc. (http://inverse.ca) Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”. Version 1.7.5 – October 2008 Contents Chapter 1 About this Guide .............................................................................................................. 3 Chapter 2 Introduction .......................................................................................................................4 How does VLAN isolation work ? ............................................................................. 5 Blocking malicious activities with violations .............................................................7 New features in 1.7.5 ...............................................................................................9 Bugs fxed in 1.7.5 ................................................................................................... 9 Chapter 3 System Requirements .................................................................................................... 10 Assumptions .......................................................................................................... 10 Minimum Hardware Requirements .........................................................................11 Operating System Requirements .............................................................................12 Chapter 4 Installation .......................................................................................................................13 OS Installation ....................................................................................................... 13 Software Downloads .............................................................................................. 14 Software Installation ...............................................................................................14 Chapter 5 Confguration ...................................................................................................................16 General Confguration ............................................................................................16 Apache Confguration ............................................................................................ 16 Authentication (fat fle, LDAP, Radius) ................................................................... 16 VLAN isolation ...................................................................................................... 18 Violations .............................................................................................................. 26 Starting Services .....................................................................................................27 Chapter 6 Testing ...............................................................................................................................28 PacketFence Web Interface .....................................................................................28 VLAN Isolation ...................................................................................................... 28 Chapter 7 Appendix A: pf.conf ....................................................................................................... 30 Chapter 8 Appendix B: Switches supported by PacketFence .................................................... 53 Chapter 9 Appendix C: Switch Confguration ..............................................................................55 3COM ................................................................................................................... 55 Cisco ..................................................................................................................... 56 D-Link ................................................................................................................... 59 Dell ....................................................................................................................... 60 Edge-corE .............................................................................................................. 60 Enterasys ................................................................................................................60 HP ProCurve ..........................................................................................................61 Intel .......................................................................................................................64 Linksys ...................................................................................................................64 Nortel ....................................................................................................................64 Chapter 10 Appendix D: Additional Softwares ............................................................................. 67 Nessus ...................................................................................................................67 Snort ......................................................................................................................67 Oinkmaster ............................................................................................................67 Chapter 11 Additional Information ................................................................................................. 68 Chapter 12 Commercial Support and Contact Information ......................................................... 69 Chapter 13 GNU Free Documentation License .............................................................................. 70 Chapter 1 1 About this Guide This guide will walk you through the installation and confguration of the PacketFence solution. It covers VLAN isolation setup. The instructions are based on version 1.7.5 of PacketFence. The latest version of this guide is available at http://inverse.ca/uploads/docs/PacketFence_Installation_Guide.pdf. © 2008 Inverse inc. About this Guide 3 Chapter 2 2 Introduction PacketFence is an open-source network access control (NAC). PacketFence features: ❏ Registration of new network devices through a captive portal. Confgurable options exist for registration “windows” – absolute or relative time periods during which users may skip registration with periodic reminders. An Acceptable Use Policy can be specifed such that users cannot enable network access without frst accepting it. The duration of a node registration can be a relative value (eg. “four weeks from frst network access”) or an absolute date (eg. “Thu Jan 20 20:00:00 EST 2009”). ❏ Detection of abnormal network activities (computer virus, worms, spyware, etc.) including from remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of confgurable actions for each violation is available to administrators: email, log, trap. ❏ Proactive vulnerability scans: Nessus vulnerability scans can be performed on a scheduled or ad-hoc basis. A host can be scanned at registration, allowing administrators to isolate infected machines. PacketFence correlates the Nessus vulnerability ID’s of each scan to the violation confguration, returning content specifc web pages about which vulnerability the host may have. ❏ Isolation and user-directed mitigation/remediation: Once trapped, all HTTP, IMAP and POP sessions are terminated by the PacketFence system. Based on the nodes current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with removal instructions for the particular infection he/she has.A maximum number of re-enables, also confgurable per violation, exists to permanently disable access if the user cannot solve the problem on his/her own. ❏ Web-based and command-line interfaces for management tasks ❏ Three different trapping mechanisms: ARP, DHCP and VLAN. • ARP allows to much more control over policy violations, but requires that PacketFence has a local interface to all networks (must sit in front of the router). • DHCP allows to have one PacketFence system in a remote location controlling many networks (Router will Relay DHCP requests). The down side is that you must replace your existing DHCP server with PacketFence, that static IPs can bypass isolation, and that the DHCP lease time will need to expire (50-100% of lease time) before a host can be put into isolation. • VLAN isolation allows you to totally isolate devices from the network by putting them in separate (non routed) VLANs. You need to create two VLANs: registration and isolation and then confgure your switches to send SNMP traps to PacketFence. VLAN isolation is available in 1.7 and later. © 2008 Inverse inc. Introduction 4 Chapter 2 ❏ DHCP fngerprinting which can be used to automatically register VoIP phones, game consoles and more ❏ VoIP support (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge- Core, HP, LinkSys, Nortel Networks and many more) ❏ 802.1X support through a FreeRADIUS module ❏ Wireless integration with FreeRADIUS which allows you to secure your wired and wireless networks (different APs and Cisco WLC) the same way PacketFence
Load more

Recommended publications
  • Ten Strategies of a World-Class Cybersecurity Operations Center Conveys MITRE’S Expertise on Accumulated Expertise on Enterprise-Grade Computer Network Defense
    Bleed rule--remove from file Bleed rule--remove from file MITRE’s accumulated Ten Strategies of a World-Class Cybersecurity Operations Center conveys MITRE’s expertise on accumulated expertise on enterprise-grade computer network defense. It covers ten key qualities enterprise- grade of leading Cybersecurity Operations Centers (CSOCs), ranging from their structure and organization, computer MITRE network to processes that best enable effective and efficient operations, to approaches that extract maximum defense Ten Strategies of a World-Class value from CSOC technology investments. This book offers perspective and context for key decision Cybersecurity Operations Center points in structuring a CSOC and shows how to: • Find the right size and structure for the CSOC team Cybersecurity Operations Center a World-Class of Strategies Ten The MITRE Corporation is • Achieve effective placement within a larger organization that a not-for-profit organization enables CSOC operations that operates federally funded • Attract, retain, and grow the right staff and skills research and development • Prepare the CSOC team, technologies, and processes for agile, centers (FFRDCs). FFRDCs threat-based response are unique organizations that • Architect for large-scale data collection and analysis with a assist the U.S. government with limited budget scientific research and analysis, • Prioritize sensor placement and data feed choices across development and acquisition, enteprise systems, enclaves, networks, and perimeters and systems engineering and integration. We’re proud to have If you manage, work in, or are standing up a CSOC, this book is for you. served the public interest for It is also available on MITRE’s website, www.mitre.org. more than 50 years.
    [Show full text]
  • Secure Magazine
    When it comes to information security, most of us will remember this year as the year when an industry giant suffered a huge incident with extensive ramifications. Naturally, I'm talking about the RSA breach back in March, when the company experienced privileged data loss. We've seen privacy snafus, data breaches, a rise of mobile malware and financial fraud. What can we expect next year? Unfortunately, probably more of the same. In any case, I wish you a successful 2012. Stay safe! Mirko Zorz Editor in Chief Visit the magazine website at www.insecuremag.com (IN)SECURE Magazine contacts Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected] News: Zeljka Zorz, Managing Editor - [email protected] Marketing: Berislav Kucan, Director of Marketing - [email protected] Distribution (IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. Copyright (IN)SECURE Magazine 2011. www.insecuremag.com IT pros can't resist peeking at information and other sensitive data including, privileged information for example, other people’s Christmas bonus details. • 42 percent of those surveyed said that in their organizations' IT staff are sharing passwords or access to systems or applications • 26 percent said that they were aware of an IT staff member abusing a privileged login to illicitly access sensitive information • 48 percent of respondents work at companies that are still not changing their IT security staff will be some of the most privileged passwords within 90 days – a informed people at the office Christmas party violation of most major regulatory compliance this year.
    [Show full text]
  • Clustering Quick Installation Guide
    ClusteringQuickInstallationGuide forPacketFenceversion5.3.1 ClusteringQuickInstallationGuide byInverseInc. Version5.3.1-July2015 Copyright©2015Inverseinc. Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version 1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-Cover Texts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense". ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http:// scripts.sil.org/OFL Copyright©ŁukaszDziedzic,http://www.latofonts.com,withReservedFontName:"Lato". Copyright©RaphLevien,http://levien.com/,withReservedFontName:"Inconsolata". TableofContents AboutthisGuide.............................................................................................................. 1 Assumptions.....................................................................................................................2 Installation....................................................................................................................... 3 Step1:Installthereplicateddatabase........................................................................ 3 Step2:Serverconfiguration..................................................................................... 9 Step3:Createanewcluster.................................................................................. 10 Step4:Connectaslavepacketfenceserver..............................................................11
    [Show full text]
  • Trabajo Fin De Grado
    E.T.S. de Ingeniería Industrial, Informática y de Telecomunicación Renovación de la infraestructura de red de datos para soporte NAC (Network Access Control) de una empresa. Grado en Ingeniería en Tecnologías de Telecomunicación Trabajo Fin de Grado Autor: Ruth González Novillo Director: Eduardo Magaña Lizarrondo Pamplona, 25 Junio del 2014 ÍNDICE RESÚMEN .............................................................................................................................................. 0 ÍNDICE DE FIGURAS ................................................................................................................................ 1 LISTA DE PALABRAS CLAVE .................................................................................................................... 3 CAPÍTULO 1 – INTRODUCCIÓN. .............................................................................................................. 1 CAPÍTULO 2 – SITUACIÓN ACTUAL DE LA RED DE DATOS. ...................................................................... 3 2.1 Localizaciones de la Red de Datos. Infraestructura. ...................................................................... 3 2.2 Estructura lógica de la Red de Datos ............................................................................................ 5 2.3 Protocolos propietarios del fabricante ........................................................................................... 6 2.4 Red Corporativa ............................................................................................................................
    [Show full text]
  • Packetfence Administration Guide
    PacketFence Administration Guide for version 3.5.0 PacketFence Administration Guide by Olivier Bilodeau, Fabrice Durand, François Gaudreault, and Derek Wuelfrath Past Authors: Dominik Gehl Version 3.5.0 - August 2012 Copyright © 2008-2012 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL Copyright © Barry Schwartz, http://www.crudfactory.com, with Reserved Font Name: "Sorts Mill Goudy". Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata". Revision History Revision 2.5 2012-07-30 FG Doc update for RADIUS Revision 2.4 2012-07-26 DW Added documentation for new captive portal profiles feature. Revision 2.3 2012-07-19 FG Adding suricata documentation Revision 2.2 2012-06-13 OB, FD Added installation procedure for Debian. A minor fix to RHEL6 install instructions. Revision 2.1 2012-04-12 OB, DW Added new documentation about pre-registered, sponsored guests and role-based enforcement. Covered updated inline enforcement instructions. Updated drbd and samba installation instructions. SoH, ntlm_auth test and some typos fixed too. Revision 2.0 2012-02-22 FG, OB, DW Documentation ported to asciidoc.
    [Show full text]
  • 18T00505.Pdf
    ESCUELA SUPERIOR POLITÉCNICA DE CHIMBORAZO FACULTAD DE INFORMÁTICA Y ELECTRÓNICA ESCUELA DE INGENIERÍA EN SISTEMAS “ANÁLISIS COMPARATIVO DE HERRAMIENTAS N.A.C OPENSOURCE Y SU APLICACIÓN A LA DIRECCIÓN PROVINCIAL DEL CONSEJO DE LA JUDICATURA DE CHIMBORAZO” TESIS DE GRADO Previa la obtención del título de INGENIERO EN SISTEMAS INFORMÁTICOS Presentado por: CARLOS MIGUEL PADILLA CEVALLOS RIOBAMBA – ECUADOR 2012 AGRADECIMIENTO Agradezco infinitamente a Dios por ser la luz y la fuerza de mi vida, a mis padres por su apoyo incondicional y el sacrificio que han hecho por darme una educación; a mis hermanos y amigos por sus consejos y aprecio. DEDICATORIA A Dios y a mis padres por los buenos valores, hábitos y enseñanzas que me han ayudado a salir adelante y alcanzar mis sueños y objetivos. A mi novia por sus consejos, comprensión y apoyo. También a mis hermanos por siempre darme fuerza para seguir adelante. NOMBRE FIRMA FECHA Ing. Iván Ménes DECANO FACULTAD DE ..................................... ..................................... INFORMÁTICA Y ELECTRÓNICA Ing. Raúl Rosero DIRECTOR ESCUELA ..................................... ..................................... INGENIERÍA EN SISTEMAS Ing. Alberto Arellano DIRECTOR DE TESIS ..................................... ..................................... Ing. Diego Ávila MIEMBRO DEL ..................................... ..................................... TRIBUNAL Ing. Carlos Rodríguez DIRECTOR DPTO. ..................................... ..................................... DOCUMENTACIÓN NOTA
    [Show full text]
  • Clustering Quick Installation Guide
    ClusteringQuickInstallationGuide forPacketFenceversion6.0.0 ClusteringQuickInstallationGuide byInverseInc. Version6.0.0-Apr2016 Copyright©2015Inverseinc. Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version 1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-Cover Texts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense". ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http:// scripts.sil.org/OFL Copyright©ŁukaszDziedzic,http://www.latofonts.com,withReservedFontName:"Lato". Copyright©RaphLevien,http://levien.com/,withReservedFontName:"Inconsolata". TableofContents AboutthisGuide.............................................................................................................. 1 Assumptions.....................................................................................................................2 InstallationonCentOS6................................................................................................... 3 Step1:Installthereplicateddatabase........................................................................ 3 Step2:Serverconfiguration..................................................................................... 9 InstallationonCentOS7................................................................................................. 11 Step1:Installthereplicateddatabase.......................................................................11
    [Show full text]
  • Packetfence Administration Guide
    PacketFence Administration Guide for version 3.5.1 PacketFence Administration Guide by Olivier Bilodeau, Fabrice Durand, François Gaudreault, and Derek Wuelfrath Past Authors: Dominik Gehl Version 3.5.1 - September 2012 Copyright © 2008-2012 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL Copyright © Barry Schwartz, http://www.crudfactory.com, with Reserved Font Name: "Sorts Mill Goudy". Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata". Revision History Revision 2.6 2012-09-05 OB, DW, FD Managed FreeRADIUS updates. Proper ownership of the /var/lib/samba/winbind_privileged folder since 3.5 release. Added EPEL on the installation line for RHEL-based systems. Revision 2.5 2012-07-30 FG Doc update for RADIUS Revision 2.4 2012-07-26 DW Added documentation for new captive portal profiles feature. Revision 2.3 2012-07-19 FG Adding suricata documentation Revision 2.2 2012-06-13 OB, FD Added installation procedure for Debian. A minor fix to RHEL6 install instructions. Revision 2.1 2012-04-12 OB, DW Added new documentation about pre-registered, sponsored guests and role-based enforcement.
    [Show full text]
  • Installation Guide
    Installation Guide PacketFence v11.0.0 Version 11.0.0 - September 2021 Table of Contents 1. About this Guide . 2 1.1. Other sources of information . 2 2. Introduction . 3 3. System Requirements . 4 3.1. Assumptions . 4 3.2. Minimum Hardware Requirements. 4 3.3. Operating System Requirements . 4 4. Installation . 6 4.1. Installing PacketFence from the ZEN. 6 4.2. Installing PacketFence on existing Linux . 7 5. Getting Started . 10 5.1. Going Through the Configurator . 10 5.2. Connecting PacketFence to Microsoft Active Directory . 11 5.3. Configuring Cisco Catalyst 2960 Switch. 11 5.4. Adding the Switch to PacketFence. 13 5.5. Configuring the Connection Profile . 13 5.6. Configuring Microsoft Windows Supplicant . 14 5.7. Testing. 14 5.8. Alerting . 14 6. Enabling the Captive Portal . 15 6.1. Creating Authentication Source for Guests. 15 6.2. Configure switchport for Web Authentication . 15 6.3. Adjust Switch Configuration in PacketFence. 16 6.4. Enabling Portal on Management Interface . 16 6.5. Configuring the Connection Profile . 17 6.6. Testing. 17 7. Authentication Sources . 18 7.1. Email Authentication for Guests. 19 7.2. Adding SMS Authentication for Guests . 20 8. Introduction to Role-based Access Control . 22 8.1. Adding Roles. 22 8.2. Using the Employee Role . 23 8.3. Using the Corporate_Machine Role . 23 9. Supported Enforcement Modes . 25 9.1. Technical Introduction to Inline Enforcement . 25 9.2. Technical Introduction to Out-of-band Enforcement . 26 9.3. Technical Introduction to Hybrid Enforcement. 30 9.4. Technical Introduction to RADIUS Enforcement.
    [Show full text]
  • Packetfence Administration Guide for Version 4.0.0 Packetfence Administration Guide by Inverse Inc
    PacketFence Administration Guide for version 4.0.0 PacketFence Administration Guide by Inverse Inc. Version 4.0.0 - May 2013 Copyright © 2008-2013 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL Copyright © Barry Schwartz, http://www.crudfactory.com, with Reserved Font Name: "Sorts Mill Goudy". Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata". Table of Contents About this Guide ................................................................................................................. 1 Other sources of information ......................................................................................... 1 Introduction ....................................................................................................................... 2 Features .................................................................................................................... 2 Network Integration .................................................................................................... 5 Components .............................................................................................................
    [Show full text]
  • Developer's Guide
    Developer’s Guide PacketFence v11.1.0 Version 11.1.0 - September 2021 Table of Contents 1. About this Guide . 2 1.1. Other sources of information . 2 2. Creating a new Switch via a Template. 3 2.1. Using web admin . 3 2.2. Using CLI. 3 2.3. Required Parameters . 3 2.4. RADIUS scope Parameters . 3 2.5. Additional parameters . 4 2.6. Comments . 4 2.7. Defining RADIUS Attributes . 4 2.8. Dynamic RADIUS Attribute Value Syntax . 4 3. Documentation . 13 4. Asciidoctor documentation . 14 4.1. Documentation Conventions . 14 4.2. Checklist to create a new guide . 19 5. Golang environment . 20 5.1. PacketFence Golang libraries . 20 6. Code conventions . 24 6.1. Code style. 24 7. HTTP JSON API . 26 7.1. How to use the API . 26 8. Customizing PacketFence . 28 8.1. Captive Portal. 28 8.2. Adding custom fields to the database . 30 8.3. VLAN assignment . 30 9. SNMP. 32 9.1. Introduction . 32 9.2. Obtaining switch and port information . 32 10. Supporting new network hardware. 33 10.1. Switch . 33 10.2. Wireless Access-Points or Controllers. 36 10.3. The "adding a new network device module in PacketFence" checklist . 38 11. PacketFence builds . 39 11.1. Packer . 39 11.2. Anatomy of Packer template . 39 11.3. How to build Docker images ? . 39 11.4. Troubleshooting . 40 12. Developer recipes. 41 12.1. Virtual environment. 41 12.2. Running development version . 41 13. Running tests . 44 13.1. Unit tests . 44 13.2. Integration tests. 45 14.
    [Show full text]
  • Packetfence Administration Guide for Version 4.2.2 Packetfence Administration Guide by Inverse Inc
    PacketFence Administration Guide for version 4.2.2 PacketFence Administration Guide by Inverse Inc. Version 4.2.2 - May 2014 Copyright © 2008-2014 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL Copyright © Barry Schwartz, http://www.crudfactory.com, with Reserved Font Name: "Sorts Mill Goudy". Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata". Table of Contents About this Guide ................................................................................................................. 1 Other sources of information ......................................................................................... 1 Introduction ....................................................................................................................... 2 Features .................................................................................................................... 2 Network Integration .................................................................................................... 5 Components .............................................................................................................
    [Show full text]