PacketFence Administration Guide for version 4.2.2 PacketFence Administration Guide by Inverse Inc. Version 4.2.2 - May 2014 Copyright © 2008-2014 Inverse inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL Copyright © Barry Schwartz, http://www.crudfactory.com, with Reserved Font Name: "Sorts Mill Goudy". Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata". Table of Contents About this Guide ................................................................................................................. 1 Other sources of information ......................................................................................... 1 Introduction ....................................................................................................................... 2 Features .................................................................................................................... 2 Network Integration .................................................................................................... 5 Components .............................................................................................................. 6 System Requirements .......................................................................................................... 7 Assumptions .............................................................................................................. 7 Minimum Hardware Requirements ................................................................................. 7 Operating System Requirements .................................................................................... 8 Installation ........................................................................................................................ 9 OS Installation ............................................................................................................ 9 Software Download .................................................................................................... 10 Software Installation .................................................................................................. 10 Configuration .................................................................................................................... 12 First Step ................................................................................................................. 12 Web-based Administration Interface .............................................................................. 13 Global configuration file (pf.conf) ................................................................................. 13 Apache Configuration ................................................................................................. 13 SELinux .................................................................................................................... 14 Roles Management .................................................................................................... 14 Authentication .......................................................................................................... 15 Network Devices Definition (switches.conf) .................................................................... 17 Default VLAN/role assignment ...................................................................................... 20 Inline enforcement configuration .................................................................................. 20 Hybrid mode ............................................................................................................ 21 Web Auth mode ........................................................................................................ 21 DHCP and DNS Server Configuration (networks.conf) ........................................................ 22 Production DHCP access ............................................................................................. 23 Routed Networks ....................................................................................................... 24 FreeRADIUS Configuration ............................................................................................ 27 Starting PacketFence Services ...................................................................................... 32 Log files .................................................................................................................. 33 Passthrough ............................................................................................................. 33 Proxy Interception ..................................................................................................... 34 Configuration by example ................................................................................................... 35 Assumptions ............................................................................................................. 35 Network Interfaces .................................................................................................... 36 Switch Setup ............................................................................................................ 37 switches.conf ............................................................................................................ 38 pf.conf .................................................................................................................... 39 networks.conf ........................................................................................................... 41 Inline enforcement specifics ........................................................................................ 42 Optional components ......................................................................................................... 44 Blocking malicious activities with violations ................................................................... 44 Compliance Checks .................................................................................................... 48 RADIUS Accounting .................................................................................................... 51 Oinkmaster ............................................................................................................... 52 Floating Network Devices ............................................................................................ 52 Guests Management .................................................................................................. 54 Statement of Health (SoH) .......................................................................................... 57 Copyright © 2008-2014 Inverse inc. iii Billing Engine ........................................................................................................... 61 Portal Profiles ........................................................................................................... 62 OAuth2 Authentication ............................................................................................... 63 Gaming Devices Registration ....................................................................................... 64 Eduroam .................................................................................................................. 65 Operating System Best Practices .......................................................................................... 70 Iptables ................................................................................................................... 70 Log Rotations ........................................................................................................... 70 Logrotate (recommended) ........................................................................................... 70 Log4perl ................................................................................................................... 70 High Availability ........................................................................................................ 71 Performance optimization ................................................................................................... 78 MySQL optimizations .................................................................................................. 78 Captive Portal Optimizations ....................................................................................... 81 Frequently Asked Questions ................................................................................................ 82 Technical introduction to VLAN enforcement .......................................................................... 83 Introduction ............................................................................................................. 83 VLAN assignment techniques ....................................................................................... 83 More on SNMP traps VLAN isolation ............................................................................. 84 Technical introduction to