Packetfence – Version 3.1.0

PacketFence – version 3.1.0 Administration Guide

Copyright © 2008-2011 Inverse inc. (http://inverse.ca)

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Version 3.1.0 – December 2011

Contents

Chapter 1 About this Guide
    Other sources of information
Chapter 2 Introduction
    Features
    Network Integration
    Components
Chapter 3 System Requirements
    Assumptions
    Minimum Hardware Requirements
    Operating System Requirements
Chapter 4 Installation
    OS Installation
    Software Download
    Software Installation
Chapter 5 Configuration
    First Step
    Web-based Administration Interface
    Global configuration file (pf.conf)
    Apache Configuration
    SELinux
    Authentication (flat file, LDAP/AD, RADIUS)
    Network Devices Definition (switches.conf)
    Default VLAN assignment
    Inline enforcement configuration
    DHCP and DNS Server Configuration (networks.conf)
    Production DHCP access
    Routed Networks
    FreeRADIUS Configuration
    Starting PacketFence Services
    Log files
Chapter 6 Configuration by example
    Assumptions
    Network Interfaces
    Switch Setup
    switches.conf
    pf.conf
    networks.conf
    Inline enforcement specifics
Chapter 7 Optional components
    Blocking malicious activities with violations
    Conformity Scan (Nessus)
    Oinkmaster
    Floating Network Devices
    Guest management
    Statement of Health (SoH)
    Apple wireless profile provisioning
    SNMP traps limit
Chapter 8 Operating System Best Practices
    Iptables
    Log Rotations
    High availability
Chapter 9 Performance optimization
    MySQL optimizations
    Captive portal optimizations
Chapter 10 Frequently Asked Questions
Chapter 11 Technical introduction to VLAN enforcement
    Introduction
    More on SNMP traps VLAN isolation
Chapter 12 Technical introduction to Inline enforcement
    Introduction
    Device configuration
    Access control
    Limitations
Chapter 13 Appendix A: Administration Tools
    pfcmd
    pfcmd_vlan
    Web Admin GUI
Chapter 14 Appendix B: Manual FreeRADIUS 2 configuration
Chapter 15 Appendix C: Legacy FreeRADIUS 1.x configuration
Chapter 16 Additional Information
Chapter 17 Commercial Support and Contact Information
Chapter 18 GNU Free Documentation License

Chapter 1
About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The instructions are based on version 3.1.0 of PacketFence.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

Network Devices Configuration Guide – Covers switch,
