Administration Guide for PacketFence version 6.2.1
Administration Guide by Inverse Inc.
Version 6.2.1 - Jul 2016 Copyright 2016 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".
Copyright 2016 Inverse inc. iii
Table of Contents
About this Guide ..... 1
    Other sources of information ..... 1
Introduction ..... 2
    Features ..... 2
    Network Integration ..... 5
    Components ..... 5
System Requirements ..... 7
    Assumptions ..... 7
    Minimum Hardware Requirements ..... 7
    Operating System Requirements ..... 7
Installation ..... 9
    OS Installation ..... 9
    Software Download ..... 10
    Software Installation ..... 10
Get off on the right foot ..... 12
Technical introduction to Inline enforcement ..... 13
    Introduction ..... 13
    Device configuration ..... 13
    Access control ..... 13
    Limitations ..... 14
Technical introduction to Out-of-band enforcement ..... 15
    Introduction ..... 15
    VLAN assignment techniques ..... 15
    More on SNMP traps VLAN isolation ..... 17
Technical introduction to Hybrid enforcement ..... 20
    Introduction ..... 20
    Device configuration ..... 20
Configuration ..... 21
    Roles Management ..... 21
    Authentication ..... 22
    External API authentication ..... 24
    SAML authentication ..... 25
    Network Devices Definition (switches.conf) ..... 27
    Portal Profiles ..... 31
    FreeRADIUS Configuration ..... 32
    Portal Modules ..... 43
Debugging ..... 52
    Log files ..... 52
    RADIUS Debugging ..... 52
More on VoIP Integration ..... 54
    CDP and LLDP are your friend ..... 54
    VoIP and VLAN assignment techniques ..... 54
    What if CDP/LLDP feature is missing ..... 55
Advanced topics ..... 56
    Apple and Android Wireless Provisioning ..... 56
    Billing Engine ..... 57
    Devices Registration ..... 69
    Eduroam ..... 70
    Fingerbank integration ..... 74
    Floating Network Devices ..... 75
    OAuth2 Authentication ..... 77
    Passthrough ..... 79
    Production DHCP access ..... 80
    Proxy Interception ..... 81
    Routed Networks ..... 82
    Statement of Health (SoH) ..... 85
    VLAN Filter Definition ..... 86
    RADIUS Filter Definition ..... 88
    DNS enforcement ..... 90
    Parked devices ..... 90
Optional components ..... 92
    Blocking malicious activities with violations ..... 92
    Compliance Checks ..... 100
    RADIUS Accounting ..... 105
    Oinkmaster ..... 106
    Guests Management ..... 107
    Active Directory Integration ..... 110
    DHCP remote sensor ..... 115
    Switch login access ..... 117
Operating System Best Practices ..... 118
    IPTables ..... 118
    Log Rotations ..... 118
Performance optimization ..... 119
    SNMP Traps Limit ..... 119
    MySQL optimizations ..... 119
    Captive Portal Optimizations ..... 122
    Dashboard Optimizations (statistics collection) ..... 123
Additional Information ..... 125
Commercial Support and Contact Information ..... 126
GNU Free Documentation License ..... 127
A. Administration Tools ..... 128
    pfcmd ..... 128
    pfcmd_vlan ..... 129
Chapter 1. About this Guide
This guide will walk you through the installation and the day-to-day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
The following documents are included in the package and release tarballs.
Network Devices Configuration Guide (pdf)
    Covers switch, controllers and access points configuration.
Developers Guide (pdf)
    Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
CREDITS
    This is, at least, a partial file of PacketFence contributors.
NEWS.asciidoc
    Covers noteworthy features, improvements and bug fixes by release.
UPGRADE.asciidoc
    Covers compatibility related changes, manual instructions and general notes about upgrading.
ChangeLog
    Covers all changes to the source code.
Chapter 2. Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
Features
Out of band (VLAN Enforcement)
    PacketFence's operation is completely out of band when using VLAN enforcement which allows the solution to scale geographically and to be more resilient to failures.
In Band (Inline Enforcement)
    PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.
Hybrid support (Inline Enforcement with RADIUS support)
    PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.
Hotspot support (Web Auth Enforcement)
    PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
Voice over IP (VoIP) support
    Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X
    802.1X wireless and wired is supported through our FreeRADIUS module.
Wireless integration
    PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
Registration
    PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
Detection of abnormal network activities
    Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
Proactive vulnerability scans
    Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
Isolation of problematic devices
    PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal
    Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration
    PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
Command-line and Web-based management
    Web-based and command-line interfaces for all management tasks.
Guest Access
    PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Devices registration
    A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work such as a Web server, a database server, and a RADIUS server. It interacts with external tools to extend its functionalities.
Chapter 3. System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
Depending on your setup you may have to install additional components like:
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architecture:
- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)
Make sure that all the other services are automatically started by your operating system!
Chapter 4. Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
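A pre-flight check for the OS prerequisites just listed, as an added example that is not part of this guide or of PacketFence itself. It parses the contents of /etc/selinux/config the way the init scripts do (comment lines skipped, last assignment wins) and reports the three conditions the guide names. The file contents below are constructed, and the two boolean inputs stand in for live checks of AppArmor and of the resolvconf symlink (an assumption, since how those are probed depends on the distribution):

```python
"""Pre-flight check for the OS prerequisites of a PacketFence install.
Added example, not PacketFence's own code. Sample inputs are constructed."""

import re

# Constructed sample: the default on a fresh RHEL/CentOS install (enforcing).
SELINUX_CONFIG_DEFAULT = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

# Constructed sample: the corrected file the guide asks for.
SELINUX_CONFIG_FIXED = SELINUX_CONFIG_DEFAULT.replace("SELINUX=enforcing", "SELINUX=disabled")

_KEY_RE = re.compile(r"^\s*SELINUX\s*=\s*(\S+)\s*$")


def selinux_mode(config_text):
    """Return the effective SELINUX= value from the config text.

    Comment lines (starting with '#') are skipped even though they contain the
    string 'SELINUX='; the last real assignment wins. SELINUXTYPE= does not
    match because the regex requires '=' right after SELINUX. Returns None
    when no assignment is present."""
    mode = None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(line)
        if m:
            mode = m.group(1).lower()
    return mode


def preflight_problems(selinux_config_text, apparmor_profiles_loaded, resolvconf_symlink):
    """Collect the prerequisite violations the guide names: SELinux not
    disabled, AppArmor still loaded, /etc/resolv.conf still a resolvconf
    symlink. The two booleans stand in for live system probes (assumption)."""
    problems = []
    mode = selinux_mode(selinux_config_text)
    if mode != "disabled":
        problems.append("SELinux is %s; set SELINUX=disabled in /etc/selinux/config" % (mode or "unset"))
    if apparmor_profiles_loaded:
        problems.append("AppArmor profiles are loaded; run the update-rc.d -f apparmor steps")
    if resolvconf_symlink:
        problems.append("/etc/resolv.conf is a resolvconf symlink; replace it with a plain file")
    return problems


if __name__ == "__main__":
    for p in preflight_problems(SELINUX_CONFIG_DEFAULT, True, True):
        print("FAIL:", p)
    print("problems with fixed config:", preflight_problems(SELINUX_CONFIG_FIXED, False, False))
```

Run it before the package installation; an empty problem list for your real /etc/selinux/config (read the file and pass its text) is the state the rest of this chapter assumes.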
Red Hat-based systems
Note
Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x
Note
These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL/CentOS
In order to use the PacketFence repository:
# yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://@ip_of_packetfence:1443/configurator
Debian
For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Chapter 5. Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Chapter 6. Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is "talking" on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's mac address to go through it.
Limitations
Inline enforcement because of its nature has several limitations that one must be aware of.
- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware providing a clean migration path to VLAN enforcement.
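The access-control decision from the Access control section and the ipset ceiling from the Limitations list, modelled together as an added example (this is not PacketFence's code and does not reproduce its actual IPTables rules). A Python set stands in for the ipset session that IPTables consults: an unregistered device has its web traffic redirected to the captive portal and everything else dropped, a registered device is forwarded, and registration fails once the set holds 65536 entries. The MAC addresses and packets are constructed; the port numbers treated as "web" are an assumption.

```python
"""Model of inline-mode access control: ipset-like registry plus the
per-packet IPTables verdict. Added example, not PacketFence's code."""

from collections import namedtuple

IPSET_MAX_ENTRIES = 65536            # hash set size limit quoted by the guide
WEB_PORTS = {80, 443}                # assumption: what counts as "Web traffic"

PORTAL_REDIRECT = "redirect-to-captive-portal"
FORWARD = "forward"
DROP = "drop"

# One packet seen by the gateway; src_mac identifies the device on the inline VLAN.
Packet = namedtuple("Packet", "src_mac dst_port proto")


class InlineGateway:
    """PacketFence as the gateway of the inline VLAN."""

    def __init__(self, max_entries=IPSET_MAX_ENTRIES):
        self.registered = set()       # stands in for the 'registered' ipset
        self.max_entries = max_entries

    def register(self, mac):
        """Called once the user completed the captive portal. Returns False when
        the set is full, which is the class-B ceiling the guide describes."""
        mac = mac.lower()
        if mac in self.registered:
            return True
        if len(self.registered) >= self.max_entries:
            return False
        self.registered.add(mac)
        return True

    def deregister(self, mac):
        """Remove the device from the ipset session (e.g. on a violation)."""
        self.registered.discard(mac.lower())

    def decide(self, packet):
        """The verdict for one packet from a device on the inline VLAN."""
        if packet.src_mac.lower() in self.registered:
            return FORWARD
        # Unregistered: only web traffic passes, and it goes to the portal.
        if packet.proto == "tcp" and packet.dst_port in WEB_PORTS:
            return PORTAL_REDIRECT
        return DROP


def demo():
    """Walk one constructed laptop through registration."""
    gw = InlineGateway()
    laptop = "00:11:22:33:44:55"          # constructed MAC
    before = [
        gw.decide(Packet(laptop, 80, "tcp")),     # web: sent to the portal
        gw.decide(Packet(laptop, 22, "tcp")),     # ssh: blocked
        gw.decide(Packet(laptop, 123, "udp")),    # ntp: blocked
    ]
    gw.register(laptop)
    after = [
        gw.decide(Packet(laptop, 22, "tcp")),
        gw.decide(Packet(laptop, 443, "tcp")),
    ]
    return before, after


if __name__ == "__main__":
    print(demo())
```

The single set lookup per packet is what makes the model faithful to the text: every packet of every authorized user still traverses the gateway, which is the load and single-point-of-failure limitation listed above, not something the registry can avoid.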
Chapter 7. Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2 meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP) which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have 802.1X supplicant which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fallback to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to setup the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence go to 8
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address go to 4. If it does go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated" role (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server)
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.)
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence which creates user + device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated" role, or in the "normal" VLAN
Web Auth mode
Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change of VLAN ID but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP
Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports this way any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
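The authorization decision behind the wired and wireless 802.1X / MAC authentication sections and the eight-step flow above, as an added example (not PacketFence's or FreeRADIUS's code). Given the identity the NAS presents, it returns the RFC 2868 tunnel attributes that place the device in the registration VLAN or the normal VLAN, then walks the flow for an unknown device that registers through the portal and gets re-authorized after CoA. The node database, the VLAN numbers and the dictionary shape of the request are assumptions; the attribute names and the values 13 (VLAN) and 6 (IEEE-802) are the standard RFC 2868 ones.

```python
"""RADIUS VLAN assignment for 802.1X and MAC authentication, plus the
wireless registration flow. Added example, not PacketFence's code."""

# RFC 2868 values used for VLAN assignment in an Access-Accept.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed VLAN plan (assumption).
REGISTRATION_VLAN = 2
NORMAL_VLAN = 10


def vlan_attributes(vlan_id):
    """Access-Accept attributes that tell the NAS which VLAN to assign."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


class NodeDatabase:
    """Stand-in for the PacketFence node table (constructed)."""

    def __init__(self):
        self.nodes = {}          # mac -> {"status": "reg" | "unreg"}

    def lookup(self, mac):
        return self.nodes.get(mac.lower())

    def register(self, mac):
        self.nodes[mac.lower()] = {"status": "reg"}


def _normalize_mac(calling_station_id):
    """NAS vendors format Calling-Station-Id differently; canonicalize."""
    return calling_station_id.replace("-", ":").lower()


def authorize(db, request):
    """Decide the VLAN for one Access-Request.

    request carries Calling-Station-Id (the MAC) and User-Name. For MAC
    authentication the User-Name is the MAC itself (no EAP exchange, so no
    strong authentication, as the guide notes); for 802.1X it is the EAP
    identity. Either way the VLAN follows the node's status in the database:
    unknown or unregistered devices go to the registration VLAN, registered
    devices to the normal VLAN."""
    mac = _normalize_mac(request["Calling-Station-Id"])
    method = "mac-auth" if _normalize_mac(request.get("User-Name", "")) == mac else "802.1x"
    node = db.lookup(mac)
    vlan = NORMAL_VLAN if node is not None and node["status"] == "reg" else REGISTRATION_VLAN
    return {"method": method, "Access-Accept": vlan_attributes(vlan)}


def wireless_flow(db, mac, user_registers):
    """Steps 1-8 of the flow above for one device; returns the event list."""
    events = []
    req = {"Calling-Station-Id": mac, "User-Name": mac}   # step 2: controller does MAC auth
    reply = authorize(db, req)                             # step 3 -> 4 or 8
    vlan = int(reply["Access-Accept"]["Tunnel-Private-Group-Id"])
    events.append(("vlan", vlan))
    if vlan == REGISTRATION_VLAN:
        events.append("captive-portal")                    # step 5
        if user_registers:
            db.register(mac)                               # step 6: node now registered
            events.append("coa-rfc3576")                   # step 7: CoA, back to step 1
            reply = authorize(db, req)                     # step 8
            events.append(("vlan", int(reply["Access-Accept"]["Tunnel-Private-Group-Id"])))
    return events


if __name__ == "__main__":
    db = NodeDatabase()
    print(wireless_flow(db, "00:11:22:33:44:55", user_registers=True))
    print(wireless_flow(db, "00:11:22:33:44:55", user_registers=False))
```

The second call in the usage shows step 1's shortcut: once the node is registered, the controller's MAC-auth request is answered with the normal VLAN straight away and the portal is never involved.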
When the VLAN isolation is working through SNMP traps all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.
linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.
If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es)/access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55
This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and also the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
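The trigger evaluation described above, as an added example (not PacketFence code): it parses the same comma-separated "kind::value" syntax and decides, for a connecting node, whether inline enforcement applies. The Connection record and the rule that ALWAYS takes no value are assumptions of this example.

```python
"""Evaluate a "Trigger to enable inline mode" string against a connecting node."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VALID_KINDS = {"ALWAYS", "PORT", "MAC", "SSID"}


@dataclass
class Connection:
    """What the switch/AP reported about the node (constructed for the example)."""
    mac: str
    ssid: Optional[str] = None
    if_index: Optional[int] = None


def parse_triggers(spec: str) -> List[Tuple[str, str]]:
    """Split 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into (kind, value) pairs.

    Values are split on the first '::' only, so MAC addresses (which contain
    ':') stay intact. Unknown kinds raise instead of being ignored, since a
    silently dropped trigger would widen or narrow enforcement by accident.
    """
    triggers = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, value = item.partition("::")
        kind = kind.upper()
        if kind not in VALID_KINDS:
            raise ValueError(f"unknown trigger kind: {kind!r}")
        if kind == "ALWAYS":
            if sep:  # assumption: ALWAYS carries no value
                raise ValueError("ALWAYS takes no value")
            triggers.append((kind, ""))
            continue
        if not sep or not value.strip():
            raise ValueError(f"{kind} trigger needs a value")
        triggers.append((kind, value.strip()))
    return triggers


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-11-22-33-44-55' still matches."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def use_inline(spec: str, conn: Connection) -> bool:
    """True when any trigger matches; otherwise VLAN enforcement applies."""
    for kind, value in parse_triggers(spec):
        if kind == "ALWAYS":
            return True
        if kind == "SSID" and conn.ssid is not None and conn.ssid == value:
            return True
        if kind == "MAC" and normalize_mac(conn.mac) == normalize_mac(value):
            return True
        if kind == "PORT" and conn.if_index is not None and str(conn.if_index) == value:
            return True
    return False


if __name__ == "__main__":
    spec = "SSID::GuestAccess,MAC::00:11:22:33:44:55"
    print(use_inline(spec, Connection(mac="aa:bb:cc:dd:ee:ff", ssid="GuestAccess")))  # True
    print(use_inline(spec, Connection(mac="00-11-22-33-44-55", ssid="Corp")))        # True
    print(use_inline(spec, Connection(mac="aa:bb:cc:dd:ee:ff", ssid="Corp")))        # False
```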
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint, or for the user using it
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are mapped to VLANs, ACLs or external roles
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs
5. test!
Note

If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
Active Directory
Apache htpasswd file
External HTTP API
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth2)
Windows Live (OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a catch-all. When a catch-all is defined, all actions will be applied for any user that matches in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example

Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.
Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:
Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule by clicking on the Add rule button and provide the following information:
Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role employee
Set unregistration date January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source, for machines:
Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule:
Name: *machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role machineauth
Set unregistration date January 1st, 2020
Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls, and accept everything.
Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}
Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need.

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}
Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.
PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: first the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.

API username and password: if your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
SAML authentication
PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path: /usr/local/pf/conf/ssl/server.key

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path: /usr/local/pf/conf/ssl/server.key

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);
Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.
Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)
This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note

switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload.
Working modes

There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.
SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite
From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread
Switch Configuration

Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH
Warning

Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
http://www.packetfence.org/bugs/view.php?id=1370
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.
Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate for controlling what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal-role-to-external-role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: Role=

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
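Resolving a node's internal role to the external role a device expects from the <role>Role= parameters above, as an added example that is not PacketFence code. The switches.conf excerpt is constructed, and the lookup order (the switch's own section first, then the global [default] section) is an assumption modelled on the "global roles parameter or the per-switch one" wording.

```python
"""Map internal roles to external (device) roles from switches.conf entries."""
import configparser
from typing import Dict, Optional

# Constructed switches.conf excerpt; a real file carries many more keys.
SWITCHES_CONF = """
[default]
type = Cisco::Catalyst_2960
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.0.10]
type = Cisco::WLC
salesRole = sales-wireless
guestRole = internet-only
"""


def load_switches(text: str) -> configparser.ConfigParser:
    # 'default' is treated as an ordinary section here so the precedence
    # between it and a per-switch section stays explicit in external_role().
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'adminRole' as written instead of lower-casing it
    cp.read_string(text)
    return cp


def role_map(cp: configparser.ConfigParser, section: str) -> Dict[str, str]:
    """Collect every <role>Role = <external role> entry of one section."""
    if not cp.has_section(section):
        return {}
    suffix = "Role"
    return {key[:-len(suffix)]: value.strip()
            for key, value in cp.items(section)
            if key.endswith(suffix) and len(key) > len(suffix)}


def external_role(cp: configparser.ConfigParser, switch: str, node_role: str) -> Optional[str]:
    """Per-switch definition wins over [default]; None means the role is unmapped.

    Returning None (rather than the internal name) matters: pushing a role the
    device does not define is exactly what the Caution below warns about.
    """
    for section in (switch, "default"):
        mapping = role_map(cp, section)
        if node_role in mapping:
            return mapping[node_role]
    return None


def effective_roles(cp: configparser.ConfigParser, switch: str) -> Dict[str, str]:
    """The complete mapping a given switch ends up with after overrides."""
    merged = dict(role_map(cp, "default"))
    merged.update(role_map(cp, switch))
    return merged


if __name__ == "__main__":
    conf = load_switches(SWITCHES_CONF)
    for sw in ("192.168.0.10", "10.0.0.1"):
        print(sw, effective_roles(conf, sw))
```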
Caution

Make sure that the roles are properly defined on the network devices prior to assigning roles!
Portal Profiles
PacketFence comes with a default portal profile. The following parameters are important to configure no matter whether you use the default portal profile or create a new one:
Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we make this reach PacketFence's website as an easier and more accessible solution.
In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the "default" portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is "filter"; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:
[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentications sources (IDs) to use
Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.
Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

SSID: Guest-SSID
VLAN: 100
Switch Port: -
Network: Network in CIDR format or an IP address
Caution

Node role will take effect only with an 802.1X connection or if you use VLAN filters.
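Selecting the portal profile for a connecting client from a profiles.conf of the layout shown above, as an added example that is not PacketFence code. It covers the four common filter types (SSID, VLAN, Switch Port, Network) and rejects a profile without the mandatory filter; the profiles.conf content, the "switch IP, dash, ifIndex" form of the Switch Port value, the connection attribute names and the first-matching-profile rule are assumptions of this example.

```python
"""Match a client's connection attributes against portal profile filters."""
import configparser
import ipaddress
from typing import Dict, List, Tuple

# Constructed profiles.conf; order in the file is the order filters are tried.
PROFILES_CONF = """
[guest-wifi]
description = Guest wireless portal
filter = SSID:Guest-SSID
sources = sms1,email1

[lobby-ports]
description = Wired lobby ports
filter = Switch Port:192.168.0.10-12
sources = sponsor1

[lab]
description = Lab subnet
filter = Network:10.20.0.0/16
sources = ad1

[vlan100]
description = Registration VLAN
filter = VLAN:100
sources = ad1
"""


def load_profiles(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for section in cp.sections():  # "filter" is the only mandatory parameter
        if not cp.has_option(section, "filter"):
            raise ValueError(f"profile {section!r} has no mandatory 'filter'")
    return cp


def parse_filter(spec: str) -> Tuple[str, str]:
    """'Network:2001:db8::/32' splits on the first colon only."""
    kind, sep, value = spec.partition(":")
    if not sep or not value.strip():
        raise ValueError(f"malformed filter {spec!r}")
    return kind.strip().lower(), value.strip()


def filter_matches(spec: str, conn: Dict[str, object]) -> bool:
    """conn keys (constructed): ssid, vlan, switch, port, ip."""
    kind, value = parse_filter(spec)
    if kind == "ssid":
        return conn.get("ssid") == value
    if kind == "vlan":
        return "vlan" in conn and str(conn["vlan"]) == value
    if kind == "switch port":
        switch, sep, port = value.rpartition("-")
        return bool(sep) and conn.get("switch") == switch and str(conn.get("port")) == port
    if kind == "network":
        if "ip" not in conn:
            return False
        # strict=False accepts a host address as well as a CIDR prefix
        return ipaddress.ip_address(str(conn["ip"])) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported filter type {kind!r}")


def select_profile(cp: configparser.ConfigParser, conn: Dict[str, object]) -> str:
    """First profile whose filter matches; 'default' when none does."""
    for section in cp.sections():
        if filter_matches(cp.get(section, "filter"), conn):
            return section
    return "default"


def profile_sources(cp: configparser.ConfigParser, name: str) -> List[str]:
    if not cp.has_option(name, "sources"):
        return []
    return [s.strip() for s in cp.get(name, "sources").split(",") if s.strip()]


if __name__ == "__main__":
    profiles = load_profiles(PROFILES_CONF)
    for conn in ({"ssid": "Guest-SSID"}, {"ip": "10.20.3.4", "vlan": 100}, {"ssid": "Corp"}):
        chosen = select_profile(profiles, conn)
        print(conn, "->", chosen, profile_sources(profiles, chosen) if chosen != "default" else [])
```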
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.
httpd.admin is used to manage the PacketFence admin interface
httpd.portal is used to manage the PacketFence captive portal interface
httpd.webservices is used to manage the PacketFence web services interface
httpd.aaa is used to manage incoming RADIUS requests
These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced at any time by your third-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)
Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.
In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf, and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.
Next, go in the Administration interface under Configuration → Domains.
Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl
Click Add Domain and fill in the information about your domain.
Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.
Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots//var/log/samba/log.winbindd. Replace with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

chroot /chroots/ wbinfo -u

You can test the authentication process using the following command:

chroot /chroots/ ntlm_auth --username=administrator
Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.
Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup

Realm options are any realm options that you want to add to the FreeRADIUS configuration

Domain is the domain which is associated to this realm

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0
For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0
Issue a kinit and klist in order to get and verify the Kerberos token:

# kinit administrator
# klist

After that, you need to start samba, and join the machine to the domain:
# service smb start
# chkconfig --level 345 smb on
# net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
# Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

# usermod -a -G wbpriv pf

Finally, start winbind, and test the setup using ntlm_auth and radtest:

# service winbind start
# chkconfig --level 345 winbind on

For Debian and Ubuntu:

# usermod -a -G winbindd_priv pf
# ntlm_auth --username myDomainUser
# radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
 User-Name = "myDomainUser"
 NAS-IP-Address = 10.0.0.1
 NAS-Port = 12
 Message-Authenticator = 0x00000000000000000000000000000000
 MS-CHAP-Challenge = 0x79d62c9da4e55104
 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"
Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and make sure that the user password is defined as an NT hash or as cleartext.
ldap openldap {
 server = "ldap.acme.com"
 identity = "uid=admin,dc=acme,dc=com"
 password = "password"
 basedn = "dc=district,dc=acme,dc=com"
 filter = "(uid=%{mschap:User-Name})"
 ldap_connections_number = 5
 timeout = 4
 timelimit = 3
 net_timeout = 1
 tls {
 }
 dictionary_mapping = ${confdir}/ldap.attrmap
 edir_account_policy_check = no

 keepalive {
  # LDAP_OPT_X_KEEPALIVE_IDLE
  idle = 60

  # LDAP_OPT_X_KEEPALIVE_PROBES
  probes = 3

  # LDAP_OPT_X_KEEPALIVE_INTERVAL
  interval = 3
 }
}
Next in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorizesection:
authorize { suffix ntdomain eap { ok = return } files openldap }
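Option 3 insists on an NT hash or cleartext password because MS-CHAPv2 can only be verified against the NT hash (MD4 over the UTF-16LE password), never against a salted digest such as SSHA. The following is an added example, not PacketFence or FreeRADIUS code, that computes that value; MD4 is implemented inline because many OpenSSL builds disable it in hashlib, and the attribute name sambaNTPassword mentioned in the comments is an assumption about the directory schema.

```python
"""Compute the NT hash that an LDAP entry must carry for MS-CHAPv2 (802.1X
EAP-PEAP) authentication to succeed. Constructed example, not PacketFence or
FreeRADIUS code. MD4 is implemented here (RFC 1320) because modern OpenSSL
builds often remove it from hashlib."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(func, state, X, order, shifts, const):
    # One 16-step MD4 round. The registers are rotated after every step so
    # that each step always updates 'a' (A, D, C, B in RFC order).
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _rotl((a + func(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of an arbitrary byte string."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)       # pad to 56 mod 64
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r1 = list(range(16))
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(f, state, X, r1, (3, 7, 11, 19), 0)
        s = _md4_round(g, s, X, r2, (3, 5, 9, 13), 0x5A827999)
        s = _md4_round(h, s, X, r3, (3, 9, 11, 15), 0x6ED9EBA1)
        state = [(x + y) & MASK for x, y in zip(state, s)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """Uppercase hex NT hash: MD4 of the password encoded as UTF-16LE.
    This is the form usually stored in an attribute such as sambaNTPassword
    (attribute name assumed) and mapped to NT-Password via ldap.attrmap."""
    return md4(password.encode("utf-16-le")).hex().upper()


if __name__ == "__main__":
    # "password" is a well-known test vector, used here only for illustration.
    print(nt_hash("password"))
```

Because the NT hash is unsalted and directly usable for MS-CHAPv2, the directory entries holding it deserve the same access controls as cleartext passwords.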
Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS, ...) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS the phone number and the PIN code should be used.
Note

This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line # packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound) {
                # *Don't* check activation table with phone number and PIN code
                # pfsms
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it fails, we reactivate NTLM Auth.

#### Activate local user eap authentication based on a specific SSID ####
## Set Called-Station-SSID with the current SSID
# set.called_station_ssid
# if (Called-Station-SSID == 'Secure-local-Wireless') {
#    # Disable ntlm_auth
#    update control {
#        MS-CHAP-Use-NTLM-Auth := No
#    }
#    # Check password table for local user
#    pflocal
#    if (fail || notfound) {
#        update control {
#            MS-CHAP-Use-NTLM-Auth := Yes
#        }
#    }
# }

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
    User-Name = "dd9999"
    User-Password = "Abcd1234"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules which are used to define the behavior of the captive portal.
Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows you to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

URL: This allows you to redirect the user to a local or external URL which can then come back to the portal to continue. An example is available below in Calling an external website.

Authentication: The authentication modules can be of many types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

    Billing: Allows you to define a module based on one or more billing sources.

    Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

    Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, ...).

    Other modules: The other modules are all based on the source type they are assigned to. They allow you to select the source, the AUP acceptance, and mandatory fields if applicable.

Examples

This section will contain the following examples:

- Prompting for fields without authentication.
- Prompting additional fields during the authentication.
- Chained authentication.
- Mixing login and Secure SSID on-boarding on the portal.
- Displaying a message to the user after the registration.
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the Null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, ...).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, ...) and then validate his phone number using SMS registration.

For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then, we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.
Then, add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also in the portal profile add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source to gain access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World !
Click here to access the PacketFence website!

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Calling an external website

Using the URL module, you can redirect the user to a local or external URL (as long as it is in the passthroughs). Then you can make it so the portal accepts a callback in order for the flow to continue.

In this example, the portal will redirect to an externally hosted PHP script that will give a random token to the user and then call back the portal to complete the registration process.

The example script is located in addons/example_external_auth/token.php and a README is available in that directory to set it up.

Once you have the script installed and working on URL: http://YOUR_PORTAL_HOSTNAME:10000/token.php, you can configure what you need on the PacketFence side.

Go in Configuration → Portal Modules, then click Add Portal Module and select URL. Set the Identifier to token_system, the Description to Token system and the URL to http://YOUR_PORTAL_HOSTNAME:10000/token.php.

Next, add default_registration_policy and token_system in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and then you will be redirected to the example token system. Clicking the continue link on that system will bring you back to the portal and complete the registration process.

Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.
All the sources that are defined in the Sources field will be available for usage by the user. The same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note

You can find all the authentication objects in lib/pf/Authentication/Source

Sources by class: Allows you to specify the perl class name of the sources you want available

    ex: pf::Authentication::Source::SMSSource will select all the SMS sources. pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, ...)

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.

You can see the default_guest_policy and default_oauth_policy for examples of this module.
Chapter 10
Copyright 2016 Inverse inc.    Debugging    52

Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log             PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access         Apache Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error          Apache Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access          Apache Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error           Apache Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access    Apache Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error     Apache Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access            Apache AAA Access Log
/usr/local/pf/logs/httpd.aaa.error             Apache AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

# radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

# radiusd -X -d /usr/local/pf/raddb -n acct
Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure!)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS' authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
Chapter 11
Copyright 2016 Inverse inc.    More on VoIP Integration    54

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friends

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switch port.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN, and 1 on the access VLAN.
Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain, and one device on the DATA domain. The domain assignment is done using a Cisco Vendor-Specific Attribute (VSA). When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch, which will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the "DHCP way" of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot, and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Chapter 12
Copyright 2016 Inverse inc.    Advanced topics    56

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless prof