Administration Guide for PacketFence version 6.0.3
Administration Guide by Inverse Inc.
Version 6.0.3 - Jun 2016. Copyright © 2016 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright © Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright © Raph Levien, http://levien.com, with Reserved Font Name: "Inconsolata".
Copyright © 2016 Inverse inc. iii
Table of Contents
About this Guide 1
  Other sources of information 1
Introduction 2
  Features 2
  Network Integration 5
  Components 5
System Requirements 7
  Assumptions 7
  Minimum Hardware Requirements 7
  Operating System Requirements 7
Installation 9
  OS Installation 9
  Software Download 10
  Software Installation 10
Get off on the right foot 12
Technical introduction to Inline enforcement 13
  Introduction 13
  Device configuration 13
  Access control 13
  Limitations 14
Technical introduction to Out-of-band enforcement 15
  Introduction 15
  VLAN assignment techniques 15
  More on SNMP traps VLAN isolation 17
Technical introduction to Hybrid enforcement 20
  Introduction 20
  Device configuration 20
Configuration 21
  Roles Management 21
  Authentication 22
  External API authentication 24
  SAML authentication 25
  Network Devices Definition (switches.conf) 27
  Portal Profiles 31
  FreeRADIUS Configuration 32
  Portal Modules 43
Debugging 52
  Log files 52
  RADIUS Debugging 52
More on VoIP Integration 54
  CDP and LLDP are your friend 54
  VoIP and VLAN assignment techniques 54
  What if CDP/LLDP feature is missing 55
Advanced topics 56
  Apple and Android Wireless Provisioning 56
  Billing Engine 57
  Devices Registration 69
  Eduroam 70
  Fingerbank integration 74
  Floating Network Devices 75
  OAuth2 Authentication 77
  Passthrough 79
  Production DHCP access 80
  Proxy Interception 81
  Routed Networks 82
  Statement of Health (SoH) 85
  VLAN Filter Definition 86
  RADIUS Filter Definition 88
  DNS enforcement 90
  Parked devices 90
Optional components 92
  Blocking malicious activities with violations 92
  Compliance Checks 100
  RADIUS Accounting 105
  Oinkmaster 106
  Guests Management 107
  Active Directory Integration 110
  DHCP remote sensor 115
  Switch login access 117
Operating System Best Practices 118
  IPTables 118
  Log Rotations 118
Performance optimization 119
  SNMP Traps Limit 119
  MySQL optimizations 119
  Captive Portal Optimizations 122
  Dashboard Optimizations (statistics collection) 123
Additional Information 125
Commercial Support and Contact Information 126
GNU Free Documentation License 127
A. Administration Tools 128
  pfcmd 128
  pfcmd_vlan 129
Chapter 1
About this Guide
This guide will walk you through the installation and the day to day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
The following documents are included in the package and release tarballs:
- Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration.
- Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
- CREDITS: This is, at least, a partial file of PacketFence contributors.
- NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.
- UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.
- ChangeLog: Covers all changes to the source code.
Chapter 2
Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
Features
Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.
In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.
Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.
Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.
Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
Chapter 3
System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
Depending on your setup you may have to install additional components like:
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architectures:
- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.
Services start-up: PacketFence takes care of handling the operation of the following services:
- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Chapter 4
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
Red Hat-based systems
Note: Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x
Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian: All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL / CentOS: In order to use the PacketFence repository:
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator
Debian: For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Chapter 5
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Chapter 6
Technical introduction to Inline enforcement
Introduction
Before the version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's mac address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of:
- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class upper than B.
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Chapter 7
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication: 802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication: Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
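The eight-step exchange above, modelled as an added example (not PacketFence code): a toy WLAN controller and a toy PacketFence authentication server exchange the device MAC and the RFC 2868 VLAN attributes, and a Change of Authorization after portal registration moves the device from the registration VLAN to its role's VLAN. The VLAN numbers, roles and MAC addresses are constructed.

```python
"""Model of the wireless 802.1X / MAC-authentication flow described above.

Added example, not PacketFence code. The controller sends the device MAC
in a RADIUS Access-Request (step 2); the PacketFence side looks it up
(step 3) and answers with the RFC 2868 tunnel attributes that select the
registration VLAN (step 4) or the VLAN mapped to the node's role (step 8).
Registration on the captive portal (steps 5-6) triggers a Change of
Authorization (step 7) and the controller re-authenticates the MAC.
VLAN numbers, roles and MACs are constructed for the example.
"""

TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for 802 media


def vlan_attributes(vlan_id):
    """RADIUS attributes a switch/controller reads to place a session in a VLAN."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


class PacketFenceAAA:
    """Authentication server role: node database plus role-to-VLAN mapping."""

    def __init__(self, registration_vlan, role_vlans):
        self.registration_vlan = registration_vlan
        self.role_vlans = role_vlans          # constructed role -> VLAN id map
        self.nodes = {}                       # mac -> {"status", "role"}
        self.coa_sent = []                    # MACs for which a CoA was issued

    def access_request(self, mac):
        """Steps 3/4/8: audit the MAC and return the Access-Accept attributes."""
        node = self.nodes.get(mac)
        if node is None or node["status"] != "registered":
            return vlan_attributes(self.registration_vlan)    # unauthenticated role
        return vlan_attributes(self.role_vlans[node["role"]])  # authenticated role

    def register(self, mac, role, controller):
        """Steps 6/7: store the user+device profile, then CoA so the controller re-auths."""
        if role not in self.role_vlans:
            raise ValueError("role %r has no VLAN mapping" % role)
        self.nodes[mac] = {"status": "registered", "role": role}
        self.coa_sent.append(mac)
        controller.change_of_authorization(mac, self)


class WlanController:
    """Authenticator role: tracks which VLAN each associated MAC currently sits in."""

    def __init__(self):
        self.session_vlan = {}

    def associate(self, mac, aaa):
        """Steps 1/2: device associates; its MAC is sent to the RADIUS server."""
        reply = aaa.access_request(mac)
        self.session_vlan[mac] = int(reply["Tunnel-Private-Group-ID"])
        return self.session_vlan[mac]

    def change_of_authorization(self, mac, aaa):
        """Step 7: on CoA, drop the session and run the MAC through RADIUS again."""
        self.session_vlan.pop(mac, None)
        return self.associate(mac, aaa)


def walk_through(mac="de:ad:be:ef:00:01", role="employee"):
    """Run the whole flow once; returns (VLAN before registration, VLAN after)."""
    aaa = PacketFenceAAA(registration_vlan=2, role_vlans={"employee": 10, "guest": 20})
    wlc = WlanController()
    before = wlc.associate(mac, aaa)        # unknown MAC -> registration VLAN
    aaa.register(mac, role, wlc)            # portal login -> CoA -> re-authentication
    after = wlc.session_vlan[mac]
    return before, after


if __name__ == "__main__":
    print(walk_through())   # (2, 10)
```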
Web Auth mode: Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change of VLAN ID but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP: Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.
linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes. And every time, the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.
If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
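The three trap families above, simulated in an added example (not the pfsetvlan daemon): it shows the polling cost after a linkUp trap, its cancellation by a linkDown on the same port, the shortcut that MAC notification traps allow, and the single-trap resolution that port-security traps give. VLAN ids, the node database and the trap records are constructed, and the per-port polling threads are driven by an explicit tick() call.

```python
"""How trap handling differs per SNMP trap family (simulation).

Added example, not PacketFence's pfsetvlan. A toy switch exposes its MAC
table over a fake SNMP GET; the handler (a) puts a port in the MAC
detection VLAN on linkUp and linkDown, (b) after a linkUp keeps polling
the switch until the MAC is learned, unless a linkDown for the same port
cancels that work or MAC notification traps are enabled on the port, and
(c) assigns the final VLAN directly from MAC learnt and port-security
traps, which already carry the MAC. All ids and records are constructed.
"""

MAC_DETECTION_VLAN = 4
REGISTRATION_VLAN = 2
ISOLATION_VLAN = 3
NORMAL_VLAN = 10


class ToySwitch:
    def __init__(self):
        self.port_vlan = {}     # ifIndex -> VLAN currently set by the handler
        self.mac_table = {}     # ifIndex -> MAC once the switch has learned it
        self.snmp_queries = 0   # polling cost, the thing port-security traps avoid

    def snmp_get_mac(self, port):
        self.snmp_queries += 1
        return self.mac_table.get(port)

    def set_port_vlan(self, port, vlan):
        self.port_vlan[port] = vlan


class TrapHandler:
    def __init__(self, switch, nodes, max_polls=5, mac_notification_ports=()):
        self.switch = switch
        self.nodes = nodes                   # mac -> {"registered": bool, "violations": int}
        self.max_polls = max_polls
        self.mac_notification_ports = set(mac_notification_ports)
        self.pending = {}                    # ifIndex -> polls left (one "thread" per port)

    def vlan_for_mac(self, mac):
        """Database status check: existing? registered? any violations?"""
        node = self.nodes.get(mac)
        if node is None or not node["registered"]:
            return REGISTRATION_VLAN
        if node["violations"]:
            return ISOLATION_VLAN
        return NORMAL_VLAN

    def handle(self, trap):
        kind, port = trap["type"], trap["port"]
        if kind == "linkDown":
            self.pending.pop(port, None)     # stop the linkUp thread for this port
            self.switch.set_port_vlan(port, MAC_DETECTION_VLAN)
        elif kind == "linkUp":
            self.switch.set_port_vlan(port, MAC_DETECTION_VLAN)
            if port not in self.mac_notification_ports:
                self.pending[port] = self.max_polls   # poll until the MAC is learned
            # with MAC notification traps the thread is freed; macLearnt finishes the job
        elif kind in ("macLearnt", "portSecurityViolation"):
            self.switch.set_port_vlan(port, self.vlan_for_mac(trap["mac"]))
        else:
            raise ValueError("unknown trap type %r" % kind)

    def tick(self):
        """One polling round for every port with an outstanding linkUp."""
        for port in list(self.pending):
            mac = self.switch.snmp_get_mac(port)
            if mac is not None:
                del self.pending[port]
                self.switch.set_port_vlan(port, self.vlan_for_mac(mac))
            elif self.pending[port] <= 1:
                del self.pending[port]       # give up; the port stays in MAC detection
            else:
                self.pending[port] -= 1


def linkup_scenario(registered=True, violations=0, cancel_with_linkdown=False):
    """Returns (final VLAN of port 1, SNMP queries spent) for a linkUp-driven switch."""
    sw = ToySwitch()
    nodes = {"aa:bb:cc:00:00:01": {"registered": registered, "violations": violations}}
    h = TrapHandler(sw, nodes)
    h.handle({"type": "linkUp", "port": 1})
    if cancel_with_linkdown:
        h.handle({"type": "linkDown", "port": 1})
    h.tick()                                 # the switch has not learned the MAC yet
    sw.mac_table[1] = "aa:bb:cc:00:00:01"    # unanswered DHCP lets the switch learn it
    h.tick()
    return sw.port_vlan[1], sw.snmp_queries


def port_security_scenario(mac, nodes):
    """A port-security trap carries the MAC: one trap settles the port, no polling."""
    sw = ToySwitch()
    h = TrapHandler(sw, nodes)
    h.handle({"type": "portSecurityViolation", "port": 7, "mac": mac})
    return sw.port_vlan[7], sw.snmp_queries
```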
Chapter 8
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a mac address that will be put in inline enforcement rather than VLAN enforcement, and SSID an ssid name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55
This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN or the inlineVlan if defined in switch configuration) and the MAC address 00:11:22:33:44:55 client, if it connects on another SSID.
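An added example (not PacketFence code) that parses a trigger string in the format above and decides, for one connection, whether it falls under inline or VLAN enforcement; the VLAN numbers and the connections it is evaluated against are constructed.

```python
"""Evaluate a "Trigger to enable inline mode" string for one connection.

Added example, not PacketFence code. It parses a trigger list in the
format shown above ("SSID::GuestAccess,MAC::00:11:22:33:44:55") and
decides, for a single RADIUS request described by MAC, SSID and port
ifIndex, whether the device goes under inline enforcement (PacketFence
answers with the inline VLAN, or a void VLAN when none is configured)
or under regular VLAN enforcement. VLAN numbers and the connection
descriptions used below are constructed.
"""

TRIGGER_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac):
    """Canonical MAC: lower-case, colon-separated (accepts '-', '.' or bare hex)."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_triggers(trigger_string):
    """Turn 'TYPE::value,TYPE::value,...' into a list of (type, value) pairs.

    ALWAYS takes no value; PORT values are ifIndex integers; MAC values are
    normalized so that comparisons do not depend on how the admin typed them.
    """
    triggers = []
    for item in trigger_string.split(","):
        item = item.strip()
        if not item:
            continue
        ttype, sep, value = item.partition("::")
        ttype = ttype.upper()
        if ttype not in TRIGGER_TYPES:
            raise ValueError("unknown trigger type in %r" % item)
        if ttype == "ALWAYS":
            if sep:
                raise ValueError("ALWAYS takes no value: %r" % item)
            triggers.append(("ALWAYS", None))
            continue
        if not sep or not value:
            raise ValueError("trigger needs a value: %r" % item)
        if ttype == "MAC":
            value = normalize_mac(value)
        elif ttype == "PORT":
            value = int(value)
        triggers.append((ttype, value))
    return triggers


def inline_triggered(triggers, mac, ssid=None, if_index=None):
    """True when any trigger matches the connection."""
    mac = normalize_mac(mac)
    for ttype, value in triggers:
        if ttype == "ALWAYS":
            return True
        if ttype == "MAC" and value == mac:
            return True
        if ttype == "SSID" and ssid is not None and value == ssid:
            return True
        if ttype == "PORT" and if_index is not None and value == if_index:
            return True
    return False


def radius_vlan_answer(trigger_string, mac, ssid=None, if_index=None,
                       inline_vlan=None, normal_vlan=10):
    """Return ('inline', inline or void VLAN) or ('vlan', normal VLAN)."""
    triggers = parse_triggers(trigger_string)
    if inline_triggered(triggers, mac, ssid, if_index):
        # None stands for the void VLAN returned when no inlineVlan is configured
        return ("inline", inline_vlan)
    return ("vlan", normal_vlan)


# The trigger string from the guide, evaluated against constructed connections.
GUIDE_TRIGGER = "SSID::GuestAccess,MAC::00:11:22:33:44:55"

if __name__ == "__main__":
    for mac, ssid in [("aa:bb:cc:dd:ee:ff", "GuestAccess"),
                      ("00-11-22-33-44-55", "Corp"),
                      ("aa:bb:cc:dd:ee:ff", "Corp")]:
        print(mac, ssid, radius_vlan_answer(GUIDE_TRIGGER, mac, ssid, inline_vlan=100))
```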
Chapter 9
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLAN, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.
5. test
Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLAN or internal roles or ACL on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any users that match in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
ExampleLetrsquossaywehavetworolesguestandemployeeFirstwedefinethemConfigurationrarrUsersrarrRoles
NowwewanttoauthenticateemployeesusingActiveDirectory (overLDAP)andguestsusingPacketFencersquosinternaldatabase-bothusingPacketFencersquoscaptiveportalFromtheConfigurationrarrUsersrarrSourcesweselectAddsourcerarrADWeprovidethefollowinginformation
Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule by clicking on the Add rule button and provide the following information:
Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role: employee
Set unregistration date: January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule:
Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role: machineauth
Set unregistration date: January 1st, 2020
Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.
Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication: This should provide the information about whether or not the username/password combination is valid.
This information is available through the POST fields of the request.
The server should reply with two attributes in a JSON response:
result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}
Authorization: This should provide the actions to apply on a user based on its attributes.
The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.
Sample JSON response; note that not all attributes are necessary, only send back what you need:
{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}
Note
See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.
PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.
Here is a brief description of the fields:
Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.
API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.
Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
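The two actions described above, as an added example that is not the addon shipped with PacketFence: a small HTTP server that answers the authentication and authorization calls with the JSON attributes listed in this section, and enforces the HTTP basic authentication (RFC 2617) the HTTP source can be configured with. The POST field names "username" and "password", the paths /authentication and /authorization, and the user table are assumptions for the example.

```python
"""Minimal external authentication API for a PacketFence HTTP source (added example)."""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs


def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table: salted digests rather than cleartext passwords.
USERS = {
    "alice": {"salt": "s1", "digest": _digest("s1", "correct horse"), "role": "employee"},
    "bob": {"salt": "s2", "digest": _digest("s2", "hunter2"), "role": "guest"},
}
# Authorization attributes per role, using only the attribute names the guide lists.
ROLE_ATTRIBUTES = {
    "employee": {"category": "employee", "access_duration": "1D", "access_level": "ALL"},
    "guest": {"category": "guest", "unregdate": "2030-01-01"},
}
# Credentials entered in the "API username and password" fields of the HTTP source (constructed).
API_USER, API_PASSWORD = "pf", "api-secret"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value a basic-auth client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header: Optional[str]) -> bool:
    """Check an RFC 2617 Basic Authorization header with constant-time compares."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(password, API_PASSWORD)


def authenticate(fields: dict) -> dict:
    """Authentication action: the reply carries 'result' (1/0) and 'message'."""
    user = USERS.get(fields.get("username", ""))
    # Hash even for unknown users so response time does not reveal whether a name exists.
    salt = user["salt"] if user else "dummy"
    expected = user["digest"] if user else _digest("dummy", "")
    ok = hmac.compare_digest(_digest(salt, fields.get("password", "")), expected) and user is not None
    if ok:
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields: dict) -> dict:
    """Authorization action: send back only the attributes PacketFence should apply."""
    user = USERS.get(fields.get("username", ""))
    if user is None:
        return {}
    return dict(ROLE_ATTRIBUTES[user["role"]])


class Handler(BaseHTTPRequestHandler):
    ROUTES = {"/authentication": authenticate, "/authorization": authorize}

    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf"')
            self.end_headers()
            return
        action = self.ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        fields = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        payload = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Host field of the HTTP source would then be http://127.0.0.1:8080
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```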
SAML authentication
PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.
First, transfer the Identity Provider metadata to the PacketFence server. In this example it will be under the path /usr/local/pf/conf/idp-metadata.xml.
Then transfer the certificate and CA certificate of the Identity Provider to the server. In this example they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources, create a new Internal source of the type SAML and configure it.
Where:
Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).
Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp.crt).
Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred to the server above (should be /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document explains how to configure an LDAP source, which can then be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.
Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.
In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:
$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);
Note
PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.
Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, check Passthrough and add the Identity Provider domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify
the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:
Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)
and a switch section for each switch (managed by PacketFence) including:
Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)
Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload
Working modes: There are three different working modes for a switch in PacketFence:
Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:
radiusSecret = secretPassPhrase
Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.
SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite
From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread
Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch.
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH
Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd
It can also be done through the Web Administration Interface under Configuration → Switches.
Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate in controlling what a user can or cannot do compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:
Format: <role_name>Role=<controller_role>
And you assign it to the global roles parameter or the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
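As an added example (not PacketFence code), the lookup the "<role_name>Role=<controller_role>" format implies: a per-switch section is consulted first and the [default] section is the fallback, and roles with no mapping are reported so they can be checked against the device before enforcement is turned on. The switches.conf excerpt, switch IPs and role names below are constructed.

```python
"""Resolve controller roles from a switches.conf-style file (added example)."""
import configparser
from typing import List, Optional

# Constructed excerpt in the switches.conf format; IPs and role names are made up.
SWITCHES_CONF = """
[default]
type = Cisco::Catalyst_2960
mode = production
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.1.10]
description = Lab switch that uses its own name for the sales role
salesRole = lab-restricted
"""


def load_switches_conf(text: str) -> configparser.ConfigParser:
    """Parse the INI-style file, keeping option names case-sensitive (adminRole != adminrole)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def controller_role(conf: configparser.ConfigParser, switch_ip: str, node_role: str) -> Optional[str]:
    """Return the external role to send to switch_ip for a node categorized as node_role.

    Lookup order assumed here: the switch's own section, then [default].
    None means no mapping exists, so only the VLAN would be assigned.
    """
    key = f"{node_role}Role"
    for section in (switch_ip, "default"):
        if conf.has_section(section) and conf.has_option(section, key):
            value = conf.get(section, key).strip()
            if value:
                return value
    return None


def unmapped_roles(conf: configparser.ConfigParser, switch_ip: str, node_roles: List[str]) -> List[str]:
    """Node roles with no controller role on this switch: verify these on the device first."""
    return [r for r in node_roles if controller_role(conf, switch_ip, r) is None]


if __name__ == "__main__":
    conf = load_switches_conf(SWITCHES_CONF)
    for ip in ("192.168.1.10", "192.168.1.20"):
        for role in ("admin", "sales", "guest"):
            print(ip, role, "->", controller_role(conf, ip, role))
    print("unmapped on 192.168.1.10:", unmapped_roles(conf, "192.168.1.10", ["admin", "guest"]))
```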
Portal Profiles
PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:
Redirect URL under Configuration → Portal Profile → Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.
IP under Configuration → Captive portal
This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.
In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.
When configured, a portal profile will override the default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).
Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:
[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use
Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.
Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:
SSID: Guest-SSID
VLAN: 100
Switch Port: <SwitchId>-<Port>
Network: Network in CIDR format or an IP address
Caution
Node role will take effect only with an 802.1X connection or if you use VLAN filters.
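An added example (not PacketFence code) of how the four common filters above select a profile for a connecting client: SSID and VLAN are compared literally, Switch Port is split on the <SwitchId>-<Port> form, and Network accepts either a CIDR block or a single IP. It assumes profiles are evaluated in their configured order with the first match winning and the default profile as fallback; the profiles and client contexts are constructed.

```python
"""Select the portal profile whose filter matches a client (added example)."""
import ipaddress
from typing import Dict, List

# Constructed profiles, each with one filter in the "Type:value" form shown above.
PROFILES: List[Dict[str, str]] = [
    {"id": "guest", "filter": "SSID:Guest-SSID", "sources": "sms,email"},
    {"id": "voip", "filter": "VLAN:100", "sources": "null"},
    {"id": "lab", "filter": "SwitchPort:192.168.1.10-Gi1/0/3", "sources": "ad1"},
    {"id": "dorms", "filter": "Network:10.20.0.0/16", "sources": "ldap1"},
    {"id": "printer", "filter": "Network:10.30.0.7", "sources": "null"},
]


def filter_matches(filter_spec: str, ctx: Dict[str, str]) -> bool:
    """Return True if one 'Type:value' filter matches the client context.

    ctx keys used: ssid, vlan, switch, port, ip (all optional strings).
    """
    ftype, _, value = filter_spec.partition(":")
    if ftype == "SSID":
        return ctx.get("ssid") == value
    if ftype == "VLAN":
        return ctx.get("vlan") == value
    if ftype == "SwitchPort":
        # <SwitchId>-<Port>: split on the first dash so port names like Gi1/0/3 stay intact.
        switch_id, _, port = value.partition("-")
        return ctx.get("switch") == switch_id and ctx.get("port") == port
    if ftype == "Network":
        ip = ctx.get("ip")
        if not ip:
            return False
        try:
            # A bare IP address becomes a /32 (or /128) network, so it matches only itself.
            return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False  # malformed client IP or filter value: no match
    return False  # unknown filter type never matches


def select_profile(profiles: List[Dict[str, str]], ctx: Dict[str, str], default_id: str = "default") -> str:
    """Return the id of the first profile whose filter matches, else the default profile."""
    for profile in profiles:
        if not profile.get("filter"):
            continue  # filter is mandatory; a profile without one cannot be applied
        if filter_matches(profile["filter"], ctx):
            return profile["id"]
    return default_id


if __name__ == "__main__":
    for ctx in ({"ssid": "Guest-SSID"}, {"ip": "10.20.5.9"}, {"ip": "192.0.2.1"}):
        print(ctx, "->", select_profile(PROFILES, ctx))
```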
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.
In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.
httpd.admin is used to manage the PacketFence admin interface.
httpd.portal is used to manage the PacketFence captive portal interface.
httpd.webservices is used to manage the PacketFence web services interface.
httpd.aaa is used to manage incoming RADIUS requests.
These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.
Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)
Caution
If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.
In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Now execute sysctl -p to apply the configuration.
Next, go in the Administration interface under Configuration → Domains.
Note
If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.
Click Add Domain and fill in the information about your domain.
Where:
Identifier is a unique identifier for your domain. Its purpose is only visual.
Workgroup is the workgroup of your domain in the old syntax (like NT4).
DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.
This server's name is the name that the server's account will have in your Active Directory.
DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
Username is the username that will be used for binding to the server. This account must be a domain administrator.
Password is the password for the username defined above.
Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.
You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u
You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator
Note
Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.
Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.
Next, restart PacketFence in Status → Services.
Multiple domains authentication: First, configure your domains in Configuration → Domains.
Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example it will be DOMAIN.NET and DOMAIN.
Where:
Realm is either the DNS name (FQDN) of your domain or the workgroup.
Realm options are any realm options that you want to add to the FreeRADIUS configuration.
Domain is the domain which is associated to this realm.
Now create the two other realms associated to your other domains.
You should now have the following realm configuration.
Option 1b: Authentication against Active Directory (AD) in a cluster
Samba / Kerberos / Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:
yum install samba krb5-workstation
For Debian and Ubuntu, do:
apt-get install samba winbind krb5-user
Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).
When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
For Debian and Ubuntu:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0
For Debian and Ubuntu:
[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0
Issue a kinit and klist in order to get and verify the Kerberos token:
kinit administrator
klist
After that, you need to start samba and join the machine to the domain:
service smb start
chkconfig --level 345 smb on
net ads join -U administrator
Note that for Debian and Ubuntu, you will probably have this error:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials
For CentOS/RHEL:
usermod -a -G wbpriv pf
Finally, start winbind and test the setup using ntlm_auth and radtest:
service winbind start
chkconfig --level 345 winbind on
For Debian and Ubuntu:
usermod -a -G winbindd_priv pf
ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
 User-Name = "myDomainUser"
 NAS-IP-Address = 10.0.0.1
 NAS-Port = 12
 Message-Authenticator = 0x00000000000000000000000000000000
 MS-CHAP-Challenge = 0x79d62c9da4e55104
 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option 2: Local Authentication. Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:
username Cleartext-Password := "password"
Option 3: EAP authentication against OpenLDAP. To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
ldap openldap {
    server = "ldap.acme.com"
    identity = "uid=admin,dc=acme,dc=com"
    password = "password"
    basedn = "dc=district,dc=acme,dc=com"
    filter = "(uid=%{mschap:User-Name})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}
Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:
authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    openldap
}
Option 4: EAP Guest Authentication on email, sponsor and SMS registration. This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.
First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.
At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note
This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.
In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.
This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:
packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound) {
                # Don't check activation table with phone number and PIN code
                # pfsms   <--- This line was commented out
                if (fail || notfound) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}
Note
For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.
Option 5: EAP Local user Authentication. The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.
In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.
# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
    # Disable ntlm_auth
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
}
Caution
You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.
Tests: Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
 User-Name = "dd9999"
 User-Password = "Abcd1234"
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Portal Modules
The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note
When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offer the same behavior as previous versions of PacketFence. Meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.
First, a brief description of the available Portal Modules:
Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
Choice: This allows giving the user a choice between multiple modules. The default_registration_policy is a good example of a choice that is offered to the user.
Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.
Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.
Authentication: The authentication modules can be of many types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
Billing: Allows defining a module based on one or more billing sources.
Choice: Allows defining a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.
Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
Other modules: The other modules are all based on the source type they are assigned to; they allow selecting the source, the AUP acceptance and mandatory fields if applicable.
Examples: This section will contain the following examples:
Prompting for fields without authentication
Prompting additional fields during the authentication
Chained authentication
Mixing login and Secure SSID on-boarding on the portal
Displaying a message to the user after the registration
Creating a custom root module: First, create a custom root module for our examples in order not to affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.
Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.
You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.
Prompting for fields without authentication: In order to prompt for fields without authentication, you can use the Null source with the Null Portal Module.
PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.
Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the
module. Then submitting this information will assign you the role and access duration that you defined in the Null source.
Prompting additional fields during the authentication
If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.
You can also add additional mandatory fields to the default policies that are already configured.
This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.
Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.
Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.
Note
Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).
Chained authentication
The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules in the desired sequence.
This example will allow you to configure a Chained module that will require the user to log in via any configured OAuth source (GitHub, Google+…) and then validate his phone number using SMS registration.
For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.
Then we will create a module that will contain the definition of our SMS registration.
Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.
Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.
Mixing login and Secure SSID on-boarding on the portal: This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.
First, we need to configure the provisioners for the Secure SSID onboarding. Refer to the section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.
Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.
Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.
Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.
Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.
Displaying a message to the user after the registration
Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.
Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.
Then put the following in the Message field:

    Hello World <a href="https://www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)
The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.
All the sources that are defined in the Sources field will be available for usage by the user. The same goes for the modules defined in Modules.
You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.
In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).
Note: You can find all the authentication objects in lib/pf/Authentication/Source.
- Sources by class: Allows you to specify the perl class name of the sources you want available.
  ex: pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, ...).
- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Debugging
Log files
Here are the most important PacketFence log files:
- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache – Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache – Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache – Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache – Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache – Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache – Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache – AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache – AAA Error Log
There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.
RADIUS Debugging
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.
For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.
In order to have an output from raddebug, you need to either:
a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)
Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.
Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
More on VoIP Integration
VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.
CDP and LLDP are your friend
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.
On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.
VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.
Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.
Note
Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.
MAC Authentication and 802.1X
Cisco hardware
On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.
Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.
Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.
What if the CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.
Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.
Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,android.clients.google.com,gvt1.com

Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking configure will create the secure SSID profile. It is that simple.
Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.
PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.
In order to activate the billing, you will need to configure the following components:
- Billing source(s)
- Billing tier(s)
Configuring a billing source
First, select a billing provider and follow the instructions below.
Paypal
Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.
If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account
To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.
Then, in the Sandbox menu, click Accounts.
Create an account that has the type Personal and one that has the type Business.
Afterwards, go back into accounts and expand the business account, then click Profile.
Now click the Change password link, change the password and note it.
Do the same thing with the personal account you created.
Configuring the merchant account
Log in to the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.
Next, go in My Account → Profile in order to go into your profile configuration.
Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.
You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.
You should also take note of the Identity Token as it will be required in the PacketFence configuration.
Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.
Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).
Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.
Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution
The certificate will NOT be the same if you use a sandbox account or a real account.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:
- Identity token is the one you noted when on the Website Payment Preferences page
- Cert ID is the one you noted when on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Stripe
Stripe account
First, go on https://dashboard.stripe.com, create an account and log in.
Next, on the top right, click Your account, then Account settings.
Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:
- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret
Authorize.net
Creating an account
First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.
After you have created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.
Then log in to your new account.
Then, under Account, click Settings.
On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between authorize.net and PacketFence.
PacketFence configuration
Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:
- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Mirapay
To be contributed.
Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.
In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.
Where:
- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.
Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.
Billing tier
When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.
You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration
Then, in your Stripe dashboard, you should go in Subscriptions → Plans.
Then create a new plan.
Where:
- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.
Now, following the same procedure, create the advanced plan.
Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.
Updates are sent using HTTP requests on a public IP.
You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.
In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.
Where:
- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode
Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration → Registration section.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
(eduroam, https://www.eduroam.org)
PacketFence supports integration with eduroam and allows participating institutions to both authenticate locally visiting users from other institutions as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:
    client tlrs1.eduroam.us {
            secret = useStrongerSecret
            shortname = tlrs1
    }
    client tlrs2.eduroam.us {
            secret = useStrongerSecret
            shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied):
proxy.conf example:

    home_server tlrs1.eduroam.us {
            type = auth
            ipaddr = 257.128.1.1
            port = 1812
            secret = useStrongerSecret
            require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together:
proxy.conf example:

    home_server_pool eduroam {
            type = fail-over
            home_server = tlrs1.eduroam.us
            home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain either with a domain\ prefix or an @suffix in the username.
If none is found, the REALM is NULL.
If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context: eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
            auth_pool = eduroam
            nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
    authorize {
            # pay attention to the order of the modules. It matters.
            ntdomain
            suffix
            preprocess

            # uncomment this section if you want to block eduroam users from your other SSIDs.
            # The attribute name ( Called-Station-Id ) may differ based on your controller.
            #if ( Called-Station-Id !~ /eduroam$/i ) {
            #        update control {
            #                Proxy-To-Realm := local
            #        }
            #}

            eap {
                    ok = return
            }
            files
            expiration
            logintime
            packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
            exec
            # we skip packetfence when the request is coming from the eduroam servers
            if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
                    packetfence
            }
            Post-Auth-Type REJECT {
                    attr_filter.access_reject
            }
    }

Finally, make sure that the realm module is configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
    # 'username@realm'
    realm suffix {
            format = suffix
            delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
            format = prefix
            delimiter = "\\"
            ignore_null = yes
    }

Fingerbank integration
Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.
The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.
Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.
Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.
Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
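A worked model of the realm selection described above, added here as illustration and not PacketFence or FreeRADIUS code: select_realm emulates the ntdomain and suffix modules in the order the authorize section lists them, the NULL/EXAMPLE/example.edu/DEFAULT realms from the proxy.conf fragment (including nostrip on DEFAULT), the optional Called-Station-Id rule, and the post-auth rule that skips the packetfence module for requests from the tlrs1/tlrs2 clients. Case-insensitive matching of realm names is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Realms from the proxy.conf fragment above: these three have no pool and
# authenticate locally; anything else falls into DEFAULT, which is proxied.
LOCAL_REALMS = ("NULL", "EXAMPLE", "example.edu")
DEFAULT_POOL = "eduroam"
# Shortnames of the eduroam servers from clients.conf.
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}


@dataclass
class Decision:
    realm: str              # realm chosen by ntdomain/suffix and proxy.conf
    user_name: str          # identity the authenticating side will see
    proxied: bool           # True when the request goes to the eduroam pool
    pool: Optional[str]     # home_server_pool used, None when handled locally
    run_packetfence: bool   # does post-auth still call the packetfence module?


def find_domain(user_name: str) -> Tuple[Optional[str], str]:
    """Emulate the module order in authorize: ntdomain first (format =
    prefix, delimiter "\\", ignore_null = yes), then suffix (delimiter "@").
    Returns (domain or None, user name with the domain stripped)."""
    if "\\" in user_name:                      # DOMAIN\user
        domain, _, stripped = user_name.partition("\\")
        return domain, stripped
    if "@" in user_name:                       # user@domain
        stripped, _, domain = user_name.rpartition("@")
        return domain, stripped
    return None, user_name                     # no delimiter: Realm = NULL


def select_realm(user_name: str, called_station_id: str = "",
                 client_shortname: str = "",
                 block_non_eduroam_ssid: bool = False) -> Decision:
    domain, stripped = find_domain(user_name)
    if domain is None:
        realm = "NULL"
    else:
        # Assumption: realm names are compared case-insensitively.
        hits = [r for r in LOCAL_REALMS if r.lower() == domain.lower()]
        realm = hits[0] if hits else "DEFAULT"

    if realm == "DEFAULT":
        # Optional authorize rule: when the Called-Station-Id does not end in
        # "eduroam", force Proxy-To-Realm := local so the request is not
        # proxied (and fails here, since no local realm knows this user).
        if block_non_eduroam_ssid and not re.search(
                r"eduroam$", called_station_id, re.IGNORECASE):
            realm, proxied, pool = "local", False, None
        else:
            proxied, pool = True, DEFAULT_POOL
        forwarded = user_name      # nostrip: the full identity is forwarded
    else:
        proxied, pool = False, None
        forwarded = stripped       # local realms strip the domain part

    # post-auth in packetfence-tunnel: skip the packetfence module when the
    # request arrived from one of the eduroam servers themselves.
    run_pf = client_shortname not in EDUROAM_CLIENTS
    return Decision(realm, forwarded, proxied, pool, run_pf)
```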
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.
Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.
Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.
Settings
Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There is documentation for each and every parameter to allow easier understanding.
Floating Network Devices
Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.
Caution
Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.
How it works
Configuration
- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps
When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps
Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices
Here are the settings that are available:
- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the Vlans that have to be tagged on the port.
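The trap-driven port changes just described, as an added illustration that is not PacketFence code: it parses a constructed floating_network_device.conf fragment (one section per floating device MAC carrying the settings listed above, an assumed layout with made-up values) and replays a port-security trap followed by a linkdown trap, saving the port state on the way in so the linkdown handler can put the port back exactly as it was.

```python
import configparser
from copy import deepcopy

# Constructed sample of conf/floating_network_device.conf (addresses and
# VLAN numbers are made up); one section per floating device MAC is assumed.
FLOATING_CONF = """
[00:11:22:33:44:55]
ip=10.0.0.50
trunkPort=yes
pvid=100
taggedVlan=200,300

[66:77:88:99:aa:bb]
trunkPort=no
pvid=100
"""


def load_floating_devices(text):
    """Parse the settings listed above into {mac: {trunk, pvid, tagged}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    devices = {}
    for mac in cp.sections():
        sect = cp[mac]
        raw = sect.get("taggedVlan", "")
        devices[mac.lower()] = {
            "trunk": sect.get("trunkPort", "no").lower() == "yes",
            "pvid": int(sect["pvid"]),
            "tagged": [int(v) for v in raw.split(",") if v.strip()],
        }
    return devices


def new_port(vlan):
    """A regular port: port-security on, no linkdown traps, access VLAN."""
    return {"port_security": True, "linkdown_traps": False,
            "trunk": False, "pvid": vlan, "tagged": [], "saved": None}


def on_port_security_trap(port, mac, devices):
    """Port-security trap seen on `port` for `mac`. For a floating device,
    apply the four changes listed above and remember the previous state.
    Returns True when the port was reconfigured."""
    dev = devices.get(mac.lower())
    if dev is None or port["saved"] is not None:
        return False  # regular device, or a floating device is already active
    port["saved"] = deepcopy({k: v for k, v in port.items() if k != "saved"})
    port["port_security"] = False        # 1. disable port-security
    port["pvid"] = dev["pvid"]           # 2. set the PVID
    if dev["trunk"]:                     # 3. multi-vlan port when requested
        port["trunk"] = True
        port["tagged"] = list(dev["tagged"])
    port["linkdown_traps"] = True        # 4. enable linkdown traps
    return True


def on_linkdown_trap(port):
    """Linkdown trap on a port that held a floating device: put the port
    back as it was (port-security on again, linkdown traps off again)."""
    if port["saved"] is None:
        return False  # no floating device was plugged here; nothing to do
    port.update(port["saved"])
    port["saved"] = None
    return True
```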
OAuth2 Authentication
Note: OAuth2 authentication does not work with WebAuth enforcement.
The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.
In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).
Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration; modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada: *.google.ca, France: *.google.fr, etc.).
Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration; modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.
There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.
DNS passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.
mod_proxy passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.
IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.
By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):
[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1
Restart PacketFence and you should be good to go.
Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.
On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.
On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:
# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes
Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:
[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4
Repeat the above for all your production VLANs, then restart PacketFence.
Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
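All three techniques above end in the same step: pfdhcplistener records which IP address the production DHCP server handed to which MAC. The following is an added Python example of that step, not PacketFence's own code. It parses a DHCP message taken from the copied traffic and updates a MAC-to-IP table only on a DHCPACK, since DISCOVER, OFFER and REQUEST carry candidate addresses rather than confirmed leases. The packets it is fed are constructed inline; the transaction id and the server identifier 10.0.101.1 in them are constructed values.

```python
# Added example (not PacketFence code): the core of what a pfdhcplistener-style
# daemon does with the copy of production DHCP traffic it receives: parse each
# DHCP message and remember which IP the server handed to which MAC.
import struct
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # option field magic cookie (RFC 2132)
BOOTREPLY = 2
DHCPACK = 5


def parse_dhcp(payload: bytes) -> Optional[Dict[str, object]]:
    """Parse a BOOTP/DHCP message (UDP payload only). Returns None if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    if hlen > 16:
        return None
    yiaddr = ".".join(str(b) for b in payload[16:20])          # "your" IP address
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])  # client hardware address
    msg_type = None
    opts, i = payload[240:], 0
    while i < len(opts):
        code = opts[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        if i + 1 >= len(opts):
            break              # truncated option
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53 and length == 1:   # DHCP message type
            msg_type = value[0]
        i += 2 + length
    return {"op": op, "mac": mac, "yiaddr": yiaddr, "msg_type": msg_type}


def record_lease(payload: bytes, table: Dict[str, str]) -> bool:
    """Update the MAC -> IP table only on a server DHCPACK, i.e. a confirmed lease."""
    info = parse_dhcp(payload)
    if info and info["op"] == BOOTREPLY and info["msg_type"] == DHCPACK:
        table[info["mac"]] = info["yiaddr"]
        return True
    return False


def build_sample(mac: bytes, ip: str, op: int, msg_type: int) -> bytes:
    """Constructed sample DHCP message for offline testing (not a capture)."""
    hdr = struct.pack("!BBBB", op, 1, 6, 0)              # op, htype=ethernet, hlen, hops
    hdr += struct.pack("!IHH", 0x3903F326, 0, 0)          # xid (constructed), secs, flags
    hdr += bytes(4)                                       # ciaddr
    hdr += bytes(int(o) for o in ip.split("."))           # yiaddr
    hdr += bytes(8)                                       # siaddr, giaddr
    hdr += mac + bytes(16 - len(mac))                     # chaddr padded to 16 bytes
    hdr += bytes(192)                                     # sname (64) + file (128)
    # options: message type, server identifier 10.0.101.1 (constructed), end
    opts = DHCP_MAGIC + bytes([53, 1, msg_type]) + bytes([54, 4, 10, 0, 101, 1]) + b"\xff"
    return hdr + opts


if __name__ == "__main__":
    leases: Dict[str, str] = {}
    client = bytes.fromhex("001122aabbcc")
    record_lease(build_sample(client, "0.0.0.0", 1, 1), leases)      # DISCOVER: ignored
    record_lease(build_sample(client, "10.0.101.77", 2, 5), leases)  # ACK: recorded
    print(leases)
```

A real listener would obtain the payload from a raw or pcap socket on the dhcp-listener interface; everything after that point is the logic shown here.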
Proxy Interception
PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.
Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks
If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy-to-use configuration interface.
For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.
If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.
Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).
conf/networks.conf will look like this:
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.
For example, for the VLAN 20 remote registration network:
ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in
If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
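Before restarting dhcpd with a networks.conf like the one above, it is worth checking the entries mechanically. The following added Python example, which is not part of PacketFence, parses such a file and reports the mistakes that most often break routed registration or isolation networks: a gateway or DHCP pool outside the subnet, a pool that swallows the gateway, a default lease longer than the maximum, and a routed network with no next_hop. The sample file is constructed from the local and routed registration entries above; treating a network whose dns address (the PacketFence internal interface) lies outside its own subnet as routed, and therefore requiring a next_hop, is a heuristic taken from those entries, not a PacketFence rule.

```python
# Added example (not PacketFence code): a pre-flight check for conf/networks.conf
# entries of the kind shown above, to run before restarting dhcpd.
import configparser
import ipaddress
from typing import List

# Constructed sample mirroring the local and routed registration networks above.
SAMPLE_NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
"""


def validate_networks(text: str) -> List[str]:
    """Return the problems found; an empty list means the file looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    for name in cp.sections():
        s = cp[name]
        try:
            net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=True)
        except ValueError as exc:
            problems.append(f"{name}: bad network/netmask ({exc})")
            continue
        gw = ipaddress.ip_address(s["gateway"])
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is not inside {net}")
        start = ipaddress.ip_address(s["dhcp_start"])
        end = ipaddress.ip_address(s["dhcp_end"])
        if start not in net or end not in net or start >= end:
            problems.append(f"{name}: DHCP pool {start}-{end} is not a valid range inside {net}")
        elif start <= gw <= end:
            problems.append(f"{name}: gateway {gw} lies inside the DHCP pool")
        if int(s["dhcp_default_lease_time"]) > int(s["dhcp_max_lease_time"]):
            problems.append(f"{name}: default lease time exceeds max lease time")
        # Heuristic (assumption): a dns server outside the subnet means the network is
        # routed to PacketFence, so the router towards it must be given as next_hop.
        dns = ipaddress.ip_address(s["dns"])
        if dns not in net and not s.get("next_hop", "").strip():
            problems.append(f"{name}: dns {dns} is remote (routed network) but next_hop is empty")
    return problems


if __name__ == "__main__":
    for line in validate_networks(SAMPLE_NETWORKS_CONF) or ["networks.conf: OK"]:
        print(line)
```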
Statement of Health (SoH)
The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (anti-virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.
Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:
soh = yes
soh-virtual-server = soh-server
Restart the RADIUS service afterward.
On the client side, to enable SoH for EAP, do the following (Windows 7 example):
sc config napagent start= auto
sc start napagent
Wired 802.1X:
sc config dot3svc start= auto depend= napagent
sc start dot3svc
netsh nap client show config
Get the ID value for the EAP Quarantine Enforcement Client from that output, then:
netsh nap client set enforce id=$ID admin=enable
The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.
Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.
Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.
First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:
[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y
Note
You may also want to set other attributes, such as auto_enable, grace, etc.
When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.
Next, click on Add a condition and select Anti-virus is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.
The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition
We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.
These rules are available in different scopes:
- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg
And can be defined using different criteria, like:
- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)
For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE, and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
The second example will create a violation if the SSID is OPEN and the owner is igmout:
[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN
[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL
The third example will auto-register the device and assign the role staff to each device where the username is igmout:
[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff
You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition
We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.
These rules are only available in one scope:
- returnRadiusAccessAccept
And can be defined using different criteria, like:
- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan
For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):
[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept
In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):
[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id
You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
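Both the VLAN filter and the RADIUS filter examples above use the same rule syntax: condition sections with filter/operator/value, and rule sections named <number>:<condition>&<condition> (with ! for negation) that carry a scope and the parameters to apply. The added Python example below is not PacketFence's own implementation; it evaluates such rules against a request so that the examples of both sections can be tested offline. It supports the is, match and defined operators, the wd {...} hr {...} time period form, and $attribute substitution in answers. The sample configuration is constructed from the examples above; the request attributes (node_info.category, ssid, connection_type, violation, user_role, switch._portalURL, session_id) are assumed to be supplied by the caller, and treating hr {11am-2pm} as including the whole 2pm hour is an assumption of this model.

```python
# Added example (not PacketFence code): an evaluator for the rule syntax shared by
# vlan_filters.conf and radius_filters.conf above. Condition sections carry
# filter/operator/value; rule sections are named "<n>:<cond>&<cond>&!<cond>" and
# carry a scope plus parameters. Assumptions: hr {11am-2pm} includes both end hours,
# and $name in an answer is replaced from the request attributes given to evaluate().
import configparser
import re
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# Constructed sample: the first VLAN filter example plus the RADIUS filter example.
SAMPLE_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[2:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id
"""


def _hour(token):
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12, '14' -> 14."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)?", token.strip().lower())
    h, ampm = int(m.group(1)), m.group(2)
    if ampm == "am" and h == 12:
        return 0
    return h + 12 if ampm == "pm" and h != 12 else h


def in_period(spec, when):
    """Evaluate a 'wd {Mon ...} hr {11am-2pm}' period against a datetime."""
    for scale, body in re.findall(r"(\w+)\s*\{([^}]*)\}", spec):
        if scale == "wd" and DAYS[when.weekday()] not in {d.lower()[:3] for d in body.split()}:
            return False
        if scale == "hr":
            ranges = [r.partition("-") for r in body.split()]
            if not any(_hour(lo) <= when.hour <= _hour(hi or lo) for lo, _, hi in ranges):
                return False
    return True


def _matches(cond, req, when):
    if cond["filter"] == "time":
        return in_period(cond["value"], when)
    actual, op = req.get(cond["filter"]), cond["operator"]
    if op == "defined":
        return actual is not None
    if actual is None:
        return False
    if op == "is":
        return str(actual) == cond["value"]
    if op == "match":
        return re.search(cond["value"], str(actual)) is not None
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(text, scope, req, when):
    """Return (rule number, parameters) for each rule of `scope` whose conditions all
    hold. `when` is a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conds = {n: dict(cp[n]) for n in cp.sections() if "filter" in cp[n]}
    hits = []
    for name in cp.sections():
        if ":" not in name or cp[name].get("scope") != scope:
            continue
        num, expr = name.split(":", 1)
        terms = [t.strip() for t in expr.split("&")]
        # a leading "!" negates the condition, as in [2:etherneteap&!violation]
        if all(_matches(conds[t.lstrip("!")], req, when) != t.startswith("!") for t in terms):
            hits.append((num, dict(cp[name])))
    return hits


def substitute(template, req):
    """Replace $attr placeholders (e.g. $user_role, $switch._portalURL) from the request."""
    return re.sub(r"\$([A-Za-z_][\w.]*)", lambda m: str(req.get(m.group(1), m.group(0))), template)
```

Calling evaluate(SAMPLE_FILTERS, "RegisteredRole", {"node_info.category": "default", "ssid": "SECURE"}, "2016-06-01T12:30:00") returns rule 1 with role nointernet, because 1 June 2016 is a Wednesday at 12:30; the same request on a Saturday, or at 15:00, matches nothing. For the RADIUS scope, substitute() applied to answer1 of the matching rule yields the Cisco-AVPair string with the role, portal URL and session id filled in, and adding a violation attribute to the request suppresses the match.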
DNS enforcement
DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.
The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, …).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.
This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.
The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.
In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.
After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.
Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.
Once this is done, you need to restart the dhcpd and pfdns services.
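The decision pfdns makes for each query, as described in this section and in the Passthrough section earlier (real address plus a firewall hole for DNS passthroughs, the portal address for proxy passthroughs, DNS passthroughs taking priority when a name is in both lists, external resolution for registered devices, the portal for everything else), as an added Python example that is not PacketFence code. It models the logic only: resolution comes from a constructed table so it runs offline, and the firewall hole is returned as data rather than applied. The portal IP, the upstream addresses and the domain lists are constructed values, and the choice that a wildcard such as *.google.com also matches the bare apex name is an assumption of this model.

```python
# Added example (not PacketFence code): the per-query decision of a pfdns-style
# resolver under DNS enforcement with passthroughs configured.
from typing import Dict, List, Optional

PORTAL_IP = "192.168.2.1"   # constructed: registration interface / captive portal

# Constructed stand-in for external resolution (TEST-NET addresses).
UPSTREAM: Dict[str, str] = {
    "www.google.com": "203.0.113.10",
    "cdn.google.com": "203.0.113.11",
    "login.example.org": "203.0.113.20",
    "news.example.net": "203.0.113.30",
}


def _matches(name: str, pattern: str) -> bool:
    """Wildcard pattern '*.x' matches x and any subdomain of x (assumption); else exact."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def matches_any(name: str, patterns: List[str]) -> bool:
    return any(_matches(name, p) for p in patterns)


def decide(qname: str, registered: bool, passthroughs: List[str],
           proxy_passthroughs: List[str]) -> Dict[str, Optional[str]]:
    """Return what pfdns should answer and whether a firewall hole is needed."""
    name = qname.lower().rstrip(".")
    real_ip = UPSTREAM.get(name)
    if registered:
        # Registered device: resolve externally, no portal involvement.
        return {"answer": real_ip, "mode": "external", "firewall_hole": None}
    if matches_any(name, passthroughs):
        # DNS passthrough (checked first: higher priority): real address plus an
        # iptables hole towards that address.
        return {"answer": real_ip, "mode": "dns-passthrough", "firewall_hole": real_ip}
    if matches_any(name, proxy_passthroughs):
        # Proxy passthrough: point at the portal; mod_proxy forwards the HTTP request.
        return {"answer": PORTAL_IP, "mode": "proxy-passthrough", "firewall_hole": None}
    # Everything else for an unregistered device lands on the captive portal.
    return {"answer": PORTAL_IP, "mode": "captive-portal", "firewall_hole": None}


if __name__ == "__main__":
    for q in ("www.google.com", "login.example.org", "news.example.net"):
        print(q, decide(q, False, ["*.google.com"], ["*.example.org"]))
```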
Parked devices
In the event that you are managing a large registration network with devices that stay there (e.g. students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.
Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.
The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).
So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.
In that same section, you can define the lease length of the user when he is in the parked state.
Note
Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.
Violation 1300003
This violation controls what happens when a user is detected doing parking.
Here are the main settings:
- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Optional components
Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.
In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.
Snort
Installation
The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:
yum install snort
Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.
Suricata
Installation
Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.
The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
Configuration
Depending on whether or not Suricata is running on the PacketFence server, configuration is different.
When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.
In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.
OPSWAT Metadefender Cloud
It is possible to trigger violations based on the threat level of downloaded files, using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.
First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com
The other requirement is a working Suricata installation, built with libnss/libnspr support as described in the Installation section above.
Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.
Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.
On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:
# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };
A restart of the syslog-ng daemon is required:
service syslog-ng restart
On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:
if $programname == 'suricata_files' then |/usr/local/pf/var/suricata_files
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/suricata_files
Restart the rsyslog daemon:
service rsyslog restart
At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.
A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.
Configuration of a new syslog parser should use the following:
- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files
Configuration of a new violation can use the following trigger types:
- Type: metascan; Trigger ID: the scan result returned by Metadefender Cloud online
- Type: suricata_md5; Trigger ID: the MD5 hash returned by Suricata
Security Onion
Installation and Configuration
Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
PacketFence integration
Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.
The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):
On the Security Onion server:
Note
Must be done on the master server running sguild.
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:
# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };
A restart of the syslog-ng daemon is then required:
service syslog-ng restart
On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:
if $programname == 'securityonion_ids' then |/usr/local/pf/var/securityonion_ids
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/securityonion_ids
Restart the rsyslog daemon:
service rsyslog restart
At this point, Security Onion should be able to send detected alert log entries to PacketFence.
A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.
Configuration of a new syslog parser should use the following:
- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids
Configuration of a new violation can use the following trigger types:
- Type: detect; Trigger ID: the IDS triggered rule ID
- Type: suricata_event; Trigger ID: the rule class of the triggered IDS alert
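The relay set up above for Suricata and for Security Onion is one and the same pipeline: syslog-ng ships log lines over UDP 514, and rsyslog selects them by program name and writes them to the FIFO of the matching parser. The added Python example below, which is not PacketFence code, models that selection and the parsing PacketFence then has to do on each line, so the chain can be checked offline before the FIFOs and parsers are configured. The four datagrams are constructed samples: the Suricata JSON field names (md5, filename, http_host) follow its files-json output but are an assumption here, and the sguild line is a placeholder, not the real sguild format.

```python
# Added example (not PacketFence code): what the rsyslog rules above do, modelled
# in Python: parse RFC 3164 datagrams as sent by syslog-ng to UDP/514, route them
# by program name to the alert pipe of the matching parser, and for suricata_files
# extract the MD5 from the JSON payload.
import json
import re
from typing import Dict, List, Optional

# FIFO paths from the rsyslog snippets above, keyed by the syslog-ng program_override.
ROUTES = {
    "suricata_files": "/usr/local/pf/var/suricata_files",
    "securityonion_ids": "/usr/local/pf/var/securityonion_ids",
}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\s\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

# Constructed sample datagrams (field names of the Suricata payload are an assumption).
SAMPLE_DATAGRAMS = [
    '<13>Jun  1 12:00:00 sensor01 suricata_files: {"timestamp":"2016-06-01T12:00:00.000000+0000",'
    '"srcip":"203.0.113.10","dstip":"10.0.101.77","http_host":"files.example.net",'
    '"http_uri":"/downloads/tool.exe","filename":"tool.exe","state":"CLOSED",'
    '"md5":"d41d8cd98f00b204e9800998ecf8427e","stored":false,"size":0}',
    "<13>Jun  1 12:00:01 so-master securityonion_ids: Alert Received: (constructed sguild line)",
    "<13>Jun  1 12:00:02 so-master securityonion_ids: Sensor agent heartbeat (no alert)",
    "<38>Jun  1 12:00:03 sensor01 sshd[2211]: Accepted publickey for admin from 10.0.0.5",
]


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Split an RFC 3164 line into PRI, host, program name (without pid) and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group("host"),
            "programname": m.group("prog"), "msg": m.group("msg")}


def suricata_file_record(msg: str) -> Optional[Dict[str, str]]:
    """Extract what the suricata_md5 trigger needs; reject payloads without a valid MD5."""
    try:
        data = json.loads(msg)
    except ValueError:
        return None
    md5 = str(data.get("md5", "")).lower()
    if not re.fullmatch(r"[0-9a-f]{32}", md5):
        return None
    return {"md5": md5, "filename": data.get("filename", ""),
            "http_host": data.get("http_host", ""), "dstip": data.get("dstip", "")}


def route(lines: List[str]) -> Dict[str, List[object]]:
    """Group datagrams by destination FIFO, dropping anything no rule selects."""
    out: Dict[str, List[object]] = {path: [] for path in ROUTES.values()}
    for line in lines:
        ev = parse_syslog(line)
        if not ev or ev["programname"] not in ROUTES:
            continue                          # no rsyslog rule matches: discarded
        if ev["programname"] == "suricata_files":
            rec = suricata_file_record(ev["msg"])
            if rec:
                out[ROUTES["suricata_files"]].append(rec)
        elif "Alert Received" in ev["msg"]:   # mirrors the f_sguil filter in syslog-ng
            out[ROUTES["securityonion_ids"]].append(ev["msg"])
    return out


if __name__ == "__main__":
    for fifo, records in route(SAMPLE_DATAGRAMS).items():
        print(fifo, records)
```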
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a violation.
PacketFence violations are configured in Configuration → Violations.
The example below will guide you to create a violation that will isolate devices that have generated peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.
Violation definition
First, you need to configure the violation definition.
Where:
- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
Enforce provisioningwilltriggeracheckofcomplianceontheprovisionersdefinedforthedevice
Prioritydefinestheorderontowhichviolationsshouldbehandledshouldtherebemorethanoneforadevice
Whitelisted Rolesisthelistofrolesthatarenotaffectedbythisviolation
Triggers
Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases:
- A device that has generated Peer-to-peer traffic and that is using MAC OS X
- A device that has been detected as being a rogue DHCP
Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.
A menu will appear, in which you can select ET P2P, which will match all P2P alerts from Suricata.
Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.
Next, hit the < button, then the + to add another trigger.
Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.
Remediation
Next, in the Remediation tab, you can configure the behavior when a client gets isolated.
Where:
- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced
In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
Compliance Checks
PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you can activate a scan for a specific Operating System only on a specific SSID.

Installation
Nessus
Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.
After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.
Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.
Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the file names.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI
You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration
In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:
Scanner Definition
First, go in Configuration and Scanner Definition.
Then add a scan.
There are common parameters for each scan engine:
- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (Optional)
- OS: only devices with this Operating System will be affected (Optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan after registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: even if auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:
- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to the Nessus scan
- Password: password to connect to the Nessus scan
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:
- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to the OpenVAS scan
- Password: password to connect to the OpenVAS scan
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server

Specific to WMI:
- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition
WMI Rules Definition
If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information from the device, you need to know the SQL request. To help you find and write a rule, you can use a third-party tool like WMI Explorer.
Go in Configuration → WMI Rules Definition.
There are already 3 rules defined:
- Software_Installed
- logged_user
- Process_Running
Let's take the Software_Installed rule:

request = select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we trigger a violation (with the trigger internal::888888) for the MAC address of the device.
The second one, logged_user:

request = select UserName from Win32_ComputerSystem

Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{UserName}

This rule will do the following: retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request = select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.
Rules syntax
The syntax of the rules is simple to understand:
- The request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.
- Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).
- The test bloc is a simple test based on the result of the request:
  - attribute is the attribute you want to test
  - operator can be is, is_not, match, match_not
  - value is the value you want to compare
- Feel free to define multiple test blocs.
- The action bloc is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
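The rule evaluation described above, as an added example in Python that is not PacketFence code: it parses the test and action blocs from an INI-style string, applies the four operators to constructed rows standing in for the result of the request, and evaluates the action logic with the precedence given above (! first, then &, then |). The rule, the rows and the way $result->{Attr} is resolved are assumptions of this example.

```python
import configparser
import re

# The four test operators the page lists; v is the row's attribute, x the configured value.
OPERATORS = {
    "is": lambda v, x: str(v) == x,
    "is_not": lambda v, x: str(v) != x,
    "match": lambda v, x: re.search(x, str(v)) is not None,
    "match_not": lambda v, x: re.search(x, str(v)) is None,
}

def run_tests(cfg, rows):
    """Map each test bloc to the first row satisfying it (None when no row does)."""
    matched = {}
    for name in cfg.sections():
        if ":" in name:  # "[N:logic]" blocs are actions, not tests
            continue
        sec = cfg[name]
        op, attr, value = OPERATORS[sec["operator"]], sec["attribute"], sec["value"]
        matched[name] = next((r for r in rows if attr in r and op(r[attr], value)), None)
    return matched

class LogicExpr:
    """Recursive-descent evaluator for action logic; ! binds tightest, then &, then |."""
    def __init__(self, text, truth):
        self.tokens = re.findall(r"[A-Za-z0-9_]+|[!&|()]", text)
        self.pos = 0
        self.truth = truth  # test bloc name -> bool
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok
    def evaluate(self):
        value = self._or()
        if self._peek() is not None:
            raise ValueError("trailing token %r" % self._peek())
        return value
    def _or(self):
        value = self._and()
        while self._peek() == "|":
            self._take()
            value = self._and() or value
        return value
    def _and(self):
        value = self._not()
        while self._peek() == "&":
            self._take()
            value = self._not() and value
        return value
    def _not(self):
        tok = self._take()
        if tok == "!":
            return not self._not()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("unbalanced parenthesis")
            return value
        if tok not in self.truth:
            raise ValueError("unknown test bloc %r" % tok)
        return self.truth[tok]

def evaluate_rule(rule_text, rows, mac):
    """Return (action, resolved action_param) for each action bloc whose logic is true."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(rule_text)
    matched = run_tests(cfg, rows)
    truth = {name: row is not None for name, row in matched.items()}
    fired = []
    # Action blocs are evaluated in the order of their numeric prefix.
    for name in sorted((s for s in cfg.sections() if ":" in s), key=lambda s: int(s.split(":")[0])):
        logic = name.split(":", 1)[1]
        if not LogicExpr(logic, truth).evaluate():
            continue
        param = cfg[name].get("action_param", "").replace("$mac", mac)
        # Assumed here: $result->{Attr} comes from the first row that satisfied a test in the logic.
        row = next((matched[t] for t in re.findall(r"\w+", logic) if matched.get(t)), {})
        param = re.sub(r"\$result->\{(\w+)\}", lambda m: str(row.get(m.group(1), "")), param)
        fired.append((cfg[name]["action"], param))
    return fired

# Constructed rule for "select * from Win32_Product": flag Google software when Office is absent.
SOFTWARE_RULE = """
[google]
attribute = Caption
operator = match
value = Google

[office]
attribute = Caption
operator = match
value = Microsoft Office

[1:google&!office]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
"""

# Constructed rows standing in for the WMI query result.
PRODUCT_ROWS = [{"Caption": "Google Chrome", "Version": "51.0"}, {"Caption": "7-Zip 15.14"}]
```

Calling evaluate_rule(SOFTWARE_RULE, PRODUCT_ROWS, "00:11:22:33:44:55") fires the violation with the MAC substituted; adding an Office row to PRODUCT_ROWS makes the !office factor false and nothing fires.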
Violations definition
You need to create a new violation section and have to specify:
Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely
Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.
RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION]::[LIMIT]::[INTERVAL(optional)]

Let's explain each chunk properly:
- DIRECTION: you can either set a limit on inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: this is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).
Example triggers:
Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN::50GB::1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT::500MB::1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:

Accounting::TOT::200GB::1W
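Parsing and checking an accounting trigger, as an added example that is not PacketFence code. It assumes binary units (KB = 1024 B), approximates a month as 30 days and a year as 365 days for the look-back window, and sums constructed per-session download/upload byte counts.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Assumptions of this example: binary unit multipliers and fixed-length intervals.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVALS = {"D": timedelta(days=1), "W": timedelta(weeks=1),
             "M": timedelta(days=30), "Y": timedelta(days=365)}
TRIGGER_RE = re.compile(
    r"^Accounting::(?P<dir>IN|OUT|TOT)::(?P<n>\d+)(?P<unit>B|KB|MB|GB|PB)"
    r"(?:::(?P<k>\d+)(?P<int>D|W|M|Y))?$")

Trigger = namedtuple("Trigger", "direction limit_bytes window")
# Constructed accounting summary of one session: when it was seen, bytes downloaded, bytes uploaded.
Usage = namedtuple("Usage", "seen download upload")

def parse_trigger(text):
    """Split Accounting::DIRECTION::LIMIT[::INTERVAL] into its typed parts."""
    m = TRIGGER_RE.match(text)
    if not m:
        raise ValueError("not an accounting trigger: %r" % text)
    window = None
    if m.group("k"):  # INTERVAL is optional; None means "all recorded usage"
        window = int(m.group("k")) * INTERVALS[m.group("int")]
    return Trigger(m.group("dir"), int(m.group("n")) * UNITS[m.group("unit")], window)

def consumed_bytes(trigger, rows, now):
    """Sum the bytes in the trigger's direction over the look-back window ending at now."""
    start = now - trigger.window if trigger.window else None
    total = 0
    for row in rows:
        if start is not None and row.seen < start:
            continue
        if trigger.direction == "IN":
            total += row.download
        elif trigger.direction == "OUT":
            total += row.upload
        else:
            total += row.download + row.upload
    return total

def is_violated(text, rows, now):
    """True when consumption over the window exceeds the limit, i.e. the violation would open."""
    trigger = parse_trigger(text)
    return consumed_bytes(trigger, rows, now) > trigger.limit_bytes

# Constructed sample data: reference time and three sessions.
GB = 1024 ** 3
NOW = datetime(2016, 6, 15, 10, 30)
SAMPLE_ROWS = [
    Usage(datetime(2016, 6, 14, 9, 0), 120 * GB, 1 * GB),
    Usage(datetime(2016, 6, 10, 9, 0), 90 * GB, 2 * GB),
    Usage(datetime(2016, 5, 1, 9, 0), 500 * GB, 0),  # older than every window used below
]
```

With the sample rows, Accounting::TOT::200GB::1W and Accounting::IN::50GB::1M are exceeded, while Accounting::OUT::500MB::1D is not because no session falls inside the last 24 hours.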
Grace period
When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
Oinkmaster
Oinkmaster is a perl script that makes it possible to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update
In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal, even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup
Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.
Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:
- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.
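A worked evaluation of the duration format above, as an added example that is not PacketFence code: it applies the rules literally (F counts from the reference time, R from the beginning of the DATETIME_UNIT period, with weeks starting on Monday) and adds months and years calendar-wise, clamping the day of month, which is an assumption of this example.

```python
import calendar
import re
from datetime import datetime, timedelta

DURATION_RE = re.compile(
    r"^(?P<n>\d+)(?P<unit>[smhDWMY])"
    r"(?:(?P<base>[FR])(?P<op>[+-])(?P<k>\d+)(?P<ext>[DWMY]))?$")

def add_units(when, n, unit):
    """Add n units to when; s/m/h/D/W are exact, M/Y use calendar arithmetic (assumed here)."""
    if unit in "smhDW":
        seconds = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 604800}[unit]
        return when + timedelta(seconds=n * seconds)
    months = n if unit == "M" else 12 * n
    total = when.year * 12 + (when.month - 1) + months
    year, month = divmod(total, 12)
    month += 1
    day = min(when.day, calendar.monthrange(year, month)[1])  # clamp e.g. Jan 31 -> Feb 29
    return when.replace(year=year, month=month, day=day)

def period_start(when, unit):
    """Beginning of the period containing when, used by a relative (R) duration."""
    when = when.replace(microsecond=0)
    if unit == "s":
        return when
    when = when.replace(second=0)
    if unit == "m":
        return when
    when = when.replace(minute=0)
    if unit == "h":
        return when
    when = when.replace(hour=0)
    if unit == "D":
        return when
    if unit == "W":
        return when - timedelta(days=when.weekday())  # weekday() is 0 on Monday
    when = when.replace(day=1)
    return when if unit == "M" else when.replace(month=1)

def access_expiry(spec, reference):
    """Return the datetime at which access granted at reference with duration spec expires."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("bad duration %r" % spec)
    base = reference
    if m.group("base") == "R":
        base = period_start(reference, m.group("unit"))
    expiry = add_units(base, int(m.group("n")), m.group("unit"))
    if m.group("op"):  # the optional extension after F or R
        k = int(m.group("k")) * (1 if m.group("op") == "+" else -1)
        expiry = add_units(expiry, k, m.group("ext"))
    return expiry

def validate_choices(choices):
    """Return the entries of an access_duration_choices value that do not parse."""
    return [c for c in choices.split(",") if not DURATION_RE.match(c)]

# Constructed reference time (a Wednesday) used by the examples below.
REFERENCE = datetime(2016, 6, 15, 10, 30)

def expiry_string(spec, reference=REFERENCE):
    return access_expiry(spec, reference).strftime("%Y-%m-%d %H:%M:%S")
```

From the reference time, 12h expires at 22:30 the same day, 1DF+1D two days later at the same hour, and 1WR+1D at midnight on the Tuesday after next week starts (Monday 2016-06-20 plus one day).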
Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist on the self-registration process.
Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.
Active Directory Integration

Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

#
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate; remove this line once the PacketFence
    # server presents a certificate this Windows host trusts.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # The first replacement string of the event is the target account name, used as the PID.
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-deleted-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges
Triggers → New:
- Begin on the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings:
- At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time
Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

#
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate; remove this line once the PacketFence
    # server presents a certificate this Windows host trusts.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # The first replacement string of the event is the target account name, used as the PID.
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID:
Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-disabled-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges
Triggers → New:
- Begin on the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings:
- At the bottom, select in the list: Run a new instance in parallel
Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

#
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate; remove this line once the PacketFence
    # server presents a certificate this Windows host trusts.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # The first replacement string of the event is the target account name, used as the PID.
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-locked-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges
Triggers → New:
- Begin on the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4740
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings:
- At the bottom, select in the list: Run a new instance in parallel
Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor
You will first need to download and install WinPcap, available from: http://www.winpcap.org/install/
You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from: http://www.microsoft.com/download/details.aspx?id=5555
Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First, download and unzip nssm from https://nssm.cc/download
Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface on which your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run: nssm install udpreflector
In Application:
- In Path, set it to C:\udp-reflector\udpreflector.bat
- In Startup directory, set it to C:\udp-reflector
- In Arguments, set it to nothing
In Details:
- In Startup type, select Automatic
In Log on:
- In Log on as, select Local System account
Then press Install service.
The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor
First, download the RPM on your DHCP server.
CentOS 6 and 7 servers
For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system
First, make sure you have the following packages installed:
- libpcap
- libpcap-devel
- gcc-c++
Get the source code of the sensor:

mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor
Place the following line in /etc/rc.local:
- where pcap0 is the pcap interface on which your DHCP server listens (list them using udp_reflector -l)
- where 192.168.1.5 is the management IP of your PacketFence server

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.
Switch login access
PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action Switches CLI - Read or Switches CLI - Write, and assign this role to an internal user or in an Administration rule in an internal source.
Chapter 14: Operating System Best Practices

IPTables
IPTables is now entirely managed by PacketFence. However, if you need some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during the PacketFence initial installation.
Chapter 15: Performance optimization

SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default, PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
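The per-port limit can be reproduced as a sliding-window counter, shown here as an added example that is not PacketFence code, run over constructed trap log lines in a made-up "<timestamp> <switch> ifIndex=<port> <type>" format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: "YYYY-MM-DD HH:MM:SS <switch ip> ifIndex=<n> <trap type>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) ifIndex=(\d+) (\S+)$")

class TrapLimiter:
    """Flags a (switch, port) once more than `threshold` traps arrive within `window`."""

    def __init__(self, threshold=100, window=timedelta(minutes=1)):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # (switch, port) -> timestamps still inside the window
        self.tripped = []                 # ports that crossed the limit, in order of detection

    def record(self, switch, port, when):
        """Register one trap; return True the first time the port exceeds the threshold."""
        key = (switch, port)
        q = self.recent[key]
        q.append(when)
        while when - q[0] >= self.window:  # drop timestamps that have left the window
            q.popleft()
        if len(q) > self.threshold and key not in self.tripped:
            self.tripped.append(key)
            return True
        return False

def scan_trap_log(lines, threshold=100):
    """Parse trap log lines and return the (switch, port) pairs that exceeded the limit."""
    limiter = TrapLimiter(threshold)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real collector would count these separately
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        limiter.record(m.group(2), int(m.group(3)), when)
    return limiter.tripped

def constructed_log():
    """120 traps from one port inside 48 seconds, plus a handful from a second switch."""
    base = datetime(2016, 6, 15, 10, 30, 0)
    lines = []
    for i in range(120):
        t = base + timedelta(milliseconds=i * 400)
        lines.append("%s 192.0.2.10 ifIndex=10101 linkUp" % t.strftime("%Y-%m-%d %H:%M:%S"))
    for i in range(5):
        t = base + timedelta(seconds=i * 20)
        lines.append("%s 192.0.2.11 ifIndex=10102 linkDown" % t.strftime("%Y-%m-%d %H:%M:%S"))
    return lines
```

With the default threshold of 100 the flapping port on 192.0.2.10 is reported after its 101st trap; the second switch never comes close, and raising the threshold to 200 reports nothing.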
MySQL optimizations

Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79

Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20%; this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.
Shut down PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):

[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
# 2 flushes the log to disk once per second instead of at every commit: faster,
# but up to a second of committed transactions can be lost if the OS crashes
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL: [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql
Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and, after 10 of these (by default), it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
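To make the rule semantics concrete, here is an added evaluator that applies apache_filters.conf-style rules to a request (illustration only, not PacketFence's own implementation). It assumes that `value` is matched as a regular expression, that `[name]` sections are tests, that `[name:test1&test2]` sections are rules requiring every listed test to pass, and that a test only applies when the request method equals its `method`; the second rule, which rejects an empty User-Agent, is constructed for the example.

```python
"""Evaluate apache_filters.conf-style HTTP filters (added example)."""
import configparser
import re

# Constructed config: the two tests and the rule from the guide, plus a
# second rule (assumed here) that rejects requests without a User-Agent.
SAMPLE_FILTERS = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

[no_user_agent]
filter = user_agent
method = GET
operator = match
value = ^$

[block_no_user_agent:no_user_agent]
action = 403
redirect_url =
"""


def load_filters(text):
    """Split the INI text into tests ({name: fields}) and rules
    ([(rule_name, [test names], fields)]), keeping rule order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, rules = {}, []
    for section in cp.sections():
        fields = dict(cp[section])
        if ":" in section:
            name, expr = section.split(":", 1)
            rules.append((name, [t.strip() for t in expr.split("&")], fields))
        else:
            tests[section] = fields
    return tests, rules


def check_test(test, request):
    """One test passes when the method matches and the regex in `value`
    is found (operator match) or not found (match_not) in the chosen
    request field (user_agent or uri)."""
    if test.get("method") and test["method"] != request["method"]:
        return False
    subject = request.get(test["filter"], "")
    hit = re.search(test["value"], subject) is not None
    return hit if test["operator"] == "match" else not hit


def evaluate(filters, request):
    """Return (action, redirect_url) of the first rule whose tests all
    pass, or None when the request may reach the captive portal normally."""
    tests, rules = filters
    for _name, needed, fields in rules:
        if all(check_test(tests[t], request) for t in needed):
            return fields.get("action"), fields.get("redirect_url", "")
    return None


if __name__ == "__main__":
    f = load_filters(SAMPLE_FILTERS)
    req = {"method": "GET", "uri": "/", "user_agent": "Dalvik/2.1.0"}
    print(evaluate(f, req))  # ('501', '')
```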
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure PacketFence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup (the contents of the backup directory go into the new mount point, not the directory itself):

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/. /usr/local/pf/var/graphite/

Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak
Chapter 16. Additional Information

For more information, please consult the mailing archives or post your questions to the lists. For details, see:

- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions
Chapter 17. Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance, or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.
Chapter 18. GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                       | manage the cache subsystem
 checkup                     | perform a sanity checkup and report any problems
 class                       | view violation classes
 configfiles                 | push or pull configfiles into/from database
 configreload                | reload the configution
 floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
 help                        | show help for pfcmd commands
 ifoctetshistorymac          | accounting history
 ifoctetshistoryswitch       | accounting history
 ifoctetshistoryuser         | accounting history
 import                      | bulk import of information into the database
 ipmachistory                | IP/MAC history
 locationhistorymac          | Switch/Port history
 locationhistoryswitch       | Switch/Port history
 networkconfig               | query/modify network configuration parameters
 node                        | manipulate node entries
 pfconfig                    | interact with pfconfig
 portalprofileconfig         | query/modify portal profile configuration parameters
 reload                      | rebuild fingerprint or violations tables without restart
 service                     | start/stop/restart and get PF daemon status
 schedule                    | Nessus scan scheduling
 switchconfig                | query/modify switches.conf configuration parameters
 version                     | output version information
 violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
 -deauthenticate      de-authenticate a dot11 client
 -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
 -getAlias            show the description of the specified switch port
 -getAllMACs          show all MACS on all switch ports
 -getHubs             show switch ports with several MACs
 -getIfOperStatus     show the operational status of the specified switch port
 -getIfType           show the ifType on the specified switch port
 -getLocation         show at which switch port the MAC is found
 -getSwitchLocation   show SNMP location of specified switch
 -getMAC              show all MACs on the specified switch port
 -getType             show switch type
 -getUpLinks          show the upLinks of the specified switch
 -getVersion          show switch OS version
 -getVlan             show the VLAN on the specified switch port
 -getVlanType         show the VLAN type on the specified port
 -help                brief help message
 -isolate             set the switch port to the isolation VLAN
 -man                 full documentation
 -reAssignVlan        re-assign a switch port VLAN
 -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
 -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
 -setAlias            set the description of the specified switch port
 -setDefaultVlan      set the switch port to the default VLAN
 -setIfAdminStatus    set the admin status of the specified switch port
 -setVlan             set VLAN on the specified switch port
 -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

Options:
 -alias          switch port description
 -ifAdminStatus  ifAdminStatus
 -ifIndex        switch port ifIndex
 -mac            MAC address
 -showPF         show additional information available in PF
 -switch         switch description
 -verbose        log verbosity level
                   0 : fatal messages
                   1 : warn messages
                   2 : info messages
                   3 : debug
                   4 : trace
 -vlan           VLAN id
 -vlanName       VLAN name (as in switches.conf)
Chapter 1. About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/.

Other sources of information

The following documents are included in the package and release tarballs:

- Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration
- Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware
- CREDITS: This is, at least, a partial file of PacketFence contributors
- NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release
- UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading
- ChangeLog: Covers all changes to the source code
Chapter 2. Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

- Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

- In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

- Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

- Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

- Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

- 802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

- Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.

- Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

- Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

- Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

- Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

- Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

- Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

- Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

- Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creations and imports.

- Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
Chapter 3. System Requirements
Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:
- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!
Chapter 4. Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator.

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo deb http://inverse.ca/downloads/PacketFence/debian jessie jessie > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Chapter 5. Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Chapter 6. Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Chapter 7. Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name, password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows, Mac OS X and Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have 802.1X supplicants, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts an address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs the WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), from which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/re-authorized, so we go back to 1.

8. PacketFence server directs the WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal VLAN".
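The eight steps above, replayed as an added simulation with both parties modelled (this is illustrative code, not PacketFence's): the controller sends the MAC over RADIUS and re-authenticates after a Change of Authorization, while the server audits its node table and answers with a role. The node statuses "unreg"/"reg", the role names, the Tunnel-Private-Group-ID reply attribute standing in for the RFC 2868 attributes, and the directory callback used for step 6 are all assumptions of this sketch.

```python
"""Simulation of the wireless MAC-authentication flow (added example)."""

# What the server returns to the controller (assumed attribute/role names).
REGISTRATION_REPLY = {"role": "registration", "Tunnel-Private-Group-ID": "registration"}
AUTHENTICATED_REPLY = {"role": "normal", "Tunnel-Private-Group-ID": "normal"}


class PacketFenceServer:
    """Steps 2-4, 5-7 and 8 as seen from PacketFence."""

    def __init__(self):
        self.nodes = {}        # mac -> {"status": "unreg"|"reg", "pid": owner}
        self.coa_pending = []  # MACs for which a CoA (RFC 3576) was issued

    def radius_mac_auth(self, mac):
        """Step 3: audit the MAC; step 4 or 8: choose the reply."""
        node = self.nodes.setdefault(mac, {"status": "unreg", "pid": None})
        if node["status"] == "reg":
            return dict(AUTHENTICATED_REPLY)
        return dict(REGISTRATION_REPLY)

    def portal_register(self, mac, username, password, directory_check):
        """Steps 5-7: validate the portal credentials against the directory,
        record user+device, then queue a CoA so the controller re-authorizes."""
        if not directory_check(username, password):
            return False
        self.nodes[mac] = {"status": "reg", "pid": username}
        self.coa_pending.append(mac)
        return True


class WlanController:
    """Steps 1-2 and the re-authentication triggered by step 7."""

    def __init__(self, server):
        self.server = server
        self.sessions = {}     # mac -> last reply received from PacketFence

    def associate(self, mac):
        """Client associates; its MAC is sent to PacketFence over RADIUS."""
        self.sessions[mac] = self.server.radius_mac_auth(mac)
        return self.sessions[mac]["role"]

    def handle_coa(self):
        """Every MAC named in a CoA is re-authenticated (back to step 1)."""
        for mac in list(self.server.coa_pending):
            self.associate(mac)
        self.server.coa_pending.clear()


def run_flow(mac, username, password, directory):
    """Drive one device through the flow; returns the roles it was given, in order."""
    pf = PacketFenceServer()
    wlc = WlanController(pf)
    roles = [wlc.associate(mac)]                       # first pass: registration role
    ok = pf.portal_register(mac, username, password,
                            lambda u, p: directory.get(u) == p)
    if ok:
        wlc.handle_coa()                               # CoA forces a second pass
        roles.append(wlc.sessions[mac]["role"])
    return roles


if __name__ == "__main__":
    # Constructed directory: one valid account.
    print(run_flow("00:11:22:33:44:55", "alice", "s3cret", {"alice": "s3cret"}))
```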
WebAuthmodeWebauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptiveportalWiththismodeyourdevicewillneverchangeofVLANIDbutonlytheACLassociatedtoyourdevicewillchangeRefertotheNetworkDevicesConfigurationGuidetoseeasamplewebauthconfigurationonaCiscoWLC
Port-securityandSNMPReliesontheport-securitySNMPTrapsAfakestaticMACaddressisassignedtoalltheportsthiswayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFenceThesystemwillauthorizetheMACandsettheportintherightVLANVoIPsupportispossiblebuttrickyItvariesalotdependingontheswitchvendorCiscoiswellsupportedbutisolationofaPCbehindanIPPhoneleadstoaninterestingdilemmaeitheryoushuttheport(andthephoneatthesametime)oryouchangethedataVLANbutthePCdoesnrsquotdoDHCP(didnrsquotdetectlinkwasdown)soitcannotreachthecaptiveportal
AsidefromtheVoIPisolationdilemmaitisthetechniquethathasproventobereliableandthathasthemostswitchvendorsupport
MoreonSNMPtrapsVLANisolation
WhentheVLANisolationisworkingthroughSNMPtrapsallswitchports(onwhichVLANisolationshouldbedone)mustbeconfiguredtosendSNMPtrapstothePacketFencehostOnPacketFence
Chapter7
Copyrightcopy2016InverseincTechnicalintroductiontoOut-of-bandenforcement 18
weusesnmptrapdastheSNMPtrapreceiverAsitreceivestrapsitreformatsandwritesthemintoaflatfileusrlocalpflogssnmptrapdlogThemultithreadedpfsetvlandaemonreadsthesetrapsfromtheflatfileandrespondstothembysettingtheswitchporttothecorrectVLANCurrentlywesupportswitchesfromCiscoEdge-coreHPIntelLinksysandNortel(addingsupportfor switches fromanothervendor impliesextending thepfSwitch class)DependingonyourswitchescapabilitiespfsetvlanwillactondifferenttypesofSNMPtraps
YouneedtocreatearegistrationVLAN(withaDHCPserverbutnoroutingtootherVLANs)inwhichPacketFencewillputunregistereddevicesIfyouwanttoisolatecomputerswhichhaveopenviolationsinaseparateVLANanisolationVLANneedsalsotobecreated
linkUplinkDowntraps(deprecated)ThisisthemostbasicsetupanditneedsathirdVLANtheMACdetectionVLANThereshouldbenothinginthisVLAN(noDHCPserver)anditshouldnotberoutedanywhereitisjustanvoidVLAN
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement technique rather than VLAN enforcement, and SSID an SSID name. An example:

    SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443.

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.
Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.

Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources using a first-match wins algorithm. Roles are then matched to VLANs or internal roles or ACLs on equipment from the Configuration → Network → Switches module.
Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth2)
- Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example: Let's say we have two roles: guest and employee. First we define them: Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
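To make the evaluation order concrete, here is an added example (not PacketFence code, and not taken from the guide) that models sources, rules, conditions and actions and applies the first-match-wins walk described above, including the catch-all behaviour from the note. The data layout, the condition operators and the sample users and rules are assumptions made for the example; the ad1/employees names follow the example above.

```python
"""Added example, not PacketFence code: a model of how sources, rules,
conditions and actions are evaluated with "first match wins", as described
in the Authentication section.  The data layout, the condition operators
and the sample users/rules are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: list   # (attribute, operator, value) tuples; an empty list is a catch-all
    actions: dict      # e.g. {"set_role": "employee", "set_unregdate": "2020-01-01"}


@dataclass
class Source:
    name: str
    kind: str          # "AD", "LDAP", "htpasswd", "SQL", "Kerberos" or "RADIUS"
    users: dict        # username -> attributes (constructed sample data)
    rules: list = field(default_factory=list)

    def lookup(self, username):
        """Attributes of the user, or None when the source does not know the
        username.  Per the guide's note, Kerberos and RADIUS sources act as a
        true catch-all: they cannot report a user as unknown."""
        if self.kind in ("Kerberos", "RADIUS"):
            return self.users.get(username, {})
        return self.users.get(username)


def condition_matches(attrs, attribute, operator, value):
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "equals":
        return actual == value
    if operator == "starts_with":
        return str(actual).startswith(value)
    if operator == "is_member_of":
        return value in actual
    raise ValueError(f"unknown operator: {operator}")


def evaluate(sources, username):
    """Test sources in order, then each source's rules in order.  The first
    rule whose conditions all hold wins: its actions are returned and no
    later rule or source is consulted.  Returns (source, rule, actions) or
    None when nothing matched."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue   # username absent from this source: none of its rules can match
        for rule in source.rules:
            if all(condition_matches(attrs, a, op, v) for a, op, v in rule.conditions):
                return (source.name, rule.name, dict(rule.actions))
    return None


# Constructed sample configuration mirroring the ad1/employees example above,
# with an extra conditional rule placed before the catch-all to show ordering.
IT_GROUP = "CN=IT,CN=Users,DC=acme,DC=local"
AD1 = Source("ad1", "AD",
             users={"alice": {"sAMAccountName": "alice", "memberOf": [IT_GROUP]},
                    "carol": {"sAMAccountName": "carol", "memberOf": []}},
             rules=[Rule("it_staff", [("memberOf", "is_member_of", IT_GROUP)],
                         {"set_role": "it", "set_unregdate": "2020-01-01"}),
                    Rule("employees", [],
                         {"set_role": "employee", "set_unregdate": "2020-01-01"})])
LOCAL = Source("local", "SQL",
               users={"bob": {"username": "bob"}},
               rules=[Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"})])
SOURCES = [AD1, LOCAL]


def role_for(username):
    """Convenience wrapper: the role assigned to a username, or None."""
    match = evaluate(SOURCES, username)
    return match[2]["set_role"] if match else None


if __name__ == "__main__":
    for user in ("alice", "carol", "bob", "mallory"):
        print(user, "->", evaluate(SOURCES, user))
```

Note how carol, who is in ad1 but not in the IT group, falls through to the catch-all employees rule, while bob is skipped by ad1 entirely (the username is not in that source) and only then reaches the local SQL source.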
External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result: should be 1 for success, 0 for failure
- message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}

Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

    {"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
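The exchange above, as an added example that is not part of the guide nor of the example_external_auth addon: a small Python HTTP service implementing the authentication and authorization actions with the JSON replies described above, and checking the HTTP basic-auth credentials PacketFence can be configured to send. The URL paths /auth and /authorize, the POST field names username and password, the in-memory user table and the API credentials are assumptions made for this example.

```python
"""Added example, not PacketFence code nor the example_external_auth addon:
a small HTTP service implementing the two actions an external authentication
source must provide.  Assumed (not from the guide): the paths /auth and
/authorize, the POST field names username and password, the user table and
the basic-auth credentials."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed sample users standing in for the directory the API fronts.
USERS = {
    "alice": {"password": "s3cret", "group": "staff"},
    "bob": {"password": "guestpw", "group": "visitor"},
}
# The "API username and password" configured on the PacketFence HTTP source
# (HTTP basic authentication, RFC 2617); assumed values.
API_USER, API_PASS = "pf", "apipassword"


def _same(a, b):
    """Constant-time string comparison (no early exit on the first mismatch)."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_basic_auth(header):
    """True when the Authorization header carries the expected credentials."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return _same(user, API_USER) and _same(pw, API_PASS)


def authenticate(fields):
    """Authentication action: is the username/password combination valid?"""
    user = USERS.get(fields.get("username", ""))
    if user and _same(user["password"], fields.get("password", "")):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields):
    """Authorization action: the PacketFence attributes to apply to the user.
    Only the attributes that are needed are sent back."""
    user = USERS.get(fields.get("username", ""))
    if user is None:
        return {}
    if user["group"] == "staff":
        return {"category": "employee", "unregdate": "2030-01-01"}
    return {"category": "guest", "access_duration": "1D"}


ROUTES = {"/auth": authenticate, "/authorize": authorize}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Reject callers that do not present the shared API credentials.
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        action = ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        # PacketFence passes its parameters as urlencoded POST fields; keep the
        # first value of each field.
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length).decode(errors="replace")
        fields = {k: v[0] for k, v in parse_qs(raw).items()}
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Point the PacketFence HTTP source at http://127.0.0.1:8080 with
    # auth and authorize as the authentication and authorization URLs.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

A real backend would verify the password against a directory or a salted hash rather than a literal table; the constant-time comparisons are kept so that neither the user password check nor the API credential check leaks through timing.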
SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch.

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.
Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
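An added example (not PacketFence code) that reads a switches.conf-style file and resolves the <rolename>Role=<controller_role> mapping for a switch, with per-switch entries overriding the [default] section, and also evaluates the ALWAYS/PORT/MAC/SSID inline triggers described in the Hybrid enforcement section. The parameter name inlineTrigger for the "Trigger to enable inline mode" field and the sample switches.conf content are assumptions, not taken from the guide.

```python
"""Added example, not PacketFence code: resolving role mappings and inline
triggers from a switches.conf-style file.  Per-switch entries override the
[default] section.  Assumed (not from the guide): the parameter name
inlineTrigger for "Trigger to enable inline mode" and the sample content."""
import configparser
import re

# Constructed sample switches.conf; role mappings use the
# <rolename>Role=<controller_role> format described above.
SAMPLE_SWITCHES_CONF = """
[default]
mode = production
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.1.10]
description = wiring closet switch
salesRole = sales-acl
inlineTrigger = SSID::GuestAccess,MAC::00:11:22:33:44:55,PORT::10012

[192.168.1.20]
description = guest wireless controller
inlineTrigger = ALWAYS
"""


def load(text):
    # default_section="default" makes configparser apply the [default]
    # section as the fallback for every switch section, which is the
    # global-then-per-switch precedence the guide describes.
    cp = configparser.ConfigParser(interpolation=None, default_section="default")
    cp.optionxform = str   # keep parameter names case-sensitive (adminRole)
    cp.read_string(text)
    return cp


def external_role(cp, switch_ip, pf_role):
    """Controller role for a PacketFence role on this switch, or None."""
    return cp.get(switch_ip, f"{pf_role}Role", fallback=None)


_MAC = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_inline_trigger(value):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [(kind, value), ...];
    ALWAYS carries no value.  Malformed entries raise instead of silently
    never matching."""
    triggers = []
    for item in (p.strip() for p in value.split(",") if p.strip()):
        kind, _, val = item.partition("::")
        kind = kind.upper()
        if kind == "ALWAYS":
            triggers.append(("ALWAYS", None))
        elif kind in ("PORT", "SSID"):
            triggers.append((kind, val))
        elif kind == "MAC":
            val = val.lower()
            if not _MAC.match(val):
                raise ValueError(f"bad MAC in inline trigger: {item}")
            triggers.append(("MAC", val))
        else:
            raise ValueError(f"unknown inline trigger kind: {item}")
    return triggers


def use_inline(cp, switch_ip, mac, ssid=None, ifindex=None):
    """True when the connection matches any inline trigger of the switch, in
    which case the node gets inline enforcement instead of a VLAN."""
    for kind, val in parse_inline_trigger(cp.get(switch_ip, "inlineTrigger", fallback="")):
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and val == mac.lower():
            return True
        if kind == "SSID" and ssid is not None and val == ssid:
            return True
        if kind == "PORT" and ifindex is not None and val == str(ifindex):
            return True
    return False


CONF = load(SAMPLE_SWITCHES_CONF)

if __name__ == "__main__":
    print(external_role(CONF, "192.168.1.10", "sales"))
    print(use_inline(CONF, "192.168.1.10", "aa:bb:cc:dd:ee:ff", ssid="GuestAccess"))
```

The sales mapping illustrates the precedence: the wiring closet switch gets sales-acl from its own section while the controller falls back to little-access from [default]; a role with no mapping on either level resolves to None, which is the case the caution above is about.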
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

- Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

- IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: Network in CIDR format or an IP address

Caution: Node role will take effect only with an 802.1x connection or if you use VLAN filters.
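An added example (not PacketFence code) that picks the portal profile for a connection from a profiles.conf-style file using the filter types listed above, including the CIDR match for the Network filter. The Type:value spelling of the filter value, the first-listed-profile-wins ordering and the sample profiles are assumptions made for this example.

```python
"""Added example, not PacketFence code: selecting a portal profile from a
profiles.conf-style file with SSID, VLAN, Switch Port and Network filters.
Assumed (not from the guide): the "Type:value" filter spelling, first
listed profile wins, and the sample profiles below."""
import configparser
import ipaddress

# Constructed sample profiles.conf; the last section is the fallback.
SAMPLE_PROFILES_CONF = """
[guest_wifi]
description = Guest wireless portal
filter = SSID:Guest-SSID
sources = sms,email

[lab_vlan]
description = Lab VLAN portal
filter = VLAN:100
sources = ad1

[lobby_port]
description = Lobby kiosk port
filter = SwitchPort:192.168.1.10-10003
sources = null

[branch_office]
description = Branch office portal
filter = Network:10.20.0.0/16
sources = ad1

[default]
description = Default portal
filter =
sources = ad1,local
"""


def load_profiles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_filter(value):
    """'SSID:Guest-SSID' -> ('ssid', 'Guest-SSID'); None when no filter is set."""
    kind, sep, val = value.partition(":")
    if not sep:
        return None
    return kind.strip().lower(), val.strip()


def filter_matches(flt, conn):
    """conn describes the connection: ssid, vlan, switch, port, ip (any may be absent)."""
    kind, val = flt
    if kind == "ssid":
        return conn.get("ssid") == val
    if kind == "vlan":
        return str(conn.get("vlan")) == val
    if kind == "switchport":
        return f"{conn.get('switch')}-{conn.get('port')}" == val
    if kind == "network":
        try:
            # A CIDR prefix or a single address (which becomes a /32).
            net = ipaddress.ip_network(val, strict=False)
            return ipaddress.ip_address(conn["ip"]) in net
        except (KeyError, ValueError):
            return False
    raise ValueError(f"unsupported filter type: {kind}")


def select_profile(cp, conn):
    """Name of the first profile whose filter matches, else 'default'."""
    for name in cp.sections():
        flt = parse_filter(cp.get(name, "filter", fallback=""))
        if flt is not None and filter_matches(flt, conn):
            return name
    return "default"


PROFILES = load_profiles(SAMPLE_PROFILES_CONF)

if __name__ == "__main__":
    print(select_profile(PROFILES, {"ssid": "Guest-SSID", "ip": "10.1.1.5"}))
    print(select_profile(PROFILES, {"vlan": 5, "ip": "10.20.33.4"}))
```

Because the profiles are tried in file order, a broad Network filter listed before a narrow SSID filter would shadow it; keep the most specific profiles first, as the sample does.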
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
- httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator.
- Password is the password for the username defined above.
Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }
Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:

    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf
    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
            User-Name = "myDomainUser"
            NAS-IP-Address = 10.0.0.1
            NAS-Port = 12
            Message-Authenticator = 0x00000000000000000000000000000000
            MS-CHAP-Challenge = 0x79d62c9da4e55104
            MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option 2: Local Authentication: Add your user's entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP: To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.

    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }
Option 4: EAP Guest Authentication on email, sponsor and SMS registration: This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note: This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfsponsor
                if (fail || notfound) {
                    # Don't check activation table with phone number and PIN code
                    #pfsms      <--- This line was commented out
                    if (fail || notfound) {
                        update control {
                            &MS-CHAP-Use-NTLM-Auth := Yes
                        }
                    }
                }
            }
        }
    }

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.
Option 5: EAP Local user Authentication

The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless): NTLM auth is disabled by default and the local account is tested. If it fails, NTLM auth is re-enabled.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
            # Disable ntlm_auth
            update control {
                    MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pf.local
            if (fail || notfound) {
                    update control {
                            MS-CHAP-Use-NTLM-Auth := Yes
                    }
            }
    }
Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.
Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
            User-Name = "dd9999"
            User-Password = "Abcd1234"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.
First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows you to give the user a choice between multiple modules. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined (e.g. you want your users to register via Google+ and pay for their access using PayPal).

Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

    Billing: Allows you to define a module based on one or more billing sources.

    Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.

    Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

    Other modules: The other modules are all based on the source type they are assigned to. They allow you to select the source, the AUP acceptance and mandatory fields if applicable.
Examples

This section will contain the following examples:

- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click "Add Portal Module" and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under "Root Portal Module", assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.
Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click "Add Portal Module" and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck "Require AUP" so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.
Note

Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook…).
Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to log in via any configured OAuth source (GitHub, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the "Require AUP" option, since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID on-boarding. Refer to the section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck "Skipable" so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

    Hello World. <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the Perl class name of the sources you want available, e.g. pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).

Sources by type: Allows you to filter sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Chapter 10

Debugging
Log files

Here are the most important PacketFence log files:

- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache – Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache – Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache – Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache – Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache – Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache – Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache – AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache – AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.
RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
Chapter 11

More on VoIP Integration
VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way we will have 1 MAC address authorized on the voice VLAN and 1 on the access VLAN.
Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Chapter 12

Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple users simply need to click on that link and follow the instructions on their device. Android users simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click "configure": this will create the secure SSID profile. It is that simple.
Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts and expand the business account, then click Profile.

Now click the "Change password" link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account or at https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select "Website Payment Preferences".
Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select "Encrypted Payment Settings".

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:

- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant Paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence certificate's private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click "Your account", then "Account settings".

Navigate to the "API keys" tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section "Subscription based registration" below for details on how to configure it
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or on http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section "Security settings", click "MD5-Hash".
Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click "Add billing tier" and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.
Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click "Add endpoint".

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:
    client tlrs1.eduroam.us {
            secret = useStrongerSecret
            shortname = tlrs1
    }

    client tlrs2.eduroam.us {
            secret = useStrongerSecret
            shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

    home_server tlrs1.eduroam.us {
            type = auth
            ipaddr = 257.128.1.1
            port = 1812
            secret = useStrongerSecret
            require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
            type = fail-over
            home_server = tlrs1.eduroam.us
            home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain in the username, either as a domain\ prefix or as an @suffix.

- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm
    # prefix or suffix. User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users, who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users, who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
            auth_pool = eduroam
            nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 73
authorize pay attention to the order of the modules It matters ntdomain suffix preprocess
uncomment this section if you want to block eduroam users from you other SSIDs The attribute name ( Called-Station-Id ) may differ based on your controller if ( Called-Station-Id ~ eduroam$i) update control Proxy-To-Realm = local
eap ok = return
files expiration logintime packetfence
Inusrlocalpfraddbsites-enabledpacketfence-tunnelmodifythepost-authsectionlikethisIfyouomit this change the requestwill be sent toPacketFencewhere itwill be failed since theeduroamserversarenotpartofyourconfiguredswitches
raddbsites-enabledpacketfence-tunnelexample
post-auth exec
we skip packetfence when the request is coming from the eduroam servers if ( clientshortname = tlrs1 ampamp clientshortname = tlrs2 ) packetfence
Post-Auth-Type REJECT attr_filteraccess_reject
Finallymakesurethattherealmsmoduleisconfiguredthisway(seeusrlocalpfraddbmodulesrealm)
raddbmodulesrealmexample
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 74
usernamerealmrealm suffix format = suffix delimiter =
domainuserrealm ntdomain format = prefix delimiter = ignore_null = yes
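The following is an added example, not FreeRADIUS or PacketFence code: a model of how the ntdomain and suffix modules together with the realms in proxy.conf decide where a request goes in the eduroam setup above, plus the client-shortname test from the packetfence-tunnel post-auth section. It assumes the authorize order shown (ntdomain before suffix), that a locally defined realm strips the domain from the user name (the FreeRADIUS default) while DEFAULT keeps it because of nostrip, and that realm names are matched exactly; the REALMS and EDUROAM_CLIENTS tables are constructed from the configuration above.

```python
# Constructed equivalent of the realm stanzas in proxy.conf above:
# realm name -> auth_pool, None meaning "authenticate locally"
REALMS = {"NULL": None, "EXAMPLE": None, "example.edu": None, "DEFAULT": "eduroam"}

# Client shortnames tested in the packetfence-tunnel post-auth section (assumed names)
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}


def ntdomain(user_name):
    """realm ntdomain: format = prefix, delimiter = "\\", ignore_null = yes."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep and domain else None


def suffix(user_name):
    """realm suffix: format = suffix, delimiter = "@"."""
    user, sep, domain = user_name.rpartition("@")
    return (domain, user) if sep else None


def route(user_name, realms=REALMS):
    """Return (realm, auth_pool, user_name_sent_on).

    ntdomain runs before suffix; the first module that finds a domain wins.
    A domain that is a realm in proxy.conf is used as-is, any other domain
    falls through to DEFAULT. Local realms strip the domain from the user
    name, DEFAULT keeps it (nostrip) because eduroam needs the full identity."""
    found = ntdomain(user_name) or suffix(user_name)
    if found is None:
        return "NULL", realms.get("NULL"), user_name
    domain, user = found
    realm = domain if domain in realms else "DEFAULT"
    if realm not in realms:
        return None, None, user_name  # nothing matched and no DEFAULT: not proxied
    pool = realms[realm]
    if realm == "DEFAULT":
        return realm, pool, user_name
    return realm, pool, user


def post_auth_runs_packetfence(client_shortname):
    """The post-auth check above: PacketFence is skipped for the eduroam servers."""
    return client_shortname not in EDUROAM_CLIENTS


if __name__ == "__main__":
    for name in ["bob", "EXAMPLE\\bob", "bob@example.edu", "bob@other-university.eu", "OTHER\\bob"]:
        print(name, "->", route(name))
```

Note the consequence of the DEFAULT realm: any user name carrying an unknown domain, typo or not, leaves your RADIUS server for the eduroam hierarchy together with its EAP conversation, so keep the list of local realms complete.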
Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it into the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going into the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user- or organization-specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.

Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out of your network can easily be submitted to the upstream Fingerbank project for further analysis and integration into the global database. Submitted fingerprints (DHCP options, vendor IDs, user agents) leave your network; review what is shared before enabling this where that matters.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream (or both) entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There is documentation for each and every parameter to allow easier understanding.
Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution: right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Note that the floating device is identified by its MAC address alone: while the port is in this state, port-security is off and every MAC address behind the device is admitted without going through registration. Treat the list of floating devices accordingly.

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma-separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
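The following is an added example, not PacketFence code: a model of the port reconfiguration described above, driven by the two SNMP traps PacketFence acts on for floating network devices. The PortState fields are an assumed view of the switch port, and FLOATING_DEVICES is a constructed stand-in for conf/floating_network_device.conf using the setting names from the table above.

```python
from dataclasses import dataclass, replace

# Constructed stand-in for conf/floating_network_device.conf (setting names as in the table above)
FLOATING_DEVICES = {
    "00:11:22:33:44:55": {"trunkPort": "yes", "pvid": "10", "taggedVlan": "20,30"},
    "00:11:22:33:44:66": {"trunkPort": "no", "pvid": "10", "taggedVlan": ""},
}


@dataclass
class PortState:
    """Assumed view of the switch port as PacketFence reconfigures it."""
    port_security: bool = True       # normal state: port-security on, MACs authorized one by one
    linkdown_traps: bool = False     # normally only port-security traps are enabled
    trunk: bool = False
    pvid: int = 1
    tagged_vlans: tuple = ()
    floating_mac: str = None         # set while a floating device is plugged in
    saved: "PortState" = None        # pre-plug configuration, restored on linkdown


def handle_port_security_trap(port, mac):
    """Return 'regular' (normal device handling applies) or 'floating' (port reconfigured)."""
    entry = FLOATING_DEVICES.get(mac.lower())
    if entry is None:
        return "regular"
    if port.floating_mac is not None:
        return "floating"            # already reconfigured; MACs behind the device are allowed
    port.saved = replace(port, saved=None)
    port.port_security = False
    port.pvid = int(entry["pvid"])
    if entry["trunkPort"].lower() == "yes":
        port.trunk = True
        port.tagged_vlans = tuple(int(v) for v in entry["taggedVlan"].split(",") if v.strip())
    port.linkdown_traps = True       # the only way left to learn the device was unplugged
    port.floating_mac = mac.lower()
    return "floating"


def handle_linkdown_trap(port):
    """Restore the pre-plug configuration; False if no floating device was on this port."""
    if port.floating_mac is None or port.saved is None:
        return False
    for name, value in vars(port.saved).items():
        setattr(port, name, value)
    port.floating_mac, port.saved = None, None
    return True


if __name__ == "__main__":
    port = PortState()
    print(handle_port_security_trap(port, "00:11:22:33:44:55"), port)
    print(handle_linkdown_trap(port), port)
```

The saved copy is what makes the unplug path safe: without it a linkdown trap could only guess at the original VLAN and port-security settings.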
OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, *.googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: by allowing OAuth through Facebook, devices still sitting in the registration VLAN are given access to Facebook and its CDN domains before they are registered. The same holds for the authorized domains of every other provider you enable.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter in the authorization URL. If you modify that URL, make sure to keep the state parameter at the end of it.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.

Keep both lists as narrow as the provider requires: every name that matches a wildcard entry opens a hole to whatever address it resolves to, so a broad wildcard on a shared CDN domain lets unregistered devices reach far more than the login page.
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.

Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly, and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks, because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks, and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note: PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support VLAN ACLs, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence. Keep in mind that the SoH is self-reported by the client's NAP agent: it is a compliance signal, not something a compromised client cannot forge.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh = yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example; note that sc requires a space after each "="):

sc config napagent start= auto
sc start napagent

REM Wired 802.1X
sc config dot3svc start= auto depend= napagent
sc start dot3svc

netsh nap client show config

REM get the ID value for the "EAP Quarantine Enforcement Client" from the output above and use it as $ID
netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note: you may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria, like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN

[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

Note that the rule of the second example references the [open] condition defined with it, not [ssid] from the first example (which requires SECURE), and that section names are unique within the file: if you put the second and third examples in the same vlan_filters.conf, rename one of the two [igmout] conditions.

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria, like:

- node_info.$attribute
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.$attribute
- radius_request.$attribute
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically; the "!" in the rule name negates the [violation] condition):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
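The following is an added example, not PacketFence code, serving both the VLAN Filter Definition and the RADIUS Filter Definition sections: a small evaluator for the rule style used in vlan_filters.conf and radius_filters.conf. It parses the INI-style conditions and rules, evaluates them against a request context and returns either the role (VLAN filter scopes) or the RADIUS answer, honouring merge_answer and $variable substitution (RADIUS filter scope). Only the operators used on this page (is, defined) and the time window syntax shown are implemented; the RULES text, the context layout produced by sample_context and the first-match-wins ordering are assumptions of this example.

```python
import configparser
import re
from datetime import datetime

# Constructed rule set in the style of the examples above (conditions, then rules)
RULES = """
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[2:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep/$session_id
"""

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def load_rules(text=RULES):
    """Split sections into conditions ([name]) and rules ([N:expression])."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    conds = {s: dict(cp[s]) for s in cp.sections() if ":" not in s}
    rules = [(s.split(":", 1)[1], dict(cp[s])) for s in cp.sections() if ":" in s]
    return conds, rules


def lookup(ctx, path):
    """Resolve a dotted path such as node_info.category or switch._portalURL."""
    cur = ctx
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur


def parse_clock(text):
    hour, meridian = re.fullmatch(r"(\d{1,2})(am|pm)", text).groups()
    return int(hour) % 12 + (12 if meridian == "pm" else 0)


def time_matches(spec, now):
    """Evaluate 'wd {Mon ... Fri} hr {11am-2pm}'; the end of the hour range is exclusive."""
    wd = re.search(r"wd\s*\{([^}]*)\}", spec)
    hr = re.search(r"hr\s*\{(\d+[ap]m)-(\d+[ap]m)\}", spec)
    if wd and DAYS[now.weekday()] not in wd.group(1).split():
        return False
    if hr and not parse_clock(hr.group(1)) <= now.hour < parse_clock(hr.group(2)):
        return False
    return True


def cond_matches(cond, ctx):
    if cond["filter"] == "time":
        return time_matches(cond["value"], ctx["time"])
    actual = lookup(ctx, cond["filter"])
    if cond["operator"] == "defined":
        return actual is not None
    if cond["operator"] == "is":
        return actual is not None and str(actual) == cond["value"]
    raise ValueError("unsupported operator: " + cond["operator"])


def expr_matches(expr, conds, ctx):
    """'&' binds tighter than '|'; a leading '!' negates a single condition."""
    for alternative in expr.split("|"):
        terms = [t.strip() for t in alternative.split("&")]
        if all(cond_matches(conds[t.lstrip("!")], ctx) != t.startswith("!") for t in terms):
            return True
    return False


def substitute(text, ctx):
    return re.sub(r"\$([A-Za-z_][\w.]*)", lambda m: str(lookup(ctx, m.group(1)) or ""), text)


def evaluate(scope, ctx, original_answer=None, rules_text=RULES):
    """Role for a VLAN filter scope, or the RADIUS answer for returnRadiusAccessAccept."""
    conds, rules = load_rules(rules_text)
    for expr, rule in rules:
        if rule.get("scope") != scope or not expr_matches(expr, conds, ctx):
            continue
        if scope != "returnRadiusAccessAccept":
            return rule.get("role")
        answer = dict(original_answer or {}) if rule.get("merge_answer") == "yes" else {}
        for key in sorted(k for k in rule if k.startswith("answer")):
            attr, value = rule[key].split("=>", 1)
            answer[attr.strip()] = substitute(value.strip(), ctx)
        return answer
    return original_answer if scope == "returnRadiusAccessAccept" else None


def sample_context(year, month, day, hour, **overrides):
    """Constructed request context; keyword overrides replace individual fields."""
    ctx = {"node_info": {"category": "default"}, "ssid": "SECURE",
           "time": datetime(year, month, day, hour), "connection_type": "Ethernet-EAP",
           "violation": None, "user_role": "staff",
           "switch": {"_portalURL": "https://portal.example.com"}, "session_id": "abc123"}
    ctx.update(overrides)
    return ctx


if __name__ == "__main__":
    monday_noon = sample_context(2016, 6, 6, 12)
    print(evaluate("RegisteredRole", monday_noon))
    print(evaluate("returnRadiusAccessAccept", monday_noon, {"Tunnel-Private-Group-Id": "20"}))
```

With merge_answer = no the matching rule replaces PacketFence's answer entirely, so an Access-Accept without the VLAN attributes is returned; with merge_answer = yes the Cisco-AVPair is added on top of them.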
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache (connecting directly to an IP address has the same effect as a cached answer).

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: if you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
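The following is an added example, not pfdns code, serving both the Passthrough section (DNS passthroughs versus Proxy passthroughs and their priority) and the DNS enforcement section (portal pointer versus external resolution): a model of the answer pfdns gives for a name. The portal address, the domain lists, the EXTERNAL_DNS table standing in for upstream resolution and the wildcard rule (a "*." pattern matches the apex and any subdomain) are all assumptions of this example.

```python
PORTAL_IP = "192.168.2.1"                                  # constructed captive portal address
PASSTHROUGHS = ["*.google.com", "accounts.youtube.com"]    # constructed Passthroughs entries
PROXY_PASSTHROUGHS = ["*.example.org", "www.google.com"]   # constructed Proxy Passthroughs (overlap on purpose)
EXTERNAL_DNS = {                                           # constructed stand-in for external resolution
    "google.com": "172.217.0.14",
    "www.google.com": "172.217.0.4",
    "accounts.youtube.com": "172.217.0.5",
    "www.example.org": "93.184.216.34",
    "www.evil.test": "203.0.113.9",
}


def matches(name, pattern):
    """Wildcard rule assumed here: '*.x' matches x itself and any name below it."""
    name, pattern = name.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        return name == apex or name.endswith("." + apex)
    return name == pattern


def in_list(name, patterns):
    return any(matches(name, p) for p in patterns)


def resolve(name, show_portal):
    """Return (answer_ip, action) for a query from one device.

    action is one of:
      'external'  - the device need not see the portal: resolve normally (DNS enforcement)
      'iptables'  - DNS passthrough: real address answered and a firewall hole punched
      'mod_proxy' - proxy passthrough: portal address answered, Apache proxies the site
      'portal'    - trapped: portal address answered"""
    real = EXTERNAL_DNS.get(name.lower().rstrip("."))
    if not show_portal:
        return real, "external"
    if in_list(name, PASSTHROUGHS):          # checked first: DNS passthroughs have priority
        return real, "iptables"
    if in_list(name, PROXY_PASSTHROUGHS):
        return PORTAL_IP, "mod_proxy"
    return PORTAL_IP, "portal"


if __name__ == "__main__":
    for query in ["www.google.com", "www.example.org", "www.evil.test"]:
        print(query, resolve(query, show_portal=True), resolve(query, show_portal=False))
```

The model makes the two bypasses in the text visible: the decision exists only inside this resolver, so a device that asks another DNS server, or already holds 203.0.113.9 in its cache, never hits the "portal" branch.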
Parked devices

In the event that you are managing a large registration network with devices that stay there (e.g. students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs. unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note: parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Chapter 13. Optional components

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence-compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version in the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5

Note: to benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.
OPSWATMetadefenderCloudItispossibletotriggerviolationsbasedonthreatlevelofdownloadedfilesusingtheMetadefenderCloudintegrationinconjunctionwiththeSuricataMD5extractionfeatureWithoutenteringinthedetailsherearethebasicstepstomakeitwork
FirstanOPSWATportalaccountisrequiredtomakeuseoftheAPISuchaccountcanbeobtainedthroughtheOPSWATportalhttpsportalopswatcom
OtherrequirementisaSuricataworkinginstallationbuiltwithlibnsslibnsprsupportasdescribedintheupperInstallationsection
AlongwiththeOPSWATAPIkeyforMetadefenderCloud(theycallitLicenseKey)andtheworkingSuricatainstallationsomeconfiguration(PacketFencebasedANDSuricatabased)isalsorequired
AssumingthatallthestepsforSuricataMD5extractionhavebeenfollowedherersquoswhattodonext
OntheSuricataserver(syslog-ngispreferredduetoeasierandmorepowerfulconfigurationIfnotinstalleditmightbeanidea)
Configureetcsyslog-ngsyslog-ngconfbyaddingthefollowingtoenablesendingMD5filestorelogentriestoPacketFence
PacketFence OPSWAT Metadefender Cloud integration This line specifies where the files-jsonlog file is located -gt Make sure to configure the right path along with the right filenamesource s_suricata_files file(MY_SURICATA_LOG_FILES_PATHfiles-jsonlog program_override(suricata_files) flags(no-parse)) This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -gt Make sure to configure the right PacketFence management interface IP addressdestination d_packetfence udp(PACKETFENCE_MGMT_IP port(514)) This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destinationlog source(s_suricata_files) destination(d_packetfence)
A restart of the syslog-ng daemon is required:
Chapter 13: Optional components. Copyright © 2016 Inverse inc.
service syslog-ng restart
On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of the Suricata MD5 filestore log entries:
if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/suricata_files
Restart the rsyslog daemon:
service rsyslog restart
At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.
The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.
The configuration of a new syslog parser should use the following:
Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files
The configuration of a new violation can use the following trigger types:
Type: metascan
Triggers ID: The scan result returned by Metadefender Cloud online
Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata
Security Onion
Installation and Configuration
Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
PacketFence integration
Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.
The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):
On the Security Onion server:
Note
Must be done on the master server running sguild.
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:
# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };
A restart of the syslog-ng daemon is then required:
service syslog-ng restart
On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of the Security Onion sguild log entries:
if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/securityonion_ids
Restart the rsyslog daemon:
service rsyslog restart
At this point, Security Onion should be able to send the detected alerts log entries to PacketFence.
The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full usage of the Security Onion IDS integration.
The configuration of a new syslog parser should use the following:
Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids
The configuration of a new violation can use the following trigger types:
Type: detect
Triggers ID: The IDS triggered rule ID
Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of a Violation.
PacketFence violations are configured in Configuration → Violations.
The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.
Violation definition
First, you need to configure the violation definition:
Where:
Enabled is whether or not the violation is currently activated (should be ON).
Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
Description is the user friendly description of the violation.
Actions is the list of actions to be executed when this violation is raised:
Unregister node will unregister the node.
Send email to owner will email the violation details to the owner of the device. This will only work if the person has its email field populated.
Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by a comma.
Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
Log message will log the violation in the log file defined in [alerting].log.
External command will execute a command on the operating system when this violation is raised.
Close a violation will close an existing violation for this device when this one is raised.
Set role will modify the role of the device.
Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
Priority defines the order in which violations should be handled, should there be more than one for a device.
Whitelisted Roles is the list of roles that are not affected by this violation.
Triggers
Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using MAC OS X; a device that has been detected as being a rogue DHCP.
Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.
A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.
Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.
Next hit the < button, then the + to add another trigger.
Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.
Remediation
Next, in the Remediation tab, you can configure the behavior when a client gets isolated:
Where:
Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or to shut off their peer-to-peer application.
Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
Delay by is the delay before triggering the violation.
Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.
Advanced
In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
Compliance Checks
PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.
Installation
Nessus
Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.
After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.
Note
You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.
OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.
Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives the report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.
WMI
You just have to enable WMI on each Windows device with a GPO from Active Directory.
Configuration
In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:
Scanner Definition
First, go in Configuration and Scanner Definition.
Then add a scan.
There are common parameters for each scan engine:
Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration vlan
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic)
802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled
Specific to Nessus:
Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)
Specific to OpenVAS:
Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:
Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition
WMI Rules Definition
If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.
Go in Configuration → WMI Rules Definition.
There are already 3 rules defined:
Software_Installed
logged_user
Process_Running
Let's take the Software_Installed rule:
request: select * from Win32_Product
Rules Actions:
[Google]
attribute = Caption
operator = match
value = Google
[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
This rule will do the following:
retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matches, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.
The second one, logged_user:
request: select UserName from Win32_ComputerSystem
Rules Actions:
[UserName]
attribute = UserName
operator = match
value = (.*)
[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}
This rule will do the following:
retrieve the currently logged user on the device and register the device based on the user account.
The last one, Process_Running:
request: select Name from Win32_Process
Rules Actions:
[explorer]
attribute = Name
operator = match
value = explorer.exe
[1:explorer]
action = allow
This rule will do the following:
retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.
Rules syntax
The syntax of the rules is simple to understand:
the request is the SQL request you will launch on the remote device. You must know what the request will return in order to write the test.
Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).
The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare
Feel free to define multiple test blocs.
The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like this: [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
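To make the bloc logic concrete, here is an added Python example (not PacketFence's own code) that parses a Rules Actions block, runs its test blocs against constructed WMI result rows and evaluates the action-bloc expression with !, & and |; the sample rows and the memory test are constructed for the example.

```python
"""Evaluate WMI scan rules written in the Rules Actions syntax described above.
Example code added for this section; it is not PacketFence's implementation."""
import re

# Operators the test bloc allows; match / match_not are regular-expression searches.
OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "is_not": lambda actual, expected: actual != expected,
    "match": lambda actual, expected: re.search(expected, actual) is not None,
    "match_not": lambda actual, expected: re.search(expected, actual) is None,
}

def parse_rules(text):
    """Split a Rules Actions block into {test_name: test} and an ordered action list."""
    tests, actions, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        m = re.fullmatch(r"\[(\d+):(.+)\]", line)   # action bloc, e.g. [1:explorer]
        if m:
            current = {"order": int(m.group(1)), "expr": m.group(2)}
            actions.append(current)
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)        # test bloc, e.g. [explorer]
        if m:
            current = tests.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError("unexpected line: %r" % line)
        current[key.strip()] = value.strip()
    return tests, sorted(actions, key=lambda a: a["order"])

def run_test(test, rows):
    """A test bloc is true if any row returned by the WMI request satisfies it."""
    op = OPERATORS[test["operator"]]
    return any(op(str(row.get(test["attribute"], "")), test["value"]) for row in rows)

def eval_expr(expr, results):
    """Recursive-descent evaluation of !, & and | (with parentheses) over test results."""
    tokens = re.findall(r"\w+|[!&|()]", expr)

    def term():                  # term := '!' term | '(' disjunction ')' | NAME
        tok = tokens.pop(0) if tokens else None
        if tok == "!":
            return not term()
        if tok == "(":
            value = disjunction()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        if tok is None or tok in "&|)":
            raise ValueError("malformed expression %r" % expr)
        return results[tok]      # KeyError if the test bloc was never defined

    def conjunction():           # conjunction := term ('&' term)*
        value = term()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            value = term() and value
        return value

    def disjunction():           # disjunction := conjunction ('|' conjunction)*
        value = conjunction()
        while tokens and tokens[0] == "|":
            tokens.pop(0)
            value = conjunction() or value
        return value

    value = disjunction()
    if tokens:
        raise ValueError("trailing tokens in %r" % expr)
    return value

def matching_actions(rules_text, rows):
    """Return the action blocs whose expression holds for the given WMI result rows."""
    tests, actions = parse_rules(rules_text)
    results = {name: run_test(test, rows) for name, test in tests.items()}
    return [a for a in actions if eval_expr(a["expr"], results)]

# Constructed sample: rows as "select Name from Win32_Process" might return them, and a
# Rules Actions block reusing the google / explorer / memory names from the text above.
SAMPLE_ROWS = [{"Name": "explorer.exe"}, {"Name": "chrome.exe"}]
SAMPLE_RULES = """
[explorer]
attribute = Name
operator = match
value = explorer.exe
[google]
attribute = Name
operator = match
value = Google
[memory]
attribute = Name
operator = is
value = memcheck.exe
[1:!google|(explorer&memory)]
action = allow
"""
```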
Violations definition
You need to create a new violation section and have to specify:
Using Nessus:
trigger=Nessus::<violationId>
Using OpenVAS:
trigger=OpenVAS::<violationId>
Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:
$ pfcmd reload violations
Note
Violations will trigger if the plugin reports higher than a low severity vulnerability.
Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.
Hosting Nessus / OpenVAS remotely
Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
You just have to change the host value to the Nessus server IP.
RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.
Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:
Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]
Let's explain each chunk properly:
DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
INTERVAL: This is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).
Example triggers:
Look for Incoming (Download) traffic with a 50GB/month limit:
Accounting::IN50GB1M
Look for Outgoing (Upload) traffic with a 500MB/day limit:
Accounting::OUT500MB1D
Look for Total (Download + Upload) traffic with a 200GB limit in the last week:
Accounting::TOT200GB1W
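As an added example (not PacketFence's own code), the following Python parses a trigger in this format and checks constructed accounting records for one node against it; the window length assumed per interval unit (1, 7, 30 and 365 days for D, W, M and Y) is an assumption of the example.

```python
"""Parse and evaluate PacketFence accounting violation triggers.
Example code added for this section; it is not PacketFence's implementation."""
import re
from datetime import datetime, timedelta

# LIMIT units listed in the text (1024-based) and the INTERVAL units.
LIMIT_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Assumed window length per INTERVAL unit; a calendar-aware window is left out here.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(
    r"^Accounting::(?P<direction>IN|OUT|TOT)"
    r"(?P<amount>\d+)(?P<unit>B|KB|MB|GB|PB)"
    r"(?:(?P<count>\d+)(?P<iunit>[DWMY]))?$"
)

def parse_trigger(trigger):
    """Return the direction, the limit in bytes and the window (a timedelta or None)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not a valid Accounting trigger: %r" % trigger)
    window = None
    if m.group("count"):
        window = timedelta(days=int(m.group("count")) * INTERVAL_DAYS[m.group("iunit")])
    return {
        "direction": m.group("direction"),
        "limit_bytes": int(m.group("amount")) * LIMIT_UNITS[m.group("unit")],
        "window": window,
    }

def usage_bytes(records, direction, window, now):
    """Sum a node's accounting counters for one direction over the window ending at now."""
    total = 0
    for rec in records:
        if window is not None and rec["time"] < now - window:
            continue            # outside the interval the trigger looks at
        if direction == "IN":
            total += rec["in"]
        elif direction == "OUT":
            total += rec["out"]
        else:                   # TOT = download + upload
            total += rec["in"] + rec["out"]
    return total

def is_violated(trigger, records, now):
    """True when usage in the trigger's direction and window exceeds its limit."""
    t = parse_trigger(trigger)
    return usage_bytes(records, t["direction"], t["window"], now) > t["limit_bytes"]

# Constructed accounting records for one node: time, bytes downloaded (in), bytes uploaded (out).
NOW = datetime(2016, 6, 15, 12, 0, 0)
RECORDS = [
    {"time": NOW - timedelta(hours=5), "in": 30 * 1024 ** 3, "out": 600 * 1024 ** 2},
    {"time": NOW - timedelta(days=40), "in": 25 * 1024 ** 3, "out": 1 * 1024 ** 3},
]

if __name__ == "__main__":
    for trig in ("Accounting::IN50GB1M", "Accounting::IN50GB1Y",
                 "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        print(trig, "->", "violated" if is_violated(trig, RECORDS, NOW) else "within limit")
```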
Grace period
When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
Oinkmaster
Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.
Rules update
In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different accesses to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.
Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.
Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup
Caution
Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
[guests_self_registration]
guest_pid=email
preregistration=disabled
These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.
Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Self-registered guests are added under the Users tab of the PacketFence Web administration interface.
Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
Let's explain the meaning of each parameter:
DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
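An added Python example, not PacketFence's own implementation, that parses this format and computes the resulting expiry from a reference time; truncating a relative s/m/h period to the start of the current second/minute/hour, and the reference time itself, are assumptions of the example.

```python
"""Compute a guest's access expiry from a PacketFence access duration string.
Example code added for this section; it is not PacketFence's implementation."""
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")

def add_months(dt, n):
    """Shift dt by n calendar months (n may be negative), clamping the day of month."""
    total = dt.month - 1 + n
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def add_units(dt, n, unit):
    """Add n units of s/m/h/D/W/M/Y to dt."""
    if unit == "M":
        return add_months(dt, n)
    if unit == "Y":
        return add_months(dt, 12 * n)
    names = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}
    return dt + timedelta(**{names[unit]: n})

def period_start(dt, unit):
    """Beginning of the period unit containing dt; weeks start on Monday as the text says.
    Truncating s/m/h to the current second/minute/hour is an assumption made here."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)          # "Y"

def access_expiry(spec, now):
    """Expiry datetime for an access duration such as 12h, 1D or 1WR-1D, relative to now."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("invalid access duration: %r" % spec)
    duration, unit, base, op, ext, ext_unit = m.groups()
    # F: count from now. R: count from the beginning of the current period unit.
    start = period_start(now, unit) if base == "R" else now
    expiry = add_units(start, int(duration), unit)
    if base:                                    # optional extension part is present
        expiry = add_units(expiry, int(ext) if op == "+" else -int(ext), ext_unit)
    return expiry

# Constructed reference time for the demonstration (a Wednesday).
NOW = datetime(2016, 6, 15, 10, 30)

if __name__ == "__main__":
    for spec in "1h,3h,12h,1D,2D,3D,5D".split(",") + ["1WR-1D", "1MR+1D", "1MF+1D"]:
        print("%-8s -> %s" % (spec, access_expiry(spec, NOW)))
```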
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:
[guests_self_registration]
preregistration=enabled
This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.
Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.
Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
#
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name"| % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: TLS certificate validation is disabled for this call
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] of event 4726 holds the deleted account name
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General
Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New
Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4726
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings
At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.
Validate with Ok and give the account that will run this task (Usually DOMAIN\Administrator).
Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
#
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name"| % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: TLS certificate validation is disabled for this call
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] of event 4725 holds the disabled account name
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID:
Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General
Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New
Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4725
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings
At the bottom, select in the list: Run a new instance in parallel.
Validate with Ok and give the account that will run this task (Usually DOMAIN\Administrator).
Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
#
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name"| % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: TLS certificate validation is disabled for this call
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] of event 4740 holds the locked account name
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General
Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New
Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing.
Event ID: 4740
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings
At the bottom, select in the list: Run a new instance in parallel.
Validate with Ok and give the account that will run this task (Usually DOMAIN\Administrator).
DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.
Microsoft DHCP sensor
You will first need to download and install WinPcap, available from: http://www.winpcap.org/install/
You will also need to download and install the Microsoft Visual C++ 2010 Redistributable, available from: http://www.microsoft.com/download/details.aspx?id=5555
Note
You absolutely need to install the 32-bit version of the Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First, download and unzip nssm from https://nssm.cc/download
Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:
C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000
Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list the interfaces).
Then run: nssm install udpreflector
In Application:
In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing
In Details:
In Startup type, select Automatic
In Log on:
In Log on as, select Local System account
Then press Install service.
The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor
First, download the RPM on your DHCP server.
CentOS 6 and 7 servers
For CentOS 6:
# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
For CentOS 7:
# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
Now install the sensor:
rpm -i udp-reflector-*.rpm
Compiling the sensor from source on a Linux system
First, make sure you have the following packages installed:
libpcap libpcap-devel gcc-c++
Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap
Configuring the sensor
Place the following line in /etc/rc.local:
# where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l)
# where 192.168.1.5 is the management IP of your PacketFence server
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &
Start the sensor:
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &
The DHCP traffic should now be reflected on your PacketFence server.
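To confirm that the reflected copy really carries what PacketFence keys on (client MAC, message type, hostname), here is a small DHCP decoder that can be run on the PacketFence side. It is an added example, not part of the guide or of PacketFence; the sample packet is constructed, and the listen() helper assumes the reflector's destination port (67) is free on the host it runs on.

```python
"""Decode DHCP datagrams arriving from a udp_reflector sensor (added example,
not part of the guide or of PacketFence). The packet is constructed here;
on a real server replace it with the bytes read from the socket."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # start of the options field (RFC 2131)
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MESSAGE_TYPE = 12, 50, 53
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(data):
    """Walk the TLV option list; stop cleanly on END or a truncated option."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(data):
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                                  # option body cut off
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(data):
    """Return the fields PacketFence keys on, or None if this is not DHCP."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        return None
    op, htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    if hlen > 16:
        return None                                # chaddr field is only 16 bytes
    addrs = [socket.inet_ntoa(data[o:o + 4]) for o in (12, 16, 20, 24)]
    chaddr = data[28:28 + hlen]
    options = parse_options(data[240:])
    mtype = options.get(OPT_MESSAGE_TYPE)
    req = options.get(OPT_REQUESTED_IP)
    return {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "UNKNOWN"),
        "htype": htype,
        "xid": xid,
        "mac": ":".join("%02x" % b for b in chaddr),
        "ciaddr": addrs[0], "yiaddr": addrs[1], "giaddr": addrs[3],
        "message_type": MESSAGE_TYPES.get(mtype[0], "UNKNOWN") if mtype else None,
        "hostname": options.get(OPT_HOSTNAME, b"").decode("ascii", "replace") or None,
        "requested_ip": socket.inet_ntoa(req) if req and len(req) == 4 else None,
    }


def build_discover(mac, xid, hostname):
    """Construct a minimal DHCPDISCOVER for testing the decoder offline."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)   # BOOTREQUEST, Ethernet
    fixed += b"\x00" * 16                                        # ciaddr .. giaddr
    fixed += mac + b"\x00" * 10                                  # chaddr padded to 16 bytes
    fixed += b"\x00" * 192                                       # sname + file
    opts = (MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, 1])
            + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
            + bytes([OPT_END]))
    return fixed + opts


def listen(bind_ip="0.0.0.0", port=67, count=5):
    """Decode the next `count` datagrams reflected to this host (port 67 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        for _ in range(count):
            data, (src, _sport) = s.recvfrom(4096)
            print(src, parse_dhcp(data))


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("525400123502"), 0x1234ABCD, "laptop-01")
    print(parse_dhcp(pkt))
```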
Switch login access
PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
From the PacketFence web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write" and assign this role to an internal user, or in an Administration rule in an internal source.
Operating System Best Practices
IPTables
IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.
Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend to use logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.
Performance optimization
SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:
[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
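The following is an added illustration of the per-port rate limit described above, written for this page and not taken from PacketFence: it reads a [vlan] fragment in the same format, keeps a one-minute sliding window of trap timestamps per (switch, ifIndex), and reports which actions to take when the threshold is exceeded. The switch address, ifIndex values and the comma-separated action list are constructed assumptions.

```python
"""Per-switch-port SNMP trap rate limiting in the spirit of the [vlan] trap_limit
settings (added example, not PacketFence code). Switch IP, ifIndex and the
action-list syntax are constructed assumptions."""
import configparser
from collections import defaultdict, deque

# Constructed pf.conf fragment; the actions are assumed to be a comma-separated
# list (the real trap_limit_action syntax is not shown on this page)
PF_CONF = """
[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action = email,shut
"""


def load_trap_limit(text):
    """Read the trap limit settings from a pf.conf-style [vlan] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    vlan = cp["vlan"]
    actions = vlan.get("trap_limit_action", "")
    return {
        "enabled": vlan.get("trap_limit", "disabled").strip().lower() == "enabled",
        "threshold": vlan.getint("trap_limit_threshold", 100),
        "actions": [a.strip() for a in actions.split(",") if a.strip()],
    }


class TrapLimiter:
    """Sliding one-minute window of trap timestamps per (switch, ifIndex)."""

    def __init__(self, settings, window=60.0):
        self.enabled = settings["enabled"]
        self.threshold = settings["threshold"]
        self.actions = list(settings["actions"])
        self.window = window
        self.seen = defaultdict(deque)   # (switch_ip, if_index) -> trap timestamps
        self.flagged = set()             # ports currently over the limit

    def record(self, switch_ip, if_index, now):
        """Register one trap and return the actions to take for it.

        Empty while the port stays within the threshold. The trap that pushes
        the count over the threshold returns ["log"] plus the configured
        actions; later traps in the same burst return only ["log"] so the port
        is not shut or emailed about repeatedly.
        """
        if not self.enabled:
            return []
        key = (switch_ip, if_index)
        stamps = self.seen[key]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:   # expire old traps
            stamps.popleft()
        if len(stamps) <= self.threshold:
            self.flagged.discard(key)                      # burst is over
            return []
        if key in self.flagged:
            return ["log"]
        self.flagged.add(key)
        return ["log"] + self.actions


def simulate(limiter, switch_ip, if_index, count, start, spacing):
    """Feed `count` evenly spaced traps; return the actions of the last one."""
    result = []
    for i in range(count):
        result = limiter.record(switch_ip, if_index, start + i * spacing)
    return result


if __name__ == "__main__":
    lim = TrapLimiter(load_trap_limit(PF_CONF))
    print(simulate(lim, "192.168.1.10", 12, 100, 0.0, 0.3))  # [] still within the limit
    print(lim.record("192.168.1.10", 12, 30.5))             # ['log', 'email', 'shut']
```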
MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load:
uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:
iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880
As you can see, the load is 1.25 and IOWait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:
mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |
PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.
Shutdown PacketFence and MySQL:
/etc/init.d/packetfence stop
Shutting down PacketFence... [...]
/etc/init.d/mysql stop
Stopping MySQL: [ OK ]
Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON
Startup MySQL and PacketFence:
/etc/init.d/mysqld start
Starting MySQL: [ OK ]
/etc/init.d/packetfence start
Starting PacketFence... [...]
Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:
uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240
MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:
/usr/local/bin/pftest mysql
Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.
Avoid "Too many connections" problems
In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.
Avoid "Host <hostname> is blocked" problems
In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:
Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
Captive Portal Optimizations
Avoid captive portal overload due to non-browser HTTP requests
By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204
The last block defines the relationship between the tests and the desired action. For example:
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
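To make the test/rule relationship concrete, here is an added evaluator (written for this page, not PacketFence's own implementation) that loads the two tests and the rule above in their file syntax and applies them to sample requests. It assumes `match` is a regular-expression search and `match_not` its negation, and that tests in a rule header joined by `&` must all pass; the request dicts are constructed.

```python
"""Evaluate apache_filters.conf-style tests and rules against HTTP requests
(added example, not PacketFence's implementation). Assumes `match` is a
regular-expression search and `match_not` its negation; the request dicts
used below are constructed."""
import configparser
import re

# The two tests and the rule from the text, in the file's own syntax
FILTERS_CONF = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""


def load_filters(text):
    """Split sections into tests (plain names) and rules (name:test1&test2...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, rules = {}, []
    for name in cp.sections():
        body = dict(cp[name])
        if ":" in name:
            rule_name, expr = name.split(":", 1)
            rules.append({
                "name": rule_name.strip(),
                "tests": [t.strip() for t in expr.split("&")],
                "action": body.get("action", ""),
                "redirect_url": body.get("redirect_url", ""),
            })
        else:
            tests[name] = body
    for rule in rules:                     # fail early on a dangling test name
        for t in rule["tests"]:
            if t not in tests:
                raise ValueError("rule %s references unknown test %s" % (rule["name"], t))
    return tests, rules


def run_test(test, request):
    """True if the request satisfies one [test] block."""
    wanted = test.get("method", "")
    if wanted and wanted.upper() != request.get("method", "").upper():
        return False
    subject = request.get(test["filter"], "") or ""
    hit = re.search(test["value"], subject) is not None
    if test["operator"] == "match":
        return hit
    if test["operator"] == "match_not":
        return not hit
    raise ValueError("unsupported operator: %s" % test["operator"])


def evaluate(tests, rules, request):
    """Return (action, redirect_url) of the first rule whose tests all pass, else None."""
    for rule in rules:
        if all(run_test(tests[t], request) for t in rule["tests"]):
            return rule["action"], rule["redirect_url"]
    return None


if __name__ == "__main__":
    tests, rules = load_filters(FILTERS_CONF)
    android = {"method": "GET", "uri": "/", "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)"}
    print(evaluate(tests, rules, android))   # ('501', '')
```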
Dashboard Optimizations (statistics collection)
The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.
First, add a disk in your virtual machine or baremetal server and reboot (this example will use /dev/sdb as the new device).
Make sure packetfence is stopped:
service packetfence stop
Create an ext4 partition:
mkfs.ext4 /dev/sdb
Then move the old databases to a backup point:
mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak
Mount your new disk and check that it is mounted:
echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h
Apply the proper user rights and restore your database from your backup:
chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/
Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:
rm -fr /usr/local/pf/var/graphite.bak
Additional Information
For more information, please consult the mailing archives or post your questions to it. For details, see:
- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/ for details.
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools
pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
  cache                       | manage the cache subsystem
  checkup                     | perform a sanity checkup and report any problems
  class                       | view violation classes
  configfiles                 | push or pull configfiles into/from database
  configreload                | reload the configution
  floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
  help                        | show help for pfcmd commands
  ifoctetshistorymac          | accounting history
  ifoctetshistoryswitch       | accounting history
  ifoctetshistoryuser         | accounting history
  import                      | bulk import of information into the database
  ipmachistory                | IP/MAC history
  locationhistorymac          | Switch/Port history
  locationhistoryswitch       | Switch/Port history
  networkconfig               | query/modify network configuration parameters
  node                        | manipulate node entries
  pfconfig                    | interact with pfconfig
  portalprofileconfig         | query/modify portal profile configuration parameters
  reload                      | rebuild fingerprint or violations tables without restart
  service                     | start/stop/restart and get PF daemon status
  schedule                    | Nessus scan scheduling
  switchconfig                | query/modify switches.conf configuration parameters
  version                     | output version information
  violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.
The node view option shows all information contained in the node database table for a specified MAC address:
/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:
Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACS on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias                switch port description
  -ifAdminStatus        ifAdminStatus
  -ifIndex              switch port ifIndex
  -mac                  MAC address
  -showPF               show additional information available in PF
  -switch               switch description
  -verbose              log verbosity level
                          0 : fatal messages
                          1 : warn messages
                          2 : info messages
                          3 : debug
                          4 : trace
  -vlan                 VLAN id
  -vlanName             VLAN name (as in switches.conf)
About this Guide
This guide will walk you through the installation and the day to day administration of the PacketFence solution.
The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
The following documents are included in the package and release tarballs:
- Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration
- Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware
- CREDITS: This is, at least, a partial file of PacketFence contributors
- NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release
- UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading
- ChangeLog: Covers all changes to the source code
Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
Features
Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.
In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.
Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.
Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous
environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.
Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system.
Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
Depending on your setup you may have to install additional components like:
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architectures:
- RedHat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
RedHat-based systems
Note
Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x
Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
RedHat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from RedHat, you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL / CentOS
In order to use the PacketFence repository:
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator
Debian
For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of:
- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name, password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows, Mac OS X and Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X-capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to the WLAN AP and transmits its MAC address. If the user accesses the network via a device already registered in PacketFence, go to 8.
2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. The PacketFence server conducts an address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. The PacketFence server directs the WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration; alternatively, a registration VLAN can be used, in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), based on which it can take various actions, including: keep the device on the registration portal, direct it to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the requested information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/re-authorized, so we go back to 1.
8. The PacketFence server directs the WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal VLAN".
Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN but the PC doesn't redo DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
Chapter 8
Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

    ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put under the inline enforcement technique rather than VLAN enforcement, and SSID an SSID name. An example:

    SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and likewise the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
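To make the trigger semantics concrete, here is an added example (not PacketFence code) that parses a trigger string of the form shown above and decides, for a given connection, whether inline enforcement applies. The Connection class and the sample values in the test are constructed for illustration; PacketFence's own evaluation lives in the switch module and is not reproduced here.

```python
"""Evaluate a hybrid-mode inline trigger string.

Added example, not PacketFence code. It models the "Trigger to enable inline
mode" switch parameter described above: a comma-separated list of
TYPE::VALUE entries where TYPE is ALWAYS, PORT, MAC or SSID.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

TRIGGER_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated form, so '00-11-22-33-44-55' and
    '001122334455' compare equal to '00:11:22:33:44:55'."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_trigger(spec: str) -> list[tuple[str, str]]:
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into
    [('SSID', 'GuestAccess'), ('MAC', '00:11:22:33:44:55')].

    Unknown trigger types are rejected rather than ignored: a typo would
    otherwise silently leave a device under VLAN enforcement."""
    triggers: list[tuple[str, str]] = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw.upper() == "ALWAYS":
            triggers.append(("ALWAYS", ""))
            continue
        if "::" not in raw:
            raise ValueError(f"malformed trigger entry: {raw!r}")
        ttype, value = raw.split("::", 1)
        ttype = ttype.strip().upper()
        if ttype not in TRIGGER_TYPES:
            raise ValueError(f"unknown trigger type: {ttype!r}")
        if ttype == "MAC":
            value = normalize_mac(value)
        elif ttype == "PORT":
            value = str(int(value))  # the ifIndex must be numeric
        else:
            value = value.strip()
        triggers.append((ttype, value))
    return triggers


@dataclass
class Connection:
    """Constructed view of one access request: the attributes a trigger can match."""
    mac: str
    ssid: Optional[str] = None
    if_index: Optional[int] = None


def is_inline(spec: str, conn: Connection) -> bool:
    """True when any trigger matches, i.e. the node gets inline enforcement
    (void/inline VLAN); False means the normal VLAN assignment applies."""
    mac = normalize_mac(conn.mac)
    for ttype, value in parse_trigger(spec):
        if ttype == "ALWAYS":
            return True
        if ttype == "MAC" and value == mac:
            return True
        if ttype == "SSID" and conn.ssid is not None and value == conn.ssid:
            return True
        if ttype == "PORT" and conn.if_index is not None and value == str(conn.if_index):
            return True
    return False
```

The MAC is normalized before comparison because switches and controllers report it in different notations; comparing the raw strings would let a device slip out of inline mode simply because the RADIUS client wrote the address with dashes.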
Chapter 9
Configuration

At this point in the documentation, PacketFence should be installed. You should also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443/

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. Roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. Authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or for the user using it.
3. Network devices - once your roles and authentication sources are defined, you must add the switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are mapped to VLANs, ACLs or external roles.
4. Portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. Test!

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, in the Configuration → Users → Roles section. From this interface, you can also limit the number of devices that users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth2)
- Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, in the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all its actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
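The ordering semantics described above (sources in order, rules in order, a rule without conditions acting as a catch-all, and the first matching rule ending the search across all sources) are easy to get wrong when several sources overlap. The following added example, which is not PacketFence code, models that evaluation over constructed sample data: an "ad1" source with a conditional rule and a catch-all, followed by a local guest source. The directory contents, the condition operators and the action names are constructed for illustration; note in particular that a catch-all rule only fires for usernames the source actually knows, as the note above describes for AD/LDAP sources.

```python
"""First-match-wins evaluation of authentication sources and rules.

Added example, not PacketFence code. Sources are tried in order, each
source's rules in order; a rule with no conditions is a fallback
(catch-all); the first rule whose conditions all match ends the search.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    # Each condition is (attribute, operator, value); two operators suffice here.
    conditions: list[tuple[str, str, str]] = field(default_factory=list)
    actions: dict[str, str] = field(default_factory=dict)

    def matches(self, attrs: dict[str, str]) -> bool:
        """No conditions means fallback: always matches for a known user."""
        for attr, op, expected in self.conditions:
            actual = attrs.get(attr)
            if actual is None:
                return False
            if op == "equals":
                ok = actual == expected
            elif op == "starts":
                ok = actual.startswith(expected)
            else:
                raise ValueError(f"unsupported operator {op!r}")
            if not ok:
                return False
        return True


@dataclass
class Source:
    name: str
    # Constructed stand-in for the directory/database lookup: returns the
    # user's attributes when the username exists in this source, else None.
    lookup: Callable[[str], Optional[dict[str, str]]]
    rules: list[Rule] = field(default_factory=list)


def authorize(sources: list[Source], username: str) -> Optional[dict[str, str]]:
    """Return the actions of the first matching rule, tagged with the source
    and rule that produced them, or None when nothing matched."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue  # unknown username here: even a catch-all must not fire
        for rule in source.rules:
            if rule.matches(attrs):
                result = dict(rule.actions)
                result["_source"] = source.name
                result["_rule"] = rule.name
                return result
    return None


# Constructed directory contents (sample data, not a real AD or database).
AD_USERS = {
    "jdoe": {"sAMAccountName": "jdoe", "memberOf": "CN=IT,OU=Groups,DC=acme,DC=local"},
    "asmith": {"sAMAccountName": "asmith", "memberOf": "CN=Sales,OU=Groups,DC=acme,DC=local"},
}
LOCAL_GUESTS = {"guest42": {"username": "guest42"}}

SOURCES = [
    Source(
        name="ad1",
        lookup=lambda u: AD_USERS.get(u),
        rules=[
            # conditional rule first: IT staff get a dedicated role
            Rule("it_staff", [("memberOf", "starts", "CN=IT,")],
                 {"set_role": "it", "set_unregdate": "2020-01-01"}),
            # catch-all rule, as in the employees example above
            Rule("employees", [], {"set_role": "employee", "set_unregdate": "2020-01-01"}),
        ],
    ),
    Source(
        name="local",
        lookup=lambda u: LOCAL_GUESTS.get(u),
        rules=[Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"})],
    ),
]
```

Because the catch-all in "ad1" precedes the local source, a username present in both would always be handled by AD; if guests must take precedence, the local source has to be placed first, which is exactly what the drag-and-drop ordering in the GUI controls.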
External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result: should be 1 for success, 0 for failure
- message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}
Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

    {"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL, relative to the host, to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL, relative to the host, to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
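As an added illustration of the two actions and the reply formats described above, here is a minimal external API written for this guide; it is not the example_external_auth add-on shipped with PacketFence. It assumes the POST fields are named "username" and "password" (the guide does not name them; check what your PacketFence version actually sends), serves the actions at /auth and /authz (to be entered as the Authentication and Authorization URLs of the HTTP source), and uses a constructed in-memory user store in place of a real directory.

```python
"""Minimal external HTTP authentication API for a PacketFence HTTP source.

Added example, not PacketFence's example_external_auth add-on.
Assumptions: POST fields 'username' and 'password'; actions at /auth and
/authz; HTTP basic auth (RFC 2617) with the API username/password that the
HTTP source is configured with.
"""
from __future__ import annotations

import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed credential store; a real API would query a directory.
USERS = {
    "alice": ("s3cret", {"category": "employee", "access_duration": "1D"}),
    "bob": ("hunter2", {"category": "guest", "unregdate": "2030-01-01"}),
}
# API username/password configured in the HTTP source (constructed values).
API_USER, API_PASS = "pf", "api-pass"
# Only the reply attributes the guide lists are ever sent back.
ALLOWED_AUTHZ = {"access_duration", "access_level", "sponsor", "unregdate", "category"}


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value a client sends for RFC 2617 basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: str | None) -> bool:
    """Verify the API credentials; constant-time compare avoids timing leaks."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except Exception:
        return False
    return (hmac.compare_digest(user.encode(), API_USER.encode())
            and hmac.compare_digest(pw.encode(), API_PASS.encode()))


def authenticate(fields: dict[str, str]) -> dict:
    """Authentication action: {'result': 1|0, 'message': reason}."""
    entry = USERS.get(fields.get("username", ""))
    supplied = fields.get("password", "").encode()
    if entry is None or not hmac.compare_digest(entry[0].encode(), supplied):
        # same message for unknown user and wrong password: no user enumeration
        return {"result": 0, "message": "Invalid username or password"}
    return {"result": 1, "message": "Valid username and password"}


def authorize(fields: dict[str, str]) -> dict:
    """Authorization action: return only the attributes we have for this user."""
    entry = USERS.get(fields.get("username", ""))
    if entry is None:
        return {}
    return {k: v for k, v in entry[1].items() if k in ALLOWED_AUTHZ}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = parse_qs(self.rfile.read(length).decode())
        fields = {k: v[0] for k, v in body.items()}
        if self.path == "/auth":
            reply = authenticate(fields)
        elif self.path == "/authz":
            reply = authorize(fields)
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Plain HTTP on localhost for the demo; put TLS in front of it in practice,
    # since the API username/password and user passwords travel in the body.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With this running, an HTTP source with Host http://127.0.0.1:8080, Authentication URL auth and Authorization URL authz, and the API username/password set to the values above, would receive the two JSON replies shown earlier in this section.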
SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go to Configuration → Sources, then create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated with the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred to the server above (should be /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go to Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate in controlling what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal-role-to-external-role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
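Since several of the switches.conf parameters described in this section (the working mode, radiusSecret, the SNMP version, the CLI and web-services transports, and the <rolename>Role mappings) decide how much a compromised network path can reveal, it is worth checking them across all switch sections rather than one at a time in the GUI. The following is an added example, not a PacketFence tool: it parses a constructed switches.conf sample, applies the [default] fallback, collects the role mappings, and reports weak or missing settings. The keys SNMPVersion, SNMPVersionTrap, radiusSecret, cliTransport, wsTransport and the <rolename>Role form are the ones documented above; the keys "mode" (working mode) and "type" (vendor/type) are assumed names for this example and should be checked against your own switches.conf.

```python
"""Audit a PacketFence switches.conf for weak or missing settings.

Added example, not a PacketFence tool. Keys SNMPVersion, SNMPVersionTrap,
radiusSecret, cliTransport, wsTransport and <rolename>Role come from the
guide; 'mode' and 'type' are assumed key names for this example.
"""
from __future__ import annotations

import configparser
import re

# Constructed sample file; section names are switch IPs, as in the guide.
SAMPLE_CONF = """\
[default]
mode = production
SNMPVersion = 2c
radiusSecret =

[192.168.0.10]
type = Cisco::Catalyst_2960
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPPrivProtocolRead = AES
radiusSecret = secretPassPhrase
cliTransport = SSH
adminRole = full-access
salesRole = little-access

[192.168.0.11]
type = Cisco::Catalyst_2960
mode = testing
cliTransport = Telnet
wsTransport = http
"""

ROLE_KEY = re.compile(r"^(?P<role>[A-Za-z0-9_]+)Role$")


def load(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: SNMPVersion, adminRole, ...
    cp.read_string(text)
    return cp


def effective(cp: configparser.ConfigParser, section: str, key: str) -> str:
    """Per-switch value, falling back to [default] as switches.conf does."""
    if cp.has_option(section, key):
        return cp.get(section, key).strip()
    if cp.has_option("default", key):
        return cp.get("default", key).strip()
    return ""


def role_map(cp: configparser.ConfigParser, section: str) -> dict[str, str]:
    """Collect <rolename>Role=<controller_role> mappings for one switch."""
    roles = {}
    for key, value in cp.items(section):
        m = ROLE_KEY.match(key)
        if m:
            roles[m.group("role")] = value.strip()
    return roles


def audit(text: str) -> dict[str, list[str]]:
    """Findings per switch section; an empty list means nothing was flagged."""
    cp = load(text)
    findings: dict[str, list[str]] = {}
    for sw in cp.sections():
        if sw == "default":
            continue
        issues = []
        if effective(cp, sw, "SNMPVersion") != "3":
            issues.append("SNMP v1/v2c: community strings travel in clear text")
        if effective(cp, sw, "radiusSecret") == "":
            issues.append("no radiusSecret: RADIUS and CoA (RFC 3576) unusable")
        if effective(cp, sw, "cliTransport").lower() == "telnet":
            issues.append("cliTransport=Telnet: CLI credentials sent unencrypted")
        if effective(cp, sw, "wsTransport").lower() == "http":
            issues.append("wsTransport=http: web-services credentials sent unencrypted")
        mode = effective(cp, sw, "mode")
        if mode != "production":
            issues.append(f"mode={mode or '(unset)'}: no VLAN changes will be applied")
        findings[sw] = issues
    return findings


if __name__ == "__main__":
    for switch, issues in audit(SAMPLE_CONF).items():
        print(switch, "roles:", role_map(load(SAMPLE_CONF), switch))
        for issue in issues:
            print("  -", issue)
```

Run against your own file (read it instead of SAMPLE_CONF), the interesting output is usually the switches that silently inherit a v2c SNMPVersion or an empty radiusSecret from [default]; those are the ones the Testing/Registration modes described above would not exercise before going to production.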
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one the user is redirected to. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name, since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website, as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, in the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy the templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: Network in CIDR format, or an IP address

Caution: Node role will take effect only with an 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
- httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced at any time by your third-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go to the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator.
- Password is the password for the username defined above.
Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains.

Once they are configured, go to Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, they will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated with this realm.

Now create the two other realms associated with your other domains.

You should now have the following realm configuration.
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:
service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
	User-Name = "myDomainUser"
	NAS-IP-Address = 10.0.0.1
	NAS-Port = 12
	Message-Authenticator = 0x00000000000000000000000000000000
	MS-CHAP-Challenge = 0x79d62c9da4e55104
	MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your user's entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP, you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
ldap openldap {
	server = "ldap.acme.com"
	identity = "uid=admin,dc=acme,dc=com"
	password = "password"
	basedn = "dc=district,dc=acme,dc=com"
	filter = "(uid=%{mschap:User-Name})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
	}
	dictionary_mapping = ${confdir}/ldap.attrmap
	edir_account_policy_check = no
	keepalive {
		# LDAP_OPT_X_KEEPALIVE_IDLE
		idle = 60
		# LDAP_OPT_X_KEEPALIVE_PROBES
		probes = 3
		# LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = 3
	}
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
	suffix
	ntdomain
	eap {
		ok = return
	}
	files
	openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note

This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line "packetfence-local-auth" and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
	# Disable ntlm_auth
	update control {
		&MS-CHAP-Use-NTLM-Auth := No
	}
	# Check password table for local user
	pflocal
	if (fail || notfound) {
		# Check password table with email and password for a sponsor registration
		pfguest
		if (fail || notfound) {
			# Check password table with email and password for a guest registration
			pfsponsor
			if (fail || notfound) {
				# Don't check activation table with phone number and PIN code
				# pfsms   <--- This line was commented out
				if (fail || notfound) {
					update control {
						&MS-CHAP-Use-NTLM-Auth := Yes
					}
				}
			}
		}
	}
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
	# Disable ntlm_auth
	update control {
		MS-CHAP-Use-NTLM-Auth := No
	}
	# Check password table for local user
	pflocal
	if (fail || notfound) {
		update control {
			MS-CHAP-Use-NTLM-Auth := Yes
		}
	}
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
	User-Name = "dd9999"
	User-Password = "Abcd1234"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
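Both radtest runs in this chapter (the MS-CHAP one in option 1b and the cleartext one just above) depend on the shared secret testing123 that PacketFence's FreeRADIUS expects on port 18120: the client proves it knows the secret through the Message-Authenticator attribute, and it accepts the Access-Accept only if the reply's Response Authenticator was computed with the same secret. The following Python script is an added illustration of that exchange, not code from PacketFence or FreeRADIUS: it builds the same Access-Request radtest sends (User-Name, User-Password obfuscated per RFC 2865, NAS-IP-Address, NAS-Port, Message-Authenticator per RFC 2869), checks it the way the server does, and builds and verifies a 20-byte Access-Accept like the one in the output above. The request identifier, the 16-byte authenticator and the credentials are constructed values. A mismatched secret makes the server drop the request (radtest then just times out) and makes the client reject the reply, which is why a wrong secret never shows up as an explicit error on the client side.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    """Encode one attribute as type, length, value (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_user_password(secret, authenticator, password):
    """RFC 2865 section 5.2: NUL-pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    clear = password.encode()
    if not clear:
        raise ValueError("empty password")
    clear += bytes(-len(clear) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(clear), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(clear[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(secret, authenticator, encoded):
    """Inverse of encode_user_password; what the server does before comparing with Cleartext-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode()


def parse_packet(packet):
    """Split a packet into (code, id, authenticator, [(type, value), ...]); reject inconsistent lengths."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def build_access_request(secret, identifier, user_name, password, nas_ip, nas_port, authenticator=None):
    """Build the Access-Request radtest sends; Message-Authenticator is HMAC-MD5 over the packet with it zeroed."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password))
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute, so its value is the last 16 bytes


def verify_message_authenticator(secret, packet):
    """Server-side check: a request whose HMAC does not match the shared secret is dropped."""
    _, _, _, attrs = parse_packet(packet)
    received, rebuilt = None, packet[:20]
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, value = value, bytes(16)
        rebuilt += _attr(attr_type, value)
    if received is None:
        return False
    return hmac.compare_digest(hmac.new(secret, rebuilt, hashlib.md5).digest(), received)


def build_reply(secret, code, request, attrs=b""):
    """Reply with the RFC 2865 Response Authenticator: MD5(code + id + length + request authenticator + attrs + secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_reply(secret, request, reply):
    """Client-side check radtest performs before printing rad_recv: id must match and the authenticator must verify."""
    _, request_id, request_auth, _ = parse_packet(request)
    _, reply_id, reply_auth, _ = parse_packet(reply)
    if reply_id != request_id:
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply_auth)


if __name__ == "__main__":
    secret = b"testing123"  # the shared secret used by radtest in this guide
    request = build_access_request(secret, 74, "dd9999", "Abcd1234", "255.255.255.255", 12)
    accept = build_reply(secret, ACCESS_ACCEPT, request)
    print("request ok:", verify_message_authenticator(secret, request),
          "accept ok:", verify_reply(secret, request, accept), "accept length:", len(accept))
```

The empty Access-Accept is exactly 20 bytes (header plus authenticator), which matches the length=20 printed by radtest above; any attributes the server adds (VLAN tunnel attributes, for instance) are covered by the same authenticator, so a reply altered in transit fails verify_reply just like one built with the wrong secret.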
Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

* Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
* Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
* Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.
* Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".
* Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
  * Billing: Allows to define a module based on one or more billing sources.
  * Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.
  * Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
  * Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields, if applicable.

Examples

This section will contain the following examples:

* Prompting for fields without authentication
* Prompting additional fields during the authentication
* Chained authentication
* Mixing login and Secure SSID on-boarding on the portal
* Displaying a message to the user after the registration
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click "Add Portal Module" and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click "Add Portal Module" and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want and uncheck "Require AUP" so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules in the desired sequence.

This example will allow you to configure a Chained module that will require the user to log in via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the "Require AUP" option, since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID on-boarding. Refer to the section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck "Skipable" so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

Hello World! <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

* Sources by class: Allows you to specify the perl class name of the sources you want available, e.g. pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
* Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
* Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Chapter 10
Debugging

Log files

Here are the most important PacketFence log files:

* /usr/local/pf/logs/packetfence.log: PacketFence Core Log
* /usr/local/pf/logs/httpd.portal.access: Apache, Captive Portal Access Log
* /usr/local/pf/logs/httpd.portal.error: Apache, Captive Portal Error Log
* /usr/local/pf/logs/httpd.admin.access: Apache, Web Admin/Services Access Log
* /usr/local/pf/logs/httpd.admin.error: Apache, Web Admin/Services Error Log
* /usr/local/pf/logs/httpd.webservices.access: Apache, Webservices Access Log
* /usr/local/pf/logs/httpd.webservices.error: Apache, Webservices Error Log
* /usr/local/pf/logs/httpd.aaa.access: Apache, AAA Access Log
* /usr/local/pf/logs/httpd.aaa.error: Apache, AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf.
b. Run raddebug as root (less secure).

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
Chapter 11
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.
Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only (no RADIUS tunneled attributes). CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch, which will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing?

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect the phone will be assigned on the registration VLAN).
Chapter 12
Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
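Every passthrough entry is a hole in the captive portal: an unregistered device can reach those names before it has authenticated, so it is worth being precise about what an entry matches. The following Python script is an added illustration, not PacketFence code: it reads the [trapping] fragment above with the standard-library configparser, normalizes the entries, decides whether a given hostname is covered, and flags wildcards that are broader than a registered domain. The matching rule it implements is an assumption made for the example (a "*.x" entry covers names below x but not x itself; any other entry must match exactly); check PacketFence's own behaviour before relying on it for a real audit.

```python
import configparser

# The pf.conf fragment from this section, embedded as a string so the example runs offline.
PF_CONF = """
[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
"""


def load_passthroughs(text):
    """Return (enabled, entries) from [trapping]; entries are lower-cased with any trailing dot removed."""
    cfg = configparser.ConfigParser(interpolation=None)  # no %-interpolation, values may contain odd characters
    cfg.read_string(text)
    enabled = cfg.get("trapping", "passthrough", fallback="disabled").strip().lower() == "enabled"
    raw = cfg.get("trapping", "passthroughs", fallback="")
    entries = [e.strip().lower().rstrip(".") for e in raw.split(",") if e.strip()]
    return enabled, entries


def host_is_passthrough(host, entries, enabled=True):
    """Assumed rule: '*.x' matches names strictly below x; anything else must match exactly."""
    if not enabled:
        return False
    host = host.strip().lower().rstrip(".")
    for entry in entries:
        if entry.startswith("*."):
            suffix = entry[1:]  # keep the leading dot so that 'evil-ggpht.com' does not match '*.ggpht.com'
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False


def broad_wildcards(entries, min_labels=2):
    """Flag wildcard entries whose fixed part has fewer than min_labels labels ('*.com' would open a whole TLD)."""
    return [e for e in entries if e.startswith("*.") and e[2:].count(".") + 1 < min_labels]


if __name__ == "__main__":
    enabled, entries = load_passthroughs(PF_CONF)
    for name in ("lh3.ggpht.com", "android.clients.google.com", "www.google.com", "evil-ggpht.com"):
        print(name, host_is_passthrough(name, entries, enabled))
    print("overly broad:", broad_wildcards(entries + ["*.com"]))
```

Running it shows that the Google Play names needed by the Android agent are reachable while unrelated Google hosts and look-alike domains are not; the same functions can be pointed at your own pf.conf to review what else has been opened over time.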
Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple users simply need to click on that link and follow the instructions on their device. Android users simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking "configure" will create the secure SSID profile. It is that simple.
Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

* Billing source(s)
* Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts, expand the business account and then click Profile.

Now click the "Change password" link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:

* Identity token is the one you noted when on the Website Payment Preferences page.
* Cert ID is the one you noted when on the Encrypted Payment Settings page.
* Payment type is whether the access is donation based (not mandatory to pay for it).
* Email address is the email address of the merchant paypal account.
* Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
* Key file is the path to the PacketFence key (/usr/local/pf/conf/ssl/server.key by default).
* Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
* Currency is the currency that will be used in the transactions.
* Test mode should be activated if you are using a sandbox account.

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click "Your account", then "Account settings".

Navigate to the "API keys" tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:

* Secret key is the secret key you got from your Stripe account.
* Publishable key is the publishable key you got from your Stripe account.
* Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section "Subscription based registration" below for details on how to configure it.
* Currency is the currency that will be used in the transactions.
* Test mode should be activated if you are using the test key and secret.

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:

* API login ID is the one you got earlier while creating your account.
* Transaction key is the one you got earlier while creating your account.
* MD5 hash is the one you configured in your Authorize.net account.
* Currency is the currency that will be used in the transactions.
* Test mode should be activated if you are using a sandbox account.

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click "Add billing tier" and configure it.

Where:

* Billing tier is the unique identifier of the billing tier.
* Name is the friendly name of the billing tier.
* Description is an extended description of the billing tier.
* Price is the amount that will be charged to the user.
* Access duration is the amount of time the user will be granted access to your network.
* Role is the target role the user should be in.
* Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.
Where:

  ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
  Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
  Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
  Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80, and that your PacketFence server hostname resolves on the public domain. Exposing port 80 this way means any host on the Internet can reach the webhook endpoint, so limit the exposure to that one path (with a firewall rule or reverse proxy) rather than publishing the whole portal.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

  URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
  Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
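The webhook above is an unauthenticated HTTP endpoint on a public address, and the only thing that distinguishes a genuine cancellation from a forged POST is the Stripe-Signature header Stripe adds to every delivery (t=timestamp, v1=HMAC-SHA256 over "timestamp.body" with the endpoint's signing secret). Whether PacketFence 6.0.3 checks that header is not stated in this guide, so the following is an added example of what a hardened receiver verifies before acting on an event; it is not PacketFence code. The secret, the event and the customer id are constructed fixtures.

```python
import hashlib
import hmac
import json

def stripe_signature(secret: str, payload: bytes, timestamp: int) -> str:
    """Produce a Stripe-Signature header value the way Stripe does:
    v1 = HMAC-SHA256(endpoint secret, "<timestamp>.<raw body>")."""
    digest = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload,
                      hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"

def verify_stripe_signature(secret: str, payload: bytes, header: str,
                            now: int, tolerance: int = 300) -> bool:
    """Accept only if some v1 signature matches the raw body and the timestamp is
    inside the replay window; the digest comparison is constant-time."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":                      # Stripe may send several v1 values during key rotation
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    if abs(now - int(timestamp)) > tolerance:  # stale delivery: replayed or captured earlier
        return False
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload,
                        hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, c) for c in candidates)

def handle_webhook(secret: str, payload: bytes, header: str, now: int):
    """('reject', None) for anything that does not authenticate, ('unregister', customer)
    for a cancelled subscription, ('ignore', None) for every other event type."""
    if not verify_stripe_signature(secret, payload, header, now):
        return ("reject", None)
    event = json.loads(payload)                # parse only after the body is authenticated
    if event.get("type") == "customer.subscription.deleted":
        return ("unregister", event["data"]["object"]["customer"])
    return ("ignore", None)

# Constructed fixtures: a fake endpoint secret and a minimal cancellation event.
SECRET = "whsec_constructed_example_secret"
EVENT = {"id": "evt_constructed", "type": "customer.subscription.deleted",
         "data": {"object": {"id": "sub_constructed", "customer": "cus_constructed"}}}

def demo(now: int = 1_465_000_000):
    """The three cases a receiver must get right: genuine, tampered body, replayed delivery."""
    body = json.dumps(EVENT, separators=(",", ":")).encode()
    good = stripe_signature(SECRET, body, now)
    tampered = body.replace(b"cus_constructed", b"cus_victim")   # body altered after signing
    stale = stripe_signature(SECRET, body, now - 3600)           # valid once, an hour ago
    return (handle_webhook(SECRET, body, good, now),
            handle_webhook(SECRET, tampered, good, now),
            handle_webhook(SECRET, body, stale, now))

if __name__ == "__main__":
    print(demo())
```

The signature must be computed over the raw request body exactly as received; re-serialising the JSON before hashing changes whitespace and breaks verification.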
Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management. Note that the OUI check only confirms that the address looks like one of the listed vendors; any MAC with a listed OUI can be registered this way, so the registration is an assertion by the logged-in user, not proof of what the device is.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

  [registration]
  device_registration = enabled
  device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret (a distinct, strong secret per client; useStrongerSecret below is only a placeholder). Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:
  client tlrs1.eduroam.us {
      secret = useStrongerSecret
      shortname = tlrs1
  }

  client tlrs2.eduroam.us {
      secret = useStrongerSecret
      shortname = tlrs2
  }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

  home_server tlrs1.eduroam.us {
      type = auth
      ipaddr = 257.128.1.1    # placeholder: 257 is not a valid octet, use the real server address
      port = 1812
      secret = useStrongerSecret
      require_message_authenticator = yes
  }

  # tlrs2.eduroam.us must be defined the same way before the pool below can reference it.

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

  home_server_pool eduroam {
      type = fail-over
      home_server = tlrs1.eduroam.us
      home_server = tlrs2.eduroam.us
  }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either as a DOMAIN\ prefix or as an @suffix on the username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

  # This realm is for requests which don't have an explicit realm
  # prefix or suffix. User names like "bob" will match this one.
  # No authentication server is defined, thus the authentication is done locally.
  realm NULL {
  }

  # This realm is for ntdomain users who might use the domain like this:
  # EXAMPLE\username
  # No authentication server is defined, thus the authentication is done locally.
  realm EXAMPLE {
  }

  # This realm is for suffix users who use the domain like this:
  # username@example.edu
  # No authentication server is defined, thus the authentication is done locally.
  realm example.edu {
  }

  # This realm is for ALL OTHER requests, meaning, in this context, eduroam.
  # The auth_pool is set to the eduroam pool, and so the requests will be proxied.
  # nostrip keeps the full user@realm in the forwarded request so the home
  # institution can route it.
  realm DEFAULT {
      auth_pool = eduroam
      nostrip
  }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:
  authorize {
      # pay attention to the order of the modules. It matters.
      ntdomain
      suffix
      preprocess

      # uncomment this section if you want to block eduroam users from your other SSIDs.
      # The attribute name (Called-Station-Id) may differ based on your controller.
      # "local" is not a defined realm, so FreeRADIUS does not proxy the request and
      # handles it here, where a foreign-realm user is rejected instead of being
      # forwarded and granted access on a non-eduroam SSID.
      #if ( Called-Station-Id !~ /eduroam$/i ) {
      #    update control {
      #        Proxy-To-Realm := local
      #    }
      #}

      eap {
          ok = return
      }
      files
      expiration
      logintime
      packetfence
  }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

  post-auth {
      exec
      # we skip packetfence when the request is coming from the eduroam servers
      if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
          packetfence
      }
      Post-Auth-Type REJECT {
          attr_filter.access_reject
      }
  }

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:
  # 'username@realm'
  realm suffix {
      format = suffix
      delimiter = "@"
  }

  # 'domain\user'
  realm ntdomain {
      format = prefix
      delimiter = "\\"
      ignore_null = yes
  }
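To check that the realm and virtual-server configuration above routes requests the way the text describes, the following added example (not FreeRADIUS or PacketFence code) models the decision: the ntdomain/suffix split from modules/realm, the local realms NULL, EXAMPLE and example.edu versus the DEFAULT realm proxied to the eduroam pool, the optional Called-Station-Id check, and the post-auth rule that skips the packetfence module for replies to the eduroam servers. Realm names are compared case-insensitively here, which is an assumption about rlm_realm; the usernames and Called-Station-Id values are constructed.

```python
import re

# Realms proxy.conf defines with no auth_pool; anything else falls into DEFAULT.
LOCAL_REALMS = {"null", "example", "example.edu"}
DEFAULT_POOL = "eduroam"                      # realm DEFAULT { auth_pool = eduroam; nostrip }
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}          # shortnames from clients.conf

def split_realm(username: str):
    """Mimic modules/realm in authorize order: ntdomain (prefix, '\\') runs before
    suffix ('@'). Returns (user, realm), with realm 'NULL' when no delimiter is present."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return user, domain
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return user, domain
    return username, "NULL"

def route(username: str, called_station_id: str, restrict_to_eduroam_ssid: bool = False):
    """Where the packetfence virtual server sends a request:
    ('local', realm) or ('proxy', 'DEFAULT', pool, forwarded_username)."""
    user, realm = split_realm(username)
    # The commented-out block of the guide: off the eduroam SSID, force local handling so
    # a foreign realm is rejected here instead of being proxied and accepted.
    if restrict_to_eduroam_ssid and not re.search(r"eduroam$", called_station_id, re.I):
        return ("local", realm)
    if realm.lower() in LOCAL_REALMS:         # assumption: realm names match case-insensitively
        return ("local", realm)
    # nostrip: the home institution receives the full user@realm, not the bare user part
    return ("proxy", "DEFAULT", DEFAULT_POOL, username)

def runs_packetfence_post_auth(client_shortname: str) -> bool:
    """post-auth in packetfence-tunnel: the packetfence module is skipped when the request
    came from an eduroam server, which is not one of the configured switches."""
    return client_shortname not in EDUROAM_CLIENTS

if __name__ == "__main__":
    for name in ("bob", "bob@example.edu", "EXAMPLE\\bob", "alice@other.edu"):
        print(name, "->", route(name, "00-11-22-33-44-55:eduroam"))
    print("alice@other.edu on corp SSID ->",
          route("alice@other.edu", "00-11-22-33-44-55:corp-wifi", True))
```

The last case is the one the optional Called-Station-Id block exists for: without it, a visitor's credentials would be proxied and accepted on any SSID the controller serves, not only on eduroam.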
Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database. Since this sends data observed on your network (DHCP options, user agents, MAC vendors) to a third party, review it against your privacy policy before enabling it.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream (or both) entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before the device was plugged in.

Because the device is identified by its MAC address alone and port-security is turned off while it is present, a spoofed floating-device MAC on an access port yields an unrestricted, possibly trunked, port. Keep the list of floating devices short, keep their tagged VLAN lists to what the access point actually needs, and treat the list as sensitive configuration.

How it works

Configuration:

  floating network devices have to be identified using their MAC address
  linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

  it disables port-security
  it sets the PVID
  it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
  it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

  it enables port-security
  it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

  by editing conf/floating_network_device.conf
  through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

  MAC Address    MAC address of the floating device
  IP Address     IP address of the floating device (not required, for information only)
  trunkPort      Yes/no. Should the port be configured as a multi-vlan port?
  pvid           VLAN in which PacketFence should put the port
  taggedVlan     Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
OAuth2 Authentication

Note: OAuth2 authentication does not work with Web auth enforcement.

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source. Every domain on that list is reachable from the registration VLAN before the user has authenticated, so keep it to what the login flow actually needs.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

  # Controls IP packet forwarding
  net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you give users access to Facebook's domains while they are still sitting, unregistered, in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL (the value that ties the callback to the session that started the login). If you modify the URL, make sure to keep the state parameter at the end of it.
Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the host name with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device. Note that the hole is opened for the resolved IP address, so every service that shares that address (shared hosting, CDN edges) becomes reachable from the registration VLAN as well.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node, or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to which node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
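What a listener actually has to extract from each DHCP message to maintain that MAC-to-IP map, as an added example (not pfdhcplistener's code): the BOOTP header fields chaddr, ciaddr, yiaddr and giaddr plus the options message-type (53), requested-address (50), hostname (12) and lease time (51). The point a practitioner should notice is the difference between the techniques: on a mirrored port or a VLAN interface the server's DHCPACK is visible, but an ip helper-address only relays the client's DHCPREQUEST, so the address recorded there is the client's own claim. All packets are constructed in the block, not captured.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}

def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))

def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV option block of one DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    chaddr = packet[28:28 + hlen]                     # client hardware address (6 bytes on Ethernet)
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:       # 255 = end option
        if packet[i] == 0:                            # 0 = pad, carries no length byte
            i += 1
            continue
        tag, length = packet[i], packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "ciaddr": _ip(packet[12:16]),                 # address the client says it already has
        "yiaddr": _ip(packet[16:20]),                 # address the server is handing out
        "giaddr": _ip(packet[24:28]),                 # relay (ip helper) that forwarded the packet
        "type": MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN"),
        "requested_ip": _ip(options[50]) if 50 in options else None,
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "lease": struct.unpack("!I", options[51])[0] if 51 in options else None,
    }

def build_dhcp(msg_type, mac, *, xid, yiaddr="0.0.0.0", ciaddr="0.0.0.0", giaddr="0.0.0.0",
               requested_ip=None, hostname=None, lease=None) -> bytes:
    """Constructed test traffic (not a capture): a minimal, well-formed DHCP message."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    op = 2 if msg_type in (2, 5, 6) else 1            # BOOTREPLY for server-originated messages
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    pkt += b"".join(ipaddress.IPv4Address(a).packed for a in (ciaddr, yiaddr, "0.0.0.0", giaddr))
    pkt += chaddr + b"\0" * 64 + b"\0" * 128 + MAGIC + bytes([53, 1, msg_type])
    if requested_ip:
        pkt += bytes([50, 4]) + ipaddress.IPv4Address(requested_ip).packed
    if hostname:
        pkt += bytes([12, len(hostname)]) + hostname.encode()
    if lease is not None:
        pkt += bytes([51, 4]) + struct.pack("!I", lease)
    return pkt + b"\xff"

def learn_leases(packets) -> dict:
    """The MAC -> IP table a listener keeps. A DHCPACK (visible on a mirror port or a local
    VLAN interface) is the server's word. With ip helper-address only the client's
    DHCPREQUEST reaches PacketFence, so option 50 / ciaddr is recorded as a client claim,
    which a spoofing client controls; a later DHCPNAK withdraws it."""
    leases = {}
    for pkt in packets:
        d = parse_dhcp(pkt)
        if d["type"] == "REQUEST":
            claimed = d["requested_ip"] or (None if d["ciaddr"] == "0.0.0.0" else d["ciaddr"])
            if claimed:
                leases.setdefault(d["mac"], {}).update(ip=claimed, source="client-claim",
                                                       hostname=d["hostname"], relay=d["giaddr"])
        elif d["type"] == "ACK" and d["yiaddr"] != "0.0.0.0":
            leases.setdefault(d["mac"], {}).update(ip=d["yiaddr"], source="server-ack",
                                                   lease=d["lease"], relay=d["giaddr"])
        elif d["type"] == "NAK":
            leases.pop(d["mac"], None)
    return leases

# Constructed sample behind the relay 10.0.101.1: one exchange fully visible (REQUEST + ACK),
# one seen only as a relayed REQUEST, one refused by the server.
SAMPLE = [
    build_dhcp(3, "00:11:22:33:44:55", xid=0x1001, giaddr="10.0.101.1",
               requested_ip="10.0.101.57", hostname="eng-laptop"),
    build_dhcp(5, "00:11:22:33:44:55", xid=0x1001, yiaddr="10.0.101.57", giaddr="10.0.101.1", lease=3600),
    build_dhcp(3, "aa:bb:cc:dd:ee:ff", xid=0x1002, giaddr="10.0.101.1", requested_ip="10.0.101.58"),
    build_dhcp(3, "de:ad:be:ef:00:01", xid=0x1003, giaddr="10.0.101.1", requested_ip="10.0.101.59"),
    build_dhcp(6, "de:ad:be:ef:00:01", xid=0x1003, giaddr="10.0.101.1"),
]

if __name__ == "__main__":
    for mac, info in learn_leases(SAMPLE).items():
        print(mac, info)
```

Entries tagged client-claim are what the ip-helper technique yields on its own; when the mapping is used for isolation decisions, a mirror port or a VLAN interface (the next two techniques) is what lets the listener confirm the address against the server's DHCPACK.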
Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

  DEVICE=eth2
  ONBOOT=yes
  BOOTPROTO=none

Add to pf.conf (the IPs are not important, they are there only so that PacketFence will start):

  [interface eth2]
  mask=255.255.255.0
  type=dhcp-listener
  gateway=192.168.1.5
  ip=192.168.1.1

Restart PacketFence and you should be good to go.
Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your clients, through your DHCP infrastructure, to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

  # Engineering VLAN
  DEVICE=eth0.1010
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=10.0.101.4
  NETMASK=255.255.255.0
  VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

  [interface eth0.1010]
  mask=255.255.255.0
  type=dhcp-listener
  gateway=10.0.101.1
  ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks, because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks, and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

  [interface eth0.2]
  enforcement=vlan
  ip=192.168.2.1
  type=internal
  mask=255.255.255.0
  [interface eth0.3]
  enforcement=vlan
  ip=192.168.3.1
  type=internal
  mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

  [192.168.2.0]
  netmask=255.255.255.0
  gateway=192.168.2.1
  next_hop=
  domain-name=registration.example.com
  dns=192.168.2.1
  dhcp_start=192.168.2.10
  dhcp_end=192.168.2.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-registration
  named=enabled
  dhcpd=enabled

  [192.168.3.0]
  netmask=255.255.255.0
  gateway=192.168.3.1
  next_hop=
  domain-name=isolation.example.com
  dns=192.168.3.1
  dhcp_start=192.168.3.10
  dhcp_end=192.168.3.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-isolation
  named=enabled
  dhcpd=enabled
  [192.168.20.0]
  netmask=255.255.255.0
  gateway=192.168.20.254
  next_hop=192.168.2.254
  domain-name=registration.example.com
  dns=192.168.2.1
  dhcp_start=192.168.20.10
  dhcp_end=192.168.20.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-registration
  named=enabled
  dhcpd=enabled

  [192.168.30.0]
  netmask=255.255.255.0
  gateway=192.168.30.254
  next_hop=192.168.3.254
  domain-name=isolation.example.com
  dns=192.168.3.1
  dhcp_start=192.168.30.10
  dhcp_end=192.168.30.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-isolation
  named=enabled
  dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and to local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

  ip access-list extended PF_REGISTRATION
   permit ip any host 192.168.2.1
   permit udp any any eq 67
   deny ip any any log
  !
  interface vlan 20
   ip address 192.168.20.254 255.255.255.0
   ip helper-address 192.168.2.1
   ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. Keep in mind that the statement is produced by the client's own NAP agent: it is self-reported state, not an attestation that a compromised endpoint could not forge. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

  soh = yes
  soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example). Start the NAP agent:

  sc config napagent start= auto
  sc start napagent

For wired 802.1X, also start the wired AutoConfig service with a dependency on the agent:

  sc config dot3svc start= auto depend= napagent
  sc start dot3svc

List the enforcement clients and get the ID value of the "EAP Quarantine Enforcement Client":

  netsh nap client show config

Then enable that enforcement client, replacing $ID with the value shown:

  netsh nap client set enforcement id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

  [4000001]
  desc=No anti-virus enabled
  url=/remediation.php?template=noantivirus
  actions=reevaluate_access,email,log
  enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem, in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

  ViolationRole
  RegistrationRole
  RegisteredRole
  InlineRole
  AutoRegister
  NodeInfoForAutoReg

And can be defined using different criteria like:
  node_info.attribute (like node_info.status)
  switch
  ifIndex
  mac
  connection_type
  username
  ssid
  time
  owner.attribute (like owner.pid)
  radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

  [category]
  filter = node_info.category
  operator = is
  value = default

  [ssid]
  filter = ssid
  operator = is
  value = SECURE

  [time]
  filter = time
  operator = is
  value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

  [1:category&ssid&time]
  scope = RegisteredRole
  role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

  [igmout]
  filter = owner.pid
  operator = is
  value = igmout

  [open]
  filter = ssid
  operator = is
  value = OPEN
  [2:igmout&open]
  scope = RegisteredRole
  action = trigger_violation
  action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

  [igmout]
  filter = username
  operator = is
  value = igmout

  [secure]
  filter = ssid
  operator = is
  value = SECURE

  [3:igmout&secure]
  scope = AutoRegister
  role = staff

  [4:igmout&secure]
  scope = NodeInfoForAutoReg
  role = staff

Note that this third example reuses the condition name igmout with a different filter than the second one. Condition names must be unique within one vlan_filters.conf, so rename one of them if you combine these examples in a single file.

You can have a look in the file vlan_filters.conf, there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer, or does a call to the API.

These rules are only available in one scope:

  returnRadiusAccessAccept

And can be defined using different criteria like:
  node_info.attribute (like node_info.$attribute)
  switch
  ifIndex
  mac
  connection_type
  username
  ssid
  time
  owner.attribute (like owner.$attribute)
  radius_request.attribute (like radius_request.$attribute)
  violation
  user_role
  vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

  [violation]
  filter = violation
  operator = defined

  [etherneteap]
  filter = connection_type
  operator = is
  value = Ethernet-EAP

  [1:etherneteap&!violation]
  merge_answer = no
  scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

  [1:etherneteap&!violation]
  merge_answer = yes
  scope = returnRadiusAccessAccept
  answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf, there are some examples on how to use and define filters.
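Both filter files use the same rule shape: named conditions (filter / operator / value), combined in a rule whose section name is "N:a&b&!c", selected by scope, and carrying either a role or an answer with $placeholders. The added example below, which is not PacketFence's filter engine, implements that shape once and runs it against the first vlan_filters.conf example and the second radius_filters.conf example from the text, so you can see the weekday time window and the $user_role / $switch._portalURL / $session_id expansion take effect. The request context is constructed; the operators beyond is and defined, the end-hour handling of the Time::Period range, and the dotted-path lookup are assumptions made to keep the example self-contained.

```python
import configparser
import re
from datetime import datetime

# Rule text lifted from the guide; a leading '!' in a rule name negates that condition.
VLAN_RULES = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""
RADIUS_RULES = """
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id
"""

def lookup(ctx, path):
    """Resolve dotted names such as node_info.category or switch._portalURL; None if absent."""
    for part in path.split("."):
        if not isinstance(ctx, dict) or part not in ctx:
            return None
        ctx = ctx[part]
    return ctx

def _hour(token):
    m = re.fullmatch(r"(\d{1,2})(am|pm)", token.strip().lower())
    return int(m.group(1)) % 12 + (12 if m.group(2) == "pm" else 0)

def in_period(when, spec):
    """Subset of Time::Period ('wd {...} hr {11am-2pm}'); the end hour counts whole (assumption)."""
    for scale, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if scale == "wd" and when.strftime("%a") not in body.split():
            return False
        if scale == "hr":
            start, end = body.split("-")
            if not _hour(start) <= when.hour <= _hour(end):
                return False
    return True

def condition_holds(cond, ctx, now):
    filt, op, value = cond["filter"], cond["operator"], cond.get("value", "")
    if filt == "time":                       # the guide pairs 'time' with a period spec
        return in_period(now, value)
    actual = lookup(ctx, filt)
    if op == "defined":
        return actual is not None
    if op == "is":
        return actual is not None and str(actual) == value
    raise ValueError(f"unsupported operator {op!r}")

def evaluate(rules, scope, ctx, now):
    """First rule whose scope matches and whose 'a&b&!c' name expression holds, as a dict."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str                    # keep key case; values are left untouched
    cfg.read_string(rules)
    for name in cfg.sections():
        if ":" not in name or cfg[name].get("scope") != scope:
            continue
        terms = name.split(":", 1)[1].split("&")
        if all(condition_holds(cfg[t.lstrip("!")], ctx, now) != t.startswith("!") for t in terms):
            return dict(cfg[name])
    return None

def render_answer(rule, ctx):
    """Expand $name and $a.b placeholders of each answerN line into {attribute: value}."""
    def expand(m):
        value = lookup(ctx, m.group(1))
        return "" if value is None else str(value)
    return {text.partition("=>")[0].strip():
            re.sub(r"\$([A-Za-z_][A-Za-z0-9_.]*)", expand, text.partition("=>")[2].strip())
            for key, text in rule.items() if key.startswith("answer")}

# Constructed request context: default-category device on SSID SECURE, wired EAP, no violation.
CTX = {"node_info": {"category": "default"}, "ssid": "SECURE", "connection_type": "Ethernet-EAP",
       "user_role": "guest", "session_id": "abc123",
       "switch": {"_portalURL": "https://portal.example.com"}}

def demo():
    """(role on a Monday at noon, role on a Sunday at noon, rendered RADIUS answer)."""
    monday_noon, sunday_noon = datetime(2016, 6, 6, 12, 30), datetime(2016, 6, 5, 12, 30)
    vlan = evaluate(VLAN_RULES, "RegisteredRole", CTX, monday_noon)
    vlan_sunday = evaluate(VLAN_RULES, "RegisteredRole", CTX, sunday_noon)
    radius = evaluate(RADIUS_RULES, "returnRadiusAccessAccept", CTX, monday_noon)
    return (vlan and vlan["role"], vlan_sunday and vlan_sunday["role"],
            radius and render_answer(radius, CTX))

if __name__ == "__main__":
    print(demo())
```

Rules are tried in file order and the first match wins, which is why the guide numbers them; a rule that should only fire when no violation is open must say so explicitly with !violation, as the RADIUS example does.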
DNS enforcement

DNS enforcement allows you to control the network access of a device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, ...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use the result in its reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment (only allow DNS traffic from the registration network towards the PacketFence DNS server); the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done you need to restart the dhcpd and pfdns services.
Parked devices

In the event that you are managing a large registration network with devices that stay there (e.g. students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and the registration DHCP server.

Using the parking feature you can give these devices a longer lease and have them hit an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal they will see a message explaining that they haven't registered their device for a certain amount of time, and a link that lets them leave the parked state.

The parked vs. unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).
So, in order to activate parking, go in Configuration → Parking and set the threshold to a certain number of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section you can define the lease length of the user while he is in the parked state.

Note: Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parked state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking. Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enables setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not on the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Chapter 13
Optional components
Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, the installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.
Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version in the PacketFence repository. To install it, simply run the following command:

  yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all modifications there will be destroyed on each PacketFence restart.
Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, the configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, the Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, it might be an idea to do so):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

  # PacketFence OPSWAT Metadefender Cloud integration
  # This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
  source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
  # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
  destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
  # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
  log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:
service syslog-ng restart
On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf. UDP syslog carries no authentication, so make sure (for example with a firewall rule) that only the Suricata host can reach port 514 on the management interface; anything that can send to that port can otherwise feed fabricated log entries into the pipe below.

  $ModLoad imudp
  $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

  if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
  & ~

Make sure the receiving alert pipe (FIFO) exists:

  mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

  service rsyslog restart

At this point Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

  Type: suricata_http
  Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

  Type: metascan
  Trigger ID: The scan result returned by Metadefender Cloud online

  Type: suricata_md5
  Trigger ID: The MD5 hash returned by Suricata
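What the suricata_md5 trigger logic has to do with the lines that arrive through the FIFO, as an added Python example (this is not PacketFence's syslog parser). The log lines are constructed: a syslog header as rsyslog would write it, followed by a files-json.log record whose field names follow Suricata's file-log JSON output (the values are made up; the matching MD5 is that of the EICAR test file). The trigger table and the violation ID are constructed as well.

```python
import json

# Constructed lines as they would be read from /usr/local/pf/var/suricata_files. The third
# record is a truncated transfer (no hash), the fourth is not JSON at all.
SAMPLE_LINES = [
    'Jun 15 10:30:01 sensor1 suricata_files: {"timestamp": "2016-06-15T10:30:01.000000+0000", '
    '"srcip": "192.0.2.10", "dstip": "198.51.100.5", "http_host": "downloads.example.test", '
    '"http_uri": "/notes.pdf", "filename": "/notes.pdf", "state": "CLOSED", '
    '"md5": "9e107d9d372bb6826bd81d3542a419d6", "size": 4096}',
    'Jun 15 10:31:17 sensor1 suricata_files: {"timestamp": "2016-06-15T10:31:17.000000+0000", '
    '"srcip": "192.0.2.23", "dstip": "203.0.113.9", "http_host": "evil.example.test", '
    '"http_uri": "/setup.exe", "filename": "/setup.exe", "state": "CLOSED", '
    '"md5": "44d88612fea8a8f36de82e1278abb02f", "size": 68}',
    'Jun 15 10:31:18 sensor1 suricata_files: {"timestamp": "2016-06-15T10:31:18.000000+0000", '
    '"srcip": "192.0.2.23", "dstip": "203.0.113.9", "http_uri": "/partial.bin", "state": "TRUNCATED", "size": 120}',
    'Jun 15 10:31:19 sensor1 suricata_files: not json at all',
]

# Constructed suricata_md5 triggers: MD5 -> violation ID, as they would be entered in
# Configuration -> Violations for a violation of trigger type suricata_md5.
MD5_TRIGGERS = {"44d88612fea8a8f36de82e1278abb02f": 1500001}


def parse_file_event(line):
    """Return the JSON record carried by a files-json.log line, or None if there is none.

    syslog-ng ships the line with flags(no-parse), and rsyslog prefixes its own header when it
    writes to the FIFO, so the record is whatever starts at the first '{'."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except ValueError:
        return None
    return event if isinstance(event, dict) else None


def match_md5_triggers(lines, triggers):
    """Run the suricata_md5 trigger logic over log lines: one hit per file whose MD5 is a trigger.
    srcip is the HTTP client, i.e. the device whose violation would be raised."""
    hits = []
    for line in lines:
        event = parse_file_event(line)
        if event is None or "md5" not in event:
            continue  # unparsable line, or a truncated transfer that has no hash to match
        md5 = str(event["md5"]).lower()
        if md5 in triggers:
            hits.append({"srcip": event.get("srcip"), "md5": md5,
                         "uri": event.get("http_uri"), "violation": triggers[md5]})
    return hits


if __name__ == "__main__":
    for hit in match_md5_triggers(SAMPLE_LINES, MD5_TRIGGERS):
        print(hit)
```

The same reading logic is what you would point at the real FIFO to confirm that records actually arrive with an md5 field before configuring the parser in PacketFence: if your Suricata build lacks libnss support, the records come through without it and nothing can ever match.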
Security Onion

Installation and Configuration

Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward the sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

  # PacketFence IDS integration
  # This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup that should be pretty much standard)
  source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
  # This line filters on the string "Alert Received"
  filter f_sguil { match("Alert Received"); };
  # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
  destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
  # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
  log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:
service syslog-ng restart
On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

  $ModLoad imudp
  $UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

  if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
  & ~

Make sure the receiving alert pipe (FIFO) exists:

  mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

  service rsyslog restart

At this point Security Onion should be able to send the detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

  Type: security_onion
  Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

  Type: detect
  Trigger ID: The IDS triggered rule ID

  Type: suricata_event
  Trigger ID: The rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of that violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First you need to configure the violation definition.
Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-1200099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. This will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a compliance check on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP server.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab you can configure the behavior when a client gets isolated.
Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS or WMI as a scanning engine for compliance checks. Since PacketFence v5.1 you are able to create multiple scan engine configurations and assign them to specific captive portals. This means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus server and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives the report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

  Name: the name of your scan engine
  Roles: Only devices with these role(s) will be affected (Optional)
  OS: Only devices with this Operating System will be affected (Optional)
  Duration: Approximate duration of the scan (progress bar on the captive portal)
  Scan before registration: Trigger the scan when the device appears on the registration VLAN
  Scan on registration: Trigger the scan just after registration on the captive portal
  Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
  802.1x: Even if auto-registration has been enabled, the scan will be triggered on an EAP connection
  802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

  Hostname or IP Address: Hostname or IP Address where Nessus is running
  Username: Username to connect to the Nessus scan
  Password: Password to connect to the Nessus scan
  Port of the service: port to connect to (default 8834)
  Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

  Hostname or IP Address: Hostname or IP Address where OpenVAS is running
  Username: Username to connect to the OpenVAS scan
  Password: Password to connect to the OpenVAS scan
  Port of the service: port to connect to (default 9390)
  OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:

  Username: A username from Active Directory that is allowed to connect to WMI
  Domain: Domain of the Active Directory
  Password: Password of the account
  WMI Rules: Ordered list of the WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI rules. WMI is a sort of database on each Windows device; to retrieve information on the device you need to know the SQL request. In order to help you find and make a rule, you can use a third-party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

  Software_Installed
  logged_user
  Process_Running

Let's take the Software_Installed rule:

  request: select * from Win32_Product

  Rules Actions:

  [Google]
  attribute = Caption
  operator = match
  value = Google

  [1:Google]
  action = trigger_violation
  action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matches, then we trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

  request: select UserName from Win32_ComputerSystem
  Rules Actions:

  [UserName]
  attribute = UserName
  operator = match
  value = (.*)

  [1:UserName]
  action = dynamic_register_node
  action_param = mac = $mac, username = $result->UserName

This rule will do the following: retrieve the currently logged-in user on the device and register the device based on that user account.

The last one, Process_Running:

  request: select Name from Win32_Process

  Rules Actions:

  [explorer]
  attribute = Name
  operator = match
  value = explorer.exe

  [1:explorer]
  action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

- the request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.
- inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).
- the test block is a simple test based on the result of the request:
  - attribute is the attribute you want to test
  - operator can be is, is_not, match or match_not
  - value is the value you want to compare
  Feel free to define multiple test blocks.
- the action block is where you define your logic. For example, take this one: [1:google&explorer]; this means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
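The test-block / action-block syntax above, and the same section syntax used by radius_filters.conf earlier in this guide (filter/operator/value tests combined in a numbered [N:expression] block), as an added Python example (not PacketFence's own parser). It parses a rule set, evaluates each test against the rows a request returned, then evaluates the boolean expression of every action block with the precedence the guide describes. The rule set, the WMI result rows and the violation ID 888889 are constructed; the guide does not say whether all matching action blocks fire or only the first, so the example returns all of them, in block-number order, and the caller decides.

```python
import re

# Test operators. is/is_not/match/match_not are the WMI operators the guide lists; "defined" is
# the extra one radius_filters.conf uses ([violation] ... operator = defined). match is a regex.
OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "is_not": lambda actual, expected: actual != expected,
    "match": lambda actual, expected: re.search(expected, actual) is not None,
    "match_not": lambda actual, expected: re.search(expected, actual) is None,
    "defined": lambda actual, expected: actual != "",
}


def parse_sections(text):
    """Parse the INI-like 'Rules Actions' text into {section name: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def evaluate(expr, truth):
    """Evaluate an action-block expression such as '!google|(explorer&memory)' against the test
    results in truth. '!' binds tightest, then '&', then '|'; unknown names are an error."""
    tokens = re.findall(r"[A-Za-z_]\w*|[&|!()]", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("bad expression: " + expr)
    pos = [0]  # cursor shared by the nested parsers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take(expected=None):
        if peek() is None or (expected is not None and peek() != expected):
            raise ValueError("bad expression: " + expr)
        pos[0] += 1
        return tokens[pos[0] - 1]

    def chain(sub, operator, combine):
        value = sub()
        while peek() == operator:
            take()
            value = combine(value, sub())  # sub() runs first, so the cursor always advances
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            value = chain(parse_and, "|", lambda a, b: a or b)
            take(")")
            return value
        name = take()
        if name not in truth:
            raise ValueError("unknown test: " + name)
        return truth[name]

    def parse_and():
        return chain(parse_not, "&", lambda a, b: a and b)

    result = chain(parse_and, "|", lambda a, b: a or b)
    if pos[0] != len(tokens):
        raise ValueError("bad expression: " + expr)
    return result


def run_rules(rules_text, rows):
    """Evaluate every test block against the rows a request returned (a test is true if any row
    satisfies it) and return (truth, actions) with the (action, action_param) of each action
    block whose expression holds."""
    sections = parse_sections(rules_text)
    tests = {n: s for n, s in sections.items() if "attribute" in s or "filter" in s}
    truth = {}
    for name, test in tests.items():
        key = test.get("attribute", test.get("filter"))
        check = OPERATORS[test["operator"]]
        truth[name] = any(check(str(row.get(key, "")), test.get("value", "")) for row in rows)
    actions = []
    for name, sec in sections.items():
        if name in tests:
            continue
        number, _, expr = name.partition(":")
        if evaluate(expr, truth):
            actions.append((int(number), sec.get("action"), sec.get("action_param", "")))
    return truth, [(action, param) for _, action, param in sorted(actions)]


# Constructed rule set in the guide's syntax for a 'select Name from Win32_Process' request:
# isolate a host whose shell is up but whose antivirus service is not running.
PROCESS_RULES = """
[explorer]
attribute = Name
operator = match
value = explorer.exe
[antivirus]
attribute = Name
operator = match
value = MsMpEng.exe
[1:explorer&!antivirus]
action = trigger_violation
action_param = mac = $mac, tid = 888889, type = INTERNAL
[2:explorer&antivirus]
action = allow
"""

# Constructed WMI result rows, as the request would return them from two different hosts.
HOST_WITHOUT_AV = [{"Name": "System"}, {"Name": "explorer.exe"}, {"Name": "chrome.exe"}]
HOST_WITH_AV = [{"Name": "explorer.exe"}, {"Name": "MsMpEng.exe"}]
```

Note that `match` is a regular expression, so a value of `explorer.exe` also matches `explorerXexe`; anchor the pattern (`^explorer\.exe$`) when the rule decides whether to bypass a scan.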
Violations definition

You need to create a new violation section and specify:

Using Nessus:

  trigger=Nessus::<violationId>

Using OpenVAS:

  trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

  $ pfcmd reload violations

Note: Violations will trigger if the plugin reports a vulnerability of severity higher than low.

Assign Scan definition to portal profiles

The last step is to assign one or more of the scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence we are able to use this information to determine if the node is still connected, how much time it has been connected and how much bandwidth the user consumed.

Violations

Using PacketFence it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

  Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

Let's explain each chunk properly:

- DIRECTION: You can either set a limit on inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: This is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for incoming (download) traffic with a 50GB/month limit:

  Accounting::IN50GB1M

Look for outgoing (upload) traffic with a 500MB/day limit:

  Accounting::OUT500MB1D

Look for total (download + upload) traffic with a 200GB limit in the last week:
  Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
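The trigger format and the grace-period advice above, as an added Python example (not PacketFence's accounting code): it parses an Accounting:: trigger, sums a device's session octets inside the trigger's window, and derives the recommended grace period of one interval window. The accounting records are constructed; how PacketFence measures a month or a year is not stated in the guide, so the window lengths in INTERVAL_DAYS are an assumption, and a trigger without an interval is read as "all sessions on record".

```python
import re
from datetime import datetime, timedelta

# Accounting::[DIRECTION][LIMIT][INTERVAL]   e.g. Accounting::IN50GB1M, Accounting::TOT200GB1W
TRIGGER = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Assumed window lengths: the guide does not say how months and years are counted.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}


def parse_trigger(trigger):
    """Split a trigger into (direction, limit in bytes, window as a timedelta or None)."""
    m = TRIGGER.match(trigger)
    if not m:
        raise ValueError("not an accounting trigger: " + trigger)
    direction, amount, unit, count, interval = m.groups()
    window = timedelta(days=int(count) * INTERVAL_DAYS[interval]) if count else None
    return direction, int(amount) * UNIT_BYTES[unit], window


def usage(records, direction, window, now):
    """Sum the octets of the sessions that ended inside the window (no window: every session)."""
    cutoff = now - window if window else None
    total = 0
    for r in records:
        if cutoff is not None and r["stop"] < cutoff:
            continue
        total += {"IN": r["download"], "OUT": r["upload"],
                  "TOT": r["download"] + r["upload"]}[direction]
    return total


def check_trigger(trigger, records, now):
    """Return (exceeded, used_bytes, limit_bytes) for one device's accounting records."""
    direction, limit, window = parse_trigger(trigger)
    used = usage(records, direction, window, now)
    return used > limit, used, limit


def suggested_grace(trigger):
    """The guide recommends a grace period of one interval window: return it in seconds,
    or None when the trigger has no interval to derive it from."""
    window = parse_trigger(trigger)[2]
    return int(window.total_seconds()) if window else None


# Constructed accounting records for one device: octets per session, as a NAS would report them.
NOW = datetime(2016, 6, 15, 12, 0, 0)
GB = 1024 ** 3
MB = 1024 ** 2
RECORDS = [
    {"stop": NOW - timedelta(days=40), "download": 30 * GB, "upload": 2 * GB},  # outside a 1M window
    {"stop": NOW - timedelta(days=10), "download": 35 * GB, "upload": 1 * GB},
    {"stop": NOW - timedelta(days=2), "download": 20 * GB, "upload": 600 * MB},
    {"stop": NOW - timedelta(hours=3), "download": 1 * GB, "upload": 100 * MB},
]

if __name__ == "__main__":
    for trigger in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        exceeded, used, limit = check_trigger(trigger, RECORDS, NOW)
        print(trigger, "exceeded" if exceeded else "ok", used, "/", limit,
              "grace:", suggested_grace(trigger))
```

With these records the 50GB/month download trigger fires (56GB in the last 30 days) while the daily upload and weekly total triggers do not; a grace period of 86400 seconds for the 1D trigger is exactly the "one interval window" the guide recommends.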
Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

  0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3, ...) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL certificate matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system, since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

  [guests_self_registration]
  guest_pid=email
  preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay the emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

  [guests_admin_registration]
  access_duration_choices=1h,3h,12h,1D,2D,3D,5D
  default_access_duration=12h

The format of a duration is as follows:
  <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the unit of the date or time duration: either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the unit of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
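The duration format above, turned into an expiry date, as an added Python example (not PacketFence's own implementation). It follows the description in this section: without a PERIOD_BASE, or with F, the duration is counted from the reference time; with R it is counted from the beginning of the period unit that contains the reference time (weeks starting on Monday); the optional +/- extension is then applied in date units. The reference date is constructed, and the reading of F as "from the reference time itself" is this example's interpretation of "fixed".

```python
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE>[<OPERATOR><DURATION><DATE_UNIT>]]
DURATION = re.compile(r"^(\d+)([smhDWMY])(?:([FR])(?:([+-])(\d+)([DWMY]))?)?$")
SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 7 * 86400}


def add_units(base, amount, unit):
    """Move base by amount units. Months and years are calendar steps, clamped to the last
    day of the target month (January 31 + 1M gives February 28 or 29)."""
    if unit in SECONDS:
        return base + timedelta(seconds=amount * SECONDS[unit])
    months = base.month - 1 + amount * (12 if unit == "Y" else 1)
    year, month = base.year + months // 12, months % 12 + 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return base.replace(year=year, month=month, day=day)


def period_start(ref, unit):
    """Beginning of the period unit that contains ref; weeks start on Monday as the guide says."""
    if unit == "s":
        return ref.replace(microsecond=0)
    if unit == "m":
        return ref.replace(second=0, microsecond=0)
    if unit == "h":
        return ref.replace(minute=0, second=0, microsecond=0)
    day = ref.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "Y"


def access_expiration(spec, ref):
    """Expiry datetime of an access duration string, counted from ref."""
    m = DURATION.match(spec)
    if not m:
        raise ValueError("invalid access duration: " + spec)
    amount, unit, base_kind, op, ext_amount, ext_unit = m.groups()
    base = period_start(ref, unit) if base_kind == "R" else ref
    end = add_units(base, int(amount), unit)
    if op:
        end = add_units(end, int(ext_amount) * (1 if op == "+" else -1), ext_unit)
    return end


def validate_choices(choices):
    """Check an access_duration_choices value such as '1h,3h,12h,1D,2D,3D,5D'; return the bad entries."""
    return [c for c in choices.split(",") if c and not DURATION.match(c)]


# Constructed reference time: Wednesday 2016-06-15 10:30.
EXAMPLE_REF = datetime(2016, 6, 15, 10, 30)

if __name__ == "__main__":
    for spec in ("12h", "1D", "1DR", "1WR+1D", "1MR", "1MF-1D"):
        print(spec, "->", access_expiration(spec, EXAMPLE_REF))
```

The difference between "1D" and "1DR" is the one that matters when handing out guest accounts: the first expires 24 hours after creation, the second at midnight, which is usually what "valid for today" is meant to say.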
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

  [guests_self_registration]
  preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist on the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay the emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
  # Powershell script to unregister a deleted Active Directory account based on the UserName.
  # Event 4726 ("A user account was deleted"); ReplacementStrings[0] holds the deleted account name.
  Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | % {
      $url = "https://IP_PACKETFENCE:9090/"
      $username = "admin" # Username for the webservices
      $password = "admin" # Password for the webservices (stored in clear text here: restrict the ACL of this file to the task account)
      # Accepts any server certificate, i.e. disables TLS validation. Install a certificate the
      # Windows host trusts on PacketFence and remove this line in production.
      [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
      $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

      $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
      $web = [System.Net.WebRequest]::Create($url)
      $web.Method = "POST"
      $web.ContentLength = $bytes.Length
      $web.ContentType = "application/json-rpc"
      $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
      $stream = $web.GetRequestStream()
      $stream.Write($bytes,0,$bytes.Length)
      $stream.close()

      $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
      $reader.ReadToEnd()
      $reader.Close()
  }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

  Name: PacketFence-Unreg_node-for-deleted-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges

Triggers → New:

  Begin the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4726

Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings
  At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
#
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin"   # Username for the webservices
     $password = "admin"   # Password for the webservices
     # Accept any server certificate (no TLS certificate validation)
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC 2.0 call; ReplacementStrings[0] holds the target account name of event 4725
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes, 0, $bytes.Length)
     $stream.Close()
     $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General
  Name: PacketFence-Unreg_node-for-disabled-account
  Check "Run whether user is logged on or not"
  Check "Run with highest privileges"

Triggers → New
  Begin on the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4725

Actions → New
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings
  At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
#
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin"   # Username for the webservices
     $password = "admin"   # Password for the webservices
     # Accept any server certificate (no TLS certificate validation)
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC 2.0 call; ReplacementStrings[0] holds the target account name of event 4740
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes, 0, $bytes.Length)
     $stream.Close()
     $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General
  Name: PacketFence-Unreg_node-for-locked-account
  Check "Run whether user is logged on or not"
  Check "Run with highest privileges"

Triggers → New
  Begin on the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4740
Actions → New
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings
  At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).
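The three scripts above differ only in the event ID they watch (4725 disabled, 4726 deleted, 4740 locked) and all issue the same JSON-RPC 2.0 call. The following Python program is an added example, not part of the guide or of PacketFence: it handles all three event IDs in one pass, builds the same unreg_node_for_pid request with proper JSON escaping, and keeps TLS certificate verification on. It assumes the webservices endpoint and HTTP basic authentication exactly as the scripts use them; the event records are constructed stand-ins for the fields the scripts read from Get-EventLog, and the function names are the example's own.

```python
import base64
import json
import urllib.request

# Windows security event ID -> why the account is being unregistered (the three scripts above)
EVENT_REASONS = {4725: "disabled", 4726: "deleted", 4740: "locked"}


def build_unreg_request(pid):
    """Serialize the JSON-RPC 2.0 call unreg_node_for_pid(pid).

    json.dumps escapes quotes and backslashes inside pid. The PowerShell scripts
    build the same string by concatenation, so an account name containing a
    double quote would produce malformed JSON there.
    """
    payload = {"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", pid]}
    return json.dumps(payload).encode("ascii")  # ensure_ascii=True, so ASCII is safe


def pids_from_events(events):
    """Extract (event_id, reason, pid) for every event of interest.

    events: constructed records with the two fields the scripts use:
    {"InstanceId": int, "ReplacementStrings": [...]}; ReplacementStrings[0] is
    the target account name, as in the scripts.
    """
    found = []
    for ev in events:
        reason = EVENT_REASONS.get(ev.get("InstanceId"))
        if reason is None:
            continue  # not one of 4725 / 4726 / 4740
        strings = ev.get("ReplacementStrings") or []
        if not strings or not strings[0]:
            continue  # malformed record: nothing to unregister
        found.append((ev["InstanceId"], reason, strings[0]))
    return found


def make_request(url, username, password, pid):
    """Same HTTP shape as the scripts: POST, application/json-rpc, HTTP basic auth."""
    req = urllib.request.Request(url, data=build_unreg_request(pid), method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    return req


def unregister_from_events(events, url, username, password, ssl_context=None):
    """Send one call per matching event and return the decoded responses.

    Certificate verification stays on: load the PacketFence CA into ssl_context
    instead of disabling validation as the scripts do with
    ServerCertificateValidationCallback = {$true}.
    """
    results = []
    for _event_id, reason, pid in pids_from_events(events):
        req = make_request(url, username, password, pid)
        with urllib.request.urlopen(req, timeout=10, context=ssl_context) as resp:
            results.append((pid, reason, json.loads(resp.read().decode("utf-8"))))
    return results


# Constructed sample events (not a real log export); the SID is a placeholder.
SAMPLE_EVENTS = [
    {"InstanceId": 4726, "ReplacementStrings": ["jdoe", "S-1-5-21-1-2-3-1104"]},
    {"InstanceId": 4725, "ReplacementStrings": ["asmith"]},
    {"InstanceId": 4740, "ReplacementStrings": ["bob"]},
    {"InstanceId": 4720, "ReplacementStrings": ["newuser"]},  # account created: ignored
    {"InstanceId": 4726, "ReplacementStrings": []},           # malformed: skipped
]

if __name__ == "__main__":
    for item in pids_from_events(SAMPLE_EVENTS):
        print(item, build_unreg_request(item[2]))
```

Run as a scheduled task it replaces the three separate tasks; the only site-specific inputs are the URL and the webservices credentials, which should be read from a protected location rather than hard-coded as in the scripts.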
DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than the DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.
Then run: nssm install udpreflector

In Application:
  In Path, set it to C:\udp-reflector\udpreflector.bat
  In Startup directory, set it to C:\udp-reflector
  In Arguments, set it to nothing

In Details:
  In Startup type, select Automatic

In Log on:
  In Log on as, select Local System account

Then press "Install service".

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons, and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.
Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
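To see what the threshold actually measures, here is an added example (not PacketFence's own implementation, which the guide does not show) of the per-switch-port counting rule the text describes: more than trap_limit_threshold traps from one port within one minute trips the limit once for that port. The trap records below are constructed, the switch addresses are documentation-range placeholders, and the class and function names are the example's own.

```python
from collections import defaultdict, deque

TRAP_LIMIT_THRESHOLD = 100  # same meaning as trap_limit_threshold in pf.conf
WINDOW_SECONDS = 60         # the guide's "in a minute"


class TrapLimiter:
    """Sliding one-minute trap counter per (switch, ifIndex)."""

    def __init__(self, threshold=TRAP_LIMIT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)  # key -> timestamps still inside the window
        self.triggered = {}                # key -> timestamp at which the limit was crossed

    def observe(self, switch_ip, if_index, ts):
        """Feed one trap (ts in seconds, fed in non-decreasing order).

        Returns True the first time this port exceeds the threshold within the
        window; later traps from an already-tripped port return False so the
        action (port shutdown, notification) fires only once.
        """
        key = (switch_ip, if_index)
        q = self._recent[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:  # expire traps older than the window
            q.popleft()
        if len(q) > self.threshold and key not in self.triggered:
            self.triggered[key] = ts
            return True
        return False


def find_offending_ports(traps, threshold=TRAP_LIMIT_THRESHOLD):
    """traps: iterable of (ts, switch_ip, if_index). Returns {(switch, port): trip_ts}."""
    limiter = TrapLimiter(threshold)
    for ts, switch_ip, if_index in sorted(traps):
        limiter.observe(switch_ip, if_index, ts)
    return dict(limiter.triggered)


def constructed_traps():
    """Constructed sample (not a capture): three ports with different trap rates."""
    traps = []
    # port 5 on 192.0.2.10: 150 traps within 30 s (a flapping link or deliberate noise)
    traps += [(1000 + i * 0.2, "192.0.2.10", 5) for i in range(150)]
    # port 6 on the same switch: 60 traps spread over 4 minutes (ordinary churn)
    traps += [(1000 + i * 4.0, "192.0.2.10", 6) for i in range(60)]
    # port 1 on 192.0.2.11: exactly 100 traps in a minute; the rule is "over 100", so no trip
    traps += [(1000 + i * 0.5, "192.0.2.11", 1) for i in range(100)]
    return traps


if __name__ == "__main__":
    for (switch_ip, if_index), trip_ts in find_offending_ports(constructed_traps()).items():
        print(f"{switch_ip} ifIndex {if_index}: limit exceeded at t={trip_ts:.1f}s")
```

The same logic can be run over a trap log to check, before enabling trap_limit_action, which ports would have been shut down under a given threshold.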
MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20%. This is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON

Startup MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:

/usr/local/bin/pftest mysql
Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and, after 10 of these (by default), it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
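To check how a rule set like the one above behaves before deploying it, here is an added example (not PacketFence's own filter engine) that parses the two test blocks and the action block from their INI form and applies them to constructed requests. It implements only what the page shows: the match and match_not operators, treated as a regular-expression search on the named request field (an assumption), a method check, and "&" / "|" between test names in the action header, evaluated left to right without precedence (also an assumption, since the guide shows a single "&"). Other operators present in the real apache_filters.conf are not covered.

```python
import configparser
import re

# Constructed copy of the blocks shown above (the same INI syntax as apache_filters.conf).
SAMPLE_FILTERS = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""


def parse_filters(text):
    """Split the INI text into test blocks (plain section names) and action
    blocks (section names of the form label:expression)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, actions = {}, []
    for name in cp.sections():
        sec = cp[name]
        if ":" in name:
            label, expr = name.split(":", 1)
            actions.append({"name": label, "expr": expr,
                            "action": sec.get("action", ""),
                            "redirect_url": sec.get("redirect_url", "")})
        else:
            tests[name] = {"filter": sec.get("filter"), "method": sec.get("method", ""),
                           "operator": sec.get("operator"), "value": sec.get("value", "")}
    return tests, actions


def run_test(test, request):
    """Evaluate one test block against a request dict (keys: method, user_agent, uri).

    Assumed semantics: a method mismatch fails the test; `match` is a regex
    search on the chosen field, `match_not` its negation; a missing field
    (for instance no User-Agent header at all) is treated as the empty string.
    """
    if test["method"] and request.get("method") != test["method"]:
        return False
    field = request.get(test["filter"]) or ""
    hit = re.search(test["value"], field) is not None
    if test["operator"] == "match":
        return hit
    if test["operator"] == "match_not":
        return not hit
    raise ValueError("operator not implemented in this example: %r" % test["operator"])


def eval_expression(expr, tests, request):
    """Combine test results with & (and) and | (or), left to right, no precedence."""
    tokens = [t.strip() for t in re.split(r"([&|])", expr)]
    result = run_test(tests[tokens[0]], request)
    for i in range(1, len(tokens) - 1, 2):
        rhs = run_test(tests[tokens[i + 1]], request)
        result = (result and rhs) if tokens[i] == "&" else (result or rhs)
    return result


def apply_filters(text, request):
    """Return (label, action, redirect_url) of the first action block whose
    expression holds for the request, or None when no filter applies."""
    tests, actions = parse_filters(text)
    for act in actions:
        if eval_expression(act["expr"], tests, request):
            return act["name"], act["action"], act["redirect_url"]
    return None


if __name__ == "__main__":
    android_probe = {"method": "GET", "user_agent": "Dalvik/2.1.0 (Linux; U; Android 6.0)",
                     "uri": "/index.html"}
    print(apply_filters(SAMPLE_FILTERS, android_probe))
```

Feeding a sample of real access-log requests through apply_filters shows which of them a new rule would answer with 501 instead of the portal, which is the cheapest way to catch an over-broad regular expression before it blocks actual browsers.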
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

# service packetfence stop

Create an ext4 partition:

# mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:
# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
# mkdir /usr/local/pf/var/graphite
# mount -a
# df -h

Apply the proper user rights and restore your database from your backup:

# chown pf:pf /usr/local/pf/var/graphite
# cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

# rm -fr /usr/local/pf/var/graphite.bak
Additional Information

For more information, please consult the mailing archives or post your questions to them. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.
GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                       | manage the cache subsystem
 checkup                     | perform a sanity checkup and report any problems
 class                       | view violation classes
 configfiles                 | push or pull configfiles into/from database
 configreload                | reload the configution
 floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
 help                        | show help for pfcmd commands
 ifoctetshistorymac          | accounting history
 ifoctetshistoryswitch       | accounting history
 ifoctetshistoryuser         | accounting history
 import                      | bulk import of information into the database
 ipmachistory                | IP/MAC history
 locationhistorymac          | Switch/Port history
 locationhistoryswitch       | Switch/Port history
 networkconfig               | query/modify network configuration parameters
 node                        | manipulate node entries
 pfconfig                    | interact with pfconfig
 portalprofileconfig         | query/modify portal profile configuration parameters
 reload                      | rebuild fingerprint or violations tables without restart
 service                     | start/stop/restart and get PF daemon status
 schedule                    | Nessus scan scheduling
 switchconfig                | query/modify switches.conf configuration parameters
 version                     | output version information
 violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

 Command:
   -deauthenticate      de-authenticate a dot11 client
   -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
   -getAlias            show the description of the specified switch port
   -getAllMACs          show all MACS on all switch ports
   -getHubs             show switch ports with several MACs
   -getIfOperStatus     show the operational status of the specified switch port
   -getIfType           show the ifType on the specified switch port
   -getLocation         show at which switch port the MAC is found
   -getSwitchLocation   show SNMP location of specified switch
   -getMAC              show all MACs on the specified switch port
   -getType             show switch type
   -getUpLinks          show the upLinks of the specified switch
   -getVersion          show switch OS version
   -getVlan             show the VLAN on the specified switch port
   -getVlanType         show the VLAN type on the specified port
   -help                brief help message
   -isolate             set the switch port to the isolation VLAN
   -man                 full documentation
   -reAssignVlan        re-assign a switch port VLAN
   -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
   -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
   -setAlias            set the description of the specified switch port
   -setDefaultVlan      set the switch port to the default VLAN
   -setIfAdminStatus    set the admin status of the specified switch port
   -setVlan             set VLAN on the specified switch port
   -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

 Options:
   -alias               switch port description
   -ifAdminStatus       ifAdminStatus
   -ifIndex             switch port ifIndex
   -mac                 MAC address
   -showPF              show additional information available in PF
   -switch              switch description
   -verbose             log verbosity level
                          0 : fatal messages
                          1 : warn messages
                          2 : info messages
                          3 : debug
                          4 : trace
   -vlan                VLAN id
   -vlanName            VLAN name (as in switches.conf)
Optional components 92
    Blocking malicious activities with violations 92
    Compliance Checks 100
    RADIUS Accounting 105
    Oinkmaster 106
    Guests Management 107
    Active Directory Integration 110
    DHCP remote sensor 115
    Switch login access 117
Operating System Best Practices 118
    IPTables 118
    Log Rotations 118
Performance optimization 119
    SNMP Traps Limit 119
    MySQL optimizations 119
    Captive Portal Optimizations 122
    Dashboard Optimizations (statistics collection) 123
Additional Information 125
Commercial Support and Contact Information 126
GNU Free Documentation License 127
A. Administration Tools 128
    pfcmd 128
    pfcmd_vlan 129
About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs:

Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration.

Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS: This is, at least, a partial file of PacketFence contributors.

NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog: Covers all changes to the source code.
Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

  Database server (MySQL or MariaDB)
  Web server (Apache)
  DHCP server (ISC DHCP)
  RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

  NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

  Intel or AMD CPU 3 GHz
  8 GB of RAM
  100 GB of disk space (RAID-1 recommended)
  1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:
  Red Hat Enterprise Linux 6.x and 7.x Server
  Community ENTerprise Operating System (CentOS) 6.x and 7.x
  Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

  Web server (httpd)
  DHCP server (dhcpd)
  FreeRADIUS server (radiusd)
  Snort/Suricata Network IDS (snort/suricata)
  Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.
Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

  Disable Firewall
  Disable SELinux
  Disable AppArmor
  Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

  easy installation
  everything is packaged as RPM/deb (no more CPAN hassle)
  easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator
Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence

0x810273C4 is a short (32-bit) key ID, which can be forged on a keyserver; confirm the full fingerprint of the imported key against a trusted source before installing packages signed with it.
Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network and NATs or routes the traffic, using IPTables/IPSet, to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence, since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal, as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.

Because the session is keyed on the MAC address, inline enforcement gives no stronger identity assurance than MAC authentication does: any host presenting a registered MAC on that VLAN inherits its access.
Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B (/16).

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches, and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass, and it is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as the NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both the supplicant and the authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows, Mac OS X and Linux, for authentication against AD). With PEAP-MSCHAPv2, the supplicant must be configured to validate the RADIUS server's certificate; otherwise a rogue access point can harvest the MSCHAPv2 exchange and the credentials behind it.
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X-capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly, and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions, including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller, and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the normal VLAN.
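The MAC-authentication round trip of steps 1 to 8, as an added example that is not PacketFence or FreeRADIUS code. It builds the RADIUS packets by hand with the standard library: the "controller" side sends an Access-Request whose User-Name is the endpoint MAC (no EAP, hence no strong authentication), the "PacketFence" side looks the MAC up in a constructed node table and answers with an Access-Accept carrying the RFC 2868 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) that name the VLAN, and the controller verifies the Response Authenticator with the shared secret before it trusts that VLAN. The node table, VLAN numbers and secret are invented for the example.

```python
# Added example (not PacketFence/FreeRADIUS code): MAB exchange with RFC 2868
# VLAN attributes and RFC 2865 Response Authenticator verification.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME = 1
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

SHARED_SECRET = b"secretPassPhrase"   # the switch's radiusSecret in switches.conf

# Constructed stand-ins for the PacketFence database and the VLAN mapping.
NODES = {"00:11:22:33:44:55": {"status": "reg", "role": "employee"}}
VLANS = {"registration": 2, "employee": 10}


def attr(atype, value):
    """Encode one RADIUS attribute: Type, Length (including header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_attr(atype, value, tag=0):
    """Tunnel attributes carry a leading Tag octet (RFC 2868); 0 = untagged."""
    return attr(atype, bytes([tag]) + value)


def parse_attrs(payload):
    attrs, i = {}, 0
    while i < len(payload):
        atype, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


# --- controller (NAS) side ---------------------------------------------------
def build_access_request(mac, ident=1):
    """Step 2: MAC authentication sends the MAC address as User-Name."""
    request_auth = os.urandom(16)            # fresh per request: ties reply to it
    attrs = attr(USER_NAME, mac.encode())
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def reply_is_authentic(raw, request_auth, secret=SHARED_SECRET):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    expected = response_authenticator(code, ident, raw[20:length], request_auth, secret)
    return hmac.compare_digest(expected, raw[4:20])


def vlan_from_reply(raw, request_auth, secret=SHARED_SECRET):
    """Steps 4/8 as seen by the controller: the VLAN id to apply, None on reject."""
    if not reply_is_authentic(raw, request_auth, secret):
        raise ValueError("bad Response Authenticator: forged reply or wrong secret")
    code, _, length = struct.unpack("!BBH", raw[:4])
    if code != ACCESS_ACCEPT:
        return None
    attrs = parse_attrs(raw[20:length])
    if attrs[TUNNEL_TYPE][1:] != struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]:
        raise ValueError("Tunnel-Type is not VLAN")
    return int(attrs[TUNNEL_PRIVATE_GROUP_ID][1:].decode())


# --- PacketFence / FreeRADIUS side ------------------------------------------
def decide_vlan(mac):
    """Step 3: registered nodes get their role VLAN, unknown ones registration."""
    node = NODES.get(mac.lower())
    if node and node["status"] == "reg":
        return VLANS[node["role"]]
    return VLANS["registration"]


def handle_access_request(raw, secret=SHARED_SECRET):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    request_auth = raw[4:20]
    mac = parse_attrs(raw[20:length])[USER_NAME].decode()
    vlan = decide_vlan(mac)
    # Tunnel-Type and Tunnel-Medium-Type are 3-octet integers after the tag.
    attrs = (tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
             + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", MEDIUM_IEEE_802)[1:])
             + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def mab_exchange(mac):
    """Whole round trip; returns the VLAN the controller will apply."""
    request, request_auth = build_access_request(mac)
    return vlan_from_reply(handle_access_request(request), request_auth)


if __name__ == "__main__":
    print(mab_exchange("00:11:22:33:44:55"))   # registered node -> 10
    print(mab_exchange("de:ad:be:ef:00:01"))   # unknown node -> 2
```

The shared secret is the only thing binding the Access-Accept to the request: a reply with a wrong secret, or one with a single altered byte in the VLAN attribute, fails the authenticator check and is dropped rather than applied.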
Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN but the PC doesn't do DHCP (it didn't detect link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

Since trap contents drive VLAN changes, send them with SNMPv3 authentication and privacy where the switch supports it (see the SNMP v1, v2c and v3 section under Network Devices Definition); with v1/v2c, the community string is the only thing protecting the trap path.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup, and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes. And every time, the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly, and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap, whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
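The trap handling described in this section, reduced to a single-threaded state machine, as an added example that is not PacketFence's pfsetvlan. It runs over a constructed trap feed (the line format is invented for the example; the real snmptrapd.log layout differs), parks a port in the MAC detection VLAN on linkUp, cancels that wait on linkDown (the boot-time NIC bounce), and on a MAC learnt or port-security trap looks the MAC up in a constructed node table to pick the registration, isolation or role VLAN. It also honours the three working modes defined later under Network Devices Definition (testing logs only, registration auto-registers every MAC without touching the switch, production sends the SNMP write), so the same feed can be replayed in each mode. VLAN numbers, node records and switch addresses are all invented.

```python
# Added example (not PacketFence code): trap-driven VLAN assignment with the
# testing / registration / production working modes.
from dataclasses import dataclass, field

# Constructed stand-ins for switches.conf VLAN definitions and the node table.
VLANS = {"mac_detection": 4, "registration": 2, "isolation": 3,
         "employee": 10, "default": 5}
NODES = {
    "00:11:22:33:44:55": {"status": "reg", "role": "employee", "violations": 0},
    "00:11:22:33:44:66": {"status": "reg", "role": "employee", "violations": 1},
}


@dataclass
class PfSetVlan:
    mode: str = "production"                 # testing | registration | production
    nodes: dict = field(default_factory=lambda: {k: dict(v) for k, v in NODES.items()})
    pending: set = field(default_factory=set)    # ports waiting for a MAC
    writes: list = field(default_factory=list)   # (switch, ifIndex, vlan) SNMP sets sent
    log: list = field(default_factory=list)

    def set_vlan(self, switch, port, vlan):
        # Testing and registration modes only log; production writes to the switch.
        if self.mode == "production":
            self.writes.append((switch, port, vlan))
        self.log.append(f"{self.mode}: {switch} ifIndex {port} -> VLAN {vlan}")

    def vlan_for(self, mac):
        node = self.nodes.get(mac)
        if node is None or node["status"] != "reg":
            return VLANS["registration"]         # unregistered: captive portal VLAN
        if node["violations"]:
            return VLANS["isolation"]            # open violation: isolation VLAN
        return VLANS[node["role"]]

    def handle(self, line):
        fields = dict(kv.split("=", 1) for kv in line.split())
        key = (fields["switch"], int(fields["port"]))
        trap = fields["trap"]
        if trap == "linkUp":
            # Park the port in the MAC detection VLAN and wait for the switch to
            # report the MAC (MAC notification or port-security trap) instead of
            # polling it with SNMP queries.
            self.pending.add(key)
            self.set_vlan(*key, VLANS["mac_detection"])
        elif trap == "linkDown":
            # Cancel whatever was waiting on this port (NIC bounce during boot).
            self.pending.discard(key)
            self.set_vlan(*key, VLANS["mac_detection"])
        elif trap in ("macLearnt", "portSecurity"):
            mac = fields["mac"].lower()
            self.pending.discard(key)
            if self.mode == "registration" and mac not in self.nodes:
                # Registration mode auto-registers every MAC it sees.
                self.nodes[mac] = {"status": "reg", "role": "default", "violations": 0}
            self.set_vlan(*key, self.vlan_for(mac))
        else:
            raise ValueError(f"unknown trap type {trap!r}")
        return self.log[-1]


# Constructed trap feed: a boot-time link bounce on port 5, then its MAC is
# learnt; port 6 raises a port-security violation for an unknown MAC; port 7
# reports a registered MAC that has an open violation.
TRAPS = [
    "switch=192.168.0.1 port=5 trap=linkUp",
    "switch=192.168.0.1 port=5 trap=linkDown",
    "switch=192.168.0.1 port=5 trap=linkUp",
    "switch=192.168.0.1 port=5 trap=macLearnt mac=00:11:22:33:44:55",
    "switch=192.168.0.1 port=6 trap=portSecurity mac=de:ad:be:ef:00:01",
    "switch=192.168.0.1 port=7 trap=macLearnt mac=00:11:22:33:44:66",
]


def run(mode="production", traps=TRAPS):
    daemon = PfSetVlan(mode=mode)
    for line in traps:
        daemon.handle(line)
    return daemon


if __name__ == "__main__":
    for entry in run().log:
        print(entry)
```

Replaying the same feed with mode="testing" produces the identical log and no switch writes, which is exactly how to validate a new switch's trap configuration before putting it in production.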
Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es)/access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.
Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a first-match-wins operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example

Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

For a production deployment, bind with a dedicated read-only account rather than the domain Administrator, and enable SSL/TLS on the Host setting: with plain LDAP on port 389, the bind password and every user's captive-portal password travel in cleartext between PacketFence and the domain controller.

Then we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
- Name: ad2
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
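The first-match-wins evaluation of sources, rules, conditions and actions described above, as an added example that is not PacketFence code. The sources are constructed to mirror the ad1 / ad2 / internal-guest walkthrough (user entries, group DNs and the Kerberos source are invented), and only the "equals" and "starts with" condition operators are implemented. It also shows the consequence of the note above: a Kerberos source is a true catch-all, so where it sits in the source order decides which role everyone else gets.

```python
# Added example (not PacketFence code): first-match-wins rule evaluation across
# ordered authentication sources.
from datetime import date

CATCH_ALL_TYPES = {"Kerberos", "RADIUS"}   # accept any username (see the note above)

SOURCES = [
    {   # Active Directory for Employees (CN=Users), username = sAMAccountName
        "id": "ad1", "type": "AD",
        "users": {
            "alice": {"memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
            "bob":   {"memberOf": ["CN=Sales,CN=Users,DC=acme,DC=local"]},
        },
        "rules": [
            {"name": "it-staff",
             "conditions": [("memberOf", "equals", "CN=IT,CN=Users,DC=acme,DC=local")],
             "actions": [("set_role", "it"), ("set_unreg_date", date(2020, 1, 1))]},
            {"name": "employees", "conditions": [],           # catch-all fallback
             "actions": [("set_role", "employee"), ("set_unreg_date", date(2020, 1, 1))]},
        ],
    },
    {   # Active Directory for Machines (CN=Computers), username = servicePrincipalName
        "id": "ad2", "type": "AD",
        "users": {"HOST/pc01.acme.local": {}},
        "rules": [{"name": "machines", "conditions": [],
                   "actions": [("set_role", "machineauth"),
                               ("set_unreg_date", date(2020, 1, 1))]}],
    },
    {   # PacketFence internal SQL database, guests provisioned by hand
        "id": "guests", "type": "SQL",
        "users": {"visitor": {}},
        "rules": [{"name": "guests", "conditions": [],
                   "actions": [("set_role", "guest"), ("set_access_duration", "1D")]}],
    },
]


def condition_matches(condition, attrs):
    name, operator, expected = condition
    values = attrs.get(name, [])
    if not isinstance(values, list):
        values = [values]
    if operator == "equals":
        return any(v == expected for v in values)
    if operator == "starts with":
        return any(v.startswith(expected) for v in values)
    raise ValueError(f"unsupported operator {operator!r}")


def match(username, sources=SOURCES):
    """Return the first (source, rule, actions) that matches, or None.

    Sources are tried in order, then rules in order; the first rule whose
    conditions all hold wins, and evaluation stops across all sources.
    """
    for source in sources:
        if source["type"] in CATCH_ALL_TYPES:
            attrs = {}                        # nothing to look up: everyone matches
        elif username in source["users"]:
            attrs = source["users"][username]
        else:
            continue  # AD/LDAP/htpasswd: unknown username skips even catch-all rules
        for rule in source["rules"]:
            if all(condition_matches(c, attrs) for c in rule["conditions"]):
                return {"source": source["id"], "rule": rule["name"],
                        "actions": dict(rule["actions"])}
    return None


# A Kerberos source is a true catch-all; where it sits in the order matters.
KERBEROS = {"id": "krb", "type": "Kerberos", "users": None,
            "rules": [{"name": "anyone", "conditions": [],
                       "actions": [("set_role", "employee")]}]}


if __name__ == "__main__":
    for user in ("alice", "bob", "HOST/pc01.acme.local", "visitor", "mallory"):
        print(user, "->", match(user))
    # Putting the Kerberos source first makes every guest an employee:
    print("visitor (krb first) ->", match("visitor", [KERBEROS] + SOURCES))
```

Dragging a catch-all source (Kerberos, RADIUS, or any source whose first rule has no conditions) above a more specific one silently changes the role assigned to everyone below it, so re-check the order after any reordering in the GUI.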
External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}
Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.

Treat the API as a trusted component: its authorization reply sets the role, access duration and access level of the user, so whoever can reach or impersonate it controls those values. Use an https:// Host so the POSTed passwords and the basic-auth credentials are not sent in cleartext.
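A complete implementation of the two actions above, as an added example that is not PacketFence's addons/example_external_auth. It is a WSGI application driven in-process (no network needed), with HTTP basic authentication of the caller, PBKDF2-hashed credentials, constant-time comparisons and a reply filtered to the documented attribute names. Assumptions the page does not state: the POST fields are named "username" and "password", the relative URLs are /auth and /authorize, and the user store and API credentials are constructed for the example.

```python
# Added example (not PacketFence code): external HTTP API authentication and
# authorization actions as a WSGI application.
import base64
import hashlib
import hmac
import io
import json
from urllib.parse import parse_qs, urlencode

# Constructed credentials for the HTTP basic auth PacketFence can send (RFC 2617).
API_USER, API_PASSWORD = "packetfence", "api-secret"

# Constructed user store: PBKDF2 hashes, never plaintext passwords.
SALT = b"example-salt"


def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "alice":  {"hash": _pbkdf2("alice-pw"), "category": "employee", "unregdate": "2030-01-01"},
    "guest1": {"hash": _pbkdf2("guest-pw"), "category": "guest", "access_duration": "1D"},
}
ALLOWED_REPLY_KEYS = {"access_duration", "access_level", "sponsor", "unregdate", "category"}


def authenticate(fields):
    """Authentication action: is the username/password combination valid?"""
    user = USERS.get(fields.get("username", ""))
    candidate = _pbkdf2(fields.get("password", ""))
    # Always run a comparison so timing does not reveal whether the user exists.
    ok = hmac.compare_digest(candidate, user["hash"] if user else candidate[::-1])
    if user is None or not ok:
        return {"result": 0, "message": "Invalid username or password"}
    return {"result": 1, "message": "Valid username and password"}


def authorize(fields):
    """Authorization action: actions to apply, restricted to the documented keys."""
    user = USERS.get(fields.get("username", ""))
    if user is None:
        return {}
    return {k: v for k, v in user.items() if k in ALLOWED_REPLY_KEYS}


def basic_auth_ok(environ):
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(password, API_PASSWORD)


ROUTES = {"/auth": authenticate, "/authorize": authorize}   # the relative URLs


def application(environ, start_response):
    if not basic_auth_ok(environ):
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="pf"')])
        return [b""]
    handler = ROUTES.get(environ.get("PATH_INFO"))
    if handler is None or environ.get("REQUEST_METHOD") != "POST":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b""]
    size = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(size).decode()
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    payload = json.dumps(handler(fields)).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [payload]


def invoke(path, fields, auth=(API_USER, API_PASSWORD)):
    """Drive the WSGI app in-process; returns (status, parsed JSON or None)."""
    body = urlencode(fields).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    status = {}
    chunks = application(environ, lambda s, h: status.setdefault("code", s))
    data = b"".join(chunks)
    return status["code"], (json.loads(data) if data else None)


if __name__ == "__main__":
    print(invoke("/auth", {"username": "alice", "password": "alice-pw"}))
    print(invoke("/authorize", {"username": "alice"}))
```

With PacketFence's HTTP source pointed at https://api.example:443, Authentication URL auth and Authorization URL authorize, and the API username/password filled in, this is the contract the application above implements; the 401 path is what PacketFence sees if either credential field is left empty.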
SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources, create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Use the hostname and scheme the captive portal actually serves to users; the Identity Provider only posts assertions to the AssertionConsumerService URL it has on record.

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section, including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence), including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authentication (Change of Authorization or Disconnect), as defined in RFC 3576. Use a long, random secret per switch: it is the only integrity protection on the RADIUS exchange, and it also authenticates the CoA and Disconnect requests PacketFence sends to the device.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence. Where SNMP is needed, prefer SNMPv3 with authentication and privacy: v1 and v2c community strings cross the network in cleartext, and the write community is enough to move ports between VLANs.
From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

The example uses MD5 as the authentication protocol; where the switch offers SHA, prefer it. Keep the write user distinct from the read user that sends traps, as shown, so that compromise of the trap-sending credentials does not yield write access to the switch.

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface, under Configuration → Switches. These are privileged switch credentials; with Telnet they cross the network in cleartext, so use SSH wherever the switch supports it.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface, under Configuration → Switches. The same caveat applies: prefer https so wsUser and wsPwd are not sent in cleartext.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do, compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering, and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface, under Configuration → Switches.
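How these switches.conf settings combine for one connecting node, as an added example that is not PacketFence code. It parses a constructed switches.conf with the standard library configparser (the [default] section supplying fallbacks for every switch section), resolves the <rolename>Role= external-role mapping above, and evaluates the "Trigger to enable inline mode" syntax from the Hybrid enforcement chapter (ALWAYS, PORT::<ifIndex>, MAC::<mac>, SSID::<name>, comma-separated) to decide whether the node goes inline or gets a VLAN plus controller role. Assumptions not stated on the page: per-switch VLANs are stored as <rolename>Vlan= keys, and the switch address, type and values in the sample file are invented.

```python
# Added example (not PacketFence code): switches.conf lookups for role mapping
# and the hybrid-mode inline trigger.
import configparser

# Constructed switches.conf; keys follow the page's <rolename>Role= format,
# the <rolename>Vlan= form for VLANs is assumed.
SWITCHES_CONF = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = testing
registrationVlan = 2
isolationVlan = 3
macDetectionVlan = 4

[192.168.0.1]
type = Cisco::Catalyst_2960
mode = production
radiusSecret = secretPassPhrase
employeeVlan = 10
salesVlan = 30
guestVlan = 20
adminRole = full-access
engineeringRole = full-access
salesRole = little-access
inlineTrigger = SSID::GuestAccess,MAC::00:11:22:33:44:55
"""


def load_switches(text=SWITCHES_CONF):
    # [default] supplies fallbacks for every switch section; keep key case,
    # because adminRole and adminrole would otherwise collide.
    cfg = configparser.ConfigParser(default_section="default")
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def external_role(cfg, switch, role):
    """<rolename>Role=<controller_role>; None when the switch has no mapping."""
    return cfg.get(switch, f"{role}Role", fallback=None)


def vlan_for_role(cfg, switch, role):
    value = cfg.get(switch, f"{role}Vlan", fallback=None)
    return int(value) if value is not None else None


def inline_trigger_matches(trigger, ssid=None, mac=None, port=None):
    """Evaluate one inlineTrigger string against the connection's context."""
    if not trigger:
        return False
    for item in trigger.split(","):
        kind, _, value = item.strip().partition("::")
        if kind == "ALWAYS":
            return True
        if kind == "SSID" and ssid is not None and value == ssid:
            return True
        if kind == "MAC" and mac is not None and value.lower() == mac.lower():
            return True
        if kind == "PORT" and port is not None and value == str(port):
            return True
    return False


def enforcement(cfg, switch, role, ssid=None, mac=None, port=None):
    """What PacketFence hands back for this node on this switch."""
    trigger = cfg.get(switch, "inlineTrigger", fallback="")
    if inline_trigger_matches(trigger, ssid=ssid, mac=mac, port=port):
        return {"mode": "inline"}
    result = {"mode": "vlan", "vlan": vlan_for_role(cfg, switch, role)}
    ext = external_role(cfg, switch, role)
    if ext is not None:
        result["role"] = ext      # returned along with the VLAN, as described above
    return result


if __name__ == "__main__":
    cfg = load_switches()
    sw = "192.168.0.1"
    print(cfg.get(sw, "mode"), cfg.get(sw, "SNMPCommunityRead"))   # production public
    print(enforcement(cfg, sw, "sales", ssid="Corp", mac="aa:bb:cc:dd:ee:ff"))
    print(enforcement(cfg, sw, "guest", ssid="GuestAccess", mac="aa:bb:cc:dd:ee:ff"))
```

A role with no <rolename>Role= entry on a given switch yields no controller role at all, which matches the Caution below: define the roles on the device first, then map them here.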
Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name, since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website, as an easier and more accessible solution. Prefer your own PacketFence IP here: pointing detection at an external site makes every client's access check depend on, and visible to, a third party.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

    SSID:Guest-SSID
    VLAN:100
    SwitchPort:<SwitchId>-<Port>
    Network:Network in CIDR format or an IP address

Caution: Node role will take effect only with a 802.1x connection or if you use VLAN filters.
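As an added example (not PacketFence's own code), the following Python helper applies the filter syntax shown above to a connecting client and picks the matching profile from a profiles.conf-style file. It assumes profiles are tried in file order with the first match winning and the default profile used otherwise; the profiles.conf content, addresses and SSIDs are constructed for the example.

```python
"""Added example, not PacketFence code: pick the portal profile whose
filter matches a connecting client, using the filter kinds shown above
(SSID, VLAN, SwitchPort, Network).  Assumption: profiles are tried in the
order they appear in profiles.conf and the first match wins; the 'default'
profile is used when no filter matches."""
import configparser
import ipaddress
from dataclasses import dataclass

# Constructed profiles.conf sample (not a real deployment's file).
SAMPLE_PROFILES_CONF = """
[default]
description = Default portal profile
sources = local

[guest]
description = Guest wireless
filter = SSID:Guest-SSID
sources = email,sms

[lab]
description = Lab VLAN
filter = VLAN:100
sources = ldap

[lobby_port]
description = Lobby switch port
filter = SwitchPort:192.168.1.10-4
sources = null

[staff_net]
description = Wired staff subnet
filter = Network:10.20.0.0/16
sources = ldap

[broken]
description = Profile without the mandatory filter, never applied
sources = ldap
"""


@dataclass
class Connection:
    """What is known about a client at portal time (constructed fields)."""
    ssid: str = ""
    vlan: int = 0
    switch_id: str = ""
    port: str = ""
    client_ip: str = ""


def parse_profiles(text):
    """Return an ordered {profile_name: {param: value}} mapping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def profiles_missing_filter(profiles):
    """Profiles (other than default) that lack the mandatory filter."""
    return [n for n, p in profiles.items()
            if n != "default" and not p.get("filter")]


def filter_matches(filter_value, conn):
    """Evaluate one 'Kind:value' filter against the connection."""
    kind, _, value = (p.strip() for p in filter_value.partition(":"))
    if kind == "SSID":
        return conn.ssid == value
    if kind == "VLAN":
        return conn.vlan == int(value)
    if kind == "SwitchPort":
        # <SwitchId>-<Port>: split on the last '-' so dotted IPs survive
        switch_id, _, port = value.rpartition("-")
        return conn.switch_id == switch_id and conn.port == port
    if kind == "Network":
        if not conn.client_ip:
            return False
        # a bare IP address is accepted as a single-host network
        network = ipaddress.ip_network(value, strict=False)
        return ipaddress.ip_address(conn.client_ip) in network
    raise ValueError(f"filter kind not handled in this example: {kind!r}")


def select_profile(profiles, conn):
    """Return the first profile whose filter matches, else 'default'."""
    for name, params in profiles.items():
        if name == "default":
            continue
        flt = params.get("filter")
        if not flt:
            continue  # filter is mandatory; such a profile is never applied
        if filter_matches(flt, conn):
            return name
    return "default"


PROFILES = parse_profiles(SAMPLE_PROFILES_CONF)

if __name__ == "__main__":
    print(select_profile(PROFILES, Connection(ssid="Guest-SSID")))  # guest
    print(profiles_missing_filter(PROFILES))                        # ['broken']
```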
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have these important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.
httpd.portal is used to manage the PacketFence captive portal interface.
httpd.webservices is used to manage the PacketFence web services interface.
httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.
Workgroup is the workgroup of your domain in the old syntax (like NT4).
DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
This server's name is the name that the server's account will have in your Active Directory.
DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
Username is the username that will be used for binding to the server. This account must be a domain administrator.
Password is the password for the username defined above.
Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.
Realm options are any realm options that you want to add to the FreeRADIUS configuration.
Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0
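Before running the join, it is worth checking that the three places where the domain is named agree: the Kerberos default_realm, the smb.conf realm and workgroup, and the two PacketFence realms (DNS name and workgroup) described under Multiple domains authentication above. The following Python checker is an added example, not PacketFence code; the config texts are constructed, and PF_REALMS is an assumed simplification of what Configuration → Realms holds.

```python
"""Added example, not PacketFence code: cross-check that krb5.conf,
smb.conf and the two PacketFence realms (DNS name and workgroup) agree
before attempting the domain join.  All inputs below are constructed."""
import configparser
import re

KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET
"""

SMB_CONF = """\
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 realm = DOMAIN.NET
 winbind use default domain = yes
 machine password timeout = 0
"""

# Constructed stand-in for the realms created in Configuration -> Realms:
# one for the DNS name and one for the workgroup, tied to the same domain.
PF_REALMS = [
    {"realm": "DOMAIN.NET", "domain": "corp"},
    {"realm": "DOMAIN", "domain": "corp"},
]


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value}}, with
    'name = { ... }' blocks kept as nested dicts; comments are skipped."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def parse_smb_global(text):
    """Return the [global] section of smb.conf as a dict, ignoring indentation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(ln.strip() for ln in text.splitlines()))
    return dict(cp["global"])


def check_domain_config(krb5_text, smb_text, pf_realms):
    """Return a list of findings; an empty list means the three agree."""
    findings = []
    krb5 = parse_krb5(krb5_text)
    smb = parse_smb_global(smb_text)
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    smb_realm = smb.get("realm", "")
    workgroup = smb.get("workgroup", "")

    if smb.get("security") != "ads":
        findings.append("smb.conf: 'security = ads' is required for a domain member")
    if default_realm != smb_realm:
        findings.append(f"realm mismatch: krb5 default_realm={default_realm!r}, "
                        f"smb.conf realm={smb_realm!r}")
    if not default_realm.isupper() or not workgroup.isupper():
        findings.append("Kerberos realm and workgroup should be upper-case")
    realm_block = krb5.get("realms", {}).get(default_realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        findings.append(f"krb5.conf: no [realms] entry with a kdc for {default_realm!r}")

    # PacketFence needs one realm for the FQDN and one for the workgroup,
    # both pointing at the same domain definition.
    configured = {r["realm"].upper(): r["domain"] for r in pf_realms}
    for needed, what in ((smb_realm, "DNS name"), (workgroup, "workgroup")):
        if needed.upper() not in configured:
            findings.append(f"PacketFence: missing realm {needed!r} ({what})")
    domains = {configured[k] for k in (smb_realm.upper(), workgroup.upper())
               if k in configured}
    if len(domains) > 1:
        findings.append("PacketFence: the two realms point at different domains")
    return findings


if __name__ == "__main__":
    print(check_domain_config(KRB5_CONF, SMB_CONF, PF_REALMS))  # []
```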
Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:
    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser

    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
            User-Name = "myDomainUser"
            NAS-IP-Address = 10.0.0.1
            NAS-Port = 12
            Message-Authenticator = 0x00000000000000000000000000000000
            MS-CHAP-Challenge = 0x79d62c9da4e55104
            MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your user's entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as a NT-HASH or as cleartext.
    ldap openldap {
            server = "ldap.acme.com"
            identity = "uid=admin,dc=acme,dc=com"
            password = "password"
            basedn = "dc=district,dc=acme,dc=com"
            filter = "(uid=%{mschap:User-Name})"
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
            tls {
            }
            dictionary_mapping = ${confdir}/ldap.attrmap
            edir_account_policy_check = no
            keepalive {
                    # LDAP_OPT_X_KEEPALIVE_IDLE
                    idle = 60
                    # LDAP_OPT_X_KEEPALIVE_PROBES
                    probes = 3
                    # LDAP_OPT_X_KEEPALIVE_INTERVAL
                    interval = 3
            }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:

    authorize {
            suffix
            ntdomain
            eap {
                    ok = return
            }
            files
            openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note: This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
            # Disable ntlm_auth
            update control {
                    &MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    # Check password table with email and password for a sponsor registration
                    pfguest
                    if (fail || notfound) {
                            # Check password table with email and password for a guest registration
                            pfsponsor
                            if (fail || notfound) {
                                    # Don't check activation table with phone number and PIN code
                                    #pfsms   <--- This line was commented out
                                    if (fail || notfound) {
                                            update control {
                                                    &MS-CHAP-Use-NTLM-Auth := Yes
                                            }
                                    }
                            }
                    }
            }
    }

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
            # Disable ntlm_auth
            update control {
                    MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    update control {
                            MS-CHAP-Use-NTLM-Auth := Yes
                    }
            }
    }

Caution: You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    # radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
            User-Name = "dd9999"
            User-Password = "Abcd1234"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note: When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

  Billing: Allows to define a module based on one or more billing sources.

  Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

  Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, …).

  Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

Prompting for fields without authentication
Prompting additional fields during the authentication
Chained authentication
Mixing login and Secure SSID on-boarding on the portal
Displaying a message to the user after the registration
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules and click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Then submitting this information will assign you the role and access duration that you defined in the null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note: Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, …).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, …) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow for devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should it choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

    Hello World! <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.
ex: pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, …).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Debugging

Log files

Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log - PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access - Apache - Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error - Apache - Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access - Apache - Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error - Apache - Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access - Apache - Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error - Apache - Webservices Error Log
    /usr/local/pf/logs/httpd.aaa.access - Apache - AAA Access Log
    /usr/local/pf/logs/httpd.aaa.error - Apache - AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 MAC address authorized on the voice VLAN and 1 on the access VLAN.
Note: Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. The multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC will connect, we will be able to return standard RADIUS tunnel attributes to the switch, that will be the untagged VLAN.

Note: Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned on the registration VLAN).
Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.
After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking to configure will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

Billing source(s)
Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note: This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the Change password link and change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My Account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution: The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:

- Identity token is the one you noted on the Website Payment Preferences page.
- Cert ID is the one you noted on the Encrypted Payment Settings page.
- Payment type is whether the access is donation based (not mandatory to pay for it).
- Email address is the email address of the merchant Paypal account.
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default).
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Stripe

Stripe account

First, go on https://dashboard.stripe.com/, create an account and log in.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:

- Secret key is the secret key you got from your Stripe account.
- Publishable key is the publishable key you got from your Stripe account.
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using the test key and secret.

Authorize.net

Creating an account

First, go on https://account.authorize.net/ to sign up for a merchant account, or http://developer.authorize.net/ for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of them for usage in the PacketFence configuration.

Then, log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:

- API login ID is the one you got earlier while creating your account.
- Transaction key is the one you got earlier while creating your account.
- MD5 hash is the one you configured in your Authorize.net account.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which define the price and the target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier.
- Name is the friendly name of the billing tier.
- Description is an extended description of the billing tier.
- Price is the amount that will be charged to the user.
- Access duration is the amount of time the user will be granted access to your network.
- Role is the target role the user should be in.
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note: If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.
Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
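Because the plan ID, amount and currency must each match the billing tier, a small cross-check catches a mistyped plan before a customer is charged the wrong amount. This is an added example, not PacketFence code: the tier definitions come from the page, the Stripe plan list is constructed here, and the amount-in-cents convention is an assumption about Stripe's plan objects.

```python
"""Cross-check PacketFence billing tiers against the Stripe plans created for them.

Added example, not PacketFence code. Stripe plan objects are assumed to carry the
amount in the smallest currency unit (cents for USD), so 3.99 must appear as 399.
"""
import configparser
from decimal import Decimal

# Tier prices taken from the page's billing tier example (conf/billing_tiers.conf style).
BILLING_TIERS = """
[simple]
price=3.99
role=guest
access_duration=10Y

[advanced]
price=9.99
role=advanced_guest
access_duration=10Y
"""

# Constructed sample of what the Stripe dashboard holds; the second plan is deliberately
# wrong (899 instead of 999) to show what the check reports.
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 899, "currency": "usd", "interval": "month"},
]
SOURCE_CURRENCY = "USD"   # currency configured on the PacketFence Stripe source


def load_tiers(text):
    """Parse the INI-style tier definitions into {tier_id: Decimal price}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {tier: Decimal(cp[tier]["price"]) for tier in cp.sections()}


def to_minor_units(price):
    """3.99 -> 399; Decimal arithmetic avoids float rounding surprises."""
    return int((price * 100).to_integral_value())


def check_plans(tiers, plans, source_currency):
    """Return a list of mismatch descriptions; an empty list means tiers and plans agree."""
    problems = []
    by_id = {plan["id"]: plan for plan in plans}
    for tier, price in tiers.items():
        plan = by_id.get(tier)
        if plan is None:
            problems.append(f"{tier}: no Stripe plan with this ID")
            continue
        if plan["amount"] != to_minor_units(price):
            problems.append(f"{tier}: plan amount {plan['amount']} != tier price {price}")
        # Stripe reports currencies in lower case; compare case-insensitively.
        if plan["currency"].lower() != source_currency.lower():
            problems.append(f"{tier}: plan currency {plan['currency']} != source {source_currency}")
    for plan_id in sorted(by_id.keys() - tiers.keys()):
        problems.append(f"{plan_id}: Stripe plan has no billing tier")
    return problems


if __name__ == "__main__":
    for problem in check_plans(load_tiers(BILLING_TIERS), STRIPE_PLANS, SOURCE_CURRENCY):
        print(problem)
```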
Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX, XBOX 360, Nintendo DS, Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be
prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

"eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop."

— eduroam, https://www.eduroam.org/

PacketFence supports integration with eduroam: it lets a participating institution authenticate visiting users from other institutions locally, and lets other institutions authenticate its local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:
    client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
    }

    client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

    home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ prefix or an @suffix in the username.

- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam: FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context: eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }
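To check the realm rules above against real user names before touching FreeRADIUS, the following added example (not FreeRADIUS or PacketFence code) mimics the ntdomain and suffix modules, the four realms, the nostrip setting on DEFAULT, and the optional Called-Station-Id check shown later in the authorize section. Case-insensitive realm matching is an assumption about how FreeRADIUS looks realms up.

```python
"""Predict how the eduroam proxy.conf realms on this page route a request.

Added illustration, not FreeRADIUS or PacketFence code. It answers, for a given
User-Name (and optionally the Called-Station-Id), which realm applies, whether the
request stays local or goes to the eduroam pool, and which user name is forwarded.
"""
from typing import NamedTuple, Optional

# Realm -> auth_pool. None means no home server pool, i.e. authenticate locally.
# Keys are lower case because realm names are matched case-insensitively (assumption).
REALMS = {"null": None, "example": None, "example.edu": None, "default": "eduroam"}


class Decision(NamedTuple):
    realm: str
    auth_pool: Optional[str]   # None: processed entirely by the local FreeRADIUS
    forwarded_user: str        # User-Name as the next stage (local auth or proxy) sees it


def find_domain(user_name):
    """ntdomain (prefix, delimiter '\\') runs before suffix (delimiter '@')."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        return domain, user
    return None, user_name   # no domain at all -> realm NULL


def select_realm(user_name, called_station_id=None, restrict_to_eduroam_ssid=False):
    """Apply the NULL / EXAMPLE / example.edu / DEFAULT realm selection from proxy.conf."""
    domain, user = find_domain(user_name)
    if domain is None:
        realm = "NULL"
    elif domain.lower() in REALMS and domain.lower() != "default":
        realm = domain
    else:
        realm = "DEFAULT"          # any other domain is assumed to belong to eduroam
    pool = REALMS[realm.lower()]
    if pool is not None and restrict_to_eduroam_ssid:
        # The commented-out block of the authorize section: a foreign realm seen on an
        # SSID whose Called-Station-Id does not end in "eduroam" gets
        # Proxy-To-Realm := local, which keeps eduroam users off the other SSIDs.
        if called_station_id is None or not called_station_id.lower().endswith("eduroam"):
            return Decision("local", None, user_name)
    # Local realms strip the domain; DEFAULT has "nostrip", so eduroam gets it intact.
    forwarded = user_name if realm == "DEFAULT" else user
    return Decision(realm, pool, forwarded)


if __name__ == "__main__":
    for name in ("bob", "EXAMPLE\\bob", "bob@example.edu", "alice@otheruni.ac.uk"):
        print(name, "->", select_realm(name))
```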
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:
    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( "%{Called-Station-Id}" !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := "local"
        #    }
        #}

        eap {
            ok = return
        }
        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec
        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:
    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprints database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data couldn't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter, which allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution: Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest/user to register using their Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration; modify the App ID & App Secret (given by Google on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration; modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com/. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter in the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps
Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and the inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.
Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
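Whichever of the three techniques delivers the traffic, what pfdhcplistener extracts from it is the MAC-to-IP binding confirmed by the production DHCP server. The following added example (not PacketFence code) parses a DHCP payload the way such a listener must: it reads chaddr, yiaddr and the option-53 message type, records a binding only for a DHCPACK sent by a server, and rejects malformed option areas; the sample packet is constructed by build_ack, not captured.

```python
"""Extract MAC-to-IP bindings from DHCP traffic, as pfdhcplistener does for PacketFence.

Added example, not PacketFence code. It parses raw DHCP (BOOTP) payloads and records
which IP (yiaddr) the production DHCP server handed to which client MAC (chaddr).
"""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
DHCPACK = 5


def parse_options(data):
    """Decode the TLV option area; raises ValueError on a truncated option."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload):
    """Return the fields a DHCP listener cares about from a UDP port 67/68 payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen = struct.unpack("!BBB", payload[:3])
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet client hardware addresses are handled")
    yiaddr = IPv4Address(payload[16:20])          # "your" IP: the assigned address
    chaddr = payload[28:28 + hlen]                 # client hardware address
    opts = parse_options(payload[240:])
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None
    server = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    return {
        "op": op,
        "type": msg_type,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "ip": yiaddr,
        "lease_time": lease,
        "server": server,
    }


def record_binding(table, payload):
    """Update table (mac -> (ip, lease_time)) from one payload; return the entry or None."""
    msg = parse_dhcp(payload)
    # Only a server reply (op=2) of type ACK is an authoritative assignment; a client
    # REQUEST may still be refused, so it must not touch the table.
    if msg["op"] != 2 or msg["type"] != DHCPACK or msg["ip"] == IPv4Address("0.0.0.0"):
        return None
    table[msg["mac"]] = (str(msg["ip"]), msg["lease_time"])
    return table[msg["mac"]]


def build_ack(mac, ip, server_ip, lease_seconds, xid=0x3903F326):
    """Construct a sample DHCPACK payload (a test fixture, not a captured packet)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)        # op=2 (BOOTREPLY)
    header += bytes(4) + IPv4Address(ip).packed + IPv4Address(server_ip).packed + bytes(4)
    header += chaddr + bytes(64) + bytes(128)                        # sname, file unused
    options = (bytes([OPT_MSG_TYPE, 1, DHCPACK])
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_ip).packed
               + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    bindings = {}
    record_binding(bindings, build_ack("00:11:22:33:44:55", "10.0.101.50", "10.0.101.1", 3600))
    print(bindings)
```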
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the
registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0
    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note: PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
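The networks.conf rules above (a routed network needs a next_hop, its dns must be one of the local internal interfaces, and the DHCP range must sit inside the subnet) are easy to get wrong by hand, and the access-router ACL has to be derived from the same values. This added example (not PacketFence code) validates the page's sections against the pf.conf internal interface IPs and generates the VLAN 20 style ACL for any routed entry; the networks.conf text is a constructed copy of the page's entries.

```python
"""Check conf/networks.conf routed-network entries and derive the access-router ACL.

Added example, not PacketFence code. It applies the consistency rules the page states
and emits the Cisco-style ACL and helper-address lines shown for the VLAN 20 network.
"""
import configparser
import ipaddress

# Constructed sample: one local and one routed registration network from the page.
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
"""
# IPs of the pf.conf internal interfaces: dhcpd and the DNS spoofing listen only here.
INTERNAL_IPS = {"192.168.2.1", "192.168.3.1"}


def load_networks(text):
    """Parse networks.conf into {section_name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_network(name, net, internal_ips):
    """Return a list of problems for one section; an empty list means it is consistent."""
    problems = []
    subnet = ipaddress.ip_network(f"{name}/{net['netmask']}", strict=False)
    gateway = ipaddress.ip_address(net["gateway"])
    if gateway not in subnet:
        problems.append(f"{name}: gateway {gateway} is outside {subnet}")
    start = ipaddress.ip_address(net["dhcp_start"])
    end = ipaddress.ip_address(net["dhcp_end"])
    if not (start in subnet and end in subnet and start < end):
        problems.append(f"{name}: DHCP range {start}-{end} is not inside {subnet}")
    if net["dns"] not in internal_ips:
        problems.append(f"{name}: dns={net['dns']} is not a PacketFence internal interface")
    # A network is local when its gateway is PacketFence itself; otherwise it is routed
    # and PacketFence needs the next_hop (the router on the local internal subnet).
    is_local = net["gateway"] in internal_ips
    next_hop = net.get("next_hop", "")
    if not is_local and not next_hop:
        problems.append(f"{name}: routed network needs next_hop")
    if is_local and next_hop:
        problems.append(f"{name}: local network must not set next_hop")
    return problems


def router_acl(vlan_id, net):
    """ACL and SVI lines that restrict a remote registration/isolation VLAN to PF + DHCP."""
    acl = "PF_" + net["type"].split("-", 1)[1].upper()   # vlan-registration -> PF_REGISTRATION
    return [
        f"ip access-list extended {acl}",
        f" permit ip any host {net['dns']}",
        " permit udp any any eq 67",
        " deny ip any any log",
        f"interface vlan {vlan_id}",
        f" ip address {net['gateway']} {net['netmask']}",
        f" ip helper-address {net['dns']}",
        f" ip access-group {acl} in",
    ]


if __name__ == "__main__":
    networks = load_networks(NETWORKS_CONF)
    for name, net in networks.items():
        print(name, check_network(name, net, INTERNAL_IPS) or "ok")
    print("\n".join(router_acl(20, networks["192.168.20.0"])))
```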
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = soh-server

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start=auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start=auto depend=napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the "EAP Quarantine Enforcement Client"
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when "anti-virus is disabled", and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note: You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem, in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:
- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN
    # the action bloc references the "open" test defined above (the SSID is OPEN)
    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will autoregister the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:
- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer controls whether the original answer of PacketFence is merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    # "!violation" negates the test: the rule applies only when no violation is defined
    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router…).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise, pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).
So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note: Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Chapter 13

Optional components
Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version in the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_5
Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

    # PacketFence OPSWAT Metadefender Cloud integration
    # This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
    source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
    # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
    log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:
    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

    if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

- Type: metascan; Trigger ID: the scan result returned by Metadefender Cloud online
- Type: suricata_md5; Trigger ID: the MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor alerts. syslog is used to forward sensor alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

    # PacketFence IDS integration
    # This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
    source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
    # This line filters on the string "Alert Received"
    filter f_sguil { match("Alert Received"); };
    # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
    log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

    if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

- Type: detect; Trigger ID: the IDS triggered rule ID
- Type: suricata_event; Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition:
Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by a comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases:

- A device that has generated Peer-to-peer traffic and that is using Mac OS X.
- A device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated:
Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this amount of times, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (ie. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (optional)
- OS: only devices with this Operating System will be affected (optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan after registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to Nessus scan
- Password: password to connect to Nessus scan
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to OpenVAS scan
- Password: password to connect to OpenVAS scan
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:

- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

    request: select * from Win32_Product

Rules Actions:

    [Google]
    attribute = Caption
    operator = match
    value = Google

    [1:Google]
    action = trigger_violation
    action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

    request: select UserName from Win32_ComputerSystem
Rules Actions:

    [UserName]
    attribute = UserName
    operator = match
    value = (.*)

    [1:UserName]
    action = dynamic_register_node
    action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following: retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

    request: select Name from Win32_Process

Rules Actions:

    [explorer]
    attribute = Name
    operator = match
    value = explorer.exe

    [1:explorer]
    action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand.

The request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (ie [explorer]) and the action bloc (ie [1:explorer]).
The test bloc is a simple test based on the result of the request:

- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

    trigger=Nessus::<violationId>

Using OpenVAS:

    trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

    $ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

    Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

- DIRECTION: you can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB)
- INTERVAL: this is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y)

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

    Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

    Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:
    Accounting::TOT200GB1W
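The following added example (not PacketFence's own code) parses these trigger strings and checks constructed accounting records against them, so the effect of DIRECTION, LIMIT and INTERVAL can be seen on sample data. The 1024-based byte units and the 30-day month / 365-day year are assumptions of this example, as are the records themselves.

```python
"""Parse PacketFence accounting triggers (Accounting::<DIRECTION><LIMIT><INTERVAL>)
and check a node's accounting records against them. Added example, not
PacketFence's own code; the records, the byte units (powers of 1024) and the
month/year lengths (30/365 days) are assumptions made here."""
import re
from datetime import datetime, timedelta

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVALS = {"D": timedelta(days=1), "W": timedelta(weeks=1),
             "M": timedelta(days=30), "Y": timedelta(days=365)}
# DIRECTION, LIMIT (number + unit) and the optional INTERVAL (number + D/W/M/Y)
TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")

GB, MB = UNITS["GB"], UNITS["MB"]
NOW = datetime(2016, 6, 15, 12, 0)
# Constructed accounting rows: (time, mac, bytes downloaded, bytes uploaded).
# IN in a trigger means download and OUT upload, as the guide defines them.
RECORDS = [
    (datetime(2016, 6, 15, 9, 0), "aa:bb:cc:dd:ee:ff", 30 * GB, 100 * MB),
    (datetime(2016, 6, 10, 18, 0), "aa:bb:cc:dd:ee:ff", 25 * GB, 200 * MB),
    (datetime(2016, 4, 1, 12, 0), "aa:bb:cc:dd:ee:ff", 100 * GB, 1 * GB),
    (datetime(2016, 6, 15, 9, 0), "11:22:33:44:55:66", 1 * GB, 50 * MB),
]

def parse_trigger(trigger):
    """Return (direction, limit in bytes, window as timedelta or None)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not an accounting trigger: " + trigger)
    direction, qty, unit, count, period = m.groups()
    window = int(count) * INTERVALS[period] if count else None  # None: all time
    return direction, int(qty) * UNITS[unit], window

def usage(records, mac, direction, window, now=NOW):
    """Sum the bytes of one node in the given direction over the window."""
    start = now - window if window else None
    total = 0
    for when, rec_mac, down, up in records:
        if rec_mac != mac or when > now or (start and when < start):
            continue
        total += {"IN": down, "OUT": up, "TOT": down + up}[direction]
    return total

def check_trigger(records, mac, trigger, now=NOW):
    """Return (exceeded, bytes used) for one node against one trigger."""
    direction, limit, window = parse_trigger(trigger)
    used = usage(records, mac, direction, window, now)
    return used > limit, used
```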
Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (ie. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

    0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different access to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guests managers to create single accounts, multiple accounts using a prefix (ie. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system, since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as the SMTP server, make sure that an MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
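The duration grammar above, worked through in Python. This is an added example written for this edition, not code from PacketFence: it parses an access-duration string and computes the resulting expiry from a given reference time, following the description above (a fixed base F counts from now, a relative base R from the beginning of the current unit with weeks starting on Monday, and the extension is then added or subtracted). The boundary handling PacketFence's own implementation applies may differ in details; SAMPLE_NOW is a constructed reference time.

```python
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(
    r"^(?P<n>\d+)(?P<unit>[smhDWMY])"
    r"(?:(?P<base>[FR])(?P<op>[+-])(?P<ext_n>\d+)(?P<ext_unit>[DWMY]))?$"
)

SAMPLE_NOW = datetime(2016, 6, 15, 10, 30)  # constructed reference time, a Wednesday


def add_units(dt, n, unit):
    """Add n units to dt. Months and years are calendar-aware: the day is
    clamped to the last day of the target month (Jan 31 + 1M -> Feb 29/28)."""
    if unit == "s":
        return dt + timedelta(seconds=n)
    if unit == "m":
        return dt + timedelta(minutes=n)
    if unit == "h":
        return dt + timedelta(hours=n)
    if unit == "D":
        return dt + timedelta(days=n)
    if unit == "W":
        return dt + timedelta(weeks=n)
    if unit in ("M", "Y"):
        months = n * (12 if unit == "Y" else 1)
        total = dt.year * 12 + (dt.month - 1) + months
        year, month0 = divmod(total, 12)
        day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
        return dt.replace(year=year, month=month0 + 1, day=day)
    raise ValueError(f"unknown unit {unit!r}")


def period_start(dt, unit):
    """Beginning of the period of the given unit that contains dt (relative
    base R). Weeks start on Monday, as the guide states."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day0 = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day0
    if unit == "W":
        return day0 - timedelta(days=day0.weekday())
    if unit == "M":
        return day0.replace(day=1)
    if unit == "Y":
        return day0.replace(month=1, day=1)
    raise ValueError(f"unknown unit {unit!r}")


def access_end(spec, now):
    """Expiry for an access-duration string, counted from now.
    Raises ValueError for strings that do not follow the grammar."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"invalid access duration {spec!r}")
    n, unit = int(m["n"]), m["unit"]
    if m["base"] is None:
        return add_units(now, n, unit)  # plain duration, counted from now
    base = now if m["base"] == "F" else period_start(now, unit)
    end = add_units(base, n, unit)
    sign = 1 if m["op"] == "+" else -1
    return add_units(end, sign * int(m["ext_n"]), m["ext_unit"])


def validate_choices(choices):
    """Check an access_duration_choices value (comma separated, as in pf.conf)
    and return the entries that do not parse, so a bad entry is caught before
    it is offered in the admin GUI."""
    return [c.strip() for c in choices.split(",") if not DURATION_RE.match(c.strip())]


if __name__ == "__main__":
    for spec in ("12h", "1D", "1DF+1D", "1WR+1D", "1MR-1D"):
        print(f"{spec:8s} -> {access_end(spec, SAMPLE_NOW)}")
    print(validate_choices("1h,3h,12h,1D,2D,3D,5D"))
```

"1MR-1D" is the useful idiom here: it ends access at the start of the last day of the current month whatever the current date is, whereas "1MF" always gives one calendar month from the moment of registration.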
Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as the SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any certificate: the PacketFence server's TLS certificate is not validated
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] holds the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General
Name: PacketFence-Unreg_node-for-deleted-account
Check "Run whether user is logged on or not"
Check "Run with highest privileges"

Triggers → New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings
At the bottom, select "Run a new instance in parallel" in the list, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any certificate: the PacketFence server's TLS certificate is not validated
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] holds the name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General
Name: PacketFence-Unreg_node-for-disabled-account
Check "Run whether user is logged on or not"
Check "Run with highest privileges"

Triggers → New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings
At the bottom, select "Run a new instance in parallel" in the list.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any certificate: the PacketFence server's TLS certificate is not validated
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] holds the name of the locked account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General
Name: PacketFence-Unreg_node-for-locked-account
Check "Run whether user is logged on or not"
Check "Run with highest privileges"

Triggers → New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings
At the bottom, select "Run a new instance in parallel" in the list.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP server is listening (use "C:\udp-reflector\udp_reflector.exe -l" to list the interfaces) and 192.168.1.5 is the management IP of your PacketFence server.
Then run: nssm install udpreflector

In Application:
In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:
In Startup type, select Automatic

In Log on:
In Log on as, select Local System account

Then press "Install service".

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First, download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First, make sure you have the following packages installed: libpcap, libpcap-devel, gcc-c++

Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local, where pcap0 is the pcap interface your DHCP server listens on (list them using "udp_reflector -l") and 192.168.1.5 is the management IP of your PacketFence server:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin Access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and is configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence's initial installation.
Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.
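The per-port rate check behind trap_limit_threshold, as an added example in Python (not PacketFence's own trap handling code), run over constructed trap arrivals so the reader can see which port trips the limit and why the spacing of the traps matters as much as their number. The switch addresses, ifIndex values and arrival times are constructed; the window of one minute and the "over 100 traps" threshold are those of the default configuration above.

```python
from collections import defaultdict, deque


def trap_limit_check(traps, threshold=100, window_seconds=60):
    """Sliding-window count of SNMP traps per (switch, port).

    traps: iterable of (arrival_time_seconds, switch_ip, ifIndex) in arrival order.
    Returns {(switch_ip, ifIndex): count} for every port whose trap count inside
    some window_seconds interval went over threshold (strictly more than
    threshold, matching "over 100 traps" above), with the count at the moment
    the limit was first crossed. A port is reported once; later traps do not
    re-trigger it, which is what you want before shutting a port or emailing.
    """
    recent = defaultdict(deque)  # per port: arrival times still inside the window
    triggered = {}
    for ts, switch, port in traps:
        key = (switch, port)
        q = recent[key]
        q.append(ts)
        # drop the arrivals that have fallen out of the window
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) > threshold and key not in triggered:
            triggered[key] = len(q)
    return triggered


def sample_traps():
    """Constructed arrivals (not a real capture):
    - 192.168.1.10 ifIndex 10: 120 traps 0.4 s apart -> 101 within a minute, trips
    - 192.168.1.10 ifIndex 11: 80 traps 1 s apart    -> never above 100
    - 192.168.1.20 ifIndex 3:  150 traps 1 s apart   -> at most 60 per minute, no trip
    """
    traps = []
    traps += [(i * 0.4, "192.168.1.10", 10) for i in range(120)]
    traps += [(i * 1.0, "192.168.1.10", 11) for i in range(80)]
    traps += [(i * 1.0, "192.168.1.20", 3) for i in range(150)]
    return sorted(traps)  # merge the three streams into arrival order


if __name__ == "__main__":
    for (switch, port), count in trap_limit_check(sample_traps()).items():
        print(f"trap limit reached: switch {switch} ifIndex {port} ({count} traps in a minute)")
```

The third port never trips even though it sends the most traps in total, because the check is a rate per window and not a lifetime count; lowering the threshold to 60 still leaves it untouched, while a threshold of 50 catches all three.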
MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO wait is peaking at 20%; this is not good. If your IO wait is low but your MySQL is taking more than 50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
# /etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON

Startup MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52

# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql
Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error, and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:
mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak
Additional Information

For more information, please consult the mailing archives or post your questions to them. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.
GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                       | manage the cache subsystem
 checkup                     | perform a sanity checkup and report any problems
 class                       | view violation classes
 configfiles                 | push or pull configfiles into/from database
 configreload                | reload the configution
 floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
 help                        | show help for pfcmd commands
 ifoctetshistorymac          | accounting history
 ifoctetshistoryswitch       | accounting history
 ifoctetshistoryuser         | accounting history
 import                      | bulk import of information into the database
 ipmachistory                | IP/MAC history
 locationhistorymac          | Switch/Port history
 locationhistoryswitch       | Switch/Port history
 networkconfig               | query/modify network configuration parameters
 node                        | manipulate node entries
 pfconfig                    | interact with pfconfig
 portalprofileconfig         | query/modify portal profile configuration parameters
 reload                      | rebuild fingerprint or violations tables without restart
 service                     | start/stop/restart and get PF daemon status
 schedule                    | Nessus scan scheduling
 switchconfig                | query/modify switches.conf configuration parameters
 version                     | output version information
 violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option

The "node view" option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
 -deauthenticate        de-authenticate a dot11 client
 -deauthenticateDot1x   de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
 -getAlias              show the description of the specified switch port
 -getAllMACs            show all MACs on all switch ports
 -getHubs               show switch ports with several MACs
 -getIfOperStatus       show the operational status of the specified switch port
 -getIfType             show the ifType on the specified switch port
 -getLocation           show at which switch port the MAC is found
 -getSwitchLocation     show SNMP location of specified switch
 -getMAC                show all MACs on the specified switch port
 -getType               show switch type
 -getUpLinks            show the upLinks of the specified switch
 -getVersion            show switch OS version
 -getVlan               show the VLAN on the specified switch port
 -getVlanType           show the VLAN type on the specified port
 -help                  brief help message
 -isolate               set the switch port to the isolation VLAN
 -man                   full documentation
 -reAssignVlan          re-assign a switch port VLAN
 -reevaluateAccess      reevaluate the current VLAN or firewall rules of a given MAC
 -runSwitchMethod       run a particular method call on a given switch (FOR ADVANCED PURPOSES)
 -setAlias              set the description of the specified switch port
 -setDefaultVlan        set the switch port to the default VLAN
 -setIfAdminStatus      set the admin status of the specified switch port
 -setVlan               set VLAN on the specified switch port
 -setVlanAllPort        set VLAN on all non-UpLink ports of the specified switch

Options:
 -alias            switch port description
 -ifAdminStatus    ifAdminStatus
 -ifIndex          switch port ifIndex
 -mac              MAC address
 -showPF           show additional information available in PF
 -switch           switch description
 -verbose          log verbosity level
                    0 : fatal messages
                    1 : warn messages
                    2 : info messages
                    3 : debug
                    4 : trace
 -vlan             VLAN id
 -vlanName         VLAN name (as in switches.conf)
About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs:

Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration.
Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
CREDITS: This is, at least, a partial file of PacketFence contributors.
NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.
UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.
ChangeLog: Covers all changes to the source code.
Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security, while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
Depending on your setup you may have to install additional components like:
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architectures:
- RedHat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
RedHat-based systems
Note
Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x
Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
RedHat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from RedHat, you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL/CentOS
In order to use the PacketFence repository:
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator.
Debian
For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's mac address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of:
- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class upper than B
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP) which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. Most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have 802.1X supplicant which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendor to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fallback to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printer or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to setup the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence which creates user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
Web Auth mode
Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change of VLAN ID but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP
Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence,
we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.
linkUp/linkDown traps (deprecated)
This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical
SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes. And every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this generates unfortunately some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps
If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.
If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter is working like a trigger and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC: a mac address that will be put in inline enforcement technique rather than VLAN enforcement, and SSID: an ssid name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55
This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN or the inline VLAN if defined in switch configuration) and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
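The trigger evaluation described above, as an added example (not PacketFence's own code): it parses a trigger string and decides whether a given connection should get inline enforcement. It assumes the comma-separated "TYPE::value" syntax of the example trigger, a first-match-wins evaluation, and that MAC addresses may arrive in any common notation.

```python
"""Evaluate a "Trigger to enable inline mode" string against a connection.

Added example, not PacketFence code. Assumes the trigger is a comma-separated
list of TYPE::value items with TYPE in ALWAYS, PORT, MAC, SSID, as in the
guide's example "SSID::GuestAccess,MAC::00:11:22:33:44:55".
"""
import re
from dataclasses import dataclass

VALID_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-33-44-55' equals '00:11:22:33:44:55'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_triggers(trigger: str) -> list:
    """Parse 'TYPE::value,TYPE::value' into (type, value) pairs; ALWAYS has no value.

    Malformed items raise ValueError instead of being silently ignored, so a
    typo in the switch configuration cannot quietly disable inline enforcement.
    """
    pairs = []
    for item in trigger.split(","):
        item = item.strip()
        if not item:
            continue
        if item.upper() == "ALWAYS":
            pairs.append(("ALWAYS", ""))
            continue
        if "::" not in item:
            raise ValueError(f"malformed trigger item: {item!r}")
        kind, value = item.split("::", 1)
        kind, value = kind.strip().upper(), value.strip()
        if kind not in VALID_TYPES or not value:
            raise ValueError(f"malformed trigger item: {item!r}")
        if kind == "MAC":
            value = normalize_mac(value)
        elif kind == "PORT" and not value.isdigit():
            raise ValueError(f"PORT trigger needs a numeric ifIndex: {item!r}")
        pairs.append((kind, value))
    return pairs


@dataclass
class Connection:
    """What the NAS tells PacketFence about an endpoint (constructed sample type)."""
    mac: str
    ssid: str = ""      # empty for wired connections
    if_index: int = 0   # switch port ifIndex, 0 when unknown


def use_inline(trigger: str, conn: Connection) -> bool:
    """Return True when any trigger item matches the connection (first match wins)."""
    mac = normalize_mac(conn.mac)
    for kind, value in parse_triggers(trigger):
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and value == mac:
            return True
        if kind == "SSID" and value == conn.ssid:   # SSIDs are case-sensitive
            return True
        if kind == "PORT" and int(value) == conn.if_index:
            return True
    return False


if __name__ == "__main__":
    trigger = "SSID::GuestAccess,MAC::00:11:22:33:44:55"
    print(use_inline(trigger, Connection("aa:bb:cc:dd:ee:ff", ssid="GuestAccess")))  # True
    print(use_inline(trigger, Connection("00-11-22-33-44-55", ssid="Corp")))         # True
    print(use_inline(trigger, Connection("aa:bb:cc:dd:ee:ff", ssid="Corp")))         # False
```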
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLAN, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.
5. test
Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLAN or internal roles or ACL on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth2)
- Windows Live (OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one
or more), actions are then applied and rules testing stops across all sources as this is a first match wins operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any users that match in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example
Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.
Now we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database - both using PacketFence's captive portal. From the Configuration → Users → Sources, we select Add source → AD. We provide the following information:
- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then, we add a rule by clicking on the Add rule button and provide the following information:
- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role employee
  - Set unregistration date January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action, and set an access duration for 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then we add a rule:
- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role machineauth
  - Set unregistration date January 1st, 2020
Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.
Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication
This should provide the information about whether or not the username/password combination is valid.
This information is available through the POST fields of the request.
The server should reply with two attributes in a JSON response:
- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}
Authorization
This should provide the actions to apply on a user based on its attributes.
The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.
Sample JSON response, note that not all attributes are necessary, only send back what you need:
{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}
Note
See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.
PacketFence configuration
In PacketFence, you need to configure an HTTP source in order to use an external API.
Here is a brief description of the fields:
- Host: First the protocol, then the IP address or hostname of the API and lastly, the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
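The two actions described above, as an added example that is not PacketFence's addons/example_external_auth: a small HTTP server answering the authentication and authorization calls with the JSON shapes shown. It assumes the POST fields are named username and password, the relative URLs /auth and /authz (both are whatever you enter in the HTTP source), and a constructed in-memory user table.

```python
"""External HTTP API for a PacketFence "External HTTP API" source.

Added example, not PacketFence code. Assumed: POST fields "username" and
"password"; relative URLs /auth (Authentication URL) and /authz
(Authorization URL); the user table below is constructed sample data.
"""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

_SALT = b"constructed-demo-salt"   # a real deployment uses a per-user random salt


def _hash(password: str) -> str:
    """Slow salted hash so stored credentials are not plain text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


# Constructed sample users with the authorization attributes the guide lists.
USERS = {
    "alice": {"hash": _hash("s3cret"),
              "authz": {"access_duration": "1D", "category": "default"}},
    "bob": {"hash": _hash("hunter2"),
            "authz": {"access_level": "ALL", "unregdate": "2030-01-01",
                      "category": "employee"}},
}


def authenticate(fields: dict) -> dict:
    """Authentication action: {"result": 1|0, "message": reason}."""
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    user = USERS.get(username)
    # Always hash and compare (against a dummy for unknown users) so response
    # time does not reveal which usernames exist.
    expected = user["hash"] if user else _hash("")
    if user is not None and hmac.compare_digest(_hash(password), expected):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields: dict) -> dict:
    """Authorization action: only the attributes this user needs, nothing else."""
    username = fields.get("username", [""])[0]
    user = USERS.get(username)
    return dict(user["authz"]) if user else {}


ROUTES = {"/auth": authenticate, "/authz": authorize}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        action = ROUTES.get(self.path)
        if action is None:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_qs(self.rfile.read(length).decode())
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass   # default logging would write request lines; never log POST bodies


if __name__ == "__main__":
    # Constructed listener; put TLS and HTTP basic auth in front of it in practice.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```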
SAML authentication
PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.
First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.
Then, transfer the certificate and CA certificate of the Identity provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.
Where:
- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source which can then be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.
Configure your identity provider according to the generated metadata to complete the Trust between PacketFence and your Identity Provider.
In the case of SimpleSAMLPHP, the following configuration was used in metadata/saml20-sp-remote.php:
$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);
Note
PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.
Passthroughs
In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify
the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:
- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)
and a switch section for each switch (managed by PacketFence) including:
- Switch IP/Mac/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)
Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload
Working modes
There are three different working modes for a switch in PacketFence:
- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
RADIUS
To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
radiusSecret = secretPassPhrase
Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of authorization or Disconnect) as defined in RFC 3576.
SNMP v1, v2c and v3
PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged, you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite
From a switch to PacketFence
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread
Switch Configuration
Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco Switch:
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH
Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd
It can also be done through the Web Administration Interface under Configuration → Switches.
Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:
Format: <rolename>Role=<controller_role>
And you assign it to the global roles parameter or the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
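The following Python example is added here and is not PacketFence code: it models how the default section and a per-switch section of switches.conf combine (a per-switch value overriding the global one), derives the <rolename>Role=<controller_role> mapping described above for a given node category, and flags SNMP settings weaker than the SNMPv3 auth+priv setup shown earlier. The sample configuration is constructed; the SNMPCommunity* keys, the CIDR-range section form and the trap-version fallback are assumptions, not taken from the guide.

```python
"""Resolve effective switches.conf settings and the role mapping for a switch.

Added example, not part of PacketFence. Key names follow the guide where it
lists them; SNMPCommunity*, the CIDR-range section and the trap-version
fallback are assumptions, and every value below is a constructed placeholder.
"""
import configparser
import ipaddress

SAMPLE_SWITCHES_CONF = """
[default]
SNMPVersion = 2c
SNMPCommunityRead = public
SNMPCommunityWrite = private
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.0.10]
type = Cisco::Catalyst_2960
radiusSecret = secretPassPhrase
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPPrivProtocolRead = AES
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
salesRole = sales-only

[192.168.0.20]
type = Cisco::Catalyst_2960
radiusSecret = secretPassPhrase

[10.0.0.0/24]
type = Cisco::Catalyst_2960
SNMPVersion = 3
SNMPVersionTrap = 3
SNMPUserNameRead = readUser
SNMPPrivProtocolRead = AES
SNMPUserNameWrite = writeUser
SNMPPrivProtocolWrite = AES
"""


def load_switches(text):
    """Parse switches.conf text; [default] supplies fallbacks for every switch section."""
    cfg = configparser.ConfigParser(default_section="default", interpolation=None)
    cfg.optionxform = str  # keep CamelCase key names (adminRole, SNMPVersion, ...)
    cfg.read_string(text)
    return cfg


def find_section(cfg, switch_ip):
    """Section covering switch_ip: an exact IP section first, then a CIDR range."""
    if cfg.has_section(switch_ip):
        return switch_ip
    addr = ipaddress.ip_address(switch_ip)
    for name in cfg.sections():
        if "/" not in name:
            continue  # single IP or MAC address section, not a range
        try:
            if addr in ipaddress.ip_network(name, strict=False):
                return name
        except ValueError:
            continue
    return None


def effective_settings(cfg, switch_ip):
    """Merge [default] with the matching switch section; per-switch values win."""
    section = find_section(cfg, switch_ip)
    if section is None:
        return dict(cfg.defaults())
    return dict(cfg[section])  # the section proxy already falls back to [default]


def role_mapping(settings):
    """Turn '<rolename>Role = <controller_role>' keys into {rolename: controller_role}."""
    suffix = "Role"
    return {k[:-len(suffix)]: v for k, v in settings.items()
            if k.endswith(suffix) and len(k) > len(suffix)}


def controller_role(cfg, switch_ip, node_category):
    """Role handed to the switch for a node in node_category, or None if unmapped."""
    return role_mapping(effective_settings(cfg, switch_ip)).get(node_category)


def snmp_findings(cfg, switch_ip):
    """Flag SNMP settings weaker than SNMPv3 with authentication and privacy both ways."""
    s = effective_settings(cfg, switch_ip)
    findings = []
    version = s.get("SNMPVersion", "unset")
    if version != "3":
        findings.append(f"SNMPVersion={version}: community strings travel in cleartext")
    else:
        for direction in ("Read", "Write"):
            if not s.get(f"SNMPPrivProtocol{direction}"):
                findings.append(f"SNMPv3 {direction.lower()} user has no privacy protocol (authNoPriv)")
    # Assumption: traps use SNMPVersionTrap when set, otherwise SNMPVersion.
    if s.get("SNMPVersionTrap", version) != "3":
        findings.append("traps from the switch to PacketFence are not SNMPv3")
    return findings


if __name__ == "__main__":
    cfg = load_switches(SAMPLE_SWITCHES_CONF)
    for ip in ("192.168.0.10", "192.168.0.20", "10.0.0.5"):
        print(ip, "sales ->", controller_role(cfg, ip, "sales"), snmp_findings(cfg, ip))
```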
Portal Profiles
PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:
Redirect URL under Configuration → Portal Profile → Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.
IP under Configuration → Captive portal
This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.
In some cases you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.
When configured, a portal profile will override the default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).
Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:
[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use
Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.
Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:
- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: Network in CIDR format or an IP address
Caution: Node role will take effect only with an 802.1X connection or if you use VLAN filters.
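To make the filter semantics concrete, here is an added Python example (not PacketFence code): it parses profiles.conf-style text and walks the profiles in file order, returning the first one whose filter matches the connection and falling back to the default profile. It covers the four filter kinds listed above (SSID, VLAN, Switch Port, Network in CIDR or single-IP form); the comma-separated multi-filter form with any-match semantics and the context field names are assumptions, and the profile definitions are constructed.

```python
"""Choose the portal profile for a connection using the filter kinds described above.

Added example, not PacketFence code. The connection context keys (ssid, vlan,
switch, port, ip) and the any-match rule for comma-separated filters are
assumptions; the profiles below are constructed.
"""
import configparser
import ipaddress

SAMPLE_PROFILES_CONF = """
[guest_wifi]
description = Guest wireless portal
filter = SSID:Guest-SSID
sources = sms,email

[phones]
description = Phones on the voice VLAN
filter = VLAN:100
sources = null

[lab]
description = Lab switch ports
filter = SwitchPort:192.168.0.10-12,SwitchPort:192.168.0.10-13
sources = ad

[corp_wired]
description = Corporate wired network
filter = Network:10.10.0.0/16
sources = ad
"""


def parse_profiles(text):
    """Return [(name, {param: value}), ...] in file order."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return [(name, dict(cfg[name])) for name in cfg.sections()]


def filter_matches(kind, value, ctx):
    """Evaluate one 'Kind:value' filter against the connection context."""
    if kind == "SSID":
        return ctx.get("ssid") == value
    if kind == "VLAN":
        return ctx.get("vlan") is not None and str(ctx["vlan"]) == value
    if kind == "SwitchPort":
        # <SwitchId>-<Port>: split on the last dash so switch ids may contain dashes
        switch_id, _, port = value.rpartition("-")
        return ctx.get("switch") == switch_id and str(ctx.get("port")) == port
    if kind == "Network":
        # CIDR network or a single IP address (a single address is a host network)
        if not ctx.get("ip"):
            return False
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(value, strict=False)
    return False  # unknown or unsupported filter kind never matches


def profile_applies(profile, ctx):
    """A profile applies when any of its comma-separated filters matches (assumed any-match)."""
    for item in profile.get("filter", "").split(","):
        kind, sep, value = item.strip().partition(":")
        if sep and filter_matches(kind, value.strip(), ctx):
            return True
    return False


def select_profile(profiles, ctx, default="default"):
    """First matching profile in file order, else the default portal profile."""
    for name, profile in profiles:
        if profile_applies(profile, ctx):
            return name
    return default


if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES_CONF)
    print(select_profile(profiles, {"ssid": "Guest-SSID"}))
    print(select_profile(profiles, {"switch": "192.168.0.10", "port": 13}))
```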
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.
In this directory you have these important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.
- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
- httpd.aaa is used to manage incoming RADIUS requests
These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.
Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)
Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.
In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Now execute sysctl -p to apply the configuration.
Next, go in the Administration interface under Configuration → Domains.
Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.
Click Add Domain and fill in the information about your domain.
Where:
- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator.
- Password is the password for the username defined above.
Troubleshooting
In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.
You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u
You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator
Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.
Default domain configuration
You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.
Next, restart PacketFence in Status → Services.
Multiple domains authentication
First, configure your domains in Configuration → Domains.
Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.
Where:
- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated to this realm.
Now create the two other realms associated to your other domains.
You should now have the following realm configuration:
Option 1b: Authentication against Active Directory (AD) in a cluster
Samba/Kerberos/Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:
yum install samba krb5-workstation
For Debian and Ubuntu, do:
apt-get install samba winbind krb5-user
Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).
When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:
kinit administrator
klist
After that, you need to start samba and join the machine to the domain:
service smb start
chkconfig --level 345 smb on
net ads join -U administrator
Note that for Debian and Ubuntu, you will probably have this error:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials
For CentOS/RHEL:
usermod -a -G wbpriv pf
Finally, start winbind and test the setup using ntlm_auth and radtest:
service winbind start
chkconfig --level 345 winbind on
For Debian and Ubuntu:
usermod -a -G winbindd_priv pf
ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
	User-Name = "myDomainUser"
	NAS-IP-Address = 10.0.0.1
	NAS-Port = 12
	Message-Authenticator = 0x00000000000000000000000000000000
	MS-CHAP-Challenge = 0x79d62c9da4e55104
	MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option 2: Local Authentication
Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:
username Cleartext-Password := "password"
Option 3: EAP authentication against OpenLDAP
To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}
Option 4: EAP Guest Authentication on email, sponsor and SMS registration
This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.
First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.
At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note: This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.
In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.
This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
        # Disable ntlm_auth
        update control {
                &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfguest
                if (fail || notfound) {
                        # Check password table with email and password for a sponsor registration
                        pfsponsor
                        if (fail || notfound) {
                                # Don't check activation table with phone number and PIN code
                                #pfsms   <--- This line was commented out
                                if (fail || notfound) {
                                        update control {
                                                &MS-CHAP-Use-NTLM-Auth := Yes
                                        }
                                }
                        }
                }
        }
}

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.
Option 5: EAP Local user Authentication
The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.
In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
                MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := Yes
                }
        }
}

Caution: You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.
Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
	User-Name = "dd9999"
	User-Password = "Abcd1234"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Portal Modules
The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note: When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.
First, a brief description of the available Portal Modules:
- Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
- Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
- Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, ex: you want your users to register via Google+ and pay for their access using PayPal.
- Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.
- Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
  - Billing: Allows to define a module based on one or more billing sources.
  - Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.
  - Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
  - Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.
Examples
This section will contain the following examples:
- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration
Creating a custom root module
First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.
Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.
You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.
Prompting for fields without authentication
In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.
PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.
Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the null source.
Prompting additional fields during the authentication
If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.
You can also add additional mandatory fields to the default policies that are already configured.
This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.
Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.
Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.
Note: Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).
Chained authentication
The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.
This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.
For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.
Then we will create a module that will contain the definition of our SMS registration.
Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.
Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.
Mixing login and Secure SSID on-boarding on the portal
This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password but also give the choice to configure the Secure SSID directly from the portal.
First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.
Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.
Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.
Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.
Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.
Displaying a message to the user after the registration
Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.
Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.
Then put the following in the Message field:
Hello World. <a href="www.packetfence.org">Click here to access the PacketFence website</a>
Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)
The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.
All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.
You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.
In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).
Note: You can find all the authentication objects in /lib/pf/Authentication/Source.
- Sources by class: Allows you to specify the perl class name of the sources you want available, ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Chapter 10: Debugging
Log files
Here are the most important PacketFence log files:
- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache, Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache, Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache, Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache, Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache, Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache, Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache, AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache, AAA Error Log
There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.
RADIUS Debugging
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:
For the authentication radius process:
radiusd -X -d /usr/local/pf/raddb -n auth
For the accounting radius process:
radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.
In order to have an output from raddebug, you need to either:
a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)
Now you can run raddebug easily:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
The above will output FreeRADIUS authentication debug logs for 5 minutes.
Use the following to debug radius accounting:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock
See man raddebug for all the options.
Chapter 11: More on VoIP Integration
VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.
CDP and LLDP are your friend
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.
On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.
VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.
Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.
Note: Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.
MAC Authentication and 802.1X
Cisco hardware
On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.
Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.
Note: Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.
What if the CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Chapter 12
Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.
Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.
Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:
[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click to configure; it will create the secure SSID profile. It is that simple.
Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.
PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.
In order to activate the billing, you will need to configure the following components:
- Billing source(s)
- Billing tier(s)
Configuring a billing source
First, select a billing provider and follow the instructions below.
Paypal
Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.
If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account
To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.
Then, in the Sandbox menu, click Accounts.
Create an account that has the type Personal and one that has the type Business.
Afterwards, go back into Accounts, expand the business account, then click Profile.
Now click the Change password link, change the password and note it.
Do the same thing with the personal account you created.
Configuring the merchant account
Log in to the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account or at https://www.paypal.com if you are using a real account.
Next, go in My Account → Profile in order to go into your profile configuration.
Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.
You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.
You should also take note of the Identity Token, as it will be required in the PacketFence configuration.
Next, go back in your profile configuration (My Account → Profile) and select Encrypted Payment Settings.
Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).
Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.
Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution
The certificate will NOT be the same if you use a sandbox account or a real account.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:
- Identity token is the one you noted on the Website Payment Preferences page.
- Cert ID is the one you noted on the Encrypted Payment Settings page.
- Payment type is whether the access is donation based (not mandatory to pay for it).
- Email address is the email address of the merchant Paypal account.
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
- Key file is the path to the PacketFence private key matching that certificate (/usr/local/pf/conf/ssl/server.key by default).
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.
Stripe
Stripe account
First, go on https://dashboard.stripe.com, create an account and log in.
Next, on the top right, click Your account, then Account settings.
Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:
- Secret key is the secret key you got from your Stripe account.
- Publishable key is the publishable key you got from your Stripe account.
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using the test key and secret.
Authorize.net
Creating an account
First, go on https://account.authorize.net to sign up for a merchant account, or on http://developer.authorize.net for a sandbox account.
After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.
Then log in to your new account.
Then, under Account, click Settings.
On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.
PacketFence configuration
Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:
- API login ID is the one you got earlier while creating your account.
- Transaction key is the one you got earlier while creating your account.
- MD5 hash is the one you configured in your Authorize.net account.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.
Mirapay
To be contributed
Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.
In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.
Where:
- Billing tier is the unique identifier of the billing tier.
- Name is the friendly name of the billing tier.
- Description is an extended description of the billing tier.
- Price is the amount that will be charged to the user.
- Access duration is the amount of time the user will be granted access to your network.
- Role is the target role the user should be in.
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.
Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.
Billing tier
When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 10 or 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.
You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=Click here if you are rich
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
Stripe configuration
Then, in your Stripe dashboard, you should go in Subscriptions → Plans.
Then create a new plan.
Where:
- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.
Now, following the same procedure, create the advanced plan.
Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.
Updates are sent using HTTP requests on a public IP.
You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.
In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.
Where:
- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe.
- Mode is whether this webhook is for testing mode or live mode.
Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
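The webhook endpoint above has to be reachable by anyone on the Internet over plain HTTP on port 80, so an unauthenticated POST claiming that a subscription was cancelled would reach it as easily as a real one. This guide does not say what the /hook/billing/stripe handler checks in this version, so the following is an added example (not PacketFence or Stripe code) of the check a receiver should do before acting on an event: Stripe signs every delivery with a per-endpoint signing secret, an HMAC-SHA256 over the timestamp and the raw body carried in the Stripe-Signature header. The endpoint secret, event body and timestamp below are constructed for the example.

```python
import hashlib
import hmac
import json
import time


def parse_signature_header(header):
    """Stripe-Signature looks like 't=<unix time>,v1=<hex hmac>[,v1=<hex hmac>...]'."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)            # ValueError on garbage: treated as invalid by the caller
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_stripe_signature(payload, header, endpoint_secret, now=None, tolerance=300):
    """HMAC-SHA256 over '<t>.<raw body>' with the endpoint's signing secret, plus a replay window."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if timestamp is None or not signatures or abs(now - timestamp) > tolerance:
        return False
    signed = f"{timestamp}.".encode() + payload
    expected = hmac.new(endpoint_secret.encode(), signed, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, s) for s in signatures)


def handle_stripe_webhook(payload, header, endpoint_secret, now=None):
    """Return the action the hook should take, or None when the delivery is not trusted."""
    if not verify_stripe_signature(payload, header, endpoint_secret, now):
        return None
    event = json.loads(payload)
    if event.get("type") == "customer.subscription.deleted":
        # Unregister the device(s) bound to this customer; that lookup is PacketFence's business.
        return "unregister", event["data"]["object"]["customer"]
    return "ignore", event.get("type")


def sign_like_stripe(payload, endpoint_secret, timestamp):
    """What Stripe does on its side; used here only to build the constructed sample delivery."""
    digest = hmac.new(endpoint_secret.encode(), f"{timestamp}.".encode() + payload,
                      hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


# Constructed sample delivery (not a real Stripe event, customer or secret).
ENDPOINT_SECRET = "whsec_example_only_replace_me"
SAMPLE_EVENT = json.dumps({
    "id": "evt_example_1", "type": "customer.subscription.deleted",
    "data": {"object": {"id": "sub_example_1", "customer": "cus_example_1"}},
}).encode()
SAMPLE_TIME = 1700000000
SAMPLE_HEADER = sign_like_stripe(SAMPLE_EVENT, ENDPOINT_SECRET, SAMPLE_TIME)
```

The signature is computed over the raw request body, so the handler has to verify the bytes it received before parsing them; re-serialising the JSON first would break the check. The timestamp window limits replays of a captured delivery, which matters here because the transport to port 80 is unencrypted.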
Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned to a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
[registration]
device_registration = enabled
device_registration_role = gaming
Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration → Registration section.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
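The portal accepts a MAC address typed by a user and compares its OUI with an authorized list, so the two things that decide what gets registered are how the input is normalised and what the list contains. Here is an added example, not PacketFence's own code, of that check: it accepts the usual notations, rejects anything that is not a MAC, refuses multicast and locally administered addresses (a policy chosen for this example, since such addresses cannot belong to a console's assigned OUI) and then matches the OUI. The allow-list is constructed for the example; confirm the OUIs of the devices you actually want against the IEEE registry.

```python
import re

# Constructed allow-list for this example. An OUI is the first three octets of a MAC;
# these values are illustrative only, so check the IEEE registry for the consoles you admit.
ALLOWED_OUIS = {"00:50:f2", "00:17:ab", "00:1f:a7"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455 and
    return the canonical lower-case colon form, or None when the input is not a MAC."""
    cleaned = (raw or "").strip().lower()
    for sep in (":", "-", "."):
        cleaned = cleaned.replace(sep, "")
    if not _HEX12.match(cleaned):
        return None
    return ":".join(cleaned[i:i + 2] for i in range(0, 12, 2))


def check_device_mac(raw, allowed_ouis=ALLOWED_OUIS):
    """Return (accepted, canonical MAC or reason). The multicast and locally administered
    rejections are this example's policy, not something the guide prescribes."""
    mac = normalize_mac(raw)
    if mac is None:
        return False, "malformed MAC"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return False, "multicast address"
    if first_octet & 0x02:
        return False, "locally administered address"
    if mac[:8] not in allowed_ouis:
        return False, "OUI %s not authorized" % mac[:8]
    return True, mac
```

Keep in mind that the OUI only says who manufactured the interface, and the user types the value in; a laptop user who knows a console OUI can register under the gaming role. The role this feature grants should therefore carry no more network access than a console needs.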
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
— eduroam, https://www.eduroam.org
PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:
client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}
client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied):
proxy.conf example:
home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1    # placeholder value; use the real address of the eduroam server
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}
Define a pool of servers to group your eduroam home servers together:
proxy.conf example:
home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}
Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either with a domain\ prefix or an @suffix in the username.
- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}
# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}
# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}
# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool, and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
authorize {
    # Pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess

    # Uncomment this section if you want to block eduroam users from your other SSIDs.
    # The attribute name (Called-Station-Id) may differ based on your controller.
    #if ( Called-Station-Id !~ /eduroam$/i ) {
    #    update control {
    #        Proxy-To-Realm := local
    #    }
    #}

    eap {
        ok = return
    }

    files
    expiration
    logintime
    packetfence
}
In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:
post-auth {
    exec

    # We skip packetfence when the request is coming from the eduroam servers.
    if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}
# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}
Fingerbank integration
Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.
The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.
Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.
Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.
Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.
Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.
Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.
Settings
Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.
Floating Network Devices
Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.
Caution
Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port like it was before the device was plugged in.
How it works
Configuration:
- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps
When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps
Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices
Here are the settings that are available:
MAC Address: MAC address of the floating device
IP Address: IP address of the floating device (not required, for information only)
trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
pvid: VLAN in which PacketFence should put the port
taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
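The plug/unplug sequence above is a small state machine driven by two SNMP traps, and it is easier to reason about when written out. The following is an added example, not PacketFence's own code, that applies the two trap handlers to a port record: a port-security trap from a listed MAC turns port-security off, sets the PVID, optionally trunks the port with the tagged VLANs, and arms linkdown traps; the linkdown trap puts the saved configuration back. The floating_network_device.conf entries are constructed for the example, using the setting names listed above.

```python
# Constructed floating_network_device.conf content, keyed by MAC (example data only).
FLOATING_DEVICES = {
    "00:1b:2c:3d:4e:5f": {"ip": "10.0.5.7", "trunkPort": "yes", "pvid": "100", "taggedVlan": "110,120"},
    "00:1b:2c:3d:4e:60": {"ip": "", "trunkPort": "no", "pvid": "100", "taggedVlan": ""},
}


def new_port():
    """Port state as PacketFence leaves it for regular devices: port-security on, linkdown traps off."""
    return {"port_security": True, "pvid": None, "trunk": False, "tagged": [], "linkdown_traps": False}


def on_port_security_trap(port, mac):
    """Port-security trap: a listed floating device gets the port reconfigured; any other MAC
    is a regular device and follows the normal registration/isolation VLAN logic."""
    device = FLOATING_DEVICES.get(mac.lower())
    if device is None:
        return "regular-device"
    port["_saved"] = {k: v for k, v in port.items() if not k.startswith("_")}  # restored on unplug
    port["port_security"] = False
    port["pvid"] = int(device["pvid"])
    if device["trunkPort"].lower() == "yes":
        port["trunk"] = True
        port["tagged"] = [int(v) for v in device["taggedVlan"].split(",") if v.strip()]
    port["linkdown_traps"] = True
    port["_floating"] = mac.lower()
    return "floating-device"


def on_linkdown_trap(port):
    """Linkdown trap: only meaningful on a port holding a floating device; put the previous
    configuration back (port-security on, linkdown traps off)."""
    if "_floating" not in port:
        return "ignored"
    saved = port.pop("_saved")
    port.clear()
    port.update(saved)
    return "restored"
```

Note what the first handler gives away: while the floating device is plugged in, port-security is off and every MAC behind the port is accepted, and the only thing that selected this behaviour was the source MAC in the trap. Keep the list of floating MACs short and the ports they are allowed on physically controlled, since a MAC is trivial to spoof.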
OAuth2 Authentication
Note: OAuth2 authentication does not work with Web auth enforcement.
The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.
In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).
Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration; modify the App ID & App Secret (given by Google on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada: google.ca, France: google.fr, etc.).
Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback.
Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration; modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback.
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback.
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL. The state value is the OAuth2 anti-CSRF token: it should be unpredictable and checked again when the provider redirects back to the callback.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback.
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback.
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.
There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.
DNS passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.
mod_proxy passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together, but DNS-based passthroughs have higher priority.
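The same matching decides both the OAuth2 allowed-domain lists above and the Passthroughs/Proxy Passthroughs sections here, so one added example covers both; it is not pfdns or PacketFence code. For a DNS query from a trapped device it returns whether the name gets its real address (DNS passthrough, with a firewall hole to that address), the portal address to be relayed by mod_proxy, or the portal address because the device is simply trapped, with DNS-based entries winning when both lists match. The wildcard semantics (an entry *.x covers x and every name under it) are an assumption of this example; check pfdns on your version. The resolver answers and portal address are constructed.

```python
PORTAL_IP = "192.168.2.1"   # captive portal address on the registration interface (constructed)

# Constructed resolver answers standing in for real DNS (example data only).
UPSTREAM_DNS = {
    "lh3.ggpht.com": "203.0.113.10",
    "android.clients.google.com": "203.0.113.20",
    "www.example.org": "203.0.113.30",
}


def matches(pattern, name):
    """Entry matching as assumed for this example: '*.x' matches x and any name under it,
    a plain entry matches exactly. Case and a trailing dot are ignored."""
    name, pattern = name.rstrip(".").lower(), pattern.strip().lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def answer_for_trapped_device(qname, passthroughs, proxy_passthroughs,
                              resolver=UPSTREAM_DNS, portal_ip=PORTAL_IP):
    """Return (method, address) for a DNS query from a device in the registration/isolation VLAN.
    method is 'dns' (real address plus a firewall hole), 'proxy' (portal address, relayed by
    mod_proxy) or 'portal' (trapped). DNS-based passthroughs win when both lists match."""
    if any(matches(p, qname) for p in passthroughs):
        real = resolver.get(qname.rstrip(".").lower())
        if real is not None:
            return "dns", real          # pfdns answers the real IP; iptables opens a hole to it
    if any(matches(p, qname) for p in proxy_passthroughs):
        return "proxy", portal_ip       # Apache mod_proxy relays the HTTP request for this name
    return "portal", portal_ip          # everything else lands on the captive portal
```

Two consequences are worth keeping in mind when filling the lists. A plain entry such as android.clients.google.com does not cover names beneath it, so a list that mixes plain and wildcard entries should be read literally. And a DNS passthrough opens the firewall to whatever address the name resolves to at that moment; with wildcards on CDN-hosted domains, that address is shared with many other services, so the hole is wider than the name suggests.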
Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.
IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.
By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
Add to pf.conf (the IPs are not important; they are there only so that PacketFence will start):
[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1
Restart PacketFence and you should be good to go.
Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.
On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.
On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:
# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes
Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:
[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4
Repeat the above for all your production VLANs, then restart PacketFence.
Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
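Whichever of the three techniques delivers the traffic, what the listener has to do with it is the same: decode each DHCP message, take the MAC-to-IP binding from the DHCPACK, and keep the client's parameter request list (option 55) and vendor class (option 60), which are the DHCP fingerprint and DHCP vendor ID the Fingerbank section above refers to. The following is an added example of that decoding, not pfdhcplistener's own code; the two messages it parses are constructed in the block (a DHCPREQUEST relayed by an ip helper-address, so giaddr carries the VLAN's router, and the matching DHCPACK), not a real capture.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK",
                 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP message (RFC 2131 fixed header + RFC 2132 options)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("bad hardware address length")
    ciaddr, yiaddr, siaddr, giaddr = (socket.inet_ntoa(payload[o:o + 4]) for o in (12, 16, 20, 24))
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    mtype = options.get(53)
    return {
        "op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr, "giaddr": giaddr,
        "message_type": MESSAGE_TYPES.get(mtype[0], "UNKNOWN") if mtype else None,
        "server_id": socket.inet_ntoa(options[54]) if len(options.get(54, b"")) == 4 else None,
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),  # DHCP vendor ID
        "fingerprint": ",".join(str(b) for b in options.get(55, b"")),     # DHCP fingerprint
    }


def lease_from_message(msg):
    """Only a DHCPACK binds a client MAC to an IP; other message types do not update the map."""
    if msg["message_type"] == "ACK" and msg["yiaddr"] != "0.0.0.0":
        return msg["mac"], msg["yiaddr"]
    return None


def build_dhcp(op, mac, yiaddr, options, xid=0x3903F326, giaddr="0.0.0.0"):
    """Build a message; used here only to construct the sample traffic below."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += b"\0\0\0\0" + socket.inet_aton(yiaddr) + b"\0\0\0\0" + socket.inet_aton(giaddr)
    header += chaddr + bytes(64) + bytes(128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + body + b"\xff"


# Constructed sample: a relayed DHCPREQUEST (giaddr = the VLAN router, as seen through
# ip helper-address) followed by the server's DHCPACK. Not a real capture.
SAMPLE_REQUEST = build_dhcp(1, "00:11:22:33:44:55", "0.0.0.0", [
    (53, b"\x03"), (50, socket.inet_aton("10.0.101.42")), (12, b"LAPTOP-01"), (60, b"MSFT 5.0"),
    (55, bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249])),
], giaddr="10.0.101.1")
SAMPLE_ACK = build_dhcp(2, "00:11:22:33:44:55", "10.0.101.42", [
    (53, b"\x05"), (54, socket.inet_aton("10.0.101.2")), (51, struct.pack("!I", 3600)),
], giaddr="10.0.101.1")
```

A listener like this only observes; it records whatever DHCPACK it sees. A rogue DHCP server on a production VLAN would feed it bindings for addresses it never leased, so DHCP snooping on the switches is what keeps the MAC-to-IP map honest, not the listener.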
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy-to-use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:
    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0
Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:
    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled
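As an added check, not from this guide or from the PacketFence project, here is a small Python validator for the networks.conf layout shown above. It reads a constructed copy of two of the sections (the local 192.168.2.0 network and the routed 192.168.20.0 network) together with the internal interface addresses assumed from the pf.conf excerpt, and flags the mistakes that most often break routed networks: a gateway or DHCP range outside the subnet, a routed network whose next_hop is missing or not on a subnet PacketFence is attached to, and a dns value that is not one of PacketFence's internal interfaces even though named is enabled.

```python
import configparser
import ipaddress

# Constructed sample in the networks.conf layout above (a local and a routed registration network).
SAMPLE_NETWORKS_CONF = """\
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
"""

# Assumed: the PacketFence internal interfaces from the pf.conf excerpt, written as ip/prefix.
LOCAL_INTERFACES = ["192.168.2.1/24", "192.168.3.1/24"]


def check_networks(conf_text, local_interfaces):
    """Return {section: [problem, ...]} for every network section in conf_text."""
    local_nets = [ipaddress.ip_interface(i).network for i in local_interfaces]
    local_ips = {ipaddress.ip_interface(i).ip for i in local_interfaces}
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        s = cp[name]
        errs = []
        net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=True)
        gw = ipaddress.ip_address(s["gateway"])
        start = ipaddress.ip_address(s["dhcp_start"])
        end = ipaddress.ip_address(s["dhcp_end"])
        if gw not in net:
            errs.append("gateway outside subnet")
        if start not in net or end not in net:
            errs.append("DHCP range outside subnet")
        if start > end:
            errs.append("dhcp_start is after dhcp_end")
        if start <= gw <= end:
            errs.append("gateway inside DHCP range")
        if int(s["dhcp_default_lease_time"]) > int(s["dhcp_max_lease_time"]):
            errs.append("default lease longer than max lease")
        # A network is routed when its gateway is not one of PacketFence's own interfaces;
        # it then needs a next_hop that sits on a locally attached PacketFence subnet.
        hop = s.get("next_hop", "").strip()
        if gw not in local_ips:
            if not hop:
                errs.append("routed network needs next_hop")
            elif not any(ipaddress.ip_address(hop) in n for n in local_nets):
                errs.append("next_hop not on a local PacketFence subnet")
        elif hop:
            errs.append("next_hop set on a locally attached network")
        # Clients get dns= as their resolver; with named=enabled it must be a PacketFence internal IP.
        if s.get("named") == "enabled" and ipaddress.ip_address(s["dns"]) not in local_ips:
            errs.append("named enabled but dns is not a PacketFence internal interface IP")
        report[name] = errs
    return report


if __name__ == "__main__":
    for section, problems in check_networks(SAMPLE_NETWORKS_CONF, LOCAL_INTERFACES).items():
        print(section, "OK" if not problems else "; ".join(problems))
```

Run it against your real conf/networks.conf by passing the file contents and the ip/prefix of each internal interface from pf.conf; an empty list per section means the entry is consistent with the helper-address and dns requirements described in the note above.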
DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh=yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example; note that sc expects a space after each "option=" keyword):

    sc config napagent start= auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start= auto depend= napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php
    template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

    ViolationRole
    RegistrationRole
    RegisteredRole
    InlineRole
    AutoRegister
    NodeInfoForAutoReg

And can be defined using different criteria like:
    node_info.attribute (like node_info.status)
    switch
    ifIndex
    mac
    connection_type
    username
    ssid
    time
    owner.attribute (like owner.pid)
    radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default one, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout (the action bloc references the open test defined just below, not the ssid test of the first example):

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
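The value of the time test above ("wd {Mon Tue Wed Thu Fri} hr {11am-2pm}") is written in the period notation of Perl's Time::Period module; that it is the notation PacketFence evaluates is an assumption drawn from the value's syntax. The Python matcher below is an added example, not code from this guide or from PacketFence. It implements only the wd (weekday) and hr (hour) scales, comma-separated alternative sub-periods, ranges that may wrap around (10pm-2am, Fri-Mon) and an inclusive ending hour, so that you can check when a filter such as the first example would fire before deploying it.

```python
import re
from datetime import datetime

# Weekday abbreviations in datetime.weekday() order (0 = Monday); matched on their first two letters.
WEEKDAYS = ["mo", "tu", "we", "th", "fr", "sa", "su"]


def _weekday(tok):
    key = tok.lower()[:2]
    if key not in WEEKDAYS:
        raise ValueError(f"bad weekday {tok!r}")
    return WEEKDAYS.index(key)


def _hour(tok):
    """'11am' -> 11, '2pm' -> 14, '0'..'23' unchanged, plus noon and midnight."""
    tok = tok.lower()
    if tok == "noon":
        return 12
    if tok == "midnight":
        return 0
    m = re.fullmatch(r"(\d{1,2})(am|pm)?", tok)
    if not m:
        raise ValueError(f"bad hour {tok!r}")
    h, ampm = int(m.group(1)), m.group(2)
    if ampm:
        if not 1 <= h <= 12:
            raise ValueError(f"bad hour {tok!r}")
        return h % 12 + (12 if ampm == "pm" else 0)
    if not 0 <= h <= 23:
        raise ValueError(f"bad hour {tok!r}")
    return h


# scale name -> (value converter, modulus used when a range wraps around)
SCALES = {"wd": (_weekday, 7), "hr": (_hour, 24)}


def _expand(values, conv, modulus):
    """Turn 'Mon Wed-Fri' or '10pm-2am' into the set of matching integers."""
    out = set()
    for item in values.split():
        if "-" in item:
            lo, hi = (conv(x) for x in item.split("-", 1))
            i = lo
            while True:  # walk forward, wrapping, until the end value is included
                out.add(i)
                if i == hi:
                    break
                i = (i + 1) % modulus
        else:
            out.add(conv(item))
    return out


def parse_period(spec):
    """Parse 'wd {Mon-Fri} hr {11am-2pm}, wd {Sat Sun}' into a list of {scale: allowed set}."""
    periods = []
    for sub in spec.split(","):
        sub = sub.strip()
        if not sub:
            continue
        if not re.fullmatch(r"(?:\s*\w+\s*\{[^{}]*\})+\s*", sub):
            raise ValueError(f"malformed sub-period {sub!r}")
        constraints = {}
        for scale, values in re.findall(r"(\w+)\s*\{([^{}]*)\}", sub):
            if scale not in SCALES:
                raise ValueError(f"unsupported scale {scale!r}")
            conv, modulus = SCALES[scale]
            constraints[scale] = _expand(values, conv, modulus)
        periods.append(constraints)
    return periods


def in_period(spec, when):
    """True when `when` (a datetime) falls inside any sub-period of `spec`."""
    now = {"wd": when.weekday(), "hr": when.hour}
    return any(all(now[scale] in allowed for scale, allowed in c.items())
               for c in parse_period(spec))


def in_period_at(spec, year, month, day, hour, minute=0):
    """Convenience wrapper taking calendar fields instead of a datetime."""
    return in_period(spec, datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    rule = "wd {Mon Tue Wed Thu Fri} hr {11am-2pm}"
    for stamp in (datetime(2016, 6, 1, 12, 30), datetime(2016, 6, 4, 12, 30)):
        print(stamp, in_period(rule, stamp))
```

Sub-periods separated by commas are alternatives, while the scales inside one sub-period must all hold; "hr {11am-2pm}" therefore covers 11:00 through 14:59, and the weekday comes from the server's local time, which is the clock PacketFence applies the filter with.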
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

    returnRadiusAccessAccept

And can be defined using different criteria like:

    node_info.attribute (like node_info.$attribute)
    switch
    ifIndex
    mac
    connection_type
    username
    ssid
    time
    owner.attribute (like owner.$attribute)
    radius_request.attribute (like radius_request.$attribute)
    violation
    user_role
    vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (core switch, firewall, router, ...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Chapter 13

Optional components
Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence-compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.
Suricata

Installation

Since the suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence-based AND Suricata-based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, it might be an idea to install it):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

    # PacketFence OPSWAT Metadefender Cloud integration
    # This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
    source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
    # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
    log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:
    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

    if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

    Type: suricata_http
    Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

    Type: metascan
    Triggers ID: The scan result returned by Metadefender Cloud online

    Type: suricata_md5
    Trigger ID: The MD5 hash returned by Suricata
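To see what actually reaches the pipe, here is an added Python example (not part of this guide and not PacketFence's own parser) that reads log lines in the layout of Suricata's JSON file events, tolerates the syslog prefix that rsyslog may leave in front of the JSON body, keeps only files whose transfer completed and that carry an MD5, and suppresses repeats of the same hash from the same client so that one download does not raise the same violation twice. The lines are constructed samples, not captured traffic.

```python
import json
import re

# Constructed sample lines in the layout of Suricata's JSON file events (not from a real sensor);
# the first one carries the syslog prefix that rsyslog may leave in front of the JSON body.
SAMPLE_FILES_LOG = """\
Jun  1 10:00:01 sensor suricata_files: {"timestamp":"2016-06-01T10:00:01.000000+0000","event_type":"fileinfo","src_ip":"192.168.20.42","dest_ip":"203.0.113.10","http":{"hostname":"downloads.example.test","url":"/setup.exe"},"fileinfo":{"filename":"setup.exe","state":"CLOSED","md5":"D41D8CD98F00B204E9800998ECF8427E","stored":false,"size":0}}
{"timestamp":"2016-06-01T10:00:02.000000+0000","event_type":"fileinfo","src_ip":"192.168.20.42","dest_ip":"203.0.113.10","http":{"hostname":"downloads.example.test","url":"/setup.exe"},"fileinfo":{"filename":"setup.exe","state":"CLOSED","md5":"d41d8cd98f00b204e9800998ecf8427e","stored":false,"size":0}}
{"timestamp":"2016-06-01T10:00:03.000000+0000","event_type":"fileinfo","src_ip":"192.168.20.43","dest_ip":"203.0.113.11","http":{"hostname":"cdn.example.test","url":"/big.iso"},"fileinfo":{"filename":"big.iso","state":"TRUNCATED","size":12}}
this line is not JSON at all
{"timestamp":"2016-06-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.20.44","dest_ip":"203.0.113.12","alert":{"signature_id":2000000,"signature":"ET P2P test"}}
{"timestamp":"2016-06-01T10:00:05.000000+0000","event_type":"fileinfo","src_ip":"192.168.20.45","dest_ip":"203.0.113.13","http":{"hostname":"cdn.example.test","url":"/tool.zip"},"fileinfo":{"filename":"tool.zip","state":"CLOSED","md5":"9e107d9d372bb6826bd81d3542a419d6","stored":true,"size":4096}}
"""

MD5_RE = re.compile(r"[0-9a-f]{32}")


def parse_file_event(line):
    """Return the JSON object on a log line, or None when the line carries no valid JSON."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def extract_md5_events(log_text, seen=None):
    """Return one event per new (client, md5) pair: completed files only, hashes normalised."""
    seen = set() if seen is None else seen
    events = []
    for line in log_text.splitlines():
        rec = parse_file_event(line)
        if not rec or rec.get("event_type") != "fileinfo":
            continue
        info = rec.get("fileinfo") or {}
        md5 = str(info.get("md5", "")).lower()
        # Only fully seen files carry a trustworthy hash; truncated transfers are skipped.
        if info.get("state") != "CLOSED" or not MD5_RE.fullmatch(md5):
            continue
        key = (rec.get("src_ip"), md5)
        if key in seen:
            continue
        seen.add(key)
        events.append({
            "timestamp": rec.get("timestamp"),
            "src_ip": rec.get("src_ip"),
            "md5": md5,
            "filename": info.get("filename"),
            "size": info.get("size"),
        })
    return events


if __name__ == "__main__":
    for ev in extract_md5_events(SAMPLE_FILES_LOG):
        print(ev["src_ip"], ev["md5"], ev["filename"])
```

The src_ip is what PacketFence needs to map the hash back to a node, so make sure the sensor sees the registration or production subnet addresses rather than a NAT address; passing the same `seen` set across successive reads keeps the de-duplication working when the pipe is read in chunks.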
Security Onion

Installation and Configuration

Security Onion is a Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

    # PacketFence IDS integration
    # This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
    source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
    # This line filters on the string "Alert Received"
    filter f_sguil { match("Alert Received"); };
    # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
    log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

    if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

    Type: security_onion
    Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

    Type: detect
    Triggers ID: The IDS triggered rule ID

    Type: suricata_event
    Trigger ID: The rule class of the triggered IDS alert
Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.

Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated peer-to-peer traffic and that is using MAC OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.

Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
Compliance Checks

PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are now able to create multiple scan engine configurations and assign them to specific captive portals. It means, per example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.

Note: You may run into some issue while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.

For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable wmi on each Windows device with a GPO from Active Directory.
Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

    Name: the name of your scan engine
    Roles: Only devices with these role(s) will be affected (Optional)
    OS: Only devices with this Operating System will be affected (Optional)
    Duration: Approximate duration of the scan (Progress bar on the captive portal)
    Scan before registration: Trigger the scan when the device appears on the registration VLAN
    Scan after registration: Trigger the scan just after registration on the captive portal
    Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
    802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
    802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

    Hostname or IP Address: Hostname or IP Address where Nessus is running
    Username: Username to connect to Nessus scan
    Password: Password to connect to Nessus scan
    Port of the service: port to connect (default 8834)
    Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)

Specific to OpenVAS:

    Hostname or IP Address: Hostname or IP Address where OpenVAS is running
    Username: Username to connect to OpenVAS scan
    Password: Password to connect to OpenVAS scan
    Port of the service: port to connect (default 9390)
    OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server

Specific to WMI:

    Username: A username from Active Directory that is allowed to connect to wmi
    Domain: Domain of the Active Directory
    Password: Password of the account
    WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition
WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you to find and make a rule, you can use a third-party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

    Software_Installed
    logged_user
    Process_Running

Let's take the Software_Installed rule:

    request: select * from Win32_Product

Rules Actions:

    [Google]
    attribute = Caption
    operator = match
    value = Google

    [1:Google]
    action = trigger_violation
    action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

    request: select UserName from Win32_ComputerSystem

Rules Actions:

    [UserName]
    attribute = UserName
    operator = match
    value = (.*)

    [1:UserName]
    action = dynamic_register_node
    action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following: retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

    request: select Name from Win32_Process

Rules Actions:

    [explorer]
    attribute = Name
    operator = match
    value = explorer.exe

    [1:explorer]
    action = allow

This rule will do the following: retrieve all the running processes on the device and if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand.

The request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.

Inside the Rules Actions, we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).

The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. Per example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like that: [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.
RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

Let's explain each chunk properly:

- DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: This is actually the time window we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:
Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
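The trigger format above, worked through in code. This is an added example and not PacketFence's own implementation: it parses Accounting:: triggers into direction, limit and time window, then sums constructed per-session accounting records for one MAC address over that window. The binary size multiples, the 30-day month and 365-day year used for the window, and the strictly-greater-than comparison against the limit are assumptions.

```python
# Added example (not PacketFence code): parse "Accounting::" violation triggers
# and evaluate them against constructed RADIUS accounting records.
import re
from datetime import datetime, timedelta

# Size units as listed in the guide (binary multiples; assumption).
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Interval units as listed in the guide; months and years are approximated
# as fixed-length windows (assumption).
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(
    r"^Accounting::(?P<direction>IN|OUT|TOT)"
    r"(?P<limit>\d+)(?P<size_unit>B|KB|MB|GB|PB)"
    r"(?:(?P<interval>\d+)(?P<interval_unit>D|W|M|Y))?$"
)


def parse_trigger(trigger):
    """Split a trigger such as Accounting::IN50GB1M into its parts.

    Returns the direction, the limit in bytes and the window as a timedelta
    (None when no INTERVAL was given, meaning all accounting history)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"invalid accounting trigger: {trigger!r}")
    window = None
    if m["interval"]:
        days = int(m["interval"]) * INTERVAL_DAYS[m["interval_unit"]]
        window = timedelta(days=days)
    return {
        "direction": m["direction"],
        "limit_bytes": int(m["limit"]) * SIZE_UNITS[m["size_unit"]],
        "window": window,
    }


def counted_bytes(record, direction):
    """Bytes of one accounting record that count for the given direction."""
    if direction == "IN":
        return record["in_bytes"]
    if direction == "OUT":
        return record["out_bytes"]
    return record["in_bytes"] + record["out_bytes"]


def check_trigger(trigger, records, mac, now):
    """Return (violated, total_bytes) for one node against one trigger.

    A record counts when it belongs to the node and falls inside the window
    ending at `now`; the limit is violated when usage strictly exceeds it."""
    t = parse_trigger(trigger)
    cutoff = now - t["window"] if t["window"] is not None else None
    total = sum(
        counted_bytes(r, t["direction"])
        for r in records
        if r["mac"] == mac and (cutoff is None or r["timestamp"] >= cutoff)
    )
    return total > t["limit_bytes"], total


# Constructed sample data: per-session accounting totals, one row per session.
GB = 1024 ** 3
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_NOW = datetime(2016, 6, 15, 12, 0, 0)
SAMPLE_RECORDS = [
    {"mac": SAMPLE_MAC, "timestamp": datetime(2016, 6, 14, 18, 0), "in_bytes": 30 * GB, "out_bytes": 1 * GB},
    {"mac": SAMPLE_MAC, "timestamp": datetime(2016, 6, 10, 9, 0), "in_bytes": 25 * GB, "out_bytes": 2 * GB},
    {"mac": SAMPLE_MAC, "timestamp": datetime(2016, 5, 1, 8, 0), "in_bytes": 100 * GB, "out_bytes": 10 * GB},
    {"mac": "aa:bb:cc:dd:ee:ff", "timestamp": datetime(2016, 6, 14, 18, 0), "in_bytes": 500 * GB, "out_bytes": 0},
]

if __name__ == "__main__":
    for trig in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D",
                 "Accounting::TOT200GB1W", "Accounting::IN50GB"):
        violated, total = check_trigger(trig, SAMPLE_RECORDS, SAMPLE_MAC, SAMPLE_NOW)
        print(f"{trig:24s} usage={total / GB:.2f} GB violated={violated}")
```

With the sample data, the 50GB/month inbound and 500MB/day outbound triggers fire while the 200GB/week total trigger does not; a trigger without an INTERVAL counts every record for the node, which is why the grace period advice above matters once a node is caught.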
Oinkmaster

Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management

PacketFence supports the ability to manage guests by establishing expire dates and assigning different roles which will permit different accesses to the network resources.

Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guests managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet web site: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtp server, make sure that a MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
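The duration format above, worked through in code. This is an added example, not PacketFence's own implementation: it validates the access_duration_choices and default_access_duration settings and computes the access end date for a duration string. The fixed/relative semantics follow the description above as I read it (F counts from the reference time, R from the beginning of the period unit of the first part, then the extended duration is added or subtracted); that reading, and the fixed 30-day month and 365-day year, are assumptions.

```python
# Added example (not PacketFence code): parse the access duration format
#   <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
# and compute access end dates for the [guests_admin_registration] choices.
# The relative/fixed semantics below follow this section's description and
# are an assumption, not the project's own implementation.
import configparser
import re
from datetime import datetime, timedelta

DURATION_RE = re.compile(
    r"^(?P<n>\d+)(?P<unit>[smhDWMY])"
    r"(?:(?P<base>[FR])(?P<op>[+-])(?P<dn>\d+)(?P<dunit>[DWMY]))?$"
)
# Fixed-length units; months and years are approximated (assumption).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 7 * 86400,
                "M": 30 * 86400, "Y": 365 * 86400}


def period_start(ref, unit):
    """Beginning of the period unit containing `ref` (weeks start on Monday)."""
    if unit == "s":
        return ref.replace(microsecond=0)
    if unit == "m":
        return ref.replace(second=0, microsecond=0)
    if unit == "h":
        return ref.replace(minute=0, second=0, microsecond=0)
    day = ref.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # Y


def access_end(spec, ref):
    """Compute when access granted at `ref` with duration `spec` ends."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"invalid access duration: {spec!r}")
    delta = timedelta(seconds=int(m["n"]) * UNIT_SECONDS[m["unit"]])
    base = ref
    if m["base"]:
        # R: count from the beginning of the period unit; F: count from `ref`.
        if m["base"] == "R":
            base = period_start(ref, m["unit"])
        extra = timedelta(seconds=int(m["dn"]) * UNIT_SECONDS[m["dunit"]])
        delta = delta + extra if m["op"] == "+" else delta - extra
    return base + delta


def load_admin_registration(text):
    """Read and validate access_duration_choices / default_access_duration."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["guests_admin_registration"]
    choices = [c.strip() for c in sec["access_duration_choices"].split(",") if c.strip()]
    default = sec["default_access_duration"].strip()
    for c in choices + [default]:
        if not DURATION_RE.match(c):
            raise ValueError(f"invalid duration in configuration: {c!r}")
    if default not in choices:
        raise ValueError("default_access_duration is not one of the choices")
    return choices, default


# Constructed sample matching the defaults shown in this section.
SAMPLE_CONF = """
[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
"""
SAMPLE_REF = datetime(2016, 6, 15, 10, 30)  # a Wednesday

if __name__ == "__main__":
    choices, default = load_admin_registration(SAMPLE_CONF)
    for spec in choices + ["1WR+1D", "3DF+1W", "1MR+1D", "1DR-1D"]:
        print(f"{spec:8s} -> {access_end(spec, SAMPLE_REF)}")
```

The extended forms are where the base matters: from Wednesday 2016-06-15 10:30, "3DF+1W" ends ten days later at 10:30, while "1WR+1D" starts counting from Monday 00:00 and ends on Tuesday 2016-06-21 at midnight. A DATE_UNIT of s, m or h is rejected, as the description limits it to date units.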
Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtp server, make sure that a MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister deleted Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4726 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any TLS certificate presented by the PacketFence server (certificate validation is disabled)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call: unregister every node whose pid is the deleted account name
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Note that Get-EventLog without -Newest returns every matching event still in the Security log, so each run of the task re-submits all of them; limiting the query (for example with -Newest 1) avoids that.

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
  Name: PacketFence-Unreg_node-for-deleted-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges

Triggers → New:
  Begin the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4726

Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:
  At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4725 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any TLS certificate presented by the PacketFence server (certificate validation is disabled)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call: unregister every node whose pid is the disabled account name
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
  Name: PacketFence-Unreg_node-for-disabled-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges

Triggers → New:
  Begin the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4725

Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:
  At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister locked Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4740 |
  Select ReplacementStrings,"Account name" |
  ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any TLS certificate presented by the PacketFence server (certificate validation is disabled)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call: unregister every node whose pid is the locked account name
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
  Name: PacketFence-Unreg_node-for-locked-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges

Triggers → New:
  Begin the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4740
Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings:
  At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than the DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download.

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run:

nssm install udpreflector

In Application:
  In Path, set it to C:\udp-reflector\udpreflector.bat
  In Startup directory, set it to C:\udp-reflector
  In Arguments, set it to nothing

In Details:
  In Startup type, select Automatic

In Log on:
  In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local, where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write" and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. If you need to add some custom rules, you can modify conf/iptables.conf to your own needs; the default template should however work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend to use logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.
Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO Wait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
# /etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52

# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:

/usr/local/bin/pftest mysql
Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop…).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
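The Apache filter blocks above and the WMI "Rules syntax" blocks earlier in this chapter share one shape: named test blocks (attribute or filter, operator, value) combined by an action block whose header carries a logic expression such as get_ua_is_dalvik&get_uri_not_generate204 or !google|(explorer&memory). The following evaluator is an added example, not PacketFence's own code, and serves both passages: it parses the blocks with configparser, runs each test against constructed rows (the rows returned by select Name from Win32_Process for WMI, a single HTTP request for the Apache filters) and evaluates the expression with a small recursive-descent parser rather than eval(). That match/match_not are regular-expression searches, that a test holds when any row satisfies it, and the exact operator precedence are assumptions.

```python
# Added example (not PacketFence code): evaluator for the INI-style test/action
# rule blocks used by the WMI scan rules ([explorer], [1:explorer]) and the
# Apache HTTP filters ([get_ua_is_dalvik], [block_dalvik:...]) in this chapter.
# Assumptions: match/match_not are regular-expression searches, a test is true
# when any result row satisfies it, '&' binds tighter than '|'.
import configparser
import re

OPERATORS = {
    "is": lambda actual, expected: actual == expected,
    "is_not": lambda actual, expected: actual != expected,
    "match": lambda actual, expected: re.search(expected, actual) is not None,
    "match_not": lambda actual, expected: re.search(expected, actual) is None,
}


def parse_rules(text):
    # Test blocks are keyed by name; an action block header is [<name>:<expression>].
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    tests, actions = {}, []
    for header in cp.sections():
        body = dict(cp[header])
        if ":" in header:
            name, expr = header.split(":", 1)
            actions.append({"name": name, "expr": expr, **body})
        else:
            tests[header] = body
    return tests, actions


def run_test(test, rows):
    # `attribute` (WMI) or `filter` (Apache) names the field to compare;
    # an optional `method` must equal the row's method (HTTP filters).
    field = test.get("attribute") or test.get("filter")
    compare = OPERATORS[test["operator"]]  # KeyError on an unknown operator
    return any(
        compare(str(row.get(field, "")), test.get("value", ""))
        for row in rows
        if "method" not in test or row.get("method") == test["method"]
    )


def eval_expr(expr, results):
    """Evaluate e.g. !google|(explorer&memory) against {test name: bool}."""
    tokens = re.findall(r"\w+|[&|!()]", expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unexpected character in {expr!r}")
    pos = 0

    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if expected is not None and tok != expected:
            raise ValueError(f"expected {expected!r} in {expr!r}")
        pos += 1
        return tok

    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            value = disjunction()
            take(")")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"malformed expression {expr!r}")
        return results[tok]  # KeyError: expression names an undefined test

    def conjunction():
        value = atom()
        while pos < len(tokens) and tokens[pos] == "&":
            take()
            value = atom() and value  # atom() always runs, so parsing continues
        return value

    def disjunction():
        value = conjunction()
        while pos < len(tokens) and tokens[pos] == "|":
            take()
            value = conjunction() or value
        return value

    value = disjunction()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return value


def evaluate(rules_text, rows):
    """Return the action blocks whose logic expression holds for `rows`."""
    tests, actions = parse_rules(rules_text)
    results = {name: run_test(test, rows) for name, test in tests.items()}
    return [a for a in actions if eval_expr(a["expr"], results)]


# Constructed samples: the chapter's WMI rule against rows returned by
# "select Name from Win32_Process", and its Apache filter against a request.
WMI_RULES = """
[explorer]
attribute = Name
operator = match
value = explorer.exe
[1:explorer]
action = allow
"""
WMI_ROWS = [{"Name": "svchost.exe"}, {"Name": "explorer.exe"}]
APACHE_FILTERS = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik
[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""
DALVIK_UA = "Dalvik/2.1.0 (Linux; U; Android 6.0)"
DALVIK_ROOT = [{"method": "GET", "user_agent": DALVIK_UA, "uri": "/"}]
```

evaluate(APACHE_FILTERS, DALVIK_ROOT) returns the block_dalvik action with action 501, while the same client fetching /generate_204 (the connectivity probe the match_not test exempts) or using POST returns nothing; evaluate(WMI_RULES, WMI_ROWS) returns the allow action because one row matches explorer.exe. A rule that names a test block that does not exist fails loudly with KeyError instead of silently evaluating to false.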
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:
mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak
Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.
GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                        | manage the cache subsystem
 checkup                      | perform a sanity checkup and report any problems
 class                        | view violation classes
 configfiles                  | push or pull configfiles into/from database
 configreload                 | reload the configution
 floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
 help                         | show help for pfcmd commands
 ifoctetshistorymac           | accounting history
 ifoctetshistoryswitch        | accounting history
 ifoctetshistoryuser          | accounting history
 import                       | bulk import of information into the database
 ipmachistory                 | IP/MAC history
 locationhistorymac           | Switch/Port history
 locationhistoryswitch        | Switch/Port history
 networkconfig                | query/modify network configuration parameters
 node                         | manipulate node entries
 pfconfig                     | interact with pfconfig
 portalprofileconfig          | query/modify portal profile configuration parameters
 reload                       | rebuild fingerprint or violations tables without restart
 service                      | start/stop/restart and get PF daemon status
 schedule                     | Nessus scan scheduling
 switchconfig                 | query/modify switches.conf configuration parameters
 version                      | output version information
 violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate      de-authenticate a dot11 client
  -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias            show the description of the specified switch port
  -getAllMACs          show all MACS on all switch ports
  -getHubs             show switch ports with several MACs
  -getIfOperStatus     show the operational status of the specified switch port
  -getIfType           show the ifType on the specified switch port
  -getLocation         show at which switch port the MAC is found
  -getSwitchLocation   show SNMP location of specified switch
  -getMAC              show all MACs on the specified switch port
  -getType             show switch type
  -getUpLinks          show the upLinks of the specified switch
  -getVersion          show switch OS version
  -getVlan             show the VLAN on the specified switch port
  -getVlanType         show the VLAN type on the specified port
  -help                brief help message
  -isolate             set the switch port to the isolation VLAN
  -man                 full documentation
  -reAssignVlan        re-assign a switch port VLAN
  -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias            set the description of the specified switch port
  -setDefaultVlan      set the switch port to the default VLAN
  -setIfAdminStatus    set the admin status of the specified switch port
  -setVlan             set VLAN on the specified switch port
  -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias          switch port description
  -ifAdminStatus  ifAdminStatus
  -ifIndex        switch port ifIndex
  -mac            MAC address
  -showPF         show additional information available in PF
  -switch         switch description
  -verbose        log verbosity level
                    0 : fatal messages
                    1 : warn messages
                    2 : info messages
                    3 : debug
                    4 : trace
  -vlan           VLAN id
  -vlanName       VLAN name (as in switches.conf)
Introduction
PacketFence isa fullysupported trustedFreeandOpenSourcenetworkaccesscontrol (NAC)system Boosting an impressive feature set including a captive portal for registration andremediation centralized wired and wireless management 8021X support layer-2 isolation ofproblematicdevicesintegrationwithIDSvulnerabilityscannersandfirewallsPacketFencecanbeusedtoeffectivelysecurenetworks-fromsmalltoverylargeheterogeneousnetworks
Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
Chapter 3

System Requirements
Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architectures:
- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.
Chapter 4

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Chapter 5

Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Chapter 6

Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.

Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class upper than B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Chapter 7

Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS), and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).

In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the normal VLAN.

Web Auth mode

Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change of VLAN ID, but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN, but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
Chapter 8

Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
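The trigger evaluation described above, written out as an added example (not PacketFence's own code). It assumes the trigger syntax shown in the text (a comma-separated list of TYPE::value entries) and rejects unknown trigger types rather than skipping them, so a typo in an enforcement rule fails loudly instead of silently leaving a device on VLAN enforcement.

```python
"""Evaluate a PacketFence-style hybrid 'inline trigger' string.

Added example, not PacketFence's own code. Assumes the syntax shown in the
guide: comma-separated TYPE::value entries where TYPE is ALWAYS, PORT, MAC
or SSID (ALWAYS carries no value).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

VALID_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


@dataclass(frozen=True)
class Trigger:
    kind: str
    value: Optional[str]  # None for ALWAYS


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon-separated form, accepting ':' '-' '.' or bare
    12-hex-digit input (constructed helper so that RADIUS Calling-Station-Id
    formats from different vendors compare equal)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_trigger(spec: str) -> List[Trigger]:
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into Trigger objects."""
    triggers = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        kind, sep, value = entry.partition("::")
        kind = kind.upper()
        if kind not in VALID_TYPES:
            raise ValueError(f"unknown trigger type in {entry!r}")
        if kind == "ALWAYS":
            triggers.append(Trigger("ALWAYS", None))
        elif not sep or not value:
            raise ValueError(f"trigger {kind} needs a value: {entry!r}")
        elif kind == "MAC":
            triggers.append(Trigger("MAC", normalize_mac(value)))
        elif kind == "PORT":
            if not value.isdigit():
                raise ValueError(f"PORT expects a numeric ifIndex: {entry!r}")
            triggers.append(Trigger("PORT", value))
        else:
            triggers.append(Trigger("SSID", value))
    return triggers


def use_inline(triggers: List[Trigger], mac=None, ifindex=None, ssid=None) -> bool:
    """True when this connection should be handled by inline enforcement
    instead of VLAN assignment. Any single matching trigger is enough."""
    for t in triggers:
        if t.kind == "ALWAYS":
            return True
        if t.kind == "MAC" and mac is not None and normalize_mac(mac) == t.value:
            return True
        if t.kind == "PORT" and ifindex is not None and str(ifindex) == t.value:
            return True
        if t.kind == "SSID" and ssid is not None and ssid == t.value:
            return True
    return False


if __name__ == "__main__":
    rules = parse_inline_trigger("SSID::GuestAccess,MAC::00:11:22:33:44:55")
    # Guest SSID goes inline; the corporate SSID stays on VLAN enforcement,
    # except for the one MAC named in the trigger.
    print(use_inline(rules, mac="aa:bb:cc:dd:ee:ff", ssid="GuestAccess"))  # True
    print(use_inline(rules, mac="00-11-22-33-44-55", ssid="Corp"))         # True
    print(use_inline(rules, mac="aa:bb:cc:dd:ee:ff", ssid="Corp"))         # False
```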
Chapter 9

Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. test

Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.

Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a first-match wins operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action, and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
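The first-match wins evaluation described in this section, modelled in Python as an added example (not PacketFence's own code). It uses the two AD sources and the internal guest accounts from the example above, plus one conditional rule on memberOf that the example does not have, to show a rule matching before the catch-all; it also models the note that a catch-all on an AD/LDAP source only fires when the username lookup succeeds, while Kerberos and RADIUS accept everything. Directory contents and attribute names are constructed.

```python
"""First-match wins evaluation of PacketFence-style authentication sources.

Added example, not PacketFence's own code. Sources are tried in the order
given, each source's rules in order; a rule with no conditions is a
catch-all; the first matching rule's actions are applied and evaluation
stops across all sources. Directory contents below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Condition = Tuple[str, str, str]            # (attribute, operator, value)

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda have, want: have == want,
    "starts": lambda have, want: have.startswith(want),
    "contains": lambda have, want: want in have,
}


@dataclass
class Rule:
    name: str
    conditions: List[Condition]             # empty list => catch-all (fallback) rule
    actions: Dict[str, str]                 # e.g. {"set_role": "employee"}


@dataclass
class Source:
    name: str
    kind: str                               # AD, LDAP, htpasswd, SQL, Kerberos, RADIUS
    lookup: Callable[[str], Optional[Dict[str, str]]]  # username -> attributes or None
    rules: List[Rule] = field(default_factory=list)


# Sources that look the username up by attribute: their catch-all only fires
# when the lookup finds the user. Kerberos/RADIUS have no lookup and accept everyone.
ATTRIBUTE_LOOKUP_KINDS = {"AD", "LDAP", "htpasswd", "SQL"}


def rule_matches(rule: Rule, attrs: Dict[str, str]) -> bool:
    """all() over zero conditions is True: exactly the catch-all semantics."""
    return all(OPERATORS[op](attrs.get(attr, ""), want)
               for attr, op, want in rule.conditions)


def match_rules(username: str, sources: List[Source]) -> Optional[Dict[str, str]]:
    """Return the first matching rule's actions (tagged with source and rule), or None."""
    for source in sources:
        if source.kind in ATTRIBUTE_LOOKUP_KINDS:
            attrs = source.lookup(username)
            if attrs is None:
                continue                    # not in this source: try the next one
        else:
            attrs = {"username": username}  # true catch-all sources
        for rule in source.rules:
            if rule_matches(rule, attrs):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None                             # no source matched: no role, access denied


# Constructed stand-ins for CN=Users and CN=Computers under DC=acme,DC=local,
# and for the guest accounts provisioned in the internal SQL database.
EMPLOYEES = {
    "alice": {"sAMAccountName": "alice", "memberOf": "CN=IT,CN=Users,DC=acme,DC=local"},
    "carol": {"sAMAccountName": "carol", "memberOf": "CN=Sales,CN=Users,DC=acme,DC=local"},
}
MACHINES = {"host/ws01.acme.local": {"servicePrincipalName": "host/ws01.acme.local"}}
GUESTS = {"bob": {"username": "bob"}}


def build_sources() -> List[Source]:
    unreg = {"set_unregistration_date": "2020-01-01"}
    return [
        Source("ad1", "AD", EMPLOYEES.get, [
            # Conditional rule first (not in the guide's example): IT staff get their own role.
            Rule("it_staff", [("memberOf", "starts", "CN=IT,")], {"set_role": "it_staff", **unreg}),
            Rule("employees", [], {"set_role": "employee", **unreg}),
        ]),
        Source("ad_machines", "AD", MACHINES.get, [
            Rule("machines", [], {"set_role": "machineauth", **unreg}),
        ]),
        Source("local", "SQL", GUESTS.get, [
            Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"}),
        ]),
    ]


if __name__ == "__main__":
    for user in ("alice", "carol", "host/ws01.acme.local", "bob", "mallory"):
        print(user, "->", match_rules(user, build_sources()))
```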
External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result: should be 1 for success, 0 for failure
- message: should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}

Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
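A minimal implementation of such an external API, added here as an example; it is not PacketFence's own code nor its addons/example_external_auth. It assumes the POST fields are named username and password (the text only says they arrive as POST fields), that the two actions live at /authentication and /authorization, and that the source's API username and password arrive as HTTP basic authentication; the user store and credentials are constructed. Passwords are stored as PBKDF2 hashes, compared in constant time, and the authorization reply is filtered to the five attributes the text lists.

```python
"""External HTTP API authentication source for PacketFence (added example).

Not PacketFence's code. Assumptions: form-encoded POST fields 'username' and
'password'; actions at /authentication and /authorization; the source's API
username/password sent as HTTP basic auth (RFC 2617). Users are constructed.
"""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

API_USER, API_PASS = "pf-api", "change-me"     # constructed basic-auth credentials
SALT = b"constructed-salt"                     # one global salt keeps the example short


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user store: password hash plus the attributes returned on authorization.
USERS = {
    "alice": {"hash": _hash("s3cret"), "access_duration": "1D",
              "access_level": "ALL", "category": "default"},
    "bob": {"hash": _hash("guest!"), "access_duration": "12h",
            "sponsor": 1, "category": "guest"},
}
REPLY_ATTRIBUTES = ("access_duration", "access_level", "sponsor", "unregdate", "category")


def authentication(fields: dict) -> dict:
    """Authentication action: {"result": 1|0, "message": reason}."""
    user = USERS.get(fields.get("username", ""))
    candidate = _hash(fields.get("password", ""))
    # Hash and compare for unknown users too, so response time does not tell
    # a caller which usernames exist; compare_digest avoids early-exit timing.
    expected = user["hash"] if user else _hash("")
    if user and hmac.compare_digest(candidate, expected):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorization(fields: dict) -> dict:
    """Authorization action: only the attributes PacketFence understands, only those set."""
    user = USERS.get(fields.get("username", ""))
    if not user:
        return {}
    return {k: user[k] for k in REPLY_ATTRIBUTES if k in user}


def basic_auth_ok(header: str) -> bool:
    """RFC 2617 basic auth check against the constructed API credentials."""
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(decoded, f"{API_USER}:{API_PASS}".encode())


ROUTES = {"/authentication": authentication, "/authorization": authorization}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Refuse unauthenticated callers: the API decides who gets network access.
        if not basic_auth_ok(self.headers.get("Authorization", "")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="packetfence"')
            self.end_headers()
            return
        action = ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode()
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        payload = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Plain HTTP on loopback for the demo; put TLS in front of it in a real deployment.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With the server running, PacketFence's HTTP source would point its Host at http://127.0.0.1:8080 and use /authentication and /authorization as the two URLs.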
SAMLauthentication
PacketFence supports SAML authentication in the captive portal in combination with anotherinternalsourcetodefinethelevelofauthorizationoftheuser
FirsttransfertheIdentityProvidermetadataonthePacketFenceserverInthisexampleitwillbeunderthepathusrlocalpfconfidp-metadataxml
Then transfer the certificate and CA certificate of the Identity provider on the server In thisexample theywill be under the paths usrlocalpfconfsslidpcrt and usrlocalpfconfsslidp-cacrtIfitisaself-signedcertificatethenyouwillbeabletouseitastheCAinthePacketFenceconfiguration
Chapter9
Copyrightcopy2016Inverseinc Configuration 26
Then toconfigureSAML inPacketFencego inConfigurationrarrSourcesand thencreateanewInternalsourceofthetypeSAMLandconfigureit
Where
ServiceProviderentityIDistheidentifieroftheServiceProvider(PacketFence)MakesurethismatchesyourIdentityProviderconfiguration
PathtoServiceProviderkeyisthepathtothekeythatwillbeusedbyPacketFencetosignitsmessagestotheIdentityProviderAdefaultoneisprovidedunderthepathusrlocalpfconfsslserverkey
PathtoServiceProvidercertisthepathtothecertificateassociatedtothekeyaboveAself-signedoneisprovidedunderthepathusrlocalpfconfsslserverkey
PathtoIdentityProvidermetadataisthepathtothemetadatafileyoutransferedabove(shouldbeinusrlocalpfconfidp-metadataxml)
PathtoIdentityProvidercertisthepathtothecertificateoftheidentityprovideryoutransferedontheserverabove(shouldbeinusrlocalpfconfsslidpcrt)
Chapter9
Copyrightcopy2016Inverseinc Configuration 27
Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.
Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link "Download Service Provider metadata" on the page.
Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.
In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note
PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs
In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:
- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)
and a switch section for each switch (managed by PacketFence) including:
- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes
There are three different working modes for a switch in PacketFence:
Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS
To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3
PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration
Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning
Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence needs sometimes to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
Caution
Make sure that the roles are properly defined on the network devices prior to assigning roles.
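As an added example (not PacketFence code), the following Python resolves the working mode and the internal-to-controller role mapping for a switch from a constructed switches.conf fragment, applying the [default] fallback described above. The one-entry-per-line roles syntax (with ';' accepted as an alternative separator), and a per-switch `roles` value replacing the default one wholesale, are assumptions of this example.

```python
"""Resolve per-switch settings from a PacketFence-style switches.conf.

Added example, not PacketFence code. It assumes the INI layout the guide
describes (a [default] section plus one section per switch), that a
per-switch parameter overrides the [default] one wholesale, and that the
`roles` parameter holds `<rolename>Role=<controller_role>` entries, one
per line (a ';' separator is also accepted here as an assumption).
"""
import configparser
from typing import Dict, Optional

# The three working modes the guide lists; only production writes to switches.
VALID_MODES = ("testing", "registration", "production")

# Constructed sample of /usr/local/pf/conf/switches.conf (not a real file).
SAMPLE_SWITCHES_CONF = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = testing
roles = adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

[192.168.1.10]
type = Cisco::Catalyst_2960
mode = production
radiusSecret = secretPassPhrase

[192.168.1.11]
type = Cisco::Catalyst_2960
mode = registration
roles = salesRole=sales-restricted
"""


def load_switches_conf(text: str) -> configparser.ConfigParser:
    """Parse a switches.conf body; '=' is the only delimiter and '%' is literal."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep parameter names case-sensitive (SNMPCommunityRead)
    cfg.read_string(text)
    return cfg


def switch_param(cfg: configparser.ConfigParser, switch_id: str, key: str) -> Optional[str]:
    """Per-switch value, falling back to the [default] section."""
    if cfg.has_section(switch_id) and cfg.has_option(switch_id, key):
        return cfg.get(switch_id, key)
    if cfg.has_section("default") and cfg.has_option("default", key):
        return cfg.get("default", key)
    return None


def parse_roles(value: str) -> Dict[str, str]:
    """Turn '<rolename>Role=<controller_role>' entries into {rolename: controller_role}."""
    mapping: Dict[str, str] = {}
    for entry in value.replace(";", "\n").splitlines():
        entry = entry.strip()
        if not entry:
            continue
        key, sep, ext_role = entry.partition("=")
        key = key.strip()
        # The key must be a non-empty internal role name followed by the literal "Role".
        if not sep or len(key) <= len("Role") or not key.endswith("Role"):
            raise ValueError(f"malformed role entry: {entry!r}")
        mapping[key[: -len("Role")]] = ext_role.strip()
    return mapping


def controller_role(cfg, switch_id: str, node_role: str) -> Optional[str]:
    """External role the switch receives for a node in `node_role`, or None if unmapped."""
    value = switch_param(cfg, switch_id, "roles")
    if value is None:
        return None
    return parse_roles(value).get(node_role)


def working_mode(cfg, switch_id: str) -> str:
    """Validated working mode of a switch (testing, registration or production)."""
    mode = switch_param(cfg, switch_id, "mode")
    if mode not in VALID_MODES:
        raise ValueError(f"switch {switch_id}: unknown mode {mode!r}")
    return mode


def changes_vlans(cfg, switch_id: str) -> bool:
    """Only production mode lets pfsetvlan send SNMP writes; the other modes only log."""
    return working_mode(cfg, switch_id) == "production"


CFG = load_switches_conf(SAMPLE_SWITCHES_CONF)

if __name__ == "__main__":
    for sw in ("192.168.1.10", "192.168.1.11"):
        print(sw, working_mode(CFG, sw), controller_role(CFG, sw, "sales"))
```

A node whose role has no mapping gets None here, which is the case the Caution above warns about: the controller would receive no role it recognizes.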
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal
This IP is used as the web server who hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.
When configured, portal profiles will override default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).
Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf.

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:
SSID:Guest-SSID
VLAN:100
SwitchPort:<SwitchId>-<Port>
Network:Network in CIDR format or an IP address

Caution
Node role will take effect only with a 802.1X connection or if you use VLAN filters.
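As an added example (not PacketFence code), this Python picks the portal profile for a connection using the filter types listed above, then resolves a parameter with the fallback to the default profile's values that the text describes. The Type:Value filter syntax as written above, first-match-in-file-order evaluation, and the profiles.conf sample are assumptions constructed for this example.

```python
"""Select the PacketFence portal profile that applies to a connection.

Added example, not PacketFence code. It assumes the profiles.conf layout
the guide shows ([default] plus one section per profile) and the filter
syntax listed above (SSID:<name>, VLAN:<id>, SwitchPort:<SwitchId>-<Port>,
Network:<CIDR or IP>); the first profile whose filter matches wins, which
is an assumption about evaluation order.
"""
import configparser
import ipaddress
from typing import Dict, Optional

# Constructed sample of /usr/local/pf/conf/profiles.conf (not a real file).
SAMPLE_PROFILES_CONF = """
[default]
description = Default portal profile
sources = local,null
redirecturl = http://www.packetfence.org/

[guest_wifi]
description = Guest wireless
filter = SSID:Guest-SSID
sources = sms,email

[vlan100]
description = Wired registration VLAN
filter = VLAN:100

[lab_port]
description = One lab switch port
filter = SwitchPort:192.168.1.10-3

[iot_net]
description = IoT subnet
filter = Network:10.20.0.0/16
"""

# Connection context the portal sees: ssid, vlan, switch_id, port, ip (all optional).
Context = Dict[str, str]


def load_profiles_conf(text: str) -> configparser.ConfigParser:
    """Parse profiles.conf and enforce that every non-default profile has a filter."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    for name in cfg.sections():
        if name != "default" and not cfg.has_option(name, "filter"):
            raise ValueError(f"profile {name!r} has no filter and could never be applied")
    return cfg


def filter_matches(spec: str, ctx: Context) -> bool:
    """Evaluate one 'Type:Value' filter against the connection context."""
    kind, sep, value = spec.partition(":")
    if not sep:
        raise ValueError(f"filter {spec!r} is not of the form Type:Value")
    if kind == "SSID":
        return ctx.get("ssid") == value
    if kind == "VLAN":
        return str(ctx.get("vlan")) == value
    if kind == "SwitchPort":
        return f"{ctx.get('switch_id')}-{ctx.get('port')}" == value
    if kind == "Network":
        ip = ctx.get("ip")
        if not ip:
            return False
        # A bare IP becomes a /32 (or /128) network; mixed IP versions never match.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported filter type {kind!r}")


def select_profile(cfg: configparser.ConfigParser, ctx: Context) -> str:
    """Name of the first profile whose filter matches, else 'default'."""
    for name in cfg.sections():
        if name != "default" and filter_matches(cfg.get(name, "filter"), ctx):
            return name
    return "default"


def effective_param(cfg: configparser.ConfigParser, profile: str, key: str) -> Optional[str]:
    """Profile value, falling back to the default profile when the profile leaves it unset."""
    if cfg.has_section(profile) and cfg.has_option(profile, key):
        return cfg.get(profile, key)
    if cfg.has_section("default") and cfg.has_option("default", key):
        return cfg.get("default", key)
    return None


CFG = load_profiles_conf(SAMPLE_PROFILES_CONF)

if __name__ == "__main__":
    ctx = {"ssid": "Guest-SSID", "vlan": "200", "ip": "192.168.5.5"}
    chosen = select_profile(CFG, ctx)
    print(chosen, effective_param(CFG, chosen, "sources"), effective_param(CFG, chosen, "redirecturl"))
```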
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d.
In this directory, you have four important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.
httpd.admin is used to manage the PacketFence admin interface.
httpd.portal is used to manage the PacketFence captive portal interface.
httpd.webservices is used to manage the PacketFence web services interface.
httpd.aaa is used to manage incoming RADIUS requests.
These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.
Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution
If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.
Next, go in the Administration interface under Configuration → Domains.

Note
If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:
Identifier is a unique identifier for your domain. Its purpose is only visual.
Workgroup is the workgroup of your domain in the old syntax (like NT4).
DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
This server's name is the name that the server's account will have in your Active Directory.
DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
Username is the username that will be used for binding to the server. This account must be a domain administrator.
Password is the password for the username defined above.
Troubleshooting
In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.
You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u
You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note
Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration
You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.
Next, restart PacketFence in Status → Services.

Multiple domains authentication
First, configure your domains in Configuration → Domains.
Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.
Where:
Realm is either the DNS name (FQDN) of your domain or the workgroup.
Realm options are any realm options that you want to add to the FreeRADIUS configuration.
Domain is the domain which is associated to this realm.
Now create the two other realms associated to your other domains.
You should now have the following realm configuration.
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:
service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication
Add your user's entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP
To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as a NT-HASH or as cleartext.
ldap openldap {
    server = "ldap.acme.com"
    identity = "uid=admin,dc=acme,dc=com"
    password = "password"
    basedn = "dc=district,dc=acme,dc=com"
    filter = "(uid=%{mschap:User-Name})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration
This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.
First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate "Create local account" on that source.
At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note
This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.
This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound) {
                # Don't check activation table with phone number and PIN code
                #pfsms    <--- This line was commented out
                if (fail || notfound) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}

Note
For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication
The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.
In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
    # Disable ntlm_auth
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
}

Caution
You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note
When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:
Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.
Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".
Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
  Billing: Allows to define a module based on one or more billing sources.
  Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.
  Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
  Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples
This section will contain the following examples:
- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration
Creating a custom root module
First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.
Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.
You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication
In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.
PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.
Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then submitting this information will assign you the role and access duration that you defined in the null source.
Prompting additional fields during the authentication
If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.
You can also add additional mandatory fields to the default policies that are already configured.
This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.
Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.
Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note
Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook…).

Chained authentication
The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.
This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.
For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.
Then we will create a module that will contain the definition of our SMS registration.
Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.
Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.
Mixing login and Secure SSID on-boarding on the portal
This example will guide you through configuring a portal flow that will allow for devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.
First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.
Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that, if there is no match on the other provisioners, it will not allow the device through.
Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.
Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck Skipable so the user is forced to board the SSID should he choose this option.
Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between login to the LDAP source and gain access to the network, or directly use provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration
Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.
Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to "Hello World".
Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)
The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.
All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.
You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.
In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note
You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available, e.g. pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Debugging

Log files
Here are the most important PacketFence log files:
/usr/local/pf/logs/packetfence.log — PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access — Apache – Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error — Apache – Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access — Apache – Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error — Apache – Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access — Apache – Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error — Apache – Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access — Apache – AAA Access Log
/usr/local/pf/logs/httpd.aaa.error — Apache – AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d.

RADIUS Debugging
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:
For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct
Chapter10
Copyrightcopy2016Inverseinc Debugging 53
Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUSdaemonPacketFencersquosFreeRADIUSispreconfiguredwithsuchsupport
Inordertohaveanoutputfromraddebugyouneedtoeither
a MakesureuserpfhasashellinetcpasswdaddusrsbintoPATH(export PATH=usrsbin$PATH)andexecuteraddebugaspf
b Runraddebugasroot(lesssecure)
Nowyoucanrunraddebugeasily
raddebug -t 300 -f usrlocalpfvarrunradiusdsock
TheabovewilloutputFreeRADIUSauthenticationdebuglogsfor5minutes
Usethefollowingtodebugradiusaccounting
raddebug -t 300 -f usrlocalpfvarrunradiusd-acctsock
Seeman raddebugforalltheoptions
Chapter11
Copyrightcopy2016Inverseinc MoreonVoIPIntegration 54
MoreonVoIPIntegration
VoIPhasbeengrowinginpopularityonenterprisenetworksAtfirstsighttheITadministratorsthinkthatdeployingVoIPwithaNACposesahugecomplicatedchallengetoresolveInfactdependingofthehardwareyouhavenotreallyInthissectionwewillseewhy
CDPandLLDPareyourfriend
ForthoseofyouwhoareunawareoftheexistenceofCDPorLLDP(orLLDP-MED) IsuggestyoustartreadingonthistopicCiscoDiscoveryProtocol(CDP)isdevice-discoveryprotocolthatrunsonallCisco-manufacturedequipmentincludingroutersaccessserversbridgesandswitchesUsingCDPadevicecanadvertise itsexistencetootherdevicesandreceive informationaboutotherdevicesonthesameLANorontheremotesideofaWANIntheworldofVoIPCDPisabletodetermineiftheconnectingdeviceisanIPPhoneornotandtelltheIPPhonetotagitsethernetframeusingtheconfiguredvoiceVLANontheswitchport
OnmanyothervendorsyouarelikelytofindLLDPorLLDP-MEDsupportLinkLayerDiscoveryProtocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used bynetworkdevicesforadvertisingtheiridentitycapabilitiesandneighborsSameasCDPLLDPcantellanIPPhonewhichVLANidisthevoiceVLAN
VoIPandVLANassignmenttechniques
As you already know PacketFence supportsmanyVLAN assignment techniques such as port-securitymacauthenticationor8021XLetrsquosseehowVoIPisdoingwitheachofthose
Port-securityUsing port-security the VoIP device rely on CDPLLDP to tag its ethernet frame using theconfiguredvoiceVLANontheswitchportAfterthatweensurethatasecuritytrapissentfromthevoiceVLANsothatPacketFencecanauthorizethemacaddressontheportWhenthePCconnectsanothersecuritytrapwillbesentbutfromthedataVLANThatwaywewillhave1macaddressauthorizedonthevoiceVLANand1ontheaccessVLAN
Chapter11
Copyrightcopy2016Inverseinc MoreonVoIPIntegration 55
Note
Not all vendors support VoIP on port-security please refer to the NetworkConfigurationGuide
MACAuthenticationand8021XCiscohardwareOnCiscoswitcheswearelookingatthemulti-domainconfigurationThemulti-domainmeansthatwecanhaveonedeviceontheVOICEdomainandonedeviceontheDATAdomainThedomainassignmentisdoneusingaCiscoVSAWhenthephoneconnectstotheswitchportPacketFencewillrespondwiththeproperVSAonlynoRADIUStunneledattributesCDPthentellsthephonetotagitsethernetframesusingtheconfiguredvoiceVLANontheportWhenaPCconnectstheRADIUSserverwillreturntunneledattributesandtheswitchwillplacetheportintheprovidedaccessVLAN
Non-CiscohardwareOnothervendorhardwareitispossibletomakeVoIPworkusingRADIUSVSAsWhenaphoneconnectstoaswitchportPacketFenceneedstoreturntheproperVSAtotelltheswitchtoallowtagged frames from thisdeviceWhen thePCwill connectwewill be able to return standardRADIUStunnelattributestotheswitchthatwillbetheuntaggedVLAN
Note
AgainrefertotheNetworkConfigurationGuidetoseeifVoIPissupportedonyourswitchhardware
WhatifCDPLLDPfeatureismissing
ItispossiblethatyourphonedoesnrsquotsupportCDPorLLDPIfitrsquosthecaseyouareprobablylookingattheDHCPwayofprovisionningyourphonewithavoiceVLANSomemodelswillaskforaspecificDHCPoptionsothattheDHCPservercangivethephoneavoiceVLANidThephonewillthenrebootandtagitsethernetframeusingtheprovidedVLANtag
Inorder tomake this scenarioworkwithPacketFenceyouneed toensure thatyou tweak theregistrationandyourproductionDHCPservertoprovidetheDHCPoptionYoualsoneedtomakesure there isavoiceVLANproperlyconfiguredontheportandthatyouauto-registeryour IPPhones(OnthefirstconnectthephonewillbeassignedontheregistrationVLAN)
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 56
Advancedtopics
This section covers advanced topics in PacketFence Note that it is also possible to configurePacketFencemanuallyusingitsconfigurationfilesinsteadofitsWebadministrativeinterfaceItisstillrecommendedtousetheWebinterface
InanycasetheusrlocalpfconfpfconffilecontainsthePacketFencegeneralconfigurationForexamplethisistheplacewhereweinformPacketFenceitwillworkinVLANisolationmode
All the default parameters and their descriptions are stored in usrlocalpfconfpfconfdefaults
Inordertooverrideadefaultparameterdefineitandsetitinpfconf
usrlocalpfconfdocumentationconfholdsthecompletelistofallavailableparameters
Alltheseparametersarealsoaccessiblethroughtheweb-basedadministrationinterfaceundertheConfigurationtabItishighlyrecommendedthatyouusetheweb-basedadministrationinterfaceofPacketFenceforanyconfigurationchanges
AppleandAndroidWirelessProvisioning
Apple devices such as iPhones iPads iPods and Mac OS X (107+) support wireless profileimportationusing a specialXML file format (mobileconfig)Android is also able to support thisfeaturebyimportingthewirelessprofilewiththeAndroidPacketFenceAgentInfactinstallingsuchfileonyourAppledevicewillautomaticallyconfigurethewirelesssettingsforagivenSSIDThisfeatureisoftenusedwhentheSSIDishiddenandyouwanttoeasetheconfigurationstepsonthemobiledevice(becauseitisoftenpainfultoconfiguremanually)InPacketFencewearegoingfurtherwegeneratetheprofileaccordingtotheadministratorrsquospreferenceandwepre-populatethefilewiththeuserrsquoscredentials(withoutthepassword)TheusersimplyneedstoinstallitsgeneratedfileandhewillbeabletousethenewSSID
ConfigurethefeatureFirstofallyouneedtoconfiguretheSSIDthatyourdeviceswilluseaftertheygothoughtheauthenticationprocess
InordertodothatintheadministrationinterfacegoinConfigurationProvisionersThenselecttheandroidprovisionerEntertheSSIDandsave
NowdothesamethingfortheiOSprovisioner
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 57
AfteryousimplyneedtoaddtheAndroidandiOSprovisionerstoyourPortalProfileconfiguration
ForAndroidyoumustallowpassthroughsinyourpfconfconfigurationfile
[trapping]passthrough=enabledpassthroughs=ggphtcomgoogleusercontentcomandroidclientsgooglecomgoogleapiscomandroidclientsgooglecomgvt1com
ProfilegenerationUponregistrationinsteadofshowingthedefaultreleasepagetheuserwillbeshowinganotherversionofthepagesayingthatthewirelessprofilehasbeengeneratedwithaclickablelinkonitToinstalltheprofileAppleuserownersimplyneedtoclickonthatlinkandfollowtheinstructionsontheirdeviceAndroiduserownersimplyclicktothelinkandwillbeforwardedtoGooglePlaytoinstallPacketFenceagentSimply launchtheapplicationandclicktoconfigurewillcreatethesecureSSIDprofileItisthatsimple
BillingEngine
PacketFence integrates theability touseapaymentgatewaytobillusers togainaccess to thenetworkWhenconfiguredtheuserwhowantstoaccessthenetworkInternetispromptedbyapageaskingforitrsquospersonnalinformationaswellasitrsquoscreditcardinformation
PacketFencecurrentlysupportsfourpaymentgatewaysAuthorizenetMirapayPaypalandStripe
Inordertoactivatethebillingyouwillneedtoconfigurethefollowingcomponents
Billingsource(s)
Billingtier(s)
ConfiguringabillingsourceFirstselectabillingproviderandfollowtheinstructionsbelow
Paypal
Note
ThisproviderrequiresthatyourPacketFenceserverisaccessibleonthepublicdomainFor thisyourPacketFenceportal shouldbeavailableonapublic IPusing theDNSservernameconfiguredinPacketFence
Ifyouhaveabusinessaccountanddonotwanttoconfigureatestenvironmentyoucanskipthenextsection
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 58
Sandboxaccount
To configure a sandbox paypal account for use in PacketFence head to httpsdeveloperpaypalcomandeithersignuporloginintoyourexistingaccount
ThenintheSandboxmenuclickAccounts
CreateanaccountthathasthetypePersonalandonethathasthetypeBusiness
AfterwardsgobackintoaccountsandexpandthebusinessaccountthenclickProfile
NowclicktheChangepasswordlinkandchangethepasswordandnoteit
Dothesamethingwiththepersonalaccountyoucreated
Configuringthemerchantaccount
LoginintothePaypalbusinessaccountthatyoucreatedathttpswwwsandboxpaypalcomifyouareusingasandboxaccountoronhttpswwwpaypalcomifyouareusingarealaccount
NextgoinMyAccountrarrProfileinordertogointoyourprofileconfiguration
NextintheSellingPreferencesyouwillneedtoselectWebsitePaymentPreferences
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 59
Configurethesettingssotheymatchthescreenshotbelow
YoushouldturnonAutoReturnsetthereturnURLtohttpsYOUR_PORTAL_HOSTNAMEbillingpaypalverify
YoushouldalsotakenoteoftheIdentityTokenasitwillberequiredinthePacketFenceconfiguration
NextgobackinyourprofileconfigurationMyaccountrarrProfileandselectEncryptedPaymentSettings
NowonthispageyouwillneedtosubmitthecertificateusedbyPacketFencetoPaypal(usrlocalpfconfsslservercrtbydefault)
Once you have submitted it note itrsquos associated Cert ID as you will need to configure it inPacketFence
StillonthatpageclicktheDownloadlinktodownloadthePaypalpubliccertificateandputitonthePacketFenceserverunderpathusrlocalpfconfsslpaypalpem
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 60
Caution
ThecertificatewillNOTbethesameifyouuseasandboxaccountorarealaccount
ConfiguringPacketFence
NowinthePacketFenceadministrationinterfacegoinConfigurationrarrSourcesandcreateanewsourceoftypeBillingrarrPaypal
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 61
Where
IdentitytokenistheoneyounotedwhenontheWebsitePaymentPreferencespage CertIDistheoneyounotedwhenontheEncryptedPaymentSettings Paymenttypeiswhethertheaccessisdonationbased(notmandatorytopayforit) Emailaddressistheemailaddressofthemerchantpaypalaccount CertfileisthepathtothePacketFencecertificate(usrlocalpfconfsslservercrtbydefault) KeyfileisthepathtothePacketFencecertificate(usrlocalpfconfsslserverkeybydefault) Paypal cert file is thepath to thePaypal certificate (usrlocalpfconfsslpaypalpem in thisexample)
Currencyisthecurrencythatwillbeusedinthetransactions Testmodeshouldbeactivatedifyouareusingasandboxaccount
Stripe
Stripeaccount
Firstgoonhttpsdashboardstripecomcreateanaccountandlogin
NextonthetoprightclickYouraccountthenAccountsettings
NavigatetotheAPIkeystabandnoteyourkeyandsecretThetestkeyshouldbeusedwhentestingtheconfigurationandthelivekeywhenputtingthesourceinproduction
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 62
ConfiguringPacketFence
NowinthePacketFenceadministrationinterfacegoinConfigurationrarrSourcesandcreateanewsourceoftypeBillingrarrStripe
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 63
Where
SecretkeyisthesecretkeyyougotfromyourStripeaccount PublishablekeyisthepublishablekeyyougotfromyourStripeaccount Styleiswhetheryouaredoingaone-timechargeorsubscriptionbasedbilling(recurring)SeesectionSubscriptionbasedregistrationbelowfordetailsonhowtoconfigureit
Currencyisthecurrencythatwillbeusedinthetransactions Testmodeshouldbeactivatedifyouareusingthetestkeyandsecretaccount
Authorizenet
Creatinganaccount
First go on httpsaccountauthorizenet to signup for a merchant account or httpdeveloperauthorizenetforasandboxaccount
AfteryoucreatedyouraccountyouwillbeshownyourAPIloginIDandTransactionkeyNotebothoftheseinformationsforusageinthePacketFenceconfiguration
Thenloginintoyournewaccount
ThenunderAccountclickSettings
OnthesettingspageinthesectionSecuritysettingsclickMD5-Hash
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 64
NowenterasecretthatwillbesharedbetweenauthorizenetandPacketFence
PacketFenceconfiguration
NextinthePacketFenceadministrationinterfacegoinConfigurationrarrSourcesandcreateanewsourceoftypeBillingrarrAuthorizeNet
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 65
Where
APIloginIDistheoneyougotearlierwhilecreatingyouraccount Transactionkeyistheoneyougotearlierwhilecreatingyouraccount MD5hashtheoneyouconfiguredinyourAuthorizenetaccount Currencyisthecurrencythatwillbeusedinthetransactions Testmodeshouldbeactivatedifyouareusingasandboxaccount
Mirapay
To be contributed
AddingbillingtiersOnceyouhaveconfiguredoneormorebillingsourceyouneedtodefinebillingtierswhichwilldefinethepriceandtargetauthenticationrulesfortheuser
InthePacketFenceadministrationinterfacegoinConfigurationrarrBillingtiers
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 66
ThenclickAddbillingtierandconfigureit
Where
Billingtieristheuniqueidentifierofthebillingtier Nameisthefriendlynameofthebillingtier Descriptionisanextendeddescriptionofthebillingtier Priceistheamountthatwillbechargedtotheuser Accessdurationistheamountoftimetheuserwillbegrantedaccesstoyournetwork Roleisthetargetroletheusershouldbein Usetimebalancedefinesiftheaccessdurationshouldbecomputedonreal-timeaccessdurationmeaningiftheuserbuys24hoursofaccesshecanusethenetworkfor24hoursindifferenttimeblocksThisrequiresavalidRADIUSaccountingconfiguration
Note
IfdonrsquotwanttouseallthebillingtiersthataredefinedyoucanspecifytheonesthatshouldbeactiveinthePortalprofile
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 67
SubscriptionbasedregistrationPacketFencesupportssubscriptionbasedbillingusingStripeasabillingprovider
Billingtier
Whenusingsubscriptionbasedbillingitisadvisedtoconfigurethebillingtiersoithasanalmostinfiniteaccessduration(eg20years)asthebillingproviderwillbecontactingthePacketFenceserverwhenthesubscriptioniscanceled
YoushouldconfigureabillingtierforeachsubscriptionplanyouwanttohaveThisexamplewillusetheplansimpleandadvancedconfiguredusingthefollowingparameters
[simple]name=Simple network accessdescription=Click here if you are poorprice=399role=guestaccess_duration=10Yuse_time_balance=disabled
[advanced]name=Simple network accessdescription=Click here if you are poorprice=999role=advanced_guestaccess_duration=10Yuse_time_balance=disabled
Stripeconfiguration
TheninyourStripedashboardyoushouldgoinSubscriptionsrarrPlans
Thencreateanewplan
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 68
Where
ID is the billing tier identifier It is important that this matches the ID of the billing tier inPacketFence
AmountisthepriceoftheplanItisimportantthatthismatchesthepriceofthebillingtierinPacketFence
CurrencyisthecurrencythatwillbeusedinthetransactionsItisimportantthatthismatchesthecurrencyoftheStripesourceinPacketFence
IntervalistheintervalatwhichthecustomershouldbebilledInthecaseofthisexampleitismonthly
Nowfollowingthesameprocedurecreatetheadvancedplan
ReceivingupdatesfromStripeAsthesubscriptioncanbecancelledbyauseryouneedtosetupyourPacketFenceinstallationtoreceiveupdatesfromStripe
UpdatesaresentusingHTTPrequestsonapublicIP
YouneedtomakesurethatyourPacketFenceserverisavailablethroughapublicIPonport80andthatyourPacketFenceserverhostnameresolvesonthepublicdomain
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 69
TheninStripeconfigureaWebhooksoStripeinformsPacketFenceofanyeventthathappensinthisStripemerchantaccount
InordertodosogoinYourAccountrarrAccountSettingsrarrWebhooksandclickAddendpoint
Where
URListheURLtothePacketFenceserverThisshouldbehttpYOUR_PORTAL_HOSTNAMEhookbillingstripe
Modeiswhetherthiswebhookisfortestingmodeorlivemode
NoweverytimeauserunsubscribesfromaplanPacketFencewillbenotifiedandwillunregisterthatdevicefromyournetwork
DevicesRegistration
Usershavethepossibilitytoregistertheirdevices(MicrosoftXBOXXBOX360NintendoDSWiiSonyPlayStationandsoon)rightfromaspecialportalpageWhenaccessingthispageuserswillbe
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 70
promptedtologinasiftheywereregisteringthemselvesOnceloggedintheportalwillaskthemtoenterthedeviceMACaddressthatwillthenbematchedagainstapredefinedlistofauthorizedMACOUIThedevicewillberegisteredwiththeuserrsquosidandcanbeassignedintoaspecificcategoryforeasiermanagement
HerersquoshowtoconfigurethewholethingTheportalpagecanbeaccessedbythefollowingURLhttpsYOUR_PORTAL_HOSTNAMEdevice-registration This URL is accessible fromwithin thenetworkinanyVLANthatcanreachthePacketFenceserver
Thefollowingcanbeconfiguredbyeditingthepfconffile
[registration]device_registration = enableddevice_registration_role = gaming
MakesuretheroleexistsinPacketFenceotherwiseyouwillencounterregistrationerrorsMoreovermakesuretherolemappingforyourparticularequipmentisdone
TheseparameterscanalsobeconfiguredfromtheConfigurationrarrRegistrationsection
Note
AportalinterfacetypeisrequiredtousethisfeatureAportalinterfacetypecanbeaddedtoanynetworkinterfaceusingthewebadminGUI
Eduroam
eduroam (education roaming) is the secureworld-wide roaming access servicedevelopedfortheinternationalresearchandeducationcommunity
eduroamallowsstudentsresearchersandstafffromparticipatinginstitutionstoobtainInternetconnectivityacrosscampusandwhenvisitingotherparticipatinginstitutionsbysimplyopeningtheirlaptop
mdasheduroamhttpswwweduroamorg
PacketFencesupportsintegrationwitheduroamandallowsparticipatinginstitutionstoauthenticatebothlocallyvisitingusersfromotherinstitutionsaswellasallowingotherinstitutionstoauthenticatelocalusers
In order for PacketFence to allow eduroam authentication the FreeRADIUS configuration ofPacketFencemustbemodifiedtoallowtheeduroamserverstoconnecttoitasclientsaswellastoproxyRADIUSauthenticationrequestsforusersfromoutsideinstitutions
FirstmodifytheusrlocalpfraddbclientsconffiletoallowtheeduroamserverstoconnecttoyourPacketFenceserverAddtheeduroamserversasclientsandmakesure toaddtheproperRADIUSsecretSetashortnametorefertotheseclientsasyouwilllaterneedittoexcludethemfromsomepartsofthePacketFenceconfiguration
clientsconfexample
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 71
client tlrs1eduroamus secret = useStrongerSecret shortname = tlrs1
client tlrs2eduroamus secret = useStrongerSecret shortname = tlrs2
SecondlymodifythelistofdomainsandproxyserversinusrlocalpfraddbproxyconfYouwillneedtodefineeachofyourdomainsaswellastheDEFAULTdomainTheDEFAULTrealmwillapplytoanyclientthatattemptstoauthenticatewitharealmthatisnototherwisedefinedinproxyconfandwillbeproxiedtotheeduroamservers
Defineoneormorehomeservers(serverstowhicheduroamrequestsshouldbeproxied)
proxyconfexample
home_server tlrs1eduroamus type = auth ipaddr = 25712811 port = 1812 secret = useStrongerSecret require_message_authenticator = yes
Defineapoolofserverstogroupyoureduroamhomeserverstogether
proxyconfexample
home_server_pool eduroam type = fail-over home_server = tlrs1eduroamus home_server = tlrs2eduroamus
DefinerealmstoselectwhichrequestsshouldbeproxiedtotheeduroamserverpoolThereshouldbeonerealmforeachofyourdomainsandpossiblyonemoreperdomainifyouintendtoallowusernamesoftheDOMAINuserform
TheREALMissetbasedonthedomainfoundbythesuffixorntdomainmodules (seeraddbmodulesrealm)Thesuffixorntdomainmodulestrytofindadomaineitherwithandomainorsuffixusername
IfnoneisfoundtheREALMisNULL
IfadomainisfoundFreeRADIUStriestomatchoneoftheREALMSdefinedinthisfile
IfthedomainiseitherexampleeduorEXAMPLEFreeRADIUSsetsthecorrespondingREALMieexampleeduorEXAMPLE
IftheREALMdoesnotmatcheither(anditisnrsquotNULL)thatmeanstherewasadomainotherthanEXAMPLEorexampleeduandweassumeitismeanttobeproxiedtoeduroamFreeRADIUSsetstheDEFAULTrealm(whichisproxiedtotheeduroamauthenticationpool)
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 72
The REALM determines where the request is sent to If the REALM authenticates locally therequestsareprocessedentirelybyFreeRADIUSIftheREALMsetsadifferenthomeserverpooltherequestsareproxiedtotheserversdefinedwithinthatpool
proxyconfexample
This realm is for requests which dont have an explicit realm prefix or suffix User names like bob will match this one No authentication server is defined thus the authentication is done locallyrealm NULL
This realm is for ntdomain users who might use the domain like this EXAMPLEusername No authentication server is defined thus the authentication is done locallyrealm EXAMPLE
This realm is for suffix users who use the domain like this usernameexampleedu No authentication server is defined thus the authentication is done locallyrealm exampleedu
This realm is for ALL OTHER requests Meaning in this context eduroam The auth_pool is set to the eduroam pool and so the requests will be proxiedrealm DEFAULT auth_pool = eduroam nostrip
Thirdly youmust configure the packetfence FreeRADIUS virtual servers to treat the requestsproperly
Inusrlocalpfraddbsites-enabledpacketfencemodifytheauthorizesectionlikethis
raddbsites-enabledpacketfenceexample
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 73
authorize pay attention to the order of the modules It matters ntdomain suffix preprocess
uncomment this section if you want to block eduroam users from you other SSIDs The attribute name ( Called-Station-Id ) may differ based on your controller if ( Called-Station-Id ~ eduroam$i) update control Proxy-To-Realm = local
eap ok = return
files expiration logintime packetfence
Inusrlocalpfraddbsites-enabledpacketfence-tunnelmodifythepost-authsectionlikethisIfyouomit this change the requestwill be sent toPacketFencewhere itwill be failed since theeduroamserversarenotpartofyourconfiguredswitches
raddbsites-enabledpacketfence-tunnelexample
post-auth exec
we skip packetfence when the request is coming from the eduroam servers if ( clientshortname = tlrs1 ampamp clientshortname = tlrs2 ) packetfence
Post-Auth-Type REJECT attr_filteraccess_reject
Finallymakesurethattherealmsmoduleisconfiguredthisway(seeusrlocalpfraddbmodulesrealm)
raddbmodulesrealmexample
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 74
usernamerealmrealm suffix format = suffix delimiter =
domainuserrealm ntdomain format = prefix delimiter = ignore_null = yes
Fingerbankintegration
FingerbankagreatdeviceprofilingtooldevelopedalongsideofPacketFencenowintegrateswithittopower-upthefeaturesetallowingaPacketFenceadministratortoeasilytriggerviolationsbasedondifferentdevicetypesdeviceparentsDHCPfingerprintsDHCPvendorIDsMACvendorsandbrowseruseragents
Thecoreofthat integrationresides intheabilityforaPacketFencesystemto interactwiththeFingerbankupstreamprojectwhichthenallowadailybasisfingerprintsdatabaseupdatesharingunknowndatasothatmorecomplexalgorithmscanprocessthatnewdatatointegrateitintheglobaldatabasequeryingtheglobalupstreamdatabaseinthecaseofanunknownmatchandmuchmore
SincetheFingerbankintegrationisnowthedefactodeviceprofilingtoolofPacketFenceitwasarequirementtomakeitassimpleaspossibletoconfigureandtouseFromthemomentaworkingPacketFencesystemis inplaceFingerbank isalsoreadytobeusedbutonly inalocalmodewhichmeansnointeractionwiththeupstreamFingerbankproject
OnboardingTobenefitfromalltheadvantagesoftheFingerbankprojecttheonboardingstepisrequiredtocreateanAPIkeythatwill thenallow interactionwiththeupstreamprojectThatcaneasilybedoneonlybygoingintheSettingsmenuitemundertheFingerbanksectionofthePacketFenceConfigurationtabFromthereaneasyprocesstocreateandsaveanuserorganizationspecificAPIkeycanbefollowedOncecompletedthefullfeaturesetofFingerbankcanbeused
UpdateFingerbankdatabaseUpdatingtheFingerbankdatacanrsquotbeeasierTheonlyrequirementistheonboardingprocesswhichallowsyoutointeractwithupstreamprojectOncedoneanoptiontoUpdateFingerbankDBcanbefoundontopofeverymenuitemsectionsunderFingerbankProcessmaytakeaminuteortwodependingonthesizeofthedatabaseandtheinternetconnectivityafterwhichasuccessorerrormessagewillbeshowaccordinglyLocalrecordsareNOTbeingmodifiedduringthisprocess
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 75
SubmitunknowndataSayingthatwedonrsquotknoweverythingisnotfalsemodestyInthatsensetheSubmitUnknownUnmatchedFingerprintsoptionismadeavailable(afteronboarding)sothatunknownfingerprintingdatagoinginandoutonyournetworkcaneasilybesubmittedtotheupstreamFingerbankprojectforfurtheranalysisandintegrationtheintheglobaldatabase
UpstreaminterogationBydefaultPacketFenceisconfiguredtointerogatetheupstreamFingerbankproject(ifonboardinghasbeencompleted)tofullfillaquerywithunmatchedlocalresultsUnmatchedlocalresultscanresultofanolderversionoftheFingerbankdatabaseorarequirementforamorecomplexalgorithmduetothedatasetThatbehavioriscompletelytransparentandcanbemodifiedusingtheSettingsmenuitemundertheFingerbanksectionofthePacketFenceConfigurationtab
LocalentriesItispossibleforanadministratorwhowantstocustomizeanexistingrecord(orcreateanewone)todosousingtheLocalentriesAnupstreamrecord(DHCPFingerprintDHCPVendorMACVendorUserAgentDevicetypeevenaCombination)canbeclonedandthenmodifiedonalocalbasisifneededLocalrecordsarealwaysmatchedfirstsincetheirpurposeistooverrideanexistingoneAlocalcombinationcanbecreatedtomatcheitherLocalorUpstreamorbothentriestoallowidentificationofadevice
SettingsFingerbanksettingscaneasilybemodifiedfromtheSettingsmenuitemundertheFingerbanksectionofthePacketFenceConfigurationtabTherersquosdocumentationforeachaneveryparameterthatalloweasierunderstanding
FloatingNetworkDevices
Startingwithversion19PacketFencenowsupportsfloatingnetworkdevicesAFloatingnetworkdeviceisadeviceforwhichPacketFencehasadifferentbehaviourcomparedtoaregulardeviceThisfunctionalitywasoriginallyaddedtosupportmobileAccessPoints
Caution
RightnowPacketFenceonlysupportsfloatingnetworkdevicesonCiscoandNortelswitchesconfiguredwithport-security
For a regular device PacketFence put it in theVLAN corresponding to its status (RegistrationQuarantineorRegularVlan)andauthorizesitontheport(port-security)
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 76
AfloatingnetworkdeviceisadevicethatPacketFencedoesnotmanageasaregulardevice
WhenafloatingnetworkdeviceispluggedPacketFencewillletallowalltheMACaddressesthatwillbeconnectedtothisdevice(orappearontheport)andifnecessaryconfiguretheportasmulti-vlan(trunk)andsetPVIDandtaggedVLANsontheport
WhenanfloatingnetworkdeviceisunpluggedPacketFencewillreconfiguretheportlikebeforeitwasplugged
HowitworksConfiguration
floatingnetworkdeviceshavetobeidentifiedusingtheirMACaddress linkuplinkdowntrapsarenotenabledontheswitchesonlyport-securitytrapsare
WhenPacketFencereceivesaport-securitytrapforafloatingnetworkdeviceitchangestheportconfigurationsothat
itdisablesport-security itsetsthePVID iteventuallysetstheportasmulti-vlan(trunk)andsetsthetaggedVlans itenableslinkdowntraps
WhenPFreceivesa linkdowntraponaport inwhichafloatingnetworkdevicewasplugged itchangestheportconfigurationsothat
itenablesport-security itdisableslinkdowntraps
IdentificationAswementionedearliereachfloatingnetworkdevicehastobeidentifiedTherearetwowaystodoit
byeditingconffloating_network_deviceconf throughtheWebGUIinConfigurationrarrNetworkrarrFloatingdevices
Herearethesettingsthatareavailable
MACAddress MACaddressofthefloatingdevice
IPAddress IPaddressofthefloatingdevice(notrequiredforinformationonly)
trunkPort YesnoShouldtheportbeconfiguredasamuti-vlanport
pvid VLANinwhichPacketFenceshouldputtheport
taggedVlan CommaseparatedlistofVLANsIftheportisamulti-vlanthesearetheVlansthathavetobetaggedontheport
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 77
OAuth2Authentication
NoteOAuth2authenticationdoesnotworkwithWebauthenforcement
The captive portal of PacketFence allows a guestuser to register using hisGoogle FacebookLinkedInWindowsLiveTwitterorGithubaccount
ForeachproviderswemaintainanalloweddomainlisttopunchholesintothefirewallsotheusercanhittheproviderloginpageThislistisavailableineachOAuth2authenticationsource
Inordertohaveoauth2workingproperlyyouneedtoenableIPforwardingonyourserversTodoitpermanentlylookintheetcsysctlconfandsetthefollowingline
Controls IP packet forwardingnetipv4ip_forward = 1
Savethefileandissueasysctl -ptoupdatetheOSconfig
You must also enable the passthrough option in your PacketFence configuration(trappingpassthroughinpfconf)
GoogleInordertouseGoogleasaOAuth2provideryouneedtogetanAPIkeytoaccesstheirservicesSignupherehttpcodegooglecomapisconsoleMakesureyouusethisURIfortheRedirectURIfieldhttpsYOUR_PORTAL_HOSTNAMEoauth2callbackOfcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
YoucankeepthedefaultconfigurationmodifytheAppIDampAppSecret(GivenbyGoogleonthedevelopperplateform)andPortalURL(httpsYOUR_PORTAL_HOSTNAMEoauth2callback)
Also add the following Authorized domains googlecom googleca googlefrgstaticcomgoogleapiscomaccountsyoutubecom(MakesurethatyouhavethegoogledomainfromyourcountrylikeCanadagooglecaFrancegooglefretchellip)
OnceyouhaveyourclientidandAPIkeyyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaGoogleOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddGoogleasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
FacebookTo use Facebook you also need an API code and a secret key To get one go here httpsdevelopersfacebookcomappsWhenyoucreateyourAppmakesureyouspecifythefollowingastheWebsiteURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 78
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
YoucankeepthedefaultconfigurationmodifytheAppIDampAppSecret(GivenbyFaceBookonthedevelopperplateform)andPortalURL(httpsYOUR_PORTAL_HOSTNAMEoauth2callback)
Also add the followingAuthorizeddomains facebookcom fbcdnnet akamaihdnet (Maychange)
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaFacebookOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddFacebookasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
CautionByallowingOAuththroughFacebookyouwillgiveFacebookaccesstotheuserswhiletheyaresittingintheregistrationVLAN
GitHubTouseGitHubyoualsoneedanAPIcodeandasecretkeyTogetoneyouneedtocreateanAppherehttpsgithubcomsettingsapplicationsWhenyoucreateyourAppmakesureyouspecifythefollowingastheCallbackURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaGitHubOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddGitHubasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
LinkedInTouseLinkedInyoualsoneedanAPIcodeandasecretkeyTogetoneyouneedtocreateanAppherehttpsdeveloperlinkedincomWhenyoucreateyourAppmakesureyouspecifythefollowingastheCallbackURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaLinkedInOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddLinkedInasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
AlsoLinkedInrequiresastateparameterfortheauthorizationURLIfyoumodifyitmakesuretoadditattheendofyourURL
TwitterTouseTwitteryoualsoneedanAPIcodeandasecretkeywhichTwittercallsconsumerkeyandconsumersecretObtainthis informationbycreatingannewapplicationfromyourTwitterApps
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 79
ManagementpageWhenyoucreateyourAppmakesureyouspecifythefollowingastheCallbackURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaTwitterOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddTwitterasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
WindowsLiveTouseWindowsliveyoualsoneedanAPIcodeandasecretkeyTogetoneyouneedtocreateanAppherehttpsaccountlivecomdevelopersapplicationsWhenyoucreateyourAppmakesureyouspecifythefollowingastheCallbackURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaWindowsLiveOAuth2authenticationsourcefromConfigurationrarrSources
Moreover donrsquot forget to add WindowsLive as a registration mode from your portal profiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement, at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

  DEVICE=eth2
  ONBOOT=yes
  BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

  [interface eth2]
  mask=255.255.255.0
  type=dhcp-listener
  gateway=192.168.1.5
  ip=192.168.1.1

Restart PacketFence and you should be good to go.

Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

  # Engineering VLAN
  DEVICE=eth0.1010
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=10.0.101.4
  NETMASK=255.255.255.0
  VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

  [interface eth0.1010]
  mask=255.255.255.0
  type=dhcp-listener
  gateway=10.0.101.1
  ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
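What the listener actually does with the copied DHCP traffic is decode the BOOTP header and the DHCP options and keep the MAC-to-IP pair from the server's ACK. The following is an added example written for this guide, not pfdhcplistener's code: it parses a DHCP reply, ignores OFFERs (they may never be accepted) and records the mapping only from ACKs. The packets it works on are constructed by build_reply(); no socket is opened.

```python
"""Parsing a copied DHCP reply the way a DHCP listener does.

Added example, not pfdhcplistener's code: decodes the BOOTP header and the
DHCP options of a packet copied to the listener (by ip helper-address, a span
port or a VLAN interface) and records MAC -> IP only from DHCP ACKs, since
only the ACK confirms the lease the production server granted. The sample
packets are constructed by build_reply(); nothing is read from the network.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that follows the BOOTP header
DHCP_OFFER, DHCP_ACK = 2, 5         # values of option 53 (DHCP message type)
OPT_PAD, OPT_MESSAGE_TYPE, OPT_LEASE_TIME, OPT_END = 0, 53, 51, 255


def parse_options(data):
    """Decode the TLV option area into {code: raw_value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(payload):
    """Return (message_type, client_mac, yiaddr, lease_seconds).

    chaddr carries the client's hardware address and yiaddr the address the
    server assigned; together they are the mapping the listener records.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    opts = parse_options(payload[240:])
    msg_type = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None
    return msg_type, mac, yiaddr, lease


def build_reply(msg_type, mac, yiaddr, lease):
    """Construct a minimal BOOTREPLY (sample input for this example only)."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    pkt += b"\x00" * 4                                           # ciaddr
    pkt += bytes(int(o) for o in yiaddr.split("."))              # yiaddr
    pkt += b"\x00" * 8                                           # siaddr, giaddr
    pkt += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10    # chaddr padded to 16 bytes
    pkt += b"\x00" * 192                                         # sname (64) + file (128)
    pkt += DHCP_MAGIC
    pkt += bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    pkt += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return pkt + bytes([OPT_END])


def lease_table(packets):
    """MAC -> IP from ACKs only; an OFFER is not a granted lease, so it is skipped."""
    table = {}
    for pkt in packets:
        msg_type, mac, ip, _ = parse_dhcp(pkt)
        if msg_type == DHCP_ACK:
            table[mac] = ip
    return table


if __name__ == "__main__":
    copied = [
        build_reply(DHCP_OFFER, "00:11:22:33:44:55", "10.0.101.50", 3600),
        build_reply(DHCP_ACK, "00:11:22:33:44:55", "10.0.101.51", 3600),
    ]
    print(lease_table(copied))  # {'00:11:22:33:44:55': '10.0.101.51'}
```

The point of keying on the ACK is the one the text makes about helpers: the listener must only observe, never answer, and the ACK is the single message that tells it which address the real server committed to.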
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

  [interface eth0.2]
  enforcement=vlan
  ip=192.168.2.1
  type=internal
  mask=255.255.255.0

  [interface eth0.3]
  enforcement=vlan
  ip=192.168.3.1
  type=internal
  mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

  [192.168.2.0]
  netmask=255.255.255.0
  gateway=192.168.2.1
  next_hop=
  domain-name=registration.example.com
  dns=192.168.2.1
  dhcp_start=192.168.2.10
  dhcp_end=192.168.2.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-registration
  named=enabled
  dhcpd=enabled

  [192.168.3.0]
  netmask=255.255.255.0
  gateway=192.168.3.1
  next_hop=
  domain-name=isolation.example.com
  dns=192.168.3.1
  dhcp_start=192.168.3.10
  dhcp_end=192.168.3.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-isolation
  named=enabled
  dhcpd=enabled

  [192.168.20.0]
  netmask=255.255.255.0
  gateway=192.168.20.254
  next_hop=192.168.2.254
  domain-name=registration.example.com
  dns=192.168.2.1
  dhcp_start=192.168.20.10
  dhcp_end=192.168.20.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-registration
  named=enabled
  dhcpd=enabled

  [192.168.30.0]
  netmask=255.255.255.0
  gateway=192.168.30.254
  next_hop=192.168.3.254
  domain-name=isolation.example.com
  dns=192.168.3.1
  dhcp_start=192.168.30.10
  dhcp_end=192.168.30.200
  dhcp_default_lease_time=300
  dhcp_max_lease_time=600
  type=vlan-isolation
  named=enabled
  dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

  ip access-list extended PF_REGISTRATION
   permit ip any host 192.168.2.1
   permit udp any any eq 67
   deny ip any any log
  interface vlan 20
   ip address 192.168.20.254 255.255.255.0
   ip helper-address 192.168.2.1
   ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
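The relationships in the configuration above are easy to get wrong: a remote network's next_hop must be a router on one of the local internal subnets, its dns must be the internal interface IP (otherwise clients never reach pfdns), and the DHCP range must sit inside the subnet. The following is an added example, not PacketFence code, that parses constructed pf.conf and networks.conf fragments with configparser and reports those problems; the check names and messages are this example's own, and the third network is deliberately broken.

```python
"""Sanity checks on routed-network definitions like the ones above.

Added example, not PacketFence code. It parses constructed pf.conf and
networks.conf fragments and verifies the constraints the section states:
gateway and DHCP range inside the subnet, and for a remote network (next_hop
set) a next_hop reachable from an internal interface and a dns value that is
an internal interface IP, since dhcpd and pfdns only serve from internal
interfaces. The problem messages are this example's own wording.
"""
import configparser
import ipaddress

PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

[interface eth0]
ip=10.0.0.5
type=management
mask=255.255.255.0
"""

# Constructed: the third network has two mistakes on purpose.
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
dns=8.8.8.8
dhcp_start=192.168.30.10
dhcp_end=192.168.31.200
type=vlan-isolation
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf):
    """ip/mask of every [interface ...] section with type=internal."""
    cp = load(pf_conf)
    return [ipaddress.ip_interface(f"{cp[s]['ip']}/{cp[s]['mask']}")
            for s in cp.sections() if cp[s].get("type") == "internal"]


def check_networks(networks_conf, pf_conf):
    """Return {network: [problems]}; an empty list means that network passed."""
    cp, internal = load(networks_conf), internal_interfaces(pf_conf)
    local_ips = {str(i.ip) for i in internal}
    report = {}
    for name in cp.sections():
        sec, problems = cp[name], []
        subnet = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
        for key in ("gateway", "dhcp_start", "dhcp_end"):
            if ipaddress.ip_address(sec[key]) not in subnet:
                problems.append(f"{key} {sec[key]} is outside {subnet}")
        if ipaddress.ip_address(sec["dhcp_start"]) > ipaddress.ip_address(sec["dhcp_end"]):
            problems.append("dhcp_start is after dhcp_end")
        next_hop = sec.get("next_hop", "").strip()
        if next_hop:  # remote network: relayed DHCP, answered from an internal interface
            if not any(ipaddress.ip_address(next_hop) in i.network for i in internal):
                problems.append(f"next_hop {next_hop} is not on any internal interface subnet")
            if sec["dns"] not in local_ips:
                problems.append(f"dns {sec['dns']} is not an internal interface IP, clients would bypass pfdns")
        report[name] = problems
    return report


if __name__ == "__main__":
    for net, problems in check_networks(NETWORKS_CONF, PF_CONF).items():
        print(net, "ok" if not problems else problems)
```

Run against the sample, the two correct networks come back empty and 192.168.30.0 reports both its out-of-subnet dhcp_end and its external dns, which is exactly the misconfiguration the ACL paragraph above is guarding against.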
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

  soh=yes
  soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

  sc config napagent start=auto
  sc start napagent

  # Wired 802.1X
  sc config dot3svc start=auto depend=napagent
  sc start dot3svc

  netsh nap client show config

  # get the ID value for the "EAP Quarantine Enforcement Client"
  netsh nap client set enforce id=$ID admin=enable

The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf file:

  [4000001]
  desc=No anti-virus enabled
  url=/remediation.php?template=noantivirus
  actions=reevaluate_access,email,log
  enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list, and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition, and select Anti-virus, is, and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem, in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

  ViolationRole
  RegistrationRole
  RegisteredRole
  InlineRole
  AutoRegister
  NodeInfoForAutoReg

And can be defined using different criteria like:

  node_info.attribute (like node_info.status)
  switch
  ifIndex
  mac
  connection_type
  username
  ssid
  time
  owner.attribute (like owner.pid)
  radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE, and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

  [category]
  filter = node_info.category
  operator = is
  value = default

  [ssid]
  filter = ssid
  operator = is
  value = SECURE

  [time]
  filter = time
  operator = is
  value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

  [1:category&ssid&time]
  scope = RegisteredRole
  role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout (the rule references the open condition defined just above it):

  [igmout]
  filter = owner.pid
  operator = is
  value = igmout

  [open]
  filter = ssid
  operator = is
  value = OPEN

  [2:igmout&open]
  scope = RegisteredRole
  action = trigger_violation
  action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

  [igmout]
  filter = username
  operator = is
  value = igmout

  [secure]
  filter = ssid
  operator = is
  value = SECURE

  [3:igmout&secure]
  scope = AutoRegister
  role = staff

  [4:igmout&secure]
  scope = NodeInfoForAutoReg
  role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

  returnRadiusAccessAccept

And can be defined using different criteria like:

  node_info.attribute (like node_info.$attribute)
  switch
  ifIndex
  mac
  connection_type
  username
  ssid
  time
  owner.attribute (like owner.$attribute)
  radius_request.attribute (like radius_request.$attribute)
  violation
  user_role
  vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

  [violation]
  filter = violation
  operator = defined

  [etherneteap]
  filter = connection_type
  operator = is
  value = Ethernet-EAP

  [1:etherneteap&!violation]
  merge_answer = no
  scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

  [1:etherneteap&!violation]
  merge_answer = yes
  scope = returnRadiusAccessAccept
  answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep?$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
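The VLAN filter and RADIUS filter sections above share one rule syntax: named condition sections with filter/operator/value, rule sections named "N:cond&cond" with an optional "!" negating a condition, a scope, and either a role, an action or RADIUS answer attributes with merge_answer. The following is an added example written for this guide, not PacketFence's filter engine: it parses a constructed rule file with configparser and evaluates it against a constructed request, so the reader can see why "!violation" combined with operator = defined means "no violation" and how merge_answer = yes adds an attribute to the base answer. The operators it implements (is, is_not, match, defined, not_defined), the "|" alternative, and the $variable substitution are this example's assumptions; time-period values are not implemented.

```python
"""Evaluator for vlan_filters.conf / radius_filters.conf style rules.

Added example, not PacketFence's engine: reproduces the rule syntax shown in
the two sections above (condition sections, rule sections named "N:a&!b",
scope, role/action, and merge_answer + answerN for RADIUS rules) so the
worked examples can be exercised offline. Operators implemented (is, is_not,
match, defined, not_defined) and the "|" alternative are assumptions of this
example; the rule text and request data below are constructed.
"""
import configparser
import re

RULES = """
[category]
filter = node_info.category
operator = is
value = default

[secure]
filter = ssid
operator = is
value = SECURE

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:category&secure]
scope = RegisteredRole
role = nointernet

[2:etherneteap&!violation]
scope = returnRadiusAccessAccept
merge_answer = yes
answer1 = Cisco-AVPair => url-redirect-acl=$user_role
"""


def lookup(data, path):
    """Resolve a dotted filter name such as node_info.category in the request."""
    cur = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_holds(cond, data):
    actual = lookup(data, cond["filter"])
    op, expected = cond["operator"], cond.get("value", "")
    if op == "is":
        return actual is not None and str(actual) == expected
    if op == "is_not":
        return actual is None or str(actual) != expected
    if op == "match":
        return actual is not None and re.search(expected, str(actual)) is not None
    if op == "defined":
        return actual is not None
    if op == "not_defined":
        return actual is None
    raise ValueError(f"unknown operator {op}")


def load_rules(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conds = {s: dict(cp[s]) for s in cp.sections() if ":" not in s}
    rules = [(s, dict(cp[s])) for s in cp.sections() if ":" in s]
    return conds, rules


def rule_matches(name, conds, data):
    """Rule name "N:a&!b|c": "&" binds tighter than "|", "!" negates a condition."""
    expr = name.split(":", 1)[1]
    for alternative in expr.split("|"):
        ok = True
        for term in alternative.split("&"):
            negate = term.startswith("!")
            holds = condition_holds(conds[term.lstrip("!")], data)
            ok = ok and (holds != negate)
        if ok:
            return True
    return False


def evaluate(text, scope, data):
    """Return the first matching rule section for the scope, or None."""
    conds, rules = load_rules(text)
    for name, rule in rules:
        if rule.get("scope") == scope and rule_matches(name, conds, data):
            return rule
    return None


def radius_answer(text, data, base_answer):
    """Apply a returnRadiusAccessAccept rule: substitute $vars, then merge or replace."""
    rule = evaluate(text, "returnRadiusAccessAccept", data)
    if rule is None:
        return dict(base_answer)
    extra = {}
    for key, val in rule.items():
        if key.startswith("answer"):
            attr, value = (p.strip() for p in val.split("=>", 1))
            extra[attr] = re.sub(r"\$(\w+)", lambda m: str(data.get(m.group(1), m.group(0))), value)
    merged = dict(base_answer) if rule.get("merge_answer", "no") == "yes" else {}
    merged.update(extra)
    return merged


if __name__ == "__main__":
    req = {"node_info": {"category": "default"}, "ssid": "SECURE",
           "connection_type": "Ethernet-EAP", "user_role": "staff"}
    print(evaluate(RULES, "RegisteredRole", req)["role"])          # nointernet
    print(radius_answer(RULES, req, {"Tunnel-Private-Group-ID": "20"}))
```

With a violation present in the request (for instance violation = 1300003) rule 2 no longer matches and the base answer is returned untouched, which is the behaviour the "when there is no violation" sentence describes.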
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (Core switch, Firewall, Router…)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode used by itself can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
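The decision pfdns makes for each query ties the Passthrough section and the DNS enforcement section together: an unregistered device gets the portal address for every name, except that a DNS passthrough domain resolves to its real address (and the firewall is opened), a proxy passthrough still resolves to the portal so mod_proxy can forward it, DNS passthroughs win when both match, and a registered device always gets the real answer. The following is an added example modelling that logic; it is not the pfdns source. The portal IP, the wildcard lists and the upstream answers are constructed stand-ins for external resolution.

```python
"""Model of pfdns decision logic for DNS enforcement and passthroughs.

Added example, not the pfdns source. It encodes the behaviour the Passthrough
and DNS enforcement sections describe: unregistered devices are pointed at the
captive portal, DNS passthroughs resolve to the real address (with a firewall
hole), proxy passthroughs resolve to the portal for mod_proxy, DNS passthroughs
take priority over proxy ones, and registered devices get real answers.
PORTAL_IP, the passthrough lists and UPSTREAM are constructed.
"""
import fnmatch

PORTAL_IP = "192.168.2.1"   # constructed: PacketFence registration interface

# Constructed upstream answers standing in for external resolution.
UPSTREAM = {
    "www.google.com": "203.0.113.10",
    "update.example.net": "203.0.113.20",
    "www.example.org": "203.0.113.30",
    "cdn.example.org": "203.0.113.31",
}

PASSTHROUGHS = ["*.google.com", "update.example.net"]     # DNS (iptables) passthroughs
PROXY_PASSTHROUGHS = ["*.example.org", "*.google.com"]      # mod_proxy passthroughs


def matches_any(name, patterns):
    """Wildcard FQDN match; '*.google.com' is also taken to cover 'google.com' itself."""
    name = name.lower().rstrip(".")
    for pat in patterns:
        if fnmatch.fnmatch(name, pat) or (pat.startswith("*.") and name == pat[2:]):
            return True
    return False


def resolve(name, registered):
    """Return (answer_ip, reason) the way a pfdns-style resolver would."""
    real = UPSTREAM.get(name.lower().rstrip("."))
    if registered:
        return real, "registered: external resolution"
    if matches_any(name, PASSTHROUGHS):
        # DNS passthrough has priority: real address, and iptables opens the path
        return real, "dns passthrough: real address, firewall opened"
    if matches_any(name, PROXY_PASSTHROUGHS):
        return PORTAL_IP, "proxy passthrough: portal answers, mod_proxy forwards"
    return PORTAL_IP, "unregistered: redirected to captive portal"


def firewall_rule_needed(name, registered):
    """True only in the DNS passthrough case, which is when a firewall hole is punched."""
    return (not registered) and matches_any(name, PASSTHROUGHS)


if __name__ == "__main__":
    for host in ("www.google.com", "www.example.org", "social.example.com"):
        print(host, resolve(host, registered=False))
```

The bypass the text warns about is visible here too: the resolver only controls what it answers, so a device pointed at another DNS server never calls resolve() at all, which is why the ACL on the routing equipment is needed alongside it.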
Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Chapter 13

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

  yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all modifications there will be destroyed on each PacketFence restart.
Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_5

Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

  # PacketFence OPSWAT Metadefender Cloud integration
  # This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
  source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
  # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
  destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
  # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
  log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:

  service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

  $ModLoad imudp
  $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

  if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
  & ~

Make sure the receiving alert pipe (FIFO) exists:

  mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

  service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

  Type: suricata_http
  Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

  Type: metascan
  Trigger ID: The scan result returned by Metadefender Cloud online

  Type: suricata_md5
  Trigger ID: The MD5 hash returned by Suricata
Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

  # PacketFence IDS integration
  # This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
  source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
  # This line filters on the string "Alert Received"
  filter f_sguil { match("Alert Received"); };
  # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
  destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
  # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
  log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

  service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

  $ModLoad imudp
  $UDPServerRun 514

Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

  if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
  & ~

Make sure the receiving alert pipe (FIFO) exists:

  mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

  service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

  Type: security_onion
  Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

  Type: detect
  Trigger ID: The IDS triggered rule ID

  Type: suricata_event
  Trigger ID: The rule class of the triggered IDS alert
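Both pipelines above (Suricata MD5 file logs and Security Onion sguild alerts) end the same way on the PacketFence side: rsyslog routes each datagram to a FIFO by program name, a parser reads the FIFO and turns each line into a trigger (type and id) plus the client IP, and a violation whose trigger matches is raised for that client. The following is an added example of that receiving side, written for this guide and not PacketFence's own parsers. The datagrams, the files-json.log field names, the assumed field order of the sguild "Alert Received" line, the MD5 value and the violation IDs are all constructed; the regexes are this example's own.

```python
"""Receiving side of the two syslog pipelines above, as an added example;
these are not PacketFence's parsers.

Routing by program name mirrors the rsyslog rules (suricata_files to one
FIFO, securityonion_ids to the other, anything else dropped). Each parser
yields (trigger_type, trigger_id, client_ip) tuples that are matched against
a violation trigger table. Datagrams, log field names, the sguild field
order, the MD5 value and the violation IDs are constructed assumptions.
"""
import json
import re

FIFOS = {
    "suricata_files": "/usr/local/pf/var/suricata_files",
    "securityonion_ids": "/usr/local/pf/var/securityonion_ids",
}

# RFC 3164 style line: <PRI>Mon dd hh:mm:ss host program: message
SYSLOG_RE = re.compile(r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<program>[^:\s]+):\s*(?P<msg>.*)$")

# Assumed sguild layout after the last braced message: src dst proto sport dport gid sid rev
SGUIL_RE = re.compile(
    r"Alert Received:.*\{(?P<msg>[^}]*)\}\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+(?P<sid>\d+)")

VIOLATION_TRIGGERS = {  # (trigger type, trigger id) -> violation id, constructed
    ("suricata_md5", "d41d8cd98f00b204e9800998ecf8427e"): 2000001,
    ("detect", "2000334"): 2000002,
}

DATAGRAMS = [  # constructed samples
    '<13>Jun  3 14:22:31 sensor1 suricata_files: {"timestamp":"06/03/2016-14:22:31.123",'
    '"srcip":"203.0.113.20","dstip":"192.168.20.15","sp":80,"dp":51000,'
    '"http_host":"update.example.net","http_uri":"/tool.exe","filename":"tool.exe",'
    '"md5":"d41d8cd98f00b204e9800998ecf8427e","size":1024}',
    '<13>Jun  3 14:22:32 so-master securityonion_ids: Alert Received: 0 2 misc-activity '
    'so-eth1 {2016-06-03 14:22:32} 4 12345 {ET POLICY Example Rule} 192.168.20.15 '
    '203.0.113.30 6 51001 80 1 2000334 5',
    '<13>Jun  3 14:22:33 sensor1 sshd: Accepted publickey for admin',
]


def route(datagram):
    """Mimic the rsyslog rule: return (fifo_path, program, message) or None."""
    m = SYSLOG_RE.match(datagram)
    if not m or m.group("program") not in FIFOS:
        return None
    return FIFOS[m.group("program")], m.group("program"), m.group("msg")


def parse_suricata_files(msg):
    """One files-json.log record -> [("suricata_md5", md5, client_ip)].

    For an HTTP download the file comes from srcip, so the client is dstip.
    """
    rec = json.loads(msg)
    if "md5" not in rec:
        return []
    return [("suricata_md5", rec["md5"].lower(), rec["dstip"])]


def parse_security_onion(msg):
    """One sguild 'Alert Received' line -> detect and suricata_event triggers."""
    m = SGUIL_RE.search(msg)
    if not m:
        return []
    rule_class = msg.split("Alert Received:", 1)[1].split()[2]   # assumed position of the class
    return [("detect", m.group("sid"), m.group("src")),
            ("suricata_event", rule_class, m.group("src"))]


PARSERS = {"suricata_files": parse_suricata_files, "securityonion_ids": parse_security_onion}


def process(datagrams):
    """Return [(violation_id, client_ip)] for every trigger that has a violation."""
    raised = []
    for line in datagrams:
        routed = route(line)
        if routed is None:
            continue
        _, program, msg = routed
        for ttype, tid, client in PARSERS[program](msg):
            vid = VIOLATION_TRIGGERS.get((ttype, tid))
            if vid is not None:
                raised.append((vid, client))
    return raised


if __name__ == "__main__":
    print(process(DATAGRAMS))  # [(2000001, '192.168.20.15'), (2000002, '192.168.20.15')]
```

The unrelated sshd line is dropped at the routing step, which is the role the `$programname` test in the rsyslog fragment plays; a real deployment must also make sure UDP 514 on the management interface only accepts the sensors' addresses, since anything that reaches the FIFO is trusted by the parser.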
Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.

Where:

- Enabled is whether or not the violation is currently activated (should be ON)
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations
- Description is the user friendly description of the violation
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed
  - Log message will log the violation in the log file defined in [alerting].log
  - External command will execute a command on the operating system when this violation is raised
  - Close a violation will close an existing violation for this device when this one is raised
  - Set role will modify the role of the device
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device
- Priority defines the order in which violations should be handled, should there be more than one for a device
- Whitelisted Roles is the list of roles that are not affected by this violation

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.

Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal
- Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or to shut off their peer-to-peer application
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month)
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead
- Delay by is the delay before triggering the violation
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
ComplianceChecks
PacketFence supports eitherNessusOpenVAS andWMI as a scanning engine for compliancechecksSincePacketFencev51youarenowabletocreatemultiplesscanenginesconfigurationandassignthemonspecificcaptiveportalsItmeanperexamplethatyouarenowabletoactiveascanforspecificOperatingSystemonlyonaspecificSSID
InstallationNessusPlease visit httpwwwnessusorgdownload to download Nessus v5 and install the Nessuspackage for your operating system You will also need to register for the HomeFeed (or theProfessionalFeed)inordertogettheplugins
AfteryouinstalledNessusfollowtheNessusdocumentationfortheconfigurationoftheNessusServerandtocreateauserforPacketFence
NoteYou may run into some issue while using Nessus with the NetNessusXMLRPCmodule(whichisthedefaultbehaviorinPacketFence)Pleaserefertothebugtrackingsystemformoreinformation
OpenVASPleasevisithttpwwwopenvasorginstall-packageshtmlopenvas4_centos_atomic toconfigurethecorrectrepositorytobeabletoinstallthelatestOpenVASscanningengine
Once installed pleasemake sure to follow the instructions to correctly configure the scanningengineandcreateascanconfigurationthatwillfityourneedsYoursquollalsoneedtocreateauserforPacketFencetobeabletocommunicatewiththeserver
ItisimportanttogetthecorrectscanconfigIDandNBEreportformatIDtopopulatetheparametersinthePacketFenceconfigurationfileTheeasiestwaytogettheseIDsisbydownloadingbothofthescanconfigurationandreportformatfromtheOpenVASwebguiandretrievetheIDsinthefilenames
Chapter13
Copyrightcopy2016Inverseinc Optionalcomponents 101
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI
You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration
In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition
First go in Configuration and Scanner Definition.
Then add a scan.
There are common parameters for each scan engine:
- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (optional)
- OS: only devices with this operating system will be affected (optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan after registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: even if auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled
Specific to Nessus:
- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to the Nessus scan
- Password: password to connect to the Nessus scan
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)
Specific to OpenVAS:
- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to the OpenVAS scan
- Password: password to connect to the OpenVAS scan
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:
- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition
If you have configured a WMI scan engine then you need to define WMI rules. WMI is a sort of database on each Windows device; to retrieve information on the device you need to know the SQL request. In order to help you find and make a rule, you can use a third-party tool like WMI Explorer.
Go in Configuration → WMI Rules Definition.
There are already 3 rules defined:
Software_Installed, logged_user, Process_Running
Let's take the Software_Installed rule:
request: select * from Win32_Product
Rules Actions:
    [Google]
    attribute = Caption
    operator = match
    value = Google

    [1:Google]
    action = trigger_violation
    action_param = mac = $mac, tid = 888888, type = INTERNAL
This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.
The second one, logged_user:
request: select UserName from Win32_ComputerSystem
Rules Actions:
    [UserName]
    attribute = UserName
    operator = match
    value = (.*)

    [1:UserName]
    action = dynamic_register_node
    action_param = mac = $mac, username = $result->{'UserName'}
This rule will do the following: retrieve the currently logged-in user on the device and register the device based on the user account.
The last one, Process_Running:
request: select Name from Win32_Process
Rules Actions:
    [explorer]
    attribute = Name
    operator = match
    value = explorer.exe

    [1:explorer]
    action = allow
This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax
The syntax of the rules is simple to understand:
- the request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.
- inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).
The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare
Feel free to define multiple test blocs.
The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means "if not google, or (explorer and memory)".

Violations definition
You need to create a new violation section and have to specify:
Using Nessus:
    trigger=Nessus::<violationId>
Using OpenVAS:
    trigger=OpenVAS::<violationId>
Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:
    $ pfcmd reload violations
Note: violations will trigger if the plugin result is higher than a low-severity vulnerability.

Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely
Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it be hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.

RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:
    Accounting::[DIRECTION]::[LIMIT]::[INTERVAL (optional)]
Let's explain each chunk properly:
- DIRECTION: you can either set a limit on inbound (IN), outbound (OUT) or total (TOT) bandwidth
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB)
- INTERVAL: this is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y)
Example triggers:
Look for incoming (download) traffic with a 50GB/month limit:
    Accounting::IN::50GB::1M
Look for outgoing (upload) traffic with a 500MB/day limit:
    Accounting::OUT::500MB::1D
Look for total (download + upload) traffic with a 200GB limit in the last week:
    Accounting::TOT::200GB::1W

Grace period
When using such violation features, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
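As an added example (not part of the guide and not PacketFence's own code), the following Python parses an Accounting trigger in the format above and checks it against constructed accounting sessions; the binary unit sizes, the 30-day month and 365-day year, and treating a missing interval as the whole accounting history are assumptions of this example.

```python
"""Added example, not PacketFence's own code: parse an Accounting violation
trigger (Accounting::DIRECTION::LIMIT[::INTERVAL]) and test it against
constructed accounting sessions. Binary unit sizes, a 30-day month, a 365-day
year and 'no interval means all history' are assumptions of this example."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Assumed sizes for the units the guide lists (it lists no TB).
BYTE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Assumed length in days of each interval unit.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

_TRIGGER = re.compile(
    r"^Accounting::(IN|OUT|TOT)::(\d+)(B|KB|MB|GB|PB)(?:::(\d+)(D|W|M|Y))?$")


class Trigger(NamedTuple):
    direction: str               # IN, OUT or TOT
    limit_bytes: int
    window: Optional[timedelta]  # None: look at the whole accounting history


def parse_trigger(text: str) -> Trigger:
    """Turn 'Accounting::IN::50GB::1M' into a Trigger; reject anything else."""
    m = _TRIGGER.match(text)
    if not m:
        raise ValueError(f"not an Accounting trigger: {text!r}")
    direction, amount, unit, count, interval = m.groups()
    window = timedelta(days=int(count) * INTERVAL_DAYS[interval]) if count else None
    return Trigger(direction, int(amount) * BYTE_UNITS[unit], window)


class Session(NamedTuple):
    """One RADIUS accounting record: session start and its octet counters."""
    start: datetime
    in_bytes: int   # traffic towards the client (download)
    out_bytes: int  # traffic from the client (upload)


def usage_in_window(trigger: Trigger, sessions: List[Session], now: datetime) -> int:
    """Sum the counters selected by DIRECTION over the sessions inside the window."""
    total = 0
    for s in sessions:
        if trigger.window is not None and s.start < now - trigger.window:
            continue  # older than the interval: not counted
        if trigger.direction == "IN":
            total += s.in_bytes
        elif trigger.direction == "OUT":
            total += s.out_bytes
        else:
            total += s.in_bytes + s.out_bytes
    return total


def violated(trigger_text: str, sessions: List[Session], now: datetime) -> Tuple[bool, int]:
    """Return (limit exceeded?, bytes counted) for one node's sessions."""
    trigger = parse_trigger(trigger_text)
    used = usage_in_window(trigger, sessions, now)
    return used > trigger.limit_bytes, used


# Constructed sample: three sessions of one node, the oldest outside a one-week window.
NOW = datetime(2016, 6, 1, 12, 0, 0)
SESSIONS = [
    Session(NOW - timedelta(days=20), in_bytes=150 * 1024 ** 3, out_bytes=10 * 1024 ** 3),
    Session(NOW - timedelta(days=3), in_bytes=120 * 1024 ** 3, out_bytes=5 * 1024 ** 3),
    Session(NOW - timedelta(hours=6), in_bytes=90 * 1024 ** 3, out_bytes=600 * 1024 ** 2),
]

if __name__ == "__main__":
    for text in ("Accounting::IN::50GB::1M", "Accounting::OUT::500MB::1D",
                 "Accounting::TOT::200GB::1W", "Accounting::OUT::20GB::1W"):
        hit, used = violated(text, SESSIONS, NOW)
        print(f"{text}: {'violation' if hit else 'ok'} ({used / 1024 ** 3:.2f} GiB counted)")
```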
Oinkmaster
Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update
In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.
    0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different access to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3, ...) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.
Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup
Caution: pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.
Note: a portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
    [guests_self_registration]
    guest_pid=email
    preregistration=disabled
These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.
Caution: a valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.
Note: a portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Self-registered guests are added under the Users tab of the PacketFence Web administration interface.
Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
    [guests_admin_registration]
    access_duration_choices=1h,3h,12h,1D,2D,3D,5D
    default_access_duration=12h
The format of the duration is as follows:
    <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
Let's explain the meaning of each parameter:
- DURATION: a number corresponding to the period duration
- DATETIME_UNIT: a character corresponding to the units of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years)
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years))
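An added example, not the guide's or PacketFence's own code, that resolves an access duration written in this format to an expiration date. Anchoring the R base at the start of the current unit (the duration is added to the beginning of the current day, week, month, and so on, rather than to now) and clamping the day when months or years roll over are this example's reading of the text above.

```python
"""Added example, not PacketFence's own code: resolve a guest access duration in
the format <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
to an expiration date. Anchoring the R base at the start of the current unit and
clamping the day when months or years roll over are this example's assumptions."""
import calendar
import re
from datetime import datetime, timedelta

_FORMAT = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 7 * 86400}


def add_units(base: datetime, count: int, unit: str) -> datetime:
    """Add count units to base; months and years roll the calendar and the day
    is clamped to the length of the target month."""
    if unit in _SECONDS:
        return base + timedelta(seconds=count * _SECONDS[unit])
    months = count * (12 if unit == "Y" else 1)
    year, month = divmod(base.year * 12 + base.month - 1 + months, 12)
    month += 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return base.replace(year=year, month=month, day=day)


def period_start(now: datetime, unit: str) -> datetime:
    """Beginning of the period unit that contains now; weeks start on Monday."""
    if unit == "s":
        return now.replace(microsecond=0)
    if unit == "m":
        return now.replace(second=0, microsecond=0)
    if unit == "h":
        return now.replace(minute=0, second=0, microsecond=0)
    day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # Y


def access_expiration(duration: str, now: datetime) -> datetime:
    """Expiration for one access_duration_choices entry, e.g. '12h', '1DF+2D'
    (fixed: one day from now, plus two days) or '1WR-1D' (relative: one week
    from the start of this week, minus one day)."""
    m = _FORMAT.match(duration)
    if not m:
        raise ValueError(f"invalid duration {duration!r}")
    count, unit, base, op, ext_count, ext_unit = m.groups()
    if base is None:                          # plain <DURATION><DATETIME_UNIT>
        return add_units(now, int(count), unit)
    anchor = now if base == "F" else period_start(now, unit)
    expires = add_units(anchor, int(count), unit)
    sign = 1 if op == "+" else -1
    return add_units(expires, sign * int(ext_count), ext_unit)


# Constructed reference time: Wednesday 2016-06-15 14:30:00.
SAMPLE_NOW = datetime(2016, 6, 15, 14, 30, 0)

if __name__ == "__main__":
    choices = "1h,3h,12h,1D,2D,3D,5D".split(",") + ["1DF+2D", "1WR+1D", "1MR-1D"]
    for choice in choices:
        print(f"{choice:>7} -> {access_expiration(choice, SAMPLE_NOW)}")
```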
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:
    [guests_self_registration]
    preregistration=enabled
This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist on the self-registration process.
Caution: a valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
    # PowerShell script to unregister deleted Active Directory accounts based on the UserName.
    Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | % {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin"   # Username for the web services
        $password = "admin"   # Password for the web services
        # Accepts any server certificate presented by PacketFence (the script's original behaviour)
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # JSON-RPC call: unregister every node whose pid is the deleted account name
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()
        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-deleted-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"
Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings:
- At the bottom, select "Run a new instance in parallel" in the list, in order to unregister multiple nodes at the same time.
Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
    # PowerShell script to unregister disabled Active Directory accounts based on the UserName.
    Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | % {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin"   # Username for the web services
        $password = "admin"   # Password for the web services
        # Accepts any server certificate presented by PacketFence (the script's original behaviour)
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # JSON-RPC call: unregister every node whose pid is the disabled account name
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()
        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }
Create the scheduled task based on an event ID:
Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-disabled-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"
Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings:
- At the bottom, select "Run a new instance in parallel" in the list.
Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
    # PowerShell script to unregister locked Active Directory accounts based on the UserName.
    Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | % {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin"   # Username for the web services
        $password = "admin"   # Password for the web services
        # Accepts any server certificate presented by PacketFence (the script's original behaviour)
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # JSON-RPC call: unregister every node whose pid is the locked account name
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()
        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-locked-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"
Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4740
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings:
- At the bottom, select "Run a new instance in parallel" in the list.
Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).

DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.
Microsoft DHCP sensor
You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.
You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.
Note: you absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First download and unzip nssm from https://nssm.cc/download.
Next create a batch file udpreflector.bat in C:\udp-reflector that contains:
    C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000
Where pcap0 is the interface where your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run: nssm install udpreflector
In Application:
- In Path, set it to C:\udp-reflector\udpreflector.bat
- In Startup directory, set it to C:\udp-reflector
- In Arguments, set it to nothing
In Details:
- In Startup type, select Automatic
In Log on:
- In Log on as, select Local System account
Then press Install service.
The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor
First download the RPM on your DHCP server.
CentOS 6 and 7 servers
For CentOS 6:
    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
For CentOS 7:
    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
Now install the sensor:
    rpm -i udp-reflector-*.rpm
Compiling the sensor from source on a Linux system
First make sure you have the following packages installed:
    libpcap libpcap-devel gcc-c++
Get the source code of the sensor:
    mkdir -p ~/udp-reflector && cd ~/udp-reflector
    wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
    g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap
Configuring the sensor
Place the following line in /etc/rc.local:
    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.
Start the sensor:
    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
The DHCP traffic should now be reflected on your PacketFence server.

Switch login access
PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices
IPTables
IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.
Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during the PacketFence initial installation.
Performance optimization
SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:
    [vlan]
    trap_limit = enabled
    trap_limit_threshold = 100
    trap_limit_action =
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.

MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load:
    uptime
    11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:
    iostat 5
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    3.20   20.20   76.00

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       32.40         0.00      1560.00          0       7800

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.20    9.20   88.00

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        7.80         0.00        73.60          0        368

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    1.80   23.80   73.80

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       31.40         0.00      1427.20          0       7136

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.40   18.16   78.84

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       27.94         0.00      1173.65          0       5880
As you can see, the load is 1.25 and IOWait is peaking at 20%: this is not good. If your IOwait is low but your MySQL is taking more than 50% CPU, this is also not good. Check your MySQL install for the following variables:
    mysql> show variables;
    | innodb_additional_mem_pool_size | 1048576 |
    | innodb_autoextend_increment     | 8       |
    | innodb_buffer_pool_awe_mem_mb   | 0       |
    | innodb_buffer_pool_size         | 8388608 |
PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.
Shut down PacketFence and MySQL:
    /etc/init.d/packetfence stop
    Shutting down PacketFence...
    /etc/init.d/mysql stop
    Stopping MySQL:                                            [  OK  ]
Edit /etc/my.cnf (or your local my.cnf):
    [mysqld]
    # Set buffer pool size to 50-80% of your computer's memory
    innodb_buffer_pool_size=800M
    innodb_additional_mem_pool_size=20M
    innodb_flush_log_at_trx_commit=2
    innodb_file_per_table
    # allow more connections
    max_connections=700
    # set cache size
    key_buffer_size=900M
    table_cache=300
    query_cache_size=256M
    # enable slow query log
    log_slow_queries = ON
Start up MySQL and PacketFence:
    /etc/init.d/mysqld start
    Starting MySQL:                                            [  OK  ]
    /etc/init.d/packetfence start
    Starting PacketFence...
Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:
    uptime
    12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
    iostat 5
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        8.00         0.00        75.20          0        376

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.99   13.37   83.03

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       14.97         0.00       432.73          0       2168

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.20    0.00    2.60    6.60   90.60

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        4.80         0.00        48.00          0        240
MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:
    /usr/local/bin/pftest mysql
Keeping tables small
Over time some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.
Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.
Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out while connecting, MySQL will consider this a connection error, and after 10 of these (by default) it will lock the host out with a:
    Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations
Avoid captive portal overload due to non-browser HTTP requests
By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows Update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:
    [get_ua_is_dalvik]
    filter = user_agent
    method = GET
    operator = match
    value = Dalvik

    [get_uri_not_generate204]
    filter = uri
    method = GET
    operator = match_not
    value = generate_204
The last block defines the relationship between the tests and the desired action. For example:
    [block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
    action = 501
    redirect_url =
This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
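The test/action logic described for WMI rules earlier (operators is, is_not, match and match_not, and action expressions such as [1:!google|(explorer&memory)]) and the apache_filters.conf tests here share one shape, so the following added example (not PacketFence's own code) evaluates both; the dict representation of the blocks, the sample WMI rows and the sample request are constructed assumptions of this example.

```python
"""Added example, not PacketFence's own code: evaluator for the test/action
block syntax shared by WMI Rules Definition and apache_filters.conf. Operators,
block names and the sample rules are from the guide; representing the blocks as
dicts instead of the ini files is this example's assumption."""
import re
from typing import Dict, List

OPERATORS = {  # the four operators a test block may use
    "is": lambda actual, expected: actual == expected,
    "is_not": lambda actual, expected: actual != expected,
    "match": lambda actual, expected: re.search(expected, actual) is not None,
    "match_not": lambda actual, expected: re.search(expected, actual) is None,
}
_TOKEN = re.compile(r"[A-Za-z_]\w*|[&|!()]")


def evaluate(expr: str, outcome: Dict[str, bool]) -> bool:
    """Evaluate an action-block expression such as '!google|(explorer&memory)'
    against each named test's result (an unknown test name counts as False).
    Recursive descent: '!' binds tightest, then '&', then '|'."""
    if re.sub(r"[A-Za-z_]\w*|[&|!()]|\s+", "", expr):
        raise ValueError(f"illegal character in {expr!r}")
    tokens = _TOKEN.findall(expr) + [None]  # None marks the end of input
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while tokens[pos] == "|":
            take()
            value = parse_and() or value
        return value

    def parse_and():
        value = parse_not()
        while tokens[pos] == "&":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"unexpected {tok!r} in {expr!r}")
        return outcome.get(tok, False)

    result = parse_or()
    if tokens[pos] is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def fire(actions: Dict[str, str], outcome: Dict[str, bool]) -> List[str]:
    """Return the actions whose block name '<label>:<expression>' holds."""
    return [action for name, action in actions.items()
            if evaluate(name.split(":", 1)[1], outcome)]


def wmi_actions(tests: Dict[str, tuple], actions: Dict[str, str], rows: List[dict]) -> List[str]:
    """WMI rule: a test (attribute, operator, value) holds if any row returned
    by the request matches it."""
    outcome = {name: any(OPERATORS[op](str(row.get(attr, "")), value) for row in rows)
               for name, (attr, op, value) in tests.items()}
    return fire(actions, outcome)


def http_actions(tests: Dict[str, tuple], actions: Dict[str, str], request: dict) -> List[str]:
    """apache_filters.conf: a test (filter, method, operator, value) also
    requires the request method to match."""
    outcome = {name: request["method"] == method
               and OPERATORS[op](request.get(field, ""), value)
               for name, (field, method, op, value) in tests.items()}
    return fire(actions, outcome)


# Constructed samples: the Software_Installed rule extended with a second test
# and a negated group, and the Dalvik filter exactly as the guide shows it.
WMI_TESTS = {"Google": ("Caption", "match", "Google"), "Zip": ("Caption", "match", "7-Zip")}
WMI_ACTIONS = {"1:Google&!(Zip|Java)": "trigger_violation", "2:Zip|Java": "allow"}
WMI_ROWS = [{"Caption": "Google Chrome"}, {"Caption": "7-Zip 16.02"}]

HTTP_TESTS = {"get_ua_is_dalvik": ("user_agent", "GET", "match", "Dalvik"),
              "get_uri_not_generate204": ("uri", "GET", "match_not", "generate_204")}
HTTP_ACTIONS = {"block_dalvik:get_ua_is_dalvik&get_uri_not_generate204": "501"}

if __name__ == "__main__":
    print(wmi_actions(WMI_TESTS, WMI_ACTIONS, WMI_ROWS))
    print(http_actions(HTTP_TESTS, HTTP_ACTIONS,
                       {"method": "GET", "user_agent": "Dalvik/2.1.0", "uri": "/"}))
```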
Dashboard Optimizations (statistics collection)
The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.
First add a disk in your virtual machine or bare-metal server and reboot (this example will use /dev/sdb as the new device).
Make sure packetfence is stopped:
    service packetfence stop
Create an ext4 partition:
    mkfs.ext4 /dev/sdb
Then move the old databases to a backup point:
    mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak
Mount your new disk and check that it is mounted:
    echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
    mkdir /usr/local/pf/var/graphite
    mount -a
    df -h
Apply the proper user rights and restore your database from your backup:
    chown pf:pf /usr/local/pf/var/graphite
    cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/
Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:
    rm -fr /usr/local/pf/var/graphite.bak
Additional Information
For more information, please consult the mailing archives or post your questions to the lists. For details, see:
- packetfence-announce@lists.sourceforge.net: public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: user and usage discussions
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance, or align with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/ for details.
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools
pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                       | manage the cache subsystem
 checkup                     | perform a sanity checkup and report any problems
 class                       | view violation classes
 configfiles                 | push or pull configfiles into/from database
 configreload                | reload the configution
 floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
 help                        | show help for pfcmd commands
 ifoctetshistorymac          | accounting history
 ifoctetshistoryswitch       | accounting history
 ifoctetshistoryuser         | accounting history
 import                      | bulk import of information into the database
 ipmachistory                | IP/MAC history
 locationhistorymac          | Switch/Port history
 locationhistoryswitch       | Switch/Port history
 networkconfig               | query/modify network configuration parameters
 node                        | manipulate node entries
 pfconfig                    | interact with pfconfig
 portalprofileconfig         | query/modify portal profile configuration parameters
 reload                      | rebuild fingerprint or violations tables without restart
 service                     | start/stop/restart and get PF daemon status
 schedule                    | Nessus scan scheduling
 switchconfig                | query/modify switches.conf configuration parameters
 version                     | output version information
 violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option
The node view option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
 -deauthenticate      de-authenticate a dot11 client
 -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
 -getAlias            show the description of the specified switch port
 -getAllMACs          show all MACS on all switch ports
 -getHubs             show switch ports with several MACs
 -getIfOperStatus     show the operational status of the specified switch port
 -getIfType           show the ifType on the specified switch port
 -getLocation         show at which switch port the MAC is found
 -getSwitchLocation   show SNMP location of specified switch
 -getMAC              show all MACs on the specified switch port
 -getType             show switch type
 -getUpLinks          show the upLinks of the specified switch
 -getVersion          show switch OS version
 -getVlan             show the VLAN on the specified switch port
 -getVlanType         show the VLAN type on the specified port
 -help                brief help message
 -isolate             set the switch port to the isolation VLAN
 -man                 full documentation
 -reAssignVlan        re-assign a switch port VLAN
 -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
 -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
 -setAlias            set the description of the specified switch port
 -setDefaultVlan      set the switch port to the default VLAN
 -setIfAdminStatus    set the admin status of the specified switch port
 -setVlan             set VLAN on the specified switch port
 -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

Options:
 -alias          switch port description
 -ifAdminStatus  ifAdminStatus
 -ifIndex        switch port ifIndex
 -mac            MAC address
 -showPF         show additional information available in PF
 -switch         switch description
 -verbose        log verbosity level
                  0 : fatal messages
                  1 : warn messages
                  2 : info messages
                  3 : debug
                  4 : trace
 -vlan           VLAN id
 -vlanName       VLAN name (as in switches.conf)
environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.
Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system.
Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
Database server (MySQL or MariaDB)
Web server (Apache)
DHCP server (ISC DHCP)
RADIUS server (FreeRADIUS)
Depending on your setup you may have to install additional components like:
NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
Intel or AMD CPU 3 GHz
8 GB of RAM
100 GB of disk space (RAID-1 recommended)
1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architectures:
Red Hat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
Disable Firewall
Disable SELinux
Disable AppArmor
Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
RedHat-based systems
Note
Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x
Note
These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
easy installation
everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade
Software Installation
RHEL / CentOS
In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator.
Debian
For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
Inline
Out-of-band
Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement
Introduction
Before the version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of.
Everyone behind an inline interface is on the same Layer 2 LAN.
Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity.
Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
Ipset can store up to 65536 entries, so it is not possible to have an inline network class upper than B.
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
Web Auth mode
Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP
Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (it didn't detect the link was down), so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.
linkUp/linkDown traps (deprecated)
This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps
If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.
If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap, whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter is working like a trigger and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement technique rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN or the inline VLAN if defined in switch configuration), and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. test!
Note
If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from the PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLANs or internal roles or ACLs on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
Active Directory
Apache htpasswd file
External HTTP API
Facebook (OAuth 2)
Github (OAuth 2)
Google (OAuth 2)
Kerberos
LDAP
LinkedIn (OAuth 2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth 2)
Windows Live (OAuth 2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any users that match in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example: Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.
Now, we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From the Configuration → Users → Sources, we select Add source → AD. We provide the following information:
Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule by clicking on the Add rule button and provide the following information:
Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role employee
Set unregistration date January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration for 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then, we add a rule:
Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role machineauth
Set unregistration date January 1st, 2020
Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.
Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
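As an added illustration (not PacketFence code), the following Python models the first-match-wins evaluation of ordered sources, rules, conditions and actions described above, run over this section's ad1 / employees / machines example. The data structures, the condition operators, the constructed directory contents and the distinct name ad1-machines for the second source are assumptions of the example; the guest accounts' role and 1-day access are modelled here as a rule of the local SQL source.

```python
"""Added example, not PacketFence code: first-match-wins evaluation of
ordered authentication sources and rules (see the text above).
Data structures, operators and directory contents are assumptions."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    conditions: list   # [(attribute, operator, value)]; empty = catch-all
    actions: dict      # e.g. {"set_role": "employee"}


@dataclass
class Source:
    name: str
    kind: str          # "AD", "LDAP", "htpasswd", "SQL", "Kerberos" or "RADIUS"
    username_attribute: str
    directory: dict    # constructed: username attribute value -> user attributes
    rules: list


OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "is member of": lambda actual, wanted: wanted in (actual or []),
}


def source_knows(source, username):
    """Per the note above: AD, LDAP and htpasswd (and here SQL) sources only
    match when the username attribute is found; Kerberos and RADIUS accept
    everything, so their catch-all rule is a true catch-all."""
    if source.kind in ("Kerberos", "RADIUS"):
        return True
    return username in source.directory


def rule_matches(rule, attrs):
    # No condition = fallback rule, which always matches.
    return all(OPERATORS[op](attrs.get(attr), wanted)
               for attr, op, wanted in rule.conditions)


def evaluate(sources, username):
    """Return (source name, rule name, actions) of the first matching rule,
    testing sources then rules in their configured order; None if nothing
    matches (rule testing stops at the first match across all sources)."""
    for source in sources:
        if not source_knows(source, username):
            continue
        attrs = source.directory.get(username, {})
        for rule in source.rules:
            if rule_matches(rule, attrs):
                return source.name, rule.name, rule.actions
    return None


# Constructed directory contents standing in for the LDAP queries.
employees = Source(
    name="ad1", kind="AD", username_attribute="sAMAccountName",
    directory={
        "alice": {"memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
        "carol": {"memberOf": []},
    },
    rules=[
        # Conditioned rule placed before the catch-all; memberOf would be a
        # custom LDAP attribute (hypothetical condition for this example).
        Rule("it-staff",
             [("memberOf", "is member of", "CN=IT,CN=Users,DC=acme,DC=local")],
             {"set_role": "it", "set_unregdate": "2020-01-01"}),
        Rule("employees", [], {"set_role": "employee", "set_unregdate": "2020-01-01"}),
    ],
)
machines = Source(
    name="ad1-machines", kind="AD", username_attribute="servicePrincipalName",
    directory={"host/pc01.acme.local": {}},
    rules=[Rule("machines", [], {"set_role": "machineauth", "set_unregdate": "2020-01-01"})],
)
guests = Source(
    name="local", kind="SQL", username_attribute="pid",
    directory={"guest1": {}},
    rules=[Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"})],
)
SOURCES = [employees, machines, guests]   # tested in this order

if __name__ == "__main__":
    for user in ("alice", "carol", "host/pc01.acme.local", "guest1", "mallory"):
        print(user, "->", evaluate(SOURCES, user))
```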
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication
This should provide the information about whether or not the username/password combination is valid.
This information is available through the POST fields of the request.
The server should reply with two attributes in a JSON response:
result should be 1 for success, 0 for failure
message should be the reason it succeeded or failed
Example JSON response:

{"result":1,"message":"Valid username and password"}
Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response (note that not all attributes are necessary, only send back what you need):

    {"access_duration": "1D", "access_level": "ALL", "sponsor": 1, "unregdate": "2030-01-01", "category": "default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
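The two actions described above, implemented as a small standard-library HTTP server. This is an added example, not the addon shipped under /usr/local/pf/addons/example_external_auth. It assumes that PacketFence posts form fields named username and password, that the Authentication URL is /auth and the Authorization URL is /authorize, and that the HTTP source is configured with the API username pfapi and password s3cret; the user table is constructed. Passwords are stored as salted digests and the basic-auth header is compared in constant time, and the reply only carries the attributes PacketFence documents.

```python
"""External HTTP authentication API for a PacketFence HTTP source.

Added example, not the PacketFence addon. Assumed (not stated on the page):
PacketFence posts form fields named "username" and "password"; the
Authentication URL is /auth and the Authorization URL is /authorize; the
user table and API credentials below are constructed.
"""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs

# Values entered in the HTTP source's "API username/password" fields
# (HTTP basic authentication, RFC 2617). Constructed.
API_USER = "pfapi"
API_PASSWORD = "s3cret"


def _digest(salt: str, password: str) -> str:
    """Salted SHA-256 hex digest: the API never stores cleartext passwords."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed user table. "attributes" is what the authorization action
# returns; only attributes PacketFence understands (access_duration,
# access_level, sponsor, unregdate, category) belong there.
USERS = {
    "alice": {"salt": "a1", "digest": _digest("a1", "correct horse"),
              "attributes": {"access_duration": "1D", "category": "default"}},
    "bob": {"salt": "b2", "digest": _digest("b2", "battery staple"),
            "attributes": {"access_level": "ALL", "unregdate": "2030-01-01",
                           "category": "default"}},
}
# Decoy digest so unknown usernames take the same code path and time.
_UNKNOWN = _digest("decoy", "decoy")


def authenticate(username: str, password: str) -> dict:
    """Authentication action: result 1 on success, 0 on failure, plus a reason."""
    user = USERS.get(username)
    salt = user["salt"] if user else "decoy"
    expected = user["digest"] if user else _UNKNOWN
    match = hmac.compare_digest(_digest(salt, password), expected)
    if user is not None and match:
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(username: str) -> dict:
    """Authorization action: the actions to apply; only what is needed."""
    user = USERS.get(username)
    return dict(user["attributes"]) if user else {}


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value PacketFence would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def check_basic_auth(header: Optional[str]) -> bool:
    """Constant-time comparison of the presented header with the expected one."""
    if not header:
        return False
    expected = basic_auth_header(API_USER, API_PASSWORD)
    return hmac.compare_digest(header.encode("utf-8"), expected.encode("utf-8"))


class Handler(BaseHTTPRequestHandler):
    ROUTES = {
        "/auth": lambda f: authenticate(f.get("username", ""), f.get("password", "")),
        "/authorize": lambda f: authorize(f.get("username", "")),
    }

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        route = self.ROUTES.get(self.path)
        if route is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode("utf-8", "replace")
        # The user's attributes arrive as POST form fields.
        fields = {k: v[0] for k, v in parse_qs(raw).items()}
        body = json.dumps(route(fields)).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on the port given in the Host field of the HTTP source.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

With this server running, the Host field would be http://<api-host>:8080, the Authentication URL auth and the Authorization URL authorize; leaving the API username and password fields filled keeps the endpoints from answering unauthenticated callers.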
SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
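Before pointing the SAML source at the transferred files, it is worth checking that idp-metadata.xml and idp.crt agree with each other: an idp.crt that is not the signing certificate published in the metadata means assertion signatures will fail to verify, and an HTTP (not HTTPS) single sign-on endpoint sends the user's credentials in cleartext. The checker below is an added example, not PacketFence code; it assumes the metadata is a standard SAML 2.0 EntityDescriptor with an IDPSSODescriptor (the shape SimpleSAMLphp publishes), and the sample metadata and certificate are constructed (the base64 is not a real certificate).

```python
"""Consistency checks on Identity Provider metadata for the SAML source.

Added example, not PacketFence code. Assumes SAML 2.0 metadata with an
IDPSSODescriptor; the sample metadata and certificate below are constructed.
"""
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _b64_body(text: str) -> str:
    """Strip whitespace so PEM and metadata encodings compare equal."""
    return re.sub(r"\s+", "", text)


def pem_certificate_body(pem: str) -> str:
    """Base64 body of the first certificate in a PEM file such as idp.crt."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return _b64_body(m.group(1))


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A key marked for encryption only cannot be used to verify assertions.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append(_b64_body(c.text or ""))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def check_idp_config(metadata_xml: str, idp_crt_pem: str) -> list:
    """Return the problems found; an empty list means the files are consistent."""
    md = parse_idp_metadata(metadata_xml)
    problems = []
    if not md["entity_id"]:
        problems.append("metadata has no entityID")
    if not md["signing_certs"]:
        problems.append("metadata carries no signing certificate")
    elif pem_certificate_body(idp_crt_pem) not in md["signing_certs"]:
        problems.append("idp.crt does not match any signing certificate in the metadata")
    location = md["sso"].get(HTTP_REDIRECT)
    if not location:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    elif not location.startswith("https://"):
        problems.append("SSO endpoint is not https; credentials would travel in cleartext")
    return problems


# Constructed sample files (placeholder base64, not a real certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Tk9UQVJFQUxDRVJUSUZJQ0FURQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""
SAMPLE_IDP_CRT = ("-----BEGIN CERTIFICATE-----\n"
                  "Tk9UQVJFQUxDRVJUSUZJQ0FURQ==\n"
                  "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Run against the real files with open("/usr/local/pf/conf/idp-metadata.xml").read() etc.
    print(check_idp_config(SAMPLE_METADATA, SAMPLE_IDP_CRT))
```

An empty list means idp.crt is the signing certificate the Identity Provider publishes and the SSO endpoint is reachable over HTTPS; remember that the Identity Provider domain in that endpoint is the one to add to the passthroughs.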
Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file:

    /usr/local/pf/bin/pfcmd configreload
Working modes: There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access;engineeringRole=full-access;salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
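Most of the settings in this section decide whether enforcement actually happens and whether switch credentials cross the network in cleartext: a switch left in testing mode never changes a VLAN, a missing radiusSecret disables RADIUS authentication and RFC 3576 CoA/Disconnect, SNMP v1/v2c and Telnet send community strings and CLI passwords unencrypted. The audit below reads a switches.conf, applies the [default] section as the fallback for each switch, expands the <rolename>Role=<controller_role> mapping and reports such findings. It is an added example, not PacketFence code: the parameter names shown on this page (radiusSecret, SNMPVersion, the SNMP*Read/Trap keys, cliTransport, wsTransport, roles) are used as documented, while mode, type, SNMPCommunityRead and SNMPCommunityWrite are the switches.conf keys as the author knows them and are assumptions here, as is the constructed sample file.

```python
"""Audit switches.conf for settings that weaken or silently disable enforcement.

Added example, not part of PacketFence. mode, type, SNMPCommunityRead and
SNMPCommunityWrite are assumed key names; the sample file is constructed.
"""
import configparser
import re

ROLE_ENTRY = re.compile(r"^(\w+)Role=([^;=\s]+)$")


def parse_roles(spec: str) -> dict:
    """Expand '<rolename>Role=<controller_role>' entries separated by ';'."""
    mapping = {}
    for entry in (e.strip() for e in spec.split(";")):
        if not entry:
            continue
        m = ROLE_ENTRY.match(entry)
        if m is None:
            raise ValueError(f"malformed role mapping: {entry!r}")
        mapping[m.group(1)] = m.group(2)
    return mapping


def load_switches_conf(text: str) -> configparser.ConfigParser:
    """Parse switches.conf; [default] supplies the fallback for every switch."""
    cfg = configparser.ConfigParser(interpolation=None, default_section="default")
    cfg.optionxform = str  # keys such as SNMPVersion are case-sensitive
    cfg.read_string(text)
    return cfg


def audit(text: str) -> dict:
    """Map each switch section to a list of (code, explanation) findings."""
    cfg = load_switches_conf(text)
    report = {}
    for switch in cfg.sections():
        get = lambda key, default="": cfg.get(switch, key, fallback=default).strip()
        findings = []
        mode = get("mode", "production")
        if mode != "production":
            findings.append(("mode-not-production",
                             f"mode is {mode}: pfsetvlan will not change any VLAN"))
        if not get("radiusSecret"):
            findings.append(("no-radius-secret",
                             "RADIUS auth and RFC 3576 CoA/Disconnect need radiusSecret"))
        if get("SNMPVersion") != "3":
            findings.append(("snmp-not-v3",
                             "SNMP v1/v2c sends community strings in cleartext; prefer RADIUS"))
            if get("SNMPCommunityRead") == "public" or get("SNMPCommunityWrite") == "private":
                findings.append(("default-community", "well-known default SNMP community in use"))
        elif not get("SNMPPrivProtocolRead"):
            findings.append(("snmpv3-no-priv", "SNMPv3 without privacy: traffic is not encrypted"))
        if get("cliTransport").lower() == "telnet":
            findings.append(("cli-telnet", "cliUser/cliPwd travel in cleartext; use SSH"))
        if get("wsTransport").lower() == "http":
            findings.append(("ws-http", "wsUser/wsPwd travel in cleartext; use https"))
        try:
            parse_roles(get("roles"))
        except ValueError as exc:
            findings.append(("bad-roles", str(exc)))
        report[switch] = findings
    return report


def effective_roles(text: str, switch: str) -> dict:
    """Role mapping applied to one switch (per-switch roles override the global ones)."""
    cfg = load_switches_conf(text)
    return parse_roles(cfg.get(switch, "roles", fallback=""))


# Constructed sample switches.conf.
SAMPLE_SWITCHES_CONF = """\
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
SNMPVersion = 2c
mode = production
roles = adminRole=full-access;engineeringRole=full-access;salesRole=little-access

[192.168.1.10]
type = Cisco::Catalyst_2960
mode = testing
radiusSecret = secretPassPhrase
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
cliTransport = SSH
cliUser = admin
cliPwd = admin_pwd

[192.168.1.20]
type = Cisco::WLC
radiusSecret =
cliTransport = Telnet
roles = adminRole=employee;salesRole=little-access
"""

if __name__ == "__main__":
    # Replace SAMPLE_SWITCHES_CONF with open("/usr/local/pf/conf/switches.conf").read()
    for switch, findings in audit(SAMPLE_SWITCHES_CONF).items():
        print(switch, [code for code, _ in findings])
```

Running it against the sample reports the first switch only for its testing mode (no VLAN will ever be changed there) and the second for the empty radiusSecret, the inherited SNMP v2c with default communities, and Telnet; the role mapping shows the per-switch roles parameter replacing the global one rather than merging with it.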
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: Network in CIDR format or an IP address

Caution: Node role will take effect only with a 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configurations are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
- httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator.
- Password is the password for the username defined above.
Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, they will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:
    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser

    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note: This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfsponsor
                if (fail || notfound) {
                    # Don't check activation table with phone number and PIN code
                    #pfsms    <--- This line was commented out
                    if (fail || notfound) {
                        update control {
                            &MS-CHAP-Use-NTLM-Auth := Yes
                        }
                    }
                }
            }
        }
    }

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            update control {
                MS-CHAP-Use-NTLM-Auth := Yes
            }
        }
    }

Caution: You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests: Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note: When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

- Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
- Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
- Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, ex: you want your users to register via Google+ and pay for their access using PayPal.
- Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.
- Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
  - Billing: Allows to define a module based on one or more billing sources.
  - Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.
  - Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
  - Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples: This section will contain the following examples:

- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then, go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note: Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then, we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.
Then, add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to the section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should they choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for the Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then, put the following in the Message field:

    Hello World! <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile, and you will then see the hello world message.
Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. The same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

- Sources by class: Allows you to specify the Perl class name of the sources you want available. Ex: pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can look at default_guest_policy and default_oauth_policy for examples of this module.
Debugging

Log files

Here are the most important PacketFence log files:

- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache, Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache, Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache, Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache, Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache, Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache, Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache, AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache, AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.
RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands. The debug instance binds the same ports as the running daemon, so stop the corresponding service first. Debug output can include attribute values such as User-Password, so treat anything you capture or paste into a ticket as sensitive.

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf. The pf user normally has no login shell; revert the change once you are done debugging.

b. Run raddebug as root (less secure).

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug RADIUS accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment, including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP phone or not and tell the IP phone to tag its Ethernet frames using the configured voice VLAN on the switch port.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP phone which VLAN id is the voice VLAN.

Neither CDP nor LLDP authenticates the device that speaks it: any host able to send these announcements can claim to be a phone. This is why the phone's MAC address still has to be authorized by PacketFence on the voice VLAN, as described below.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its Ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have one MAC address authorized on the voice VLAN and one on the access VLAN.
Note: Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its Ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; these define the untagged VLAN.

Note: Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing?

It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its Ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP servers to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP phones (on the first connect, the phone will be assigned to the registration VLAN).
Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. Installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Launching the application and clicking Configure will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note: This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts, expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account or at https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to get into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings as follows.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My Account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution: The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:

- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant Paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or on http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of them for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which define the price and the target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note: If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Advanced network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, go in Subscriptions → Plans.

Then create a new plan.
Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
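The three "it is important that this matches" rules above are easy to get wrong by hand, in particular because Stripe stores amounts as integers in the smallest currency unit while the billing tier carries a decimal price. The following is an added example, not PacketFence code: it parses the two tiers shown above (embedded here as a constructed copy; the tier file name and location on disk are not part of the example) and compares them with constructed Stripe plan objects in the shape the dashboard shows them, reporting every mismatch in ID, amount, currency or interval.

```python
import configparser
from decimal import Decimal, ROUND_HALF_UP

# Constructed copy of the two billing tiers from the text (INI style, as
# PacketFence stores them).
BILLING_TIERS_CONF = """
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed plan objects in the shape Stripe shows them: amount is an
# integer in the smallest currency unit (3.99 USD -> 399).
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 999, "currency": "usd", "interval": "month"},
]


def load_tiers(text):
    """Parse the tier file into {tier_id: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def to_minor_units(price):
    """'3.99' -> 399. Decimal avoids the float trap (0.29 * 100 == 28.999...)."""
    cents = (Decimal(price) * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP)
    return int(cents)


def check_plans(tiers, plans, source_currency, interval="month"):
    """Compare every tier with the Stripe plan of the same ID and return a
    list of problems; an empty list means both sides agree."""
    problems = []
    plans_by_id = {plan["id"]: plan for plan in plans}
    for tier_id, tier in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:
            problems.append("%s: no Stripe plan with this ID" % tier_id)
            continue
        expected = to_minor_units(tier["price"])
        if plan["amount"] != expected:
            problems.append("%s: Stripe amount %d != tier price %s (%d)"
                            % (tier_id, plan["amount"], tier["price"], expected))
        if plan["currency"].lower() != source_currency.lower():
            problems.append("%s: Stripe currency %s != source currency %s"
                            % (tier_id, plan["currency"], source_currency))
        if plan["interval"] != interval:
            problems.append("%s: Stripe interval %s != expected %s"
                            % (tier_id, plan["interval"], interval))
    # plans that exist in Stripe but have no tier would bill without granting access
    for plan_id in sorted(plans_by_id.keys() - tiers.keys()):
        problems.append("%s: Stripe plan has no billing tier" % plan_id)
    return problems


if __name__ == "__main__":
    tiers = load_tiers(BILLING_TIERS_CONF)
    print(check_plans(tiers, STRIPE_PLANS, "USD") or "tiers and plans are consistent")
```

Run it against a dump of your real plans (for example the output of the Stripe API's plan listing, converted to the dict shape above) whenever a tier price changes; the source currency is the one configured on the Stripe source in PacketFence.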
Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests to a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain. Anything that can reach that port can post to the hook URL, so expose no more than the hook needs (for example by restricting the sources allowed to reach port 80 to the addresses Stripe publishes for its webhooks).
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned to a specific category for easier management. Note that the OUI check only verifies that the entered address carries a console vendor's prefix; it is a convenience filter, not an authentication of the device, and accountability rests on the user account the device is registered to.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
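The MAC address entered on the device registration page arrives as free-form text, so the check described above has two parts: normalise whatever the user typed into a canonical address, then compare its OUI with the allow-list. The following is an added example, not PacketFence's own device-registration code; the allow-list is constructed (verify the OUIs you deploy against the IEEE registry) and the rejection of multicast, locally administered and all-zero addresses is this example's own choice, since none of those can carry a vendor OUI.

```python
import re

# Constructed allow-list: OUIs of the console vendors a site wants to admit.
# Take the real values for your deployment from the IEEE OUI registry.
ALLOWED_OUIS = {"00:50:F2", "7C:ED:8D", "00:1F:A7"}

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept the usual spellings (00:50:f2:aa:bb:cc, 00-50-F2-AA-BB-CC,
    0050.f2aa.bbcc, 0050f2aabbcc) and return AA:BB:CC:DD:EE:FF, or None when
    the input is not a MAC address at all."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _TWELVE_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def check_device(raw_mac, allowed_ouis=ALLOWED_OUIS):
    """Return (accepted, reason, normalized_mac) for one registration attempt."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return False, "not a MAC address", None
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:            # I/G bit set: multicast or broadcast
        return False, "multicast or broadcast address", mac
    if first_octet & 0x02:            # U/L bit set: no vendor behind the OUI
        return False, "locally administered address", mac
    if mac == "00:00:00:00:00:00":
        return False, "all-zero address", mac
    if mac[:8] not in allowed_ouis:   # the OUI is the first three octets
        return False, "OUI not authorized", mac
    return True, "ok", mac


if __name__ == "__main__":
    # constructed inputs a user might type on the registration page
    for entered in ("00-50-f2-11-22-33", "0050.f211.2233", "00:50:F2:11:22:3",
                    "02:50:F2:11:22:33", "00:1A:2B:11:22:33"):
        print(repr(entered), "->", check_device(entered))
```

The normalised form is what should be stored and compared against the node database; keeping the user's raw spelling would let the same device be registered several times under different-looking strings.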
Eduroam

"eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop."

(eduroam, https://www.eduroam.org)

PacketFence supports integration with eduroam and allows participating institutions to authenticate visiting users from other institutions locally, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to set a proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:
    client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
    }

    client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

    home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either as a domain\ prefix or as an @ suffix of the username:

- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam: FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:
    authorize {
        # pay attention to the order of the modules. It matters!
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( Called-Station-Id !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := local
        #    }
        #}

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realm module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:
    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }
    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }
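The realm rules above (NULL, EXAMPLE, example.edu, DEFAULT with nostrip) together with the optional Called-Station-Id check decide, for every Access-Request, whether it is authenticated locally or proxied to the eduroam pool. The following is an added example, not FreeRADIUS or PacketFence code: it models that decision so the realm list can be checked against sample user names before touching the production server. It assumes the module order from the authorize section (ntdomain, then suffix) and compares realm names case-insensitively, as FreeRADIUS does; Called-Station-Id is assumed to be in the "<AP MAC>:<SSID>" form most wireless controllers send.

```python
import re

# Realms the proxy.conf example defines without an auth_pool, i.e.
# authenticated by this FreeRADIUS/PacketFence instance.
LOCAL_REALMS = ("NULL", "EXAMPLE", "example.edu")
EDUROAM_POOL = "eduroam"      # auth_pool of the DEFAULT realm
LOCAL = "local"               # stands for Proxy-To-Realm := local


def find_realm(username):
    """Apply the ntdomain module (prefix, backslash delimiter, ignore_null)
    and then the suffix module ('@' delimiter), in the order the authorize
    section lists them. Returns (stripped_user, realm); the realm is 'NULL'
    when neither delimiter yields a domain."""
    if "\\" in username:                            # DOMAIN\user
        domain, _, user = username.partition("\\")
        if domain and user:
            return user, domain
    if "@" in username:                             # user@domain, last '@' wins
        user, _, domain = username.rpartition("@")
        if domain and user:
            return user, domain
    return username, "NULL"


def route_request(username, called_station_id="", block_other_ssids=False):
    """Return (realm, user_name_forwarded, target) for one Access-Request.

    target is LOCAL when the request is authenticated here and EDUROAM_POOL
    when it is proxied. block_other_ssids models the commented
    Called-Station-Id check in the authorize section."""
    user, found = find_realm(username)
    for realm in LOCAL_REALMS:
        if realm.lower() == found.lower():
            return realm, user, LOCAL
    # Not one of our domains: the DEFAULT realm applies and, because of
    # 'nostrip', the full user@domain name is forwarded to the pool.
    if block_other_ssids and not re.search(r"eduroam$", called_station_id, re.I):
        # outside users on a non-eduroam SSID stay local, where they fail
        return "DEFAULT", username, LOCAL
    return "DEFAULT", username, EDUROAM_POOL


if __name__ == "__main__":
    # constructed requests
    for name, ap in (("bob", "00-11-22-33-44-55:Corp"),
                     ("EXAMPLE\\bob", "00-11-22-33-44-55:Corp"),
                     ("bob@example.edu", "00-11-22-33-44-55:eduroam"),
                     ("alice@other.edu", "00-11-22-33-44-55:eduroam"),
                     ("alice@other.edu", "00-11-22-33-44-55:Corp")):
        print(name, ap, route_request(name, ap, block_other_ssids=True))
```

Two behaviours worth noticing when you extend LOCAL_REALMS: a bare name with a trailing "@" or leading "\" has no domain and lands in NULL, and any domain you forget to list is silently proxied to eduroam because DEFAULT catches it.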
Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user or organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database. Keep in mind that what is submitted describes devices on your network, so review this option against your own data handling rules before enabling it.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can come from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream entries, or both, to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There is documentation for each and every parameter to allow easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution: Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Because identification relies on the MAC address alone, a host presenting a floating device's MAC on any port gets port-security disabled on that port and, if trunkPort is set, a trunk carrying the listed VLANs. Keep the list of floating devices short and limit taggedVlan to the VLANs the device really needs.

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS configuration.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).
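Both the Android passthrough list in the [trapping] section earlier in this chapter and the per-provider "Authorized domains" below are allow-lists of DNS names that a trapped device may reach, and the way they are matched decides how much of the Internet the registration VLAN can see. The following is an added example, not PacketFence's pfdns or iptables code: it parses a comma separated passthrough value and matches queried names label by label, so that subdomains of a listed domain pass while look-alike names (evilgoogleapis.com, googleapis.com.attacker.net) do not. The exact-or-subdomain semantics are this example's own; the sample names are constructed.

```python
# Constructed from the Android provisioning passthrough list shown earlier
# in this chapter.
ANDROID_PASSTHROUGHS = ("ggpht.com,googleusercontent.com,"
                        "android.clients.google.com,googleapis.com,gvt1.com")


def parse_passthroughs(value):
    """Turn a comma separated pf.conf style value into a normalized set of
    domain names (lower-case, no trailing dot, a leading '*.' removed)."""
    allowed = set()
    for item in value.split(","):
        domain = item.strip().lower().rstrip(".")
        if domain.startswith("*."):
            domain = domain[2:]
        if domain:
            allowed.add(domain)
    return allowed


def is_passthrough(hostname, allowed):
    """True when hostname is a listed domain or a subdomain of one.

    The comparison walks DNS labels instead of using string suffixes, so
    'evilgoogleapis.com' does not match 'googleapis.com' and
    'googleapis.com.attacker.net' does not match either."""
    host = hostname.strip().lower().rstrip(".")
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in allowed for i in range(len(labels)))


def filter_queries(hostnames, allowed):
    """Split a batch of queried names into (passthrough, trapped) lists; this
    is the decision taken for every name a trapped device resolves."""
    passed = [h for h in hostnames if is_passthrough(h, allowed)]
    trapped = [h for h in hostnames if not is_passthrough(h, allowed)]
    return passed, trapped


if __name__ == "__main__":
    allowed = parse_passthroughs(ANDROID_PASSTHROUGHS)
    # constructed sample of names a device in the registration VLAN might ask for
    sample = ["play.googleapis.com", "www.google.com", "evilgoogleapis.com",
              "googleapis.com.attacker.net", "GGPHT.COM."]
    print(filter_queries(sample, allowed))
```

Note what the Android list does and does not allow: android.clients.google.com passes, but www.google.com does not, because listing one host never allows its parent domain. Listing a parent such as google.com (as the Google provider section does) allows every name under it, which is the trade-off behind the "may change" remark in the provider lists.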
Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://Y OUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada google.ca, France google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter in the authorization URL. If you modify the URL, make sure to keep it at the end. The state parameter is the OAuth2 protection against cross-site request forgery on the callback, so it is worth keeping for every provider, not only the ones that refuse to work without it.
Twitter
To use Twitter you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Windows Live
To use Windows Live you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.
There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.
DNS passthrough
Add a new FQDN (should be a wildcard domain like google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer with the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device. Because the hole is opened for whatever address the name resolves to at query time, keep the list to the domains registration genuinely needs.
mod_proxy passthrough
Add a new FQDN (should be a wildcard domain like google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer with the IP address of the captive portal, and when the device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses to IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.
IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IP was distributed to which node using a pfdhcplistener daemon.
By default, no DHCP server should be running on the interface where you are sending the requests. This is by design: otherwise PacketFence would answer the relayed requests and hand out addresses on your production VLAN.
Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
Add to pf.conf (the IPs are not important, they are there only so that PacketFence will start):
[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1
Restart PacketFence and you should be good to go.
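To make concrete what pfdhcplistener has to recover from each relayed or mirrored datagram, here is an added example written for this guide (Python; it is not PacketFence's pfdhcplistener code). It decodes the BOOTP header and the option field, takes the address from yiaddr for server messages and from option 50 or ciaddr for client messages, keeps a MAC-to-IP table, and shows why an ACK seen through port mirroring is stronger evidence than a REQUEST seen through an ip helper-address. The sample datagrams are constructed by build_dhcp, not captures, and only Ethernet (htype 1) addresses are handled.

```python
import struct
from typing import Dict, Iterable, NamedTuple, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
            5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


class DhcpEvent(NamedTuple):
    msg_type: str
    mac: str                 # chaddr as the client wrote it (a client can lie about it)
    ip: Optional[str]        # address asked for / handed out, if any
    hostname: Optional[str]  # option 12
    relay: Optional[str]     # giaddr: set when the copy came through ip helper-address


def _ip(b: bytes) -> Optional[str]:
    return None if b == b"\0\0\0\0" else ".".join(str(x) for x in b)


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """TLV walk of the option field; tolerates pad (0) and stops at end (255)."""
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(packet):
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(packet: bytes) -> DhcpEvent:
    """Decode the fields a pfdhcplistener-style MAC-to-IP tracker needs from one datagram."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    htype, hlen = packet[1], packet[2]
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled here")
    ciaddr, yiaddr, giaddr = packet[12:16], packet[16:20], packet[24:28]
    mac = ":".join(f"{b:02x}" for b in packet[28:34])
    opts = parse_options(packet)
    mtype = MSG_TYPE.get(opts[53][0], "UNKNOWN") if opts.get(53) else "BOOTP"
    if mtype in ("OFFER", "ACK"):
        ip = _ip(yiaddr)          # the server says which address the client gets
    elif 50 in opts:
        ip = _ip(opts[50])        # the client asks for one (REQUEST / DECLINE)
    else:
        ip = _ip(ciaddr)          # renewing / releasing client already has one
    host = opts[12].decode("utf-8", "replace") if 12 in opts else None
    return DhcpEvent(mtype, mac, ip, host, _ip(giaddr))


def track_leases(packets: Iterable[bytes]) -> Dict[str, str]:
    """MAC -> IP table. With ip helper-address only the client side of the exchange reaches
    the listener, so a REQUEST's option 50 is the best available evidence; an ACK seen via
    port mirroring is authoritative and overrides it. A RELEASE drops the entry."""
    table: Dict[str, str] = {}
    for pkt in packets:
        ev = parse_dhcp(pkt)
        if ev.msg_type in ("REQUEST", "ACK") and ev.ip:
            table[ev.mac] = ev.ip
        elif ev.msg_type == "RELEASE":
            table.pop(ev.mac, None)
    return table


def build_dhcp(msg_type: int, mac: str, *, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               giaddr="0.0.0.0", requested: Optional[str] = None,
               hostname: Optional[str] = None) -> bytes:
    """Constructed sample datagram for the functions above (not a capture)."""
    def a(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    op = 2 if msg_type in (2, 5, 6) else 1
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)
    hdr += a(ciaddr) + a(yiaddr) + a("0.0.0.0") + a(giaddr)
    hdr += bytes.fromhex(mac.replace(":", "")) + b"\0" * 10   # chaddr is 16 bytes
    hdr += b"\0" * 192                                        # sname + file
    opts = b"\x35\x01" + bytes([msg_type])
    if requested:
        opts += b"\x32\x04" + a(requested)
    if hostname:
        opts += b"\x0c" + bytes([len(hostname)]) + hostname.encode()
    return hdr + DHCP_MAGIC + opts + b"\xff"


if __name__ == "__main__":
    req = build_dhcp(3, "00:11:22:33:44:55", requested="10.0.101.50",
                     giaddr="10.0.101.1", hostname="laptop-eng")
    ack = build_dhcp(5, "00:11:22:33:44:55", yiaddr="10.0.101.50")
    print(parse_dhcp(req))
    print(track_leases([req, ack]))
```

Running the file prints the decoded REQUEST (with the relay address of the helper router) and the resulting one-entry table. The same parser works on a raw UDP/67 socket bound to the span or helper interface; the point of the relay field is that a listener fed by ip helper-address should expect giaddr to be set, while one fed by port mirroring sees the client's own broadcasts with giaddr zero.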
Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.
On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.
On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:
# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes
Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:
[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4
Repeat the above for all your production VLANs, then restart PacketFence.
Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
Proxy Interception
PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.
Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks
If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.
For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.
If we consider the network architecture illustrated in the schema above, conf/pf.conf will include the local registration and isolation interfaces only:
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.
Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).
conf/networks.conf will look like this:
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
DHCP clients on the registration and isolation networks receive the PacketFence server IP as their DNS server (dns=x.x.x.x), and PacketFence spoofs DNS responses to force clients through the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest to the clients, permitting access only to the PacketFence server and to local DHCP broadcast traffic.
For example, for the VLAN 20 remote registration network:
ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in
If your edge switches support VLAN isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
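As an added consistency check on the routed layout above (Python, written for this guide and not part of PacketFence), the script below parses pf.conf and networks.conf fragments shaped like the ones shown, verifies that gateways and DHCP ranges lie inside their subnet, that dns= points at an internal interface (the only addresses dhcpd and pfdns listen on) and that a routed network carries a next_hop reachable from an internal interface, and then derives the Cisco ACL of the previous paragraph from the networks.conf entry so the ACL and the configuration cannot drift apart. PF_CONF, NETWORKS_CONF and the function names are this example's own constructed data.

```python
import configparser
import ipaddress
from typing import Dict, List

# Constructed fragments mirroring the guide's layout: 192.168.2.0/24 is the local registration
# network, 192.168.20.0/24 the routed one behind the router's 192.168.2.254 interface.
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
"""


def _ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf: str) -> Dict[str, ipaddress.IPv4Network]:
    """ip -> subnet of each type=internal interface: the only places dhcpd and pfdns listen."""
    return {s["ip"]: ipaddress.ip_network(f"{s['ip']}/{s['mask']}", strict=False)
            for name, s in _ini(pf_conf).items()
            if name.startswith("interface ") and s.get("type") == "internal"}


def check_networks(pf_conf: str, networks_conf: str) -> List[str]:
    """One message per inconsistency; an empty list means the layout is coherent."""
    internal = internal_interfaces(pf_conf)
    problems: List[str] = []
    for name, s in _ini(networks_conf).items():
        if name == "DEFAULT":
            continue
        net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=False)
        for key in ("gateway", "dhcp_start", "dhcp_end"):
            if ipaddress.ip_address(s[key]) not in net:
                problems.append(f"{name}: {key}={s[key]} is outside {net}")
        if ipaddress.ip_address(s["dhcp_start"]) > ipaddress.ip_address(s["dhcp_end"]):
            problems.append(f"{name}: dhcp_start is after dhcp_end")
        if s["dns"] not in internal:
            problems.append(f"{name}: dns={s['dns']} is not an internal interface, pfdns will not answer")
        local = any(ipaddress.ip_address(ip) in net for ip in internal)   # attached to an internal interface?
        next_hop = s.get("next_hop", "")
        if local and next_hop:
            problems.append(f"{name}: a locally attached network must not set next_hop")
        elif not local and not next_hop:
            problems.append(f"{name}: a routed network needs next_hop")
        elif not local and not any(ipaddress.ip_address(next_hop) in n for n in internal.values()):
            problems.append(f"{name}: next_hop={next_hop} is not on an internal interface's subnet")
    return problems


def registration_acl(networks_conf: str, network: str, vlan: int, acl: str = "PF_REGISTRATION") -> List[str]:
    """Cisco IOS lines equivalent to the guide's ACL, derived from the networks.conf entry:
    clients may only reach the PacketFence server (the dns= address) and DHCP."""
    s = _ini(networks_conf)[network]
    return [
        f"ip access-list extended {acl}",
        f" permit ip any host {s['dns']}",
        " permit udp any any eq 67",
        " deny ip any any log",
        f"interface vlan {vlan}",
        f" ip address {s['gateway']} {s['netmask']}",
        f" ip helper-address {s['dns']}",
        f" ip access-group {acl} in",
    ]


if __name__ == "__main__":
    print(check_networks(PF_CONF, NETWORKS_CONF) or "networks.conf is consistent with pf.conf")
    print("\n".join(registration_acl(NETWORKS_CONF, "192.168.20.0", 20)))
```

Run it against your own files by reading them into the two strings; a non-empty list from check_networks is worth fixing before restarting dhcpd and pfdns, since a dns= address that is not an internal interface silently leaves the remote clients without the spoofed answers the portal relies on.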
Statement of Health (SoH)
The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (anti-virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.
Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:
soh = yes
soh-virtual-server = "soh-server"
Restart the RADIUS service afterward.
On the client side, to enable SoH for EAP, do the following (Windows 7 example; note that sc expects a space after each option's equal sign):
sc config napagent start= auto
sc start napagent
For wired 802.1X:
sc config dot3svc start= auto depend= napagent
sc start dot3svc
Then list the NAP client configuration and get the ID value of the "EAP Quarantine Enforcement Client":
netsh nap client show config
netsh nap client set enforce id=$ID admin=enable
The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can easily be configured using GPOs.
Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.
Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.
First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:
[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y
Note
You may also want to set other attributes such as auto_enable, grace, etc.
When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.
Next, click on Add a condition and select Anti-virus, is, and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or by using the pfcmd reload violations command.
The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition
We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN, or to make a call to the API from there.
These rules are available in different scopes:
ViolationRole
RegistrationRole
RegisteredRole
InlineRole
AutoRegister
NodeInfoForAutoReg
And they can be defined using different criteria like:
node_info.attribute (like node_info.status)
switch
ifIndex
mac
connection_type
username
ssid
time
owner.attribute (like owner.pid)
radius_request.attribute (like radius_request.Calling-Station-Id)
For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
The second example will create a violation if the SSID is OPEN and the owner is igmout:
[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN
[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL
The part of the rule name after the colon lists, joined by &, the names of the condition sections it combines; a rule that refers to a condition name that is not defined in the file is a configuration error.
The third example will auto-register the device and assign the role staff to each device where the username is igmout:
[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff
Note that the second and third examples both define a condition named igmout. Section names must be unique within the file, so if you combine these examples in one vlan_filters.conf, give the two conditions distinct names (for example igmout_owner and igmout_user) and reference those in the rule names.
You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition
We added the ability to specify filters directly in the portion of code that returns the RADIUS answer, or to make a call to the API from there.
These rules are only available in one scope:
returnRadiusAccessAccept
And they can be defined using different criteria like:
node_info.attribute (like node_info.$attribute)
switch
ifIndex
mac
connection_type
username
ssid
time
owner.attribute (like owner.$attribute)
radius_request.attribute (like radius_request.$attribute)
violation
user_role
vlan
For example, let's define a rule that returns its own Access-Accept when the connection is Ethernet-EAP and the violation condition holds. Check that the operator expresses the case you intend: operator = defined is true when the device currently has a violation. merge_answer = no means the filter's answer replaces PacketFence's original answer; merge_answer = yes means the original answer is merged with the filter's answer automatically.
[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&violation]
merge_answer = no
scope = returnRadiusAccessAccept
In this other example we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch configuration):
[1:etherneteap&violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id
You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
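To see how a vlan_filters.conf or radius_filters.conf rule is evaluated, here is an added example written for this guide (Python; it is not PacketFence's filter engine, whose exact operator set and Time::Period handling may differ). It parses a file in the same [condition] / [N:cond&cond] layout used in the two sections above, evaluates is, is_not, match, match_not, defined and not_defined against a context holding node_info, ssid, connection_type and so on, handles the wd {...} hr {...} time syntax, substitutes $user_role in answerN lines, and rejects both a rule that names an undefined condition and a file that defines the same section twice. FILTERS, MONDAY_NOON and SATURDAY_NOON are constructed for the example, and hour ranges are assumed to include the end hour.

```python
import configparser
import re
from datetime import datetime

# Constructed file in the vlan_filters.conf / radius_filters.conf layout (example data, not
# PacketFence's shipped files); VLAN and RADIUS scopes are mixed here only for the demo.
FILTERS = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[2:etherneteap&violation]
scope = returnRadiusAccessAccept
merge_answer = yes
answer1 = Cisco-AVPair => url-redirect-acl=$user_role
"""
# Fixed instants so the demo is deterministic: a Monday 12:30 and a Saturday 12:30.
MONDAY_NOON = datetime(2016, 6, 13, 12, 30)
SATURDAY_NOON = datetime(2016, 6, 11, 12, 30)


def load_filters(text):
    """strict=True: a section name used twice raises DuplicateSectionError instead of silently winning."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.read_string(text)
    return cp


def _lookup(ctx, path):
    cur = ctx
    for part in path.split("."):  # node_info.category -> ctx["node_info"]["category"]
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _hour(tok):
    m = re.fullmatch(r"(\d{1,2})(am|pm)?", tok.strip().lower())
    if not m:
        raise ValueError(f"bad hour {tok!r}")
    h, ap = int(m.group(1)), m.group(2)
    return h if ap is None else h % 12 + (12 if ap == "pm" else 0)


def in_period(spec, when):
    """Subset of Time::Period as used above; all groups must match, end hour inclusive (assumed)."""
    for key, body in re.findall(r"(\w+)\s*\{([^}]*)\}", spec):
        items = body.split()
        if key == "wd" and when.strftime("%a") not in items:
            return False
        if key == "hr" and not any(_hour(lo) <= when.hour <= _hour(hi or lo)
                                   for lo, _, hi in (i.partition("-") for i in items)):
            return False
        if key not in ("wd", "hr"):
            raise ValueError(f"unsupported period key {key!r}")
    return True


def condition_matches(cond, ctx, now):
    op, value, path = cond["operator"], cond.get("value", ""), cond["filter"]
    if path == "time":
        return in_period(value, now) == (op == "is")
    actual = _lookup(ctx, path)
    if op in ("defined", "not_defined"):
        return (actual is not None) == (op == "defined")
    if actual is None:
        return False
    if op in ("is", "is_not"):
        return (str(actual) == value) == (op == "is")
    if op in ("match", "match_not"):
        return (re.search(value, str(actual)) is not None) == (op == "match")
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(cp, scope, ctx, now):
    """(rule name, params) for every 'N:cond&cond' section in `scope` whose conditions all hold."""
    hits = []
    for name in cp.sections():
        if ":" not in name or cp[name].get("scope") != scope:
            continue
        conds = name.split(":", 1)[1].split("&")
        if any(c not in cp for c in conds):  # e.g. 2:igmout&ssid when the condition is named open
            raise KeyError(f"rule {name} references an undefined condition")
        if all(condition_matches(cp[c], ctx, now) for c in conds):
            params = {k: v for k, v in cp[name].items() if k != "scope"}
            for k in [k for k in params if k.startswith("answer")]:  # $user_role etc. from the context
                params[k] = re.sub(r"\$(\w+)", lambda m: str(ctx.get(m.group(1), m.group(0))), params[k])
            hits.append((name, params))
    return hits
```

Rules are returned in file order, which is the order in which their conditions were tested; the same context dict can be fed to both a RegisteredRole evaluation (yielding a role) and a returnRadiusAccessAccept evaluation (yielding merge_answer and answerN values), which is how the two filter files differ only in scope and returned parameters.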
DNS enforcement
DNS enforcement allows you to control the network access of a device by using the pfdns service on PacketFence.
The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server hands out the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server for name resolution.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, ...).
- If a user should be shown the portal, the pfdns service returns the IP address of the captive portal; otherwise pfdns resolves the name externally and uses the real answer in its reply.
This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.
The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.
In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.
After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.
Note
If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.
Once this is done, you need to restart the dhcpd and pfdns services.
Parked devices
In the event that you are managing a large registration network with devices that stay there (e.g. students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and the registration DHCP server.
Using the parking feature, you can give these devices a longer lease and send them to an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.
The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).
So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain number of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.
In that same section you can define the lease length of the user when he is in the parked state.
Note
Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parked state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.
Violation 1300003
This violation controls what happens when a device is detected as parked.
Here are the main settings:
- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enables setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role to parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not on the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Chapter 13
Copyright © 2016 Inverse inc. Optional components 92
Optional components
Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.
In order to be able to block malicious activities, the installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.
Snort
Installation
The installation procedure is quite simple for Snort. We maintain a working version in the PacketFence repository. To install it, simply run the following command:
yum install snort
Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all the modifications will be destroyed on each PacketFence restart.
Suricata
Installation
Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.
The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Note
To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
Configuration
Depending on whether or not Suricata is running on the PacketFence server, the configuration is different.
When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.
In the case that Suricata is running on a separate server, the Suricata configuration will have to be handled separately, which is not the purpose of the present guide.
OPSWAT Metadefender Cloud
It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.
First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com
The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.
Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.
Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.
On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, it might be an idea):
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending the MD5 filestore log entries to PacketFence:
# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line tells syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };
A restart of the syslog-ng daemon is required:
service syslog-ng restart
On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Plain UDP syslog is neither authenticated nor encrypted: any host that can send datagrams to UDP/514 on the management interface can inject lines that the PacketFence syslog parser will treat as sensor output. Limit the listener to the sensor's address (with a host firewall rule, or rsyslog's $AllowedSender directive) rather than leaving it open to the whole network.
Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of the Suricata MD5 filestore log entries:
if $programname == 'suricata_files' then |/usr/local/pf/var/suricata_files
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/suricata_files
Restart the rsyslog daemon:
service rsyslog restart
At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.
The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.
The configuration of the new syslog parser should use the following:
Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files
The configuration of a new violation can use the following trigger types:
Type: metascan. Trigger ID: the scan result returned by Metadefender Cloud online.
Type: suricata_md5. Trigger ID: the MD5 hash returned by Suricata.
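To show how the entries that reach the FIFO can be turned into (client, MD5) pairs for a suricata_md5 trigger, here is an added example written for this guide (Python; it is not PacketFence's own syslog parser). The syslog prefix is the default layout rsyslog writes, the JSON field names are assumed from Suricata 2.x files-json.log output, and the log lines themselves are constructed. The parser only accepts records for fully transferred files, insists that the md5 field is exactly 32 hex characters before it is used anywhere, and picks as the client whichever side of the flow lies in a subnet you manage.

```python
import ipaddress
import json
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Constructed lines in the shape rsyslog hands to the FIFO: syslog header, the program name
# set by program_override(), then the JSON record Suricata wrote to files-json.log.
SAMPLE_LINES = [
    'Jun 20 10:15:02 sensor1 suricata_files: {"timestamp": "06/20/2016-10:15:02.123456", '
    '"ipver": 4, "srcip": "203.0.113.10", "dstip": "192.168.20.25", "protocol": 6, "sp": 80, '
    '"dp": 51234, "http_host": "downloads.example.net", "http_uri": "/setup.exe", '
    '"filename": "setup.exe", "state": "CLOSED", "md5": "44d88612fea8a8f36de82e1278abb02f", "size": 68}',
    # transfer aborted: the digest would be of a partial file, so it must not trigger anything
    'Jun 20 10:15:03 sensor1 suricata_files: {"srcip": "203.0.113.10", "dstip": "192.168.20.25", '
    '"filename": "big.iso", "state": "TRUNCATED"}',
    # garbage in the md5 field (the sensor, or anyone who can reach UDP/514, could send anything)
    'Jun 20 10:15:04 sensor1 suricata_files: {"srcip": "192.168.20.25", "dstip": "203.0.113.10", '
    '"filename": "x", "state": "CLOSED", "md5": "not-a-hash; rm -rf /"}',
    'Jun 20 10:15:05 sensor1 suricata_files: this is not json',
    'Jun 20 10:15:06 sensor1 sshd: Accepted publickey for root',
]

SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[\w.-]+):\s*(?P<msg>.*)$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


class FileEvent(NamedTuple):
    client_ip: str   # the managed endpoint a violation would be raised against
    md5: str
    filename: str


def parse_line(line: str, client_nets: List[str], program: str = "suricata_files") -> Optional[FileEvent]:
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != program:
        return None
    try:
        ev = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or ev.get("state") != "CLOSED":
        return None
    md5 = str(ev.get("md5", "")).lower()
    if not MD5_RE.match(md5):            # only ever pass a well-formed hex digest downstream
        return None
    nets = [ipaddress.ip_network(n) for n in client_nets]
    ends = []
    for key in ("srcip", "dstip"):        # the flow side inside a managed subnet is the client
        try:
            if any(ipaddress.ip_address(ev.get(key, "")) in n for n in nets):
                ends.append(ev[key])
        except ValueError:
            pass
    if len(ends) != 1:                    # ambiguous (both or neither side local): skip it
        return None
    return FileEvent(ends[0], md5, str(ev.get("filename", "")))


def file_events(lines: Iterable[str], client_nets: List[str]) -> List[FileEvent]:
    return [e for e in (parse_line(l, client_nets) for l in lines) if e is not None]


def match_triggers(events: Iterable[FileEvent], md5_to_vid: Dict[str, int]) -> List[Tuple[str, int]]:
    """Pair each event with the violation whose suricata_md5 trigger names that digest."""
    return [(e.client_ip, md5_to_vid[e.md5]) for e in events if e.md5 in md5_to_vid]


if __name__ == "__main__":
    for ev in file_events(SAMPLE_LINES, ["192.168.20.0/24"]):
        print(ev)
```

In production the lines come from the FIFO rather than a list, but the filtering is the same: of the five constructed lines only the first yields an event, because the others are a truncated transfer, a malformed digest, non-JSON text and a record from a different program.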
Security Onion
Installation and Configuration
Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
PacketFence integration
Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor alerts. syslog is used to forward the sensor alerts from Security Onion to the PacketFence detection mechanisms.
The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):
On the Security Onion server:
Note
This must be done on the master server running sguild.
Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:
# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> make sure to configure the right path along with the right filename (on a Security Onion setup that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line tells syslog-ng to use the s_sguil source, apply the f_sguil filter and send the result to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };
A restart of the syslog-ng daemon is then required:
service syslog-ng restart
On the PacketFence server:
Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf (if you already did this for another integration, the listener is already in place):
$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of the Security Onion sguild log entries:
if $programname == 'securityonion_ids' then |/usr/local/pf/var/securityonion_ids
& ~
Make sure the receiving alert pipe (FIFO) exists:
mkfifo /usr/local/pf/var/securityonion_ids
Restart the rsyslog daemon:
service rsyslog restart
At this point, Security Onion should be able to send its alert log entries to PacketFence.
The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the Security Onion IDS integration.
The configuration of the new syslog parser should use the following:
Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids
The configuration of a new violation can use the following trigger types:
Type: detect. Trigger ID: the ID of the IDS rule that fired.
Type: suricata_event. Trigger ID: the rule class of the triggered IDS alert.
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so; otherwise the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of that violation.
PacketFence violations are configured in Configuration → Violations.
The example below will guide you through creating a violation that will isolate devices that have generated peer-to-peer traffic and are using Mac OS X, or that have a malware and are using Microsoft Windows.
Violation definition
First you need to configure the violation definition.
Where:
- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-1200099, which is reserved for the required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. It will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. With this action the violation is opened and left open; without it, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a compliance check on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.
Triggers
Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example there are two: a device that has generated peer-to-peer traffic and that is using Mac OS X, and a device that has been detected as a rogue DHCP server.
Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.
A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.
Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.
Next hit the < button, then the + to add another trigger.
Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.
Remediation
Next, in the Remediation tab, you can configure the behavior when a client gets isolated.
Where:
- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. Once this number is reached, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or to shut off their peer-to-peer application.
- Dynamic Window only works for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.
Advanced
In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
Compliance Checks
PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.
Installation
Nessus
Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.
After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus server and to create a user for PacketFence.
Note
You may run into some issue while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.
OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.
Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.
It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.
WMI
You just have to enable WMI on each Windows device with a GPO from Active Directory.
Configuration
In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:
Scanner Definition
First go in Configuration and Scanner Definition.
Then add a scan.
There are common parameters for each scan engine:
Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1X: Even if auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1X types: comma-delimited EAP types that will trigger the scan if 802.1X above has been enabled
Specific to Nessus:
Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)
Specific to OpenVAS:
Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:
Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration → WMI Rules Definition
WMI Rules Definition
If you have configured a WMI scan engine then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.
Go in Configuration → WMI Rules Definition.
There are already 3 rules defined:
Software_Installed
logged_user
Process_Running
Let's take the Software_Installed rule:
request: select * from Win32_Product
Rules Actions:
[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains "Google"; if it matches, then we trigger a violation (with the trigger internal::888888) for the MAC address of the device.
The second one, logged_user:
request: select UserName from Win32_ComputerSystem
Rules Actions:
[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{UserName}
This rule will do the following: retrieve the currently logged-in user on the device and register the device based on that user account.
The last one, Process_Running:
request: select Name from Win32_Process
Rules Actions:
[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow
This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.
Rules syntax
The syntax of the rules is simple to understand:
The request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.
Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).
The test block is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare
Feel free to define multiple test blocks.
The action block is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
Violations definition
You need to create a new violation section and have to specify:
Using Nessus:
trigger=Nessus::<violationId>
Using OpenVAS:
trigger=OpenVAS::<violationId>
Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:
$ pfcmd reload violations
Note: Violations will trigger if the plugin is higher than a low severity vulnerability.
Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.
Hosting Nessus / OpenVAS remotely
Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.
RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.
Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:
Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]
Let's explain each chunk properly:
DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
INTERVAL: This is actually the time window we will look in for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).
Example triggers:
Look for Incoming (Download) traffic with a 50GB/month limit:
Accounting::IN50GB1M
Look for Outgoing (Upload) traffic with a 500MB/day limit:
Accounting::OUT500MB1D
Look for Total (Download + Upload) traffic with a 200GB limit in the last week:
Accounting::TOT200GB1W
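The following Python script is an added example for this guide, not PacketFence's own code: it parses the trigger format above and evaluates it against a few constructed accounting sessions, so you can check what a given trigger would catch before enabling it. It assumes that the INTERVAL is a sliding window ending at the time of evaluation (the guide does not state whether windows are calendar-aligned) and that only the units listed above are accepted; the session records are constructed sample data, not real RADIUS accounting rows.

```python
import calendar
import re
from datetime import datetime, timedelta

# Units the trigger format accepts (the guide lists B, KB, MB, GB and PB).
LIMIT_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}

# Accounting::<DIRECTION><LIMIT>[<INTERVAL>], e.g. Accounting::IN50GB1M
TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


def parse_trigger(trigger):
    """Split a trigger string into its direction, byte limit and optional interval."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not an accounting trigger: {trigger!r}")
    direction, amount, unit, count, period = m.groups()
    return {
        "direction": direction,
        "limit_bytes": int(amount) * LIMIT_UNITS[unit],
        "interval": (int(count), period) if count else None,
    }


def window_start(now, count, period):
    """Start of a sliding window of `count` periods ending at `now`.
    Assumption of this example: months and years step the calendar back and
    clamp the day to the length of the target month."""
    if period == "D":
        return now - timedelta(days=count)
    if period == "W":
        return now - timedelta(weeks=count)
    month0 = now.month - 1 - count * (12 if period == "Y" else 1)
    year, month = now.year + month0 // 12, month0 % 12 + 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)


def bytes_used(sessions, direction, now, interval):
    """Sum the sessions that started inside the window, in the requested direction."""
    start = window_start(now, *interval) if interval else None
    total = 0
    for s in sessions:
        if start is not None and s["start"] < start:
            continue
        if direction in ("IN", "TOT"):
            total += s["in_bytes"]
        if direction in ("OUT", "TOT"):
            total += s["out_bytes"]
    return total


def check_trigger(trigger, sessions, now):
    """Return (violated, bytes_used, limit_bytes) for one trigger against the sessions."""
    t = parse_trigger(trigger)
    used = bytes_used(sessions, t["direction"], now, t["interval"])
    return used > t["limit_bytes"], used, t["limit_bytes"]


# Constructed sample accounting sessions for one node (not real RADIUS records).
GB = 1024 ** 3
NOW = datetime(2016, 6, 15, 12, 0, 0)
SESSIONS = [
    {"start": datetime(2016, 6, 14, 18, 0), "in_bytes": 30 * GB, "out_bytes": 1 * GB},
    {"start": datetime(2016, 6, 2, 9, 0), "in_bytes": 25 * GB, "out_bytes": 2 * GB},
    {"start": datetime(2016, 5, 10, 9, 0), "in_bytes": 40 * GB, "out_bytes": 5 * GB},
]

if __name__ == "__main__":
    for trig in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D",
                 "Accounting::TOT200GB1W", "Accounting::IN50GB"):
        violated, used, limit = check_trigger(trig, SESSIONS, NOW)
        print(f"{trig:24} used={used / GB:6.2f} GB limit={limit / GB:7.2f} GB violated={violated}")
```

With the constructed sessions, the monthly inbound trigger fires (55 GB downloaded since 15 May), the daily outbound trigger fires on the 1 GB uploaded yesterday, and the weekly total trigger does not (31 GB in the last week). A trigger without an INTERVAL counts every session on record.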
Grace period
When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
Oinkmaster
Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.
Rules update
In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management
PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different accesses to the network resources.
Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.
Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the "Sign up" link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.
Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal, even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL certificate matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup
Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
[guests_self_registration]
guest_pid=email
preregistration=disabled
These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.
Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as the SMTP server, make sure that an MTA is installed and configured on the server.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Self-registered guests are added under the Users tab of the PacketFence Web administration interface.
Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
Let's explain the meaning of each parameter:
DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the unit of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
DATE_UNIT: a character corresponding to the unit of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
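To see what expiry a given access_duration_choices value produces, here is an added Python example written for this guide (it is not PacketFence's own implementation). It validates a duration against the format above and computes the expiry from a reference time. Its reading of PERIOD_BASE is an assumption drawn from the description: R counts the period from the beginning of the unit (Monday for weeks, the 1st for months), while F counts it from the reference time itself; the reference time is a constructed value.

```python
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])(?:([+-])(\d+)([DWMY]))?)?$")


def add_units(dt, n, unit):
    """Add n units (negative n subtracts) to dt; months and years step the
    calendar and clamp the day to the length of the target month."""
    if unit in "smhDW":
        key = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}[unit]
        return dt + timedelta(**{key: n})
    month0 = dt.month - 1 + n * (12 if unit == "Y" else 1)
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def period_start(dt, unit):
    """Beginning of the unit period that contains dt (weeks start on Monday)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "Y"


def access_duration(spec, now):
    """Expiry datetime for one duration value, counted from `now`.
    Assumption of this example: 'F' counts the period from `now`, 'R' from the
    beginning of the period unit, as the guide describes a relative period."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"invalid access duration {spec!r}")
    n, unit, base, op, ext_n, ext_unit = m.groups()
    origin = period_start(now, unit) if base == "R" else now
    expiry = add_units(origin, int(n), unit)
    if op:
        expiry = add_units(expiry, int(ext_n) if op == "+" else -int(ext_n), ext_unit)
    return expiry


def expiry_choices(choices, now):
    """Map each comma-separated access_duration_choices value to its expiry;
    a malformed value raises ValueError so a bad pf.conf line is caught early."""
    return {c: access_duration(c, now) for c in choices.split(",")}


# Constructed reference time for the demonstration: Wednesday 2016-06-15 14:30.
NOW = datetime(2016, 6, 15, 14, 30, 0)

if __name__ == "__main__":
    for spec, when in expiry_choices("1h,3h,12h,1D,2D,3D,5D,1WR+1D,1MR-1D", NOW).items():
        print(f"{spec:8} expires {when:%Y-%m-%d %H:%M}")
```

Under these assumptions 1WR+1D from the reference time expires on Tuesday 21 June at midnight (the Monday starting the current week, plus one week, plus one day), and 1MR-1D expires at midnight on the last day of June.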
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.
Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:
[guests_self_registration]
preregistration=enabled
This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist on the self-registration process.
Caution
A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as the SMTP server, make sure that an MTA is installed and configured on the server.
Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any server certificate: the web services endpoint is reached by IP, not by its certificate name
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # ReplacementStrings[0] of event 4726 holds the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New:
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726
Actions → New:
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.
Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any server certificate: the web services endpoint is reached by IP, not by its certificate name
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # ReplacementStrings[0] of event 4725 holds the name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID:
Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New:
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725
Actions → New:
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel".
Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept any server certificate: the web services endpoint is reached by IP, not by its certificate name
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # ReplacementStrings[0] of event 4740 holds the name of the locked-out account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New:
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740
Actions → New:
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings:
At the bottom, select in the list "Run a new instance in parallel".
Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.
Microsoft DHCP sensor
You will first need to download and install WinPcap, available from http://www.winpcap.org/install/
You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555
Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First download and unzip nssm from https://nssm.cc/download
Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:
C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000
Where pcap0 is the interface where your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run: nssm install udpreflector
In Application:
In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing
In Details:
In Startup type, select Automatic
In Log on:
In Log on as, select Local System account
Then press Install service.
The DHCP traffic should now be reflected to your PacketFence server.
Linux based sensor
First download the RPM on your DHCP server.
CentOS 6 and 7 servers
For CentOS 6:
# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
For CentOS 7:
# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
Now install the sensor:
rpm -i udp-reflector-*.rpm
Compiling the sensor from source on a Linux system
First make sure you have the following packages installed:
libpcap libpcap-devel gcc-c++
Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap
Configuring the sensor
Place the following line in /etc/rc.local:
- where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l)
- where 192.168.1.5 is the management IP of your PacketFence server
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
Start the sensor:
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
The DHCP traffic should now be reflected to your PacketFence server.
Switch login access
PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices
IPTables
IPTables is now entirely managed by PacketFence. However, if you need to add some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.
Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation, keeping old logs with compression. It has been added during the initial PacketFence installation.
Performance optimization
SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut down and a notification email will be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:
[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.
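The detection behind trap_limit is a per-switch-port rate count over a one-minute window. The following Python script is an added example for this guide, not PacketFence's own code: it keeps a sliding one-minute window per (switch, port) and reports the first trap that pushes a port over trap_limit_threshold, so you can replay a trap log and see which ports would have triggered the action. The log format it parses (timestamp, switch IP, ifIndex) and the log lines themselves are constructed for the example; a real snmptrapd log needs its own parser.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAP_LIMIT_THRESHOLD = 100          # trap_limit_threshold from pf.conf
TRAP_LIMIT_WINDOW = timedelta(minutes=1)


class TrapRateLimiter:
    """Sliding-window trap counter per (switch, port), modelled on the trap_limit
    feature. Hypothetical implementation for this example."""

    def __init__(self, threshold=TRAP_LIMIT_THRESHOLD, window=TRAP_LIMIT_WINDOW):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # (switch, port) -> trap timestamps inside the window
        self.flagged = set()            # ports already reported, so the action fires once

    def record(self, switch, port, ts):
        """Register one trap; return True the first time the port exceeds the threshold."""
        key = (switch, port)
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:  # drop traps older than the window
            q.popleft()
        if len(q) > self.threshold and key not in self.flagged:
            self.flagged.add(key)
            return True
        return False


def offending_ports(trap_lines, threshold=TRAP_LIMIT_THRESHOLD):
    """Replay constructed lines 'YYYY-mm-dd HH:MM:SS <switch-ip> <ifIndex>' and return
    the (switch, port) pairs that exceeded `threshold` traps within one minute."""
    limiter = TrapRateLimiter(threshold)
    hits = []
    for line in trap_lines:
        date, time, switch, port = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        if limiter.record(switch, int(port), ts):
            hits.append((switch, int(port)))
    return hits


def storm_detected(offsets_seconds, threshold, window_seconds):
    """Feed one port's traps (second offsets from a fixed base) through the limiter;
    return the 1-based index of the trap that crossed the threshold, or None."""
    lim = TrapRateLimiter(threshold, timedelta(seconds=window_seconds))
    base = datetime(2016, 6, 15, 10, 0, 0)
    for i, off in enumerate(offsets_seconds, 1):
        if lim.record("192.0.2.10", 1, base + timedelta(seconds=off)):
            return i
    return None


def constructed_trap_log():
    """Constructed sample: a 150-trap storm in 30 s on port 5, a steady 15 traps/min on
    port 7 (legitimate link flaps), and 20 traps from another switch."""
    base = datetime(2016, 6, 15, 10, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [(base + timedelta(milliseconds=200 * i)).strftime(fmt) + " 192.0.2.10 5" for i in range(150)]
    lines += [(base + timedelta(seconds=4 * i)).strftime(fmt) + " 192.0.2.10 7" for i in range(150)]
    lines += [(base + timedelta(seconds=i)).strftime(fmt) + " 192.0.2.11 3" for i in range(20)]
    return sorted(lines)


if __name__ == "__main__":
    for switch, port in offending_ports(constructed_trap_log()):
        print(f"trap storm: switch {switch} ifIndex {port} exceeded {TRAP_LIMIT_THRESHOLD} traps/min")
```

Only port 5 is reported with the default threshold of 100; port 7 never has more than 15 traps inside any one-minute window, which is the difference between a broken port and a misbehaving or hostile one that trap_limit is meant to separate.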
MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load:
# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:
# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880
As you can see, the load is 1.25 and IO wait is peaking at 20%; this is not good. If your IO wait is low but MySQL is taking 50%+ CPU, this is also not good. Check your MySQL install for the following variables:
mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment | 8 |
| innodb_buffer_pool_awe_mem_mb | 0 |
| innodb_buffer_pool_size | 8388608 |
PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.
Shut down PacketFence and MySQL:
# /etc/init.d/packetfence stop
Shutting down PacketFence...
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]
Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON
Start up MySQL and PacketFence:
# /etc/init.d/mysqld start
Starting MySQL: [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:
# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240
MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:
/usr/local/bin/pftest mysql
Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.
Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.
Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and, after 10 of these (by default), it will lock the host out with a:
Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
Captive Portal Optimizations
Avoid captive portal overload due to non-browser HTTP requests
By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop…).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204
The last block defines the relationship between the tests and the desired action. For example:
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
Dashboard Optimizations (statistics collection)
The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.
First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).
Make sure PacketFence is stopped:
service packetfence stop
Create an ext4 partition:
mkfs.ext4 /dev/sdb
Then move the old databases to a backup point:
mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak
Mount your new disk and check that it is mounted:
echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h
Apply the proper user rights and restore your database from your backup:
chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/
Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:
rm -fr /usr/local/pf/var/graphite.bak
Additional Information
For more information, please consult the mailing list archives or post your questions to the lists. For details, see:
packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca for details.
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools
pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
  cache                        | manage the cache subsystem
  checkup                      | perform a sanity checkup and report any problems
  class                        | view violation classes
  configfiles                  | push or pull configfiles into/from database
  configreload                 | reload the configution
  floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
  help                         | show help for pfcmd commands
  ifoctetshistorymac           | accounting history
  ifoctetshistoryswitch        | accounting history
  ifoctetshistoryuser          | accounting history
  import                       | bulk import of information into the database
  ipmachistory                 | IP/MAC history
  locationhistorymac           | Switch/Port history
  locationhistoryswitch        | Switch/Port history
  networkconfig                | query/modify network configuration parameters
  node                         | manipulate node entries
  pfconfig                     | interact with pfconfig
  portalprofileconfig          | query/modify portal profile configuration parameters
  reload                       | rebuild fingerprint or violations tables without restart
  service                      | start/stop/restart and get PF daemon status
  schedule                     | Nessus scan scheduling
  switchconfig                 | query/modify switches.conf configuration parameters
  version                      | output version information
  violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.
The node view option shows all information contained in the node database table for a specified MAC address:
/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:
Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate        de-authenticate a dot11 client
  -deauthenticateDot1x   de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias              show the description of the specified switch port
  -getAllMACs            show all MACS on all switch ports
  -getHubs               show switch ports with several MACs
  -getIfOperStatus       show the operational status of the specified switch port
  -getIfType             show the ifType on the specified switch port
  -getLocation           show at which switch port the MAC is found
  -getSwitchLocation     show SNMP location of specified switch
  -getMAC                show all MACs on the specified switch port
  -getType               show switch type
  -getUpLinks            show the upLinks of the specified switch
  -getVersion            show switch OS version
  -getVlan               show the VLAN on the specified switch port
  -getVlanType           show the VLAN type on the specified port
  -help                  brief help message
  -isolate               set the switch port to the isolation VLAN
  -man                   full documentation
  -reAssignVlan          re-assign a switch port VLAN
  -reevaluateAccess      reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod       run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias              set the description of the specified switch port
  -setDefaultVlan        set the switch port to the default VLAN
  -setIfAdminStatus      set the admin status of the specified switch port
  -setVlan               set VLAN on the specified switch port
  -setVlanAllPort        set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias           switch port description
  -ifAdminStatus   ifAdminStatus
  -ifIndex         switch port ifIndex
  -mac             MAC address
  -showPF          show additional information available in PF
  -switch          switch description
  -verbose         log verbosity level
                     0 : fatal messages
                     1 : warn messages
                     2 : info messages
                     3 : debug
                     4 : trace
  -vlan            VLAN id
  -vlanName        VLAN name (as in switches.conf)
Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.
PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.
Network Integration
VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.
Components
PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
Database server (MySQL or MariaDB)
Web server (Apache)
DHCP server (ISC DHCP)
RADIUS server (FreeRADIUS)
Depending on your setup, you may have to install additional components like:
NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.
A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you are missing some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
Intel or AMD CPU 3 GHz
8 GB of RAM
100 GB of disk space (RAID-1 recommended)
1 Network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architecture:
RedHat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using RedHat Enterprise Linux, you have to be subscribed to the RedHat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.
Services start-up: PacketFence takes care of handling the operation of the following services:
Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
Disable Firewall
Disable SELinux
Disable AppArmor
Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
RedHat-based systems
Note
Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x
Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
RedHat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from RedHat, you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian: All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
easy installation
everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade
Software Installation
RHEL/CentOS: In order to use the PacketFence repository:
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator
Debian: For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
Inline
Out-of-band
Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of:
Everyone behind an inline interface is on the same Layer 2 LAN.
Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
Every packet of authorized users goes through the PacketFence server; it is a single point of failure for Internet access.
Ipset can store up to 65536 entries, so an inline network larger than a class B is not possible.
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication. 802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have 802.1X supplicants, which makes this approach more and more popular.
MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication. Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly, and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), from which it can take various actions including: keep the device on the registration portal, direct to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
Web Auth mode: Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP: Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN but the PC doesn't do DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.
linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly, and this could result in network connection latency.
MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.
If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in the inline enforcement technique rather than VLAN enforcement, and SSID an SSID name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55
This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
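To make the four trigger types concrete, here is an added example (not PacketFence code) that parses a trigger string and decides, for a connecting node, whether the switch entry should fall back to inline enforcement or stay on VLAN enforcement. The comma-separated TYPE::value form of the trigger string, the node dict keys (mac, ssid, ifindex) and the returned tuples are assumptions made for this example.

```python
"""Which enforcement a hybrid-mode switch applies to a connecting node.

Added example, not PacketFence code: it models the trigger types ALWAYS,
PORT, MAC and SSID described above. A node is a dict with keys mac, ssid
(wireless) and ifindex (wired); missing keys simply never match.
"""

TRIGGER_TYPES = ("ALWAYS", "PORT", "MAC", "SSID")


def parse_triggers(trigger):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [('SSID', 'GuestAccess'), ('MAC', '00:11:22:33:44:55')]"""
    triggers = []
    for item in trigger.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition("::")  # ALWAYS carries no value
        kind = kind.upper()
        if kind not in TRIGGER_TYPES:
            raise ValueError("unknown trigger type: " + kind)
        triggers.append((kind, value.strip()))
    return triggers


def node_is_inline(trigger, node):
    """True when any trigger matches the node; MAC comparison is case-insensitive."""
    mac = (node.get("mac") or "").lower()
    for kind, value in parse_triggers(trigger):
        if kind == "ALWAYS":
            return True
        if kind == "PORT" and node.get("ifindex") is not None and str(node["ifindex"]) == value:
            return True
        if kind == "MAC" and mac == value.lower():
            return True
        if kind == "SSID" and node.get("ssid") == value:
            return True
    return False


def vlan_answer(trigger, node, inline_vlan=None):
    """Model the answer returned to the switch: inline nodes get the configured
    inline VLAN (or a void VLAN when none is configured); others stay on VLAN
    enforcement, signalled here as ('vlan', None)."""
    if node_is_inline(trigger, node):
        return ("inline", inline_vlan if inline_vlan is not None else "void")
    return ("vlan", None)
```

A MAC trigger is evaluated regardless of SSID, which is why the second node below (the listed MAC on a corporate SSID) still lands in inline enforcement.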
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLAN, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. test
Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
Active Directory
Apache htpasswd file
External HTTP API
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth2)
Windows Live (OAuth2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a first-match wins operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.
Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From the Configuration → Users → Sources, we select Add source → AD. We provide the following information:
Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then we add a rule by clicking on the Add rule button and provide the following information:
Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role employee
Set unregistration date January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration for 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123
Then we add a rule:
Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:
Set role machineauth
Set unregistration date January 1st, 2020
Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.
Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
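The ordering and catch-all rules described above (sources tested in order, rules tested in order, a rule with no condition is a fallback, first match wins across all sources, and directory-backed sources only "catch all" users they actually know) are easy to get wrong when several sources are chained. The following is an added example, not PacketFence code, that models that evaluation over constructed data shaped like the employee, machine and guest sources of the example: the dict layout, the condition operators and the sample users and groups are assumptions made for this example.

```python
"""First-match-wins evaluation of authentication sources, rules and actions.

Added example, not PacketFence code. Directory-backed sources (AD, LDAP,
htpasswd) match only users found through their username attribute; the
source types in TRUE_CATCH_ALL_TYPES accept everyone, as the note above
says for Kerberos and RADIUS.
"""

TRUE_CATCH_ALL_TYPES = {"Kerberos", "RADIUS"}

# Constructed data modelled on the example: an AD source for employees, a
# second AD source for machine accounts and the internal SQL source for guests.
SOURCES = [
    {
        "name": "ad-employees", "type": "AD", "username_attribute": "sAMAccountName",
        "users": {
            "alice": {"sAMAccountName": "alice", "memberOf": ["Staff"]},
            "bob": {"sAMAccountName": "bob", "memberOf": ["Contractors"]},
        },
        "rules": [
            # A conditional rule placed first: it wins for contractors only.
            {"name": "contractors",
             "conditions": [("memberOf", "contains", "Contractors")],
             "actions": {"set_role": "guest", "set_access_duration": "1D"}},
            # No condition: the fallback for everyone this source knows.
            {"name": "employees", "conditions": [],
             "actions": {"set_role": "employee", "set_unreg_date": "2020-01-01"}},
        ],
    },
    {
        "name": "ad-machines", "type": "AD", "username_attribute": "servicePrincipalName",
        "users": {"host/pc42.acme.local": {"servicePrincipalName": "host/pc42.acme.local"}},
        "rules": [{"name": "machines", "conditions": [],
                   "actions": {"set_role": "machineauth", "set_unreg_date": "2020-01-01"}}],
    },
    {
        "name": "local", "type": "SQL", "username_attribute": "pid",
        "users": {"visitor": {"pid": "visitor"}},
        "rules": [{"name": "guests", "conditions": [],
                   "actions": {"set_role": "guest", "set_access_duration": "1D"}}],
    },
]


def source_matches(source, username):
    """Return the user's attributes when the source knows the user, {} for a
    true catch-all source type, and None when the source does not match."""
    if source["type"] in TRUE_CATCH_ALL_TYPES:
        return {}
    for attrs in source["users"].values():
        if attrs.get(source["username_attribute"]) == username:
            return attrs
    return None


def condition_holds(condition, attrs):
    """Evaluate one (attribute, operator, value) condition against user attributes."""
    attr, op, expected = condition
    actual = attrs.get(attr)
    if op == "equals":
        return actual == expected
    if op == "contains":
        return expected in (actual or [])
    raise ValueError("unsupported operator: " + op)


def evaluate(sources, username):
    """Walk sources, then rules, in order; return the first matching rule's actions."""
    for source in sources:
        attrs = source_matches(source, username)
        if attrs is None:
            continue  # user unknown here: try the next source
        for rule in source["rules"]:
            # all() over an empty condition list is True: that is the fallback rule.
            if all(condition_holds(c, attrs) for c in rule["conditions"]):
                result = {"source": source["name"], "rule": rule["name"]}
                result.update(rule["actions"])
                return result  # first match wins across all sources
    return None
```

Appending a RADIUS source to the end of the list shows the other behaviour the note describes: because it is a true catch-all, a username unknown to every directory still gets that source's fallback actions, so such a source should be placed deliberately, usually last.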
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication: This should provide the information about whether or not the username/password combination is valid.
This information is available through the POST fields of the request.
The server should reply with two attributes in a JSON response:
result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}
AuthorizationThisshouldprovidetheactionstoapplyonauserbasedonitrsquosattributes
The following attributes are available for the reply access_duration access_level sponsorunregdatecategory
SampleJSONresponsenotethatnotallattributesarenecessaryonlysendbackwhatyouneed
access_duration1Daccess_levelALLsponsor1 unregdate2030-01-01categorydefault
Note
See usrlocalpfaddonsexample_external_auth for an example implementationcompatiblewithPacketFence
PacketFenceconfigurationInPacketFenceyouneedtoconfigureanHTTPsourceinordertouseanexternalAPI
Hereisabriefdescriptionofthefields
Host First theprotocol then the IPaddressorhostnameof theAPIand lastly theport toconnecttotheAPI
APIusernameandpasswordIfyourAPIimplementsHTTPbasicauthentication(RFC2617)youcanaddtheminthesefieldsLeavinganyofthosetwofieldsemptywillmakePacketFencedotherequestswithoutanyauthentication
AuthenticationURLURLrelativetothehosttocallwhendoingtheauthenticationofauserNotethatitisautomaticallyprefixedbyaslash
AuthorizationURLURLrelativetothehosttocallwhendoingtheauthorizationofauserNotethatitisautomaticallyprefixedbyaslash
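The two actions described above, implemented as a small stand-alone HTTP service. This is an added example and not PacketFence's own /usr/local/pf/addons/example_external_auth. It assumes, since the page does not name them, that PacketFence posts form fields called username and password (the authorization call posting username), and that /auth and /authorize are the values entered in the Authentication URL and Authorization URL fields; the user store and the API credentials are constructed sample data. Passwords are kept as salted hashes and compared in constant time, and requests without the source's API username/password (HTTP basic authentication) are refused with 401, so the service cannot be queried by anything that is not the configured PacketFence source.

```python
"""External HTTP authentication API of the kind a PacketFence HTTP source calls.
Added example; not the project's own example_external_auth.

Assumptions (not stated on the page): POST fields "username"/"password";
routes /auth and /authorize as Authentication URL / Authorization URL.
"""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed HTTP basic auth credentials (RFC 2617); they match the source's
# API username and password fields.
API_USER, API_PASS = "pf-api", "constructed-api-secret"

_SALT = b"constructed-static-salt"  # use a random per-user salt in production


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store: salted PBKDF2 hashes plus the PacketFence reply
# attributes each account is entitled to.
USERS = {
    "alice": {"pw": _hash("alice-pass"), "category": "default",
              "access_duration": "1D"},
    "bob": {"pw": _hash("bob-pass"), "category": "staff",
            "access_duration": "1W", "sponsor": 1},
}
_DUMMY = _hash("")  # compared against for unknown users to keep timing flat


def authenticate(fields: dict) -> dict:
    """Authentication action: {"result": 1 or 0, "message": reason}."""
    rec = USERS.get(fields.get("username", ""))
    candidate = _hash(fields.get("password", ""))
    stored = rec["pw"] if rec is not None else _DUMMY
    ok = hmac.compare_digest(candidate, stored) and rec is not None
    if ok:
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields: dict) -> dict:
    """Authorization action: only the reply attributes PacketFence understands
    (access_duration, access_level, sponsor, unregdate, category), and only
    those set for the account."""
    rec = USERS.get(fields.get("username", ""))
    if rec is None:
        return {}
    keys = ("access_duration", "access_level", "sponsor", "unregdate", "category")
    return {k: rec[k] for k in keys if k in rec}


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header: str) -> bool:
    """Accept only a well-formed Basic header carrying API_USER:API_PASS."""
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(decoded, f"{API_USER}:{API_PASS}")


class ExternalAuthHandler(BaseHTTPRequestHandler):
    ROUTES = {"/auth": authenticate, "/authorize": authorize}

    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization", "")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        action = self.ROUTES.get(self.path)
        if action is None:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        payload = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Loopback only; terminate TLS in front of it before PacketFence reaches it.
    HTTPServer(("127.0.0.1", 8080), ExternalAuthHandler).serve_forever()
```

With this running, the HTTP source would be configured with Host http://127.0.0.1:8080, the API username/password above, Authentication URL auth and Authorization URL authorize (PacketFence prefixes the slash itself).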
SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.
Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
Authorization source is the source that will be used to match the username against the rules defined in it. This allows you to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note
PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs
In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
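The SAML source above trusts two artifacts you copy by hand: the Identity Provider metadata and the Identity Provider certificate. A check worth running before saving the source is that the certificate file you transferred is the signing certificate actually published in that metadata, otherwise assertions will fail to validate (or, worse, you will be trusting a certificate that is not the IdP's). The following is an added example, not PacketFence code; the metadata document and the "certificate" bytes inside it are constructed stand-ins, and the element path md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate is the standard SAML 2.0 metadata layout assumed here.

```python
"""Confirm the transferred IdP certificate matches the signing certificate in
the IdP metadata (added example, not PacketFence code; sample data constructed).
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed bytes standing in for a real DER-encoded IdP certificate.
FAKE_DER = b"constructed-der-bytes-standing-in-for-a-real-idp-certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed metadata in the shape an IdP such as SimpleSAMLphp publishes.
IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# What /usr/local/pf/conf/ssl/idp.crt would contain for that certificate.
IDP_CRT_PEM = ("-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n"
               "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(metadata_xml: str) -> dict:
    """Return the entityID and the SHA-256 fingerprints of every signing
    certificate the IdP metadata publishes (KeyDescriptors without a use
    attribute count as signing keys too)."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(sha256_fingerprint(der))
    return {"entity_id": root.get("entityID"), "fingerprints": fingerprints}


def transferred_cert_matches(metadata_xml: str, pem: str) -> bool:
    """True when the PEM you copied to the server is one of the metadata's
    signing certificates; False means the wrong file was transferred."""
    fingerprint = sha256_fingerprint(pem_to_der(pem))
    return fingerprint in metadata_signing_fingerprints(metadata_xml)["fingerprints"]


if __name__ == "__main__":
    info = metadata_signing_fingerprints(IDP_METADATA)
    print("IdP entityID:", info["entity_id"])
    print("cert matches metadata:", transferred_cert_matches(IDP_METADATA, IDP_CRT_PEM))
```

On a real server the two constants would be read from /usr/local/pf/conf/idp-metadata.xml and /usr/local/pf/conf/ssl/idp.crt; the entityID printed is also the value the Identity Provider must see as its own, and a mismatch there is the other common cause of a failed trust.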
Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note
switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes
There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS
To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3
PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged, you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration
Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH

Warning
Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution
Make sure that the roles are properly defined on the network devices prior to assigning roles.
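To make the <rolename>Role=<controller_role> mapping and its global versus per-switch scope concrete, here is an added example (not PacketFence code) that reads a constructed switches.conf excerpt and resolves which controller role a node's role maps to on a given switch. It assumes that a mapping set in a switch's own section overrides the same key in [default], and it returns None for a role with no mapping, which is the situation the Caution above warns about: an operator can detect an unmapped role before the switch is handed a role name it does not know.

```python
"""Resolve <rolename>Role=<controller_role> mappings from switches.conf.
Added example, not PacketFence code; the file content is constructed.

Assumption: a key in a switch's section overrides the same key in [default].
"""
import configparser
from typing import Dict, Optional

# Constructed switches.conf excerpt with a global mapping and one override.
SWITCHES_CONF = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = testing
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.0.2.10]
description = core switch, uses the default mapping
type = Cisco::Catalyst_2960
mode = production

[192.0.2.20]
description = branch controller with its own role names
type = Aruba::Controller
mode = production
salesRole = branch-sales
guestRole = guest-only
"""


def load_switches(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as adminRole intact
    cp.read_string(text)
    return cp


def role_mappings(cp: configparser.ConfigParser, switch_ip: str) -> Dict[str, str]:
    """Merge the [default] mappings with the switch's own; the switch wins."""
    mapping: Dict[str, str] = {}
    for section in ("default", switch_ip):
        if not cp.has_section(section):
            continue
        for key, value in cp.items(section):
            if key.endswith("Role"):
                mapping[key[:-len("Role")]] = value
    return mapping


def controller_role(cp: configparser.ConfigParser, switch_ip: str,
                    node_role: str) -> Optional[str]:
    """Controller role to send for node_role on switch_ip, or None when the
    role is unmapped so the caller can refuse instead of sending a bad name."""
    return role_mappings(cp, switch_ip).get(node_role)


def switch_mode(cp: configparser.ConfigParser, switch_ip: str) -> str:
    """Working mode: the switch's own if set, otherwise the [default] one."""
    if cp.has_option(switch_ip, "mode"):
        return cp.get(switch_ip, "mode")
    return cp.get("default", "mode")


CP = load_switches(SWITCHES_CONF)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        for role in ("admin", "sales", "guest"):
            print(ip, switch_mode(CP, ip), role, "->", controller_role(CP, ip, role))
```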
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal
This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.

Example with the most common ones:

SSID: Guest-SSID
VLAN: 100
Switch Port: <SwitchId>-<Port>
Network: Network in CIDR format or an IP address

Caution
Node role will take effect only with a 802.1x connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.
httpd.portal is used to manage the PacketFence captive portal interface.
httpd.webservices is used to manage the PacketFence web services interface.
httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution
If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note
If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.

Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.
Workgroup is the workgroup of your domain in the old syntax (like NT4).
DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.
This server's name is the name that the server's account will have in your Active Directory.
DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
Username is the username that will be used for binding to the server. This account must be a domain administrator.
Password is the password for the username defined above.

Troubleshooting
In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note
Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration
You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms:

Next, restart PacketFence in Status → Services.

Multiple domains authentication
First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.
Realm options are any realm options that you want to add to the FreeRADIUS configuration.
Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:

service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

ntlm_auth --username myDomainUser

radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option 2: Local Authentication
Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP
To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.

ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration
This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS...) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note
This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
        # Disable ntlm_auth
        update control {
                &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                # Check password table with email and password for a sponsor registration
                pfguest
                if (fail || notfound) {
                        # Check password table with email and password for a guest registration
                        pfsponsor
                        if (fail || notfound) {
                                # Don't check activation table with phone number and PIN code
                                #pfsms    <--- This line was commented out
                                if (fail || notfound) {
                                        update control {
                                                &MS-CHAP-Use-NTLM-Auth := Yes
                                        }
                                }
                        }
                }
        }
}

Note
For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication
The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4, the difference is that we use another SSID and we only use local accounts.

Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel:

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
                MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := Yes
                }
        }
}

Caution
You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.

Note
When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts, this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
Choice: This allows you to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.
Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.
Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
Billing: Allows you to define a module based on one or more billing sources.
Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.
Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, ...).
Other modules: The other modules are all based on the source type they are assigned to, they allow you to select the source, the AUP acceptance and mandatory fields if applicable.

Examples
This section will contain the following examples:

Prompting for fields without authentication
Prompting additional fields during the authentication
Chained authentication
Mixing login and Secure SSID on-boarding on the portal
Displaying a message to the user after the registration

Creating a custom root module
First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication
In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then submitting this information will assign you the role and access duration that you defined in the null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note
Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, ...).
Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, ...) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then, we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.

Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.

Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal
This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should they choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.

Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration
Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World ! <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.

Authentication Choice module (advanced)
The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note
You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.
ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, ...)
Sources by type: Allows you to filter sources using the type attribute of the Authentication object.
Sources by Auth Class: Allows you to filter sources using the class attribute of the Authentication object.

You can see the default_guest_policy and default_oauth_policy for examples of this module.
Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log - PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access - Apache - Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error - Apache - Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access - Apache - Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error - Apache - Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access - Apache - Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error - Apache - Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access - Apache - AAA Access Log
/usr/local/pf/logs/httpd.aaa.error - Apache - AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct

Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.

Note: Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note: Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing?

It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will then be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.

After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click to configure; it will create the secure SSID profile. It is that simple.
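The profile generation described above, as an added example that is not PacketFence's own code: it builds a minimal Apple mobileconfig Wi-Fi payload with the user name pre-populated and no password, then checks that no secret slipped into the file. The choice of WPA2 with PEAP (EAP type 25), the organization identifier and the hypothetical SSID and user are assumptions of this example.

```python
import plistlib
import uuid


def build_wifi_mobileconfig(ssid: str, username: str, org: str, hidden: bool = True) -> bytes:
    """Return an XML .mobileconfig that pre-configures a WPA2-Enterprise SSID
    with the user's identity but no password.

    Key names are the standard Apple Configuration Profile keys.  The EAP
    method (PEAP, type 25) and the org identifier are assumptions of this
    example, not settings taken from PacketFence.
    """
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,   # the guide's typical use case: a hidden SSID
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # PEAP (assumed)
            "UserName": username,    # pre-populated; the password is deliberately absent
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} wireless profile",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_profile(profile_bytes: bytes) -> dict:
    """Parse a generated profile back into a dict (what the device will read)."""
    return plistlib.loads(profile_bytes)


def contains_secret(profile_bytes: bytes) -> bool:
    """True if any Wi-Fi payload carries a PSK ("Password") or an EAP
    "UserPassword".  A profile served from a captive-portal link must not."""
    data = parse_profile(profile_bytes)
    for payload in data.get("PayloadContent", []):
        if "Password" in payload:
            return True
        if "UserPassword" in payload.get("EAPClientConfiguration", {}):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    blob = build_wifi_mobileconfig("Secure-SSID", "alice", "org.example")
    print(blob.decode())
    print("contains secret:", contains_secret(blob))
```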
Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note: This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.

Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the "Change password" link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account, or at https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select "Website Payment Preferences".

Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select "Encrypted Payment Settings".

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.

Caution: The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.

Where:
- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence certificate key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click "Your account", then "Account settings".

Navigate to the "API keys" tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.

Where:
- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section "Subscription based registration" below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret of the account

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then, log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section "Security settings", click "MD5-Hash".

Now enter a secret that will be shared between authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.

Where:
- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.
Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.

Then click "Add billing tier" and configure it.

Where:
- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, they can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note: If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.

Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.

Where:
- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80, and that your PacketFence server hostname resolves on the public domain.

Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click "Add endpoint".

Where:
- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here is how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

(eduroam, https://www.eduroam.org)

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally and visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:

client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
}

client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ prefix or a @suffix on the username.

- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMS defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).

The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
        auth_pool = eduroam
        nostrip
}
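The realm selection rules above, worked through as an added Python model (not PacketFence or FreeRADIUS code): it splits a User-Name the way ntdomain and suffix do, picks NULL, EXAMPLE, example.edu or DEFAULT, and reports whether the request stays local or goes to the eduroam pool. It also models the post-auth guard that skips the packetfence module for requests arriving from the tlrs1/tlrs2 clients. The user names are constructed samples; realm names are compared exactly, which is a simplification of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Model of the proxy.conf realms shown above: realm name -> auth_pool,
# where None means "no home server pool, authenticate locally".
REALMS: Dict[str, Optional[str]] = {
    "NULL": None,
    "EXAMPLE": None,
    "example.edu": None,
    "DEFAULT": "eduroam",
}

# Shortnames given to the eduroam servers in the clients.conf example above.
EDUROAM_CLIENT_SHORTNAMES = {"tlrs1", "tlrs2"}


def find_domain(username: str) -> Tuple[str, Optional[str]]:
    """Split a User-Name as the ntdomain and suffix modules would.

    ntdomain runs first and takes the prefix before a backslash (DOMAIN\\user);
    suffix takes the part after the last '@' (user@domain).  Returns
    (stripped user, domain), or (username, None) when no delimiter is present.
    """
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return user, domain
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return user, domain
    return username, None


@dataclass
class Decision:
    realm: str
    auth_pool: Optional[str]   # None: processed entirely by this FreeRADIUS
    forwarded_user: str        # User-Name as it continues through the server


def select_realm(username: str, realms: Dict[str, Optional[str]] = REALMS) -> Decision:
    """Apply the four rules listed above to one User-Name."""
    user, domain = find_domain(username)
    if domain is None:
        # No prefix or suffix at all: realm NULL, handled locally.
        return Decision("NULL", realms["NULL"], username)
    if domain in realms and domain not in ("NULL", "DEFAULT"):
        # Explicitly defined realm (EXAMPLE or example.edu): local, realm stripped.
        return Decision(domain, realms[domain], user)
    # Any other domain falls into DEFAULT and is proxied to the eduroam pool.
    # DEFAULT carries "nostrip", so the full User-Name is forwarded unchanged.
    return Decision("DEFAULT", realms["DEFAULT"], username)


def run_packetfence_post_auth(client_shortname: str) -> bool:
    """Mirror the post-auth guard: the packetfence module is skipped for requests
    coming from the eduroam servers, which are not configured switches."""
    return client_shortname not in EDUROAM_CLIENT_SHORTNAMES


if __name__ == "__main__":
    # Constructed sample user names.
    for name in ("bob", "EXAMPLE\\alice", "carol@example.edu", "dave@otheruni.ac.uk"):
        print(f"{name:25} -> {select_realm(name)}")
```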
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:

authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess
        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name ( Called-Station-Id ) may differ based on your controller.
        # if ( Called-Station-Id =~ /eduroam$/i) {
        #         update control {
        #                 Proxy-To-Realm := "local"
        #         }
        # }
        eap {
                ok = return
        }
        files
        expiration
        logintime
        packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

post-auth {
        exec
        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
                packetfence
        }
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:

# 'username@realm'
realm suffix {
        format = suffix
        delimiter = "@"
}

# 'domain\user'
realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
}
Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data could not be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to "Update Fingerbank DB" can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.

Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the "Submit Unknown/Unmatched Fingerprints" option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream entries, or both, to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There is documentation for each and every parameter, which allows easier understanding.
Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution: Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that connect through this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works

Configuration:
- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps

When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices

Here are the settings that are available:
- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is multi-vlan, these are the Vlans that have to be tagged on the port.
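The trap handling and identification settings above, as an added Python model (not PacketFence's own code): it parses a constructed floating_network_device.conf, matches the MAC from a port-security trap against it, and returns the port reconfiguration steps for the plug and unplug cases. The sample MACs, VLAN numbers and port names are constructed, and the exact key spelling inside the real file is an assumption taken from the settings list.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed sample of conf/floating_network_device.conf: one section per
# floating device, named by its MAC address.  Key names follow the settings
# listed above; their exact spelling in a real file is an assumption.
SAMPLE_CONF = """\
[00:11:22:33:44:55]
ip=10.0.0.20
trunkPort=yes
pvid=10
taggedVlan=20,30

[66:77:88:99:aa:bb]
ip=
trunkPort=no
pvid=15
taggedVlan=
"""

Action = Tuple[str, object]   # e.g. ("port_security", False), ("pvid", 10)


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff form, so the MAC carried in a trap matches
    the config regardless of case or separator style."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_floating_devices(text: str) -> Dict[str, dict]:
    """Parse the INI-style file into {mac: settings}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep trunkPort / taggedVlan as written
    cp.read_string(text)
    devices: Dict[str, dict] = {}
    for section in cp.sections():
        sec = cp[section]
        devices[normalize_mac(section)] = {
            "ip": sec.get("ip", "").strip() or None,       # informational only
            "trunkPort": sec.get("trunkPort", "no").strip().lower() == "yes",
            "pvid": int(sec["pvid"]),
            "taggedVlan": [int(v) for v in sec.get("taggedVlan", "").split(",") if v.strip()],
        }
    return devices


class FloatingDeviceHandler:
    """Decides what to do with a switch port when a port-security or linkdown
    trap arrives, following the two rule lists above."""

    def __init__(self, devices: Dict[str, dict]):
        self.devices = devices
        self.floating_on_port: Dict[str, str] = {}   # port -> MAC plugged there

    def on_port_security_trap(self, port: str, mac: str) -> Optional[List[Action]]:
        """Return the reconfiguration steps for a floating device, or None when
        the MAC is a regular device and the usual VLAN assignment applies."""
        mac = normalize_mac(mac)
        dev = self.devices.get(mac)
        if dev is None:
            return None
        actions: List[Action] = [("port_security", False), ("pvid", dev["pvid"])]
        if dev["trunkPort"]:
            actions.append(("trunk", dev["taggedVlan"]))
        actions.append(("linkdown_traps", True))
        self.floating_on_port[port] = mac
        return actions

    def on_linkdown_trap(self, port: str) -> List[Action]:
        """Restore the port once the floating device is unplugged; ports that
        never had one are left untouched."""
        if port not in self.floating_on_port:
            return []
        del self.floating_on_port[port]
        return [("port_security", True), ("linkdown_traps", False)]


if __name__ == "__main__":
    handler = FloatingDeviceHandler(load_floating_devices(SAMPLE_CONF))
    print(handler.on_port_security_trap("Gi1/0/5", "00-11-22-33-44-55"))
    print(handler.on_linkdown_trap("Gi1/0/5"))
```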
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 77
OAuth2Authentication
NoteOAuth2authenticationdoesnotworkwithWebauthenforcement
The captive portal of PacketFence allows a guestuser to register using hisGoogle FacebookLinkedInWindowsLiveTwitterorGithubaccount
ForeachproviderswemaintainanalloweddomainlisttopunchholesintothefirewallsotheusercanhittheproviderloginpageThislistisavailableineachOAuth2authenticationsource
Inordertohaveoauth2workingproperlyyouneedtoenableIPforwardingonyourserversTodoitpermanentlylookintheetcsysctlconfandsetthefollowingline
Controls IP packet forwardingnetipv4ip_forward = 1
Savethefileandissueasysctl -ptoupdatetheOSconfig
You must also enable the passthrough option in your PacketFence configuration(trappingpassthroughinpfconf)
GoogleInordertouseGoogleasaOAuth2provideryouneedtogetanAPIkeytoaccesstheirservicesSignupherehttpcodegooglecomapisconsoleMakesureyouusethisURIfortheRedirectURIfieldhttpsYOUR_PORTAL_HOSTNAMEoauth2callbackOfcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
YoucankeepthedefaultconfigurationmodifytheAppIDampAppSecret(GivenbyGoogleonthedevelopperplateform)andPortalURL(httpsYOUR_PORTAL_HOSTNAMEoauth2callback)
Also add the following Authorized domains googlecom googleca googlefrgstaticcomgoogleapiscomaccountsyoutubecom(MakesurethatyouhavethegoogledomainfromyourcountrylikeCanadagooglecaFrancegooglefretchellip)
OnceyouhaveyourclientidandAPIkeyyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaGoogleOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddGoogleasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
FacebookTo use Facebook you also need an API code and a secret key To get one go here httpsdevelopersfacebookcomappsWhenyoucreateyourAppmakesureyouspecifythefollowingastheWebsiteURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 78
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
YoucankeepthedefaultconfigurationmodifytheAppIDampAppSecret(GivenbyFaceBookonthedevelopperplateform)andPortalURL(httpsYOUR_PORTAL_HOSTNAMEoauth2callback)
Also add the followingAuthorizeddomains facebookcom fbcdnnet akamaihdnet (Maychange)
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaFacebookOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddFacebookasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
CautionByallowingOAuththroughFacebookyouwillgiveFacebookaccesstotheuserswhiletheyaresittingintheregistrationVLAN
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App at https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This is done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App at https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This is done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter in the authorization URL. If you modify that URL, make sure the state parameter stays at the end of it.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls the consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This is done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App at https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This is done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer with the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device. The hole is opened for the resolved IP address, so every other site hosted at that address becomes reachable as well; keep the wildcard list as short as you can.

mod_proxy passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer with the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses to IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design: otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (the IPs are not important; they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.
Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly, and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
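Whichever of the three techniques above delivers the traffic, what pfdhcplistener does with it is the same: it reads the DHCP exchange and records which IP address was handed to which MAC address. The following is an added example written for this guide, not PacketFence's own pfdhcplistener code, showing that mapping in Python. It assumes the plain BOOTP/DHCP layout of RFC 2131, that only Ethernet hardware addresses occur, and that a lease is recorded only from a DHCPACK (the one message that confirms the address is actually in use); the sample packets are constructed inline so the example runs offline.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, msg_type, mac, yiaddr, server_id, xid=0x3903F326):
    """Build a minimal BOOTP/DHCP packet. Constructed test data, not a capture."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr: the address offered/acked
        b"\0" * 4, b"\0" * 4,                  # siaddr, giaddr
        chaddr, b"\0" * 64, b"\0" * 128,       # chaddr, sname, file
    )
    options = (
        bytes([53, 1, msg_type])                                    # DHCP message type
        + bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed  # server identifier
        + bytes([51, 4]) + struct.pack("!I", 3600)                  # lease time (seconds)
        + b"\xff"                                                   # end of options
    )
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(pkt):
    """Extract what a listener needs: client MAC, yiaddr, message type, lease time."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    if pkt[1] != 1 or hlen != 6:  # only Ethernet hardware addresses are handled here
        raise ValueError("unsupported hardware address type")
    mac = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:  # end option
            break
        if code == 0:    # pad option carries no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    lease = struct.unpack("!I", opts[51])[0] if 51 in opts else None
    return {"mac": mac, "yiaddr": yiaddr, "type": msg_type, "lease": lease}


def record_leases(packets):
    """Replay DHCP packets and keep the MAC -> IP table that ACKs commit.

    DISCOVER/OFFER/REQUEST are ignored: an OFFER may never be taken and a
    REQUEST may be NAKed, so only the ACK says the address is really in use.
    """
    table = {}
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["type"] == "ACK" and info["yiaddr"] != "0.0.0.0":
            table[info["mac"]] = info["yiaddr"]
    return table


# Constructed sample exchange: one client gets an ACK, a second only discovers.
SAMPLE = [
    build_dhcp(1, 1, "00:11:22:33:44:55", "0.0.0.0", "0.0.0.0"),         # DISCOVER
    build_dhcp(2, 5, "00:11:22:33:44:55", "10.0.101.42", "10.0.101.1"),  # ACK
    build_dhcp(1, 1, "66:77:88:99:aa:bb", "0.0.0.0", "0.0.0.0"),         # DISCOVER only
]

if __name__ == "__main__":
    print(record_leases(SAMPLE))  # {'00:11:22:33:44:55': '10.0.101.42'}
```

The second client never appears in the table because it only sent a DISCOVER; that is also why the guide insists that a copy of the whole exchange, not just the broadcast requests, must reach the listener interface.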
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks, because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks, and provides an easy-to-use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the schema above, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PacketFence server IP as their DNS server (dns=x.x.x.x), and PacketFence spoofs DNS responses to force clients to the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PacketFence server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support VLAN isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
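The routed-network layout above has a few constraints that are easy to get wrong by hand: dhcpd and pfdns only listen on the internal interfaces, so a routed network's dns= address must be one of those interface IPs, its next_hop= must sit on a local internal VLAN, and the DHCP range must fall inside the subnet. The following is an added example written for this guide, not PacketFence code, that checks those constraints on pf.conf and networks.conf text and renders the matching per-VLAN IOS ACL from the same values, so the ACL's host entry cannot drift from the dns= setting. The sample input is constructed inline to mirror this section; the VLAN id passed to registration_acl is an assumption supplied by the caller, since networks.conf does not carry it.

```python
import configparser
import ipaddress

# Constructed sample input mirroring the pf.conf / networks.conf shown above.
PF_CONF = """\
[interface eth0.2]
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """\
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
"""


def _load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf):
    """Map interface name -> ip_interface for every type=internal interface."""
    cp = _load(pf_conf)
    ifaces = {}
    for sect in cp.sections():
        if sect.startswith("interface ") and cp[sect].get("type") == "internal":
            ifaces[sect.split(" ", 1)[1]] = ipaddress.ip_interface(
                f"{cp[sect]['ip']}/{cp[sect]['mask']}")
    return ifaces


def check_networks(pf_conf, networks_conf):
    """Return a list of problems; an empty list means the layout is consistent."""
    ifaces = internal_interfaces(pf_conf)
    internal_ips = {i.ip for i in ifaces.values()}
    problems = []
    cp = _load(networks_conf)
    for sect in cp.sections():
        n = cp[sect]
        net = ipaddress.ip_network(f"{sect}/{n['netmask']}")
        gw = ipaddress.ip_address(n["gateway"])
        start, end = ipaddress.ip_address(n["dhcp_start"]), ipaddress.ip_address(n["dhcp_end"])
        if gw not in net:
            problems.append(f"{sect}: gateway {gw} is outside the subnet")
        if not (start in net and end in net and start < end):
            problems.append(f"{sect}: DHCP range {start}-{end} is not inside the subnet")
        # dhcpd and pfdns only listen on internal interfaces, so the DNS address
        # handed to clients must be one of those interface IPs.
        if ipaddress.ip_address(n["dns"]) not in internal_ips:
            problems.append(f"{sect}: dns {n['dns']} is not a PacketFence internal interface IP")
        next_hop = n.get("next_hop", "")
        if next_hop:  # routed network: the next hop must sit on a local internal VLAN
            nh = ipaddress.ip_address(next_hop)
            if not any(nh in i.network for i in ifaces.values()):
                problems.append(f"{sect}: next_hop {nh} is not on any local internal interface")
        elif gw not in internal_ips:  # local network: PacketFence itself is the gateway
            problems.append(f"{sect}: gateway {gw} should be a local PacketFence interface IP")
    return problems


def registration_acl(vlan_id, gateway, netmask, pf_ip, name="PF_REGISTRATION"):
    """Render the IOS ACL from this section for one remote registration VLAN."""
    return "\n".join([
        f"ip access-list extended {name}",
        f" permit ip any host {pf_ip}",
        " permit udp any any eq 67",
        " deny ip any any log",
        f"interface vlan {vlan_id}",
        f" ip address {gateway} {netmask}",
        f" ip helper-address {pf_ip}",
        f" ip access-group {name} in",
    ])


if __name__ == "__main__":
    print(check_networks(PF_CONF, NETWORKS_CONF))  # []
    print(registration_acl(20, "192.168.20.254", "255.255.255.0", "192.168.2.1"))
```

Run it against your real files before restarting PacketFence; a dns= pointing at the remote router or a next_hop= on the wrong subnet is reported by name rather than showing up later as clients that never reach the portal.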
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (anti-virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. Note that Microsoft deprecated NAP starting with Windows Server 2012 R2, so only count on it for the client versions listed here. The section below explains how to set up SoH policies with PacketFence.

Installation
By default, SoH is turned off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh = yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example; note that sc requires a space after start= and depend=):

sc config napagent start= auto
sc start napagent

Wired 802.1X:

sc config dot3svc start= auto depend= napagent
sc start dot3svc

netsh nap client show config

Get the ID value for the EAP Quarantine Enforcement Client from that output, then:

netsh nap client set enforcement id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can easily be configured using GPOs.

Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.
The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note
You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or by using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN, or to make a call to the API.

These rules are available in different scopes:

ViolationRole
RegistrationRole
RegisteredRole
InlineRole
AutoRegister
NodeInfoForAutoReg

And can be defined using different criteria like:
node_info.attribute (like node_info.status)
switch
ifIndex
mac
connection_type
username
ssid
time
owner.attribute (like owner.pid)
radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from getting Internet access when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

[igmout]
fil‌ter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN
[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout and the SSID is SECURE:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

Each example above stands on its own; within a single vlan_filters.conf, give every condition section a unique name (the second and third examples both use [igmout], but with different filters). You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer, or to make a call to the API.

These rules are only available in one scope:

returnRadiusAccessAccept

And can be defined using different criteria like:
node_info.attribute (like node_info.$attribute)
switch
ifIndex
mac
connection_type
username
ssid
time
owner.attribute (like owner.$attribute)
radius_request.attribute (like radius_request.$attribute)
violation
user_role
vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and a violation is defined on the node. Note that operator = defined matches only when the violation variable has a value, so this rule does not fire for a node without a violation. merge_answer controls whether the original answer of PacketFence is merged with the filter answer automatically; with merge_answer = no, the filter answer replaces it.

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
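The VLAN and RADIUS filter examples above share one evaluation model: named condition sections, rule sections whose name lists the conditions that must all hold, a scope that selects where the rule applies, and $variables substituted into the answer. The following is an added example written for this guide, not PacketFence's filter engine, that evaluates both kinds of rule over a small context in Python. Assumptions not stated in the guide: a rule section is named "<id>:<cond>&<cond>...", the first matching rule in a scope wins, "defined" matches only when the variable has a value, the time filter understands just the "wd {...} hr {...}" form used above with hour ranges taken as inclusive, and "$name" / "$a.b" in an answer are resolved from the context. The configuration and contexts are constructed inline so the example runs offline.

```python
import configparser
import re
from datetime import datetime

# Constructed sample: the rules from the two examples above, in one file.
FILTERS_CONF = """\
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[2:etherneteap&violation]
scope = returnRadiusAccessAccept
merge_answer = yes
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id
"""


def lookup(ctx, path):
    """Resolve "node_info.category" or "switch._portalURL" in a nested dict."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _hour(tok):  # '11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12
    n = int(tok[:-2]) % 12
    return n + 12 if tok.endswith("pm") else n


def in_period(spec, when):
    """Cut-down Time::Period check: 'wd {...}' day names, 'hr {...}' inclusive hours."""
    for scale, body in re.findall(r"(\w+)\s*\{([^}]*)\}", spec):
        items = body.split()
        if scale == "wd" and when.strftime("%a") not in items:
            return False
        if scale == "hr":
            ranges = [item.partition("-") for item in items]
            if not any(_hour(lo) <= when.hour <= _hour(hi or lo) for lo, _, hi in ranges):
                return False
    return True


def eval_condition(cond, ctx, now):
    key, op, want = cond["filter"], cond["operator"], cond.get("value")
    actual = now if key == "time" else lookup(ctx, key)
    if op == "defined":        # true only when the variable carries a value
        return actual is not None
    if op == "not_defined":
        return actual is None
    if actual is None:
        return False
    if key == "time":
        return in_period(want, actual)
    if op == "is":
        return str(actual) == want
    raise ValueError(f"unsupported operator {op}")


def substitute(text, ctx):
    """Replace $name and $a.b with context values; unknown names are left as-is."""
    def repl(m):
        val = lookup(ctx, m.group(1))
        return m.group(0) if val is None else str(val)
    return re.sub(r"\$([A-Za-z_][\w.]*)", repl, text)


def apply_filters(conf_text, scope, ctx, now=None):
    """Return the first rule in `scope` whose conditions all hold, or None."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    conditions = {s: dict(cp[s]) for s in cp.sections() if ":" not in s}
    for sect in cp.sections():  # file order is evaluation order
        if ":" not in sect or cp[sect].get("scope") != scope:
            continue
        names = sect.split(":", 1)[1].split("&")
        if all(eval_condition(conditions[n], ctx, now) for n in names):
            result = {k: substitute(v, ctx) for k, v in cp[sect].items() if k != "scope"}
            result["rule"] = sect
            return result
    return None
```

A registered device in the default category on SSID SECURE at 12:30 on a Wednesday gets role nointernet; the same device on a Saturday, or at 15:00, matches no rule. For the RADIUS scope, a node with a violation set receives the substituted Cisco-AVPair, and a node without one gets None, which is the behaviour the "defined" operator gives the example in the text.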
DNS enforcement

DNS enforcement allows you to control the network access of a device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server hands out the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server for name resolution.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, ...).
- If a user should be shown the portal, the pfdns service returns a pointer to the IP address of the captive portal; otherwise pfdns resolves the name externally and uses the result in its reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go to Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: if you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
Parked devices

In the event that you are managing a large registration network with devices that stay there (e.g. students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and the registration DHCP server.

Using the parking feature, you can give these devices a longer lease and send them to an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and a link that lets them leave the parked state.

The parked vs. unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).
So in order to activate parking, go to Configuration → Parking and set the threshold to a certain number of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user while in the parked state.

Note
Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parked state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003
This violation controls what happens when a user is detected as parked.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enables setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role to parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P-type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence-compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version in the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all modifications there will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration
Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud
It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence-based AND Suricata-based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, consider installing it):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file-store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line tells syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:
service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Syslog over UDP carries no authentication: any host that can send a datagram to port 514 of the management interface can inject log lines that end up triggering violations. Restrict that port to the Suricata server's IP address in the host firewall.

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of the Suricata MD5 file-store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

Configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: the scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: the MD5 hash returned by Suricata

Security Onion
Installation and Configuration
Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor alerts. syslog is used to forward sensor alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note
Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line tells syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of the Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence. Restrict UDP port 514 on the management interface to the Security Onion master in the host firewall, since the syslog feed is unauthenticated and a forged "Alert Received" line is otherwise enough to raise a violation.

Configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: the IDS triggered rule ID

Type: suricata_event
Trigger ID: the rule class of the triggered IDS alert

Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so; otherwise the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of a violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you through creating a violation that will isolate devices that have generated peer-to-peer traffic and are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.
Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-1200099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr values can be separated by commas.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. With this action present, the violation is opened and left open; without it, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a compliance check on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, there are two cases: a device that has generated peer-to-peer traffic and is using Mac OS X, and a device that has been detected as a rogue DHCP server.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.
Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After that many times, he will not be able to release the violation, and it will have to be released manually by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10 GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced
In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation
Nessus
Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus server and to create a user for PacketFence. Give that user only the rights the scan policy needs.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generation of violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration → Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan on registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: Even if auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. To help you find and write a rule, you can use a third-party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined: Software_Installed, logged_user and Process_Running.

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test whether the attribute Caption contains Google; if it matched, then we trigger a violation (with the trigger internal::888888) for the MAC address of the device.
The second one, logged_user:

request: select UserName from Win32_ComputerSystem

Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following: retrieve the currently logged-in user on the device and register the device based on that user account.
The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand.

The request is the SQL request you will launch on the remote device. You must know what the request will return in order to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).
The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you define your logic. For example, take [1:google&explorer]: this means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex, for example [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
Violations definition

You need to create a new violation section and specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:

$ pfcmd reload violations

Note: Violations will trigger only if the plugin result is higher than a low-severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.
RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is actually the time window we will look at for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:
Accounting::TOT200GB1W

Grace period

When using such violation features, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
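The trigger format and the grace-period advice above, worked through as an added Python example (this is not PacketFence's own code, which is written in Perl): it parses the Accounting::[DIRECTION][LIMIT][INTERVAL] string, sums constructed accounting records for one node over the interval window, and refuses to reopen a violation that was released less than one grace period ago. The units are the ones listed on the page; the 1024-based multipliers, the 30-day month and 365-day year, and the record field names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Limit units listed on the page; 1024-based multipliers are an assumption of this example
LIMIT_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Interval units listed on the page; month = 30 days and year = 365 days are assumptions
INTERVAL_UNITS = {"D": timedelta(days=1), "W": timedelta(weeks=1),
                  "M": timedelta(days=30), "Y": timedelta(days=365)}

TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


def parse_trigger(trigger):
    """Split 'Accounting::IN50GB1M' into (direction, limit in bytes, window as timedelta or None)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not an accounting trigger: %r" % trigger)
    direction, amount, unit, count, interval = m.groups()
    limit = int(amount) * LIMIT_UNITS[unit]
    window = int(count) * INTERVAL_UNITS[interval] if count else None
    return direction, limit, window


def bytes_used(records, mac, direction, now, window):
    """Sum one node's accounting records that ended inside the window closing at now."""
    total = 0
    for rec in records:
        if rec["mac"] != mac:
            continue
        if window is not None and rec["stop"] < now - window:
            continue  # older than the interval we are looking at
        if direction == "IN":
            total += rec["download"]
        elif direction == "OUT":
            total += rec["upload"]
        else:  # TOT
            total += rec["download"] + rec["upload"]
    return total


def violation_should_open(trigger, records, mac, now, last_release=None, grace=None):
    """True when the node exceeds the trigger's limit and the grace period since the last release is over."""
    direction, limit, window = parse_trigger(trigger)
    if last_release is not None and grace is not None and now - last_release < grace:
        return False  # the user just released the violation: give them the grace period
    return bytes_used(records, mac, direction, now, window) > limit


GB = LIMIT_UNITS["GB"]
MB = LIMIT_UNITS["MB"]
NOW = datetime(2016, 6, 15, 12, 0, 0)
NODE = "aa:bb:cc:dd:ee:ff"

# Constructed accounting records (not real data): one dict per closed RADIUS session
RECORDS = [
    {"mac": NODE, "stop": NOW - timedelta(days=40), "download": 100 * GB, "upload": 1 * GB},  # outside 1M
    {"mac": NODE, "stop": NOW - timedelta(days=20), "download": 20 * GB, "upload": 2 * GB},
    {"mac": NODE, "stop": NOW - timedelta(days=3), "download": 25 * GB, "upload": 300 * MB},
    {"mac": NODE, "stop": NOW - timedelta(hours=2), "download": 10 * GB, "upload": 150 * MB},
    {"mac": "11:22:33:44:55:66", "stop": NOW - timedelta(hours=1), "download": 90 * GB, "upload": 0},
]

if __name__ == "__main__":
    for trigger in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        print(trigger, violation_should_open(trigger, RECORDS, NODE, NOW))
    # Same trigger, but the violation was released an hour ago with a one-month grace period
    print(violation_should_open("Accounting::IN50GB1M", RECORDS, NODE, NOW,
                                last_release=NOW - timedelta(hours=1), grace=INTERVAL_UNITS["M"]))
```

With these records the node has downloaded 55GB in the last 30 days, so Accounting::IN50GB1M opens a violation while the 40-day-old 100GB session is ignored; the same trigger stays quiet while the grace period (one interval window, as recommended above) is still running.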
Oinkmaster

Oinkmaster is a Perl script that makes it easy to update the different Snort rules. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal, even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system, since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid = email
preregistration = disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices = 1h,3h,12h,1D,2D,3D,5D
default_access_duration = 12h

The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
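The duration grammar above, implemented as an added Python example (not PacketFence's own Perl implementation): it parses both the plain form (12h) and the extended form (1WR+2D), validates an access_duration_choices list, and computes the expiry date from a fixed reference time so the results are reproducible. The reading of F and R (F counts from the current time, R counts from the beginning of the current DATETIME_UNIT period, with weeks starting on Monday) follows the description above; treating a month as 30 days and a year as 365 days is an assumption of this example.

```python
import re
from datetime import datetime, timedelta

# Seconds per DATETIME_UNIT; a 30-day month and a 365-day year are assumptions of this example
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 7 * 86400, "M": 30 * 86400, "Y": 365 * 86400}

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")


def period_start(unit, ref):
    """Beginning of the period of the given unit that contains ref (weeks start on Monday)."""
    if unit == "s":
        return ref.replace(microsecond=0)
    if unit == "m":
        return ref.replace(second=0, microsecond=0)
    if unit == "h":
        return ref.replace(minute=0, second=0, microsecond=0)
    day = ref.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "Y"


def access_expiry(spec, ref):
    """Date and time at which access granted at ref with duration spec ends."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("invalid access duration: %r" % spec)
    amount, unit, base, op, ext_amount, ext_unit = m.groups()
    duration = timedelta(seconds=int(amount) * UNIT_SECONDS[unit])
    if base is None:
        return ref + duration  # plain form such as 12h: counted from now
    extension = timedelta(seconds=int(ext_amount) * UNIT_SECONDS[ext_unit])
    if op == "-":
        extension = -extension
    # F counts from the reference time; R counts from the start of the current DATETIME_UNIT period
    origin = ref if base == "F" else period_start(unit, ref)
    return origin + duration + extension


def parse_choices(value):
    """Split access_duration_choices and reject any entry the grammar does not accept."""
    choices = [c.strip() for c in value.split(",") if c.strip()]
    bad = [c for c in choices if not DURATION_RE.match(c)]
    if bad:
        raise ValueError("invalid access duration(s): %s" % ", ".join(bad))
    return choices


REF = datetime(2016, 6, 15, 14, 30, 0)  # a Wednesday, used as "now" below

if __name__ == "__main__":
    for spec in ("12h", "3D", "1WR+2D", "1WF+2D", "1MR-1D"):
        print(spec, access_expiry(spec, REF))
    print(parse_choices("1h,3h,12h,1D,2D,3D,5D"))
```

Starting from Wednesday 2016-06-15 14:30, 1WR+2D lands on Wednesday 2016-06-22 00:00 (the Monday that started the week, plus one week and two days), while 1WF+2D lands nine days after the reference time, and 1MR-1D expires at midnight at the end of the month.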
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration = enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any certificate presented by the PacketFence server (TLS certificate validation is disabled)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4726 holds the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New:

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New:
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any certificate presented by the PacketFence server (TLS certificate validation is disabled)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4725 holds the name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New:

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New:

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any certificate presented by the PacketFence server (TLS certificate validation is disabled)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4740 holds the name of the locked account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New:

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740
Actions → New:

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download.

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.
Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First, download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First, make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l), and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence's initial installation.
Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO wait is peaking at 20%: this is not good. If your IO wait is low but your MySQL is taking 50%+ CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
# /etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52

# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql
Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default), it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop…).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = /generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain /generate_204.
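The WMI rules syntax described earlier in this chapter (test blocs with attribute/operator/value, and action blocs whose header carries logic such as [1:!google|(explorer&memory)]) and the apache_filters.conf blocks above share one structure, so here is a single added Python example, not PacketFence's own Perl code, that implements that structure for both: it evaluates test blocs against constructed WMI result rows and against constructed HTTP requests, parses the &, |, ! and parenthesis logic in the action-bloc header, and reports which actions fire. It assumes that a WMI test holds when any returned row matches, that the order prefix before the colon only sorts the action blocs, and that the apache_filters.conf "filter" key names the request attribute; the sample rows, the hypothetical "memory" test and the request samples are constructed for this example.

```python
import re

# Test-bloc operators named on the page; match/match_not use regular expressions
OPERATORS = {
    "is": lambda actual, value: actual == value,
    "is_not": lambda actual, value: actual != value,
    "match": lambda actual, value: re.search(value, actual) is not None,
    "match_not": lambda actual, value: re.search(value, actual) is None,
}


def run_test(test, record):
    """One test bloc against one record (a WMI result row or an HTTP request)."""
    if "method" in test and record.get("method") != test["method"]:
        return False  # apache_filters.conf tests are also restricted to one HTTP method
    actual = record.get(test["attribute"])
    return actual is not None and OPERATORS[test["operator"]](str(actual), test["value"])


def evaluate_tests(tests, records):
    """A test holds when any record satisfies it (assumption: a WMI request returns many rows)."""
    return {name: any(run_test(test, rec) for rec in records) for name, test in tests.items()}


def evaluate_logic(expr, truth):
    """Evaluate action-bloc logic such as '!google|(explorer&memory)' over {test name: bool}.
    Grammar: or := and ('|' and)* ; and := not ('&' not)* ; not := '!' not | '(' or ')' | NAME"""
    tokens = re.findall(r"[A-Za-z0-9_]+|[&|!()]", expr)
    pos = [0]  # cursor shared by the nested parsers below

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            value = parse_and() | value  # both sides are evaluated, no short-circuit
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&":
            take()
            value = parse_not() & value
        return value

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        return truth[tok]  # KeyError for a test name that was never defined

    value = parse_or()
    if peek() is not None:
        raise ValueError("unexpected %r in %r" % (peek(), expr))
    return value


def fired_actions(tests, actions, records):
    """Actions whose header logic holds, in definition order ('1:google&explorer' -> 'google&explorer')."""
    truth = evaluate_tests(tests, records)
    return [action for header, action in actions.items() if evaluate_logic(header.split(":", 1)[1], truth)]


# WMI side: the Google and explorer tests from the page plus a hypothetical 'memory' test
WMI_TESTS = {
    "google": {"attribute": "Caption", "operator": "match", "value": "Google"},
    "explorer": {"attribute": "Name", "operator": "match", "value": r"explorer\.exe"},
    "memory": {"attribute": "Name", "operator": "match", "value": "memory"},
}
WMI_ACTIONS = {"1:google&explorer": "trigger_violation", "2:!google|(explorer&memory)": "allow"}
# Constructed rows standing in for the Win32_Product and Win32_Process query results
WMI_ROWS = [{"Caption": "Google Chrome"}, {"Caption": "Microsoft Office"},
            {"Name": "explorer.exe"}, {"Name": "svchost.exe"}]

# Apache side: the two tests and the block_dalvik filter from the page ('filter' is the attribute)
HTTP_TESTS = {
    "get_ua_is_dalvik": {"attribute": "user_agent", "method": "GET", "operator": "match", "value": "Dalvik"},
    "get_uri_not_generate204": {"attribute": "uri", "method": "GET", "operator": "match_not",
                                "value": "/generate_204"},
}
HTTP_ACTIONS = {"block_dalvik:get_ua_is_dalvik&get_uri_not_generate204": "501"}


def http_status(request):
    """'501' when the Dalvik filter blocks the request, None when the captive portal should answer it."""
    fired = fired_actions(HTTP_TESTS, HTTP_ACTIONS, [request])
    return fired[0] if fired else None


if __name__ == "__main__":
    print(fired_actions(WMI_TESTS, WMI_ACTIONS, WMI_ROWS))  # ['trigger_violation']
    print(http_status({"method": "GET", "uri": "/api/ping", "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)"}))
    print(http_status({"method": "GET", "uri": "/generate_204", "user_agent": "Dalvik/2.1.0"}))
```

On the constructed rows, google and explorer hold and memory does not, so only [1:google&explorer] fires; on the HTTP side an Android Dalvik client fetching /generate_204 is let through to the portal (the connectivity check the second test protects), while any other Dalvik GET gets the 501.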
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure PacketFence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:
mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak
Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.
GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                        | manage the cache subsystem
 checkup                      | perform a sanity checkup and report any problems
 class                        | view violation classes
 configfiles                  | push or pull configfiles into/from database
 configreload                 | reload the configution
 floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
 help                         | show help for pfcmd commands
 ifoctetshistorymac           | accounting history
 ifoctetshistoryswitch        | accounting history
 ifoctetshistoryuser          | accounting history
 import                       | bulk import of information into the database
 ipmachistory                 | IP/MAC history
 locationhistorymac           | Switch/Port history
 locationhistoryswitch        | Switch/Port history
 networkconfig                | query/modify network configuration parameters
 node                         | manipulate node entries
 pfconfig                     | interact with pfconfig
 portalprofileconfig          | query/modify portal profile configuration parameters
 reload                       | rebuild fingerprint or violations tables without restart
 service                      | start/stop/restart and get PF daemon status
 schedule                     | Nessus scan scheduling
 switchconfig                 | query/modify switches.conf configuration parameters
 version                      | output version information
 violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
 -deauthenticate       de-authenticate a dot11 client
 -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
 -getAlias             show the description of the specified switch port
 -getAllMACs           show all MACS on all switch ports
 -getHubs              show switch ports with several MACs
 -getIfOperStatus      show the operational status of the specified switch port
 -getIfType            show the ifType on the specified switch port
 -getLocation          show at which switch port the MAC is found
 -getSwitchLocation    show SNMP location of specified switch
 -getMAC               show all MACs on the specified switch port
 -getType              show switch type
 -getUpLinks           show the upLinks of the specified switch
 -getVersion           show switch OS version
 -getVlan              show the VLAN on the specified switch port
 -getVlanType          show the VLAN type on the specified port
 -help                 brief help message
 -isolate              set the switch port to the isolation VLAN
 -man                  full documentation
 -reAssignVlan         re-assign a switch port VLAN
 -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
 -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
 -setAlias             set the description of the specified switch port
 -setDefaultVlan       set the switch port to the default VLAN
 -setIfAdminStatus     set the admin status of the specified switch port
 -setVlan              set VLAN on the specified switch port
 -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
 -alias           switch port description
 -ifAdminStatus   ifAdminStatus
 -ifIndex         switch port ifIndex
 -mac             MAC address
 -showPF          show additional information available in PF
 -switch          switch description
 -verbose         log verbosity level
                   0 : fatal messages
                   1 : warn messages
                   2 : info messages
                   3 : debug
                   4 : trace
 -vlan            VLAN id
 -vlanName        VLAN name (as in switches.conf)
Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.
System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:
- RedHat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.
Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

RedHat-based systems

Note
Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x

Note
These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the normal VLAN.

Web Auth mode

Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (it didn't detect that the link was down) so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.

5. test

Note
If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule by clicking on the "Add rule" button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role employee
  - Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action and set an access duration for 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role machineauth
  - Set unregistration date January 1st, 2020

Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.

Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}
Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note
See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
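To tie the two actions and the HTTP source fields together, here is an added example of a minimal external API written as a Python WSGI application; it is not PacketFence's code nor its example_external_auth addon. The POST field names (username, password), the URL paths /authenticate and /authorize, the basic-auth credentials and the user directory are all constructed for this example.

```python
"""Minimal external HTTP API of the kind a PacketFence HTTP source calls.

Added example, not PacketFence's own code.  Two POST actions are served:
/authenticate returns {"result", "message"}; /authorize returns only the
attributes that apply (category, unregdate, access_duration, ...).  Assumed:
the POST field names 'username' and 'password', the two URL paths, and the
HTTP basic-auth credentials are constructed for this example.
"""
import base64
import hmac
import io
import json
from urllib.parse import parse_qs, urlencode

# Constructed API credentials (the "API username and password" fields).
API_USER = "pfapi"
API_PASS = "constructed-secret"

# Constructed user directory; a real backend would query LDAP, SQL, etc.
USERS = {
    "alice": {"password": "s3cret", "kind": "employee"},
    "bob":   {"password": "hunter2", "kind": "guest"},
}


def authenticate(username, password):
    """Authentication action: is the username/password combination valid?"""
    user = USERS.get(username)
    # compare_digest avoids leaking the matching prefix length through timing.
    ok = user is not None and hmac.compare_digest(
        user["password"].encode("utf-8"), password.encode("utf-8"))
    if ok:
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(username):
    """Authorization action: send back only the attributes PacketFence should apply."""
    user = USERS.get(username)
    if user is None:
        return {}
    if user["kind"] == "employee":
        return {"category": "employee", "unregdate": "2030-01-01"}
    return {"category": "guest", "access_duration": "1D"}


def basic_auth_ok(environ):
    """Verify RFC 2617 basic auth, which PacketFence sends when both fields are set."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    return (hmac.compare_digest(user.encode("utf-8"), API_USER.encode("utf-8"))
            and hmac.compare_digest(password.encode("utf-8"), API_PASS.encode("utf-8")))


def app(environ, start_response):
    """WSGI entry point: basic auth first, then dispatch on the path."""
    if not basic_auth_ok(environ):
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="pf-external-auth"')])
        return [b""]
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    fields = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    username = fields.get("username", [""])[0]
    password = fields.get("password", [""])[0]
    path = environ.get("PATH_INFO", "")
    if path == "/authenticate":
        body = authenticate(username, password)
    elif path == "/authorize":
        body = authorize(username)
    else:
        start_response("404 Not Found", [])
        return [b""]
    payload = json.dumps(body).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(payload)))])
    return [payload]


def call(path, fields, user=API_USER, password=API_PASS):
    """Drive the app in-process with a constructed POST; returns (status, decoded body)."""
    raw = urlencode(fields).encode("utf-8")
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw),
               "HTTP_AUTHORIZATION": "Basic " + token}
    captured = {}
    chunks = app(environ, lambda status, headers: captured.update(status=status))
    body = b"".join(chunks)
    return captured["status"], (json.loads(body) if body else None)


if __name__ == "__main__":
    print(call("/authenticate", {"username": "alice", "password": "s3cret"}))
    print(call("/authorize", {"username": "alice"}))
    print(call("/authenticate", {"username": "alice", "password": "s3cret"}, password="bad"))
```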
SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.
Where:
  Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
  Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
  Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
  Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
  Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
  Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
  Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
  Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.
Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.
In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:
    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
    );
Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.
Passthroughs: in order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:
  Default SNMP read/write communities for the switches
  Default working mode (see the note below about possible working modes)
and a switch section for each switch (managed by PacketFence) including:
  Switch IP/Mac/Range
  Switch vendor/type
  Switch uplink ports (trunks and non-managed IfIndex)
  per-switch re-definition of the VLANs (if required)
Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload
Working modes: there are three different working modes for a switch in PacketFence:
  Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
  Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
  Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
RADIUS: to set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:
    radiusSecret = secretPassPhrase
Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.
SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged, you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch: edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite
From a switch to PacketFence: edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread
Switch Configuration: here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:
    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH
Warning: privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence needs sometimes to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:
    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd
It can also be done through the Web Administration Interface under Configuration → Switches.
Role-based enforcement support: some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:
    Format: <rolename>Role=<controller_role>
And you assign it to the global roles parameter or the per-switch one. For example:
    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
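As an added example (not PacketFence code, which is Perl), the following Python reads a constructed switches.conf-style file and shows how a per-switch section falls back to [default] for the working mode, the RADIUS secret and the <rolename>Role=<controller_role> mappings described above, and which controller role a node category resolves to on a given switch. Section names, secrets and role names are constructed sample data.

```python
"""Resolve effective switches.conf settings and role mappings.

Added example, not PacketFence code. It answers two questions an operator
has about the [default] plus per-switch layout described above: what is the
effective value for a switch, and which controller role a node category maps
to there. The sample configuration is constructed; the mode values and the
<rolename>Role=<controller_role> format are those documented on this page.
"""
import configparser

# Constructed sample in the switches.conf layout: a [default] section and one
# section per switch, keyed by the switch IP. Values in a switch section
# override [default]; anything missing falls back to it.
SAMPLE_SWITCHES_CONF = """
[default]
mode = production
SNMPVersion = 3
radiusSecret = default-shared-secret
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.1.10]
description = lab access switch
mode = testing
radiusSecret = lab-shared-secret

[192.168.1.20]
description = sales floor switch
salesRole = sales-acl
"""

WORKING_MODES = ("testing", "registration", "production")


def load_switches_conf(text):
    """Parse switches.conf text; [default] supplies fallback values for every switch."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep key case: SNMPVersion, adminRole, ...
    cp.read_string(text)
    return cp


def effective(cp, switch, key):
    """Effective value of key for a switch: its own section, else [default], else None."""
    return cp[switch].get(key)


def working_mode(cp, switch):
    """Working mode after fallback; an unknown value is an error, not a guess."""
    mode = effective(cp, switch, "mode")
    if mode not in WORKING_MODES:
        raise ValueError(f"{switch}: unknown working mode {mode!r}")
    return mode


def role_for_category(cp, switch, category):
    """Controller role for a node category via <category>Role=<controller_role>.

    None means no mapping exists for that switch (neither in its section
    nor in [default]).
    """
    return effective(cp, switch, f"{category}Role")


def switches_not_in_production(cp):
    """Switches still in testing or registration mode, worth reviewing before go-live."""
    return sorted(s for s in cp.sections() if working_mode(cp, s) != "production")


if __name__ == "__main__":
    conf = load_switches_conf(SAMPLE_SWITCHES_CONF)
    for sw in conf.sections():
        print(sw, working_mode(conf, sw), effective(conf, sw, "radiusSecret"),
              role_for_category(conf, sw, "sales"))
```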
Caution: make sure that the roles are properly defined on the network devices prior to assigning roles.
Portal Profiles
PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:
  Redirect URL under Configuration → Portal Profile → Portal Name
  For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.
  IP under Configuration → Captive portal
  This IP is used as the web server who hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.
In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.
When configured, portal profiles will override default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).
Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:
    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use
Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.
Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:
  SSID: Guest-SSID
  VLAN: 100
  SwitchPort: <SwitchId>-<Port>
  Network: Network in CIDR format or an IP address
Caution: Node role will take effect only with a 802.1X connection or if you use VLAN filters.
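As an added example (not PacketFence code), the following Python evaluates the four filter syntaxes shown above (SSID, VLAN, SwitchPort as <SwitchId>-<Port>, Network as a CIDR or a bare IP) over profiles.conf-style sections and picks the profile for a connecting client, falling back to the default profile when nothing matches. The profiles, the client attributes and the first-match ordering are constructed assumptions of this example.

```python
"""Select the portal profile whose filter matches a connecting client.

Added example, not PacketFence code. It implements the filter syntaxes this
section shows (SSID:<name>, VLAN:<id>, SwitchPort:<SwitchId>-<Port>,
Network:<CIDR or IP>) over profiles.conf-style sections. The default profile
has no filter and is the fallback; first-match ordering is an assumption here.
"""
import configparser
import ipaddress

# Constructed profiles.conf-style content.
SAMPLE_PROFILES_CONF = """
[default]
description = default portal profile
sources = local

[guests]
description = open guest wifi
filter = SSID:Guest-SSID
sources = sms,email

[vlan100]
description = wired contractor vlan
filter = VLAN:100
sources = sponsor

[lab_port]
description = lab jack
filter = SwitchPort:192.168.1.10-12
sources = local

[byod_net]
description = byod subnet
filter = Network:10.20.0.0/16
sources = ldap
"""


def parse_filter(spec):
    """Split "Type:value" into (type, value); a malformed spec is rejected."""
    kind, sep, value = spec.partition(":")
    if not sep or not value:
        raise ValueError(f"bad filter {spec!r}")
    return kind, value


def filter_matches(kind, value, client):
    """Evaluate one filter against a client dict (keys: ssid, vlan, switch, port, ip)."""
    if kind == "SSID":
        return client.get("ssid") == value
    if kind == "VLAN":
        return str(client.get("vlan")) == value
    if kind == "SwitchPort":
        # <SwitchId>-<Port>: split on the last dash so a dotted IP switch id survives.
        switch, _, port = value.rpartition("-")
        return client.get("switch") == switch and str(client.get("port")) == port
    if kind == "Network":
        if "ip" not in client:
            return False
        # A bare IP address is a one-host network; strict=False tolerates host bits.
        return ipaddress.ip_address(client["ip"]) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported filter type {kind!r}")


def load_profiles(text):
    """Parse profiles.conf text, keeping option and section names as written."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def select_profile(cp, client):
    """Name of the first filtered profile matching the client, else 'default'."""
    for name in cp.sections():
        if name == "default" or "filter" not in cp[name]:
            continue
        kind, value = parse_filter(cp[name]["filter"])
        if filter_matches(kind, value, client):
            return name
    return "default"


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES_CONF)
    print(select_profile(profiles, {"ssid": "Guest-SSID", "ip": "10.20.33.4"}))
```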
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configurations are located in /usr/local/pf/conf/httpd.conf.d/.
In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.
  httpd.admin is used to manage the PacketFence admin interface
  httpd.portal is used to manage the PacketFence captive portal interface
  httpd.webservices is used to manage the PacketFence web services interface
  httpd.aaa is used to manage incoming RADIUS requests
These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.
The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.
Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration
This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)
Caution: if you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.
In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
Now execute sysctl -p to apply the configuration.
Next, go in the Administration interface under Configuration → Domains.
Note: if you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.
Click Add Domain and fill in the information about your domain.
Where:
  Identifier is a unique identifier for your domain. Its purpose is only visual.
  Workgroup is the workgroup of your domain in the old syntax (like NT4).
  DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.
  This server's name is the name that the server's account will have in your Active Directory.
  DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
  Username is the username that will be used for binding to the server. This account must be a domain administrator.
  Password is the password for the username defined above.
Troubleshooting: in order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.
You can validate the domain bind using the following command:
    chroot /chroots/<mydomain> wbinfo -u
You can test the authentication process using the following command:
    chroot /chroots/<mydomain> ntlm_auth --username=administrator
Note: under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.
Default domain configuration: you should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.
Next, restart PacketFence in Status → Services.
Multiple domains authentication: first configure your domains in Configuration → Domains.
Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.
Where:
  Realm is either the DNS name (FQDN) of your domain or the workgroup.
  Realm options are any realm options that you want to add to the FreeRADIUS configuration.
  Domain is the domain which is associated to this realm.
Now create the two other realms associated to your other domains.
You should now have the following realm configuration.
Option 1b: Authentication against Active Directory (AD) in a cluster
Samba/Kerberos/Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:
    yum install samba krb5-workstation
For Debian and Ubuntu, do:
    apt-get install samba winbind krb5-user
Note: if you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).
When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }
For Debian and Ubuntu:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }
Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0
For Debian and Ubuntu:
    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0
Issue a kinit and klist in order to get and verify the Kerberos token:
    kinit administrator
    klist
After that, you need to start samba and join the machine to the domain:
    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator
Note that for Debian and Ubuntu, you will probably have this error:
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials
For CentOS/RHEL:
    usermod -a -G wbpriv pf
Finally, start winbind and test the setup using ntlm_auth and radtest:
    service winbind start
    chkconfig --level 345 winbind on
For Debian and Ubuntu:
    usermod -a -G winbindd_priv pf
    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
Option 2: Local Authentication. Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:
    username Cleartext-Password := "password"
Option 3: EAP authentication against OpenLDAP. To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as a NT-HASH or as cleartext.
    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = password
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }
Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:
    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }
Option 4: EAP Guest Authentication on email, sponsor and SMS registration. This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.
First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.
At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note: this option doesn't currently work with the Reuse dot1x credentials option of the captive portal.
In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.
This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:
    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfsponsor
                if (fail || notfound) {
                    # Don't check activation table with phone number and PIN code
                    #pfsms                  <--- This line was commented out
                    if (fail || notfound) {
                        update control {
                            &MS-CHAP-Use-NTLM-Auth := Yes
                        }
                    }
                }
            }
        }
    }
Note: for this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.
Option 5: EAP Local user Authentication. The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.
In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.
    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            update control {
                MS-CHAP-Use-NTLM-Auth := Yes
            }
        }
    }
Caution: you will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.
Tests: test your setup with radtest using the following command and make sure you get an Access-Accept answer:
    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Portal Modules
The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note: when upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.
First, a brief description of the available Portal Modules:
  Root: this is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
  Choice: this allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
  Chained: this allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.
  Message: this allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.
  Authentication: the authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
    Billing: allows to define a module based on one or more billing sources.
    Choice: allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.
    Login: allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
    Other modules: the other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields if applicable.
Examples: this section will contain the following examples:
  Prompting for fields without authentication
  Prompting additional fields during the authentication
  Chained authentication
  Mixing login and Secure SSID on-boarding on the portal
  Displaying a message to the user after the registration
Creating a custom root module: first create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.
Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.
You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.
Prompting for fields without authentication: in order to prompt fields without authentication, you can use the Null source with the Null Portal Module.
PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.
Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then submitting this information will assign you the role and access duration that you defined in the null source.
Prompting additional fields during the authentication
If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.
You can also add additional mandatory fields to the default policies that are already configured.
This example will make the default_guest_policy require the user to enter a first name, last name and address so that guests have to enter these three pieces of information before registering.
Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.
Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.
Note: not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).
Chained authentication
The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.
This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.
For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.
Then we will create a module that will contain the definition of our SMS registration.
Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.
Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.
Mixing login and Secure SSID on-boarding on the portal: this example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password but also give the choice to configure the Secure SSID directly from the portal.
First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.
Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.
Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.
Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.
Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.
Displaying a message to the user after the registration
Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.
Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.
Then put the following in the Message field:
    Hello World ! <a href="www.packetfence.org">Click here to access the PacketFence website</a>
Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced): the Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.
All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.
You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.
In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).
Note: you can find all the authentication objects in lib/pf/Authentication/Source.
  Sources by class: allows you to specify the perl class name of the sources you want available.
  ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
  Sources by type: allows you to filter out sources using the type attribute of the Authentication object.
  Sources by Auth Class: allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Chapter 10
Debugging
Log files
Here are the most important PacketFence log files:
  /usr/local/pf/logs/packetfence.log - PacketFence Core Log
  /usr/local/pf/logs/httpd.portal.access - Apache - Captive Portal Access Log
  /usr/local/pf/logs/httpd.portal.error - Apache - Captive Portal Error Log
  /usr/local/pf/logs/httpd.admin.access - Apache - Web Admin/Services Access Log
  /usr/local/pf/logs/httpd.admin.error - Apache - Web Admin/Services Error Log
  /usr/local/pf/logs/httpd.webservices.access - Apache - Webservices Access Log
  /usr/local/pf/logs/httpd.webservices.error - Apache - Webservices Error Log
  /usr/local/pf/logs/httpd.aaa.access - Apache - AAA Access Log
  /usr/local/pf/logs/httpd.aaa.error - Apache - AAA Error Log
There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.
The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.
RADIUS Debugging
First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.
If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:
For the authentication radius process:
radiusd -X -d /usr/local/pf/raddb -n auth
For the accounting radius process:
radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.
In order to have an output from raddebug, you need to either:
a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)
Now you can run raddebug easily:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock
The above will output FreeRADIUS authentication debug logs for 5 minutes.
Use the following to debug radius accounting:
raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock
See man raddebug for all the options.
More on VoIP Integration
VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section we will see why.
CDP and LLDP are your friend
For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.
On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.
VoIP and VLAN assignment techniques
As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.
Port-security: Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.
Note
Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.
MAC Authentication and 802.1X
Cisco hardware: On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.
Non-Cisco hardware: On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.
Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.
What if CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).
Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.
Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.
Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:
[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click to configure; it will create the secure SSID profile. It is that simple.
Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.
PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.
In order to activate the billing, you will need to configure the following components:
- Billing source(s)
- Billing tier(s)
Configuring a billing source
First select a billing provider and follow the instructions below.
Paypal
Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.
If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account
To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.
Then, in the Sandbox menu, click Accounts.
Create an account that has the type Personal and one that has the type Business.
Afterwards, go back into accounts and expand the business account, then click Profile.
Now click the Change password link, change the password and note it.
Do the same thing with the personal account you created.
Configuring the merchant account
Log in to the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.
Next, go in My Account → Profile in order to go into your profile configuration.
Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.
You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify
You should also take note of the Identity Token as it will be required in the PacketFence configuration.
Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.
Now on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).
Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.
Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem
Caution
The certificate will NOT be the same if you use a sandbox account or a real account.
Configuring PacketFence
Now in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:
- Identity token is the one you noted when on the Website Payment Preferences page
- Cert ID is the one you noted when on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Stripe
Stripe account
First, go on https://dashboard.stripe.com, create an account and log in.
Next, on the top right, click Your account, then Account settings.
Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence
Now in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:
- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret
Authorize.net
Creating an account
First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.
After you created your account, you will be shown your API login ID and Transaction key. Note both of these values for usage in the PacketFence configuration.
Then log in to your new account.
Then under Account, click Settings.
On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.
PacketFence configuration
Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:
- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Mirapay
To be contributed
Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.
In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.
Where:
- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.
Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.
Billing tier
When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.
You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
Stripe configuration
Then, in your Stripe dashboard, you should go in Subscriptions → Plans.
Then create a new plan.
Where:
- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.
Now, following the same procedure, create the advanced plan.
Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.
Updates are sent using HTTP requests on a public IP.
You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.
In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.
Where:
- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode
Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be
prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
[registration]
device_registration = enabled
device_registration_role = gaming
Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration → Registration section.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
— eduroam, https://www.eduroam.org
PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:
client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
}
client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
}
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied):
proxy.conf example:
home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
}
Define a pool of servers to group your eduroam home servers together:
proxy.conf example:
home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
}
Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain in either a domain\user or a user@suffix username.
If none is found, the REALM is NULL.
If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning in this context: eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
        auth_pool = eduroam
        nostrip
}
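The realm selection described above, as an added example (not PacketFence or FreeRADIUS code): a small simulation of which realm a User-Name lands in, whether it is proxied to the eduroam pool, and what User-Name is forwarded. It assumes the realm definitions of this page, the ntdomain-before-suffix order of the authorize section, and case-insensitive realm name matching; the eduroam_ssid_only switch mirrors the commented-out Called-Station-Id block shown further below.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Realms as defined in the proxy.conf example; auth_pool None means "authenticate locally".
REALMS: Dict[str, dict] = {
    "NULL":        {"auth_pool": None,      "nostrip": False},
    "EXAMPLE":     {"auth_pool": None,      "nostrip": False},
    "example.edu": {"auth_pool": None,      "nostrip": False},
    "DEFAULT":     {"auth_pool": "eduroam", "nostrip": True},
}


@dataclass
class Decision:
    realm: str                  # realm FreeRADIUS would select
    proxied_to: Optional[str]   # home_server_pool, or None for local authentication
    user_name: str              # User-Name as forwarded (stripped unless nostrip)


def split_user_name(user_name: str):
    """Find the domain the way the realm module does with the authorize order
    on this page: ntdomain (prefix, delimiter '\\') runs before suffix ('@').
    Returns (domain, stripped_user); domain is None when neither form matches."""
    domain, sep, user = user_name.partition("\\")
    if sep and domain:
        return domain, user
    user, sep, domain = user_name.rpartition("@")
    if sep and domain:
        return domain, user
    return None, user_name


def select_realm(user_name: str, called_station_id: str = "",
                 eduroam_ssid_only: bool = False) -> Decision:
    """Map a User-Name to the realm and proxy decision described above.
    eduroam_ssid_only models the optional Called-Station-Id check: a request
    that did not arrive on an SSID ending in 'eduroam' gets
    Proxy-To-Realm := local, so it is never proxied (and fails locally)."""
    domain, stripped = split_user_name(user_name)
    if domain is None:
        name = "NULL"
    else:
        # Assumption of this example: realm names compare case-insensitively.
        named = [r for r in REALMS if r not in ("NULL", "DEFAULT")]
        name = next((r for r in named if r.lower() == domain.lower()), "DEFAULT")
    cfg = REALMS[name]
    pool = cfg["auth_pool"]
    if pool and eduroam_ssid_only and not called_station_id.lower().endswith("eduroam"):
        name, pool = "local", None      # 'local' is not a defined realm: no proxying
    forwarded = user_name if (domain is None or cfg["nostrip"]) else stripped
    return Decision(name, pool, forwarded)
```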
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
authorize {
        # pay attention to the order of the modules. It matters!
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs
        # The attribute name ( Called-Station-Id ) may differ based on your controller
        #if ( Called-Station-Id !~ /eduroam$/i) {
        #        update control {
        #                Proxy-To-Realm := local
        #        }
        #}

        eap {
                ok = return
        }
        files
        expiration
        logintime
        packetfence
}
In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence where it will be failed, since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:
post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
                packetfence
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
# 'username@realm'
realm suffix {
        format = suffix
        delimiter = "@"
}

# 'domain\user'
realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
}
Fingerbank integration
Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.
The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprints database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.
Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.
Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.
Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT being modified during this process.
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.
Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.
Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.
Settings
Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.
Floating Network Devices
Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.
Caution
Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.
How it works
Configuration
- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps
When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps
Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices
Here are the settings that are available:
MAC Address: MAC address of the floating device
IP Address: IP address of the floating device (not required, for information only)
trunkPort: Yes/no. Should the port be configured as a multi-vlan port
pvid: VLAN in which PacketFence should put the port
taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the Vlans that have to be tagged on the port.
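The port-security / linkdown trap handling just described, as an added example (not PacketFence code): a model of the port state PacketFence changes, driven by a constructed floating device file. The INI layout (one section per device keyed by its MAC, with the ip, pvid, trunkPort and taggedVlan settings listed above) is an assumption of this example, as are the sample MACs and VLAN numbers.

```python
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of conf/floating_network_device.conf in the layout this example assumes.
SAMPLE_CONF = """
[00:11:22:33:44:55]
ip=192.0.2.10
pvid=10
trunkPort=yes
taggedVlan=20,30

[66:77:88:99:aa:bb]
pvid=50
trunkPort=no
"""


@dataclass
class FloatingDevice:
    mac: str
    pvid: int
    trunk_port: bool
    tagged_vlans: List[int]
    ip: Optional[str] = None   # informational only, as the guide says


def load_floating_devices(text: str) -> Dict[str, FloatingDevice]:
    """Parse the floating device definitions; MACs are normalised to lowercase."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    devices = {}
    for mac in cp.sections():
        sec = cp[mac]
        tagged = [int(v) for v in sec.get("taggedVlan", "").split(",") if v.strip()]
        devices[mac.lower()] = FloatingDevice(
            mac=mac.lower(),
            pvid=int(sec["pvid"]),
            trunk_port=sec.get("trunkPort", "no").lower() == "yes",
            tagged_vlans=tagged,
            ip=sec.get("ip"),
        )
    return devices


@dataclass
class PortState:
    """Switch port settings PacketFence touches for floating devices."""
    pvid: int                          # access VLAN the port normally carries
    port_security: bool = True
    linkdown_traps: bool = False       # off by default; only port-security traps are on
    trunk: bool = False
    tagged_vlans: List[int] = field(default_factory=list)
    floating_mac: Optional[str] = None
    saved: Optional[dict] = None       # configuration to restore on link down


def on_port_security_trap(port: PortState, mac: str,
                          devices: Dict[str, FloatingDevice]) -> str:
    """A port-security trap for a known floating MAC reconfigures the port;
    any other MAC follows the regular VLAN assignment / authorization path."""
    dev = devices.get(mac.lower())
    if dev is None:
        return "regular"
    port.saved = {"pvid": port.pvid, "trunk": port.trunk,
                  "tagged_vlans": list(port.tagged_vlans)}
    port.port_security = False          # 1. disable port-security
    port.pvid = dev.pvid                # 2. set the PVID
    if dev.trunk_port:                  # 3. eventually set the port as multi-vlan
        port.trunk = True
        port.tagged_vlans = list(dev.tagged_vlans)
    port.linkdown_traps = True          # 4. enable linkdown traps
    port.floating_mac = dev.mac
    return "floating"


def on_linkdown_trap(port: PortState) -> bool:
    """Link down on a port that had a floating device: restore it as before."""
    if port.floating_mac is None or port.saved is None:
        return False                    # linkdown traps only matter on floating ports
    port.pvid = port.saved["pvid"]
    port.trunk = port.saved["trunk"]
    port.tagged_vlans = port.saved["tagged_vlans"]
    port.port_security = True           # re-enable port-security
    port.linkdown_traps = False         # disable linkdown traps
    port.floating_mac = None
    port.saved = None
    return True
```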
OAuth2 Authentication
Note: OAuth2 authentication does not work with Webauth enforcement.
The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.
In order to have oauth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).
Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, *.googleapis.com, accounts.youtube.com (make sure that you have the google domain from your country, like Canada: google.ca, France: google.fr, etc…).
Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps
ManagementpageWhenyoucreateyourAppmakesureyouspecifythefollowingastheCallbackURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaTwitterOAuth2authenticationsourcefromConfigurationrarrSources
MoreoverdonrsquotforgettoaddTwitterasaregistrationmodefromyourportalprofiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
WindowsLiveTouseWindowsliveyoualsoneedanAPIcodeandasecretkeyTogetoneyouneedtocreateanAppherehttpsaccountlivecomdevelopersapplicationsWhenyoucreateyourAppmakesureyouspecifythefollowingastheCallbackURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback
Ofcoursereplacethehostnamewiththevaluesfromgeneralhostnameandgeneraldomain
OnceyouhaveyourinformationyouneedtoconfiguretheOAuth2providerThiscanbedonebyaddingaWindowsLiveOAuth2authenticationsourcefromConfigurationrarrSources
Moreover donrsquot forget to add WindowsLive as a registration mode from your portal profiledefinitionavailablefromConfigurationrarrPortalProfilesandPages
Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IP were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on that interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic
Get a copy of all the DHCP Traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.

Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below. Stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
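The three techniques above all exist to feed DHCP traffic to pfdhcplistener, which learns the MAC-to-IP mapping from the server's DHCPACK. The following is an added example, not pfdhcplistener's own code, showing the minimal version of that job: it parses the BOOTP/DHCP payload (chaddr, yiaddr and the options field), records a lease only for an ACK (an OFFER or REQUEST may never be honoured, so recording those would poison the table), and keeps the lease time from option 51. The build_dhcp() helper, the transaction id, the MAC and the 10.0.101.x addresses are constructed sample input for this example.

```python
"""Map client MAC addresses to leased IPs from DHCP ACK packets (the job of pfdhcplistener)."""
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field magic cookie (RFC 2132)
OPT_PAD, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
MSG_OFFER, MSG_ACK = 2, 5


def parse_dhcp(payload: bytes) -> Tuple[str, str, Dict[int, bytes]]:
    """Return (client MAC, yiaddr, options) from the UDP payload of a BOOTP/DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    htype, hlen = payload[1], payload[2]
    if htype != 1 or hlen != 6:                  # only Ethernet hardware addresses
        raise ValueError("unsupported hardware type")
    yiaddr = ".".join(str(b) for b in payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return mac, yiaddr, options


def record_lease(table: Dict[str, Tuple[str, Optional[int]]], payload: bytes):
    """Update the MAC->IP table from a DHCPACK; every other message type is ignored
    because only the ACK is authoritative for the address the client will use."""
    mac, ip, opts = parse_dhcp(payload)
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] != MSG_ACK:
        return None
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None
    table[mac] = (ip, lease)
    return mac, ip, lease


def build_dhcp(msg_type: int, mac: str, yiaddr: str, lease: int = 3600) -> bytes:
    """Construct a minimal server->client DHCP message (sample input for this example only)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)   # op=BOOTREPLY, constructed xid
    fixed += bytes(4)                                                 # ciaddr
    fixed += bytes(int(o) for o in yiaddr.split("."))                 # yiaddr
    fixed += bytes(8)                                                 # siaddr, giaddr
    fixed += hw.ljust(16, b"\x00")                                    # chaddr
    fixed += bytes(64 + 128)                                          # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_SERVER_ID, 4]) + bytes([10, 0, 101, 1])        # constructed server IP
    return fixed + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    leases: Dict[str, Tuple[str, Optional[int]]] = {}
    record_lease(leases, build_dhcp(MSG_OFFER, "00:11:22:33:44:55", "10.0.101.50"))
    record_lease(leases, build_dhcp(MSG_ACK, "00:11:22:33:44:55", "10.0.101.50"))
    print(leases)
```

The same parser works whether the copy of the traffic arrives via an ip helper-address relay (the giaddr field is then non-zero) or via a mirrored port or a VLAN interface; in every case the server's ACK is the message that carries the assigned address.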
Proxy Interception
PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks
If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note: PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
Statement of Health (SoH)
The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS Server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh=yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start=auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start=auto depend=napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the "EAP Quarantine Enforcement Client"
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note: You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the "Add a filter" button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on "Add a condition" and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition
We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:
- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:
- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm, from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition
We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:
- returnRadiusAccessAccept

And can be defined using different criteria like:
- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer = yes means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer in the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
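The VLAN filter and RADIUS filter sections above share one rule language: named filter sections (filter, operator, value) combined by a rule section whose name after the colon is a boolean expression, selected by scope. The following added example is not PacketFence's own filter engine; it is a small evaluator written for this guide that reads both files' syntax with configparser and applies it to a connection context, so you can check what a rule does before deploying it. It implements the operators the guide shows (is, defined) and, as an assumption about the engine, also is_not, not_defined, match and match_not plus '!' negation in rule names; the time filter supports only the wd and hr scales of the Time::Period syntax, with inclusive ranges. The two configuration strings are the guide's own first VLAN example and first RADIUS example; the context values (category, SSID, connection type, dates) are constructed.

```python
"""Evaluate vlan_filters.conf / radius_filters.conf style rules against a connection context."""
import configparser
import re
from datetime import datetime
from typing import Dict, Optional

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# The guide's first VLAN filter example (flush-left: configparser treats indented lines as continuations)
VLAN_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""

# The guide's first RADIUS filter example
RADIUS_FILTERS = """
[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept
"""


def _hour(token: str) -> int:
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '14' -> 14."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)?", token.strip().lower())
    if not m:
        raise ValueError(f"bad hour token: {token}")
    h, suffix = int(m.group(1)), m.group(2)
    if suffix == "am" and h == 12:
        h = 0
    elif suffix == "pm" and h != 12:
        h += 12
    return h


def in_period(spec: str, now: datetime) -> bool:
    """Subset of Time::Period: 'wd {Mon Tue Wed Thu Fri} hr {11am-2pm}'. Every scale given
    must match; 'a-b' ranges are inclusive, so hr {11am-2pm} covers 11:00 through 14:59."""
    for scale, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if scale == "wd":
            days = set()
            for tok in body.split():
                lo, hi = (tok.split("-") + [tok])[:2]
                days.update(WEEKDAYS[WEEKDAYS.index(lo):WEEKDAYS.index(hi) + 1])
            if WEEKDAYS[now.weekday()] not in days:
                return False
        else:
            hours = set()
            for tok in body.split():
                lo, hi = (tok.split("-") + [tok])[:2]
                hours.update(range(_hour(lo), _hour(hi) + 1))
            if now.hour not in hours:
                return False
    return True


def match_condition(cond: Dict[str, str], ctx: Dict[str, object]) -> bool:
    """Apply one [name] filter section to the context (keys are the criteria names)."""
    name, op, want = cond["filter"], cond["operator"], cond.get("value", "")
    if name == "time":
        hit = in_period(want, ctx["time"])
        return hit if op == "is" else not hit
    have = ctx.get(name)
    if op == "defined":
        return have is not None
    if op == "not_defined":
        return have is None
    if have is None:
        return False
    if op == "is":
        return str(have) == want
    if op == "is_not":
        return str(have) != want
    if op == "match":
        return re.search(want, str(have)) is not None
    if op == "match_not":
        return re.search(want, str(have)) is None
    raise ValueError(f"unknown operator: {op}")


def apply_filters(conf_text: str, scope: str, ctx: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return the settings of the first rule in `scope` whose expression holds, else None.
    '&' binds tighter than '|'; a leading '!' negates a filter name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    conds = {s: dict(cp[s]) for s in cp.sections() if "filter" in cp[s]}
    for section in cp.sections():
        rule = dict(cp[section])
        if rule.get("scope") != scope:
            continue
        expr = section.split(":", 1)[1]

        def term(t: str) -> bool:
            t = t.strip()
            result = match_condition(conds[t.lstrip("!")], ctx)
            return not result if t.startswith("!") else result

        if any(all(term(t) for t in clause.split("&")) for clause in expr.split("|")):
            return {k: v for k, v in rule.items() if k != "scope"}
    return None
```

Running the RegisteredRole rule with category "default", SSID "SECURE" and a Friday 12:00 timestamp yields {"role": "nointernet"}; moving the clock to Saturday, or to 15:00, or changing the SSID, yields None. The RADIUS rule yields {"merge_answer": "no"} for an Ethernet-EAP context without a violation and None once a violation is present, which is the behaviour the '!violation' term is there to produce.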
DNS enforcement
DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (Core switch, Firewall, Router…).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise, pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
Parked devices
In the event that you are managing a large registration network with devices that stay there (ex: Students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time and will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note: Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003
This violation controls what happens when a user is detected doing parking.

Here are the main settings:
- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Optional components

Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort
Installation
The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all the modifications will be destroyed on each PacketFence restart.
Suricata
Installation
Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_5

Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration
Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud
It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration. If not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

    # PacketFence OPSWAT Metadefender Cloud integration
    # This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
    source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
    # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
    log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

    if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:
- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:
- Type: metascan; Trigger ID: The scan result returned by Metadefender Cloud online
- Type: suricata_md5; Trigger ID: The MD5 hash returned by Suricata
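What reaches the FIFO at the end of the syslog-ng/rsyslog chain above is one line per extracted file: rsyslog's default file template prepends a syslog header, and the body is the files-json.log JSON record. The following added example is not PacketFence's suricata_http parser; it shows, for this guide, how such lines are consumed: the header is stripped, the JSON decoded, records without a well-formed MD5 (truncated files, non-JSON noise) are dropped, the hash is normalised to lowercase, and the result is looked up in a table of suricata_md5 triggers. The three sample lines, the IP addresses, the hostname and the violation id 4000010 are constructed for this example; the exact set of JSON fields Suricata emits depends on its version.

```python
"""Parse Suricata files-json.log entries as they arrive on the alert pipe and match
extracted MD5 hashes against suricata_md5 triggers."""
import json
import re
from typing import Dict, Iterable, List, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample of what rsyslog writes to /usr/local/pf/var/suricata_files: a syslog
# header (rsyslog's default file template) followed by the raw files-json.log JSON record.
SAMPLE_PIPE_LINES = [
    'Jun  3 12:00:01 sensor1 suricata_files: {"timestamp": "06/03/2016-12:00:01.000000", '
    '"ipver": 4, "srcip": "10.0.101.50", "dstip": "93.184.216.34", "protocol": 6, "sp": 54321, '
    '"dp": 80, "http_uri": "/setup.exe", "http_host": "downloads.example.test", '
    '"filename": "/setup.exe", "magic": "PE32 executable", "state": "CLOSED", '
    '"md5": "0123456789ABCDEF0123456789ABCDEF", "stored": false, "size": 4096}',
    # a file Suricata did not see completely carries no md5 and must not produce an event
    'Jun  3 12:00:02 sensor1 suricata_files: {"timestamp": "06/03/2016-12:00:02.000000", '
    '"srcip": "10.0.101.51", "dstip": "93.184.216.34", "filename": "/index.html", '
    '"state": "TRUNCATED", "size": 12}',
    # noise on the pipe (a misrouted non-JSON message) is ignored rather than crashing the reader
    'Jun  3 12:00:03 sensor1 suricata_files: this is not json',
]


def parse_pipe_line(line: str) -> Dict[str, object]:
    """Strip the syslog header and decode the JSON body; {} when the line is unusable."""
    start = line.find("{")
    if start < 0:
        return {}
    try:
        rec = json.loads(line[start:])
    except json.JSONDecodeError:
        return {}
    return rec if isinstance(rec, dict) else {}


def md5_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only records carrying a well-formed MD5, normalised to lowercase."""
    events = []
    for line in lines:
        rec = parse_pipe_line(line)
        md5 = str(rec.get("md5", "")).lower()
        if not MD5_RE.match(md5):
            continue
        events.append({
            "md5": md5,
            "srcip": str(rec.get("srcip", "")),      # flow endpoints as Suricata logged them
            "dstip": str(rec.get("dstip", "")),
            "filename": str(rec.get("filename", "")),
            "http_host": str(rec.get("http_host", "")),
        })
    return events


def match_suricata_md5(events: List[Dict[str, str]], triggers: Dict[str, int]) -> List[Tuple[str, int]]:
    """Map each event whose hash is a configured suricata_md5 trigger to its violation id."""
    return [(e["md5"], triggers[e["md5"]]) for e in events if e["md5"] in triggers]


if __name__ == "__main__":
    # constructed trigger table: one suricata_md5 trigger bound to a constructed violation id
    table = {"0123456789abcdef0123456789abcdef": 4000010}
    print(match_suricata_md5(md5_events(SAMPLE_PIPE_LINES), table))
```

The lowercase normalisation matters in practice: a trigger typed in the admin UI and a hash emitted by the sensor must compare equal regardless of case, and a malformed value (wrong length, non-hex characters) should be dropped before any lookup or any Metadefender query is made.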
Security Onion
Installation and Configuration
Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration
Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

    # PacketFence IDS integration
    # This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup that should be pretty much standard)
    source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
    # This line filters on the string "Alert Received"
    filter f_sguil { match("Alert Received"); };
    # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
    log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

    if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:
- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:
- Type: detect; Trigger ID: The IDS triggered rule ID
- Type: suricata_event; Trigger ID: The rule class of the triggered IDS alert
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or have a malware and are using Microsoft Windows.

Violation definition
First, you need to configure the violation definition.

Where:
- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers
Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases:
- A device that has generated Peer-to-peer traffic and that is using Mac OS X
- A device that has been detected as being a rogue DHCP

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear into which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation
Next, in the Remediation tab, you can configure the behavior when a client gets isolated.

Where:
- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced
In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
ComplianceChecks
PacketFence supports eitherNessusOpenVAS andWMI as a scanning engine for compliancechecksSincePacketFencev51youarenowabletocreatemultiplesscanenginesconfigurationandassignthemonspecificcaptiveportalsItmeanperexamplethatyouarenowabletoactiveascanforspecificOperatingSystemonlyonaspecificSSID
InstallationNessusPlease visit httpwwwnessusorgdownload to download Nessus v5 and install the Nessuspackage for your operating system You will also need to register for the HomeFeed (or theProfessionalFeed)inordertogettheplugins
AfteryouinstalledNessusfollowtheNessusdocumentationfortheconfigurationoftheNessusServerandtocreateauserforPacketFence
NoteYou may run into some issue while using Nessus with the NetNessusXMLRPCmodule(whichisthedefaultbehaviorinPacketFence)Pleaserefertothebugtrackingsystemformoreinformation
OpenVASPleasevisithttpwwwopenvasorginstall-packageshtmlopenvas4_centos_atomic toconfigurethecorrectrepositorytobeabletoinstallthelatestOpenVASscanningengine
Once installed pleasemake sure to follow the instructions to correctly configure the scanningengineandcreateascanconfigurationthatwillfityourneedsYoursquollalsoneedtocreateauserforPacketFencetobeabletocommunicatewiththeserver
ItisimportanttogetthecorrectscanconfigIDandNBEreportformatIDtopopulatetheparametersinthePacketFenceconfigurationfileTheeasiestwaytogettheseIDsisbydownloadingbothofthescanconfigurationandreportformatfromtheOpenVASwebguiandretrievetheIDsinthefilenames
Chapter13
Copyrightcopy2016Inverseinc Optionalcomponents 101
Forexamplereport-format-f5c2a364-47d2-4700-b21d-0a7693daddabxmlgivesreportformatIDf5c2a364-47d2-4700-b21d-0a7693daddab
WMIYoujusthavetoenablewmioneachwindowsdeviceswithaGPOfromActiveDirectory
ConfigurationIn order for the compliance checks to correctly work with PacketFence (communication andgenerateviolationsinsidePacketFence)youneedtoconfigurethesesections
ScannerDefinitionFirstgoinConfigurationandScannerDefinition
Thenaddascan
Therearecommonparametersforeachscanengines
Name the name of your scan engineRoles Only devices with these role(s) will be affected (Optional)OS Only devices with this Operating System will be affected (Optional)Duration Approximate duration of scan (Progress bar on the captive portal)Scan before registration Trigger the scan when the device appear on the registration vlanScan after registration Trigger the scan just after registration on the captive portalScan after registration Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic)8021x Even if the auto-registration has been enabled the scan will be trigger on a EAP connection8021x types comma delimited EAP type that will trigger the scan if 8021x above has been enabled
Specific to Nessus:
- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to the Nessus scanner
- Password: password to connect to the Nessus scanner
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)
Specific to OpenVAS:
- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to the OpenVAS scanner
- Password: password to connect to the OpenVAS scanner
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:
- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition
WMI Rules Definition
If you have configured a WMI scan engine, then you need to define WMI rules. WMI is a sort of database on each Windows device; to retrieve information on the device you need to know the SQL request. To help you find and write a rule, you can use a third-party tool like WMI Explorer.
Go in Configuration → WMI Rules Definition.
There are already 3 rules defined: Software_Installed, logged_user, Process_Running.
Let's take the Software_Installed rule:

request: select * from Win32_Product
Rules Actions:
[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matches, then we trigger a violation (with the internal trigger 888888) for the MAC address of the device.
The second one, logged_user:

request: select UserName from Win32_ComputerSystem
Rules Actions:
[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{UserName}

This rule will do the following: retrieve the currently logged user on the device and register the device based on the user account.
The last one, Process_Running:

request: select Name from Win32_Process
Rules Actions:
[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.
Rules syntax
The syntax of the rules is simple to understand.
The request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.
Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).
The test block is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare
Feel free to define multiple test blocks.
The action block is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and explorer is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google or (explorer and memory).
Violations definition
You need to create a new violation section and have to specify:
Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin reports a vulnerability rated higher than low severity.
Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.
Hosting Nessus / OpenVAS remotely
Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.
If you are using the OpenVAS scanning engine:
- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.
If you are using the Nessus scanning engine:
- You just have to change the host value to the Nessus server IP.
RADIUS Accounting
RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected and how much bandwidth the user consumed.
Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION]::[LIMIT]::[INTERVAL (optional)]

Let's explain each chunk properly:
- DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: This is actually the time window we will look at for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).
Example triggers:
Look for incoming (download) traffic with a 50GB/month limit:

Accounting::IN::50GB::1M

Look for outgoing (upload) traffic with a 500MB/day limit:

Accounting::OUT::500MB::1D

Look for total (download + upload) traffic with a 200GB limit in the last week:

Accounting::TOT::200GB::1W

Grace period
When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
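The following is an added example, not PacketFence code: a small parser for the Accounting::DIRECTION::LIMIT::INTERVAL trigger format described above, plus a check that compares a node's accounting counters against the parsed limit and derives the grace period the guide recommends (one interval window). The guide does not state whether KB/MB/GB are powers of 1000 or 1024, nor how months and years are counted, so the binary multipliers and the 30-day month / 365-day year are assumptions of this example.

```python
import re

# Byte multipliers for the LIMIT suffixes (assumption: binary units; the guide does not say 1000 vs 1024).
_SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Window lengths in days for the INTERVAL suffixes (assumption: 30-day months, 365-day years).
_INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

_TRIGGER_RE = re.compile(
    r"^Accounting::(?P<direction>IN|OUT|TOT)::(?P<limit>\d+)(?P<unit>B|KB|MB|GB|PB)"
    r"(?:::(?P<count>\d+)(?P<interval>D|W|M|Y))?$"
)


def parse_trigger(trigger):
    """Parse 'Accounting::DIRECTION::LIMIT[::INTERVAL]' into its components."""
    m = _TRIGGER_RE.match(trigger.strip())
    if not m:
        raise ValueError("malformed accounting trigger: %r" % trigger)
    window_days = None
    if m.group("count"):
        window_days = int(m.group("count")) * _INTERVAL_DAYS[m.group("interval")]
    return {
        "direction": m.group("direction"),
        "limit_bytes": int(m.group("limit")) * _SIZE_UNITS[m.group("unit")],
        "window_days": window_days,
    }


def exceeds(trigger, in_bytes, out_bytes):
    """True when the accounting counters for the trigger's window are over its limit.

    in_bytes / out_bytes are the node's totals over the trigger's interval
    (or its whole lifetime when the trigger has no interval).
    """
    t = parse_trigger(trigger)
    used = {"IN": in_bytes, "OUT": out_bytes, "TOT": in_bytes + out_bytes}[t["direction"]]
    return used > t["limit_bytes"]


def recommended_grace_seconds(trigger):
    """Grace period equal to one interval window, as the guide recommends; None without an interval."""
    days = parse_trigger(trigger)["window_days"]
    return None if days is None else days * 86400
```

A trigger without an interval yields window_days None, which is why recommended_grace_seconds returns None there: with no window, the guide's "one interval window" recommendation has nothing to anchor on and the grace period must be chosen by hand.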
Oinkmaster
Oinkmaster is a Perl script that makes it easy to update the different Snort rules. It is simple to use and install. This section will show you how to set up Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
Here are the steps to make Oinkmaster work. We will assume that you have already downloaded the newest Oinkmaster archive.
1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.
Rules update
In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management
PacketFence supports the ability to manage guests by establishing expire dates and assigning different roles which will permit different access to the network resources.
Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.
Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.
Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup
Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.
Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Self-registered guests are added under the Users tab of the PacketFence Web administration interface.
Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
The format of the duration is as follows:

<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:
- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
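As an added example (not PacketFence's own implementation), here is a parser for the access duration format above that turns a spec such as 12h, 1WR+1D or 1MF-1D into an expiry timestamp. The reading of PERIOD_BASE is taken from the description only and is an assumption of this example: with F the base duration is counted from the registration time itself, with R it is counted from the beginning of the DATETIME_UNIT that contains the registration time (Monday midnight for weeks), and the signed extension is applied afterwards. Month and year arithmetic clamps the day of month (31 January plus one month lands on the last day of February), which is another choice the guide does not specify.

```python
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
_DURATION_RE = re.compile(
    r"^(?P<n>\d+)(?P<unit>[smhDWMY])"
    r"(?:(?P<base>[FR])(?P<op>[+-])(?P<n2>\d+)(?P<unit2>[DWMY]))?$"
)


def _add_units(dt, n, unit):
    """Add n units (s, m, h, D, W, M, Y) to dt; month/year arithmetic clamps the day of month."""
    if unit == "s":
        return dt + timedelta(seconds=n)
    if unit == "m":
        return dt + timedelta(minutes=n)
    if unit == "h":
        return dt + timedelta(hours=n)
    if unit == "D":
        return dt + timedelta(days=n)
    if unit == "W":
        return dt + timedelta(weeks=n)
    if unit in ("M", "Y"):
        months = dt.month - 1 + (n if unit == "M" else 12 * n)
        year, month = dt.year + months // 12, months % 12 + 1
        day = min(dt.day, calendar.monthrange(year, month)[1])
        return dt.replace(year=year, month=month, day=day)
    raise ValueError("unknown unit %r" % unit)


def _start_of_period(dt, unit):
    """Truncate dt to the beginning of its unit (weeks start on Monday, as the guide states)."""
    if unit == "s":
        return dt
    if unit == "m":
        return dt.replace(second=0)
    if unit == "h":
        return dt.replace(minute=0, second=0)
    midnight = dt.replace(hour=0, minute=0, second=0)
    if unit == "D":
        return midnight
    if unit == "W":
        return midnight - timedelta(days=dt.weekday())
    if unit == "M":
        return midnight.replace(day=1)
    if unit == "Y":
        return midnight.replace(month=1, day=1)
    raise ValueError("unknown unit %r" % unit)


def access_expiry(spec, start):
    """Compute the access expiry datetime for a duration spec and a registration datetime."""
    m = _DURATION_RE.match(spec.strip())
    if not m:
        raise ValueError("malformed duration: %r" % spec)
    n, unit = int(m.group("n")), m.group("unit")
    if m.group("base") is None:
        return _add_units(start, n, unit)          # plain duration, e.g. "12h"
    # Assumed reading of PERIOD_BASE: R counts from the start of the unit, F from the exact time.
    base = _start_of_period(start, unit) if m.group("base") == "R" else start
    expiry = _add_units(base, n, unit)
    n2 = int(m.group("n2")) * (1 if m.group("op") == "+" else -1)
    return _add_units(expiry, n2, m.group("unit2"))


def expiry_for(spec, start_iso):
    """Convenience wrapper taking and returning 'YYYY-MM-DD HH:MM:SS' strings."""
    start = datetime.strptime(start_iso, "%Y-%m-%d %H:%M:%S")
    return access_expiry(spec, start).strftime("%Y-%m-%d %H:%M:%S")
```

Running expiry_for("1WR+1D", "2016-06-15 14:30:00") (a Wednesday) first snaps to Monday 2016-06-13 00:00, adds one week, then one day, so the guest expires at 2016-06-21 00:00:00 regardless of the exact registration time within the week; the F form keeps the registration time of day.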
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.
Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.
Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister a deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin"    # Username for the webservices
     $password = "admin"    # Password for the webservices
     # Accepts any server certificate: PacketFence's identity is not verified on this request
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC call: unregister every node owned by the deleted account (ReplacementStrings[0] is the account name)
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes, 0, $bytes.Length)
     $stream.Close()
     $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-deleted-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"
Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings:
- At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.
Validate with OK and give the account who will run this task (usually DOMAIN\Administrator).
Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister a disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin"    # Username for the webservices
     $password = "admin"    # Password for the webservices
     # Accepts any server certificate: PacketFence's identity is not verified on this request
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC call: unregister every node owned by the disabled account (ReplacementStrings[0] is the account name)
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes, 0, $bytes.Length)
     $stream.Close()
     $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-disabled-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"
Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings:
- At the bottom, select in the list "Run a new instance in parallel".
Validate with OK and give the account who will run this task (usually DOMAIN\Administrator).
Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister a locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin"    # Username for the webservices
     $password = "admin"    # Password for the webservices
     # Accepts any server certificate: PacketFence's identity is not verified on this request
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC call: unregister every node owned by the locked account (ReplacementStrings[0] is the account name)
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes, 0, $bytes.Length)
     $stream.Close()
     $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General:
- Name: PacketFence-Unreg_node-for-locked-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"
Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4740
Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings:
- At the bottom, select in the list "Run a new instance in parallel".
Validate with OK and give the account who will run this task (usually DOMAIN\Administrator).
DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.
Microsoft DHCP sensor
You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.
You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.
Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First, download and unzip nssm from https://nssm.cc/download.
Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

where pcap0 is the interface where your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run: nssm install udpreflector
In Application:
- In Path, set it to C:\udp-reflector\udpreflector.bat
- In Startup directory, set it to C:\udp-reflector
- In Arguments, set it to nothing
In Details:
- In Startup type, select Automatic
In Log on:
- In Log on as, select Local System account
Then press Install service.
The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor
First download the RPM on your DHCP server.
CentOS 6 and 7 servers
For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system
First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++
Get the source code of the sensor:

mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor
Place the following line in /etc/rc.local:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.
Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.
Switch login access
PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html
From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write" and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices
IPTables
IPTables is now entirely managed by PacketFence. However, if you need to add some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.
Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.
Performance optimization
SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.
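To make the trap_limit_threshold behaviour concrete, here is an added example (not PacketFence's own code) of a per-port sliding-window trap counter of the kind the feature describes, run over constructed log lines. The log line layout ("timestamp switch=... port=... trap=...") is invented for this example and is not PacketFence's log format; the threshold semantics follow the text above: a port is flagged once more than 100 traps from it arrive within one minute.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line shape for this example (assumption: not PacketFence's real log format):
# "2016-06-15 12:00:01 switch=192.0.2.10 port=12 trap=linkUp"
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) switch=(?P<switch>\S+) port=(?P<port>\S+) trap=(?P<trap>\S+)$"
)


class TrapLimiter:
    """Sliding-window counter of SNMP traps per (switch, port).

    Mirrors trap_limit_threshold: a port is flagged when more than `threshold`
    traps arrive from it within `window` (100 traps in one minute by default).
    """

    def __init__(self, threshold=100, window=timedelta(minutes=1)):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)

    def record(self, switch, port, when):
        """Register one trap and return True if this port is now over the limit."""
        q = self._events[(switch, port)]
        q.append(when)
        # Drop traps that fell out of the window (timestamps per port must be non-decreasing).
        while q and when - q[0] >= self.window:
            q.popleft()
        return len(q) > self.threshold


def process_trap_log(lines, threshold=100):
    """Feed log lines through the limiter; return the set of flagged (switch, port) pairs."""
    limiter = TrapLimiter(threshold=threshold)
    flagged = set()
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not trap records
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if limiter.record(m.group("switch"), m.group("port"), when):
            flagged.add((m.group("switch"), m.group("port")))
    return flagged


def sample_trap_log(burst):
    """Construct a log: `burst` traps from one port within 50 seconds plus normal traffic on another."""
    start = datetime(2016, 6, 15, 12, 0, 0)
    lines = ["pfsetvlan: startup (not a trap record)"]
    for i in range(burst):
        ts = start + timedelta(milliseconds=i * 500)  # two traps per second from port 12
        lines.append("%s switch=192.0.2.10 port=12 trap=linkUp" % ts.strftime("%Y-%m-%d %H:%M:%S"))
    for i in range(3):
        ts = start + timedelta(seconds=i * 20)  # three ordinary traps from port 3
        lines.append("%s switch=192.0.2.10 port=3 trap=linkDown" % ts.strftime("%Y-%m-%d %H:%M:%S"))
    return lines
```

With exactly 100 traps in the window nothing is flagged; the 101st trap within the same minute trips the limit, which matches the "over 100 traps" wording above. When trap_limit_action includes shutting the port, a flagged pair is exactly what that action would be applied to, and a flag on a port you did not expect is worth checking against the switch's own logs before assuming abuse rather than a misbehaving device.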
MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load:

uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:

iostat 5
avg-cpu:  %user  %nice  %sys  %iowait  %idle
          0.60   0.00   3.20  20.20    76.00

Device:     tps    Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  32.40  0.00        1560.00     0         7800

avg-cpu:  %user  %nice  %sys  %iowait  %idle
          0.60   0.00   2.20  9.20     88.00

Device:     tps   Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  7.80  0.00        73.60       0         368

avg-cpu:  %user  %nice  %sys  %iowait  %idle
          0.60   0.00   1.80  23.80    73.80

Device:     tps    Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  31.40  0.00        1427.20     0         7136

avg-cpu:  %user  %nice  %sys  %iowait  %idle
          0.60   0.00   2.40  18.16    78.84

Device:     tps    Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  27.94  0.00        1173.65     0         5880

As you can see, the load is 1.25 and IO wait is peaking at 20%; this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.
Shutdown PacketFence and MySQL:

/etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
/etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):

[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON
Start up MySQL and PacketFence:

/etc/init.d/mysqld start
Starting MySQL: [ OK ]
/etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
iostat 5
Device:     tps   Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  8.00  0.00        75.20       0         376

avg-cpu:  %user  %nice  %sys  %iowait  %idle
          0.60   0.00   2.99  13.37    83.03

Device:     tps    Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  14.97  0.00        432.73      0         2168

avg-cpu:  %user  %nice  %sys  %iowait  %idle
          0.20   0.00   2.60  6.60     90.60

Device:     tps   Blk_read/s  Blk_wrtn/s  Blk_read  Blk_wrtn
cciss/c0d0  4.80  0.00        48.00       0         240

MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql
Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.
Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.
Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error, and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all costs. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
Captive Portal Optimizations
Avoid captive portal overload due to non-browser HTTP requests
By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop…).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
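The Apache filters above and the WMI rules earlier in this chapter share one shape: named test blocks (attribute, operator among is / is_not / match / match_not, value) and an action block whose header holds a boolean expression over the test names using &, |, ! and parentheses. The following added example (this author's illustration, not PacketFence's evaluator) implements that shape once and exercises it against both a constructed WMI result set and a constructed HTTP request. Two points are assumptions of the example rather than statements from the guide: operator precedence (! binds tightest, then &, then |), and the rule that a test passes when any row of a multi-row WMI result satisfies it. The `method` field of Apache tests is checked against the request method; the $mac / $result substitutions in action_param are not modelled.

```python
import re


def evaluate_expression(expr, passed):
    """Evaluate a rule header expression such as '!google|(explorer&memory)'.

    `passed` maps each test name to its boolean result. Grammar assumed from the
    guide's examples: '!' binds tightest, then '&', then '|', with parentheses.
    """
    tokens = re.findall(r"[A-Za-z0-9_]+|[!&|()]", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            right = parse_and()          # always parsed, so `pos` advances even if value is True
            value = value or right
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression %r" % expr)
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in %r" % expr)
            pos += 1
            return value
        if tok not in passed:
            raise ValueError("unknown test %r in %r" % (tok, expr))
        return passed[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result


def check_test(test, record):
    """Apply one test block to one record (a WMI row or an HTTP request)."""
    if test.get("method") and record.get("method") != test["method"]:
        return False
    actual = str(record.get(test["attribute"], ""))
    op, value = test["operator"], test["value"]
    if op == "is":
        return actual == value
    if op == "is_not":
        return actual != value
    if op == "match":
        return re.search(value, actual) is not None
    if op == "match_not":
        return re.search(value, actual) is None
    raise ValueError("unknown operator %r" % op)


def fired_actions(tests, actions, records):
    """Return the action blocks whose header expression holds for `records`.

    Assumption: a test passes when any record satisfies it, which is what a
    multi-row WMI result needs; an HTTP request is simply a one-record list.
    The header's part before ':' (an order number or a filter name) is ignored.
    """
    passed = {name: any(check_test(t, r) for r in records) for name, t in tests.items()}
    return [action for header, action in actions.items()
            if evaluate_expression(header.split(":", 1)[1], passed)]


# Constructed sample data (not from a real device or server).
WMI_TESTS = {"google": {"attribute": "Caption", "operator": "match", "value": "Google"}}
WMI_ACTIONS = {"1:google": {"action": "trigger_violation", "tid": "888888"}}
WMI_ROWS = [{"Caption": "7-Zip 9.20"}, {"Caption": "Google Chrome"}]

APACHE_TESTS = {
    "get_ua_is_dalvik": {"attribute": "user_agent", "method": "GET", "operator": "match", "value": "Dalvik"},
    "get_uri_not_generate204": {"attribute": "uri", "method": "GET", "operator": "match_not", "value": "generate_204"},
}
APACHE_ACTIONS = {"block_dalvik:get_ua_is_dalvik&get_uri_not_generate204": {"action": "501", "redirect_url": ""}}
```

Because `match` and `match_not` are regular-expression searches, a value such as Google also matches "Google Chrome" and "Google Earth", which is what the Software_Installed rule relies on; anchor the pattern (^Google Chrome$) when an exact product name is intended.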
Dashboard Optimizations (statistics collection)
The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.
First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).
Make sure packetfence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak
Additional Information
For more information, please consult the mailing archives or post your questions to them. For details, see:
- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance or align with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca for details.
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools
pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
  cache                        | manage the cache subsystem
  checkup                      | perform a sanity checkup and report any problems
  class                        | view violation classes
  configfiles                  | push or pull configfiles into/from database
  configreload                 | reload the configution
  floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
  help                         | show help for pfcmd commands
  ifoctetshistorymac           | accounting history
  ifoctetshistoryswitch        | accounting history
  ifoctetshistoryuser          | accounting history
  import                       | bulk import of information into the database
  ipmachistory                 | IP/MAC history
  locationhistorymac           | Switch/Port history
  locationhistoryswitch        | Switch/Port history
  networkconfig                | query/modify network configuration parameters
  node                         | manipulate node entries
  pfconfig                     | interact with pfconfig
  portalprofileconfig          | query/modify portal profile configuration parameters
  reload                       | rebuild fingerprint or violations tables without restart
  service                      | start/stop/restart and get PF daemon status
  schedule                     | Nessus scan scheduling
  switchconfig                 | query/modify switches.conf configuration parameters
  version                      | output version information
  violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option
The "node view" option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACS on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias           switch port description
  -ifAdminStatus   ifAdminStatus
  -ifIndex         switch port ifIndex
  -mac             MAC address
  -showPF          show additional information available in PF
  -switch          switch description
  -verbose         log verbosity level
                     0 : fatal messages
                     1 : warn messages
                     2 : info messages
                     3 : debug
                     4 : trace
  -vlan            VLAN id
  -vlanName        VLAN name (as in switches.conf)
System Requirements
Assumptions
PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)
Depending on your setup, you may have to install additional components like:
- NIDS (Snort/Suricata)
In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.
A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you are missing some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements
The following provides a list of the minimum server hardware recommendations:
- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 network card (2 recommended)
Operating System Requirements
PacketFence supports the following operating systems on the x86_64 architecture:
- RedHat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Installation
This section will guide you through the installation of PacketFence together with its dependencies.
OS Installation
Install your distribution with minimal installation and no additional packages. Then:
- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf
Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:
yum update
On a Debian or Ubuntu system, do:
apt-get update
apt-get upgrade
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with "update-rc.d -f apparmor stop", "update-rc.d -f apparmor teardown" and "update-rc.d -f apparmor remove". Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
RedHat-based systems
Note
Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x
Note
These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
RedHat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from RedHat, you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian
All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides an RPM repository for RHEL / CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL / CentOS
In order to use the PacketFence repository:
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server), using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator
Debian
For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server), using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that "inline" network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic will be blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of:
- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- IPSet can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment, since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication
802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as the NAS) and an authentication server (known as the AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both the supplicant and the authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows, Mac OS X and Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name, and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X-capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication
Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly, and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:
1. User initiates association to WLAN AP and transmits MAC address. If the user accesses the network via a device registered in PacketFence, go to 8.
2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts an address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs the WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions, including: keep the device on the registration portal, direct it to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user + device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller, and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs the WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal VLAN".
Web Auth mode
Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID, only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP
Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN, but the PC doesn't do DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.
linkUp/linkDown traps (deprecated)
This is the most basic setup, and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly, and this could result in network connection latency.
MAC notification traps
If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.
If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap, whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
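As an added illustration of the trap handling described in this section (not PacketFence's own code, and not a reader of the real snmptrapd.log format), the following Python models what pfsetvlan does per trap type: a linkUp parks the port in the MAC detection VLAN, a linkDown cancels the pending linkUp work on the same port, and a MAC learnt or port-security trap looks the MAC up and selects the registration, isolation or normal VLAN. Trap records, node data and VLAN names are constructed for the example.

```python
"""Simplified model of how pfsetvlan reacts to linkUp/linkDown, MAC notification
and port-security traps. Added example; trap dicts and node data are constructed."""
from dataclasses import dataclass, field
from typing import Optional

MAC_DETECTION_VLAN = "mac-detection"   # void VLAN: no DHCP, not routed
REGISTRATION_VLAN = "registration"     # unregistered devices land here
ISOLATION_VLAN = "isolation"           # registered devices with open violations
NORMAL_VLAN = "normal"                 # assumed name for the regular VLAN


@dataclass
class Node:
    registered: bool
    open_violations: int = 0


def vlan_for_mac(nodes: dict, mac: str) -> str:
    """Status check done once the MAC is known: existing? registered? violations?"""
    node = nodes.get(mac)
    if node is None or not node.registered:
        return REGISTRATION_VLAN
    if node.open_violations > 0:
        return ISOLATION_VLAN
    return NORMAL_VLAN


@dataclass
class TrapHandler:
    nodes: dict
    port_vlans: dict = field(default_factory=dict)    # (switch, port) -> VLAN written
    pending_ports: set = field(default_factory=set)   # ports still polled after linkUp
    secured: dict = field(default_factory=dict)       # (switch, port) -> authorized MAC
    log: list = field(default_factory=list)           # every SNMP write that would be sent

    def handle(self, trap: dict) -> Optional[str]:
        """Process one trap and return the VLAN set on the port, if any."""
        key = (trap["switch"], trap["port"])
        kind = trap["type"]
        if kind == "linkUp":
            # MAC not learned yet: park the port and keep polling until it is
            # learned (or until a linkDown on the same port cancels the work).
            self.pending_ports.add(key)
            return self._set(key, MAC_DETECTION_VLAN)
        if kind == "linkDown":
            self.pending_ports.discard(key)   # stop the thread for the linkUp
            return self._set(key, MAC_DETECTION_VLAN)
        if kind in ("macLearnt", "portSecurity"):
            mac = trap["mac"].lower()
            if kind == "portSecurity":
                # A MAC other than the one authorized on the port showed up;
                # the switch sends no trap for an already authorized, lone MAC.
                if self.secured.get(key) == mac:
                    return None
                self.secured[key] = mac
            self.pending_ports.discard(key)   # no need to keep querying the switch
            return self._set(key, vlan_for_mac(self.nodes, mac))
        if kind == "macRemoved":
            return None   # nothing to do until the port reports activity again
        raise ValueError(f"unsupported trap type {kind!r}")

    def _set(self, key, vlan: str) -> str:
        self.port_vlans[key] = vlan
        self.log.append((key, vlan))
        return vlan


def run_constructed_traps() -> TrapHandler:
    """Replay a constructed sequence: a NIC bounce followed by a registered PC
    with a violation, a clean registered PC, and an unknown device on a
    port-security port."""
    nodes = {
        "00:11:22:33:44:55": Node(registered=True, open_violations=1),
        "aa:bb:cc:dd:ee:01": Node(registered=True),
    }
    handler = TrapHandler(nodes)
    traps = [
        {"type": "linkUp", "switch": "sw1", "port": 3},
        {"type": "linkDown", "switch": "sw1", "port": 3},   # NIC initialization bounce
        {"type": "linkUp", "switch": "sw1", "port": 3},
        {"type": "macLearnt", "switch": "sw1", "port": 3, "mac": "00:11:22:33:44:55"},
        {"type": "portSecurity", "switch": "sw2", "port": 7, "mac": "AA:BB:CC:DD:EE:01"},
        {"type": "portSecurity", "switch": "sw2", "port": 8, "mac": "de:ad:be:ef:00:01"},
    ]
    for trap in traps:
        handler.handle(trap)
    return handler
```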
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55
This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
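As an added example (not PacketFence's own code), the following Python parses a trigger string in the format shown above and decides whether a given connection gets inline enforcement; the connection attributes (SSID, MAC, ifIndex), the MAC normalization and the strict rejection of unknown trigger types are assumptions of the example.

```python
"""Evaluate a "Trigger to enable inline mode" string of the form
TYPE::VALUE[,TYPE::VALUE...] with TYPE in ALWAYS, PORT, MAC, SSID.
Added example; the Connection model is an assumption of this example."""
from dataclasses import dataclass
from typing import Optional

VALID_TRIGGER_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-55 == 00:11:22:33:44:55."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_trigger(trigger: str) -> list:
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into [(type, value), ...].

    Unknown trigger types raise instead of being ignored, so a typo in the
    switch configuration cannot silently leave a device out of inline mode.
    """
    pairs = []
    for item in trigger.split(","):
        item = item.strip()
        if not item:
            continue
        ttype, sep, value = item.partition("::")
        ttype = ttype.strip().upper()
        if ttype not in VALID_TRIGGER_TYPES:
            raise ValueError(f"unknown inline trigger type: {ttype!r}")
        if ttype == "ALWAYS":
            value = ""                     # ALWAYS carries no meaningful value
        elif not sep or not value.strip():
            raise ValueError(f"trigger {ttype} requires a value")
        value = value.strip()
        if ttype == "MAC":
            value = normalize_mac(value)
        pairs.append((ttype, value))
    return pairs


@dataclass
class Connection:
    """Attributes of an authenticating endpoint (constructed for this example)."""
    mac: str
    ssid: Optional[str] = None       # set for wireless connections
    if_index: Optional[int] = None   # set for wired connections


def inline_enforcement_applies(trigger: str, conn: Connection) -> bool:
    """True when any trigger in the list matches the connection (triggers are OR-ed)."""
    mac = normalize_mac(conn.mac)
    for ttype, value in parse_inline_trigger(trigger):
        if ttype == "ALWAYS":
            return True
        if ttype == "MAC" and value == mac:
            return True
        if ttype == "SSID" and conn.ssid is not None and value == conn.ssid:
            return True
        if ttype == "PORT" and conn.if_index is not None and value == str(conn.if_index):
            return True
    return False
```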
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. test
Note
If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a first-match wins operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example
Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.
Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:
- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then we add a rule by clicking on the Add rule button and provide the following information:
- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role employee
  - Set unregistration date January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then we add a rule:
- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role machineauth
  - Set unregistration date January 1st, 2020
Note
When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.
Note
If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
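As an added example (not PacketFence's own code) of the first-match wins evaluation described above, combined with the catch-all semantics from the note: sources and rules are tested in order, a rule without conditions is a fallback, and directory-backed sources only match users they actually know while Kerberos/RADIUS accept everyone. The condition operators, the directory contents and the extra "contractors" rule with a condition are constructed for this example.

```python
"""First-match wins evaluation of authentication sources, rules, conditions and
actions. Added example; data structures and sample directory are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Source types whose catch-all rules match only users the source knows.
LOOKUP_SOURCE_TYPES = {"AD", "LDAP", "Htpasswd", "SQL"}
# Source types whose catch-all rules accept everybody (per the note above).
TRUE_CATCHALL_SOURCE_TYPES = {"Kerberos", "RADIUS"}


@dataclass
class Condition:
    attribute: str
    operator: str     # assumed operators: "equals" | "starts" | "is member of"
    value: str

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "starts":
            return str(actual).startswith(self.value)
        if self.operator == "is member of":
            groups = actual if isinstance(actual, list) else [actual]
            return self.value in groups
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    name: str
    conditions: list = field(default_factory=list)   # empty list => catch-all / fallback
    actions: dict = field(default_factory=dict)      # e.g. {"set_role": "employee"}


@dataclass
class Source:
    name: str
    type: str
    rules: list
    # Returns the user's attributes when the source knows the username, else None.
    lookup: Callable[[str], Optional[dict]] = lambda username: None


def evaluate(sources: list, username: str) -> Optional[dict]:
    """Return the actions of the first matching rule across all sources, in order.

    The first match stops all further testing, including in later sources.
    """
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            if source.type not in TRUE_CATCHALL_SOURCE_TYPES:
                continue                       # user unknown here: try the next source
            attrs = {"username": username}     # Kerberos/RADIUS: true catch-all
        for rule in source.rules:
            if all(cond.matches(attrs) for cond in rule.conditions):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None


# Constructed directory content standing in for the ad1 source above.
_FAKE_AD = {
    "alice": {"sAMAccountName": "alice", "memberOf": ["CN=Staff,DC=acme,DC=local"]},
    "bob": {"sAMAccountName": "bob", "memberOf": []},
    "carol": {"sAMAccountName": "carol", "memberOf": ["CN=Contractors,DC=acme,DC=local"]},
}
_FAKE_GUEST_DB = {"visitor1": {"username": "visitor1"}}


def build_example_sources() -> list:
    """The two-role setup above (employees from AD, guests from the local SQL
    database), plus a constructed conditional rule placed before the catch-all."""
    ad1 = Source(
        name="ad1", type="AD",
        lookup=lambda u: _FAKE_AD.get(u),
        rules=[
            Rule("contractors",
                 conditions=[Condition("memberOf", "is member of",
                                       "CN=Contractors,DC=acme,DC=local")],
                 actions={"set_role": "contractor", "set_access_duration": "30D"}),
            Rule("employees",    # catch-all rule: no conditions
                 actions={"set_role": "employee", "set_unregdate": "2020-01-01"}),
        ],
    )
    local = Source(
        name="local", type="SQL",
        lookup=lambda u: _FAKE_GUEST_DB.get(u),
        rules=[Rule("guests", actions={"set_role": "guest", "set_access_duration": "1D"})],
    )
    return [ad1, local]
```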
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication
This should provide the information about whether or not the username/password combination is valid.
This information is available through the POST fields of the request.
The server should reply with two attributes in a JSON response:
- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}
Authorization
This should provide the actions to apply on a user based on its attributes.
The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.
Sample JSON response; note that not all attributes are necessary, only send back what you need:
{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}
Note
See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.
PacketFence configuration
In PacketFence, you need to configure an HTTP source in order to use an external API.
Here is a brief description of the fields:
- Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
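As an added example of an external API implementing the two actions described above (not PacketFence's own code; the project's reference implementation is /usr/local/pf/addons/example_external_auth), the following Python serves both endpoints. It assumes the POST fields are named "username" and "password", that the Authentication URL is /auth and the Authorization URL is /authorize, and that both API username and password fields are set in PacketFence so every request carries HTTP basic credentials; the user table is constructed.

```python
"""External HTTP authentication API for the contract above: POST /auth returns
{"result": 0|1, "message": ...}; POST /authorize returns only the attributes
PacketFence understands. Added example; user table and credentials constructed."""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs

# Basic-auth credentials PacketFence must present (the "API username and password" fields).
API_USER = "packetfence"
API_PASSWORD = "change-me"   # placeholder value


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: password hashes only, never clear-text passwords.
_SALT = b"example-static-salt"
USERS = {
    "alice": {"hash": _pbkdf2("correct horse", _SALT), "category": "employee",
              "access_level": "ALL", "unregdate": "2030-01-01"},
    "guest1": {"hash": _pbkdf2("welcome1", _SALT), "category": "guest",
               "access_duration": "1D", "sponsor": 1},
}


def authenticate(fields: dict) -> dict:
    """Authentication action: is the username/password combination valid?"""
    user = USERS.get(fields.get("username", ""))
    candidate = _pbkdf2(fields.get("password", ""), _SALT)
    # Always do the hash work and compare in constant time, so response timing
    # does not reveal which usernames exist.
    if user is not None and hmac.compare_digest(candidate, user["hash"]):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields: dict) -> dict:
    """Authorization action: send back only the attributes set for this user."""
    user = USERS.get(fields.get("username", ""))
    if user is None:
        return {}
    allowed = ("access_duration", "access_level", "sponsor", "unregdate", "category")
    return {k: user[k] for k in allowed if k in user}


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value an RFC 2617 Basic client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header: Optional[str]) -> bool:
    """Validate the Basic credentials PacketFence sends with each request."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(decoded, f"{API_USER}:{API_PASSWORD}")


class Handler(BaseHTTPRequestHandler):
    ROUTES = {"/auth": authenticate, "/authorize": authorize}

    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-auth"')
            self.end_headers()
            return
        action = self.ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        fields = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen locally only; put TLS termination in front of it for a real deployment.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```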
SAML authentication
PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.
First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.
Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources, then create a new Internal source of the type SAML and configure it.
Where:
- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.
Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.
In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:
    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
    );
Note
PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.
Passthroughs
In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
NetworkDevicesDefinition(switchesconf)
ThissectionappliesonlyforVLANenforcementUsersplanningtodoinlineenforcementonlycanskipthissection
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

  - Default SNMP read/write communities for the switches
  - Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

  - Switch IP/Mac/Range
  - Switch vendor/type
  - Switch uplink ports (trunks and non-managed IfIndex)
  - per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file:

    /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
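Because switches.conf carries secrets and the parameters that decide whether PacketFence can enforce anything (SNMP version, working mode, CLI transport, RADIUS secret, role mappings), it is worth auditing before a switch goes into production. The script below is an added example and not PacketFence code: it parses an INI-style switches.conf, merges the [default] section into each switch section (an assumption about inheritance, not something the guide states), resolves the <rolename>Role=<controller_role> mappings described above, and flags the settings a reviewer would question. The sample file and the check thresholds are constructed for the example.

```python
"""Audit a PacketFence-style switches.conf for weak settings and resolve the
<rolename>Role=<controller_role> mappings.

Added example, not PacketFence code. Assumptions not taken from the guide:
the file is INI-style, every switch section inherits parameters from the
[default] section unless it overrides them, and the thresholds used by the
checks below (SNMP version, MD5, Telnet, secret length) are this script's own.
"""
import configparser
import io

# Constructed sample file for demonstration; the weak values are deliberate.
SAMPLE_SWITCHES_CONF = """\
[default]
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
mode = production
radiusSecret = secretPassPhrase
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.0.1]
type = Cisco::Catalyst_2960
mode = testing

[192.168.0.2]
type = Cisco::Catalyst_2960
SNMPVersion = 2c
SNMPCommunityRead = public
cliTransport = Telnet
salesRole = guest-access
"""


def load_switches(text):
    """Return {switch_section: effective_parameters}, with [default] merged in."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep parameter names case-sensitive
    parser.read_file(io.StringIO(text))
    defaults = dict(parser["default"]) if parser.has_section("default") else {}
    switches = {}
    for section in parser.sections():
        if section == "default":
            continue
        effective = dict(defaults)
        effective.update(parser[section])  # per-switch values win over defaults
        switches[section] = effective
    return switches


def role_mappings(params):
    """Resolve <rolename>Role=<controller_role> entries into {rolename: role}."""
    suffix = "Role"
    return {key[:-len(suffix)]: value for key, value in params.items()
            if key.endswith(suffix) and len(key) > len(suffix)}


def audit_switch(params):
    """Return the findings a reviewer would flag for one switch's settings."""
    findings = []
    version = params.get("SNMPVersion", "")
    if version in ("1", "2c"):
        findings.append("SNMP v%s: community strings travel in cleartext" % version)
    if version == "3" and params.get("SNMPAuthProtocolRead", "").upper() == "MD5":
        findings.append("SNMPv3 auth protocol is MD5; SHA is available on most switches")
    if params.get("SNMPCommunityRead") == "public":
        findings.append("SNMP read community is the well-known default 'public'")
    if params.get("cliTransport", "").lower() == "telnet":
        findings.append("cliTransport=Telnet sends cliUser/cliPwd in cleartext")
    if params.get("mode", "production") != "production":
        findings.append("mode=%s: VLAN changes are not applied" % params["mode"])
    if len(params.get("radiusSecret", "")) < 16:
        findings.append("radiusSecret is shorter than 16 characters")
    return findings


def audit_all(text):
    """Audit every switch in the file: {switch: (role_mappings, findings)}."""
    return {name: (role_mappings(params), audit_switch(params))
            for name, params in load_switches(text).items()}


if __name__ == "__main__":
    for name, (roles, findings) in audit_all(SAMPLE_SWITCHES_CONF).items():
        print(name, roles)
        for finding in findings:
            print("  -", finding)
```

Run it against a copy of the real file by replacing SAMPLE_SWITCHES_CONF with the file's contents; the point of merging [default] first is that a switch which only overrides `mode` still reports the inherited SNMP and RADIUS settings, which is what the switch will actually use.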
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

    SSID: Guest-SSID
    VLAN: 100
    Switch Port: <SwitchId>-<Port>
    Network: Network in CIDR format or an IP address

Caution: Node role will take effect only with a 802.1x connection or if you use VLAN filters.
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.
Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.
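The reason each domain gets two realms is that the same user can arrive as user@DOMAIN.NET or as DOMAIN\user, and both spellings must land on the same domain, while a bare user name goes to the default realm. The following is an added example, not PacketFence or FreeRADIUS code, that models that dispatch over a constructed realm table; the user-name spellings it accepts and its choice to reject an unknown realm instead of sending it to the default domain are assumptions of this example.

```python
"""Map a RADIUS User-Name to the PacketFence domain it belongs to, following
the realm layout above (one realm for the DNS name and one for the workgroup
of each domain, both pointing at the same domain).

Added example, not PacketFence or FreeRADIUS code. Assumptions not taken from
the guide: the user name arrives as user@DNS-NAME, as WORKGROUP\\user or bare;
realm names are compared case-insensitively; a bare name is assigned the
default realm; an unknown realm is rejected rather than silently sent to the
default domain.
"""

# Constructed realm table mirroring the example: DOMAIN.NET and DOMAIN both
# resolve to the domain identified as "domain"; OTHER.NET and OTHER to "other".
REALMS = {
    "domain.net": "domain",
    "domain": "domain",
    "other.net": "other",
    "other": "other",
}
DEFAULT_REALM = "domain.net"


def split_user_name(user_name):
    """Return (realm or None, user) for the three accepted spellings."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")   # WORKGROUP\user (NT4 style)
        return realm, user
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")   # user@dns.name
        return realm, user
    return None, user_name                           # bare name: default realm


def resolve_domain(user_name, realms=REALMS, default_realm=DEFAULT_REALM):
    """Return (domain, user), or None when the name cannot be placed."""
    realm, user = split_user_name(user_name)
    if not user:
        return None  # e.g. "DOMAIN\\" or "@domain.net": nothing to authenticate
    domain = realms.get((realm or default_realm).lower())
    if domain is None:
        return None  # unknown realm: do not fall through to the default domain
    return domain, user


if __name__ == "__main__":
    for name in ("alice@DOMAIN.NET", "DOMAIN\\bob", "carol", "dave@unknown.example"):
        print(name, "->", resolve_domain(name))
```

Rejecting an unknown realm is the conservative choice: a request carrying a realm you never configured is more likely a misconfigured client or a probe than a legitimate user of the default domain, and a hard failure shows up in radius.log where a silent fallback would not.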
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:
    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
            User-Name = "myDomainUser"
            NAS-IP-Address = 10.0.0.1
            NAS-Port = 12
            Message-Authenticator = 0x00000000000000000000000000000000
            MS-CHAP-Challenge = 0x79d62c9da4e55104
            MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note: This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfsponsor
                if (fail || notfound) {
                    # Don't check activation table with phone number and PIN code
                    # pfsms    <--- This line was commented out
                    if (fail || notfound) {
                        update control {
                            &MS-CHAP-Use-NTLM-Auth := Yes
                        }
                    }
                }
            }
        }
    }

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            update control {
                MS-CHAP-Use-NTLM-Auth := Yes
            }
        }
    }

Caution: You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
            User-Name = "dd9999"
            User-Password = "Abcd1234"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note: When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning: all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined. Ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

Billing: Allows to define a module based on one or more billing sources.

Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

  - Prompting for fields without authentication
  - Prompting additional fields during the authentication
  - Chained authentication
  - Mixing login and Secure SSID on-boarding on the portal
  - Displaying a message to the user after the registration
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note: Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.

Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.
Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

    Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.

Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.

ex: pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Debugging
Log files

Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log - PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access - Apache - Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error - Apache - Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access - Apache - Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error - Apache - Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access - Apache - Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error - Apache - Webservices Error Log
    /usr/local/pf/logs/httpd.aaa.access - Apache - AAA Access Log
    /usr/local/pf/logs/httpd.aaa.error - Apache - AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

  a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
  b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 MAC address authorized on the voice VLAN and 1 on the access VLAN.
Note
Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.
MAC Authentication and 802.1X
Cisco hardware
On Cisco switches we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only (no RADIUS tunneled attributes). CDP then tells the phone to tag its Ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes and the switch will place the port in the provided access VLAN.
Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.
Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.
What if the CDP/LLDP feature is missing
It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN ID. The phone will then reboot and tag its Ethernet frames using the provided VLAN tag.
In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP phones (on the first connect, the phone will be assigned to the registration VLAN).
Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.
Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. Installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence we go further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will be able to use the new SSID.
Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:
[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple users simply need to click on that link and follow the instructions on their device. Android users simply click the link and will be forwarded to Google Play to install the PacketFence agent. Launching the application and clicking "configure" will create the secure SSID profile. It is that simple.
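The following Python script is an added example, not code from PacketFence, showing what such a generated profile contains: a Wi-Fi payload for a hidden SSID with only the user name pre-filled, so no password is ever written into a file that the user could forward. The payload keys are Apple's Wi-Fi profile keys; the SSID, organization and user name are constructed sample values, and the summary function shows what to check before handing a profile out.

```python
"""Generate an Apple .mobileconfig Wi-Fi profile for a hidden SSID.

Added example, not PacketFence code. Only the user name is pre-populated,
never the password, matching what the guide describes. The SSID, the
organization used as identifier prefix and the user name are constructed.
"""
import plistlib
import uuid


def build_wifi_profile(ssid, username, org="example.org"):
    """Return the XML plist bytes of a WPA2-Enterprise profile for `ssid`.

    The device prompts for the password on install, so the profile can be
    served from the captive portal without leaking a credential.
    """
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": True,      # the guide's use case: SSID is not broadcast
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # PEAP
            "UserName": username,    # pre-populated; password deliberately absent
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} wireless access",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def profile_summary(xml):
    """Parse a generated profile back and expose what a reviewer checks."""
    profile = plistlib.loads(xml)
    wifi = profile["PayloadContent"][0]
    eap = wifi["EAPClientConfiguration"]
    return {
        "ssid": wifi["SSID_STR"],
        "hidden": wifi["HIDDEN_NETWORK"],
        "username": eap["UserName"],
        "has_password": "UserPassword" in eap,  # must stay False
    }


if __name__ == "__main__":
    xml = build_wifi_profile("Secure-SSID", "jdoe")
    print(xml.decode())
    print(profile_summary(xml))
```

The has_password field is the check worth automating: a profile that carries UserPassword turns the portal into a credential distribution point for anyone who obtains the link.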
Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.
PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.
In order to activate the billing, you will need to configure the following components:
Billing source(s)
Billing tier(s)
Configuring a billing source
First select a billing provider and follow the instructions below.
Paypal
Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.
If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account
To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.
Then, in the Sandbox menu, click Accounts.
Create an account that has the type Personal and one that has the type Business.
Afterwards, go back into Accounts and expand the business account, then click Profile.
Now click the Change password link, change the password and note it.
Do the same thing with the personal account you created.
Configuring the merchant account
Log in to the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account or at https://www.paypal.com if you are using a real account.
Next, go in My Account → Profile in order to go into your profile configuration.
Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings as follows.
You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify
You should also take note of the Identity Token, as it will be required in the PacketFence configuration.
Next, go back in your profile configuration (My Account → Profile) and select Encrypted Payment Settings.
Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).
Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.
Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution
The certificate will NOT be the same if you use a sandbox account or a real account.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:
Identity token is the one you noted on the Website Payment Preferences page.
Cert ID is the one you noted on the Encrypted Payment Settings page.
Payment type is whether the access is donation based (not mandatory to pay for it).
Email address is the email address of the merchant Paypal account.
Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default).
Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
Currency is the currency that will be used in the transactions.
Test mode should be activated if you are using a sandbox account.
Stripe
Stripe account
First, go on https://dashboard.stripe.com, create an account and log in.
Next, on the top right, click Your account, then Account settings.
Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:
Secret key is the secret key you got from your Stripe account.
Publishable key is the publishable key you got from your Stripe account.
Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
Currency is the currency that will be used in the transactions.
Test mode should be activated if you are using the test key and secret.
Authorize.net
Creating an account
First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.
After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.
Then log in to your new account.
Then, under Account, click Settings.
On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.
PacketFence configuration
Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:
API login ID is the one you got earlier while creating your account.
Transaction key is the one you got earlier while creating your account.
MD5 hash is the one you configured in your Authorize.net account.
Currency is the currency that will be used in the transactions.
Test mode should be activated if you are using a sandbox account.
Mirapay
To be contributed.
Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which define the price and the target authentication rules for the user.
In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.
Where:
Billing tier is the unique identifier of the billing tier.
Name is the friendly name of the billing tier.
Description is an extended description of the billing tier.
Price is the amount that will be charged to the user.
Access duration is the amount of time the user will be granted access to your network.
Role is the target role the user should be in.
Use time balance defines whether the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, they can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.
Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.
Billing tier
When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.
You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
Stripe configuration
Then, in your Stripe dashboard, go in Subscriptions → Plans.
Then create a new plan.
Where:
ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.
Now, following the same procedure, create the advanced plan.
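Nothing in Stripe or in PacketFence enforces that the two sides agree, so a consistency check is worth running before the source goes live. The following Python script is an added example (not PacketFence or Stripe code): it reads the two tiers above from a constructed copy of billing_tiers.conf and compares them with a constructed list of plan records shaped like Stripe's API output (amounts in cents), applying the three matching rules just listed. The advanced plan is deliberately given the wrong currency to show how a mismatch is reported.

```python
"""Cross-check PacketFence billing tiers against Stripe subscription plans.

Added example, not PacketFence code. Rules encoded, as stated in the guide:
the Stripe plan ID equals the billing tier ID, the plan amount equals the
tier price, and the plan currency equals the Stripe source's currency.
"""
import configparser
from decimal import Decimal

# Constructed copy of the guide's two tiers, in billing_tiers.conf syntax.
BILLING_TIERS_CONF = """
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed plan records shaped like Stripe's API output (amount in cents).
# The "advanced" plan carries a wrong currency on purpose.
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 999, "currency": "cad", "interval": "month"},
]


def parse_tiers(text):
    """Return {tier_id: {key: value}} from billing_tiers.conf content."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_tiers(tiers, plans, source_currency):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    plans_by_id = {plan["id"]: plan for plan in plans}
    for tier_id, tier in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:
            problems.append(f"{tier_id}: no Stripe plan with this ID")
            continue
        # Stripe amounts are in the smallest currency unit; PF prices are decimal.
        expected_cents = int(Decimal(tier["price"]) * 100)
        if plan["amount"] != expected_cents:
            problems.append(f"{tier_id}: Stripe amount {plan['amount']} "
                            f"!= tier price {expected_cents} cents")
        if plan["currency"].lower() != source_currency.lower():
            problems.append(f"{tier_id}: plan currency {plan['currency']} "
                            f"!= source currency {source_currency}")
    # A plan with no tier would let a customer pay for access PF cannot grant.
    for plan_id in sorted(plans_by_id.keys() - tiers.keys()):
        problems.append(f"{plan_id}: Stripe plan has no PacketFence billing tier")
    return problems


if __name__ == "__main__":
    tiers = parse_tiers(BILLING_TIERS_CONF)
    for problem in check_tiers(tiers, STRIPE_PLANS, "USD") or ["no problems found"]:
        print(problem)
```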
Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.
Updates are sent using HTTP requests to a public IP.
You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain. Expose only what the webhook needs on that public address; the administration interface must not be reachable from the Internet.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.
In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.
Where:
URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
Mode is whether this webhook is for testing mode or live mode.
Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's ID and can be assigned to a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
[registration]
device_registration = enabled
device_registration_role = gaming
Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration → Registration section.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
(eduroam, https://www.eduroam.org)
PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:
client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}
client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied):
proxy.conf example (the ipaddr below is a placeholder; use the real address of your eduroam server):
home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}
Define a pool of servers to group your eduroam home servers together:
proxy.conf example:
home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}
Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain either as a DOMAIN\ prefix or as an @suffix of the username.
If none is found, the REALM is NULL.
If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}
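To make the realm rules concrete, here is an added Python model (not FreeRADIUS or PacketFence code) of the decision sequence: ntdomain looks for a DOMAIN\user prefix, suffix for a user@domain suffix, a request with neither lands in NULL, a known domain stays local, and anything else falls to DEFAULT and is proxied to the eduroam pool. The realm names are the ones from the proxy.conf example; the user names are constructed. It also shows the consequence a practitioner should keep in mind: a mistyped local domain does not fail locally, it leaves the institution as a proxied request.

```python
"""Realm selection as described for eduroam, as an added Python model.

Not FreeRADIUS or PacketFence code. It mirrors the decision sequence of the
ntdomain and suffix realm modules against the realms of the proxy.conf
example: NULL, EXAMPLE and example.edu are local, everything else matches
DEFAULT and is proxied to the eduroam pool.
"""

LOCAL_REALMS = {"NULL", "EXAMPLE", "example.edu"}  # realms without auth_pool
DEFAULT_POOL = "eduroam"  # realm DEFAULT { auth_pool = eduroam; nostrip }


def find_domain(username):
    """Apply ntdomain (prefix, delimiter '\\') before suffix (delimiter '@'),
    the module order used in the authorize section.
    Returns (user, domain); domain is None when neither module matches."""
    if "\\" in username:
        domain, _, user = username.partition("\\")
        return user, domain
    if "@" in username:
        user, _, domain = username.rpartition("@")
        return user, domain
    return username, None


def select_realm(username):
    """Return (realm, pool); pool is None when authentication stays local."""
    _, domain = find_domain(username)
    if domain is None:
        return "NULL", None          # bare user name such as "bob"
    if domain in LOCAL_REALMS:
        return domain, None          # EXAMPLE\bob or bob@example.edu
    # Any other domain: DEFAULT realm, proxied to the eduroam pool.
    # Because DEFAULT uses nostrip, the full user@domain is forwarded.
    return "DEFAULT", DEFAULT_POOL


def route(username):
    """Human-readable routing decision, handy when reviewing a realm setup."""
    realm, pool = select_realm(username)
    where = "local" if pool is None else f"proxied to pool '{pool}'"
    return f"{username}: realm {realm}, {where}"


if __name__ == "__main__":
    # Constructed identities, the last one with a typo in the local domain.
    for name in ("bob", "EXAMPLE\\bob", "bob@example.edu",
                 "alice@partner.ac.uk", "bob@exmaple.edu"):
        print(route(name))
```

The last sample is the case to watch: bob@exmaple.edu is not a local realm, so the request (and the EAP identity it carries) is forwarded to the eduroam infrastructure rather than rejected at home.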
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
authorize {
    # pay attention to the order of the modules. It matters!
    ntdomain
    suffix
    preprocess

    # uncomment this section if you want to block eduroam users from your other SSIDs.
    # The attribute name (Called-Station-Id) may differ based on your controller.
    #if ( Called-Station-Id !~ /eduroam$/i ) {
    #    update control {
    #        Proxy-To-Realm := local
    #    }
    #}

    eap {
        ok = return
    }
    files
    expiration
    logintime
    packetfence
}
In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:
post-auth {
    exec
    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}

# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}
Fingerbank integration
Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents. Keep in mind that all of these attributes are supplied by the client itself, so a profiling result identifies what a device claims to be, not what it is.
The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it into the global database, querying the global upstream database in the case of an unknown match, and much more.
Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.
Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.
Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration into the global database. Note that this sends data observed on your network to a third party; review what is shared before enabling it.
Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.
Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream entries (or both) to allow identification of a device.
Settings
Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There is documentation for each and every parameter to allow easier understanding.
Floating Network Devices
Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.
Caution
Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port as it was before the device was plugged in.
Because a floating device is recognized only by its MAC address, and a match disables port-security and can turn the port into a trunk, keep the list of floating devices short and treat their MAC addresses as sensitive configuration.
How it works
Configuration:
Floating network devices have to be identified using their MAC address.
Linkup/linkdown traps are not enabled on the switches; only port-security traps are.
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
it disables port-security;
it sets the PVID;
it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs;
it enables linkdown traps.
When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
it enables port-security;
it disables linkdown traps.
Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
by editing conf/floating_network_device.conf;
through the Web GUI in Configuration → Network → Floating devices.
Here are the settings that are available:
MAC Address: MAC address of the floating device.
IP Address: IP address of the floating device (not required, for information only).
trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
pvid: VLAN in which PacketFence should put the port.
taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
OAuth2 Authentication
Note: OAuth2 authentication does not work with Web auth enforcement.
The captive portal of PacketFence allows a guest/user to register using their Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider login page. This list is available in each OAuth2 authentication source.
In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Save the file and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).
Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, *.googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada: google.ca, France: google.fr, etc.).
Once you have your client ID and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Google as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Facebook as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Caution
By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN. The allowed domains also include shared CDN domains, so unregistered devices gain reachability to whatever else is served from those names.
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add GitHub as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add LinkedIn as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Also, LinkedIn requires a state parameter in the authorization URL. If you modify the URL, make sure to keep that parameter at its end.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Twitter as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a WindowsLive OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add WindowsLive as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.
There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.
DNS passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device. Since the hole is opened for the resolved IP address, every other name hosted on that address becomes reachable too; keep wildcard entries on shared hosting or CDN domains as narrow as possible.
mod_proxy passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together, but DNS-based passthroughs have higher priority.
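Passthrough entries are matched on DNS names, so the rules for what a wildcard covers matter: an entry like *.google.com must not match evil-google.com. The following Python code is an added example (not pfdns code) that applies such rules to the Android passthrough list from the provisioning section plus a constructed exact-host entry; the query names are constructed as well. Treating a *.example entry as also covering the bare apex name is a choice of this example, not documented PacketFence behaviour.

```python
"""Passthrough matching for DNS names, as an added example (not pfdns code).

Entries follow the notation used in this guide: a plain host name matches
only that host, a '*.' prefix matches every name below the given domain.
Matching is case-insensitive and ignores a trailing dot, as DNS does.
"""

# The Android provisioning list from this guide plus one constructed
# exact-host entry (portal.example.com is a placeholder).
PASSTHROUGHS = [
    "*.ggpht.com",
    "*.googleusercontent.com",
    "android.clients.google.com",
    "*.googleapis.com",
    "*.android.clients.google.com",
    "*.gvt1.com",
    "portal.example.com",
]


def normalize(name):
    """Lower-case a DNS name and strip its trailing dot."""
    return name.rstrip(".").lower()


def entry_matches(entry, qname):
    """True when `qname` is covered by a single passthrough entry."""
    entry, qname = normalize(entry), normalize(qname)
    if entry.startswith("*."):
        apex = entry[2:]
        # Label-boundary check: 'x.gvt1.com' matches, 'evilgvt1.com' does not.
        # Accepting the bare apex is a choice of this example.
        return qname == apex or qname.endswith("." + apex)
    return qname == entry


def is_passthrough(qname, entries=PASSTHROUGHS):
    """True when at least one configured entry covers the queried name."""
    return any(entry_matches(entry, qname) for entry in entries)


def matching_entries(qname, entries=PASSTHROUGHS):
    """Which entries opened the hole; useful when auditing a wide allow-list."""
    return [entry for entry in entries if entry_matches(entry, qname)]


if __name__ == "__main__":
    for query in ("lh3.googleusercontent.com", "evil-googleapis.com",
                  "PORTAL.EXAMPLE.COM.", "www.portal.example.com"):
        print(query, is_passthrough(query), matching_entries(query))
```

matching_entries is the auditing aid: when a trapped device reaches something it should not, it tells you which allow-list entry is responsible.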
Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.
IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what nodes using a pfdhcplistener daemon.
By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none
Add to pf.conf (the IPs are not important; they are there only so that PacketFence will start):
[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1
Restart PacketFence and you should be good to go.
Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly, and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
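All three techniques above exist to get DHCP replies in front of a listener so the MAC-to-IP binding can be recorded. The following added example, which is not pfdhcplistener's code, shows what that binding looks like at the packet level: a minimal BOOTP/DHCP parser run over a constructed ACK, picking the client hardware address (chaddr), the assigned address (yiaddr), the relay address (giaddr, filled in by the IP helper on a relayed copy) and the message type (option 53). The MAC, addresses and hostname are made up.

```python
"""Parse a DHCP message and pull out the MAC-to-IP binding, which is what a
dhcp-listener interface exists to capture.

Added example, not pfdhcplistener's code: a minimal BOOTP/DHCP parser run over
a constructed ACK. It shows which fields carry the binding (chaddr, yiaddr),
which field identifies the relaying IP helper (giaddr), and which option
gives the message type (option 53). Sample MAC/IPs are made up.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def _ip(text):
    return bytes(int(o) for o in text.split("."))

def build_dhcp(mac, yiaddr, giaddr="0.0.0.0", hostname="lab-pc", msg_type=5):
    """Construct the UDP payload of a DHCP reply for testing (not captured traffic)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY, ethernet, hlen 6
    hdr += b"\x00" * 4 + _ip(yiaddr) + b"\x00" * 4 + _ip(giaddr)   # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr + b"\x00" * 64 + b"\x00" * 128                     # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 12, len(hostname)]) + hostname.encode() + b"\xff"
    return hdr + DHCP_MAGIC + opts

def parse_dhcp(payload):
    """Return op, type, mac, yiaddr, giaddr and hostname (None when the option is absent)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    fields = {
        "op": payload[0],
        "yiaddr": ".".join(str(b) for b in payload[16:20]),
        "giaddr": ".".join(str(b) for b in payload[24:28]),
        "mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
    }
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:          # 255 = end of options
        if payload[i] == 0:                                  # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    fields["type"] = MSG_TYPES.get(opts[53][0]) if 53 in opts else None
    fields["hostname"] = opts[12].decode(errors="replace") if 12 in opts else None
    return fields

def binding_from_ack(payload):
    """Only an ACK confirms a lease: return (mac, ip) for ACKs, None for anything else."""
    d = parse_dhcp(payload)
    return (d["mac"], d["yiaddr"]) if d["type"] == "ACK" else None

if __name__ == "__main__":
    # A relayed ACK as seen on a listener interface: giaddr is the VLAN's helper router.
    ack = build_dhcp("00:11:22:33:44:55", "10.0.101.42", giaddr="10.0.101.1")
    print(parse_dhcp(ack), binding_from_ack(ack))
```

Only the ACK is treated as a binding: a DISCOVER or REQUEST tells you a client is asking, not what it was granted, which is why the text stresses that the listener interface must see the server's replies and not answer them itself.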
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
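A mistake in these stanzas (a DHCP range outside the subnet, a dns value that is not one of the internal interfaces, a routed network without next_hop) only shows up as clients that never reach the portal. The following added example, which is not a PacketFence tool, checks the consistency rules this section states against the sample pf.conf and networks.conf fragments above (a local and a routed registration network are embedded; the checks use only the standard library).

```python
"""Sanity-check a conf/networks.conf against the internal interfaces in pf.conf.

Added example, not a PacketFence tool. It applies the rules this section
states to the sample stanzas above: gateway and DHCP range inside the subnet,
dns pointing at an internal interface IP (only those run dhcpd), and next_hop
set on every network that is not a local interface subnet. The embedded
fragments are copied from this section's example configuration.
"""
import ipaddress
from configparser import ConfigParser

PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
"""

def internal_ips(pf_conf_text):
    """IPs of the pf.conf interfaces of type internal (the only ones dhcpd listens on)."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(pf_conf_text)
    return {ipaddress.ip_address(cp[s]["ip"]) for s in cp.sections()
            if s.startswith("interface ") and cp[s].get("type") == "internal"}

def check_networks(networks_text, internal):
    """Return {network: [problems]}; an empty list means the stanza is consistent."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(networks_text)
    report = {}
    for name in cp.sections():
        sec, problems = cp[name], []
        net = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
        gw = ipaddress.ip_address(sec["gateway"])
        start, end = ipaddress.ip_address(sec["dhcp_start"]), ipaddress.ip_address(sec["dhcp_end"])
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
        if not (start in net and end in net and start < end):
            problems.append(f"dhcp range {start}-{end} is outside {net} or reversed")
        if ipaddress.ip_address(sec["dns"]) not in internal:
            problems.append("dns is not an internal interface IP, so clients would not reach pfdns")
        local = gw in internal
        if not local and not sec.get("next_hop"):
            problems.append("routed network without next_hop")
        if local and sec.get("next_hop"):
            problems.append("local network should leave next_hop empty")
        report[str(net)] = problems
    return report

if __name__ == "__main__":
    for net, problems in check_networks(NETWORKS_CONF, internal_ips(PF_CONF)).items():
        print(net, "OK" if not problems else problems)
```

Run it after editing networks.conf and before restarting the services; a network is treated as local when its gateway is one of the internal interface IPs, which is the distinction between the first two and the last two stanzas above.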
DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
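To confirm that the ACL above really closes the manual-DNS escape while leaving DHCP relay and portal access working, the following added example (not vendor code) simulates first-match evaluation of the three permit/deny lines over a few constructed flows from a client on VLAN 20. It understands only the any and host address forms the example uses and applies the implicit deny at the end of the list.

```python
"""Check what the PF_REGISTRATION ACL above lets a registration client send.

Added example, not vendor code: a first-match simulator for the
'permit/deny <proto> <src> <dst> [eq <port>]' lines in this section, with
'any' and 'host' address forms only (the ones the example uses), and the
implicit deny at the end. The flows below are constructed.
"""
import ipaddress

PF_REGISTRATION = """
permit ip any host 192.168.2.1
permit udp any any eq 67
deny ip any any log
"""

def _addr(parts, i):
    """Parse 'any' or 'host A.B.C.D' at parts[i]; return (network or None, next index)."""
    if parts[i] == "any":
        return None, i + 1
    if parts[i] == "host":
        return ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address form: {' '.join(parts[i:])}")

def parse_acl(text):
    """Turn the ACL body into (action, proto, src, dst, dport) tuples in list order."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, proto = parts[0], parts[1]
        src, i = _addr(parts, 2)
        dst, i = _addr(parts, i)
        dport = int(parts[i + 1]) if i < len(parts) and parts[i] == "eq" else None
        entries.append((action, proto, src, dst, dport))
    return entries

def acl_decision(entries, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, edport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if esrc is not None and s not in esrc:
            continue
        if edst is not None and d not in edst:
            continue
        if edport is not None and edport != dport:
            continue
        return action
    return "deny"

def escape_attempts(acl_text):
    """Map constructed flows from a client on VLAN 20 to the ACL's decision."""
    acl = parse_acl(acl_text)
    flows = {
        "dns to PF server": ("udp", "192.168.20.10", "192.168.2.1", 53),
        "dns to outside resolver": ("udp", "192.168.20.10", "198.51.100.53", 53),
        "dhcp discover": ("udp", "0.0.0.0", "255.255.255.255", 67),
        "http to internet": ("tcp", "192.168.20.10", "203.0.113.5", 80),
    }
    return {name: acl_decision(acl, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, verdict in escape_attempts(PF_REGISTRATION).items():
        print(f"{name:26} {verdict}")
```

The result shows the intended split: traffic to the PacketFence server and DHCP broadcasts pass, while a hand-configured outside resolver and any direct web traffic are dropped by the final deny (and logged, since that line carries log).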
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start= auto
sc start napagent

# Wired 802.1X
sc config dot3svc start= auto depend= napagent
sc start dot3svc

netsh nap client show config

# get the ID value for the EAP Quarantine Enforcement Client
netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note
You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default one, when the SSID is SECURE, and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout (the rule references the open test defined just above it):

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN

[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf: there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:

- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf: there are some examples on how to use and define filters.
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (core switch, firewall, router…).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note
If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note
Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enables setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
Note
To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 filestore log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:
service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 filestore log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

- Type: metascan; Trigger ID: the scan result returned by Metadefender Cloud online
- Type: suricata_md5; Trigger ID: the MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is a Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note
Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

- Type: detect; Trigger ID: the IDS triggered rule ID
- Type: suricata_event; Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.
Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using MAC OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.
Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this amount of time, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS or WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.

Note
You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs in the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generation of violations inside PacketFence), you need to configure these sections.

Scanner Definition

First go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (optional)
- OS: only devices with this Operating System will be affected (optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan after registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: even if auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to Nessus scan
- Password: password to connect to Nessus scan
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to OpenVAS scan
- Password: password to connect to OpenVAS scan
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server

Specific to WMI:

- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action=trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem
Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following: retrieve the currently logged user on the device and register the device based on that user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

- the request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.
- Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).
The test block is a simple test based on the result of the request:

- attribute is the attribute you want to test;
- operator can be is, is_not, match or match_not (is and is_not compare for equality, match and match_not look for the value as a pattern in the attribute);
- value is the value you want to compare against.

Feel free to define multiple test blocks.

The action block is where you define your logic. For example, [1:google&explorer] means: if the google test is true and the explorer test is true, then execute the action. The logic can be more complex, e.g. [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
Violations definition

You need to create a new violation section and specify its trigger:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: a violation will only trigger if the plugin reports a finding whose severity is higher than low.

Assign Scan definition to portal profiles

The last step is to assign one or more of the scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.
Hosting Nessus/OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:

- PacketFence needs to be able to communicate with the server on the port used by the vulnerability engine (8834 for Nessus and 9390 for OpenVAS by default).
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.
RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence we are able to use this information to determine whether the node is still connected, how long it has been connected and how much bandwidth the user consumed.

Violations

Using PacketFence it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

- DIRECTION: you can set a limit on inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: this is the time window in which we look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for incoming (download) traffic with a 50 GB per month limit:

Accounting::IN50GB1M

Look for outgoing (upload) traffic with a 500 MB per day limit:

Accounting::OUT500MB1D

Look for total (download + upload) traffic with a 200 GB limit in the last week:

Accounting::TOT200GB1W

Grace period

When using such a violation, setting the grace period is really important. You don't want to set it too low (e.g. a user re-enables his network access and gets caught again after one byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
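As an added example (not code from the guide or from PacketFence itself), the following Python parses the trigger format above and evaluates it against constructed accounting rows, including the no-interval case and the one-window grace period the guide recommends. Two things are assumptions because the guide does not state them: KB/MB/GB/PB are binary multiples, and an interval is a fixed-length look-back window (a month counted as 30 days, a year as 365). Check PacketFence's own conversion before relying on exact thresholds.

```python
# Parser and evaluator for PacketFence-style accounting violation triggers:
#   Accounting::<DIRECTION><LIMIT>[<INTERVAL>]   e.g. Accounting::IN50GB1M
import re
from datetime import datetime, timedelta

TRIGGER_RE = re.compile(
    r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")
# Assumption: binary multiples; the guide does not say whether KB is 1000 or 1024 bytes.
SIZE = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Assumption: fixed-length look-back windows (a month counted as 30 days, a year as 365).
WINDOW = {"D": timedelta(days=1), "W": timedelta(weeks=1),
          "M": timedelta(days=30), "Y": timedelta(days=365)}


def is_valid_trigger(trigger):
    return TRIGGER_RE.match(trigger) is not None


def parse_trigger(trigger):
    """Return (direction, limit_in_bytes, window); window is None when the
    optional INTERVAL is absent, meaning the whole accounting history counts."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("malformed accounting trigger: %r" % trigger)
    direction, amount, unit, count, interval = m.groups()
    window = WINDOW[interval] * int(count) if count else None
    return direction, int(amount) * SIZE[unit], window


def usage_bytes(rows, mac, direction, now, window=None):
    """Sum one MAC's traffic for a direction over the window ending at `now`.
    IN is what the client downloaded (Acct-Output-Octets as the NAS reports it),
    OUT is what it uploaded (Acct-Input-Octets), TOT is both."""
    total = 0
    for row in rows:
        if row["mac"] != mac or row["time"] > now:
            continue
        if window is not None and row["time"] < now - window:
            continue                          # older than the look-back window
        if direction in ("IN", "TOT"):
            total += row["download"]
        if direction in ("OUT", "TOT"):
            total += row["upload"]
    return total


def violates(trigger, rows, mac, now):
    """True when the MAC's usage exceeds the trigger's limit inside its window."""
    direction, limit, window = parse_trigger(trigger)
    return usage_bytes(rows, mac, direction, now, window) > limit


def recommended_grace_seconds(trigger):
    """The guide advises a grace period of one interval window (None without one)."""
    window = parse_trigger(trigger)[2]
    return int(window.total_seconds()) if window is not None else None


# Constructed sample accounting rows (not real data): one heavy downloader whose
# oldest row falls outside a one-month window, and one light user.
NOW = datetime(2016, 6, 15, 12, 0, 0)
GB, MB = SIZE["GB"], SIZE["MB"]
HEAVY, LIGHT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
ROWS = [
    {"mac": HEAVY, "time": NOW - timedelta(days=40), "download": 30 * GB, "upload": 1 * GB},
    {"mac": HEAVY, "time": NOW - timedelta(days=10), "download": 30 * GB, "upload": 2 * GB},
    {"mac": HEAVY, "time": NOW - timedelta(hours=12), "download": 25 * GB, "upload": 600 * MB},
    {"mac": LIGHT, "time": NOW - timedelta(days=1), "download": 1 * GB, "upload": 100 * MB},
]

if __name__ == "__main__":
    for trigger in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        print(trigger, "heavy:", violates(trigger, ROWS, HEAVY, NOW),
              "light:", violates(trigger, ROWS, LIGHT, NOW),
              "grace seconds:", recommended_grace_seconds(trigger))
```

With the sample rows the heavy client trips IN50GB1M (55 GB in the last 30 days) and OUT500MB1D but not TOT200GB1W; a trigger without an interval, such as Accounting::IN80GB, counts the 40-day-old row as well, which is why the guide's per-interval form is the one to use for recurring quotas.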
Oinkmaster

Oinkmaster is a Perl script that makes it easy to update the different Snort rules. It is simple to use and install. This section will show you how to set up Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently the configuration file is set to fetch the bleeding rules.

Since the downloaded rules are loaded into Snort automatically, make sure the URL in oinkmaster.conf points at a source you trust, and prefer an HTTPS URL where the provider offers one.

Rules update

In order to get periodic updates of the Snort rules used by PacketFence, we simply need to create a crontab entry with the right information. The example below shows a crontab entry that fetches the updates daily at 23:00:

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (e.g. guest1, guest2, guest3, ...) or to import data from a CSV file to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL certificate matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes. Expose only TCP port 443 of the management interface to the Internet, never the admin interface (port 1443) or any other service.

Note: a portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: a valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Note: a portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the unit of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the unit of the extended duration. Limited to date units: D (days), W (weeks), M (months) or Y (years).

These parameters can also be configured from the Configuration → Admin Registration section of the web admin interface.

From the Users page of the PacketFence web admin interface it is possible to set the access duration of users, change their password and more.
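The following Python is an added example, not PacketFence's own implementation, that turns a duration string in the format above into an expiry date. It encodes one reading of the definition, which is an assumption: a plain duration or F adds DURATION to the start time, R adds it to the beginning of the period unit containing the start time (Monday 00:00 for weeks, the first of the month for months), and the optional extension is then applied to that result. The start date is constructed. Confirm the exact boundaries against your PacketFence version before relying on them.

```python
# Expiry computation for PacketFence-style access durations:
#   <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
import calendar
import re
from datetime import datetime, timedelta

DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")


def add_units(date, amount, unit):
    """Add a signed number of units. Months and years follow the calendar and
    clamp the day of month (Jan 31 + 1M is Feb 29 in 2016)."""
    if unit == "s":
        return date + timedelta(seconds=amount)
    if unit == "m":
        return date + timedelta(minutes=amount)
    if unit == "h":
        return date + timedelta(hours=amount)
    if unit == "D":
        return date + timedelta(days=amount)
    if unit == "W":
        return date + timedelta(weeks=amount)
    if unit == "Y":
        amount *= 12                          # a year is twelve calendar months
    months = date.year * 12 + (date.month - 1) + amount
    year, month0 = divmod(months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date.replace(year=year, month=month0 + 1, day=min(date.day, last_day))


def period_start(date, unit):
    """Beginning of the period unit containing `date`; weeks start on Monday."""
    date = date.replace(microsecond=0)
    if unit == "s":
        return date
    date = date.replace(second=0)
    if unit == "m":
        return date
    date = date.replace(minute=0)
    if unit == "h":
        return date
    date = date.replace(hour=0)
    if unit == "D":
        return date
    if unit == "W":
        return date - timedelta(days=date.weekday())
    date = date.replace(day=1)
    return date if unit == "M" else date.replace(month=1)


def access_expiry(spec, start):
    """Expiry for an access duration applied at `start`. Reading of the guide's
    definition (an assumption): a plain duration or F adds DURATION to `start`;
    R adds it to the beginning of the period unit containing `start`; the
    optional +/- extension is then applied to that result."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("invalid access duration: %r" % spec)
    amount, unit, base, op, ext_amount, ext_unit = m.groups()
    origin = period_start(start, unit) if base == "R" else start
    expiry = add_units(origin, int(amount), unit)
    if base is None:
        return expiry
    return add_units(expiry, int(ext_amount) if op == "+" else -int(ext_amount), ext_unit)


def validate_choices(choices):
    """Entries of an access_duration_choices value that do not fit the format."""
    return [c for c in choices.split(",") if not DURATION_RE.match(c.strip())]


SAMPLE_START = datetime(2016, 6, 15, 10, 30)      # a Wednesday; constructed

if __name__ == "__main__":
    for spec in ("12h", "3D", "1DF+1D", "1WR-1D", "1MR-1D", "1YR+1M"):
        print(spec, "->", access_expiry(spec, SAMPLE_START))
```

Starting on Wednesday 2016-06-15 10:30, "1WR-1D" expires on Sunday 2016-06-19 00:00 (next Monday minus a day) and "1MR-1D" on 2016-06-30 00:00, which is how a relative period yields "until the end of the week/month" accounts. validate_choices() rejects entries such as 1DR-1s, since the extension is limited to date units.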
Guest pre-registration

To minimally configure guest pre-registration you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution: a valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.
Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the web admin interface under Configuration → Web Services.

# PowerShell script to unregister a deleted Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"   # Username for the web services
    $password = "admin"   # Password for the web services
    # Accepts any server certificate: see the note below the script.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

The ServerCertificateValidationCallback line disables TLS certificate checking for the call to PacketFence, so the web services username and password could be captured by anyone able to intercept that connection. For production, install a certificate the Windows server trusts on PacketFence, remove that line, and use a dedicated web services account instead of the default admin credentials.
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
- Name: PacketFence-Unreg_node-for-deleted-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"

Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726

Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:
- At the bottom, select "Run a new instance in parallel" in the list, in order to unregister multiple nodes at the same time.

Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).
Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the web admin interface under Configuration → Web Services.

# PowerShell script to unregister a disabled Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"   # Username for the web services
    $password = "admin"   # Password for the web services
    # Accepts any server certificate; use a trusted certificate and remove this in production.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
- Name: PacketFence-Unreg_node-for-disabled-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"

Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725

Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:
- At the bottom, select "Run a new instance in parallel" in the list.

Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).
Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the web admin interface under Configuration → Web Services.

# PowerShell script to unregister a locked Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"   # Username for the web services
    $password = "admin"   # Password for the web services
    # Accepts any server certificate; use a trusted certificate and remove this in production.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
- Name: PacketFence-Unreg_node-for-locked-account
- Check "Run whether user is logged on or not"
- Check "Run with highest privileges"

Triggers → New:
- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4740

Actions → New:
- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings:
- At the bottom, select "Run a new instance in parallel" in the list.

Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).
DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface. The copies are sent as plain UDP datagrams (to port 767 in the examples below) with no authentication, so restrict that port on the management interface to your DHCP servers with a firewall rule.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: you absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

The binary is served over plain HTTP and will run as a service on your production DHCP server, so verify what you downloaded before installing it.

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

where pcap0 is the interface on which your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list the interfaces) and 192.168.1.5 is the management IP of your PacketFence server.
Then run: nssm install udpreflector

In Application:
- In Path, set it to C:\udp-reflector\udpreflector.bat
- In Startup directory, set it to C:\udp-reflector
- In Arguments, set it to nothing

In Details:
- In Startup type, select Automatic

In Log on:
- In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local so the sensor starts on boot, where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From PacketFence's web admin interface you must configure an Admin Access role (Configuration → Admin Access) that contains the action Switches CLI - Read or Switches CLI - Write, and assign this role to an internal user or in an Administration rule of an internal source.
Chapter 14

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotation

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation, keeping old logs with compression. It was added during the PacketFence initial installation.
Chapter 15

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, someone who wants to generate load on the PacketFence server can force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These settings are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence web administrative GUI in the Configuration → SNMP section.
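An added example, not PacketFence code, of the counting the feature describes: a sliding one-minute window per (switch, ifIndex), with a callback standing in for trap_limit_action. The trap stream in simulate() is constructed, and the switch address and port numbers in it are placeholders.

```python
# Per-switch-port SNMP trap rate limiting, modelled on trap_limit_threshold
# (traps from one switch port within a minute).
from collections import defaultdict, deque


class TrapLimiter:
    """Sliding window per (switch, ifIndex). Traps from approved switches are
    all processed, so a flooding port is capped here instead of upstream."""

    def __init__(self, threshold=100, window_seconds=60, on_limit=None):
        self.threshold = threshold
        self.window = window_seconds
        self.on_limit = on_limit              # e.g. shut the port, send an email
        self.recent = defaultdict(deque)      # (switch_ip, if_index) -> trap timestamps
        self.tripped = set()

    def observe(self, switch_ip, if_index, ts):
        """Record one trap; return True while the port is over the threshold.
        The callback fires once per port until reset() is called."""
        key = (switch_ip, if_index)
        q = self.recent[key]
        while q and q[0] <= ts - self.window:
            q.popleft()                       # expire traps older than the window
        q.append(ts)
        if len(q) > self.threshold:
            if key not in self.tripped:
                self.tripped.add(key)
                if self.on_limit:
                    self.on_limit(switch_ip, if_index, len(q))
            return True
        return False

    def reset(self, switch_ip, if_index):
        self.recent.pop((switch_ip, if_index), None)
        self.tripped.discard((switch_ip, if_index))


def simulate(threshold=100):
    """Constructed trap stream (not captured data): 50 ports with five link-change
    traps each per minute, plus one port flooding 150 traps in 30 seconds."""
    actions = []
    limiter = TrapLimiter(threshold, on_limit=lambda sw, idx, n: actions.append((sw, idx, n)))
    normal_hits = [limiter.observe("10.0.0.1", port, float(t))
                   for port in range(1, 51) for t in range(0, 60, 12)]
    flood_hits = [limiter.observe("10.0.0.1", 60, 100 + i * 0.2) for i in range(150)]
    drained = limiter.observe("10.0.0.1", 60, 100 + 30 + 61)   # a minute later the window is empty
    return {"normal_over_limit": any(normal_hits),
            "flood_first_trip_index": flood_hits.index(True) if True in flood_hits else None,
            "actions": actions,
            "over_limit_after_window": drained}


if __name__ == "__main__":
    print(simulate())
```

Counting per port rather than per switch is what lets one misbehaving port be shut while the rest of the switch keeps working; the same limiter with 200 ports sending one trap each never trips.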
MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slowly, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see the load is 1.25 and IOWait is peaking at 20%; this is not good. If your IOWait is low but MySQL is taking 50% or more of the CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer pool size from the default values.

Shut down PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
# /etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Two things to check before copying this block: innodb_flush_log_at_trx_commit=2 trades durability for speed (up to about one second of committed transactions can be lost if the operating system crashes), and several of these names belong to older MySQL releases (log_slow_queries became slow_query_log in 5.6, table_cache became table_open_cache, and innodb_additional_mem_pool_size was removed in 5.7), so check the variable names against the version you run.

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql
Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default; the max_connect_errors variable) it will lock the host out with:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. Ways to do so are to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows Update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204 (generate_204 is Android's connectivity check, which must still reach the captive portal).
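Both the WMI Rules Definition section earlier in this chapter and these Apache filters use the same structure: named test blocks, and a [label:expression] action block whose expression combines the tests with !, & and |. The Python below is an added example, not part of PacketFence, that parses that structure with configparser and evaluates the expression with a small recursive-descent parser; it runs the guide's Software_Installed rule over two constructed Win32_Product rows and the Dalvik filter over a constructed request. Two assumptions about PacketFence's own behaviour are built in: match is a regular-expression search, and a WMI test holds when any returned row matches.

```python
# Evaluator for PacketFence-style rule files: test sections plus [label:expression]
# action sections, where the expression combines test names with '!', '&', '|', ().
import configparser
import re

OPERATORS = {  # 'match' operators take a regular expression, 'is' operators compare text
    "is": lambda value, want: value == want,
    "is_not": lambda value, want: value != want,
    "match": lambda value, want: re.search(want, value) is not None,
    "match_not": lambda value, want: re.search(want, value) is None,
}

def parse_rules(text):
    """Return ({test_name: settings}, [(label, expression, settings)])."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                        # keep option names as written
    cp.read_string(text)
    tests, actions = {}, []
    for name in cp.sections():
        if ":" in name:                         # [label:expression] is an action block
            label, expr = name.split(":", 1)
            actions.append((label.strip(), expr.strip(), dict(cp[name])))
        else:
            tests[name] = dict(cp[name])
    return tests, actions

def run_test(test, records):
    # A test holds if any record satisfies it: WMI rows are tested on 'attribute',
    # HTTP requests on 'filter' plus an optional 'method' that must match.
    field = test.get("attribute") or test.get("filter")
    compare = OPERATORS[test["operator"]]
    return any(compare(str(record.get(field, "")), test["value"])
               for record in records
               if "method" not in test or record.get("method") == test["method"])

def eval_expr(expr, truth):
    """Evaluate an action expression: '!' binds tightest, then '&', then '|'."""
    tokens = re.findall(r"[A-Za-z0-9_]+|[!&|()]", expr)
    pos = [0]                                   # cursor shared by the nested parsers

    def take(expected=None):
        if pos[0] >= len(tokens) or (expected and tokens[pos[0]] != expected):
            raise ValueError("malformed expression %r" % expr)
        pos[0] += 1
        return tokens[pos[0] - 1]

    def term():                                 # '!' term | '(' or_expr ')' | test name
        tok = take()
        if tok == "!":
            return not term()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if tok not in truth:
            raise ValueError("unknown test or misplaced %r in %r" % (tok, expr))
        return truth[tok]

    def binary(op, sub):                        # left-assoc chain of one operator
        value = sub()
        while tokens[pos[0]:pos[0] + 1] == [op]:
            take()
            rhs = sub()                         # always parsed, so no short-circuit skipping
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    and_expr = lambda: binary("&", term)
    or_expr = lambda: binary("|", and_expr)
    result = or_expr()
    if pos[0] != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return result

def evaluate(rules_text, records):
    """Return [(label, settings)] for every action whose expression holds."""
    tests, actions = parse_rules(rules_text)
    truth = {name: run_test(test, records) for name, test in tests.items()}
    return [(label, s) for label, expr, s in actions if eval_expr(expr, truth)]

# Rule text taken from the guide: the Software_Installed WMI rule and the Dalvik filter.
SOFTWARE_INSTALLED = """[Google]
attribute = Caption
operator = match
value = Google
[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
"""
APACHE_FILTERS = """[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik
[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""
# Constructed inputs (not captured data): two Win32_Product rows and one Android request.
WMI_ROWS = [{"Caption": "Google Chrome"}, {"Caption": "7-Zip 15.14"}]
DALVIK_REQUEST = {"method": "GET", "uri": "/", "user_agent": "Dalvik/2.1.0 (Linux; U; Android 6.0)"}
```

evaluate(SOFTWARE_INSTALLED, WMI_ROWS) yields the trigger_violation action because one row's Caption matches, and evaluate(APACHE_FILTERS, [DALVIK_REQUEST]) yields block_dalvik with action 501, while the same request for /generate_204 or a POST yields nothing. The parser also rejects an unbalanced expression such as google&(explorer instead of silently matching, which is the failure mode worth testing for before a rule is deployed.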
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that shares the same underlying physical disk.

First, add a disk to your virtual machine or bare-metal server and reboot (this example will use /dev/sdb as the new device).

Make sure PacketFence is stopped:

service packetfence stop

Create an ext4 filesystem on the new device:

mkfs.ext4 /dev/sdb

Then move the old database to a backup location:
mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak
Chapter 16

Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:

- packetfence-announce@lists.sourceforge.net: public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: user and usage discussions
Chapter 17

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.
Chapter 18

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A: Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
  cache                        | manage the cache subsystem
  checkup                      | perform a sanity checkup and report any problems
  class                        | view violation classes
  configfiles                  | push or pull configfiles into/from database
  configreload                 | reload the configuration
  floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
  help                         | show help for pfcmd commands
  ifoctetshistorymac           | accounting history
  ifoctetshistoryswitch        | accounting history
  ifoctetshistoryuser          | accounting history
  import                       | bulk import of information into the database
  ipmachistory                 | IP/MAC history
  locationhistorymac           | Switch/Port history
  locationhistoryswitch        | Switch/Port history
  networkconfig                | query/modify network configuration parameters
  node                         | manipulate node entries
  pfconfig                     | interact with pfconfig
  portalprofileconfig          | query/modify portal profile configuration parameters
  reload                       | rebuild fingerprint or violations tables without restart
  service                      | start/stop/restart and get PF daemon status
  schedule                     | Nessus scan scheduling
  switchconfig                 | query/modify switches.conf configuration parameters
  version                      | output version information
  violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACs on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias                switch port description
  -ifAdminStatus        ifAdminStatus
  -ifIndex              switch port ifIndex
  -mac                  MAC address
  -showPF               show additional information available in PF
  -switch               switch description
  -verbose              log verbosity level: 0 fatal messages, 1 warn messages, 2 info messages, 3 debug, 4 trace
  -vlan                 VLAN id
  -vlanName             VLAN name (as in switches.conf)
System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you are missing some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.
Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:
- RedHat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.
Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with a minimal installation and no additional packages. Then:

- Disable the firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Disabling the distribution's firewall service does not mean running without packet filtering: PacketFence manages iptables itself (see Services start-up above), and a distribution-managed ruleset would conflict with it.

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

    yum update

On a Debian or Ubuntu system, do:

    apt-get update
    apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with /etc/init.d/apparmor stop, /etc/init.d/apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.
RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

    rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.
Software Download

PacketFence provides an RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

    yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    yum install perl
    yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator
Debian

For Debian 7

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
    sudo apt-get update
    sudo apt-get install packetfence

Note that 0x810273C4 is a 32-bit key ID, and 32-bit key IDs can be collided on a keyserver; check the full fingerprint of the key you fetched (apt-key finger) against a copy obtained out of band before installing packages signed with it.
Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence gives the device an IP address. At this point, the device is marked as unregistered in the ipset session, all of its Web traffic is redirected to the captive portal and its other traffic is blocked. The user has to register through the captive portal, as in VLAN enforcement. When the user registers, PacketFence changes the device's ipset session to allow that MAC address to go through.
Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN. Since the ipset session is keyed on the MAC address, a host on that LAN that spoofs the MAC address of a registered device is forwarded as if it were that device.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- ipset can store up to 65536 entries, so an inline network cannot be larger than a class B (/16).

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
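The access-control and limitation points above, as an added illustration that is not PacketFence's own code: a per-MAC session table plays the role of the ipset session that iptables consults, dhcp_lease() and register() are the two state changes the text describes, and decide() is the forwarding decision taken for one packet. The network, the portal address, the port numbers and the helper names are assumptions.

```python
"""Model of inline-mode access control (added illustration, not PacketFence
code). sessions[] stands in for the ipset session; decide() is the per-packet
iptables decision. Network, portal address and names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network

IPSET_MAX_ENTRIES = 65536   # ipset entry limit cited in the Limitations above
PORTAL_PORTS = {80, 443}    # web traffic that is redirected to the captive portal


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class InlineGateway:
    """PacketFence as the gateway of one inline network."""

    def __init__(self, network, portal_ip):
        net = IPv4Network(network)
        # One ipset entry per host address: a /16 is the largest inline network
        # that fits, which is the "no larger than a class B" limitation above.
        if net.num_addresses > IPSET_MAX_ENTRIES:
            raise ValueError(f"{network} needs more than {IPSET_MAX_ENTRIES} ipset entries")
        self.portal_ip = portal_ip
        self.sessions = {}                 # mac -> "unreg" | "reg"  (the ipset session)
        self.leases = {}                   # mac -> ip               (DHCP leases)
        self._free = (str(h) for h in net.hosts())
        next(self._free)                   # first host address is the gateway itself

    def dhcp_lease(self, mac):
        """An unknown client gets an address and an unregistered session."""
        mac = mac.lower()
        if mac not in self.leases:
            self.leases[mac] = next(self._free)
            self.sessions[mac] = "unreg"
        return self.leases[mac]

    def register(self, mac):
        """Captive-portal registration flips the session to registered."""
        mac = mac.lower()
        if mac not in self.sessions:
            raise KeyError(f"{mac} has no inline session")
        self.sessions[mac] = "reg"

    def decide(self, pkt):
        """FORWARD, REDIRECT or DROP, keyed only on the source MAC: a host that
        spoofs a registered MAC on the same Layer 2 LAN is forwarded too."""
        if self.sessions.get(pkt.src_mac.lower()) == "reg":
            return "FORWARD"
        if pkt.dst_ip == self.portal_ip:
            return "FORWARD"                   # the portal itself (and its DNS/DHCP)
        if pkt.proto == "tcp" and pkt.dst_port in PORTAL_PORTS:
            return f"REDIRECT {self.portal_ip}:{pkt.dst_port}"
        return "DROP"
```

The /16 check in the constructor is the only place the 65536-entry ceiling is enforced; everything else is a dictionary lookup on the MAC, which is exactly why the same-LAN spoofing note above matters.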
Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD). PEAP only protects the inner MSCHAPv2 exchange when the supplicant validates the RADIUS server's certificate; a supplicant configured to skip that check will hand its MSCHAPv2 handshake to any rogue authenticator.
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following steps describe the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:
1. User initiates association to WLAN AP and transmits MAC address. If the user accesses the network via a device registered in PacketFence, go to 8.

2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts an address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs the WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that limit/redirect the user to the PacketFence captive portal for registration, or alternatively a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), based on which it can take various actions including: keep the device on the registration portal, direct it to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the directory server (or any other authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/re-authorized, so we go back to 1.

8. PacketFence server directs the WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
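The RADIUS side of steps 2-4 and 8, as an added illustration that is not PacketFence's code: normalize the MAC the NAS presents (controllers send it in several notations), tell MAC authentication apart from 802.1X, look the node up, and answer with the RFC 2868 tunnel attributes that place the client in the registration, isolation or normal VLAN; register() is the step 6-7 transition that has to be followed by RFC 3576 dynamic authorization. The node table, the VLAN numbers and the helper names are assumptions.

```python
"""RADIUS authorization for 802.1X / MAC authentication (added illustration,
not PacketFence code). Node table, VLAN plan and names are assumptions."""

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type (65) = IEEE-802

VLANS = {"registration": 2, "isolation": 3, "normal": 10}   # assumed VLAN plan

# Constructed node table, the equivalent of the node database lookup in step 3.
NODES = {
    "52:54:00:12:35:02": {"status": "reg", "violation": False},
    "52:54:00:aa:bb:cc": {"status": "reg", "violation": True},
}


def normalize_mac(raw):
    """NASes send MACs as 5254.0012.3502, 52-54-00-12-35-02 or 525400123502."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_mac_auth(request):
    """MAC authentication: no EAP in the request and User-Name is the caller's MAC."""
    if "EAP-Message" in request:
        return False
    try:
        return normalize_mac(request["User-Name"]) == normalize_mac(request["Calling-Station-Id"])
    except (KeyError, ValueError):
        return False


def node_role(mac, nodes):
    node = nodes.get(mac)
    if node is None or node["status"] != "reg":
        return "registration"          # step 4: unknown/unregistered -> captive portal
    return "isolation" if node["violation"] else "normal"   # step 8


def vlan_attributes(vlan_id):
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-Id": str(vlan_id),
    }


def authorize(request, nodes=NODES, vlans=VLANS):
    """Answer an Access-Request with (code, reply attributes, method).
    For 802.1X the EAP exchange has already authenticated the user; this is
    only the VLAN choice that follows it."""
    try:
        mac = normalize_mac(request["Calling-Station-Id"])
    except (KeyError, ValueError):
        return "Access-Reject", {}, None     # nothing to key the decision on
    method = "MAC" if is_mac_auth(request) else "802.1X"
    return "Access-Accept", vlan_attributes(vlans[node_role(mac, nodes)]), method


def register(mac, nodes):
    """Steps 6-7: the portal registered the node; the NAS must re-evaluate it,
    which PacketFence triggers with RFC 3576 dynamic authorization."""
    mac = normalize_mac(mac)
    nodes[mac] = {"status": "reg", "violation": False}
    return {"Code": "Disconnect-Request", "Calling-Station-Id": mac}
```

Note what MAC authentication does not give you: the only thing checked is Calling-Station-Id, so the reply for a printer's MAC is the same whoever presents it; the page's "no strong authentication" remark is this function's nodes.get().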
Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps. Since these traps drive VLAN changes, they are an input you should not accept from just anyone: with SNMP v1/v2c a trap is authenticated by nothing more than a community string and a source address, so prefer SNMP v3 traps (see the SNMPVersionTrap parameters in the Network Devices Definition section).
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
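The three trap modes described above, as one added model that is not PacketFence's pfsetvlan: a linkUp parks the port in the MAC detection VLAN and, without MAC notification, starts polling for the learnt MAC; a linkDown on the same port cancels that pending work; a MAC notification trap delivers the MAC directly so the linkUp thread can be freed at once; and a port-security trap already carries the offending MAC, so the VLAN decision is made immediately with no polling. The trap records, the VLAN numbers, the node table and FakeSwitch are constructed stand-ins for the SNMP traffic.

```python
"""Trap handling state machine (added illustration, not PacketFence code).
Trap records, VLAN numbers and the node table are constructed."""

VLANS = {"macdetection": 4, "registration": 2, "isolation": 3, "normal": 10}
NODES = {"52:54:00:12:35:02": {"status": "reg", "violation": False}}


def vlan_for(mac, nodes):
    """The database check: existing? registered? any violation?"""
    node = nodes.get(mac.lower())
    if node is None or node["status"] != "reg":
        return VLANS["registration"]
    return VLANS["isolation"] if node["violation"] else VLANS["normal"]


class FakeSwitch:
    """Stands in for the SNMP writes and reads against a real switch."""
    def __init__(self):
        self.vlans = {}   # ifIndex -> VLAN currently set
        self.fdb = {}     # ifIndex -> MAC the switch has learnt, if any

    def set_vlan(self, ifindex, vlan):
        self.vlans[ifindex] = vlan

    def learnt_mac(self, ifindex):
        return self.fdb.get(ifindex)


class TrapHandler:
    def __init__(self, switch, nodes=NODES, mac_notification=False):
        self.switch = switch
        self.nodes = nodes
        self.mac_notification = mac_notification
        self.pending = set()   # ports whose linkUp "thread" still waits for a MAC
        self.polls = 0         # SNMP queries issued, to compare the cost of each mode

    def handle(self, trap):
        kind, port = trap["type"], trap["ifIndex"]
        if kind == "linkUp":
            self.switch.set_vlan(port, VLANS["macdetection"])
            if not self.mac_notification:
                self.pending.add(port)        # with MAC notification the thread is freed here
        elif kind == "linkDown":
            self.pending.discard(port)        # stop the thread started by the linkUp
            self.switch.set_vlan(port, VLANS["macdetection"])
        elif kind in ("macLearnt", "portSecurityViolation"):
            self.pending.discard(port)        # the trap carries the MAC: decide now
            self.switch.set_vlan(port, vlan_for(trap["mac"], self.nodes))
        elif kind == "macRemoved":
            pass                              # nothing to do until the port goes down
        else:
            raise ValueError(f"unknown trap type {kind!r}")

    def poll(self):
        """One round of the periodic SNMP queries for ports still pending."""
        for port in sorted(self.pending):
            self.polls += 1
            mac = self.switch.learnt_mac(port)
            if mac:
                self.pending.discard(port)
                self.switch.set_vlan(port, vlan_for(mac, self.nodes))
```

Run the same sequence with mac_notification=True and polls stays at zero, which is the whole argument for MAC notification and port-security traps over bare linkUp/linkDown.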
Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for the inline enforcement mode. Now, with the hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

- ALWAYS
- PORT
- MAC
- SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

    SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and likewise the client with MAC address 00:11:22:33:44:55 even if it connects on another SSID.
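The trigger syntax above, as an added illustration that is not PacketFence's parser: parse_triggers() turns a "Trigger to enable inline mode" value into typed entries, inline_triggered() matches them against what the NAS reported for a connecting node, and enforcement() returns what the reply would carry (the inline VLAN, or nothing for a void VLAN, versus the VLAN mapped to the node's role). The request field names and the role VLAN are assumptions.

```python
"""Inline trigger parsing and matching (added illustration, not PacketFence
code). Field names and the role VLAN are assumptions."""


def parse_triggers(spec):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55'
    -> [('SSID', 'GuestAccess'), ('MAC', '00:11:22:33:44:55')]"""
    triggers = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        kind, sep, value = item.partition("::")
        kind = kind.upper()
        if kind == "ALWAYS" and not sep:
            triggers.append(("ALWAYS", None))
        elif kind in ("PORT", "MAC", "SSID") and sep and value:
            if kind == "PORT" and not value.isdigit():
                raise ValueError(f"PORT trigger needs an ifIndex: {item!r}")
            triggers.append((kind, value.lower() if kind == "MAC" else value))
        else:
            raise ValueError(f"bad inline trigger {item!r}")
    return triggers


def inline_triggered(triggers, mac, ifindex=None, ssid=None):
    """True when any trigger matches the connecting node."""
    for kind, value in triggers:
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and value == mac.lower():
            return True
        if kind == "PORT" and ifindex is not None and value == str(ifindex):
            return True
        if kind == "SSID" and ssid is not None and value == ssid:
            return True
    return False


def enforcement(triggers, mac, ifindex=None, ssid=None, inline_vlan=None, role_vlan=10):
    """('inline', inline VLAN or None for a void VLAN) or ('vlan', role VLAN)."""
    if inline_triggered(triggers, mac, ifindex, ssid):
        return "inline", inline_vlan
    return "vlan", role_vlan
```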
Configuration

At this point in the documentation, PacketFence should be installed. You should also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443/

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add the switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are mapped to VLANs, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.
5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example

Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.

Now, we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Note that with "without SSL/TLS" the bind password and every user password submitted on the captive portal cross the wire to the domain controller in cleartext; in production use SSL/TLS (port 636) and bind with a dedicated read-only account rather than Administrator.

Then, we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: ad2 (source names must be unique)
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
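The first-match-wins evaluation described in this section, as an added illustration that is not PacketFence's authentication engine: sources are tried in the order given, each source's rules in order, and the first rule whose conditions all hold wins across every source. A rule with no conditions is a catch-all, but for directory and file sources it only fires for a username that exists in that source, whereas Kerberos/RADIUS sources accept any username (the note above). The sources, users and attribute names are constructed around the AD example, with an extra conditional rule placed before the catch-all to show why rule order matters.

```python
"""First-match-wins evaluation of authentication sources (added illustration,
not PacketFence code). Sources, users and attributes are constructed."""


class Source:
    def __init__(self, name, kind, rules, users=None):
        self.name, self.kind, self.rules, self.users = name, kind, rules, users or {}

    def lookup(self, username):
        """Attributes for the user, or None when the source does not know them."""
        if self.kind in ("Kerberos", "RADIUS"):
            return {}                          # true catch-all: the source accepts everyone
        return self.users.get(username)        # AD / LDAP / htpasswd / SQL: must exist


def condition_holds(condition, attrs):
    attribute, operator, expected = condition
    value = attrs.get(attribute)
    if operator == "equals":
        return value == expected
    if operator == "contains":
        return value is not None and expected in value
    raise ValueError(f"unknown operator {operator!r}")


def evaluate(sources, username):
    """(source name, rule name, actions) of the first matching rule, else None."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue
        for rule in source.rules:
            if all(condition_holds(c, attrs) for c in rule.get("conditions", ())):
                return source.name, rule["name"], rule["actions"]
    return None


# Constructed directory contents and sources, in the order the GUI would test them.
AD_USERS = {
    "alice": {"sAMAccountName": "alice", "memberOf": "CN=Staff,CN=Users,DC=acme,DC=local"},
    "bob": {"sAMAccountName": "bob", "memberOf": "CN=Contractors,CN=Users,DC=acme,DC=local"},
}
AD_COMPUTERS = {"host/pc1.acme.local": {"servicePrincipalName": "host/pc1.acme.local"}}

SOURCES = [
    Source("ad1", "AD", users=AD_USERS, rules=[
        {"name": "contractors",
         "conditions": [("memberOf", "contains", "CN=Contractors")],
         "actions": {"set_role": "contractor", "set_access_duration": "1D"}},
        {"name": "employees",                      # no conditions: catch-all for ad1
         "actions": {"set_role": "employee", "set_unreg_date": "2020-01-01"}},
    ]),
    Source("ad2", "AD", users=AD_COMPUTERS, rules=[
        {"name": "machines",
         "actions": {"set_role": "machineauth", "set_unreg_date": "2020-01-01"}},
    ]),
    Source("local", "SQL", users={"guest1": {}}, rules=[
        {"name": "guests",
         "actions": {"set_role": "guest", "set_access_duration": "1D"}},
    ]),
]
```

Swap the two ad1 rules and the contractors rule is never reached: a catch-all placed first swallows every user of its source, which is the practical reason the GUI lets you drag rules and sources into order.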
External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result: should be 1 for success, 0 for failure
- message: should be the reason it succeeded or failed

Example JSON response:

    {"result": 1, "message": "Valid username and password"}
Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

    {"access_duration": "1D", "access_level": "ALL", "sponsor": 1, "unregdate": "2030-01-01", "category": "default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API. Use https here: the user's password is sent in the POST body, and HTTP basic authentication is only a base64-encoded header, so both are exposed over plain http.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go to Configuration → Sources and create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated with the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link "Download Service Provider metadata" on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

The captive portal runs over HTTPS (see the wireless section), so point these URLs at https://PORTAL_HOSTNAME in a real deployment; an assertion delivered over plain http can be read and replayed on the path between the Identity Provider and the portal.

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go to Configuration → Trapping, check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP / MAC / Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

  SNMPVersion = 3
  SNMPUserNameRead = readUser
  SNMPAuthProtocolRead = MD5
  SNMPAuthPasswordRead = authpwdread
  SNMPPrivProtocolRead = AES
  SNMPPrivPasswordRead = privpwdread
  SNMPUserNameWrite = writeUser
  SNMPAuthProtocolWrite = MD5
  SNMPAuthPasswordWrite = authpwdwrite
  SNMPPrivProtocolWrite = AES
  SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence
Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

  SNMPVersionTrap = 3
  SNMPUserNameTrap = readUser
  SNMPAuthProtocolTrap = MD5
  SNMPAuthPasswordTrap = authpwdread
  SNMPPrivProtocolTrap = AES
  SNMPPrivPasswordTrap = privpwdread

Switch Configuration
Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

  snmp-server engineID local AA5ED139B81D4A328D18ACD1
  snmp-server group readGroup v3 priv
  snmp-server group writeGroup v3 priv read v1default write v1default
  snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
  snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
  snmp-server enable traps port-security
  snmp-server enable traps port-security trap-rate 1
  snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

  cliTransport = SSH (or Telnet)
  cliUser = admin
  cliPwd = admin_pwd
  cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface
PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

  wsTransport = http (or https)
  wsUser = admin
  wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support
Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

  Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

  adminRole=full-access
  engineeringRole=full-access
  salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
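As an added example (not PacketFence's own code), the following script reads a switches.conf-style file, resolves each switch against the [default] section, expands the <rolename>Role=<controller_role> mapping, and reports the settings this chapter advises against (SNMP v1/v2c, factory communities, Telnet or HTTP transports, a production switch without a RADIUS secret). The sample file is constructed, and its multi-line layout for the roles value and the finding labels are assumptions of this example.

```python
"""Audit a switches.conf-style file: resolve defaults, expand role mappings,
flag weak management settings. Added example; not part of PacketFence."""
import configparser
import re

# Constructed sample in the layout described above (not a real deployment).
# The indented multi-line form of "roles" is an assumption of this example.
SAMPLE_SWITCHES_CONF = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
SNMPVersion = 2c
mode = testing
roles =
    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

[192.168.0.10]
type = Cisco::Catalyst_2960
mode = production
uplink = 24
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPPrivProtocolRead = AES
cliTransport = SSH
radiusSecret = secretPassPhrase

[192.168.0.11]
type = Cisco::Catalyst_2960
mode = registration
cliTransport = Telnet
wsTransport = http
roles = guestRole=little-access
"""

# One "<rolename>Role=<controller_role>" entry, e.g. adminRole=full-access
ROLE_RE = re.compile(r"^\s*(?P<name>\w+)Role\s*=\s*(?P<target>\S+)\s*$")
FACTORY_COMMUNITIES = {"public", "private"}


def load_switches(text):
    """Return {switch_id: settings}; keys missing in a switch section fall
    back to the [default] section, as switches.conf is documented to work."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep key case (SNMPVersion, cliTransport, ...)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def parse_roles(value):
    """Expand a roles value into {internal_role: controller_role}.
    Entries may be separated by newlines or semicolons."""
    mapping = {}
    for entry in re.split(r"[\n;]+", value or ""):
        match = ROLE_RE.match(entry)
        if match:
            mapping[match.group("name")] = match.group("target")
    return mapping


def controller_role(switches, switch_id, node_role):
    """Controller role a node categorized as node_role would get on this
    switch, or None when the switch's roles parameter has no entry for it."""
    return parse_roles(switches[switch_id].get("roles")).get(node_role)


def audit(switches):
    """Return {switch_id: [finding, ...]} for settings a reviewer would question."""
    findings = {}
    for switch_id, s in switches.items():
        found = []
        if s.get("SNMPVersion") != "3":
            # v1/v2c communities travel in cleartext; the guide prefers RADIUS or v3 priv
            found.append("snmp-v%s" % s.get("SNMPVersion", "?"))
            for key in ("SNMPCommunityRead", "SNMPCommunityWrite"):
                if s.get(key) in FACTORY_COMMUNITIES:
                    found.append("factory-community:" + key)
        if s.get("cliTransport", "").lower() == "telnet":
            found.append("cleartext-cli")   # cliUser/cliPwd sent unencrypted
        if s.get("wsTransport", "").lower() == "http":
            found.append("cleartext-ws")    # wsUser/wsPwd sent unencrypted
        if s.get("mode") == "production" and not s.get("radiusSecret"):
            found.append("no-radius-secret")  # CoA/Disconnect (RFC 3576) unavailable
        findings[switch_id] = found
    return findings


if __name__ == "__main__":
    switches = load_switches(SAMPLE_SWITCHES_CONF)
    for switch_id, issues in audit(switches).items():
        print(switch_id, "mode=%s" % switches[switch_id]["mode"],
              "roles=%s" % parse_roles(switches[switch_id].get("roles")),
              "findings=%s" % (issues or "none"))
```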
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name
For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal
This IP is used as the web server who hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.

When configured, portal profiles will override default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

  [profilename1]
  description = the description of your portal profile
  filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
  sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters
PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

  SSID: Guest-SSID
  VLAN: 100
  Switch Port: <SwitchId>-<Port>
  Network: Network in CIDR format or an IP address

Caution
Node role will take effect only with an 802.1X connection or if you use VLAN filters.
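As an added example (not PacketFence's own code), the following script loads a profiles.conf-style file and resolves which portal profile applies to a connection using the SSID, VLAN, Switch Port and Network filter types listed above. The sample file is constructed; the comma-separated multi-filter syntax, the filter_match_style key and the fallback to the default profile are assumptions of this example.

```python
"""Select the portal profile whose filter matches a connection.
Added example; not part of PacketFence."""
import configparser
import ipaddress

# Constructed sample profiles.conf (not from a real deployment). The
# "TYPE:value,TYPE:value" form and filter_match_style are assumptions here.
SAMPLE_PROFILES_CONF = """
[default]
description = Default portal profile
sources = local

[guests]
description = Guest wireless
filter = SSID:Guest-SSID
sources = email,sms

[lab]
description = Lab VLAN, only on port 24 of the core switch
filter = VLAN:100,SwitchPort:192.168.0.10-24
filter_match_style = all
sources = ldap

[dorms]
description = Dormitory network
filter = Network:10.20.0.0/16
sources = local
"""


def load_profiles(text):
    """Return {profile_id: settings} in file order; order decides precedence."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def parse_filters(value):
    """Split 'TYPE:value,TYPE:value' into (type, value) pairs.
    Only the first ':' separates the type, so IPv6 networks survive."""
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if item:
            kind, _, target = item.partition(":")
            pairs.append((kind.strip().lower(), target.strip()))
    return pairs


def filter_matches(kind, target, conn):
    """Evaluate one filter against the connection attributes (a dict with
    optional keys ssid, vlan, switch, port, ip)."""
    if kind == "ssid":
        return conn.get("ssid") == target
    if kind == "vlan":
        return conn.get("vlan") is not None and str(conn["vlan"]) == target
    if kind == "switchport":
        # Switch Port filters are written <SwitchId>-<Port>
        return "%s-%s" % (conn.get("switch"), conn.get("port")) == target
    if kind == "network":
        # Network filters accept a CIDR or a bare IP (a bare IP is a /32 or /128)
        if conn.get("ip") is None:
            return False
        return ipaddress.ip_address(conn["ip"]) in ipaddress.ip_network(target, strict=False)
    raise ValueError("unsupported filter type: %s" % kind)


def select_profile(profiles, conn):
    """Return (profile_id, settings) of the first profile whose filter matches.
    Profiles without a filter are skipped; 'default' is used when none match."""
    for name, settings in profiles.items():
        if "filter" not in settings:
            continue
        results = [filter_matches(k, t, conn) for k, t in parse_filters(settings["filter"])]
        need_all = settings.get("filter_match_style", "any") == "all"
        if results and (all(results) if need_all else any(results)):
            return name, settings
    return "default", profiles["default"]


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES_CONF)
    # Constructed connections: a guest SSID client, a lab port, a dorm address
    for conn in ({"ssid": "Guest-SSID", "ip": "10.20.1.1"},
                 {"vlan": 100, "switch": "192.168.0.10", "port": "24"},
                 {"vlan": 20, "ip": "10.20.5.7"}):
        name, settings = select_profile(profiles, conn)
        print(conn, "->", name, "sources=%s" % settings["sources"])
```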
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence webservices interface
- httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).
FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution
If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

  # Controls IP packet forwarding
  net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note
If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator.
- Password is the password for the username defined above.
Troubleshooting
In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

  chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

  chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note
Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration
You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication
First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind
Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

  yum install samba krb5-workstation

For Debian and Ubuntu, do:

  apt-get install samba winbind krb5-user

Note
If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:
  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = DOMAIN.NET
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes

  [realms]
   DOMAIN.NET = {
    kdc = adserver.domain.net:88
    admin_server = adserver.domain.net:749
    default_domain = domain.net
   }

  [domain_realm]
   .domain.net = DOMAIN.NET
   domain.net = DOMAIN.NET

  [appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }

For Debian and Ubuntu:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = DOMAIN.NET
   ticket_lifetime = 24h
   forwardable = yes

  [appdefaults]
   pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
   }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:
  [global]
   workgroup = DOMAIN
   server string = %h
   security = ads
   passdb backend = tdbsam
   realm = DOMAIN.NET
   encrypt passwords = yes
   winbind use default domain = yes
   client NTLMv2 auth = yes
   preferred master = no
   domain master = no
   local master = no
   load printers = no
   log level = 1 winbind:5 auth:3
   winbind max clients = 750
   winbind max domain connections = 15
   machine password timeout = 0

For Debian and Ubuntu:

  [global]
   workgroup = DOMAIN
   server string = Samba Server Version %v
   security = ads
   realm = DOMAIN.NET
   password server = 192.168.1.1
   domain master = no
   local master = no
   preferred master = no
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind nested groups = yes
   winbind refresh tickets = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   restrict anonymous = 2
   log file = /var/log/samba/log.%m
   max log size = 50
   machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

  kinit administrator
  klist

After that, you need to start samba and join the machine to the domain:
  service smb start
  chkconfig --level 345 smb on
  net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
  Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

  usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

  service winbind start
  chkconfig --level 345 winbind on

For Debian and Ubuntu:

  usermod -a -G winbindd_priv pf

  ntlm_auth --username myDomainUser
  radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
  Sending Access-Request of id 108 to 127.0.0.1 port 18120
   User-Name = "myDomainUser"
   NAS-IP-Address = 10.0.0.1
   NAS-Port = 12
   Message-Authenticator = 0x00000000000000000000000000000000
   MS-CHAP-Challenge = 0x79d62c9da4e55104
   MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
  rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication
Add your user's entries at the end of the /usr/local/pf/raddb/users file with the following format:

  username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP
To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
  ldap openldap {
    server = "ldap.acme.com"
    identity = "uid=admin,dc=acme,dc=com"
    password = "password"
    basedn = "dc=district,dc=acme,dc=com"
    filter = "(uid=%{mschap:User-Name})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    keepalive {
      # LDAP_OPT_X_KEEPALIVE_IDLE
      idle = 60
      # LDAP_OPT_X_KEEPALIVE_PROBES
      probes = 3
      # LDAP_OPT_X_KEEPALIVE_INTERVAL
      interval = 3
    }
  }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

  authorize {
    suffix
    ntdomain
    eap {
      ok = return
    }
    files
    openldap
  }
Option 4: EAP Guest Authentication on email, sponsor and SMS registration
This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note
This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

  packetfence-local-auth {
    # Disable ntlm_auth
    update control {
      &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
      # Check password table with email and password for a sponsor registration
      pfguest
      if (fail || notfound) {
        # Check password table with email and password for a guest registration
        pfsponsor
        if (fail || notfound) {
          # Don't check activation table with phone number and PIN code
          # pfsms     <--- This line was commented out
          if (fail || notfound) {
            update control {
              &MS-CHAP-Use-NTLM-Auth := Yes
            }
          }
        }
      }
    }
  }

Note
For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication
The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth:

  # Activate local user eap authentication based on a specific SSID
  # Set Called-Station-SSID with the current SSID
  set.called_station_ssid
  if (Called-Station-SSID == "Secure-local-Wireless") {
    # Disable ntlm_auth
    update control {
      MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
      update control {
        MS-CHAP-Use-NTLM-Auth := Yes
      }
    }
  }

Caution
You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

  radtest dd9999 Abcd1234 localhost:18120 12 testing123
  Sending Access-Request of id 74 to 127.0.0.1 port 18120
   User-Name = "dd9999"
   User-Password = "Abcd1234"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 12
  rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note
When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

- Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.
- Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.
- Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.
- Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".
- Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.
  - Billing: Allows to define a module based on one or more billing sources.
  - Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.
  - Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
  - Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples
This section will contain the following examples:

- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration
Creating a custom root module
First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication
In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules and click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.
Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note
Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.
Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.

Mixing login and Secure SSID on-boarding on the portal
This example will guide you through configuring a portal flow that will allow for devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

  Hello World! <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)
The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

- Sources by class: Allows you to specify the perl class name of the sources you want available. ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Debugging

Log files

Here are the most important PacketFence log files:

  /usr/local/pf/logs/packetfence.log — PacketFence Core Log
  /usr/local/pf/logs/httpd.portal.access — Apache – Captive Portal Access Log
  /usr/local/pf/logs/httpd.portal.error — Apache – Captive Portal Error Log
  /usr/local/pf/logs/httpd.admin.access — Apache – Web Admin/Services Access Log
  /usr/local/pf/logs/httpd.admin.error — Apache – Web Admin/Services Error Log
  /usr/local/pf/logs/httpd.webservices.access — Apache – Webservices Access Log
  /usr/local/pf/logs/httpd.webservices.error — Apache – Webservices Error Log
  /usr/local/pf/logs/httpd.aaa.access — Apache – AAA Access Log
  /usr/local/pf/logs/httpd.aaa.error — Apache – AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

  radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

  radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)

Now you can run raddebug easily:

  raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

  raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switch port.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security
Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.
Note
Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware
On Cisco switches, we are looking at the multi-domain configuration. The multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware
On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC will connect, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note
Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned on the registration VLAN).
Advanced topics
This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.
In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.
All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.
In order to override a default parameter, define it and set it in pf.conf.
/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.
All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.
Apple and Android Wireless Provisioning
Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will then be able to use the new SSID.
Configure the feature
First of all, you need to configure the SSID that your devices will use after they go through the authentication process.
In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.
Now do the same thing for the iOS provisioner.
Afterwards, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.
For Android, you must allow passthroughs in your pf.conf configuration file:
    [trapping]
    passthrough=enabled
    passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
Profile generation
Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, the Apple device owner simply needs to click on that link and follow the instructions on their device. The Android device owner simply clicks the link and will be forwarded to Google Play to install the PacketFence agent. Launching the application and clicking Configure will create the secure SSID profile. It is that simple.
Billing Engine
PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.
PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.
In order to activate the billing, you will need to configure the following components:
- Billing source(s)
- Billing tier(s)
Configuring a billing source
First, select a billing provider and follow the instructions below.
Paypal
Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.
If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account
To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log into your existing account.
Then, in the Sandbox menu, click Accounts.
Create an account that has the type Personal and one that has the type Business.
Afterwards, go back into Accounts and expand the business account, then click Profile.
Now click the Change password link, change the password and note it.
Do the same thing with the personal account you created.
Configuring the merchant account
Log into the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account or at https://www.paypal.com if you are using a real account.
Next, go in My Account → Profile in order to go into your profile configuration.
Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.
You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.
You should also take note of the Identity Token as it will be required in the PacketFence configuration.
Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.
Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).
Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.
Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution
The certificate will NOT be the same if you use a sandbox account or a real account.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:
- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant Paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Stripe
Stripe account
First, go on https://dashboard.stripe.com, create an account and log in.
Next, on the top right, click Your account, then Account settings.
Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence
Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:
- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret of the account
Authorize.net
Creating an account
First, go on https://account.authorize.net to sign up for a merchant account, or on http://developer.authorize.net for a sandbox account.
After you created your account, you will be shown your API login ID and Transaction key. Note both of them for usage in the PacketFence configuration.
Then log into your new account.
Then, under Account, click Settings.
On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between Authorize.net and PacketFence.
PacketFence configuration
Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:
- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account
Mirapay
To be contributed
Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.
In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.
Where:
- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.
Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.
Billing tier
When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.
You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:
    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled
Stripe configuration
Then, in your Stripe dashboard, go in Subscriptions → Plans.
Then create a new plan.
Where:
- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.
Now, following the same procedure, create the advanced plan.
Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.
Updates are sent using HTTP requests on a public IP.
You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.
In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.
Where:
- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode.
Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
Devices Registration
Users have the possibility to register their devices (Microsoft XBOX/XBOX360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.
The following can be configured by editing the pf.conf file:
    [registration]
    device_registration = enabled
    device_registration_role = gaming
Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.
These parameters can also be configured from the Configuration → Registration section.
Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Eduroam
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.
eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
— eduroam, https://www.eduroam.org
PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.
In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.
First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.
clients.conf example:
    client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
    }
    client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
    }
Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and such requests will be proxied to the eduroam servers.
Define one or more home servers (servers to which eduroam requests should be proxied):
proxy.conf example:
    home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }
Define a pool of servers to group your eduroam home servers together:
proxy.conf example:
    home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }
Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.
The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either in the DOMAIN\username form or in the username@suffix form.
- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.
proxy.conf example:
    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }
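The realm decision described above, worked through as an added example (it is not PacketFence or FreeRADIUS code): it mimics how ntdomain and suffix split the User-Name, how the realm blocks above pick local authentication or the eduroam pool, and how the optional Called-Station-Id block and the post-auth client check from the next two snippets fit in. The realm names, pool name and client shortnames are the ones from this configuration; the Decision record is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Realm blocks above that carry no auth_pool: authenticated locally by FreeRADIUS.
LOCAL_REALMS = ("EXAMPLE", "example.edu")
DEFAULT_POOL = "eduroam"                  # realm DEFAULT { auth_pool = eduroam }
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}     # shortnames given in clients.conf


@dataclass
class Decision:
    realm: str                # realm block that matched
    user_name: str            # User-Name as it is forwarded (DEFAULT has nostrip)
    proxy_to: Optional[str]   # home_server_pool name, or None when handled locally


def split_realm(user_name):
    """ntdomain (format = prefix, delimiter = "\\") runs before suffix (delimiter = "@")."""
    if "\\" in user_name:                       # EXAMPLE\bob
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:                        # bob@example.edu
        user, _, domain = user_name.rpartition("@")
        return domain, user
    return None, user_name                      # nothing found: realm NULL


def select_realm(user_name, called_station_id="", block_other_ssids=False):
    """Return which realm block matches and where FreeRADIUS sends the request."""
    domain, user = split_realm(user_name)
    if domain is None:
        return Decision("NULL", user, None)
    for realm in LOCAL_REALMS:                  # realm lookup is case-insensitive
        if domain.lower() == realm.lower():
            return Decision(realm, user, None)
    # Any other domain is a visitor from another institution: realm DEFAULT.
    # The optional authorize block pins the request to the local realm when the
    # SSID (last label of Called-Station-Id) is not eduroam, so roaming users
    # are not proxied from your other SSIDs.
    if block_other_ssids and not re.search(r"eduroam$", called_station_id, re.I):
        return Decision("local", user_name, None)
    return Decision("DEFAULT", user_name, DEFAULT_POOL)   # nostrip: full User-Name


def runs_packetfence_module(client_shortname):
    """post-auth in packetfence-tunnel: the packetfence module is skipped for eduroam servers."""
    return client_shortname not in EDUROAM_CLIENTS
```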
Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.
In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:
raddb/sites-enabled/packetfence example:
    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs
        # The attribute name (Called-Station-Id) may differ based on your controller
        #if ( Called-Station-Id !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := local
        #    }
        #}

        eap {
            ok = return
        }
        files
        expiration
        logintime
        packetfence
    }
In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.
raddb/sites-enabled/packetfence-tunnel example:
    post-auth {
        exec
        # we skip packetfence when the request is coming from the eduroam servers
        if ( client.shortname != "tlrs1" && client.shortname != "tlrs2" ) {
            packetfence
        }
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):
raddb/modules/realm example:
    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }
Fingerbank integration
Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.
The core of that integration resides in the ability of a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.
Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.
Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.
Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two, depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.
Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.
Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream entries, or both, to allow identification of a device.
Settings
Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter to allow easier understanding.
Floating Network Devices
Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.
Caution
Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.
For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.
When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.
When a floating network device is unplugged, PacketFence will reconfigure the port as it was before it was plugged in.
How it works
Configuration:
- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are
When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:
- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps
When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:
- it enables port-security
- it disables linkdown traps
Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices
Here are the settings that are available:
- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the Vlans that have to be tagged on the port.
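The trap handling described above, as an added example that is not PacketFence code: it reads a floating_network_device.conf-style file (the contents below are constructed for the example), recognises a port-security trap whose MAC belongs to a floating device, and derives the port changes for that trap and for the later linkdown trap, remembering which ports hold a floating device so a linkdown trap elsewhere is ignored. The switch name, ifIndex values and action strings are assumptions of this example.

```python
import configparser

# Constructed sample of conf/floating_network_device.conf for this example.
FLOATING_CONF = """
[00:11:22:33:44:55]
ip=10.0.5.20
trunkPort=yes
pvid=10
taggedVlan=20,30

[66:77:88:99:aa:bb]
trunkPort=no
pvid=40
"""


def load_floating_devices(text):
    """Parse the sections into {mac: {trunk, pvid, tagged}}; keys stay case-sensitive."""
    cp = configparser.ConfigParser()
    cp.optionxform = str            # keep trunkPort / taggedVlan as written
    cp.read_string(text)
    devices = {}
    for mac in cp.sections():
        section = cp[mac]
        devices[mac.lower()] = {
            "trunk": section.get("trunkPort", "no").lower() == "yes",
            "pvid": int(section["pvid"]),
            "tagged": [int(v) for v in section.get("taggedVlan", "").split(",") if v],
        }
    return devices


class FloatingDeviceHandler:
    def __init__(self, devices):
        self.devices = devices
        self.floating_ports = {}    # (switch, ifIndex) -> MAC of the floating device there

    def port_security_trap(self, switch, ifindex, mac):
        """Port-security traps are the only traps enabled; decide what to do with one."""
        dev = self.devices.get(mac.lower())
        if dev is None:
            # Not a floating device: normal handling, VLAN by status and MAC authorized.
            return ["regular device: assign VLAN by status, authorize MAC on port"]
        actions = ["disable port-security", f"set PVID {dev['pvid']}"]
        if dev["trunk"]:
            actions.append(f"set port as trunk, tagged VLANs {dev['tagged']}")
        actions.append("enable linkdown traps")
        self.floating_ports[(switch, ifindex)] = mac.lower()
        return actions

    def linkdown_trap(self, switch, ifindex):
        """Linkdown traps only exist on ports we enabled them on; restore the port."""
        if (switch, ifindex) not in self.floating_ports:
            return []
        del self.floating_ports[(switch, ifindex)]
        return ["enable port-security", "disable linkdown traps"]
```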
OAuth2 Authentication
Note: OAuth2 authentication does not work with WebAuth enforcement.
The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.
For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider login page. This list is available in each OAuth2 authentication source.
In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
Save the file and issue a sysctl -p to update the OS config.
You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).
Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada: google.ca, France: google.fr, etc.).
Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Google as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).
Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Facebook as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Caution
By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.
GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add GitHub as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add LinkedIn as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Also, LinkedIn requires a state parameter in the authorization URL. If you modify it, make sure to add it at the end of your URL.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Twitter as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.
Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.
Moreover, don't forget to add Windows Live as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.
Passthrough
In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.
There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.
DNS passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer with the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.
mod_proxy passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer with the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.
These two methods can be used together, but DNS-based passthroughs have higher priority.
Production DHCP access
In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses to IP addresses.
For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.
Also note that this doesn't need to be done for the registration and isolation VLANs and the inline interfaces, since PacketFence acts as the DHCP server in these networks.
IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works best.
Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IP was distributed to which node using a pfdhcplistener daemon.
By default, no DHCP server should be running on the interface where you are sending the requests. This is by design: otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
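What a passive listener on that interface has to do, as an added example that is not pfdhcplistener's code: it parses the BOOTP/DHCP message an ip helper-address (or a mirror port) delivers, and only a DHCPACK from the real server updates the MAC to IP table; DISCOVER/REQUEST/OFFER are observed and never answered, which is why no DHCP server may run on the listener interface. The packet builder and the IpLog table layout are constructed for this example.

```python
import socket
import struct
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie at offset 236 (RFC 2131)
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPOFFER, DHCPREQUEST, DHCPACK = 2, 3, 5
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 51, 53, 255


def parse_dhcp(packet):
    """Return (op, client MAC, yiaddr, {option code: raw value}) from a UDP payload."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen = struct.unpack_from("!BBB", packet, 0)
    yiaddr = socket.inet_ntoa(packet[16:20])          # "your" address the server assigns
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                                  # pad byte, no length field
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return op, mac, yiaddr, options


class IpLog:
    """MAC -> (IP, lease expiry); the table PacketFence needs for access control."""

    def __init__(self):
        self.table = {}

    def observe(self, packet, now=None):
        """Record an assignment only when the server acknowledges it; never reply."""
        op, mac, yiaddr, options = parse_dhcp(packet)
        msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
        if op != BOOTREPLY or msg_type != DHCPACK:
            return None
        lease = struct.unpack("!I", options.get(OPT_LEASE_TIME, b"\x00" * 4))[0]
        now = time.time() if now is None else now
        self.table[mac] = (yiaddr, now + lease)
        return mac, yiaddr


def build_dhcp(op, msg_type, mac, yiaddr="0.0.0.0", lease=None):
    """Constructed test packet: fixed BOOTP header, magic cookie, a few options."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    addrs = b"\x00" * 4 + socket.inet_aton(yiaddr) + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    body = hdr + addrs + chaddr + b"\x00" * 192 + DHCP_MAGIC       # sname + file are zeroed
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:
        opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    return body + opts + bytes([OPT_END])
```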
Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.
/etc/sysconfig/network-scripts/ifcfg-eth2:
    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none
Add to pf.conf (the IPs are not important, they are there only so that PacketFence will start):
    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1
Restart PacketFence and you should be good to go.
InterfaceineveryVLANBecauseDHCPtrafficisbroadcasttrafficanalternativeforsmallnetworkswithfewlocalVLANsistoputaVLANinterfaceforeveryVLANonthePacketFenceserverandhaveapfdhcplistenerlistenonthatVLANinterface
OnthenetworksideyouneedtomakesurethattheVLANtrulyreachesallthewayfromyourclienttoyourDHCPinfrastructureuptothePacketFenceserver
OnthePacketFencesidefirstyouneedanoperatingsystemVLANinterfaceliketheonebelowStoredinetcsysconfignetwork-scriptsifcfg-eth01010
Engineering VLANDEVICE=eth01010ONBOOT=yesBOOTPROTO=staticIPADDR=1001014NETMASK=2552552550VLAN=yes
ThenyouneedtospecifyinpfconfthatyouareinterestedinthatVLANrsquosDHCPbysettingtypetodhcp-listener
[interface eth01010]mask=2552552550type=dhcp-listenergateway=1001011ip=1001014
RepeattheaboveforallyourproductionVLANsthenrestartPacketFence
HostproductionDHCPonPacketFenceItrsquosanoptionJustmodifyconfdhcpdconfsothat itwillhostyourproductionDHCPproperlyandmakesurethatapfdhcplistenerrunsonthesameinterfacewhereproductionDHCPrunsHoweverpleasenotethatthisisNOTrecommendedSeethistickettoseewhy
Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy-to-use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

The same ACL, with 192.168.3.1 as the permitted host and helper address, is needed on the VLAN 30 isolation interface; a routed subnet without it is open to any resolver the client chooses.

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
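The consistency rules implied above (helper addresses must point at an internal interface, the next hop must be reachable from a local network, clients must get PacketFence as their resolver) are easy to get wrong by hand. The following is an added example for this edit, not part of PacketFence: it loads a networks.conf excerpt built from the page's example, reports the inconsistencies that silently break DHCP relay or let clients escape the portal, and generates the IOS ACL and helper-address stanza shown above for each routed network. The VLAN_OF mapping is an assumption of the example, since networks.conf does not record which VLAN carries a routed subnet.

```python
"""Added example, not PacketFence code: check the routed-network entries of networks.conf and
derive the access-router configuration shown on this page from them. Assumptions: the excerpt is
the page's own, the router syntax is Cisco IOS as in the page's ACL, and VLAN_OF is made up here.
"""
import configparser
import ipaddress

# Constructed from the page's example (the real file is /usr/local/pf/conf/networks.conf).
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
type=vlan-registration
[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
dns=192.168.3.1
type=vlan-isolation
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
type=vlan-registration
[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
dns=192.168.3.1
type=vlan-isolation
"""
# IPs of the internal interfaces declared in pf.conf ([interface eth0.2] and [interface eth0.3]).
INTERNAL_IPS = {ipaddress.ip_address("192.168.2.1"), ipaddress.ip_address("192.168.3.1")}
VLAN_OF = {"192.168.20.0": 20, "192.168.30.0": 30}   # assumed mapping, not part of networks.conf


def load_networks(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    nets = {}
    for name in cp.sections():
        s = cp[name]
        nets[name] = {
            "network": ipaddress.ip_network(f"{name}/{s['netmask']}"),
            "gateway": ipaddress.ip_address(s["gateway"]),
            "next_hop": ipaddress.ip_address(s["next_hop"]) if s.get("next_hop") else None,
            "dns": ipaddress.ip_address(s["dns"]),
            "type": s["type"],
        }
    return nets


def check_network(name, nets):
    """Return the problems found in one section (an empty list means it is consistent)."""
    net, problems = nets[name], []
    if net["gateway"] not in net["network"]:
        problems.append(f"{name}: gateway {net['gateway']} is outside the subnet")
    if net["dns"] not in INTERNAL_IPS:
        # Clients must get a resolver PacketFence controls, or the portal redirect never happens.
        problems.append(f"{name}: dns {net['dns']} is not a PacketFence internal interface")
    if net["next_hop"] is None:
        # Local network: PacketFence itself is the gateway, so it must be an internal interface.
        if net["gateway"] not in INTERNAL_IPS:
            problems.append(f"{name}: local network but gateway is not an internal interface")
    else:
        # Routed network: the next hop must sit on a locally attached subnet, otherwise the
        # return route PacketFence installs for this network points nowhere.
        local = [n["network"] for n in nets.values() if n["next_hop"] is None]
        if not any(net["next_hop"] in subnet for subnet in local):
            problems.append(f"{name}: next_hop {net['next_hop']} is not on any local network")
    return problems


def router_config(name, nets):
    """IOS snippet for a routed network: relay DHCP to PacketFence, allow only PacketFence and DHCP."""
    net = nets[name]
    pf_ip = net["dns"]    # in this design the DNS address is the PacketFence internal interface
    vlan = VLAN_OF[name]
    acl = f"PF_{net['type'].split('-', 1)[1].upper()}_{vlan}"
    return "\n".join([
        f"ip access-list extended {acl}",
        f" permit ip any host {pf_ip}",   # portal, pfdns and dhcpd all answer from this address
        " permit udp any any eq 67",      # DHCP broadcasts, picked up by the helper-address
        " deny ip any any log",           # everything else, including hand-picked resolvers
        f"interface vlan {vlan}",
        f" ip address {net['gateway']} {net['network'].netmask}",
        f" ip helper-address {pf_ip}",
        f" ip access-group {acl} in",
    ])


if __name__ == "__main__":
    nets = load_networks(NETWORKS_CONF)
    print({n: check_network(n, nets) for n in nets}, router_config("192.168.20.0", nets), sep="\n")
```

Run it against your own networks.conf before touching the routers: a dns= value that is not one of the internal interfaces, or a next_hop that is not on a locally attached subnet, is reported before it costs you a site visit.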
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7 there is a NAP service installed that can relay health information (anti-virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence. Keep in mind that the health statement is produced by the client's own agent and is not bound to the actual state of the machine, so treat SoH as a hygiene check rather than a control against a hostile device.

Installation

By default we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start= auto
    sc start napagent

    rem Wired 802.1X
    sc config dot3svc start= auto depend= napagent
    sc start dot3svc

    netsh nap client show config

    rem get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN, or to do a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default one, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

Condition names must be unique within the file: the third example redefines [igmout] with a different filter than the second one, so rename one of them if you combine these examples in the same vlan_filters.conf.

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer, or to do a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:

- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

With merge_answer = no the rule's answer replaces the one PacketFence computed, so a rule written this way must itself carry every attribute (VLAN, ACL name, session timeout) the switch expects.

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
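The VLAN filter and RADIUS filter sections above share one syntax: named condition blocks, rule blocks whose name is an id and an `&`-joined expression of condition names (with `!` for negation), and `$variable` substitution in the rule's output. The following is an added example for this edit, not PacketFence's own filter engine: a small evaluator for that syntax that reads the page's first VLAN example and the RADIUS Cisco-AVPair example, applies them to constructed request contexts, and expands the answer template. The `wd {...} hr {...}` time-window parsing and the first-matching-rule-wins ordering are this example's choices; the timestamps and contexts are constructed.

```python
"""Added example, not PacketFence code: an evaluator for the filter syntax of vlan_filters.conf
and radius_filters.conf on this page (named conditions, '&'/'!' rule expressions, the time window
and $variable substitution in a RADIUS answer). Contexts and timestamps are constructed; the
first-match-wins ordering is this example's assumption.
"""
import configparser
import re
from datetime import datetime

VLAN_FILTERS_CONF = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""
RADIUS_FILTERS_CONF = """
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id
"""
DAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}
# Constructed timestamps: 2016-06-08 is a Wednesday, 2016-06-11 a Saturday.
WED_NOON, WED_AFTERNOON = datetime(2016, 6, 8, 12, 30), datetime(2016, 6, 8, 15, 0)
SAT_NOON = datetime(2016, 6, 11, 12, 30)


def parse_filters(text):
    """Split a filters file into named conditions and '[id:expr]' rules, in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        if ":" in name:
            rule_id, expr = name.split(":", 1)
            rules.append({"id": rule_id, "expr": expr, **dict(cp[name])})
        else:
            conditions[name] = dict(cp[name])
    return conditions, rules


def lookup(ctx, path):
    """Resolve dotted names such as node_info.category or radius_request.Calling-Station-Id."""
    for part in path.split("."):
        ctx = ctx.get(part) if isinstance(ctx, dict) else None
    return ctx


def parse_hour(text):  # '11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip())
    return int(m.group(1)) % 12 + (12 if m.group(2) == "pm" else 0)


def in_time_spec(spec, now):
    """'wd {Mon Tue Wed Thu Fri} hr {11am-2pm}': true when every listed window contains now."""
    ok = True
    for key, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if key == "wd":
            ok = ok and now.weekday() in {DAYS[d] for d in body.split()}
        else:
            start, end = body.split("-")
            ok = ok and parse_hour(start) <= now.hour < parse_hour(end)
    return ok


def condition_true(cond, ctx, now):
    if cond["filter"] == "time":
        return in_time_spec(cond["value"], now)
    op, actual = cond["operator"], lookup(ctx, cond["filter"])
    if op == "defined":
        return actual is not None
    if op == "is":
        return actual == cond["value"]
    if op == "match":
        return actual is not None and re.search(cond["value"], str(actual)) is not None
    raise ValueError(f"unknown operator {op!r}")


def evaluate(scope, conditions, rules, ctx, now):
    """Return the first rule of `scope` whose '&'-joined terms all hold ('!' negates a term)."""
    for rule in rules:
        if rule.get("scope") != scope:
            continue
        terms = [t.strip() for t in rule["expr"].split("&")]
        if all(condition_true(conditions[t.lstrip("!")], ctx, now) != t.startswith("!") for t in terms):
            return rule
    return None


def expand(template, ctx):
    """Replace $user_role, $switch._portalURL, $session_id ... with values from the context."""
    def sub(m):
        value = lookup(ctx, m.group(1))
        return m.group(0) if value is None else str(value)
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_.]*)", sub, template)
```

The evaluator fails loudly on a rule that references an undefined condition (KeyError), which is the behaviour you want from a test harness: a silently ignored term turns a deny rule into an allow rule.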
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, ...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode used by itself can be bypassed by the device by using a different DNS server or by using its own DNS cache. A device that already knows the IP address it wants never asks pfdns at all, which is another reason the ACL below is not optional.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single Sign-On on your network equipment. Please see the Firewall Single Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note

If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
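The decision pfdns makes, as described in the architecture list above, can be shown at the DNS wire level. The following is an added example written for this edit, not pfdns itself: a device that must still see the portal gets an A answer pointing at the captive portal with a zero TTL (so nothing stays cached after it registers, which is this example's choice rather than a documented pfdns value), a registered device gets the name resolved upstream, and an unknown name gets NXDOMAIN. The portal address, the registered-device set and the upstream table are constructed so the code runs offline.

```python
"""Added example, not PacketFence code: the decision pfdns makes under DNS enforcement, carried
down to the DNS wire format. A device that still has to see the portal gets an A answer pointing
at the captive portal with TTL 0 so nothing stays cached after it registers; a registered device
gets the name resolved upstream (stubbed here with a constructed table so the example runs offline).
"""
import struct

PORTAL_IP = "192.168.2.1"                          # assumed: the interface set to DNS enforcement mode
REGISTERED = {"00:11:22:33:44:55"}                 # constructed: devices that completed registration
UPSTREAM = {"www.example.com.": "93.184.216.34"}   # constructed stand-in for external resolution
PORTAL_TTL, UPSTREAM_TTL = 0, 300                  # this example's choice, not pfdns's own values
HEADER = "!HHHHHH"                                 # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after it); follows a compression pointer (0xC0xx) if present."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode())
        off += length


def build_query(qid, qname, qtype=1):
    """A-record query as a stub resolver would send it (flags: recursion desired)."""
    return struct.pack(HEADER, qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decide(mac, qname):
    """pfdns policy: not registered -> portal; registered -> real answer, or None for NXDOMAIN."""
    if mac not in REGISTERED:
        return PORTAL_IP, PORTAL_TTL
    ip = UPSTREAM.get(qname)
    return (ip, UPSTREAM_TTL) if ip else (None, 0)


def respond(query, mac):
    """Build the response pfdns would send to `query` coming from the device with `mac`."""
    qid = struct.unpack(HEADER, query[:12])[0]
    qname, off = decode_name(query, 12)
    qtype = struct.unpack("!HH", query[off:off + 4])[0]
    question = query[12:off + 4]
    if qtype != 1:                                   # only A queries are answered in this example
        return struct.pack(HEADER, qid, 0x8180, 1, 0, 0, 0) + question
    ip, ttl = decide(mac, qname)
    if ip is None:                                   # QR|RD|RA with rcode 3 (NXDOMAIN)
        return struct.pack(HEADER, qid, 0x8183, 1, 0, 0, 0) + question
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack(HEADER, qid, 0x8180, 1, 1, 0, 0) + question + rr


def parse_response(resp):
    """Return {'id', 'rcode', 'name', 'ip', 'ttl'} for a response carrying at most one A record."""
    qid, flags, qd, an = struct.unpack(HEADER, resp[:12])[:4]
    qname, off = decode_name(resp, 12)
    off += 4
    out = {"id": qid, "rcode": flags & 0xF, "name": qname, "ip": None, "ttl": None}
    if an:
        _, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata = resp[off + 10:off + 10 + rdlen]
        out.update(ip=".".join(str(b) for b in rdata), ttl=ttl)
    return out


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com.")
    for mac in ("de:ad:be:ef:00:01", "00:11:22:33:44:55"):
        print(mac, parse_response(respond(q, mac)))
```

The device identity here comes from the MAC, which pfdns knows only because PacketFence's DHCP server handed out the lease; that dependency is why the page insists that DHCP must also be served by PacketFence in this mode.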
Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enables setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P-type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence-compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.
Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5

Note

To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence-based AND Suricata-based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

    # PacketFence OPSWAT Metadefender Cloud integration
    # This line specifies where the files-json.log file is located
    # -> Make sure to configure the right path along with the right filename
    source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
    # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514
    # -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
    log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

    if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

- Type: metascan. Trigger ID: the scan result returned by Metadefender Cloud online.
- Type: suricata_md5. Trigger ID: the MD5 hash returned by Suricata.
Security Onion

Installation and Configuration

Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

    # PacketFence IDS integration
    # This line specifies where the sguild.log file is located
    # -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
    source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
    # This line filters on the string "Alert Received"
    filter f_sguil { match("Alert Received"); };
    # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514
    # -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
    log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

    if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

Both the Suricata and the Security Onion feeds arrive over plain UDP syslog, which carries no authentication: anything able to send a datagram to port 514 on the management interface can raise a violation against any MAC it names. Restrict that port to the sensor's address, with the host firewall or with rsyslog's legacy $AllowedSender UDP, <sensor IP> directive placed before $UDPServerRun.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

- Type: detect. Trigger ID: the IDS triggered rule ID.
- Type: suricata_event. Trigger ID: the rule class of the triggered IDS alert.
Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated peer-to-peer traffic and that are using Mac OS X, or have a malware and are using Microsoft Windows.

Violation definition

First you need to configure the violation definition.

Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-1200099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has their email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised. The command runs with PacketFence's privileges, so never interpolate attacker-controlled values (hostnames, user agents, usernames) into it without quoting.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.

Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After this many, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1 you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, per example, that you are able to activate a scan for a specific operating system only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus server and to create a user for PacketFence.

Note

You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.

For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory. The account PacketFence uses for WMI queries gets remote access to every scanned machine, so create a dedicated account with only the WMI namespace and DCOM permissions it needs rather than using a domain administrator.
Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (optional)
- OS: only devices with this operating system will be affected (optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan on registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1X: even if auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1X types: comma-delimited EAP types that will trigger the scan if 802.1X above has been enabled

Specific to Nessus:

- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to Nessus
- Password: password to connect to Nessus
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to OpenVAS
- Password: password to connect to OpenVAS
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server

Specific to WMI:

- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration -> WMI Rules Definition
WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI rules. WMI is a sort of database on each Windows device; to retrieve information on the device you need to know the SQL request. In order to help you find and make a rule, you can use a third-party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

    request: select * from Win32_Product

Rules Actions:

    [Google]
    attribute = Caption
    operator = match
    value = Google

    [1:Google]
    action = trigger_violation
    action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device. Be aware that a query against Win32_Product is slow and makes Windows Installer run a consistency check on every installed package on the target, so on a large registration network a narrower query is preferable.

The second one, logged_user:

    request: select UserName from Win32_ComputerSystem

Rules Actions:

    [UserName]
    attribute = UserName
    operator = match
    value = (.*)

    [1:UserName]
    action = dynamic_register_node
    action_param = mac = $mac, username = $result->UserName

This rule will do the following: retrieve the currently logged-in user on the device and register the device based on that user account.

The last one, Process_Running:

    request: select Name from Win32_Process

Rules Actions:

    [explorer]
    attribute = Name
    operator = match
    value = explorer.exe

    [1:explorer]
    action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

- The request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.
- Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).
- The test block is a simple test based on the result of the request:
  - attribute is the attribute you want to test
  - operator can be is, is_not, match, match_not
  - value is the value you want to compare
- Feel free to define multiple test blocks.
- The action block is where you will define your logic. Per example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

    trigger=Nessus::<violationId>

Using OpenVAS:

    trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:

    $ pfcmd reload violations

Note

Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:

- PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.
RADIUSAccounting
RADIUSAccountingisusuallyusedbyISPstobillclientsInPacketFenceweareabletousethisinformationtodetermineifthenodeisstillconnectedhowmuchtimeithasbeenconnectedandhowmuchbandwitdhtheuserconsumed
ViolationsUsingPacketFence it ispossible toaddviolations to limitbandwidthabuseThe formatof thetriggerisverysimple
Accounting[DIRECTION][LIMIT][INTERVAL(optional)]
Letrsquosexplaineachchunkproperly
DIRECTIONYoucaneithersetalimittoinbound(IN)outbound(OUT)ortotal(TOT)bandwidth LIMIT You can set a number of bytes(B) kilobytes(KB) megabytes(MB) gigabytes(GB) orpetabytes(PB)
INTERVALThisisactuallythetimewindowwewilllookforpotentialabuseYoucansetanumberofdays(D)weeks(W)months(M)oryears(Y)
Exampletriggers LookforIncoming(Download)trafficwitha50GBmonth
AccountingIN50GB1M
LookforOutgoing(Upload)trafficwitha500MBday
AccountingOUT500MB1D
LookforTotal(Download+Upload)trafficwitha200GBlimitinthelastweek
Accounting::TOT200GB1W
Grace period
When using such a violation feature, setting the grace period is really important. You don't want to put it too low (ie. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
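The trigger grammar above is small enough to parse by hand. The following Python is an added example, not PacketFence code: it parses an Accounting:: trigger into direction, byte limit and time window, then sums constructed accounting records for one MAC inside that window and compares the sum with the limit. The record layout, the fixed day counts used for M and Y, the mapping of Acct-Output-Octets to "download", and the rule that a trigger without INTERVAL counts every record are assumptions made here.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Tuple

# Multipliers for the LIMIT unit named in the trigger format.
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Length of one INTERVAL unit; the fixed day counts for M and Y are an assumption.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

# Accounting::[DIRECTION][LIMIT][INTERVAL(optional)], e.g. Accounting::IN50GB1M
TRIGGER_RE = re.compile(
    r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


class Trigger(NamedTuple):
    direction: str                 # IN, OUT or TOT
    limit_bytes: int
    window: Optional[timedelta]    # None when no INTERVAL was given


class AcctRecord(NamedTuple):
    """One closed RADIUS accounting session (constructed layout for this example)."""
    stop_time: datetime
    mac: str
    download: int   # Acct-Output-Octets: NAS -> user, i.e. inbound to the client
    upload: int     # Acct-Input-Octets: user -> NAS, i.e. outbound from the client


def parse_trigger(text: str) -> Trigger:
    m = TRIGGER_RE.match(text)
    if not m:
        raise ValueError(f"not an Accounting trigger: {text!r}")
    direction, qty, unit, count, iunit = m.groups()
    window = timedelta(days=int(count) * INTERVAL_DAYS[iunit]) if count else None
    return Trigger(direction, int(qty) * UNIT_BYTES[unit], window)


def octets_for(rec: AcctRecord, direction: str) -> int:
    if direction == "IN":
        return rec.download
    if direction == "OUT":
        return rec.upload
    return rec.download + rec.upload


def exceeds(trigger: Trigger, records: List[AcctRecord], mac: str,
            now: datetime) -> Tuple[bool, int]:
    """Sum the relevant octets for `mac` inside the trigger window (all records
    when there is no window) and compare with the limit.
    Returns (limit_exceeded, total_bytes)."""
    total = 0
    for rec in records:
        if rec.mac != mac:
            continue
        if trigger.window is not None and rec.stop_time < now - trigger.window:
            continue   # older than the INTERVAL: ignored
        total += octets_for(rec, trigger.direction)
    return total > trigger.limit_bytes, total


# Constructed sample data: two clients, sessions closed at various ages.
NOW = datetime(2016, 6, 15, 12, 0, 0)
GB = 1024 ** 3
MB = 1024 ** 2
SAMPLE = [
    AcctRecord(NOW - timedelta(days=2),  "00:11:22:33:44:55", 30 * GB, 1 * GB),
    AcctRecord(NOW - timedelta(days=10), "00:11:22:33:44:55", 25 * GB, 1 * GB),
    AcctRecord(NOW - timedelta(days=40), "00:11:22:33:44:55", 100 * GB, 5 * GB),
    AcctRecord(NOW - timedelta(hours=6), "aa:bb:cc:dd:ee:ff", 1 * GB, 600 * MB),
]


def check_sample(trigger_text: str, mac: str) -> bool:
    """True when `mac` exceeds the trigger over the constructed sample."""
    return exceeds(parse_trigger(trigger_text), SAMPLE, mac, NOW)[0]


if __name__ == "__main__":
    for t in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        for mac in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"):
            hit, total = exceeds(parse_trigger(t), SAMPLE, mac, NOW)
            print(f"{t:24} {mac}  {total / GB:8.2f} GB  {'VIOLATION' if hit else 'ok'}")
```

Running the block shows the 40-day-old session being ignored by the 1M window while still counting for a trigger with no INTERVAL, which is the difference between an abuse check over a window and a lifetime quota.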
Oinkmaster
Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.
Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:
1. Untar the freshly downloaded Oinkmaster
2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.
Rules update
In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management
PacketFence supports the ability to manage guests by establishing expire dates and assigning different roles which will permit different accesses to the network resources.
Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.
PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor and the sponsor must click on a link and authenticate in order to enable the guest's access.
Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.
The admin GUI allows PacketFence administrators or guests managers to create single accounts, multiple accounts using a prefix (ie. guest1, guest2, guest3...) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.
Usage
Guest self-registration
Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.
Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.
Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup
Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
[guests_self_registration]
guest_pid=email
preregistration=disabled
These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.
Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.
Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtp server, make sure that a MTA is installed and configured on the server.
Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Self-registered guests are added under the users tab of the PacketFence Web administration interface.
Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.
Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.
[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h
The format of the duration is as follows:
<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
Let's explain the meaning of each parameter:
DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.
From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
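The duration format above is easy to get wrong when typing access_duration_choices by hand, so a parser that turns a spec and a start time into an expiry is useful both for validating the list and for seeing what F and R actually mean. The Python below is an added example, not PacketFence's implementation. It follows the description on this page; the exact reading of R (truncate the start time to the beginning of its unit, weeks starting on Monday, before adding the duration), calendar month/year arithmetic with day clamping, and the expiry() string front end are assumptions made here.

```python
import calendar
import re
from datetime import datetime, timedelta
from typing import List

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")


def add_units(base: datetime, n: int, unit: str) -> datetime:
    """Add n units (negative n subtracts). M and Y are calendar months/years,
    clamped to the last valid day of the target month (assumption)."""
    if unit == "s":
        return base + timedelta(seconds=n)
    if unit == "m":
        return base + timedelta(minutes=n)
    if unit == "h":
        return base + timedelta(hours=n)
    if unit == "D":
        return base + timedelta(days=n)
    if unit == "W":
        return base + timedelta(weeks=n)
    months = n if unit == "M" else 12 * n            # unit is M or Y
    total = base.month - 1 + months
    year, month = base.year + total // 12, total % 12 + 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return base.replace(year=year, month=month, day=day)


def period_start(moment: datetime, unit: str) -> datetime:
    """Beginning of the period unit containing `moment` (weeks start on Monday)."""
    if unit == "s":
        return moment.replace(microsecond=0)
    if unit == "m":
        return moment.replace(second=0, microsecond=0)
    if unit == "h":
        return moment.replace(minute=0, second=0, microsecond=0)
    day = moment.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)                 # unit is Y


def access_end(spec: str, start: datetime) -> datetime:
    """Expiry of an access duration spec counted from `start`.
    F counts from `start` itself; R counts from the start of the unit."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"bad access duration: {spec!r}")
    count, unit, base_kind, op, ext_count, ext_unit = m.groups()
    base = period_start(start, unit) if base_kind == "R" else start
    end = add_units(base, int(count), unit)
    if op:
        end = add_units(end, int(ext_count) * (1 if op == "+" else -1), ext_unit)
    return end


def expiry(spec: str, start_iso: str) -> str:
    """String front end, e.g. expiry("1DR+1D", "2016-06-15 10:30:00")."""
    return access_end(spec, datetime.fromisoformat(start_iso)).isoformat(sep=" ")


def invalid_choices(choices: str) -> List[str]:
    """Entries of an access_duration_choices value that do not parse."""
    return [c.strip() for c in choices.split(",") if not DURATION_RE.match(c.strip())]


if __name__ == "__main__":
    for spec in ("12h", "1D", "1DF+1D", "1DR+1D", "1WR-1D", "1M"):
        print(f"{spec:8} from 2016-06-15 10:30:00 -> {expiry(spec, '2016-06-15 10:30:00')}")
    print("invalid entries:", invalid_choices("1h,3h,12h,1D,2D,3D,5D,2x"))
```

The difference between 1DF+1D and 1DR+1D in the output is the point of PERIOD_BASE: the fixed form expires two days after the exact start time, the relative form at midnight two days after the start of the day.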
Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:
[guests_self_registration]
preregistration=enabled
This parameter can also be configured from the Configuration → Self Registration section.
Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.
Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtp server, make sure that a MTA is installed and configured on the server.
Active Directory Integration
Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: the PacketFence web services certificate is not validated
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4726 is the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General
Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1
Settings
At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.
Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: the PacketFence web services certificate is not validated
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4725 is the name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID:
Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General
Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1
Settings
At the bottom, select in the list: Run a new instance in parallel
Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: the PacketFence web services certificate is not validated
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4740 is the name of the locked-out account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()
    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc
Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task
General
Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges
Triggers → New
Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740
Actions → New
Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1
Settings
At the bottom, select in the list: Run a new instance in parallel
Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
DHCP remote sensor
The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than the DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.
These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.
Microsoft DHCP sensor
You will first need to download and install WinPcap, available from: http://www.winpcap.org/install/
You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from: http://www.microsoft.com/download/details.aspx?id=5555
Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.
Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe
Create the directory C:\udp-reflector and move the downloaded file inside.
Now we will create a service so the reflector starts on boot.
First, download and unzip nssm from: https://nssm.cc/download
Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:
C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000
Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run: nssm install udpreflector
In Application:
In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing
In Details:
In Startup type, select Automatic
In Log on:
In Log on as, select Local System account
Then press Install service.
The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor
First, download the RPM on your DHCP server.
CentOS 6 and 7 servers
For CentOS 6:
# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
For CentOS 7:
# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm
Now install the sensor:
rpm -i udp-reflector-*.rpm
Compiling the sensor from source on a Linux system
First, make sure you have the following packages installed:
libpcap libpcap-devel gcc-c++
Get the source code of the sensor:
mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap
Configuring the sensor
Place the following line in /etc/rc.local:
where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l)
where 192.168.1.5 is the management IP of your PacketFence server
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
Start the sensor:
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &
The DHCP traffic should now be reflected on your PacketFence server.
Switch login access
PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action Switches CLI - Read or Switches CLI - Write, and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices
IPTables
IPTables is now entirely managed by PacketFence. The default template should work for most users; however, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs.
Log Rotations
PacketFence can generate a lot of log entries in huge production environments. This is why we recommend to use logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons, and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.
Performance optimization
SNMP Traps Limit
PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.
Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.
Here's the default config for the SNMP traps limit feature. As you can see, by default, PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:
[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =
Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
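A simple way to see what trap_limit_threshold does is to count traps per switch port inside a sliding one-minute window and report a port the first time its count passes the threshold. The Python below is an added example, not PacketFence's own logic: the trap log line layout and the sample traffic are constructed here, traps are assumed to arrive in time order, and what happens once a port trips is left to the caller, since the possible trap_limit_action values are not listed on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log line layout for this example (not PacketFence's own format):
# "2016-06-15 12:00:00 switch=192.168.1.10 port=12 trap=linkUp"
LINE_RE = re.compile(r"^(\S+ \S+) switch=(\S+) port=(\d+) trap=(\S+)$")
WINDOW = timedelta(minutes=1)   # the page's "in a minute"

Key = Tuple[str, int]           # (switch, port)


class TrapLimiter:
    """Sliding one-minute window of trap timestamps per (switch, port).
    Traps must be fed in time order.  A port is reported once, the first time
    its count inside the window exceeds the threshold."""

    def __init__(self, threshold: int = 100):
        self.threshold = threshold
        self.windows: Dict[Key, Deque[datetime]] = defaultdict(deque)
        self.tripped: set = set()

    def record(self, when: datetime, switch: str, port: int) -> Optional[Key]:
        key = (switch, port)
        window = self.windows[key]
        window.append(when)
        while window and when - window[0] > WINDOW:
            window.popleft()            # forget traps older than one minute
        if len(window) > self.threshold and key not in self.tripped:
            self.tripped.add(key)
            return key                  # the caller applies trap_limit_action here
        return None


def process_log(lines: List[str], threshold: int = 100) -> List[Key]:
    """Feed log lines through the limiter; returns the ports that tripped, in order."""
    limiter = TrapLimiter(threshold)
    tripped = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # not a trap line
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        hit = limiter.record(when, m.group(2), int(m.group(3)))
        if hit:
            tripped.append(hit)
    return tripped


def build_sample_log() -> List[str]:
    """Constructed sample: port 12 sends 101 traps in 50 s (a storm), port 13
    sends 101 traps spread over 200 s (never more than 31 inside one minute)."""
    base = datetime(2016, 6, 15, 12, 0, 0)
    lines = []
    for i in range(101):
        stamp = base + timedelta(seconds=i // 2)
        lines.append(f"{stamp:%Y-%m-%d %H:%M:%S} switch=192.168.1.10 port=12 trap=linkUp")
    for i in range(101):
        stamp = base + timedelta(seconds=2 * i)
        lines.append(f"{stamp:%Y-%m-%d %H:%M:%S} switch=192.168.1.10 port=13 trap=linkDown")
    lines.sort()                        # fixed-width timestamps sort chronologically
    return lines


if __name__ == "__main__":
    for switch, port in process_log(build_sample_log()):
        print(f"trap limit reached on {switch} port {port}: apply trap_limit_action")
```

With the default threshold only port 12 is reported; lowering the threshold to 30 also catches port 13, which shows why the threshold has to be set above the trap rate a healthy, flapping port can legitimately produce.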
MySQL optimizations
Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:
Check the system load:
# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU:
# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880
As you can see, the load is 1.25 and IOWait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:
mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |
PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.
Shutdown PacketFence and MySQL:
# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]
Edit /etc/my.cnf (or your local my.cnf):
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON
Startup MySQL and PacketFence:
# /etc/init.d/mysqld start
Starting MySQL: [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]
Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:
# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240
MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:
/usr/local/bin/pftest mysql
Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).
We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.
Avoid "Too many connections" problems
In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.
Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default), it will lock the host out with a:
Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
Captive Portal Optimizations
Avoid captive portal overload due to non-browser HTTP requests
By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.
Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.
Filters are defined with at least two blocks. First are the tests. For example:
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204
The last block defines the relationship between the tests and the desired action. For example:
[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
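Both the scan Rules Actions earlier in this chapter (test blocs such as [explorer] combined in an action bloc such as [1:!google|(explorer&memory)]) and the Apache filters above use the same two-block shape: named tests over one attribute with is / is_not / match / match_not, and a header [name:EXPR] that combines test names with !, & and |. The Python below is an added example, not PacketFence's implementation, that evaluates that shape against a request or a query result. The config text is a constructed copy of the filter above; match is taken to be a regular-expression search, a method key is taken to restrict the test to that HTTP method, and & is assumed to bind tighter than |. These are assumptions, not documented behaviour.

```python
import configparser
import re

# Constructed copy of the apache_filters.conf example from the text above.
APACHE_FILTERS = """[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""

def tokenize(expr):
    """Split "!google|(explorer&memory)" into test names and operators."""
    expr = expr.replace(" ", "")
    tokens = [a or b for a, b in re.findall(r"(\w+)|([!&|()])", expr)]
    if "".join(tokens) != expr:
        raise ValueError(f"unexpected character in rule expression {expr!r}")
    return tokens

class _Parser:
    # expr = term ('|' term)*; term = factor ('&' factor)*; factor = '!' factor | '(' expr ')' | NAME
    def __init__(self, tokens, results):
        self.toks, self.i, self.results = tokens, 0, results
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def expr(self):
        value = self.term()
        while self.peek() == "|":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value
    def term(self):
        value = self.factor()
        while self.peek() == "&":
            self.take()
            rhs = self.factor()
            value = value and rhs
        return value
    def factor(self):
        tok = self.take()
        if tok == "!":
            return not self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok not in self.results:
            raise ValueError(f"unknown test {tok!r}")
        return self.results[tok]

def evaluate(expr, results):
    """True when an action-block expression holds for the given test results."""
    parser = _Parser(tokenize(expr), results)
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return bool(value)

def run_test(section, record, key_field):
    """One test block against one record; key_field is "attribute" for scan rules and
    "filter" for Apache filters. "method" must equal the record's method (assumption)."""
    if "method" in section and record.get("method") != section["method"]:
        return False
    actual = str(record.get(section[key_field], ""))
    op, value = section["operator"], section["value"]
    if op == "is":
        return actual == value
    if op == "is_not":
        return actual != value
    if op == "match":
        return re.search(value, actual) is not None
    if op == "match_not":
        return re.search(value, actual) is None
    raise ValueError(f"unknown operator {op!r}")

def matching_actions(config_text, record, key_field):
    """(label, parameters) for every [label:EXPR] block whose EXPR is true."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    tests = {n: dict(cp[n]) for n in cp.sections() if ":" not in n}
    results = {n: run_test(s, record, key_field) for n, s in tests.items()}
    hits = []
    for name in cp.sections():
        if ":" in name:
            label, expr = name.split(":", 1)
            if evaluate(expr, results):
                hits.append((label, dict(cp[name])))
    return hits
```

Calling matching_actions(APACHE_FILTERS, {"method": "GET", "user_agent": "Dalvik/2.1.0", "uri": "/"}, "filter") yields the block_dalvik action with its 501 status, while the same client fetching /generate_204 yields nothing, which is exactly the split the filter is meant to make; for the scan rules, pass the query result row as the record and "attribute" as key_field.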
Dashboard Optimizations (statistics collection)
The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.
First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).
Make sure packetfence is stopped:
# service packetfence stop
Create an ext4 partition:
# mkfs.ext4 /dev/sdb
Then move the old databases to a backup point:
# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak
Mount your new disk and check that it is mounted:
# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
# mkdir /usr/local/pf/var/graphite
# mount -a
# df -h
Apply the proper user rights and restore your database from your backup:
# chown pf:pf /usr/local/pf/var/graphite
# cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/
Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:
# rm -fr /usr/local/pf/var/graphite.bak
Additional Information
For more information, please consult the mailing archives or post your questions to them. For details, see:
packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/ for details.
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools
pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments, pfcmd returns a basic help message with all main options:
Usage: pfcmd <command> [options]

Commands:
 cache                        | manage the cache subsystem
 checkup                      | perform a sanity checkup and report any problems
 class                        | view violation classes
 configfiles                  | push or pull configfiles into/from database
 configreload                 | reload the configution
 floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
 help                         | show help for pfcmd commands
 ifoctetshistorymac           | accounting history
 ifoctetshistoryswitch        | accounting history
 ifoctetshistoryuser          | accounting history
 import                       | bulk import of information into the database
 ipmachistory                 | IP/MAC history
 locationhistorymac           | Switch/Port history
 locationhistoryswitch        | Switch/Port history
 networkconfig                | query/modify network configuration parameters
 node                         | manipulate node entries
 pfconfig                     | interact with pfconfig
 portalprofileconfig          | query/modify portal profile configuration parameters
 reload                       | rebuild fingerprint or violations tables without restart
 service                      | start/stop/restart and get PF daemon status
 schedule                     | Nessus scan scheduling
 switchconfig                 | query/modify switches.conf configuration parameters
 version                      | output version information
 violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option
The node view option shows all information contained in the node database table for a specified MAC address:
# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:
Usage: pfcmd_vlan command [options]

 Command:
  -deauthenticate      de-authenticate a dot11 client
  -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias            show the description of the specified switch port
  -getAllMACs          show all MACS on all switch ports
  -getHubs             show switch ports with several MACs
  -getIfOperStatus     show the operational status of the specified switch port
  -getIfType           show the ifType on the specified switch port
  -getLocation         show at which switch port the MAC is found
  -getSwitchLocation   show SNMP location of specified switch
  -getMAC              show all MACs on the specified switch port
  -getType             show switch type
  -getUpLinks          show the upLinks of the specified switch
  -getVersion          show switch OS version
  -getVlan             show the VLAN on the specified switch port
  -getVlanType         show the VLAN type on the specified port
  -help                brief help message
  -isolate             set the switch port to the isolation VLAN
  -man                 full documentation
  -reAssignVlan        re-assign a switch port VLAN
  -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias            set the description of the specified switch port
  -setDefaultVlan      set the switch port to the default VLAN
  -setIfAdminStatus    set the admin status of the specified switch port
  -setVlan             set VLAN on the specified switch port
  -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

 Options:
  -alias               switch port description
  -ifAdminStatus       ifAdminStatus
  -ifIndex             switch port ifIndex
  -mac                 MAC address
  -showPF              show additional information available in PF
  -switch              switch description
  -verbose             log verbosity level
                         0 : fatal messages
                         1 : warn messages
                         2 : info messages
                         3 : debug
                         4 : trace
  -vlan                VLAN id
  -vlanName            VLAN name (as in switches.conf)
Chapter 3 - System Requirements
RedHat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)
Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.
Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.
Services start-up
PacketFence takes care of handling the operation of the following services:
Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)
Make sure that all the other services are automatically started by your operating system.
Installation
ThissectionwillguideyouthroughtheinstallationofPacketFencetogetherwithitsdependencies
OSInstallation
InstallyourdistributionwithminimalinstallationandnoadditionalpackagesThen
DisableFirewall DisableSELinux DisableAppArmor Disableresolvconf
Makesureyoursystemisuptodateandyouryumorapt-getdatabaseisupdatedOnaRHEL-basedsystemdo
yum update
OnaDebianorUbuntusystemdo
apt-get updateapt-get upgrade
RegardingSELinuxorAppArmoreven if these featuresmaybewantedbysomeorganizationsPacketFencewillnotrunproperlyifSELinuxorAppArmorareenabledYouwillneedtoexplicitlydisableSELinuxintheetcselinuxconfigfileandAppArmorwithupdate-rcd-fapparmorstopupdate-rcd-fapparmorteardownandupdate-rcd-fapparmorremoveRegardingresolvconfyoucanremovethesymlinktothatfileandsimplycreatetheetcresolvconffilewiththecontentyouwant
Red Hat-based systems
Note

Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.
RHEL 6.x
Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.
Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:
rhn-channel --add --channel=rhel-`uname -m`-server-optional-6
Debian

All the PacketFence dependencies are available through the official repositories.
Software Download
PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.
For Debian, PacketFence also provides package repositories.
These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:
- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade
Software Installation
RHEL / CentOS

In order to use the PacketFence repository:
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
yum install perl
yum install --enablerepo=packetfence packetfence
Once installed, the Web-based configuration interface will automatically be started. You can access it from https://<ip_of_packetfence>:1443/configurator.
Debian

For Debian 7:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list
For Debian 8:
In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:
echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list
Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:
sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence
Get off on the right foot
Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:
- Inline
- Out-of-band
- Hybrid
It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.
The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.
Technical introduction to Inline enforcement
Introduction
Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.
Device configuration
No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.
Access control
The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's mac address to go through it.
Limitations
Inline enforcement, because of its nature, has several limitations that one must be aware of.
- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class upper than B.
This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
Technical introduction to Out-of-band enforcement
Introduction
VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that doesn't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.
VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.
VLAN assignment techniques
Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.
The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).
In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.
MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fallback to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.
Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to setup the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.
On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).
The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.
1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence which creates user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
Web Auth mode

Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change of VLAN ID but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.
Port-security and SNMP

Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.
Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.
More on SNMP traps VLAN isolation
When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.
linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes. And every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.
MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.
Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.
If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
Technical introduction to Hybrid enforcement
Introduction
In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.
Device configuration
You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter is working like a trigger and you have the possibility to define different sorts of triggers:
ALWAYS, PORT, MAC, SSID
where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a mac address that will be put in inline enforcement technique rather than VLAN enforcement, and SSID an ssid name. An example:
SSID::GuestAccess,MAC::00:11:22:33:44:55
This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN or the inline VLAN if defined in switch configuration) and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
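As an added illustration (not PacketFence's own code), the following Python evaluates a trigger string in the format described above against a connecting node. The Connection record, the function names and the sample values are assumptions made for this example; the trigger items are treated as alternatives, as the GuestAccess/MAC example implies.

```python
"""Evaluate a PacketFence-style "Trigger to enable inline mode" string.

Added example, not PacketFence's own code. The grammar (ALWAYS / PORT /
MAC / SSID, "TYPE::value" items separated by commas) follows the text;
the Connection fields and the sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

KNOWN_TRIGGERS = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts 00-11-22-33-44-55 or 001122334455 too."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_trigger(trigger: str) -> list:
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into [(type, value), ...].

    ALWAYS carries no value; every other type must have one. Unknown types are
    rejected so a typo in the switch configuration cannot silently disable
    (or widen) inline enforcement.
    """
    items = []
    for raw in trigger.split(","):
        raw = raw.strip()
        if not raw:
            continue
        kind, sep, value = raw.partition("::")
        kind = kind.upper()
        if kind not in KNOWN_TRIGGERS:
            raise ValueError(f"unknown inline trigger type {kind!r}")
        if kind == "ALWAYS":
            items.append((kind, ""))
            continue
        if not sep or not value:
            raise ValueError(f"trigger {kind} needs a value")
        if kind == "MAC":
            value = normalize_mac(value)
        elif kind == "PORT":
            value = str(int(value))  # ifIndex is numeric
        items.append((kind, value))
    return items


@dataclass
class Connection:
    """What the NAS tells us about the connecting node (constructed record)."""
    mac: str
    ssid: Optional[str] = None        # None for a wired port
    if_index: Optional[int] = None    # None for wireless


def use_inline_enforcement(trigger: str, conn: Connection) -> bool:
    """True when any trigger item matches the node; otherwise VLAN enforcement applies."""
    mac = normalize_mac(conn.mac)
    for kind, value in parse_inline_trigger(trigger):
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and value == mac:
            return True
        if kind == "SSID" and conn.ssid is not None and value == conn.ssid:
            return True
        if kind == "PORT" and conn.if_index is not None and value == str(conn.if_index):
            return True
    return False


if __name__ == "__main__":
    trigger = "SSID::GuestAccess,MAC::00:11:22:33:44:55"  # the example from the text
    for conn in (Connection("aa:bb:cc:dd:ee:01", ssid="GuestAccess"),
                 Connection("00-11-22-33-44-55", ssid="Corporate"),
                 Connection("aa:bb:cc:dd:ee:02", ssid="Corporate")):
        mode = "inline" if use_inline_enforcement(trigger, conn) else "VLAN"
        print(f"{conn.mac} on {conn.ssid}: {mode} enforcement")
```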
Configuration
At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.
PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.
Once PacketFence is started, the administration interface is available at: https://<ip_of_packetfence>:1443
The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:
1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLAN, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.
5. test!
Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.
Roles Management
Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.
Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLAN or internal roles or ACL on equipment from the Configuration → Network → Switches module.
Authentication
PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:
- Active Directory
- Apache htpasswd file
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)
Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.
Each authentication source you define will have a set of rules, conditions and actions.
Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rules testing stops across all sources as this is a "first match wins" operation.
When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any users that match in the authentication source.
Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.
Example

Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.
Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:
- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then, we add a rule by clicking on the Add rule button and provide the following information:
- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
    - Set role: employee
    - Set unregistration date: January 1st, 2020
Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.
Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action, and set an access duration for 1 day.
If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:
- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123
Then, we add a rule:
- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
    - Set role: machineauth
    - Set unregistration date: January 1st, 2020
Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.
Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
External API authentication
PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.
Authentication

This should provide the information about whether or not the username/password combination is valid.
This information is available through the POST fields of the request.
The server should reply with two attributes in a JSON response:
- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed
Example JSON response:
{"result":1,"message":"Valid username and password"}
Authorization

This should provide the actions to apply on a user based on its attributes.
The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.
Sample JSON response; note that not all attributes are necessary, only send back what you need:
{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}
Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.
PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.
Here is a brief description of the fields:
- Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
SAML authentication
PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.
First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.
Then, transfer the certificate and CA certificate of the Identity provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.
Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.
Where:
- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source which can then be used here.
Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.
Configure your identity provider according to the generated metadata to complete the Trust between PacketFence and your Identity Provider.
In the case of SimpleSAMLPHP, the following configuration was used in metadata/saml20-sp-remote.php:
$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);
Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.
Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.
To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.
Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
Network Devices Definition (switches.conf)
This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.
PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.
The /usr/local/pf/conf/switches.conf configuration file contains a default section including:
- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)
and a switch section for each switch (managed by PacketFence) including:
- Switch IP/Mac/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)
Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload
Working modes

There are three different working modes for a switch in PacketFence:
- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
radiusSecret = secretPassPhrase
Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of authorization or Disconnect) as defined in RFC3576.
SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged, you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.
From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite
From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread
Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco Switch.
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security
Command-Line Interface: Telnet and SSH
Warning

Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).
PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:
cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =
It can also be done through the Web Administration Interface under Configuration → Switches.
Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:
wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd
It can also be done through the Web Administration Interface under Configuration → Switches.
Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.
PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).
The current format is the following:
Format: <role_name>Role=<controller_role>
And you assign it to the global roles parameter or the per-switch one. For example:
adminRole=full-access
engineeringRole=full-access
salesRole=little-access
would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
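To make the mapping concrete, here is an added Python example (not PacketFence code) that reads a switches.conf-style file and resolves a node's internal role to the controller role using the <rolename>Role=<controller_role> keys. The [default] and per-switch sections, the type value and the lookup order (per-switch key first, then the global one) are assumptions constructed for this illustration.

```python
"""
Resolve a node's internal PacketFence role to the role name a switch or
controller understands, using <rolename>Role=<controller_role> keys.

Added illustration, not PacketFence code: the switches.conf excerpt below is
constructed for this example, and the lookup order (per-switch section first,
then [default]) is an assumption about how the global and per-switch
parameters relate.
"""
import configparser

# Constructed switches.conf excerpt (not from a real deployment).
SWITCHES_CONF = """
[default]
adminRole=full-access
engineeringRole=full-access
salesRole=little-access

[192.168.0.10]
type=Cisco::Catalyst_2960
salesRole=sales-acl
"""


def load_switches_conf(text):
    # A throwaway default_section name keeps [default] an ordinary section,
    # so per-switch sections do not silently inherit its keys.
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__no_defaults__")
    parser.optionxform = str          # keys such as adminRole are case-sensitive
    parser.read_string(text)
    return parser


def role_mappings(section):
    """Return {internal_role: controller_role} from every '<name>Role' key in a section."""
    suffix = "Role"
    return {key[:-len(suffix)]: value
            for key, value in section.items()
            if key.endswith(suffix) and len(key) > len(suffix)}


def controller_role(conf, switch_ip, internal_role):
    """Map an internal role to the controller role: per-switch key first, then [default]."""
    if conf.has_section(switch_ip):
        per_switch = role_mappings(conf[switch_ip])
        if internal_role in per_switch:
            return per_switch[internal_role]
    return role_mappings(conf["default"]).get(internal_role)


if __name__ == "__main__":
    conf = load_switches_conf(SWITCHES_CONF)
    for switch, role in (("192.168.0.10", "sales"), ("10.0.0.1", "sales"), ("10.0.0.1", "guest")):
        print(switch, role, "->", controller_role(conf, switch, role))
```

A role with no mapping resolves to None, which is the case the Caution above warns about: the controller would receive nothing usable, so every internal role in use needs a mapping on the device side before it is assigned.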
Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server who hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.

When configured, portal profiles will override default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.
Example with the most common ones:

SSID: Guest-SSID
VLAN: 100
SwitchPort: <SwitchId>-<Port>
Network: Network in CIDR format or an IP address

Caution: Node role will take effect only with an 802.1X connection or if you use VLAN filters.
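An added Python example (not PacketFence's own profile selection code) showing how the SSID, VLAN, SwitchPort and Network filters listed above pick a profile for a connecting client. The profiles.conf excerpt, the client records and the Type:Value filter syntax taken from the example list are constructed for this illustration; the rule that the first matching non-default profile wins and everything else falls back to default is an assumption.

```python
"""
Select the portal profile whose filter matches a connecting client, for the
SSID, VLAN, SwitchPort and Network filter types shown in the guide.

Added illustration, not PacketFence's matching engine: the profiles.conf
excerpt and client records are constructed, and "first matching non-default
profile wins, otherwise default" is an assumption for this example.
"""
import configparser
import ipaddress

# Constructed profiles.conf excerpt (not from a real deployment).
PROFILES_CONF = """
[default]
description=Default portal profile
filter=

[guests]
description=Guest wireless portal
filter=SSID:Guest-SSID
sources=email,sms

[printers]
description=Printer VLAN portal
filter=VLAN:100

[lobby]
description=Lobby switch port
filter=SwitchPort:192.168.0.10-Gi1/0/12

[branch]
description=Branch office subnet
filter=Network:10.20.0.0/16
"""


def load_profiles(text):
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__no_defaults__")
    parser.optionxform = str
    parser.read_string(text)
    return parser


def parse_filter(value):
    """Split 'Type:Value' into (type, value); an empty filter matches nothing."""
    if not value:
        return None
    kind, _, arg = value.partition(":")
    return kind.strip(), arg.strip()


def filter_matches(kind, arg, client):
    """Evaluate one filter against a client record built from the RADIUS/SNMP context."""
    if kind == "SSID":
        return client.get("ssid") == arg
    if kind == "VLAN":
        return str(client.get("vlan")) == arg
    if kind == "SwitchPort":
        return "%s-%s" % (client.get("switch_ip"), client.get("port")) == arg
    if kind == "Network":
        # The argument is either a CIDR network or a single IP address.
        ip = client.get("ip")
        if not ip:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    return False          # filter types not modelled here never match


def select_profile(profiles, client):
    """Return the first non-default profile whose filter matches, else 'default'."""
    for name in profiles.sections():
        if name == "default":
            continue
        parsed = parse_filter(profiles[name].get("filter", ""))
        if parsed and filter_matches(parsed[0], parsed[1], client):
            return name
    return "default"


if __name__ == "__main__":
    profiles = load_profiles(PROFILES_CONF)
    visitor = {"ssid": "Guest-SSID", "vlan": 200, "switch_ip": "192.168.0.10",
               "port": "Gi1/0/1", "ip": "192.168.5.5"}
    print(select_profile(profiles, visitor))
```

Because the first match wins, the order of the sections matters when a client could satisfy several filters (a device on VLAN 100 that also associates to Guest-SSID lands on the guests profile here); keep the most specific profiles first and the catch-all behaviour in default.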
PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface
httpd.portal is used to manage the PacketFence captive portal interface
httpd.webservices is used to manage the PacketFence web services interface
httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.
Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.
Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.
Workgroup is the workgroup of your domain in the old syntax (like NT4).
DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
This server's name is the name that the server's account will have in your Active Directory.
DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
Username is the username that will be used for binding to the server. This account must be a domain administrator.
Password is the password for the username defined above.
Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.
Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.
Realm options are any realm options that you want to add to the FreeRADIUS configuration.
Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:
Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL / CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS / RHEL:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS / RHEL:
[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:
service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS / RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf
ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.
ldap openldap {
    server = "ldap.acme.com"
    identity = "uid=admin,dc=acme,dc=com"
    password = password
    basedn = "dc=district,dc=acme,dc=com"
    filter = "(uid=%{mschap:User-Name})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.
Note: This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound) {
                # Don't check activation table with phone number and PIN code
                #pfsms   <--- This line was commented out
                if (fail || notfound) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.
Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
    # Disable ntlm_auth
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
}

Caution: You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.
Note: When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

Billing: Allows to define a module based on one or more billing sources.
Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.
Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).
Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields if applicable.
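As an added illustration of the module types described above (not PacketFence's portal engine), the following Python model sequences Root, Chained, Choice, Authentication and Message modules and records which steps a visitor completes before being released. The module identifiers reuse the names from the examples in this section (my_first_root_module, chained_oauth_sms, default_oauth_policy, sms, hello_world); the classes, the scripted visitor and the returned step list are constructed for this example.

```python
"""
Model of how Root, Chained, Choice, Authentication and Message portal modules
are sequenced: Chained requires every child in order, Choice requires exactly
one, and Root releases the visitor once all of its children are complete.

Added illustration, not PacketFence code: module names come from the guide's
examples, but the classes, the scripted visitor and the step list are
constructed for this example.
"""


class Module:
    def __init__(self, name):
        self.name = name

    def run(self, user, steps):
        """Return True when the visitor has completed this module."""
        raise NotImplementedError


class Authentication(Module):
    """Leaf module: completes once the visitor supplies its mandatory fields."""
    def __init__(self, name, source, mandatory_fields=()):
        super().__init__(name)
        self.source = source
        self.mandatory_fields = tuple(mandatory_fields)

    def run(self, user, steps):
        fields = user.fill(self.source, self.mandatory_fields)
        if any(not fields.get(f) for f in self.mandatory_fields):
            return False                      # visitor is held on this module
        steps.append("%s(%s)" % (self.name, self.source))
        return True


class Message(Module):
    """Displays text to the visitor; always completes."""
    def __init__(self, name, text):
        super().__init__(name)
        self.text = text

    def run(self, user, steps):
        steps.append("%s:%s" % (self.name, self.text))
        return True


class Chained(Module):
    """Every child must be completed, in the order they are defined."""
    def __init__(self, name, modules):
        super().__init__(name)
        self.modules = list(modules)

    def run(self, user, steps):
        # all() stops at the first incomplete child, so later ones are not reached.
        return all(m.run(user, steps) for m in self.modules)


class Choice(Module):
    """The visitor picks one child; completing it completes the choice."""
    def __init__(self, name, modules):
        super().__init__(name)
        self.modules = list(modules)

    def run(self, user, steps):
        chosen = user.choose(self.name, [m.name for m in self.modules])
        for m in self.modules:
            if m.name == chosen:
                return m.run(user, steps)
        return False


class Root(Chained):
    """Container that releases the visitor on the network once every child is done."""
    def run(self, user, steps):
        released = super().run(user, steps)
        if released:
            steps.append("released")
        return released


class ScriptedUser:
    """Stand-in for a real visitor: answers choices and fills fields from a script."""
    def __init__(self, choices, fields):
        self.choices = choices      # {choice_module_name: chosen_child_name}
        self.fields = fields        # {source_name: {field: value}}

    def choose(self, module_name, options):
        return self.choices.get(module_name, options[0])

    def fill(self, source, wanted):
        return self.fields.get(source, {})


def build_example_flow():
    """my_first_root_module -> chained_oauth_sms (OAuth, then SMS) -> hello_world."""
    oauth = Choice("default_oauth_policy",
                   [Authentication("github", "github"), Authentication("google", "google")])
    sms = Authentication("sms", "sms", mandatory_fields=("phone",))
    chained = Chained("chained_oauth_sms", [oauth, sms])
    hello = Message("hello_world", "Hello World !")
    return Root("my_first_root_module", [chained, hello])


def walk_portal(root, user):
    """Run the visitor through the flow and return the ordered list of completed steps."""
    steps = []
    root.run(user, steps)
    return steps


if __name__ == "__main__":
    visitor = ScriptedUser({"default_oauth_policy": "google"},
                           {"google": {}, "sms": {"phone": "+1-555-0100"}})
    print(walk_portal(build_example_flow(), visitor))
```

A visitor who authenticates with OAuth but never supplies the phone number stays held on the sms module and is not released, which is the behaviour the Chained description above promises: every module in the chain, in order, before the Root lets the device through.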
Examples

This section will contain the following examples:

Prompting for fields without authentication
Prompting additional fields during the authentication
Chained authentication
Mixing login and Secure SSID on-boarding on the portal
Displaying a message to the user after the registration
Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then submitting this information will assign you the role and access duration that you defined in the null source.
Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note: Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.
Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.

Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.
Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID on-boarding. Refer to section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck Skippable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.
Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

Hello World ! <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.
e.g. pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).
Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.
You can see the default_guest_policy and default_oauth_policy for examples of this module.
Chapter 10

Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log: PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access: Apache - Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error: Apache - Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access: Apache - Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error: Apache - Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access: Apache - Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error: Apache - Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access: Apache - AAA Access Log
/usr/local/pf/logs/httpd.aaa.error: Apache - AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct
Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf
b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.
Chapter 11

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switch port.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.
Note: Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. The multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch, which will be the untagged VLAN.

Note: Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned on the registration VLAN).
Chapter 12

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface, under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.
Chapter12
Copyrightcopy2016Inverseinc Advancedtopics 57
AfteryousimplyneedtoaddtheAndroidandiOSprovisionerstoyourPortalProfileconfiguration
ForAndroidyoumustallowpassthroughsinyourpfconfconfigurationfile
[trapping]passthrough=enabledpassthroughs=ggphtcomgoogleusercontentcomandroidclientsgooglecomgoogleapiscomandroidclientsgooglecomgvt1com
ProfilegenerationUponregistrationinsteadofshowingthedefaultreleasepagetheuserwillbeshowinganotherversionofthepagesayingthatthewirelessprofilehasbeengeneratedwithaclickablelinkonitToinstalltheprofileAppleuserownersimplyneedtoclickonthatlinkandfollowtheinstructionsontheirdeviceAndroiduserownersimplyclicktothelinkandwillbeforwardedtoGooglePlaytoinstallPacketFenceagentSimply launchtheapplicationandclicktoconfigurewillcreatethesecureSSIDprofileItisthatsimple
Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source
First, select a billing provider and follow the instructions below.

Paypal

Note
This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.
Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or login into your existing account.

Then in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Login into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.
Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.
Caution
The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.
Where:

- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First go on https://dashboard.stripe.com, create an account and login.

Next, on the top right, click Your account then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.
Configuring PacketFence

Now in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.
Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for use in the PacketFence configuration.

Then login into your new account.

Then under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.
Now enter a secret that will be shared between authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.
Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed

Adding billing tiers
Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.
Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note
If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.
Subscription based registration
PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.
Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe
As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests to a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.
Then in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
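The checks below are an added example written for this guide, not PacketFence code. They cover the two points made in this section: that each Stripe plan's ID, amount and currency must match the PacketFence billing tier and source, and that a subscription cancellation arriving through the webhook must lead to the device being unregistered. The billing tier file, the plan objects, the webhook event and the customer-to-MAC mapping are constructed stand-ins (the advanced tier is given its own name here).

```python
import configparser
from decimal import Decimal

# Constructed copy of the two billing tiers from this section.
BILLING_TIERS = """\
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=Click here if you want more
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed plan objects shaped like what the Stripe dashboard shows:
# id, amount in the currency's minor unit, currency, billing interval.
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 999, "currency": "usd", "interval": "month"},
]


def load_tiers(ini_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return {section: dict(cp[section]) for section in cp.sections()}


def minor_units(price):
    """'3.99' -> 399, via Decimal so binary float rounding cannot creep in."""
    return int((Decimal(price) * 100).to_integral_value())


def check_plans(tiers, plans, source_currency):
    """Return the list of mismatches between PacketFence tiers and Stripe plans."""
    problems = []
    by_id = {p["id"]: p for p in plans}
    for tier_id, tier in tiers.items():
        plan = by_id.get(tier_id)
        if plan is None:
            problems.append("%s: no Stripe plan with this ID" % tier_id)
            continue
        expected = minor_units(tier["price"])
        if plan["amount"] != expected:
            problems.append("%s: Stripe amount %d != tier price %d (minor units)"
                            % (tier_id, plan["amount"], expected))
        if plan["currency"].lower() != source_currency.lower():
            problems.append("%s: Stripe currency %s != source currency %s"
                            % (tier_id, plan["currency"], source_currency))
    return problems


def handle_stripe_event(event, customer_to_mac, registered):
    """Process one webhook event; return the MAC that was unregistered, or None.

    'registered' is a set of MACs standing in for PacketFence's node table and
    'customer_to_mac' for the link PacketFence keeps between a Stripe customer
    and the device that bought the subscription (both constructed here).
    """
    if event.get("type") != "customer.subscription.deleted":
        return None
    customer = event["data"]["object"]["customer"]
    mac = customer_to_mac.get(customer)
    if mac in registered:
        registered.discard(mac)
        return mac
    return None
```

Run check_plans once when you create or edit a plan; a non-empty list means the portal will show one price and Stripe will charge another, which is exactly the kind of drift that only surfaces in a customer complaint.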
Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.
Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate visiting users from other institutions locally, as well as to let other institutions authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:
client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}
client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either in the DOMAIN\username or in the username@suffix form.

- If none is found, the REALM is NULL.
- If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.
- If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
- If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).
The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:
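As an added example (not FreeRADIUS or PacketFence code), the Python function below reproduces the realm decision described above for a single User-Name: ntdomain first, then suffix, then a lookup among the locally handled realms, falling back to DEFAULT with the eduroam pool and no stripping. The optional Called-Station-Id check mirrors the commented-out block in the authorize section of the packetfence virtual server shown further on. Case-insensitive realm comparison is an assumption of this example.

```python
import re

# Realms that proxy.conf declares without an auth_pool: handled locally by FreeRADIUS.
LOCAL_REALMS = ("NULL", "EXAMPLE", "example.edu")
EDUROAM_POOL = "eduroam"  # the home_server_pool that realm DEFAULT points at


def select_realm(user_name, called_station_id=None, block_on_other_ssids=False):
    """Mimic ntdomain -> suffix -> realm lookup -> DEFAULT for one Access-Request.

    Returns the chosen realm, the Stripped-User-Name a local realm would see,
    the pool the request is proxied to (None means handled locally) and whether
    the optional SSID rule forced local handling.
    """
    domain, stripped = None, user_name
    if "\\" in user_name:                        # ntdomain: DOMAIN\user
        domain, stripped = user_name.split("\\", 1)
    elif "@" in user_name:                       # suffix: user@domain
        stripped, domain = user_name.rsplit("@", 1)

    if domain is None:
        return {"realm": "NULL", "stripped_user": user_name,
                "proxy_pool": None, "forced_local": False}

    for realm in LOCAL_REALMS:
        # assumption: realm names compare case-insensitively
        if realm.lower() == domain.lower():
            return {"realm": realm, "stripped_user": stripped,
                    "proxy_pool": None, "forced_local": False}

    # Any other domain falls into realm DEFAULT; nostrip keeps User-Name intact.
    decision = {"realm": "DEFAULT", "stripped_user": user_name,
                "proxy_pool": EDUROAM_POOL, "forced_local": False}
    if (block_on_other_ssids and called_station_id is not None
            and not re.search(r"eduroam$", called_station_id, re.IGNORECASE)):
        # The commented-out authorize block: when the SSID is not eduroam, force
        # local handling so a visiting eduroam user cannot ride on your other SSIDs.
        decision["proxy_pool"] = None
        decision["forced_local"] = True
    return decision


if __name__ == "__main__":
    # constructed sample identities
    for name in ("bob", "EXAMPLE\\bob", "bob@example.edu", "alice@other.ac.uk"):
        print(name, select_realm(name))
```

Note what the DEFAULT branch implies operationally: a typo in a local user's suffix (bob@exmaple.edu) is not rejected locally, it is proxied to eduroam, so keep an eye on proxied requests whose realm you expected to be local.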
authorize {
    # pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess

    # uncomment this section if you want to block eduroam users from your other SSIDs.
    # The attribute name (Called-Station-Id) may differ based on your controller.
    #if ( Called-Station-Id !~ /eduroam$/i ) {
    #    update control {
    #        Proxy-To-Realm := local
    #    }
    #}

    eap {
        ok = return
    }
    files
    expiration
    logintime
    packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence where it will fail, since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

post-auth {
    exec
    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:
# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}

# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding
To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database
Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT being modified during this process.
Submit unknown data
Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation
By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries
It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream (or both) entries to allow identification of a device.

Settings
Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution
Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).
A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works
Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is multi-vlan, these are the Vlans that have to be tagged on the port.
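The Python model below is an added example, not PacketFence code: it loads a constructed conf/floating_network_device.conf in the form just described and applies the two trap handlers of the How it works section to a per-port configuration, so the before and after state of a port can be checked. Port and MAC values are constructed.

```python
import configparser
import copy
from dataclasses import dataclass

# Constructed conf/floating_network_device.conf: one section per device MAC.
FLOATING_CONF = """\
[00:11:22:33:44:55]
ip=10.0.0.50
trunkPort=yes
pvid=10
taggedVlan=20,30
"""


@dataclass
class FloatingDevice:
    mac: str
    trunk_port: bool
    pvid: int
    tagged_vlans: tuple


@dataclass
class PortConfig:
    port_security: bool = True     # switches in this setup run port-security by default
    linkdown_traps: bool = False   # only port-security traps are enabled normally
    pvid: int = 1
    trunk: bool = False
    tagged_vlans: tuple = ()


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def load_floating_devices(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep trunkPort / taggedVlan spelled as in the file
    cp.read_string(text)
    devices = {}
    for mac in cp.sections():
        section = cp[mac]
        tagged = tuple(int(v) for v in section.get("taggedVlan", "").split(",") if v.strip())
        devices[normalize_mac(mac)] = FloatingDevice(
            mac=normalize_mac(mac),
            trunk_port=section.get("trunkPort", "no").lower() == "yes",
            pvid=int(section["pvid"]),
            tagged_vlans=tagged,
        )
    return devices


class SwitchPorts:
    """Per-port configuration plus the two trap handlers described above."""

    def __init__(self, floating):
        self.floating = floating
        self.ports = {}   # port -> PortConfig currently applied
        self.saved = {}   # port -> PortConfig from before a floating device was plugged

    def config(self, port):
        return self.ports.setdefault(port, PortConfig())

    def on_port_security_trap(self, port, mac):
        dev = self.floating.get(normalize_mac(mac))
        if dev is None:
            return "regular"  # a normal node: the usual VLAN assignment applies
        cfg = self.config(port)
        self.saved[port] = copy.deepcopy(cfg)
        cfg.port_security = False
        cfg.pvid = dev.pvid
        if dev.trunk_port:
            cfg.trunk = True
            cfg.tagged_vlans = dev.tagged_vlans
        cfg.linkdown_traps = True
        return "floating"

    def on_linkdown_trap(self, port):
        if port not in self.saved:
            return False  # linkdown traps are only enabled on floating-device ports
        restored = self.saved.pop(port)
        restored.port_security = True
        restored.linkdown_traps = False
        self.ports[port] = restored
        return True
```

The saved copy is what makes "reconfigure the port like before" auditable: if a port ever ends up with port-security disabled and no saved entry, something other than this sequence changed it.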
OAuth2 Authentication

Note: OAuth2 authentication does not work with Webauth enforcement.

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.
Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.
You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.
Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback
Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a WindowsLive OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add WindowsLive as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough
Add a new FQDN (should be a wildcard domain, like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and, when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
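The Python function below is an added example (not pfdns's code) of the decision described in this section: a DNS-based passthrough answers the real address and wins over a proxy passthrough for the same name, a proxy passthrough answers the captive portal address, and every other name stays trapped. The wildcard semantics (apex plus all subdomains) and the IP values are assumptions of this example.

```python
def domain_matches(fqdn, pattern):
    """'*.google.com' matches google.com and every name under it; a plain name matches exactly.

    These wildcard semantics are this example's own assumption.
    """
    fqdn, pattern = fqdn.rstrip(".").lower(), pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return fqdn == base or fqdn.endswith("." + base)
    return fqdn == pattern


def answer_for_trapped_device(fqdn, passthroughs, proxy_passthroughs, real_ip, portal_ip):
    """Decide what a trapped device is told for a DNS query: (ip_answered, mechanism)."""
    if any(domain_matches(fqdn, p) for p in passthroughs):
        # real answer plus an iptables hole; DNS-based passthroughs take priority
        return (real_ip, "dns-passthrough")
    if any(domain_matches(fqdn, p) for p in proxy_passthroughs):
        # portal address; Apache mod_proxy forwards the request to the real site
        return (portal_ip, "mod_proxy")
    return (portal_ip, "captive-portal")


if __name__ == "__main__":
    # constructed lists and addresses
    dns_list, proxy_list = ["*.google.com"], ["*.example.org", "*.google.com"]
    for name in ("maps.google.com", "www.example.org", "notgoogle.com"):
        print(name, answer_for_trapped_device(name, dns_list, proxy_list,
                                              "203.0.113.10", "192.168.2.1"))
```

The notgoogle.com case is why the suffix check includes the leading dot: a bare endswith("google.com") would open a hole for an unrelated domain.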
Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses to IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and the inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design, otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.
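The parser below is an added example, not pfdhcplistener's code. It extracts from a DHCP datagram payload what a listener fundamentally needs (client hardware address, assigned address, message type, lease time) and only turns a packet into a MAC-to-IP binding when the packet is a server DHCPACK, since an offer or a request does not prove that the address was actually handed out. The packet builder constructs sample datagrams so the script runs offline; the MAC, IP and transaction id are constructed values.

```python
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPACK = 1, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_options(buf):
    """Decode the TLV option area into {code: raw_bytes}; tolerates pad bytes."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:        # pad
            i += 1
            continue
        if code == 255:      # end
            break
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(data):
    """Return the fields a DHCP listener needs from one datagram payload, or None."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        return None
    op, htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    if htype != 1 or hlen != 6:   # only Ethernet hardware addresses are handled here
        return None
    mac = ":".join("%02x" % b for b in data[28:28 + hlen])
    yiaddr = str(ipaddress.IPv4Address(data[16:20]))
    opts = parse_options(data[240:])
    msg_type = opts[53][0] if 53 in opts else None
    lease = struct.unpack("!I", opts[51])[0] if 51 in opts else None
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr,
            "type": msg_type, "lease": lease}


def lease_from_ack(data):
    """A MAC-to-IP binding is only recorded once the server ACKs it."""
    pkt = parse_dhcp(data)
    if pkt is None or pkt["op"] != BOOTREPLY or pkt["type"] != DHCPACK:
        return None
    return (pkt["mac"], pkt["yiaddr"], pkt["lease"])


def build_packet(op, msg_type, mac, yiaddr="0.0.0.0", lease=None, xid=0x3903F326):
    """Construct a minimal but well-formed DHCP packet for offline testing."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                         b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    if lease is not None:
        options += bytes([51, 4]) + struct.pack("!I", lease)
    return header + MAGIC_COOKIE + options + b"\xff"


if __name__ == "__main__":
    ack = build_packet(BOOTREPLY, DHCPACK, "00:11:22:33:44:55", "10.0.101.42", lease=3600)
    print(lease_from_ack(ack))
```

Feeding this the UDP payload from a mirror port or an ip helper-address copy is enough to reproduce the MAC-to-IP table; in practice you also want to expire bindings at the lease time and watch for two MACs acknowledged for one address.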
Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VL
ANs, then restart PacketFence.

Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.
Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.
Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
Note
PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

  ip access-list extended PF_REGISTRATION
   permit ip any host 192.168.2.1
   permit udp any any eq 67
   deny ip any any log
  interface vlan 20
   ip address 192.168.20.254 255.255.255.0
   ip helper-address 192.168.2.1
   ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
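The following Python script is an added example, not part of PacketFence, that puts the checks above into code: it reads [interface] blocks and networks.conf sections in the formats shown in this section, flags remote networks whose dns does not point at a PacketFence internal interface (the condition the ACL relies on) or whose gateway or DHCP range falls outside the subnet, and renders the edge ACL for a given VLAN id. The configuration is constructed, with the isolation network deliberately pointing dns at an external resolver; the VLAN id is an argument because networks.conf does not carry it.

```python
import configparser
import ipaddress

# Constructed pf.conf excerpt: the internal interfaces on which dhcpd listens.
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

# Constructed networks.conf excerpt: two remote networks; the isolation one
# deliberately points dns at an external resolver so the audit has something to flag.
NETWORKS_CONF = """
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
dns=8.8.8.8
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
type=vlan-isolation
"""


def _read(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def internal_ips(pf_conf_text):
    """IPs of every [interface ...] block with type=internal."""
    cp = _read(pf_conf_text)
    return {cp[s]["ip"] for s in cp.sections()
            if s.startswith("interface ") and cp[s].get("type") == "internal"}


def audit_network(name, sec, internal):
    """Return the problems found in one remote networks.conf section (empty list if clean)."""
    problems = []
    net = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
    if ipaddress.ip_address(sec["gateway"]) not in net:
        problems.append("gateway is outside the subnet")
    if sec.get("dns") not in internal:
        # Portal redirection relies on clients resolving names through PacketFence.
        problems.append("dns is not a PacketFence internal interface; clients would bypass the portal")
    start = ipaddress.ip_address(sec["dhcp_start"])
    end = ipaddress.ip_address(sec["dhcp_end"])
    if start not in net or end not in net or start > end:
        problems.append("dhcp_start/dhcp_end do not form a range inside the subnet")
    return problems


def audit(networks_text, pf_conf_text):
    """Map each remote network (one with a next_hop) to its list of problems."""
    internal = internal_ips(pf_conf_text)
    cp = _read(networks_text)
    return {name: audit_network(name, dict(cp[name]), internal)
            for name in cp.sections() if cp[name].get("next_hop")}


def render_acl(networks_text, name, vlan_id):
    """Render the Cisco-style ACL and SVI stanza from the guide for one remote network.

    The guide points both DNS and the DHCP helper-address at the PacketFence
    internal interface serving that network type, so both use the dns value.
    """
    sec = dict(_read(networks_text)[name])
    acl = "PF_" + sec["type"].split("-", 1)[1].upper()   # vlan-registration -> PF_REGISTRATION
    return "\n".join([
        f"ip access-list extended {acl}",
        f" permit ip any host {sec['dns']}",   # portal, DNS and DHCP all live on this IP
        " permit udp any any eq 67",          # DHCP broadcasts from clients
        " deny ip any any log",               # everything else is dropped and logged
        f"interface vlan {vlan_id}",
        f" ip address {sec['gateway']} {sec['netmask']}",
        f" ip helper-address {sec['dns']}",
        f" ip access-group {acl} in",
    ])
```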
Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

  soh = yes
  soh-virtual-server = soh-server

Restart the RADIUS service afterward.
On the client side, to enable SoH for EAP, do the following (Windows 7 example):

  rem enable and start the NAP agent
  sc config napagent start= auto
  sc start napagent

  rem Wired 802.1X: make the wired autoconfig service depend on the NAP agent
  sc config dot3svc start= auto depend= napagent
  sc start dot3svc

  netsh nap client show config

  rem get the ID value for the EAP Quarantine Enforcement Client from the output above
  netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.
First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

  [4000001]
  desc=No anti-virus enabled
  url=/remediation.php
  template=noantivirus
  actions=reevaluate_access,email,log
  enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.
VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

  ViolationRole
  RegistrationRole
  RegisteredRole
  InlineRole
  AutoRegister
  NodeInfoForAutoReg

And can be defined using different criteria like:
  node_info.attribute (like node_info.status)
  switch
  ifIndex
  mac
  connection_type
  username
  ssid
  time
  owner.attribute (like owner.pid)
  radius_request.attribute (like radius_request.Calling-Station-Id)
For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

  [category]
  filter = node_info.category
  operator = is
  value = default

  [ssid]
  filter = ssid
  operator = is
  value = SECURE

  [time]
  filter = time
  operator = is
  value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

  [1:category&ssid&time]
  scope = RegisteredRole
  role = nointernet
The second example will create a violation if the SSID is OPEN and the owner is igmout:

  [igmout]
  filter = owner.pid
  operator = is
  value = igmout

  [open]
  filter = ssid
  operator = is
  value = OPEN

  [2:igmout&open]
  scope = RegisteredRole
  action = trigger_violation
  action_param = mac = $mac, tid = 1100012, type = INTERNAL
The third example will auto-register the device and assign the role staff to each device where the username is igmout:

  [igmout]
  filter = username
  operator = is
  value = igmout

  [secure]
  filter = ssid
  operator = is
  value = SECURE

  [3:igmout&secure]
  scope = AutoRegister
  role = staff

  [4:igmout&secure]
  scope = NodeInfoForAutoReg
  role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

  returnRadiusAccessAccept

And can be defined using different criteria like:
  node_info.attribute (like node_info.$attribute)
  switch
  ifIndex
  mac
  connection_type
  username
  ssid
  time
  owner.attribute (like owner.$attribute)
  radius_request.attribute (like radius_request.$attribute)
  violation
  user_role
  vlan
For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

  [violation]
  filter = violation
  operator = defined

  [etherneteap]
  filter = connection_type
  operator = is
  value = Ethernet-EAP

  [1:etherneteap&!violation]
  merge_answer = no
  scope = returnRadiusAccessAccept

In this other example we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

  [1:etherneteap&!violation]
  merge_answer = yes
  scope = returnRadiusAccessAccept
  answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep?session_id=$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (core switch, firewall, router…).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note

If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.
Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).
So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.
Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.
Snort
Installation
The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

  yum install snort
Configuration
PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.
Suricata
Installation
Since the suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_5
Note

To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5
Configuration

Depending on whether or not Suricata is running on the PacketFence server, the configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, the Suricata configuration will have to be handled separately, which is not the purpose of the present guide.
OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, it might be an idea to do so):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

  # PacketFence OPSWAT Metadefender Cloud integration
  # This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
  source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
  # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
  destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
  # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
  log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:
  service syslog-ng restart
On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

  $ModLoad imudp
  $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of the Suricata MD5 file store log entries:

  if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
  & ~

Make sure the receiving alert pipe (FIFO) exists:

  mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

  service rsyslog restart
At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

  Type: suricata_http
  Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

  Type: metascan
  Trigger ID: the scan result returned by Metadefender Cloud online

  Type: suricata_md5
  Trigger ID: the MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation
Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

  # PacketFence IDS integration
  # This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
  source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
  # This line filters on the string "Alert Received"
  filter f_sguil { match("Alert Received"); };
  # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
  destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
  # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
  log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

  service syslog-ng restart
On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

  $ModLoad imudp
  $UDPServerRun 514
Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of the Security Onion sguild log entries:

  if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
  & ~

Make sure the receiving alert pipe (FIFO) exists:

  mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

  service rsyslog restart
At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

  Type: security_onion
  Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

  Type: detect
  Trigger ID: the IDS triggered rule ID

  Type: suricata_event
  Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.
Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.
Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using MAC OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.
Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After that, he will not be able to release the violation, and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.
Compliance Checks

PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note

You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.
For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.
WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

  Name: the name of your scan engine
  Roles: only devices with these role(s) will be affected (Optional)
  OS: only devices with this Operating System will be affected (Optional)
  Duration: approximate duration of the scan (progress bar on the captive portal)
  Scan before registration: trigger the scan when the device appears on the registration vlan
  Scan after registration: trigger the scan just after registration on the captive portal
  Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic)
  802.1x: even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
  802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

  Hostname or IP Address: hostname or IP address where Nessus is running
  Username: username to connect to the Nessus scan
  Password: password to connect to the Nessus scan
  Port of the service: port to connect to (default 8834)
  Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

  Hostname or IP Address: hostname or IP address where OpenVAS is running
  Username: username to connect to the OpenVAS scan
  Password: password to connect to the OpenVAS scan
  Port of the service: port to connect to (default 9390)
  OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server
Specific to WMI:

  Username: a username from Active Directory that is allowed to connect to WMI
  Domain: domain of the Active Directory
  Password: password of the account
  WMI Rules: ordered list of WMI rules you defined in Configuration -> WMI Rules Definition
WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

  Software_Installed
  logged_user
  Process_Running

Let's take the Software_Installed rule:

  request: select * from Win32_Product

Rules Actions:

  [Google]
  attribute = Caption
  operator = match
  value = Google

  [1:Google]
  action = trigger_violation
  action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

  request: select UserName from Win32_ComputerSystem
Rules Actions:

  [UserName]
  attribute = UserName
  operator = match
  value = (.*)

  [1:UserName]
  action = dynamic_register_node
  action_param = mac = $mac, username = $result->UserName

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

  request: select Name from Win32_Process

Rules Actions:

  [explorer]
  attribute = Name
  operator = match
  value = explorer.exe

  [1:explorer]
  action = allow

This rule will do the following:

retrieve all the running processes on the device, and if one matches explorer.exe, then we bypass the scan.
Rules syntax

The syntax of the rules is simple to understand:

- the request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.
- Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).
- The test block is a simple test based on the result of the request:
  - attribute is the attribute you want to test
  - operator can be is, is_not, match, match_not
  - value is the value you want to compare
- Feel free to define multiple test blocks.
- The action block is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and explorer is true, then we execute the action. The logic can be more complex and can be something like this: [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
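As an added example (not PacketFence code), here is a Python evaluator for the test/action block syntax shared by the VLAN filter, RADIUS filter and WMI rule sections above: test blocks with an attribute (or filter), an operator (is, is_not, match, match_not, defined) and a value, and action blocks named [N:expr] that combine tests with &, |, ! and parentheses. The rule set and the Win32_Product rows are constructed; treating a test as true when any returned row satisfies it is this example's assumption, not a statement about how PacketFence evaluates WMI results.

```python
import configparser
import re

# Constructed WMI-style rule set, applied to rows from "select * from Win32_Product".
WMI_RULES = """
[Google]
attribute = Caption
operator = match
value = Google
[Office]
attribute = Caption
operator = match
value = Office
[Adobe]
attribute = Caption
operator = match
value = Adobe
[1:Google&!Adobe]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
[2:!Google|(Office&Adobe)]
action = allow
"""
# Constructed query result: one dict per returned row.
SOFTWARE_ROWS = [{"Caption": "Google Chrome"}, {"Caption": "Microsoft Office 2013"}]
TOKEN = re.compile(r"\s*(?:([A-Za-z0-9_.-]+)|([&|!()]))")


def parse_rules(text):
    """Split sections into test blocks and ordered (id, expression, settings) action blocks."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    tests, actions = {}, []
    for name in cp.sections():
        if ":" in name:                               # [1:expr] names an action block
            rule_id, expr = name.split(":", 1)
            actions.append((rule_id, expr, dict(cp[name])))
        else:
            tests[name] = dict(cp[name])
    return tests, actions


def run_test(test, rows):
    """Apply one test block; it holds if any row satisfies it (this example's assumption)."""
    key = test.get("attribute") or test.get("filter")   # WMI rules say attribute, filters say filter
    values = [str(r[key]) for r in rows if r.get(key) not in (None, "")]
    op, want = test["operator"], test.get("value", "")
    if op == "defined":
        return bool(values)
    matched = any(v == want if op in ("is", "is_not") else re.search(want, v) for v in values)
    if op in ("is", "match"):
        return matched
    if op in ("is_not", "match_not"):
        return not matched
    raise ValueError(f"unknown operator {op!r}")


def evaluate_expr(expr, truth):
    """Evaluate an action-block expression such as '!google|(explorer&memory)'."""
    toks = [a or b for a, b in TOKEN.findall(expr)][::-1]   # reversed: pop() yields the next token

    def factor():
        tok = toks.pop()
        if tok == "!":
            return not factor()
        if tok == "(":
            value = disj()
            if toks.pop() != ")":
                raise ValueError("missing ')'")
            return value
        return truth[tok]                 # KeyError means the expression names no such test

    def conj():                           # '&' binds tighter than '|'
        value = factor()
        while toks and toks[-1] == "&":
            toks.pop()
            value = factor() and value
        return value

    def disj():
        value = conj()
        while toks and toks[-1] == "|":
            toks.pop()
            value = conj() or value
        return value

    value = disj()
    if toks:
        raise ValueError(f"unexpected token {toks[-1]!r}")
    return value


def evaluate(rules_text, rows, mac="00:11:22:33:44:55"):
    """Return the tests' truth table and the (rule id, settings) of every action block that fired."""
    tests, actions = parse_rules(rules_text)
    truth = {name: run_test(t, rows) for name, t in tests.items()}
    fired = []
    for rule_id, expr, settings in actions:
        if evaluate_expr(expr, truth):
            # Expand $mac as the guide's action_param examples expect.
            fired.append((rule_id, {k: v.replace("$mac", mac) for k, v in settings.items()}))
    return truth, fired
```

The same evaluate() call accepts a VLAN-filter style rule set (filter keys, the defined operator) over a single connection-context row, as the expression parser does not care where the test names come from.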
Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

  trigger=Nessus::<violationId>

Using OpenVAS:

  trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

  $ pfcmd reload violations

Note

Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:
- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.
RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

  Accounting::[DIRECTION]::[LIMIT]::[INTERVAL(optional)]

Let's explain each chunk properly:

- DIRECTION: you can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: this is actually the time window we will look at for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

  Accounting::IN::50GB::1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

  Accounting::OUT::500MB::1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:
  Accounting::TOT::200GB::1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
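An added Python example (not PacketFence code) that parses the Accounting::[DIRECTION]::[LIMIT]::[INTERVAL] trigger form above and checks the three example triggers against constructed accounting records; it also computes the Dynamic Window release date described in the Remediation section and the one-interval grace period recommended here. Treating D/W/M/Y as fixed 1/7/30/365-day windows is this example's assumption.

```python
import re
from datetime import datetime, timedelta

UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "PB": 1024**5}  # units the guide lists
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}  # assumption: fixed-length windows
TRIGGER = re.compile(r"^Accounting::(IN|OUT|TOT)::(\d+)(B|KB|MB|GB|PB)(?:::(\d+)([DWMY]))?$")

# Constructed accounting records: (session stop time, bytes downloaded, bytes uploaded).
NOW = datetime(2016, 6, 15, 12, 0)
RECORDS = [
    (datetime(2016, 6, 15, 9, 0), 30 * 1024**3, 600 * 1024**2),   # this morning
    (datetime(2016, 6, 1, 8, 0), 25 * 1024**3, 200 * 1024**2),    # two weeks ago
    (datetime(2016, 5, 1, 8, 0), 100 * 1024**3, 100 * 1024**3),   # outside the windows used below
]


def parse_trigger(text):
    """Return (direction, limit in bytes, window as a timedelta, or None when no interval is given)."""
    m = TRIGGER.match(text)
    if not m:
        raise ValueError(f"not an accounting trigger: {text!r}")
    direction, amount, unit, count, interval = m.groups()
    limit = int(amount) * UNITS[unit]
    window = timedelta(days=int(count) * INTERVAL_DAYS[interval]) if count else None
    return direction, limit, window


def usage(records, direction, window, now):
    """Sum the bytes moved in `direction` by the records that stopped inside the window."""
    start = now - window if window else None
    total = 0
    for stop, downloaded, uploaded in records:
        if start is not None and stop < start:
            continue
        total += {"IN": downloaded, "OUT": uploaded, "TOT": downloaded + uploaded}[direction]
    return total


def violates(trigger, records, now):
    """True when the accounted usage exceeds the trigger's limit inside its window."""
    direction, limit, window = parse_trigger(trigger)
    return usage(records, direction, window, now) > limit


def dynamic_window_release(trigger, opened):
    """Release date under Dynamic Window: the last day of the month for a monthly trigger
    (the case the guide describes); otherwise opened + window, this example's assumption."""
    _, _, window = parse_trigger(trigger)
    if TRIGGER.match(trigger).group(5) == "M":
        first_of_next_month = (opened.replace(day=1) + timedelta(days=32)).replace(day=1)
        return first_of_next_month - timedelta(days=1)
    return opened + (window or timedelta(0))


def recommended_grace(trigger):
    """The guide recommends setting the grace period to one interval window."""
    return parse_trigger(trigger)[2]


if __name__ == "__main__":
    for trig in ("Accounting::IN::50GB::1M", "Accounting::OUT::500MB::1D", "Accounting::TOT::200GB::1W"):
        print(trig, "VIOLATION" if violates(trig, RECORDS, NOW) else "within limit")
```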
Oinkmaster

Oinkmaster is a perl script that makes it possible to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you have already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

  0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.
Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the "Sign up" link.
Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

    [guests_self_registration]
    guest_pid=email
    preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtp server, make sure that a MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

    [guests_admin_registration]
    access_duration_choices=1h,3h,12h,1D,2D,3D,5D
    default_access_duration=12h

The format of the duration is as follows:
    <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.
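The following Python snippet is an added example, not part of PacketFence or of this guide, that turns an access duration string in the format above into an expiry time. It follows the parameter definitions literally: an F (or absent) base counts from the moment access is granted, an R base counts from the beginning of the current unit (Monday for weeks), and the optional +/- extension is applied afterwards in date units only. It also accepts a base letter without an extension (for example 1WR), which is a superset of the bracketed form. Function names and the reference time are assumptions.

```python
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
# The extension group is optional on its own so that "1WR" is accepted too.
DURATION_RE = re.compile(
    r"^(\d+)([smhDWMY])(?:([FR])(?:([+-])(\d+)([DWMY]))?)?$")

# Constructed reference time for the examples: Wednesday, 15 June 2016, 10:30.
REFERENCE_NOW = datetime(2016, 6, 15, 10, 30)


def add_months(dt, months):
    """Calendar-aware month arithmetic; the day is clamped to the target month's length."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def add_duration(dt, amount, unit):
    """Add (or, for a negative amount, subtract) a duration in the given unit."""
    if unit == "s":
        return dt + timedelta(seconds=amount)
    if unit == "m":
        return dt + timedelta(minutes=amount)
    if unit == "h":
        return dt + timedelta(hours=amount)
    if unit == "D":
        return dt + timedelta(days=amount)
    if unit == "W":
        return dt + timedelta(weeks=amount)
    if unit == "M":
        return add_months(dt, amount)
    if unit == "Y":
        return add_months(dt, 12 * amount)
    raise ValueError("unknown unit %r" % unit)


def start_of_period(dt, unit):
    """Beginning of the period unit containing dt (the R base). Weeks start on Monday."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    if unit == "Y":
        return day.replace(month=1, day=1)
    raise ValueError("unknown unit %r" % unit)


def is_valid_duration(duration):
    """True when the string follows the duration format."""
    return DURATION_RE.match(duration) is not None


def access_end(duration, now):
    """Return when access granted at `now` with this duration string expires."""
    m = DURATION_RE.match(duration)
    if not m:
        raise ValueError("malformed access duration: %r" % duration)
    amount, unit, base, op, ext_amount, ext_unit = m.groups()
    # F (or no base letter): count from now. R: count from the start of the unit.
    origin = start_of_period(now, unit) if base == "R" else now
    end = add_duration(origin, int(amount), unit)
    if op:
        extension = int(ext_amount) if op == "+" else -int(ext_amount)
        end = add_duration(end, extension, ext_unit)
    return end
```

With the reference time above, 12h expires the same evening at 22:30, 1WR expires at midnight on Monday 20 June (one week after the start of the current week) and 1WR-1D one day earlier; 1MR expires on 1 July at midnight because a relative month starts on the first of the month.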
Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

    [guests_self_registration]
    preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtp server, make sure that a MTA is installed and configured on the server.
Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
    # Powershell script to unregister deleted Active Directory account based on the UserName.
    #
    Get-EventLog -LogName Security -InstanceId 4726 |
        Select ReplacementStrings,"Account name" |
        ForEach-Object {
            $url = "https://IP_PACKETFENCE:9090/"
            $username = "admin"   # Username for the webservices
            $password = "admin"   # Password for the webservices
            # Accept the server certificate unconditionally (PacketFence ships a self-signed one)
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
            # ReplacementStrings[0] of event 4726 holds the name of the deleted account
            $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
            $web = [System.Net.WebRequest]::Create($url)
            $web.Method = "POST"
            $web.ContentLength = $bytes.Length
            $web.ContentType = "application/json-rpc"
            $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
            $stream = $web.GetRequestStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Close()
            $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
            $reader.ReadToEnd()
            $reader.Close()
        }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
  Name: PacketFence-Unreg_node-for-deleted-account
  Check "Run whether user is logged on or not"
  Check "Run with highest privileges"

Triggers → New:
  Begin on the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4726

Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:
  At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
    # Powershell script to unregister disabled Active Directory account based on the UserName.
    #
    Get-EventLog -LogName Security -InstanceId 4725 |
        Select ReplacementStrings,"Account name" |
        ForEach-Object {
            $url = "https://IP_PACKETFENCE:9090/"
            $username = "admin"   # Username for the webservices
            $password = "admin"   # Password for the webservices
            # Accept the server certificate unconditionally (PacketFence ships a self-signed one)
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
            # ReplacementStrings[0] of event 4725 holds the name of the disabled account
            $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
            $web = [System.Net.WebRequest]::Create($url)
            $web.Method = "POST"
            $web.ContentLength = $bytes.Length
            $web.ContentType = "application/json-rpc"
            $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
            $stream = $web.GetRequestStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Close()
            $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
            $reader.ReadToEnd()
            $reader.Close()
        }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
  Name: PacketFence-Unreg_node-for-disabled-account
  Check "Run whether user is logged on or not"
  Check "Run with highest privileges"

Triggers → New:
  Begin on the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4725

Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:
  At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.
    # Powershell script to unregister locked Active Directory account based on the UserName.
    #
    Get-EventLog -LogName Security -InstanceId 4740 |
        Select ReplacementStrings,"Account name" |
        ForEach-Object {
            $url = "https://IP_PACKETFENCE:9090/"
            $username = "admin"   # Username for the webservices
            $password = "admin"   # Password for the webservices
            # Accept the server certificate unconditionally (PacketFence ships a self-signed one)
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
            # ReplacementStrings[0] of event 4740 holds the name of the locked account
            $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'
            $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
            $web = [System.Net.WebRequest]::Create($url)
            $web.Method = "POST"
            $web.ContentLength = $bytes.Length
            $web.ContentType = "application/json-rpc"
            $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
            $stream = $web.GetRequestStream()
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Close()
            $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
            $reader.ReadToEnd()
            $reader.Close()
        }
Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:
  Name: PacketFence-Unreg_node-for-locked-account
  Check "Run whether user is logged on or not"
  Check "Run with highest privileges"

Triggers → New:
  Begin on the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4740
Actions → New:
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings:
  At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
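The three scripts above (deleted, disabled and locked accounts) build the JSON-RPC message by concatenating the account name into a string and accept any server certificate. The following Python snippet is an added example, not part of PacketFence or of this guide, showing the same unreg_node_for_pid call with the account name JSON-encoded (so a name containing quotes or backslashes cannot alter the message structure) and with the server certificate checked against a CA bundle instead of being ignored. Function names, the CA file parameter and the sample event strings are assumptions; the URL placeholder is the same IP_PACKETFENCE as in the scripts above.

```python
import base64
import json
import ssl
import urllib.request

# Same placeholder as the PowerShell scripts: replace with the PacketFence server IP.
WEBSERVICES_URL = "https://IP_PACKETFENCE:9090/"


def account_name_from_event(replacement_strings):
    """ReplacementStrings[0] of events 4725/4726/4740 is the target account name,
    which the scripts above use as the PacketFence pid."""
    return replacement_strings[0]


def build_unreg_request(pid):
    """Serialize the unreg_node_for_pid call as a JSON-RPC 2.0 message.

    json.dumps escapes quotes, backslashes and control characters, so the pid
    is always carried as a single string parameter, whatever it contains.
    """
    return json.dumps({"jsonrpc": "2.0",
                       "method": "unreg_node_for_pid",
                       "params": ["pid", pid]})


def parse_request(text):
    """Decode a JSON-RPC message back into a dict (used to check round-trips)."""
    return json.loads(text)


def send_unreg(pid, username, password, cafile, url=WEBSERVICES_URL, timeout=10):
    """POST the call over HTTPS, validating the server certificate against
    cafile (for example the CA that signed PacketFence's web services cert).

    The web services credentials are sent as HTTP Basic auth, which is what
    the NetworkCredential object in the scripts above does as well.
    """
    context = ssl.create_default_context(cafile=cafile)
    body = build_unreg_request(pid).encode("utf-8")
    request = urllib.request.Request(url, data=body, method="POST")
    request.add_header("Content-Type", "application/json-rpc")
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    request.add_header("Authorization", "Basic " + token.decode("ascii"))
    with urllib.request.urlopen(request, context=context, timeout=timeout) as response:
        return response.read().decode("utf-8")
```

send_unreg needs a reachable PacketFence server and is not exercised offline; build_unreg_request and account_name_from_event can be checked stand-alone. Using a dedicated web services account with only the rights this call needs, rather than the admin account, limits what the stored credentials can do if the Windows server is compromised.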
DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than the DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

    C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:67 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).
Then run: nssm install udpreflector

In Application:
  In Path, set it to C:\udp-reflector\udpreflector.bat
  In Startup directory, set it to C:\udp-reflector
  In Arguments, set it to nothing

In Details:
  In Startup type, select Automatic

In Log on:
  In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.
Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

    rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

    libpcap libpcap-devel gcc-c++

Get the source code of the sensor:
    mkdir -p ~/udp-reflector && cd ~/udp-reflector
    wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
    g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &

where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.
Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write" and assign this role to an internal user or in an Administration rule in an internal source.
Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.
Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

    [vlan]
    trap_limit = enabled
    trap_limit_threshold = 100
    trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.
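The following Python snippet is an added example, not part of PacketFence or of this guide, that shows the logic the trap limit describes: a per-switch-port sliding window of one minute, an action taken once the threshold is crossed, and the three [vlan] keys above read from a pf.conf-style snippet. Class and function names, the "email,shut" action list in the sample and the timestamps are assumptions; the guide only states that the switch port can be shut and a notification email sent.

```python
import configparser
from collections import deque

# Constructed config: the page's default has an empty trap_limit_action, this
# sample sets the two actions the text describes.
SAMPLE_CONFIG = """
[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action = email,shut
"""


def parse_trap_limit(text):
    """Read trap_limit, trap_limit_threshold and trap_limit_action from [vlan]."""
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(text)
    vlan = cfg["vlan"]
    enabled = vlan.get("trap_limit", "disabled").strip() == "enabled"
    threshold = int(vlan.get("trap_limit_threshold", "100"))
    raw_actions = vlan.get("trap_limit_action") or ""
    actions = [a.strip() for a in raw_actions.split(",") if a.strip()]
    return enabled, threshold, actions


class TrapLimiter:
    """Sliding-window trap counter keyed by (switch IP, ifIndex).

    observe() returns the actions to carry out when a port goes over the
    threshold within the window: "log" always, plus the configured actions.
    It fires once per burst; nothing is returned again until enough old traps
    have aged out of the window for a new crossing to happen.
    """

    def __init__(self, threshold=100, window_seconds=60, actions=()):
        self.threshold = threshold
        self.window = window_seconds
        self.actions = list(actions)
        self.history = {}

    def observe(self, switch_ip, if_index, timestamp):
        key = (switch_ip, if_index)
        traps = self.history.setdefault(key, deque())
        traps.append(timestamp)
        # Drop traps older than the window so the count reflects the last minute only.
        while traps and timestamp - traps[0] >= self.window:
            traps.popleft()
        if len(traps) == self.threshold + 1:
            return ["log"] + self.actions
        return []
```

The `== threshold + 1` test is what gives one action per burst: a port that keeps flooding stays above the threshold and is not shut repeatedly, which matters when "shut" is among the actions.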
MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

    # uptime
    11:36:37 up 235 days,  1:21,  1 user,  load average: 1.25, 1.05, 0.79
Check iostat and CPU:

    # iostat 5
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    3.20   20.20   76.00

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       32.40         0.00      1560.00          0       7800

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.20    9.20   88.00

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        7.80         0.00        73.60          0        368

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    1.80   23.80   73.80

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       31.40         0.00      1427.20          0       7136

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.40   18.16   78.84

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

    mysql> show variables;
    | innodb_additional_mem_pool_size | 1048576 |
    | innodb_autoextend_increment     | 8       |
    | innodb_buffer_pool_awe_mem_mb   | 0       |
    | innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

    # /etc/init.d/packetfence stop
    Shutting down PacketFence...
    # /etc/init.d/mysql stop
    Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):
    [mysqld]
    # Set buffer pool size to 50-80% of your computer's memory
    innodb_buffer_pool_size=800M
    innodb_additional_mem_pool_size=20M
    innodb_flush_log_at_trx_commit=2
    innodb_file_per_table

    # allow more connections
    max_connections=700

    # set cache size
    key_buffer_size=900M
    table_cache=300
    query_cache_size=256M

    # enable slow query log
    log_slow_queries = ON

Startup MySQL and PacketFence:

    # /etc/init.d/mysqld start
    Starting MySQL:                                            [  OK  ]
    # /etc/init.d/packetfence start
    Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

    # uptime
    12:01:58 up 235 days,  1:46,  1 user,  load average: 0.15, 0.39, 0.52
    # iostat 5
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        8.00         0.00        75.20          0        376

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.99   13.37   83.03

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       14.97         0.00       432.73          0       2168

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.20    0.00    2.60    6.60   90.60

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:

    /usr/local/bin/pftest mysql
Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.
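The following Python snippet is an added example, not part of PacketFence or of this guide and not its maintenance script, that carries out the locationlog archiving described above on an in-memory SQLite copy so the "closed record" condition can be seen in action: a row is moved only when end_time is set, is not the zero date and is older than the cut-off. The table columns are a simplified, constructed subset, not PacketFence's real schema, and the function names are assumptions.

```python
import sqlite3

# A closed record has end_time set: not NULL and not the zero date. MySQL can
# compare a DATETIME against 0 for the zero date; SQLite stores text, so the
# zero date is spelled out here.
ZERO_DATE = "0000-00-00 00:00:00"
CLOSED = "end_time IS NOT NULL AND end_time <> '%s'" % ZERO_DATE

# Constructed, simplified schema (not PacketFence's real locationlog layout).
SCHEMA = """
CREATE TABLE locationlog (mac TEXT, switch TEXT, port TEXT, vlan TEXT,
                          start_time TEXT, end_time TEXT);
CREATE TABLE locationlog_archive (mac TEXT, switch TEXT, port TEXT, vlan TEXT,
                                  start_time TEXT, end_time TEXT);
"""

# Constructed sample rows: one still open, one open with the zero date,
# one closed long ago and one closed recently.
SAMPLE_ROWS = [
    ("00:11:22:33:44:01", "10.0.0.2", "1", "20", "2016-01-10 08:00:00", None),
    ("00:11:22:33:44:02", "10.0.0.2", "2", "20", "2016-01-11 08:00:00", ZERO_DATE),
    ("00:11:22:33:44:03", "10.0.0.2", "3", "20", "2016-01-12 08:00:00", "2016-01-12 17:00:00"),
    ("00:11:22:33:44:04", "10.0.0.2", "4", "20", "2016-06-14 08:00:00", "2016-06-14 17:00:00"),
]


def demo_database():
    """Build the in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO locationlog VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def archive_closed_entries(conn, closed_before):
    """Move closed locationlog rows whose end_time is older than closed_before
    into locationlog_archive, in one transaction. Returns the number moved."""
    with conn:
        conn.execute("INSERT INTO locationlog_archive SELECT * FROM locationlog "
                     "WHERE %s AND end_time < ?" % CLOSED, (closed_before,))
        cur = conn.execute("DELETE FROM locationlog WHERE %s AND end_time < ?" % CLOSED,
                           (closed_before,))
    return cur.rowcount


def row_counts(conn):
    """(rows left in locationlog, rows in locationlog_archive)."""
    live = conn.execute("SELECT COUNT(*) FROM locationlog").fetchone()[0]
    archived = conn.execute("SELECT COUNT(*) FROM locationlog_archive").fetchone()[0]
    return live, archived
```

Running the archive with a cut-off of 1 June 2016 moves exactly one row: the open row (NULL) and the zero-date row are skipped by the closed-record condition even though a plain `end_time < cut-off` comparison would have matched the zero date, and the recently closed row is kept because it is newer than the cut-off.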
Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

    Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).
Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

    [get_ua_is_dalvik]
    filter = user_agent
    method = GET
    operator = match
    value = Dalvik

    [get_uri_not_generate204]
    filter = uri
    method = GET
    operator = match_not
    value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

    [block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
    action = 501
    redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

    service packetfence stop

Create an ext4 partition:

    mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:
    mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

    echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
    mkdir /usr/local/pf/var/graphite
    mount -a
    df -h

Apply the proper user rights and restore your database from your backup:

    chown pf:pf /usr/local/pf/var/graphite
    cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

    rm -fr /usr/local/pf/var/graphite.bak
Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.
GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:
    Usage: pfcmd <command> [options]

    Commands:
     cache                       | manage the cache subsystem
     checkup                     | perform a sanity checkup and report any problems
     class                       | view violation classes
     configfiles                 | push or pull configfiles into/from database
     configreload                | reload the configuration
     floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
     help                        | show help for pfcmd commands
     ifoctetshistorymac          | accounting history
     ifoctetshistoryswitch       | accounting history
     ifoctetshistoryuser         | accounting history
     import                      | bulk import of information into the database
     ipmachistory                | IP/MAC history
     locationhistorymac          | Switch/Port history
     locationhistoryswitch       | Switch/Port history
     networkconfig               | query/modify network configuration parameters
     node                        | manipulate node entries
     pfconfig                    | interact with pfconfig
     portalprofileconfig         | query/modify portal profile configuration parameters
     reload                      | rebuild fingerprint or violations tables without restart
     service                     | start/stop/restart and get PF daemon status
     schedule                    | Nessus scan scheduling
     switchconfig                | query/modify switches.conf configuration parameters
     version                     | output version information
     violationconfig             | query/modify violations.conf configuration parameters

    Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

    /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
    mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
    52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.
Again, when executed without any arguments, a help screen is shown:

    Usage: pfcmd_vlan command [options]

    Command:
      -deauthenticate       de-authenticate a dot11 client
      -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
      -getAlias             show the description of the specified switch port
      -getAllMACs           show all MACS on all switch ports
      -getHubs              show switch ports with several MACs
      -getIfOperStatus      show the operational status of the specified switch port
      -getIfType            show the ifType on the specified switch port
      -getLocation          show at which switch port the MAC is found
      -getSwitchLocation    show SNMP location of specified switch
      -getMAC               show all MACs on the specified switch port
      -getType              show switch type
      -getUpLinks           show the upLinks of the specified switch
      -getVersion           show switch OS version
      -getVlan              show the VLAN on the specified switch port
      -getVlanType          show the VLAN type on the specified port
      -help                 brief help message
      -isolate              set the switch port to the isolation VLAN
      -man                  full documentation
      -reAssignVlan         re-assign a switch port VLAN
      -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
      -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
      -setAlias             set the description of the specified switch port
      -setDefaultVlan       set the switch port to the default VLAN
      -setIfAdminStatus     set the admin status of the specified switch port
      -setVlan              set VLAN on the specified switch port
      -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

    Options:
      -alias                switch port description
      -ifAdminStatus        ifAdminStatus
      -ifIndex              switch port ifIndex
      -mac                  MAC address
      -showPF               show additional information available in PF
      -switch               switch description
      -verbose              log verbosity level
                              0 : fatal messages
                              1 : warn messages
                              2 : info messages
                              3 : debug
                              4 : trace
      -vlan                 VLAN id
      -vlanName             VLAN name (as in switches.conf)