
Administration Guide for PacketFence version 6.0.3

Administration Guide by Inverse Inc.

Version 6.0.3 - Jun 2016. Copyright © 2016 Inverse inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL

Copyright © Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".

Copyright © Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Copyright © 2016 Inverse inc.

Table of Contents

About this Guide ... 1
  Other sources of information ... 1
Introduction ... 2
  Features ... 2
  Network Integration ... 5
  Components ... 5
System Requirements ... 7
  Assumptions ... 7
  Minimum Hardware Requirements ... 7
  Operating System Requirements ... 7
Installation ... 9
  OS Installation ... 9
  Software Download ... 10
  Software Installation ... 10
Get off on the right foot ... 12
Technical introduction to Inline enforcement ... 13
  Introduction ... 13
  Device configuration ... 13
  Access control ... 13
  Limitations ... 14
Technical introduction to Out-of-band enforcement ... 15
  Introduction ... 15
  VLAN assignment techniques ... 15
  More on SNMP traps VLAN isolation ... 17
Technical introduction to Hybrid enforcement ... 20
  Introduction ... 20
  Device configuration ... 20
Configuration ... 21
  Roles Management ... 21
  Authentication ... 22
  External API authentication ... 24
  SAML authentication ... 25
  Network Devices Definition (switches.conf) ... 27
  Portal Profiles ... 31
  FreeRADIUS Configuration ... 32
  Portal Modules ... 43
Debugging ... 52
  Log files ... 52
  RADIUS Debugging ... 52
More on VoIP Integration ... 54
  CDP and LLDP are your friend ... 54
  VoIP and VLAN assignment techniques ... 54
  What if CDP/LLDP feature is missing ... 55
Advanced topics ... 56
  Apple and Android Wireless Provisioning ... 56
  Billing Engine ... 57
  Devices Registration ... 69
  Eduroam ... 70
  Fingerbank integration ... 74
  Floating Network Devices ... 75
  OAuth2 Authentication ... 77
  Passthrough ... 79
  Production DHCP access ... 80
  Proxy Interception ... 81
  Routed Networks ... 82
  Statement of Health (SoH) ... 85
  VLAN Filter Definition ... 86
  RADIUS Filter Definition ... 88
  DNS enforcement ... 90
  Parked devices ... 90
Optional components ... 92
  Blocking malicious activities with violations ... 92
  Compliance Checks ... 100
  RADIUS Accounting ... 105
  Oinkmaster ... 106
  Guests Management ... 107
  Active Directory Integration ... 110
  DHCP remote sensor ... 115
  Switch login access ... 117
Operating System Best Practices ... 118
  IPTables ... 118
  Log Rotations ... 118
Performance optimization ... 119
  SNMP Traps Limit ... 119
  MySQL optimizations ... 119
  Captive Portal Optimizations ... 122
  Dashboard Optimizations (statistics collection) ... 123
Additional Information ... 125
Commercial Support and Contact Information ... 126
GNU Free Documentation License ... 127
A. Administration Tools ... 128
  pfcmd ... 128
  pfcmd_vlan ... 129

Chapter 1

About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs:

- Network Devices Configuration Guide (PDF): covers switch, controllers and access points configuration.
- Developer's Guide (PDF): covers captive portal customization, VLAN management customization and instructions for supporting new hardware.
- CREDITS: this is at least a partial file of PacketFence contributors.
- NEWS.asciidoc: covers noteworthy features, improvements and bug fixes by release.
- UPGRADE.asciidoc: covers compatibility related changes, manual instructions and general notes about upgrading.
- ChangeLog: covers all changes to the source code.

Chapter 2

Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single Sign-On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall / gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


Chapter 3

System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:


- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.

Chapter 4

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable the distribution's firewall service (PacketFence manages iptables itself, see "Services start-up" above)
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

  yum update

On a Debian or Ubuntu system, do:

  apt-get update
  apt-get upgrade

Regarding SELinux or AppArmor: even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: these extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

  rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides an RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

  yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:


  yum install perl
  yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://<ip_of_packetfence>:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

  echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

  echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

  sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
  sudo apt-get update
  sudo apt-get install packetfence

The signing key is fetched from a keyserver by its short (32-bit) key ID, and short IDs are not collision resistant: before installing, compare the full fingerprint of the imported key (apt-key finger) with one obtained from Inverse through an independent channel, since the repository itself is served over plain HTTP and that key is the only thing authenticating the packages.

Chapter 5

Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.

Chapter 6

Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.

This is why it is considered a "poor man's" way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
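The access-control behaviour and the ipset ceiling described in the two sections above, as an added model written for this page. It is not PacketFence's own iptables/ipset rule set: it reproduces the decision those rules make for a forwarded packet, assuming two MAC-keyed sets ("unregistered" and "registered"), web traffic on TCP/80 and TCP/443 being sent to the portal, and the default ipset hash size of 65536 entries.

```python
# Added illustration of the inline access-control policy: a MAC starts in the
# "unregistered" set (web -> captive portal, everything else dropped) and is
# moved to the "registered" set once the user registers. Not PacketFence code;
# set names, ports and the maxelem value are assumptions for this example.

IPSET_MAXELEM = 65536            # ipset default maxelem: the "class B" ceiling
PORTAL_PORTS = {80, 443}         # web traffic that is redirected to the portal
ACCEPT, REDIRECT, DROP = "ACCEPT", "REDIRECT", "DROP"


class InlineGateway:
    """PacketFence as the gateway of the inline VLAN, keeping per-MAC state."""

    def __init__(self, maxelem=IPSET_MAXELEM):
        self.maxelem = maxelem
        self.unregistered = {}   # mac -> ip, like an ipset hash:mac entry
        self.registered = {}

    def dhcp_lease(self, mac, ip):
        """A device obtains an address: a new MAC starts in the unregistered set."""
        if mac in self.registered:
            self.registered[mac] = ip
            return
        if mac not in self.unregistered and \
                len(self.unregistered) + len(self.registered) >= self.maxelem:
            raise OverflowError("ipset full: the inline network exceeds maxelem")
        self.unregistered[mac] = ip

    def register(self, mac):
        """Captive-portal registration moves the MAC into the allowed set."""
        ip = self.unregistered.pop(mac, None)
        if ip is None:
            raise KeyError(f"{mac} has no inline session")
        self.registered[mac] = ip

    def unregister(self, mac):
        """A violation or an expired registration sends the MAC back to the portal."""
        ip = self.registered.pop(mac, None)
        if ip is not None:
            self.unregistered[mac] = ip

    def decide(self, mac, proto, dport):
        """Walk the chain the way iptables would for a forwarded packet."""
        if mac in self.registered:
            return ACCEPT                       # allowed MAC: forwarded / NATed
        if mac in self.unregistered:
            if proto == "tcp" and dport in PORTAL_PORTS:
                return REDIRECT                 # web traffic -> captive portal
            return DROP                         # everything else is blocked
        return DROP                             # no session at all


def demo():
    """Walk one device through the lifecycle; returns the decisions taken."""
    gw = InlineGateway()
    gw.dhcp_lease("00:11:22:33:44:55", "10.10.0.20")
    before = (gw.decide("00:11:22:33:44:55", "tcp", 80),
              gw.decide("00:11:22:33:44:55", "tcp", 22))
    gw.register("00:11:22:33:44:55")
    after = gw.decide("00:11:22:33:44:55", "tcp", 22)
    return before + (after,)


if __name__ == "__main__":
    print(demo())
```

The capacity check in dhcp_lease is what the "class B" limitation amounts to in practice: once the set is full, a new device cannot even get an unregistered session, so size the inline network (or split it across interfaces) before that point.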

Chapter 7

Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Because a MAC address can be observed and cloned by anyone on the segment, treat MAC-authenticated devices as lower-assurance and map their roles to VLANs accordingly. Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.
2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.
3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.
4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).
5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).
6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication source - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence, which creates a user+device policy profile in its database.
7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.
8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
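The RADIUS side of the MAC-authentication flow above (steps 2, 3, 4 and 8), as an added example written for this page with the Python standard library. It is not PacketFence or FreeRADIUS code: the node database, the VLAN numbers (2 for registration, 3 for isolation) and the shared secret are assumed values. The switch sends the MAC as User-Name and as a PAP User-Password, the server looks the MAC up and answers with the RFC 2868 tunnel attributes that carry the VLAN, and the switch checks the Response Authenticator before applying it.

```python
# Added example of a MAB (MAC Authentication Bypass) exchange carrying a VLAN.
# Wire format per RFC 2865 (header, attributes, password hiding, Response
# Authenticator) and RFC 2868 (tagged tunnel attributes). Not PacketFence code.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 31, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802, ETHERNET = 13, 6, 15            # RFC 2868 / RFC 2865 enumerations


def _attr(atype, value):                         # Type, Length, Value (RFC 2865 5)
    return struct.pack("!BB", atype, len(value) + 2) + value


def _tagged_int(value, tag=0):                   # RFC 2868: tag octet + 3-byte integer
    return bytes([tag]) + value.to_bytes(3, "big")


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Server side: reverse the chain; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def parse_attrs(packet):
    """Attributes start at offset 20 (code, id, length, 16-byte authenticator)."""
    attrs, pos = [], 20
    while pos < len(packet):
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs


def build_mab_request(mac, secret, ident=1, authenticator=None):
    """The switch's Access-Request: MAC as User-Name and as PAP User-Password."""
    authenticator = authenticator or os.urandom(16)
    mac_b = mac.encode()
    attrs = (_attr(USER_NAME, mac_b)
             + _attr(USER_PASSWORD, hide_password(mac_b, secret, authenticator))
             + _attr(CALLING_STATION_ID, mac_b)
             + _attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def choose_vlan(mac, node_db, registration_vlan, isolation_vlan):
    """The PacketFence-side decision: registered -> role VLAN, open violation -> isolation."""
    node = node_db.get(mac)
    if node is None or node.get("status") != "reg":
        return registration_vlan
    return isolation_vlan if node.get("violations") else node["vlan"]


def build_access_accept(request, secret, vlan):
    """Access-Accept carrying the VLAN; the Response Authenticator binds it to the request."""
    attrs = (_attr(TUNNEL_TYPE, _tagged_int(VLAN))
             + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(IEEE_802))
             + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret):
    """Switch side: same identifier and a Response Authenticator made with the shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and expected == response[4:20]


def vlan_from_accept(response):
    for atype, value in parse_attrs(response):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return int(value[1:].decode())       # skip the tag octet
    return None


def mab_exchange(mac, node_db, secret=b"testing123"):
    """Full round trip; returns the VLAN the switch ends up applying to the port."""
    request = build_mab_request(mac, secret)
    attrs = dict(parse_attrs(request))
    username = attrs[USER_NAME].decode()
    # the server checks the PAP password (for MAB, the MAC itself) before deciding
    if unhide_password(attrs[USER_PASSWORD], secret, request[4:20]) != username.encode():
        raise ValueError("password does not match the MAC")
    accept = build_access_accept(request, secret, choose_vlan(username, node_db, 2, 3))
    if not verify_response(accept, request, secret):
        raise ValueError("Response Authenticator mismatch: not from our RADIUS server")
    return vlan_from_accept(accept)
```

Two things this makes visible: the only secret in the exchange is the shared secret (the "password" is the MAC the switch already knows), so the assurance of a MAB decision rests entirely on that secret and on the switch's own port; and the VLAN arrives as a string in Tunnel-Private-Group-ID, which is why a void or missing VLAN (see the hybrid section) is expressed by simply omitting that attribute.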

Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't redo DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps. Note that SNMPv1/v2c traps and the SET requests that answer them carry their community string in clear text and are not authenticated, so this traffic belongs on a management network that end devices cannot reach: a forged trap or a leaked write community would let a client influence its own VLAN.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a "void" VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a "linkUp trap" when it receives a "linkDown" trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
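How a trap-driven VLAN setter reacts to the three trap families above (linkUp/linkDown with polling, MAC notification, port-security), including the "cancel the linkUp work when a linkDown arrives on the same port" optimization, as an added example written for this page. It is not pfsetvlan's code and the one-line-per-trap format is an assumption of this example, not the real snmptrapd.log layout; the sample lines, VLAN numbers and node database are constructed.

```python
# Added illustration of trap handling for SNMP-based VLAN isolation. Not
# PacketFence code: the "timestamp|switch|trap|k=v|..." line format, the VLAN
# numbers and the node database are assumptions made for this example.
MAC_DETECTION_VLAN, REGISTRATION_VLAN = 4, 2

SAMPLE_TRAPS = """\
2016-06-01 10:00:00|10.0.0.5|linkUp|ifIndex=10001
2016-06-01 10:00:01|10.0.0.5|linkDown|ifIndex=10001
2016-06-01 10:00:05|10.0.0.5|linkUp|ifIndex=10001
2016-06-01 10:00:06|10.0.0.5|macLearnt|ifIndex=10001|mac=00:11:22:33:44:55
2016-06-01 10:00:20|10.0.0.6|portSecurityViolation|ifIndex=3|mac=aa:bb:cc:dd:ee:ff
2016-06-01 10:00:30|10.0.0.7|linkUp|ifIndex=5
"""   # constructed sample, not real snmptrapd.log content

NODES = {"00:11:22:33:44:55": {"status": "reg", "vlan": 10}}   # constructed node table


class TrapHandler:
    def __init__(self, node_db, mac_notification_switches=()):
        self.node_db = node_db
        self.mac_notif = set(mac_notification_switches)   # switches that send MAC learnt traps
        self.pending = {}      # (switch, ifIndex) -> True if we must poll the switch for the MAC
        self.actions = []      # (switch, ifIndex, vlan, reason) that would be sent to the switch

    def _vlan_for(self, mac):
        node = self.node_db.get(mac)
        if node and node.get("status") == "reg" and not node.get("violations"):
            return node["vlan"]
        return REGISTRATION_VLAN        # unknown, unregistered, or has an open violation

    def _set_vlan(self, switch, port, vlan, reason):
        self.actions.append((switch, port, vlan, reason))

    def handle(self, line):
        _ts, switch, trap, *fields = line.rstrip("\n").split("|")
        kv = dict(f.split("=", 1) for f in fields)
        port = int(kv["ifIndex"])
        key = (switch, port)
        if trap == "linkUp":
            self._set_vlan(switch, port, MAC_DETECTION_VLAN, "linkUp: park port until MAC known")
            self.pending[key] = switch not in self.mac_notif   # poll only if the switch won't tell us
        elif trap == "linkDown":
            self.pending.pop(key, None)   # cancels any linkUp work in flight for this port
            self._set_vlan(switch, port, MAC_DETECTION_VLAN, "linkDown: park port")
        elif trap in ("macLearnt", "portSecurityViolation"):
            self.pending.pop(key, None)   # the MAC is known: no more polling needed
            self._set_vlan(switch, port, self._vlan_for(kv["mac"]), f"{trap}: {kv['mac']}")
        elif trap == "macRemoved":
            self.pending.pop(key, None)
        # any other trap type is ignored by this handler

    def poll_due(self):
        """Ports still waiting for a MAC that has to be discovered by SNMP polling."""
        return sorted(k for k, must_poll in self.pending.items() if must_poll)


def run(log_text=SAMPLE_TRAPS, node_db=NODES, mac_notification_switches=("10.0.0.5",)):
    """Feed every line of the (constructed) trap log through the handler."""
    handler = TrapHandler(node_db, mac_notification_switches)
    for line in log_text.splitlines():
        if line.strip():
            handler.handle(line)
    return handler


if __name__ == "__main__":
    h = run()
    for action in h.actions:
        print(action)
    print("still polling:", h.poll_due())
```

With the sample input, the port on 10.0.0.5 is parked three times (linkUp, linkDown, linkUp) and only moved to VLAN 10 once the MAC learnt trap arrives; the port-security violation on 10.0.0.6 goes straight to the registration VLAN because that MAC is unknown; and only the switch without MAC notification (10.0.0.7) is left on the polling list.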

Chapter 8

Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration) and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
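Evaluating such a trigger string against an incoming RADIUS request, as an added example written for this page (not PacketFence's own parser). The syntax assumed is the one shown above, comma-separated TYPE::value items; the request fields (MAC, SSID, ifIndex) and the VLAN numbers are assumptions.

```python
# Added illustration of the "Trigger to enable inline mode" evaluation.
# Not PacketFence code; the trigger syntax and request fields are assumptions.
TRIGGER_KINDS = {"ALWAYS", "PORT", "MAC", "SSID"}


def parse_triggers(spec):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [('SSID', 'GuestAccess'), ('MAC', ...)]"""
    triggers = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        kind, _, value = item.partition("::")
        kind = kind.upper()
        if kind not in TRIGGER_KINDS:
            raise ValueError(f"unknown trigger type: {kind}")
        if kind == "PORT":
            value = int(value)          # an ifIndex
        elif kind == "MAC":
            value = value.lower()       # compare MACs case-insensitively
        triggers.append((kind, value))
    return triggers


def use_inline(spec, *, mac, ssid=None, if_index=None):
    """True when any trigger matches the connecting device's request (first hit wins)."""
    mac = mac.lower()
    for kind, value in parse_triggers(spec):
        if (kind == "ALWAYS"
                or (kind == "PORT" and if_index == value)
                or (kind == "MAC" and mac == value)
                or (kind == "SSID" and ssid == value)):
            return True
    return False


def vlan_to_return(spec, *, mac, ssid=None, if_index=None, inline_vlan=None, role_vlan=None):
    """What the RADIUS answer carries: the inline VLAN (None = void) or the role's VLAN."""
    if use_inline(spec, mac=mac, ssid=ssid, if_index=if_index):
        return ("inline", inline_vlan)
    return ("vlan", role_vlan)
```

A MAC trigger is a convenience for a known device, not an access-control boundary: anyone who clones that MAC is placed in inline mode too, which is harmless here only because inline mode still forces the client through the captive portal.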

Chapter 9

Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://<ip_of_packetfence>:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.
2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.
3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.
4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.
5. test!

Note: if you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, in the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- Email
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, in the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

ExampleLetrsquossaywehavetworolesguestandemployeeFirstwedefinethemConfigurationrarrUsersrarrRoles

NowwewanttoauthenticateemployeesusingActiveDirectory (overLDAP)andguestsusingPacketFencersquosinternaldatabase-bothusingPacketFencersquoscaptiveportalFromtheConfigurationrarrUsersrarrSourcesweselectAddsourcerarrADWeprovidethefollowinginformation

Namead1 DescriptionActiveDirectoryforEmployees Host19216812389withoutSSLTLS BaseDNCN=UsersDC=acmeDC=local ScopeOne-level UsernameAttributesAMAccountName BindDNCN=AdministratorCN=UsersDC=acmeDC=local Passwordacme123

ThenweaddarulebyclickingontheAddrulebuttonandprovidethefollowinginformation

Nameemployees DescriptionRuleforallemployees Donrsquotsetanycondition(asitrsquosacatch-allrule) Setthefollowingactions

Setroleemployee

SetunregistrationdateJanuary1st2020

Test the connection and save everything Using the newly defined source any username thatactuallymatchesinthesource(usingthesAMAccountName)willhavetheemployeeroleandanunregistrationdatesettoJanuary1st2020

NowsincewewanttoauthenticateguestsfromPacketFencersquosinternalSQLdatabaseaccountsmustbeprovisionnedmanuallyYoucandosofromtheUsersrarrCreatesectionWhencreatingguestsspecifyguestfortheSetroleactionandsetanaccessdurationfor1day

If youwould like to differentiate user authentication andmachine authentication using ActiveDirectoryonewaytodoitisbycreatingasecondauthenticationsourcesformachines

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth

Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all and accept everything.
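The first-match wins evaluation described above, as an added illustration in Python (not PacketFence code): sources are tried in order, rules within a source in order, a rule without conditions is a catch-all, and catch-all behaviour differs between directory-backed sources and Kerberos/RADIUS as the note explains. The two sources mirror the example (ad1 for employees, the internal SQL source for guests); the directory contents, the extra it-staff rule and the helper names are assumptions.

```python
"""First-match wins evaluation of authentication sources, rules, conditions
and actions (added illustration, not PacketFence code).  Sources are tried in
the order given; within a source, rules are tried in order; a rule with no
condition is a catch-all; the first rule whose conditions all hold applies its
actions and stops evaluation across all sources.  A catch-all on a
directory-backed source (AD, LDAP, htpasswd, SQL) only matches users the source
actually knows; Kerberos and RADIUS accept everyone."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRUE_CATCH_ALL = {"Kerberos", "RADIUS"}


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]   # attribute -> required value; {} means catch-all
    actions: Dict[str, str]      # e.g. {"role": "employee", "unregdate": "2020-01-01"}


@dataclass
class Source:
    name: str
    kind: str                    # "AD", "LDAP", "htpasswd", "SQL", "Kerberos", "RADIUS"
    rules: List[Rule]
    # constructed directory: username -> attributes the source would return
    directory: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        """Attributes for username, or None when the source does not know it."""
        if self.kind in TRUE_CATCH_ALL:
            return {}                      # accepts everything, returns no attributes
        return self.directory.get(username)


def rule_matches(rule: Rule, attrs: Dict[str, str]) -> bool:
    # every condition must hold; an empty condition set (catch-all) always holds
    return all(attrs.get(attr) == value for attr, value in rule.conditions.items())


def evaluate(sources: List[Source], username: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (source name, rule name, actions) for the first matching rule, else None."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue                       # unknown here: even a catch-all cannot match
        for rule in source.rules:
            if rule_matches(rule, attrs):
                return source.name, rule.name, dict(rule.actions)   # stop across all sources
    return None


# Constructed sources mirroring the example: ad1 for employees, with an assumed
# it-staff rule placed before the catch-all to show that rule order matters,
# then the internal SQL source for guests.  Users and attributes are invented.
AD1 = Source(
    name="ad1", kind="AD",
    rules=[
        Rule("it-staff", {"memberOf": "IT"}, {"role": "it", "unregdate": "2020-01-01"}),
        Rule("employees", {}, {"role": "employee", "unregdate": "2020-01-01"}),
    ],
    directory={"jdoe": {"memberOf": "Staff"}, "asmith": {"memberOf": "IT"}},
)
LOCAL = Source(
    name="local", kind="SQL",
    rules=[Rule("guests", {}, {"role": "guest", "access_duration": "1D"})],
    directory={"guest1": {}},
)
SOURCES = [AD1, LOCAL]


if __name__ == "__main__":
    for user in ("asmith", "jdoe", "guest1", "nobody"):
        print(user, "->", evaluate(SOURCES, user))
```

Placing a RADIUS or Kerberos source before ad1 would shadow every later source, since it is a true catch-all; the source order in the GUI is therefore part of the access policy.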

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}

Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
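An external API in the shape described above, as an added example written for this guide (it is not the addons/example_external_auth shipped with PacketFence): the authentication action answers result/message, the authorization action returns only the attributes it wants applied, and requests are gated by HTTP basic auth matching the API username and password fields. The endpoint paths (/authenticate and /authorize), the API credentials and the user store are constructed for the demo.

```python
"""Minimal external HTTP authentication API in the shape PacketFence's HTTP
source expects (added example, not PacketFence's example_external_auth).
Two POST endpoints: the authentication action answers {"result": 1|0,
"message": ...}; the authorization action answers only the action attributes
it wants applied.  Paths, API credentials and users are constructed."""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.parse import parse_qs

# What PacketFence sends as HTTP basic auth (the API username/password fields).
API_USER, API_PASSWORD = "packetfence", "api-secret"                    # constructed
AUTHENTICATION_PATH, AUTHORIZATION_PATH = "/authenticate", "/authorize"  # assumed


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: only salted hashes are kept server-side.
USERS: Dict[str, dict] = {
    "jdoe": {
        "salt": b"demo-salt-1",
        "pw_hash": hash_password("s3cret", b"demo-salt-1"),
        # attributes PacketFence accepts in the authorization reply
        "attrs": {"access_duration": "1D", "category": "employee", "unregdate": "2030-01-01"},
    },
}


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str]) -> bool:
    """RFC 2617 basic auth check with constant-time comparisons."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), API_USER.encode())
            and hmac.compare_digest(password.encode(), API_PASSWORD.encode()))


def authenticate(form: Dict[str, str]) -> dict:
    """Authentication action: is the username/password combination valid?"""
    user = USERS.get(form.get("username", ""))
    if user is None:
        hash_password(form.get("password", ""), b"dummy-salt")  # same cost for unknown users
        return {"result": 0, "message": "Invalid username or password"}
    candidate = hash_password(form.get("password", ""), user["salt"])
    if hmac.compare_digest(candidate, user["pw_hash"]):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(form: Dict[str, str]) -> dict:
    """Authorization action: only the attributes to apply, nothing for unknown users."""
    user = USERS.get(form.get("username", ""))
    return dict(user["attrs"]) if user else {}


class Handler(BaseHTTPRequestHandler):
    ROUTES = {AUTHENTICATION_PATH: authenticate, AUTHORIZATION_PATH: authorize}

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-api"')
            self.end_headers()
            return
        action = self.ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode()
        # PacketFence sends the fields as POST form data; keep the first value of each
        form = {key: values[0] for key, values in parse_qs(raw).items()}
        body = json.dumps(action(form)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # The HTTP source's Host would then be http://<this host>:8080 (constructed port)
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

In production the endpoint should sit behind TLS, since the POST fields carry the user's password and the basic auth header carries the API credentials.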

SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).

Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches

Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range

Switch vendor/type

Switch uplink ports (trunks and non-managed IfIndex)

per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.

From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.

Example with the most common ones:

SSID: Guest-SSID

VLAN: 100

Switch Port: <SwitchId>-<Port>

Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.

Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.

Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.

Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:

service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf
ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.

ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note

This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
        # Disable ntlm_auth
        update control {
                &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                # Check password table with email and password for a sponsor registration
                pfguest
                if (fail || notfound) {
                        # Check password table with email and password for a guest registration
                        pfsponsor
                        if (fail || notfound) {
                                # Don't check activation table with phone number and PIN code
                                #pfsms    <--- This line was commented out
                                if (fail || notfound) {
                                        update control {
                                                &MS-CHAP-Use-NTLM-Auth := Yes
                                        }
                                }
                        }
                }
        }
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.

Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
                MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := Yes
                }
        }
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests: Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.

Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

Billing: Allows to define a module based on one or more billing sources.

Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, …).

Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples: This section will contain the following examples:

Prompting for fields without authentication

Prompting additional fields during the authentication

Chained authentication

Mixing login and Secure SSID on-boarding on the portal

Displaying a message to the user after the registration

Creating a custom root module: First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication: In order to prompt for fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, …).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to log in via any configured OAuth source (Github, Google+, …) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.

Then, add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.

Next add the chained_oauth_sms module in my_first_root_module (removing any previousmodules)andsaveitNowwhenvisitingtheportalyoushouldhavetoauthenticationusinganOAuthsourceandthenusingSMSbasedregistration

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to the section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, the device is not allowed through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.

Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source to gain access to the network, or directly using provisioning in order to configure your device for the Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

    Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile, and you will then see the hello world message.

Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

- Sources by class: Allows you to specify the perl class name of the sources you want available. Ex: pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, …).
- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.
- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.

You can see the default_guest_policy and default_oauth_policy for examples of this module.

Chapter 10

Debugging

Log files

Here are the most important PacketFence log files:

- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache, Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache, Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache, Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache, Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache, Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache, Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache, AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache, AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct

Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.

Chapter 11

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment, including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and to tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.

Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP servers to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).

Chapter 12

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface, under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preferences, and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file, and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.

Afterwards, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,android.clients.google.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Launching the application and clicking configure will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.

Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts, expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log into the Paypal business account that you created, at https://www.sandbox.paypal.com if you are using a sandbox account, or at https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.

Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.

Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.

Where:

- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.

Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret of the account

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.

Now enter a secret that will be shared between authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.

Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.

Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.

Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, go in Subscriptions → Plans.

Then create a new plan.

Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
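Because the plan ID, amount and currency on the Stripe side must agree with the billing tier and the Stripe source on the PacketFence side, a mismatch silently breaks the subscription flow. The following Python is an added consistency check, not part of the original guide or of PacketFence: it parses the two billing tiers above (copied into a string) and compares them with a constructed sample of Stripe plan records, in which the advanced plan's amount is deliberately wrong; Stripe stores amounts in the smallest currency unit (cents for USD), and the source currency value is assumed.

```python
import configparser
from decimal import Decimal

# The two billing tiers from the example above, reproduced as a string so the
# check runs offline (constructed copy of that configuration fragment).
BILLING_TIERS_CONF = """\
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed sample of the plans as Stripe would list them. Stripe expresses
# 'amount' in the smallest currency unit (cents for USD); the 'advanced'
# amount is deliberately wrong to show what the check reports.
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 899, "currency": "usd", "interval": "month"},
]

# Currency configured on the PacketFence Stripe source (assumed value).
STRIPE_SOURCE_CURRENCY = "usd"


def load_tiers(text):
    """Parse billing tiers in the INI layout shown above: one section per tier,
    the section name being the tier identifier."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {tier_id: dict(parser[tier_id]) for tier_id in parser.sections()}


def to_minor_units(price):
    """Convert a tier price such as '3.99' to an integer number of cents.
    Assumes a two-decimal currency; Decimal avoids binary float rounding."""
    return int((Decimal(price) * 100).to_integral_value())


def check_plans(tiers, plans, source_currency):
    """Return the list of mismatches between tiers and plans; an empty list
    means the two configurations agree on ID, amount and currency."""
    problems = []
    plans_by_id = {plan["id"]: plan for plan in plans}
    for tier_id, tier in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:
            problems.append(f"{tier_id}: no Stripe plan with this ID")
            continue
        expected = to_minor_units(tier["price"])
        if plan["amount"] != expected:
            problems.append(
                f"{tier_id}: Stripe amount {plan['amount']} does not match "
                f"tier price {tier['price']} ({expected} minor units)")
        if plan["currency"].lower() != source_currency.lower():
            problems.append(
                f"{tier_id}: plan currency {plan['currency']} differs from "
                f"the Stripe source currency {source_currency}")
    # Plans that exist in Stripe but have no tier would never be offered.
    for plan_id in sorted(plans_by_id.keys() - tiers.keys()):
        problems.append(f"{plan_id}: Stripe plan has no matching billing tier")
    return problems


if __name__ == "__main__":
    tiers = load_tiers(BILLING_TIERS_CONF)
    for line in check_plans(tiers, STRIPE_PLANS, STRIPE_SOURCE_CURRENCY):
        print(line)
```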

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.

Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

(eduroam, https://www.eduroam.org)

PacketFence supports integration with eduroam and allows participating institutions to both authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:

    client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
    }

    client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied).

proxy.conf example:

    home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together.

proxy.conf example:

    home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain in the username, either as a DOMAIN\ prefix or as an @suffix.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).

The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm
    # prefix or suffix. User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:

    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( Called-Station-Id !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := local
        #    }
        #}

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:

    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }
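To check that the realm and virtual-server configuration above does what is intended before putting it in front of real eduroam traffic, it helps to walk a few User-Names through the decision. The following Python is an added model of that decision, not PacketFence's or FreeRADIUS's code: it mimics the ntdomain and suffix realm modules (in the order of the authorize section), the realm definitions from the proxy.conf example (NULL, EXAMPLE and example.edu local, DEFAULT proxied to the eduroam pool), the optional Called-Station-Id rule, and the post-auth skip for the client shortnames tlrs1 and tlrs2; the sample usernames and SSIDs are constructed.

```python
import re

# Realms from the proxy.conf example above that authenticate locally.
LOCAL_REALMS = {"NULL", "EXAMPLE", "example.edu"}
# home_server_pool that the DEFAULT realm proxies to.
DEFAULT_POOL = "eduroam"
# client shortnames from the clients.conf example above.
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}


def find_domain(user_name):
    """Mimic the ntdomain module (format = prefix, delimiter = "\\") and then
    the suffix module (format = suffix, delimiter = "@"), in the order the
    authorize section lists them. Returns (user, domain) with domain None
    when no realm part is present."""
    if "\\" in user_name:
        # ignore_null = yes: an empty prefix such as "\bob" yields no realm.
        domain, _, user = user_name.partition("\\")
        return user, (domain or None)
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return user, (domain or None)
    return user_name, None


def select_realm(user_name):
    """Return (realm, pool). pool is None when the realm authenticates locally,
    otherwise the home_server_pool the request is proxied to."""
    _, domain = find_domain(user_name)
    if domain is None:
        return "NULL", None
    if domain in LOCAL_REALMS:
        # EXAMPLE or example.edu, compared exactly as written in proxy.conf.
        return domain, None
    # Any other domain falls through to DEFAULT and is assumed to be eduroam.
    return "DEFAULT", DEFAULT_POOL


def decide(user_name, called_station_id=None, client_shortname=None):
    """Combine the realm choice with the two site-specific rules in the
    virtual servers above. called_station_id is only consulted when given,
    i.e. when the optional block in authorize has been uncommented."""
    realm, pool = select_realm(user_name)
    # authorize: a request whose Called-Station-Id does not end in "eduroam"
    # gets Proxy-To-Realm := local, so eduroam users cannot use the other SSIDs.
    if called_station_id is not None and not re.search(r"eduroam$", called_station_id, re.I):
        pool = None
    # post-auth: requests that came from the eduroam servers skip 'packetfence'.
    run_packetfence = client_shortname not in EDUROAM_CLIENTS
    return {"realm": realm, "proxy_to": pool, "run_packetfence": run_packetfence}


if __name__ == "__main__":
    # Constructed sample requests: (User-Name, Called-Station-Id, client shortname).
    samples = [
        ("bob", None, "switch1"),
        ("EXAMPLE\\bob", None, "switch1"),
        ("bob@example.edu", None, "tlrs1"),
        ("alice@other-univ.edu", "02-00-00-00-00-01:eduroam", "switch1"),
        ("alice@other-univ.edu", "02-00-00-00-00-01:Corp-WiFi", "switch1"),
    ]
    for sample in samples:
        print(sample[0], "->", decide(*sample))
```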

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it into the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.

Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

HowitworksConfiguration

floatingnetworkdeviceshavetobeidentifiedusingtheirMACaddress linkuplinkdowntrapsarenotenabledontheswitchesonlyport-securitytrapsare

WhenPacketFencereceivesaport-securitytrapforafloatingnetworkdeviceitchangestheportconfigurationsothat

itdisablesport-security itsetsthePVID iteventuallysetstheportasmulti-vlan(trunk)andsetsthetaggedVlans itenableslinkdowntraps

WhenPFreceivesa linkdowntraponaport inwhichafloatingnetworkdevicewasplugged itchangestheportconfigurationsothat

itenablesport-security itdisableslinkdowntraps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:
- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device

IP Address: IP address of the floating device (not required, for information only)

trunkPort: Yes/no. Should the port be configured as a multi-vlan port?

pvid: VLAN in which PacketFence should put the port

taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan, these are the VLANs that have to be tagged on the port.
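As an added example (not PacketFence's own code), the following Python script reads a floating_network_device.conf, checks the settings listed above for consistency, and derives the port changes PacketFence applies on a port-security or linkdown trap as described in "How it works". The INI layout (one section per MAC address holding ip, trunkPort, pvid and taggedVlan) and the sample entries are assumptions.

```python
import configparser
import re

# Constructed sample of conf/floating_network_device.conf (assumed layout: one section per MAC).
SAMPLE_CONF = """
[00:11:22:33:44:55]
ip=10.0.5.20
trunkPort=yes
pvid=10
taggedVlan=20,30

[aa:bb:cc:dd:ee:ff]
trunkPort=no
pvid=42
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_floating_devices(text):
    """Return {mac: settings}, rejecting entries that cannot produce a sane port config."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep trunkPort / taggedVlan as written
    cfg.read_string(text)
    devices = {}
    for mac in cfg.sections():
        mac_l = mac.lower()
        if not MAC_RE.match(mac_l):
            raise ValueError(f"invalid MAC address section: {mac}")
        sec = cfg[mac]
        trunk = sec.get("trunkPort", "no").lower() in ("yes", "y", "1", "true")
        pvid = int(sec["pvid"])
        tagged = [int(v) for v in sec.get("taggedVlan", "").split(",") if v.strip()]
        for vlan in [pvid] + tagged:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"{mac}: VLAN {vlan} out of range")
        if pvid in tagged:  # assumption: the PVID is untagged, so it cannot also be tagged
            raise ValueError(f"{mac}: pvid {pvid} also listed in taggedVlan")
        if tagged and not trunk:
            raise ValueError(f"{mac}: taggedVlan given but trunkPort is not yes")
        devices[mac_l] = {"ip": sec.get("ip"), "trunkPort": trunk,
                          "pvid": pvid, "taggedVlan": tagged}
    return devices


def port_changes_on_plug(dev):
    """Port reconfiguration when a port-security trap names a floating device."""
    steps = ["disable port-security", f"set PVID {dev['pvid']}"]
    if dev["trunkPort"]:
        vlans = ",".join(str(v) for v in dev["taggedVlan"])
        steps.append(f"set port as multi-vlan (trunk) with tagged VLANs {vlans}")
    steps.append("enable linkdown traps")
    return steps


def port_changes_on_unplug():
    """Port reconfiguration when the linkdown trap arrives: back to the regular state."""
    return ["enable port-security", "disable linkdown traps"]


def handle_trap(devices, trap_type, mac):
    """Dispatch a trap. A port-security trap for an unknown MAC returns None, meaning
    the MAC is handled as a regular device and none of the floating logic applies."""
    if trap_type == "port-security":
        dev = devices.get(mac.lower())
        return port_changes_on_plug(dev) if dev else None
    if trap_type == "linkdown":
        return port_changes_on_unplug()
    raise ValueError(f"unexpected trap type {trap_type}")
```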


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.)

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs - one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and, when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IP was distributed to what node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on that interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled


[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
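As an added example (not PacketFence's own code), the Python script below checks a conf/networks.conf of the shape shown above for the mistakes that silently break routed registration networks (a routed network with no next_hop, a dns value that is not a PacketFence internal interface, a DHCP range or gateway outside the subnet) and builds the router ACL the text recommends for one routed network. The sample file is constructed from the values on this page; the set of internal interface IPs and the check rules are assumptions.

```python
import configparser
import ipaddress

# Constructed from the networks.conf excerpt above: one local and one routed registration network.
SAMPLE_NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
"""

# IP addresses of PacketFence's local internal interfaces (from the pf.conf excerpt above)
INTERNAL_IPS = ("192.168.2.1", "192.168.3.1")
VALID_TYPES = ("vlan-registration", "vlan-isolation")


def _load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def validate_networks(text, internal_ips=INTERNAL_IPS):
    """Return a list of problems; an empty list means the file is self-consistent."""
    problems = []
    local_ips = [ipaddress.ip_address(ip) for ip in internal_ips]
    cfg = _load(text)
    for name in cfg.sections():
        s = cfg[name]
        net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=True)
        gw = ipaddress.ip_address(s["gateway"])
        start = ipaddress.ip_address(s["dhcp_start"])
        end = ipaddress.ip_address(s["dhcp_end"])
        if s["type"] not in VALID_TYPES:
            problems.append(f"{name}: unknown type {s['type']}")
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is outside the network")
        if not (start in net and end in net and start < end):
            problems.append(f"{name}: DHCP range {start}-{end} is not inside the network")
        elif start <= gw <= end:
            problems.append(f"{name}: gateway {gw} lies inside the DHCP range")
        if int(s["dhcp_default_lease_time"]) > int(s["dhcp_max_lease_time"]):
            problems.append(f"{name}: default lease time exceeds max lease time")
        # clients must be handed PacketFence itself as DNS, or pfdns never sees their queries
        if s["dns"] not in internal_ips:
            problems.append(f"{name}: dns {s['dns']} is not a PacketFence internal interface")
        # a network PacketFence sits on directly needs no next_hop; a routed one must have it
        is_local = any(ip in net for ip in local_ips)
        if is_local and s["next_hop"]:
            problems.append(f"{name}: local network should not set next_hop")
        if not is_local and not s["next_hop"]:
            problems.append(f"{name}: routed network needs next_hop")
    return problems


def registration_acl(text, section, vlan_id, acl_name="PF_REGISTRATION"):
    """IOS-style ACL from the text above for one routed network: clients may reach only the
    PacketFence interface they are handed as DNS (plus DHCP via the relay); the rest is logged and dropped."""
    s = _load(text)[section]
    pf_ip = s["dns"]  # the PacketFence internal interface serving this network
    return [
        f"ip access-list extended {acl_name}",
        f" permit ip any host {pf_ip}",
        " permit udp any any eq 67",
        " deny ip any any log",
        f"interface vlan {vlan_id}",
        f" ip address {s['gateway']} {s['netmask']}",
        f" ip helper-address {pf_ip}",
        f" ip access-group {acl_name} in",
    ]
```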


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS Server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = soh-server

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start=auto
sc start napagent

# Wired 802.1X
sc config dot3svc start=auto depend=napagent
sc start dot3svc

netsh nap client show config

# get the ID value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable

The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when "anti-virus is disabled", and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named "Default" or) use the "Add a filter" button to create a filter named "antivirus". Click on "antivirus" in the filter list and select "Trigger violation" in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on "Add a condition", and select "Anti-virus", "is" and "disabled" in the drop-down boxes that appear. Click on the "Save filters" button. Finally, reload the violations either by restarting PacketFence or using the "pfcmd reload violations" command.

The last step is to create a new remediation template called noantivirus.php on the filesystem, in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:
- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN


[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will autoregister the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:
- returnRadiusAccessAccept

And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
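As an added example that is not PacketFence's own filter engine, the Python evaluator below implements the rule syntax shared by the VLAN filter and RADIUS filter sections above: named condition sections (filter, operator, value), rule sections named "N:cond1&cond2&!cond3" that apply to one scope, and a role or RADIUS answer whose $variables are filled from the request. The node/request context passed in, the variables assumed to exist ($user_role, $switch._portalURL, $session_id) and the handling of only the "wd {...} hr {...}" subset of the time syntax are assumptions; the sample rules are the ones on this page.

```python
import configparser
import re
from datetime import datetime

# Constructed sample combining the VLAN-filter and RADIUS-filter rules shown on this page.
SAMPLE_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[2:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id
"""


def _hour(tok):
    """'11am' -> 11, '2pm' -> 14 (12am -> 0, 12pm -> 12)."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)", tok.strip())
    h = int(m.group(1)) % 12
    return h + 12 if m.group(2) == "pm" else h


def in_period(spec, when):
    """Subset of the time syntax used above: 'wd {Mon Tue} hr {11am-2pm}' (end exclusive)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    ok = True
    for scale, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if scale == "wd":
            ok = ok and when.strftime("%a") in body.split()
        else:
            lo, hi = (_hour(t) for t in body.split("-"))
            ok = ok and lo <= when.hour < hi
    return ok


def _flatten(d, prefix=""):
    """{'switch': {'_portalURL': u}} -> {'switch._portalURL': u}, so $vars can be looked up."""
    out = {}
    for k, v in d.items():
        if isinstance(v, dict):
            out.update(_flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out


def condition_matches(cond, ctx):
    """Evaluate one [condition] section against the request/node context."""
    if cond["filter"] == "time":
        return in_period(cond["value"], ctx["time"])
    actual = _flatten(ctx).get(cond["filter"])
    if cond["operator"] == "is":
        return actual == cond["value"]
    if cond["operator"] == "defined":
        return actual is not None
    raise ValueError(f"unsupported operator {cond['operator']}")


def evaluate(text, scope, ctx):
    """First rule "N:a&b&!c" whose scope matches and whose terms all hold, with $vars
    substituted from ctx. Returns the rule's settings as a dict, or None if nothing matched."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    conds = {n: cfg[n] for n in cfg.sections() if ":" not in n}
    flat = _flatten(ctx)
    for name in cfg.sections():
        if ":" not in name or cfg[name].get("scope") != scope:
            continue
        terms = name.split(":", 1)[1].split("&")
        # a leading "!" negates the named condition
        if all(condition_matches(conds[t.lstrip("!")], ctx) != t.startswith("!") for t in terms):
            return {k: re.sub(r"\$(\w+(?:\.\w+)?)", lambda m: str(flat.get(m.group(1), m.group(0))), v)
                    for k, v in cfg[name].items()}
    return None
```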


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:
- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (Core switch, Firewall, Router, …)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking "Add routed network". See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:
- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable "Show parking portal" in Configuration → Parking.

Chapter 13

Copyright © 2016 Inverse inc.    Optional components    92

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:
- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:
- Type: metascan. Trigger ID: the scan result returned by Metadefender Cloud online
- Type: suricata_md5. Trigger ID: the MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:
- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:
- Type: detect. Trigger ID: the IDS triggered rule ID
- Type: suricata_event. Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where:
- Enabled is whether or not the violation is currently activated (should be ON)
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user friendly description of the violation
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log
  - External command will execute a command on the operating system when this violation is raised
  - Close a violation will close an existing violation for this device when this one is raised
  - Set role will modify the role of the device


- Enforce provisioning will trigger a compliance check on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using Mac OS X, and a device that has been detected as being a rogue DHCP server.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. Once that count is reached, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or to shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (Optional)
- OS: only devices with this Operating System will be affected (Optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan on registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: even if auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to the Nessus scan
- Password: password to connect to the Nessus scan
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to the OpenVAS scan
- Password: password to connect to the OpenVAS scan
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device you need to know the SQL request. In order to help you find and make a rule, you can use a third-party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following: retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following: retrieve the currently logged-in user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following: retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

- the request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.
- inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


- the test bloc is a simple test based on the result of the request:
  - attribute is the attribute you want to test
  - operator can be is, is_not, match, match_not
  - value is the value you want to compare
- feel free to define multiple test blocs.
- the action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
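The rule syntax above, worked through as an added example (not PacketFence's own code): it parses test and action blocs written in the format shown, evaluates the tests against a constructed process list, and decides which action blocs fire. The google and memory tests, the sample rows, and the reading of is_not/match_not as plain negations are assumptions.

```python
import re

# Added example, not PacketFence's own code: an offline evaluator for the WMI
# rule syntax described above. Test blocs ([name]) compare one attribute of the
# rows returned by the WMI request; action blocs ([<n>:<logic>]) combine test
# names with !, & and | and fire their action when the logic holds.

# Constructed sample result of "select Name from Win32_Process"
SAMPLE_PROCESSES = [{"Name": "System"}, {"Name": "explorer.exe"}, {"Name": "svchost.exe"}]

# Constructed rule text in the guide's format; the google and memory tests are
# hypothetical, added only to exercise the !, & and | logic
SAMPLE_RULES = """
[explorer]
attribute = Name
operator = match
value = explorer.exe
[google]
attribute = Name
operator = match
value = GoogleUpdate
[memory]
attribute = Name
operator = is
value = svchost.exe

[1:!google|(explorer&memory)]
action = allow
[2:google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
"""

def parse_rules(text):
    """Split the ini-like rule text into test blocs and action blocs."""
    tests, actions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            name = header.group(1)
            if re.match(r"^\d+:", name):          # action bloc: [<n>:<logic>]
                current = {"logic": name.split(":", 1)[1]}
                actions.append(current)
            else:                                  # test bloc: [<name>]
                current = tests.setdefault(name, {})
            continue
        key, _, value = line.partition("=")        # split on the first '=' only
        current[key.strip()] = value.strip()
    return tests, actions

def run_test(rows, test):
    """is/match hold when some row satisfies the comparison; is_not/match_not
    are their negations (assumption: the guide gives no per-row semantics)."""
    attr, op, value = test["attribute"], test["operator"], test["value"]
    if op in ("is", "is_not"):
        hit = any(str(row.get(attr)) == value for row in rows)
    elif op in ("match", "match_not"):
        hit = any(re.search(value, str(row.get(attr, ""))) for row in rows)
    else:
        raise ValueError("unknown operator: " + op)
    return hit if op in ("is", "match") else not hit

def eval_logic(expr, results):
    """Evaluate !google|(explorer&memory) style logic over {test: bool}; ! binds before &, & before |."""
    tokens = re.findall(r"\w+|[!&|()]", expr)

    def factor():
        tok = tokens.pop(0)
        if tok == "!":
            return not factor()
        if tok == "(":
            inner = or_expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')' in " + expr)
            return inner
        return results[tok]          # KeyError for an unknown test name

    def and_expr():
        val = factor()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            val = factor() and val   # evaluate the operand first, then combine
        return val

    def or_expr():
        val = and_expr()
        while tokens and tokens[0] == "|":
            tokens.pop(0)
            val = and_expr() or val
        return val

    val = or_expr()
    if tokens:
        raise ValueError("trailing tokens in " + expr)
    return val

def evaluate(rules_text, rows):
    """Return (logic, action) for every action bloc whose logic holds."""
    tests, actions = parse_rules(rules_text)
    results = {name: run_test(rows, t) for name, t in tests.items()}
    return [(a["logic"], a["action"]) for a in actions if eval_logic(a["logic"], results)]
```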

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

Let's explain each chunk properly:

- DIRECTION: you can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB)
- INTERVAL: this is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y)

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
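The trigger format and the grace period advice above, as an added example that is not PacketFence's own code: it parses Accounting::[DIRECTION][LIMIT][INTERVAL] triggers, checks constructed per-node counters against them, and derives the recommended grace period of one interval window. Binary byte multiples (1 KB = 1024 B) and 30/365-day months/years are assumptions.

```python
import re

# Added example, not PacketFence's own code: parse the
# Accounting::[DIRECTION][LIMIT][INTERVAL] trigger format described above,
# check accounting counters against it, and derive the grace period the guide
# recommends (one interval window). Assumptions: byte units are binary
# multiples (1 KB = 1024 B) and a month/year window is 30/365 days.

TRIGGER_RE = re.compile(
    r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}   # assumed window lengths

def parse_trigger(trigger):
    """Return {"direction", "limit_bytes", "interval"} for a valid trigger."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not an accounting trigger: " + trigger)
    direction, count, unit, n, ivl_unit = m.groups()
    return {
        "direction": direction,
        "limit_bytes": int(count) * UNIT_BYTES[unit],
        "interval": (int(n), ivl_unit) if n else None,   # None: no time window
    }

def window_seconds(trigger):
    """Length of the trigger's time window, or None when it has no interval."""
    ivl = parse_trigger(trigger)["interval"]
    if ivl is None:
        return None
    return ivl[0] * INTERVAL_DAYS[ivl[1]] * 86400

def is_violated(trigger, in_bytes, out_bytes):
    """True when the counters accumulated over the trigger's window exceed its limit."""
    t = parse_trigger(trigger)
    used = {"IN": in_bytes, "OUT": out_bytes, "TOT": in_bytes + out_bytes}[t["direction"]]
    return used > t["limit_bytes"]

def recommended_grace_seconds(trigger):
    """The guide's advice: set the violation grace period to one interval window."""
    return window_seconds(trigger)

# Constructed sample: (downloaded, uploaded) bytes per node over the window
SAMPLE_COUNTERS = {
    "00:11:22:33:44:55": (55 * 1024 ** 3, 200 * 1024 ** 2),  # 55 GB down, 200 MB up
    "66:77:88:99:aa:bb": (10 * 1024 ** 3, 600 * 1024 ** 2),  # 10 GB down, 600 MB up
}

def offenders(trigger, counters):
    """MAC addresses whose counters violate the trigger, sorted."""
    return sorted(mac for mac, (i, o) in counters.items() if is_violated(trigger, i, o))
```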

Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL certificate matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup.

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the units of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
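The duration format above, computed against a fixed reference time as an added example that is not PacketFence's own code. The reading of F and R (F adds the duration to the reference time; R first rounds the reference time down to the start of its unit, weeks starting on Monday) is an interpretation of the text above, and the sample dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Added example, not PacketFence's own code: compute an access expiry date
# from the duration format described above,
# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>].
# Interpretation assumed from the guide's text: base F adds the duration to
# the reference time; base R first rounds the reference time down to the start
# of its DATETIME_UNIT (weeks start on Monday); the optional operator part is
# then added to or subtracted from that result.

DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")

def add_months(dt, months):
    """Calendar month arithmetic; the day is clamped to the target month."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))

def add_duration(dt, n, unit):
    """Add n units (negative n subtracts) using the guide's unit letters."""
    fixed = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}
    if unit in fixed:
        return dt + timedelta(**{fixed[unit]: n})
    if unit == "M":
        return add_months(dt, n)
    if unit == "Y":
        return add_months(dt, 12 * n)
    raise ValueError("unknown unit: " + unit)

def period_start(dt, unit):
    """Round dt down to the beginning of its unit (the relative base R)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())   # back to Monday
    if unit == "M":
        return day.replace(day=1)
    if unit == "Y":
        return day.replace(month=1, day=1)
    raise ValueError("unknown unit: " + unit)

def access_expiry(spec, ref):
    """Expiry datetime for an access duration spec, relative to ref."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("bad access duration: " + spec)
    n, unit, base, op, ext_n, ext_unit = m.groups()
    start = period_start(ref, unit) if base == "R" else ref
    end = add_duration(start, int(n), unit)
    if op:
        end = add_duration(end, int(ext_n) if op == "+" else -int(ext_n), ext_unit)
    return end

def invalid_choices(csv):
    """Entries of a comma-separated access_duration_choices value that do not parse."""
    return [c for c in csv.split(",") if not DURATION_RE.match(c)]
```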

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


#
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
    Select ReplacementStrings,"Account name" |
    ForEach-Object {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin"    # Username for the webservices
        $password = "admin"    # Password for the webservices
        # Accepts any certificate presented by PacketFence; with a trusted certificate on the server this line can be dropped
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        # ReplacementStrings[0] of event 4726 is the deleted account name, used as the PacketFence PID
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()

        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-deleted-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges

Triggers → New:

- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726

Actions → New:


- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

#
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
    Select ReplacementStrings,"Account name" |
    ForEach-Object {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin"    # Username for the webservices
        $password = "admin"    # Password for the webservices
        # Accepts any certificate presented by PacketFence; with a trusted certificate on the server this line can be dropped
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        # ReplacementStrings[0] of event 4725 is the disabled account name, used as the PacketFence PID
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()

        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-disabled-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges

Triggers → New:

- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725

Actions → New:

- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


#
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
    Select ReplacementStrings,"Account name" |
    ForEach-Object {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin"    # Username for the webservices
        $password = "admin"    # Password for the webservices
        # Accepts any certificate presented by PacketFence; with a trusted certificate on the server this line can be dropped
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        # ReplacementStrings[0] of event 4740 is the locked-out account name, used as the PacketFence PID
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()

        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-locked-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges

Triggers → New:

- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4740


Actions → New:

- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings:

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).


Then run: nssm install udpreflector

In Application:

- In Path, set it to C:\udp-reflector\udpreflector.bat
- In Startup directory, set it to C:\udp-reflector
- In Arguments, set it to nothing

In Details:

- In Startup type, select Automatic

In Log on:

- In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

# where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l)
# where 192.168.1.5 is the management IP of your PacketFence server
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action Switches CLI - Read or Switches CLI - Write, and assign this role to an internal user or in an Administration rule in an internal source.

Chapter 14

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/, and it's configured to do a weekly log rotation and to keep old logs with compression. It has been added during the PacketFence initial installation.

Chapter 15

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default, PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
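The per-port, per-minute limit described above, as an added example that is not PacketFence's own code: a sliding window counts traps per (switch, port) and reports a port the first time it exceeds the threshold within a minute. The trap tuples are constructed, and the reset behaviour once a burst subsides is an assumption.

```python
from collections import defaultdict, deque

# Added example, not PacketFence's own code: a per-switch-port sliding window
# that mirrors the trap_limit feature described above. Traps are constructed
# (timestamp, switch_ip, ifIndex) tuples; a port is reported the first time
# more than `threshold` traps arrive from it within one minute, and again only
# after its rate has dropped back under the threshold (assumed behaviour).

WINDOW_SECONDS = 60

class TrapLimiter:
    def __init__(self, threshold=100):
        self.threshold = threshold          # trap_limit_threshold
        self.windows = defaultdict(deque)   # (switch, port) -> recent arrival times
        self.flagged = set()

    def observe(self, ts, switch, port):
        """Record one trap; return True when this port first exceeds the limit."""
        key = (switch, port)
        window = self.windows[key]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:   # drop traps older than a minute
            window.popleft()
        if len(window) > self.threshold:
            if key in self.flagged:
                return False
            self.flagged.add(key)
            return True
        self.flagged.discard(key)   # burst is over; a later burst may be reported again
        return False

def offending_ports(traps, threshold=100):
    """Ports that exceeded the limit, in the order they were first detected."""
    limiter = TrapLimiter(threshold)
    return [(sw, port) for ts, sw, port in sorted(traps) if limiter.observe(ts, sw, port)]

# Constructed sample: 150 traps in 30 s from port 12 of one switch (a flapping
# link), and a normal trickle of 10 traps over 3 minutes from another port.
SAMPLE_TRAPS = [(1000 + i * 0.2, "192.168.1.10", 12) for i in range(150)]
SAMPLE_TRAPS += [(1000 + i * 20, "192.168.1.11", 3) for i in range(10)]
```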

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO Wait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON

Startup MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL: [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh located in addons/ that performs this cleanup, in addition to optimizing tables on Sunday and daily backups.
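The archive step described above, as an added example that is not PacketFence's own addons/database-backup-and-maintenance.sh script: it uses an in-memory SQLite database with a reduced, assumed locationlog schema (mac, switch, port, vlan, start_time, end_time; the real table has more columns) and applies the closed-record rule from the text, end_time not null and not the zero date, plus an age threshold, moving the matching rows into locationlog_archive inside a single transaction so a failure leaves both tables consistent. SQLite has no zero-date value, so MySQL's '0000-00-00 00:00:00' is matched literally.

```python
"""Move closed locationlog entries into locationlog_archive.

Added example, not PacketFence code. The schema below is a reduced,
assumed version of the real locationlog table; only the end_time rule
from the guide matters here.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE locationlog (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT,
    start_time TEXT NOT NULL, end_time TEXT
);
CREATE TABLE locationlog_archive (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT,
    start_time TEXT NOT NULL, end_time TEXT
);
"""

# "Closed" as the guide defines it: end_time is set to a real date
# (not NULL and not MySQL's zero date, spelled out literally for SQLite).
CLOSED_CONDITION = "end_time IS NOT NULL AND end_time NOT IN ('0', '0000-00-00 00:00:00')"


def seed(conn, now):
    """Insert constructed sample rows: two open sessions and two closed ones."""
    def ts(d):
        return d.strftime("%Y-%m-%d %H:%M:%S")
    rows = [
        # open session, end_time NULL
        ("52:54:00:12:35:02", "10.0.0.1", "1", "20", ts(now - timedelta(days=1)), None),
        # open session, zero date
        ("52:54:00:12:35:03", "10.0.0.1", "2", "20", ts(now - timedelta(days=2)), "0000-00-00 00:00:00"),
        # closed 30 days ago: eligible for the archive
        ("52:54:00:12:35:04", "10.0.0.2", "1", "30", ts(now - timedelta(days=40)), ts(now - timedelta(days=30))),
        # closed yesterday: too recent for a 7-day threshold
        ("52:54:00:12:35:05", "10.0.0.2", "2", "30", ts(now - timedelta(days=3)), ts(now - timedelta(days=1))),
    ]
    conn.executemany("INSERT INTO locationlog VALUES (?, ?, ?, ?, ?, ?)", rows)


def archive_closed_entries(conn, older_than_days, now=None):
    """Copy closed rows whose end_time is older than the threshold into the
    archive table, then delete them from locationlog, in one transaction.
    Returns the number of rows moved."""
    now = now or datetime.now()
    cutoff = (now - timedelta(days=older_than_days)).strftime("%Y-%m-%d %H:%M:%S")
    where = f"WHERE {CLOSED_CONDITION} AND end_time < ?"
    with conn:  # commit on success, roll back if either statement fails
        conn.execute(f"INSERT INTO locationlog_archive SELECT * FROM locationlog {where}", (cutoff,))
        moved = conn.execute(f"DELETE FROM locationlog {where}", (cutoff,)).rowcount
    return moved


def row_counts(conn):
    """Return (rows left in locationlog, rows in locationlog_archive)."""
    live = conn.execute("SELECT COUNT(*) FROM locationlog").fetchone()[0]
    archived = conn.execute("SELECT COUNT(*) FROM locationlog_archive").fetchone()[0]
    return live, archived


def demo(older_than_days=7):
    """Build the sample database, run the archive step and report the counts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    now = datetime(2016, 6, 1, 12, 0, 0)  # fixed clock so the sample is reproducible
    seed(conn, now)
    moved = archive_closed_entries(conn, older_than_days, now=now)
    return moved, row_counts(conn)


if __name__ == "__main__":
    moved, (live, archived) = demo()
    print(f"moved {moved} row(s); {live} left in locationlog, {archived} in locationlog_archive")
```

With the 7-day threshold only the session closed 30 days ago is moved; the NULL and zero-date rows stay because they are still open, and the session closed yesterday stays because it is too recent. Lowering the threshold to 0 moves both closed rows.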

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
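An added example, not PacketFence code, that audits the [mysqld] section of a my.cnf against the advice in this section: the InnoDB buffer pool at 50-80% of RAM, max_connections of at least 300 for the freeradius module, and a larger connection-error allowance so a loaded server does not end up with "Host ... is blocked". The text names no variable for "allow more connection errors"; the example assumes the standard MySQL variable max_connect_errors is the knob meant, and the 10-error default comes from the text. The two configuration samples are constructed: one with the MySQL defaults shown in the "show variables" output above, one with the tuned values from the my.cnf above plus a raised max_connect_errors.

```python
"""Audit a my.cnf [mysqld] section against the tuning advice in this chapter.

Added example, not PacketFence code. Thresholds: buffer pool between 50%
and 80% of RAM, max_connections >= 300, max_connect_errors raised above
MySQL's default of 10 (max_connect_errors is assumed to be the variable
the guide means by "allow more connection errors").
"""
import configparser
import re

# Constructed sample: stock defaults as shown by "show variables" above.
SAMPLE_DEFAULT_MY_CNF = """\
[mysqld]
innodb_buffer_pool_size=8388608
max_connections=100
"""

# Constructed sample: the tuned values from the my.cnf above, plus a
# raised max_connect_errors.
SAMPLE_TUNED_MY_CNF = """\
[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700
max_connect_errors=10000

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value):
    """Turn '800M', '1G' or a plain byte count into an integer number of bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", str(value))
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def load_mysqld_section(text):
    """Parse my.cnf text and return the [mysqld] options as a dict.

    Bare flags such as innodb_file_per_table have no '=' sign, which
    configparser accepts when allow_no_value is set.
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["mysqld"]) if cp.has_section("mysqld") else {}


def audit_mysqld(text, ram_bytes, min_connections=300, min_connect_errors=1000):
    """Return a list of (variable, finding) tuples; an empty list means the config passes."""
    opts = load_mysqld_section(text)
    findings = []

    # Missing variables fall back to the defaults quoted in the guide.
    pool = parse_size(opts.get("innodb_buffer_pool_size", "8388608"))
    low, high = int(ram_bytes * 0.5), int(ram_bytes * 0.8)
    mib = 1024 ** 2
    if pool < low:
        findings.append(("innodb_buffer_pool_size",
                         f"{pool // mib}M is below 50% of RAM; set it between "
                         f"{low // mib}M and {high // mib}M"))
    elif pool > high:
        findings.append(("innodb_buffer_pool_size",
                         f"{pool // mib}M exceeds 80% of RAM and risks swapping"))

    conns = int(opts.get("max_connections", "100"))
    if conns < min_connections:
        findings.append(("max_connections",
                         f"{conns} is too low for the freeradius module; use at least {min_connections}"))

    errors = int(opts.get("max_connect_errors", "10"))
    if errors < min_connect_errors:
        findings.append(("max_connect_errors",
                         f"{errors} lets a loaded server block the RADIUS host; raise it "
                         f"or schedule 'mysqladmin flush-hosts'"))
    return findings


if __name__ == "__main__":
    for label, cnf in (("default", SAMPLE_DEFAULT_MY_CNF), ("tuned", SAMPLE_TUNED_MY_CNF)):
        print(f"[{label}]")
        for var, msg in audit_mysqld(cnf, ram_bytes=2 * 1024 ** 3) or [("-", "no findings")]:
            print(f"  {var}: {msg}")
```

Run it against the real /etc/my.cnf by reading the file into a string and passing the server's physical memory as ram_bytes; the default sample trips all three checks, the tuned sample passes on a 1 GB host (800M sits inside the 50-80% band) and would trip the buffer-pool check on a larger one, which is the point of sizing it from RAM rather than copying the number.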

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or baremetal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

# service packetfence stop

Create an ext4 partition:

# mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:


# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
# mkdir /usr/local/pf/var/graphite
# mount -a
# df -h

Apply the proper user rights and restore your database from your backup:

# chown pf:pf /usr/local/pf/var/graphite
# cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

# rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

* packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
* packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
* packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


Usage: pfcmd <command> [options]

Commands:
 cache                        | manage the cache subsystem
 checkup                      | perform a sanity checkup and report any problems
 class                        | view violation classes
 configfiles                  | push or pull configfiles into/from database
 configreload                 | reload the configution
 floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
 help                         | show help for pfcmd commands
 ifoctetshistorymac           | accounting history
 ifoctetshistoryswitch        | accounting history
 ifoctetshistoryuser          | accounting history
 import                       | bulk import of information into the database
 ipmachistory                 | IP/MAC history
 locationhistorymac           | Switch/Port history
 locationhistoryswitch        | Switch/Port history
 networkconfig                | query/modify network configuration parameters
 node                         | manipulate node entries
 pfconfig                     | interact with pfconfig
 portalprofileconfig          | query/modify portal profile configuration parameters
 reload                       | rebuild fingerprint or violations tables without restart
 service                      | start/stop/restart and get PF daemon status
 schedule                     | Nessus scan scheduling
 switchconfig                 | query/modify switches.conf configuration parameters
 version                      | output version information
 violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

 Command:
   -deauthenticate      de-authenticate a dot11 client
   -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
   -getAlias            show the description of the specified switch port
   -getAllMACs          show all MACS on all switch ports
   -getHubs             show switch ports with several MACs
   -getIfOperStatus     show the operational status of the specified switch port
   -getIfType           show the ifType on the specified switch port
   -getLocation         show at which switch port the MAC is found
   -getSwitchLocation   show SNMP location of specified switch
   -getMAC              show all MACs on the specified switch port
   -getType             show switch type
   -getUpLinks          show the upLinks of the specified switch
   -getVersion          show switch OS version
   -getVlan             show the VLAN on the specified switch port
   -getVlanType         show the VLAN type on the specified port
   -help                brief help message
   -isolate             set the switch port to the isolation VLAN
   -man                 full documentation
   -reAssignVlan        re-assign a switch port VLAN
   -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
   -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
   -setAlias            set the description of the specified switch port
   -setDefaultVlan      set the switch port to the default VLAN
   -setIfAdminStatus    set the admin status of the specified switch port
   -setVlan             set VLAN on the specified switch port
   -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

 Options:
   -alias          switch port description
   -ifAdminStatus  ifAdminStatus
   -ifIndex        switch port ifIndex
   -mac            MAC address
   -showPF         show additional information available in PF
   -switch         switch description
   -verbose        log verbosity level
                     0 : fatal messages
                     1 : warn messages
                     2 : info messages
                     3 : debug
                     4 : trace
   -vlan           VLAN id
   -vlanName       VLAN name (as in switches.conf)


Passthrough 79
Production DHCP access 80
Proxy Interception 81
Routed Networks 82
Statement of Health (SoH) 85
VLAN Filter Definition 86
RADIUS Filter Definition 88
DNS enforcement 90
Parked devices 90

Optional components 92
Blocking malicious activities with violations 92
Compliance Checks 100
RADIUS Accounting 105
Oinkmaster 106
Guests Management 107
Active Directory Integration 110
DHCP remote sensor 115
Switch login access 117

Operating System Best Practices 118
IPTables 118
Log Rotations 118

Performance optimization 119
SNMP Traps Limit 119
MySQL optimizations 119
Captive Portal Optimizations 122
Dashboard Optimizations (statistics collection) 123

Additional Information 125
Commercial Support and Contact Information 126
GNU Free Documentation License 127
A. Administration Tools 128

pfcmd 128
pfcmd_vlan 129


About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs:

* Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration
* Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware
* CREDITS: This is, at least, a partial file of PacketFence contributors
* NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release
* UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading
* ChangeLog: Covers all changes to the source code


Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.

Features

* Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

* In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

* Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

* Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

* Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

* 802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

* Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

* Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

* Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

* Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

* Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

* Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

* Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

* Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

* Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

* Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall / gateway.

Components

PacketFence requires various components to work such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

* Database server (MySQL or MariaDB)
* Web server (Apache)
* DHCP server (ISC DHCP)
* RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

* NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

* Intel or AMD CPU 3 GHz
* 8 GB of RAM
* 100 GB of disk space (RAID-1 recommended)
* 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:


* RedHat Enterprise Linux 6.x and 7.x Server
* Community ENTerprise Operating System (CentOS) 6.x and 7.x
* Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

* Web server (httpd)
* DHCP server (dhcpd)
* FreeRADIUS server (radiusd)
* Snort/Suricata Network IDS (snort/suricata)
* Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

* Disable Firewall
* Disable SELinux
* Disable AppArmor
* Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

RedHat-based systems

Note: Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

RedHat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from RedHat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

* easy installation
* everything is packaged as RPM/deb (no more CPAN hassle)
* easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:


yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

* Inline
* Out-of-band
* Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of.

* Everyone behind an inline interface is on the same Layer 2 LAN
* Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
* Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
* Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5 TheuserrsquosdeviceissuesaDHCPDNSrequesttoPacketFence(whichisaDHCPDNSserveronthisVLANorforthisrole)whichsendstheIPandDNSinformationAtthispointACLsarelimitingredirectingtheusertothePacketFencersquoscaptiveportalforauthenticationPacketFencefingerprintsthedevice(user-agentattributesDHCPinformationampMACaddresspatterns)towhichitcantakevariousactionsincludingkeepdeviceonregistrationportaldirecttoalternatecaptive portal auto-register thedevice auto-block thedevice etc If thedevice remains ontheregistrationportaltheuserregistersbyprovidingtheinformation(usernamepasswordcellphonenumberetc)At this timePacketFencecouldalsorequire thedevicetogothroughapostureassessment(usingNessusOpenVASetc)

6 Ifauthentication is required (usernamepassword) througha loginformthosecredentialsarevalidatedviatheDirectoryserver(oranyotherauthenticationsources-likeLDAPSQLRADIUSSMSFacebookGoogle+etc)whichprovidesuserattributestoPacketFencewhichcreatesuser+devicepolicyprofileinitsdatabase

7 PacketFenceperformsaChangeofAuthorization(RFC3576)onthecontrollerandtheusermustbere-authenticatedreauthorizedsowegobackto1

8 PacketFenceserverdirectsWLANcontrollerviaRADIUStoputthedeviceinanauthenticatedroleldquoorinthenormalVLAN

WebAuthmodeWebauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptiveportalWiththismodeyourdevicewillneverchangeofVLANIDbutonlytheACLassociatedtoyourdevicewillchangeRefertotheNetworkDevicesConfigurationGuidetoseeasamplewebauthconfigurationonaCiscoWLC

Port-securityandSNMPReliesontheport-securitySNMPTrapsAfakestaticMACaddressisassignedtoalltheportsthiswayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFenceThesystemwillauthorizetheMACandsettheportintherightVLANVoIPsupportispossiblebuttrickyItvariesalotdependingontheswitchvendorCiscoiswellsupportedbutisolationofaPCbehindanIPPhoneleadstoaninterestingdilemmaeitheryoushuttheport(andthephoneatthesametime)oryouchangethedataVLANbutthePCdoesnrsquotdoDHCP(didnrsquotdetectlinkwasdown)soitcannotreachthecaptiveportal

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes. And every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this generates unfortunately some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.

If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
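To make the three trap styles above concrete, here is an added example (not PacketFence's pfsetvlan code) that replays constructed trap lines through a small model of the decision logic described in this section: a linkUp parks the port in the void MAC detection VLAN and starts polling, a linkDown on the same port cancels that poll, and a MAC learnt or port-security trap carries the MAC so the port can be assigned directly from the node's status. The one-line log format, the VLAN numbers and the node table are all constructed for the demo; the real snmptrapd.log layout is not shown on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed VLAN numbers for the demo (real values come from switches.conf).
MAC_DETECTION_VLAN = 999   # the "void" VLAN: no DHCP, not routed
REGISTRATION_VLAN = 2      # unregistered devices land here
ISOLATION_VLAN = 3         # devices with open violations
NORMAL_VLAN = 10           # registered, clean devices

# Constructed stand-in for the node database: mac -> (registered, open_violation)
NODE_DB = {
    "00:11:22:33:44:55": (True, False),
    "66:77:88:99:aa:bb": (True, True),
}

# Constructed one-line trap format: "<switch-ip> <ifIndex> <trapType> [<mac>]".
TRAP_RE = re.compile(
    r"^(?P<switch>\S+) (?P<port>\d+) (?P<kind>\w+)(?: (?P<mac>[0-9a-f:]{17}))?$"
)


def vlan_for(mac):
    """Decide the VLAN from the node's status, as pfsetvlan does once the MAC is known."""
    registered, violation = NODE_DB.get(mac, (False, False))
    if violation:
        return ISOLATION_VLAN
    if not registered:
        return REGISTRATION_VLAN
    return NORMAL_VLAN


@dataclass
class TrapHandler:
    port_vlan: dict = field(default_factory=dict)  # (switch, ifIndex) -> current VLAN
    polling: set = field(default_factory=set)      # ports still being polled for a MAC

    def handle(self, line):
        """Apply one trap line; returns the VLAN now set on that port."""
        m = TRAP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable trap line: {line!r}")
        key = (m["switch"], int(m["port"]))
        kind, mac = m["kind"], m["mac"]
        if kind == "linkUp":
            # MAC not learned yet: park the port in the void VLAN and start polling.
            self.port_vlan[key] = MAC_DETECTION_VLAN
            self.polling.add(key)
        elif kind == "linkDown":
            # Cancel any pending poll for the same port (the boot-time flapping case).
            self.polling.discard(key)
            self.port_vlan[key] = MAC_DETECTION_VLAN
        elif kind in ("macLearnt", "portSecurityViolation"):
            # Both traps carry the MAC, so no polling is needed any more.
            if mac is None:
                raise ValueError(f"{kind} trap without a MAC: {line!r}")
            self.polling.discard(key)
            self.port_vlan[key] = vlan_for(mac)
        elif kind == "macRemoved":
            self.port_vlan[key] = MAC_DETECTION_VLAN
        else:
            raise ValueError(f"unknown trap type {kind!r}")
        return self.port_vlan[key]


def replay(lines):
    """Feed constructed trap lines through the handler and return its final state."""
    handler = TrapHandler()
    for line in lines:
        if line.strip():
            handler.handle(line)
    return handler


# Constructed sample: a PC flaps its link while booting and is then learned;
# two more devices show up through port-security violations.
SAMPLE_LOG = """
192.168.0.10 12 linkUp
192.168.0.10 12 linkDown
192.168.0.10 12 linkUp
192.168.0.10 12 macLearnt 00:11:22:33:44:55
192.168.0.10 13 portSecurityViolation 66:77:88:99:aa:bb
192.168.0.10 14 portSecurityViolation de:ad:be:ef:00:01
""".splitlines()

if __name__ == "__main__":
    state = replay(SAMPLE_LOG)
    for port, vlan in sorted(state.port_vlan.items()):
        print(port, "->", vlan)
```

Running the sample leaves port 12 in the normal VLAN, port 13 in isolation (open violation) and port 14 in registration (unknown MAC), with no port left in the polling set; the port-security lines show why that trap style needs no polling at all.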


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter is working like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement technique rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN or the inline VLAN if defined in switch configuration) and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
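The following is an added example (not PacketFence's own code) of parsing and evaluating a trigger string of the shape shown above. It assumes items are separated by commas and each item is `TYPE::value` except the bare `ALWAYS`, as in the example; it normalizes MAC notation so a controller reporting `0011.2233.4455` still matches, and rejects malformed items rather than silently ignoring them, since a typo in a trigger would otherwise put a device in the wrong enforcement mode.

```python
VALID_KINDS = {"PORT", "MAC", "SSID"}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_trigger(value):
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into a list of (kind, argument)."""
    triggers = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.upper() == "ALWAYS":
            triggers.append(("ALWAYS", None))
            continue
        # partition on the first '::' so the colons inside a MAC are left alone
        kind, sep, arg = item.partition("::")
        kind, arg = kind.strip().upper(), arg.strip()
        if not sep or kind not in VALID_KINDS or not arg:
            raise ValueError(f"malformed inline trigger: {item!r}")
        if kind == "PORT":
            arg = int(arg)            # the ifIndex of the port
        elif kind == "MAC":
            arg = normalize_mac(arg)
        triggers.append((kind, arg))
    return triggers


def should_enforce_inline(triggers, *, ifindex=None, mac=None, ssid=None):
    """True if any trigger matches the connecting device (inline VLAN would then be returned)."""
    for kind, arg in triggers:
        if kind == "ALWAYS":
            return True
        if kind == "PORT" and ifindex == arg:
            return True
        if kind == "MAC" and mac is not None and normalize_mac(mac) == arg:
            return True
        if kind == "SSID" and ssid == arg:
            return True
    return False


if __name__ == "__main__":
    triggers = parse_inline_trigger("SSID::GuestAccess,MAC::00:11:22:33:44:55")
    print(triggers)
    print(should_enforce_inline(triggers, ssid="GuestAccess", mac="aa:aa:aa:aa:aa:aa"))  # True
    print(should_enforce_inline(triggers, ssid="Corp", mac="0011.2233.4455"))          # True
    print(should_enforce_inline(triggers, ssid="Corp", mac="aa:aa:aa:aa:aa:aa"))       # False
```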


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLAN, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e. a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLAN or internal roles or ACL on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory

Apache htpasswd file

Email

External HTTP API

Facebook (OAuth2)

Github (OAuth2)

Google (OAuth2)

Kerberos

LDAP

LinkedIn (OAuth2)

Null

RADIUS

SMS

Sponsored Email

Twitter (OAuth2)

Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any users that match in the authentication source.
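The first-match-wins evaluation described above, as an added example rather than PacketFence's own code: sources are tried in order, each source's rules in order, a rule with no conditions is the fallback, and the first rule whose conditions all hold stops the search across every remaining source. The directories are replaced by constructed in-memory user tables, and the condition operators (`equals`, `contains`, `starts`) and action names are this example's own, not the GUI's exact labels. The AD source carries one conditional rule ahead of the catch-all to show why rule order matters.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Rule:
    name: str
    conditions: list = field(default_factory=list)  # (attribute, operator, value); empty = fallback
    actions: dict = field(default_factory=dict)     # e.g. {"set_role": "employee"}


@dataclass
class Source:
    name: str
    users: dict   # constructed stand-in for the directory: username -> attribute dict
    rules: list


def condition_matches(attrs, cond):
    """Evaluate one condition against the attributes returned by the source."""
    attribute, operator, value = cond
    actual = attrs.get(attribute)
    if actual is None:
        return False
    values = actual if isinstance(actual, (list, tuple)) else [actual]  # multi-valued LDAP attrs
    if operator == "equals":
        return any(v == value for v in values)
    if operator == "contains":
        return any(value in v for v in values)
    if operator == "starts":
        return any(v.startswith(value) for v in values)
    raise ValueError(f"unknown operator {operator!r}")


def evaluate(sources, username):
    """Return (source, rule, actions) for the first matching rule, or None if no source knows the user."""
    for source in sources:
        attrs = source.users.get(username)
        if attrs is None:
            continue   # unknown in this source: a catch-all here must not fire, try the next source
        for rule in source.rules:
            if all(condition_matches(attrs, c) for c in rule.conditions):
                return source.name, rule.name, rule.actions
    return None


# Constructed sources mirroring the guide's walk-through: AD for employees
# (plus a group-based rule placed before the catch-all) and the internal
# database for guests.
AD1 = Source(
    "ad1",
    users={
        "alice": {"sAMAccountName": "alice", "memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
        "bob": {"sAMAccountName": "bob", "memberOf": ["CN=Sales,CN=Users,DC=acme,DC=local"]},
    },
    rules=[
        Rule("it-staff", [("memberOf", "starts", "CN=IT,")],
             {"set_role": "it", "set_unreg_date": date(2020, 1, 1)}),
        Rule("employees", [], {"set_role": "employee", "set_unreg_date": date(2020, 1, 1)}),
    ],
)
LOCAL = Source(
    "local",
    users={"guest1": {"username": "guest1"}},
    rules=[Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"})],
)
SOURCES = [AD1, LOCAL]

if __name__ == "__main__":
    for user in ("alice", "bob", "guest1", "mallory"):
        print(user, "->", evaluate(SOURCES, user))
```

Note the behaviour the guide's first note below describes: the catch-all `employees` rule only fires for usernames the AD source actually returns, so `guest1` falls through to the internal source and an unknown user matches nothing.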

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From the Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role employee

Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration for 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role machineauth

Set unregistration date January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}


Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need.

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.

API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
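As an added example (not the example_external_auth add-on shipped with PacketFence), here is a minimal external API in Python's standard library that implements both actions and the optional HTTP basic authentication described above. It assumes the POST field names `username` and `password`, the relative paths `auth` and `authz`, and a constructed user table and API credential; credential comparisons use constant-time equality, and a request without valid API credentials is refused before any field is looked at, so a reachable API endpoint cannot be used as a password oracle by anything other than PacketFence.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed user store; a real implementation would query a directory or database.
USERS = {
    "alice": {"password": "s3cret-pw", "category": "employee", "access_duration": "1D"},
}
# Constructed credentials that PacketFence's "API username and password" fields must carry.
API_USER, API_PASSWORD = "pfapi", "pf-api-pass"


def _eq(a, b):
    """Constant-time string comparison (encoded so non-ASCII input cannot raise)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_header(user, password):
    """Build the RFC 2617 Basic header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def basic_auth_ok(header):
    """Validate a Basic header; False on anything missing or malformed."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode("utf-8").partition(":")
    except Exception:
        return False
    return _eq(user, API_USER) and _eq(pwd, API_PASSWORD)


def authenticate(fields):
    """Authentication action: result 1/0 plus a message, as in the guide's JSON example."""
    record = USERS.get(fields.get("username", ""))
    if record and _eq(record["password"], fields.get("password", "")):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields):
    """Authorization action: return only the attributes PacketFence should apply."""
    record = USERS.get(fields.get("username", ""))
    if not record:
        return {}
    return {"category": record["category"], "access_duration": record["access_duration"]}


def handle(path, auth_header, body):
    """Route one POST request; returns (http_status, json_reply)."""
    if not basic_auth_ok(auth_header):
        return 401, {"result": 0, "message": "API credentials rejected"}
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if path == "/auth":
        return 200, authenticate(fields)
    if path == "/authz":
        return 200, authorize(fields)
    return 404, {"result": 0, "message": "unknown action"}


class ApiHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8")
        status, reply = handle(self.path, self.headers.get("Authorization"), body)
        data = json.dumps(reply).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Matching PacketFence source fields: Host http://127.0.0.1:8080,
    # Authentication URL auth, Authorization URL authz, API username/password as above.
    HTTPServer(("127.0.0.1", 8080), ApiHandler).serve_forever()
```

The pure `handle()` function can be exercised without starting the server, which is also the easiest way to test such an API before pointing PacketFence at it; in production the Host field should use https so the user's password and the API credential are not sent in the clear.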

SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.


Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).


Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your identity provider according to the generated metadata to complete the Trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/Mac/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco Switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).


PacketFence needs sometimes to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLAN which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
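Since switches.conf collects the RADIUS secret, SNMP, CLI, web-services and role-mapping settings described in this section, a reviewer will want to check a file for the weak settings this section warns about before putting a switch into production mode. The following added example (not a PacketFence tool) parses a constructed switches.conf with Python's configparser, applies the documented [default]-then-per-switch precedence, parses the `<rolename>Role=<controller_role>` mapping, and lists findings such as SNMP v1/v2c, MD5/DES SNMPv3 protocols, Telnet or plain http transports, a short RADIUS secret, a switch not in production mode, or a role mapped to an empty controller role. It assumes mapping entries are joined with `;` in the `roles` value (the page shows them one per line) and uses the key names shown on this page.

```python
import configparser
import io

# Constructed switches.conf fragment: a [default] section and two switches, the
# second deliberately left on weak settings so the checks have something to flag.
SWITCHES_CONF = """\
[default]
mode = production
SNMPVersion = 3
radiusSecret = ChangeMeToSomethingLong
roles = adminRole=full-access;engineeringRole=full-access;salesRole=little-access

[192.168.0.10]
type = Cisco::Catalyst_2960
SNMPAuthProtocolRead = SHA
SNMPPrivProtocolRead = AES
cliTransport = SSH

[192.168.0.11]
type = Cisco::Catalyst_2960
mode = testing
SNMPVersion = 2c
cliTransport = Telnet
wsTransport = http
radiusSecret = short
roles = adminRole=full-access;guestRole=
"""


def load_switches(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str   # keep the CamelCase keys exactly as written
    cp.read_file(io.StringIO(text))
    return cp


def parse_role_map(value):
    """'adminRole=full-access;salesRole=little-access' -> {'admin': 'full-access', ...}."""
    mapping = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, controller_role = item.partition("=")
        if not sep or not key.endswith("Role"):
            raise ValueError(f"bad role mapping entry: {item!r}")
        mapping[key[:-len("Role")]] = controller_role.strip()
    return mapping


def effective(cp, section, key, fallback=""):
    """Per-switch value, else the [default] value, else the fallback."""
    if cp.has_option(section, key):
        return cp.get(section, key)
    if cp.has_option("default", key):
        return cp.get("default", key)
    return fallback


def lint(cp):
    """Return a list of (switch, finding) for settings a reviewer would question."""
    findings = []
    for sw in cp.sections():
        if sw == "default":
            continue
        mode = effective(cp, sw, "mode")
        if mode != "production":
            findings.append((sw, f"mode is {mode!r}: no VLAN changes will be made"))
        if effective(cp, sw, "SNMPVersion") != "3":
            findings.append((sw, "SNMPv1/v2c community strings travel in cleartext; prefer v3 or RADIUS"))
        for k in ("SNMPAuthProtocolRead", "SNMPAuthProtocolWrite", "SNMPAuthProtocolTrap"):
            if effective(cp, sw, k).upper() == "MD5":
                findings.append((sw, f"{k} uses MD5; prefer SHA"))
        for k in ("SNMPPrivProtocolRead", "SNMPPrivProtocolWrite", "SNMPPrivProtocolTrap"):
            if effective(cp, sw, k).upper() == "DES":
                findings.append((sw, f"{k} uses DES; prefer AES"))
        if effective(cp, sw, "cliTransport").lower() == "telnet":
            findings.append((sw, "cliTransport is Telnet: CLI credentials sent in cleartext"))
        if effective(cp, sw, "wsTransport").lower() == "http":
            findings.append((sw, "wsTransport is http: web-services credentials sent in cleartext"))
        if len(effective(cp, sw, "radiusSecret")) < 16:
            findings.append((sw, "radiusSecret missing or shorter than 16 characters"))
        for role, controller_role in parse_role_map(effective(cp, sw, "roles")).items():
            if not controller_role:
                findings.append((sw, f"role {role!r} maps to an empty controller role"))
    return findings


if __name__ == "__main__":
    for switch, finding in lint(load_switches(SWITCHES_CONF)):
        print(f"{switch}: {finding}")
```

The sample's first switch inherits every setting it does not override from [default] and produces no findings; the second produces one finding per weak setting, which is the list to work through before flipping its mode to production.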


Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server who hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.

When configured, portal profiles will override default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

SSID: Guest-SSID

VLAN: 100

Switch Port: <SwitchId>-<Port>

Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with a 802.1x connection or if you use VLAN filters.
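The following added example (not PacketFence's profile-selection code) loads a constructed conf/profiles.conf and picks the profile for a connection using the four common filter types listed above, falling back to the default profile when nothing matches. It assumes one `Type:value` filter per profile, that profiles are tried in file order, and the context keys (`ssid`, `vlan`, `switch`, `port`, `ip`) are this example's own names. Validating the filter at load time matters because the text says filter is the only mandatory parameter: a profile without one, or with an unparseable network, is rejected up front rather than silently never matching.

```python
import configparser
import io
import ipaddress

# Constructed conf/profiles.conf using the filter syntax shown in the guide.
PROFILES_CONF = """\
[guest-wifi]
description = Guest wireless portal
filter = SSID:Guest-SSID
sources = sms,email

[lab]
description = Lab VLAN portal
filter = VLAN:100
sources = ad1

[branch]
description = Branch office network
filter = Network:10.20.0.0/16
sources = ad1

[kiosk]
description = A single wired port
filter = SwitchPort:192.168.0.10-12
sources = null
"""

FILTER_KINDS = {"SSID", "VLAN", "Network", "SwitchPort"}


def load_profiles(text):
    """Parse profiles.conf into a list of (name, filter_kind, filter_value, sources)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    profiles = []
    for name in cp.sections():
        if not cp.has_option(name, "filter"):
            raise ValueError(f"profile {name!r} has no filter (the only mandatory parameter)")
        raw = cp.get(name, "filter")
        kind, sep, value = raw.partition(":")
        if not sep or kind not in FILTER_KINDS or not value:
            raise ValueError(f"profile {name!r}: unsupported filter {raw!r}")
        if kind == "Network":
            value = ipaddress.ip_network(value, strict=False)   # CIDR block or single IP
        elif kind == "VLAN":
            value = int(value)
        sources = [s.strip() for s in cp.get(name, "sources", fallback="").split(",") if s.strip()]
        profiles.append((name, kind, value, sources))
    return profiles


def filter_matches(kind, value, ctx):
    """ctx holds what is known about the connection; missing keys simply do not match."""
    if kind == "SSID":
        return ctx.get("ssid") == value
    if kind == "VLAN":
        return ctx.get("vlan") == value
    if kind == "SwitchPort":
        return "switch" in ctx and "port" in ctx and f"{ctx['switch']}-{ctx['port']}" == value
    if kind == "Network":
        return "ip" in ctx and ipaddress.ip_address(ctx["ip"]) in value
    return False


def select_profile(profiles, ctx):
    """First profile (file order) whose filter matches; otherwise the default profile."""
    for name, kind, value, sources in profiles:
        if filter_matches(kind, value, ctx):
            return name, sources
    return "default", []


if __name__ == "__main__":
    profiles = load_profiles(PROFILES_CONF)
    for ctx in ({"ssid": "Guest-SSID"}, {"vlan": 100}, {"ip": "10.20.5.7"},
                {"switch": "192.168.0.10", "port": 12}, {"ssid": "Corp", "ip": "192.168.1.5"}):
        print(ctx, "->", select_profile(profiles, ctx))
```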

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage PacketFence admin interface

httpd.portal is used to manage PacketFence captive portal interface

httpd.webservices is used to manage PacketFence web services interface

httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now, execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.


Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.


Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms:

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains:

Once they are configured, go in Configuration → Realms:


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now, create the two other realms associated to your other domains:

You should now have the following realm configuration:


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba: You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for Centos/RHEL:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for Centos/RHEL:


[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:


service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For Centos/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
 User-Name = "myDomainUser"
 NAS-IP-Address = 10.0.0.1
 NAS-Port = 12
 Message-Authenticator = 0x00000000000000000000000000000000
 MS-CHAP-Challenge = 0x79d62c9da4e55104
 MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your user's entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1x connections against OpenLDAP you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as a NT-HASH or as cleartext.


    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add openldap to the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This option allows the local credentials created during guest registration to be used for 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS, ...) and activate Create local account on that source.

At the end of the guest registration, PacketFence sends an email with the credentials for Email and Sponsor registration. For SMS registration, the phone number and the PIN code are the credentials.


Note: This option does not currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This activates the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting out the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a sponsor registration
                pfsponsor
                if (fail || notfound) {
                    # Don't check activation table with phone number and PIN code
                    #pfsms    <--- This line was commented out
                    if (fail || notfound) {
                        update control {
                            &MS-CHAP-Use-NTLM-Auth := Yes
                        }
                    }
                }
            }
        }
    }

Each check only runs if the previous one failed or found nothing; when none of the local tables match, MS-CHAP-Use-NTLM-Auth is set back to Yes so that the request falls through to ntlm_auth against the domain.

Note: For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and only local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate the feature only on a specific SSID name (Secure-local-Wireless): we disable NTLM authentication, test the local account, and re-enable NTLM authentication if that check fails:

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            update control {
                MS-CHAP-Use-NTLM-Auth := Yes
            }
        }
    }

Caution: You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext. Accounts created after that change are stored with a recoverable password, so restrict who can read the PacketFence database and its backups.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section covers the Portal Modules, which define the behavior of the captive portal.


Note: When upgrading from a version that does not have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that fit most cases and offer the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners are used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied, in a chained way, to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows you to give the user a choice between multiple modules. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: The authentication modules can be of many types. You would define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

    Billing: Allows you to define a module based on one or more billing sources.

    Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

    Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, ...).

    Other modules: The other modules are all based on the source type they are assigned to; they allow you to select the source, the AUP acceptance and the mandatory fields, if applicable.

Examples

This section contains the following examples:

- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order not to affect the default policy. To do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit Save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and, under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would be displayed since the Root module we configured does not contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt for fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and an access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user does not have to accept the AUP before submitting these fields.

Next, add the prompt_fields module to my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a module based on that source that specifies the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in default_guest_policy.

Note: Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook, ...).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules, in the desired sequence.

This example configures a Chained module that requires the user to log in via any configured OAuth source (GitHub, Google+, ...) and then validate his phone number using SMS registration.

For the OAuth login we will use default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that contains the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source, and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.


Next, add the chained_oauth_sms module to my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.

Mixing login and Secure SSID on-boarding on the portal

This example guides you through configuring a portal flow that allows devices to access an open SSID using an LDAP username/password, but also gives the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to the section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This makes sure that if there is no match on the other provisioners, the device is not allowed through.

Also, in the portal profile, add your LDAP source to the available sources so that it is the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skippable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module to my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

    Hello World. <a href="https://www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world to the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for use by the user. The same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the Perl class name of the sources you want available, e.g. pf::Authentication::Source::SMSSource will select all the SMS sources, and pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, ...).

Sources by type: Allows you to filter sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter sources using the class attribute of the Authentication object.


See default_guest_policy and default_oauth_policy for examples of this module.

Chapter 10. Debugging

Log files

Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log          PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access      Apache, Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error       Apache, Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access       Apache, Web Admin Services Access Log
    /usr/local/pf/logs/httpd.admin.error        Apache, Web Admin Services Error Log
    /usr/local/pf/logs/httpd.webservices.access Apache, Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error  Apache, Webservices Error Log
    /usr/local/pf/logs/httpd.aaa.access         Apache, AAA Access Log
    /usr/local/pf/logs/httpd.aaa.error          Apache, AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this does not help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct

Debug output prints the attributes of every request, including User-Password for PAP requests, so treat the captured output as sensitive.


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to get output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf, or

b. Run raddebug as root (less secure).

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above outputs FreeRADIUS authentication debug logs for 5 minutes (300 seconds).

Use the following to debug RADIUS accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.

Chapter 11. More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge. In fact, depending on the hardware you have, not really. In this section we will see why.

CDP and LLDP are your friends

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine whether the connecting device is an IP Phone and tell the IP Phone to tag its Ethernet frames using the configured voice VLAN on the switch port.

On many other vendors you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its Ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way we will have one MAC address authorized on the voice VLAN and one on the access VLAN.


Note: Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence responds with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its Ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server returns tunneled attributes and the switch places the port in the provided access VLAN.

Non-Cisco hardware

On other vendors' hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we can return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note: Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing?

It is possible that your phone doesn't support CDP or LLDP. If that's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its Ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to tweak both the registration DHCP server and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone is assigned to the registration VLAN).

Chapter 12. Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence that it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. Installing such a file on your Apple device automatically configures the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence we go further: we generate the profile according to the administrator's preferences and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner, enter the SSID and save.

Now do the same thing for the iOS provisioner.


After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file so that the unregistered device can reach Google Play to fetch the agent:

    [trapping]
    passthrough=enabled
    passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user is shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and are forwarded to Google Play to install the PacketFence agent. Launching the application and clicking Configure creates the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users for access to the network. When configured, the user who wants to access the network/Internet is prompted with a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note: This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts, expand the business account and click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings as follows.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My Account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.


Caution: The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

- Identity token is the one you noted on the Website Payment Preferences page.
- Cert ID is the one you noted on the Encrypted Payment Settings page.
- Payment type is whether the access is donation based (not mandatory to pay for it).
- Email address is the email address of the merchant Paypal account.
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default).
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

- Secret key is the secret key you got from your Stripe account.
- Publishable key is the publishable key you got from your Stripe account.
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using the test key and secret of the account.

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or on http://developer.authorize.net for a sandbox account.

After you have created your account, you will be shown your API login ID and Transaction key. Note both of them for use in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

- API login ID is the one you got earlier while creating your account.
- Transaction key is the one you got earlier while creating your account.
- MD5 hash is the secret you configured in your Authorize.net account.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which define the price and the target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier.
- Name is the friendly name of the billing tier.
- Description is an extended description of the billing tier.
- Price is the amount that will be charged to the user.
- Access duration is the amount of time the user will be granted access to your network.
- Role is the target role the user should be in.
- Use time balance defines whether the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note: If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so that it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example uses the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, go in Subscriptions → Plans.

Then create a new plan.


Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests to a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain. Because this endpoint is plain HTTP and reachable from the whole Internet, anything that accepts those requests should validate that they really come from Stripe.


Then, in Stripe, configure a Webhook so that Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence is notified and unregisters that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users are prompted to log in as if they were registering themselves. Once logged in, the portal asks them to enter the device MAC address, which is then matched against a predefined list of authorized MAC OUIs. The device is registered with the user's id and can be assigned to a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed at the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate visiting users from other institutions locally, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:

Chapter 12

Copyright © 2016 Inverse inc. Advanced topics 71

    client tlrs1.eduroam.us {
        secret    = useStrongerSecret
        shortname = tlrs1
    }

    client tlrs2.eduroam.us {
        secret    = useStrongerSecret
        shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and such requests will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

    home_server tlrs1.eduroam.us {
        type   = auth
        ipaddr = 257.128.1.1
        port   = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
        type        = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either as a DOMAIN\user prefix or as a user@domain suffix.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam: FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm
    # prefix or suffix. User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( Called-Station-Id =~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := local
        #    }
        #}

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


    # 'username@realm'
    realm suffix {
        format    = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format      = prefix
        delimiter   = "\\"
        ignore_null = yes
    }

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going to the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two, depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works

Configuration

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the Vlans that have to be tagged on the port.


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain, like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain, like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses to IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design, otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
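A sanity check for routed-network definitions, as an added example (not PacketFence code), that applies the rules stated in this section to a networks.conf fragment before you commit it: gateway and DHCP range inside the subnet, a next_hop on a local internal subnet for every routed network, and dns pointing at an internal interface, since those are the only addresses dhcpd and pfdns listen on. It assumes the internal interface addresses of the pf.conf example above and treats any network whose gateway is not an internal interface as routed; the third section of the constructed sample is deliberately wrong to show the reporting.

```python
import configparser
import ipaddress

# Local internal interfaces from the pf.conf example above (ip -> netmask);
# these are the only addresses dhcpd and pfdns listen on.
INTERNAL_INTERFACES = {"192.168.2.1": "255.255.255.0",
                       "192.168.3.1": "255.255.255.0"}

# Constructed sample in the networks.conf format: one local and one routed
# registration network as in the guide, plus a deliberately broken one.
SAMPLE_NETWORKS = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=
dns=8.8.8.8
dhcp_start=192.168.30.10
dhcp_end=192.168.31.200
type=vlan-isolation
"""


def check_networks(text, internal=INTERNAL_INTERFACES):
    """Return {network: [problems]} for every section; [] means it passed."""
    local_subnets = [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
                     for ip, mask in internal.items()]
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        sec, problems = cp[name], []
        net = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
        addr = {k: ipaddress.ip_address(sec[k])
                for k in ("gateway", "dhcp_start", "dhcp_end")}
        for key, ip in addr.items():
            if ip not in net:
                problems.append(f"{key} {ip} is outside {net}")
        if addr["dhcp_start"] > addr["dhcp_end"]:
            problems.append("dhcp_start is after dhcp_end")
        # a network whose gateway is not one of our internal interfaces
        # is reached through a router, so PacketFence needs a next_hop
        routed = sec["gateway"] not in internal
        next_hop = sec.get("next_hop", "").strip()
        if routed and not next_hop:
            problems.append("routed network needs next_hop")
        elif next_hop and not any(ipaddress.ip_address(next_hop) in s
                                  for s in local_subnets):
            problems.append(f"next_hop {next_hop} is not on a local internal subnet")
        if sec["dns"] not in internal:
            problems.append(f"dns {sec['dns']} is not an internal interface IP")
        report[name] = problems
    return report


if __name__ == "__main__":
    for network, problems in check_networks(SAMPLE_NETWORKS).items():
        print(network, "OK" if not problems else "; ".join(problems))
```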


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start=auto
    sc start napagent

    :: Wired 802.1X
    sc config dot3svc start=auto depend=napagent
    sc start dot3svc

    netsh nap client show config

    :: get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default, or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN


    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will autoregister the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
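A small evaluator for the filter syntax shared by vlan_filters.conf (the VLAN Filter Definition section above) and radius_filters.conf, as an added example (not PacketFence code) to test a rule set offline before deploying it. It implements only the subset the examples above use: the is and defined operators, &-joined rule names with a ! prefix for negation, and the wd {...} hr {...} time value (the end hour is treated as exclusive, an assumption of this example); the filter texts and request attributes are constructed.

```python
import configparser
import re
from datetime import datetime

# Constructed samples in the syntax of vlan_filters.conf and
# radius_filters.conf (condition and rule names follow the guide's examples).
VLAN_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""
RADIUS_FILTERS = """
[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept
"""
WEEKDAYS = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}

def parse_hour(text):
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip().lower())
    if not m:
        raise ValueError("bad hour: %r" % text)
    hour = int(m.group(1)) % 12
    return hour + 12 if m.group(2) == "pm" else hour

def time_matches(spec, now):
    """Evaluate 'wd {Mon ...} hr {11am-2pm}'; the end hour is exclusive."""
    wd = re.search(r"wd\s*\{([^}]*)\}", spec)
    hr = re.search(r"hr\s*\{([^}]*)\}", spec)
    if wd and now.weekday() not in {WEEKDAYS[d] for d in wd.group(1).split()}:
        return False
    if hr:
        start, end = (parse_hour(p) for p in hr.group(1).split("-"))
        if not start <= now.hour < end:
            return False
    return True

def load_filters(text):
    """Split the file into condition sections (they carry a 'filter' key)
    and rule sections (named '<id>:<cond>&<cond>...')."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep key case as written
    cp.read_string(text)
    conditions = {n: dict(cp[n]) for n in cp.sections() if "filter" in cp[n]}
    rules = {n: dict(cp[n]) for n in cp.sections() if ":" in n}
    return conditions, rules

def condition_holds(cond, request, now):
    """request maps criteria names (ssid, node_info.category, ...) to values."""
    attr, op = cond["filter"], cond["operator"]
    if op == "defined":
        return request.get(attr) is not None
    if op == "is":
        if attr == "time":
            return time_matches(cond["value"], now)
        return request.get(attr) is not None and str(request[attr]) == cond["value"]
    raise ValueError("unsupported operator %r" % op)

def evaluate(filter_text, scope, request, now):
    """First rule of the given scope whose conditions all hold: returns
    (rule_name, settings) or None. A '!' prefix negates a condition."""
    conditions, rules = load_filters(filter_text)
    for name, rule in rules.items():
        if rule.get("scope") != scope:
            continue
        terms = name.split(":", 1)[1].split("&")
        if all(condition_holds(conditions[t.lstrip("!")], request, now)
               != t.startswith("!") for t in terms):
            return name, rule
    return None

if __name__ == "__main__":
    # constructed request: default-category device on SECURE, Monday noon
    req = {"node_info.category": "default", "ssid": "SECURE"}
    print(evaluate(VLAN_FILTERS, "RegisteredRole", req, datetime(2016, 6, 6, 12, 0)))
    print(evaluate(RADIUS_FILTERS, "returnRadiusAccessAccept",
                   {"connection_type": "Ethernet-EAP"}, datetime.now()))
```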


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, etc.)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.

The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.

Chapter 13

Copyright © 2016 Inverse inc. Optional components 92

Optionalcomponents

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note

To benefit the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering in the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such account can be obtained through the OPSWAT portal: https://portal.opswat.com

Other requirement is a Suricata working installation, built with libnss / libnspr support as described in the upper Installation section.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next:

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration. If not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the followings:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

- Type: metascan; Triggers ID: The scan result returned by Metadefender Cloud online
- Type: suricata_md5; Trigger ID: The MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is a Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follow (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the followings, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alerts log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the followings:

- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

- Type: detect; Triggers ID: The IDS triggered rule ID
- Type: suricata_event; Trigger ID: The rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where:

- Enabled is whether or not the violation is currently activated (should be ON)
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user friendly description of the violation
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log
  - External command will execute a command on the operating system when this violation is raised
  - Close a violation will close an existing violation for this device when this one is raised
  - Set role will modify the role of the device


  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device
- Priority defines the order onto which violations should be handled should there be more than one for a device
- Whitelisted Roles is the list of roles that are not affected by this violation

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases:

- A device that has generated Peer-to-peer traffic and that is using MAC OS X
- A device that has been detected as being a rogue DHCP

Click the + sign at the top right in order to create a new trigger, then in the dropdown, select Suricata.

A menu will appear into which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal
- Max Enables is the amount of time a user can use the Auto Enable functionality. After this amount of time, s/he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month)
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


- Delay by is the delay before triggering the violation
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are now able to create multiple scan engines configuration and assign them on specific captive portals. It means, per example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note

You may run into some issue while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web gui and retrieving the IDs in the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

- Name: the name of your scan engine
- Roles: Only devices with these role(s) will be affected (Optional)
- OS: Only devices with this Operating System will be affected (Optional)
- Duration: Approximate duration of scan (Progress bar on the captive portal)
- Scan before registration: Trigger the scan when the device appears on the registration VLAN
- Scan after registration: Trigger the scan just after registration on the captive portal
- Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

- Hostname or IP Address: Hostname or IP Address where Nessus is running
- Username: Username to connect to Nessus scan
- Password: Password to connect to Nessus scan
- Port of the service: port to connect (default 8834)
- Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)

Specific to OpenVAS:

- Hostname or IP Address: Hostname or IP Address where OpenVAS is running
- Username: Username to connect to OpenVAS scan
- Password: Password to connect to OpenVAS scan
- Port of the service: port to connect (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

- Username: A username from Active Directory that is allowed to connect to WMI
- Domain: Domain of the Active Directory
- Password: Password of the account
- WMI Rules: Ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = 'Google'

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = 'explorer.exe'

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

- the request is the SQL request you will launch on the remote device; you must know what the request will return to write the test
- inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer])


The test bloc is a simple test based on the result of the request:

- attribute is the attribute you want to test
- operator can be: is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. Per example, let's take this one: [1:google&explorer]. This means that if the google test is true and explorer is true, then we execute the action. The logic can be more complex and can be something like that: [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note

Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


- PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server

If you are using the Nessus scanning engine:

- You just have to change the host value by the Nessus server IP

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION]::[LIMIT]::[INTERVAL (optional)]

Let's explain each chunk properly:

- DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth
- LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB)
- INTERVAL: This is actually the time window we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y)

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month:

Accounting::IN::50GB::1M

Look for Outgoing (Upload) traffic with a 500MB/day:

Accounting::OUT::500MB::1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:


Accounting::TOT::200GB::1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
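As an added example (not from this guide or from PacketFence's code), the following Python snippet parses the Accounting trigger format described above and checks constructed accounting records against it. The 30-day month and 365-day year used for INTERVAL, and the records themselves, are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Byte multipliers for the LIMIT units the page lists (B, KB, MB, GB, PB).
LIMIT_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# INTERVAL units (D, W, M, Y); the month and year lengths are an assumption of this example.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(
    r"^Accounting::(IN|OUT|TOT)::(\d+)(B|KB|MB|GB|PB)(?:::(\d+)([DWMY]))?$"
)


def parse_trigger(trigger):
    """Split 'Accounting::DIRECTION::LIMIT[::INTERVAL]' into (direction, limit_bytes, window).
    window is a timedelta, or None when no INTERVAL was given (all records then count)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"malformed accounting trigger: {trigger!r}")
    direction, amount, unit, count, interval_unit = m.groups()
    limit = int(amount) * LIMIT_UNITS[unit]
    window = timedelta(days=int(count) * INTERVAL_DAYS[interval_unit]) if count else None
    return direction, limit, window


def usage_in_window(records, direction, window, now):
    """Sum the bytes of interest over the records inside the window.
    Each record is (timestamp, bytes_in, bytes_out); bytes_in is what the client downloaded."""
    cutoff = now - window if window else None
    total = 0
    for stamp, bytes_in, bytes_out in records:
        if cutoff is not None and stamp < cutoff:
            continue
        if direction == "IN":
            total += bytes_in
        elif direction == "OUT":
            total += bytes_out
        else:  # TOT = download + upload
            total += bytes_in + bytes_out
    return total


def trigger_fires(trigger, records, now):
    """True when the node's usage over the trigger's window exceeds its LIMIT."""
    direction, limit, window = parse_trigger(trigger)
    return usage_in_window(records, direction, window, now) > limit


def recommended_grace(trigger):
    """The page's advice: set the violation grace period to one interval window."""
    return parse_trigger(trigger)[2]


# Constructed sample accounting data for one node: (timestamp, bytes in, bytes out).
GB, MB = LIMIT_UNITS["GB"], LIMIT_UNITS["MB"]
SAMPLE_RECORDS = [
    (datetime(2016, 6, 14), 30 * GB, 100 * MB),
    (datetime(2016, 6, 10), 25 * GB, 300 * MB),
    (datetime(2016, 5, 1), 40 * GB, 2 * GB),
]
NOW = datetime(2016, 6, 15)

if __name__ == "__main__":
    for t in ("Accounting::IN::50GB::1M", "Accounting::OUT::500MB::1D",
              "Accounting::TOT::200GB::1W", "Accounting::IN::50GB"):
        print(t, "->", trigger_fires(t, SAMPLE_RECORDS, NOW))
```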

Oinkmaster

Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster
2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expire dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests sponsored their access by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable his access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution

Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice, however, that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that a MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

- DURATION: a number corresponding to the period duration
- DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years)
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years))

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that a MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
#
# Event ID 4726 = "A user account was deleted"; ReplacementStrings[0] holds the deleted account name.
Get-EventLog -LogName Security -InstanceId 4726 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: this disables TLS certificate validation for the call below
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC request asking PacketFence to unregister every node owned by this pid
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-deleted-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges

Triggers → New:

- Begin on the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726

Actions → New:


- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:

At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
# Event ID 4725 = "A user account was disabled"; ReplacementStrings[0] holds the disabled account name.
Get-EventLog -LogName Security -InstanceId 4725 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: this disables TLS certificate validation for the call below
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC request asking PacketFence to unregister every node owned by this pid
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-disabled-account
- Check: Run whether user is logged on or not
- Check: Run with highest privileges

Triggers → New:

- Begin on the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725

Actions → New:

- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:

At the bottom, select in the list: Run a new instance in parallel.

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


    # Powershell script to unregister locked Active Directory account based on the UserName.

    Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | % {
        $url = "https://IP_PACKETFENCE:9090"
        $username = "admin" # Username for the webservices
        $password = "admin" # Password for the webservices
        # Accepts any server certificate; restrict this to the PacketFence certificate where you can
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
        # JSON-RPC 2.0 call; ReplacementStrings[0] holds the account name from event 4740
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

        # POST the call to the PacketFence web services with HTTP basic credentials
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()

        # Read and print the JSON-RPC reply
        $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
    }

Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General
  Name: PacketFence-Unreg_node-for-locked-account
  Check: Run whether user is logged on or not
  Check: Run with highest privileges

Triggers → New
  Begin on the task: On an event
  Log: Security
  Source: Microsoft Windows security auditing
  Event ID: 4740

Actions → New
  Action: Start a program
  Program/script: powershell.exe
  Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings
  At the bottom, select in the list: Run a new instance in parallel

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).
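Both scripts above build a JSON-RPC 2.0 call to unreg_node_for_pid by string concatenation and switch off certificate validation. The following Python script is an added example, not part of the PacketFence documentation or code base: it builds the same request body with a JSON encoder (so an account name containing quotes cannot break the payload) and sends it over a TLS connection whose certificate is verified, optionally against a CA bundle you supply. The URL, credentials and the ca_bundle parameter are this example's assumptions; the method name and parameter layout are those used by the scripts.

```python
import base64
import json
import ssl
import urllib.request
from typing import Optional

# Assumed values for this example: replace with your PacketFence management IP
# and the web services credentials set under Configuration -> Web Services.
PF_URL = "https://IP_PACKETFENCE:9090"
USERNAME = "admin"
PASSWORD = "admin"


def build_unreg_request(pid: str) -> bytes:
    """Build the JSON-RPC 2.0 body for unreg_node_for_pid.

    pid is the account name the scheduled task reads from the security event
    (ReplacementStrings[0] of event 4725 or 4740). json.dumps() quotes the
    value, so a name containing quotes or backslashes cannot break the JSON
    the way plain string concatenation can. The "id" member is omitted, as in
    the PowerShell scripts.
    """
    body = {
        "jsonrpc": "2.0",
        "method": "unreg_node_for_pid",
        "params": ["pid", pid],
    }
    return json.dumps(body).encode("ascii")


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credentials, the same ones NetworkCredential sends in the scripts."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def send_unreg_request(pid: str, ca_bundle: Optional[str] = None) -> dict:
    """POST the call to PacketFence and return the decoded JSON-RPC reply.

    The server certificate is verified against the system CA store, or against
    the PEM bundle in ca_bundle (for instance the PacketFence certificate
    exported from the server) when one is given. Verification is never turned
    off, which is the change from ServerCertificateValidationCallback = {$true}.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        PF_URL,
        data=build_unreg_request(pid),
        method="POST",
        headers={
            "Content-Type": "application/json-rpc",
            "Authorization": basic_auth_header(USERNAME, PASSWORD),
        },
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        reply = json.loads(resp.read().decode("utf-8"))
    if "error" in reply:
        raise RuntimeError(f"PacketFence returned an error: {reply['error']}")
    return reply


if __name__ == "__main__":
    # Constructed account name, standing in for the value taken from the event log.
    print(build_unreg_request("jdoe").decode("ascii"))
```

Run it with an account name to see the exact body that reaches PacketFence; send_unreg_request() is what a scheduled task would call, with ca_bundle pointing at the PacketFence certificate when it is self-signed.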

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First download and unzip nssm from https://nssm.cc/download

Next create a batch file udpreflector.bat in C:\udp-reflector that contains:

    C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run: nssm install udpreflector

In Application:
  In Path set it to: C:\udp-reflector\udpreflector.bat
  In Startup directory set it to: C:\udp-reflector
  In Arguments set it to nothing

In Details:
  In Startup type select: Automatic

In Logon:
  In Logon as select: Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

    rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

    libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


    mkdir -p ~/udp-reflector && cd ~/udp-reflector
    wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
    g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.
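The reflector copies raw DHCP messages from UDP port 67 to port 767 on the PacketFence server. The parser below is an added example, not part of the udp_reflector or PacketFence code, for checking that what arrives on port 767 is intact: it decodes the BOOTP header and the option list (RFC 2131/2132), refuses messages without the magic cookie or with an option length that runs past the packet, and extracts the fields PacketFence uses, including option 55, the parameter request list behind DHCP fingerprinting. The sample DISCOVER and the MAC, hostname and transaction id in it are constructed for the example.

```python
import struct
from typing import Any, Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(packet: bytes) -> Dict[str, Any]:
    """Decode the fields PacketFence cares about from one DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("invalid hardware address length")
    chaddr = packet[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:  # length field points past the end of the packet
            raise ValueError(f"option {code} truncated")
        options[code] = data
        i += 2 + length
    mtype = options.get(53, b"\x00")[0]
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": MESSAGE_TYPES.get(mtype, f"unknown({mtype})"),
        "hostname": options.get(12, b"").decode("ascii", "replace") or None,
        # Option 55 (parameter request list) is what DHCP fingerprinting keys on.
        "parameter_request_list": list(options.get(55, b"")),
    }


def build_discover(mac: bytes, xid: int, hostname: str, params: bytes) -> bytes:
    """Construct a DHCPDISCOVER so the parser can be exercised offline."""
    header = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0x8000)  # op=1, Ethernet, broadcast flag
    header += b"\x00" * 16                                                # ciaddr, yiaddr, siaddr, giaddr
    header += mac + b"\x00" * (16 - len(mac))                             # chaddr padded to 16 bytes
    header += b"\x00" * 192                                               # sname + file
    opts = bytes([53, 1, 1])                                              # message type = DISCOVER
    opts += bytes([12, len(hostname)]) + hostname.encode("ascii")
    opts += bytes([55, len(params)]) + params
    return header + MAGIC_COOKIE + opts + b"\xff"


# Constructed sample, as the reflector would deliver it to UDP port 767.
SAMPLE_DISCOVER = build_discover(bytes.fromhex("525400123502"), 0x3903F326, "laptop-01", bytes([1, 3, 6, 15]))

if __name__ == "__main__":
    for key, value in parse_dhcp(SAMPLE_DISCOVER).items():
        print(f"{key:>22}: {value}")
```

Feeding parse_dhcp() the datagrams received on port 767 (for instance from a short tcpdump capture on the PacketFence management interface) confirms that the reflected copy still carries client MACs and option 55 intact.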

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From the PacketFence web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.


Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. If you need to add custom rules, you can modify conf/iptables.conf to your own needs; the default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and is configured to do a weekly log rotation and to keep old logs with compression. It has been added during the PacketFence initial installation.


Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

    [vlan]
    trap_limit = enabled
    trap_limit_threshold = 100
    trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
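To make the threshold concrete, here is an added example (not PacketFence's own implementation) of the per-port counting the trap_limit feature describes: a sliding 60-second window per (switch, ifIndex) that raises one notification when the count passes trap_limit_threshold and stays quiet until the burst subsides, so a flapping port yields a single action rather than one per trap. The trap stream, switch address and port numbers are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Same defaults as the [vlan] section of conf/pf.conf shown above.
TRAP_LIMIT_THRESHOLD = 100   # traps per switch port ...
TRAP_LIMIT_WINDOW = 60.0     # ... per minute

PortKey = Tuple[str, int]    # (switch IP, ifIndex)


class TrapLimiter:
    """Sliding-window count of SNMP traps per switch port.

    record() returns a message once more than `threshold` traps have arrived
    from one port within `window` seconds, then stays silent for that port
    until its count has fallen back under the threshold.
    """

    def __init__(self, threshold: int = TRAP_LIMIT_THRESHOLD, window: float = TRAP_LIMIT_WINDOW):
        self.threshold = threshold
        self.window = window
        self._arrivals: Dict[PortKey, Deque[float]] = defaultdict(deque)
        self._tripped: set = set()

    def record(self, switch_ip: str, if_index: int, now: float) -> Optional[str]:
        key = (switch_ip, if_index)
        arrivals = self._arrivals[key]
        arrivals.append(now)
        # Drop arrivals that have fallen out of the window.
        while arrivals and now - arrivals[0] >= self.window:
            arrivals.popleft()
        if len(arrivals) > self.threshold:
            if key in self._tripped:
                return None
            self._tripped.add(key)
            return (f"{switch_ip} ifIndex {if_index}: {len(arrivals)} traps in "
                    f"{self.window:.0f}s exceeds trap_limit_threshold={self.threshold}")
        self._tripped.discard(key)
        return None


def replay(limiter: TrapLimiter, traps: List[Tuple[float, str, int]]) -> List[str]:
    """Feed (timestamp, switch, ifIndex) tuples in order and collect the notifications."""
    alerts = []
    for ts, switch_ip, if_index in traps:
        msg = limiter.record(switch_ip, if_index, ts)
        if msg:
            alerts.append(msg)
    return alerts


def demo_alerts() -> List[str]:
    # Constructed trap stream: port 3 of one switch sends 150 traps in 30 s
    # while port 7 sends a steady 1 trap per second, which stays under the limit.
    traps = [(i * 0.2, "192.168.1.10", 3) for i in range(150)]
    traps += [(float(i), "192.168.1.10", 7) for i in range(60)]
    traps.sort()
    return replay(TrapLimiter(), traps)


if __name__ == "__main__":
    for line in demo_alerts():
        print(line)
```

In PacketFence the notification is whatever trap_limit_action is set to (email, or shutting the port); here the returned message stands in for that action so the counting logic can be tested on its own.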

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

    # uptime
     11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

    # iostat 5
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    3.20   20.20   76.00
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       32.40         0.00      1560.00          0       7800
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.20    9.20   88.00
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        7.80         0.00        73.60          0        368
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    1.80   23.80   73.80
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       31.40         0.00      1427.20          0       7136
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.40   18.16   78.84
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO Wait is peaking at 20%; this is not good. If your IO wait is low but your MySQL is taking 50% or more CPU, this is also not good. Check your MySQL install for the following variables:

    mysql> show variables;
    | innodb_additional_mem_pool_size | 1048576 |
    | innodb_autoextend_increment     | 8       |
    | innodb_buffer_pool_awe_mem_mb   | 0       |
    | innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

    # /etc/init.d/packetfence stop
    Shutting down PacketFence...
    [...]
    # /etc/init.d/mysql stop
    Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):


    [mysqld]
    # Set buffer pool size to 50-80% of your computer's memory
    innodb_buffer_pool_size=800M
    innodb_additional_mem_pool_size=20M
    innodb_flush_log_at_trx_commit=2
    innodb_file_per_table
    # allow more connections
    max_connections=700
    # set cache size
    key_buffer_size=900M
    table_cache=300
    query_cache_size=256M
    # enable slow query log
    log_slow_queries = ON

Start up MySQL and PacketFence:

    # /etc/init.d/mysqld start
    Starting MySQL:                                            [  OK  ]
    # /etc/init.d/packetfence start
    Starting PacketFence...
    [...]

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

    # uptime
     12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
    # iostat 5
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        8.00         0.00        75.20          0        376

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.99   13.37   83.03

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       14.97         0.00       432.73          0       2168
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.20    0.00    2.60    6.60   90.60

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:

    /usr/local/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.
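The archiving rule above (end_time not null and not the zero date) is easy to get subtly wrong, for instance by deleting rows that were never copied. The following is an added example, not the database-backup-and-maintenance.sh script, showing the move as one transaction whose INSERT ... SELECT and DELETE share the same WHERE clause. It uses sqlite3 in place of MySQL so it runs offline; the reduced locationlog columns, sample rows and cutoff date are constructed for the example.

```python
import sqlite3

# locationlog reduced to the columns the archiving rule needs; sqlite3 stands in
# for MySQL so the example runs offline.
SCHEMA = """
CREATE TABLE locationlog (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT, start_time TEXT, end_time TEXT
);
CREATE TABLE locationlog_archive (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT, start_time TEXT, end_time TEXT
);
"""

# Constructed rows: NULL and MySQL's zero date both mean the session is still open.
SAMPLE_ROWS = [
    ("52:54:00:12:35:01", "192.168.1.10", "1", "20", "2016-05-01 08:00:00", None),
    ("52:54:00:12:35:02", "192.168.1.10", "2", "20", "2016-05-01 08:05:00", "0000-00-00 00:00:00"),
    ("52:54:00:12:35:03", "192.168.1.10", "3", "20", "2016-04-01 09:00:00", "2016-04-01 17:00:00"),
    ("52:54:00:12:35:04", "192.168.1.10", "4", "20", "2016-06-01 09:00:00", "2016-06-01 17:00:00"),
]

# A closed record is one where end_time is not NULL and not the zero date.
CLOSED = "end_time IS NOT NULL AND end_time != '0000-00-00 00:00:00'"


def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO locationlog VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def archive_closed_entries(conn: sqlite3.Connection, cutoff: str) -> int:
    """Move closed rows that ended before `cutoff` into locationlog_archive.

    INSERT and DELETE run in one transaction with the identical WHERE clause,
    so a row is never deleted without having been copied first, and an error
    in either statement rolls back both. Returns the number of rows moved.
    """
    where = f"WHERE {CLOSED} AND end_time < ?"
    with conn:
        conn.execute(f"INSERT INTO locationlog_archive SELECT * FROM locationlog {where}", (cutoff,))
        cur = conn.execute(f"DELETE FROM locationlog {where}", (cutoff,))
    return cur.rowcount


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = make_sample_db()
    moved = archive_closed_entries(db, "2016-05-15 00:00:00")
    print(f"archived {moved} row(s); {count_rows(db, 'locationlog')} remain in locationlog")
```

Of the four constructed rows only the April session is both closed and older than the cutoff; the open rows (NULL and zero date) and the June session stay in locationlog.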

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

    Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

    [get_ua_is_dalvik]
    filter = user_agent
    method = GET
    operator = match
    value = Dalvik

    [get_uri_not_generate204]
    filter = uri
    method = GET
    operator = match_not
    value = /generate_204

The last block defines the relationship between the tests and the desired action. For example:

    [block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
    action = 501
    redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain /generate_204.
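To see how the two kinds of blocks combine, here is an added example (not PacketFence's Apache filter code) that reads the configuration above with configparser, treats a section whose name carries a colon as a rule combining the tests listed after it with '&', and evaluates constructed requests against it. It applies `value` as a regular expression and matches `method` exactly; both are this example's choices, made to reproduce the behaviour the paragraph describes.

```python
import configparser
import re
from typing import Dict, List, Optional, Tuple

# The two tests and the rule from apache_filters.conf shown above.
FILTERS_CONF = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = /generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""

TestBlock = Dict[str, str]
Rule = Tuple[str, List[str], Dict[str, str]]


def load_filters(text: str) -> Tuple[Dict[str, TestBlock], List[Rule]]:
    """Split the file into test blocks and rule blocks.

    A rule's section name carries the tests it combines after a colon,
    joined with '&'; all of them must match for the rule to fire.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests: Dict[str, TestBlock] = {}
    rules: List[Rule] = []
    for section in cp.sections():
        if ":" in section:
            name, expr = section.split(":", 1)
            rules.append((name, expr.split("&"), dict(cp[section])))
        else:
            tests[section] = dict(cp[section])
    return tests, rules


def block_matches(test: TestBlock, request: Dict[str, str]) -> bool:
    """Apply one test block; `value` is used as a regular expression (this example's choice)."""
    if request["method"] != test["method"]:
        return False
    subject = request.get(test["filter"], "")
    found = re.search(test["value"], subject) is not None
    return found if test["operator"] == "match" else not found


def evaluate(request: Dict[str, str], conf: str = FILTERS_CONF) -> Optional[Dict[str, str]]:
    """Return the first rule whose tests all match, or None to let the request reach the portal."""
    tests, rules = load_filters(conf)
    for name, test_names, settings in rules:
        if all(block_matches(tests[t], request) for t in test_names):
            return {"rule": name, **settings}
    return None


if __name__ == "__main__":
    # Constructed requests: an Android connectivity probe and a real browser hit.
    probe = {"method": "GET", "uri": "/some/page", "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)"}
    browser = {"method": "GET", "uri": "/", "user_agent": "Mozilla/5.0 Firefox/45.0"}
    print(evaluate(probe))    # block_dalvik, action 501
    print(evaluate(browser))  # None
```

Note that the Dalvik probe for /generate_204 itself is deliberately let through: match_not on the URI is what keeps Android's connectivity check working while every other Dalvik request is answered with a 501 instead of a captive portal page.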

DashboardOptimizations(statisticscollection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

    service packetfence stop

Create an ext4 partition:

    mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

    mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

    echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
    mkdir /usr/local/pf/var/graphite
    mount -a
    df -h

Apply the proper user rights and restore your database from your backup:

    chown pf:pf /usr/local/pf/var/graphite
    cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

    rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


    Usage: pfcmd <command> [options]

    Commands:
      cache                       | manage the cache subsystem
      checkup                     | perform a sanity checkup and report any problems
      class                       | view violation classes
      configfiles                 | push or pull configfiles into/from database
      configreload                | reload the configution
      floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
      help                        | show help for pfcmd commands
      ifoctetshistorymac          | accounting history
      ifoctetshistoryswitch       | accounting history
      ifoctetshistoryuser         | accounting history
      import                      | bulk import of information into the database
      ipmachistory                | IP/MAC history
      locationhistorymac          | Switch/Port history
      locationhistoryswitch       | Switch/Port history
      networkconfig               | query/modify network configuration parameters
      node                        | manipulate node entries
      pfconfig                    | interact with pfconfig
      portalprofileconfig         | query/modify portal profile configuration parameters
      reload                      | rebuild fingerprint or violations tables without restart
      service                     | start/stop/restart and get PF daemon status
      schedule                    | Nessus scan scheduling
      switchconfig                | query/modify switches.conf configuration parameters
      version                     | output version information
      violationconfig             | query/modify violations.conf configuration parameters

    Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

    # /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
    mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
    52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

    Usage: pfcmd_vlan command [options]

    Command:
      -deauthenticate      de-authenticate a dot11 client
      -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
      -getAlias            show the description of the specified switch port
      -getAllMACs          show all MACS on all switch ports
      -getHubs             show switch ports with several MACs
      -getIfOperStatus     show the operational status of the specified switch port
      -getIfType           show the ifType on the specified switch port
      -getLocation         show at which switch port the MAC is found
      -getSwitchLocation   show SNMP location of specified switch
      -getMAC              show all MACs on the specified switch port
      -getType             show switch type
      -getUpLinks          show the upLinks of the specified switch
      -getVersion          show switch OS version
      -getVlan             show the VLAN on the specified switch port
      -getVlanType         show the VLAN type on the specified port
      -help                brief help message
      -isolate             set the switch port to the isolation VLAN
      -man                 full documentation
      -reAssignVlan        re-assign a switch port VLAN
      -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
      -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
      -setAlias            set the description of the specified switch port
      -setDefaultVlan      set the switch port to the default VLAN
      -setIfAdminStatus    set the admin status of the specified switch port
      -setVlan             set VLAN on the specified switch port
      -setVlanAllPort      set VLAN on all non-U
pLink ports of the specified switch

    Options:
      -alias          switch port description
      -ifAdminStatus  ifAdminStatus
      -ifIndex        switch port ifIndex
      -mac            MAC address
      -showPF         show additional information available in PF
      -switch         switch description
      -verbose        log verbosity level
                        0 : fatal messages
                        1 : warn messages
                        2 : info messages
                        3 : debug
                        4 : trace
      -vlan           VLAN id
      -vlanName       VLAN name (as in switches.conf)


  Passthrough 79
  Production DHCP access 80
  Proxy Interception 81
  Routed Networks 82
  Statement of Health (SoH) 85
  VLAN Filter Definition 86
  RADIUS Filter Definition 88
  DNS enforcement 90
  Parked devices 90
Optional components 92
  Blocking malicious activities with violations 92
  Compliance Checks 100
  RADIUS Accounting 105
  Oinkmaster 106
  Guests Management 107
  Active Directory Integration 110
  DHCP remote sensor 115
  Switch login access 117
Operating System Best Practices 118
  IPTables 118
  Log Rotations 118
Performance optimization 119
  SNMP Traps Limit 119
  MySQL optimizations 119
  Captive Portal Optimizations 122
  Dashboard Optimizations (statistics collection) 123
Additional Information 125
Commercial Support and Contact Information 126
GNU Free Documentation License 127
A. Administration Tools 128
  pfcmd 128
  pfcmd_vlan 129


About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs:

Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration

Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware

CREDITS: This is, at least, a partial file of PacketFence contributors

NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release

UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading

ChangeLog: Covers all changes to the source code


Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security, while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN, and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e. localhost or 127.0.0.1) that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architectures:


- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

    yum update

On a Debian or Ubuntu system, do:

    apt-get update
    apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

RedHat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

    rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

    yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:


    yum install perl
    yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
    sudo apt-get update
    sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network and NATs or routes the traffic, using IPTables/IPSet, to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

Everyone behind an inline interface is on the same Layer 2 LAN.

Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.

Every packet of authorized users goes through the PacketFence server; it is a single point of failure for Internet access.

Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment, since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e. client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both the supplicant and the authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows, Mac OS X and Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration; or we can also use a registration VLAN, in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions, including: keep the device on the registration portal, direct to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user + device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.

Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN but the PC doesn't do DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 even if it connects on another SSID.
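The following evaluator, added here as an example and not part of PacketFence's own code, shows how a trigger list like the one above decides whether a connecting endpoint gets inline or VLAN enforcement. It assumes the switches.conf convention of comma-separated TYPE::VALUE triggers (ALWAYS takes no value) and that any single matching trigger is enough.

```python
"""Evaluate a hybrid-mode "Trigger to enable inline mode" value.

Added example, not PacketFence's own code. Assumed syntax: comma-separated
triggers, each written TYPE::VALUE, e.g. "SSID::GuestAccess,MAC::00:11:22:33:44:55".
"""
import re

TRIGGER_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac):
    """Canonical lower-case colon form so that 00-11-22-33-44-55 and
    001122334455 compare equal to 00:11:22:33:44:55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_triggers(spec):
    """Return a list of (type, value) tuples; unknown trigger types are rejected
    rather than silently ignored, since a typo would otherwise disable the trigger."""
    triggers = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ttype, _, value = item.partition("::")
        ttype = ttype.upper()
        if ttype not in TRIGGER_TYPES:
            raise ValueError("unknown inline trigger type: %r" % (ttype,))
        if ttype == "ALWAYS":
            triggers.append((ttype, None))
        elif ttype == "MAC":
            triggers.append((ttype, normalize_mac(value)))
        elif ttype == "PORT":
            triggers.append((ttype, int(value)))   # ifIndex
        else:  # SSID
            triggers.append((ttype, value))
    return triggers


def use_inline(spec, ifindex=None, mac=None, ssid=None):
    """True when the endpoint matches any trigger (OR semantics), i.e. PacketFence
    would apply inline enforcement instead of returning a production VLAN."""
    mac = normalize_mac(mac) if mac else None
    for ttype, value in parse_triggers(spec):
        if ttype == "ALWAYS":
            return True
        if ttype == "PORT" and ifindex is not None and value == int(ifindex):
            return True
        if ttype == "MAC" and mac is not None and value == mac:
            return True
        if ttype == "SSID" and ssid is not None and value == ssid:
            return True
    return False


if __name__ == "__main__":
    spec = "SSID::GuestAccess,MAC::00:11:22:33:44:55"   # the guide's example trigger
    print(use_inline(spec, ssid="GuestAccess", mac="aa:bb:cc:dd:ee:ff"))  # True: SSID matches
    print(use_inline(spec, ssid="Corp", mac="00-11-22-33-44-55"))         # True: MAC matches
    print(use_inline(spec, ssid="Corp", mac="aa:bb:cc:dd:ee:ff"))         # False: VLAN enforcement
```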


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices that users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e. a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory
Apache htpasswd file
Email
External HTTP API
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth2)
Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a first-match-wins operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now, we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: employee

Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth

Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
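The following model, added here as an example and not PacketFence code, works through the first-match-wins evaluation described above (ordered sources, ordered rules, conditions, fallback rules) on the ad1/guest example and the catch-all note. The directory contents, the "it-staff" rule, the operator names and the "local" SQL source name are constructed for illustration; only the ad1 "employees" catch-all rule and the guest role/duration follow the guide.

```python
"""First-match-wins evaluation of ordered authentication sources.

Added example, not PacketFence's own code. Directory contents, the "it-staff"
rule, operator names and the "local" source name are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: list   # [(attribute, operator, value), ...]; empty = fallback (catch-all)
    actions: dict      # e.g. {"set_role": "employee", "set_unreg_date": "2020-01-01"}


@dataclass
class Source:
    name: str
    kind: str          # "AD", "LDAP", "htpasswd", "SQL", "Kerberos", "RADIUS"
    rules: list
    directory: dict = field(default_factory=dict)   # username -> attributes (backend stand-in)


# Per the guide's note, these kinds act as true catch-alls: a rule without
# conditions accepts every user, not only those found in the backend.
TRUE_CATCH_ALL = {"Kerberos", "RADIUS"}


def lookup(source, username):
    """Return the user's attributes, or None when the username attribute
    (e.g. sAMAccountName) matches nothing in that source."""
    if source.kind in TRUE_CATCH_ALL:
        return source.directory.get(username, {})
    return source.directory.get(username)


def condition_matches(attrs, cond):
    attribute, operator, expected = cond
    actual = attrs.get(attribute)
    if actual is None:
        return False
    if operator == "equals":
        return actual == expected
    if operator == "starts":
        return str(actual).startswith(expected)
    if operator == "is_member_of":   # memberOf is multi-valued in AD
        return expected in (actual if isinstance(actual, list) else [actual])
    raise ValueError("unknown operator: %r" % (operator,))


def evaluate(sources, username):
    """Walk sources in order, then each source's rules in order. The first rule
    whose conditions all hold (a fallback rule has none) wins and stops the
    search across all sources. Returns (source, rule, actions) or None."""
    for source in sources:
        attrs = lookup(source, username)
        if attrs is None:
            continue   # username not in this source: try the next one
        for rule in source.rules:
            if all(condition_matches(attrs, c) for c in rule.conditions):
                return source.name, rule.name, dict(rule.actions)
    return None


# Constructed sample configuration mirroring the guide's example.
AD1 = Source(
    name="ad1", kind="AD",
    directory={
        "jdoe": {"sAMAccountName": "jdoe", "memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
        "asmith": {"sAMAccountName": "asmith", "memberOf": []},
    },
    rules=[
        # Conditioned rule placed first: rule order decides which one fires.
        Rule("it-staff", [("memberOf", "is_member_of", "CN=IT,CN=Users,DC=acme,DC=local")],
             {"set_role": "it-staff", "set_unreg_date": "2020-01-01"}),
        # The guide's catch-all rule: no conditions, so it is the fallback for every AD match.
        Rule("employees", [], {"set_role": "employee", "set_unreg_date": "2020-01-01"}),
    ],
)
LOCAL = Source(
    name="local", kind="SQL",
    directory={"guest01": {"username": "guest01"}},
    rules=[Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"})],
)
SOURCES = [AD1, LOCAL]   # source order matters: ad1 is consulted before the SQL source


if __name__ == "__main__":
    for user in ("jdoe", "asmith", "guest01", "nobody"):
        print(user, "->", evaluate(SOURCES, user))
```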

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result should be 1 for success, 0 for failure
message should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}


Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response (note that not all attributes are necessary; only send back what you need):

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
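A minimal external API implementing both actions, added here as an example and not the example_external_auth addon shipped with PacketFence. It assumes PacketFence POSTs the fields as application/x-www-form-urlencoded under the names "username" and "password", that the Authentication URL and Authorization URL fields are set to authenticate and authorize, and that the API username/password fields hold the constructed values below; the user store is constructed.

```python
"""Minimal external HTTP API for PacketFence's HTTP authentication source.

Added example, not PacketFence's own addon. Assumed: PacketFence POSTs
form-encoded "username" and "password" fields; Authentication URL = authenticate,
Authorization URL = authorize; basic-auth credentials are those configured in
the source's "API username and password" fields (constructed values below).
"""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed values for the HTTP basic authentication (RFC 2617) that PacketFence sends.
API_USERNAME = b"packetfence"
API_PASSWORD = b"change-me-api-secret"

# Constructed user store: password hashes plus the authorization attributes to return.
# A real implementation would query a directory or database instead.
USERS = {
    "alice": {"pw_sha256": hashlib.sha256(b"alice-pass").hexdigest(),
              "category": "employee", "access_duration": "1D"},
    "bob": {"pw_sha256": hashlib.sha256(b"bob-pass").hexdigest(),
            "category": "guest", "unregdate": "2030-01-01", "sponsor": 1},
}
# Only these attributes are meaningful to PacketFence in the authorization reply.
ALLOWED_REPLY_ATTRS = ("access_duration", "access_level", "sponsor", "unregdate", "category")


def basic_auth_ok(header):
    """Validate an 'Authorization: Basic ...' header with constant-time comparisons."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True)
    except (ValueError, TypeError):
        return False
    user, _, password = decoded.partition(b":")
    return hmac.compare_digest(user, API_USERNAME) and hmac.compare_digest(password, API_PASSWORD)


def authenticate(fields):
    """Authentication action: reply with result (1/0) and a message."""
    user = USERS.get(fields.get("username", ""))
    digest = hashlib.sha256(fields.get("password", "").encode("utf-8")).hexdigest()
    # Compare against a dummy hash for unknown users so the timing is uniform.
    expected = user["pw_sha256"] if user else hashlib.sha256(b"dummy").hexdigest()
    if user and hmac.compare_digest(digest, expected):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields):
    """Authorization action: return only the attributes PacketFence should apply."""
    user = USERS.get(fields.get("username", ""))
    if not user:
        return {}
    return {k: user[k] for k in ALLOWED_REPLY_ATTRS if k in user}


ACTIONS = {"/authenticate": authenticate, "/authorize": authorize}


class Handler(BaseHTTPRequestHandler):
    def _send_json(self, status, payload):
        body = json.dumps(payload).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Reject anything that does not carry the configured API credentials.
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        action = ACTIONS.get(self.path)
        if action is None:
            self._send_json(404, {"result": 0, "message": "unknown action"})
            return
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode("utf-8")
        fields = {k: v[0] for k, v in parse_qs(raw).items()}
        self._send_json(200, action(fields))


if __name__ == "__main__":
    # With this listener, the source's Host field would be http://127.0.0.1:8080
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```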

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.


Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).


Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).


PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do, compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <role_name>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.


Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name, since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Examplewiththemostcommonones

SSIDGuest-SSID

VLAN100

SwitchPortltSwitchIdgt-ltPortgt

NetworkNetworkinCIDRformatoranIPaddress

Caution

Noderolewilltakeeffectonlywitha8021xconnectionorifyouuseVLANfilters

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your third-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.


Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.


Troubleshooting: in order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba/<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: you should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: first, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:


service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

ntlm_auth --username myDomainUser

radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
    User-Name = "myDomainUser"
    NAS-IP-Address = 10.0.0.1
    NAS-Port = 12
    Message-Authenticator = 0x00000000000000000000000000000000
    MS-CHAP-Challenge = 0x79d62c9da4e55104
    MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication. Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP. To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext:


ldap openldap {
    server = "ldap.acme.com"
    identity = "uid=admin,dc=acme,dc=com"
    password = "password"
    basedn = "dc=district,dc=acme,dc=com"
    filter = "(uid=%{mschap:User-Name})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no

    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60

        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3

        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration. This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound) {
                # Don't check activation table with phone number and PIN code
                # pfsms    <--- This line was commented out
                if (fail || notfound) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication. The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
    # Disable ntlm_auth
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests: test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
    User-Name = "dd9999"
    User-Password = "Abcd1234"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
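As an added example that is not part of this guide, the following Python shows what the radtest command above puts on the wire (an Access-Request carrying User-Name, an RFC 2865 obfuscated User-Password, NAS-IP-Address and NAS-Port) and why the Access-Accept reply is only trustworthy when its Response Authenticator checks out against the shared secret; the secret testing123, the user dd9999 and the 20-byte reply length come from the test above, the attribute numbers are the standard RADIUS ones, and no packet is actually sent.

```python
"""Added example: the RADIUS exchange behind the radtest command in the guide.

Not PacketFence or FreeRADIUS code. Builds the Access-Request radtest sends
and checks an Access-Accept the way a RADIUS client must: the reply's
Response Authenticator is MD5 over the reply plus the shared secret, so a
reply forged without the secret fails verification.
"""
import hashlib
import hmac
import os
import struct

SECRET = b"testing123"            # secret passed to radtest in the guide
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_password(cipher, secret, authenticator):
    """Inverse of encode_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, nas_ip, nas_port, secret, authenticator=None):
    """Access-Request as radtest sends it; the Request Authenticator is 16 random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, encode_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(request, secret, attrs=b""):
    """What the server answers; with no attributes the packet is 20 bytes, as radtest printed."""
    ident, req_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, req_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(request, reply, secret):
    """True only if the reply matches the request id and was authenticated with the same secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    req = build_access_request(74, b"dd9999", b"Abcd1234", "255.255.255.255", 12, SECRET)
    rep = build_access_accept(req, SECRET)
    print("request bytes:", len(req), "reply bytes:", len(rep))
    print("reply verified with the right secret:", verify_reply(req, rep, SECRET))
    print("reply verified with a wrong secret:", verify_reply(req, rep, b"wrong"))
```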

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offer the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: this is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: this allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: this allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.

Message: this allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: the authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

Billing: allows to define a module based on one or more billing sources.

Choice: allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

Login: allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

Other modules: the other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and the mandatory fields, if applicable.

Examples: this section will contain the following examples:

Prompting for fields without authentication

Prompting additional fields during the authentication

Chained authentication

Mixing login and Secure SSID on-boarding on the portal

Displaying a message to the user after the registration


Creating a custom root module. First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication. In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.

Mixing login and Secure SSID on-boarding on the portal. This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should they choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced). The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: you can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: allows you to specify the perl class name of the sources you want available.

e.g. pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).

Sources by type: allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log: PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access: Apache – Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error: Apache – Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access: Apache – Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error: Apache – Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access: Apache – Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error: Apache – Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access: Apache – AAA Access Log
/usr/local/pf/logs/httpd.aaa.error: Apache – AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security. Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X. Cisco hardware: on Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware: on other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).


Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface, under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature. First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation. Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click configure, which will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

Billing source(s)

Billing tier(s)

Configuring a billing source. First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or login into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Login into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID, as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go to Configuration → Sources and create a new source of type Billing → Paypal.


Where:

- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant Paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence certificate's private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go to https://dashboard.stripe.com, create an account and log in.

Next, at the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go to Configuration → Sources and create a new source of type Billing → Stripe.


Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See the section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First, go to https://account.authorize.net to sign up for a merchant account, or to http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for use in the PacketFence configuration.

Then log into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go to Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which define the price and the target authentication rules for the user.

In the PacketFence administration interface, go to Configuration → Billing tiers.


Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, go to Subscriptions → Plans.

Then create a new plan.


Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
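The three "must match" rules above (plan ID, amount, currency) are easy to get wrong by hand, and a mismatch only shows up when a user pays. The following check is an added example, not PacketFence's or Stripe's own code: it reads tiers from an INI text shaped like the blocks above, compares them with a plan list shaped like the fields the page names (id, amount in the currency's minor unit, currency, interval), and reports every inconsistency. The tier and plan data below are constructed for the example.

```python
"""Consistency check between PacketFence billing tiers and Stripe plans.

Added example, not PacketFence's or Stripe's own code. Assumptions: tiers are
read from an INI text shaped like the [simple]/[advanced] blocks above; Stripe
plans are available as dicts carrying id, amount (minor units), currency and
interval; the sample data below is constructed for this example.
"""
import configparser
from decimal import Decimal

# Constructed tier definitions (same shape as the page's billing tiers).
BILLING_TIERS_CONF = """
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=More bandwidth
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed Stripe plan list; Stripe stores amounts in minor units (cents).
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 999, "currency": "usd", "interval": "month"},
    {"id": "legacy", "amount": 100, "currency": "usd", "interval": "month"},
]


def load_tiers(text):
    """Parse billing tiers from INI text into {tier_id: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def price_to_minor_units(price):
    """'3.99' -> 399, using Decimal so binary float rounding cannot creep in."""
    return int((Decimal(price) * 100).to_integral_value())


def check_plans(tiers, plans, source_currency):
    """Return a list of mismatches between tiers and plans; empty means consistent."""
    problems = []
    plans_by_id = {plan["id"]: plan for plan in plans}
    for tier_id, tier in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:
            problems.append(f"tier '{tier_id}' has no Stripe plan with the same ID")
            continue
        expected = price_to_minor_units(tier["price"])
        if plan["amount"] != expected:
            problems.append(f"plan '{tier_id}': amount {plan['amount']} != tier price {expected}")
        if plan["currency"].lower() != source_currency.lower():
            problems.append(f"plan '{tier_id}': currency {plan['currency']} != source currency {source_currency}")
    for plan_id in plans_by_id:
        if plan_id not in tiers:
            problems.append(f"Stripe plan '{plan_id}' has no matching billing tier")
    return problems


if __name__ == "__main__":
    for line in check_plans(load_tiers(BILLING_TIERS_CONF), STRIPE_PLANS, "USD"):
        print(line)
```

Run it against the real tier file and the plan list returned by the Stripe dashboard or API before switching the source out of test mode; an extra plan with no tier is reported too, since a plan nobody can select is usually a leftover worth cleaning up.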

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests to a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go to Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
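The endpoint above is reachable by anyone on the Internet over plain HTTP, so the receiving side has to establish on its own that a request really came from Stripe before it unregisters a device. The following is an added example, not PacketFence's /hook/billing/stripe handler: it verifies an event using Stripe's documented signing scheme (a Stripe-Signature header carrying a timestamp and an HMAC-SHA256 over "timestamp.body", keyed with the endpoint's signing secret), rejects stale timestamps so a captured request cannot be replayed, and only then maps the cancelled subscription's customer to a device and marks it unregistered. The signing secret, customer id and MAC are constructed, and the node database is modelled as in-memory dicts.

```python
"""Receiving side of the Stripe webhook described above: verify that the
event really came from Stripe, then act on subscription cancellations.

Added example, not PacketFence's /hook/billing/stripe handler. It assumes
Stripe's documented event signing (header "Stripe-Signature: t=<unix time>,
v1=<hex HMAC-SHA256>", signed string "<t>.<raw body>", keyed with the
endpoint's signing secret) and models PacketFence's node database as two
in-memory dicts. The secret, customer id and MAC below are constructed.
"""
import hashlib
import hmac
import json

ENDPOINT_SECRET = "whsec_constructed_example_secret"        # constructed
CUSTOMER_TO_MAC = {"cus_example123": "00:11:22:33:44:55"}   # constructed
NODE_STATUS = {"00:11:22:33:44:55": "reg"}                   # constructed


def sign_payload(body, secret, timestamp):
    """Build the header exactly as the sender would (used to exercise the verifier)."""
    digest = hmac.new(secret.encode(), f"{timestamp}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header):
    """Split 't=...,v1=...[,v1=...]' into the timestamp and the list of v1 signatures."""
    pairs = [item.split("=", 1) for item in header.split(",") if "=" in item]
    timestamp = next((value for key, value in pairs if key == "t"), None)
    signatures = [value for key, value in pairs if key == "v1"]
    return timestamp, signatures


def verify_signature(body, header, secret, now, tolerance=300):
    """True only if some v1 signature matches and the timestamp is within tolerance;
    the tolerance is what stops a captured, valid request from being replayed later."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not timestamp.isdigit() or not signatures:
        return False
    if abs(now - int(timestamp)) > tolerance:
        return False
    expected = hmac.new(secret.encode(), f"{timestamp}.{body}".encode(), hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def handle_webhook(body, header, secret, now):
    """Return (http_status, message) for the caller to send back to Stripe."""
    if not verify_signature(body, header, secret, now):
        return 400, "rejected: bad or stale signature"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "rejected: body is not JSON"
    event_type = event.get("type")
    if event_type != "customer.subscription.deleted":
        return 200, f"ignored: {event_type}"
    customer = event.get("data", {}).get("object", {}).get("customer")
    mac = CUSTOMER_TO_MAC.get(customer)
    if mac is None:
        return 200, "ignored: unknown customer"
    NODE_STATUS[mac] = "unreg"   # the page: PacketFence unregisters the device
    return 200, f"unregistered {mac}"
```

The page's instructions do not mention a signing secret on the PacketFence side, so whether the 6.0.3 hook performs this check is not something the page states; a practitioner exposing the endpoint should confirm it, and should also restrict the port 80 listener to Stripe's published source addresses where the firewall allows it.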

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX, XBOX 360, Nintendo DS, Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned to a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed at the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
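The check the page describes, a user-supplied MAC matched against an allowed OUI list before the node is created under the user's id and role, as an added example that is not PacketFence's code. Users type MACs in several notations, so the input is normalized and validated first; a multicast address is refused since it can never be a registrable station. The OUI allow-list, MACs, user and role are constructed values, not a vendor lookup.

```python
"""MAC normalization and OUI check of the kind the device registration page
performs before creating the node.

Added example, not PacketFence's code. It assumes the authorized OUI list is
a set of 24-bit prefixes in bare lower-case hex; the OUIs, MACs, user and
role below are constructed and are not a vendor lookup.
"""
import re

AUTHORIZED_OUIS = {"001122", "aabbcc"}   # constructed allow-list


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex;
    return 'aa:bb:cc:dd:ee:ff', or None if the input is not a 48-bit address."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        return None
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """First three octets of a normalized MAC, as bare hex."""
    return mac.replace(":", "")[:6]


def register_device(raw_mac, owner_pid, role, authorized_ouis=AUTHORIZED_OUIS):
    """Return the node record to create, or an error string explaining the refusal."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return "invalid MAC address"
    if int(mac[:2], 16) & 0x01:            # I/G bit set: group address
        return "multicast address cannot be registered"
    if oui_of(mac) not in authorized_ouis:
        return "device vendor not allowed"
    return {"mac": mac, "pid": owner_pid, "category": role, "status": "reg"}
```

An OUI check only says which vendor the address claims to belong to; it cannot tell a real console from any other host whose address was set to a console prefix, so the role given to such devices (gaming in the page's example) should carry only the access those devices need.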

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}

client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied).

proxy.conf example:

home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together.

proxy.conf example:

home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ prefix or a @suffix in the username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}
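The realm decision the two preceding passages describe, written out as a small function so the four outcomes (NULL, EXAMPLE, example.edu, DEFAULT) can be checked against sample usernames. This is an added example, not FreeRADIUS code: it assumes the module order of the page's authorize section (ntdomain before suffix), the local realms of the page's proxy.conf example, and case-insensitive realm comparison; the usernames are constructed.

```python
"""Realm selection as the text above describes it: the ntdomain prefix is
tried first, then the @suffix; a realm that is not one of the local ones
falls into DEFAULT and is proxied to the eduroam pool.

Added example, not FreeRADIUS code. It assumes the module order of the page's
authorize section (ntdomain before suffix), the local realms of the page's
proxy.conf example, and case-insensitive realm comparison; usernames below
are constructed.
"""
LOCAL_REALMS = ["EXAMPLE", "example.edu"]   # from the page's proxy.conf example


def split_user_name(user_name):
    """Return (realm, stripped_user). None as realm means no usable delimiter."""
    if "\\" in user_name:                      # ntdomain: DOMAIN\user
        domain, user = user_name.split("\\", 1)
        if domain:
            return domain, user
        return None, user                      # ignore_null = yes: empty prefix ignored
    if "@" in user_name:                       # suffix: user@realm
        user, domain = user_name.rsplit("@", 1)
        if domain:
            return domain, user
        return None, user
    return None, user_name


def route_request(user_name, local_realms=LOCAL_REALMS):
    """Return the REALM FreeRADIUS would set and where the request ends up."""
    realm, user = split_user_name(user_name)
    if realm is None:
        return {"realm": "NULL", "action": "local", "user": user}
    for local in local_realms:
        if local.lower() == realm.lower():
            return {"realm": local, "action": "local", "user": user}
    # Any other realm is taken to be a visitor from another institution.
    # DEFAULT has nostrip, so the full User-Name travels to the home server.
    return {"realm": "DEFAULT", "action": "proxy:eduroam", "user": user_name}
```

The last branch is the one to keep in mind operationally: any realm you forget to list locally is silently proxied to eduroam rather than failing, so every domain your own users may type (short NT name and DNS suffix alike) needs its own realm block.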

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


authorize {
    # pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess

    # uncomment this section if you want to block eduroam users from your other SSIDs.
    # The attribute name (Called-Station-Id) may differ based on your controller.
    #if ( Called-Station-Id !~ /eduroam$/i ) {
    #    update control {
    #        Proxy-To-Realm := "local"
    #    }
    #}

    eap {
        ok = return
    }

    files
    expiration
    logintime
    packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

post-auth {
    exec

    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}

# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it into the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going to the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data couldn't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out of your network can easily be submitted to the upstream Fingerbank project for further analysis and integration into the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream entries, or both, to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port as it was before the device was plugged in.

How it works

Configuration

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.
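The two port reconfigurations described above (port-security trap opens the port for a known floating MAC, linkdown trap restores it), together with the settings list, as an added example that is not PacketFence's switch-driver code. It assumes the conf file is keyed by the device MAC with the trunkPort, pvid and taggedVlan keys listed above, and it represents the switch port as a plain record so the before and after states can be compared; a real deployment changes the port on the switch itself, which this example does not do. The MACs and VLAN numbers are constructed.

```python
"""The two port reconfigurations described above, modelled as pure functions
over a port-state record so the before/after can be checked.

Added example, not PacketFence's switch-driver code. It assumes the
conf/floating_network_device.conf keys listed above (trunkPort, pvid,
taggedVlan, keyed by MAC) and represents the switch port as a dict; a real
deployment changes the port through the switch (SNMP/CLI), which this
example does not do. MACs and VLAN numbers below are constructed.
"""
import configparser

FLOATING_CONF = """
[00:11:22:33:44:55]
ip=10.0.0.7
trunkPort=yes
pvid=100
taggedVlan=200,300

[aa:bb:cc:dd:ee:ff]
trunkPort=no
pvid=50
"""


def load_floating_devices(text):
    """Parse the conf into {mac: {trunk, pvid, tagged}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    devices = {}
    for mac in cp.sections():
        section = cp[mac]
        devices[mac.lower()] = {
            "trunk": section.get("trunkPort", "no").lower() == "yes",
            "pvid": int(section["pvid"]),
            "tagged": [int(v) for v in section.get("taggedVlan", "").split(",") if v.strip()],
        }
    return devices


def default_port():
    """A port as PacketFence leaves it for regular devices."""
    return {"port_security": True, "linkdown_traps": False, "trunk": False, "pvid": None, "tagged": []}


def on_port_security_trap(port, mac, devices):
    """Port-security trap: a floating device opens the port up; anything else is
    left to the normal PacketFence handling. Returns (new_port, explanation)."""
    device = devices.get(mac.lower())
    if device is None:
        return port, "regular device: normal PacketFence handling"
    new = dict(port)
    new["port_security"] = False
    new["pvid"] = device["pvid"]
    if device["trunk"]:
        new["trunk"] = True
        new["tagged"] = list(device["tagged"])
    new["linkdown_traps"] = True
    return new, "floating device: port opened"


def on_linkdown_trap(saved_port):
    """Linkdown on a port that held a floating device: back to the saved state,
    with port-security on and linkdown traps off again."""
    restored = dict(saved_port)
    restored["port_security"] = True
    restored["linkdown_traps"] = False
    return restored
```

The security-relevant point the model makes visible is that, while a floating device is up, port-security is off and every MAC behind it is accepted, so the floating MAC list should be kept short and each entry's pvid and taggedVlan limited to the VLANs the access point really needs to carry.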


OAuth2 Authentication

Note: OAuth2 authentication does not work with Web auth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and, when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
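The decision the two passthrough mechanisms make for a name a trapped device resolves, including the priority rule in the last sentence, as an added example that is not pfdns or mod_proxy code. The matching is done on label boundaries, so a wildcard entry for one domain cannot be satisfied by a look-alike name that merely ends in the same characters; it assumes a leading "*." covers the base domain and all of its subdomains while a bare name matches only itself. The lists and names are constructed.

```python
"""Passthrough decision for a name a trapped device resolves: DNS passthrough
(real IP plus an iptables hole), mod_proxy passthrough (portal IP, proxied
later), or neither (captive portal).

Added example, not pfdns or mod_proxy code. It assumes a pattern with a
leading "*." matches the base domain and every subdomain and that a bare name
matches only itself; the lists and names below are constructed.
"""
PASSTHROUGHS = ["*.google.com", "accounts.youtube.com"]       # constructed
PROXY_PASSTHROUGHS = ["*.github.com", "*.google.com"]          # constructed, overlap on purpose


def matches(pattern, name):
    """Label-boundary match: '*.google.com' covers google.com and www.google.com,
    but not evilgoogle.com."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern


def classify(name, passthroughs=PASSTHROUGHS, proxy_passthroughs=PROXY_PASSTHROUGHS):
    """DNS passthroughs win when both lists match, as the page states."""
    if any(matches(p, name) for p in passthroughs):
        return "dns-passthrough"
    if any(matches(p, name) for p in proxy_passthroughs):
        return "proxy-passthrough"
    return "captive-portal"
```

A DNS passthrough opens the firewall to whatever address the name resolves to at that moment, so wildcard entries should be as narrow as the provider's login flow allows; the mod_proxy variant keeps the device's traffic on the portal host and is the tighter of the two when it works for the site in question.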


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses to IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design, otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
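What a listener in pfdhcplistener's position has to pull out of the copied traffic is the client hardware address and the address the server assigned, and only from a server acknowledgement, so that offers that were never taken do not end up in the MAC to IP map. The following is an added example, not PacketFence's pfdhcplistener: it parses the BOOTP/DHCP wire format (fixed header, magic cookie, TLV options), refuses packets whose option lengths run past the buffer instead of reading beyond it, and records a lease only from a DHCPACK. The packets are constructed in the file, not captured.

```python
"""What a pfdhcplistener has to extract from mirrored DHCP traffic: the client
MAC (chaddr) and the address the server handed out (yiaddr), taken only from
a DHCPACK so that offers and declined requests do not pollute the map.

Added example, not PacketFence's pfdhcplistener. It parses the BOOTP/DHCP
wire format (RFC 2131 fixed header, magic cookie, TLV options) and stops on
malformed option lengths rather than reading past the buffer. The packets
are constructed in this file, not captured.
"""
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236 bytes before the magic cookie
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_LEASE, OPT_END = 53, 51, 255
DHCPDISCOVER, DHCPACK = 1, 5


def build_dhcp(mac, yiaddr, op, msg_type, xid=0x12345678):
    """Construct a minimal DHCP packet for the example (op 1 = client, 2 = server)."""
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_LEASE, 4]) + struct.pack("!I", 3600) + bytes([OPT_END])
    return header + MAGIC + options


def parse_dhcp(packet):
    """Return the fields a listener needs, or None if the packet is not well-formed DHCP."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC:
        return None
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    op, htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr, _giaddr, chaddr = fields[:12]
    options, i = {}, HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad octet, no length
            i += 1
            continue
        if i + 1 >= len(packet):
            return None                    # length byte missing
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                    # option claims more bytes than exist
        options[code] = value
        i += 2 + length
    mac = None
    if htype == 1 and hlen == 6:           # Ethernet only
        mac = ":".join(f"{b:02x}" for b in chaddr[:6])
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(yiaddr)), "mac": mac, "options": options}


def record_lease(packet, leases):
    """Update the MAC -> IP map from a DHCPACK; return the pair recorded, else None."""
    parsed = parse_dhcp(packet)
    if parsed is None or parsed["op"] != 2 or parsed["mac"] is None:
        return None
    if parsed["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    leases[parsed["mac"]] = parsed["yiaddr"]
    return parsed["mac"], parsed["yiaddr"]
```

Because the listener sees a mirror of everything on the segment, it should be written on the assumption that some of that traffic is malformed or hostile; the length checks above are the minimum, and a production listener would also ignore ACKs that do not come from the configured production DHCP servers.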

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled


[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start=auto
sc start napagent

Wired 802.1X:

sc config dot3svc start=auto depend=napagent
sc start dot3svc

netsh nap client show config

Get the ID value for the EAP Quarantine Enforcement Client from that output, then:

netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce an SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


ThethreebroadstepsarecreateaviolationclassfortheconditionthencreateanSoHfiltertotriggertheviolationwhenanti-virusisdisabledandfinallyreloadtheviolations

First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note: You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the "Add a filter" button to create a filter named antivirus. Click on antivirus in the filter list, and select "Trigger violation" in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on "Add a condition", and select "Anti-virus", "is" and "disabled" in the drop-down boxes that appear. Click on the "Save filters" button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN, or to do a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN


[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

(The action block must reference the test blocks by their section names, here igmout and open; a name that matches no test block is a configuration error and the rule will never fire.)

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer, or to do a call to the API.

These rules are only available in one scope:

returnRadiusAccessAccept

And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer controls whether the original answer of PacketFence is merged with the filter answer automatically; with merge_answer = no the filter answer is used as-is):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer in the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway, and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (core switch, firewall, router...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode used by itself can be bypassed by the device by using a different DNS server, or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment (as shown for the registration VLAN at the beginning of this chapter: permit only the PacketFence server and DHCP); the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and will be able to leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note: Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parked state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.

The number of times a user can unpark their device is controlled through the Remediation → Max enable setting.

The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.

The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.

The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.

Chapter 13

Copyright © 2016 Inverse inc. Optional components 92

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf. Keep in mind that imudp accepts unauthenticated datagrams: restrict UDP/514 on the management interface to the sensor's address with the host firewall, otherwise anyone able to reach it can forge entries and raise violations against arbitrary clients.

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

The configuration of the new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

The configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: the scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: the MD5 hash returned by Suricata
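The trigger types above are fed by whatever reaches the suricata_files FIFO. The Python below is an added example, not part of this guide and not PacketFence's own parser: it takes constructed files-json.log lines as they would arrive through the syslog-ng/rsyslog chain described above, discards noise and incomplete (TRUNCATED) transfers, normalises the hash and matches it against suricata_md5 triggers. The syslog prefix on the lines, the JSON key names (state, md5, srcip, dstip, http_host, filename) and the "suricata_md5::<hash>" spelling of a trigger are assumptions modelled on Suricata's files-json.log and on the type::id trigger form used elsewhere in this guide; the log lines and violation ids are constructed. The flow initiator (srcip) is reported as the client, and mapping that IP to a MAC, which PacketFence would do before raising the violation, is not modelled.

```python
"""Match Suricata files-json.log entries, as forwarded into PacketFence's FIFO, against
suricata_md5 violation triggers. Added example, not PacketFence's own parser. Assumed: a
forwarded line may carry a syslog prefix before the JSON object (rsyslog's default file
template); the JSON keys follow Suricata's files-json.log (state, md5, srcip, dstip,
http_host, filename); a trigger is written "suricata_md5::<hash>" like the other type::id
triggers in this guide. All lines and violation ids below are constructed."""
import json
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed violation definitions: violation id -> list of triggers.
# 44d88612fea8a8f36de82e1278abb02f is the MD5 of the EICAR test file; the second hash is
# md5("a"), written upper-case to show that matching is case-insensitive.
VIOLATIONS = {
    "5000001": ["suricata_md5::44d88612fea8a8f36de82e1278abb02f"],
    "5000002": ["suricata_md5::0CC175B9C0F1B6A831C399E269772661", "suricata_event::Trojan"],
}

SAMPLE_LINES = [
    # complete download of the EICAR file: must hit 5000001
    'Jun 20 10:15:23 sensor1 suricata_files: {"timestamp": "06/20/2016-10:15:23.091345", '
    '"ipver": 4, "srcip": "192.168.2.45", "dstip": "203.0.113.10", "protocol": 6, "sp": 49212, '
    '"dp": 80, "http_host": "files.example.test", "filename": "/eicar.com", '
    '"magic": "EICAR virus test files", "state": "CLOSED", '
    '"md5": "44d88612fea8a8f36de82e1278abb02f", "stored": false, "size": 68}',
    # same file but the transfer was cut: Suricata reports TRUNCATED, no usable hash
    '{"timestamp": "06/20/2016-10:16:01.000000", "srcip": "192.168.2.46", "dstip": "203.0.113.10", '
    '"http_host": "files.example.test", "filename": "/eicar.com", "state": "TRUNCATED", "size": 12}',
    # a complete file whose hash matches the upper-case trigger of 5000002
    'Jun 20 10:17:45 sensor1 suricata_files: {"timestamp": "06/20/2016-10:17:45.500000", '
    '"srcip": "192.168.2.47", "dstip": "198.51.100.7", "http_host": "cdn.example.test", '
    '"filename": "/a.bin", "state": "CLOSED", "md5": "0cc175b9c0f1b6a831c399e269772661", "size": 1}',
    # noise that reaches the FIFO but is not a file record
    'Jun 20 10:18:00 sensor1 suricata_files: stats: files=3',
    # a complete, unknown (empty) file: no trigger matches
    '{"srcip": "192.168.2.48", "dstip": "198.51.100.7", "http_host": "cdn.example.test", '
    '"filename": "/ok.pdf", "state": "CLOSED", "md5": "d41d8cd98f00b204e9800998ecf8427e", "size": 0}',
]


def parse_line(line):
    """Return the JSON object embedded in a forwarded line, or None if there is none."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except ValueError:
        return None
    return record if isinstance(record, dict) else None


def md5_index(violations):
    """Map each suricata_md5 trigger hash (lower-cased) to the violation ids it raises."""
    index = {}
    for vid, triggers in violations.items():
        for trigger in triggers:
            kind, _, ident = trigger.partition("::")
            if kind == "suricata_md5" and MD5_RE.match(ident.lower()):
                index.setdefault(ident.lower(), []).append(vid)
    return index


def match_lines(lines, violations=VIOLATIONS):
    """One hit per (complete file, matching violation); partial transfers are ignored."""
    index = md5_index(violations)
    hits = []
    for line in lines:
        record = parse_line(line)
        if record is None or record.get("state") != "CLOSED":
            continue  # TRUNCATED/ERROR transfers carry no trustworthy hash of the full file
        digest = str(record.get("md5", "")).lower()
        if not MD5_RE.match(digest):
            continue
        for vid in index.get(digest, []):
            hits.append({"vid": vid, "md5": digest, "client": record.get("srcip"),
                         "server": record.get("dstip"), "host": record.get("http_host"),
                         "file": record.get("filename")})
    return hits


if __name__ == "__main__":
    for hit in match_lines(SAMPLE_LINES):
        print("violation %(vid)s for %(client)s: %(host)s%(file)s md5=%(md5)s" % hit)
```

Only CLOSED records are considered because a truncated transfer hashes a partial file, and an attacker who can abort downloads would otherwise evade a hash-based trigger. Feeding the same parser a second violation with a metascan trigger would require the Metadefender verdict, which is not available offline.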

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor alerts. syslog is used to forward sensor alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf (and, as with the Suricata integration, restrict UDP/514 on the management interface to the Security Onion master with the host firewall, since imudp accepts unauthenticated datagrams):

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full use of the Security Onion IDS integration.

The configuration of the new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

The configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: the IDS triggered rule ID

Type: suricata_event
Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so; otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of a violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated peer-to-peer traffic and that are using Mac OS X, or have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where

Enabled is whether or not the violation is currently activated (should be ON).

Identifier is the violation ID: any integer except the 1200000-1200099 range, which is reserved for required administration violations.

Description is the user friendly description of the violation.

Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node.

Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.

Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas.

Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.

Log message will log the violation in the log file defined in [alerting].log.

External command will execute a command on the operating system when this violation is raised.

Close a violation will close an existing violation for this device when this one is raised.

Set role will modify the role of the device.


Enforce provisioning will trigger a compliance check on the provisioners defined for the device.

Priority defines the order in which violations should be handled, should there be more than one for a device.

Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example it will be these two cases: a device that has generated peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP server.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After this number of releases, the user will not be able to release the violation anymore and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


Delay by is the delay before triggering the violation.

Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific operating system only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus server, and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication, and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: only devices with these role(s) will be affected (optional)
OS: only devices with this operating system will be affected (optional)
Duration: approximate duration of the scan (progress bar on the captive portal)
Scan before registration: trigger the scan when the device appears on the registration VLAN
Scan after registration: trigger the scan just after registration on the captive portal
Scan after registration (production network): trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: even if auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: hostname or IP address where Nessus is running
Username: username to connect to the Nessus scanner
Password: password to connect to the Nessus scanner
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: hostname or IP address where OpenVAS is running
Username: username to connect to the OpenVAS scanner
Password: password to connect to the OpenVAS scanner
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: a username from Active Directory that is allowed to connect to WMI
Domain: domain of the Active Directory
Password: password of the account
WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL-like request (WQL). In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged-in user on the device and register the device based on that user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand.

The request is the SQL-like request you will launch on the remote device; you must know what the request will return to write the test.

Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).


The test block is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocks.

The action block is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin reports higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more of the scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for incoming (download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for outgoing (upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for total (download + upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
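As an added example of the trigger format and of the grace-period advice above (not PacketFence code), the Python below parses Accounting::<DIRECTION><LIMIT><INTERVAL> triggers, sums a node's constructed accounting records over the trigger's window, reports whether the limit is exceeded, and derives a grace period of one interval window. Assumptions: a month is taken as 30 days and a year as 365 for the window length; a limit is violated when usage is strictly greater than it; which of Acct-Input-Octets and Acct-Output-Octets is "download" depends on the NAS's point of view, so the records simply carry download and upload columns; the records and timestamps are constructed.

```python
"""Parse PacketFence's Accounting::<DIR><LIMIT><INTERVAL> violation triggers and test them
against per-session byte counters. Added example, not PacketFence code. Assumed: bytes are
summed over every record stamped inside the window ending at `now`; a month is 30 days and a
year 365 days for the window length; the records below are constructed."""
import re
from datetime import datetime, timedelta

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVALS = {"D": timedelta(days=1), "W": timedelta(weeks=1),
             "M": timedelta(days=30), "Y": timedelta(days=365)}
TRIGGER = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")

GB, MB = UNITS["GB"], UNITS["MB"]
NOW = datetime(2016, 6, 30, 12, 0)
# Constructed accounting records for one node: (session stamp, bytes downloaded, bytes uploaded).
# Which of Acct-Input-Octets / Acct-Output-Octets is "download" depends on the NAS's viewpoint.
SAMPLE_RECORDS = [
    (datetime(2016, 5, 15, 9, 0), 40 * GB, 5 * GB),      # older than any window used below
    (datetime(2016, 6, 1, 0, 0), 20 * GB, 1 * GB),
    (datetime(2016, 6, 20, 8, 0), 25 * GB, 2 * GB),
    (datetime(2016, 6, 29, 18, 0), 10 * GB, 600 * MB),
]


def parse_trigger(text):
    """Return (direction, limit_in_bytes, window_or_None) for e.g. Accounting::IN50GB1M."""
    m = TRIGGER.match(text)
    if not m:
        raise ValueError("not an accounting trigger: %r" % text)
    direction, amount, unit, count, scale = m.groups()
    window = INTERVALS[scale] * int(count) if count else None  # no interval: all-time total
    return direction, int(amount) * UNITS[unit], window


def bytes_used(direction, records, now, window=None):
    """Sum bytes in `direction` over records stamped within [now - window, now]."""
    since = now - window if window else None
    total = 0
    for stamp, down, up in records:
        if stamp > now or (since is not None and stamp < since):
            continue
        total += {"IN": down, "OUT": up, "TOT": down + up}[direction]
    return total


def violates(trigger, records, now=NOW):
    """True when the node's usage exceeds the trigger's limit inside its window."""
    direction, limit, window = parse_trigger(trigger)
    return bytes_used(direction, records, now, window) > limit


def recommended_grace(trigger):
    """Grace in seconds equal to one interval window, as the guide suggests; None without one."""
    window = parse_trigger(trigger)[2]
    return int(window.total_seconds()) if window else None


def demo(records=SAMPLE_RECORDS, now=NOW):
    """Evaluate the guide's three example triggers against the constructed records."""
    return {t: violates(t, records, now)
            for t in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W")}


if __name__ == "__main__":
    for trigger, hit in demo().items():
        print(trigger, "VIOLATION" if hit else "ok", "grace=%ss" % recommended_grace(trigger))
```

With the constructed records, IN50GB1M fires (55 GB downloaded in the last 30 days once the May session drops out of the window), OUT500MB1D fires on the 600 MB uploaded in the last 24 hours, and TOT200GB1W does not. A grace of one window means that after the user releases the violation the same records cannot re-trigger it until they have aged out.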

Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3...) or to import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the /signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

CautionPre-registrationincreasestheattacksurfaceofthePacketFencesystemsinceasubsetofitrsquosfunctionnalityisexposedontheInternetMakesureyouunderstandtherisksapplythecriticaloperatingsystemupdatesandapplyPacketFencersquossecurityfixes

NoteAportalinterfacetypeisrequiredtousethisfeatureAportalinterfacetypecanbeaddedtoanynetworkinterfaceusingthewebadminGUI


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the units of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
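To make the grammar above concrete, here is an added Python example (this editor's code, not PacketFence's own Perl implementation in pf::config) that parses an access-duration string and computes the resulting unregistration date. The reading of F and R is an assumption drawn from the definitions above: R truncates the reference time to the start of the current DATETIME_UNIT period before adding DURATION (weeks starting on Monday), F counts from the reference time itself; verify unusual values against your PacketFence version before relying on them. Month and year arithmetic clamps to the last day of the target month.

```python
import calendar
import re
from datetime import datetime, timedelta

# Grammar from the guide: <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(
    r"^(?P<n>\d+)(?P<unit>[smhDWMY])"
    r"(?:(?P<base>[FR])(?P<op>[+-])(?P<dn>\d+)(?P<dunit>[DWMY]))?$"
)
FIXED_SECONDS = {"s": 1, "m": 60, "h": 3600, "D": 86400, "W": 7 * 86400}


def add_units(when, n, unit):
    """Add n units (n may be negative). s/m/h/D/W have fixed lengths; M/Y walk the
    calendar and clamp the day to the target month's length (Jan 31 + 1M = Feb 29)."""
    if unit in FIXED_SECONDS:
        return when + timedelta(seconds=n * FIXED_SECONDS[unit])
    months = n * (12 if unit == "Y" else 1)
    total = when.month - 1 + months
    year, month = when.year + total // 12, total % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def period_start(when, unit):
    """Truncate to the beginning of the current unit; weeks start on Monday."""
    if unit == "s":
        return when.replace(microsecond=0)
    if unit == "m":
        return when.replace(second=0, microsecond=0)
    if unit == "h":
        return when.replace(minute=0, second=0, microsecond=0)
    day = when.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "Y"


def access_expiry(spec, now):
    """Return the unregistration datetime for an access-duration string.

    Assumed reading of the grammar (editor's interpretation, not copied from pf::config):
      R -> start counting from the beginning of the current DATETIME_UNIT period
      F -> start counting from `now` itself
    then add DURATION units, then apply OPERATOR DURATION DATE_UNIT."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"invalid access duration: {spec!r}")
    n, unit = int(m["n"]), m["unit"]
    if m["base"] is None:
        return add_units(now, n, unit)
    base = period_start(now, unit) if m["base"] == "R" else now
    expiry = add_units(base, n, unit)
    delta = int(m["dn"]) if m["op"] == "+" else -int(m["dn"])
    return add_units(expiry, delta, m["dunit"])


def unregdate(spec, now_str):
    """Convenience wrapper using the unregdate format seen in pfcmd output (YYYY-MM-DD HH:MM:SS)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return access_expiry(spec, datetime.strptime(now_str, fmt)).strftime(fmt)


def validate_choices(csv):
    """Check an access_duration_choices value before saving it; returns the bad entries."""
    return [c for c in csv.split(",") if not DURATION_RE.match(c.strip())]


if __name__ == "__main__":
    for spec in ("12h", "1DR+1D", "1WR-1D", "1MF+0D"):
        print(spec, "->", unregdate(spec, "2016-06-15 14:30:00"))
```

Running the script shows why the two bases differ: with a reference time of Wednesday 2016-06-15 14:30, "1DR+1D" expires at midnight two days later, "1WR-1D" expires at the end of the current week (Monday-based), while "12h" is a plain offset.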

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


#
# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin" # Username for the webservices (use a dedicated account, not the admin/admin sample values)
     $password = "admin" # Password for the webservices
     # Accepts any server certificate: replace with proper CA trust before production use
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # ReplacementStrings[0] is the target account name of event 4726
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes,0,$bytes.Length)
     $stream.close()
     $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select "Run a new instance in parallel" in the list, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

#
# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin" # Username for the webservices (use a dedicated account, not the admin/admin sample values)
     $password = "admin" # Password for the webservices
     # Accepts any server certificate: replace with proper CA trust before production use
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # ReplacementStrings[0] is the target account name of event 4725
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes,0,$bytes.Length)
     $stream.close()
     $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select "Run a new instance in parallel" in the list.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


#
# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin" # Username for the webservices (use a dedicated account, not the admin/admin sample values)
     $password = "admin" # Password for the webservices
     # Accepts any server certificate: replace with proper CA trust before production use
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # ReplacementStrings[0] is the target account name of event 4740
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes,0,$bytes.Length)
     $stream.close()
     $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select "Run a new instance in parallel" in the list.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
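The three scripts above build the JSON-RPC body by string concatenation and switch off TLS certificate validation. The following added Python example (this editor's code, not part of the guide or of PacketFence) shows the same unreg_node_for_pid call built with a JSON serializer, so an account name containing a double quote cannot change the structure of the request, and sent with certificate verification against a CA file. The URL, account names and CA path are placeholders, and HTTP Basic authentication against the Web Services credentials is an assumption; the constructed account names exist only to exercise the two builders.

```python
import base64
import json
import ssl
import urllib.request

METHOD = "unreg_node_for_pid"


def build_unreg_request(pid):
    """Serialise the call with json.dumps: quotes and backslashes in the account
    name are escaped, so `pid` always arrives as one JSON string parameter."""
    msg = {"jsonrpc": "2.0", "method": METHOD, "params": ["pid", pid]}
    return json.dumps(msg).encode("utf-8")


def build_unreg_request_naive(pid):
    """String concatenation as in the PowerShell scripts above, kept for contrast:
    a quote in `pid` terminates the string early and corrupts the request."""
    body = '{"jsonrpc": "2.0", "method": "' + METHOD + '", "params": ["pid", "' + pid + '"]}'
    return body.encode("utf-8")


def decode_params(body):
    """Return the params list of a request body, or None if it is not valid JSON."""
    try:
        return json.loads(body).get("params")
    except ValueError:
        return None


def is_well_formed(body):
    """A request is acceptable only if it parses and carries exactly ["pid", <one name>]."""
    params = decode_params(body)
    return isinstance(params, list) and len(params) == 2 and params[0] == "pid"


def send_unreg(url, username, password, pid, cafile):
    """POST the call with certificate verification pinned to `cafile` (placeholder path),
    instead of the accept-anything callback used in the scripts above. Not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=build_unreg_request(pid), method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", f"Basic {token}")  # assumption: Basic auth for Web Services
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed account names: a normal one and two that break the concatenated form.
    for name in ("jdoe", 'j"doe', 'x", "y'):
        print(repr(name), "naive ok:", is_well_formed(build_unreg_request_naive(name)),
              "safe ok:", is_well_formed(build_unreg_request(name)))
```

The third constructed name turns the concatenated body into a call with three parameters, which is exactly the kind of shape change a serializer prevents; the same reasoning applies to the PowerShell scripts if ConvertTo-Json is used instead of string joins.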

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

# where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l)
# where 192.168.1.5 is the management IP of your PacketFence server
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule of an internal source.

Chapter 14

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to add some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation, keeping old logs with compression. It has been added during PacketFence's initial installation.

Chapter 15

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.
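As an added illustration (this editor's code, not PacketFence's trap handler), the following Python sliding-window counter reproduces the policy described above: more than trap_limit_threshold traps from one (switch, port) within a minute fires the configured action once for that port, so a single noisy switch port cannot keep the daemon busy or cause repeated shutdowns. Traps are constructed tuples of (switch IP, ifIndex, timestamp in seconds), assumed to arrive in time order; the switch addresses and ifIndex values are placeholders.

```python
from collections import defaultdict, deque


class TrapLimiter:
    """Per-(switch, port) sliding-window counter modelled on trap_limit_threshold.

    Illustration only; the real counter lives in PacketFence's trap processing.
    `window` defaults to 60 s because the guide counts traps per minute."""

    def __init__(self, threshold=100, window=60.0, action=None):
        self.threshold = threshold
        self.window = window
        self.action = action  # called once per port as action(switch, port, count)
        self._seen = defaultdict(deque)
        self.tripped = set()

    def trap(self, switch, port, ts):
        """Record one trap at time `ts` (seconds, non-decreasing). Returns True when this
        trap is the first to exceed the threshold for that port; later traps from a
        tripped port are still counted but do not fire the action again."""
        key = (switch, port)
        window = self._seen[key]
        window.append(ts)
        while window and ts - window[0] > self.window:  # drop traps older than the window
            window.popleft()
        if len(window) > self.threshold and key not in self.tripped:
            self.tripped.add(key)
            if self.action:
                self.action(switch, port, len(window))
            return True
        return False


def replay(traps, threshold=100):
    """Run (switch, port, ts) tuples through the limiter; return the ports that would
    receive the trap_limit_action (shut + email in the guide's example) and the count."""
    shut = []
    limiter = TrapLimiter(threshold, action=lambda sw, p, n: shut.append((sw, p, n)))
    for switch, port, ts in traps:
        limiter.trap(switch, port, ts)
    return shut


def trap_storm(switch, port, count, interval, start=0.0):
    """Constructed sample input: `count` traps from one port, `interval` seconds apart."""
    return [(switch, port, start + i * interval) for i in range(count)]


if __name__ == "__main__":
    # Constructed scenarios: a burst that trips the limit and a steady trickle that does not.
    print("burst :", replay(trap_storm("192.168.1.10", 10001, 500, 0.01)))
    print("steady:", replay(trap_storm("192.168.1.10", 10001, 300, 1.0)))
```

The steady case shows the threshold is a rate, not a total: 300 traps one second apart never hold more than 61 entries in the window, while 101 traps inside ten seconds trip it immediately.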

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

# uptime
 11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0   32.40         0.00      1560.00          0       7800
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0    7.80         0.00        73.60          0        368
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0   31.40         0.00      1427.20          0       7136
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0   27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO wait is peaking at 20%: this is not good. If your IO wait is low but your MySQL is taking 50% or more of the CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL: [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

# uptime
 12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0    8.00         0.00        75.20          0        376
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0   14.97         0.00       432.73          0       2168
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60
Device:        tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0    4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/pf/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error, and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. Ways to do so are to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

service packetfence stop

Create an ext4 filesystem:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:


mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak

Chapter 16

Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions

Chapter 17

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.

Chapter 18

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


Usage: pfcmd <command> [options]

Commands:
  cache                        | manage the cache subsystem
  checkup                      | perform a sanity checkup and report any problems
  class                        | view violation classes
  configfiles                  | push or pull configfiles into/from database
  configreload                 | reload the configuration
  floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
  help                         | show help for pfcmd commands
  ifoctetshistorymac           | accounting history
  ifoctetshistoryswitch        | accounting history
  ifoctetshistoryuser          | accounting history
  import                       | bulk import of information into the database
  ipmachistory                 | IP/MAC history
  locationhistorymac           | Switch/Port history
  locationhistoryswitch        | Switch/Port history
  networkconfig                | query/modify network configuration parameters
  node                         | manipulate node entries
  pfconfig                     | interact with pfconfig
  portalprofileconfig          | query/modify portal profile configuration parameters
  reload                       | rebuild fingerprint or violations tables without restart
  service                      | start/stop/restart and get PF daemon status
  schedule                     | Nessus scan scheduling
  switchconfig                 | query/modify switches.conf configuration parameters
  version                      | output version information
  violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate        de-authenticate a dot11 client
  -deauthenticateDot1x   de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias              show the description of the specified switch port
  -getAllMACs            show all MACs on all switch ports
  -getHubs               show switch ports with several MACs
  -getIfOperStatus       show the operational status of the specified switch port
  -getIfType             show the ifType on the specified switch port
  -getLocation           show at which switch port the MAC is found
  -getSwitchLocation     show SNMP location of specified switch
  -getMAC                show all MACs on the specified switch port
  -getType               show switch type
  -getUpLinks            show the upLinks of the specified switch
  -getVersion            show switch OS version
  -getVlan               show the VLAN on the specified switch port
  -getVlanType           show the VLAN type on the specified port
  -help                  brief help message
  -isolate               set the switch port to the isolation VLAN
  -man                   full documentation
  -reAssignVlan          re-assign a switch port VLAN
  -reevaluateAccess      reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod       run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias              set the description of the specified switch port
  -setDefaultVlan        set the switch port to the default VLAN
  -setIfAdminStatus      set the admin status of the specified switch port
  -setVlan               set VLAN on the specified switch port
  -setVlanAllPort        set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias           switch port description
  -ifAdminStatus   ifAdminStatus
  -ifIndex         switch port ifIndex
  -mac             MAC address
  -showPF          show additional information available in PF
  -switch          switch description
  -verbose         log verbosity level: 0 fatal messages, 1 warn messages, 2 info messages, 3 debug, 4 trace
  -vlan            VLAN id
  -vlanName        VLAN name (as in switches.conf)

Table of Contents (continued)

Passthrough 79
Production DHCP access 80
Proxy Interception 81
Routed Networks 82
Statement of Health (SoH) 85
VLAN Filter Definition 86
RADIUS Filter Definition 88
DNS enforcement 90
Parked devices 90

Optional components 92
Blocking malicious activities with violations 92
Compliance Checks 100
RADIUS Accounting 105
Oinkmaster 106
Guests Management 107
Active Directory Integration 110
DHCP remote sensor 115
Switch login access 117

Operating System Best Practices 118
IPTables 118
Log Rotations 118

Performance optimization 119
SNMP Traps Limit 119
MySQL optimizations 119
Captive Portal Optimizations 122
Dashboard Optimizations (statistics collection) 123

Additional Information 125
Commercial Support and Contact Information 126
GNU Free Documentation License 127
A. Administration Tools 128
pfcmd 128
pfcmd_vlan 129

Chapter 1

About this Guide

This guide will walk you through the installation and the day-to-day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs:

Network Devices Configuration Guide (pdf): Covers switch, controller and access point configuration.

Developer's Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS: This is, at least, a partial file of PacketFence contributors.

NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog: Covers all changes to the source code.

Chapter 2

Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set, including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security, while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as a hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous


environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system.


Based on the nodersquos current status(unregisteredopenviolationetc)theuseris redirected to the appropriate URL Inthe case of a violation the user willbe presented with instructions for theparticular situation heshe is in reducingcostlyhelpdeskintervention

Firewallintegration PacketFence provides Single-Sign Onfeatures with many firewalls Uponconnection on the wired or wirelessnetwork PacketFence can dynamicallyupdatetheIPuserassociationonfirewallsforthemtoapplyifrequiredper-userorper-groupfilteringpolicies

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.

A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:

- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up: PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor: even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note

Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian: All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS: In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:

yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian: For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.

Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.

Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication: 802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have 802.1X supplicants, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where a 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication: Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), upon which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.

Web Auth mode: Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP: Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN but the PC doesn't do DHCP (it didn't detect the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.

Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window: "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.
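The trigger evaluation described above, as an added example that is not PacketFence's own code: it parses a comma-separated trigger string of ALWAYS, PORT::<ifIndex>, MAC::<mac> and SSID::<name> entries and decides whether a given connection goes inline. The Connection class, the MAC normalisation and the strict rejection of unknown trigger types are assumptions made for this example.

```python
"""Evaluate a PacketFence-style "Trigger to enable inline mode" string.

Added example, not PacketFence's own code. It assumes the trigger syntax
described in the guide: a comma-separated list of ALWAYS, PORT::<ifIndex>,
MAC::<mac> and SSID::<name> entries; any matching entry selects inline mode.
The Connection fields and the helpers are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """What PacketFence knows about an access request at RADIUS time."""
    mac: str
    if_index: Optional[int] = None   # wired: switch port ifIndex
    ssid: Optional[str] = None       # wireless: SSID the client joined


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-33-44-55 == 00:11:22:33:44:55."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_trigger(spec: str) -> List[Tuple[str, str]]:
    """Turn 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into [(type, value), ...].

    Unknown trigger types are rejected rather than silently ignored (this
    example's choice), so a typo cannot quietly disable inline enforcement.
    """
    triggers = []
    for raw in spec.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw.upper() == "ALWAYS":
            triggers.append(("ALWAYS", ""))
            continue
        kind, sep, value = raw.partition("::")
        kind = kind.upper()
        if not sep or kind not in ("PORT", "MAC", "SSID") or not value:
            raise ValueError(f"invalid inline trigger: {raw!r}")
        if kind == "MAC":
            value = normalize_mac(value)
        elif kind == "PORT":
            value = str(int(value))  # ifIndex must be numeric
        triggers.append((kind, value))
    return triggers


def should_use_inline(spec: str, conn: Connection) -> bool:
    """True when any trigger matches the connection (OR semantics)."""
    mac = normalize_mac(conn.mac)
    for kind, value in parse_trigger(spec):
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and value == mac:
            return True
        if kind == "PORT" and conn.if_index is not None and value == str(conn.if_index):
            return True
        if kind == "SSID" and conn.ssid is not None and value == conn.ssid:
            return True
    return False


if __name__ == "__main__":
    spec = "SSID::GuestAccess,MAC::00:11:22:33:44:55"  # the example from the guide
    guest = Connection(mac="aa:bb:cc:dd:ee:ff", ssid="GuestAccess")
    staff = Connection(mac="aa:bb:cc:dd:ee:ff", ssid="Corp")
    listed = Connection(mac="00-11-22-33-44-55", ssid="Corp")
    print(should_use_inline(spec, guest))   # True: SSID matched
    print(should_use_inline(spec, staff))   # False: neither trigger matched
    print(should_use_inline(spec, listed))  # True: MAC matched on another SSID
```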


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443/

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- Email
- External HTTP API
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth2)
- Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a first-match-wins operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them under Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
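The ordered sources / ordered rules / first-match-wins evaluation explained above, with the guide's ad1 employee catch-all and a local guest source, as an added example that is not PacketFence's own code. The Source/Rule/Condition classes, the operator set, and the in-memory user tables that stand in for the AD and SQL lookups are constructed for this example; as in the Note above, a catch-all only matches once the source itself has resolved the username.

```python
"""First-match-wins evaluation of authentication sources, rules, conditions
and actions. Added example, not PacketFence's own code; the data model and
the dictionaries standing in for AD/LDAP and SQL lookups are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A condition compares one user attribute against a value with an operator.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "starts_with": lambda actual, expected: actual.startswith(expected),
    "contains": lambda actual, expected: expected in actual,
}


@dataclass
class Condition:
    attribute: str
    operator: str
    value: str

    def matches(self, attrs: Dict[str, str]) -> bool:
        actual = attrs.get(self.attribute)
        return actual is not None and OPERATORS[self.operator](actual, self.value)


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # empty list = catch-all (fallback) rule
    actions: Dict[str, str]       # e.g. {"set_role": "employee"}

    def matches(self, attrs: Dict[str, str]) -> bool:
        # A catch-all matches every user the source resolved; otherwise all
        # conditions must hold (all() of an empty list is True).
        return all(c.matches(attrs) for c in self.conditions)


@dataclass
class Source:
    name: str
    # Stand-in for the directory lookup: username -> attributes, or None when
    # this source does not know the user (then even a catch-all does not fire).
    lookup: Callable[[str], Optional[Dict[str, str]]]
    rules: List[Rule] = field(default_factory=list)


def compute_actions(sources: List[Source], username: str) -> Optional[Dict[str, str]]:
    """Walk sources, then rules, in order; stop at the first matching rule."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue  # unknown here: try the next source
        for rule in source.rules:
            if rule.matches(attrs):
                return dict(rule.actions, matched_by=f"{source.name}/{rule.name}")
    return None  # no source/rule matched: authentication is refused


# Constructed directory contents for the guide's acme.local example.
AD_USERS = {
    "jdoe": {"sAMAccountName": "jdoe", "memberOf": "CN=IT,CN=Users,DC=acme,DC=local"},
    "asmith": {"sAMAccountName": "asmith", "memberOf": "CN=Sales,CN=Users,DC=acme,DC=local"},
}
SQL_GUESTS = {"visitor1": {"username": "visitor1"}}

ad1 = Source(
    name="ad1",
    lookup=lambda u: AD_USERS.get(u),
    rules=[
        # Ordered: a specific IT rule first, then the guide's catch-all rule.
        Rule("it_staff", [Condition("memberOf", "starts_with", "CN=IT,")],
             {"set_role": "it", "set_unregdate": "2020-01-01"}),
        Rule("employees", [], {"set_role": "employee", "set_unregdate": "2020-01-01"}),
    ],
)
local = Source(
    name="local",
    lookup=lambda u: SQL_GUESTS.get(u),
    rules=[Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"})],
)
SOURCES = [ad1, local]  # tested in this order, like the list in a portal profile

if __name__ == "__main__":
    for user in ("jdoe", "asmith", "visitor1", "nobody"):
        print(user, compute_actions(SOURCES, user))
```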

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed

Example JSON response:

{"result": 1, "message": "Valid username and password"}


Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration": "1D", "access_level": "ALL", "sponsor": 1, "unregdate": "2030-01-01", "category": "default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
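A minimal external API implementing both actions against the contract described above (form-encoded POST fields in, the result/message and attribute JSON replies out, RFC 2617 basic auth checked on every request), as an added example that is neither PacketFence's code nor the addons/example_external_auth script. The user table, the field names username and password, the paths /authentication and /authorization and the API credentials are assumptions constructed for this example.

```python
"""Minimal external HTTP API for PacketFence's External API source.

Added example, not PacketFence's own code. Assumes: form-encoded POST fields
"username"/"password", an /authentication action replying {"result","message"}
and an /authorization action replying a subset of access_duration, access_level,
sponsor, unregdate and category. User table and API credentials are constructed.
"""
import base64
import hmac
import json
from hashlib import pbkdf2_hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.parse import parse_qs

SALT = b"constructed-static-salt"  # demo only; use a random per-user salt in practice


def _hash(password: str) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed user table: username -> (password hash, authorization attributes)
USERS = {
    "alice": (_hash("correct horse"), {"access_duration": "1D", "category": "default"}),
    "bob": (_hash("battery staple"), {"unregdate": "2030-01-01", "access_level": "ALL", "sponsor": 1}),
}
# What goes in the source's "API username and password" fields (constructed)
API_USER, API_PASSWORD = "packetfence", "constructed-api-secret"


def authenticate(fields: Dict[str, str]) -> Dict[str, object]:
    """Authentication action: is the username/password combination valid?"""
    entry = USERS.get(fields.get("username", ""))
    candidate = _hash(fields.get("password", ""))
    # Hash and compare even for unknown users so timing does not reveal them.
    stored = entry[0] if entry else bytes(len(candidate))
    if entry is not None and hmac.compare_digest(candidate, stored):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields: Dict[str, str]) -> Dict[str, object]:
    """Authorization action: return only the attributes this user needs."""
    entry = USERS.get(fields.get("username", ""))
    return dict(entry[1]) if entry else {}


def basic_auth_header(user: str, password: str) -> str:
    """Build the RFC 2617 header a client (PacketFence) sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header: Optional[str]) -> bool:
    """Validate the Authorization header; both parts compared in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    return hmac.compare_digest(user.encode(), API_USER.encode()) and \
        hmac.compare_digest(pw.encode(), API_PASSWORD.encode())


ACTIONS = {"/authentication": authenticate, "/authorization": authorize}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        action = ACTIONS.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        fields = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Matching source fields: Host http://127.0.0.1:8080, Authentication URL
    # "authentication", Authorization URL "authorization" (slash is prefixed).
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```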

SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml

Then transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.


Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml)

Path to Identity Provider cert is the path to the certificate of the identity provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/idp.crt)


Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco Switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning

Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).


PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.


Caution

Make sure that the roles are properly defined on the network devices prior to assigning roles.
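To make the default-section fallback, the working modes and the role mapping concrete, here is an added example (not PacketFence code) that parses a constructed switches.conf fragment and resolves the effective settings for each switch. The switch sections, their values and the indented multi-line layout of the roles value are assumptions made for this example.

```python
"""Added example (not PacketFence code): resolve the effective configuration
of a switch from a switches.conf fragment, as the guide describes it: the
[default] section supplies the SNMP communities, the working mode and the
role mapping, and a per-switch section may override any of those keys."""
import configparser
import re

# Constructed sample (not a real deployment).  The second switch inherits the
# testing mode from [default]; the controller replaces the global roles value.
SWITCHES_CONF = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = testing
radiusSecret = secretPassPhrase
roles = adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

[192.168.1.10]
description = Access switch, first floor
type = Cisco::Catalyst_2960
mode = production
uplink = 24,25

[192.168.1.20]
description = Wireless controller
type = Cisco::WLC
roles = adminRole=employee
    salesRole=guest
"""

VALID_MODES = {"testing", "registration", "production"}


def load_switches(text):
    """Parse the INI-style text.  Interpolation is off so '%' in secrets is
    literal, and optionxform keeps keys such as SNMPCommunityRead as typed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


CONF = load_switches(SWITCHES_CONF)


def effective_config(cp, switch_id):
    """Merge the switch section over [default]: any key missing from the
    switch section falls back to the default value."""
    if not cp.has_section(switch_id):
        raise KeyError("no section for switch %s" % switch_id)
    merged = dict(cp["default"]) if cp.has_section("default") else {}
    merged.update(cp[switch_id])
    mode = merged.get("mode", "").strip().lower()
    if mode not in VALID_MODES:
        raise ValueError("switch %s: unknown working mode %r" % (switch_id, mode))
    merged["mode"] = mode
    return merged


# One mapping per line: <rolename>Role=<controller_role>
ROLE_RE = re.compile(r"^(?P<pf_role>[^=;]+)Role=(?P<device_role>[^;]+)$")


def parse_roles(roles_value):
    """Turn the roles value into {packetfence_role: device_role}; the entries
    may be separated by newlines (as on the page) or by semicolons."""
    mapping = {}
    for item in filter(None, (s.strip() for s in re.split(r"[;\n]", roles_value))):
        m = ROLE_RE.match(item)
        if not m:
            raise ValueError("malformed role mapping: %r" % item)
        mapping[m.group("pf_role").strip()] = m.group("device_role").strip()
    return mapping


def device_role_for(cp, switch_id, node_role):
    """Role the device receives for a node of the given PacketFence role, or
    None when the switch (or the default section) has no mapping for it."""
    return parse_roles(effective_config(cp, switch_id).get("roles", "")).get(node_role)


def would_write_vlan(cp, switch_id):
    """Only a switch in production mode receives SNMP writes from pfsetvlan;
    in testing and registration modes the change is only logged."""
    return effective_config(cp, switch_id)["mode"] == "production"


if __name__ == "__main__":
    for sw in ("192.168.1.10", "192.168.1.20"):
        conf = effective_config(CONF, sw)
        print(sw, conf["mode"], conf["SNMPCommunityRead"],
              device_role_for(CONF, sw, "sales"), would_write_vlan(CONF, sw))
```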

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

- Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

- IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.

When configured, a portal profile will override the default values for which it is configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

SSID: Guest-SSID

VLAN: 100

Switch Port: <SwitchId>-<Port>

Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with a 802.1x connection or if you use VLAN filters.
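As an added example (not PacketFence code), the following selects a portal profile from the SSID, VLAN, Switch Port and Network filters listed above. The Type:value filter spelling, the first-match ordering and the sample profiles are assumptions made for this example.

```python
"""Added example (not PacketFence code): choose the portal profile whose
filter matches a connecting client, for the four most common filter types
named in the guide (SSID, VLAN, Switch Port as <SwitchId>-<Port>, Network
as CIDR or single IP).  Profiles are tried in order; the first match wins
and the default profile applies when none matches (assumed ordering)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Client:
    """What the portal knows about the connecting device (constructed)."""
    ssid: str = ""
    vlan: Optional[int] = None
    switch_id: str = ""
    port: str = ""
    ip: str = ""


@dataclass
class Profile:
    name: str
    filters: List[str] = field(default_factory=list)  # any one matching selects it


def filter_matches(spec, client):
    """Evaluate one 'Type:value' filter against the client."""
    kind, sep, value = spec.partition(":")
    if not sep or not value:
        raise ValueError("filter must be Type:value, got %r" % spec)
    kind = kind.replace(" ", "").lower()
    if kind == "ssid":
        return client.ssid == value
    if kind == "vlan":
        return client.vlan is not None and client.vlan == int(value)
    if kind == "switchport":
        # <SwitchId>-<Port>: split on the last dash so a switch identifier
        # that itself contains a dash still parses.
        switch_id, dash, port = value.rpartition("-")
        if not dash:
            raise ValueError("SwitchPort filter needs <SwitchId>-<Port>: %r" % value)
        return client.switch_id == switch_id and client.port == port
    if kind == "network":
        if not client.ip:
            return False
        # ip_network accepts both "10.20.0.0/16" and a bare "10.20.5.1" (/32)
        return ipaddress.ip_address(client.ip) in ipaddress.ip_network(value, strict=False)
    raise ValueError("unsupported filter type %r" % kind)


def select_profile(profiles, client, default="default"):
    """Name of the first profile with a matching filter, else the default."""
    for profile in profiles:
        if any(filter_matches(spec, client) for spec in profile.filters):
            return profile.name
    return default


# Constructed sample profiles, in evaluation order.
PROFILES = [
    Profile("guest_wifi", ["SSID:Guest-SSID"]),
    Profile("voip_phones", ["VLAN:100"]),
    Profile("lobby_port", ["SwitchPort:192.168.1.10-Gi1/0/3"]),
    Profile("lab_network", ["Network:10.20.0.0/16", "Network:10.30.0.7"]),
]


if __name__ == "__main__":
    for client in (Client(ssid="Guest-SSID"),
                   Client(switch_id="192.168.1.10", port="Gi1/0/3"),
                   Client(ip="10.20.5.1"),
                   Client(ssid="Corp", ip="10.40.0.1")):
        print(client, "->", select_profile(PROFILES, client))
```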

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface

httpd.portal is used to manage the PacketFence captive portal interface

httpd.webservices is used to manage the PacketFence web services interface

httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.


Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.

- Workgroup is the workgroup of your domain in the old syntax (like NT4).

- DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

- This server's name is the name that the server's account will have in your Active Directory.

- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

- Username is the username that will be used for binding to the server. This account must be a domain administrator.

- Password is the password for the username defined above.


Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms:

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.

- Realm options are any realm options that you want to add to the FreeRADIUS configuration.

- Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:


service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf
ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext.


ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
        # Disable ntlm_auth
        update control {
                &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                # Check password table with email and password for a sponsor registration
                pfguest
                if (fail || notfound) {
                        # Check password table with email and password for a guest registration
                        pfsponsor
                        if (fail || notfound) {
                                # Don't check activation table with phone number and PIN code
                                # pfsms        <--- This line was commented out
                                if (fail || notfound) {
                                        update control {
                                                &MS-CHAP-Use-NTLM-Auth := Yes
                                        }
                                }
                        }
                }
        }
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
                MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := Yes
                }
        }
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

- Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

- Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

- Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, ex: you want your users to register via Google+ and pay for their access using PayPal.

- Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

- Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

  - Billing: Allows to define a module based on one or more billing sources.

  - Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

  - Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

  - Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

- Prompting for fields without authentication

- Prompting additional fields during the authentication

- Chained authentication

- Mixing login and Secure SSID on-boarding on the portal

- Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then, we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.


Then, add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to the section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skippable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.
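An added example (not PacketFence code) that models how the Root, Chained and Choice module types described in this section determine the steps a user goes through before being released on the network. The module tree (which combines identifiers from the examples above into one root), the skippable flag on the message module and the error reporting are assumptions made for this example.

```python
"""Added example (not PacketFence code): a small model of the portal module
flow.  Root and Chained run their children in order, Choice runs the one
child the user picks, and a leaf module (authentication, provisioning,
message) is a step the user must complete unless it is marked skippable."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Module:
    id: str
    type: str                      # "Root", "Chained", "Choice" or a leaf type
    modules: List[str] = field(default_factory=list)   # children of a container
    skippable: bool = False        # leaf only: may the user skip this step?


# Constructed module tree (assumption): one root offering a choice between
# boarding the secure SSID and an OAuth-then-SMS chain, followed by a message.
CATALOG: Dict[str, Module] = {m.id: m for m in [
    Module("my_first_root_module", "Root", ["login_or_boarding", "hello_world"]),
    Module("login_or_boarding", "Choice", ["secure_boarding", "chained_oauth_sms"]),
    Module("chained_oauth_sms", "Chained", ["default_oauth_policy", "sms"]),
    Module("secure_boarding", "Provisioning", skippable=False),  # Skippable unchecked
    Module("default_oauth_policy", "Authentication"),
    Module("sms", "SMS"),
    Module("hello_world", "Message", skippable=True),             # assumed skippable
]}

CONTAINERS = ("Root", "Chained", "Choice")


def validate(catalog, root_id):
    """Static checks mirroring the errors the guide mentions: a container
    (the Root in particular) that holds nothing, or a reference to a module
    that does not exist."""
    problems = []
    if root_id not in catalog:
        return ["%s: root module not found" % root_id]
    seen, todo = set(), [root_id]
    while todo:
        mid = todo.pop()
        if mid in seen:
            continue
        seen.add(mid)
        m = catalog[mid]
        if m.type in CONTAINERS and not m.modules:
            problems.append("%s: container has no modules" % mid)
        for child in m.modules:
            if child not in catalog:
                problems.append("%s: references unknown module %s" % (mid, child))
            else:
                todo.append(child)
    return problems


def walk(catalog, module_id, choices, skip):
    """Ordered leaf steps starting at module_id.  choices maps a Choice module
    id to the child the user picked; skip holds leaf ids the user asked to skip."""
    m = catalog[module_id]
    if m.type in ("Root", "Chained"):
        steps = []
        for child in m.modules:
            steps.extend(walk(catalog, child, choices, skip))
        return steps
    if m.type == "Choice":
        picked = choices.get(module_id)
        if picked not in m.modules:
            raise LookupError("%s: %r is not one of %s" % (module_id, picked, m.modules))
        return walk(catalog, picked, choices, skip)
    if module_id in skip:
        if not m.skippable:
            raise PermissionError("%s cannot be skipped" % module_id)
        return []
    return [module_id]


def plan(catalog, root_id, choices, skip=frozenset()):
    """Run walk() and report either the steps (user released once all are
    done) or the reason the flow cannot complete."""
    try:
        steps = walk(catalog, root_id, dict(choices), set(skip))
    except (LookupError, PermissionError) as exc:
        return {"steps": None, "released": False, "error": str(exc)}
    return {"steps": steps, "released": True, "error": None}


if __name__ == "__main__":
    print(validate(CATALOG, "my_first_root_module"))
    print(plan(CATALOG, "my_first_root_module", {"login_or_boarding": "chained_oauth_sms"}))
```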


Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

- Sources by class: Allows you to specify the perl class name of the sources you want available.

  ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).

- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache, Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache, Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache, Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache, Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache, Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache, Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache, AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache, AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only (no RADIUS tunneled attributes). CDP then tells the phone to tag its Ethernet frames using the voice VLAN configured on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its Ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).

Chapter 12

Copyright © 2016 Inverse inc. Advanced topics 56

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface go to Configuration → Provisioners. Then select the android provisioner, enter the SSID and save.

Now do the same thing for the iOS provisioner.


After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click "configure"; this will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go to My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now on this page you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go to Configuration → Sources and create a new source of type Billing → Paypal.


Where:

- Identity token is the one you noted on the Website Payment Preferences page
- Cert ID is the one you noted on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant Paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go to Configuration → Sources and create a new source of type Billing → Stripe.


Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See section Subscription based registration below for details on how to configure it
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go to Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go to Configuration → Billing tiers.


Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go to Subscriptions → Plans.

Then create a new plan.


Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go to Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
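The webhook endpoint above is reached over plain HTTP on a public IP, so a receiver has to establish on its own that a delivery really came from Stripe before unregistering anything. The following is an added example (not PacketFence's /hook/billing/stripe handler, which the guide does not show) of the receiver-side check Stripe's documented Stripe-Signature scheme allows, followed by the unsubscribe rule stated above; the signing secret, event body and the subscription-to-MAC table are constructed sample values.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is too old (replays)


def compute_signature(secret, timestamp, body):
    """Stripe's v1 scheme: HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded."""
    signed_payload = ("%d." % timestamp).encode() + body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header):
    """Split "t=...,v1=...[,v1=...]" into (timestamp, [signatures]).
    Several v1 entries can be present while a signing secret is rotated."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def verify_event(secret, header, body, now=None):
    """Return the parsed event only if the delivery is fresh and one v1
    signature matches the raw body; raise ValueError otherwise.
    hmac.compare_digest keeps the comparison constant-time."""
    timestamp, signatures = parse_signature_header(header)
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance")
    expected = compute_signature(secret, timestamp, body)
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        raise ValueError("signature mismatch")
    return json.loads(body)


def handle_event(event, registrations):
    """The rule stated above: a cancelled subscription unregisters the device.
    `registrations` maps a Stripe subscription id to the device MAC (a
    constructed shape; PacketFence keeps this in its own database).
    Returns the MAC that was unregistered, or None for events needing no action."""
    if event.get("type") != "customer.subscription.deleted":
        return None
    subscription_id = event["data"]["object"]["id"]
    return registrations.pop(subscription_id, None)


# Constructed sample delivery: a cancelled subscription to the "simple" plan.
SAMPLE_SECRET = "whsec_constructed_example_secret"
SAMPLE_TIME = 1700000000
SAMPLE_BODY = json.dumps({
    "id": "evt_constructed",
    "type": "customer.subscription.deleted",
    "data": {"object": {"id": "sub_constructed", "plan": {"id": "simple"}}},
}).encode()
SAMPLE_HEADER = "t=%d,v1=%s" % (
    SAMPLE_TIME, compute_signature(SAMPLE_SECRET, SAMPLE_TIME, SAMPLE_BODY))
```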

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX, XBOX 360, Nintendo DS, Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned to a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence; otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
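The MAC check this portal page performs, as an added example in Python (not PacketFence's own code): normalize the address the user typed, refuse anything that is not a unicast MAC, and only then compare the OUI against the authorized list. The OUI list and the registration record shape are constructed for the example; the role name is the one from the pf.conf fragment above.

```python
import re

# Constructed sample list: OUI -> label. A real deployment takes these from
# the configured list of gaming-device OUIs, not from this file.
AUTHORIZED_OUIS = {
    "00:50:f2": "constructed vendor A",
    "7c:ed:8d": "constructed vendor B",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Accept the forms users type (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, aabbccddeeff) and return the lower-case colon form.
    Raises ValueError unless exactly 12 hex digits remain, so odd input
    never reaches the registration step."""
    hexdigits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(hexdigits):
        raise ValueError("invalid MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_unicast(mac):
    """Reject group (broadcast/multicast) and all-zero addresses: the low bit
    of the first octet marks a group address, which no real device uses."""
    first_octet = int(mac[:2], 16)
    return (first_octet & 1) == 0 and mac != "00:00:00:00:00:00"


def check_device(raw_mac, owner, role="gaming"):
    """Return the registration record the portal would create, or None when
    the MAC is malformed, not unicast, or its OUI is not on the list."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return None
    if not is_unicast(mac):
        return None
    vendor = AUTHORIZED_OUIS.get(mac[:8])  # first three octets = OUI
    if vendor is None:
        return None
    # The device is registered with the user's id (pid) and the configured role
    return {"mac": mac, "pid": owner, "role": role, "vendor": vendor}
```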

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}

client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
    type = auth
    # placeholder address: replace with the real address of the eduroam server
    ipaddr = 257.128.1.1
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ prefix or a suffix on the username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}
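The realm decision the preceding paragraphs and this proxy.conf describe, as an added example in Python (not PacketFence or FreeRADIUS code): given a User-Name, it reports which realm FreeRADIUS would set, whether the request stays local, and which pool it would be proxied to, so a planned set of realms can be checked before the live configuration is touched. The local realms (EXAMPLE, example.edu), the eduroam pool and the optional SSID block from the authorize section are the page's; the case-insensitive comparison is an assumption of this example.

```python
NTDOMAIN_DELIMITER = "\\"   # raddb/modules/realm: ntdomain, format = prefix
SUFFIX_DELIMITER = "@"      # raddb/modules/realm: suffix, format = suffix

# Realms with no auth_pool in proxy.conf are authenticated locally.
LOCAL_REALMS = ("EXAMPLE", "example.edu")
DEFAULT_AUTH_POOL = "eduroam"   # realm DEFAULT { auth_pool = eduroam; nostrip }


def extract_realm(user_name):
    """Mimic the authorize order of the packetfence virtual server: ntdomain
    runs first (DOMAIN\\user), then suffix (user@domain).
    Returns (realm, stripped_user); realm is None when no delimiter is found,
    which FreeRADIUS treats as the NULL realm."""
    if NTDOMAIN_DELIMITER in user_name:
        domain, _, user = user_name.partition(NTDOMAIN_DELIMITER)
        if domain and user:
            return domain, user
    if SUFFIX_DELIMITER in user_name:
        user, _, domain = user_name.rpartition(SUFFIX_DELIMITER)
        if domain and user:
            return domain, user
    return None, user_name


def route_request(user_name, called_station_id=None, block_other_ssids=False):
    """Return where the request goes: the realm FreeRADIUS sets, whether it is
    processed locally, the User-Name the next hop sees, and the proxy pool.

    block_other_ssids models the commented-out block in the authorize section:
    when the SSID carried in Called-Station-Id is not "eduroam", Proxy-To-Realm
    is forced to local, so a foreign realm is never proxied from another SSID
    (it then fails locally, which is the intent of that block)."""
    realm, stripped = extract_realm(user_name)
    if realm is None:
        # realm NULL { }: no auth server, so local authentication
        return {"realm": "NULL", "local": True, "user": user_name, "pool": None}
    # Realm names are compared case-insensitively in this example
    for local in LOCAL_REALMS:
        if realm.lower() == local.lower():
            # Stripped-User-Name carries the part without the domain
            return {"realm": local, "local": True, "user": stripped, "pool": None}
    if block_other_ssids and not (called_station_id or "").lower().endswith("eduroam"):
        return {"realm": "local", "local": True, "user": user_name, "pool": None}
    # Any other domain: realm DEFAULT, proxied to the eduroam pool.
    # nostrip keeps the full User-Name for the home server.
    return {"realm": "DEFAULT", "local": False, "user": user_name,
            "pool": DEFAULT_AUTH_POOL}
```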

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


authorize {
    # pay attention to the order of the modules. It matters!
    ntdomain
    suffix
    preprocess

    # uncomment this section if you want to block eduroam users from your other SSIDs.
    # The attribute name (Called-Station-Id) may differ based on your controller.
    #if ( Called-Station-Id !~ /eduroam$/i ) {
    #    update control {
    #        Proxy-To-Realm := "local"
    #    }
    #}

    eap {
        ok = return
    }

    files
    expiration
    logintime
    packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

post-auth {
    exec

    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}

# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going to the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before the device was plugged in.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication

Note

OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution

By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and the inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
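What a listener on such an interface has to do with every copied packet, as an added example in Python (not pfdhcplistener's code): parse the BOOTP/DHCP payload with bounds checks on the option list, and record the MAC-to-IP pair only from a DHCPACK, since only the server's acknowledgement proves that yiaddr was actually assigned. The DHCPACK used as input is constructed inside the block.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the BOOTP header
OPT_PAD, OPT_LEASE_TIME, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 51, 53, 54, 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def parse_dhcp(payload):
    """Parse the UDP payload of a BOOTP/DHCP packet.

    Returns message type, client MAC (chaddr), assigned address (yiaddr),
    server identifier and lease time. Raises ValueError for anything that is
    not DHCP or whose option list is truncated, so a malformed packet can
    never make the parser read past the buffer."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen = payload[0], payload[1], payload[2]
    if htype != 1 or hlen != 6:
        raise ValueError("unsupported hardware type/length")
    info = {
        "op": "reply" if op == 2 else "request",
        "ip": ".".join(str(b) for b in payload[16:20]),        # yiaddr
        "mac": ":".join("%02x" % b for b in payload[28:28 + hlen]),  # chaddr
        "type": None, "server": None, "lease": None,
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        if code == OPT_MESSAGE_TYPE and length == 1:
            info["type"] = MESSAGE_TYPES.get(value[0], str(value[0]))
        elif code == OPT_LEASE_TIME and length == 4:
            info["lease"] = struct.unpack("!I", value)[0]
        elif code == OPT_SERVER_ID and length == 4:
            info["server"] = ".".join(str(b) for b in value)
        i += 2 + length
    return info


def learn_mapping(table, payload):
    """Update a MAC -> IP table from one packet. Only an ACK with a non-zero
    yiaddr is trusted; DISCOVER/OFFER/REQUEST carry nothing final."""
    info = parse_dhcp(payload)
    if info["type"] == "ACK" and info["ip"] != "0.0.0.0":
        table[info["mac"]] = info["ip"]
    return info


def build_ack(mac, ip, server, lease):
    """Build a minimal DHCPACK payload (constructed sample input, not a capture)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 2, 1, 6          # op=BOOTREPLY, htype=Ethernet, hlen=6
    header[16:20] = bytes(int(o) for o in ip.split("."))        # yiaddr
    header[28:34] = bytes.fromhex(mac.replace(":", ""))         # chaddr
    options = (bytes([OPT_MESSAGE_TYPE, 1, 5])
               + bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server.split("."))
               + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
               + bytes([OPT_END]))
    return bytes(header) + DHCP_MAGIC + options


SAMPLE_ACK = build_ack("00:11:22:33:44:55", "192.168.1.50", "192.168.1.5", 3600)
```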

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
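To make concrete what a pfdhcplistener does with the copy of the DHCP traffic it receives through any of the three techniques above, here is an added example (not part of this guide and not PacketFence's own code) that decodes DHCP messages and records the MAC-to-IP mapping only from DHCPACK replies, since only the server's acknowledgement is authoritative. The packets are constructed inline, the field layout follows RFC 2131, and the helper names are this example's own.

```python
"""Minimal DHCP (BOOTP) decoder doing the core job of a DHCP listener: watch a
copy of the DHCP traffic and record which IP the server handed to which MAC."""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP fixed header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]            # client hardware address (MAC)
    options = {}
    i = 240
    while i < len(payload):                   # TLV options after the magic cookie
        tag = payload[i]
        if tag == 0:                          # pad
            i += 1
            continue
        if tag == 255:                        # end
            break
        length = payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,                             # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "yiaddr": ".".join(str(b) for b in yiaddr),   # 'your' IP: the assigned address
        "giaddr": ".".join(str(b) for b in giaddr),   # relay agent (ip helper) address
        "options": options,
    }


def record_leases(payloads, table=None) -> dict:
    """Update a MAC -> (IP, lease seconds) table from DHCP payloads; only ACKs count."""
    table = {} if table is None else table
    for payload in payloads:
        msg = parse_dhcp(payload)
        msg_type = MESSAGE_TYPES.get(msg["options"].get(53, b"\x00")[0])
        if msg["op"] == 2 and msg_type == "ACK":
            lease = struct.unpack("!I", msg["options"][51])[0] if 51 in msg["options"] else None
            table[msg["mac"]] = (msg["yiaddr"], lease)
    return table


def build_dhcp(op, msg_type, mac, yiaddr, giaddr="0.0.0.0", lease=None) -> bytes:
    """Assemble a BOOTP/DHCP message (constructed test data, not captured traffic)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)
    header += bytes([0, 0, 0, 0])                              # ciaddr
    header += bytes(int(x) for x in yiaddr.split("."))         # yiaddr
    header += bytes([0, 0, 0, 0])                              # siaddr
    header += bytes(int(x) for x in giaddr.split("."))         # giaddr
    header += chaddr + b"\x00" * 64 + b"\x00" * 128            # chaddr, sname, file
    opts = bytes([53, 1, msg_type])                            # option 53: message type
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)      # option 51: lease time
    return header + DHCP_MAGIC_COOKIE + opts + b"\xff"


# Constructed sample: a relayed REQUEST, the server's ACK, and an unrelated OFFER.
SAMPLE_PACKETS = [
    build_dhcp(1, 3, "00:11:22:33:44:55", "0.0.0.0", giaddr="10.0.101.1"),
    build_dhcp(2, 5, "00:11:22:33:44:55", "10.0.101.50", giaddr="10.0.101.1", lease=3600),
    build_dhcp(2, 2, "aa:bb:cc:dd:ee:ff", "10.0.101.51", lease=3600),
]

if __name__ == "__main__":
    for mac, (ip, lease) in record_leases(SAMPLE_PACKETS).items():
        print(f"{mac} -> {ip} (lease {lease}s)")
```

The OFFER is ignored on purpose: an offer is not a binding, and recording it would let a rogue DHCP server on the VLAN poison the MAC-to-IP table with addresses no client ever received. The giaddr field shows where the copy came from when the request was relayed by an ip helper.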

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
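As an added check (not part of this guide and not PacketFence's own code), the following script validates a routed-network layout like the one above. It reads constructed copies of the pf.conf and networks.conf excerpts shown and reports every network whose DNS server is not an internal PacketFence interface (the only IPs the portal and dhcpd answer on), whose next_hop is not on a local internal subnet, or whose DHCP pool falls outside its own subnet. The third network in the sample has been deliberately misconfigured so that the checks have something to report; the function names are this example's own.

```python
"""Consistency checks for a PacketFence routed-network setup: each routed
network must hand out DNS/DHCP from an internal interface IP, its next_hop
must sit on a local internal subnet, and its DHCP pool must be inside it."""
import configparser
import ipaddress

# Constructed copies of the two files from this section (not read from disk).
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
dns=8.8.8.8
dhcp_start=192.168.30.10
dhcp_end=192.168.31.200
type=vlan-isolation
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf_text):
    """Return {ip: subnet} for every [interface ...] section of type internal."""
    cp = _parse(pf_conf_text)
    result = {}
    for name in cp.sections():
        sec = cp[name]
        if name.startswith("interface ") and sec.get("type") == "internal":
            iface = ipaddress.ip_interface(f"{sec['ip']}/{sec['mask']}")
            result[str(iface.ip)] = iface.network
    return result


def check_networks(pf_conf_text, networks_conf_text):
    """Return a list of problems found; an empty list means the layout is consistent."""
    internal = internal_interfaces(pf_conf_text)
    problems = []
    cp = _parse(networks_conf_text)
    for name in cp.sections():
        sec = cp[name]
        subnet = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
        start = ipaddress.ip_address(sec["dhcp_start"])
        end = ipaddress.ip_address(sec["dhcp_end"])
        if not (start in subnet and end in subnet and start < end):
            problems.append(f"{name}: DHCP pool {start}-{end} is not inside {subnet}")
        if sec.get("dns") not in internal:
            problems.append(f"{name}: dns={sec.get('dns')} is not an internal PacketFence interface")
        next_hop = sec.get("next_hop", "")
        if next_hop:  # routed network: reached through a router on a local internal subnet
            hop = ipaddress.ip_address(next_hop)
            if not any(hop in net for net in internal.values()):
                problems.append(f"{name}: next_hop {hop} is not on any internal interface subnet")
        elif sec["gateway"] not in internal:  # local network: PacketFence itself is the gateway
            problems.append(f"{name}: gateway {sec['gateway']} is not a PacketFence internal IP")
    return problems


if __name__ == "__main__":
    for problem in check_networks(PF_CONF, NETWORKS_CONF):
        print(problem)
```

A network whose dns points anywhere but an internal interface bypasses the portal redirection entirely, which is the same escape the ACL above is meant to close from the router side.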


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start=auto
sc start napagent

# Wired 802.1X
sc config dot3svc start=auto depend=napagent
sc start dot3svc

netsh nap client show config

# get the ID value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable

The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the "Add a filter" button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on "Add a condition" and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the "Save filters" button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

ViolationRole, RegistrationRole, RegisteredRole, InlineRole, AutoRegister, NodeInfoForAutoReg

And can be defined using different criteria like:

node_info.attribute (like node_info.status), switch, ifIndex, mac, connection_type, username, ssid, time, owner.attribute (like owner.pid), radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout (the rule references the two tests it defines, igmout and open):

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN

[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.
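The time criterion in the first rule above is the one condition that is not a plain string comparison. The following added example (not code from this guide or from PacketFence) parses a value of the form wd {...} hr {...} and tests a datetime against it, including a range that wraps past midnight. Only the wd and hr blocks are handled, the end of an hr range is treated as exclusive, and the function names are this example's own; check PacketFence's own time parser for the exact inclusive/exclusive semantics it applies.

```python
"""Evaluate a VLAN-filter time condition such as
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
against a given datetime."""
import re
from datetime import datetime

_WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday() order
_BLOCK = re.compile(r"(\w+)\s*\{([^}]*)\}")                       # 'wd {...}' / 'hr {...}'


def _to_minutes(token):
    """'11am' -> 660, '2pm' -> 840, '2:30pm' -> 870, '14:30' -> 870."""
    m = re.fullmatch(r"(\d{1,2})(?::(\d{2}))?\s*(am|pm)?", token.strip().lower())
    if not m:
        raise ValueError(f"bad time {token!r}")
    hour, minute, ampm = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if ampm:
        hour = hour % 12 + (12 if ampm == "pm" else 0)
    if not (0 <= hour < 24 and 0 <= minute < 60):
        raise ValueError(f"bad time {token!r}")
    return hour * 60 + minute


def parse_time_spec(spec):
    """Return (weekdays, ranges): weekdays is a set of 0-6 (Mon=0), ranges a list
    of (start_minute, end_minute). A missing block means 'any'."""
    blocks = dict(_BLOCK.findall(spec))
    days = {_WEEKDAYS.index(d.lower()[:3]) for d in blocks.get("wd", "").split()} or set(range(7))
    ranges = []
    for rng in blocks.get("hr", "").split():
        start, end = rng.split("-")
        ranges.append((_to_minutes(start), _to_minutes(end)))
    return days, ranges


def time_matches(spec, when):
    """True when `when` (a datetime) falls inside the spec."""
    days, ranges = parse_time_spec(spec)
    if when.weekday() not in days:
        return False
    if not ranges:
        return True
    now = when.hour * 60 + when.minute
    for start, end in ranges:
        if start <= end:
            if start <= now < end:
                return True
        elif now >= start or now < end:   # range wrapping past midnight, e.g. 10pm-6am
            return True
    return False


SPEC = "wd {Mon Tue Wed Thu Fri} hr {11am-2pm}"   # the value from the [time] test above

if __name__ == "__main__":
    # Constructed sample times: a Tuesday at noon, a Saturday at noon, a Tuesday afternoon.
    for when in (datetime(2016, 6, 7, 12, 30), datetime(2016, 6, 11, 12, 30), datetime(2016, 6, 7, 15, 0)):
        print(when, time_matches(SPEC, when))
```

Because the rule is evaluated when the device connects, a device that connected at 10:59 keeps its role until PacketFence re-evaluates its access; a time-based rule therefore changes what happens at the next connection or re-evaluation, not at the moment the window opens.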

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

returnRadiusAccessAccept

And can be defined using different criteria like:

node_info.attribute (like node_info.$attribute), switch, ifIndex, mac, connection_type, username, ssid, time, owner.attribute (like owner.$attribute), radius_request.attribute (like radius_request.$attribute), violation, user_role, vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically; here it is set to no, so only the filter answer is returned):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
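To show what the filter answer does to the reply, here is an added example (not from this guide or from PacketFence) that fills the $user_role, $switch._portalURL and $session_id placeholders from a request context and merges the answerN attributes over the reply PacketFence would otherwise have sent. The reply attributes, the context values and the merging behaviour are assumptions of this example; the => separator and the answer1 line come from the rule above.

```python
"""How a radius_filters.conf rule changes the RADIUS reply: placeholder
substitution in answerN values, and merge_answer = yes/no semantics."""
import re

_PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?)")


def render_answer(template, ctx):
    """Replace $name and $name.attr placeholders with values from ctx."""
    def repl(m):
        key = m.group(1)
        if key not in ctx:
            raise KeyError(f"no value for ${key}")
        return str(ctx[key])
    return _PLACEHOLDER.sub(repl, template)


def apply_filter(original, rule, ctx):
    """Return the reply: the filter's answerN attributes merged over the original
    when merge_answer = yes, or only the filter's answers when it is no."""
    answers = {}
    for key in sorted(k for k in rule if re.fullmatch(r"answer\d+", k)):
        attr, value = (part.strip() for part in rule[key].split("=>", 1))
        answers[attr] = render_answer(value, ctx)
    if rule.get("merge_answer", "no").lower() == "yes":
        return {**original, **answers}
    return answers


# Constructed reply PacketFence would have sent for a VLAN assignment (assumed).
ORIGINAL_REPLY = {
    "Tunnel-Type": "VLAN",
    "Tunnel-Medium-Type": "IEEE-802",
    "Tunnel-Private-Group-ID": "20",
}

# The rule from this section, as a parsed section (condition evaluation not shown here).
RULE = {
    "merge_answer": "yes",
    "scope": "returnRadiusAccessAccept",
    "answer1": "Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id",
}

# Constructed request context: role of the device, switch _portalURL, portal session id.
CTX = {"user_role": "guest", "switch._portalURL": "https://portal.example.test", "session_id": "abc123"}

if __name__ == "__main__":
    for attr, value in apply_filter(ORIGINAL_REPLY, RULE, CTX).items():
        print(f"{attr} = {value}")
```

With merge_answer = no the VLAN attributes are dropped from the reply, which is exactly what the first rule of this section does on purpose: the switch then receives a bare Access-Accept with no VLAN assignment, so use that setting only when the port's default VLAN is the intended outcome.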


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another equipment on your network (core switch, firewall, router...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise, pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After, you need to configure a routed network for this interface by clicking "Add routed network". See the Routed Networks section of this document for details on how to configure it.

Note

If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The number of times a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable "Show parking portal" in Configuration → Parking.


Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5

Note

To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration. If not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 filestore log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 filestore log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

- Type: metascan. Trigger ID: the scan result returned by Metadefender Cloud online
- Type: suricata_md5. Trigger ID: the MD5 hash returned by Suricata
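The following added example (not from this guide or from PacketFence) reads filestore entries in the form they arrive in the FIFO, that is rsyslog's program prefix followed by one JSON object per line, extracts the MD5 and the flow addresses, and matches the MD5 against violations that carry a suricata_md5 trigger. The log lines, their field names, the violation table and the metascan entry are all constructed for the example; the two MD5 values are the well-known digests of the empty string and of "The quick brown fox jumps over the lazy dog".

```python
"""Parse Suricata filestore log entries as delivered to the PacketFence FIFO
and match their MD5 against 'suricata_md5' violation triggers."""
import json
import re

# rsyslog writes "<timestamp> <host> <program>: <message>" to the FIFO; only
# the JSON message part is needed.
_SYSLOG_PREFIX = re.compile(r"^.*?\bsuricata_files:\s*")


def parse_files_entry(line):
    """Return a dict (srcip, dstip, md5, filename, http_host, size), or None
    for lines that are not filestore JSON records with a valid MD5."""
    body = _SYSLOG_PREFIX.sub("", line, count=1).strip()
    if not body.startswith("{"):
        return None
    try:
        rec = json.loads(body)
    except json.JSONDecodeError:
        return None
    md5 = rec.get("md5")
    if not isinstance(md5, str) or not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
        return None
    return {
        "srcip": rec.get("srcip"),
        "dstip": rec.get("dstip"),
        "md5": md5.lower(),
        "filename": rec.get("filename"),
        "http_host": rec.get("http_host"),
        "size": rec.get("size"),
    }


def match_md5_triggers(entries, violations):
    """violations: {vid: {"type": "suricata_md5", "id": "<md5>"}, ...}.
    Returns [(vid, entry)] for every entry whose MD5 equals a trigger id."""
    by_md5 = {v["id"].lower(): vid for vid, v in violations.items() if v["type"] == "suricata_md5"}
    return [(by_md5[e["md5"]], e) for e in entries if e and e["md5"] in by_md5]


def process(lines, violations):
    """Full pipeline: parse every line, then match the MD5 triggers."""
    return match_md5_triggers([parse_files_entry(line) for line in lines], violations)


# Constructed sample lines in the shape of Suricata's files-json.log output as they
# would look after rsyslog prefixed them (not real captured data).
SAMPLE_LINES = [
    'Jun 10 12:00:01 suricata-sensor suricata_files: {"timestamp":"06/10/2016-12:00:01.123456",'
    '"ipver":4,"srcip":"203.0.113.10","dstip":"192.168.20.42","protocol":6,"sp":80,"dp":51234,'
    '"http_uri":"/setup.exe","http_host":"files.example.test","filename":"/setup.exe",'
    '"magic":"PE32 executable","state":"CLOSED","md5":"d41d8cd98f00b204e9800998ecf8427e","stored":true,"size":0}',
    'Jun 10 12:00:02 suricata-sensor suricata_files: {"timestamp":"06/10/2016-12:00:02.000001",'
    '"ipver":4,"srcip":"203.0.113.11","dstip":"192.168.20.43","protocol":6,"sp":80,"dp":51235,'
    '"http_uri":"/readme.txt","http_host":"files.example.test","filename":"/readme.txt",'
    '"magic":"ASCII text","state":"CLOSED","md5":"9e107d9d372bb6826bd81d3542a419d6","stored":true,"size":43}',
    "Jun 10 12:00:03 suricata-sensor suricata_files: not a json record",
]

# Constructed violation definitions: one suricata_md5 trigger and one metascan trigger
# (the latter needs the online scan result and is not matched offline).
SAMPLE_VIOLATIONS = {
    "4000010": {"type": "suricata_md5", "id": "D41D8CD98F00B204E9800998ECF8427E"},
    "4000011": {"type": "metascan", "id": "3"},
}

if __name__ == "__main__":
    for vid, entry in process(SAMPLE_LINES, SAMPLE_VIOLATIONS):
        print(f"violation {vid}: {entry['md5']} from {entry['http_host']} ({entry['srcip']} -> {entry['dstip']})")
```

The entry only carries IP addresses; PacketFence raises the violation against a MAC, which is why the production DHCP access techniques earlier in this chapter matter here too. Which address is the downloading client depends on the direction of the flow Suricata logged, so the example keeps both.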

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alerts log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

- Type: detect. Trigger ID: the IDS triggered rule ID
- Type: suricata_event. Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.

Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr, using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.
  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.

Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After that, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.
- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

ComplianceChecks

PacketFence supports eitherNessusOpenVAS andWMI as a scanning engine for compliancechecksSincePacketFencev51youarenowabletocreatemultiplesscanenginesconfigurationandassignthemonspecificcaptiveportalsItmeanperexamplethatyouarenowabletoactiveascanforspecificOperatingSystemonlyonaspecificSSID

InstallationNessusPlease visit httpwwwnessusorgdownload to download Nessus v5 and install the Nessuspackage for your operating system You will also need to register for the HomeFeed (or theProfessionalFeed)inordertogettheplugins

AfteryouinstalledNessusfollowtheNessusdocumentationfortheconfigurationoftheNessusServerandtocreateauserforPacketFence

NoteYou may run into some issue while using Nessus with the NetNessusXMLRPCmodule(whichisthedefaultbehaviorinPacketFence)Pleaserefertothebugtrackingsystemformoreinformation

OpenVASPleasevisithttpwwwopenvasorginstall-packageshtmlopenvas4_centos_atomic toconfigurethecorrectrepositorytobeabletoinstallthelatestOpenVASscanningengine

Once installed pleasemake sure to follow the instructions to correctly configure the scanningengineandcreateascanconfigurationthatwillfityourneedsYoursquollalsoneedtocreateauserforPacketFencetobeabletocommunicatewiththeserver

ItisimportanttogetthecorrectscanconfigIDandNBEreportformatIDtopopulatetheparametersinthePacketFenceconfigurationfileTheeasiestwaytogettheseIDsisbydownloadingbothofthescanconfigurationandreportformatfromtheOpenVASwebguiandretrievetheIDsinthefilenames

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 101

Forexamplereport-format-f5c2a364-47d2-4700-b21d-0a7693daddabxmlgivesreportformatIDf5c2a364-47d2-4700-b21d-0a7693daddab

WMIYoujusthavetoenablewmioneachwindowsdeviceswithaGPOfromActiveDirectory

ConfigurationIn order for the compliance checks to correctly work with PacketFence (communication andgenerateviolationsinsidePacketFence)youneedtoconfigurethesesections

ScannerDefinitionFirstgoinConfigurationandScannerDefinition

Thenaddascan

Therearecommonparametersforeachscanengines

Name the name of your scan engineRoles Only devices with these role(s) will be affected (Optional)OS Only devices with this Operating System will be affected (Optional)Duration Approximate duration of scan (Progress bar on the captive portal)Scan before registration Trigger the scan when the device appear on the registration vlanScan after registration Trigger the scan just after registration on the captive portalScan after registration Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic)8021x Even if the auto-registration has been enabled the scan will be trigger on a EAP connection8021x types comma delimited EAP type that will trigger the scan if 8021x above has been enabled

SpecifictoNessus

Hostname or IP Address Hostname or IP Address where Nessus is runningUsername Username to connect to Nessus scanPassword Password to connect to Nessus scanPort of the service port to connect (default 8834)Nessus client policy the name of the policy to use for the scan (Must be define on the Nessus server)

SpecifictoOpenVAS

Hostname or IP Address Hostname or IP Address where OpenVAS is runningUsername Username to connect to OpenVAS scanPassword Password to connect to OpenVAS scanPort of the service port to connect (default 9390)OpenVAS config ID the ID of scanning configuration on the OpenVAS server

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 102

SpecifictoWMI

Username A username from Active Directory that is allowed to connect to wmiDomain Domain of the Active DirectoryPassword Password of the accountWMI Rules Ordered list of WMI rules you defined in Configuration -gt WMI Rules Definition

WMIRulesDefinition

IfyouhaveconfiguredaWMIscanenginethenyouneedtodefineWMIRulesWMIisasortofdatabaseoneachwindowsdevicestoretreiveinformationonthedeviceyouneedtoknowthesqlrequestInordertohelpyoutofindandmakearuleyoucanuseathirdpartytoollikeWMIExplorer

GoinconfigurationrarrWMIRulesDefinition

Therearealready3rulesdefined

Software_Installedlogged_userProcess_Running

LetrsquostaketheSoftware_Installedrule

request select from Win32_Product

Rules Actions

[Google]attribute = Captionoperator = matchvalue =Google

[1Google]action=trigger_violationaction_param = mac = $mac tid = 888888 type = INTERNAL

Thisrulewilldothefollowing

retreive all the installed software on the device and test if the attribute Caption contain Googleif it matched then we will trigger a violation (with the trigger internal888888) for the mac address of the device

Thesecondonelogged_user

request select UserName from Win32_ComputerSystem

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 103

Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged-in user on the device and register the device based on that user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

The request is the WQL query you will launch on the remote device; you must know what the request will return in order to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you define your logic. For example, [1:google&explorer] means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex, for example [1:!google|(explorer&memory)], which means "if not google, or (explorer and memory)".

Violations definition
You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger only if the plugin reports a vulnerability of higher than low severity.

Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely
Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations
Using PacketFence it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for incoming (download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for outgoing (upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for total (download + upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
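The following Python example is added here to make the trigger format concrete; it is not PacketFence code. It parses a trigger, sums constructed accounting rows (one per session, with a timestamp and download and upload byte counts) over the interval window, and applies a grace period of the kind recommended above. The row layout, the 30-day month and 365-day year used for the interval, and the grace-period check are my assumptions; PacketFence's own accounting query is not shown on this page.

```python
"""Evaluate Accounting::<DIRECTION><LIMIT><INTERVAL> violation triggers.

Added example, not PacketFence code. The trigger grammar is the one described in the
guide; the accounting record layout (one row per session with a timestamp, download and
upload byte counts), the 30-day month / 365-day year approximations and the grace-period
handling are my assumptions.
"""
import re
from datetime import datetime, timedelta

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVAL_UNITS = {
    "D": timedelta(days=1),
    "W": timedelta(weeks=1),
    "M": timedelta(days=30),   # assumption: calendar months approximated to 30 days
    "Y": timedelta(days=365),  # assumption: leap years ignored
}
TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


def parse_trigger(trigger):
    """Return (direction, limit_in_bytes, window) for a trigger such as Accounting::IN50GB1M.

    window is None when the optional INTERVAL part is absent (all-time usage).
    """
    match = TRIGGER_RE.match(trigger)
    if not match:
        raise ValueError(f"not an Accounting trigger: {trigger!r}")
    direction, amount, unit, count, interval_unit = match.groups()
    limit = int(amount) * SIZE_UNITS[unit]
    window = int(count) * INTERVAL_UNITS[interval_unit] if count else None
    return direction, limit, window


def usage_bytes(records, direction, window, now):
    """Sum download ('in'), upload ('out') or both ('TOT') over the records inside the window."""
    total = 0
    for rec in records:
        if window is not None and rec["time"] < now - window:
            continue  # older than the interval window
        if direction == "IN":
            total += rec["in"]
        elif direction == "OUT":
            total += rec["out"]
        else:
            total += rec["in"] + rec["out"]
    return total


def check_trigger(trigger, records, now, last_release=None, grace=None):
    """True when usage in the window exceeds the limit and the grace period has elapsed.

    last_release is when the node last had this violation released; grace is the
    timedelta during which the trigger must not fire again (one interval window is
    the guide's recommendation).
    """
    direction, limit, window = parse_trigger(trigger)
    if last_release is not None and grace is not None and now - last_release < grace:
        return False
    return usage_bytes(records, direction, window, now) > limit


# Constructed accounting rows for one node, not real PacketFence data.
NOW = datetime(2016, 6, 1, 12, 0, 0)
GB = SIZE_UNITS["GB"]
RECORDS = [
    {"time": NOW - timedelta(days=40), "in": 100 * GB, "out": 2 * GB},
    {"time": NOW - timedelta(days=10), "in": 30 * GB, "out": 1 * GB},
    {"time": NOW - timedelta(days=2), "in": 25 * GB, "out": 300 * SIZE_UNITS["MB"]},
]


def demo():
    """Evaluate the guide's three example triggers plus an all-time one against RECORDS."""
    return {
        "Accounting::IN50GB1M": check_trigger("Accounting::IN50GB1M", RECORDS, NOW),
        "Accounting::OUT500MB1D": check_trigger("Accounting::OUT500MB1D", RECORDS, NOW),
        "Accounting::TOT200GB1W": check_trigger("Accounting::TOT200GB1W", RECORDS, NOW),
        "Accounting::IN100GB": check_trigger("Accounting::IN100GB", RECORDS, NOW),
    }


if __name__ == "__main__":
    for trigger, fired in demo().items():
        print(f"{trigger:24} -> {'VIOLATION' if fired else 'ok'}")
```

With these rows, only the 50GB/month download trigger and the all-time 100GB trigger fire: the 100GB session is 40 days old, so it falls outside the one-month window but still counts when no interval is given. Passing the last release time with a grace of one interval window suppresses the re-trigger the guide warns about.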

Oinkmaster

Oinkmaster is a Perl script that makes it easy to update the different Snort rules. It is simple to use and install. This section will show you how to set up Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster.

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update
In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3...), or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and make sure a domain name to reach said IP is configured (and that the SSL certificate matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution
Pre-registration increases the attack surface of the PacketFence system, since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the units of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
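To show how a duration string turns into an expiry date, here is an added Python example (mine, not PacketFence code). It implements the format above as I read it: with F the duration is counted from the reference time, with R from the beginning of the DATETIME_UNIT period that contains the reference time (weeks starting on Monday), and the optional extension is then added or subtracted. The reference date and the list of durations are constructed.

```python
"""Compute guest access expiry from a PacketFence access duration string.

Added example, not PacketFence code. Format (from the guide):
  <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
My reading of the semantics: with F the duration counts from the reference time; with R
it counts from the beginning of the DATETIME_UNIT period that contains the reference
time (weeks start on Monday); the optional extension is then added or subtracted.
"""
import calendar
import re
from datetime import datetime, timedelta

DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")


def add_units(dt, n, unit):
    """Add n units to dt; months and years are calendar-aware (day clamped to month end)."""
    if unit == "s":
        return dt + timedelta(seconds=n)
    if unit == "m":
        return dt + timedelta(minutes=n)
    if unit == "h":
        return dt + timedelta(hours=n)
    if unit == "D":
        return dt + timedelta(days=n)
    if unit == "W":
        return dt + timedelta(weeks=n)
    months = n * (12 if unit == "Y" else 1)
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + months, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def period_start(dt, unit):
    """Beginning of the unit period containing dt (the base for a relative period)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())  # back to Monday
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # Y


def access_expiry(spec, now):
    """Return the datetime at which access granted at `now` with duration `spec` ends."""
    match = DURATION_RE.match(spec)
    if not match:
        raise ValueError(f"invalid access duration: {spec!r}")
    count, unit, base, op, ext_count, ext_unit = match.groups()
    start = period_start(now, unit) if base == "R" else now
    expiry = add_units(start, int(count), unit)
    if op:
        sign = 1 if op == "+" else -1
        expiry = add_units(expiry, sign * int(ext_count), ext_unit)
    return expiry


def demo():
    """Expiries for some of the guide's default choices plus extended forms, from a fixed reference."""
    now = datetime(2016, 6, 15, 10, 30)  # constructed reference time, a Wednesday
    specs = ["12h", "1D", "5D", "1WR+1D", "1MR-1D", "1MF+1D"]
    return {spec: access_expiry(spec, now).isoformat(sep=" ") for spec in specs}


if __name__ == "__main__":
    for spec, expiry in demo().items():
        print(f"{spec:8} -> {expiry}")
```

From Wednesday 2016-06-15 10:30, "1WR+1D" resolves to Tuesday 2016-06-21 00:00 (start of the week, plus one week, plus one day) and "1MR-1D" to 2016-06-30 00:00 (end of the current month), which is the kind of "until end of period" expiry the relative base is for.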

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.

Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
#
# -Newest 1 processes only the event that fired the scheduled task; without it, every
# 4726 event still present in the Security log would be unregistered again on each run.
Get-EventLog -LogName Security -InstanceId 4726 -Newest 1 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"    # Username for the webservices
    $password = "admin"    # Password for the webservices
    # This disables TLS certificate validation for the call to PacketFence. Prefer a
    # certificate trusted by this server and remove this line once it is in place.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select "Run a new instance in parallel" in the list, in order to unregister multiple nodes at the same time.

Validate with OK and give the account that will run this task (usually DOMAIN\Administrator). The script only reads the Security log and makes one HTTPS request, so a dedicated account that is a member of the built-in Event Log Readers group is enough; a domain administrator account is not required. Since the script contains the web services credentials in clear text, restrict read access to the script file to that account.

Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
# -Newest 1 processes only the event that fired the scheduled task; without it, every
# 4725 event still present in the Security log would be unregistered again on each run.
Get-EventLog -LogName Security -InstanceId 4725 -Newest 1 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"    # Username for the webservices
    $password = "admin"    # Password for the webservices
    # This disables TLS certificate validation for the call to PacketFence. Prefer a
    # certificate trusted by this server and remove this line once it is in place.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select "Run a new instance in parallel" in the list.

Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName.
#
# -Newest 1 processes only the event that fired the scheduled task; without it, every
# 4740 event still present in the Security log would be unregistered again on each run.
Get-EventLog -LogName Security -InstanceId 4740 -Newest 1 |
  Select ReplacementStrings,"Account name" |
  % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"    # Username for the webservices
    $password = "admin"    # Password for the webservices
    # This disables TLS certificate validation for the call to PacketFence. Prefer a
    # certificate trusted by this server and remove this line once it is in place.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()
    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
  }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select "Run a new instance in parallel" in the list.

Validate with OK and give the account that will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor
You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.

You will also need to download and install the Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.

Note
You absolutely need to install the 32-bit version of the Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download.

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface on which your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list the interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected to your PacketFence server.

Linux based sensor
First, download the RPM on your DHCP server.

CentOS 6 and 7 servers
For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system
First, make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor
Place the following line in /etc/rc.local:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface on which your DHCP server listens (list them using udp_reflector -l), and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected to your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin Access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.


Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to add some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and it is configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence's initial installation.


Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps; a switch can also randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here is the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These settings are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =
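An added Python example, not PacketFence code, of the counting logic such a limit needs: a sliding one-minute window per (switch, ifIndex) that flags the port the first time more than the threshold of traps arrive inside the window. The trap stream is constructed; what happens once a port is flagged depends on trap_limit_action and is left to the caller here.

```python
"""Sliding-window trap counter: the counting behind trap_limit and trap_limit_threshold.

Added example, not PacketFence code. The trap stream is constructed (switch IP, ifIndex,
timestamp in seconds); what PacketFence does once the limit is hit depends on
trap_limit_action and is left to the caller here.
"""
from collections import defaultdict, deque


class TrapLimiter:
    """Flag a (switch, ifIndex) that sends more than `threshold` traps within `window` seconds."""

    def __init__(self, threshold=100, window=60.0):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # (switch, ifIndex) -> timestamps still inside the window
        self.flagged = set()

    def record(self, switch, ifindex, ts):
        """Count one trap; return True the first time this port crosses the threshold."""
        key = (switch, ifindex)
        times = self.recent[key]
        times.append(ts)
        while times and times[0] <= ts - self.window:
            times.popleft()  # forget traps older than the window
        if len(times) > self.threshold and key not in self.flagged:
            self.flagged.add(key)
            return True
        return False


def replay(traps, threshold=100, window=60.0):
    """Run (switch, ifIndex, ts) tuples through a TrapLimiter; return the traps that tripped a port."""
    limiter = TrapLimiter(threshold, window)
    return [trap for trap in traps if limiter.record(*trap)]


def demo():
    """Constructed traffic: a trap storm on one port, a busy but legitimate port, and a slow trickle."""
    traps = []
    traps += [("10.0.0.1", 12, 0.1 * i) for i in range(150)]  # 150 traps in 15 s: storm
    traps += [("10.0.0.1", 13, 0.5 * i) for i in range(90)]   # 90 traps in 45 s: under the limit
    traps += [("10.0.0.2", 1, 2.0 * i) for i in range(200)]   # 200 traps over 400 s: 30 per minute
    traps.sort(key=lambda trap: trap[2])  # interleave by arrival time
    return replay(traps)


if __name__ == "__main__":
    for switch, ifindex, ts in demo():
        print(f"{switch} ifIndex {ifindex}: limit exceeded at t={ts:.1f}s")
```

Only the storming port trips the limit, at its 101st trap (t=10.0 s); the port sending 200 traps spread over 400 s never has more than 31 inside any one-minute window, which is why the window matters as much as the threshold.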

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.

MySQL optimizations

Tuning MySQL
If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and I/O wait is peaking at 20%: this is not good. If your I/O wait is low but MySQL is taking 50%+ of the CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer pool size from the default values.

Shut down PacketFence and MySQL:

/etc/init.d/packetfence stop
Shutting down PacketFence...
[ OK ]
/etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
# Flush the log once per second instead of at every commit: faster, but up to
# about one second of committed transactions can be lost if the OS crashes
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

/etc/init.d/mysqld start
Starting MySQL: [ OK ]
/etc/init.d/packetfence start
Starting PacketFence...
[ OK ]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool
We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/pf/bin/pftest mysql


Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems
In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error, and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the maximum number of connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests
By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows Update, MSN Messenger, Google Desktop...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
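The WMI rules described earlier in this chapter (Rules syntax) and these Apache filters share one structure: named test blocks, and action blocks whose header combines test names with !, & and | and parentheses. The following added Python example (mine, not PacketFence code) parses that structure and evaluates it against constructed input: two Android HTTP requests for the Dalvik filter above, and the WMI logic example !google|(explorer&memory) over a hand-set truth table. Treating a test as true when any result row satisfies it, and treating match/match_not as regular-expression searches, are my assumptions about PacketFence's evaluator; the filter text and test names are the ones shown above.

```python
"""Evaluate PacketFence-style test/action blocks (WMI rules and apache_filters.conf).
Added example, not PacketFence code. Assumptions: '[name]' is a test block, '[label:expr]'
an action block; a test is true when any input row satisfies it; match/match_not are regexes."""
import configparser
import re

OPERATORS = {
    "is": lambda got, want: got == want,
    "is_not": lambda got, want: got != want,
    "match": lambda got, want: re.search(want, got) is not None,
    "match_not": lambda got, want: re.search(want, got) is None,
}

def parse_blocks(text):
    """Return ({test_name: fields}, [(label, expr, fields)]) from INI-style rule text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case
    parser.read_string(text)
    tests, actions = {}, []
    for section in parser.sections():
        if ":" in section:
            label, expr = section.split(":", 1)
            actions.append((label, expr, dict(parser[section])))
        else:
            tests[section] = dict(parser[section])
    return tests, actions

def run_test(test, row):
    """Apply one test to one row; 'attribute' (WMI) or 'filter' (Apache) names the field."""
    if "method" in test and row.get("method") != test["method"]:
        return False
    value = row.get(test.get("attribute") or test.get("filter"))
    return value is not None and OPERATORS[test["operator"]](str(value), test["value"])

def eval_expr(expr, truth):
    """Evaluate e.g. '!google|(explorer&memory)' over {test_name: bool} by recursive descent."""
    tokens = re.findall(r"\w+|[&|!()]", expr) + [None]  # None marks the end of input
    pos = 0

    def parse(level=0):  # level 0: '|' chain, 1: '&' chain, 2: '!', parentheses or a test name
        nonlocal pos
        if level < 2:
            value = parse(level + 1)
            while tokens[pos] == "|&"[level]:
                pos += 1
                rhs = parse(level + 1)  # always parsed, so every token is consumed and checked
                value = (value or rhs) if level == 0 else (value and rhs)
            return value
        token, pos = tokens[pos], pos + 1
        if token == "!":
            return not parse(2)
        if token == "(":
            value, pos = parse(0), pos + 1
            if tokens[pos - 1] != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return value
        if token not in truth:
            raise ValueError(f"unknown test {token!r} in {expr!r}")
        return truth[token]

    result = parse()
    if tokens[pos] is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def evaluate(text, rows):
    """Return [(label, fields)] for each action block whose expression holds over rows."""
    tests, actions = parse_blocks(text)
    truth = {name: any(run_test(test, row) for row in rows) for name, test in tests.items()}
    return [(label, fields) for label, expr, fields in actions if eval_expr(expr, truth)]

# Constructed filter text in the syntax shown above (the guide's Dalvik example).
DALVIK_FILTER = """\
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""

def demo():
    """Constructed input: two Android requests for the filter, plus the guide's WMI logic example."""
    probe = {"method": "GET", "uri": "/generate_204", "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)"}
    page = {"method": "GET", "uri": "/index.html", "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)"}
    return {
        "probe_blocked": [label for label, _ in evaluate(DALVIK_FILTER, [probe])],
        "page_blocked": [label for label, _ in evaluate(DALVIK_FILTER, [page])],
        "wmi_logic": eval_expr("!google|(explorer&memory)", {"google": False, "explorer": True, "memory": False}),
    }
```

The connectivity probe to /generate_204 passes (the URI test is match_not, so it fails on that request and the & expression is false), while any other Dalvik request is answered with the 501 action. The same run_test handles WMI rows, since the only difference is the attribute key in place of filter and the absence of a method.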

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be I/O intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare-metal server and reboot (this example will use /dev/sdb as the new device).

Make sure PacketFence is stopped:

service packetfence stop

Create an ext4 filesystem on the new device:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:


mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance, or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:

Usage: pfcmd <command> [options]

Commands:
  cache                       | manage the cache subsystem
  checkup                     | perform a sanity checkup and report any problems
  class                       | view violation classes
  configfiles                 | push or pull configfiles into/from database
  configreload                | reload the configuration
  floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
  help                        | show help for pfcmd commands
  ifoctetshistorymac          | accounting history
  ifoctetshistoryswitch       | accounting history
  ifoctetshistoryuser         | accounting history
  import                      | bulk import of information into the database
  ipmachistory                | IP/MAC history
  locationhistorymac          | Switch/Port history
  locationhistoryswitch       | Switch/Port history
  networkconfig               | query/modify network configuration parameters
  node                        | manipulate node entries
  pfconfig                    | interact with pfconfig
  portalprofileconfig         | query/modify portal profile configuration parameters
  reload                      | rebuild fingerprint or violations tables without restart
  service                     | start/stop/restart and get PF daemon status
  schedule                    | Nessus scan scheduling
  switchconfig                | query/modify switches.conf configuration parameters
  version                     | output version information
  violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACs on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias          switch port description
  -ifAdminStatus  ifAdminStatus
  -ifIndex        switch port ifIndex
  -mac            MAC address
  -showPF         show additional information available in PF
  -switch         switch description
  -verbose        log verbosity level: 0 fatal messages, 1 warn messages, 2 info messages, 3 debug, 4 trace
  -vlan           VLAN id
  -vlanName       VLAN name (as in switches.conf)


About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation

Other sources of information

The following documents are included in the package and release tarballs:

Network Devices Configuration Guide (pdf): covers switch, controllers and access points configuration.

Developer's Guide (pdf): covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS: this is, at least, a partial file of PacketFence contributors.

NEWS.asciidoc: covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc: covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog: covers all changes to the source code.


Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

Database server (MySQL or MariaDB)
Web server (Apache)
DHCP server (ISC DHCP)
RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

Intel or AMD CPU 3 GHz
8 GB of RAM
100 GB of disk space (RAID-1 recommended)
1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:


Red Hat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up: PacketFence takes care of handling the operation of the following services:

Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

Disable Firewall
Disable SELinux
Disable AppArmor
Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note

Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian: All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

easy installation
everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade

Software Installation

RHEL/CentOS: In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:


yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian: For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

Inline
Out-of-band
Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before the version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of.

Everyone behind an inline interface is on the same Layer 2 LAN.

Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.

Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.

Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than B.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication. 802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows/Mac OS X/Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication. Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly, and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the normal VLAN.

Web Auth mode: Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP: Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN, but the PC doesn't do DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
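The trap handling described above, as an added example written for this guide and not PacketFence's own pfsetvlan code: the trap records, the VLAN numbers and the node table are constructed, and a switch's learned-address table stands in for the SNMP queries. It shows how linkUp, linkDown, MAC learnt and port-security traps move a port between the MAC detection, registration, isolation and normal VLANs, why a linkDown cancels the polling started by a linkUp on the same port, and how MAC notification traps remove the polling altogether.

```python
"""Trap-driven VLAN assignment modelled on the guide's description of pfsetvlan.

Added example, not PacketFence code: trap records, VLAN numbers and the node
table below are constructed for the demonstration.
"""
from dataclasses import dataclass, field

MAC_DETECTION_VLAN = 4     # void VLAN: no DHCP server, not routed anywhere
REGISTRATION_VLAN = 2      # DHCP + captive portal, no routing to other VLANs
ISOLATION_VLAN = 3         # for nodes with an open violation
NORMAL_VLAN = 10           # constructed production VLAN

# Constructed node table: registration status and whether a violation is open.
NODES = {
    "aa:bb:cc:00:00:01": {"status": "reg", "violation": False},
    "aa:bb:cc:00:00:02": {"status": "reg", "violation": True},
}


def vlan_for(mac):
    """Decide the VLAN for a learned MAC from its status in the node table."""
    node = NODES.get(mac)
    if node is None or node["status"] != "reg":
        return REGISTRATION_VLAN          # unknown or unregistered: captive portal
    if node["violation"]:
        return ISOLATION_VLAN
    return NORMAL_VLAN


@dataclass
class Switch:
    mac_notification: bool = False        # does this switch send MAC learnt traps?
    port_vlan: dict = field(default_factory=dict)
    learned: dict = field(default_factory=dict)   # port -> MAC the switch has learned


@dataclass
class TrapHandler:
    switch: Switch
    polling: set = field(default_factory=set)     # ports with a live "linkUp thread"
    snmp_queries: int = 0

    def handle(self, trap):
        kind, port = trap["type"], trap["port"]
        if kind == "linkUp":
            self.switch.port_vlan[port] = MAC_DETECTION_VLAN
            if not self.switch.mac_notification:
                self.polling.add(port)    # must poll until the switch learns the MAC
        elif kind == "linkDown":
            self.polling.discard(port)    # stop the linkUp thread for this port
            self.switch.port_vlan[port] = MAC_DETECTION_VLAN
        elif kind in ("macLearnt", "portSecurity"):
            self.polling.discard(port)    # the trap itself carries the MAC
            self.switch.port_vlan[port] = vlan_for(trap["mac"])
        else:
            raise ValueError(f"unknown trap type {kind}")

    def poll(self):
        """One round of SNMP queries for ports still waiting on a MAC."""
        for port in list(self.polling):
            self.snmp_queries += 1
            mac = self.switch.learned.get(port)
            if mac is not None:
                self.polling.discard(port)
                self.switch.port_vlan[port] = vlan_for(mac)


def run_scenario(mac_notification):
    """Replay a constructed trap sequence; returns (port VLANs, SNMP queries, ports still polling)."""
    sw = Switch(mac_notification=mac_notification)
    h = TrapHandler(sw)
    # NIC initialisation on port 1: linkUp, linkDown, linkUp. The linkDown cancels
    # the first polling job so only one thread survives.
    h.handle({"type": "linkUp", "port": 1})
    h.handle({"type": "linkDown", "port": 1})
    h.handle({"type": "linkUp", "port": 1})
    h.poll()                               # switch has not learned the MAC yet
    sw.learned[1] = "aa:bb:cc:00:00:01"
    if mac_notification:
        h.handle({"type": "macLearnt", "port": 1, "mac": "aa:bb:cc:00:00:01"})
    else:
        h.poll()                           # second query finds the MAC
    # Port-security violation traps carry the MAC directly: no polling needed.
    h.handle({"type": "portSecurity", "port": 2, "mac": "aa:bb:cc:00:00:02"})
    h.handle({"type": "portSecurity", "port": 3, "mac": "aa:bb:cc:00:00:99"})
    return dict(sw.port_vlan), h.snmp_queries, set(h.polling)


if __name__ == "__main__":
    print("linkUp/linkDown only:", run_scenario(False))
    print("with MAC notification:", run_scenario(True))
```

Both scenarios end with the same port-to-VLAN mapping; the difference is the number of SNMP queries pfsetvlan had to issue, which is the load the guide warns about for linkUp/linkDown-only setups.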


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es)/access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter is working like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement technique rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in switch configuration), and the MAC address 00:11:22:33:44:55 client if it connects on another SSID.


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLAN, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to VLAN or internal roles or ACL on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory

Apache htpasswd file

Email

External HTTP API

Facebook (OAuth 2)

Github (OAuth 2)

Google (OAuth 2)

Kerberos

LDAP

LinkedIn (OAuth 2)

Null

RADIUS

SMS

Sponsored Email

Twitter (OAuth 2)

Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role employee

Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role machineauth

Set unregistration date January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
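The source/rule/condition/action evaluation described in this section, as an added example written for this guide rather than PacketFence's own code. It models the employee, machine and guest sources above with constructed directory contents (the second AD source is named ad-machines here to keep the two apart), and goes one step beyond the guide's catch-all rules by placing a conditional "it-staff" rule ahead of the employee fallback, which shows the ordering and first-match-wins behaviour. A source that returns attributes for everyone it authenticated, as Kerberos and RADIUS do, would simply never return None from lookup().

```python
"""First-match-wins evaluation of authentication sources, rules, conditions and actions.

Added example modelled on the guide's description of how PacketFence picks a role;
it is not PacketFence's own code. Source names, directory contents and the
"it-staff" group rule are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]


@dataclass
class Rule:
    name: str
    conditions: List[Callable[[Attrs], bool]]   # empty list: catch-all (fallback) rule
    actions: Dict[str, str]


@dataclass
class Source:
    name: str
    # lookup() returns the user's attributes, or None when the source does not know
    # the user. Directory-style sources (AD, LDAP, htpasswd) only match names they
    # hold; a Kerberos/RADIUS-style source would return attributes for anyone it
    # authenticated, so its catch-all rule accepts everyone.
    lookup: Callable[[str], Optional[Attrs]]
    rules: List[Rule]


def evaluate(sources: List[Source], username: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (source, rule, actions) for the first rule whose conditions all hold.

    Sources are tried in order, then rules within a source in order; the first hit
    stops evaluation across all remaining sources.
    """
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue                      # not in this source: try the next one
        for rule in source.rules:
            if all(cond(attrs) for cond in rule.conditions):
                return source.name, rule.name, dict(rule.actions)
    return None                           # no source could place the user


def in_group(group: str) -> Callable[[Attrs], bool]:
    """Condition: the LDAP memberOf attribute contains the given group DN."""
    return lambda attrs: group in attrs.get("memberOf", [])


# Constructed directory contents standing in for the AD/LDAP and SQL backends.
EMPLOYEES = {
    "alice": {"sAMAccountName": "alice", "memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
    "bob": {"sAMAccountName": "bob", "memberOf": []},
}
MACHINES = {"ws01$": {"servicePrincipalName": "HOST/ws01.acme.local"}}
GUESTS = {"visitor1": {"username": "visitor1"}}

SOURCES = [
    Source("ad1", EMPLOYEES.get, [
        # a conditional rule ordered before the catch-all
        Rule("it-staff", [in_group("CN=IT,CN=Users,DC=acme,DC=local")],
             {"role": "it-staff", "unregdate": "2020-01-01"}),
        Rule("employees", [], {"role": "employee", "unregdate": "2020-01-01"}),
    ]),
    Source("ad-machines", MACHINES.get, [
        Rule("machines", [], {"role": "machineauth", "unregdate": "2020-01-01"}),
    ]),
    Source("local-sql", GUESTS.get, [
        Rule("guests", [], {"role": "guest", "access_duration": "1D"}),
    ]),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "ws01$", "visitor1", "mallory"):
        print(user, "->", evaluate(SOURCES, user))
```

Reordering SOURCES or the rules inside a source changes the outcome exactly as dragging them around in the GUI would, which is why the guide insists on the order of definition.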

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result should be 1 for success, 0 for failure
message should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}


AuthorizationThisshouldprovidetheactionstoapplyonauserbasedonitrsquosattributes

The following attributes are available for the reply access_duration access_level sponsorunregdatecategory

SampleJSONresponsenotethatnotallattributesarenecessaryonlysendbackwhatyouneed

access_duration1Daccess_levelALLsponsor1 unregdate2030-01-01categorydefault

Note

See usrlocalpfaddonsexample_external_auth for an example implementationcompatiblewithPacketFence

PacketFenceconfigurationInPacketFenceyouneedtoconfigureanHTTPsourceinordertouseanexternalAPI

Hereisabriefdescriptionofthefields

Host First theprotocol then the IPaddressorhostnameof theAPIand lastly theport toconnecttotheAPI

APIusernameandpasswordIfyourAPIimplementsHTTPbasicauthentication(RFC2617)youcanaddtheminthesefieldsLeavinganyofthosetwofieldsemptywillmakePacketFencedotherequestswithoutanyauthentication

AuthenticationURLURLrelativetothehosttocallwhendoingtheauthenticationofauserNotethatitisautomaticallyprefixedbyaslash

AuthorizationURLURLrelativetothehosttocallwhendoingtheauthorizationofauserNotethatitisautomaticallyprefixedbyaslash
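As an added example (not the /usr/local/pf/addons/example_external_auth code), here is a minimal external API in Python that implements both actions behind HTTP basic authentication and returns only the attributes listed above. It assumes PacketFence posts the credentials as the form fields username and password, and that the Authentication URL and Authorization URL are configured as auth and authorize; the user store and API credentials are constructed sample values.

```python
"""Minimal external authentication API for a PacketFence HTTP source.

Added example, not PacketFence's own addon. Assumptions: the POST fields are
named 'username' and 'password', the two relative URLs are /auth and
/authorize, and PacketFence presents the API username/password via HTTP
basic authentication. Users and credentials below are constructed."""
import base64
import hashlib
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Credentials PacketFence must send (the API username / password fields).
API_USER, API_PASS = b"pf", b"api-secret"


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, PBKDF2 hash, authorization attributes).
# The attributes are restricted to the ones PacketFence understands.
_USERS = {}
_DUMMY = (b"\x00" * 16, b"\x00" * 32, {})  # used so unknown users cost the same time


def add_user(username, password, attributes):
    salt = os.urandom(16)
    _USERS[username] = (salt, _pbkdf2(password, salt), attributes)


add_user("alice", "alice-pass", {"access_duration": "1D", "category": "guest"})
add_user("bob", "bob-pass", {"access_level": "ALL", "sponsor": 1,
                             "unregdate": "2030-01-01", "category": "default"})


def make_basic_header(user, password):
    """Build the 'Authorization: Basic ...' value PacketFence would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header):
    """Validate an RFC 2617 basic-auth header with constant-time comparisons."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).partition(b":")
    except ValueError:
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(pw, API_PASS)


def authenticate(fields):
    """Authentication action: result 1/0 plus a message."""
    user = fields.get("username", [""])[0]
    pw = fields.get("password", [""])[0]
    salt, digest, _ = _USERS.get(user, _DUMMY)
    if user in _USERS and hmac.compare_digest(digest, _pbkdf2(pw, salt)):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorize(fields):
    """Authorization action: only the attributes PacketFence should apply."""
    entry = _USERS.get(fields.get("username", [""])[0])
    return dict(entry[2]) if entry else {}


def handle(path, body, auth_header):
    """Dispatch one request; returns (HTTP status, JSON-serialisable reply)."""
    if not basic_auth_ok(auth_header):
        return 401, {"result": 0, "message": "API authentication required"}
    fields = parse_qs(body)
    if path == "/auth":
        return 200, authenticate(fields)
    if path == "/authorize":
        return 200, authorize(fields)
    return 404, {"result": 0, "message": "Unknown action"}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode()
        status, reply = handle(self.path, body, self.headers.get("Authorization"))
        payload = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Matches a Host field of http://127.0.0.1:8080 in the PacketFence HTTP source.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```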

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated with the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred on the server above (should be /usr/local/pf/conf/ssl/idp.crt).

Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred on the server above (should be /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

    Default SNMP read/write communities for the switches
    Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

    Switch IP/MAC/Range
    Switch vendor/type
    Switch uplink ports (trunks and non-managed IfIndex)
    per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.

From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <role_name>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering, and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.

Example with the most common ones:

    SSID: Guest-SSID
    VLAN: 100
    Switch Port: <SwitchId>-<Port>
    Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory, you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.

Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.

Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.

Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain, for CentOS/RHEL:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET, for CentOS/RHEL:

    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:

    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext:

    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note

This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfsponsor
                if (fail || notfound) {
                    # Don't check activation table with phone number and PIN code
                    #pfsms     <--- This line was commented out
                    if (fail || notfound) {
                        update control {
                            &MS-CHAP-Use-NTLM-Auth := Yes
                        }
                    }
                }
            }
        }
    }

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.

Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it fails, then we reactivate NTLM Auth:

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            update control {
                MS-CHAP-Use-NTLM-Auth := Yes
            }
        }
    }

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
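The same test, as an added Python example rather than radtest (not PacketFence or FreeRADIUS code): it builds the PAP Access-Request exactly as shown above (localhost:18120, secret testing123, NAS-Port 12, user dd9999), hides the password per RFC 2865 and only reports success when the reply's Response Authenticator was computed with the shared secret, which is what distinguishes a real Access-Accept from a stray or spoofed UDP reply.

```python
"""Send a PAP Access-Request to the PacketFence RADIUS tunnel port, as the
radtest command above does, and check the reply.

Added example, not PacketFence or FreeRADIUS code. It uses the values shown
in this section (localhost:18120, shared secret testing123, NAS-Port 12,
the dd9999 / Abcd1234 test user) and implements the RFC 2865 User-Password
hiding and Response Authenticator check directly, so the packet it sends can
be inspected and the reply is trusted only if it was signed with the secret."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); used here to verify the encoding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attribute(attr_type, value):
    """Type-Length-Value encoding; the length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, nas_port, authenticator=None):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    attrs += attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += attribute(NAS_PORT, struct.pack("!I", nas_port))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Build a reply the way the server does (RFC 2865 section 3); used to test verify_response."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Check length and Response Authenticator; return (code, identifier) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, ident


def radtest(username, password, server=("127.0.0.1", 18120), secret=b"testing123",
            nas_ip="255.255.255.255", nas_port=12, timeout=3.0):
    """Send one Access-Request and return True on a verified Access-Accept."""
    ident = os.urandom(1)[0]
    packet, authenticator = build_access_request(ident, username, password, secret, nas_ip, nas_port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, server)
        reply, _ = sock.recvfrom(4096)
    code, reply_ident = verify_response(reply, authenticator, secret)
    if reply_ident != ident:
        raise ValueError("reply identifier does not match the request")
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    print("Access-Accept" if radtest("dd9999", "Abcd1234") else "Access-Reject")
```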

PortalModules

ThePacketFencecaptiveportalflowishighlycustomizableThissectionwillcoverthePortalModuleswhichareusedtodefinethebehaviorofthecaptiveportal

Chapter9

Copyrightcopy2016Inverseinc Configuration 44

Note

WhenupgradingfromaversionthatdoesnrsquothavetheportalmodulesthePacketFencePortal Modules configuration already comes with defaults that will fit most casesand offers the same behavior as previous versions of PacketFence Meaning allthe available Portal Profile sources are used for authentication then the availableprovisionerswillbeused

FirstabriefdescriptionoftheavailablePortalModules

RootThis iswhereitallstartsthismoduleisasimplecontainerthatdefinesallthemodulesthatneedtobeappliedinachainedwaytotheuserOncetheuserhascompletedallmodulescontainedintheRootheisreleasedonthenetwork

Choice This allows to give a choice between multiple modules to the user Thedefault_registration_policyisagoodexampleofachoicethatisofferedtotheuser

ChainedThisallowsyoutodefinealistofmodulesthatauserneedstogothroughintheorderthattheyaredefined-exyouwantyouruserstoregisterviaGoogle+andpayfortheiraccessusingPayPal

MessageThisallowsyou todisplayamessage to theuserAnexample isavailablebelow inDisplayingamessagetotheuseraftertheregistration

AuthenticationTheauthenticationmodulescanbeofalotoftypesYouwouldwanttodefineoneofthesemodulesinordertooverridetherequiredfieldsthesourcetousethetemplateoranyothermoduleattribute

BillingAllowstodefineamodulebasedononeormorebillingsources

ChoiceAllows todefineamodulebasedonmultiple sourcesandmoduleswithadvancedfilteringoptionsSeethesectionAuthenticationChoicemodulebelowforadetailedexplanation

LoginAllowsyoutodefineausernamepasswordbasedmodulewithmultipleinternalsources(ActiveDirectoryLDAPhellip)

OthermodulesTheothermodulesareallbasedonthesourcetypetheyareassignedtotheyallowtoselectthesourcetheAUPacceptanceandmandatoryfieldsifapplicable

ExamplesThissectionwillcontainthefollowingexamples

Promptingforfieldswithoutauthentication

Promptingadditionnalfieldsduringtheauthentication

Chainedauthentication

MixingloginandSecureSSIDon-boardingontheportal

Displayingamessagetotheuseraftertheregistration

Chapter9

Copyrightcopy2016Inverseinc Configuration 45

CreatingacustomrootmoduleFirstcreateacustomrootmoduleforourexamples inordertonotaffectthedefaultpolicy InordertodosogoinConfigurationrarrPortalModulesthenclickAddPortalModuleandselectthetypeRootGiveittheidentifiermy_first_root_moduleandthedescriptionMy first root modulethenhitsave

Next head toConfigurationrarr Portal Profiles select the portal profile you use (most probablydefault)andthenunderRootPortalModuleassignMy first root modulethensaveyourprofileIfyouweretoaccessthecaptiveportalnowanerrorwoulddisplaysincetheRootmoduleweconfigureddoesnrsquotcontainanything

YoucouldaddsomeofthepreconfiguredmodulestothenewRootmoduleyoucreatedandthatwouldmaketheerrordisapear

PromptingforfieldswithoutauthenticationInordertopromptfieldswithoutauthenticationyoucanusetheNullsourcewiththeNullPortalModule

PacketFencealreadycomeswithaNullsourcepreconfiguredIfyouhavenrsquotmodifieditordeletedityoucanuseitforthisexampleOtherwisegoinConfigurationrarrSourcesandcreateanewNullsourcewithacatchallrulethatassignsaroleandaccessduration

ThengoinConfigurationrarrPortalModulesandclickAddPortalModuleandselectAuthenticationrarrNullSettheIdentifiertoprompt_fieldsandconfigurethemodulewiththeMandatoryfieldsyouwantanduncheckRequireAUPsothattheuserdoesnrsquothavetoaccepttheAUPbeforesubmittingthesefields

Nextaddtheprompt_fieldsmoduleinmy_first_root_module(removinganypreviousmodules)andsave itNowwhenvisitingtheportal itshouldpromptyouforthefieldsyoudefine inthe

Chapter9

Copyrightcopy2016Inverseinc Configuration 46

moduleThensubmittingtheseinformationswillassignyoutheroleandaccessdurationthatyoudefinedinthenullsource

Promptingadditionnalfieldsduringtheauthentication

IfyouwanttopromptadditionnalfieldsduringtheauthenticationprocessforamoduleyoucandefineaModulebasedonthatsourcethatwillspecifytheadditionnalmandatoryfieldsforthissource

Youcanalsoaddadditionnalmandatoryfieldstothedefaultpoliciesthatarealreadyconfigured

Thisexamplewillmakethedefault_guest_policyrequiretheusertoenterafirstnamelastnameandaddresssothatguestshavetoenterthesethreeinformationsbeforeregistering

Go in Configuration rarr Portal Modules and click the default_guest_policy Add firstnamelastnameandaddresstotheMandatoryfieldsandsave

Nextaddthedefault_guest_policytomy_first_root_module(removinganypreviousmodules)Nowwhenvisitingtheportalselectinganyoftheguestsourceswillrequireyoutoenterboththemandatoryfieldsofthesource(exphone+mobileprovider)andthemandatoryfieldsyoudefinedinthedefault_guest_policy

Note

Notallsourcessupportadditionnalmandatoryfields(exOAuthsourceslikeGoogleFacebookhellip)

Chainedauthentication

Theportalmodulesallowyoutochaintwoormoremodulestogetherinordertomaketheuseraccomplishalloftheactionsinthemoduleinthedesiredsequence

ThisexamplewillallowyoutoconfigureaChainedmodulethatwillrequiretheusertologinviaanyconfiguredOAuthsource(GithubGoogle+hellip)andthenvalidatehisphonenumberusingSMSregistration

FortheOAuthloginwewillusethedefault_oauth_policysojustmakesureyouhaveanOAuthsourceconfiguredcorrectlyandavailableinyourPortalProfile

ThenwewillcreateamodulethatwillcontainthedefinitionofourSMSregistration

GoinConfigurationrarrPortalModulesthenclickAddPortalModuleandselectAuthenticationrarrSMS

ConfiguretheportalmodulesothatitusesthesmssourceandunchecktheRequireAUPoptionsincetheuserwillhavealreadyacceptedtheAUPwhenregisteringusingOAuth

Chapter9

Copyrightcopy2016Inverseinc Configuration 47

ThenaddanotherPortalModuleoftypeChainedNameitchained_oauth_smsassignarelevantdescriptionandthenadddefault_oauth_policyandsmstotheModulesfields

Chapter9

Copyrightcopy2016Inverseinc Configuration 48

Next add the chained_oauth_sms module in my_first_root_module (removing any previousmodules)andsaveitNowwhenvisitingtheportalyoushouldhavetoauthenticationusinganOAuthsourceandthenusingSMSbasedregistration

MixingloginandSecureSSIDon-boardingontheportalThisexamplewillguideyouthroughconfiguringaportalflowthatwillallowfordevicestoaccessanopenSSIDusinganLDAPusernamepasswordbutalsogivethechoicetoconfiguretheSecureSSIDdirectlyfromtheportal

FirstweneedtoconfiguretheprovisionersfortheSecureSSIDonboardingRefertosectionAppleandAndroidWirelessProvisioningofthisguidetoconfigureyourprovisionersandaddthemtotheportalprofile

CreateaprovisionerofthetypeDenyandadditwithyourotherprovisioners(puttinganyotherprovisionerbeforeit)Thiswillmakesurethatifthereisnomatchontheotherprovisionersitwillnotallowthedevicethrough

AlsointheportalprofileaddyourLDAPsourcetotheavailablesourcessoitstheonlyoneavailable

NextcreateaProvisioningportalmodulebygoinginConfigurationrarrPortalModulesSettheIdentifiertosecure_boardingandthedescriptiontoBoard Secure SSIDAlsouncheckSkipablesotheuserisforcedtoboardtheSSIDshoulditchoosethisoption

ThenstillinthePortalModulescreateaChoicemoduleSettheIdentifiertologin_or_boardinganddescriptiontoLoginorBoardingAddsecure_boardinganddefault_login_policytotheModulesfieldandsave

Chapter9

Copyrightcopy2016Inverseinc Configuration 49

Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile, and you will then see the hello world message.

Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. The same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.

ex: pf::Authentication::Source::SMSSource will select all the SMS sources. pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, …).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.

You can see the default_guest_policy and default_oauth_policy for examples of this module.

Debugging

Log files

Here are the most important PacketFence log files:

- /usr/local/pf/logs/packetfence.log: PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access: Apache – Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error: Apache – Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access: Apache – Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error: Apache – Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access: Apache – Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error: Apache – Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access: Apache – AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error: Apache – AAA Error Log

There are other log files in /usr/local/pf/logs that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct

Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.

Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If that is the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP servers to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file, and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration / Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.

After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com
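The override rule described earlier (defaults in pf.conf.defaults, overridden by whatever is set in pf.conf) and the passthrough list above can be exercised with the following Python, which is an added example and not PacketFence's own code. The two INI documents are constructed: the [trapping] and [registration] keys are the ones this guide shows, their default values are assumed, and matching passthrough entries with fnmatch-style wildcards is this example's rule, not a reproduction of PacketFence's own matching logic.

```python
"""Resolve the effective PacketFence configuration and apply the passthrough list.

Added example, not PacketFence code. Both INI texts are constructed samples that
mimic /usr/local/pf/conf/pf.conf.defaults and /usr/local/pf/conf/pf.conf.
"""
import configparser
import fnmatch

# Assumed defaults (the real pf.conf.defaults carries many more keys and descriptions).
PF_CONF_DEFAULTS = """
[trapping]
passthrough=disabled
passthroughs=

[registration]
device_registration=disabled
device_registration_role=default
"""

# Constructed pf.conf overriding only the keys the administrator cares about.
PF_CONF = """
[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

[registration]
device_registration = enabled
device_registration_role = gaming
"""


def load_effective_config(defaults_text: str, override_text: str) -> configparser.ConfigParser:
    """Read the defaults first, then pf.conf on top: a key set in pf.conf wins,
    every other key keeps its default value."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(defaults_text)
    cfg.read_string(override_text)
    return cfg


def passthrough_domains(cfg: configparser.ConfigParser) -> list:
    """The passthrough list only has an effect when trapping.passthrough is enabled."""
    if cfg.get("trapping", "passthrough") != "enabled":
        return []
    raw = cfg.get("trapping", "passthroughs")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def is_passthrough_allowed(cfg: configparser.ConfigParser, hostname: str) -> bool:
    """Decide whether an unregistered device may reach `hostname`.

    A wildcard entry such as *.ggpht.com matches sub-domains only, a bare entry
    matches that exact host, and the pattern is anchored to the whole name so that
    "googleapis.com.attacker.example" does not match "*.googleapis.com"."""
    host = hostname.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, entry.lower()) for entry in passthrough_domains(cfg))
```

The anchored match is the security-relevant detail: a passthrough list punches holes in the registration VLAN firewall, so an entry must never match a host that merely contains the allowed name as a prefix.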

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click to configure; this will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)

- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.

Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Login into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.

Configure the settings as follows:

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.

Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.

Where:

- Identity token is the one you noted on the Website Payment Preferences page.
- Cert ID is the one you noted on the Encrypted Payment Settings page.
- Payment type is whether the access is donation-based (not mandatory to pay for it).
- Email address is the email address of the merchant paypal account.
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
- Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default).
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and login.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.

Where:

- Secret key is the secret key you got from your Stripe account.
- Publishable key is the publishable key you got from your Stripe account.
- Style is whether you are doing a one-time charge or subscription-based billing (recurring). See section Subscription based registration below for details on how to configure it.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using the test key and secret.

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of them for usage in the PacketFence configuration.

Then, login into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.

Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.

Where:

- API login ID is the one you got earlier while creating your account.
- Transaction key is the one you got earlier while creating your account.
- MD5 hash is the one you configured in your Authorize.net account.
- Currency is the currency that will be used in the transactions.
- Test mode should be activated if you are using a sandbox account.

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.

Then click Add billing tier and configure it.

Where:

- Billing tier is the unique identifier of the billing tier.
- Name is the friendly name of the billing tier.
- Description is an extended description of the billing tier.
- Price is the amount that will be charged to the user.
- Access duration is the amount of time the user will be granted access to your network.
- Role is the target role the user should be in.
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.

Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.

Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.

- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.

- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.

- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.

Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe.

- Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
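Because the webhook endpoint above is reachable over plain HTTP on a public IP, anything that can send a POST to it could claim that a subscription was cancelled. The following Python is an added example, not PacketFence's /hook/billing/stripe implementation: it shows the checks a receiver should perform before acting, namely verifying Stripe's Stripe-Signature header (HMAC-SHA256 over "timestamp.body" with the endpoint's signing secret, scheme v1) and rejecting stale timestamps, and only then mapping a customer.subscription.deleted event to the billing tier (plan ID, matched to the billing tier identifier as described above) and customer to unregister. The signing secret and the event body are constructed.

```python
"""Verify and interpret a Stripe webhook call before acting on it.

Added example, not PacketFence code. ENDPOINT_SECRET and SAMPLE_EVENT are constructed.
"""
import hashlib
import hmac
import json
import time

ENDPOINT_SECRET = "whsec_constructed_example_secret"   # constructed, not a real secret
TOLERANCE_SECONDS = 300                                # reject events older than 5 minutes


def _mac(secret: str, timestamp: int, payload: str) -> str:
    signed = f"{timestamp}.{payload}".encode()
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def sign(secret: str, payload: str, timestamp: int) -> str:
    """Build a Stripe-Signature header value, i.e. what the sending side does."""
    return f"t={timestamp},v1={_mac(secret, timestamp, payload)}"


def verify(secret: str, payload: str, header: str, now=None, tolerance=TOLERANCE_SECONDS) -> bool:
    """Check the v1 signature(s) in the header against the raw body and the timestamp."""
    now = int(time.time()) if now is None else now
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        return False
    if abs(now - timestamp) > tolerance:
        return False                                   # replayed or very old event
    expected = _mac(secret, timestamp, payload)
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def handle_webhook(body: str, header: str, secret: str = ENDPOINT_SECRET, now=None):
    """Return (http_status, action). Only a verified subscription cancellation yields an
    unregister action; any other verified event is acknowledged and ignored."""
    if not verify(secret, body, header, now):
        return 400, None
    event = json.loads(body)
    if event.get("type") != "customer.subscription.deleted":
        return 200, {"action": "ignore", "type": event.get("type")}
    subscription = event["data"]["object"]
    return 200, {
        "action": "unregister",
        "customer": subscription["customer"],
        "billing_tier": subscription["plan"]["id"],   # plan ID == billing tier ID
    }


# Constructed sample event: a cancelled subscription on the "simple" plan (3.99 in cents).
SAMPLE_EVENT = json.dumps({
    "id": "evt_constructed_1",
    "type": "customer.subscription.deleted",
    "livemode": False,
    "data": {"object": {"id": "sub_constructed_1", "customer": "cus_constructed_1",
                        "plan": {"id": "simple", "amount": 399, "currency": "usd"}}},
})
```

The signature must be computed over the raw request body exactly as received; re-serialising the parsed JSON before hashing is a common way to break verification.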

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
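The matching step described above (a user-supplied MAC address checked against a predefined list of authorized OUIs before the device is registered with the user's id and role) can be written as follows. This is an added example, not PacketFence's own device-registration code: the allowlist of OUIs is constructed placeholder data, the function names are hypothetical, and the role value "gaming" is the one from the pf.conf fragment above.

```python
"""Validate a user-entered MAC address against an authorized OUI list.

Added example, not PacketFence code. AUTHORIZED_OUIS holds constructed placeholder
prefixes, not real vendor assignments.
"""
import re

DEVICE_REGISTRATION_ROLE = "gaming"            # device_registration_role from pf.conf
AUTHORIZED_OUIS = {"00:11:22", "A8:BB:CC"}      # constructed sample allowlist (first 3 octets)

_MAC_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw: str):
    """Accept the forms users type (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff,
    aabbccddeeff) and return the canonical lowercase colon form, or None if it is not
    a MAC address. Normalising first prevents allowlist bypasses through formatting."""
    hexdigits = re.sub(r"[:\-.\s]", "", raw.strip()).lower()
    if not _MAC_HEX.fullmatch(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    return mac[:8].upper()


def check_device_registration(raw_mac: str, owner_pid: str, allowed_ouis=AUTHORIZED_OUIS) -> dict:
    """Return the outcome of a registration attempt: rejected with a reason, or
    accepted with the record that would be stored (MAC, owner pid, role)."""
    mac = normalize_mac(raw_mac)
    if mac is None:
        return {"accepted": False, "reason": "invalid MAC address"}
    # A console's burnt-in address is never multicast (bit 0) or locally administered
    # (bit 1) in its first octet; refuse those before even looking at the OUI.
    if int(mac[:2], 16) & 0b11:
        return {"accepted": False, "reason": "multicast or locally-administered MAC"}
    if oui_of(mac) not in allowed_ouis:
        return {"accepted": False, "reason": f"OUI {oui_of(mac)} not in the authorized list"}
    return {"accepted": True, "mac": mac, "pid": owner_pid, "role": DEVICE_REGISTRATION_ROLE}
```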

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:

client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}

client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1    # replace with the address of your eduroam server
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ prefix or a suffix on the username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).

The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:

authorize {
    # pay attention to the order of the modules. It matters.
    ntdomain
    suffix
    preprocess

    # uncomment this section if you want to block eduroam users from your other SSIDs.
    # The attribute name (Called-Station-Id) may differ based on your controller.
    #if ( Called-Station-Id =~ /eduroam$/i ) {
    #    update control {
    #        Proxy-To-Realm := "local"
    #    }
    #}

    eap {
        ok = return
    }

    files
    expiration
    logintime
    packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

post-auth {
    exec

    # we skip packetfence when the request is coming from the eduroam servers
    if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
        packetfence
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
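To make the realm selection rules (ntdomain and suffix first, then NULL / EXAMPLE / example.edu handled locally, everything else proxied to the eduroam pool with nostrip) and the post-auth skip for the eduroam clients concrete, the following Python reproduces those decisions for a given User-Name and client shortname. It is an added example, not PacketFence or FreeRADIUS code; the realm names, pool name and client shortnames are the ones from the examples in this guide.

```python
"""Realm selection and routing for the eduroam proxy setup in this guide.

Added example, not PacketFence or FreeRADIUS code. It mirrors what the ntdomain/suffix
modules, the realm definitions in proxy.conf and the post-auth condition in
packetfence-tunnel decide for one request.
"""

LOCAL_REALMS = ("EXAMPLE", "example.edu")   # realms with no auth_pool: authenticated locally
DEFAULT_REALM_POOL = "eduroam"              # realm DEFAULT { auth_pool = eduroam  nostrip }
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}        # client shortnames from clients.conf


def split_user_name(user_name: str):
    """ntdomain (prefix, delimiter '\\') runs before suffix (delimiter '@'), as in the
    authorize section; the first module that finds a domain sets the realm."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return user, domain
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return user, domain
    return user_name, None


def select_realm(domain):
    if domain is None:
        return "NULL"
    for name in LOCAL_REALMS:              # FreeRADIUS realm lookups ignore case
        if name.lower() == domain.lower():
            return name
    return "DEFAULT"


def route_request(user_name: str, client_shortname: str) -> dict:
    stripped, domain = split_user_name(user_name)
    realm = select_realm(domain)
    proxied = realm == "DEFAULT"
    return {
        "realm": realm,
        "auth_pool": DEFAULT_REALM_POOL if proxied else None,
        "stripped_user_name": stripped if domain is not None else None,
        # DEFAULT is declared nostrip, so the proxied request keeps the full User-Name
        "proxied_user_name": user_name if proxied else None,
        # post-auth in packetfence-tunnel: skip the packetfence module for eduroam clients
        "run_packetfence": client_shortname not in EDUROAM_CLIENTS,
    }
```

The last field is the one that matters operationally: a request arriving from tlrs1 or tlrs2 is a visiting institution authenticating one of your own users, so it never reaches PacketFence's switch lookup, while a request from your own switch for an unknown realm is proxied out and PacketFence still gets to assign the VLAN.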

Finally, make sure that the realm modules are configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:

# 'username@realm'
realm suffix {
    format = suffix
    delimiter = "@"
}

# 'domain\user'
realm ntdomain {
    format = prefix
    delimiter = "\\"
    ignore_null = yes
}

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprints database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT being modified during this process.

Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There is documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the Vlans that have to be tagged on the port
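The following Python is an added example, not PacketFence code, that ties the settings listed above to the two trap handlers described under "How it works": it loads a floating device table from an INI text shaped like conf/floating_network_device.conf, then applies the port-security-trap and linkdown-trap reconfigurations to a simulated port state and restores the port afterwards. The conf text is constructed; section names being the device MACs and the keys trunkPort, pvid and taggedVlan are the settings this guide lists, while using "ip" as the key name for the IP address is an assumption.

```python
"""Floating network device table and port reconfiguration on traps.

Added example, not PacketFence code. FLOATING_NETWORK_DEVICE_CONF is a constructed
sample; the 'ip' key name is assumed.
"""
import configparser

FLOATING_NETWORK_DEVICE_CONF = """
[00:de:ad:be:ef:01]
ip=10.0.0.50
trunkPort=yes
pvid=10
taggedVlan=20,30

[00:de:ad:be:ef:02]
trunkPort=no
pvid=15
"""

_PORT_FIELDS = ("port_security", "trunk", "pvid", "tagged_vlans", "linkdown_traps")


def load_floating_devices(text: str) -> dict:
    """Parse the table into {mac: settings}, validating what the switch would choke on."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                      # keep trunkPort / taggedVlan spelling
    cfg.read_string(text)
    devices = {}
    for mac in cfg.sections():
        section = cfg[mac]
        trunk = section.get("trunkPort", "no").strip().lower() == "yes"
        tagged = [int(v) for v in section.get("taggedVlan", "").split(",") if v.strip()]
        if tagged and not trunk:
            raise ValueError(f"{mac}: taggedVlan only applies when trunkPort=yes")
        devices[mac.lower()] = {
            "ip": section.get("ip"),           # informational only, per the guide
            "trunk_port": trunk,
            "pvid": int(section["pvid"]),
            "tagged_vlans": tagged,
        }
    return devices


def initial_port() -> dict:
    """A normal access port before any floating device shows up on it."""
    return {"port_security": True, "trunk": False, "pvid": 2, "tagged_vlans": [],
            "linkdown_traps": False, "saved": None}


def on_port_security_trap(port: dict, mac: str, devices: dict) -> str:
    """Port-security trap: if the MAC is a floating device, remember the current port
    configuration and apply the floating-device settings; otherwise leave it alone."""
    device = devices.get(mac.lower())
    if device is None:
        return "regular-device"                # normal VLAN assignment path applies
    port["saved"] = {field: port[field] for field in _PORT_FIELDS}
    port["port_security"] = False
    port["pvid"] = device["pvid"]
    if device["trunk_port"]:
        port["trunk"] = True
        port["t"
              "agged_vlans"] = list(device["tagged_vlans"])
    port["linkdown_traps"] = True
    return "floating-device"


def on_linkdown_trap(port: dict) -> str:
    """Linkdown trap: put the port back the way it was, with port-security re-enabled
    and linkdown traps switched off again."""
    if port["saved"] is None:
        return "ignored"                       # no floating device was on this port
    port.update(port["saved"])
    port["saved"] = None
    port["port_security"] = True
    port["linkdown_traps"] = False
    return "restored"
```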

OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the google domain for your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

FacebookTo use Facebook you also need an API code and a secret key To get one go here httpsdevelopersfacebookcomappsWhenyoucreateyourAppmakesureyouspecifythefollowingastheWebsiteURLhttpsYOUR_PORTAL_HOSTNAMEoauth2callback

Chapter12

Copyrightcopy2016Inverseinc Advancedtopics 78

Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration; modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a "state" parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode in your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and the inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
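What a passive listener such as pfdhcplistener has to do with the copies of DHCP traffic it receives through ip helper-address or a mirrored port, as an added example that is not part of this guide nor PacketFence's own code: decode the raw BOOTP/DHCP payload and record the MAC-to-IP mapping only from the server's DHCPACK, without ever answering. The packet builder, MAC addresses and IPs below are constructed for the demonstration.

```python
import ipaddress
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPACK, DHCPRELEASE = 1, 5, 7


def parse_dhcp(payload: bytes) -> Optional[dict]:
    """Decode the UDP body of a BOOTP/DHCP message (RFC 2131 layout).

    Returns None for anything that is not a DHCP message, otherwise the fields a
    passive listener needs: op, xid, client MAC, assigned IP (yiaddr) and options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    hlen = min(hlen, 16)                      # chaddr is a 16-byte field
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):                   # TLV options: 0 = pad, 255 = end
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                             # truncated option header
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53, b"")
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr,
            "message_type": mtype[0] if mtype else None, "options": options}


class DhcpListener:
    """Passive MAC -> IP tracker in the spirit of pfdhcplistener.

    It only observes copies of DHCP traffic (port mirror or ip helper-address) and
    never sends a reply, which is why no DHCP server may run on that interface."""

    def __init__(self) -> None:
        self.leases: Dict[str, str] = {}

    def observe(self, payload: bytes) -> Optional[str]:
        msg = parse_dhcp(payload)
        if msg is None:
            return None
        # Only the server's DHCPACK proves that this IP was really handed to that MAC.
        if msg["op"] == BOOTREPLY and msg["message_type"] == DHCPACK and msg["yiaddr"] != "0.0.0.0":
            self.leases[msg["mac"]] = msg["yiaddr"]
            return f"lease {msg['mac']} -> {msg['yiaddr']}"
        # A DHCPRELEASE from the client means the mapping is no longer valid.
        if msg["op"] == BOOTREQUEST and msg["message_type"] == DHCPRELEASE:
            self.leases.pop(msg["mac"], None)
            return f"release {msg['mac']}"
        return None   # DISCOVER/OFFER/REQUEST carry no confirmed assignment


def build_dhcp(op: int, msg_type: int, mac: str, yiaddr: str = "0.0.0.0", xid: int = 0x2A3B4C5D) -> bytes:
    """Build a minimal DHCP payload (constructed test input, not captured traffic)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    addrs = b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    return head + addrs + chaddr + b"\x00" * 192 + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


if __name__ == "__main__":
    listener = DhcpListener()
    for pkt in (build_dhcp(BOOTREQUEST, DHCPDISCOVER, "00:11:22:33:44:55"),
                build_dhcp(BOOTREPLY, DHCPACK, "00:11:22:33:44:55", "10.0.101.42")):
        print(listener.observe(pkt))
    print(listener.leases)
```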

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note: PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled


[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = soh-server

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start= auto
sc start napagent

# Wired 802.1X
sc config dot3svc start= auto depend= napagent
sc start dot3svc

netsh nap client show config

# get the ID value for the EAP Quarantine Enforcement Client
netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note: You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN, or to do a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN


[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer, or to do a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer controls whether the original answer of PacketFence is merged with the filter answer automatically):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
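vlan_filters.conf and radius_filters.conf share the same rule syntax, so one evaluator serves both sections above. The following is an added example, not PacketFence's own filter engine: it loads named condition sections, "[N:a&b&!c]" rules with negation, the is/is_not/defined/not_defined operators, a subset of the Time::Period syntax used by the time filter, and $placeholder expansion in RADIUS answers. The sample rules merge the VLAN and RADIUS examples from the two sections into one constructed text, and the request contexts and SAMPLE_WHEN are constructed as well.

```python
import configparser
import re
from datetime import datetime
from typing import Any, Dict, Optional

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
SAMPLE_WHEN = datetime(2016, 6, 6, 12, 30)   # a Monday at 12:30 (constructed)
# Constructed sample built from the page's examples: vlan and radius rules in one text.
SAMPLE_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[2:etherneteap&!violation]
scope = returnRadiusAccessAccept
merge_answer = yes
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id
"""

def _hour(tok: str) -> int:
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12, bare '23' -> 23."""
    num, suffix = re.fullmatch(r"(\d{1,2})(am|pm)?", tok, re.I).groups()
    return int(num) % 12 + 12 * (suffix.lower() == "pm") if suffix else int(num)

def in_period(spec: str, when: datetime) -> bool:
    """Subset of the Time::Period syntax of the 'time' filter, e.g. 'wd {Mon-Fri} hr {11am-2pm}'.
    Every scale must match; a range includes both ends, so hr {11am-2pm} covers 11:00-14:59."""
    for scale, body in re.findall(r"(\w+)\s*\{([^}]*)\}", spec):
        if scale == "wd":
            conv, cur = DAYS.index, when.weekday()
        elif scale == "hr":
            conv, cur = _hour, when.hour
        else:
            raise ValueError(f"unsupported scale {scale!r}")
        items = [item.partition("-") for item in body.split()]
        if not any(conv(lo) <= cur <= conv(hi or lo) for lo, _, hi in items):
            return False
    return True

def lookup(ctx: Any, path: str) -> Optional[Any]:
    """Resolve a dotted name such as 'node_info.category'; None when any part is missing."""
    for part in path.split("."):
        ctx = ctx.get(part) if isinstance(ctx, dict) else None
    return ctx

def expand(text: str, ctx: Dict[str, Any]) -> str:
    """Replace $user_role / $switch._portalURL style placeholders in a RADIUS answer."""
    return re.sub(r"\$([A-Za-z_][\w.]*)", lambda m: str(lookup(ctx, m.group(1)) or ""), text)

def holds(cond: Dict[str, str], ctx: Dict[str, Any], when: datetime) -> bool:
    """Evaluate one named condition section ([ssid], [violation], ...)."""
    op, value = cond["operator"], cond.get("value", "")
    if cond["filter"] == "time":
        return in_period(value, when) == (op == "is")
    actual = lookup(ctx, cond["filter"])
    if op in ("defined", "not_defined"):
        return (actual is not None) == (op == "defined")
    if op in ("is", "is_not") and actual is not None:
        return (str(actual) == value) == (op == "is")
    return False   # undefined attribute, or an operator this example does not implement

class FilterEngine:
    """'[N:a&b&!c]' sections are rules; the first rule matching scope and conditions wins."""
    def __init__(self, text: str) -> None:
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        self.conditions: Dict[str, Dict[str, str]] = {}
        self.rules = []   # (name, [terms], params) kept in file order
        for name in cp.sections():
            m = re.fullmatch(r"\d+:(.+)", name)
            if m:
                self.rules.append((name, [t.strip() for t in m.group(1).split("&")], dict(cp[name])))
            else:
                self.conditions[name] = dict(cp[name])

    def evaluate(self, scope: str, ctx: Dict[str, Any], when: datetime) -> Optional[dict]:
        for name, terms, params in self.rules:
            if params.get("scope") == scope and all(
                    holds(self.conditions[t.lstrip("!")], ctx, when) != t.startswith("!") for t in terms):
                return dict({k: expand(v, ctx) if k.startswith("answer") else v for k, v in params.items()}, rule=name)
        return None
```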


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (core switch, firewall, router…)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs. unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note: Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.

The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.

The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.

The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.

The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.

Chapter 13

Copyright © 2016 Inverse inc.   Optional components   92

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version in the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: the scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: the MD5 hash returned by Suricata
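What the suricata_http parser has to cope with at the end of the pipeline above, as an added example that is not PacketFence's own parser: read the lines rsyslog writes into the /usr/local/pf/var/suricata_files FIFO, pull the MD5 out of the Suricata file event, and match it against the suricata_md5 triggers of the configured violations. The rsyslog line layout, the two JSON shapes handled (the flat files-json.log record and the EVE fileinfo record) and every host, IP, filename, hash and violation id are assumptions constructed for the demonstration.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of lines as they would land in the FIFO: rsyslog's default file
# layout (timestamp, host, program name) in front of the forwarded files-json.log record.
SAMPLE_FIFO_LINES = [
    'Jun 15 10:21:03 ids01 suricata_files: {"timestamp": "06/15/2016-10:21:03.120", '
    '"srcip": "10.0.101.42", "dstip": "93.184.216.34", "protocol": 6, "http_host": "example.org", '
    '"http_uri": "/setup.exe", "filename": "/setup.exe", "magic": "PE32 executable", '
    '"state": "CLOSED", "md5": "D41D8CD98F00B204E9800998ECF8427E", "stored": false, "size": 73802}',
    # partial transfer: Suricata logs no md5 for a truncated file, so there is nothing to match
    'Jun 15 10:21:04 ids01 suricata_files: {"timestamp": "06/15/2016-10:21:04.001", '
    '"srcip": "10.0.101.43", "dstip": "93.184.216.34", "filename": "/logo.png", "state": "TRUNCATED", "size": 5120}',
    # garbage that is not JSON must be skipped, not crash the reader
    'Jun 15 10:21:05 ids01 suricata_files: not json at all',
    # newer EVE-style fileinfo record (hash nested under "fileinfo")
    'Jun 15 10:21:06 ids01 suricata_files: {"event_type": "fileinfo", "src_ip": "10.0.101.44", '
    '"dest_ip": "93.184.216.34", "fileinfo": {"filename": "/tool.zip", "md5": "9e107d9d372bb6826bd81d3542a419d6"}}',
]

# Constructed violation triggers in the (type, id) form of the Violations configuration.
SAMPLE_TRIGGERS: Dict[str, List[Tuple[str, str]]] = {
    "4000002": [("suricata_md5", "d41d8cd98f00b204e9800998ecf8427e")],
    "4000003": [("suricata_event", "ET P2P")],
}

SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<prog>[\w.-]+): (?P<msg>.*)$")
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def parse_fifo_line(line: str) -> Optional[Dict[str, str]]:
    """Return {srcip, dstip, md5, filename} for a file event carrying an MD5, else None.

    Handles both the flat files-json.log layout (srcip/dstip/md5 at top level) and the
    EVE fileinfo layout (src_ip/dest_ip with the hash under "fileinfo")."""
    m = SYSLOG_RE.match(line.strip())
    if not m or m.group("prog") != "suricata_files":
        return None                     # not from the syslog-ng source configured above
    try:
        event = json.loads(m.group("msg"))
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    if isinstance(event.get("fileinfo"), dict):
        info, src, dst = event["fileinfo"], event.get("src_ip"), event.get("dest_ip")
    else:
        info, src, dst = event, event.get("srcip"), event.get("dstip")
    md5 = info.get("md5")
    if not isinstance(md5, str) or not MD5_RE.fullmatch(md5):
        return None                     # truncated files carry no checksum
    return {"srcip": src, "dstip": dst, "md5": md5.lower(), "filename": info.get("filename", "")}


def matching_violations(md5: str, triggers: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Violation ids that have a suricata_md5 trigger equal to this hash (case-insensitive)."""
    return [vid for vid, trigs in triggers.items()
            if any(t == "suricata_md5" and tid.lower() == md5 for t, tid in trigs)]


def process_fifo(lines, triggers) -> List[Tuple[str, str, str]]:
    """(violation id, srcip, md5) for every line that should raise a violation."""
    raised = []
    for line in lines:
        ev = parse_fifo_line(line)
        if ev is None:
            continue
        for vid in matching_violations(ev["md5"], triggers):
            raised.append((vid, ev["srcip"], ev["md5"]))
    return raised


if __name__ == "__main__":
    for hit in process_fifo(SAMPLE_FIFO_LINES, SAMPLE_TRIGGERS):
        print("raise violation %s for %s (md5 %s)" % hit)
```

Which of srcip/dstip is the end device depends on the flow direction Suricata recorded, so the example reports both and matches on the hash only.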

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alerts log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: the IDS triggered rule ID

Type: suricata_event
Trigger ID: the rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition:


Where:

- Enabled is whether or not the violation is currently activated (should be ON)
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations
- Description is the user-friendly description of the violation
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed
  - Log message will log the violation in the log file defined in [alerting].log
  - External command will execute a command on the operating system when this violation is raised
  - Close a violation will close an existing violation for this device when this one is raised
  - Set role will modify the role of the device


  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device
- Priority defines the order in which violations should be handled, should there be more than one for a device
- Whitelisted Roles is the list of roles that are not affected by this violation

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases:

- A device that has generated Peer-to-peer traffic and that is using Mac OS X
- A device that has been detected as being a rogue DHCP

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal
- Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month)
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead


Delay by is the delay before triggering the violation.

Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the file names.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: Even if auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: Comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and write a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed, logged_user, Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matches, then we trigger a violation (with the trigger internal::888888) for the MAC address of the device

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged-in user on the device and register the device based on the user account

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan

Rules syntax

The syntax of the rules is simple to understand:

the request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test

Inside the Rules Actions we define 2 sorts of blocks: the test block (i.e. [explorer]) and the action block (i.e. [1:explorer]).


The test block is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocks.

The action block is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
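The rule syntax above can be exercised without a Windows host by evaluating the Rules Actions blocks against the rows a WMI query would return. The following is an added example written for this guide, not PacketFence's own rule engine: it parses test blocks and [N:expression] action blocks, evaluates the boolean expression (with !, &, | and parentheses) over the tests, and reports the actions that fire with $mac and $result->{'...'} substituted. Its assumptions are that a test is true when at least one returned row satisfies it, that test names are compared case-insensitively, and that $result refers to the matching row of the first true test named in the expression; the query rows and the three-test PROCESS_RULES block are constructed sample data.

```python
"""Evaluator for PacketFence-style WMI rule definitions (added example)."""
import configparser
import re
from typing import Dict, List, Optional, Tuple

Row = Dict[str, str]

# Rules Actions blocks as shown above (request: select * from Win32_Product).
SOFTWARE_INSTALLED_RULES = """
[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
"""

# request: select UserName from Win32_ComputerSystem
LOGGED_USER_RULES = """
[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}
"""

# Constructed for this example: three tests over Win32_Process rows combined
# with the composite expression form described above.
PROCESS_RULES = """
[google]
attribute = Name
operator = match
value = chrome.exe

[explorer]
attribute = Name
operator = match
value = explorer.exe

[memory]
attribute = Name
operator = match
value = memory_monitor.exe

[1:!google|(explorer&memory)]
action = allow
"""


def first_matching_row(test, rows: List[Row]) -> Optional[Row]:
    """Return the first query row satisfying a test block, or None."""
    attr, op, value = test["attribute"], test["operator"], test["value"]
    for row in rows:
        actual = str(row.get(attr, ""))
        if op == "is":
            hit = actual == value
        elif op == "is_not":
            hit = actual != value
        elif op == "match":
            hit = re.search(value, actual) is not None
        elif op == "match_not":
            hit = re.search(value, actual) is None
        else:
            raise ValueError(f"unknown operator {op!r}")
        if hit:
            return row
    return None


class _BoolExpr:
    """Recursive-descent evaluator for !, &, | and parentheses over test names.
    & binds tighter than |, as in ordinary boolean notation."""

    def __init__(self, text: str, truth: Dict[str, bool]):
        self.tokens = re.findall(r"[A-Za-z0-9_]+|[!&|()]", text)
        self.pos = 0
        self.truth = truth

    def evaluate(self) -> bool:
        value = self._or()
        if self.pos != len(self.tokens):
            raise ValueError("trailing tokens in expression")
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _or(self) -> bool:
        value = self._and()
        while self._peek() == "|":
            self.pos += 1
            rhs = self._and()
            value = value or rhs
        return value

    def _and(self) -> bool:
        value = self._not()
        while self._peek() == "&":
            self.pos += 1
            rhs = self._not()
            value = value and rhs
        return value

    def _not(self) -> bool:
        tok = self._peek()
        if tok == "!":
            self.pos += 1
            return not self._not()
        if tok == "(":
            self.pos += 1
            value = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError("expected a test name")
        self.pos += 1
        return self.truth[tok.lower()]  # KeyError for an undefined test name


def evaluate_rules(rules_text: str, rows: List[Row], mac: str) -> List[Tuple[str, str]]:
    """Return (action, action_param) for each action block whose expression is true."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' literal
    cp.read_string(rules_text)
    truth: Dict[str, bool] = {}
    matched: Dict[str, Optional[Row]] = {}
    for name in cp.sections():  # first pass: test blocks
        if ":" not in name:
            row = first_matching_row(cp[name], rows)
            truth[name.lower()] = row is not None
            matched[name.lower()] = row
    fired = []
    for name in cp.sections():  # second pass: [N:expression] action blocks
        if ":" not in name:
            continue
        expr = name.split(":", 1)[1]
        if not _BoolExpr(expr, truth).evaluate():
            continue
        params = cp[name].get("action_param", "").replace("$mac", mac)

        def substitute(m, expr=expr):
            attr = m.group(1)
            for test in re.findall(r"[A-Za-z0-9_]+", expr):
                row = matched.get(test.lower())
                if row is not None and attr in row:
                    return str(row[attr])
            return ""

        params = re.sub(r"\$result->\{'([^']+)'\}", substitute, params)
        fired.append((cp[name]["action"], params))
    return fired
```

Running evaluate_rules(SOFTWARE_INSTALLED_RULES, [{"Caption": "Google Chrome"}], "aa:bb:cc:dd:ee:ff") yields the trigger_violation action with the MAC filled in, while rows without a Google product yield no action.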

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin reports higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit on inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for incoming (download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for outgoing (upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for total (download + upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W
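To see how a trigger of this form is applied, the following added example (written for this guide, not PacketFence's own accounting code) parses the Accounting::[DIRECTION][LIMIT][INTERVAL] grammar with exactly the units listed above and checks a set of accounting sessions against it, counting only sessions that ended inside the interval window. The Session records are constructed sample data, and the field names download_bytes/upload_bytes are this example's own (the guide maps IN to download and OUT to upload).

```python
"""Parser and evaluator for PacketFence accounting violation triggers (added example)."""
import calendar
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# LIMIT units as listed in the guide (no TB, on purpose).
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}

TRIGGER_RE = re.compile(
    r"^Accounting::(?P<direction>IN|OUT|TOT)"
    r"(?P<amount>\d+)(?P<unit>B|KB|MB|GB|PB)"
    r"(?:(?P<ivalue>\d+)(?P<iunit>[DWMY]))?$"
)


@dataclass(frozen=True)
class AccountingTrigger:
    direction: str                        # IN, OUT or TOT
    limit_bytes: int                      # LIMIT converted to bytes
    interval: Optional[Tuple[int, str]]   # (count, unit) or None when omitted


def parse_trigger(trigger: str) -> AccountingTrigger:
    m = TRIGGER_RE.match(trigger.strip())
    if m is None:
        raise ValueError(f"not a valid accounting trigger: {trigger!r}")
    interval = (int(m["ivalue"]), m["iunit"]) if m["ivalue"] else None
    return AccountingTrigger(m["direction"], int(m["amount"]) * SIZE_UNITS[m["unit"]], interval)


def _shift_months(dt: datetime, months: int) -> datetime:
    """Move dt back by whole calendar months, clipping the day of month."""
    total = dt.year * 12 + (dt.month - 1) - months
    year, month0 = divmod(total, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def window_start(now: datetime, interval: Optional[Tuple[int, str]]) -> Optional[datetime]:
    """Start of the INTERVAL window counted back from now; None means no window."""
    if interval is None:
        return None
    count, unit = interval
    if unit == "D":
        return now - timedelta(days=count)
    if unit == "W":
        return now - timedelta(weeks=count)
    if unit == "M":
        return _shift_months(now, count)
    return _shift_months(now, 12 * count)  # "Y"


@dataclass(frozen=True)
class Session:
    stop_time: datetime
    download_bytes: int
    upload_bytes: int


def consumed_bytes(trigger: AccountingTrigger, sessions: List[Session], now: datetime) -> int:
    """Sum the traffic in the trigger's direction over sessions inside the window."""
    start = window_start(now, trigger.interval)
    total = 0
    for s in sessions:
        if start is not None and s.stop_time < start:
            continue
        if trigger.direction == "IN":
            total += s.download_bytes
        elif trigger.direction == "OUT":
            total += s.upload_bytes
        else:
            total += s.download_bytes + s.upload_bytes
    return total


def exceeds_limit(trigger_text: str, sessions: List[Session], now: datetime) -> bool:
    trigger = parse_trigger(trigger_text)
    return consumed_bytes(trigger, sessions, now) > trigger.limit_bytes


# Constructed sample sessions (not real accounting data).
GB = SIZE_UNITS["GB"]
MB = SIZE_UNITS["MB"]
SAMPLE_NOW = datetime(2016, 6, 15, 12, 0)
SAMPLE_SESSIONS = [
    Session(datetime(2016, 4, 20, 8, 0), 100 * GB, 0),
    Session(datetime(2016, 6, 1, 9, 30), 30 * GB, 1 * GB),
    Session(datetime(2016, 6, 10, 18, 0), 25 * GB, 2 * GB),
    Session(datetime(2016, 6, 15, 9, 0), 1 * GB, 600 * MB),
]

if __name__ == "__main__":
    for t in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        print(t, "exceeded" if exceeds_limit(t, SAMPLE_SESSIONS, SAMPLE_NOW) else "within limit")
```

With the sample sessions, the 50GB/month download trigger and the 500MB/day upload trigger fire, while the 200GB/week total trigger does not, which matches the three example triggers above.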

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.

Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable his access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup.

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice, however, that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as the SMTP server, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the unit of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the unit of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as the SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"   # Username for the webservices
    $password = "admin"   # Password for the webservices
    # Accepts any server certificate: TLS certificate validation is disabled for this call
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # ReplacementStrings[0] of event 4726 is the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"   # Username for the webservices
    $password = "admin"   # Password for the webservices
    # Accepts any server certificate: TLS certificate validation is disabled for this call
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # ReplacementStrings[0] of event 4725 is the name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin"   # Username for the webservices
    $password = "admin"   # Password for the webservices
    # Accepts any server certificate: TLS certificate validation is disabled for this call
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    # ReplacementStrings[0] of event 4740 is the name of the locked-out account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + $_.ReplacementStrings[0] + '"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcast DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.

You will also need to download and install the Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.

Note: You absolutely need to install the 32-bit version of the Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First download and unzip nssm from https://nssm.cc/download.

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface on which your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected to your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

where pcap0 is the pcap interface on which your DHCP server listens (list them using udp_reflector -l)

where 192.168.1.5 is the management IP of your PacketFence server

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected to your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.


Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to add some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation, keeping old logs with compression. It has been added during the PacketFence initial installation.


Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO wait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL:  [ OK ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:  [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tends to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. Ways to do so are to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop…).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204: the Android connectivity probe is still allowed through, while every other request from that non-browser client is rejected before it consumes captive portal resources.

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing archives or post your questions to them. For details, see:

- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

- packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


Usage: pfcmd <command> [options]

Commands:
  cache                        | manage the cache subsystem
  checkup                      | perform a sanity checkup and report any problems
  class                        | view violation classes
  configfiles                  | push or pull configfiles into/from database
  configreload                 | reload the configution
  floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
  help                         | show help for pfcmd commands
  ifoctetshistorymac           | accounting history
  ifoctetshistoryswitch        | accounting history
  ifoctetshistoryuser          | accounting history
  import                       | bulk import of information into the database
  ipmachistory                 | IP/MAC history
  locationhistorymac           | Switch/Port history
  locationhistoryswitch        | Switch/Port history
  networkconfig                | query/modify network configuration parameters
  node                         | manipulate node entries
  pfconfig                     | interact with pfconfig
  portalprofileconfig          | query/modify portal profile configuration parameters
  reload                       | rebuild fingerprint or violations tables without restart
  service                      | start/stop/restart and get PF daemon status
  schedule                     | Nessus scan scheduling
  switchconfig                 | query/modify switches.conf configuration parameters
  version                      | output version information
  violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACS on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias          switch port description
  -ifAdminStatus  ifAdminStatus
  -ifIndex        switch port ifIndex
  -mac            MAC address
  -showPF         show additional information available in PF
  -switch         switch description
  -verbose        log verbosity level: 0 fatal messages, 1 warn messages, 2 info messages, 3 debug, 4 trace
  -vlan           VLAN id
  -vlanName       VLAN name (as in switches.conf)


Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with IDS, vulnerability scanners and firewalls, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security, while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as a hotspot if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall / gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:


- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up: PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian: All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides an RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS: In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server), using:


yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator.

Debian: For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server), using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN.

- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.

- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.

- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B network.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication. 802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS), and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication. Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly, and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal VLAN".
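The exchange above, reduced to the messages that actually change hands, as an added Python walk-through. This is not PacketFence or FreeRADIUS code: the node database is a dictionary, the RADIUS packets are dictionaries, and the Change of Authorization is recorded rather than sent. The RFC 2868 attribute values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-Id = VLAN number) are the real ones; the VLAN numbers, MAC address and user name are constructed for the example.

```python
"""Simulate the MAC-authentication exchange in steps 1 to 8 above."""

# RFC 2868 attribute values that carry a VLAN assignment in an Access-Accept.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# Constructed VLAN numbers; in a real setup they come from switches.conf.
REGISTRATION_VLAN = "2"   # captive portal, DHCP and DNS blackholing live here
NORMAL_VLAN = "10"        # where registered devices end up


class NodeDatabase:
    """Stand-in for PacketFence's node table (MAC -> status, owner)."""

    def __init__(self):
        self.nodes = {}

    def is_registered(self, mac):
        return self.nodes.get(mac, {}).get("status") == "reg"

    def register(self, mac, pid):
        self.nodes[mac] = {"status": "reg", "pid": pid}


def vlan_attributes(vlan):
    """Attributes PacketFence returns so the controller moves the client."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": vlan,
    }


def handle_access_request(db, request):
    """Steps 2 to 4 and 8: the controller sends the MAC as the identity;
    PacketFence audits it and answers with the VLAN (or role) to apply."""
    mac = request["Calling-Station-Id"].lower()
    if db.is_registered(mac):
        return "Access-Accept", vlan_attributes(NORMAL_VLAN)        # step 8
    return "Access-Accept", vlan_attributes(REGISTRATION_VLAN)      # step 4


def register_from_portal(db, mac, username, coa_outbox):
    """Steps 5 to 7: the portal validated the user and the node is created;
    an RFC 3576 message then tells the controller to re-authorize the client."""
    db.register(mac, username)
    coa_outbox.append({"Code": "CoA-Request", "Calling-Station-Id": mac})


def walk_through(mac="00:11:22:33:44:55", username="alice"):
    """Run the whole flow once and return what the controller observed:
    the VLAN before registration, the number of CoA messages, the VLAN after."""
    db, coa_outbox = NodeDatabase(), []
    # In MAC authentication the controller uses the MAC as the User-Name too.
    request = {"User-Name": mac, "Calling-Station-Id": mac}
    before = handle_access_request(db, request)[1]["Tunnel-Private-Group-Id"]
    register_from_portal(db, mac, username, coa_outbox)
    # Step 7 sent the client back to step 1: a fresh Access-Request arrives.
    after = handle_access_request(db, request)[1]["Tunnel-Private-Group-Id"]
    return before, len(coa_outbox), after
```

The point worth noticing is that nothing in the first Access-Accept is trusted later: the device only reaches the normal VLAN because the second Access-Request, triggered by the CoA, is audited again against the node table that the portal updated in between.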

Web Auth mode: Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID, but only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP: Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN, but the PC doesn't do DHCP (it didn't detect the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this generates, unfortunately, some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
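The three trap strategies above differ mainly in how much polling pfsetvlan has to do before it knows the MAC on a port. The following Python model is an added illustration of that difference and of the linkDown optimization; it is not pfsetvlan (which is Perl) and it reads no snmptrapd.log. The trap records, node records, VLAN numbers and the switch's successive answers to MAC-table queries are all constructed for the example.

```python
"""Simulate how pfsetvlan reacts to the SNMP traps described in this section."""

# Constructed VLAN numbers; yours come from switches.conf.
MAC_DETECTION_VLAN = "4"   # void VLAN: no DHCP server, not routed anywhere
REGISTRATION_VLAN = "2"
ISOLATION_VLAN = "3"
NORMAL_VLAN = "10"


def vlan_for_node(node):
    """Status lookup pfsetvlan performs once the MAC on the port is known."""
    if node is None or node.get("status") != "reg":
        return REGISTRATION_VLAN          # unknown or unregistered device
    if node.get("open_violations"):
        return ISOLATION_VLAN             # registered but with an open violation
    return NORMAL_VLAN


class PfSetVlanSim:
    """Trap dispatcher. 'mac_table' maps a port to the answers the switch
    gives to successive SNMP MAC-table queries (None = not learned yet)."""

    def __init__(self, nodes, mac_table, mac_notification=False):
        self.nodes = nodes
        self.mac_table = mac_table
        self.mac_notification = mac_notification
        self.port_vlan = {}       # port -> VLAN pfsetvlan last set
        self.pending = set()      # ports whose linkUp thread is still waiting
        self.snmp_queries = 0

    def handle_trap(self, trap):
        port = (trap["switch"], trap["ifIndex"])
        kind = trap["type"]
        if kind == "linkUp":
            # Park the port in the MAC detection VLAN so the device sends
            # (unanswered) DHCP requests and the switch learns its MAC.
            self.port_vlan[port] = MAC_DETECTION_VLAN
            self.pending.add(port)
            if not self.mac_notification:
                self._poll_until_learned(port)   # linkUp/linkDown only: poll
        elif kind == "linkDown":
            # Drop the thread started by the matching linkUp and park the port.
            self.pending.discard(port)
            self.port_vlan[port] = MAC_DETECTION_VLAN
        elif kind in ("macLearnt", "portSecurity"):
            # The MAC arrives inside the trap itself: no polling needed.
            self.pending.discard(port)
            self.port_vlan[port] = vlan_for_node(self.nodes.get(trap["mac"]))
        else:
            raise ValueError("unsupported trap type %r" % kind)

    def _poll_until_learned(self, port):
        for mac in self.mac_table.get(port, []):
            self.snmp_queries += 1
            if mac is not None:
                self.pending.discard(port)
                self.port_vlan[port] = vlan_for_node(self.nodes.get(mac))
                return
        # The switch never learned a MAC: the port stays in the detection VLAN.


# Constructed node records and a constructed switch name / ifIndex.
NODES = {
    "00:11:22:33:44:55": {"status": "reg", "open_violations": []},
    "00:aa:bb:cc:dd:ee": {"status": "reg", "open_violations": ["constructed-id"]},
}
PORT = ("switch-A", 5)


def linkup_linkdown_scenario():
    """Polling is needed: the MAC appears only on the third query."""
    sim = PfSetVlanSim(NODES, {PORT: [None, None, "00:11:22:33:44:55"]})
    sim.handle_trap({"type": "linkUp", "switch": PORT[0], "ifIndex": PORT[1]})
    return sim.port_vlan[PORT], sim.snmp_queries


def mac_notification_scenario():
    """linkUp parks the port; macLearnt carries the MAC, so no query is sent."""
    sim = PfSetVlanSim(NODES, {}, mac_notification=True)
    sim.handle_trap({"type": "linkUp", "switch": PORT[0], "ifIndex": PORT[1]})
    parked = sim.port_vlan[PORT]
    sim.handle_trap({"type": "macLearnt", "switch": PORT[0], "ifIndex": PORT[1],
                     "mac": "00:aa:bb:cc:dd:ee"})
    return parked, sim.port_vlan[PORT], sim.snmp_queries, bool(sim.pending)


def reboot_scenario():
    """linkUp then linkDown on the same port cancels the pending thread."""
    sim = PfSetVlanSim(NODES, {}, mac_notification=True)
    sim.handle_trap({"type": "linkUp", "switch": PORT[0], "ifIndex": PORT[1]})
    sim.handle_trap({"type": "linkDown", "switch": PORT[0], "ifIndex": PORT[1]})
    return sim.port_vlan[PORT], bool(sim.pending)
```

With port security the same handler path as macLearnt applies, but the trap only fires when an unknown MAC shows up, which is why that mode generates the fewest SNMP interactions of the three.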


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the MAC address 00:11:22:33:44:55 client as well, even if it connects on another SSID.


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

NoteIfyouplantouse8021X-pleaseseetheFreeRADIUSConfigurationsectionbelow

RolesManagement

RolesinPacketFencecanbecreatedfromPacketFenceadministrativeGUI-fromtheConfigurationrarrUsersrarrRoles section From this interface you can also limit thenumberof devicesusersbelongingtocertainrolescanregister


Roles are dynamically computed by PacketFence based on the rules (i.e. a set of conditions and actions) from authentication sources, using a "first match wins" algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory

Apache htpasswd file

Email

External HTTP API

Facebook (OAuth 2)

Github (OAuth 2)

Google (OAuth 2)

Kerberos

LDAP

LinkedIn (OAuth 2)

Null

RADIUS

SMS

Sponsored Email

Twitter (OAuth 2)

Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all its actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them: Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

(In production, bind with a dedicated read-only account rather than the domain Administrator, and prefer SSL/TLS on the host: the bind password and every user password submitted on the portal cross the wire in this LDAP session.)

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: employee

Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad1 (source identifiers are unique, so give this second source a name different from the first one)
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth

Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as a true catch-all and accept everything, so a Kerberos or RADIUS source with a catch-all rule must be placed after the sources it would otherwise shadow.

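The source ordering, rule ordering and catch-all semantics described above, as an added example that is not PacketFence's own code: a small first-match-wins engine with the two source behaviours the note distinguishes (directory-backed sources whose catch-all fires only for a username that exists, versus Kerberos/RADIUS-style sources that accept everyone). The sources, users, group DN and the it_staff rule are constructed for the example and mirror the ad1 walkthrough; the operator names (equals, is_member_of) are assumptions, not PacketFence identifiers.

```python
"""Added example (not PacketFence code): first-match-wins evaluation of ordered
authentication sources, rules, conditions and actions. All data is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    conditions: list    # (attribute, operator, value) triples; empty list = catch-all
    actions: dict       # e.g. {"set_role": "employee", "set_unreg_date": "2020-01-01"}


@dataclass
class Source:
    name: str
    kind: str           # "AD", "LDAP", "htpasswd", "SQL", "Kerberos" or "RADIUS"
    rules: list
    directory: dict = field(default_factory=dict)   # username -> attributes


# Sources whose catch-all only matches a username that exists in the directory.
# Kerberos and RADIUS have no directory to consult, so they match everyone.
LOOKUP_SOURCES = {"AD", "LDAP", "htpasswd", "SQL"}


def condition_matches(attrs, cond):
    attribute, operator, expected = cond
    actual = attrs.get(attribute)
    if operator == "equals":
        return actual == expected
    if operator == "is_member_of":
        return expected in (actual or [])
    raise ValueError(f"unsupported operator {operator!r}")


def lookup(source, username):
    """Attributes for the user, or None when this source does not know the user."""
    if source.kind in LOOKUP_SOURCES:
        return source.directory.get(username)
    return {}   # true catch-all: no lookup, empty attribute set


def authorize(sources, username):
    """Walk sources in order, then rules in order; the first full match wins."""
    for source in sources:
        attrs = lookup(source, username)
        if attrs is None:
            continue                                  # unknown here, try next source
        for rule in source.rules:
            if all(condition_matches(attrs, c) for c in rule.conditions):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None


# Constructed data mirroring the guide's ad1 / internal-database example.
AD_EMPLOYEES = Source("ad1", "AD", rules=[
    Rule("it_staff", [("memberOf", "is_member_of", "CN=IT,CN=Users,DC=acme,DC=local")],
         {"set_role": "it", "set_unreg_date": "2020-01-01"}),
    Rule("employees", [], {"set_role": "employee", "set_unreg_date": "2020-01-01"}),
], directory={
    "alice": {"memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
    "bob": {"memberOf": []},
})
LOCAL_GUESTS = Source("local", "SQL", rules=[
    Rule("guests", [], {"set_role": "guest", "set_access_duration": "1D"}),
], directory={"visitor42": {}})
KERBEROS = Source("krb", "Kerberos", rules=[Rule("anyone", [], {"set_role": "default"})])

# Order matters: the Kerberos catch-all must come last or nothing after it is reached.
SOURCES = [AD_EMPLOYEES, LOCAL_GUESTS, KERBEROS]
```

Swapping KERBEROS to the front of SOURCES makes every user, including alice, land in the "default" role, which is the shadowing effect the note warns about.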
Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}

Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API. Use https whenever the API is reached over a network you do not fully trust: the user's password travels in the POST body and the API credentials in a header.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.

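The two actions and the basic-auth option described above, as an added example that is neither PacketFence's addons/example_external_auth nor any other PacketFence code: a minimal WSGI service answering the authentication and authorization calls with the JSON shapes given in the text, refusing callers that do not present the configured API username/password. The user table, the API credentials, the /auth and /authz paths and the PBKDF2 parameters are constructed for this example; in PacketFence the paths are whatever you enter in the HTTP source's Authentication URL and Authorization URL fields.

```python
"""Added example (not PacketFence code): an external HTTP API for the PacketFence
HTTP source, with RFC 2617 basic authentication. All users, credentials and paths
below are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
from io import BytesIO
from urllib.parse import parse_qs, urlencode
from wsgiref.simple_server import make_server

_SALT = b"example-salt"   # constructed; use a random per-user salt in real deployments


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user table: username -> (password hash, authorization attributes).
USERS = {
    "alice": (_hash("s3cret"), {"category": "employee", "access_duration": "1D",
                                "access_level": "ALL"}),
    "guest1": (_hash("guestpw"), {"category": "guest", "unregdate": "2030-01-01",
                                  "sponsor": 1}),
}
API_USER, API_PASSWORD = "packetfence", "api-pass"   # the HTTP source's API username/password
ALLOWED_REPLY = {"access_duration", "access_level", "sponsor", "unregdate", "category"}


def basic_header(user, password):
    """Authorization header value PacketFence sends when both API fields are filled in."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header):
    """Validate the header with constant-time comparisons (no early exit on the username)."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    ok_user = hmac.compare_digest(user.encode(), API_USER.encode())
    ok_pw = hmac.compare_digest(pw.encode(), API_PASSWORD.encode())
    return ok_user and ok_pw


def authenticate(fields):
    """Authentication action: result 1/0 plus a message, from the POSTed username/password."""
    entry = USERS.get(fields.get("username", ""))
    supplied = _hash(fields.get("password", ""))   # hash even for unknown users (timing)
    if entry is None or not hmac.compare_digest(supplied, entry[0]):
        return {"result": 0, "message": "Invalid username or password"}
    return {"result": 1, "message": "Valid username and password"}


def authorize(fields):
    """Authorization action: only attributes PacketFence accepts, only those the user has."""
    entry = USERS.get(fields.get("username", ""))
    return {} if entry is None else {k: v for k, v in entry[1].items() if k in ALLOWED_REPLY}


def app(environ, start_response):
    """WSGI entry point: refuse unauthenticated callers first, then dispatch on the path."""
    def reply(status, body):
        data = json.dumps(body).encode()
        start_response(status, [("Content-Type", "application/json"),
                                ("Content-Length", str(len(data)))])
        return [data]

    if not check_basic_auth(environ.get("HTTP_AUTHORIZATION")):
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="pf-api"')])
        return [b""]
    if environ.get("REQUEST_METHOD") != "POST":
        return reply("405 Method Not Allowed", {"result": 0, "message": "POST required"})
    raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0)).decode()
    fields = {k: v[0] for k, v in parse_qs(raw).items()}
    if environ.get("PATH_INFO") == "/auth":
        return reply("200 OK", authenticate(fields))
    if environ.get("PATH_INFO") == "/authz":
        return reply("200 OK", authorize(fields))
    return reply("404 Not Found", {"result": 0, "message": "unknown action"})


def call(path, fields, auth=None):
    """Drive the app in-process like a client would; returns (status line, decoded JSON)."""
    body = urlencode(fields).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": BytesIO(body)}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    status = []
    out = app(environ, lambda s, h: status.append(s))
    return status[0], (json.loads(out[0]) if out[0] else None)


if __name__ == "__main__":
    # Loopback only; terminate TLS in front of this for anything beyond a lab.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

With this running, the HTTP source would be configured with Host http://127.0.0.1:8000, API username packetfence, API password api-pass, Authentication URL auth and Authorization URL authz (PacketFence adds the leading slash itself).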
SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata onto the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider onto the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred onto the server above (should be /usr/local/pf/conf/ssl/idp.crt).

Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred onto the server above (should be /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows you to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link "Download Service Provider metadata" on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Since the portal is served with SSL enabled by default (see the Apache notes under Portal Profiles), use the https scheme for these URLs wherever the portal hostname is reachable over HTTPS, so the SAML assertion is not posted in clear.

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also, make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches

Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range

Switch vendor/type

Switch uplink ports (trunks and non-managed IfIndex)

per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Use a long, random secret and a different one per device: the shared secret is the only thing that authenticates RADIUS replies and dynamic-authorization messages between PacketFence and the network equipment. Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.

From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch (the engineID shown is a sample value; each switch has its own):

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Always use the priv security level as shown (auth plus encryption). MD5 is used in this example for compatibility with older equipment; where the switch supports it, prefer SHA for the authentication protocol (auth sha on the switch, SHA as the SNMPAuthProtocol value on the PacketFence side).

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see issue #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches. Prefer SSH: with Telnet the privileged switch credentials cross the management network in clear.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches. The same remark applies: prefer https over http for the same reason.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the "default" portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is "filter"; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.

Example with the most common ones:

SSID: Guest-SSID

VLAN: 100

Switch Port: <SwitchId>-<Port>

Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1x connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configurations are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have four important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface

httpd.portal is used to manage the PacketFence captive portal interface

httpd.webservices is used to manage the PacketFence web services interface

httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.

Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.

Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms:

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains:

Once they are configured, go in Configuration → Realms:

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:

Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos ticket:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:

    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
            User-Name = "myDomainUser"
            NAS-IP-Address = 10.0.0.1
            NAS-Port = 12
            Message-Authenticator = 0x00000000000000000000000000000000
            MS-CHAP-Challenge = 0x79d62c9da4e55104
            MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication: Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP: To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext.

    ldap openldap {
            server = "ldap.acme.com"
            identity = "uid=admin,dc=acme,dc=com"
            password = "password"
            basedn = "dc=district,dc=acme,dc=com"
            filter = "(uid=%{mschap:User-Name})"
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
            tls {
            }
            dictionary_mapping = ${confdir}/ldap.attrmap
            edir_account_policy_check = no
            keepalive {
                    # LDAP_OPT_X_KEEPALIVE_IDLE
                    idle = 60
                    # LDAP_OPT_X_KEEPALIVE_PROBES
                    probes = 3
                    # LDAP_OPT_X_KEEPALIVE_INTERVAL
                    interval = 3
            }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

    authorize {
            suffix
            ntdomain
            eap {
                    ok = return
            }
            files
            openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration: This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note

This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line "packetfence-local-auth" and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
            # Disable ntlm_auth
            update control {
                    &MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    # Check password table with email and password for a sponsor registration
                    pfguest
                    if (fail || notfound) {
                            # Check password table with email and password for a guest registration
                            pfsponsor
                            if (fail || notfound) {
                                    # Don't check activation table with phone number and PIN code
                                    #pfsms   <--- This line was commented out
                                    if (fail || notfound) {
                                            update control {
                                                    &MS-CHAP-Use-NTLM-Auth := Yes
                                            }
                                    }
                            }
                    }
            }
    }

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords. The reason is that MS-CHAPv2 can only be verified against the cleartext password or its NT hash, so a one-way hashed store cannot answer an EAP-PEAP challenge; treat the database as holding recoverable credentials and restrict access to it accordingly.

Option 5: EAP Local user Authentication: The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.

Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM auth by default and test the local account. If it fails, then we reactivate NTLM auth.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
            # Disable ntlm_auth
            update control {
                    MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    update control {
                            MS-CHAP-Use-NTLM-Auth := Yes
                    }
            }
    }

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests: Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
            User-Name = "dd9999"
            User-Password = "Abcd1234"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

PortalModules

ThePacketFencecaptiveportalflowishighlycustomizableThissectionwillcoverthePortalModuleswhichareusedtodefinethebehaviorofthecaptiveportal

Chapter9

Copyrightcopy2016Inverseinc Configuration 44

Note

WhenupgradingfromaversionthatdoesnrsquothavetheportalmodulesthePacketFencePortal Modules configuration already comes with defaults that will fit most casesand offers the same behavior as previous versions of PacketFence Meaning allthe available Portal Profile sources are used for authentication then the availableprovisionerswillbeused

FirstabriefdescriptionoftheavailablePortalModules

RootThis iswhereitallstartsthismoduleisasimplecontainerthatdefinesallthemodulesthatneedtobeappliedinachainedwaytotheuserOncetheuserhascompletedallmodulescontainedintheRootheisreleasedonthenetwork

Choice This allows to give a choice between multiple modules to the user Thedefault_registration_policyisagoodexampleofachoicethatisofferedtotheuser

ChainedThisallowsyoutodefinealistofmodulesthatauserneedstogothroughintheorderthattheyaredefined-exyouwantyouruserstoregisterviaGoogle+andpayfortheiraccessusingPayPal

MessageThisallowsyou todisplayamessage to theuserAnexample isavailablebelow inDisplayingamessagetotheuseraftertheregistration

AuthenticationTheauthenticationmodulescanbeofalotoftypesYouwouldwanttodefineoneofthesemodulesinordertooverridetherequiredfieldsthesourcetousethetemplateoranyothermoduleattribute

BillingAllowstodefineamodulebasedononeormorebillingsources

ChoiceAllows todefineamodulebasedonmultiple sourcesandmoduleswithadvancedfilteringoptionsSeethesectionAuthenticationChoicemodulebelowforadetailedexplanation

LoginAllowsyoutodefineausernamepasswordbasedmodulewithmultipleinternalsources(ActiveDirectoryLDAPhellip)

OthermodulesTheothermodulesareallbasedonthesourcetypetheyareassignedtotheyallowtoselectthesourcetheAUPacceptanceandmandatoryfieldsifapplicable

ExamplesThissectionwillcontainthefollowingexamples

Promptingforfieldswithoutauthentication

Promptingadditionnalfieldsduringtheauthentication

Chainedauthentication

MixingloginandSecureSSIDon-boardingontheportal

Displayingamessagetotheuseraftertheregistration

Chapter9

Copyrightcopy2016Inverseinc Configuration 45

Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, ...).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, ...) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.

Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.

Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skippable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.

Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

    Hello World <a href="http://www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.

Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.

ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, ...).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.

You can see the default_guest_policy and default_oauth_policy for examples of this module.
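The Root, Chained and Choice containers above compose into a tree that the portal walks until every required leaf is satisfied. The following is an added example (not PacketFence's own code) that models that walk for the two flows built earlier in this chapter, chained_oauth_sms and login_or_boarding; the module kinds and the Skippable handling are my simplifications of the behaviour described above.

```python
"""Toy model of how PacketFence portal modules compose (added example, not project code).

Root and Chained run their children in the order defined; Choice lets the user
pick exactly one child; a leaf module (authentication, provisioning, message)
is satisfied once the user has completed it, or skipped it when Skippable is set.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Module:
    id: str
    kind: str                        # "root", "chained", "choice" or a leaf type such as "sms"
    children: list = field(default_factory=list)
    skippable: bool = False


def next_step(module: Module, done: set, choices: dict) -> Optional[str]:
    """Id of the module the user must act on next, or None when the subtree is satisfied.

    `done` holds ids of completed (or skipped) leaf modules; `choices` maps a
    Choice module id to the child id the user selected.
    """
    if module.kind in ("root", "chained"):
        for child in module.children:            # first unsatisfied child wins
            step = next_step(child, done, choices)
            if step is not None:
                return step
        return None
    if module.kind == "choice":
        picked = choices.get(module.id)
        if picked is None:
            return module.id                     # the user still has to choose
        child = next(c for c in module.children if c.id == picked)
        return next_step(child, done, choices)   # only the picked branch matters
    return None if module.id in done else module.id   # leaf module


def find(module: Module, module_id: str) -> Optional[Module]:
    if module.id == module_id:
        return module
    for child in module.children:
        hit = find(child, module_id)
        if hit is not None:
            return hit
    return None


def can_skip(root: Module, module_id: str) -> bool:
    """Only modules with Skippable checked may be passed without completion."""
    module = find(root, module_id)
    return module is not None and module.skippable


def skip(root: Module, module_id: str, done: set) -> None:
    if not can_skip(root, module_id):
        raise ValueError(f"{module_id} cannot be skipped")
    done.add(module_id)


def released(root: Module, done: set, choices: dict) -> bool:
    """The user is released on the network once the Root is satisfied."""
    return next_step(root, done, choices) is None


def chained_example() -> Module:
    """my_first_root_module containing chained_oauth_sms (OAuth, then SMS)."""
    chained = Module("chained_oauth_sms", "chained",
                     [Module("default_oauth_policy", "oauth"), Module("sms", "sms")])
    return Module("my_first_root_module", "root", [chained])


def choice_example() -> Module:
    """my_first_root_module containing login_or_boarding; secure_boarding is not skippable."""
    choice = Module("login_or_boarding", "choice",
                    [Module("secure_boarding", "provisioning", skippable=False),
                     Module("default_login_policy", "login")])
    return Module("my_first_root_module", "root", [choice])


if __name__ == "__main__":
    root, done, choices = chained_example(), set(), {}
    while not released(root, done, choices):
        step = next_step(root, done, choices)
        print("user must complete:", step)
        done.add(step)
    print("released on the network")
```

Running the block walks the chained flow: OAuth first, SMS second, release only after both. Swap in choice_example() and set choices["login_or_boarding"] to see that picking the provisioning branch makes the LDAP login irrelevant, and that secure_boarding cannot be skipped once chosen.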

Chapter 10

Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log - PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access - Apache - Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error - Apache - Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access - Apache - Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error - Apache - Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access - Apache - Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error - Apache - Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access - Apache - AAA Access Log
/usr/local/pf/logs/httpd.aaa.error - Apache - AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct

Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.

Chapter 11

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.

Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones. (On the first connect, the phone will be assigned to the registration VLAN.)

Chapter 12

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference, and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file, and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.

After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,android.clients.google.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Launching the application and clicking Configure will create the secure SSID profile. It is that simple.
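To make concrete what the mobileconfig file described above carries, here is an added example (my own code, not PacketFence's provisioner) that builds a minimal Apple Wi-Fi payload for a WPA2-Enterprise SSID with the username pre-filled and, as the text stresses, no password. The EAP type (PEAP), the organisation identifier and the hidden-network flag are assumptions chosen for the example; the profile keys are Apple's documented mobileconfig keys.

```python
"""Build and inspect an Apple .mobileconfig Wi-Fi profile (added example, not PacketFence code)."""
import plistlib
import uuid


def build_wifi_mobileconfig(ssid: str, username: str, hidden: bool = True,
                            org: str = "example.org") -> bytes:
    """Return an XML plist configuring `ssid` as a WPA2-Enterprise (PEAP) network.

    The user name is pre-populated so the device only prompts for the password;
    no UserPassword key is ever written, which is the point of the section above.
    `org` is an assumed reverse-DNS prefix used for the payload identifiers.
    """
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,          # profiles are mostly used for hidden SSIDs
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],        # 25 = PEAP (assumed choice for this example)
            "UserName": username,          # credentials without the password
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "PacketFence wireless profile",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def parse_profile(profile: bytes) -> dict:
    """Parse a generated profile back into a dictionary (plistlib round-trip)."""
    return plistlib.loads(profile)


def leaks_password(profile: bytes) -> bool:
    """True if any Wi-Fi payload carries a UserPassword key; a generator should never do that."""
    for payload in parse_profile(profile)["PayloadContent"]:
        if "UserPassword" in payload.get("EAPClientConfiguration", {}):
            return True
    return False


if __name__ == "__main__":
    blob = build_wifi_mobileconfig("SecureSSID", "alice")
    print(blob.decode())
    print("password present:", leaks_password(blob))
```

leaks_password() is the kind of check worth keeping in a test suite for any profile generator: a mobileconfig is plain XML that is downloaded over the portal, so anything placed in it is readable by whoever obtains the file.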

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

Billing source(s)

Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.

Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or login into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Login into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.

Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.

Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.

Where:

Identity token is the one you noted when on the Website Payment Preferences page
Cert ID is the one you noted when on the Encrypted Payment Settings page
Payment type is whether the access is donation based (not mandatory to pay for it)
Email address is the email address of the merchant paypal account
Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and login.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.

Where:

Secret key is the secret key you got from your Stripe account
Publishable key is the publishable key you got from your Stripe account
Style is whether you are doing a one-time charge or subscription based billing (recurring). See section Subscription based registration below for details on how to configure it.
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First, go on https://account.authorize.net to signup for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then login into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.

Now enter a secret that will be shared between authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.

Where:

API login ID is the one you got earlier while creating your account
Transaction key is the one you got earlier while creating your account
MD5 hash is the one you configured in your Authorize.net account
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.

Then click Add billing tier and configure it.

Where:

Billing tier is the unique identifier of the billing tier
Name is the friendly name of the billing tier
Description is an extended description of the billing tier
Price is the amount that will be charged to the user
Access duration is the amount of time the user will be granted access to your network
Role is the target role the user should be in
Use time balance defines if the access duration should be computed on real-time access duration, meaning if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.

Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, go in Subscriptions → Plans.

Then create a new plan.

Where:

ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.

Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.

Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.

Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
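The three "it is important that this matches" rules above are easy to break by hand, and a mismatch means a customer is charged for a plan PacketFence cannot map to a tier. The following added example (my own code, not part of PacketFence) parses the billing-tier definitions shown earlier and cross-checks them against a constructed list of plan records in the shape Stripe's API returns them; the assumptions are that Stripe stores the amount in the currency's minor unit (cents for 3.99 → 399), the interval as the string "month", and that the sample plan list is deliberately wrong for the advanced plan to show what a mismatch report looks like.

```python
"""Cross-check PacketFence billing tiers against Stripe plans (added example, not PacketFence code)."""
import configparser
from decimal import Decimal

# The two tiers from the example above, in pf's INI style.
TIERS_INI = """
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed sample of what the Stripe dashboard might hold: amounts in minor
# units (assumption), the "advanced" plan carries a typo in its amount on purpose.
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 899, "currency": "usd", "interval": "month"},
]


def load_tiers(ini_text: str) -> dict:
    """Parse billing tiers into {tier_id: {key: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return {section: dict(parser[section]) for section in parser.sections()}


def to_minor_units(price: str) -> int:
    """'3.99' -> 399, using Decimal so no float rounding creeps in."""
    return int((Decimal(price) * 100).quantize(Decimal("1")))


def check_plans(tiers: dict, plans: list, source_currency: str, interval: str = "month") -> list:
    """Return human-readable mismatches between tiers and plans; an empty list means consistent."""
    problems = []
    plans_by_id = {plan["id"]: plan for plan in plans}
    for tier_id, tier in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:                                   # rule 1: matching ID
            problems.append(f"{tier_id}: no Stripe plan with this ID")
            continue
        expected = to_minor_units(tier["price"])
        if plan["amount"] != expected:                     # rule 2: matching price
            problems.append(f"{tier_id}: amount {plan['amount']} != {expected}")
        if plan["currency"].lower() != source_currency.lower():   # rule 3: matching currency
            problems.append(f"{tier_id}: currency {plan['currency']} != {source_currency}")
        if plan["interval"] != interval:
            problems.append(f"{tier_id}: interval {plan['interval']} != {interval}")
    for plan_id in plans_by_id:
        if plan_id not in tiers:                           # plan nobody can buy through the portal
            problems.append(f"{plan_id}: Stripe plan has no billing tier")
    return problems


if __name__ == "__main__":
    for line in check_plans(load_tiers(TIERS_INI), STRIPE_PLANS, "USD"):
        print(line)
```

Run against the constructed data it reports only the advanced plan's amount; correct that amount to 999 and the report is empty.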

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to setup your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.

Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe

Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
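The MAC address a user types into the device-registration page arrives in whatever form the console's settings screen shows it (colons, dashes, Cisco-style dots, upper or lower case), so the OUI match only works after normalisation. The following is an added example, not PacketFence's own code, of that normalise-then-match step; the OUI list is constructed for illustration and claims no vendor assignment, and the multicast-bit rejection is my own addition of a check a registration page should make.

```python
"""Normalise a user-supplied MAC address and match its OUI (added example, not PacketFence code)."""
import re

# Constructed sample OUIs (first three octets); a real deployment would hold the
# console vendors' OUIs here. These values do not map to any particular vendor.
AUTHORIZED_OUIS = {"00:11:22", "aa:bb:cc"}

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str):
    """Return the address as 'aa:bb:cc:dd:ee:ff', or None if it is not a MAC address.

    Accepts ':' '-' and '.' separators in any position, mixed case and
    surrounding whitespace, e.g. '00-11-22-AA-BB-CC' or '0011.22aa.bbcc'.
    """
    digits = re.sub(r"[\s:\-.]", "", raw.strip().lower())
    if not _TWELVE_HEX.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three octets of a normalised address."""
    return mac[:8]


def is_unicast(mac: str) -> bool:
    """A registrable device has a unicast address: low bit of the first octet clear."""
    return int(mac[:2], 16) & 1 == 0


def is_authorized(raw: str, allowed=AUTHORIZED_OUIS) -> bool:
    """Decide whether the submitted address may be registered through the portal."""
    mac = normalize_mac(raw)
    if mac is None or not is_unicast(mac):
        return False
    return oui_of(mac) in allowed


if __name__ == "__main__":
    for entry in (" 00-11-22-AA-BB-CC ", "0011.22aa.bbcc", "01:11:22:aa:bb:cc", "not a mac"):
        print(f"{entry!r:24} -> {is_authorized(entry)}")
```

Rejecting multicast and malformed input before the OUI lookup keeps garbage out of the node table, where a bad entry would otherwise sit tied to a user and a role until someone notices.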

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

(eduroam, https://www.eduroam.org)

PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:

    client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
    }

    client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

    home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = EDUROAM_SERVER_IP   # replace with the IP address of this eduroam server
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ prefix or a suffix on the username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMS defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).

The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:

    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        # if ( Called-Station-Id !~ /eduroam$/i ) {
        #     update control {
        #         Proxy-To-Realm := local
        #     }
        # }

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:

    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }
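The realm walk-through (NULL, EXAMPLE, example.edu, DEFAULT), the nostrip flag, the optional Called-Station-Id guard in authorize and the client shortname test in post-auth together decide where each request goes and whether PacketFence sees it. The following added example (my own model, not FreeRADIUS or PacketFence code) replays those decisions for a handful of constructed usernames so you can check the routing table before touching proxy.conf. Assumptions: realm names are compared case-insensitively, local realms strip the domain from User-Name while DEFAULT (nostrip) forwards it unchanged, and the Called-Station-Id format is the common "MAC:SSID" form.

```python
"""Replay the FreeRADIUS realm/proxy decisions from the eduroam section (added example, not FreeRADIUS code)."""
from dataclasses import dataclass

# Realms with no auth_pool in the proxy.conf example above: authenticated locally.
LOCAL_REALMS = {"example": "EXAMPLE", "example.edu": "example.edu"}
# Shortnames of the eduroam clients from clients.conf; post-auth skips packetfence for them.
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}
DEFAULT_POOL = "eduroam"


def split_realm(username: str):
    """Mirror 'realm ntdomain' (prefix, delimiter '\\') then 'realm suffix' (delimiter '@').

    Returns (stripped user name, domain) with domain None when neither module matched.
    """
    if "\\" in username:                       # ntdomain runs first in authorize
        domain, user = username.split("\\", 1)
        return user, domain
    if "@" in username:                        # then suffix
        user, domain = username.rsplit("@", 1)
        return user, domain
    return username, None


def select_realm(domain):
    """NULL when no domain; a local realm when it is one of ours; DEFAULT otherwise."""
    if domain is None:
        return "NULL"
    return LOCAL_REALMS.get(domain.lower(), "DEFAULT")     # case-insensitive match assumed


@dataclass
class Decision:
    realm: str
    proxy_to: str          # "local" or the name of the home_server_pool
    user_name: str         # User-Name as processed locally or forwarded
    run_packetfence: bool  # whether post-auth in packetfence-tunnel calls the packetfence module


def route(username: str, called_station_id: str, client_shortname: str,
          block_on_other_ssids: bool = False) -> Decision:
    user, domain = split_realm(username)
    realm = select_realm(domain)
    if realm == "DEFAULT":
        proxy_to, user_name = DEFAULT_POOL, username    # nostrip: forward the full name
    else:
        proxy_to, user_name = "local", user             # local realms strip the domain
    # The commented-out block in authorize: outside an SSID ending in "eduroam",
    # force local processing so visiting users cannot use the other SSIDs.
    if block_on_other_ssids and not called_station_id.lower().endswith("eduroam"):
        proxy_to = "local"
    return Decision(realm, proxy_to, user_name, client_shortname not in EDUROAM_CLIENTS)


if __name__ == "__main__":
    # Constructed requests: (User-Name, Called-Station-Id, client shortname)
    samples = [
        ("bob", "00-11-22-33-44-55:eduroam", "wlc1"),
        ("EXAMPLE\\alice", "00-11-22-33-44-55:corp", "wlc1"),
        ("alice@example.edu", "00-11-22-33-44-55:eduroam", "wlc1"),
        ("visitor@other.ac.uk", "00-11-22-33-44-55:eduroam", "wlc1"),
        ("student@example.edu", "00-11-22-33-44-55:eduroam", "tlrs1"),
    ]
    for sample in samples:
        print(sample[0].ljust(22), route(*sample))
```

The last sample is the case the post-auth change exists for: a local user authenticating from another institution arrives through tlrs1, so PacketFence must not be asked to look up a switch it does not know.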

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprints database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two, depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT being modified during this process.

Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like before it was plugged.

How it works

Configuration

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification
As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device

IP Address: IP address of the floating device (not required, for information only)

trunkPort: Yes/no. Should the port be configured as a multi-vlan port?

pvid: VLAN in which PacketFence should put the port

taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the Vlans that have to be tagged on the port.
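Because a floating device entry silently turns a port into a trunk with whatever PVID and tagged VLANs are written in the file, it is worth validating the settings above before they are pushed to a switch. The following Python check is an added example, not PacketFence code; it assumes the INI layout PacketFence uses for conf/floating_network_device.conf (one section per device named by its MAC address, with the keys ip, trunkPort, pvid and taggedVlan) and the sample file content is constructed.

```python
import configparser
import ipaddress
import re
from typing import Dict, List

# Constructed sample of conf/floating_network_device.conf (assumed layout: one
# section per floating device, keyed by MAC, with the keys described above).
SAMPLE_CONF = """
[00:1a:2b:3c:4d:5e]
ip = 10.0.50.2
trunkPort = yes
pvid = 50
taggedVlan = 10,20,30

[00:1a:2b:3c:4d:5f]
trunkPort = no
pvid = 4095

[bad-mac]
trunkPort = yes
pvid = 60
taggedVlan = 70,abc
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def _valid_vlan(value: str) -> bool:
    """802.1Q VLAN IDs 1-4094 are usable on a port; 0 and 4095 are reserved."""
    return value.isdigit() and 1 <= int(value) <= 4094


def validate_floating_devices(text: str) -> Dict[str, List[str]]:
    """Return a mapping of section name -> list of problems (empty list = valid)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report: Dict[str, List[str]] = {}
    for mac in cfg.sections():
        problems: List[str] = []
        sec = cfg[mac]
        if not MAC_RE.match(mac.lower()):
            problems.append("section name is not a MAC address")
        if "ip" in sec:  # informational only, but reject garbage anyway
            try:
                ipaddress.ip_address(sec["ip"])
            except ValueError:
                problems.append("ip is not a valid address")
        # configparser key lookup is case-insensitive, so trunkPort is found
        trunk = sec.get("trunkPort", "no").lower()
        if trunk not in ("yes", "no"):
            problems.append("trunkPort must be yes or no")
        if not _valid_vlan(sec.get("pvid", "")):
            problems.append("pvid must be a VLAN ID between 1 and 4094")
        tagged = [v.strip() for v in sec.get("taggedVlan", "").split(",") if v.strip()]
        if trunk == "yes" and not tagged:
            problems.append("trunkPort=yes but no taggedVlan given")
        if trunk == "no" and tagged:
            problems.append("taggedVlan set but trunkPort=no; the list would be ignored")
        bad = [v for v in tagged if not _valid_vlan(v)]
        if bad:
            problems.append("invalid tagged VLAN IDs: " + ",".join(bad))
        report[mac] = problems
    return report


if __name__ == "__main__":
    for device, issues in validate_floating_devices(SAMPLE_CONF).items():
        print(device, "OK" if not issues else "; ".join(issues))
```

Run it against the real file before restarting PacketFence; an entry with a reserved PVID or a non-numeric tagged VLAN is exactly the kind of mistake that only shows up once the switch rejects (or silently mangles) the port reconfiguration.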


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google
In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.google.com,*.google.ca,*.google.fr,*.gstatic.com,googleapis.com,accounts.youtube.com (Make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc…)

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook
To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.facebook.com,*.fbcdn.net,*.akamaihd.net (May change)

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub
To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn
To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter
To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live
To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough
Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.
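To make the precedence rule concrete, here is an added Python model of the passthrough decision (it is not PacketFence's pfdns code): a requested name is matched against the Passthroughs and Proxy Passthroughs lists with wildcard semantics, DNS passthroughs win when a name is in both lists, and only a DNS passthrough yields the real address plus a firewall hole. The domain lists and addresses are constructed; the wildcard semantics (an entry *.example.com covering the bare domain and every name under it) are an assumption of this example.

```python
from typing import Iterable, Optional, Tuple


def domain_matches(fqdn: str, entry: str) -> bool:
    """True if fqdn is covered by a passthrough entry.

    "*.example.com" covers example.com and every name under it; an entry
    without the wildcard covers only that exact name (assumed semantics).
    Comparison is case-insensitive and ignores a trailing dot.
    """
    fqdn = fqdn.rstrip(".").lower()
    entry = entry.rstrip(".").lower()
    if entry.startswith("*."):
        base = entry[2:]
        return fqdn == base or fqdn.endswith("." + base)
    return fqdn == entry


def classify_passthrough(fqdn: str, dns_passthroughs: Iterable[str],
                         proxy_passthroughs: Iterable[str]) -> Optional[str]:
    """Return "dns", "proxy" or None for a requested name.

    DNS passthroughs are checked first because they have the higher priority
    when a name appears in both lists.
    """
    if any(domain_matches(fqdn, e) for e in dns_passthroughs):
        return "dns"
    if any(domain_matches(fqdn, e) for e in proxy_passthroughs):
        return "proxy"
    return None


def answer_for_trapped_device(fqdn: str, real_ip: str, portal_ip: str,
                              dns_passthroughs: Iterable[str],
                              proxy_passthroughs: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Model what the captive DNS returns to a device still in registration.

    Returns (dns_answer, firewall_hole).  Only a DNS passthrough hands out the
    real address and needs an iptables hole to that address; a proxy
    passthrough and any other name are answered with the portal address, where
    the request is either forwarded by mod_proxy or shown the portal page.
    """
    kind = classify_passthrough(fqdn, dns_passthroughs, proxy_passthroughs)
    if kind == "dns":
        return real_ip, real_ip
    return portal_ip, None


# Constructed sample lists and addresses (documentation ranges, not real hosts).
DNS_PASSTHROUGHS = ["*.google.com", "accounts.youtube.com"]
PROXY_PASSTHROUGHS = ["*.github.com", "*.google.com"]
PORTAL_IP = "192.168.2.1"

if __name__ == "__main__":
    for name in ("www.google.com", "api.github.com", "www.youtube.com"):
        print(name, classify_passthrough(name, DNS_PASSTHROUGHS, PROXY_PASSTHROUGHS))
```

The suffix test deliberately requires the dot before the base domain, so an entry for *.google.com does not accidentally open notgoogle.com; that is the check to keep in mind when reviewing a passthrough list, since every hole punched here is reachable from the registration VLAN.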


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)
If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on the interface where you are sending the requests. This is by design, otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.
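As an added illustration of what the listener has to do with the copies it receives (this is not pfdhcplistener's own code), here is a Python parser that takes a raw DHCP packet as seen on the helper or mirrored interface and records a MAC-to-IP binding only from a DHCPACK; a REQUEST or OFFER is ignored because neither proves which address the client ended up with. The packet is constructed inline by a small builder, and the MAC, addresses and transaction id are made up.

```python
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPREQUEST, DHCPACK = 3, 5                 # option 53 message types used below
OPT_MESSAGE_TYPE, OPT_LEASE_TIME = 53, 51


def build_dhcp_packet(msg_type: int, mac: str, yiaddr: str, lease: int = 3600,
                      xid: int = 0x3903F326) -> bytes:
    """Construct a minimal BOOTP/DHCP packet (sample input only; values are made up)."""
    op = 2 if msg_type in (2, 5, 6) else 1  # BOOTREPLY for OFFER/ACK/NAK, else BOOTREQUEST
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4,                               # ciaddr
                         bytes(int(o) for o in yiaddr.split(".")),  # yiaddr
                         b"\x00" * 4, b"\x00" * 4,                  # siaddr, giaddr
                         chaddr, b"\x00" * 64, b"\x00" * 128)       # chaddr, sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type])
               + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
               + b"\xff")
    return header + DHCP_MAGIC + options


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV options that follow the magic cookie; stops at END (255)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:             # PAD
            i += 1
            continue
        if code == 255:           # END
            break
        if i + 1 >= len(data):    # truncated: no length byte
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def binding_from_dhcp(packet: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (mac, ip, lease_seconds) if the packet is a DHCPACK, else None.

    Only the server's ACK is recorded: a REQUEST states what the client wants
    and an OFFER may never be taken, so neither proves which IP a MAC holds.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 2 or htype != 1 or hlen != 6:  # BOOTREPLY over Ethernet only
        return None
    opts = parse_dhcp_options(packet[240:])
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPACK]):
        return None
    ip = ".".join(str(b) for b in packet[16:20])        # yiaddr
    mac = ":".join(f"{b:02x}" for b in packet[28:34])   # first hlen bytes of chaddr
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else 0
    return mac, ip, lease


if __name__ == "__main__":
    ack = build_dhcp_packet(DHCPACK, "00:11:22:33:44:55", "10.0.101.42")
    print(binding_from_dhcp(ack))
```

The same check explains the warning above: if a DHCP server were listening on the helper interface, the copies of the requests would get answers from it, so the listener must only ever see traffic, never produce replies.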

Obtain a copy of the DHCP traffic
Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.

Interface in every VLAN
Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence
It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
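To check what the PF_REGISTRATION list above actually lets through, here is an added Python model of first-match extended-ACL evaluation (this is an illustration, not router code): the three entries are transcribed and a handful of constructed flows are evaluated against them, showing that DNS to the PF server and DHCP discovery pass while a manually configured external resolver is dropped by the final deny. Destination addresses other than the PF server are documentation-range values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" (any protocol), "udp" or "tcp"
    dst_host: Optional[str]         # None means "any"
    dst_port: Optional[int] = None  # None means any port (the "eq N" clause)


# The PF_REGISTRATION list from the guide, transcribed entry by entry.
PF_REGISTRATION: List[AclEntry] = [
    AclEntry("permit", "ip", "192.168.2.1"),      # permit ip any host 192.168.2.1
    AclEntry("permit", "udp", None, 67),          # permit udp any any eq 67
    AclEntry("deny", "ip", None),                 # deny ip any any log
]


def acl_decision(acl: List[AclEntry], proto: str, dst_ip: str,
                 dst_port: Optional[int]) -> str:
    """First-match evaluation of an extended access list.

    Entries are tried in order and the first one that matches decides; a list
    that matches nothing ends in the implicit deny, exactly as on the router.
    """
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dst_host is not None and e.dst_host != dst_ip:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


def audit_flows(acl: List[AclEntry],
                flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str]]:
    """Evaluate labelled (label, proto, dst_ip, dst_port) flows; returns (label, decision)."""
    return [(label, acl_decision(acl, proto, ip, port)) for label, proto, ip, port in flows]


# Constructed flows a client in VLAN 20 might generate.
SAMPLE_FLOWS = [
    ("dns to PF server", "udp", "192.168.2.1", 53),
    ("https to portal", "tcp", "192.168.2.1", 443),
    ("dhcp discover", "udp", "255.255.255.255", 67),
    ("dns to external resolver", "udp", "198.51.100.53", 53),
    ("http to external host", "tcp", "192.0.2.50", 80),
]

if __name__ == "__main__":
    for label, decision in audit_flows(PF_REGISTRATION, SAMPLE_FLOWS):
        print(f"{label:28s} {decision}")
```

Note the ordering: the DHCP entry has to sit before the final deny, and the port-67 match is what keeps the helper-address path working for clients that have no address yet.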


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS Server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation
By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start= auto
sc start napagent

# Wired 802.1X
sc config dot3svc start= auto depend= napagent
sc start dot3svc

netsh nap client show config

# get the ID value for the "EAP Quarantine Enforcement Client"
netsh nap client set enforce id=$ID admin=enable

The last step is to select the "Enforce Network Access Protection" checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy
In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example
Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when "anti-virus is disabled", and finally reload the violations.

First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php
template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the "Add a filter" button to create a filter named antivirus. Click on antivirus in the filter list, and select "Trigger violation" in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on "Add a condition" and select "Anti-virus", "is" and "disabled" in the drop-down boxes that appear. Click on the "Save filters" button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem, in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE, and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout (the rule references the open condition defined just above it):

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN

[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:

- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
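The VLAN filter and RADIUS filter sections share one rule syntax: named conditions with a filter, an operator and a value, and rule sections named N:cond&cond whose conditions must all hold. The following Python evaluator is an added example serving both sections; it is not PacketFence's filter engine. It parses constructed excerpts in that syntax, evaluates the is and defined operators, supports the ! negation used in the RADIUS example, substitutes $name placeholders in the answer, and implements an assumed subset of the time value syntax (wd {...} hr {...}, with the hour range treated as start-inclusive and end-exclusive). The context values (category, SSID, role, portal URL, session id) are made up.

```python
import configparser
import re
from datetime import datetime
# Constructed excerpts in the vlan_filters.conf / radius_filters.conf syntax shown above.
VLAN_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""
RADIUS_FILTERS = """
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep/$session_id
"""

def lookup(ctx, path):
    """Resolve a dotted name such as node_info.category or switch._portalURL; None if absent."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _hour(text):
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip())
    if not m:
        raise ValueError("unsupported hour: " + text)
    return int(m.group(1)) % 12 + (12 if m.group(2) == "pm" else 0)

def in_time_window(spec, now):
    """Assumed subset of the time syntax: 'wd {Mon ... Fri} hr {11am-2pm}'.
    Weekday names are matched literally; the hour range is [start, end)."""
    ok = True
    for kind, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if kind == "wd":
            ok = ok and now.strftime("%a") in body.split()
        else:
            start, end = body.split("-")
            ok = ok and _hour(start) <= now.hour < _hour(end)
    return ok

def condition_holds(cfg, name, ctx):
    sec = cfg[name]
    actual = lookup(ctx, sec["filter"])
    if sec["operator"] == "defined":
        return actual is not None
    if sec["operator"] == "is":
        if sec["filter"] == "time":
            return isinstance(actual, datetime) and in_time_window(sec["value"], actual)
        return actual == sec["value"]
    raise ValueError("unsupported operator: " + sec["operator"])

def substitute(value, ctx):
    """Replace $name / $a.b placeholders with context values; unknown names are kept as is."""
    def repl(m):
        found = lookup(ctx, m.group(1))
        return m.group(0) if found is None else str(found)
    return re.sub(r"\$([\w.]+)", repl, value)

def apply_filters(text, scope, ctx):
    """Return the settings (scope excluded) of the first rule in `scope` whose conditions
    all hold, or None. A rule section is named 'N:cond&cond&!cond'; '!' negates."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    for name in cfg.sections():
        if ":" not in name or cfg[name].get("scope") != scope:
            continue
        matched = True
        for term in name.split(":", 1)[1].split("&"):
            negate = term.startswith("!")
            if condition_holds(cfg, term.lstrip("!"), ctx) == negate:
                matched = False
                break
        if matched:
            return {k: substitute(v, ctx) for k, v in cfg[name].items() if k != "scope"}
    return None
```

With a registered device of the default category on SSID SECURE at 12:30 on a Wednesday, apply_filters(VLAN_FILTERS, "RegisteredRole", ctx) yields the nointernet role; the same device on a Saturday matches nothing. For the RADIUS rule, a device with no violation gets the Cisco-AVPair answer with the role and portal URL filled in, and a device that has a violation gets no answer from the filter at all, which is what the ! in the rule name is for.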


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (Core switch, Firewall, Router, …)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking "Add routed network". See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003
This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable "Show parking portal" in Configuration → Parking.

Chapter 13

Copyright © 2016 Inverse inc. Optional components 92

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf: all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration
Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud
It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering in the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

The configuration of a new syslog parser should use the following:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

The configuration of a new violation can use the following trigger types:

- Type: metascan; Trigger ID: the scan result returned by Metadefender Cloud online
- Type: suricata_md5; Trigger ID: the MD5 hash returned by Suricata
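What arrives on the FIFO above is one JSON object per file transaction. The following Python snippet is an added example of the parsing side (it is not PacketFence's suricata_http parser): it reads constructed lines in the shape of Suricata's files-json.log, keeps only entries that carry a complete MD5, and matches them against a constructed table of suricata_md5 trigger values mapped to violation IDs. Treating dstip as the client that downloaded the file is an assumption of this sample, as is the violation ID 3000001.

```python
import json
from typing import Dict, List, Optional

# Constructed log lines in the shape of Suricata's files-json.log (one JSON
# object per file transaction); hashes, hosts and addresses are made up.
SAMPLE_LINES = [
    '{"timestamp":"06/15/2016-12:30:01.000001","ipver":4,"srcip":"203.0.113.10","dstip":"192.168.20.25",'
    '"protocol":6,"sp":80,"dp":51000,"http_host":"files.example.net","http_uri":"/setup.exe",'
    '"filename":"/setup.exe","magic":"PE32 executable","state":"CLOSED",'
    '"md5":"d41d8cd98f00b204e9800998ecf8427e","stored":false,"size":1024}',
    '{"timestamp":"06/15/2016-12:31:07.000002","ipver":4,"srcip":"203.0.113.11","dstip":"192.168.20.26",'
    '"protocol":6,"sp":80,"dp":51001,"http_host":"cdn.example.org","http_uri":"/logo.png",'
    '"filename":"/logo.png","magic":"PNG image","state":"CLOSED",'
    '"md5":"9e107d9d372bb6826bd81d3542a419d6","stored":false,"size":2048}',
    '{"timestamp":"06/15/2016-12:32:00.000003","ipver":4,"srcip":"203.0.113.12","dstip":"192.168.20.27",'
    '"protocol":6,"sp":80,"dp":51002,"filename":"/partial.bin","state":"TRUNCATED","stored":false,"size":10}',
    'this is not json at all',
]

# Constructed mapping of suricata_md5 trigger values to violation IDs.
MD5_TRIGGERS: Dict[str, int] = {"d41d8cd98f00b204e9800998ecf8427e": 3000001}


def parse_files_json(line: str) -> Optional[Dict[str, str]]:
    """Extract the fields needed to act on one files-json.log entry.

    Returns None for malformed lines and for transactions without a complete
    32-hex-digit MD5 (for example a truncated transfer), so nothing is
    triggered on partial data.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict):
        return None
    md5 = str(rec.get("md5", "")).lower()
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        return None
    return {
        # The file flows from srcip to dstip; for an HTTP download dstip is the
        # client that has to be looked up as a node (assumption for this sample).
        "client_ip": str(rec.get("dstip", "")),
        "server_ip": str(rec.get("srcip", "")),
        "md5": md5,
        "filename": str(rec.get("filename", "")),
        "http_host": str(rec.get("http_host", "")),
    }


def match_md5_triggers(lines: List[str], triggers: Dict[str, int]) -> List[Dict[str, object]]:
    """Return one hit per log entry whose MD5 is listed as a suricata_md5 trigger."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        event = parse_files_json(line)
        if event and event["md5"] in triggers:
            hits.append({"client_ip": event["client_ip"], "md5": event["md5"],
                         "vid": triggers[event["md5"]]})
    return hits


if __name__ == "__main__":
    for hit in match_md5_triggers(SAMPLE_LINES, MD5_TRIGGERS):
        print(hit)
```

The hash comparison is done on the lowercased value so a trigger entered in upper case still matches, and the TRUNCATED entry is dropped on purpose: a partial file yields no meaningful hash and must not raise or suppress a violation.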

SecurityOnionInstallationandConfigurationSecurityOnionisaUbuntubasedsecuritysuiteThelatest installationinstructionsareavailabledirectly from theSecurityOnionwebsite httpsgithubcomSecurity-Onion-Solutionssecurity-onionwikiInstallation

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 95

SinceasecuritysuiteconsistsofmultiplepiecesofsoftwaretiedtogetheryoumaybepromptedfordifferentoptionsduringtheinstallationprocessAdetailedProductionDeploymentguidecanalsobefounddirectlyfromtheSecurityOnionwebsitehttpsgithubcomSecurity-Onion-Solutionssecurity-onionwikiProductionDeployment

PacketFenceintegration

OnceSecurityOnionisinstalledandminimallyconfiguredintegrationwithPacketFenceisrequiredtobeabletoraiseviolationsbasedonsensor(s)alertssyslogisusedtoforwardsensor(s)alertsfromSecurityOniontothePacketFencedetectionmecanisms

The simplest way is as follow (based on httpsgithubcomSecurity-Onion-Solutionssecurity-onionwikiThirdPartyIntegration)

OntheSecurityOnionserver

Note

Mustbedoneonthemasterserverrunningsguild

Configureetcsyslog-ngsyslog-ngconfbyaddingthefollowingtoenablesendingsguildlogentriestoPacketFence

PacketFence IDS integration This line specifies where the sguildlog file is located -gt Make sure to configure the right patch along with the right filename (on a Security Onion setup that should be pretty much standard)source s_sguil file(varlognsmsecurityonionsguildlog program_override(securityonion_ids)) This line filters on the string ldquoAlert Receivedrdquofilter f_sguil match(Alert Received) This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -gt Make sure to configure the right PacketFence management interface IP addressdestination d_packetfence udp(PACKENTFENCE_MGMT_IP port(514)) This line indicates syslog-ng to use the s_sguil source apply the f_sguil filter and send it to the d_packetfence destinationlog source(s_sguil) filter(f_sguil) destination(d_packetfence)

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alerts log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: The IDS triggered rule ID

Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert
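To see what the two syslog stages above actually let through, here is an added example (not part of the guide, not PacketFence or Security Onion code) that models them over constructed sguild.log lines: the syslog-ng side keeps only lines matching "Alert Received" and sends them with the overridden program name, and the rsyslog side selects by $programname and stops processing those messages (the "& ~" line). The sample log lines, the host name so-master and the timestamps are constructed; the last function is a check that the alert pipe really is a FIFO, because a regular file at that path would accept rsyslog's writes while PacketFence never reads them.

```python
import os
import re
import stat

# Constructed sguild.log lines (illustrative only, not real sguild output).
SGUILD_LOG = [
    "2016-06-15 11:02:17 pid(4123)  Alert Received: sensor1 {ET P2P BitTorrent DHT ping request} 10.0.0.33 198.51.100.7",
    "2016-06-15 11:02:18 pid(4123)  Client connected: analyst1",
    "2016-06-15 11:02:19 pid(4123)  Alert Received: sensor1 {ET MALWARE Suspicious User-Agent} 10.0.0.21 203.0.113.9",
]

# BSD syslog as emitted by the udp() destination: <PRI>Mmm dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def syslog_ng_stage(lines, host="so-master", program="securityonion_ids", ts="Jun 15 11:02:17"):
    """source s_sguil -> filter f_sguil -> destination d_packetfence: keep only the lines
    containing "Alert Received" and emit them as datagrams carrying the overridden program name."""
    return [f"<13>{ts} {host} {program}: {line}" for line in lines if "Alert Received" in line]


def parse_syslog(datagram):
    """Return the fields of one datagram, or None when it is not well-formed BSD syslog."""
    m = SYSLOG_RE.match(datagram)
    return m.groupdict() if m else None


def rsyslog_stage(datagrams, program="securityonion_ids"):
    """if $programname == 'securityonion_ids' then <fifo>, followed by "& ~": matching messages
    go to the FIFO and are discarded afterwards; every other datagram continues down the
    remaining rsyslog rules (returned here as passed_on)."""
    to_fifo, passed_on = [], []
    for datagram in datagrams:
        parsed = parse_syslog(datagram)
        if parsed and parsed["program"] == program:
            to_fifo.append(parsed["msg"])
        else:
            passed_on.append(datagram)
    return to_fifo, passed_on


def fifo_exists(path):
    """True only when `path` exists and is a named pipe, i.e. what mkfifo created."""
    try:
        return stat.S_ISFIFO(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    delivered, rest = rsyslog_stage(syslog_ng_stage(SGUILD_LOG))
    print(f"{len(delivered)} alert(s) for the FIFO, {len(rest)} other message(s)")
    print("alert pipe ok:", fifo_exists("/usr/local/pf/var/securityonion_ids"))
```

Run it on the PacketFence server to confirm the pipe was created with mkfifo; a False from fifo_exists after rsyslog has been writing usually means a regular file was created at that path and should be removed before creating the FIFO.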

Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where

Enabled is whether or not the violation is currently activated (should be ON)
Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.

Description is the user-friendly description of the violation
Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node

Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.

Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by commas.

Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.

Log message will log the violation in the log file defined in [alerting].log

External command will execute a command on the operating system when this violation is raised

Close a violation will close an existing violation for this device when this one is raised

Set role will modify the role of the device


Enforce provisioning will trigger a check of compliance on the provisioners defined for the device

Priority defines the order in which violations should be handled, should there be more than one for a device

Whitelisted Roles is the list of roles that are not affected by this violation

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using MAC OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After this amount of times, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or to shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (ie. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


Delay by is the delay before triggering the violation
Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced
In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS or WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation
Nessus
Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note
You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS
Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the file names.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI
You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration
In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition
First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to Nessus scan
Password: Password to connect to Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to OpenVAS scan
Password: Password to connect to OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed
logged_user
Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

the request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.

Inside the Rules Actions, we define 2 sorts of blocks: the test block (ie. [explorer]) and the action block (ie. [1:explorer]).


The test block is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocks.

The action block is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
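The rule syntax just described (test blocks, the four operators, and the !/&/| logic of the action header) can be exercised offline with the added example below. It is not PacketFence's own WMI rule engine; it is an independent Python model of the semantics the guide describes, run over constructed rows standing in for what "select * from Win32_Product" would return. The assumptions are that "match" is a regular-expression search over the attribute value and that a test block holds when any returned row satisfies it; the sevenzip test and the second action block are constructed to show the boolean logic.

```python
import re

# Operators named in the guide. Assumption: match/match_not are regular-expression searches.
OPERATORS = {
    "is": lambda got, want: got == want,
    "is_not": lambda got, want: got != want,
    "match": lambda got, want: re.search(want, got) is not None,
    "match_not": lambda got, want: re.search(want, got) is None,
}


def parse_rules(text):
    """Split a 'Rules Actions' body into test blocks {name: {attribute, operator, value}}
    and an ordered list of (expression, params) action blocks written as [N:expression]."""
    tests, actions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            name = header.group(1)
            if ":" in name:                                   # action block, e.g. [1:google&explorer]
                current = {}
                actions.append((name.split(":", 1)[1], current))
            else:                                             # test block, e.g. [google]
                current = tests.setdefault(name, {})
            continue
        if current is None:
            raise ValueError(f"key outside of a block: {line!r}")
        key, _, value = line.partition("=")                  # action_param keeps its inner '=' signs
        current[key.strip()] = value.strip()
    return tests, actions


def eval_test(test, rows):
    """A test block holds if any row returned by the request satisfies it (assumption)."""
    op = OPERATORS[test["operator"]]
    return any(op(str(row.get(test["attribute"], "")), test["value"]) for row in rows)


def eval_expr(expr, results):
    """Recursive-descent evaluation of !, &, | and parentheses over test-block names;
    anything else in the header is rejected instead of being interpreted."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*|[!&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unexpected characters in {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        if tok is None or tok in ("&", "|", ")"):
            raise ValueError(f"malformed expression {expr!r}")
        if tok not in results:
            raise KeyError(f"no test block named {tok!r}")
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return value


def run_rule(rules_text, rows):
    """Evaluate every test block against the rows, then return (results, actions that fired)."""
    tests, actions = parse_rules(rules_text)
    results = {name: eval_test(t, rows) for name, t in tests.items()}
    fired = [params for expr, params in actions if eval_expr(expr, results)]
    return results, fired


# Constructed rule text: the guide's Google test plus a second test and a compound action.
SOFTWARE_RULE = """
[google]
attribute = Caption
operator = match
value = Google

[sevenzip]
attribute = Caption
operator = match
value = ^7-Zip

[1:google&!sevenzip]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

[2:!google|(sevenzip&google)]
action = allow
"""

# Constructed rows standing in for the result of "select * from Win32_Product".
WIN32_PRODUCT_ROWS = [
    {"Caption": "Google Chrome", "Vendor": "Google LLC"},
    {"Caption": "7-Zip 16.04", "Vendor": "Igor Pavlov"},
]

if __name__ == "__main__":
    print(run_rule(SOFTWARE_RULE, WIN32_PRODUCT_ROWS))
```

With both products installed, google and sevenzip are true, so action 1 (google and not sevenzip) stays quiet and action 2 fires with "allow"; drop the 7-Zip row and the trigger_violation action fires instead.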

Violations definition
You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note
Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles
The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely
Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations
Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION]::[LIMIT]::[INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth
LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB)

INTERVAL: This is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y)

Example triggers:
Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN::50GB::1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT::500MB::1D

Look for Total (Download+Upload) traffic with a 200GB limit in the last week:


Accounting::TOT::200GB::1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (ie. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
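The trigger format above and the grace-period recommendation can both be checked with the following added example. It is not PacketFence code: it parses Accounting::DIRECTION::LIMIT[::INTERVAL] triggers, sums a node's constructed accounting sessions inside the look-back window, and reports whether the limit is exceeded, using the guide's wording that IN is download and OUT is upload. The byte multipliers (binary, 1 KB = 1024 B), the 30-day month and 365-day year used for the window, and the MAC addresses and session records are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# LIMIT units from the guide. Assumption: binary multiples (1 KB = 1024 B).
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# INTERVAL units from the guide. Assumption: a month counts as 30 days and a year as 365.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(
    r"^Accounting::(?P<dir>IN|OUT|TOT)::(?P<n>\d+)(?P<unit>B|KB|MB|GB|PB)"
    r"(?:::(?P<i>\d+)(?P<iunit>[DWMY]))?$"
)


def parse_trigger(trigger):
    """Return (direction, limit_in_bytes, window) for a trigger string; window is None
    when the optional INTERVAL part is absent, meaning the whole accounting history."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not an accounting trigger: {trigger!r}")
    limit = int(m["n"]) * UNIT_BYTES[m["unit"]]
    window = timedelta(days=int(m["i"]) * INTERVAL_DAYS[m["iunit"]]) if m["i"] else None
    return m["dir"], limit, window


def usage_in_window(records, mac, direction, window, now):
    """Sum the bytes one node moved inside the window. IN counts download bytes, OUT upload
    bytes (the guide's wording), TOT both."""
    total = 0
    for rec in records:
        if rec["mac"] != mac:
            continue
        if window is not None and rec["stop"] < now - window:
            continue
        if direction in ("IN", "TOT"):
            total += rec["download_bytes"]
        if direction in ("OUT", "TOT"):
            total += rec["upload_bytes"]
    return total


def trigger_fires(trigger, records, mac, now):
    """True when the node's usage in the window exceeds the trigger's limit."""
    direction, limit, window = parse_trigger(trigger)
    return usage_in_window(records, mac, direction, window, now) > limit


def grace_for(trigger):
    """The guide recommends a grace period of one interval window; None when there is no interval."""
    return parse_trigger(trigger)[2]


GiB = 1024 ** 3
MiB = 1024 ** 2
MAC_A = "00:11:22:33:44:55"   # constructed
MAC_B = "66:77:88:99:aa:bb"   # constructed
NOW = datetime(2016, 6, 15, 12, 0, 0)

# Constructed accounting sessions (stop time, bytes in each direction).
RECORDS = [
    {"mac": MAC_A, "stop": NOW - timedelta(days=45), "download_bytes": 20 * GiB, "upload_bytes": 1 * GiB},
    {"mac": MAC_A, "stop": NOW - timedelta(days=10), "download_bytes": 30 * GiB, "upload_bytes": 2 * GiB},
    {"mac": MAC_A, "stop": NOW - timedelta(days=5), "download_bytes": 25 * GiB, "upload_bytes": 400 * MiB},
    {"mac": MAC_A, "stop": NOW - timedelta(hours=2), "download_bytes": 1 * GiB, "upload_bytes": 200 * MiB},
    {"mac": MAC_B, "stop": NOW - timedelta(days=1), "download_bytes": 80 * GiB, "upload_bytes": 0},
]

if __name__ == "__main__":
    for trig in ("Accounting::IN::50GB::1M", "Accounting::OUT::500MB::1D", "Accounting::TOT::200GB::1W"):
        print(trig, "fires for", MAC_A, "->", trigger_fires(trig, RECORDS, MAC_A, NOW), "grace:", grace_for(trig))
```

For MAC_A the 50GB/month trigger fires (56 GiB downloaded in the last 30 days, the 45-day-old session is outside the window), while the daily upload and weekly total triggers stay under their limits.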

Oinkmaster

Oinkmaster is a perl script that makes it possible to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster

2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update
In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (ie. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests
Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration
Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet web site: https://<hostname>/signup

Caution
Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration
Guest self-registration
It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests
It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years)

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.

Guest pre-registration
To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist on the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account
Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate; the JSON-RPC call below goes out without TLS validation.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4726 is the name of the deleted account.
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account
Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate; the JSON-RPC call below goes out without TLS validation.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4725 is the name of the disabled account.
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account
Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName.
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate; the JSON-RPC call below goes out without TLS validation.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4740 is the name of the locked account.
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).
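The three scripts above build the unreg_node_for_pid request by string concatenation and accept any server certificate. The added example below (my code, not PacketFence's or the guide's) shows the same JSON-RPC 2.0 call built with a JSON encoder, so an account name containing a quote or a backslash cannot produce a malformed document, and sent over a verified TLS connection. The placeholder IP_PACKETFENCE is kept from the guide; that the web services accept HTTP Basic credentials is an assumption (the PowerShell scripts leave the scheme to .NET's credential negotiation), and the sample account names are constructed.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

PF_WEBSERVICES_URL = "https://IP_PACKETFENCE:9090/"   # placeholder from the guide; put your server here


def account_name_from_event(replacement_strings):
    """Events 4725, 4726 and 4740 carry the target account name in ReplacementStrings[0],
    the field the guide's scripts hand to unreg_node_for_pid."""
    if not replacement_strings:
        raise ValueError("event carries no replacement strings")
    return replacement_strings[0]


def naive_concat_request(account_name):
    """Mirror of the PowerShell concatenation; breaks for names containing a quote or backslash."""
    return '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "' + account_name + '"]}'


def build_unreg_request(account_name):
    """The same JSON-RPC 2.0 call, built by an encoder so every account name is escaped correctly."""
    body = {"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", account_name]}
    return json.dumps(body)


def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def decoded_params(text):
    """Return the params array of a JSON-RPC request body (raises if the body is not valid JSON)."""
    return json.loads(text)["params"]


def post_unreg(account_name, username, password, url=PF_WEBSERVICES_URL, cafile=None):
    """Send the call over a certificate-validated TLS connection. Assumption: the web services
    accept HTTP Basic credentials; cafile points at the CA that issued PacketFence's certificate."""
    data = build_unreg_request(account_name).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    req.add_header("Authorization", "Basic " + b64encode(f"{username}:{password}".encode()).decode())
    ctx = ssl.create_default_context(cafile=cafile)   # validates the server certificate, unlike {$true}
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for name in ("jdoe", 'O"Brien', "CORP\\jdoe"):   # constructed account names
        print(f"{name!r}: concat valid={is_valid_json(naive_concat_request(name))}, "
              f"encoded valid={is_valid_json(build_unreg_request(name))}")
```

Only the first of the three constructed names survives the concatenation intact; the encoder version is valid for all of them and is what post_unreg sends.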

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor
You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note
You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).


Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor
First download the RPM on your DHCP server.

CentOS 6 and 7 servers
For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system
First make sure you have the following packages installed:

libpcap, libpcap-devel, gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor
Place the following line in /etc/rc.local:

where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l)

where 192.168.1.5 is the management IP of your PacketFence server

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action Switches CLI - Read or Switches CLI - Write, and assign this role to an internal user or in an Administration rule in an internal source.

Chapter 14

Copyright © 2016 Inverse inc. Operating System Best Practices 118

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during the PacketFence initial installation.

Chapter 15

Copyright © 2016 Inverse inc. Performance optimization 119

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Because all traps coming in from approved (configured) devices are processed by the daemon, someone who wants to generate a certain load on the PacketFence server could force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

AlternativelyyoucanconfiguretheseparametersfromthePacketFenceWebadministrativeGUIintheConfigurationrarrSNMPsection
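As an added illustration (not PacketFence code), the following shell function applies the same per-switch-port rate rule to a trap log: it keeps a sliding 60-second window per (switch, port) pair and reports the first moment the count exceeds the threshold. The log format is a constructed one (date, time, switch IP, ifIndex, trap type per line) rather than the real snmptrapd.log layout, and pf_sample_trap_log generates constructed sample data in which port 12 of 10.0.0.5 floods 105 traps in under a minute while port 7 sends one trap every ten seconds.

```shell
#!/bin/sh
# Added example, not part of PacketFence. Sliding-window trap counter that
# mirrors the trap_limit_threshold rule: more than THRESHOLD traps from the
# same switch port within 60 seconds is reported once per port.
#
# Input format (constructed for this example, NOT the real snmptrapd.log):
#   YYYY-MM-DD HH:MM:SS <switch-ip> <ifIndex> <trap-type>
# Lines must be in chronological order; times are taken within one day.

# pf_trap_flood THRESHOLD  < log  -> prints "<switch> <port> <count>" for
# each port whose count first exceeds THRESHOLD inside a 60-second window.
pf_trap_flood() {
  awk -v thr="$1" -v win=60 '
    {
      key = $3 ":" $4
      split($2, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      if (!(key in tail)) { head[key] = 1; tail[key] = 0 }
      tail[key]++
      ts[key, tail[key]] = now
      # drop events that fell out of the window (older than now - win)
      while (ts[key, head[key]] <= now - win) head[key]++
      n = tail[key] - head[key] + 1
      if (n > thr && !(key in flagged)) {
        flagged[key] = 1
        print $3, $4, n
      }
    }'
}

# pf_sample_trap_log -> constructed sample: 10.0.0.5 port 12 sends 105 linkUp
# traps in 53 seconds (a flood); port 7 sends 30 traps, one every 10 seconds.
pf_sample_trap_log() {
  i=0
  while [ "$i" -lt 105 ]; do
    printf '2016-06-01 10:00:%02d 10.0.0.5 12 linkUp\n' $((i / 2))
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 30 ]; do
    printf '2016-06-01 10:%02d:%02d 10.0.0.5 7 linkUp\n' $((i * 10 / 60)) $((i * 10 % 60))
    i=$((i + 1))
  done
}

# Usage: pf_sample_trap_log | sort | pf_trap_flood 100
#        prints "10.0.0.5 12 101" (port 7 never exceeds the limit)
```

Run against a real trap log you would replace pf_sample_trap_log with a filter that extracts the timestamp, switch address and ifIndex from each snmptrapd.log line; the window logic stays the same.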

MySQL optimizations

Tuning MySQL. If your PacketFence system is acting very slowly, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

    # uptime
    11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79

Check iostat and CPU:

    # iostat 5
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    3.20   20.20   76.00

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       32.40         0.00      1560.00          0       7800

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.20    9.20   88.00

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        7.80         0.00        73.60          0        368

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    1.80   23.80   73.80

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       31.40         0.00      1427.20          0       7136

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.40   18.16   78.84

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and I/O wait is peaking at 20%: this is not good. If your I/O wait is low but MySQL is taking more than 50% CPU, this is also not good. Check your MySQL install for the following variables:

    mysql> show variables;
    | innodb_additional_mem_pool_size | 1048576 |
    | innodb_autoextend_increment     | 8       |
    | innodb_buffer_pool_awe_mem_mb   | 0       |
    | innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer pool size from the default values (8 MB above).

Shut down PacketFence and MySQL:

    # /etc/init.d/packetfence stop
    Shutting down PacketFence...
    # /etc/init.d/mysql stop
    Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):

    [mysqld]
    # Set buffer pool size to 50-80% of your computer's memory
    innodb_buffer_pool_size=800M
    innodb_additional_mem_pool_size=20M
    innodb_flush_log_at_trx_commit=2
    innodb_file_per_table
    # allow more connections
    max_connections=700
    # set cache size
    key_buffer_size=900M
    table_cache=300
    query_cache_size=256M
    # enable slow query log
    log_slow_queries = ON

Two caveats on that template. innodb_flush_log_at_trx_commit=2 buys write throughput by flushing the redo log to disk only once per second, so an operating system crash or power loss can discard up to about a second of committed transactions (a crash of mysqld alone does not lose them); decide whether that is acceptable for your node and accounting data. Several of these option names date from MySQL 5.0: on MySQL 5.6 and later (and recent MariaDB) the slow query log is enabled with slow_query_log=1 because log_slow_queries was removed, table_cache is spelled table_open_cache, and innodb_additional_mem_pool_size was removed in MySQL 5.7, so check your server's version before copying the block verbatim, otherwise mysqld may refuse to start on an unknown option.

Start up MySQL and PacketFence:

    # /etc/init.d/mysqld start
    Starting MySQL:                                            [  OK  ]
    # /etc/init.d/packetfence start
    Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

    # uptime
    12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
    # iostat 5
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        8.00         0.00        75.20          0        376

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.99   13.37   83.03

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       14.97         0.00       432.73          0       2168

    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.20    0.00    2.60    6.60   90.60

    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool. We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

    /usr/local/bin/pftest mysql

Keeping tables small. Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not NULL and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems. In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300 (the max_connections setting shown in the my.cnf template above). See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems. In a wireless context, there tend to be a lot of connections made to the database by our FreeRADIUS module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and, after 10 of these (the default of the max_connect_errors setting), it will lock the host out with:

    Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all costs. Ways to do so are to increase the number of maximum connections (see above), to periodically flush hosts (mysqladmin flush-hosts), or to allow more connection errors (raise max_connect_errors). See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
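As an added example (not PacketFence's tuner and not part of the guide), the shell function below reads the [mysqld] section of a my.cnf and flags the weak settings the preceding MySQL sections discuss: a buffer pool below 50% of RAM, max_connections below 300, and max_connect_errors left at a low value. The 50% and 300 figures come from the text above; the max_connect_errors threshold of 100, the function names and the two sample configurations are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not PacketFence code: audit a my.cnf against the tuning
# advice above. Thresholds: buffer pool >= 50% of RAM and max_connections
# >= 300 are from the guide; max_connect_errors >= 100 is an assumption.

# pf_mysql_audit "<my.cnf contents>" TOTAL_RAM_MB
# Prints one WARN: line per weak setting and a NOTE: for the durability
# trade-off of innodb_flush_log_at_trx_commit=2.
pf_mysql_audit() {
  printf '%s\n' "$1" | awk -v ram="$2" '
    # size strings such as 800M / 8G / 8388608 (bytes) -> megabytes
    function mb(v,  n, u) {
      n = v + 0
      u = toupper(substr(v, length(v), 1))
      if (u == "G") return n * 1024
      if (u == "M") return n
      if (u == "K") return n / 1024
      return n / 1048576
    }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*/, "", sec); next }
    sec != "[mysqld]" || /^[ \t]*#/ || !/=/ { next }
    {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
      cfg[key] = val
    }
    END {
      # MySQL 5.0 defaults when the option is absent: 8 MB pool,
      # 100 connections, 10 connect errors
      pool  = ("innodb_buffer_pool_size" in cfg) ? mb(cfg["innodb_buffer_pool_size"]) : 8
      conns = ("max_connections" in cfg) ? cfg["max_connections"] + 0 : 100
      errs  = ("max_connect_errors" in cfg) ? cfg["max_connect_errors"] + 0 : 10
      if (pool < ram * 0.5)
        printf "WARN: innodb_buffer_pool_size=%dM is below 50%% of RAM (%dM); use %dM-%dM\n", pool, ram, ram * 0.5, ram * 0.8
      if (conns < 300)
        printf "WARN: max_connections=%d; raise to at least 300 for the FreeRADIUS module\n", conns
      if (errs < 100)
        printf "WARN: max_connect_errors=%d; a loaded server can hit this and block the RADIUS host\n", errs
      if (cfg["innodb_flush_log_at_trx_commit"] == 2)
        print "NOTE: innodb_flush_log_at_trx_commit=2 can lose ~1s of commits on OS crash"
    }'
}

# pf_mysql_warnings "<my.cnf contents>" TOTAL_RAM_MB -> number of WARN lines
pf_mysql_warnings() {
  pf_mysql_audit "$1" "$2" | awk '/^WARN:/ { n++ } END { print n + 0 }'
}

# Constructed sample configurations (not taken from a real server).
PF_MYCNF_WEAK='[mysqld]
innodb_buffer_pool_size=8388608
max_connections=100
'
PF_MYCNF_TUNED='[mysqld]
# 16 GB box: an 8 GB pool is 50% of RAM
innodb_buffer_pool_size=8G
innodb_flush_log_at_trx_commit=2
max_connections=700
max_connect_errors=1000
'

# Usage: pf_mysql_audit "$(cat /etc/my.cnf)" "$(free -m | awk '/^Mem:/ {print $2}')"
```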

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests. By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).

Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

    [get_ua_is_dalvik]
    filter = user_agent
    method = GET
    operator = match
    value = Dalvik

    [get_uri_not_generate204]
    filter = uri
    method = GET
    operator = match_not
    value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

    [block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
    action = 501
    redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204. Keep in mind that the User-Agent header is chosen by the client, so these filters are a load-shedding measure and not an access control: anything that wants to reach the portal can send a browser user agent.
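To check what a rule set will do to a request before deploying it, here is an added example (not PacketFence code) of a minimal evaluator for the test/rule layout shown above. It assumes, beyond what the guide states, that operators are "match" and "match_not" (awk regular expressions), that filters are user_agent, uri or method, that rule expressions only combine tests with "&", and that the first matching rule wins. The no-user-agent rule returning 403 is a constructed stand-in for the default rule the guide mentions; the whole PF_FILTERS_SAMPLE is constructed.

```shell
#!/bin/sh
# Added example, not PacketFence code: evaluate apache_filters.conf-style
# tests and rules against one request. Assumptions: operators match /
# match_not are awk regexes, filters are user_agent / uri / method, rule
# expressions join tests with "&" only, first matching rule wins.

PF_FILTERS_SAMPLE='[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[get_ua_empty]
filter = user_agent
method = GET
operator = match
value = ^$

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

[block_no_ua:get_ua_empty]
action = 403
redirect_url =
'

# pf_filter_decide METHOD USER_AGENT URI -> prints the action code of the
# first rule whose tests all pass, or "pass" when no rule applies.
pf_filter_decide() {
  printf '%s\n' "$PF_FILTERS_SAMPLE" | awk -v m="$1" -v ua="$2" -v uri="$3" '
    /^\[/ {
      sec = $0; sub(/^\[/, "", sec); sub(/].*$/, "", sec)
      if (index(sec, ":")) {            # [rule:test1&test2] block
        rname = sec; sub(/:.*/, "", rname)
        expr = sec;  sub(/^[^:]*:/, "", expr)
        rules[++nrule] = rname; exprs[nrule] = expr
        cur = "rule:" rname
      } else {                          # [test] block
        cur = sec
      }
      next
    }
    /^[a-z_]+ *=/ {
      key = $1
      val = $0; sub(/^[a-z_]+ *= */, "", val)
      if (cur ~ /^rule:/) { r = cur; sub(/^rule:/, "", r); if (key == "action") action[r] = val }
      else conf[cur, key] = val
      next
    }
    END {
      for (i = 1; i <= nrule; i++) {
        n = split(exprs[i], t, "&"); ok = 1
        for (j = 1; j <= n; j++) {
          name = t[j]
          # a test with a method restriction only applies to that method
          if (((name, "method") in conf) && conf[name, "method"] != m) { ok = 0; break }
          f = conf[name, "filter"]
          v = (f == "user_agent") ? ua : (f == "uri") ? uri : m
          hit = (v ~ conf[name, "value"])
          if (conf[name, "operator"] == "match_not") hit = !hit
          if (!hit) { ok = 0; break }
        }
        if (ok) { print action[rules[i]]; exit }
      }
      print "pass"
    }'
}

# Usage: pf_filter_decide GET 'Dalvik/2.1.0 (Linux; U; Android 6.0)' /index.html
#        -> 501 ; the same user agent requesting /generate_204 -> pass
```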

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be I/O intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure PacketFence is stopped:

    # service packetfence stop

Create an ext4 filesystem on the new device (this erases whatever is on it, so confirm with lsblk or fdisk -l that /dev/sdb really is the empty disk you just added):

    # mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

    # mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

    # echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
    # mkdir /usr/local/pf/var/graphite
    # mount -a
    # df -h

Apply the proper user rights and restore your database from your backup:

    # chown pf:pf /usr/local/pf/var/graphite
    # cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:

    # rm -fr /usr/local/pf/var/graphite.bak
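The steps above, as one added script (not PacketFence code) with the guards a practitioner wants before running mkfs on a production box: it refuses a device that is not a block device, refuses to add a second fstab line for a device or mount point that is already listed, and can be rehearsed with DRY_RUN=1 so every command is printed instead of executed. The graphite path and the fstab line are the guide's; the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example, not PacketFence code: the disk move above as one script with
# safety checks. DRY_RUN=1 prints the commands instead of running them.

GRAPHITE_DIR=/usr/local/pf/var/graphite

# fstab_entry DEV MOUNTPOINT -> the fstab line the guide appends
fstab_entry() {
  printf '%s %s ext4 defaults 1 1\n' "$1" "$2"
}

# fstab_has FSTAB DEV MOUNTPOINT -> 0 if DEV or MOUNTPOINT is already listed
# (a second line for the same device or directory makes mount -a ambiguous)
fstab_has() {
  awk -v d="$2" -v m="$3" '
    $1 !~ /^#/ && ($1 == d || $2 == m) { found = 1 }
    END { exit !found }' "$1"
}

# run CMD... : execute, or only echo the command when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# migrate_graphite DEV [FSTAB] -> moves the whisper database onto DEV
migrate_graphite() {
  dev=$1; fstab=${2:-/etc/fstab}
  if [ "${DRY_RUN:-0}" != 1 ] && [ ! -b "$dev" ]; then
    echo "refusing: $dev is not a block device" >&2; return 1
  fi
  if fstab_has "$fstab" "$dev" "$GRAPHITE_DIR"; then
    echo "refusing: $dev or $GRAPHITE_DIR is already in $fstab" >&2; return 1
  fi
  run service packetfence stop
  run mkfs.ext4 "$dev"                      # destroys everything on DEV
  run mv "$GRAPHITE_DIR" "$GRAPHITE_DIR.bak"
  run mkdir -p "$GRAPHITE_DIR"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '+ append to %s: %s\n' "$fstab" "$(fstab_entry "$dev" "$GRAPHITE_DIR")"
  else
    fstab_entry "$dev" "$GRAPHITE_DIR" >> "$fstab"
  fi
  run mount -a
  run chown pf:pf "$GRAPHITE_DIR"
  run cp -frp "$GRAPHITE_DIR.bak/." "$GRAPHITE_DIR/"
  run service packetfence start
  echo "check the dashboard, then: rm -fr $GRAPHITE_DIR.bak"
}

# Usage: DRY_RUN=1 migrate_graphite /dev/sdb    (rehearsal, changes nothing)
#        migrate_graphite /dev/sdb              (real run, as root)
```

The backup directory is deliberately left in place: only delete it once the dashboard shows the historical graphs from the new mount.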

Chapter 16. Additional Information

For more information, please consult the mailing archives or post your questions to the lists. For details, see:

packetfence-announce@lists.sourceforge.net: public announcements (new releases, security warnings, etc.) regarding PacketFence.

packetfence-devel@lists.sourceforge.net: discussion of PacketFence development.

packetfence-users@lists.sourceforge.net: user and usage discussions.

Chapter 17. Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca for details.

Chapter 18. GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.

Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:

    Usage: pfcmd <command> [options]

    Commands:
     cache                       | manage the cache subsystem
     checkup                     | perform a sanity checkup and report any problems
     class                       | view violation classes
     configfiles                 | push or pull configfiles into/from database
     configreload                | reload the configution
     floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
     help                        | show help for pfcmd commands
     ifoctetshistorymac          | accounting history
     ifoctetshistoryswitch       | accounting history
     ifoctetshistoryuser         | accounting history
     import                      | bulk import of information into the database
     ipmachistory                | IP/MAC history
     locationhistorymac          | Switch/Port history
     locationhistoryswitch       | Switch/Port history
     networkconfig               | query/modify network configuration parameters
     node                        | manipulate node entries
     pfconfig                    | interact with pfconfig
     portalprofileconfig         | query/modify portal profile configuration parameters
     reload                      | rebuild fingerprint or violations tables without restart
     service                     | start/stop/restart and get PF daemon status
     schedule                    | Nessus scan scheduling
     switchconfig                | query/modify switches.conf configuration parameters
     version                     | output version information
     violationconfig             | query/modify violations.conf configuration parameters

    Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

    # /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
    mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
    52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.

Again, when executed without any arguments, a help screen is shown:

    Usage: pfcmd_vlan command [options]

    Command:
     -deauthenticate       de-authenticate a dot11 client
     -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
     -getAlias             show the description of the specified switch port
     -getAllMACs           show all MACS on all switch ports
     -getHubs              show switch ports with several MACs
     -getIfOperStatus      show the operational status of the specified switch port
     -getIfType            show the ifType on the specified switch port
     -getLocation          show at which switch port the MAC is found
     -getSwitchLocation    show SNMP location of specified switch
     -getMAC               show all MACs on the specified switch port
     -getType              show switch type
     -getUpLinks           show the upLinks of the specified switch
     -getVersion           show switch OS version
     -getVlan              show the VLAN on the specified switch port
     -getVlanType          show the VLAN type on the specified port
     -help                 brief help message
     -isolate              set the switch port to the isolation VLAN
     -man                  full documentation
     -reAssignVlan         re-assign a switch port VLAN
     -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
     -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
     -setAlias             set the description of the specified switch port
     -setDefaultVlan       set the switch port to the default VLAN
     -setIfAdminStatus     set the admin status of the specified switch port
     -setVlan              set VLAN on the specified switch port
     -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

    Options:
     -alias           switch port description
     -ifAdminStatus   ifAdminStatus
     -ifIndex         switch port ifIndex
     -mac             MAC address
     -showPF          show additional information available in PF
     -switch          switch description
     -verbose         log verbosity level: 0 fatal messages, 1 warn messages, 2 info messages, 3 debug, 4 trace
     -vlan            VLAN id
     -vlanName        VLAN name (as in switches.conf)

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to captive portal solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer viruses, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single Sign-On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creation and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUIs into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.

Network Integration

VLAN enforcement is pictured in the above diagram (not reproduced in this text version). Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.

Chapter 3. System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.

A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you are missing some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following is a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:

- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up. PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.

Chapter 4. Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with a minimal installation and no additional packages. Then:

- Disable the firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

"Disable the firewall" refers to the distribution's own firewall service: PacketFence generates and manages the iptables ruleset itself (see conf/iptables.conf in the Operating System Best Practices chapter), and a second tool rewriting the same rules would conflict with it. It does not mean the host should be left exposed; keep the server on a restricted management network.

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

    yum update

On a Debian or Ubuntu system, do:

    apt-get update
    apt-get upgrade

Regarding SELinux or AppArmor: even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.

RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

    rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides an RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL/CentOS. In order to use the PacketFence repository:

    yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

The release package is fetched over plain HTTP, so verify its signature (rpm -K on the downloaded file) and confirm that the repository definition it installs has gpgcheck enabled before pulling packages from it.

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (database server, DHCP server, RADIUS server) using:

    yum install perl
    yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian. For Debian 7, in order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8, in order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (database server, DHCP server, RADIUS server) using:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
    sudo apt-get update
    sudo apt-get install packetfence

0x810273C4 is a short (32-bit) key ID, and short IDs can be collided by an attacker who uploads a crafted key to the keyserver; after the import, compare the full fingerprint shown by apt-key finger against the one published by Inverse before running apt-get update. Likewise, the configurator on port 1443 is reachable as soon as the package is installed, so complete it (or firewall it) promptly.

Chapter 5. Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.

Chapter 6. Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network and NATs or routes the traffic, using IPTables/IPSet, to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence gives him an IP address. At this point, the user is marked as unregistered in the ipset session: all Web traffic is redirected to the captive portal and other traffic is blocked. The user has to register through the captive portal, as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through.
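To make the mechanism concrete, here is an added reconstruction (not PacketFence's own rule set, which it generates from conf/iptables.conf with different chain and set names) of the inline access control described above, using ipset and iptables. The set, chain and function names, the portal ports and the DRY_RUN-free "print the commands" style are this example's assumptions. The point to notice is that the registered set is keyed on the (IP, MAC) pair and every ACCEPT and MASQUERADE rule is gated on it with src,src, so a host that reuses an authorised IP with another MAC does not inherit the session; pf_inline_audit checks those two invariants on a rule listing.

```shell
#!/bin/sh
# Added example, not PacketFence's rule set: minimal inline enforcement with
# ipset + iptables. Names and ports are assumptions for this illustration.

# pf_inline_rules INLINE_IF UPLINK_IF PORTAL_IP -> prints the commands that
# build the policy (run them as root on the gateway to apply them)
pf_inline_rules() {
  in_if=$1; out_if=$2; portal=$3
  cat <<EOF
ipset create pf_inline_reg hash:ip,mac -exist
iptables -t nat -N pf_inline_prerouting
iptables -t nat -A PREROUTING -i $in_if -j pf_inline_prerouting
# unregistered (not in the set): web traffic is sent to the captive portal
iptables -t nat -A pf_inline_prerouting -m set ! --match-set pf_inline_reg src,src -p tcp --dport 80 -j DNAT --to-destination $portal:80
iptables -t nat -A pf_inline_prerouting -m set ! --match-set pf_inline_reg src,src -p tcp --dport 443 -j DNAT --to-destination $portal:443
iptables -N pf_inline_forward
iptables -A FORWARD -i $in_if -j pf_inline_forward
# only (ip,mac) pairs present in the set may be forwarded; everything else drops
iptables -A pf_inline_forward -m set --match-set pf_inline_reg src,src -j ACCEPT
iptables -A pf_inline_forward -j DROP
# registered devices are NATed out of the uplink
iptables -t nat -A POSTROUTING -o $out_if -m set --match-set pf_inline_reg src,src -j MASQUERADE
EOF
}

# pf_inline_register IP MAC -> the command that opens a session at registration
pf_inline_register() {
  printf 'ipset add pf_inline_reg %s,%s -exist\n' "$1" "$2"
}

# pf_inline_audit < rules -> prints offending lines and exits 1 if any ACCEPT
# or MASQUERADE rule is not gated on the (ip,mac) set, or the set is not
# keyed on ip,mac; exits 0 when the listing respects both invariants
pf_inline_audit() {
  awk '
    /^iptables/ && /-j (ACCEPT|MASQUERADE)/ && !/--match-set pf_inline_reg src,src/ { print; bad = 1 }
    /^ipset create pf_inline_reg/ && !/hash:ip,mac/ { print; bad = 1 }
    END { exit bad }'
}

# Usage: pf_inline_rules eth1 eth0 192.168.2.1 | pf_inline_audit && echo ok
#        pf_inline_register 192.168.2.10 00:11:22:33:44:55
```

DNS and DHCP for unregistered hosts are served by the gateway itself and therefore pass through INPUT, not FORWARD, which is why the forward chain needs no exception for them. The audit can equally be run on iptables-save output from a live box, after adjusting the set name.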

Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN.
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
- Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.
- Because authorization is tied to the IP/MAC pair of a registered device and all devices share the same Layer 2 segment, a host that spoofs a registered neighbour's addresses inherits its access; inline enforcement cannot detect that the way a per-port technique can.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.

Chapter 7. Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment, since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as the NAS) and an authentication server (known as the AAA server). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e., the client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP variant. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows, Mac OS X and Linux for authentication against AD). With PEAP-MSCHAPv2, the only thing protecting the user's password is the TLS tunnel to the RADIUS server, so supplicants must be configured to validate the server certificate and its CA: a supplicant that skips this check will hand its MSCHAPv2 exchange to any rogue access point or switch, and that exchange can be cracked offline.

In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates into FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication: a MAC address is trivially cloned, so treat a device admitted through MAC authentication as identified rather than authenticated, and keep such devices in a VLAN whose reach reflects that). Using MAC Authentication, devices like network printers or non-802.1X capable IP phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram (not reproduced in this text version) demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. The user initiates an association to the WLAN AP and transmits a MAC address. If the user accesses the network via a device registered in PacketFence, go to 8.

2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. The PacketFence server conducts an address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. The PacketFence server directs the WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that limit/redirect the user to the PacketFence captive portal for registration; alternatively, a registration VLAN can be used, in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is the DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information and MAC address patterns), on which it can take various actions, including: keep the device on the registration portal, direct it to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the requested information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the directory server (or any other authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/re-authorized, so we go back to 1.

8. The PacketFence server directs the WLAN controller via RADIUS to put the device in an "authenticated role", or in the normal VLAN.

Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN, but the PC doesn't do DHCP (it didn't detect the link was down) so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.

Since all of these trap-driven techniques rely on PacketFence reaching the switch over SNMP with write access, use SNMPv3 with authentication and privacy where the switch supports it, and treat the write community or credentials in switches.conf as secrets: they allow VLAN changes on every port PacketFence manages.

Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) or access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you can define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode; PORT specifies the ifIndex of the port which will use inline enforcement; MAC, a MAC address that will be put in inline enforcement rather than VLAN enforcement; and SSID, an SSID name. Triggers are written as type::value and separated by commas. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if one is defined in the switch configuration), and also the client with MAC address 00:11:22:33:44:55, even if it connects on another SSID.


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or for the user using it.

3. network devices - once your roles and authentication sources are defined, you must add the switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices that users belonging to certain roles can register.

Roles are dynamically computed by PacketFence based on the rules (i.e. a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- Email
- External HTTP API
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth2)
- Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can be reordered just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the rule's actions are applied and rule testing stops across all sources, as this is a first-match-wins operation.

When no condition is defined, the rule is considered a fallback. When a fallback is defined, all of its actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles, guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Outside a lab, bind over SSL/TLS (port 636 or STARTTLS): on plain port 389 the bind password and every user lookup cross the network in cleartext. Likewise, use a dedicated read-only service account as the Bind DN rather than Administrator; PacketFence only needs to search the Base DN.

Then we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

- Set role: employee
- Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad2 (source identifiers must be unique; the first source above already uses ad1)
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

- Set role: machineauth
- Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will only match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS sources act as true catch-alls and accept everything they can authenticate, so order them after the directory-backed sources they would otherwise shadow.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
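The evaluation order described above (sources in order, rules within a source in order, first match wins, a rule with no condition acting as a catch-all that still needs the username to exist in directory-backed sources but matches everyone on Kerberos/RADIUS) is easy to get wrong when several sources are stacked. The following Python model is an added example, not PacketFence code: the source names other than ad1, the directory contents, the roles and the condition syntax are constructed for illustration.

```python
"""Model of PacketFence's first-match-wins evaluation of authentication sources.
Added example, not PacketFence code; sample data is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]


@dataclass
class Rule:
    name: str
    # (attribute, operator, value); an empty list makes the rule a catch-all (fallback)
    conditions: List[Tuple[str, str, str]] = field(default_factory=list)
    actions: Dict[str, str] = field(default_factory=dict)

    def matches(self, attrs: Attrs) -> bool:
        """All conditions must hold; no conditions means the rule always matches."""
        for attr, op, expected in self.conditions:
            actual = attrs.get(attr, "")
            if op == "equals" and actual != expected:
                return False
            if op == "starts_with" and not actual.startswith(expected):
                return False
        return True


@dataclass
class Source:
    name: str
    # Given a username, return its attributes, or None when this source does not know it.
    lookup: Callable[[str], Optional[Attrs]]
    rules: List[Rule]


def evaluate(sources: List[Source], username: str) -> Optional[dict]:
    """Walk sources in order, then rules in order; the first matching rule wins
    across all sources and its actions are returned. None means no match."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue  # unknown in this source: even a catch-all rule cannot fire here
        for rule in source.rules:
            if rule.matches(attrs):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None


# --- constructed sample directories -------------------------------------------
AD_USERS = {  # CN=Users, keyed by sAMAccountName
    "jdoe": {"memberOf": "CN=Staff,CN=Users,DC=acme,DC=local"},
    "ccon": {"memberOf": "CN=Contractors,CN=Users,DC=acme,DC=local"},
}
AD_COMPUTERS = {"host/ws01.acme.local": {}}  # CN=Computers, keyed by servicePrincipalName
GUESTS = {"guest42": {}}                       # PacketFence's internal SQL database


def directory(table: Dict[str, Attrs]) -> Callable[[str], Optional[Attrs]]:
    return lambda username: table.get(username)


SOURCES = [
    Source("ad1", directory(AD_USERS), [
        # A conditioned rule placed before the catch-all so contractors are split off first.
        Rule("contractors", [("memberOf", "starts_with", "CN=Contractors,")],
             {"role": "contractor", "unregdate": "2017-01-01"}),
        Rule("employees", [], {"role": "employee", "unregdate": "2020-01-01"}),
    ]),
    Source("ad2", directory(AD_COMPUTERS), [
        Rule("machines", [], {"role": "machineauth", "unregdate": "2020-01-01"}),
    ]),
    Source("local", directory(GUESTS), [
        Rule("guests", [], {"role": "guest", "access_duration": "1D"}),
    ]),
    # Kerberos/RADIUS backends only answer yes/no, so a successful authentication (modelled
    # here as an empty attribute set for anyone) makes a catch-all accept everybody.
    # Keeping such a source last stops it from shadowing the directory-backed ones.
    Source("krb", lambda username: {}, [Rule("anyone", [], {"role": "default"})]),
]
```

Run `evaluate(SOURCES, "ccon")` and `evaluate(SOURCES, "jdoe")` to see the conditioned rule win over the catch-all inside ad1, and compare `evaluate(SOURCES, "nobody")` with `evaluate(SOURCES[:3], "nobody")` to see why the position of a Kerberos or RADIUS source matters.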

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result: should be 1 for success, 0 for failure
- message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}

Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

    {"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API. Use https:// outside a lab: the API credentials below and every user password PacketFence forwards otherwise travel in cleartext.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
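The following is an added example of the server side of this contract, written here for illustration; it is neither PacketFence's code nor the example_external_auth add-on. It assumes the POST fields are named username and password (check the add-on shipped with your version for the exact names), uses a constructed user table with salted PBKDF2 hashes, and enforces the optional HTTP basic authentication with constant-time comparisons. Everything runs in-process through the standard library's WSGI interface, so no network is needed to exercise it.

```python
"""External HTTP authentication/authorization API in the shape PacketFence's
HTTP source expects. Added example, not PacketFence code. Assumptions: POST
fields 'username'/'password'; constructed users, salt and API credentials."""
import base64
import hashlib
import hmac
import io
import json
from urllib.parse import parse_qs, urlencode
from wsgiref.simple_server import make_server

_SALT = b"constructed-salt"  # constructed; use a per-user random salt in a real store


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed credential store: only the attributes PacketFence understands are kept.
USERS = {
    "alice": {"hash": _hash("correct horse"), "category": "employee", "access_duration": "12h"},
    "bob": {"hash": _hash("battery staple"), "category": "guest",
            "access_duration": "1D", "unregdate": "2030-01-01"},
}
# Credentials configured in the source's "API username and password" fields (constructed).
API_USER, API_PASS = "packetfence", "constructed-api-secret"
ALLOWED = ("access_duration", "access_level", "sponsor", "unregdate", "category")


def check_basic_auth(header):
    """Validate 'Authorization: Basic base64(user:pass)' without timing leaks."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(pw, API_PASS)


def authentication(form):
    """Authentication action: {"result": 1|0, "message": ...}."""
    user = USERS.get(form.get("username", ""))
    candidate = _hash(form.get("password", ""))  # hash even for unknown users (uniform timing)
    if user and hmac.compare_digest(user["hash"], candidate):
        return {"result": 1, "message": "Valid username and password"}
    return {"result": 0, "message": "Invalid username or password"}


def authorization(form):
    """Authorization action: only the attributes PacketFence accepts, only those set."""
    user = USERS.get(form.get("username", ""), {})
    return {k: user[k] for k in ALLOWED if k in user}


ROUTES = {"/auth": authentication, "/authz": authorization}


def app(environ, start_response):
    if not check_basic_auth(environ.get("HTTP_AUTHORIZATION")):
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="pf"')])
        return [b""]
    handler = ROUTES.get(environ.get("PATH_INFO"))
    if environ.get("REQUEST_METHOD") != "POST" or handler is None:
        start_response("404 Not Found", [("Content-Type", "application/json")])
        return [b"{}"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode()
    form = {k: v[0] for k, v in parse_qs(raw).items()}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(handler(form)).encode()]


def call(path, form, auth=(API_USER, API_PASS)):
    """Drive the WSGI app in-process; returns (status line, parsed JSON or None)."""
    body = urlencode(form).encode()
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    status = []
    raw = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Front this with TLS (or a reverse proxy terminating TLS) before pointing PacketFence at it.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

With this server, the PacketFence HTTP source would use Host https://api.example.com:8443 (an assumed name), Authentication URL auth and Authorization URL authz; the leading slash is added by PacketFence.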

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata onto the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then transfer the certificate and CA certificate of the Identity Provider onto the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated with the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred onto the server above (should be /usr/local/pf/conf/ssl/idp.crt).

Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred onto the server above (should be /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document explains how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link "Download Service Provider metadata" on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list. Keep that list to the exact hostnames the login flow needs: everything listed there is reachable from the registration VLAN before a device has authenticated.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576. Since that secret is the only thing authenticating a CoA or Disconnect-Request to the switch, use a long random value per switch rather than a dictionary phrase like the one above, and restrict which source addresses the switch accepts dynamic authorization from.
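To make concrete what the shared secret protects, the following added example (not PacketFence code) builds a Disconnect-Request the way RFC 5176, which obsoletes the RFC 3576 cited above, specifies it: the Request Authenticator is MD5 over the packet with a zeroed authenticator field followed by the secret, and the NAS answers with an ACK or NAK whose Response Authenticator chains to the request. The MAC address, NAS address, identifier and secret are constructed; both sides of the exchange run in-process.

```python
"""RADIUS Dynamic Authorization (RFC 5176) Disconnect-Request/ACK/NAK with the
shared-secret authenticators computed and verified on both sides.
Added example, not PacketFence code; all addresses and secrets are constructed."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS TLV stream (type, length, value)."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def _header(code, ident, length, authenticator):
    return struct.pack("!BBH", code, ident, length) + authenticator


def build_request(code, ident, attrs, secret):
    body = encode_attrs(attrs)
    length = 20 + len(body)
    # RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)
    auth = hashlib.md5(_header(code, ident, length, bytes(16)) + body + secret).digest()
    return _header(code, ident, length, auth) + body


def verify_request(packet, secret):
    """NAS-side check: recompute the Request Authenticator with the zeroed field."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(_header(code, ident, length, bytes(16)) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attrs, secret):
    body = encode_attrs(attrs)
    length = 20 + len(body)
    ident, request_auth = request[1], request[4:20]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    auth = hashlib.md5(_header(code, ident, length, request_auth) + body + secret).digest()
    return _header(code, ident, length, auth) + body


def verify_response(response, request, secret):
    """Client-side check: the response must chain to our request's authenticator and ID."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(_header(code, ident, length, request[4:20]) + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def disconnect_exchange(secret, nas_secret=None):
    """Run both sides in-process. Returns (request accepted by NAS, response code,
    response accepted by client). A NAS configured with a different secret rejects
    the request and its NAK is in turn rejected by the client."""
    nas_secret = nas_secret or secret
    request = build_request(DISCONNECT_REQUEST, 7, [
        (USER_NAME, b"00:11:22:33:44:55"),                  # constructed MAC (PacketFence sends the MAC here)
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (NAS_IP_ADDRESS, socket.inet_aton("192.168.0.1")),  # constructed NAS address
    ], secret)
    accepted = verify_request(request, nas_secret)
    code = DISCONNECT_ACK if accepted else DISCONNECT_NAK  # a real NAK would carry Error-Cause (101)
    response = build_response(code, request, [], nas_secret)
    return accepted, response[0], verify_response(response, request, secret)
```

The authenticators are MD5-based and unkeyed beyond the secret, so an attacker who can observe a Disconnect-Request and guess the secret offline can forge session teardowns; this is why the secret's length and randomness matter more than with plain Access-Request flows, where a weak secret also exposes User-Password.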

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence. When you do use SNMPv3, prefer authPriv with SHA authentication and AES privacy wherever the switch supports them; the examples below use MD5/AES as in the original configuration.

From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH, which is preferred since Telnet sends the credentials below in cleartext. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <role_name>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirect URL will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine, where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.

Example with the most common ones:

- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1X connection or if you use VLAN filters.
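The following added example (not PacketFence code) models how a connection is matched against portal profile filters of the kinds listed above: profiles are tried in profiles.conf order and the first whose filter matches wins, otherwise the default profile applies. The type:value encoding of the filter, the profile names, the source IDs and the connection records are constructed for illustration; the Network filter accepts either a single address or a CIDR range, as the text states.

```python
"""Portal profile selection by filter, first match wins, default as fallback.
Added example, not PacketFence code; the 'type:value' filter encoding and all
profile/source names below are constructed."""
import configparser
import ipaddress

PROFILES_CONF = """
[default]
description = default portal profile
sources = local

[guest-wifi]
description = guests on the open SSID
filter = ssid:Guest-SSID
sources = sms,email

[voip-vlan]
description = phones land on VLAN 100
filter = vlan:100
sources = null

[lobby-port]
description = kiosk plugged into port 12 of the lobby switch
filter = switch_port:192.168.0.50-12
sources = null

[lab-network]
description = anything arriving from the lab subnet
filter = network:10.42.0.0/16
sources = ad1
"""


def load_profiles(text):
    """Returns [(name, {key: value})] in file order; configparser keeps section order."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [(name, dict(cp[name])) for name in cp.sections()]


def filter_matches(filter_spec, conn):
    """filter_spec like 'ssid:Guest-SSID'; conn describes the connecting device."""
    ftype, _, value = filter_spec.partition(":")
    if ftype == "ssid":
        return conn.get("ssid") == value
    if ftype == "vlan":
        return str(conn.get("vlan")) == value
    if ftype == "switch_port":
        return f"{conn.get('switch')}-{conn.get('port')}" == value
    if ftype == "node_role":
        return conn.get("role") == value
    if ftype == "network":
        # A bare address is a /32 (or /128) network; strict=False tolerates host bits set.
        try:
            return ipaddress.ip_address(conn["ip"]) in ipaddress.ip_network(value, strict=False)
        except (KeyError, ValueError):
            return False  # no IP known yet, or an unparsable filter value: never match
    raise ValueError(f"unknown filter type {ftype!r}")


def select_profile(profiles, conn):
    """Returns (profile name, list of source IDs). The default profile has no
    filter and is only used when nothing else matched."""
    for name, prof in profiles:
        if name == "default" or "filter" not in prof:
            continue
        if filter_matches(prof["filter"], conn):
            return name, prof["sources"].split(",")
    return "default", dict(profiles)["default"]["sources"].split(",")
```

Note the ordering effect in the test cases: a phone on VLAN 100 that also sits in 10.42.0.0/16 gets voip-vlan, not lab-network, because voip-vlan is listed first; reorder the sections if the network filter should take precedence.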

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d.

In this directory, you have four important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.

Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator. It is only needed to join the server to the domain, so an account delegated the right to create and manage computer objects in the target OU is the least-privilege alternative to a standing domain administrator.

Password is the password for the username defined above.

Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the corresponding realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, they will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated with this realm.

Now create the two other realms associated with your other domains.

You should now have a realm for the DNS name and one for the workgroup of each domain.

Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start Samba and join the machine to the domain:

    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
            User-Name = "myDomainUser"
            NAS-IP-Address = 10.0.0.1
            NAS-Port = 12
            Message-Authenticator = 0x00000000000000000000000000000000
            MS-CHAP-Challenge = 0x79d62c9da4e55104
            MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Since these passwords are stored in cleartext, keep the file readable only by the user running radiusd.

Option 3: EAP authentication against OpenLDAP

To authenticate 802.1X connections against OpenLDAP, you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and make sure that the user password is defined as an NT hash or as cleartext.

    ldap openldap {
            server = "ldap.acme.com"
            identity = "uid=admin,dc=acme,dc=com"
            password = "password"
            basedn = "dc=district,dc=acme,dc=com"
            filter = "(uid=%{mschap:User-Name})"
            ldap_connections_number = 5
            timeout = 4
            timelimit = 3
            net_timeout = 1
            tls {
            }
            dictionary_mapping = ${confdir}/ldap.attrmap
            edir_account_policy_check = no
            keepalive {
                    # LDAP_OPT_X_KEEPALIVE_IDLE
                    idle = 60
                    # LDAP_OPT_X_KEEPALIVE_PROBES
                    probes = 3
                    # LDAP_OPT_X_KEEPALIVE_INTERVAL
                    interval = 3
            }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

    authorize {
            suffix
            ntdomain
            eap {
                    ok = return
            }
            files
            openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration

This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS...) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.

Note

This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
            # Disable ntlm_auth
            update control {
                    &MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    # Check password table with email and password for a guest registration
                    pfguest
                    if (fail || notfound) {
                            # Check password table with email and password for a sponsor registration
                            pfsponsor
                            if (fail || notfound) {
                                    # Don't check activation table with phone number and PIN code
                                    #pfsms   <--- This line was commented out
                                    if (fail || notfound) {
                                            update control {
                                                    &MS-CHAP-Use-NTLM-Auth := Yes
                                            }
                                    }
                            }
                    }
            }
    }

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.

Chapter9

Copyrightcopy2016Inverseinc Configuration 43

Editusrlocalpfraddbsites-availablepacketfence-tunnel

InthisexampleweactivatethisfeatureonaspecificSSIDname(Secure-local-Wireless)disabledbydefaultNTLMAuthandtestlocalaccountIfitfailledthenwereactivateNTLMAuth

Activate local user eap authentication based on a specific SSID Set Called-Station-SSID with the current SSID setcalled_station_ssid if (Called-Station-SSID == Secure-local-Wireless) Disable ntlm_auth update control MS-CHAP-Use-NTLM-Auth = No Check password table for local user pflocal if (fail || notfound) update control MS-CHAP-Use-NTLM-Auth = Yes

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
    User-Name = "dd9999"
    User-Password = "Abcd1234"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied, in a chained way, to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined. Ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

  Billing: Allows to define a module based on one or more billing sources.

  Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

  Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, …).

  Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

Prompting for fields without authentication

Prompting additional fields during the authentication

Chained authentication

Mixing login and Secure SSID on-boarding on the portal

Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, …).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, …) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then, we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option, since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should they choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source to gain access to the network, or directly using provisioning in order to configure your device for the Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World. <a href="https://www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the perl class name of the sources you want available.

ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, …).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log - PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access - Apache - Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error - Apache - Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access - Apache - Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error - Apache - Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access - Apache - Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error - Apache - Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access - Apache - AAA Access Log
/usr/local/pf/logs/httpd.aaa.error - Apache - AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 MAC address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch, that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones. (On the first connect, the phone will be assigned on the registration VLAN.)


Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,android.clients.google.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Launching the application and clicking configure will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

Billing source(s)

Billing tier(s)

Configuring a billing source

First select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or at https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below:

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

Identity token is the one you noted when on the Website Payment Preferences page.
Cert ID is the one you noted when on the Encrypted Payment Settings page.
Payment type is whether the access is donation based (not mandatory to pay for it).
Email address is the email address of the merchant Paypal account.
Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
Key file is the path to the PacketFence certificate key (/usr/local/pf/conf/ssl/server.key by default).
Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
Currency is the currency that will be used in the transactions.
Test mode should be activated if you are using a sandbox account.

Stripe

Stripe account

First go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click Your account then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

Secret key is the secret key you got from your Stripe account.
Publishable key is the publishable key you got from your Stripe account.
Style is whether you are doing a one-time charge or subscription based billing (recurring). See section Subscription based registration below for details on how to configure it.
Currency is the currency that will be used in the transactions.
Test mode should be activated if you are using the test key and secret of the account.

Authorize.net

Creating an account

First go on https://account.authorize.net to sign up for a merchant account or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

API login ID is the one you got earlier while creating your account.
Transaction key is the one you got earlier while creating your account.
MD5 hash is the one you configured in your Authorize.net account.
Currency is the currency that will be used in the transactions.
Test mode should be activated if you are using a sandbox account.

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click Add billing tier and configure it.

Where:

Billing tier is the unique identifier of the billing tier.
Name is the friendly name of the billing tier.
Description is an extended description of the billing tier.
Price is the amount that will be charged to the user.
Access duration is the amount of time the user will be granted access to your network.
Role is the target role the user should be in.
Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=Click here for the advanced plan
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.


Where:

ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.

Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.

Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.

Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
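A check worth running before the plans go live, added here as an example that is not PacketFence or Stripe code: it reads billing tiers in the ini layout shown above and compares them with Stripe plan objects (a constructed sample, shaped like the API's plan objects, where "amount" is in the smallest currency unit, i.e. cents for USD), reporting the ID, amount, currency and interval mismatches this section says must not happen.

```python
"""Added example (not PacketFence or Stripe code): check that every PacketFence
billing tier has a Stripe plan with the same ID, price, currency and the monthly
interval used in this section.  The tier text follows the pf ini layout shown
above; the Stripe plans are a constructed sample shaped like the API's plan
objects, where "amount" is in the smallest currency unit (cents for USD)."""
import configparser
from decimal import Decimal
from typing import Dict, List

# Constructed sample: the two tiers from this section, in pf ini layout.
BILLING_TIERS_INI = """
[simple]
name=Simple network access
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed Stripe plans; "advanced" deliberately uses the wrong currency
# so the check has something to report.
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 999, "currency": "cad", "interval": "month"},
]


def load_tier_prices(ini_text: str) -> Dict[str, Decimal]:
    """Map billing tier identifier -> price, parsed exactly (no float rounding)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {tier: Decimal(cp[tier]["price"]) for tier in cp.sections()}


def check_plans(ini_text: str, plans: List[dict], source_currency: str,
                expected_interval: str = "month") -> List[str]:
    """Return one message per mismatch; an empty list means everything lines up.

    source_currency is the currency configured on the Stripe source in
    PacketFence, which every plan must use.
    """
    tiers = load_tier_prices(ini_text)
    plans_by_id = {plan["id"]: plan for plan in plans}
    problems = []
    for tier_id, price in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:
            problems.append(f"{tier_id}: no Stripe plan with this ID")
            continue
        # Stripe stores amounts in the smallest unit of a two-decimal currency.
        expected_amount = int(price * 100)
        if plan["amount"] != expected_amount:
            problems.append(f"{tier_id}: Stripe amount {plan['amount']} != {expected_amount}")
        if plan["currency"].lower() != source_currency.lower():
            problems.append(f"{tier_id}: currency {plan['currency']} != {source_currency}")
        if plan.get("interval") != expected_interval:
            problems.append(f"{tier_id}: interval {plan.get('interval')} != {expected_interval}")
    # A plan with no tier would let users buy something PacketFence cannot grant.
    for extra in sorted(plans_by_id.keys() - tiers.keys()):
        problems.append(f"{extra}: Stripe plan has no billing tier in PacketFence")
    return problems


if __name__ == "__main__":
    for line in check_plans(BILLING_TIERS_INI, STRIPE_PLANS, "usd") or ["all plans match"]:
        print(line)
```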

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe.

Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs1
}

client tlrs2.eduroam.us {
    secret = useStrongerSecret
    shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
    type = auth
    ipaddr = 257.128.1.1
    port = 1812
    secret = useStrongerSecret
    require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
    type = fail-over
    home_server = tlrs1.eduroam.us
    home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either as a DOMAIN\ prefix or as a @suffix of the username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
    auth_pool = eduroam
    nostrip
}
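The realm selection just described, modelled as an added example that is not code from the PacketFence guide or from FreeRADIUS: it mirrors the ntdomain module (prefix, delimiter "\", ignore_null = yes) and the suffix module (delimiter "@") run in that order, and the NULL, EXAMPLE, example.edu and DEFAULT realms of the proxy.conf above, including the nostrip behaviour of DEFAULT. Realm names are compared exactly; case handling and the other realm module options are simplified.

```python
"""Model of the eduroam realm selection above (added example, not PacketFence
or FreeRADIUS code).  It mirrors the ntdomain module (prefix, delimiter "\\",
ignore_null = yes) and the suffix module (delimiter "@") run in that order,
plus the four realms NULL, EXAMPLE, example.edu and DEFAULT of proxy.conf.
Realm names are compared exactly; case handling is simplified."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Realms with no auth_pool in the proxy.conf example: handled locally.
LOCAL_REALMS = {"EXAMPLE", "example.edu"}
# home_server_pool named by the DEFAULT realm.
EDUROAM_POOL = "eduroam"


@dataclass(frozen=True)
class Decision:
    realm: str               # realm FreeRADIUS would select
    action: str              # "local" or "proxy"
    pool: Optional[str]      # home_server_pool used when proxying
    user_name: str           # User-Name handed to the next modules


def split_realm(user_name: str) -> Tuple[Optional[str], str]:
    """Return (domain, bare user) the way ntdomain then suffix would.

    ntdomain runs first in the authorize section, so in this model a
    DOMAIN\\user prefix is taken and a later @suffix is not considered.
    An empty prefix ("\\bob") is ignored because of ignore_null = yes.
    The suffix module splits at the last "@", the prefix at the first "\\".
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        if domain:
            return domain, user
        user_name = user
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        if domain:
            return domain, user
    return None, user_name


def select_realm(user_name: str) -> Decision:
    """Decide where FreeRADIUS sends the request for this User-Name."""
    domain, user = split_realm(user_name)
    if domain is None:
        # No prefix or suffix: realm NULL, authenticated locally.
        return Decision("NULL", "local", None, user)
    if domain in LOCAL_REALMS:
        # Local realm without nostrip: the realm part is removed before
        # the request reaches the authentication modules.
        return Decision(domain, "local", None, user)
    # Any other domain is a visitor from another institution: the DEFAULT
    # realm proxies to the eduroam pool, and nostrip keeps the full
    # User-Name so the home institution can route on it.
    return Decision("DEFAULT", "proxy", EDUROAM_POOL, user_name)


if __name__ == "__main__":
    for name in ("bob", "EXAMPLE\\bob", "bob@example.edu", "alice@other.ac.uk"):
        print(name, "->", select_realm(name))
```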

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( Called-Station-Id !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := local
        #    }
        #}

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }
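The realm decision the configuration above makes can be checked before it reaches the RADIUS server. The Python below is an added example, not PacketFence or FreeRADIUS code: it reimplements the ntdomain/suffix lookup, the proxy.conf realm table and the optional Called-Station-Id block from the authorize section, so an administrator can list which usernames would be forwarded to the eduroam pool and which stay local. The local realm names and the tlrs1/tlrs2 client names are the ones used in this section; comparing realm names case-insensitively is an assumption of this example.

```python
import re

# Realms that authenticate locally (no auth_pool), from the proxy.conf example above.
LOCAL_REALMS = ("EXAMPLE", "example.edu")
# Any other realm falls through to DEFAULT, whose auth_pool is the eduroam server pool.
EDUROAM_POOL = "eduroam"
# RADIUS clients that are the eduroam servers, from the packetfence-tunnel example above.
EDUROAM_CLIENTS = ("tlrs1", "tlrs2")


def find_realm(username):
    """Mimic ntdomain then suffix: return (user, realm), realm None when nothing is found."""
    if "\\" in username:                 # ntdomain: DOMAIN\user
        domain, user = username.split("\\", 1)
        return user, domain
    if "@" in username:                  # suffix: user@realm
        user, domain = username.rsplit("@", 1)
        return user, domain
    return username, None                # REALM is NULL


def route_request(username, called_station_id=None, block_other_ssids=False):
    """Decide where the authorize section sends a request.

    Returns the realm that matched, the pool the request is proxied to (None when it is
    handled locally by FreeRADIUS/PacketFence) and the User-Name the home server sees.
    """
    user, realm = find_realm(username)
    if realm is None:
        decision = {"realm": "NULL", "proxy_to": None, "user_name": user}
    else:
        # Assumption: FreeRADIUS compares realm names case-insensitively.
        local = next((r for r in LOCAL_REALMS if r.lower() == realm.lower()), None)
        if local:
            decision = {"realm": local, "proxy_to": None, "user_name": user}
        else:
            # DEFAULT has nostrip, so the full User-Name is forwarded to eduroam.
            decision = {"realm": "DEFAULT", "proxy_to": EDUROAM_POOL, "user_name": username}
    # The commented-out block in the authorize section: on SSIDs whose Called-Station-Id
    # does not end in "eduroam", force Proxy-To-Realm := local so nothing leaves the site.
    if block_other_ssids and called_station_id is not None:
        if not re.search(r"eduroam$", called_station_id, re.IGNORECASE):
            decision["proxy_to"] = None
            decision["forced_local"] = True
    return decision


def runs_packetfence_post_auth(client_shortname):
    """post-auth: PacketFence is skipped for requests answered by the eduroam servers."""
    return client_shortname not in EDUROAM_CLIENTS
```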

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside of PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows: daily fingerprints database updates; sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database; querying the global upstream database in the case of an unknown match; and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user or organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like before it was plugged.

How it works

Configuration

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device

IP Address: IP address of the floating device (not required, for information only)

trunkPort: Yes/no. Should the port be configured as a multi-vlan port?

pvid: VLAN in which PacketFence should put the port

taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication

Note: OAuth2 authentication does not work with Webauth enforcement.

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and the Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and, when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (the IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled


    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
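Before restarting dhcpd on a configuration like the one above, it is worth checking that every routed network is internally consistent. The Python below is an added example, not a PacketFence tool: it reads pf.conf and networks.conf text in the INI layout shown in this section and reports networks whose DHCP pool or gateway falls outside the subnet, routed networks that lack a next_hop, and networks whose dns= does not point at an internal PacketFence interface (so pfdns could never redirect those clients). The sample configuration is constructed from this section's examples; the consistency rules are this example's own, not rules PacketFence itself enforces.

```python
import configparser
import ipaddress

# Constructed sample, copied from the pf.conf interfaces shown in this section.
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

# Constructed sample: one local and one routed registration network from this section.
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
"""


def read_ini(text):
    """PacketFence's conf files use plain INI syntax; '=' is the only delimiter used here."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp


def internal_ips(pf_conf_text):
    """IPs of the type=internal interfaces: the only ones dhcpd and pfdns listen on."""
    cp = read_ini(pf_conf_text)
    return {cp[s]["ip"] for s in cp.sections()
            if s.startswith("interface ") and cp[s].get("type") == "internal"}


def validate_networks(networks_text, internal):
    """Return a list of findings; an empty list means the networks look consistent."""
    findings = []
    cp = read_ini(networks_text)
    for name in cp.sections():
        sec = cp[name]
        try:
            net = ipaddress.ip_network(f"{name}/{sec['netmask']}")
        except ValueError as exc:
            findings.append(f"{name}: bad network/netmask ({exc})")
            continue
        gw = ipaddress.ip_address(sec["gateway"])
        start = ipaddress.ip_address(sec["dhcp_start"])
        end = ipaddress.ip_address(sec["dhcp_end"])
        if gw not in net:
            findings.append(f"{name}: gateway {gw} is outside {net}")
        if not (start in net and end in net and start <= end):
            findings.append(f"{name}: DHCP pool {start}-{end} is not inside {net}")
        elif start <= gw <= end:
            findings.append(f"{name}: gateway {gw} lies inside the DHCP pool")
        # A gateway that is not a PacketFence internal interface means the network is
        # routed: dhcpd then needs next_hop to know which router relayed the request.
        if str(gw) not in internal and not sec.get("next_hop"):
            findings.append(f"{name}: routed network without next_hop")
        # Clients must be handed a PacketFence interface as DNS, or pfdns never sees them.
        if sec.get("dns") not in internal:
            findings.append(f"{name}: dns {sec.get('dns')} is not an internal interface IP")
    return findings
```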


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = soh-server

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start= auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start= auto depend= napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or by using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout (the condition references the [open] rule defined here, not the [ssid] rule of the first example, which matches SECURE):

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:

- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
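The vlan_filters.conf and radius_filters.conf rules above share one syntax: named [filter] sections, and [id:expr] condition sections that AND those filters together, with a leading ! negating a term. The Python below is an added example, not PacketFence's filter engine: it parses that syntax and evaluates it against a dict describing the connection, so a rule can be dry-run before it is deployed. The sample rules are the first VLAN example and the first RADIUS example from this chapter; supporting only & and !, only the is and defined operators, and reading the time value as a Time::Period-style 'wd {..} hr {..}' expression with an inclusive hour range are assumptions of this example.

```python
import configparser
import re
from datetime import datetime

# Constructed sample: the first VLAN filter example from this chapter.
VLAN_FILTERS = """
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""

# Constructed sample: the first RADIUS filter example (note the negated term).
RADIUS_FILTERS = """
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept
"""

WEEKDAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # datetime.weekday() order


def parse_hour(token):
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12, '14' -> 14."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)?", token.strip().lower())
    hour = int(m.group(1)) % 12 if m.group(2) else int(m.group(1))
    return hour + 12 if m.group(2) == "pm" else hour


def time_matches(spec, when):
    """Assumed Time::Period-style 'wd {Mon Tue} hr {11am-2pm}': weekday list, inclusive hours."""
    wd = re.search(r"wd\s*\{([^}]*)\}", spec)
    hr = re.search(r"hr\s*\{([^}]*)\}", spec)
    days = [d[:3].lower() for d in wd.group(1).split()] if wd else WEEKDAYS
    start, end = (parse_hour(t) for t in hr.group(1).split("-")) if hr else (0, 23)
    return WEEKDAYS[when.weekday()] in days and start <= when.hour <= end


def lookup(ctx, path):
    """Resolve dotted filters such as node_info.category or owner.pid; None when absent."""
    for part in path.split("."):
        ctx = ctx.get(part) if isinstance(ctx, dict) else None
    return ctx


def rule_matches(rule, ctx):
    """Evaluate one [name] rule section against the connection context."""
    if rule["filter"] == "time":
        return time_matches(rule["value"], ctx["time"])
    actual, op = lookup(ctx, rule["filter"]), rule.get("operator", "is")
    if op == "defined":
        return actual is not None
    if op == "is":
        return actual is not None and str(actual) == rule["value"]
    raise ValueError("unsupported operator: " + op)


def evaluate(conf_text, scope, ctx):
    """Return the settings of the first [id:expr] condition that holds for scope, else None."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    rules = {s: dict(cp[s]) for s in cp.sections() if "filter" in cp[s]}
    for name in cp.sections():
        if ":" not in name or cp[name].get("scope") != scope:
            continue
        terms = name.split(":", 1)[1].split("&")  # a leading '!' negates the rule
        if all(rule_matches(rules[t.lstrip("!")], ctx) != t.startswith("!") for t in terms):
            return {k: v for k, v in cp[name].items() if k != "scope"}
    return None


def demo():
    """Dry-run both samples against constructed connections (2016-06-13 is a Monday)."""
    ctx = {"node_info": {"category": "default"}, "ssid": "SECURE", "time": datetime(2016, 6, 13, 12)}
    eap = {"connection_type": "Ethernet-EAP"}
    return {
        "vlan_hit": evaluate(VLAN_FILTERS, "RegisteredRole", ctx),
        "vlan_sunday": evaluate(VLAN_FILTERS, "RegisteredRole", dict(ctx, time=datetime(2016, 6, 12, 12))),
        "radius_clean": evaluate(RADIUS_FILTERS, "returnRadiusAccessAccept", eap),
        "radius_violation": evaluate(RADIUS_FILTERS, "returnRadiusAccessAccept", dict(eap, violation="1300003")),
    }
```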


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (core switch, firewall, router, …)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.


Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 filestore log entries to PacketFence:

    # PacketFence OPSWAT Metadefender Cloud integration
    # This line specifies where the files-json.log file is located
    # -> Make sure to configure the right path along with the right filename
    source s_suricata_files { file("/MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
    # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514
    # -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
    log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 94

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

    if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

Type: metascan
Triggers ID: The scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is an Ubuntu-based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor alerts. syslog is used to forward sensor alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

    # PacketFence IDS integration
    # This line specifies where the sguild.log file is located. -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
    source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
    # This line filters on the string "Alert Received"
    filter f_sguil { match("Alert Received"); };
    # This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514. -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
    log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

    service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

    $ModLoad imudp
    $UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

    if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
    & ~

Make sure the receiving alert pipe (FIFO) exists:

    mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

    service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full use of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

Type: detect
Triggers ID: The IDS triggered rule ID

Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of that violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where:

Enabled is whether or not the violation is currently activated (should be ON).
Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.

Description is the user-friendly description of the violation.
Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node.

Send email to owner will email the violation details to the owner of the device. This will only work if the person has its email field populated.

Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr values can be separated by commas.

Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.

Log message will log the violation in the log file defined in [alerting].log.

External command will execute a command on the operating system when this violation is raised.

Close a violation will close an existing violation for this device when this one is raised.

Set role will modify the role of the device.


Enforce provisioning will trigger a compliance check on the provisioners defined for the device.

Priority defines the order in which violations should be handled should there be more than one for a device.

Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After that many times, the user will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.

Delay by is the delay before triggering the violation.
Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. This means, for example, that you can activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.

Note
You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: Even if auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma-delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and write a rule, you can use a third-party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed
logged_user
Process_Running

Let's take the Software_Installed rule:

    request: select * from Win32_Product

Rules Actions:

    [Google]
    attribute = Caption
    operator = match
    value = Google

    [1:Google]
    action = trigger_violation
    action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matches, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

    request: select UserName from Win32_ComputerSystem


Rules Actions:

    [UserName]
    attribute = UserName
    operator = match
    value = (.*)

    [1:UserName]
    action = dynamic_register_node
    action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged-in user on the device and register the device based on that user account.

The last one, Process_Running:

    request: select Name from Win32_Process

Rules Actions:

    [explorer]
    attribute = Name
    operator = match
    value = explorer.exe

    [1:explorer]
    action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand.

The request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like this: [1:!google|(explorer&memory)], which means "if not google, or (explorer and memory)".
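To make the test-bloc operators and the action-bloc logic concrete, here is an added example (not part of the guide, and not PacketFence's own WMI scan code) that evaluates test blocs over constructed rows from a "select Name from Win32_Process" request and then parses action headers such as [1:!google|(explorer&memory)]. The "memory" test bloc, the "any row satisfies" reading of is/match and the operator precedence (! before & before |) are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed rows standing in for what "select Name from Win32_Process"
# would return on a scanned device (sample data, not real scan output).
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"Name": "explorer.exe"},
    {"Name": "svchost.exe"},
    {"Name": "chrome.exe"},
]

# Test blocs in the guide's syntax ([name] / attribute / operator / value).
# "memory" is a hypothetical extra bloc used only to exercise the logic.
TEST_BLOCS = {
    "explorer": {"attribute": "Name", "operator": "match", "value": "explorer.exe"},
    "google":   {"attribute": "Name", "operator": "match", "value": "Google"},
    "memory":   {"attribute": "Name", "operator": "is",    "value": "svchost.exe"},
}

# Action bloc headers "[<id>:<logic>]"; the action bodies are left out here.
ACTION_HEADERS = ["[1:google&explorer]", "[1:!google|(explorer&memory)]"]


def run_test_bloc(bloc: Dict[str, str], rows: List[Dict[str, str]]) -> bool:
    """Evaluate one test bloc over every row the request returned.
    Assumption: is/match hold when at least one row satisfies them,
    is_not/match_not hold when no row equals/matches the value."""
    attr, op, value = bloc["attribute"], bloc["operator"], bloc["value"]
    seen = [str(row.get(attr, "")) for row in rows]
    if op == "is":
        return any(v == value for v in seen)
    if op == "is_not":
        return not any(v == value for v in seen)
    if op == "match":
        return any(re.search(value, v) for v in seen)
    if op == "match_not":
        return not any(re.search(value, v) for v in seen)
    raise ValueError(f"unknown operator {op!r}")


def evaluate_logic(expr: str, results: Dict[str, bool]) -> bool:
    """Evaluate an action-bloc expression like '!google|(explorer&memory)'
    with a small recursive-descent parser ('!' > '&' > '|')."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*|[!&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unexpected characters in {expr!r}")
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or() -> bool:
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()  # always parse the right side, never short-circuit
            value = value or rhs
        return value

    def parse_and() -> bool:
        value = parse_not()
        while peek() == "&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        tok = peek()
        if tok is None:
            raise ValueError(f"unexpected end of expression in {expr!r}")
        if tok == "!":
            take()
            return not parse_not()
        if tok == "(":
            take()
            value = parse_or()
            if take() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            return value
        take()
        if tok not in results:
            raise ValueError(f"unknown test bloc {tok!r}")
        return results[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def fired_actions(rows, test_blocs, action_headers) -> List[str]:
    """Return the action headers whose logic is true for these rows."""
    results = {name: run_test_bloc(bloc, rows) for name, bloc in test_blocs.items()}
    fired = []
    for header in action_headers:
        m = re.fullmatch(r"\[(\d+):(.+)\]", header)
        if not m:
            raise ValueError(f"bad action header {header!r}")
        if evaluate_logic(m.group(2), results):
            fired.append(header)
    return fired
```

With the sample rows, google is false and explorer and memory are true, so only the second header fires.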

Violations definition

You need to create a new violation section and specify:

Using Nessus:

    trigger=Nessus::<violationId>

Using OpenVAS:

    trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation-related database contents using:

    $ pfcmd reload violations

Note
Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus/OpenVAS remotely

Because of the CPU-intensive nature of an automated vulnerability assessment, we recommend that it be hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

    Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

    Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

    Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:


    Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to set it too low (i.e. a user re-enables his network and gets caught again after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
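As an added example (not PacketFence's own accounting code), the following parses Accounting:: triggers in the format described above, sums constructed accounting rows over the trigger's window to decide whether the limit is exceeded, and derives the grace period of one interval window recommended above. The byte multipliers (1 KB = 1024 B), the month (30 days) and year (365 days) lengths, and the sample records are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Byte multipliers for the LIMIT units the guide lists (B, KB, MB, GB, PB).
# Assumption: binary multiples (1 KB = 1024 B).
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Window lengths in days for the INTERVAL units (D, W, M, Y).
# Assumption: a month counts as 30 days and a year as 365 days.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

# Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]
TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


def parse_trigger(trigger: str) -> dict:
    """Split e.g. 'Accounting::IN50GB1M' into direction, limit in bytes, window in days."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not an accounting trigger: {trigger!r}")
    direction, amount, unit, window_n, window_unit = m.groups()
    return {
        "direction": direction,
        "limit_bytes": int(amount) * UNIT_BYTES[unit],
        "window_days": int(window_n) * INTERVAL_DAYS[window_unit] if window_n else None,
    }


# Constructed accounting rows: (seconds since epoch, bytes in, bytes out).
NOW = 1_000_000
SAMPLE_RECORDS: List[Tuple[int, int, int]] = [
    (NOW - 1 * 3600, 100 * 1024 ** 2, 300 * 1024 ** 2),  # 1 hour ago
    (NOW - 2 * 3600, 50 * 1024 ** 2, 250 * 1024 ** 2),   # 2 hours ago
    (NOW - 3 * 86400, 0, 900 * 1024 ** 2),               # 3 days ago
]


def usage_in_window(direction: str, window_days: Optional[int],
                    records: List[Tuple[int, int, int]], now: int) -> int:
    """Sum the bytes selected by DIRECTION within the last window_days (all rows if None)."""
    cutoff = now - window_days * 86400 if window_days is not None else None
    total = 0
    for ts, bytes_in, bytes_out in records:
        if cutoff is not None and ts < cutoff:
            continue  # outside the interval window
        if direction == "IN":
            total += bytes_in
        elif direction == "OUT":
            total += bytes_out
        else:  # TOT = download + upload
            total += bytes_in + bytes_out
    return total


def check_trigger(trigger: str, records: List[Tuple[int, int, int]],
                  now: int = NOW) -> Tuple[int, bool]:
    """Return (bytes used in the window, True if the trigger's limit is exceeded)."""
    t = parse_trigger(trigger)
    used = usage_in_window(t["direction"], t["window_days"], records, now)
    return used, used > t["limit_bytes"]


def recommended_grace_seconds(trigger: str) -> Optional[int]:
    """Grace period of one interval window, as the guide recommends (None if no interval)."""
    days = parse_trigger(trigger)["window_days"]
    return days * 86400 if days is not None else None
```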

Oinkmaster

Oinkmaster is a Perl script that makes it very easy to update the different Snort rules. It is simple to use and install. This section will show you how to set up Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you have already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl.

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

    0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option of having guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guest management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution
Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note
A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

    [guests_self_registration]
    guest_pid=email
    preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice, however, that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

    [guests_admin_registration]
    access_duration_choices=1h,3h,12h,1D,2D,3D,5D
    default_access_duration=12h

The format of the duration is as follows:


    <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

    [guests_self_registration]
    preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist on the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


    # Powershell script to unregister deleted Active Directory account based on the UserName.
    #
    Get-EventLog -LogName Security -InstanceId 4726 |
      Select ReplacementStrings,"Account name" |
      % {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin" # Username for the webservices
        $password = "admin" # Password for the webservices
        # Accepts any server certificate: the PacketFence certificate is not validated
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # JSON-RPC request; ReplacementStrings[0] holds the account name from the event
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes,0,$bytes.Length)
        $stream.close()
        $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
      }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select in the list Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

    # Powershell script to unregister disabled Active Directory account based on the UserName.
    #
    Get-EventLog -LogName Security -InstanceId 4725 |
      Select ReplacementStrings,"Account name" |
      % {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin" # Username for the webservices
        $password = "admin" # Password for the webservices
        # Accepts any server certificate: the PacketFence certificate is not validated
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # JSON-RPC request; ReplacementStrings[0] holds the account name from the event
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes,0,$bytes.Length)
        $stream.close()
        $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
      }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select in the list Run a new instance in parallel.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


    # Powershell script to unregister locked Active Directory account based on the UserName.
    #
    Get-EventLog -LogName Security -InstanceId 4740 |
      Select ReplacementStrings,"Account name" |
      % {
        $url = "https://IP_PACKETFENCE:9090/"
        $username = "admin" # Username for the webservices
        $password = "admin" # Password for the webservices
        # Accepts any server certificate: the PacketFence certificate is not validated
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
        # JSON-RPC request; ReplacementStrings[0] holds the account name from the event
        $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
        $web = [System.Net.WebRequest]::Create($url)
        $web.Method = "POST"
        $web.ContentLength = $bytes.Length
        $web.ContentType = "application/json-rpc"
        $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
        $stream = $web.GetRequestStream()
        $stream.Write($bytes,0,$bytes.Length)
        $stream.close()
        $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
        $reader.ReadToEnd()
        $reader.Close()
      }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select in the list Run a new instance in parallel.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install the Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note
You absolutely need to install the 32-bit version of the Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

    C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface on which your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list the interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run:

    nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First, download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

    rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First, make sure you have the following packages installed:

    libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


  mkdir -p ~/udp-reflector && cd ~/udp-reflector
  wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
  g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

  /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &

where pcap0 is the pcap interface on which your DHCP server listens (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

  /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

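A quick way to confirm that the reflected copies actually reach the PacketFence management interface is to decode what arrives on UDP/67 there. The following is an added example, not part of the guide or of udp_reflector: a small listener and DHCP decoder showing the fields PacketFence works with (client MAC, message type, hostname and the option 55 parameter request list used as DHCP fingerprint). The sample DISCOVER packet is constructed; the layout follows RFC 2131.

```python
"""Added example (not PacketFence or udp_reflector code): decode DHCP messages
reflected by the remote sensor to confirm they arrive intact on UDP/67."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def is_dhcp(payload):
    """True if the payload is at least a full BOOTP header followed by the DHCP cookie."""
    return len(payload) >= 240 and payload[236:240] == MAGIC_COOKIE


def parse_options(payload):
    """Walk the TLV option area: skip Pad (0), stop at End (255)."""
    options, i = {}, 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_dhcp(payload):
    """Return the fields a NAC cares about from one DHCP message."""
    if not is_dhcp(payload):
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + min(hlen, 16)]
    opts = parse_options(payload)
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "ciaddr": socket.inet_ntoa(payload[12:16]),
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "giaddr": socket.inet_ntoa(payload[24:28]),
        "message_type": MESSAGE_TYPES.get(opts[53][0]) if opts.get(53) else None,
        "hostname": opts[12].decode("ascii", "replace") if 12 in opts else None,
        # PacketFence keeps the parameter request list (option 55) as a
        # comma-separated string and uses it as the DHCP fingerprint
        "fingerprint": ",".join(str(b) for b in opts[55]) if 55 in opts else None,
    }


def build_discover(mac, hostname, param_list, xid=0x3903F326):
    """Construct a DHCPDISCOVER as test input (not captured traffic)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op,htype,hlen,hops,xid,secs,flags
    header += b"\x00" * 16                                         # ciaddr, yiaddr, siaddr, giaddr
    header += mac + b"\x00" * (16 - len(mac))                      # chaddr (16 bytes)
    header += b"\x00" * 192                                        # sname + file
    options = (bytes([53, 1, 1]) + bytes([12, len(hostname)]) + hostname
               + bytes([55, len(param_list)]) + bytes(param_list) + b"\xff")
    return header + MAGIC_COOKIE + options


def listen(port=67):
    """Print every message the reflector sends here. Run as root on the PacketFence
    host only while nothing else is bound to UDP/67 on that host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        print(src, parse_dhcp(data) if is_dhcp(data) else "ignored: not DHCP")


if __name__ == "__main__":
    sample = build_discover(bytes.fromhex("525400123502"), b"laptop-01",
                            [1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])
    print(parse_dhcp(sample))   # what the listener would print for this DISCOVER
    listen()
```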
Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From the PacketFence web admin interface you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.


Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need some custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation and keep old logs with compression. It has been added during the initial PacketFence installation.


Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, someone who wants to generate a certain load on the PacketFence server can force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here is the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

  [vlan]
  trap_limit = enabled
  trap_limit_threshold = 100
  trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.

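The per-port, per-minute counting behind trap_limit_threshold, as an added example (not PacketFence code) run offline over constructed trap lines: the line format "timestamp|switch|ifIndex n|trap type" and the switch addresses are assumptions for this example, not the real snmptrapd.log layout.

```python
"""Added example (not PacketFence code): flag switch ports that send more than
trap_limit_threshold SNMP traps within one minute, from a trap log."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TRAP_LIMIT_THRESHOLD = 100      # trap_limit_threshold from the [vlan] section of pf.conf
WINDOW = timedelta(minutes=1)   # the feature counts traps per switch port per minute
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_trap(line):
    """'<timestamp>|<switch ip>|ifIndex <n>|<trap type>' -> (datetime, switch, ifIndex, type)."""
    stamp, switch, ifindex, trap_type = line.rstrip("\n").split("|")
    return datetime.strptime(stamp, TIME_FMT), switch, int(ifindex.split()[1]), trap_type


def find_flooding_ports(lines, threshold=TRAP_LIMIT_THRESHOLD, window=WINDOW):
    """Return {(switch, ifIndex): first time the port exceeded `threshold` traps
    within one `window`}. Lines must be in chronological order, as in a log."""
    recent = defaultdict(deque)   # per port: timestamps still inside the window
    flagged = {}
    for line in lines:
        stamp, switch, port, _ = parse_trap(line)
        key = (switch, port)
        window_q = recent[key]
        window_q.append(stamp)
        while stamp - window_q[0] >= window:   # drop traps older than one minute
            window_q.popleft()
        if len(window_q) > threshold and key not in flagged:
            flagged[key] = stamp.strftime(TIME_FMT)
    return flagged


def constructed_log():
    """Constructed sample: a quiet port (3 traps), a flooding port (two traps per
    second for a minute) and a busy but legitimate port (exactly 100 traps
    spread over ten minutes, never more than 10 in any one minute)."""
    base = datetime(2016, 6, 1, 10, 0, 0)
    lines = []
    for i in range(3):
        lines.append(f"{base + timedelta(seconds=20 * i):{TIME_FMT}}|192.168.10.2|ifIndex 10|linkUp")
    for i in range(120):
        lines.append(f"{base + timedelta(milliseconds=500 * i):{TIME_FMT}}|192.168.10.2|ifIndex 12|linkUp")
    for i in range(100):
        lines.append(f"{base + timedelta(seconds=6 * i):{TIME_FMT}}|192.168.10.3|ifIndex 5|linkDown")
    return sorted(lines)   # log order: the timestamp is the first field of each line


if __name__ == "__main__":
    for (switch, port), when in find_flooding_ports(constructed_log()).items():
        print(f"{when}: {switch} ifIndex {port} exceeded {TRAP_LIMIT_THRESHOLD} traps/minute")
```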
MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

  # uptime
  11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

  # iostat 5
  avg-cpu:  %user   %nice    %sys %iowait   %idle
             0.60    0.00    3.20   20.20   76.00
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0       32.40         0.00      1560.00          0       7800
  avg-cpu:  %user   %nice    %sys %iowait   %idle
             0.60    0.00    2.20    9.20   88.00
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0        7.80         0.00        73.60          0        368
  avg-cpu:  %user   %nice    %sys %iowait   %idle
             0.60    0.00    1.80   23.80   73.80
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0       31.40         0.00      1427.20          0       7136
  avg-cpu:  %user   %nice    %sys %iowait   %idle
             0.60    0.00    2.40   18.16   78.84
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20%: this is not good. If your IO wait is low but your MySQL is taking over 50% CPU, this is also not good. Check your MySQL install for the following variables:

  mysql> show variables;
  | innodb_additional_mem_pool_size | 1048576 |
  | innodb_autoextend_increment     | 8       |
  | innodb_buffer_pool_awe_mem_mb   | 0       |
  | innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

  # /etc/init.d/packetfence stop
  Shutting down PacketFence...
  [...]
  # /etc/init.d/mysql stop
  Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):


  [mysqld]
  # Set buffer pool size to 50-80% of your computer's memory
  innodb_buffer_pool_size=800M
  innodb_additional_mem_pool_size=20M
  innodb_flush_log_at_trx_commit=2
  innodb_file_per_table
  # allow more connections
  max_connections=700
  # set cache size
  key_buffer_size=900M
  table_cache=300
  query_cache_size=256M
  # enable slow query log
  log_slow_queries = ON

Start up MySQL and PacketFence:

  # /etc/init.d/mysqld start
  Starting MySQL:                                            [  OK  ]
  # /etc/init.d/packetfence start
  Starting PacketFence...
  [...]

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

  # uptime
  12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
  # iostat 5
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0        8.00         0.00        75.20          0        376
  avg-cpu:  %user   %nice    %sys %iowait   %idle
             0.60    0.00    2.99   13.37   83.03
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0       14.97         0.00       432.73          0       2168
  avg-cpu:  %user   %nice    %sys %iowait   %idle
             0.20    0.00    2.60    6.60   90.60
  Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
  cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

  /usr/local/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

  Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

  [get_ua_is_dalvik]
  filter = user_agent
  method = GET
  operator = match
  value = Dalvik

  [get_uri_not_generate204]
  filter = uri
  method = GET
  operator = match_not
  value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

  [block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
  action = 501
  redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.

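To see what a rule would do with a given request before enabling it on the portal, here is an added example (not PacketFence's own filter engine) that loads blocks in the form shown above and evaluates them against constructed requests. It assumes that "match" and "match_not" behave as regular-expression searches and that tests in a rule name are combined with "&".

```python
"""Added example (not PacketFence code): evaluate apache_filters.conf style
test and rule blocks against HTTP requests."""
import configparser
import re

# The two test blocks and the rule block quoted in this section.
SAMPLE_CONF = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""


def load_filters(text):
    """Split the config into test blocks and rule blocks ('name:test1&test2')."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, rules = {}, []
    for name in cp.sections():
        block = dict(cp[name])
        if ":" in name:
            rule_name, expr = name.split(":", 1)
            rules.append((rule_name, expr.split("&"), block))
        else:
            tests[name] = block
    return tests, rules


def run_test(test, request):
    """Evaluate one test block against a request {'method', 'uri', 'user_agent'}.
    A test only applies to requests with the method it names (assumption)."""
    if request["method"] != test["method"]:
        return False
    subject = request.get(test["filter"], "")
    found = re.search(test["value"], subject) is not None   # assumption: regex match
    if test["operator"] == "match":
        return found
    if test["operator"] == "match_not":
        return not found
    raise ValueError("unsupported operator: " + test["operator"])


def evaluate(request, conf_text=SAMPLE_CONF):
    """Return (rule name, action, redirect_url) of the first rule whose tests all
    pass, or None when the request is left alone and reaches the portal."""
    tests, rules = load_filters(conf_text)
    for rule_name, test_names, block in rules:
        if all(run_test(tests[t], request) for t in test_names):
            return rule_name, block["action"], block.get("redirect_url", "")
    return None


if __name__ == "__main__":
    # constructed requests: an Android connectivity check vs. a browser
    android = {"method": "GET", "uri": "/", "user_agent": "Dalvik/2.1.0 (Linux; U; Android 6.0)"}
    print(evaluate(android))                                  # ('block_dalvik', '501', '')
    print(evaluate({**android, "uri": "/generate_204"}))      # None
    print(evaluate({**android, "user_agent": "Mozilla/5.0"})) # None
```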
Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

  service packetfence stop

Create an ext4 partition:

  mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:


  mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

  echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
  mkdir /usr/local/pf/var/graphite
  mount -a
  df -h

Apply the proper user rights and restore your database from your backup:

  chown pf.pf /usr/local/pf/var/graphite
  cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

  rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing list archives or post your questions there. For details, see:

- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


  Usage: pfcmd <command> [options]

  Commands:
   cache                        | manage the cache subsystem
   checkup                      | perform a sanity checkup and report any problems
   class                        | view violation classes
   configfiles                  | push or pull configfiles into/from database
   configreload                 | reload the configution
   floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
   help                         | show help for pfcmd commands
   ifoctetshistorymac           | accounting history
   ifoctetshistoryswitch        | accounting history
   ifoctetshistoryuser          | accounting history
   import                       | bulk import of information into the database
   ipmachistory                 | IP/MAC history
   locationhistorymac           | Switch/Port history
   locationhistoryswitch        | Switch/Port history
   networkconfig                | query/modify network configuration parameters
   node                         | manipulate node entries
   pfconfig                     | interact with pfconfig
   portalprofileconfig          | query/modify portal profile configuration parameters
   reload                       | rebuild fingerprint or violations tables without restart
   service                      | start/stop/restart and get PF daemon status
   schedule                     | Nessus scan scheduling
   switchconfig                 | query/modify switches.conf configuration parameters
   version                      | output version information
   violationconfig              | query/modify violations.conf configuration parameters

  Please view "pfcmd help <command>" for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

  # /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
  mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
  52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

  Usage: pfcmd_vlan command [options]

  Command:
   -deauthenticate      de-authenticate a dot11 client
   -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
   -getAlias            show the description of the specified switch port
   -getAllMACs          show all MACS on all switch ports
   -getHubs             show switch ports with several MACs
   -getIfOperStatus     show the operational status of the specified switch port
   -getIfType           show the ifType on the specified switch port
   -getLocation         show at which switch port the MAC is found
   -getSwitchLocation   show SNMP location of specified switch
   -getMAC              show all MACs on the specified switch port
   -getType             show switch type
   -getUpLinks          show the upLinks of the specified switch
   -getVersion          show switch OS version
   -getVlan             show the VLAN on the specified switch port
   -getVlanType         show the VLAN type on the specified port
   -help                brief help message
   -isolate             set the switch port to the isolation VLAN
   -man                 full documentation
   -reAssignVlan        re-assign a switch port VLAN
   -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
   -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
   -setAlias            set the description of the specified switch port
   -setDefaultVlan      set the switch port to the default VLAN
   -setIfAdminStatus    set the admin status of the specified switch port
   -setVlan             set VLAN on the specified switch port
   -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

  Options:
   -alias          switch port description
   -ifAdminStatus  ifAdminStatus
   -ifIndex        switch port ifIndex
   -mac            MAC address
   -showPF         show additional information available in PF
   -switch         switch description
   -verbose        log verbosity level
                    0 : fatal messages
                    1 : warn messages
                    2 : info messages
                    3 : debug
                    4 : trace
   -vlan           VLAN id
   -vlanName       VLAN name (as in switches.conf)


Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign-On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls so that they can apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creation and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with a pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work, such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that PacketFence will be installed on.

A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:


- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

  yum update

On a Debian or Ubuntu system, do:

  apt-get update
  apt-get upgrade

Regarding SELinux or AppArmor: even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

  rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

  yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:


  yum install perl
  yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

  echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

  echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:

  sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
  sudo apt-get update
  sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above-mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment, since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X-capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns), on which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.

Web Auth mode

Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample webauth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) so that the switch learns its MAC address. Then pfsetvlan sends periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly, and this could result in network connection latency.

MAC notification traps: if your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: in its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.

Whichever trap type you use, pfsetvlan changes VLAN assignments based on what arrives at snmptrapd, so the trap channel is a control-plane input: send traps with SNMPv3 authentication and privacy where the switch supports it (the SNMPVersionTrap parameters are described in the Network Devices Definition section) rather than plain v1/v2c communities.


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 even if it connects on another SSID. Keep in mind that a MAC trigger keys on a value the endpoint itself reports and can change, so it selects an enforcement technique, not an identity.
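The trigger evaluation described above, as an added example that is not PacketFence's own code: it parses a trigger string made of TYPE::VALUE entries separated by commas (the separator syntax is assumed from the example above), normalises MAC addresses so that 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal, and decides whether a connection should get inline rather than VLAN enforcement. The Connection fields are a constructed stand-in for what the RADIUS request carries.

```python
# Added example, not PacketFence code: evaluate a "Trigger to enable inline mode"
# string such as "SSID::GuestAccess,MAC::00:11:22:33:44:55".
from dataclasses import dataclass
from typing import Optional


@dataclass
class Connection:
    """Constructed view of the connection attributes PacketFence sees (assumed names)."""
    mac: str
    ssid: Optional[str] = None
    ifindex: Optional[int] = None


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff; return lower-case colon form."""
    hexdigits = ''.join(c for c in mac.lower() if c in '0123456789abcdef')
    if len(hexdigits) != 12:
        raise ValueError(f'bad MAC address: {mac!r}')
    return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_trigger(trigger: str) -> list:
    """Turn 'SSID::Guest,MAC::00:11:...' into [('SSID', 'Guest'), ('MAC', '00:11:...')]."""
    rules = []
    for item in filter(None, (part.strip() for part in trigger.split(','))):
        if item.upper() == 'ALWAYS':
            rules.append(('ALWAYS', None))
            continue
        kind, sep, value = item.partition('::')
        if not sep:
            raise ValueError(f'malformed trigger entry: {item!r}')
        kind = kind.upper()
        if kind == 'MAC':
            value = normalise_mac(value)
        elif kind == 'PORT':
            value = int(value)          # ifIndex of the port
        elif kind != 'SSID':
            raise ValueError(f'unknown trigger type: {kind}')
        rules.append((kind, value))
    return rules


def use_inline(trigger: str, conn: Connection) -> bool:
    """True when any trigger entry matches the connection; False means VLAN enforcement."""
    for kind, value in parse_inline_trigger(trigger):
        if kind == 'ALWAYS':
            return True
        if kind == 'SSID' and conn.ssid == value:
            return True
        if kind == 'MAC' and normalise_mac(conn.mac) == value:
            return True
        if kind == 'PORT' and conn.ifindex == value:
            return True
    return False
```

An empty or unmatched trigger falls back to VLAN enforcement; a malformed entry raises instead of silently matching nothing, which is the safer failure mode for a setting that changes how traffic is policed.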


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://<ip_of_packetfence>:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from PacketFence's administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices that users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e. a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- Email
- External HTTP API
- Facebook (OAuth 2)
- Github (OAuth 2)
- Google (OAuth 2)
- Kerberos
- LDAP
- LinkedIn (OAuth 2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth 2)
- Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops across all sources, as this is a first-match-wins operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

The values above are for the example only: a plain LDAP bind on port 389 sends the bind password and every user password PacketFence checks in cleartext, and binding as the domain Administrator gives PacketFence far more rights than a directory lookup needs. In production, use LDAPS (or StartTLS) and a dedicated read-only bind account.

Then we add a rule by clicking on the "Add rule" button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: employee
  - Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: a distinct source name such as ad-machines (source names must be unique, so do not reuse ad1)
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role: machineauth
  - Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
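The first-match-wins evaluation of sources, rules, conditions and actions described above, together with the note about how a catch-all rule behaves differently for directory sources and for Kerberos/RADIUS, as an added example that is not PacketFence's own code. The directory contents, condition operators and action names are constructed for illustration; a real source would query LDAP.

```python
# Added example, not PacketFence code: model of source/rule/condition/action
# evaluation with first-match-wins semantics.
from dataclasses import dataclass, field
from typing import Callable, Optional

# Catch-all rules on these source types match only if the username exists in the
# directory; Kerberos and RADIUS sources accept anyone who authenticated (see note above).
DIRECTORY_TYPES = {'AD', 'LDAP', 'htpasswd'}
ACCEPT_ALL_TYPES = {'Kerberos', 'RADIUS'}


@dataclass
class Rule:
    name: str
    conditions: list   # (attribute, operator, value) tuples; empty list = catch-all
    actions: dict      # e.g. {'set_role': 'employee', 'set_unregdate': '2020-01-01'}


@dataclass
class Source:
    name: str
    kind: str
    lookup: Callable[[str], Optional[dict]]   # username -> attributes, or None if unknown
    rules: list = field(default_factory=list)


OPS = {
    'equals': lambda attr, value: attr == value,
    'starts': lambda attr, value: str(attr).startswith(value),
    'is member of': lambda attr, value: value in (attr or []),
}


def rule_matches(rule: Rule, attrs: dict) -> bool:
    """All conditions must hold; a rule without conditions always matches."""
    return all(OPS[op](attrs.get(attribute), value) for attribute, op, value in rule.conditions)


def authorize(sources: list, username: str):
    """Return (source, rule, actions) of the first matching rule, or None.
    Sources are tested in order, rules in order inside each source, and the
    first hit stops evaluation across all remaining sources."""
    for src in sources:
        attrs = src.lookup(username)
        if attrs is None:
            if src.kind in ACCEPT_ALL_TYPES:
                attrs = {}          # no directory to consult: catch-all still applies
            elif src.kind in DIRECTORY_TYPES:
                continue            # unknown user: even a catch-all rule cannot match
            else:
                raise ValueError(f'unknown source type {src.kind!r}')
        for rule in src.rules:
            if rule_matches(rule, attrs):
                return src.name, rule.name, dict(rule.actions)
    return None


# Constructed directory data standing in for the AD sources of the example above.
_EMPLOYEES = {
    'alice': {'sAMAccountName': 'alice', 'memberOf': ['CN=staff,DC=acme,DC=local']},
    'bob': {'sAMAccountName': 'bob', 'memberOf': ['CN=admins,DC=acme,DC=local']},
}
_MACHINES = {'host$': {'servicePrincipalName': 'HOST/host.acme.local'}}

ad_users = Source('ad1', 'AD', _EMPLOYEES.get, rules=[
    Rule('admins', [('memberOf', 'is member of', 'CN=admins,DC=acme,DC=local')],
         {'set_role': 'admin'}),
    Rule('employees', [], {'set_role': 'employee', 'set_unregdate': '2020-01-01'}),
])
ad_machines = Source('ad-machines', 'AD', _MACHINES.get, rules=[
    Rule('machines', [], {'set_role': 'machineauth', 'set_unregdate': '2020-01-01'}),
])
krb = Source('krb1', 'Kerberos', lambda username: None, rules=[
    Rule('anyone', [], {'set_role': 'guest'}),
])
SOURCES = [ad_users, ad_machines]
```

Ordering is the security-relevant part: because the admins rule sits above the employees catch-all, bob gets the admin role; swap the two rules and every employee, admins included, would get employee. Likewise a Kerberos or RADIUS source placed before a directory source would hand its catch-all actions to anyone it can authenticate.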

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: this should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result should be 1 for success, 0 for failure
- message should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}

Authorization: this should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response (note that not all attributes are necessary, only send back what you need):

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: in PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: first the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API.
- API username and password: if your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.

Since the POST body carries the user's password and the basic-auth header carries the API credentials, use https in the Host field (or otherwise keep the API on a network PacketFence reaches only over an encrypted path); the authorization reply also sets access_level and category, so the API is trusted to decide what a user can do.
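An external API of the kind described above, as an added example that is not PacketFence's shipped addons/example_external_auth: it serves the authentication and authorization actions with the JSON contract from the text, checks HTTP basic credentials, and keeps only salted password hashes behind the API. The POST field names (username, password), the URL paths /auth and /authorize, the basic-auth credentials and the user store are assumptions constructed for the example.

```python
# Added example, not PacketFence code: minimal external HTTP authentication API.
import base64
import hashlib
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

API_USER, API_PASS = 'pf-api', 'change-me'    # assumed basic-auth credentials PacketFence sends
REPLY_ATTRIBUTES = ('access_duration', 'access_level', 'sponsor', 'unregdate', 'category')


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)


def _make_user(password: str, **attrs) -> dict:
    salt = os.urandom(16)
    return {'salt': salt, 'hash': _pbkdf2(password, salt), 'attrs': attrs}


# Constructed user store; passwords are stored only as salted PBKDF2 hashes.
USERS = {
    'alice': _make_user('correct horse', access_duration='1D', access_level='ALL',
                        sponsor=1, unregdate='2030-01-01', category='default'),
    'guest1': _make_user('guest-pass', access_duration='1D', category='guest'),
}


def authenticate(fields: dict) -> dict:
    """Authentication action: {'result': 1|0, 'message': reason}."""
    user = USERS.get(fields.get('username', ''))
    # Always run the hash, with a dummy salt for unknown users, so response time
    # does not reveal whether the username exists.
    salt, expected = (user['salt'], user['hash']) if user else (b'\0' * 16, b'\0' * 32)
    computed = _pbkdf2(fields.get('password', ''), salt)
    ok = user is not None and hmac.compare_digest(expected, computed)
    return {'result': 1 if ok else 0,
            'message': 'Valid username and password' if ok else 'Invalid username or password'}


def authorize(fields: dict) -> dict:
    """Authorization action: only the attributes PacketFence understands, nothing else."""
    user = USERS.get(fields.get('username', ''))
    if user is None:
        return {}
    return {k: v for k, v in user['attrs'].items() if k in REPLY_ATTRIBUTES}


def basic_auth_ok(header) -> bool:
    """Validate an 'Authorization: Basic ...' header in constant time."""
    if not header or not header.startswith('Basic '):
        return False
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(decoded, f'{API_USER}:{API_PASS}')


ACTIONS = {'/auth': authenticate, '/authorize': authorize}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get('Authorization')):
            self.send_error(401)
            return
        action = ACTIONS.get(self.path)
        if action is None:
            self.send_error(404)
            return
        length = int(self.headers.get('Content-Length', 0))
        form = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        body = json.dumps(action(form)).encode()
        self.send_response(200)
        self.send_header('Content-Type', 'application/json')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == '__main__':
    # Terminate TLS in front of this listener (and use https in the PacketFence Host field):
    # the user password and the API credentials travel in every request.
    HTTPServer(('127.0.0.1', 8080), Handler).serve_forever()
```

With this running, the PacketFence HTTP source would be Host http://127.0.0.1:8080 (https behind a TLS terminator), Authentication URL auth, Authorization URL authorize, and the API username/password set to the values in API_USER and API_PASS.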

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources, create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated with the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the identity provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link "Download Service Provider metadata" on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);

The assertion posted to the AssertionConsumerService URL is the user's proof of login, so in production the portal hostname should be reachable over https and the URL registered at the Identity Provider should use it.

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: in order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
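Before pointing the SAML source at the files transferred above, it is worth checking that they agree with each other: the certificate in /usr/local/pf/conf/ssl/idp.crt must be one of the signing certificates published in the Identity Provider metadata, otherwise assertions will either fail validation or, worse, be validated against a certificate nobody verified. This added example, not part of PacketFence, parses an EntityDescriptor with the standard library and compares the DER bytes of the PEM certificate with the metadata. The metadata and "certificate" bytes below are constructed placeholders, not a real X.509 certificate; a real deployment reads both files from disk.

```python
# Added example, not PacketFence code: consistency check between IdP metadata and idp.crt.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    'md': 'urn:oasis:names:tc:SAML:2.0:metadata',
    'ds': 'http://www.w3.org/2000/09/xmldsig#',
}


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM certificate body and decode it to DER bytes."""
    body = re.search(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', pem, re.S)
    if not body:
        raise ValueError('no PEM certificate found')
    return base64.b64decode(''.join(body.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the value to compare with what the IdP operator publishes."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError('not a SAML EntityDescriptor')
    idp = root.find('md:IDPSSODescriptor', NS)
    if idp is None:
        raise ValueError('metadata has no IDPSSODescriptor')
    signing = []
    for kd in idp.findall('md:KeyDescriptor', NS):
        if kd.get('use') in (None, 'signing'):      # no "use" means signing and encryption
            for cert in kd.findall('.//ds:X509Certificate', NS):
                signing.append(base64.b64decode(''.join(cert.text.split())))
    sso = [(s.get('Binding'), s.get('Location')) for s in idp.findall('md:SingleSignOnService', NS)]
    return {'entity_id': root.get('entityID'), 'signing_certs': signing, 'sso': sso}


def check_idp_trust(xml_text: str, idp_cert_pem: str) -> list:
    """Return a list of problems; an empty list means the two files are consistent."""
    meta = parse_idp_metadata(xml_text)
    der = pem_to_der(idp_cert_pem)
    problems = []
    if der not in meta['signing_certs']:
        problems.append('idp.crt is not a signing certificate listed in the metadata')
    if not meta['sso']:
        problems.append('no SingleSignOnService endpoint in metadata')
    for _, location in meta['sso']:
        if not location.startswith('https://'):
            problems.append(f'SSO endpoint is not https: {location}')
    return problems


# Constructed sample input: FAKE_DER is a placeholder byte string, not a real certificate.
FAKE_DER = b'\x30\x82\x01\x00' + bytes(range(256))
FAKE_PEM = ('-----BEGIN CERTIFICATE-----\n'
            + base64.encodebytes(FAKE_DER).decode()
            + '-----END CERTIFICATE-----\n')
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

The SSO Location is also the host you must add to the passthroughs list above, and the entityID is what the Identity Provider side of the trust must match.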

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, as well as their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed IfIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: there are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: to set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576 (since superseded by RFC 5176). The shared secret is what authenticates the switch's requests to PacketFence and PacketFence's CoA/Disconnect messages to the switch, so use a long random value unique to each device rather than a placeholder like the one above.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch: edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch configuration: here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

The example keeps the write user separate from the read user, which is the right shape: the trap and read credentials never need SNMP write access. The MD5 authentication protocol is shown because the example uses it; where your switch and PacketFence version support it, prefer SHA, and keep the privacy protocol (priv) on both groups so VLAN writes are not sent in cleartext.

Command-Line Interface: Telnet and SSH

Warning: privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches. Since the account must land in privileged mode, these are administrative credentials for the switch; use SSH rather than Telnet so they do not cross the network in cleartext.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do, compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering, and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
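The settings described in this section (working mode, RADIUS secret, SNMP version and protocols, CLI and web-services transports, and the <rolename>Role= mappings) are the ones a reviewer checks before a switch goes into production. This added example, not PacketFence code, is a read-only audit of a switches.conf in the format described above: per-switch values fall back to the [default] section, and each deviation from the recommendations in the text becomes a finding. The sample file is constructed; parameter names follow the text, and treating <rolename>Role= entries as keys of a section is an assumption.

```python
# Added example, not PacketFence code: audit findings for /usr/local/pf/conf/switches.conf.
import configparser
import io

# Placeholders and well-known defaults that must never survive into production.
WEAK_SECRETS = {'', 'secret', 'secretPassPhrase', 'testing123', 'public', 'private'}


def load_switches_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep case: SNMPVersion and radiusSecret are case-sensitive names
    cp.read_file(io.StringIO(text))
    return cp


def role_mappings(section: dict) -> dict:
    """Collect 'adminRole=full-access' style keys into {'admin': 'full-access'}."""
    return {k[:-len('Role')]: v for k, v in section.items() if k.endswith('Role') and k != 'Role'}


def audit_switch(name: str, sw: dict, defaults: dict) -> list:
    """Findings for one switch section; missing values fall back to [default]."""
    get = lambda key, fallback='': sw.get(key, defaults.get(key, fallback))
    findings = []
    mode = get('mode', 'production')
    if mode != 'production':
        findings.append(f'{name}: mode is {mode}, no VLAN changes will be applied')
    if get('radiusSecret') in WEAK_SECRETS:
        findings.append(f'{name}: RADIUS secret missing or a well-known placeholder')
    if get('SNMPVersion', '2c') != '3':
        findings.append(f'{name}: SNMP v{get("SNMPVersion", "2c")} sends communities in cleartext')
    else:
        for direction in ('Read', 'Write', 'Trap'):
            if get(f'SNMPPrivProtocol{direction}') == '':
                findings.append(f'{name}: SNMPv3 {direction} has no privacy protocol (authNoPriv)')
            if get(f'SNMPAuthProtocol{direction}') == 'MD5':
                findings.append(f'{name}: SNMPv3 {direction} uses MD5; prefer SHA where supported')
    if get('cliTransport').lower() == 'telnet':
        findings.append(f'{name}: cliTransport is Telnet; privileged credentials cross the wire unencrypted')
    if get('wsTransport').lower() == 'http':
        findings.append(f'{name}: wsTransport is http, not https')
    for role, controller_role in role_mappings(sw).items():
        if not controller_role:
            findings.append(f'{name}: role {role} maps to an empty controller role')
    return findings


def audit(text: str) -> list:
    cp = load_switches_conf(text)
    defaults = dict(cp['default']) if cp.has_section('default') else {}
    findings = []
    for name in cp.sections():
        if name != 'default':
            findings.extend(audit_switch(name, dict(cp[name]), defaults))
    return findings


# Constructed sample: one switch left on defaults, one configured as the text recommends.
SAMPLE = """
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = production
adminRole=full-access
engineeringRole=full-access
salesRole=little-access

[192.168.0.1]
type = Cisco::Catalyst_2960
radiusSecret = secretPassPhrase
cliTransport = Telnet

[192.168.0.2]
type = Cisco::Catalyst_2960
mode = testing
radiusSecret = 8f3c1e5d2a7b4c9e0f1a2b3c4d5e6f70
SNMPVersion = 3
SNMPAuthProtocolRead = SHA
SNMPPrivProtocolRead = AES
SNMPAuthProtocolWrite = SHA
SNMPPrivProtocolWrite = AES
SNMPVersionTrap = 3
SNMPAuthProtocolTrap = SHA
SNMPPrivProtocolTrap = AES
cliTransport = SSH
"""
```

Run audit() over the real file after every manual edit and before pfcmd configreload; the first switch in the sample produces findings for each point the section above warns about, the second only for still being in testing mode.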


Caution: make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine, where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: network in CIDR format or an IP address

Caution

The Node Role filter will take effect only with an 802.1X connection or if you use VLAN filters.

Because the profile decides which authentication sources are offered, a filter that matches on something the client controls (the URI it requested, for instance) should never be the only thing standing between a guest and a profile that lists an employee source.
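How the filters above select a profile, as an added example that is not PacketFence's own matching code: profiles are tried in order, any one of a profile's filters matching selects it, and the default profile catches everything else. The "Type:Value" filter syntax, the endpoint field names and the profiles list are assumptions constructed from the examples in the text (in the real product the profiles live in conf/profiles.conf).

```python
# Added example, not PacketFence code: first-match portal profile selection.
import ipaddress
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Constructed view of what is known about a connecting client."""
    ssid: str = ''
    vlan: int = 0
    switch_id: str = ''
    port: str = ''
    ip: str = ''
    role: str = ''
    connection_type: str = ''


def _match_filter(filt: str, ep: Endpoint) -> bool:
    kind, _, value = filt.partition(':')
    kind, value = kind.strip().lower(), value.strip()
    if kind == 'ssid':
        return ep.ssid == value
    if kind == 'vlan':
        return str(ep.vlan) == value
    if kind == 'switch':
        return ep.switch_id == value
    if kind == 'switchport':                       # <SwitchId>-<Port>
        return f'{ep.switch_id}-{ep.port}' == value
    if kind == 'network':                          # CIDR or a single address
        return bool(ep.ip) and ipaddress.ip_address(ep.ip) in ipaddress.ip_network(value, strict=False)
    if kind == 'noderole':
        return ep.role == value
    if kind == 'connectiontype':
        return ep.connection_type == value
    raise ValueError(f'unknown filter type {kind!r}')


def select_profile(profiles: list, ep: Endpoint) -> dict:
    """profiles is an ordered list of {'name', 'filter' (list of strings), 'sources'}.
    The first profile with any matching filter wins; 'default' is the fallback."""
    for profile in profiles:
        if any(_match_filter(f, ep) for f in profile.get('filter', [])):
            return profile
    return next(p for p in profiles if p['name'] == 'default')


# Constructed profiles mirroring conf/profiles.conf sections.
PROFILES = [
    {'name': 'guest', 'filter': ['SSID:Guest-SSID', 'VLAN:100'], 'sources': ['email', 'sms']},
    {'name': 'lab', 'filter': ['SwitchPort:192.168.0.1-10', 'Network:10.20.0.0/16'], 'sources': ['ad1']},
    {'name': 'default', 'filter': [], 'sources': ['ad1', 'local']},
]
```

Note that the guest profile exposes only the email and SMS sources, so a client on the Guest-SSID never sees the Active Directory login; that separation is only as strong as the filters that place clients into the guest profile.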

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d.

In this directory you have four important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
- httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your third-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.


Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator. The credential is used for the domain join; an account delegated only the right to join computers to the domain is sufficient for that operation in Active Directory and is preferable to storing a Domain Admin password in the PacketFence configuration.
- Password is the password for the username defined above.


Troubleshooting: in order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: you should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: first, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated with this realm.

Now create the two other realms associated with your other domains.

You should now have the following realm configuration.


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Note that "machine password timeout = 0" disables the periodic rotation of the machine account password; it is set here so the shared account stays valid across cluster members, at the cost of a credential that never expires.

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start Samba and join the machine to the domain:


service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

The radtest above talks to the inner-tunnel listener on port 18120 with the shared secret testing123; that listener should only be reachable from localhost.

Option 2: Local Authentication: add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Each entry stores the password in cleartext on disk, so restrict the file's permissions to the user radiusd runs as.

Option 3: EAP authentication against OpenLDAP: to authenticate 802.1X connections against OpenLDAP, you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext (MS-CHAPv2 inside PEAP needs the NT hash of the password, which cannot be derived from a salted hash).


ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = password
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration: this section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS...) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
        # Disable ntlm_auth
        update control {
                &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                # Check password table with email and password for a sponsor registration
                pfguest
                if (fail || notfound) {
                        # Check password table with email and password for a guest registration
                        pfsponsor
                        if (fail || notfound) {
                                # Don't check activation table with phone number and PIN code
                                #pfsms     <--- This line was commented out
                                if (fail || notfound) {
                                        update control {
                                                &MS-CHAP-Use-NTLM-Auth := Yes
                                        }
                                }
                        }
                }
        }
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords. The setting applies to every local account, not only the guest ones, so once it is enabled the database and its backups hold cleartext credentials and must be protected accordingly.

Option 5: EAP Local user Authentication: the goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel:

In this example we activate this feature on a specific SSID name (Secure-local-Wireless): NTLM Auth is disabled by default and the local account is tested; if that fails, NTLM Auth is reactivated.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
                MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := Yes
                }
        }
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows you to give the user a choice between multiple modules. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

Billing: Allows you to define a module based on one or more billing sources.

Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

Other modules: The other modules are all based on the source type they are assigned to; they allow you to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

Prompting for fields without authentication

Prompting additional fields during the authentication

Chained authentication

Mixing login and Secure SSID on-boarding on the portal

Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module assign My first root module, then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then submitting this information will assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click Add Portal Module and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source/.

Sources by class: Allows you to specify the perl class name of the sources you want available.

ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…)

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log — PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access — Apache – Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error — Apache – Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access — Apache – Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error — Apache – Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access — Apache – Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error — Apache – Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access — Apache – AAA Access Log
/usr/local/pf/logs/httpd.aaa.error — Apache – AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf.

b. Run raddebug as root (less secure).

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frame using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frame using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. The multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frame using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned on the registration VLAN).


Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,android.clients.google.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click to configure; it will create the secure SSID profile. It is that simple.
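To make the "pre-populated, without the password" point concrete, here is an added example that builds a mobileconfig of the kind described above and then inspects it the way a reviewer would. It is not PacketFence's generator: the payload keys are those of Apple's com.apple.wifi.managed profile payload, while ORG_ID, the SSID, the username and the RADIUS server name are constructed placeholders, and the function names are this example's own.

```python
import plistlib
import uuid

# Hypothetical reverse-DNS identifier for the issuing organisation (an assumption).
ORG_ID = "org.example.pf"


def build_wifi_profile(ssid: str, username: str, trusted_server: str, hidden: bool = True) -> bytes:
    """Return a .mobileconfig document (an XML plist) for a WPA2-Enterprise SSID.

    The user name is filled in so the device only prompts for the password; no
    password key is written, so the profile can be handed out without carrying
    a secret that could be read out of the file later."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,        # lets the device join an SSID that is not broadcast
        "AutoJoin": True,
        "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],      # 25 = PEAP
            "UserName": username,
            # Pin the RADIUS server name so the supplicant will not send its
            # credentials to a rogue access point presenting another certificate.
            "TLSTrustedServerNames": [trusted_server],
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} wireless profile",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def inspect_profile(data: bytes) -> dict:
    """Parse a profile back and report the properties worth checking before release."""
    profile = plistlib.loads(data)
    wifi = next(p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.wifi.managed")
    eap = wifi.get("EAPClientConfiguration", {})
    return {
        "ssid": wifi["SSID_STR"],
        "hidden": wifi["HIDDEN_NETWORK"],
        "username": eap.get("UserName"),
        # "Password" is the PSK key, "UserPassword" the EAP one; neither should be present
        "contains_password": "Password" in wifi or "UserPassword" in eap,
        "trusted_servers": eap.get("TLSTrustedServerNames", []),
    }


if __name__ == "__main__":
    blob = build_wifi_profile("Secure-Wireless", "alice", "radius.example.org")
    print(inspect_profile(blob))
```

The inspect_profile check is the one to run on whatever your provisioner actually emits: a profile that carries a password, or that omits the trusted server name, turns a convenience feature into a credential-leak or evil-twin risk.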

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

Billing source(s)

Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the Change password link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

Identity token is the one you noted when on the Website Payment Preferences page
Cert ID is the one you noted when on the Encrypted Payment Settings page
Payment type is whether the access is donation based (not mandatory to pay for it)
Email address is the email address of the merchant Paypal account
Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
Key file is the path to the PacketFence certificate key (/usr/local/pf/conf/ssl/server.key by default)
Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click Your account, then Account settings.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

Secret key is the secret key you got from your Stripe account
Publishable key is the publishable key you got from your Stripe account
Style is whether you are doing a one-time charge or subscription based billing (recurring). See section Subscription based registration below for details on how to configure it.
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using the test key and secret of the account

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

API login ID is the one you got earlier while creating your account
Transaction key is the one you got earlier while creating your account
MD5 hash is the one you configured in your Authorize.net account
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click Add billing tier and configure it.

Where:

Billing tier is the unique identifier of the billing tier
Name is the friendly name of the billing tier
Description is an extended description of the billing tier
Price is the amount that will be charged to the user
Access duration is the amount of time the user will be granted access to your network
Role is the target role the user should be in
Use time balance defines if the access duration should be computed on real-time access duration, meaning if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.


Where:

ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.

Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.

Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.

Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click Add endpoint.

Where:

URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe

Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
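Because the hook endpoint above is reached over plain HTTP on a public IP, the only thing that authenticates an incoming "subscription cancelled" event is the signature Stripe attaches to it. The following added example, which is not PacketFence's hook handler, shows how a receiver verifies that signature (Stripe signs the string "timestamp.body" with HMAC-SHA256 using the endpoint's signing secret and sends it as t=...,v1=...) and only then acts on the event. The signing secret, event JSON and customer id are constructed placeholders; the function names and the 300-second replay window are this example's own choices.

```python
import hashlib
import hmac
import json

TOLERANCE_SECONDS = 300          # reject events whose timestamp is too far from "now"


def parse_signature_header(header: str):
    """Split "t=<unix time>,v1=<hex>[,v1=<hex>...]" into (timestamp, [signatures])."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_signature(payload: bytes, header: str, signing_secret: str, now: int) -> bool:
    """HMAC-SHA256 over "<timestamp>.<raw body>" with the endpoint's signing secret,
    compared in constant time; a stale timestamp is rejected to limit replay."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    signed_payload = str(timestamp).encode() + b"." + payload
    expected = hmac.new(signing_secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def sign_payload(payload: bytes, signing_secret: str, timestamp: int) -> str:
    """Build the header the sender would attach (used here only to construct test input)."""
    signed_payload = str(timestamp).encode() + b"." + payload
    mac = hmac.new(signing_secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def handle_event(payload: bytes, header: str, signing_secret: str, now: int):
    """Return ("unregister", customer_id) for a cancelled subscription,
    ("ignore", type) for any other genuine event, and None when verification fails.
    The body is parsed only after the signature has been checked."""
    if not verify_signature(payload, header, signing_secret, now):
        return None
    event = json.loads(payload)
    if event.get("type") == "customer.subscription.deleted":
        return "unregister", event["data"]["object"]["customer"]
    return "ignore", event.get("type")


# Constructed sample secret and event (placeholders, not real Stripe values).
SAMPLE_SECRET = "whsec_EXAMPLE_PLACEHOLDER"
SAMPLE_TIME = 1_700_000_000
SAMPLE_EVENT = json.dumps({
    "id": "evt_EXAMPLE",
    "type": "customer.subscription.deleted",
    "data": {"object": {"id": "sub_EXAMPLE", "customer": "cus_EXAMPLE"}},
}).encode()


if __name__ == "__main__":
    header = sign_payload(SAMPLE_EVENT, SAMPLE_SECRET, SAMPLE_TIME)
    print(handle_event(SAMPLE_EVENT, header, SAMPLE_SECRET, SAMPLE_TIME + 5))
```

Two details matter in practice: the HMAC must be computed over the raw request body exactly as received (re-serialising parsed JSON changes the bytes), and the comparison uses hmac.compare_digest so that a forged signature cannot be refined byte by byte from response timing.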

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUI. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.
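The MAC address on the device-registration page is typed by the user, so the two checks worth getting right are input normalisation (consoles print addresses in several formats) and the OUI allowlist match. This added example is not PacketFence's implementation: it models that check with a constructed OUI allowlist (placeholder prefixes, not real vendor assignments) and function names of its own, and also rejects multicast and all-zero addresses, which can never belong to a console.

```python
import re

# Constructed allowlist of OUIs (first three octets); placeholder values,
# not real vendor assignments.
ALLOWED_OUIS = {"00:11:22", "AA:BB:CC"}

_MAC_CHARS = re.compile(r"^[0-9A-Fa-f:.\-\s]+$")


def normalize_mac(raw: str):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455
    and return the canonical upper-case colon form, or None for anything else."""
    text = raw.strip()
    if not text or not _MAC_CHARS.match(text):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The vendor prefix of a canonical MAC, e.g. '00:11:22'."""
    return mac[:8]


def is_registrable(raw: str, allowed=ALLOWED_OUIS) -> bool:
    """The check the registration page performs, as this example models it:
    a well-formed unicast MAC whose OUI is on the allowlist."""
    mac = normalize_mac(raw)
    if mac is None:
        return False
    if int(mac[:2], 16) & 0x01:          # group (multicast/broadcast) bit set
        return False
    if mac == "00:00:00:00:00:00":
        return False
    return oui_of(mac) in allowed


if __name__ == "__main__":
    for candidate in ("0011.22aa.bbcc", "01:11:22:33:44:55", "not a mac"):
        print(candidate, "->", normalize_mac(candidate), is_registrable(candidate))
```

Canonicalising before the lookup also matters for the node table: storing one address in two spellings is how a device ends up registered twice under different roles.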

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
}

client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with a domain\ or @suffix username.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
            auth_pool = eduroam
            nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


    authorize {
            # pay attention to the order of the modules. It matters.
            ntdomain
            suffix
            preprocess

            # uncomment this section if you want to block eduroam users from your other SSIDs.
            # The attribute name (Called-Station-Id) may differ based on your controller.
            #if ( Called-Station-Id !~ /eduroam$/i ) {
            #        update control {
            #                Proxy-To-Realm := local
            #        }
            #}

            eap {
                    ok = return
            }

            files
            expiration
            logintime
            packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
            exec

            # we skip packetfence when the request is coming from the eduroam servers
            if ( &client:shortname != "tlrs1" && &client:shortname != "tlrs2" ) {
                    packetfence
            }

            Post-Auth-Type REJECT {
                    attr_filter.access_reject
            }
    }

Finally, make sure that the realm module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


    # 'username@realm'
    realm suffix {
            format = suffix
            delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
            format = prefix
            delimiter = "\\"
            ignore_null = yes
    }
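As an added example (not part of this guide and not PacketFence or FreeRADIUS code), the following Python model walks a User-Name through the decisions the configuration above makes: ntdomain before suffix, realm lookup, the nostrip DEFAULT realm proxied to the eduroam pool, the optional Called-Station-Id block, and the post-auth skip for requests coming from the eduroam clients. Realm names and client shortnames are taken from the examples above; case-insensitive realm matching is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Taken from the clients.conf / proxy.conf examples above.
LOCAL_REALMS = ("NULL", "EXAMPLE", "example.edu")   # realms with no auth_pool
DEFAULT_AUTH_POOL = "eduroam"                       # realm DEFAULT { auth_pool = eduroam }
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}                # client shortnames


@dataclass
class Decision:
    realm: str
    user_name: str            # User-Name as it leaves the realm module
    auth_pool: Optional[str]  # None: authenticated locally by FreeRADIUS
    run_packetfence: bool     # whether post-auth runs the packetfence module


def find_domain(user_name: str):
    """ntdomain runs before suffix in the authorize section: DOMAIN\\user is
    checked first, then user@domain. Returns (stripped user, domain or None)."""
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return user, domain
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        return user, domain
    return user_name, None


def route_request(user_name: str, client_shortname: str,
                  called_station_id: str = "",
                  block_eduroam_on_other_ssids: bool = False) -> Decision:
    """Mirror the realm selection of proxy.conf and the two unlang blocks
    from the packetfence and packetfence-tunnel virtual servers."""
    user, domain = find_domain(user_name)
    if domain is None:
        realm = "NULL"
    else:
        # Assumption: realm names are matched case-insensitively.
        known = {r.lower(): r for r in LOCAL_REALMS}
        realm = known.get(domain.lower(), "DEFAULT")

    if realm == "DEFAULT":
        auth_pool = DEFAULT_AUTH_POOL
        forwarded_name = user_name      # nostrip: eduroam needs the full name
    else:
        auth_pool = None
        forwarded_name = user

    # Optional authorize block: on SSIDs other than eduroam, force
    # Proxy-To-Realm := local so visitors' requests are never proxied.
    if block_eduroam_on_other_ssids and not called_station_id.lower().endswith("eduroam"):
        auth_pool = None

    # post-auth in packetfence-tunnel skips the packetfence module for
    # requests coming from the eduroam clients defined in clients.conf.
    run_pf = client_shortname not in EDUROAM_CLIENTS
    return Decision(realm, forwarded_name, auth_pool, run_pf)
```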

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user or organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration into the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device

IP Address: IP address of the floating device (not required, for information only)

trunkPort: Yes/no. Should the port be configured as a multi-vlan port?

pvid: VLAN in which PacketFence should put the port

taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps


Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IP addresses were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
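Whichever of the three methods above delivers the copied DHCP traffic, the listener's job is the same: read the server's DHCPACK and record which IP address went to which MAC, without ever answering. The following is an added example of that parsing step written for this guide; it is not pfdhcplistener's code. The packet builder only produces constructed sample data, and the field layout follows the standard BOOTP/DHCP header.

```python
import struct
from dataclasses import dataclass
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"          # cookie that ends the fixed BOOTP header
OPT_MSG_TYPE, OPT_LEASE_TIME, OPT_END, OPT_PAD = 53, 51, 255, 0
DHCPACK = 5


@dataclass
class Lease:
    mac: str
    ip: str
    lease_seconds: Optional[int]
    relay: Optional[str]   # giaddr: set when the copy came through an ip helper-address


def parse_options(raw: bytes) -> dict:
    """Decode the TLV option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def lease_from_packet(packet: bytes) -> Optional[Lease]:
    """Return the MAC -> IP binding carried by a DHCPACK, None for anything else.
    The ACK is the server's final word on which address the client got, which
    is exactly what a passive listener wants to record."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 2 or htype != 1 or hlen != 6:   # BOOTREPLY over Ethernet only
        return None
    yiaddr, giaddr, chaddr = packet[16:20], packet[24:28], packet[28:34]
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None
    relay = ".".join(map(str, giaddr)) if giaddr != b"\0\0\0\0" else None
    return Lease(mac=":".join(f"{b:02x}" for b in chaddr),
                 ip=".".join(map(str, yiaddr)), lease_seconds=lease, relay=relay)


def record_leases(packets, table: Optional[dict] = None) -> dict:
    """Feed copied DHCP traffic through the parser and keep the latest IP per
    MAC. Nothing is ever sent back: the listener must not act as a server."""
    table = {} if table is None else table
    for pkt in packets:
        lease = lease_from_packet(pkt)
        if lease:
            table[lease.mac] = lease.ip
    return table


def build_ack(mac: str, ip: str, lease: int, relay: str = "0.0.0.0",
              msg_type: int = DHCPACK) -> bytes:
    """Construct a minimal BOOTP/DHCP reply (sample data, not captured traffic)."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0,          # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, ip4(ip), b"\0" * 4, ip4(relay),  # ciaddr, yiaddr, siaddr, giaddr
                        chaddr, b"\0" * 64, b"\0" * 128)           # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_LEASE_TIME, 4])
               + struct.pack("!I", lease) + bytes([OPT_END]))
    return fixed + DHCP_MAGIC + options
```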

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start=auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start=auto depend=napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:

- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
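The VLAN filter and RADIUS filter rules above share one shape: named filter sections with filter/operator/value, and numbered rule sections whose name lists the filters to AND together. The following evaluator is an added example written for this guide, not PacketFence's own filter engine: it parses both configurations with Python's configparser and evaluates them against a flat request dictionary, so you can check which rule a given device would hit before deploying the file. Assumptions: only the `is` and `defined` operators and the `wd {…} hr {…}` time syntax used above are modelled, a leading `!` negates a filter, and `$name` placeholders in answerN keys are resolved from the request dictionary.

```python
import configparser
import re
from datetime import datetime

# Constructed copies of the two rule files discussed above.
VLAN_FILTERS = """\
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""

RADIUS_FILTERS = """\
[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep:$session_id
"""


def _hour(token):
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)", token.strip().lower())
    hour = int(m.group(1)) % 12
    return hour + 12 if m.group(2) == "pm" else hour


def in_period(spec, now):
    """True when `now` falls inside a 'wd {Mon ...} hr {11am-2pm}' period
    (only the wd and hr scales used on this page are modelled)."""
    for scale, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if scale == "wd" and now.strftime("%a") not in body.split():
            return False
        if scale == "hr":
            start, end = (_hour(t) for t in body.split("-"))
            if not start <= now.hour < end:
                return False
    return True


def _check(filt, request, now):
    """Apply one [name] section (filter / operator / value) to the request."""
    op, value = filt["operator"], filt.get("value", "")
    if filt["filter"] == "time":
        return in_period(value, now)
    actual = request.get(filt["filter"])
    if op == "defined":
        return actual is not None
    if op == "is":
        return actual == value
    raise ValueError(f"operator not modelled here: {op}")


def _substitute(text, request):
    """Resolve $user_role, $switch._portalURL, $session_id ... from the request."""
    return re.sub(r"\$([\w.]+)",
                  lambda m: str(request.get(m.group(1), m.group(0))), text)


def evaluate(config_text, scope, request, now=None):
    """Return the first [N:a&b&!c] rule for `scope` whose filters all match,
    with $placeholders in its answerN keys resolved, or None. `request` is a
    flat dict keyed like the filter names (node_info.category, ssid, ...)."""
    now = now or datetime.now()
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    for section in cfg.sections():
        if ":" not in section or cfg[section].get("scope") != scope:
            continue
        terms = section.split(":", 1)[1].split("&")
        # a leading "!" negates the filter, as in [1:etherneteap&!violation]
        if all(_check(cfg[t.lstrip("!")], request, now) != t.startswith("!")
               for t in terms):
            rule = dict(cfg[section])
            for key in rule:
                if key.startswith("answer"):
                    rule[key] = _substitute(rule[key], request)
            return rule
    return None
```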


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, …).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise, pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.


Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, the configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, the Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

    # PacketFence OPSWAT Metadefender Cloud integration
    # This line specifies where the files-json.log file is located
    # -> Make sure to configure the right path along with the right filename
    source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
    # This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514
    # -> Make sure to configure the right PacketFence management interface IP address
    destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
    # This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
    log { source(s_suricata_files); destination(d_packetfence); };

Arestartofthesyslog-ngdaemonisrequired

service syslog-ng restart

On the PacketFence server:

Modify rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: The scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata
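The following Python program is an added example and is not part of the PacketFence guide or code base. It models the hand-off described above: rsyslog writes the forwarded lines into the FIFO and PacketFence's syslog parser blocks on that pipe and reads them, extracting the downloading client's address and the MD5 that a suricata_md5 trigger is keyed on. The sample lines are constructed; their field names (srcip, dstip, md5, filename) follow Suricata's files-json.log output and the choice of dstip as the downloading client is an assumption. The same pipe mechanism is what the Security Onion integration further down relies on.

```python
import json
import os
import tempfile
import threading

# Constructed sample of three lines as they would arrive through the
# syslog-ng -> rsyslog -> FIFO chain (flags(no-parse) keeps the raw JSON).
# Field names follow Suricata's files-json.log output; that is an assumption.
SAMPLE_LINES = [
    '{"timestamp":"2016-06-01T10:00:00.000000","srcip":"203.0.113.10",'
    '"dstip":"192.0.2.25","http_host":"files.example.test","filename":"/tool.exe",'
    '"md5":"D41D8CD98F00B204E9800998ECF8427E","size":2048}',
    'not json at all',  # a malformed line must not stop the reader
    '{"timestamp":"2016-06-01T10:00:02.000000","srcip":"203.0.113.11",'
    '"dstip":"192.0.2.26","filename":"/report.pdf","size":5000}',  # no md5: skipped
]


def parse_file_event(line):
    """Return (client_ip, md5, filename) for one files-json line, or None.

    Assumption: the file flows server -> client, so dstip is the downloading
    node whose MAC PacketFence would resolve for the violation."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    md5 = event.get("md5")
    if not isinstance(md5, str) or len(md5) != 32:
        return None
    return (event.get("dstip"), md5.lower(), event.get("filename"))


def read_events_from_fifo(path, max_lines):
    """Block on the FIFO like PacketFence's syslog parser and collect parsed events."""
    events = []
    with open(path) as fifo:  # blocks until a writer (rsyslog) opens the pipe
        for _ in range(max_lines):
            line = fifo.readline()
            if not line:  # writer closed the pipe
                break
            parsed = parse_file_event(line.strip())
            if parsed is not None:
                events.append(parsed)
    return events


def demo():
    """Create a temporary FIFO, feed it the sample lines from a thread
    (standing in for rsyslog) and return what the reader extracted."""
    tmpdir = tempfile.mkdtemp()
    fifo_path = os.path.join(tmpdir, "suricata_files")
    os.mkfifo(fifo_path)

    def writer():
        with open(fifo_path, "w") as pipe:
            for line in SAMPLE_LINES:
                pipe.write(line + "\n")

    thread = threading.Thread(target=writer)
    thread.start()
    try:
        return read_events_from_fifo(fifo_path, len(SAMPLE_LINES))
    finally:
        thread.join()
        os.remove(fifo_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for client_ip, md5, filename in demo():
        print("%s downloaded %s (md5 %s)" % (client_ip, filename, md5))
```

Note that the reader tolerates malformed and MD5-less lines instead of aborting: with rsyslog on the other end of the pipe, a parser that exits on bad input would silently stop the whole integration.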

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation

Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

A configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

Type: detect
Triggers ID: The IDS triggered rule ID

Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition:

Where:

Enabled is whether or not the violation is currently activated (should be ON).

Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.

Description is the user friendly description of the violation.

Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node.

Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.

Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.

Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.

Log message will log the violation in the log file defined in [alerting].log.

External command will execute a command on the operating system when this violation is raised.

Close a violation will close an existing violation for this device when this one is raised.

Set role will modify the role of the device.

Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.

Priority defines the order in which violations should be handled, should there be more than one for a device.

Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases:

A device that has generated Peer-to-peer traffic and that is using MAC OS X

A device that has been detected as being a rogue DHCP

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear into which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.

Where:

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, he will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (ie. You have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.

Delay by is the delay before triggering the violation.

Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS or WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are now able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note: You may run into some issue while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web gui and retrieving the IDs from the filenames.

For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives the report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration vlan
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic)
802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to Nessus scan
Password: Password to connect to Nessus scan
Port of the service: port to connect (default 8834)
Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to OpenVAS scan
Password: Password to connect to OpenVAS scan
Port of the service: port to connect (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server

Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed
logged_user
Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem

Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

the request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.

Inside the Rules Actions, we define 2 sorts of blocs: the test bloc (ie. [explorer]) and the action bloc (ie. [1:explorer]).

The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like this: [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
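The following Python program is an added example, not code from PacketFence: it implements the rule semantics just described (test blocs with the is / is_not / match / match_not operators, and action-bloc conditions built from test names with !, & and |) and runs them on constructed rows standing in for the Win32_Product and Win32_Process request results. The page does not say how PacketFence represents rows or combines per-row results, so "any row satisfies" for is/match, "no row satisfies" for is_not/match_not, and regular-expression search for match are assumptions of this example; the memory test bloc is hypothetical.

```python
import re

# Constructed sample rows standing in for what the WMI requests on the page
# return; a list of dicts keyed by attribute name is an assumption about the
# shape of the result, not PacketFence's internal representation.
WIN32_PRODUCT = [{"Caption": "Google Chrome"}, {"Caption": "7-Zip 15.14"}]
WIN32_PROCESS = [{"Name": "explorer.exe"}, {"Name": "svchost.exe"}]


def run_test(rows, attribute, operator, value):
    """Evaluate one test bloc (attribute/operator/value) against the request rows.

    Assumption: 'is' and 'match' hold if any row satisfies them; 'is_not' and
    'match_not' hold only if no row does. 'match' is a regular-expression search."""
    hits = []
    for row in rows:
        actual = str(row.get(attribute, ""))
        if operator in ("is", "is_not"):
            hits.append(actual == value)
        elif operator in ("match", "match_not"):
            hits.append(re.search(value, actual) is not None)
        else:
            raise ValueError("unknown operator: %s" % operator)
    return any(hits) if operator in ("is", "match") else not any(hits)


TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([!&|()]))")


def tokenize(expr):
    """Split an action-bloc condition into test names and the operators ! & | ( )."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError("bad character in expression at: %s" % expr[pos:])
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


def evaluate(expr, results):
    """Evaluate a condition such as '!google|(explorer&memory)' against a dict
    mapping test-bloc names to booleans. '!' binds tightest, then '&', then '|'."""
    tokens = tokenize(expr)
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of expression: %s" % expr)
        pos[0] += 1
        return tok

    def parse_or():
        val = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()
            val = val or rhs
        return val

    def parse_and():
        val = parse_not()
        while peek() == "&":
            take()
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in: %s" % expr)
            return val
        if tok not in results:
            raise ValueError("unknown test bloc: %s" % tok)
        return results[tok]

    val = parse_or()
    if peek() is not None:
        raise ValueError("trailing input in: %s" % expr)
    return val


def check_sample_rules():
    """Run the page's test blocs on the sample rows, then the two action-bloc conditions."""
    results = {
        "google": run_test(WIN32_PRODUCT, "Caption", "match", "Google"),
        "explorer": run_test(WIN32_PROCESS, "Name", "match", "explorer.exe"),
        "memory": run_test(WIN32_PROCESS, "Name", "is", "memory.exe"),  # hypothetical bloc
    }
    return {
        "google&explorer": evaluate("google&explorer", results),
        "!google|(explorer&memory)": evaluate("!google|(explorer&memory)", results),
    }
```

The condition is parsed with a small recursive-descent parser rather than being handed to eval: rule text is configuration, and a parser that only understands test names and the three operators cannot be turned into arbitrary code execution by a badly written rule.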

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:

PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is actually the time window we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:

Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (ie. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.

Oinkmaster

Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster

2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)

Guests Management

PacketFence supports the ability to manage guests by establishing expire dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register themselves using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable his access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guests managers to create single accounts, multiple accounts using a prefix (ie. guest1, guest2, guest3...) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.

Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:

<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept the PacketFence web services certificate without validation (it is self-signed by default)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4726 holds the account name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (Usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accept the PacketFence web services certificate without validation (it is self-signed by default)
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # ReplacementStrings[0] of event 4725 holds the account name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel.

Validate with Ok and give the account that will run this task (Usually DOMAIN\Administrator).

LockedAccountCreate the script unreg_node_locked_accountps1 on theWindows Serverwith the followingcontentMakesuretochangeIP_PACKETFENCEtotheIPaddressofyourPacketFenceserverYoursquollalsoneedtochangetheusernameandpasswordastheymustmatchthecredentialsdefinedintheWebadmininterfaceunderConfigurationrarrWebServices

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 114

Powershell script to unregister locked Active Directory account based on the UserName

Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStringsAccount name| $url = httpsIP_PACKETFENCE9090 $username = admin Username for the webservices $password = admin Password for the webservices [SystemNetServicePointManager]ServerCertificateValidationCallback = $true $command = jsonrpc 20 method unreg_node_for_pid params [pid +$_ReplacementStrings[0]+]

$bytes = [SystemTextEncoding]ASCIIGetBytes($command) $web = [SystemNetWebRequest]Create($url) $webMethod = POST $webContentLength = $bytesLength $webContentType = applicationjson-rpc $webCredentials = new-object SystemNetNetworkCredential($username $password) $stream = $webGetRequestStream() $streamWrite($bytes0$bytesLength) $streamclose()

$reader = New-Object SystemIOStreamreader -ArgumentList $webGetResponse()GetResponseStream() $readerReadToEnd() $readerClose()

CreatethescheduledtaskbasedonaneventIDStartrarrRunrarrTaskschdmsc

TaskSchedulerrarrTaskSchedulerLibraryrarrEventViewerTaskrarrCreateTask

General

Name PacketFence-Unreg_node-for-locked-accountCheck Run whether user is logged on or notCheck Run with highest privileges

TriggersrarrNew

Begin on the task On an eventLog SecuritySource Microsoft Windows security auditingEvent ID 4740

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 115

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
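The script above builds its JSON-RPC body by string concatenation, so an account name containing a double quote or backslash produces a malformed (or differently shaped) request. The following is an added example, not part of the PacketFence guide or project, showing the same unreg_node_for_pid call built with a JSON encoder and the reply classified before it is logged. The URL, credentials and the sample replies are constructed placeholders; the method name and parameter layout are the ones the script uses.

```python
import json
import ssl
import urllib.request
from typing import Any, Dict, Optional

# Placeholders with the same role as in the PowerShell script above.
PF_URL = "https://IP_PACKETFENCE:9090/"
WS_USERNAME = "admin"
WS_PASSWORD = "admin"


def build_unreg_request(username: str) -> str:
    """Return the JSON-RPC body for one locked account.

    json.dumps escapes quotes and backslashes, so the account name always
    stays a single string parameter whatever characters it contains.
    """
    body = {
        "jsonrpc": "2.0",
        "method": "unreg_node_for_pid",
        "params": ["pid", username],
    }
    return json.dumps(body)


def parse_unreg_response(raw: str) -> Dict[str, Any]:
    """Classify a JSON-RPC 2.0 reply as success, RPC error or malformed."""
    try:
        reply = json.loads(raw)
    except ValueError:
        return {"ok": False, "reason": "not json"}
    if not isinstance(reply, dict) or reply.get("jsonrpc") != "2.0":
        return {"ok": False, "reason": "unexpected envelope"}
    if "error" in reply:
        err = reply["error"] if isinstance(reply["error"], dict) else {}
        return {"ok": False, "reason": "rpc error",
                "code": err.get("code"), "message": err.get("message")}
    return {"ok": True, "result": reply.get("result")}


def send_unreg(username: str, url: str = PF_URL, user: str = WS_USERNAME,
               password: str = WS_PASSWORD,
               context: Optional[ssl.SSLContext] = None) -> Dict[str, Any]:
    """POST the request with HTTP basic auth, as the script does.

    Certificate validation stays on; for a private CA pass a context made
    with ssl.create_default_context(cafile=...).  Needs network access, so
    it is not exercised by the offline test.
    """
    body = build_unreg_request(username).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPBasicAuthHandler(pw_mgr),
        urllib.request.HTTPSHandler(context=context or ssl.create_default_context()),
    )
    with opener.open(req, timeout=10) as resp:
        return parse_unreg_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a name that would break string concatenation.
    print(build_unreg_request('j"doe'))
    print(parse_unreg_response('{"jsonrpc": "2.0", "result": 1, "id": null}'))
```

Keeping certificate validation enabled (the script turns it off) means the credentials for the web services are only ever sent to the PacketFence host whose certificate you trust.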

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than the DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forward them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First download and unzip nssm from http://nssm.cc/download

Next create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).

Then run nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:

mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local

where pcap0 is the pcap interface where your DHCP server listens on (List them using udp_reflector -l)

where 192.168.1.5 is the management IP of your PacketFence server

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From the PacketFence's web admin interface you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write" and assign this role to an internal user or in an Administration rule in an internal source.

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to perform some custom rules, you can modify conf/iptables.conf to your own needs. However, the default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend to use logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and it's configured to do a weekly log rotation and keeping old logs with compression. It has been added during PacketFence initial installation.

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Due to the fact that traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default, PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
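To make the trap-limit behaviour concrete, here is an added example (not PacketFence code; PacketFence applies this limit inside its own daemon) of a per-port sliding one-minute window that flags a switch port once more than trap_limit_threshold traps have arrived from it. The trap records (switch IP, ifIndex, timestamp) and the action strings are constructed for the example; an empty action mirrors the default configuration above, where the activity is only logged.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 60            # "from the same switch port in a minute"
TRAP_LIMIT_THRESHOLD = 100     # trap_limit_threshold = 100 (default shown above)


class TrapLimiter:
    """Keeps a sliding window of trap timestamps per (switch, ifIndex)."""

    def __init__(self, threshold: int = TRAP_LIMIT_THRESHOLD,
                 window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._seen: Dict[Tuple[str, int], Deque[float]] = defaultdict(deque)
        self.triggered: Dict[Tuple[str, int], float] = {}

    def record(self, switch_ip: str, if_index: int, ts: float) -> bool:
        """Register one trap; True only the first time a port crosses the limit."""
        key = (switch_ip, if_index)
        q = self._seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:      # drop traps older than a minute
            q.popleft()
        if len(q) > self.threshold and key not in self.triggered:
            self.triggered[key] = ts
            return True
        return False


def apply_limit(traps: List[Tuple[str, int, float]],
                threshold: int = TRAP_LIMIT_THRESHOLD,
                action: str = "") -> List[Tuple[str, int, str]]:
    """Replay traps in time order; return (switch, port, action) decisions.

    An empty trap_limit_action means "log only", as in the default config.
    """
    limiter = TrapLimiter(threshold)
    decisions = []
    for switch_ip, if_index, ts in traps:
        if limiter.record(switch_ip, if_index, ts):
            decisions.append((switch_ip, if_index, action or "log"))
    return decisions


def constructed_traps() -> List[Tuple[str, int, float]]:
    """Constructed sample feed from one switch (10.0.0.2, a placeholder):
    port 5 floods 150 traps in 30 s, port 7 sends 50 traps over 5 minutes,
    port 9 sends 120 traps but never more than 31 in any one minute."""
    traps = []
    traps += [("10.0.0.2", 5, 1000 + i * 0.2) for i in range(150)]
    traps += [("10.0.0.2", 7, 1000 + i * 6.0) for i in range(50)]
    traps += [("10.0.0.2", 9, 1000 + i * 2.0) for i in range(120)]
    return sorted(traps, key=lambda t: t[2])


if __name__ == "__main__":
    for decision in apply_limit(constructed_traps()):
        print("trap limit reached:", decision)
```

Only port 5 is flagged: port 9 sends more traps in total than the threshold, but the limit is about the rate within one minute, not the count, which is why a window rather than a plain counter is the right model.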

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79

Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO Wait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence... [ OK ]
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):

[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL. [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence... [ OK ]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvement. The tool is bundled with PacketFence and can be run from the command-line:

/usr/local/bin/pftest mysql

Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh located in addons/ that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100) so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, …).

Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain _generate_204.
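The following is an added example, not PacketFence code, of a small evaluator for the apache_filters.conf layout shown above: test blocks are looked up by name, a rule block named name:test1&test2 fires when every listed test passes, and the rule's action block is returned. The page does not say how PacketFence's own Apache module interprets "match"; here it is assumed to be a case-sensitive regular-expression search, with "match_not" as its negation, and the request dicts below are constructed.

```python
import configparser
import re
from typing import Dict, List, Optional, Tuple

# The two test blocks and the rule block from the text above, verbatim.
SAMPLE_CONF = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""

Test = Dict[str, str]
Rule = Tuple[str, List[str], Dict[str, str]]   # (rule name, test names, action block)


def load_filters(text: str) -> Tuple[Dict[str, Test], List[Rule]]:
    """Split the INI-style file into test blocks and rule blocks."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests: Dict[str, Test] = {}
    rules: List[Rule] = []
    for section in cp.sections():
        if ":" in section:                       # rule: name:test1&test2&...
            name, expr = section.split(":", 1)
            rules.append((name, expr.split("&"), dict(cp[section])))
        else:                                    # plain test block
            tests[section] = dict(cp[section])
    return tests, rules


def run_test(test: Test, request: Dict[str, str]) -> bool:
    """Apply one test block: the method must be equal, then the operator is
    applied to the request field named by 'filter' (user_agent or uri)."""
    if request.get("method") != test["method"]:
        return False
    field = request.get(test["filter"], "")
    hit = re.search(test["value"], field) is not None   # assumption: regex search
    op = test["operator"]
    if op == "match":
        return hit
    if op == "match_not":
        return not hit
    raise ValueError("unknown operator %r" % op)


def evaluate(request: Dict[str, str], text: str = SAMPLE_CONF) -> Optional[Dict[str, str]]:
    """Return the action block of the first rule whose tests all pass, else None."""
    tests, rules = load_filters(text)
    for name, needed, action in rules:
        if all(run_test(tests[t], request) for t in needed):
            return {"rule": name, **action}
    return None


if __name__ == "__main__":
    # Constructed requests: an Android connectivity check and a normal browser.
    print(evaluate({"method": "GET", "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)", "uri": "/"}))
    print(evaluate({"method": "GET", "user_agent": "Mozilla/5.0", "uri": "/"}))
```

The Dalvik request to a URI other than generate_204 gets the 501 action; the same client asking for /generate_204 is left alone, which is the point of combining the two tests in one rule.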

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak

Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.

Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:

Usage: pfcmd <command> [options]

Commands:
  cache                       | manage the cache subsystem
  checkup                     | perform a sanity checkup and report any problems
  class                       | view violation classes
  configfiles                 | push or pull configfiles into/from database
  configreload                | reload the configution
  floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
  help                        | show help for pfcmd commands
  ifoctetshistorymac          | accounting history
  ifoctetshistoryswitch       | accounting history
  ifoctetshistoryuser         | accounting history
  import                      | bulk import of information into the database
  ipmachistory                | IP/MAC history
  locationhistorymac          | Switch/Port history
  locationhistoryswitch       | Switch/Port history
  networkconfig               | query/modify network configuration parameters
  node                        | manipulate node entries
  pfconfig                    | interact with pfconfig
  portalprofileconfig         | query/modify portal profile configuration parameters
  reload                      | rebuild fingerprint or violations tables without restart
  service                     | start/stop/restart and get PF daemon status
  schedule                    | Nessus scan scheduling
  switchconfig                | query/modify switches.conf configuration parameters
  version                     | output version information
  violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.

Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACS on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias                switch port description
  -ifAdminStatus        ifAdminStatus
  -ifIndex              switch port ifIndex
  -mac                  MAC address
  -showPF               show additional information available in PF
  -switch               switch description
  -verbose              log verbosity level
                          0 : fatal messages
                          1 : warn messages
                          2 : info messages
                          3 : debug
                          4 : trace
  -vlan                 VLAN id
  -vlanName             VLAN name (as in switches.conf)

Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall / gateway.

Components

PacketFence requires various components to work such as a Web server, a database server and a RADIUS server. It interacts with external tools to extend its functionalities.

System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architectures:

- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note

Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.

RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from RedHat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator.

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence

Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce the registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.

Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered, and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's mac address to go through it.

Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server increasing the server's load considerably: Plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware providing a clean migration path to VLAN enforcement.

Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible one to another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP) which has many variants. Both supplicant and authentication servers need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).

In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence which creates user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal VLAN".

Web Auth mode

Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample webauth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

YouneedtocreatearegistrationVLAN(withaDHCPserverbutnoroutingtootherVLANs)inwhichPacketFencewillputunregistereddevicesIfyouwanttoisolatecomputerswhichhaveopenviolationsinaseparateVLANanisolationVLANneedsalsotobecreated

linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration) and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
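The trigger syntax above, as an added example that is not PacketFence's own code: a Python evaluator that parses a trigger string and decides, for one connection, whether inline enforcement applies. The trigger types (ALWAYS, PORT, MAC, SSID) and the comma-separated TYPE::value form come from the text; the connection dictionary and its keys (ifindex, mac, ssid) are this example's assumptions.

```python
"""Added example, not PacketFence code: evaluate the "Trigger to enable inline
mode" string described above. Trigger types (ALWAYS, PORT, MAC, SSID) and the
comma-separated TYPE::value syntax come from the guide; the connection
dictionary and its keys (ifindex, mac, ssid) are this example's assumptions."""
from typing import Dict, List, Optional, Tuple

KINDS = ("ALWAYS", "PORT", "MAC", "SSID")


def parse_triggers(spec: str) -> List[Tuple[str, Optional[str]]]:
    """Turn 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into [(kind, value), ...]."""
    triggers = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        kind, sep, value = item.partition("::")
        kind = kind.upper()
        if kind == "ALWAYS":
            triggers.append(("ALWAYS", None))
        elif kind in KINDS and sep and value:
            # MAC addresses are compared case-insensitively, so normalise once here.
            triggers.append((kind, value.lower() if kind == "MAC" else value))
        else:
            raise ValueError(f"malformed inline trigger: {item!r}")
    return triggers


def use_inline(spec: str, connection: Dict[str, object]) -> bool:
    """True when any trigger in the spec matches the connection."""
    for kind, value in parse_triggers(spec):
        if kind == "ALWAYS":
            return True
        if kind == "PORT" and str(connection.get("ifindex", "")) == value:
            return True
        if kind == "MAC" and str(connection.get("mac", "")).lower() == value:
            return True
        if kind == "SSID" and connection.get("ssid") == value:
            return True
    return False


if __name__ == "__main__":
    spec = "SSID::GuestAccess,MAC::00:11:22:33:44:55"
    print(use_inline(spec, {"ssid": "GuestAccess", "mac": "aa:bb:cc:dd:ee:ff"}))  # True
    print(use_inline(spec, {"ssid": "Corp", "mac": "00:11:22:33:44:55"}))        # True
    print(use_inline(spec, {"ssid": "Corp", "mac": "aa:bb:cc:dd:ee:ff"}))        # False
```

A malformed trigger raises instead of silently matching nothing, so a typo in the switch configuration is caught when the value is loaded rather than discovered as a device that never lands in inline mode.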


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match wins algorithm. Roles are then matched to a VLAN, internal roles or an ACL on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory
Apache htpasswd file
Email
External HTTP API
Facebook (OAuth 2)
Github (OAuth 2)
Google (OAuth 2)
Kerberos
LDAP
LinkedIn (OAuth 2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth 2)
Windows Live (OAuth 2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.
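The evaluation order just described, as an added example that is not PacketFence's own code: a Python model in which sources are tried in order, rules within a source in order, and the first rule whose conditions all match returns its actions and stops the search across all sources. A rule with no conditions is the fallback. The condition operators, attribute names, action names and the two directories are this example's constructions, not PacketFence's API.

```python
"""Added example, not PacketFence code: a small model of how authentication
sources and their rules are evaluated. Sources are tried in order; inside a
source, rules are tried in order; the first rule whose conditions all match
wins, its actions are returned, and evaluation stops across all sources.
A rule with no conditions is a fallback that matches any user the source
authenticated. Operators, attribute names and the directories are this
example's own constructions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Condition:
    attribute: str
    operator: str  # "equals", "starts", "ends" or "contains"
    value: str

    def matches(self, user: Dict[str, object]) -> bool:
        actual = user.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "equals":
            return str(actual) == self.value
        if self.operator == "starts":
            return str(actual).startswith(self.value)
        if self.operator == "ends":
            return str(actual).endswith(self.value)
        if self.operator == "contains":
            # Works for string attributes and for multi-valued ones such as memberOf.
            return self.value in actual
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    name: str
    conditions: List[Condition] = field(default_factory=list)
    actions: Dict[str, str] = field(default_factory=dict)

    def matches(self, user: Dict[str, object]) -> bool:
        # all() over an empty list is True: a rule without conditions is a catch-all.
        return all(c.matches(user) for c in self.conditions)


@dataclass
class Source:
    name: str
    # Returns the user's attributes when the credentials are valid, else None.
    authenticate: Callable[[str, str], Optional[Dict[str, object]]]
    rules: List[Rule] = field(default_factory=list)


def evaluate(sources: List[Source], username: str, password: str
             ) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """First-match-wins over sources and rules: (source, rule, actions) or None."""
    for source in sources:
        user = source.authenticate(username, password)
        if user is None:
            continue  # unknown here (or bad password): try the next source
        for rule in source.rules:
            if rule.matches(user):
                return source.name, rule.name, dict(rule.actions)
    return None


# Constructed sample directories standing in for an AD source and the internal SQL database.
AD_USERS = {
    "jdoe": {"password": "Winter2016", "sAMAccountName": "jdoe",
             "memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
    "asmith": {"password": "Spring2016", "sAMAccountName": "asmith",
               "memberOf": ["CN=Sales,CN=Users,DC=acme,DC=local"]},
}
LOCAL_USERS = {"guest1": {"password": "pin1234", "username": "guest1"}}


def directory_auth(directory):
    """Build an authenticate() callback over a constructed username -> entry map."""
    def authenticate(username, password):
        entry = directory.get(username)
        if entry is None or entry["password"] != password:
            return None
        return {k: v for k, v in entry.items() if k != "password"}
    return authenticate


SOURCES = [
    Source("ad1", directory_auth(AD_USERS), rules=[
        Rule("it-staff",
             conditions=[Condition("memberOf", "contains", "CN=IT,CN=Users,DC=acme,DC=local")],
             actions={"set_role": "employee", "set_access_level": "ALL"}),
        Rule("employees",  # catch-all: must come after the more specific rule
             actions={"set_role": "employee", "set_unregdate": "2020-01-01"}),
    ]),
    Source("local", directory_auth(LOCAL_USERS), rules=[
        Rule("guests", actions={"set_role": "guest", "set_access_duration": "1D"}),
    ]),
]

if __name__ == "__main__":
    for creds in (("jdoe", "Winter2016"), ("asmith", "Spring2016"),
                  ("guest1", "pin1234"), ("jdoe", "wrong")):
        print(creds[0], "->", evaluate(SOURCES, *creds))
```

The ordering matters in the way the text warns about: if the catch-all "employees" rule were placed before "it-staff", every AD user would stop at the catch-all and the IT-specific actions would never apply.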

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: employee
Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth
Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}


Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response (note that not all attributes are necessary; only send back what you need):

    {"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
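The two actions and the HTTP source fields above, as an added example that is not PacketFence's own addon (see /usr/local/pf/addons/example_external_auth for the reference): a minimal external API in Python that answers the authentication call with the result/message JSON, answers the authorization call with only the reply attributes the guide lists, and requires the RFC 2617 basic-auth credentials configured in the API username/password fields. The POST field names ("username", "password"), the URL paths, the listening port and the user store are this example's assumptions.

```python
"""Added example, not PacketFence's own addon: a minimal external HTTP API
answering PacketFence's authentication and authorization calls with the JSON
shapes described in the guide, behind HTTP basic authentication. The POST
field names ("username", "password"), the URL paths and the user store are
this example's assumptions; /usr/local/pf/addons/example_external_auth is
the reference implementation."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed user store: username -> (password, attributes the API may return).
USERS = {
    "alice": ("s3cret", {"category": "employee", "access_duration": "1D", "access_level": "ALL"}),
    "bob": ("guestpw", {"category": "guest", "unregdate": "2030-01-01", "sponsor": 0,
                        "department": "visitors"}),
}
# Credentials PacketFence is configured with in the HTTP source's API username/password fields.
API_USER, API_PASSWORD = "pf", "api-password"
# Only these reply attributes are meaningful to PacketFence (from the guide).
AUTHZ_ATTRIBUTES = {"access_duration", "access_level", "sponsor", "unregdate", "category"}


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison for credentials."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_auth_header(user: str, password: str) -> str:
    """Build the RFC 2617 Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(header) -> bool:
    """Accept only the configured API credentials; malformed headers are rejected."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return _eq(user, API_USER) and _eq(password, API_PASSWORD)


def authenticate(fields: dict) -> dict:
    """Authentication action: {"result": 1 or 0, "message": reason}."""
    entry = USERS.get(fields.get("username", ""))
    if entry is None or not _eq(entry[0], fields.get("password", "")):
        return {"result": 0, "message": "Invalid username or password"}
    return {"result": 1, "message": "Valid username and password"}


def authorize(fields: dict) -> dict:
    """Authorization action: only attributes PacketFence understands, only those set."""
    entry = USERS.get(fields.get("username", ""))
    if entry is None:
        return {}
    return {k: v for k, v in entry[1].items() if k in AUTHZ_ATTRIBUTES}


class Handler(BaseHTTPRequestHandler):
    # Relative Authentication/Authorization URLs configured in the HTTP source (assumed).
    ROUTES = {"/authentication": authenticate, "/authorization": authorize}

    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        action = self.ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode("utf-8", "replace")
        fields = {k: v[0] for k, v in parse_qs(raw).items()}  # the POST form fields
        body = json.dumps(action(fields)).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # The Host field in PacketFence would then be http://127.0.0.1:8080 (assumed).
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The authorization reply drops attributes PacketFence does not list (here "department"), and both endpoints sit behind the same basic-auth check, so a PacketFence source configured without API credentials gets a 401 rather than a silent accept.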

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata onto the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider onto the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.


Then, to configure SAML in PacketFence, go to Configuration → Sources, then create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated with the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred onto the server above (should be in /usr/local/pf/conf/ssl/idp.crt).


Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred onto the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go to Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support the RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch.

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).


PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.


Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
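An added example, not part of PacketFence, covering the switches.conf material in this section (the [default] section inherited by every switch, the SNMP, radiusSecret, cliTransport and wsTransport parameters, and the <rolename>Role=<controller_role> mapping): a Python audit that parses a switches.conf, computes each switch's effective settings, extracts its role mapping and reports settings that leave the PacketFence-to-switch channel in cleartext or leave RFC 3576 CoA unusable. The sample file is constructed; the key names SNMPCommunityRead, SNMPCommunityWrite and description are assumptions, as is the use of IP addresses as section names.

```python
"""Added example, not part of PacketFence: audit a switches.conf for settings
that weaken the channel between PacketFence and the switches, using the
parameters shown in this section. Per-switch sections inherit from [default]
as the file does. The sample file is constructed; "SNMPCommunityRead",
"SNMPCommunityWrite" and "description" are assumed key names."""
import configparser
from typing import Dict, List

SAMPLE_SWITCHES_CONF = """\
[default]
SNMPVersion = 2c
SNMPCommunityRead = public
SNMPCommunityWrite = private
cliTransport = Telnet
wsTransport = http
adminRole = full-access
engineeringRole = full-access
salesRole = little-access

[192.168.0.10]
description = core-sw1
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
radiusSecret = secretPassPhrase
cliTransport = SSH
wsTransport = https

[192.168.0.11]
description = access-sw7
salesRole = sales-acl
"""


def load_switches(text: str) -> Dict[str, Dict[str, str]]:
    """Parse switches.conf; each switch gets [default] values unless it overrides them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: SNMPVersion, adminRole, ...
    cp.read_string(text)
    defaults = dict(cp["default"]) if cp.has_section("default") else {}
    switches = {}
    for name in cp.sections():
        if name == "default":
            continue
        effective = dict(defaults)
        effective.update(cp[name])
        switches[name] = effective
    return switches


def role_mapping(settings: Dict[str, str]) -> Dict[str, str]:
    """Collect <rolename>Role = <controller_role> entries into {rolename: controller_role}."""
    return {k[:-4]: v for k, v in settings.items() if k.endswith("Role") and len(k) > 4}


def audit_switch(settings: Dict[str, str]) -> List[str]:
    """Findings for one switch's effective settings (empty list means nothing to report)."""
    findings = []
    version = settings.get("SNMPVersion", "")
    if version != "3":
        findings.append(f"SNMPVersion = {version or 'unset'}: community strings travel in "
                        "cleartext; use SNMPv3 with authentication and privacy")
    else:
        for side in ("Read", "Write", "Trap"):
            if settings.get(f"SNMPAuthProtocol{side}") == "MD5":
                findings.append(f"SNMPAuthProtocol{side} = MD5: SHA is the stronger USM choice")
    if settings.get("cliTransport", "").lower() == "telnet":
        findings.append("cliTransport = Telnet: CLI credentials sent in cleartext; prefer SSH")
    if settings.get("wsTransport", "").lower() == "http":
        findings.append("wsTransport = http: web-services credentials sent in cleartext; prefer https")
    if not settings.get("radiusSecret"):
        findings.append("radiusSecret unset: RADIUS and RFC 3576 CoA/Disconnect cannot work")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    return {name: audit_switch(s) for name, s in load_switches(text).items()}


if __name__ == "__main__":
    switches = load_switches(SAMPLE_SWITCHES_CONF)
    for name, findings in audit(SAMPLE_SWITCHES_CONF).items():
        print(name, role_mapping(switches[name]))
        for finding in findings:
            print("  -", finding)
```

The inheritance step is the part worth checking by hand: access-sw7 defines almost nothing itself, so every weak value it reports actually comes from [default], which is where a fix would have to be made for all switches at once.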

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name, since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

SSID:Guest-SSID
VLAN:100
SwitchPort:<SwitchId>-<Port>
Network:Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1x connection or if you use VLAN filters.
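The profiles.conf layout and the filter examples above, as an added example that is not PacketFence's own code: a Python selector that parses a profiles.conf, tries each profile's filter against one connection and returns the first match together with its authentication source IDs, falling back to the default profile. The Type:value filter form for SSID, VLAN, SwitchPort and Network, the file-order precedence, the connection keys and the sample profiles.conf are this example's assumptions.

```python
"""Added example, not PacketFence code: pick the portal profile for a
connection from a profiles.conf, using the filter types shown in the guide
(SSID, VLAN, SwitchPort, Network). Profiles are tried in file order and the
first matching filter wins, falling back to the default profile; that
ordering rule, the Type:value filter form and the connection keys are this
example's assumptions. The profiles.conf below is constructed."""
import configparser
import ipaddress
from typing import Dict, List, Tuple

SAMPLE_PROFILES_CONF = """\
[guest]
description = Guest wireless portal
filter = SSID:Guest-SSID
sources = email,sms

[lab]
description = Lab VLAN portal
filter = VLAN:100
sources = local

[contractors]
description = Contractor network
filter = Network:10.20.0.0/16
sources = ad1

[kiosk]
description = One lobby port
filter = SwitchPort:192.168.0.10-10003
sources = null
"""


def load_profiles(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Profiles in file order, each as (name, settings)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return [(name, dict(cp[name])) for name in cp.sections()]


def filter_matches(filter_spec: str, conn: Dict[str, object]) -> bool:
    """Evaluate one Type:value filter against the connection attributes."""
    kind, sep, value = (part.strip() for part in filter_spec.partition(":"))
    if not sep:
        raise ValueError(f"filter must be Type:value, got {filter_spec!r}")
    if kind == "SSID":
        return conn.get("ssid") == value
    if kind == "VLAN":
        return str(conn.get("vlan", "")) == value
    if kind == "SwitchPort":
        return f"{conn.get('switch', '')}-{conn.get('port', '')}" == value
    if kind == "Network":
        ip = conn.get("ip")
        if not ip:
            return False
        # A bare IP address is accepted as a single-host network.
        return ipaddress.ip_address(str(ip)) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported filter type {kind!r}")


def select_profile(text: str, conn: Dict[str, object]) -> Tuple[str, List[str]]:
    """(profile name, authentication source IDs) for the first matching profile."""
    for name, settings in load_profiles(text):
        if "filter" not in settings:
            raise ValueError(f"profile {name!r} has no filter, which is mandatory")
        if filter_matches(settings["filter"], conn):
            sources = [s.strip() for s in settings.get("sources", "").split(",") if s.strip()]
            return name, sources
    return "default", []


if __name__ == "__main__":
    for conn in ({"ssid": "Guest-SSID"}, {"vlan": 100}, {"ip": "10.20.5.7"},
                 {"switch": "192.168.0.10", "port": "10003"}, {"ssid": "Corp", "vlan": 200}):
        print(conn, "->", select_profile(SAMPLE_PROFILES_CONF, conn))
```

A profile without a filter raises rather than matching everything, which mirrors the guide's statement that filter is the one mandatory parameter.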

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go to the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.


Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.


Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go to Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated with this realm.

Now create the two other realms associated with your other domains.

You should now have the following realm configuration:


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start Samba and join the machine to the domain:


    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf

    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication: Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP: To authenticate 802.1x connections against OpenLDAP, you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.


    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration: This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS...) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
            # Disable ntlm_auth
            update control {
                    &MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    # Check password table with email and password for a sponsor registration
                    pfguest
                    if (fail || notfound) {
                            # Check password table with email and password for a guest registration
                            pfsponsor
                            if (fail || notfound) {
                                    # Don't check activation table with phone number and PIN code
                                    #pfsms   <--- This line was commented out
                                    if (fail || notfound) {
                                            update control {
                                                    &MS-CHAP-Use-NTLM-Auth := Yes
                                            }
                                    }
                            }
                    }
            }
    }

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local users you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM auth by default and test the local account. If it fails, then we re-activate NTLM auth.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
            # Disable ntlm_auth
            update control {
                    MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    update control {
                            MS-CHAP-Use-NTLM-Auth := Yes
                    }
            }
    }

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
            User-Name = "dd9999"
            User-Password = "Abcd1234"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
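Options 3 through 5 above all require the password to be available as cleartext or as an NT hash, because MS-CHAPv2 (the method used inside EAP-PEAP) derives and checks the challenge response from the NT hash. The following is an added example, not code from PacketFence or from this guide: it computes the NT hash in pure Python (MD4 over the UTF-16LE password) and emits an LDIF fragment that stores it in a sambaNTPassword attribute for the OpenLDAP option. The DN layout (ou=people) and the attribute name are assumptions about your directory. The NT hash is unsalted and fast, and for MS-CHAPv2 it is as good as the password itself, so the directory entry holding it needs the same protection as a cleartext password.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used because many OpenSSL 3 builds ship MD4
    only as a disabled 'legacy' digest, so hashlib.new('md4') can fail."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        st = [a, b, c, d]

        def step(fn, k, s, add):
            st[0] = _rotl((st[0] + fn(st[1], st[2], st[3]) + x[k] + add) & MASK32, s)
            st.insert(0, st.pop())  # (a, b, c, d) -> (d, a, b, c)

        for i in range(16):  # round 1
            step(f, i, (3, 7, 11, 19)[i % 4], 0)
        for i in range(16):  # round 2
            step(g, (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999)
        for i in range(16):  # round 3
            step(h, (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4],
                 (3, 9, 11, 15)[i % 4], 0x6ED9EBA1)

        a = (a + st[0]) & MASK32
        b = (b + st[1]) & MASK32
        c = (c + st[2]) & MASK32
        d = (d + st[3]) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as Samba/LDAP store it (sambaNTPassword): MD4 over the
    UTF-16LE password, no salt, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ldif_for_user(uid: str, password: str,
                  base_dn: str = "dc=district,dc=acme,dc=com") -> str:
    """Constructed LDIF fragment that sets the NT hash on an existing entry.
    ou=people is an assumed layout; adjust to your directory."""
    return "\n".join([
        f"dn: uid={uid},ou=people,{base_dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    print(ldif_for_user("bob", "password"))
```

Feed the printed fragment to ldapmodify against the server named in the ldap module; the ldap.attrmap referenced there must map the attribute you chose to the NT-Password RADIUS attribute for mschap to pick it up.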

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied, in a chained way, to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows you to give the user a choice between multiple modules. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

  Billing: Allows you to define a module based on one or more billing sources.

  Choice: Allows you to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.

  Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, ...).

  Other modules: The other modules are all based on the source type they are assigned to; they allow you to select the source, the AUP acceptance and the mandatory fields if applicable.

Examples

This section will contain the following examples:

  Prompting for fields without authentication
  Prompting additional fields during the authentication
  Chained authentication
  Mixing login and Secure SSID on-boarding on the portal
  Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click "Add Portal Module" and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under "Root Portal Module", assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created, and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click "Add Portal Module" and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck "Require AUP" so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook, ...).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, ...) and then validate his phone number using SMS registration.

For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the "Require AUP" option, since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck "Skipable" so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

    Hello World. <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows you to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources that are part of the Portal Profile based on their object attributes (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the Perl class name of the sources you want available.

  e.g. pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, ...).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.

Chapter 10

Debugging

Log files

Here are the most important PacketFence log files:

  /usr/local/pf/logs/packetfence.log: PacketFence Core Log
  /usr/local/pf/logs/httpd.portal.access: Apache, Captive Portal Access Log
  /usr/local/pf/logs/httpd.portal.error: Apache, Captive Portal Error Log
  /usr/local/pf/logs/httpd.admin.access: Apache, Web Admin/Services Access Log
  /usr/local/pf/logs/httpd.admin.error: Apache, Web Admin/Services Error Log
  /usr/local/pf/logs/httpd.webservices.access: Apache, Webservices Access Log
  /usr/local/pf/logs/httpd.webservices.error: Apache, Webservices Error Log
  /usr/local/pf/logs/httpd.aaa.access: Apache, AAA Access Log
  /usr/local/pf/logs/httpd.aaa.error: Apache, AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

  a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

  b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.

Chapter 11

More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switch port.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if the CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).

Chapter 12

Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface, under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking to configure will create the secure SSID profile. It is that simple.
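To make concrete what the guide means by a wireless profile that carries the user name but not the password, here is an added example (not PacketFence's provisioner code) that builds a minimal mobileconfig plist for a hidden WPA2-Enterprise SSID with PEAP and parses it back so you can confirm that no password key is present before handing it out. The payload identifier scheme, the org prefix and the SSID are assumed values.

```python
import plistlib
import uuid


def build_wifi_profile(ssid: str, username: str, org: str = "org.example.pf") -> bytes:
    """Return a mobileconfig (XML plist) that joins a hidden WPA2-Enterprise
    SSID with PEAP and a pre-filled user name. No password is embedded."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{ssid}",  # assumed identifier scheme
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": True,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # 25 = PEAP
            "UserName": username,
            # no "UserPassword" key: the device prompts for it on first join
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ssid} wireless profile",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def profile_summary(profile_bytes: bytes) -> dict:
    """Parse a generated profile back and report what the user would be handed.
    has_password must stay False for a profile that is sent over the portal."""
    doc = plistlib.loads(profile_bytes)
    wifi = next(p for p in doc["PayloadContent"]
                if p["PayloadType"] == "com.apple.wifi.managed")
    eap = wifi.get("EAPClientConfiguration", {})
    return {
        "ssid": wifi["SSID_STR"],
        "hidden": wifi.get("HIDDEN_NETWORK", False),
        "eap_types": list(eap.get("AcceptEAPTypes", [])),
        "username": eap.get("UserName"),
        "has_password": "UserPassword" in eap,
    }


if __name__ == "__main__":
    data = build_wifi_profile("Secure-local-Wireless", "jdoe")  # constructed input
    print(data.decode())
    print(profile_summary(data))
```

A profile installed this way is trusted by the device as configuration, so in production it should be served over HTTPS from the portal and, ideally, signed; the summary check above is the cheap way to catch a template that accidentally started embedding the password.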

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

  Billing source(s)
  Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the "Change password" link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

  Identity token is the one you noted when on the Website Payment Preferences page.
  Cert ID is the one you noted when on the Encrypted Payment Settings page.
  Payment type is whether the access is donation based (not mandatory to pay for it).
  Email address is the email address of the merchant Paypal account.
  Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default).
  Key file is the path to the private key of the PacketFence certificate (/usr/local/pf/conf/ssl/server.key by default).
  Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example).
  Currency is the currency that will be used in the transactions.
  Test mode should be activated if you are using a sandbox account.

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click "Your account", then "Account settings".

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

  Secret key is the secret key you got from your Stripe account.
  Publishable key is the publishable key you got from your Stripe account.
  Style is whether you are doing a one-time charge or subscription based billing (recurring). See section "Subscription based registration" below for details on how to configure it.
  Currency is the currency that will be used in the transactions.
  Test mode should be activated if you are using the test key and secret of the account.

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these values for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.

Where:

  API login ID is the one you got earlier while creating your account.
  Transaction key is the one you got earlier while creating your account.
  MD5 hash is the one you configured in your Authorize.net account.
  Currency is the currency that will be used in the transactions.
  Test mode should be activated if you are using a sandbox account.

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click "Add billing tier" and configure it.

Where:

  Billing tier is the unique identifier of the billing tier.
  Name is the friendly name of the billing tier.
  Description is an extended description of the billing tier.
  Price is the amount that will be charged to the user.
  Access duration is the amount of time the user will be granted access to your network.
  Role is the target role the user should be in.
  Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.


Where:

  ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
  Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
  Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
  Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click "Add endpoint".

Where:

  URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe.
  Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
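The hook URL above is reachable from the whole Internet over plain HTTP, so a receiver should act only on deliveries it can attribute to Stripe. The following is an added example, not PacketFence's own hook code: it verifies the Stripe-Signature header (HMAC-SHA256 over "timestamp.body" with the endpoint's signing secret, with a freshness window that limits replay of a captured delivery) and maps a customer.subscription.deleted event to the unregister action described above. The signing secret, the event body and the return values are constructed for the example; how the Stripe customer is matched back to a device is not covered by the guide and is left out.

```python
import hashlib
import hmac
import json
import time

# Constructed placeholder, not a real Stripe signing secret.
ENDPOINT_SECRET = "whsec_CONSTRUCTED_EXAMPLE_SECRET"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is older than this


def sign_payload(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>' (Stripe's v1 scheme)."""
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def build_signature_header(secret: str, timestamp: int, payload: bytes) -> str:
    """What Stripe puts in the Stripe-Signature header; used here to build a
    constructed delivery for the example."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, payload)}"


def verify_signature(secret: str, header: str, payload: bytes, now: int) -> bool:
    """True only if some v1 signature matches the raw body and the timestamp
    is within the tolerance window. Uses a constant-time comparison."""
    fields = {}
    for item in header.split(","):
        key, _, value = item.partition("=")
        fields.setdefault(key.strip(), []).append(value.strip())
    try:
        ts = int(fields["t"][0])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or replayed delivery
    expected = sign_payload(secret, ts, payload)
    return any(hmac.compare_digest(expected, sig) for sig in fields.get("v1", []))


def handle_event(payload: bytes):
    """Map a verified event to the action the guide describes: a cancelled
    subscription leads to the device being unregistered. Returns (action, customer)."""
    event = json.loads(payload)
    if event.get("type") == "customer.subscription.deleted":
        return ("unregister", event["data"]["object"]["customer"])
    return ("ignore", None)


def process_webhook(header: str, payload: bytes, now=None):
    """Entry point a hook handler would call with the raw request body."""
    now = int(time.time()) if now is None else now
    if not verify_signature(ENDPOINT_SECRET, header, payload, now):
        return ("reject", None)
    return handle_event(payload)


# Constructed sample delivery (ids are placeholders, not real Stripe objects)
SAMPLE_EVENT = json.dumps({
    "id": "evt_constructed",
    "type": "customer.subscription.deleted",
    "data": {"object": {"id": "sub_constructed", "customer": "cus_constructed"}},
}).encode()

if __name__ == "__main__":
    ts = int(time.time())
    hdr = build_signature_header(ENDPOINT_SECRET, ts, SAMPLE_EVENT)
    print(process_webhook(hdr, SAMPLE_EVENT))  # ('unregister', 'cus_constructed')
```

The body must be verified exactly as received (before any JSON re-serialisation), since the signature covers the raw bytes; a single added byte, as the test below shows, is enough to make the delivery fail verification.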

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a short name to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1eduroamus secret = useStrongerSecret shortname = tlrs1

client tlrs2eduroamus secret = useStrongerSecret shortname = tlrs2

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm applies to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and is proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

    home_server tlrs1.eduroam.us {
        type   = auth
        ipaddr = 257.128.1.1
        port   = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
    }

The address above is a placeholder: use the addresses and secret provided by your eduroam national roaming operator, and define one home_server block for each server listed in the pool below. Keep require_message_authenticator = yes so that replies from the home server must carry a valid Message-Authenticator.

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
        type        = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain in the User-Name, either as a suffix (user@domain) or as an NT-style prefix (DOMAIN\user).

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match it against one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam: FreeRADIUS sets the DEFAULT realm, which is proxied to the eduroam authentication pool.


The REALM determines where the request is sent. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm
    # prefix or suffix. User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this:
    # EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this:
    # username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

The nostrip keyword keeps the realm in the User-Name that is forwarded to the home server; the remote institution needs it to route the request onward.

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:

    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if (Called-Station-Id !~ /eduroam$/i) {
        #    update control {
        #        Proxy-To-Realm := "local"
        #    }
        #}

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

ntdomain and suffix must run before eap so that the realm is known before the EAP conversation starts. The optional block forces requests arriving on any SSID whose Called-Station-Id does not end in "eduroam" to be handled locally instead of being proxied, so a visitor from another institution cannot use your other SSIDs.

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will be failed since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

The shortnames tested here must be the ones you gave the eduroam servers in clients.conf.

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:

    # 'username@realm'
    realm suffix {
        format    = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format      = prefix
        delimiter   = "\\"
        ignore_null = yes
    }
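To make the decision flow above concrete, here is an added example that is not PacketFence or FreeRADIUS code and not part of this guide's original text. It emulates in Python what the configuration fragments above make FreeRADIUS do for one Access-Request: ntdomain and suffix extract the realm, proxy.conf maps it either to local handling or to the eduroam pool (with nostrip keeping the full User-Name), the optional authorize block pins non-eduroam SSIDs to local handling, and post-auth skips the packetfence module for the tlrs1/tlrs2 clients. The realm names, pool name and client shortnames come from the examples above; the sample usernames, SSIDs and the wlc1 client shortname are constructed.

```python
"""Emulation of the eduroam realm/proxy decision described above.
Illustrative re-implementation only; not FreeRADIUS or PacketFence code."""

# realm blocks in proxy.conf that have no auth_pool: handled locally
LOCAL_REALMS = ("EXAMPLE", "example.edu")
# realm DEFAULT { auth_pool = eduroam; nostrip }
DEFAULT_POOL = "eduroam"
# shortnames given to the eduroam servers in clients.conf
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}


def split_realm(user_name):
    """ntdomain (prefix, delimiter "\\") runs before suffix (delimiter "@").
    Returns (stripped user, realm found or None)."""
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    return user_name, None


def route_request(user_name, called_station_id="", client_shortname="wlc1",
                  block_other_ssids=False):
    """Return which realm matched, whether the request is proxied (and to
    which pool) and whether post-auth runs the packetfence module."""
    user, found = split_realm(user_name)
    if found is None:
        realm = "NULL"                      # realm NULL {}: local
    else:
        # realm names match case-insensitively; anything else is DEFAULT
        realm = next((r for r in LOCAL_REALMS if r.lower() == found.lower()),
                     "DEFAULT")

    decision = {
        "realm": realm,
        "stripped_user": user,
        "proxy_to": None,
        # nostrip on DEFAULT: the User-Name is forwarded unchanged
        "forwarded_user_name": user_name,
        "forced_local": False,
        # post-auth: packetfence is skipped for the eduroam servers
        "run_packetfence": client_shortname not in EDUROAM_CLIENTS,
    }

    # optional authorize block: on any SSID that is not eduroam, force local
    # handling so a visitor's DEFAULT-realm request is never proxied there
    # (it then fails locally, because no such local user exists)
    if block_other_ssids and not called_station_id.lower().endswith("eduroam"):
        decision["forced_local"] = True
        return decision

    if realm == "DEFAULT":
        decision["proxy_to"] = DEFAULT_POOL
    return decision


if __name__ == "__main__":
    for name, csid in (("bob", "aa-bb-cc-dd-ee-ff:corp"),
                       ("EXAMPLE\\bob", "aa-bb-cc-dd-ee-ff:corp"),
                       ("alice@other.ac.uk", "aa-bb-cc-dd-ee-ff:eduroam"),
                       ("alice@other.ac.uk", "aa-bb-cc-dd-ee-ff:corp")):
        print(name, csid, route_request(name, csid, block_other_ssids=True))
```

Run it and compare the four printed decisions with the prose above: only alice@other.ac.uk on the eduroam SSID is proxied; the same user on the corp SSID is pinned to local handling by the optional block.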

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it into the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going to the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization-specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.

Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out of your network can easily be submitted to the upstream Fingerbank project for further analysis and integration into the global database. Note that this sends fingerprinting data observed on your network (DHCP fingerprints, vendor IDs, user agents) to a third party; review what is shared before enabling it in environments with confidentiality requirements.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfil a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behaviour is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream (or both) entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).

A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-VLAN (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port as it was before the device was plugged in.

How it works

Configuration

Floating network devices have to be identified using their MAC address. Link-up/link-down traps are not enabled on the switches; only port-security traps are.

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-VLAN (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PacketFence receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Because the device is identified by its MAC address alone, a host that spoofs that MAC on an access port gets port-security disabled and, when trunkPort is set, a trunk carrying the tagged VLANs. Keep the list of floating devices short and limit taggedVlan to the VLANs the access point actually needs.

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device
IP Address: IP address of the floating device (not required, for information only)
trunkPort: Yes/no. Should the port be configured as a multi-VLAN port?
pvid: VLAN in which PacketFence should put the port
taggedVlan: Comma-separated list of VLANs. If the port is multi-VLAN, these are the VLANs that have to be tagged on the port.
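As an added example, not PacketFence code and not part of the original guide, the following Python parses a floating_network_device.conf written in the layout the settings above suggest (one section per MAC address with the keys ip, trunkPort, pvid and taggedVlan; that layout is an assumption), validates it, and derives the two port reconfiguration sequences the text describes. The sample file contents and the action strings are constructed for the demonstration.

```python
import configparser
import re

# Constructed sample in the assumed layout: one section per floating device MAC
SAMPLE_CONF = """\
[00:11:22:33:44:55]
ip=192.168.10.200
trunkPort=yes
pvid=10
taggedVlan=20,30

[00:11:22:33:44:66]
trunkPort=no
pvid=50
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def _vlan(value):
    vid = int(value)
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN id out of range: %s" % value)
    return vid


def load_floating_devices(text):
    """Parse and validate; returns {mac: {ip, trunk, pvid, tagged}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                      # keep trunkPort/taggedVlan case
    cp.read_string(text)
    devices = {}
    for section in cp.sections():
        mac = section.lower()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC address: %s" % section)
        sec = cp[section]
        trunk = sec.get("trunkPort", "no").strip().lower() in ("yes", "y", "true", "1")
        tagged = [_vlan(v) for v in sec.get("taggedVlan", "").split(",") if v.strip()]
        if tagged and not trunk:
            raise ValueError("taggedVlan requires trunkPort=yes for %s" % mac)
        devices[mac] = {"ip": sec.get("ip"), "trunk": trunk,
                        "pvid": _vlan(sec["pvid"]), "tagged": tagged}
    return devices


def on_port_security_trap(devices, mac):
    """Port-security trap: a floating device yields the reconfiguration
    sequence from the text; any other MAC is handled as a regular device."""
    dev = devices.get(mac.lower())
    if dev is None:
        return ["regular device: assign VLAN by status, authorize MAC (port-security)"]
    actions = ["disable port-security", "set PVID %d" % dev["pvid"]]
    if dev["trunk"]:
        actions.append("set port mode trunk")
        actions.append("set tagged VLANs %s" % ",".join(str(v) for v in dev["tagged"]))
    actions.append("enable linkdown traps")
    return actions


def on_linkdown_trap():
    """Linkdown trap on a port where a floating device was plugged."""
    return ["enable port-security", "disable linkdown traps"]


if __name__ == "__main__":
    devs = load_floating_devices(SAMPLE_CONF)
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"):
        print(mac, on_port_security_trap(devs, mac))
    print(on_linkdown_trap())
```

The validation rejects a taggedVlan list on a device whose port is not a trunk, which is the configuration mistake that otherwise silently leaves those VLANs unreachable behind the access point.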


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can reach the provider's login page. This list is available in each OAuth2 authentication source. These passthroughs let any unregistered device reach every host under the listed domains, not only the login page, so keep the list to what the login flow actually needs.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain for your country, like Canada google.ca, France google.fr, etc.).

Once you have your client ID and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL (the OAuth2 anti-CSRF token). If you modify the URL, make sure to keep the state parameter at the end of it.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (it can be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (it can be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration/isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what nodes using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.

Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.
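What the listener fundamentally extracts from the copied DHCP traffic is the MAC-to-IP binding. With an ip helper-address, only the client's relayed messages reach PacketFence, so the binding has to be read from the DHCPREQUEST (option 50 Requested IP address, or ciaddr on a renewal); with a mirror port the server's DHCPACK is visible too and confirms the binding together with the lease time. As an added example, not the pfdhcplistener code and not part of the original guide, the following Python builds constructed DHCP packets, parses the BOOTP header and options, and records bindings the way just described. The MAC, addresses and lease value are made up.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPREQUEST, DHCPACK = 1, 3, 5


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", ciaddr="0.0.0.0",
               requested_ip=None, lease=None, xid=0x3903F326):
    """Constructed DHCP packet (BOOTP header + options) for the demo only."""
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)          # op, htype, hlen, hops, xid, secs, flags
    pkt += socket.inet_aton(ciaddr) + socket.inet_aton(yiaddr) + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    pkt += bytes.fromhex(chaddr.replace(":", "")) + b"\x00" * 10     # chaddr padded to 16 bytes
    pkt += b"\x00" * 192                                             # sname + file
    opts = bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + socket.inet_aton(requested_ip)
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return pkt + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(pkt):
    """Return the header fields and options the listener cares about."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if hlen > 16 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = {"op": op, "xid": xid,
              "ciaddr": socket.inet_ntoa(pkt[12:16]),
              "yiaddr": socket.inet_ntoa(pkt[16:20]),
              "mac": ":".join("%02x" % b for b in pkt[28:28 + hlen])}
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255 or i + 1 >= len(pkt):   # end, or truncated option
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    fields["msg_type"] = options.get(53, b"\x00")[0]
    fields["requested_ip"] = socket.inet_ntoa(options[50]) if 50 in options else None
    fields["lease"] = struct.unpack("!I", options[51])[0] if 51 in options else None
    return fields


def record_leases(packets):
    """DHCPREQUEST gives a provisional MAC->IP (option 50, or ciaddr on
    renewal); DHCPACK confirms it with the lease time. DISCOVER/OFFER carry
    no usable binding and are ignored."""
    table = {}
    for pkt in packets:
        d = parse_dhcp(pkt)
        if d["op"] == BOOTREQUEST and d["msg_type"] == DHCPREQUEST:
            ip = d["requested_ip"] or (d["ciaddr"] if d["ciaddr"] != "0.0.0.0" else None)
            if ip:
                table[d["mac"]] = {"ip": ip, "lease": None, "state": "requested"}
        elif d["op"] == BOOTREPLY and d["msg_type"] == DHCPACK:
            table[d["mac"]] = {"ip": d["yiaddr"], "lease": d["lease"], "state": "acked"}
    return table


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    flow = [build_dhcp(BOOTREQUEST, DHCPDISCOVER, mac),
            build_dhcp(BOOTREQUEST, DHCPREQUEST, mac, requested_ip="10.0.101.42"),
            build_dhcp(BOOTREPLY, DHCPACK, mac, yiaddr="10.0.101.42", lease=300)]
    print(record_leases(flow))
```

A binding learned only from a DHCPREQUEST is what a device claims, not what the server granted; treat it as provisional until an ACK is seen, which is one reason the mirror-port method gives more reliable iplog data than helpers alone.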

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.

If we consider the network architecture illustrated in the schema above, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x) and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

The only host the ACL needs to permit is the PacketFence internal address that serves this network (192.168.2.1 here, the dns= value), plus UDP 67 so DHCP reaches the relay; for the isolation VLAN 30, build the same ACL with 192.168.3.1. The final deny with log also records devices that try to reach other resolvers or hosts.

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (anti-virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence. Keep in mind that the statement is self-reported by the client's NAP agent and is not cryptographically attested, so treat it as a compliance hint rather than a security boundary.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start= auto
    sc start napagent

    rem Wired 802.1X
    sc config dot3svc start= auto depend= napagent
    sc start dot3svc

    netsh nap client show config

    rem get the ID value for the "EAP Quarantine Enforcement Client"
    netsh nap client set enforce id=$ID admin=enable

Note that sc.exe requires the space after "start=" and "depend=". The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.

The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php?template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or by using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:

- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The rule section name is an identifier, a colon and the names of the condition sections joined with &; a rule only applies when every listed condition matches.

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

Note that the second and third examples both define a condition named igmout; within a single vlan_filters.conf, every condition section needs a unique name.

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:

- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer controls whether the original answer of PacketFence is merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

The ! in front of violation negates that condition. With merge_answer = no, the attributes PacketFence computed (for example the VLAN assignment) are not returned; only the answerN entries of the rule are, so use it only when the rule supplies the complete reply.

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
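Both filter files share one rule syntax: named condition sections, then rule sections whose name is an identifier, a colon and an expression of condition names joined with & (negated with !), followed by the scope and the outputs. As an added example covering both the VLAN filter and the RADIUS filter examples above (an illustrative re-implementation, not PacketFence's filter engine and not part of the original guide), the following Python parses that syntax, evaluates the is and defined operators together with negated forms whose names (is_not, not_defined) are assumed here, supports a simplified subset of the time specification (a weekday list and one hour range), and substitutes $variables such as $user_role and $switch._portalURL in the returned answer. The node and request contexts are constructed.

```python
import configparser
import datetime
import re

# The two rule sets from the text, embedded verbatim
VLAN_FILTERS = """\
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
"""

RADIUS_FILTERS = """\
[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep:$session_id
"""


def parse_filters(text):
    """Split the ini text into condition sections and "id:expr" rule sections."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        section = dict(cp[name])
        if ":" in name:
            rule_id, expr = name.split(":", 1)
            rules.append({"id": rule_id, "expr": expr, "params": section})
        else:
            conditions[name] = section
    return conditions, rules


def lookup(ctx, path):
    """Resolve dotted names such as node_info.category or switch._portalURL."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_hour(text):
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip().lower())
    if not m:
        raise ValueError("unsupported hour spec: %s" % text)
    hour = int(m.group(1)) % 12
    return hour + 12 if m.group(2) == "pm" else hour


def time_matches(spec, now):
    """Simplified subset: wd {Mon ...} and hr {11am-2pm} (end exclusive)."""
    wd = re.search(r"wd\s*\{([^}]*)\}", spec)
    hr = re.search(r"hr\s*\{([^}]*)\}", spec)
    if wd and now.strftime("%a") not in wd.group(1).split():
        return False
    if hr:
        start, end = (to_hour(p) for p in hr.group(1).split("-", 1))
        if not start <= now.hour < end:
            return False
    return True


def condition_matches(cond, ctx, now):
    name, op, value = cond["filter"], cond["operator"], cond.get("value")
    if name == "time":
        hit = time_matches(value, now)
        return not hit if op == "is_not" else hit
    actual = lookup(ctx, name)
    ops = {"is": actual == value, "is_not": actual != value,
           "defined": actual is not None, "not_defined": actual is None}
    if op not in ops:
        raise ValueError("unsupported operator: %s" % op)
    return ops[op]


def substitute(text, ctx):
    """Replace $name / $a.b placeholders; unknown names are left as-is."""
    def repl(m):
        value = lookup(ctx, m.group(1))
        return m.group(0) if value is None else str(value)
    return re.sub(r"\$([A-Za-z_][\w.]*)", repl, text)


def apply_filters(text, scope, ctx, now=None):
    """First rule in the given scope whose conditions all hold, with
    $variables substituted in its outputs; None when nothing matches."""
    now = now or datetime.datetime.now()
    conditions, rules = parse_filters(text)
    for rule in rules:
        if rule["params"].get("scope") != scope:
            continue
        matched = True
        for term in rule["expr"].split("&"):
            negate = term.startswith("!")
            hit = condition_matches(conditions[term.lstrip("!")], ctx, now)
            matched = matched and (hit != negate)
        if matched:
            return {k: substitute(v, ctx) for k, v in rule["params"].items() if k != "scope"}
    return None
```

Note how the violation condition is evaluated: the section declares operator = defined, and the rule name negates it, so the Access-Accept rule stops matching as soon as the context carries any violation identifier.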


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server.
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names.
- Routing is provided by another piece of equipment on your network (core switch, firewall, router, ...).
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply.

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (e.g. students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal, so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and will be able to leave the parked state by pressing a link.

The parked vs. unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).

So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated to parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.


Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, the configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, the Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 filestore log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of the Suricata MD5 filestore log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

The configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

The configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: The scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata
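As an added example (Python written for this page, not PacketFence's own parser): a consumer for the lines rsyslog writes into the suricata_files FIFO, which pulls out the MD5 Suricata recorded for each file and applies an MD5-to-violation mapping the way a suricata_md5 trigger does. The FIFO lines, hosts, IPs, hashes and violation IDs are all constructed for the example.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what rsyslog writes to the /usr/local/pf/var/suricata_files
# FIFO: an rsyslog header, then the raw files-json.log entry that syslog-ng forwarded
# untouched thanks to flags(no-parse). Field names follow Suricata's files-json.log
# output; hosts, IPs and hashes are made up for this example.
SAMPLE_FIFO_LINES = [
    'Jun 12 10:01:02 sensor1 suricata_files: {"timestamp": "06/12/2016-10:01:01.123456", '
    '"ipver": 4, "srcip": "10.0.0.20", "dstip": "198.51.100.7", "protocol": 6, '
    '"http_uri": "/setup.exe", "http_host": "downloads.example", "filename": "/setup.exe", '
    '"state": "CLOSED", "md5": "0123456789ABCDEF0123456789abcdef", "stored": false, "size": 4096}',
    # No md5 field: Suricata only records a hash for files it fully saw with force-md5 enabled
    'Jun 12 10:01:05 sensor1 suricata_files: {"timestamp": "06/12/2016-10:01:04.000001", '
    '"srcip": "10.0.0.21", "dstip": "203.0.113.9", "filename": "/index.html", "state": "TRUNCATED", "size": 512}',
    # A corrupted line (unterminated JSON): must be skipped, not crash the consumer
    'Jun 12 10:01:09 sensor1 suricata_files: {"srcip": "10.0.0.22", "md5": "not-a-hash"',
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_fifo_line(line: str) -> Optional[Dict]:
    """Return the JSON object embedded in one FIFO line, or None when absent or malformed."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        entry = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None


def extract_md5_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Collect (srcip, dstip, md5) for every entry carrying a well-formed MD5.

    The hash is normalised to lowercase so a trigger ID entered in either case matches."""
    events = []
    for line in lines:
        entry = parse_fifo_line(line)
        if entry is None:
            continue
        md5 = str(entry.get("md5", "")).lower()
        if not MD5_RE.match(md5):
            continue
        events.append((str(entry.get("srcip", "")), str(entry.get("dstip", "")), md5))
    return events


def match_suricata_md5_triggers(lines: List[str], triggers: Dict[str, int]) -> List[Tuple[str, int]]:
    """Mimic the suricata_md5 trigger type: the trigger ID is the MD5 hash itself.

    `triggers` maps a lowercase MD5 to the violation ID it should raise (constructed here;
    in PacketFence that mapping is entered in the violation's Triggers tab). Returns
    (srcip, violation_id) pairs; PacketFence itself resolves the IP to a MAC address."""
    hits = []
    for srcip, _dstip, md5 in extract_md5_events(lines):
        violation_id = triggers.get(md5)
        if violation_id is not None:
            hits.append((srcip, violation_id))
    return hits
```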

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of the Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser, as well as some violations, are the only remaining steps to make full usage of the Security Onion IDS integration.

The configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

The configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: The IDS triggered rule ID

Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where:

Enabled is whether or not the violation is currently activated (should be ON).
Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
Description is the user friendly description of the violation.
Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node.
Send email to owner will email the violation details to the owner of the device. It will only work if the person has its email field populated.
Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.
Log message will log the violation in the log file defined in [alerting].log.
External command will execute a command on the operating system when this violation is raised.
Close a violation will close an existing violation for this device when this one is raised.
Set role will modify the role of the device.


Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.

Priority defines the order in which violations should be handled, should there be more than one for a device.

Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using MAC OS X, and a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, the user will not be able to release the violation, and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


Delay by is the delay before triggering the violation.
Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS and WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives the report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration vlan
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production dhcp traffic)
802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to Nessus scan
Password: Password to connect to Nessus scan
Port of the service: port to connect (default 8834)
Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to OpenVAS scan
Password: Password to connect to OpenVAS scan
Port of the service: port to connect (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: A username from Active Directory that is allowed to connect to wmi
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed
logged_user
Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action=trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we trigger a violation (with the trigger internal::888888) for the mac address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

the request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be: is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and explorer is true, then we execute the action. The logic can be more complex and can be something like that: [1:!google|(explorer&memory)], which means: if not google or (explorer and memory).
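The rule syntax above, worked through in code as an added example (Python written for this page, not PacketFence's own Perl implementation): it parses test and action blocs written in the page's format, evaluates each test bloc against the rows a WMI request returned, and applies the !, & and | logic of the action-bloc name. The rule text, the rows and the "memory" test bloc are constructed for the example.

```python
import re

# WMI rule text in the page's "Rules Actions" syntax (constructed for this example;
# "memory" is a hypothetical test bloc named after the page's expression example).
RULES_TEXT = """
[google]
attribute = Caption
operator = match
value = Google

[explorer]
attribute = Name
operator = match
value = explorer.exe

[memory]
attribute = Caption
operator = is_not
value = Memory Eater

[1:!google|(explorer&memory)]
action = allow
"""

# The four operators the page lists; match/match_not are regular-expression searches.
OPERATORS = {
    "is": lambda got, want: got == want,
    "is_not": lambda got, want: got != want,
    "match": lambda got, want: re.search(want, got) is not None,
    "match_not": lambda got, want: re.search(want, got) is None,
}
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+|[!&|()]")


def parse_rules(text):
    """Split the INI-like text into test blocs ({name: body}) and action blocs
    ([(expression, body)] in file order); a bloc named N:expr is an action bloc."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            sections.append((header.group(1), {}))
            continue
        if not sections:
            raise ValueError("key/value outside of any bloc: %r" % line)
        key, _, value = line.partition("=")
        sections[-1][1][key.strip()] = value.strip()
    tests = {n: b for n, b in sections if not re.match(r"^\d+:", n)}
    actions = [(n.split(":", 1)[1], b) for n, b in sections if re.match(r"^\d+:", n)]
    return tests, actions


def run_test(test, rows):
    """A test bloc holds if any row returned by the WMI request satisfies it."""
    compare = OPERATORS[test["operator"]]
    return any(compare(str(row.get(test["attribute"], "")), test["value"]) for row in rows)


def evaluate_expression(expr, results):
    """Evaluate action-bloc logic such as '!google|(explorer&memory)' (! binds tightest, then &, then |).

    Each token is replaced by a boolean literal or a Python keyword before eval, so the
    evaluated string can only contain True/False/not/and/or and parentheses."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("illegal character in expression %r" % expr)
    mapping = {"!": "not", "&": "and", "|": "or", "(": "(", ")": ")"}
    parts = []
    for tok in tokens:
        if tok in mapping:
            parts.append(mapping[tok])
        elif tok in results:
            parts.append("True" if results[tok] else "False")
        else:
            raise ValueError("unknown test bloc %r" % tok)
    try:
        return bool(eval(" ".join(parts), {"__builtins__": {}}, {}))
    except SyntaxError:
        raise ValueError("malformed expression %r" % expr)


def evaluate_rules(text, rows):
    """Return the action blocs whose expression holds for the rows the WMI request returned."""
    tests, actions = parse_rules(text)
    results = {name: run_test(test, rows) for name, test in tests.items()}
    return [action for expr, action in actions if evaluate_expression(expr, results)]
```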

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.
LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
INTERVAL: This is actually the time window we will look at for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W

Grace period

When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
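An added example (Python written for this page, not PacketFence code): a parser for the Accounting:: trigger format above, applied to constructed accounting records to decide whether a trigger fires. The binary byte multipliers and the day counts used for the M and Y intervals are assumptions made here, not PacketFence's documented arithmetic.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Units the page lists for LIMIT and INTERVAL. Binary multiples and the 30/365-day
# lengths for M and Y are assumptions of this example; PacketFence's own window
# arithmetic may differ, so treat this as an illustration of the format.
LIMIT_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")

# One constructed accounting record: (session stop time, bytes downloaded, bytes uploaded).
Record = Tuple[datetime, int, int]


def parse_trigger(trigger: str) -> Tuple[str, int, Optional[timedelta]]:
    """Decode Accounting::[DIRECTION][LIMIT][INTERVAL] into (direction, limit_bytes, window).

    The window is None when the optional INTERVAL is absent, meaning all history counts."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not an accounting trigger: %r" % trigger)
    direction, amount, unit, count, interval_unit = m.groups()
    window = timedelta(days=int(count) * INTERVAL_DAYS[interval_unit]) if count else None
    return direction, int(amount) * LIMIT_UNITS[unit], window


def consumed_bytes(records: List[Record], direction: str,
                   window: Optional[timedelta], now: datetime) -> int:
    """Sum the traffic in the chosen direction over the window (every record when no INTERVAL)."""
    total = 0
    for stop, inbound, outbound in records:
        if window is not None and stop < now - window:
            continue
        total += {"IN": inbound, "OUT": outbound, "TOT": inbound + outbound}[direction]
    return total


def trigger_fires(trigger: str, records: List[Record], now: datetime) -> bool:
    """True when the node's usage inside the window exceeds the trigger's limit."""
    direction, limit, window = parse_trigger(trigger)
    return consumed_bytes(records, direction, window, now) > limit


# Constructed sample: one node's RADIUS accounting history (times and byte counts made up).
GB = 1024 ** 3
NOW = datetime(2016, 6, 15, 12, 0)
SAMPLE_RECORDS: List[Record] = [
    (datetime(2016, 5, 10, 9, 0), 100 * GB, 3 * GB),   # older than a 1M window
    (datetime(2016, 6, 1, 18, 0), 30 * GB, 1 * GB),
    (datetime(2016, 6, 10, 20, 0), 25 * GB, 2 * GB),
]
```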

Oinkmaster

Oinkmaster is a perl script that makes it possible to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster.
2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.
3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf.
4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice, however, that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.
DATETIME_UNIT: a character corresponding to the units of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
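An added example (Python written for this page, not PacketFence code): an implementation of the duration format above that turns a spec such as 1WR+1D into an expiry time, using one reading of the F/R and operator semantics stated in the list (recorded in the code as an assumption), plus a validator for access_duration_choices values. The reference time is constructed.

```python
import calendar
import re
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
# PERIOD_BASE is also accepted on its own here (e.g. "1DR"), an assumption of this example.
DURATION_RE = re.compile(r"^(\d+)([smhDWMY])([FR])?(?:([+-])(\d+)([DWMY]))?$")

# Constructed reference time: Wednesday 2016-06-15 14:30.
NOW = datetime(2016, 6, 15, 14, 30)


def add_months(base: datetime, months: int) -> datetime:
    """Calendar-aware month arithmetic (negative allowed); clamps the day to the target month."""
    index = base.month - 1 + months
    year, month = base.year + index // 12, index % 12 + 1
    day = min(base.day, calendar.monthrange(year, month)[1])
    return base.replace(year=year, month=month, day=day)


def add_units(base: datetime, amount: int, unit: str) -> datetime:
    """Add `amount` of the given unit character to `base`."""
    deltas = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}
    if unit in deltas:
        return base + timedelta(**{deltas[unit]: amount})
    if unit == "M":
        return add_months(base, amount)
    if unit == "Y":
        return add_months(base, 12 * amount)
    raise ValueError("unknown unit %r" % unit)


def start_of_unit(ts: datetime, unit: str) -> datetime:
    """Beginning of the period unit containing ts; weeks start on Monday, as the page states."""
    if unit == "s":
        return ts.replace(microsecond=0)
    if unit == "m":
        return ts.replace(second=0, microsecond=0)
    if unit == "h":
        return ts.replace(minute=0, second=0, microsecond=0)
    day = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    if unit == "Y":
        return day.replace(month=1, day=1)
    raise ValueError("unknown unit %r" % unit)


def access_expiry(spec: str, now: datetime) -> datetime:
    """Turn a duration spec into an expiry time.

    Assumed reading of the page's definition: F (or no PERIOD_BASE) counts the duration
    from `now`; R counts it from the beginning of the DATETIME_UNIT containing `now`;
    the optional extension is then added to or subtracted from that result."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("invalid access duration %r" % spec)
    amount, unit, base_kind, op, ext_amount, ext_unit = m.groups()
    base = start_of_unit(now, unit) if base_kind == "R" else now
    expiry = add_units(base, int(amount), unit)
    if op:
        expiry = add_units(expiry, int(ext_amount) * (1 if op == "+" else -1), ext_unit)
    return expiry


def invalid_choices(choices: str) -> list:
    """Return the entries of a comma-separated access_duration_choices value that do not parse."""
    return [c.strip() for c in choices.split(",") if not DURATION_RE.match(c.strip())]
```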

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName

Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate, so the TLS peer is not verified; use a certificate
    # trusted by this host and drop this line once PacketFence's certificate is valid
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; event 4726 carries the deleted account name in ReplacementStrings[0]
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New:

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New:


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:

At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName

Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate, so the TLS peer is not verified; use a certificate
    # trusted by this host and drop this line once PacketFence's certificate is valid
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; event 4725 carries the disabled account name in ReplacementStrings[0]
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New:

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New:

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:

At the bottom, select in the list: Run a new instance in parallel

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName

Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | ForEach-Object {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate, so the TLS peer is not verified; use a certificate
    # trusted by this host and drop this line once PacketFence's certificate is valid
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; event 4740 carries the locked account name in ReplacementStrings[0]
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes,0,$bytes.Length)
    $stream.close()

    $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New:

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel

Validate with Ok and give the account who will run this task (Usually DOMAIN\Administrator).
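The JSON-RPC call that both scheduled-task scripts make, written in Python as an added example (it is not code from the PacketFence project). It reuses the method name (unreg_node_for_pid), the ["pid", <account name>] parameter shape, the HTTP basic-auth credentials and the application/json-rpc content type from the PowerShell script above; the sample event record is constructed, and the response shapes handled by parse_unreg_response() (a JSON-RPC 2.0 result or error object) are an assumption. Unlike the PowerShell script it keeps TLS certificate validation on, so the web services certificate must be trusted by the host or a CA bundle passed as cafile.

```python
"""PacketFence JSON-RPC "unregister nodes of a pid" call (added example, not PacketFence code).

The method name, parameter layout, basic-auth credentials and application/json-rpc
content type follow the guide's PowerShell script. The sample event and the
response shapes handled by parse_unreg_response() are constructed/assumed.
"""
import base64
import json
import ssl
import urllib.request

# Constructed stand-in for what Get-EventLog returns for a Security event 4740
# (account lockout): the first replacement string is the locked account name.
SAMPLE_EVENT_4740 = {
    "InstanceId": 4740,
    "ReplacementStrings": ["jdoe", "WS-0042", "S-1-5-21-0-0-0-1234", "EXAMPLE"],
}


def pid_from_event(event):
    """The PacketFence pid is the account name found in ReplacementStrings[0]."""
    return event["ReplacementStrings"][0]


def build_unreg_payload(pid):
    """JSON-RPC 2.0 request the web service expects: params = ["pid", <account name>]."""
    return {"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", pid]}


def encode_request(payload):
    """Serialize with json.dumps so quotes or backslashes in the account name are
    escaped; the string concatenation in the PowerShell script would instead
    produce malformed JSON for such a name."""
    return json.dumps(payload).encode("ascii")


def basic_auth_header(username, password):
    """Same HTTP basic authentication the NetworkCredential object sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_unreg_response(body):
    """Return (True, result) on success or (False, error message) on a JSON-RPC error."""
    reply = json.loads(body.decode("utf-8"))
    if "error" in reply:
        return False, reply["error"].get("message", "unknown error")
    return True, reply.get("result")


def send_unreg(url, username, password, pid, cafile=None, timeout=10):
    """POST the request to the web services port (e.g. https://IP_PACKETFENCE:9090/).

    Certificate validation stays enabled; pass cafile for a private CA."""
    req = urllib.request.Request(
        url,
        data=encode_request(build_unreg_payload(pid)),
        method="POST",
        headers={
            "Content-Type": "application/json-rpc",
            "Authorization": basic_auth_header(username, password),
        },
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_unreg_response(resp.read())


if __name__ == "__main__":
    # Offline demonstration: print the exact request body the task would send.
    print(encode_request(build_unreg_payload(pid_from_event(SAMPLE_EVENT_4740))).decode())
```

Run with a real PacketFence server as send_unreg("https://IP_PACKETFENCE:9090/", "admin", "admin", pid_from_event(event)); everything before the network call can be checked offline.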

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run: nssm install udpreflector

In Application:

In Path set it to C:\udp-reflector\udpreflector.bat
In Startup directory set it to C:\udp-reflector
In Arguments set it to nothing

In Details:

In Startup type select Automatic

In Logon:

In Logon as select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

# where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l)
# where 192.168.1.5 is the management IP of your PacketFence server
/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From the PacketFence web admin interface, you must configure an Admin Access role (Configuration → Admin Access) that contains the action "Switches CLI - Read" or "Switches CLI - Write" and assign this role to an internal user, or in an Administration rule in an internal source.


Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. If you need to add custom rules, you can modify conf/iptables.conf to your own needs; the default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation and keep old logs with compression. It is added during the PacketFence initial installation.


Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, it is possible for someone who wants to generate a certain load on the PacketFence server to force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
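The limit described above, modelled as a per-port sliding window in Python. This is an added example and not PacketFence's own implementation: it keeps one counter per (switch, ifIndex), fires once when more than trap_limit_threshold traps arrive within a minute and then restarts the counter, and hands the decision to a stand-in for trap_limit_action. The switch address, port numbers and trap timestamps are constructed.

```python
"""Sliding-window SNMP trap limiter modelled on trap_limit_threshold (added example,
not PacketFence's own code). One counter per (switch, ifIndex); when more than
`threshold` traps arrive within `window_seconds`, the limit fires once and the
counter restarts, mirroring "over 100 traps from the same switch port in a minute".
The sample traps are constructed.
"""
from collections import defaultdict, deque


class TrapLimiter:
    def __init__(self, threshold=100, window_seconds=60, enabled=True):
        self.threshold = threshold
        self.window = window_seconds
        self.enabled = enabled
        self.history = defaultdict(deque)  # (switch_ip, if_index) -> trap timestamps
        self.triggered = []                # (switch_ip, if_index, timestamp, count)

    def record(self, switch_ip, if_index, ts):
        """Register one trap; return True when it takes the port over the limit."""
        if not self.enabled:
            return False
        q = self.history[(switch_ip, if_index)]
        q.append(ts)
        # Forget traps older than the window so the count covers only the last minute.
        while ts - q[0] >= self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.triggered.append((switch_ip, if_index, ts, len(q)))
            q.clear()   # fire the action once per burst, not on every further trap
            return True
        return False


def take_action(switch_ip, if_index, action):
    """Stand-in for the configured trap_limit_action: '' means log only, anything
    else names the action (e.g. shutting the port and emailing). Returns a record."""
    return {"switch": switch_ip, "ifIndex": if_index, "action": action or "log"}


def simulate(threshold=100, action=""):
    """Replay constructed traps: a burst on port 5 and slow, legitimate traffic on port 6."""
    limiter = TrapLimiter(threshold=threshold, window_seconds=60)
    traps = [("192.0.2.10", 5, i * 0.3) for i in range(101)]   # 101 traps in 30 s
    traps += [("192.0.2.10", 6, i * 1.2) for i in range(101)]  # 101 traps over 120 s
    traps.sort(key=lambda t: t[2])
    actions = []
    for switch_ip, if_index, ts in traps:
        if limiter.record(switch_ip, if_index, ts):
            actions.append(take_action(switch_ip, if_index, action))
    return actions


if __name__ == "__main__":
    for a in simulate():
        print(a)
```

Port 6 never trips the limit because at most 50 of its traps fall inside any one-minute window, which is the property the threshold is meant to preserve for a healthy switch.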

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20%: this is not good. If your IOwait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL: [ OK ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL: [ OK ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map and re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:

/usr/local/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.
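The archiving step described above, worked through in Python against an in-memory SQLite copy of the two tables. This is an added example, not the project's database-backup-and-maintenance.sh: the column set of locationlog and locationlog_archive is cut down and constructed, the rows are constructed, and MySQL's "zero" DATETIME is represented by the literal string in ZERO_DATE so that the "not null and not equal to 0" definition of a closed record can be applied as written.

```python
"""Archive closed locationlog rows the way the guide describes (added example, not
PacketFence's database-backup-and-maintenance.sh). Uses an in-memory SQLite copy
of a cut-down locationlog schema; the column set and the rows are constructed,
and MySQL's "zero" DATETIME is represented by the literal string below."""
import sqlite3

ZERO_DATE = "0000-00-00 00:00:00"   # MySQL zero DATETIME: the record is still open

SCHEMA = """
CREATE TABLE locationlog (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT, start_time TEXT, end_time TEXT);
CREATE TABLE locationlog_archive (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT, start_time TEXT, end_time TEXT);
"""

# Constructed rows: two open entries (NULL and zero date), two closed long ago
# and one closed recently.
SAMPLE_ROWS = [
    ("00:11:22:33:44:01", "192.0.2.2", "1", "10", "2016-06-01 08:00:00", None),
    ("00:11:22:33:44:02", "192.0.2.2", "2", "10", "2016-06-01 08:05:00", ZERO_DATE),
    ("00:11:22:33:44:03", "192.0.2.2", "3", "2",  "2016-01-10 09:00:00", "2016-01-10 09:30:00"),
    ("00:11:22:33:44:04", "192.0.2.3", "7", "10", "2016-02-01 12:00:00", "2016-02-01 18:00:00"),
    ("00:11:22:33:44:05", "192.0.2.3", "8", "10", "2016-05-30 12:00:00", "2016-05-30 12:45:00"),
]

# "Closed" exactly as the guide defines it, plus the "after some time" cut-off.
CLOSED_BEFORE = "end_time IS NOT NULL AND end_time != ? AND end_time < ?"


def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO locationlog VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def archive_closed_entries(con, older_than):
    """Move closed rows that ended before `older_than` into locationlog_archive.

    Copy and delete run in one transaction, so a failure leaves both tables as
    they were. Returns the number of rows moved."""
    params = (ZERO_DATE, older_than)
    with con:
        con.execute(
            f"INSERT INTO locationlog_archive SELECT * FROM locationlog WHERE {CLOSED_BEFORE}",
            params)
        moved = con.execute(f"DELETE FROM locationlog WHERE {CLOSED_BEFORE}", params).rowcount
    return moved


def row_counts(con):
    live = con.execute("SELECT COUNT(*) FROM locationlog").fetchone()[0]
    archived = con.execute("SELECT COUNT(*) FROM locationlog_archive").fetchone()[0]
    return live, archived


def open_macs(con):
    """MACs still considered connected (open records); these must never be archived."""
    rows = con.execute(
        "SELECT mac FROM locationlog WHERE end_time IS NULL OR end_time = ? ORDER BY mac",
        (ZERO_DATE,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("moved", archive_closed_entries(db, "2016-05-01 00:00:00"), row_counts(db))
```

The same two statements, with the placeholders bound to the zero date and a cut-off, are what a maintenance job would run against MySQL; the open-record guard is what keeps currently connected devices out of the archive.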

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

service packetfence stop

Create an ext4 partition:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:


mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


Usage: pfcmd <command> [options]

Commands:
 cache                        | manage the cache subsystem
 checkup                      | perform a sanity checkup and report any problems
 class                        | view violation classes
 configfiles                  | push or pull configfiles into/from database
 configreload                 | reload the configution
 floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
 help                         | show help for pfcmd commands
 ifoctetshistorymac           | accounting history
 ifoctetshistoryswitch        | accounting history
 ifoctetshistoryuser          | accounting history
 import                       | bulk import of information into the database
 ipmachistory                 | IP/MAC history
 locationhistorymac           | Switch/Port history
 locationhistoryswitch        | Switch/Port history
 networkconfig                | query/modify network configuration parameters
 node                         | manipulate node entries
 pfconfig                     | interact with pfconfig
 portalprofileconfig          | query/modify portal profile configuration parameters
 reload                       | rebuild fingerprint or violations tables without restart
 service                      | start/stop/restart and get PF daemon status
 schedule                     | Nessus scan scheduling
 switchconfig                 | query/modify switches.conf configuration parameters
 version                      | output version information
 violationconfig              | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
 -deauthenticate       de-authenticate a dot11 client
 -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
 -getAlias             show the description of the specified switch port
 -getAllMACs           show all MACS on all switch ports
 -getHubs              show switch ports with several MACs
 -getIfOperStatus      show the operational status of the specified switch port
 -getIfType            show the ifType on the specified switch port
 -getLocation          show at which switch port the MAC is found
 -getSwitchLocation    show SNMP location of specified switch
 -getMAC               show all MACs on the specified switch port
 -getType              show switch type
 -getUpLinks           show the upLinks of the specified switch
 -getVersion           show switch OS version
 -getVlan              show the VLAN on the specified switch port
 -getVlanType          show the VLAN type on the specified port
 -help                 brief help message
 -isolate              set the switch port to the isolation VLAN
 -man                  full documentation
 -reAssignVlan         re-assign a switch port VLAN
 -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
 -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
 -setAlias             set the description of the specified switch port
 -setDefaultVlan       set the switch port to the default VLAN
 -setIfAdminStatus     set the admin status of the specified switch port
 -setVlan              set VLAN on the specified switch port
 -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
 -alias           switch port description
 -ifAdminStatus   ifAdminStatus
 -ifIndex         switch port ifIndex
 -mac             MAC address
 -showPF          show additional information available in PF
 -switch          switch description
 -verbose         log verbosity level
                   0 : fatal messages
                   1 : warn messages
                   2 : info messages
                   3 : debug
                   4 : trace
 -vlan            VLAN id
 -vlanName        VLAN name (as in switches.conf)


System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

Database server (MySQL or MariaDB)
Web server (Apache)
DHCP server (ISC DHCP)
RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

A good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

Intel or AMD CPU 3 GHz
8 GB of RAM
100 GB of disk space (RAID-1 recommended)
1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:


Red Hat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with a minimal installation and no additional packages. Then:

Disable Firewall
Disable SELinux
Disable AppArmor
Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor: even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note

Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

easy installation
everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:


yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

Inline
Out-of-band
Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

Everyone behind an inline interface is on the same Layer 2 LAN.

Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity.

Every packet of authorized users goes through the PacketFence server; it is a single point of failure for Internet access.

Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name, password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence.

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence, go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources - like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence which creates user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated role", or in the "normal" VLAN.
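The eight steps above, simulated end to end in Python as an added example (not PacketFence code). The controller and the node table are plain objects; the RADIUS reply carries the RFC 2868 tunnel attributes the guide refers to (Tunnel-Type=VLAN, value 13; Tunnel-Medium-Type=IEEE-802, value 6; Tunnel-Private-Group-ID=the VLAN) and the RFC 3576 CoA-Request is keyed by Calling-Station-Id. The VLAN numbers, the username and the role names are constructed; the MAC is the one used in the pfcmd example of this guide.

```python
"""Simulation of the eight-step wireless MAC-authentication flow (added example,
not PacketFence code). Tunnel attributes are the RFC 2868 ones the guide names:
Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan>.
The CoA is an RFC 3576 CoA-Request keyed by Calling-Station-Id. VLAN numbers,
username and role names are constructed."""

REGISTRATION_VLAN = "2"   # constructed: "unauthenticated role" VLAN of step 4
NORMAL_VLAN = "10"        # constructed: "normal" VLAN of step 8


class PacketFenceSim:
    """The RADIUS/CoA side: node table audit and VLAN decision."""

    def __init__(self):
        self.nodes = {}       # mac -> {"status": "unreg"|"reg", "pid": owner}
        self.exchange = []    # (sender, receiver, message) log of the flow

    def access_request(self, mac):
        """Steps 2-3: the controller sends the MAC; audit it and answer with a VLAN."""
        self.exchange.append(("controller", "packetfence",
                              {"code": "Access-Request", "Calling-Station-Id": mac}))
        node = self.nodes.setdefault(mac, {"status": "unreg", "pid": None})
        # Step 8 for a registered device, step 4 for an unknown or unregistered one.
        vlan = NORMAL_VLAN if node["status"] == "reg" else REGISTRATION_VLAN
        reply = {"code": "Access-Accept", "Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                 "Tunnel-Private-Group-ID": vlan}
        self.exchange.append(("packetfence", "controller", reply))
        return reply

    def register(self, mac, username):
        """Steps 5-7: portal registration binds the device to a user, then CoA."""
        self.nodes[mac] = {"status": "reg", "pid": username}
        coa = {"code": "CoA-Request", "Calling-Station-Id": mac}
        self.exchange.append(("packetfence", "controller", coa))
        return coa


class ControllerSim:
    """The WLAN controller: applies the VLAN it is told and re-authorizes on CoA."""

    def __init__(self, pf):
        self.pf = pf
        self.vlan_of = {}

    def associate(self, mac):
        """Steps 1-2: a device associates; ask PacketFence what to do with it."""
        reply = self.pf.access_request(mac)
        self.vlan_of[mac] = reply["Tunnel-Private-Group-ID"]
        return self.vlan_of[mac]

    def handle_coa(self, coa):
        """Step 7: CoA forces a fresh authorization, i.e. back to step 1."""
        self.pf.exchange.append(("controller", "packetfence", {"code": "CoA-ACK"}))
        return self.associate(coa["Calling-Station-Id"])


def run_flow(mac="52:54:00:12:35:02", username="jdoe"):
    """Unknown device -> registration VLAN; after portal registration -> normal VLAN."""
    pf = PacketFenceSim()
    wlc = ControllerSim(pf)
    before = wlc.associate(mac)
    after = wlc.handle_coa(pf.register(mac, username))
    return {"before": before, "after": after, "pid": pf.nodes[mac]["pid"],
            "messages": [m["code"] for _, _, m in pf.exchange]}


def known_device_flow(mac="52:54:00:12:35:02", username="jdoe"):
    """Step 1's shortcut: an already registered device goes straight to step 8."""
    pf = PacketFenceSim()
    pf.nodes[mac] = {"status": "reg", "pid": username}
    return ControllerSim(pf).associate(mac)


if __name__ == "__main__":
    print(run_flow())
```

The message list returned by run_flow is the exchange the diagram describes: one Access-Request/Access-Accept pair that lands the device in the registration VLAN, the CoA-Request after registration, and a second pair that moves it to the normal VLAN.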

WebAuthmodeWebauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptiveportalWiththismodeyourdevicewillneverchangeofVLANIDbutonlytheACLassociatedtoyourdevicewillchangeRefertotheNetworkDevicesConfigurationGuidetoseeasamplewebauthconfigurationonaCiscoWLC

Port-securityandSNMPReliesontheport-securitySNMPTrapsAfakestaticMACaddressisassignedtoalltheportsthiswayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFenceThesystemwillauthorizetheMACandsettheportintherightVLANVoIPsupportispossiblebuttrickyItvariesalotdependingontheswitchvendorCiscoiswellsupportedbutisolationofaPCbehindanIPPhoneleadstoaninterestingdilemmaeitheryoushuttheport(andthephoneatthesametime)oryouchangethedataVLANbutthePCdoesnrsquotdoDHCP(didnrsquotdetectlinkwasdown)soitcannotreachthecaptiveportal

AsidefromtheVoIPisolationdilemmaitisthetechniquethathasproventobereliableandthathasthemostswitchvendorsupport

MoreonSNMPtrapsVLANisolation

WhentheVLANisolationisworkingthroughSNMPtrapsallswitchports(onwhichVLANisolationshouldbedone)mustbeconfiguredtosendSNMPtrapstothePacketFencehostOnPacketFence

Chapter7

Copyrightcopy2016InverseincTechnicalintroductiontoOut-of-bandenforcement 18

weusesnmptrapdastheSNMPtrapreceiverAsitreceivestrapsitreformatsandwritesthemintoaflatfileusrlocalpflogssnmptrapdlogThemultithreadedpfsetvlandaemonreadsthesetrapsfromtheflatfileandrespondstothembysettingtheswitchporttothecorrectVLANCurrentlywesupportswitchesfromCiscoEdge-coreHPIntelLinksysandNortel(addingsupportfor switches fromanothervendor impliesextending thepfSwitch class)DependingonyourswitchescapabilitiespfsetvlanwillactondifferenttypesofSNMPtraps

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated): This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

    ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

    SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
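As an added example (not PacketFence code), the following Python evaluates a trigger string of the TYPE::value, comma-separated form shown above against a connecting node and decides whether it should be put in inline enforcement. The connection field names ifindex, mac and ssid are chosen for this example.

```python
"""Evaluate inline-enforcement triggers of the form ALWAYS, PORT::<ifIndex>,
MAC::<mac>, SSID::<ssid> (comma-separated), as described in the guide.
Added example, not PacketFence code; the connection dict keys are assumptions."""
import re

_TRIGGER_TYPES = ("ALWAYS", "PORT", "MAC", "SSID")


def normalize_mac(mac):
    """Canonicalise 00:11:22:33:44:55 / 00-11-22-33-44-55 / 0011.2233.4455
    to lower-case colon-separated form so trigger and node values compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_trigger(trigger):
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into [(type, value), ...].
    Malformed entries raise instead of silently matching nothing."""
    rules = []
    for item in (part.strip() for part in trigger.split(",")):
        if not item:
            continue
        kind, sep, value = item.partition("::")
        kind = kind.upper()
        if kind == "ALWAYS":
            rules.append(("ALWAYS", None))
            continue
        if not sep or kind not in _TRIGGER_TYPES or not value:
            raise ValueError(f"malformed trigger entry: {item!r}")
        if kind == "PORT":
            value = int(value)            # ifIndex of the switch port
        elif kind == "MAC":
            value = normalize_mac(value)
        rules.append((kind, value))
    return rules


def should_use_inline(trigger, connection):
    """True when any trigger entry matches the connecting node.

    connection: dict with optional keys ifindex (int), mac (str), ssid (str);
    a node matched by no entry stays in VLAN enforcement.
    """
    for kind, value in parse_inline_trigger(trigger):
        if kind == "ALWAYS":
            return True
        if kind == "PORT" and connection.get("ifindex") == value:
            return True
        if kind == "MAC" and "mac" in connection and normalize_mac(connection["mac"]) == value:
            return True
        if kind == "SSID" and connection.get("ssid") == value:
            return True
    return False
```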


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://ip_of_packetfence:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X - please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from PacketFence's administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

- Active Directory
- Apache htpasswd file
- Email
- External HTTP API
- Facebook (OAuth2)
- Github (OAuth2)
- Google (OAuth2)
- Kerberos
- LDAP
- LinkedIn (OAuth2)
- Null
- RADIUS
- SMS
- Sponsored Email
- Twitter (OAuth2)
- Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

- Name: ad1
- Description: Active Directory for Employees
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Users,DC=acme,DC=local
- Scope: One-level
- Username Attribute: sAMAccountName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

- Name: employees
- Description: Rule for all employees
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role employee
  - Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

- Name: ad1
- Description: Active Directory for Machines
- Host: 192.168.1.2:389 without SSL/TLS
- Base DN: CN=Computers,DC=acme,DC=local
- Scope: One-level
- Username Attribute: servicePrincipalName
- Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
- Password: acme123

Then we add a rule:

- Name: machines
- Description: Rule for all machines
- Don't set any condition (as it's a catch-all rule)
- Set the following actions:
  - Set role machineauth
  - Set unregistration date January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-all, and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
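The first-match-wins evaluation described in this section, as an added Python example (not PacketFence code): ordered sources, ordered rules within each source, catch-all rules with no conditions that only match users the source actually knows, and evaluation stopping at the first match across all sources. The directory contents, the condition operators and the action names are constructed for the example.

```python
"""Model of PacketFence-style authentication rule evaluation (added example).

Sources are tried in order; within a source, rules are tried in order; the
first rule whose conditions all hold wins and evaluation stops across ALL
sources.  A rule without conditions is a catch-all: for directory sources it
matches any user the source can look up (the username attribute matched).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, object]


@dataclass
class Condition:
    attribute: str
    operator: str          # "equals", "contains" or "starts_with" (constructed set)
    value: str

    def holds(self, attrs: Attrs) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "contains":
            # Multi-valued attributes such as memberOf are lists of strings.
            values = actual if isinstance(actual, list) else [actual]
            return any(self.value in str(v) for v in values)
        if self.operator == "starts_with":
            return str(actual).startswith(self.value)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Rule:
    name: str
    actions: Dict[str, str]
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, attrs: Attrs) -> bool:
        # all() of an empty list is True: no conditions == fallback rule.
        return all(c.holds(attrs) for c in self.conditions)


@dataclass
class Source:
    name: str
    rules: List[Rule]
    # Returns the user's attributes if the source knows the user, else None.
    lookup: Callable[[str], Optional[Attrs]]


def compute_actions(sources: List[Source], username: str) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Return (source name, rule name, actions) of the first matching rule, or None."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue            # username attribute did not match in this source
        for rule in source.rules:
            if rule.matches(attrs):
                return source.name, rule.name, rule.actions
    return None                 # no source knows the user: authentication fails


# Constructed directory and local-account contents for the example.
AD_USERS = {
    "jdoe":   {"sAMAccountName": "jdoe",   "memberOf": ["CN=IT,CN=Users,DC=acme,DC=local"]},
    "asmith": {"sAMAccountName": "asmith", "memberOf": ["CN=Sales,CN=Users,DC=acme,DC=local"]},
}
LOCAL_GUESTS = {"guest42": {"username": "guest42"}}


def build_example_sources() -> List[Source]:
    """ad1 (AD over LDAP) first, then the internal SQL source for guests."""
    ad = Source(
        name="ad1",
        lookup=AD_USERS.get,
        rules=[
            Rule("it-staff", {"set_role": "it"},
                 [Condition("memberOf", "contains", "CN=IT,")]),
            Rule("employees", {"set_role": "employee", "set_unregdate": "2020-01-01"}),  # catch-all
        ],
    )
    local = Source(
        name="local",
        lookup=LOCAL_GUESTS.get,
        rules=[Rule("guests", {"set_role": "guest", "set_access_duration": "1D"})],
    )
    return [ad, local]
```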

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

- result: should be 1 for success, 0 for failure
- message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}

Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

    {"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

- Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.
- API username and password: If your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.
- Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.
- Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

Where:

- Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.
- Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.
- Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.
- Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).
- Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).
- Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.
- Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.
- Authorization source is the source that will be used to match the username against the rules defined in it. This allows to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

    $metadata['PF_ENTITY_ID'] = array(
        'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
        'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
    );

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

- Default SNMP read/write communities for the switches
- Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

- Switch IP/MAC/Range
- Switch vendor/type
- Switch uplink ports (trunks and non-managed ifIndex)
- per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

- Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.
- Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
- Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersion = 3
    SNMPUserNameRead = readUser
    SNMPAuthProtocolRead = MD5
    SNMPAuthPasswordRead = authpwdread
    SNMPPrivProtocolRead = AES
    SNMPPrivPasswordRead = privpwdread
    SNMPUserNameWrite = writeUser
    SNMPAuthProtocolWrite = MD5
    SNMPAuthPasswordWrite = authpwdwrite
    SNMPPrivProtocolWrite = AES
    SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    SNMPVersionTrap = 3
    SNMPUserNameTrap = readUser
    SNMPAuthProtocolTrap = MD5
    SNMPAuthPasswordTrap = authpwdread
    SNMPPrivProtocolTrap = AES
    SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

    snmp-server engineID local AA5ED139B81D4A328D18ACD1
    snmp-server group readGroup v3 priv
    snmp-server group writeGroup v3 priv read v1default write v1default
    snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
    snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
    snmp-server enable traps port-security
    snmp-server enable traps port-security trap-rate 1
    snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).


PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    cliTransport = SSH (or Telnet)
    cliUser = admin
    cliPwd = admin_pwd
    cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

    wsTransport = http (or https)
    wsUser = admin
    wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

    adminRole=full-access
    engineeringRole=full-access
    salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.


Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server that hosts the common/network-access-detection.gif, which is used to detect if network access was enabled. It cannot be a domain name, since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter, otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

    [profilename1]
    description = the description of your portal profile
    filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
    sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

- SSID: Guest-SSID
- VLAN: 100
- Switch Port: <SwitchId>-<Port>
- Network: Network in CIDR format or an IP address

Caution: Node role will take effect only with an 802.1X connection or if you use VLAN filters.
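An added Python example (not PacketFence code) of how an ordered list of profiles carrying the SSID, VLAN, Switch Port and Network filters above can be matched against a connection, falling back to the default profile when nothing matches. The lower-case filter keys, the "any filter matches" semantics and the connection field names are assumptions of this example.

```python
"""Portal profile selection from filters (added example, not PacketFence code).

Filters are 'type:value' strings; a profile applies when ANY of its filters
matches the connection (an assumption of this example).  Connection keys
used here: ssid, vlan, switch_id, port, ip."""
import ipaddress
from typing import Dict, List


def filter_matches(flt: str, conn: Dict[str, object]) -> bool:
    """Evaluate one filter against the connection details."""
    kind, sep, value = flt.partition(":")
    if not sep:
        raise ValueError(f"filter without type: {flt!r}")
    kind, value = kind.strip().lower(), value.strip()
    if kind == "ssid":
        return conn.get("ssid") == value
    if kind == "vlan":
        return str(conn.get("vlan")) == value
    if kind == "switch_port":
        # <SwitchId>-<Port>; split on the last hyphen so a switch id may contain hyphens
        switch_id, _, port = value.rpartition("-")
        return conn.get("switch_id") == switch_id and str(conn.get("port")) == port
    if kind == "network":
        if "ip" not in conn:
            return False
        net = ipaddress.ip_network(value, strict=False)      # CIDR or a single address
        return ipaddress.ip_address(str(conn["ip"])) in net
    raise ValueError(f"unsupported filter type: {kind!r}")


def select_profile(profiles: List[dict], conn: Dict[str, object], default: str = "default") -> str:
    """Return the name of the first profile whose filters match, else the default profile."""
    for profile in profiles:
        if any(filter_matches(f, conn) for f in profile["filter"]):
            return profile["name"]
    return default


# Constructed profiles mirroring the conf/profiles.conf shape shown above.
PROFILES = [
    {"name": "guest", "filter": ["ssid:Guest-SSID", "vlan:100"], "sources": ["sms", "email"]},
    {"name": "lab", "filter": ["switch_port:192.168.1.10-10010", "network:10.20.0.0/16"],
     "sources": ["ad1"]},
]
```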

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. PacketFence's Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have the following important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

- httpd.admin is used to manage the PacketFence admin interface
- httpd.portal is used to manage the PacketFence captive portal interface
- httpd.webservices is used to manage the PacketFence web services interface
- httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.


Where:

- Identifier is a unique identifier for your domain. Its purpose is only visual.
- Workgroup is the workgroup of your domain in the old syntax (like NT4).
- DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.
- This server's name is the name that the server's account will have in your Active Directory.
- DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.
- Username is the username that will be used for binding to the server. This account must be a domain administrator.
- Password is the password for the username defined above.


Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command:

    chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command:

    chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

- Realm is either the DNS name (FQDN) of your domain or the workgroup.
- Realm options are any realm options that you want to add to the FreeRADIUS configuration.
- Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration:


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     DOMAIN.NET = {
      kdc = adserver.domain.net:88
      admin_server = adserver.domain.net:749
      default_domain = domain.net
     }

    [domain_realm]
     .domain.net = DOMAIN.NET
     domain.net = DOMAIN.NET

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

For Debian and Ubuntu:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = DOMAIN.NET
     ticket_lifetime = 24h
     forwardable = yes

    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


    [global]
     workgroup = DOMAIN
     server string = %h
     security = ads
     passdb backend = tdbsam
     realm = DOMAIN.NET
     encrypt passwords = yes
     winbind use default domain = yes
     client NTLMv2 auth = yes
     preferred master = no
     domain master = no
     local master = no
     load printers = no
     log level = 1 winbind:5 auth:3
     winbind max clients = 750
     winbind max domain connections = 15
     machine password timeout = 0

For Debian and Ubuntu:

    [global]
     workgroup = DOMAIN
     server string = Samba Server Version %v
     security = ads
     realm = DOMAIN.NET
     password server = 192.168.1.1
     domain master = no
     local master = no
     preferred master = no
     winbind separator = +
     winbind enum users = yes
     winbind enum groups = yes
     winbind use default domain = yes
     winbind nested groups = yes
     winbind refresh tickets = yes
     template homedir = /home/%D/%U
     template shell = /bin/bash
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = yes
     restrict anonymous = 2
     log file = /var/log/samba/log.%m
     max log size = 50
     machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

    kinit administrator
    klist

After that, you need to start samba and join the machine to the domain:


    service smb start
    chkconfig --level 345 smb on
    net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

    usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

    service winbind start
    chkconfig --level 345 winbind on

For Debian and Ubuntu:

    usermod -a -G winbindd_priv pf
    ntlm_auth --username myDomainUser
    radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication: Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP: To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext.


    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = password
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

Option 4: EAP Guest Authentication on email, sponsor and SMS registration: This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS…) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the 'Reuse dot1x credentials' option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
    # Disable ntlm_auth
    update control {
        &MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        # Check password table with email and password for a sponsor registration
        pfguest
        if (fail || notfound) {
            # Check password table with email and password for a guest registration
            pfsponsor
            if (fail || notfound) {
                # Don't check activation table with phone number and PIN code
                #pfsms    <--- This line was commented out
                if (fail || notfound) {
                    update control {
                        &MS-CHAP-Use-NTLM-Auth := Yes
                    }
                }
            }
        }
    }
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless): NTLM Auth is disabled by default and the local account is tested. If it fails, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
    # Disable ntlm_auth
    update control {
        MS-CHAP-Use-NTLM-Auth := No
    }
    # Check password table for local user
    pflocal
    if (fail || notfound) {
        update control {
            MS-CHAP-Use-NTLM-Auth := Yes
        }
    }
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set 'Database passwords hashing method' to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
    User-Name = "dd9999"
    User-Password = "Abcd1234"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined, e.g. you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in 'Displaying a message to the user after the registration'.

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

Billing: Allows to define a module based on one or more billing sources.

Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section 'Authentication Choice module' below for a detailed explanation.

Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

Prompting for fields without authentication

Prompting additional fields during the authentication

Chained authentication

Mixing login and Secure SSID on-boarding on the portal

Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click 'Add Portal Module' and select the type Root. Give it the identifier my_first_root_module and the description 'My first root module', then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under Root Portal Module, assign 'My first root module', then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click 'Add Portal Module' and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck 'Require AUP' so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a firstname, lastname and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (e.g. phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (e.g. OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the modules in the desired sequence.

This example will allow you to configure a Chained module that will require the user to log in via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click 'Add Portal Module' and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the 'Require AUP' option, since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section 'Apple and Android Wireless Provisioning' of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to 'Board Secure SSID'. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to 'Login or Boarding'. Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source to gain access to the network, or directly using provisioning in order to configure your device for the Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click 'Add Portal Module' and select Message. Set the Identifier to hello_world and the description to 'Hello World'.

Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

Sources by class: Allows you to specify the Perl class name of the sources you want available.

e.g. pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log — PacketFence Core Log
/usr/local/pf/logs/httpd.portal.access — Apache – Captive Portal Access Log
/usr/local/pf/logs/httpd.portal.error — Apache – Captive Portal Error Log
/usr/local/pf/logs/httpd.admin.access — Apache – Web Admin/Services Access Log
/usr/local/pf/logs/httpd.admin.error — Apache – Web Admin/Services Error Log
/usr/local/pf/logs/httpd.webservices.access — Apache – Webservices Access Log
/usr/local/pf/logs/httpd.webservices.error — Apache – Webservices Error Log
/usr/local/pf/logs/httpd.aaa.access — Apache – AAA Access Log
/usr/local/pf/logs/httpd.aaa.error — Apache – AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not and tell the IP Phone to tag its Ethernet frames using the configured voice VLAN on the switch port.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, MAC authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its Ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the MAC address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way we will have 1 MAC address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. The multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its Ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing?

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its Ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).


Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After that, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=ggpht.com,googleusercontent.com,android.clients.google.com,googleapis.com,android.clients.google.com,gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click on the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click 'configure'; this will create the secure SSID profile. It is that simple.
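As an added illustration of the mobileconfig format described above (example code written for this section, not PacketFence's own profile generator), the following Python builds a minimal Wi-Fi profile for a hidden WPA2-Enterprise SSID with the EAP user name pre-populated and no password, then parses it back. The profile identifier, SSID, user name and RADIUS server name are made-up values.

```python
"""Minimal Wi-Fi .mobileconfig for a hidden WPA2-Enterprise SSID.

Constructed example of the profile format the iOS/macOS provisioner relies
on; it is not PacketFence's own generator. PROFILE_ID, the SSID, the user
name and the RADIUS server name used below are made-up values.
"""
import plistlib
import uuid

# Stable identifier so that re-installing the profile replaces the old copy
# instead of adding a second one (assumed value).
PROFILE_ID = "org.example.packetfence.wifi"


def build_wifi_profile(ssid: str, username: str, radius_server: str) -> bytes:
    """Return the XML plist of a profile that configures `ssid` for `username`.

    Only the user name is pre-populated: UserPassword is deliberately absent,
    so the device prompts for the password on the first connection.
    """
    payload_id = f"{PROFILE_ID}.{ssid}"
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": payload_id,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, payload_id)),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": True,       # the SSID is not broadcast
        "AutoJoin": True,
        "EncryptionType": "WPA",      # WPA/WPA2 enterprise
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],   # 25 = PEAP
            "UserName": username,     # credential without the password
            # Only trust a RADIUS certificate issued to this name.
            "TLSTrustedServerNames": [radius_server],
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, PROFILE_ID)),
        "PayloadDisplayName": "Secure Wi-Fi",
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def wifi_payload_of(profile_bytes: bytes) -> dict:
    """Parse a profile back and return its single Wi-Fi payload."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    payloads = [p for p in profile["PayloadContent"]
                if p.get("PayloadType") == "com.apple.wifi.managed"]
    if len(payloads) != 1:
        raise ValueError("expected exactly one Wi-Fi payload")
    return payloads[0]


if __name__ == "__main__":
    data = build_wifi_profile("Secure-Wireless", "alice", "radius.example.org")
    print(data.decode())
```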

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

Billing source(s)

Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com/ and either sign up or log in to your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts and expand the business account, then click Profile.

Now click the 'Change password' link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log in to the Paypal business account that you created at https://www.sandbox.paypal.com/ if you are using a sandbox account, or on https://www.paypal.com/ if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My Account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under the path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

Identity token is the one you noted when on the Website Payment Preferences page
Cert ID is the one you noted when on the Encrypted Payment Settings page
Payment type is whether the access is donation based (not mandatory to pay for it)
Email address is the email address of the merchant Paypal account
Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
Key file is the path to the PacketFence certificate's key (/usr/local/pf/conf/ssl/server.key by default)
Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com/, create an account and log in.

Next, on the top right, click 'Your account', then 'Account settings'.

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

Secret key is the secret key you got from your Stripe account
Publishable key is the publishable key you got from your Stripe account
Style is whether you are doing a one-time charge or subscription based billing (recurring). See section 'Subscription based registration' below for details on how to configure it
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using the test key and secret

Authorize.net

Creating an account

First, go on https://account.authorize.net/ to sign up for a merchant account, or http://developer.authorize.net/ for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log in to your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

API login ID is the one you got earlier while creating your account
Transaction key is the one you got earlier while creating your account
MD5 hash is the one you configured in your Authorize.net account
Currency is the currency that will be used in the transactions
Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click 'Add billing tier' and configure it.

Where:

Billing tier is the unique identifier of the billing tier
Name is the friendly name of the billing tier
Description is an extended description of the billing tier
Price is the amount that will be charged to the user
Access duration is the amount of time the user will be granted access to your network
Role is the target role the user should be in
Use time balance defines if the access duration should be computed on real-time access duration, meaning if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.


Where:

ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.

Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.

Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.

Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click 'Add endpoint'.

Where:

URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe

Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to log in as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org/

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions, as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1eduroamus secret = useStrongerSecret shortname = tlrs1

client tlrs2eduroamus secret = useStrongerSecret shortname = tlrs2

SecondlymodifythelistofdomainsandproxyserversinusrlocalpfraddbproxyconfYouwillneedtodefineeachofyourdomainsaswellastheDEFAULTdomainTheDEFAULTrealmwillapplytoanyclientthatattemptstoauthenticatewitharealmthatisnototherwisedefinedinproxyconfandwillbeproxiedtotheeduroamservers

Defineoneormorehomeservers(serverstowhicheduroamrequestsshouldbeproxied)

proxyconfexample

home_server tlrs1eduroamus type = auth ipaddr = 25712811 port = 1812 secret = useStrongerSecret require_message_authenticator = yes

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

    home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain, either in the 'domain\user' form or in the 'user@suffix' form.

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( Called-Station-Id !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := "local"
        #    }
        #}

        eap {
            ok = return
        }

        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will be failed since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT being modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream entries, or both, to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device

IP Address: IP address of the floating device (not required, for information only)

trunkPort: Yes/no. Should the port be configured as a multi-vlan port?

pvid: VLAN in which PacketFence should put the port

taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.google.com, *.google.ca, *.google.fr, *.gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: *.facebook.com, *.fbcdn.net, *.akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps

Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IP was distributed to what node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on the interface where you are sending the requests. This is by design, otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0

    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
      permit ip any host 192.168.2.1
      permit udp any any eq 67
      deny ip any any log
    interface vlan 20
      ip address 192.168.20.254 255.255.255.0
      ip helper-address 192.168.2.1
      ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
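The networks.conf and ACL pieces above have to agree with each other (dns pointing at an internal interface dhcpd listens on, the DHCP range inside the subnet, next_hop only for routed networks). The following added example, which is not PacketFence code, parses a constructed networks.conf fragment modelled on the one above, reports such mismatches, and emits the access-router ACL of the text for each routed network. VLAN ids are not stored in networks.conf, so the network-to-VLAN mapping is passed in by the caller (an assumption of this example).

```python
# Added example, not PacketFence code: consistency checks for networks.conf
# entries and generation of the per-VLAN registration/isolation ACL.
import configparser
import ipaddress

# Constructed fragment in the format shown above (one local, one routed network).
CONSTRUCTED_NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
named=enabled
dhcpd=enabled
"""


def load_networks(text):
    """Parse the INI-style networks.conf into {network: {key: value}}."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return {name: dict(cfg[name]) for name in cfg.sections()}


def check_networks(networks, internal_ips):
    """Return a list of problems (empty when the fragment is consistent).
    internal_ips: the IPs of the PacketFence internal interfaces (pf.conf)."""
    problems = []
    internal = {ipaddress.ip_address(i) for i in internal_ips}
    for name, net in networks.items():
        subnet = ipaddress.ip_network(f"{name}/{net['netmask']}", strict=True)
        gw = ipaddress.ip_address(net["gateway"])
        start = ipaddress.ip_address(net["dhcp_start"])
        end = ipaddress.ip_address(net["dhcp_end"])
        if gw not in subnet:
            problems.append(f"{name}: gateway {gw} is outside the subnet")
        if not (start in subnet and end in subnet and start <= end):
            problems.append(f"{name}: dhcp range {start}-{end} is not inside the subnet")
        # dhcpd and pfdns only serve the internal interfaces, so the DNS handed
        # out to clients must be one of those IPs or the portal redirect fails.
        if ipaddress.ip_address(net["dns"]) not in internal:
            problems.append(f"{name}: dns {net['dns']} is not a PacketFence internal IP")
        routed = bool(net.get("next_hop"))   # empty next_hop means locally reachable
        if routed and gw in internal:
            problems.append(f"{name}: routed network but the gateway is a PacketFence IP")
        if not routed and gw not in internal:
            problems.append(f"{name}: local network but gateway {gw} is not a PacketFence IP")
    return problems


def registration_acl(networks, vlan_ids):
    """Emit, for every routed network, the ACL from the text: clients may only
    reach the PF server (the dns IP) and DHCP; everything else is denied and logged."""
    lines = []
    for name, net in networks.items():
        if not net.get("next_hop"):
            continue
        acl = "PF_" + net["type"].split("-")[-1].upper()   # vlan-registration -> PF_REGISTRATION
        lines += [
            f"ip access-list extended {acl}",
            f" permit ip any host {net['dns']}",
            " permit udp any any eq 67",
            " deny ip any any log",
            f"interface vlan {vlan_ids[name]}",
            f" ip address {net['gateway']} {net['netmask']}",
            f" ip helper-address {net['dns']}",
            f" ip access-group {acl} in",
        ]
    return lines


if __name__ == "__main__":
    nets = load_networks(CONSTRUCTED_NETWORKS_CONF)
    print(check_networks(nets, ["192.168.2.1", "192.168.3.1"]))
    print("\n".join(registration_acl(nets, {"192.168.20.0": 20})))
```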


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection, or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS Server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh=yes
    soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start=auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start=auto depend=napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation, either via the Admin UI or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php
    template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations, either by restarting PacketFence or by using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem, in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria, like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN

    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will autoregister the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria, like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
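The VLAN filter and RADIUS filter sections above share one rule syntax: named conditions (filter/operator/value) combined in a rule section named "N:cond1&cond2&!cond3" with a scope. The following added evaluator (not PacketFence code, which implements this in Perl) shows how a request context is matched against such rules; it supports the operators used on this page (is, defined), the "&" and "!" combinators and the "wd {...} hr {...}" time value, and the rules it runs are a constructed mix of the examples from both sections. The hour-range interpretation (start inclusive, end exclusive) and the dotted lookup of node_info.category are assumptions of this model.

```python
# Added example, not PacketFence code: evaluates vlan_filters.conf /
# radius_filters.conf style rules against a request context.
import configparser
import re
from datetime import datetime

# Constructed rule set combining the VLAN filter and RADIUS filter examples above.
CONSTRUCTED_RULES = """
[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

[2:etherneteap&!violation]
scope = returnRadiusAccessAccept
merge_answer = no
"""

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def _parse_hour(text):
    """'11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12 (assumed convention)."""
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip().lower())
    hour = int(m.group(1)) % 12
    return hour + 12 if m.group(2) == "pm" else hour


def time_matches(spec, now):
    """Match 'wd {Mon ... Fri} hr {11am-2pm}': weekday in the list and
    start <= hour < end (assumption: the end hour is exclusive)."""
    m = re.fullmatch(r"wd \{([^}]*)\} hr \{([^}]*)\}", spec.strip())
    days = m.group(1).split()
    start, end = (_parse_hour(h) for h in m.group(2).split("-"))
    return WEEKDAYS[now.weekday()] in days and start <= now.hour < end


def _lookup(context, path):
    """Resolve dotted names like node_info.category against nested dicts."""
    cur = context
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def condition_matches(cfg, name, context, now):
    sect = cfg[name]
    op = sect["operator"]
    if op == "defined":
        return _lookup(context, sect["filter"]) is not None
    if op == "is":
        if sect["filter"] == "time":
            return time_matches(sect["value"], now)
        actual = _lookup(context, sect["filter"])
        return actual is not None and str(actual) == sect["value"]
    raise ValueError("unsupported operator: " + op)


def evaluate(rules_text, scope, context, now):
    """Return the result keys (role, action, merge_answer, ...) of the first
    rule whose scope matches and whose conditions all hold, else None.
    now: a datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str            # keep option names as written
    cfg.read_string(rules_text)
    for name in cfg.sections():
        if ":" not in name:          # plain condition, not a rule
            continue
        if cfg[name].get("scope") != scope:
            continue
        _, _, expr = name.partition(":")
        matched = True
        for term in expr.split("&"):
            negate = term.startswith("!")
            if condition_matches(cfg, term.lstrip("!"), context, now) == negate:
                matched = False
                break
        if matched:
            return {k: v for k, v in cfg[name].items() if k != "scope"}
    return None


if __name__ == "__main__":
    ctx = {"node_info": {"category": "default"}, "ssid": "SECURE"}
    print(evaluate(CONSTRUCTED_RULES, "RegisteredRole", ctx, "2016-06-13T12:30"))
```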


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (core switch, firewall, router...)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise, pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means that once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.

Chapter 13

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

Another requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if it is not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

- Type: suricata_http
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

- Type: metascan. Trigger ID: the scan result returned by Metadefender Cloud online.
- Type: suricata_md5. Trigger ID: the MD5 hash returned by Suricata.

Security Onion

Installation and Configuration

Security Onion is a Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full usage of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

- Type: security_onion
- Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

- Type: detect. Trigger ID: the IDS triggered rule ID.
- Type: suricata_event. Trigger ID: the rule class of the triggered IDS alert.
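Both syslog paths in this section (the Suricata files-json.log feed tagged suricata_files, and the sguild feed tagged securityonion_ids) end in an rsyslog rule that matches on $programname and writes the message into a FIFO that a PacketFence syslog parser reads. The Python below is an added example, not PacketFence's, rsyslog's or syslog-ng's code. It parses constructed syslog datagrams of the shape syslog-ng emits over UDP 514, applies the same program-name routing and the "Alert Received" filter, and extracts the md5 field from a Suricata file entry, which is the value a violation with trigger type suricata_md5 matches on. The sample lines, host names and Suricata JSON fields are constructed (the md5 shown is the well-known digest of the empty string); the FIFO paths are the ones used in this section.

```python
import json
import re
from typing import Dict, List, Optional

# Same mapping as the two rsyslog rules in this chapter: program name -> FIFO
# that the matching PacketFence syslog parser reads.
FIFO_BY_PROGRAM: Dict[str, str] = {
    "suricata_files": "/usr/local/pf/var/suricata_files",
    "securityonion_ids": "/usr/local/pf/var/securityonion_ids",
}

# BSD-style syslog datagram as syslog-ng emits it to UDP 514:
# <PRI>Mon DD HH:MM:SS host program[pid]: message   (the [pid] part is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split a datagram into header fields and message; None when malformed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def route(line: str) -> Optional[Dict[str, str]]:
    """Reproduce the selection the configs above perform: only the two program
    names have an rsyslog rule, and the Security Onion feed additionally passes
    through the f_sguil "Alert Received" filter. Returns the FIFO the message
    would be written to, or None when it would be dropped."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    fifo = FIFO_BY_PROGRAM.get(rec["program"])
    if fifo is None:
        return None
    if rec["program"] == "securityonion_ids" and "Alert Received" not in rec["msg"]:
        return None
    return {"program": rec["program"], "fifo": fifo, "msg": rec["msg"]}


def suricata_md5(payload: str) -> Optional[str]:
    """Return the md5 field of a Suricata files-json.log entry, or None. A violation
    with trigger type suricata_md5 is keyed on this value."""
    try:
        entry = json.loads(payload)
    except json.JSONDecodeError:
        return None
    md5 = entry.get("md5")
    if isinstance(md5, str) and re.fullmatch(r"[0-9a-fA-F]{32}", md5):
        return md5.lower()
    return None


def process(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Route each datagram and attach the value the violation trigger would use."""
    results = []
    for line in lines:
        routed = route(line)
        if routed is None:
            continue
        trigger = suricata_md5(routed["msg"]) if routed["program"] == "suricata_files" else None
        results.append({"program": routed["program"], "fifo": routed["fifo"], "trigger": trigger})
    return results


# Constructed sample datagrams; not captured from a real deployment.
SAMPLE_LINES: List[str] = [
    # Suricata file entry forwarded with program_override("suricata_files");
    # the md5 is the well-known digest of the empty string.
    '<14>Jun 15 10:30:01 ids01 suricata_files: {"timestamp":"2016-06-15T10:30:00.000000",'
    '"srcip":"10.0.0.5","dstip":"192.0.2.10","http_host":"example.invalid",'
    '"filename":"/setup.exe","md5":"d41d8cd98f00b204e9800998ecf8427e","size":0}',
    # sguild line that passes the f_sguil filter (constructed layout).
    "<14>Jun 15 10:30:02 so-master securityonion_ids: Alert Received: 0 1 trojan-activity "
    "so-eth1 {2016-06-15 10:30:02} 3 18 {ET P2P BitTorrent DHT ping request} 10.0.0.5 192.0.2.10 17 6881 6881",
    # sguild housekeeping that the filter drops.
    "<14>Jun 15 10:30:03 so-master securityonion_ids: Connection from sensor so-eth1 accepted",
    # Unrelated program: no rsyslog rule matches it.
    "<86>Jun 15 10:30:04 so-master sshd[2211]: Accepted publickey for ops from 10.0.0.9",
]

if __name__ == "__main__":
    for item in process(SAMPLE_LINES):
        print(item)
```

Running the block prints one entry per accepted datagram: the Suricata line lands in the suricata_files FIFO with its md5 extracted, the sguild alert lands in the securityonion_ids FIFO, and the two other lines are dropped exactly as rsyslog would drop them.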

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where:

- Enabled is whether or not the violation is currently activated (should be ON).
- Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.
- Description is the user-friendly description of the violation.
- Actions is the list of actions to be executed when this violation is raised:
  - Unregister node will unregister the node.
  - Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.
  - Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.
  - Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If this action is not present, the violation is opened and then automatically closed.
  - Log message will log the violation in the log file defined in [alerting].log.
  - External command will execute a command on the operating system when this violation is raised.
  - Close a violation will close an existing violation for this device when this one is raised.
  - Set role will modify the role of the device.


  - Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.
- Priority defines the order in which violations should be handled, should there be more than one for a device.
- Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using Mac OS X; a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

- Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.
- Max Enables is the number of times a user can use the Auto Enable functionality. After that many releases, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.
- Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.
- Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month).
- Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


- Delay by is the delay before triggering the violation.
- Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.
- Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS or WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections.

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

- Name: the name of your scan engine
- Roles: only devices with these role(s) will be affected (Optional)
- OS: only devices with this Operating System will be affected (Optional)
- Duration: approximate duration of the scan (progress bar on the captive portal)
- Scan before registration: trigger the scan when the device appears on the registration VLAN
- Scan after registration: trigger the scan just after registration on the captive portal
- Scan after registration: trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
- 802.1x: even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
- 802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

- Hostname or IP Address: hostname or IP address where Nessus is running
- Username: username to connect to Nessus scan
- Password: password to connect to Nessus scan
- Port of the service: port to connect to (default 8834)
- Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

- Hostname or IP Address: hostname or IP address where OpenVAS is running
- Username: username to connect to OpenVAS scan
- Password: password to connect to OpenVAS scan
- Port of the service: port to connect to (default 9390)
- OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

- Username: a username from Active Directory that is allowed to connect to WMI
- Domain: domain of the Active Directory
- Password: password of the account
- WMI Rules: ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

- Software_Installed
- logged_user
- Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

- the request is the SQL request you will launch on the remote device. You must know what the request will return to write the test.
- inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


- the test bloc is a simple test based on the result of the request:
  - attribute is the attribute you want to test
  - operator can be is, is_not, match, match_not
  - value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and explorer is true, then we execute the action. The logic can be more complex and can be something like this: [1:!google|(explorer&memory)], which means if not google, or (explorer and memory).
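The rule grammar described above, worked through in Python as an added example (not PacketFence's own WMI rule engine): the Rules Actions text is split into test blocs and action blocs, each test bloc is evaluated against the rows the request returned, and the action bloc condition ([1:google&explorer], [2:!google|(explorer&memory)]) is evaluated with a small recursive-descent parser. The precedence (! over & over |), the any-row semantics of a test and the case-insensitive bloc names are assumptions drawn from the guide's examples; the bloc names google/explorer/memory and the Win32_Process rows are constructed.

```python
import configparser
import re

# Rules Actions in the form of this chapter's examples. Field names and the action-bloc
# logic syntax come from the guide; bloc names and the Win32_Process rows are constructed.
RULES_ACTIONS = """
[google]
attribute = Name
operator = match
value = Google
[explorer]
attribute = Name
operator = match
value = explorer.exe
[memory]
attribute = Name
operator = match
value = MemoryMonitor
[1:google&explorer]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
[2:!google|(explorer&memory)]
action = allow
"""
# Constructed results of "select Name from Win32_Process" on two hosts.
HOST_WITH_GOOGLE = [{"Name": "explorer.exe"}, {"Name": "GoogleUpdate.exe"}, {"Name": "svchost.exe"}]
HOST_CLEAN = [{"Name": "explorer.exe"}, {"Name": "svchost.exe"}]
# The four test-bloc operators the guide lists; match / match_not are regular expressions.
OPERATORS = {
    "is": lambda text, v: text == v,
    "is_not": lambda text, v: text != v,
    "match": lambda text, v: re.search(v, text) is not None,
    "match_not": lambda text, v: re.search(v, text) is None,
}


def split_blocs(text):
    """Sections without ':' are test blocs; 'N:logic' sections are action blocs, sorted by N."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, actions = {}, []
    for name in cp.sections():
        if ":" in name:
            order, logic = name.split(":", 1)
            actions.append((int(order), logic, dict(cp[name])))
        else:
            tests[name.lower()] = dict(cp[name])
    return tests, sorted(actions, key=lambda a: a[0])


def evaluate_tests(rows, tests):
    """A test bloc holds when at least one returned row satisfies it (assumption taken from
    the guide's 'if one match explorer.exe' wording)."""
    return {name: any(OPERATORS[t["operator"]](str(row.get(t["attribute"], "")), t["value"])
                      for row in rows) for name, t in tests.items()}


class LogicEvaluator:
    """Recursive-descent evaluator for conditions such as '!google|(explorer&memory)'.
    Precedence assumed from the guide's examples: '!' binds tightest, then '&', then '|'."""
    TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|[!&|()]")

    def __init__(self, expr, truth):
        self.toks = self.TOKEN.findall(expr)
        if "".join(self.toks) != expr.replace(" ", ""):
            raise ValueError(f"unexpected character in logic: {expr}")
        self.truth = truth

    def parse(self):
        value = self._or()
        if self.toks:
            raise ValueError("trailing tokens in logic expression")
        return value

    def _or(self):
        return self._binary("|", lambda: self._binary("&", self._not))

    def _binary(self, op, operand):
        value = operand()
        while self.toks[:1] == [op]:
            self.toks.pop(0)
            rhs = operand()  # always parsed, so a malformed right-hand side is reported
            value = (value or rhs) if op == "|" else (value and rhs)
        return value

    def _not(self):
        if self.toks[:1] == ["!"]:
            self.toks.pop(0)
            return not self._not()
        tok = self.toks.pop(0) if self.toks else None
        if tok == "(":
            value = self._or()
            if (self.toks.pop(0) if self.toks else None) != ")":
                raise ValueError("missing ')' in logic expression")
            return value
        if tok is None or tok in "!&|)" or tok.lower() not in self.truth:
            raise ValueError(f"malformed logic or unknown test bloc near: {tok}")
        return self.truth[tok.lower()]


def run_rule(rows, rules_actions):
    """Return the action blocs whose logic holds for these rows, in bloc order."""
    tests, actions = split_blocs(rules_actions)
    truth = evaluate_tests(rows, tests)
    return [body for _, logic, body in actions if LogicEvaluator(logic, truth).parse()]
```

With HOST_WITH_GOOGLE the google and explorer tests hold and memory does not, so only bloc 1 (trigger_violation) fires; with HOST_CLEAN the negated google test makes bloc 2 (allow) the one that fires. A logic expression that names a bloc that does not exist, or that is unbalanced, raises ValueError instead of silently evaluating to false.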

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


- PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.
- The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

- The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.
- You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

- You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

Let's explain each chunk properly:

- DIRECTION: you can either set a limit on inbound (IN), outbound (OUT) or total (TOT) bandwidth.
- LIMIT: you can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).
- INTERVAL: this is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for incoming (download) traffic with a 50GB/month limit:

Accounting::IN50GB1M

Look for outgoing (upload) traffic with a 500MB/day limit:

Accounting::OUT500MB1D

Look for total (download + upload) traffic with a 200GB limit in the last week:


Accounting::TOT200GB1W

Grace period

When using such violation features, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
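As an added illustration of the trigger format above (not PacketFence's code), the Python below parses Accounting:: triggers, decides whether a node's constructed accounting totals exceed the limit, computes the release time that the Remediation tab's Dynamic Window would set (the guide states the month case; applying the same end-of-interval rule to days, weeks and years is an assumption here), and derives the one-interval grace period recommended in the Grace period paragraph. Binary size multiples and the 30-day month / 365-day year used for the grace length are assumptions, as are the sample byte counts.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# LIMIT units from the guide (assumption: binary multiples; TB is not in the list).
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Interval lengths used only for the grace-period recommendation; months and years
# are approximated here (assumption). The Dynamic Window below uses the calendar.
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)(D|W|M|Y))?$")


@dataclass(frozen=True)
class AccountingTrigger:
    direction: str
    limit_bytes: int
    interval_count: Optional[int]
    interval_unit: Optional[str]


def parse_trigger(trigger: str) -> AccountingTrigger:
    """Parse Accounting::[DIRECTION][LIMIT][INTERVAL]; the interval is optional."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not an Accounting trigger: {trigger}")
    direction, amount, unit, count, interval_unit = m.groups()
    return AccountingTrigger(direction, int(amount) * SIZE_UNITS[unit],
                             int(count) if count else None, interval_unit)


def counted_bytes(t: AccountingTrigger, in_bytes: int, out_bytes: int) -> int:
    """Which accounting counters the DIRECTION chunk selects."""
    return {"IN": in_bytes, "OUT": out_bytes, "TOT": in_bytes + out_bytes}[t.direction]


def is_violated(t: AccountingTrigger, in_bytes: int, out_bytes: int) -> bool:
    return counted_bytes(t, in_bytes, out_bytes) > t.limit_bytes


def dynamic_window_release(t: AccountingTrigger, opened_at: datetime) -> Optional[datetime]:
    """Release time under the Remediation tab's Dynamic Window: the last second of the
    calendar interval the violation opened in. The guide gives the month case; treating
    days, weeks (ending Sunday) and years the same way is an assumption."""
    if t.interval_unit is None:
        return None
    day = opened_at.replace(hour=0, minute=0, second=0, microsecond=0)
    if t.interval_unit == "D":
        end = day + timedelta(days=1)
    elif t.interval_unit == "W":
        end = day + timedelta(days=7 - day.weekday())
    elif t.interval_unit == "M":
        end = (day.replace(day=1) + timedelta(days=32)).replace(day=1)
    else:  # "Y"
        end = day.replace(year=day.year + 1, month=1, day=1)
    return end - timedelta(seconds=1)


def release_for(trigger: str, opened_at_iso: str) -> Optional[str]:
    """Convenience wrapper: trigger string + ISO timestamp -> ISO release time."""
    release = dynamic_window_release(parse_trigger(trigger), datetime.fromisoformat(opened_at_iso))
    return release.isoformat(sep=" ") if release else None


def recommended_grace(t: AccountingTrigger) -> Optional[timedelta]:
    """The guide recommends setting Grace to one interval window."""
    if t.interval_unit is None:
        return None
    return timedelta(days=t.interval_count * INTERVAL_DAYS[t.interval_unit])


# Constructed accounting totals for one node (60 GiB down, 100 MiB up).
SAMPLE_IN_BYTES = 60 * 1024 ** 3
SAMPLE_OUT_BYTES = 100 * 1024 ** 2

if __name__ == "__main__":
    for spec in ("Accounting::IN50GB1M", "Accounting::OUT500MB1D", "Accounting::TOT200GB1W"):
        t = parse_trigger(spec)
        print(spec, "violated:", is_violated(t, SAMPLE_IN_BYTES, SAMPLE_OUT_BYTES),
              "release:", release_for(spec, "2016-06-15 10:30:00"), "grace:", recommended_grace(t))
```

With the constructed totals only the 50GB/month inbound trigger is exceeded; the outbound and total triggers are not, which shows why DIRECTION matters when several accounting violations coexist on one node.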

Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl.

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf.

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf && perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3, ...) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults, and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

- DURATION: a number corresponding to the period duration.
- DATETIME_UNIT: a character corresponding to the units of the date or time duration, either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).
- PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.
- OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.
- DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.
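An added example, not PacketFence's own implementation, that computes an access end time from the duration format just described: fixed (F) durations are added to the start time, relative (R) durations are first snapped to the beginning of the unit (Monday for weeks) and the optional +/- extension is then applied. Accepting a PERIOD_BASE without an extension (e.g. 1DR) and the day clamping in month/year arithmetic are assumptions; the reference time used in the demonstration is constructed. The last function checks an access_duration_choices value against the format.

```python
import calendar
import re
from datetime import datetime, timedelta
from typing import List

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
# Assumption: a PERIOD_BASE may also stand alone, so "1DR" is accepted as well as "1DR+1D".
SPEC_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])(?:([+-])(\d+)([DWMY]))?)?$")
TIMEDELTA_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "D": "days", "W": "weeks"}


def _add_months(dt: datetime, months: int) -> datetime:
    """Calendar month arithmetic; the day is clamped to the target month's length (assumption)."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def add_duration(dt: datetime, amount: int, unit: str) -> datetime:
    """Add a signed amount of one DATETIME_UNIT / DATE_UNIT."""
    if unit in TIMEDELTA_UNITS:
        return dt + timedelta(**{TIMEDELTA_UNITS[unit]: amount})
    return _add_months(dt, amount if unit == "M" else 12 * amount)


def start_of_unit(dt: datetime, unit: str) -> datetime:
    """Beginning of the period unit, used for a relative (R) base; weeks start on Monday."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "Y"


def access_end(spec: str, start: datetime) -> datetime:
    """End of access for a duration spec, counted from `start` (fixed) or from the
    beginning of the unit containing `start` (relative)."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"invalid access duration: {spec}")
    amount, unit, base, op, ext_amount, ext_unit = m.groups()
    reference = start_of_unit(start, unit) if base == "R" else start
    end = add_duration(reference, int(amount), unit)
    if op:
        end = add_duration(end, int(ext_amount) if op == "+" else -int(ext_amount), ext_unit)
    return end


def access_end_iso(spec: str, start_iso: str) -> str:
    """String-in, string-out wrapper around access_end for quick checks."""
    return access_end(spec, datetime.fromisoformat(start_iso)).isoformat(sep=" ")


def invalid_choices(access_duration_choices: str) -> List[str]:
    """Entries of an access_duration_choices value that do not follow the format."""
    return [c for c in access_duration_choices.split(",") if c and not SPEC_RE.match(c)]


if __name__ == "__main__":
    # Constructed reference time: Wednesday 2016-06-15 10:30:00.
    for spec in ("12h", "1DR", "1WR+1D", "1MF-1D", "1MR"):
        print(spec, "->", access_end_iso(spec, "2016-06-15 10:30:00"))
```

From the constructed Wednesday 10:30 reference, 12h ends the same evening, 1DR ends at the next midnight (the relative base snaps to the start of the day), 1WR+1D ends at midnight on the Tuesday after next Monday, and 1MF-1D ends one month later minus a day at the same clock time.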

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution: A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: the PacketFence certificate is not validated by this script
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] of event 4726 is the name of the deleted account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-deleted-account
- Check Run whether user is logged on or not
- Check Run with highest privileges

Triggers → New:

- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4726

Actions → New:


- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings:

At the bottom, select in the list Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: the PacketFence certificate is not validated by this script
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] of event 4725 is the name of the disabled account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-disabled-account
- Check Run whether user is logged on or not
- Check Run with highest privileges

Triggers → New:

- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4725

Actions → New:

- Action: Start a program
- Program/script: powershell.exe
- Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings:

At the bottom, select in the list Run a new instance in parallel.

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 | Select ReplacementStrings,"Account name" | % {
    $url = "https://IP_PACKETFENCE:9090/"
    $username = "admin" # Username for the webservices
    $password = "admin" # Password for the webservices
    # Accepts any server certificate: the PacketFence certificate is not validated by this script
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # JSON-RPC call; ReplacementStrings[0] of event 4740 is the name of the locked account
    $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

    $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
    $web = [System.Net.WebRequest]::Create($url)
    $web.Method = "POST"
    $web.ContentLength = $bytes.Length
    $web.ContentType = "application/json-rpc"
    $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
    $stream = $web.GetRequestStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Close()

    $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
    $reader.ReadToEnd()
    $reader.Close()
}

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General:

- Name: PacketFence-Unreg_node-for-locked-account
- Check Run whether user is logged on or not
- Check Run with highest privileges

Triggers → New:

- Begin the task: On an event
- Log: Security
- Source: Microsoft Windows security auditing
- Event ID: 4740

Chapter13

Copyrightcopy2016Inverseinc Optionalcomponents 115

ActionsrarrNew

Action Start a programProgramscript powershellexeAdd arguments (optional) Cscriptsunreg_node_locked_accountps1

Settings

At the bottom select in the list Run a new instance in parallel

ValidatewithOkandgivetheaccountwhowillrunthistask(UsuallyDOMAINAdministrator)

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface.

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/.

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555.

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download.

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

    C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

Where pcap0 is the interface where your DHCP is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces).

Then run:

    nssm install udpreflector

In Application:

    In Path, set it to C:\udp-reflector\udpreflector.bat
    In Startup directory, set it to C:\udp-reflector
    In Arguments, set it to nothing

In Details:

    In Startup type, select Automatic

In Log on:

    In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First, download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

    # for x86_64
    wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

    rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First, make sure you have the following packages installed:

    libpcap libpcap-devel gcc-c++

Get the source code of the sensor:

    mkdir -p ~/udp-reflector && cd ~/udp-reflector
    wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
    g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface where your DHCP server listens on (list them using udp_reflector -l), and where 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

    /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html. From the PacketFence web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule in an internal source.

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. If you need to add custom rules, you can modify conf/iptables.conf to your own needs; however, the default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons and it's configured to do a weekly log rotation and keep old logs with compression. It has been added during PacketFence initial installation.

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, someone who wants to generate a certain load on the PacketFence server could force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These configurations are in the conf/pf.conf file:

    [vlan]
    trap_limit = enabled
    trap_limit_threshold = 100
    trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI, in the Configuration → SNMP section.
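The per-port rate limit described above, as an added example that is not PacketFence code: it keeps a sliding one-minute window of trap timestamps per (switch, ifIndex) and reports the traps that push a port over trap_limit_threshold. The switch address, ifIndex values and the trap records it replays are constructed; the config dict mirrors the [vlan] defaults shown above.

```python
"""Per-switch-port SNMP trap rate limit, modelled on PacketFence's trap_limit feature.

Added example, not PacketFence code. Traps are counted per (switch, ifIndex) over a
sliding one-minute window; once more than trap_limit_threshold traps fall inside the
window the port is reported, which is the point at which PacketFence logs the abnormal
activity and, when trap_limit_action is set, acts on the port.
"""
from collections import defaultdict, deque

# Mirrors the [vlan] section of conf/pf.conf shown above.
TRAP_LIMIT_CONFIG = {
    "trap_limit": "enabled",
    "trap_limit_threshold": 100,
    "trap_limit_action": "",   # empty means log only
}

WINDOW_SECONDS = 60


class TrapLimiter:
    def __init__(self, config=TRAP_LIMIT_CONFIG, window=WINDOW_SECONDS):
        self.enabled = config["trap_limit"] == "enabled"
        self.threshold = int(config["trap_limit_threshold"])
        self.action = config["trap_limit_action"]
        self.window = window
        # (switch_ip, ifIndex) -> deque of trap timestamps still inside the window
        self._events = defaultdict(deque)

    def record(self, switch_ip, if_index, timestamp):
        """Register one trap. Returns None while the port is under the limit, otherwise
        a dict describing the violation (what a caller would log, shut or email about)."""
        if not self.enabled:
            return None
        q = self._events[(switch_ip, if_index)]
        q.append(timestamp)
        # Drop timestamps that have fallen out of the sliding window
        while q and timestamp - q[0] >= self.window:
            q.popleft()
        if len(q) > self.threshold:
            return {"switch": switch_ip, "ifIndex": if_index,
                    "traps_in_window": len(q), "action": self.action or "log"}
        return None

    def traps_in_window(self, switch_ip, if_index):
        return len(self._events[(switch_ip, if_index)])


def replay_trap_log(lines, limiter):
    """Feed constructed records of the form "timestamp switch_ip ifIndex trap_type"
    through the limiter and return one violation per trap that is over the limit."""
    violations = []
    for line in lines:
        ts, switch_ip, if_index, _trap_type = line.split()
        hit = limiter.record(switch_ip, int(if_index), float(ts))
        if hit:
            violations.append(hit)
    return violations


if __name__ == "__main__":
    # Constructed sample: 150 linkUp traps from port 3 within 30 s, 5 traps from port 7
    sample = [f"{1000 + i * 0.2} 192.168.1.10 3 linkUp" for i in range(150)]
    sample += [f"{1000 + i * 10} 192.168.1.10 7 linkUp" for i in range(5)]
    found = replay_trap_log(sample, TrapLimiter())
    print(f"{len(found)} traps over the limit; the first one made it {found[0]['traps_in_window']} traps in a minute")
```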

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance:

Check the system load:

    # uptime
    11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79

Check iostat and CPU:

    # iostat 5
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    3.20   20.20   76.00
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       32.40         0.00      1560.00          0       7800
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.20    9.20   88.00
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        7.80         0.00        73.60          0        368
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    1.80   23.80   73.80
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       31.40         0.00      1427.20          0       7136
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.40   18.16   78.84
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO Wait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

    mysql> show variables;
    | innodb_additional_mem_pool_size | 1048576 |
    | innodb_autoextend_increment     | 8       |
    | innodb_buffer_pool_awe_mem_mb   | 0       |
    | innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shutdown PacketFence and MySQL:

    # /etc/init.d/packetfence stop
    Shutting down PacketFence...
    [...]
    # /etc/init.d/mysql stop
    Stopping MySQL:  [ OK ]

Edit /etc/my.cnf (or your local my.cnf):

    [mysqld]
    # Set buffer pool size to 50-80% of your computer's memory
    innodb_buffer_pool_size=800M
    innodb_additional_mem_pool_size=20M
    innodb_flush_log_at_trx_commit=2
    innodb_file_per_table
    # allow more connections
    max_connections=700
    # set cache size
    key_buffer_size=900M
    table_cache=300
    query_cache_size=256M
    # enable slow query log
    log_slow_queries = ON

Startup MySQL and PacketFence:

    # /etc/init.d/mysqld start
    Starting MySQL:  [ OK ]
    # /etc/init.d/packetfence start
    Starting PacketFence...
    [...]

Wait 10 minutes for PacketFence to initialize the network map, and re-check iostat and CPU:

    # uptime
    12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
    # iostat 5
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        8.00         0.00        75.20          0        376
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.60    0.00    2.99   13.37   83.03
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0       14.97         0.00       432.73          0       2168
    avg-cpu:  %user   %nice    %sys %iowait   %idle
               0.20    0.00    2.60    6.60   90.60
    Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
    cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command-line:

    /usr/local/pf/bin/pftest mysql

Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and daily backups.

Avoid "Too many connections" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tends to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and, after 10 of these (by default), it will lock the host out with a:

    Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop, ...).

Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

    [get_ua_is_dalvik]
    filter = user_agent
    method = GET
    operator = match
    value = Dalvik

    [get_uri_not_generate204]
    filter = uri
    method = GET
    operator = match_not
    value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

    [block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
    action = 501
    redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.
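The filter logic above, as an added example that is not PacketFence's own filter engine: it parses the two section kinds of apache_filters.conf (tests, and rules named [rule:testA&testB]) and decides what happens to a request. The config text is the page's example; the sample requests are constructed, and only the match / match_not operators and "&" combinations shown above are implemented, with value treated as a regular expression.

```python
"""Evaluate PacketFence-style captive-portal HTTP filters (apache_filters.conf).

Added example, not PacketFence code. Test sections carry filter/method/operator/value;
rule sections are named "rule_name:test1&test2" and carry action/redirect_url.
"""
import configparser
import re

# The example from the page, embedded so the parser can be run offline.
APACHE_FILTERS_CONF = """
[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =
"""


def parse_filters(text):
    """Return (tests, rules): tests keyed by name, rules as an ordered list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    tests, rules = {}, []
    for section in cp.sections():
        if ":" in section:  # rule: name:test&test&...
            name, expr = section.split(":", 1)
            rules.append({
                "name": name,
                "tests": [t.strip() for t in expr.split("&")],
                "action": cp[section]["action"],
                "redirect_url": cp[section].get("redirect_url", ""),
            })
        else:               # test
            tests[section] = dict(cp[section])
    return tests, rules


def run_test(test, request):
    """A test only applies to requests of its HTTP method; match / match_not are
    regex searches on the chosen request field (uri or user_agent)."""
    if request["method"] != test["method"]:
        return False
    field = request.get(test["filter"], "")
    found = re.search(test["value"], field) is not None
    return found if test["operator"] == "match" else not found


def evaluate(request, tests, rules):
    """Return (action, redirect_url) of the first rule whose tests all pass, or None
    when the request should reach the captive portal normally."""
    for rule in rules:
        if all(run_test(tests[name], request) for name in rule["tests"]):
            return rule["action"], rule["redirect_url"]
    return None


if __name__ == "__main__":
    tests, rules = parse_filters(APACHE_FILTERS_CONF)
    # Constructed request: an Android app probe that is not the connectivity check
    android_probe = {"method": "GET", "uri": "/index.html",
                     "user_agent": "Dalvik/2.1.0 (Linux; Android 6.0)"}
    print(evaluate(android_probe, tests, rules))  # ('501', '')
```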

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them on another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

    service packetfence stop

Create an ext4 partition:

    mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

    mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

    echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
    mkdir /usr/local/pf/var/graphite
    mount -a
    df -h

Apply the proper user rights and restore your database from your backup:

    chown pf:pf /usr/local/pf/var/graphite
    cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

    rm -fr /usr/local/pf/var/graphite.bak

Additional Information

For more information, please consult the mailing archives or post your questions to it. For details, see:

* packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence
* packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
* packetfence-users@lists.sourceforge.net: User and usage discussions

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca.

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.

Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:

    Usage: pfcmd <command> [options]

    Commands:
     cache                       | manage the cache subsystem
     checkup                     | perform a sanity checkup and report any problems
     class                       | view violation classes
     configfiles                 | push or pull configfiles into/from database
     configreload                | reload the configuration
     floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
     help                        | show help for pfcmd commands
     ifoctetshistorymac          | accounting history
     ifoctetshistoryswitch       | accounting history
     ifoctetshistoryuser         | accounting history
     import                      | bulk import of information into the database
     ipmachistory                | IP/MAC history
     locationhistorymac          | Switch/Port history
     locationhistoryswitch       | Switch/Port history
     networkconfig               | query/modify network configuration parameters
     node                        | manipulate node entries
     pfconfig                    | interact with pfconfig
     portalprofileconfig         | query/modify portal profile configuration parameters
     reload                      | rebuild fingerprint or violations tables without restart
     service                     | start/stop/restart and get PF daemon status
     schedule                    | Nessus scan scheduling
     switchconfig                | query/modify switches.conf configuration parameters
     version                     | output version information
     violationconfig             | query/modify violations.conf configuration parameters

    Please view "pfcmd help <command>" for details on each option

The "node view" option shows all information contained in the node database table for a specified MAC address:

    # /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
    mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
    52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.

Again, when executed without any arguments, a help screen is shown:

    Usage: pfcmd_vlan command [options]

    Command:
      -deauthenticate      de-authenticate a dot11 client
      -deauthenticateDot1x de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
      -getAlias            show the description of the specified switch port
      -getAllMACs          show all MACS on all switch ports
      -getHubs             show switch ports with several MACs
      -getIfOperStatus     show the operational status of the specified switch port
      -getIfType           show the ifType on the specified switch port
      -getLocation         show at which switch port the MAC is found
      -getSwitchLocation   show SNMP location of specified switch
      -getMAC              show all MACs on the specified switch port
      -getType             show switch type
      -getUpLinks          show the upLinks of the specified switch
      -getVersion          show switch OS version
      -getVlan             show the VLAN on the specified switch port
      -getVlanType         show the VLAN type on the specified port
      -help                brief help message
      -isolate             set the switch port to the isolation VLAN
      -man                 full documentation
      -reAssignVlan        re-assign a switch port VLAN
      -reevaluateAccess    reevaluate the current VLAN or firewall rules of a given MAC
      -runSwitchMethod     run a particular method call on a given switch (FOR ADVANCED PURPOSES)
      -setAlias            set the description of the specified switch port
      -setDefaultVlan      set the switch port to the default VLAN
      -setIfAdminStatus    set the admin status of the specified switch port
      -setVlan             set VLAN on the specified switch port
      -setVlanAllPort      set VLAN on all non-UpLink ports of the specified switch

    Options:
      -alias          switch port description
      -ifAdminStatus  ifAdminStatus
      -ifIndex        switch port ifIndex
      -mac            MAC address
      -showPF         show additional information available in PF
      -switch         switch description
      -verbose        log verbosity level
                       0 : fatal messages
                       1 : warn messages
                       2 : info messages
                       3 : debug
                       4 : trace
      -vlan           VLAN id
      -vlanName       VLAN name (as in switches.conf)

System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

* Database server (MySQL or MariaDB)
* Web server (Apache)
* DHCP server (ISC DHCP)
* RADIUS server (FreeRADIUS)

Depending on your setup, you may have to install additional components like:

* NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

Good understanding of those underlying components and GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

* Intel or AMD CPU 3 GHz
* 8 GB of RAM
* 100 GB of disk space (RAID-1 recommended)
* 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:

* Red Hat Enterprise Linux 6.x and 7.x Server
* Community ENTerprise Operating System (CentOS) 6.x and 7.x
* Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

* Web server (httpd)
* DHCP server (dhcpd)
* FreeRADIUS server (radiusd)
* Snort/Suricata Network IDS (snort/suricata)
* Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

* Disable Firewall
* Disable SELinux
* Disable AppArmor
* Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

    yum update

On a Debian or Ubuntu system, do:

    apt-get update
    apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

RedHat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.

RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

    rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL / CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

* easy installation
* everything is packaged as RPM/deb (no more CPAN hassle)
* easy upgrade

Software Installation

RHEL / CentOS

In order to use the PacketFence repository:

    yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    yum install perl
    yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator.

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
    sudo apt-get update
    sudo apt-get install packetfence

Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

* Inline
* Out-of-band
* Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.

Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access-points. Now, with the new inline mode, PacketFence can be used in-band for those devices. So, in other words, PacketFence would become the gateway of that inline network, and NAT or route the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, and all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.

Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

* Everyone behind an inline interface is on the same Layer 2 LAN
* Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
* Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
* Ipset can store up to 65536 entries, so it is not possible to have an inline network larger than a class B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.

Chapter7

Copyrightcopy2016InverseincTechnicalintroductiontoOut-of-bandenforcement 15

TechnicalintroductiontoOut-of-bandenforcement

Introduction

VLANassignmentiscurrentlyperformedusingseveraldifferenttechniquesThesetechniquesarecompatibleone toanotherbutnoton the sameswitchportThismeans thatyoucanuse themoresecureandmoderntechniquesforyour latestswitchesandanothertechniqueontheoldswitchesthatdoesnrsquotsupportlatesttechniquesAsitrsquosnameimpliesVLANassignmentmeansthatPacketFenceistheserverthatassignstheVLANtoadeviceThisVLANcanbeoneofyourVLANsoritcanbeaspecialVLANwherePacketFencepresentsthecaptiveportalforauthenticationorremediation

VLANassignmenteffectivelyisolateyourhostsattheOSILayer2meaningthatitisthetrickiestmethodtobypassandistheonewhichadaptsbesttoyourenvironmentsinceitgluesintoyourcurrentVLANassignmentmethodology

VLANassignmenttechniques

Wired8021X+MACAuthentication8021Xprovidesport-basedauthenticationwhichinvolvescommunicationsbetweenasupplicantauthenticator(knownasNAS)andauthenticationserver(knownasAAA)ThesupplicantisoftensoftwareonaclientdevicesuchasalaptoptheauthenticatorisawiredEthernetswitchorwirelessaccesspointandtheauthenticationserverisgenerallyaRADIUSserver

Thesupplicant(ieclientdevice)isnotallowedaccessthroughtheauthenticatortothenetworkuntilthesupplicantrsquosidentityisauthorizedWith8021Xport-basedauthenticationthesupplicantprovides credentials such as user name password or digital certificate to the authenticatorandtheauthenticatorforwardsthecredentialstotheauthenticationserverforverificationIfthecredentialsarevalid(intheauthenticationserverdatabase)thesupplicant(clientdevice)isallowedtoaccessthenetworkTheprotocolforauthenticationiscalledExtensibleAuthenticationProtocol(EAP)whichhavemanyvariantsBothsupplicantandauthenticationserversneed tospeak thesameEAPprotocolMostpopularEAPvariantisPEAP-MsCHAPv2(supportedbyWindowsMacOSXLinuxforauthenticationagainstAD)

Chapter7

Copyrightcopy2016InverseincTechnicalintroductiontoOut-of-bandenforcement 16

InthiscontextPacketFencerunstheauthenticationserver(aFreeRADIUSinstance)andwillreturntheappropriateVLANtotheswitchAmodulethatintegratesinFreeRADIUSdoesaremotecalltothePacketFenceservertoobtainthatinformationMoreandmoredeviceshave8021Xsupplicantwhichmakesthisapproachmoreandmorepopular

MACAuthenticationisanewmechanismintroducedbysomeswitchvendortohandlethecaseswherea8021XsupplicantdoesnotexistDifferentvendorshavedifferentnames for itCiscocallsitMACAuthenticationBypass(MAB)JunipercallsitMACRADIUSExtremeNetworkscallsitNetloginetcAfteratimeoutperiodtheswitchwillstoptryingtoperform8021XandwillfallbacktoMACAuthenticationIthastheadvantageofusingthesameapproachas8021XexceptthattheMACaddressissentinsteadoftheusernameandthereisnoend-to-endEAPconversation(nostrongauthentication)UsingMACAuthenticationdeviceslikenetworkprinterornon-8021XcapableIPPhonescanstillgainaccesstothenetworkandtherightVLAN

Wireless8021X+MACauthenticationWireless 8021Xworks likewired8021X andMAC authentication is the same aswiredMACAuthenticationWhere things change is that the8021X isused to setup the security keys forencryptedcommunication(WPA2-Enterprise)whileMACauthenticationisonlyusedtoauthorize(allowordisallow)aMAConthewirelessnetwork

OnwirelessnetworkstheusualPacketFencesetupdictatethatyouconfiguretwoSSIDsanopenoneandasecureoneTheopenoneisusedtohelpusersconfigurethesecureoneproperlyandrequiresauthenticationoverthecaptiveportal(whichrunsinHTTPS)

ThefollowingdiagramdemonstratestheflowbetweenamobileenpointaWiFiaccesspointaWiFicontrollerandPacketFence

1 UserinitiatesassociationtoWLANAPandtransmitsMACaddressIfuseraccessesnetworkviaaregistereddeviceinPacketFencegoto8

2 The WLAN controller transmits MAC address via RADIUS to the PacketFence server toauthenticateauthorizethatMACaddressontheAP

3 PacketFenceserverconductsaddressaudit in itsdatabase If itdoesnotrecognizetheMACaddressgoto4Ifitdoesgoto8

4 PacketFenceserverdirectsWLANcontrollerviaRADIUS(RFC2868attributes)toputthedeviceinanunauthenticatedroleldquo(setofACLsthatwouldlimitredirecttheusertothePacketFence

Chapter7

Copyrightcopy2016InverseincTechnicalintroductiontoOut-of-bandenforcement 17

captiveportalforregistrationorwecanalsousearegistrationVLANinwhichPacketFencedoesDNSblackholingandistheDHCPserver)

5 TheuserrsquosdeviceissuesaDHCPDNSrequesttoPacketFence(whichisaDHCPDNSserveronthisVLANorforthisrole)whichsendstheIPandDNSinformationAtthispointACLsarelimitingredirectingtheusertothePacketFencersquoscaptiveportalforauthenticationPacketFencefingerprintsthedevice(user-agentattributesDHCPinformationampMACaddresspatterns)towhichitcantakevariousactionsincludingkeepdeviceonregistrationportaldirecttoalternatecaptive portal auto-register thedevice auto-block thedevice etc If thedevice remains ontheregistrationportaltheuserregistersbyprovidingtheinformation(usernamepasswordcellphonenumberetc)At this timePacketFencecouldalsorequire thedevicetogothroughapostureassessment(usingNessusOpenVASetc)

6 Ifauthentication is required (usernamepassword) througha loginformthosecredentialsarevalidatedviatheDirectoryserver(oranyotherauthenticationsources-likeLDAPSQLRADIUSSMSFacebookGoogle+etc)whichprovidesuserattributestoPacketFencewhichcreatesuser+devicepolicyprofileinitsdatabase

7 PacketFenceperformsaChangeofAuthorization(RFC3576)onthecontrollerandtheusermustbere-authenticatedreauthorizedsowegobackto1

8 PacketFenceserverdirectsWLANcontrollerviaRADIUStoputthedeviceinanauthenticatedroleldquoorinthenormalVLAN

WebAuthmodeWebauthenticationisamethodontheswitchthatforwardshttptrafficofthedevicetothecaptiveportalWiththismodeyourdevicewillneverchangeofVLANIDbutonlytheACLassociatedtoyourdevicewillchangeRefertotheNetworkDevicesConfigurationGuidetoseeasamplewebauthconfigurationonaCiscoWLC

Port-securityandSNMPReliesontheport-securitySNMPTrapsAfakestaticMACaddressisassignedtoalltheportsthiswayanyMACaddresswillgenerateasecurityviolationandatrapwillbesenttoPacketFenceThesystemwillauthorizetheMACandsettheportintherightVLANVoIPsupportispossiblebuttrickyItvariesalotdependingontheswitchvendorCiscoiswellsupportedbutisolationofaPCbehindanIPPhoneleadstoaninterestingdilemmaeitheryoushuttheport(andthephoneatthesametime)oryouchangethedataVLANbutthePCdoesnrsquotdoDHCP(didnrsquotdetectlinkwasdown)soitcannotreachthecaptiveportal

AsidefromtheVoIPisolationdilemmaitisthetechniquethathasproventobereliableandthathasthemostswitchvendorsupport

MoreonSNMPtrapsVLANisolation

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.

linkUp/linkDown traps (deprecated). This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps. If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps. In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.

If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.
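The following is an added example, not PacketFence's pfsetvlan code, that models the decisions described above for the three trap families: a linkUp parks the port in the MAC detection VLAN and leaves a thread waiting, a linkDown on the same port cancels that thread, and a MAC learnt or port-security trap (which both carry the MAC) triggers the status lookup that picks the registration, isolation or normal VLAN. The trap line format, the VLAN numbers, the node table and the TrapHandler name are constructed for the demonstration and are not the real snmptrapd.log format.

```python
"""Toy model of how pfsetvlan reacts to linkUp/linkDown, MAC notification and
port-security traps.  Added example, not PacketFence code: the trap lines, the
VLAN numbers and the node table below are all constructed."""
import re

REGISTRATION_VLAN = 2      # unregistered devices (DHCP, no routing)
ISOLATION_VLAN = 3         # devices with open violations
MAC_DETECTION_VLAN = 4     # void VLAN used only while the MAC is unknown
NORMAL_VLAN = 10           # registered, clean devices

# Constructed node table: mac -> (registered?, has open violation?)
NODES = {
    "00:11:22:33:44:55": (True, False),
    "00:11:22:33:44:66": (True, True),
}

# Constructed line shape: "<switch ip> <trap kind> ifIndex=<n> [mac=<mac>]"
TRAP_RE = re.compile(
    r"^(?P<switch>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<kind>linkUp|linkDown|macLearnt|portSecurity)\s+"
    r"ifIndex=(?P<ifindex>\d+)(?:\s+mac=(?P<mac>[0-9a-f:]{17}))?$"
)


def vlan_for_mac(mac):
    """The status lookup done once the MAC is known: existing? registered? violations?"""
    if mac not in NODES:
        return REGISTRATION_VLAN
    registered, violation = NODES[mac]
    if violation:
        return ISOLATION_VLAN
    return NORMAL_VLAN if registered else REGISTRATION_VLAN


class TrapHandler:
    def __init__(self):
        self.ports = {}       # (switch, ifIndex) -> VLAN currently set on the port
        self.pending = set()  # ports where a linkUp thread is still waiting for the MAC

    def handle(self, line):
        """Process one trap line and return the VLAN now set on that port."""
        m = TRAP_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable trap line: %r" % line)
        port = (m["switch"], int(m["ifindex"]))
        kind, mac = m["kind"], m["mac"]
        if kind == "linkUp":
            # MAC not known yet: park the port in the void VLAN and keep a thread waiting
            self.ports[port] = MAC_DETECTION_VLAN
            self.pending.add(port)
        elif kind == "linkDown":
            # a linkDown on the same port cancels the waiting linkUp thread
            self.pending.discard(port)
            self.ports[port] = MAC_DETECTION_VLAN
        else:  # macLearnt / portSecurity: the trap carries the MAC, so decide right away
            self.pending.discard(port)
            self.ports[port] = vlan_for_mac(mac)
        return self.ports[port]


def run(lines):
    """Feed all lines to one handler; return (VLAN per trap, ports still waiting)."""
    handler = TrapHandler()
    return [handler.handle(line) for line in lines], sorted(handler.pending)


SAMPLE_TRAPS = [  # constructed
    "192.168.0.1 linkUp ifIndex=10001",
    "192.168.0.1 linkDown ifIndex=10001",          # NIC bounced during boot
    "192.168.0.1 linkUp ifIndex=10001",
    "192.168.0.1 macLearnt ifIndex=10001 mac=00:11:22:33:44:55",
    "192.168.0.1 portSecurity ifIndex=10002 mac=00:11:22:33:44:66",
    "192.168.0.1 portSecurity ifIndex=10003 mac=de:ad:be:ef:00:01",
]

if __name__ == "__main__":
    print(run(SAMPLE_TRAPS))
```

Running it on the constructed traps yields one MAC-detection placement per link event, the normal VLAN for the clean registered node, the isolation VLAN for the node with an open violation and the registration VLAN for the unknown MAC, with no thread left waiting once the MACs are known.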

Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC-authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC-authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter is working like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration) and the client with MAC address 00:11:22:33:44:55 if it connects on another SSID.
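As an added example (not PacketFence's own code), the function below evaluates a "Trigger to enable inline mode" value against a connecting node. It assumes the TYPE::VALUE spelling with several triggers separated by commas, as in the example above, and the function names are made up.

```python
"""Evaluate the "Trigger to enable inline mode" switch parameter.
Added example, not PacketFence code.  Assumes triggers are written TYPE::VALUE
and separated by commas (e.g. SSID::GuestAccess,MAC::00:11:22:33:44:55)."""

TRIGGER_TYPES = ("ALWAYS", "PORT", "MAC", "SSID")


def parse_triggers(spec):
    """'SSID::GuestAccess,MAC::00:11:22:33:44:55' -> [('SSID','GuestAccess'), ('MAC','00:11:...')]"""
    triggers = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition("::")
        kind = kind.upper()
        if kind not in TRIGGER_TYPES:
            raise ValueError("unknown trigger type: %s" % kind)
        if kind != "ALWAYS" and not value:
            raise ValueError("trigger %s needs a value" % kind)
        if kind == "MAC":
            value = value.lower()          # compare MACs case-insensitively
        triggers.append((kind, value or None))
    return triggers


def inline_enforced(spec, mac, ifindex=None, ssid=None):
    """True when any trigger in spec matches this node's MAC, port or SSID."""
    for kind, value in parse_triggers(spec):
        if kind == "ALWAYS":
            return True
        if kind == "PORT" and ifindex is not None and str(ifindex) == value:
            return True
        if kind == "MAC" and mac.lower() == value:
            return True
        if kind == "SSID" and ssid == value:
            return True
    return False                            # fall back to VLAN enforcement


if __name__ == "__main__":
    spec = "SSID::GuestAccess,MAC::00:11:22:33:44:55"
    print(inline_enforced(spec, "aa:bb:cc:dd:ee:ff", ssid="GuestAccess"))  # True
    print(inline_enforced(spec, "00:11:22:33:44:55", ssid="Corp"))         # True
    print(inline_enforced(spec, "aa:bb:cc:dd:ee:ff", ssid="Corp"))         # False
```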

Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following section presents key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at https://<ip_of_packetfence>:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from the PacketFence administrative GUI, from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.

Roles are dynamically computed by PacketFence based on the rules (i.e. a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory
Apache htpasswd file
Email
External HTTP API
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth2)
Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from the PacketFence administrative GUI, from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), actions are then applied and rule testing stops across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: ActiveDirectory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: employee

Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad1
Description: ActiveDirectory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth

Set unregistration date: January 1st, 2020

Note: When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note: If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result should be 1 for success, 0 for failure
message should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}

Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note: See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving any of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
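Below is an added, standard-library-only implementation of an external API of the shape described above: an authentication action returning {"result", "message"}, an authorization action returning only the attributes PacketFence understands, and HTTP basic authentication on both. It is not the example_external_auth add-on shipped with PacketFence. The endpoint paths (/auth and /authz), the POST field names username/password, the API credentials and the user table are constructed for this demonstration; passwords are stored salted and hashed, and comparisons are constant-time.

```python
"""External HTTP authentication API in the shape PacketFence's HTTP source expects.
Added example, not PacketFence's example_external_auth.  Paths, POST field names,
API credentials and users are constructed."""
import base64
import hashlib
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

API_USER, API_PASS = "pf", "constructed-api-secret"   # the "API username/password" fields
PF_ATTRIBUTES = ("access_duration", "access_level", "sponsor", "unregdate", "category")
ITERATIONS = 100_000


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password, **attrs):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _pbkdf2(password, salt), "attrs": attrs}


USERS = {  # constructed; only hashes are kept
    "alice": make_user("wonderland", category="employee", access_duration="1D"),
    "sponsor1": make_user("s3cret", category="default", access_level="ALL",
                          sponsor=1, unregdate="2030-01-01"),
}


def authenticate(username, password):
    """Authentication action: {"result": 1|0, "message": reason}."""
    user = USERS.get(username)
    if user is None:
        _pbkdf2(password, b"\x00" * 16)    # same cost for unknown users (no timing oracle)
        return {"result": 0, "message": "Invalid username or password"}
    if not hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        return {"result": 0, "message": "Invalid username or password"}
    return {"result": 1, "message": "Valid username and password"}


def authorize(username):
    """Authorization action: only known PacketFence attributes, only those set."""
    user = USERS.get(username)
    if user is None:
        return {}
    return {k: v for k, v in user["attrs"].items() if k in PF_ATTRIBUTES}


def basic_auth_ok(header):
    """Validate an RFC 2617 'Basic <base64(user:pass)>' header value."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(pw, API_PASS)


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_qs(self.rfile.read(length).decode())
        username = fields.get("username", [""])[0]
        if self.path == "/auth":
            body = authenticate(username, fields.get("password", [""])[0])
        elif self.path == "/authz":
            body = authorize(username)
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # PacketFence HTTP source: Host http://127.0.0.1:8080, URLs "auth" and "authz"
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

With this running, the PacketFence HTTP source would use http://127.0.0.1:8080 as host, auth and authz as the two URLs, and pf with the API secret as the API username and password; in production the host would be https.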

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata on the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then transfer the certificate and CA certificate of the Identity Provider on the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.

Then, to configure SAML in PacketFence, go in Configuration → Sources and create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/idp.crt).

Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred on the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows you to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link "Download Service Provider metadata" on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note: PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.
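Since the SAML source takes both the IdP metadata file and a separately copied idp.crt, an easy mistake is to copy a certificate that is not the one the IdP actually signs with. The following added check (not part of PacketFence) reads the signing certificate(s) out of a SAML 2.0 IdP metadata document and compares their SHA-256 fingerprint with the PEM file before the source is saved. The metadata document and both certificates below are constructed stand-ins (the base64 is not a real certificate), and the function names are made up.

```python
"""Verify that the IdP certificate file matches the signing certificate published
in the IdP metadata.  Added example, not PacketFence code; inputs are constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # for metadata from an untrusted party, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def metadata_signing_certs(xml_text):
    """Return (entityID, [DER bytes of each signing certificate]) from IdP metadata."""
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # skip encryption-only keys
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode(re.sub(r"\s+", "", cert.text)))
    return root.get("entityID"), certs


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block of a PEM file as DER bytes."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem_text, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(r"\s+", "", body.group(1)))


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def idp_cert_matches_metadata(pem_text, xml_text):
    """True when the PEM certificate is one of the metadata's signing certificates."""
    _, certs = metadata_signing_certs(xml_text)
    return fingerprint(pem_to_der(pem_text)) in {fingerprint(c) for c in certs}


# Constructed inputs: FAKE_DER stands in for a real DER-encoded certificate.
FAKE_DER = b"constructed-not-a-real-certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % FAKE_B64

IDP_CRT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % FAKE_B64
WRONG_CRT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(b"some-other-certificate").decode())

if __name__ == "__main__":
    print(metadata_signing_certs(IDP_METADATA)[0])
    print(idp_cert_matches_metadata(IDP_CRT, IDP_METADATA))    # True
    print(idp_cert_matches_metadata(WRONG_CRT, IDP_METADATA))  # False
```

On a real deployment the two inputs would be read from /usr/local/pf/conf/idp-metadata.xml and /usr/local/pf/conf/ssl/idp.crt; a mismatch means assertions signed by the IdP will fail verification even though the source looks correctly configured.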

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify

the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches, which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.

From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access;engineeringRole=full-access;salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.

Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
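As an added example (not PacketFence's pf::SwitchFactory), the code below reads a switches.conf-style file and resolves, for a given switch, the effective working mode, the uplink list and the controller role for a PacketFence role using the <rolename>Role=<controller_role> convention. It assumes the INI layout described above (a [default] section plus one section per switch IP), that a per-switch parameter replaces the default one entirely, and that role entries are separated by ";" or ","; the sample file, the option names other than mode, type, uplink, roles and radiusSecret, and the function names are constructed for the demonstration.

```python
"""Resolve per-switch settings from a switches.conf-style INI file.
Added example, not PacketFence code; the sample file below is constructed."""
import configparser
import re

SWITCHES_CONF = """\
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = production
roles = adminRole=full-access;engineeringRole=full-access;salesRole=little-access

[192.168.0.1]
type = Cisco::Catalyst_2960
mode = testing
uplink = 24,25
radiusSecret = secretPassPhrase

[192.168.0.2]
type = Cisco::Catalyst_2960
roles = salesRole=sales-acl
"""


def load_switches(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str                 # keep option names case-sensitive
    cfg.read_string(text)
    return cfg


def switch_setting(cfg, switch_ip, key):
    """Per-switch value if present, else the [default] one, else None."""
    if switch_ip not in cfg:
        raise KeyError("switch %s is not defined in switches.conf" % switch_ip)
    return cfg.get(switch_ip, key, fallback=cfg.get("default", key, fallback=None))


def parse_role_map(spec):
    """'adminRole=full-access;salesRole=little-access' -> {'admin': 'full-access', ...}"""
    mapping = {}
    for item in re.split(r"[;,]", spec or ""):
        item = item.strip()
        if not item:
            continue
        name, _, controller_role = item.partition("=")
        if not name.endswith("Role") or not controller_role:
            raise ValueError("bad role entry %r, expected <rolename>Role=<controller_role>" % item)
        mapping[name[:-len("Role")]] = controller_role
    return mapping


def controller_role(cfg, switch_ip, pf_role):
    """External role the switch should receive for a PacketFence role, or None."""
    return parse_role_map(switch_setting(cfg, switch_ip, "roles")).get(pf_role)


def working_mode(cfg, switch_ip):
    mode = (switch_setting(cfg, switch_ip, "mode") or "").lower()
    if mode not in ("testing", "registration", "production"):
        raise ValueError("unknown working mode %r for %s" % (mode, switch_ip))
    return mode


def uplinks(cfg, switch_ip):
    """ifIndexes PacketFence must never touch on this switch."""
    value = switch_setting(cfg, switch_ip, "uplink") or ""
    return [int(x) for x in value.split(",") if x.strip()]


if __name__ == "__main__":
    cfg = load_switches(SWITCHES_CONF)
    for ip in ("192.168.0.1", "192.168.0.2"):
        print(ip, working_mode(cfg, ip), uplinks(cfg, ip),
              controller_role(cfg, ip, "sales"), controller_role(cfg, ip, "admin"))
```

Note the effect of the per-switch roles line on 192.168.0.2: because it replaces the default parameter, admin and engineering no longer map to anything on that switch, which is the kind of gap the caution above refers to.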

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI, from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.

Example with the most common ones:

SSID: Guest-SSID

VLAN: 100

Switch Port: <SwitchId>-<Port>

Network: Network in CIDR format or an IP address

Caution: Node role will take effect only with an 802.1x connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configurations are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface
httpd.portal is used to manage the PacketFence captive portal interface
httpd.webservices is used to manage the PacketFence web services interface
httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. In some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.

Option 1: Authentication against Active Directory (AD)

Caution: If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note: If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.

Where

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.

Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note: Under certain conditions, the test join may show as unsuccessful in the Administration interface, but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.

Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, it will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.
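The reason both the FQDN realm and the workgroup realm are needed is that a login can arrive as user@domain.net (handled by the FreeRADIUS suffix module) or as DOMAIN\user (handled by the ntdomain module), and each form must still land on the same PacketFence domain. The added example below (not FreeRADIUS or PacketFence code) models that realm table for two domains plus the default realm and shows which chroot the ntlm_auth test above would have to run in for a given login; the domain identifiers and helper names are constructed.

```python
"""Map a RADIUS User-Name to a PacketFence domain through the realm table.
Added example, not FreeRADIUS's suffix/ntdomain modules; realm table is constructed."""

REALMS = {  # constructed: realm (lower-cased) -> domain identifier (Configuration → Domains)
    "domain.net": "domain1",   # FQDN realm, catches user@domain.net
    "domain": "domain1",       # workgroup realm, catches DOMAIN\user
    "other.net": "domain2",
    "other": "domain2",
}
DEFAULT_DOMAIN = "domain1"     # the domain whose realm is marked as default


def split_realm(user_name):
    """Return (user, realm) like suffix (user@realm) and ntdomain (REALM\\user) do."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return user, realm.lower()
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
        return user, realm.lower()
    return user_name, None


def domain_for(user_name):
    """Return (bare user, domain identifier); unknown realms are rejected, not defaulted."""
    user, realm = split_realm(user_name)
    if realm is None:
        return user, DEFAULT_DOMAIN
    if realm not in REALMS:
        raise LookupError("no realm configured for %r" % realm)
    return user, REALMS[realm]


def ntlm_auth_command(user_name):
    """The chroot'ed ntlm_auth test command for the domain that handles this login."""
    user, domain = domain_for(user_name)
    return ["chroot", "/chroots/%s" % domain, "ntlm_auth", "--username=%s" % user]


if __name__ == "__main__":
    for name in ("alice@domain.net", "DOMAIN\\alice", "bob@other.net", "carol"):
        print(name, "->", domain_for(name), " ".join(ntlm_auth_command(name)))
```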

Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note: If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:

service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

usermod -a -G wbpriv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf
ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
    User-Name = "myDomainUser"
    NAS-IP-Address = 10.0.0.1
    NAS-Port = 12
    Message-Authenticator = 0x00000000000000000000000000000000
    MS-CHAP-Challenge = 0x79d62c9da4e55104
    MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication. Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP. To authenticate 802.1x connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.

ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration. This section will allow local credentials created during guest registration to be used in 802.1x EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS...) and activate "Create local account" on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the "Reuse dot1x credentials" option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
            # Disable ntlm_auth
            update control {
                    &MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    # Check password table with email and password for a guest registration
                    pfguest
                    if (fail || notfound) {
                            # Check password table with email and password for a sponsor registration
                            pfsponsor
                            if (fail || notfound) {
                                    # Don't check activation table with phone number and PIN code
                                    #pfsms     <--- This line was commented out
                                    if (fail || notfound) {
                                            update control {
                                                    &MS-CHAP-Use-NTLM-Auth := Yes
                                            }
                                    }
                            }
                    }
            }
    }

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords.

Option 5: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel.

In this example we activate this feature on a specific SSID name (Secure-local-Wireless): NTLM Auth is disabled first and the local accounts are tested; if that fails, NTLM Auth is reactivated.

    # Activate local user eap authentication based on a specific SSID
    # Set Called-Station-SSID with the current SSID
    set.called_station_ssid
    if (Called-Station-SSID == "Secure-local-Wireless") {
            # Disable ntlm_auth
            update control {
                    MS-CHAP-Use-NTLM-Auth := No
            }
            # Check password table for local user
            pflocal
            if (fail || notfound) {
                    update control {
                            MS-CHAP-Use-NTLM-Auth := Yes
                    }
            }
    }

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
            User-Name = "dd9999"
            User-Password = "Abcd1234"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20
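Options 3, 4 and 5 all carry the same constraint: the password must be stored as an NT hash or in cleartext, and database hashing must be turned off. The following added example (not code from the guide or from PacketFence) shows why. MS-CHAPv2, which EAP-PEAP uses, computes its challenge/response from the NT hash of the password (MD4 over the UTF-16LE encoding), so the RADIUS side must hold either that hash or the cleartext from which it can be derived; a bcrypt or salted SHA value cannot be turned back into an NT hash. The "{cleartext}", "{nthash}" and "{bcrypt}" prefixes are a constructed convention for this example only, and the MD4 routine is included because many OpenSSL 3 builds no longer expose MD4 through hashlib.

```python
"""Why MS-CHAP authentication needs the cleartext password or its NT hash.

Added example; not code from the PacketFence guide or project. The
"{cleartext}", "{nthash}" and "{bcrypt}" prefixes are a constructed
convention used only to label the three storage formats compared here.
"""
import struct
from typing import Optional


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new("md4") is unavailable on
    many OpenSSL 3 builds, so the digest is implemented here."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rotl(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as little-endian u64
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as FreeRADIUS consumes it (NT-Password attribute, or the
    NT-hash form of an OpenLDAP password): MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def nt_hash_from_stored(stored: str) -> Optional[str]:
    """Return the NT hash an MS-CHAPv2 verifier can work from for a stored
    credential, or None when the storage format makes MS-CHAP impossible."""
    if stored.startswith("{cleartext}"):
        return nt_hash(stored[len("{cleartext}"):])
    if stored.startswith("{nthash}"):
        value = stored[len("{nthash}"):].upper()
        if len(value) == 32 and all(ch in "0123456789ABCDEF" for ch in value):
            return value
        return None
    # One-way salted hashes (bcrypt, SSHA, ...) cannot be converted back
    return None


if __name__ == "__main__":
    print(nt_hash("password"))                                        # 8846F7EAEE8FB117AD06BDD830B7586C
    print(nt_hash_from_stored("{bcrypt}$2b$12$constructedexample"))  # None
```

The practical consequence for the options above: if advanced.hash_passwords is left on bcrypt, pflocal and pfguest cannot produce an NT hash and the MS-CHAPv2 check fails even with the right password, which is exactly the failure the Caution in option 5 warns about.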

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence, meaning all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

Root: This is where it all starts; this module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.

Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".

Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

  Billing: Allows to define a module based on one or more billing sources.

  Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.

  Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP…).

  Other modules: The other modules are all based on the source type they are assigned to; they allow to select the source, the AUP acceptance and the mandatory fields, if applicable.

Examples

This section will contain the following examples:

  - Prompting for fields without authentication
  - Prompting additional fields during the authentication
  - Chained authentication
  - Mixing login and Secure SSID on-boarding on the portal
  - Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click "Add Portal Module" and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under "Root Portal Module", assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catch-all rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click "Add Portal Module" and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want, and uncheck "Require AUP" so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will then assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now, when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook…).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+…) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the "Require AUP" option, since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using an OAuth source and then using SMS-based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck "Skipable" so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you will have the choice between logging in to the LDAP source to gain access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

    Hello World. <a href="http://www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now, when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source/.

Sources by class: Allows you to specify the perl class name of the sources you want available.

  ex: pf::Authentication::Source::SMSSource will select all the SMS sources; pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe…).

Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log             PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access         Apache - Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error          Apache - Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access          Apache - Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error           Apache - Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access    Apache - Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error     Apache - Webservices Error Log
    /usr/local/pf/logs/httpd.aaa.access            Apache - AAA Access Log
    /usr/local/pf/logs/httpd.aaa.error             Apache - AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

For the authentication radius process:

    radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

    radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security; please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware

On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes and the switch will place the port in the provided access VLAN.

Non-Cisco hardware

On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port and that you auto-register your IP Phones (on the first connect, the phone will be assigned on the registration VLAN).


Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface, under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

    [trapping]
    passthrough=enabled
    passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launch the application and click "configure": this will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for his personal information as well as his credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

  - Billing source(s)
  - Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into accounts and expand the business account, then click Profile.

Now click the "Change password" link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select Website Payment Preferences.


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token, as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select Encrypted Payment Settings.

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

  - Identity token is the one you noted when on the Website Payment Preferences page
  - Cert ID is the one you noted when on the Encrypted Payment Settings page
  - Payment type is whether the access is donation based (not mandatory to pay for it)
  - Email address is the email address of the merchant paypal account
  - Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
  - Key file is the path to the PacketFence private key (/usr/local/pf/conf/ssl/server.key by default)
  - Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
  - Currency is the currency that will be used in the transactions
  - Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click "Your account" then "Account settings".

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

  - Secret key is the secret key you got from your Stripe account
  - Publishable key is the publishable key you got from your Stripe account
  - Style is whether you are doing a one-time charge or subscription based billing (recurring). See section "Subscription based registration" below for details on how to configure it.
  - Currency is the currency that will be used in the transactions
  - Test mode should be activated if you are using the test key and secret of the account

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account, or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.

Where:

  - API login ID is the one you got earlier while creating your account
  - Transaction key is the one you got earlier while creating your account
  - MD5 hash is the one you configured in your Authorize.net account
  - Currency is the currency that will be used in the transactions
  - Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click "Add billing tier" and configure it.

Where:

  - Billing tier is the unique identifier of the billing tier
  - Name is the friendly name of the billing tier
  - Description is an extended description of the billing tier
  - Price is the amount that will be charged to the user
  - Access duration is the amount of time the user will be granted access to your network
  - Role is the target role the user should be in
  - Use time balance defines if the access duration should be computed on real-time access duration, meaning if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

    [simple]
    name=Simple network access
    description=Click here if you are poor
    price=3.99
    role=guest
    access_duration=10Y
    use_time_balance=disabled

    [advanced]
    name=Simple network access
    description=Click here if you are poor
    price=9.99
    role=advanced_guest
    access_duration=10Y
    use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.


Where:

  - ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
  - Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
  - Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
  - Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.

Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click "Add endpoint".

Where:

  - URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
  - Mode is whether this webhook is for testing mode or live mode

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
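The webhook endpoint above is reachable from the whole Internet on plain HTTP, and a delivery to it results in a device being unregistered, so the receiving side should authenticate each delivery before acting on it. The following added example (not PacketFence's own /hook/billing/stripe handler, which the guide does not show) verifies the Stripe-Signature header that Stripe sends with every delivery: a timestamp (t=) and an HMAC-SHA256 (v1=) computed with the endpoint's signing secret over "<timestamp>.<raw body>". The signing secret, the event body and the tier name used here are constructed for the example; the real secret is shown in the webhook's settings in the Stripe dashboard.

```python
"""Authenticating Stripe webhook deliveries before acting on them.

Added example; not PacketFence code. The signing secret, sample event and
tier name are constructed for illustration.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing secret; the real one comes from the Stripe webhook settings.
ENDPOINT_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # reject replayed deliveries older than five minutes


def sign(body: bytes, timestamp: int, secret: str = ENDPOINT_SECRET) -> str:
    """Produce a Stripe-Signature header value (used here to build a test delivery)."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(body: bytes, header: str, secret: str = ENDPOINT_SECRET,
           now: Optional[int] = None) -> bool:
    """Return True only if the header carries a fresh, valid v1 signature."""
    now = int(time.time()) if now is None else now
    timestamp = None
    signatures = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + body,
                        hashlib.sha256).hexdigest()
    # Constant-time comparison against every v1 value (several exist during a secret rollover)
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


def handle_delivery(body: bytes, header: str, now: Optional[int] = None) -> str:
    """Decide what the hook should do; returns an action string for the caller."""
    if not verify(body, header, now=now):
        return "rejected: invalid or stale signature"
    event = json.loads(body)
    if event.get("type") != "customer.subscription.deleted":
        return "ignored: " + str(event.get("type"))
    # In this constructed payload the plan id is the PacketFence billing tier id,
    # following the guide's requirement that the Stripe plan ID equals the tier ID.
    tier = event["data"]["object"]["plan"]["id"]
    customer = event["data"]["object"]["customer"]
    return f"unregister devices of customer {customer} on tier {tier}"


# Constructed sample delivery
SAMPLE_BODY = json.dumps({
    "id": "evt_constructed_1",
    "type": "customer.subscription.deleted",
    "data": {"object": {"customer": "cus_constructed_1", "plan": {"id": "simple"}}},
}).encode()


if __name__ == "__main__":
    now = int(time.time())
    print(handle_delivery(SAMPLE_BODY, sign(SAMPLE_BODY, now), now))
    print(handle_delivery(SAMPLE_BODY + b" ", sign(SAMPLE_BODY, now), now))
```

The signature check covers authenticity and integrity of the delivery; it does not hide the payload in transit, so serving the hook over HTTPS rather than the plain http:// URL above is still worthwhile where the portal certificate allows it.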

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address that will then be matched against a predefined list of authorized MAC OUI. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

    [registration]
    device_registration = enabled
    device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

    -- eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


    client tlrs1.eduroam.us {
            secret = useStrongerSecret
            shortname = tlrs1
    }

    client tlrs2.eduroam.us {
            secret = useStrongerSecret
            shortname = tlrs2
    }

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied).

proxy.conf example:

    home_server tlrs1.eduroam.us {
            type = auth
            ipaddr = 257.128.1.1
            port = 1812
            secret = useStrongerSecret
            require_message_authenticator = yes
    }

Define a pool of servers to group your eduroam home servers together.

proxy.conf example:

    home_server_pool eduroam {
            type = fail-over
            home_server = tlrs1.eduroam.us
            home_server = tlrs2.eduroam.us
    }

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix or ntdomain modules try to find a domain, either with an ntdomain or a suffix username.

  - If none is found, the REALM is NULL.
  - If a domain is found, FreeRADIUS tries to match one of the REALMS defined in this file.
  - If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.
  - If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

    # This realm is for requests which don't have an explicit realm prefix or suffix.
    # User names like "bob" will match this one.
    # No authentication server is defined, thus the authentication is done locally.
    realm NULL {
    }

    # This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
    # No authentication server is defined, thus the authentication is done locally.
    realm EXAMPLE {
    }

    # This realm is for suffix users who use the domain like this: username@example.edu
    # No authentication server is defined, thus the authentication is done locally.
    realm example.edu {
    }

    # This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
    # The auth_pool is set to the eduroam pool and so the requests will be proxied.
    realm DEFAULT {
        auth_pool = eduroam
        nostrip
    }

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


    authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name (Called-Station-Id) may differ based on your controller.
        #if ( Called-Station-Id !~ /eduroam$/i ) {
        #    update control {
        #        Proxy-To-Realm := "local"
        #    }
        #}

        eap {
            ok = return
        }
        files
        expiration
        logintime
        packetfence
    }

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

    post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
            packetfence
        }

        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


    # 'username@realm'
    realm suffix {
        format = suffix
        delimiter = "@"
    }

    # 'domain\user'
    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
    }
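To see how the pieces above fit together, here is a small simulation of the realm selection and of the two unlang rules, written for this guide as an added illustration (it is not PacketFence or FreeRADIUS code). It assumes the realms and client shortnames exactly as in the examples above, case-insensitive realm matching, and ntdomain running before suffix; route_request and run_packetfence_module are hypothetical names.

```python
# Realms from the proxy.conf example above: no auth_pool means the realm
# authenticates locally; DEFAULT proxies to the eduroam pool and, because of
# nostrip, forwards the User-Name unchanged.
REALMS = {
    "NULL": {"auth_pool": None, "nostrip": False},
    "EXAMPLE": {"auth_pool": None, "nostrip": False},
    "example.edu": {"auth_pool": None, "nostrip": False},
    "DEFAULT": {"auth_pool": "eduroam", "nostrip": True},
}

# shortnames from the clients.conf example, as used by the post-auth rule
EDUROAM_CLIENTS = {"tlrs1", "tlrs2"}


def split_username(user_name):
    """Mimic the ntdomain module followed by the suffix module (the order matters).

    ntdomain: 'DOMAIN\\user' -> ('DOMAIN', 'user'); with ignore_null = yes it
    claims nothing when there is no backslash, so the suffix module runs next.
    suffix: 'user@realm' -> ('realm', 'user'); no '@' at all -> (None, user_name).
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        return domain, user
    return None, user_name


def match_realm(domain):
    """Realm FreeRADIUS would select (assumed case-insensitive name comparison)."""
    if domain is None:
        return "NULL"
    for name in REALMS:
        if name != "DEFAULT" and name.lower() == domain.lower():
            return name
    return "DEFAULT"


def route_request(user_name, called_station_id=None, block_foreign_ssids=False):
    """Decide what happens to an Access-Request carrying this User-Name.

    block_foreign_ssids models the commented-out authorize rule: when the
    Called-Station-Id does not end in 'eduroam', Proxy-To-Realm is forced to
    local, so eduroam visitors cannot use the institution's other SSIDs.
    """
    domain, user = split_username(user_name)
    realm = match_realm(domain)
    cfg = REALMS[realm]
    proxied = cfg["auth_pool"] is not None
    if (proxied and block_foreign_ssids and called_station_id is not None
            and not called_station_id.lower().endswith("eduroam")):
        proxied = False  # Proxy-To-Realm := local
    return {
        "realm": realm,
        "proxied": proxied,
        "pool": cfg["auth_pool"] if proxied else None,
        # local realms strip the domain (Stripped-User-Name); nostrip keeps it whole
        "user_name": user_name if cfg["nostrip"] else user,
    }


def run_packetfence_module(client_shortname):
    """The packetfence-tunnel post-auth rule: skip the packetfence module for
    requests that arrived from the eduroam servers themselves."""
    return client_shortname not in EDUROAM_CLIENTS


if __name__ == "__main__":
    for name in ("bob", "EXAMPLE\\bob", "bob@example.edu", "alice@otheruni.ac.uk"):
        print(name, "->", route_request(name))
```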

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside of PacketFence, now integrates with it to power-up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprints database updates, sharing unknown data so that more complex algorithms can process that new data to integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the Internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT being modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or a requirement for a more complex algorithm due to the dataset. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream or both entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter that allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like before it was plugged.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI in Configuration → Network → Floating devices

Here are the settings that are available:

- MAC Address: MAC address of the floating device
- IP Address: IP address of the floating device (not required, for information only)
- trunkPort: Yes/no. Should the port be configured as a multi-vlan port?
- pvid: VLAN in which PacketFence should put the port
- taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication

Note: OAuth2 authentication does not work with Webauth enforcement.

The captive portal of PacketFence allows a guest/user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or Github account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client id and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps


Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IPs were distributed to what node using a pfdhcplistener daemon.

By default, no DHCP Server should be running on that interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

    DEVICE=eth2
    ONBOOT=yes
    BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

    [interface eth2]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=192.168.1.5
    ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

    # Engineering VLAN
    DEVICE=eth0.1010
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=10.0.101.4
    NETMASK=255.255.255.0
    VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

    [interface eth0.1010]
    mask=255.255.255.0
    type=dhcp-listener
    gateway=10.0.101.1
    ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the


registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

    [interface eth0.2]
    enforcement=vlan
    ip=192.168.2.1
    type=internal
    mask=255.255.255.0


    [interface eth0.3]
    enforcement=vlan
    ip=192.168.3.1
    type=internal
    mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled


    [192.168.20.0]
    netmask=255.255.255.0
    gateway=192.168.20.254
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.20.10
    dhcp_end=192.168.20.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.30.0]
    netmask=255.255.255.0
    gateway=192.168.30.254
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.30.10
    dhcp_end=192.168.30.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

    ip access-list extended PF_REGISTRATION
     permit ip any host 192.168.2.1
     permit udp any any eq 67
     deny ip any any log
    interface vlan 20
     ip address 192.168.20.254 255.255.255.0
     ip helper-address 192.168.2.1
     ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
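As an added consistency check (not part of PacketFence), the following script cross-references the pf.conf interfaces and networks.conf entries above and flags the mistakes that silently break routed registration: a dns that is not a PacketFence internal interface, a next_hop that is not on the local network the remote clients reach through the helper-address, a DHCP range outside its subnet, or a local network whose gateway is not a PacketFence interface. The constructed sample repeats the guide's entries, reduced to the keys checked, with a deliberate dns fault on the 192.168.30.0 network; check_networks and internal_interfaces are hypothetical names.

```python
import configparser
import ipaddress

# Constructed copies of the pf.conf interface sections and networks.conf entries
# from the routed-network example above, reduced to the keys the checks need.
# The 192.168.30.0 entry carries a deliberate fault: dns points at 8.8.8.8.
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
dns=8.8.8.8
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
type=vlan-isolation
"""


def _read(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf_text):
    """Map each internal interface IP to its directly attached network."""
    nets = {}
    cp = _read(pf_conf_text)
    for section in cp.sections():
        s = cp[section]
        if section.startswith("interface ") and s.get("type") == "internal":
            ip = ipaddress.ip_address(s["ip"])
            nets[ip] = ipaddress.ip_network(f"{ip}/{s['mask']}", strict=False)
    return nets


def check_networks(pf_conf_text, networks_conf_text):
    """Return (network, problem) findings; an empty list means the files agree."""
    internal = internal_interfaces(pf_conf_text)
    cp = _read(networks_conf_text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=False)
        gw = ipaddress.ip_address(s["gateway"])
        start = ipaddress.ip_address(s["dhcp_start"])
        end = ipaddress.ip_address(s["dhcp_end"])
        dns = ipaddress.ip_address(s["dns"])
        next_hop = s.get("next_hop", "").strip()
        if gw not in net:
            findings.append((name, f"gateway {gw} is outside {net}"))
        if not (start in net and end in net and start <= end):
            findings.append((name, f"DHCP range {start}-{end} is not inside {net}"))
        # pfdns can only steer clients to the portal if they ask PacketFence itself
        if dns not in internal:
            findings.append((name, f"dns {dns} is not a PacketFence internal interface"))
        if next_hop:
            # routed network: the remote router's next_hop must sit on the local
            # internal network the clients reach for DHCP/DNS (via helper-address)
            hop = ipaddress.ip_address(next_hop)
            local_net = internal.get(dns)
            if local_net is None or hop not in local_net:
                findings.append((name, f"next_hop {hop} is not on the local network of dns {dns}"))
        elif gw not in internal:
            # locally attached network: its gateway is the PacketFence interface itself
            findings.append((name, f"gateway {gw} is not a PacketFence internal interface"))
    return findings
```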


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

    soh = yes
    soh-virtual-server = soh-server

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

    sc config napagent start= auto
    sc start napagent

    # Wired 802.1X
    sc config dot3svc start= auto depend= napagent
    sc start dot3svc

    netsh nap client show config

    # get the ID value for the EAP Quarantine Enforcement Client
    netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI, or by editing the conf/violations.conf file:

    [4000001]
    desc=No anti-virus enabled
    url=/remediation.php
    template=noantivirus
    actions=reevaluate_access,email,log
    enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list, and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is, and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

    [category]
    filter = node_info.category
    operator = is
    value = default

    [ssid]
    filter = ssid
    operator = is
    value = SECURE

    [time]
    filter = time
    operator = is
    value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

    [1:category&ssid&time]
    scope = RegisteredRole
    role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

    [igmout]
    filter = owner.pid
    operator = is
    value = igmout

    [open]
    filter = ssid
    operator = is
    value = OPEN


    [2:igmout&open]
    scope = RegisteredRole
    action = trigger_violation
    action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will autoregister the device and assign the role staff to each device where the username is igmout:

    [igmout]
    filter = username
    operator = is
    value = igmout

    [secure]
    filter = ssid
    operator = is
    value = SECURE

    [3:igmout&secure]
    scope = AutoRegister
    role = staff

    [4:igmout&secure]
    scope = NodeInfoForAutoReg
    role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

    [violation]
    filter = violation
    operator = defined

    [etherneteap]
    filter = connection_type
    operator = is
    value = Ethernet-EAP

    [1:etherneteap&!violation]
    merge_answer = no
    scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

    [1:etherneteap&!violation]
    merge_answer = yes
    scope = returnRadiusAccessAccept
    answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep:$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
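The following added example (not PacketFence code) is a mini evaluator for both the vlan_filters.conf rules in the previous section and the radius_filters.conf answer rule above: it parses the INI-style sections, evaluates the is and defined operators and the wd/hr time filter, combines named conditions with &, | and !, and expands $user_role and $switch._portalURL placeholders in the answer. The constructed file copies the guide's first VLAN rule and the Cisco-AVPair rule; first-match-wins ordering, the 24-hour reading of hr {11am-2pm} as 11:00 to 13:59, and the function names are assumptions.

```python
import configparser
import re
from datetime import datetime

# Constructed filter file: the guide's first vlan_filters.conf rule plus its
# radius_filters.conf rule that adds a Cisco-AVPair to the Access-Accept.
FILTERS_CONF = r"""
[category]
filter = node_info.category
operator = is
value = default
[ssid]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&ssid&time]
scope = RegisteredRole
role = nointernet
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[2:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role,url-redirect=$switch._portalURL/cep:$session_id
"""
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def _hour(tok):
    # '11am' / '2pm' -> 24-hour value; 12-hour notation as used in the guide
    num, ampm = re.fullmatch(r"(\d{1,2})(am|pm)", tok.strip().lower()).groups()
    return int(num) % 12 + (12 if ampm == "pm" else 0)

def time_matches(spec, now):
    # 'wd {...} hr {start-end}': weekday in the set and start <= hour < end (assumed)
    for key, body in re.findall(r"(wd|hr)\s*\{([^}]*)\}", spec):
        if key == "wd" and DAYS[now.weekday()] not in body.split():
            return False
        if key == "hr":
            start, end = (_hour(t) for t in body.split("-"))
            if not start <= now.hour < end:
                return False
    return True

def lookup(ctx, path):
    # dotted lookup such as 'node_info.category' or 'switch._portalURL'; None if absent
    cur = ctx
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def substitute(template, ctx):
    # expand $name and $a.b placeholders from the request context
    return re.sub(r"\$([A-Za-z_][\w.]*)", lambda m: str(lookup(ctx, m.group(1))), template)

def condition_holds(conf, name, ctx, now):
    sec, op = conf[name], conf[name]["operator"]
    if sec["filter"] == "time":
        return time_matches(sec["value"], now)
    actual = lookup(ctx, sec["filter"])
    if op not in ("is", "defined"):
        raise ValueError(f"unsupported operator in [{name}]")
    return actual is not None and (op == "defined" or str(actual) == sec["value"])

def expression_holds(expr, conf, ctx, now):
    # 'a&!b|c': '&' binds tighter than '|', '!' negates one named condition
    return any(all(condition_holds(conf, t.lstrip("!"), ctx, now) != t.startswith("!")
                   for t in alt.split("&"))
               for alt in expr.split("|"))

def apply_filters(conf_text, scope, ctx, now=None):
    """First matching rule for the scope (assumed first-match-wins), or None."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    now = now or datetime.now()
    for name in conf.sections():
        sec = conf[name]
        if ":" not in name or sec.get("scope") != scope:
            continue
        if not expression_holds(name.split(":", 1)[1], conf, ctx, now):
            continue
        out = {k: sec[k] for k in ("role", "merge_answer") if k in sec}
        # 'answerN = Attribute => value' lines become RADIUS reply attributes
        out["answer"] = {attr.strip(): substitute(val.strip(), ctx)
                         for key, line in sec.items() if key.startswith("answer")
                         for attr, val in [line.split("=>", 1)]}
        return out
    return None
```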


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (Core switch, Firewall, Router…)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise, pfdns will resolve the name externally and use it in the reply

This enforcement mode, used by itself, can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and will be able to leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So, in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions.
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting.
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.

Chapter 13

Copyright © 2016 Inverse inc. Optional components 92

Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page, which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for Snort. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss / libnspr support. Make sure to use JSON output. More information on how to achieve this can be found here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, the configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, the Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering into the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

The other requirement is a working Suricata installation built with libnss / libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here is what to do next.

On the Suricata server (syslog-ng is preferred due to its easier and more powerful configuration; if it is not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 "filestore" log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 "filestore" log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

The configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

The configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: The scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor alerts. syslog is used to forward the sensor alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note: This must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the Security Onion IDS integration.

The configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

The configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: The IDS triggered rule ID

Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert
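Both rsyslog rules in this chapter (the Suricata one and the Security Onion one) select messages by $programname, which is the tag that syslog-ng's program_override() writes into every forwarded datagram. The following Python is an added example, not part of this guide nor of PacketFence's code: it parses RFC 3164 datagrams as they would arrive on UDP 514, extracts the program name the way rsyslog does (the [pid] suffix is dropped), applies the two routing rules from this chapter and the Security Onion "Alert Received" filter, and reports which alert pipe a line would end up in. The sample lines are constructed and do not reproduce real sensor output.

```python
import re

# Minimal RFC 3164 datagram: <PRI>TIMESTAMP HOST TAG[PID]: MSG
# (what syslog-ng's udp() destination emits; program_override() sets TAG).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.S,
)

# The two rsyslog rules from this chapter, keyed by $programname.
RSYSLOG_RULES = {
    "suricata_files": "/usr/local/pf/var/suricata_files",
    "securityonion_ids": "/usr/local/pf/var/securityonion_ids",
}


def parse_syslog(line):
    """Split one datagram into its fields; facility and severity come from PRI."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line[:40])
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "programname": m.group("tag"),  # rsyslog's $programname excludes the [pid]
        "msg": m.group("msg"),
    }


def passes_sguil_filter(msg):
    """syslog-ng filter f_sguil { match("Alert Received"); }: only alert lines leave Security Onion."""
    return "Alert Received" in msg


def route(line):
    """Alert pipe rsyslog would write the line to, or None when no PacketFence rule
    matches (the '& ~' after each rule keeps matched lines out of the default log files)."""
    fields = parse_syslog(line)
    return RSYSLOG_RULES.get(fields["programname"])


def dispatch(lines):
    """Map each line to its destination pipe (None = not for PacketFence)."""
    return [route(line) for line in lines]


# Constructed sample datagrams (not real sensor output). The md5 is that of an empty file.
SAMPLE_LINES = [
    '<134>Jun 15 12:00:01 sensor1 suricata_files: {"event_type":"file","md5":"d41d8cd98f00b204e9800998ecf8427e"}',
    '<134>Jun 15 12:00:02 so-master securityonion_ids: Alert Received: constructed sguild alert fields',
    '<134>Jun 15 12:00:03 so-master securityonion_ids: sguild startup message, not an alert',
    '<77>Jun 15 12:00:04 so-master cron[1234]: (root) CMD (run-parts /etc/cron.hourly)',
]

if __name__ == "__main__":
    for line, dest in zip(SAMPLE_LINES, dispatch(SAMPLE_LINES)):
        print(dest, "<-", line[:70])
```

The third sample line shows why the f_sguil filter belongs on the Security Onion side: once a line carries the securityonion_ids tag, rsyslog on PacketFence routes it to the alert pipe whether or not it is an alert, so anything that is not an "Alert Received" line should never be forwarded.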

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish: you need to create a violation and add the Snort alert SID in the trigger section of that violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated Peer-to-peer traffic and that are using Mac OS X, or have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition.


Where:

Enabled is whether or not the violation is currently activated (should be ON).

Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.

Description is the user-friendly description of the violation.

Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node.

Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.

Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr values can be separated by commas.

Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.

Log message will log the violation in the log file defined in [alerting].log.

External command will execute a command on the operating system when this violation is raised.

Close a violation will close an existing violation for this device when this one is raised.

Set role will modify the role of the device.


Enforce provisioning will trigger a compliance check on the provisioners defined for the device.

Priority defines the order in which violations should be handled, should there be more than one for a device.

Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated Peer-to-peer traffic and that is using Mac OS X, and a device that has been detected as being a rogue DHCP server.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select "ET P2P", which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it, select "Rogue DHCP detection" and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated.


Where:

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After this amount, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue, or to shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


Delay by is the delay before triggering the violation.

Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the "Reevaluate access" action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports Nessus, OpenVAS and WMI as scanning engines for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you have installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You will also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives the report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generation of violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (Progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: Even if the auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (Must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration -> WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. In order to help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed
logged_user
Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains "Google"; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{'UserName'}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and, if one matches explorer.exe, bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

the request is the SQL request you will launch on the remote device; you must know what the request will return to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like this: [1:!google|(explorer&memory)], which means: if not google or (explorer and memory).
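As an added example, not from this guide nor from PacketFence's own code base, the following Python reproduces the rule semantics described above: each test bloc is evaluated against the rows returned by the WMI request (true when any row satisfies it), and each action bloc carries a logic expression over test bloc names using !, & and | with parentheses, in that precedence order. The process rows, the three test blocs and the two action blocs are constructed for illustration, and the match / match_not operators are assumed here to be regular-expression searches.

```python
import re

# The four operators a test bloc may use. "match"/"match_not" are taken to be
# regular-expression searches (assumption; PacketFence's own matching is Perl-side).
OPERATORS = {
    "is":        lambda actual, expected: actual == expected,
    "is_not":    lambda actual, expected: actual != expected,
    "match":     lambda actual, expected: re.search(expected, actual) is not None,
    "match_not": lambda actual, expected: re.search(expected, actual) is None,
}


def run_test_bloc(rows, attribute, operator, value):
    """A test bloc is true when at least one row of the request result satisfies it."""
    if operator not in OPERATORS:
        raise ValueError("unknown operator: %s" % operator)
    return any(OPERATORS[operator](str(row.get(attribute, "")), value) for row in rows)


def evaluate_logic(expr, results):
    """Evaluate an action bloc expression such as '!google|(explorer&memory)'.
    '!' binds tightest, then '&', then '|'; parentheses group. `results` maps
    test bloc names to their boolean outcome."""
    tokens = re.findall(r"[A-Za-z0-9_]+|[!&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unexpected character in expression: %r" % expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: %r" % expr)
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            right = parse_and()   # always parsed, so no short-circuit skips tokens
            value = value or right
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&":
            take()
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        if tok not in results:
            raise ValueError("unknown test bloc: %s" % tok)
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return value


def evaluate_rule(rows, test_blocs, action_blocs):
    """rows: result of the rule's WMI request; test_blocs: {name: (attribute, operator, value)};
    action_blocs: [(logic, action)]. Returns the actions whose logic holds, in order."""
    results = {name: run_test_bloc(rows, *spec) for name, spec in test_blocs.items()}
    return [action for logic, action in action_blocs if evaluate_logic(logic, results)]


# Constructed result of "select Name from Win32_Process" on one device.
SAMPLE_PROCESSES = [{"Name": "explorer.exe"}, {"Name": "svchost.exe"}, {"Name": "chrome.exe"}]

# Constructed test blocs (names reused from the explanation above) and action blocs.
TEST_BLOCS = {
    "google":   ("Name", "match", r"chrome\.exe"),
    "explorer": ("Name", "match", r"explorer\.exe"),
    "memory":   ("Name", "match", r"memory_tool\.exe"),
}
ACTION_BLOCS = [
    ("google&explorer",           "trigger_violation"),   # like [1:google&explorer]
    ("!google|(explorer&memory)", "allow"),               # like [1:!google|(explorer&memory)]
]

if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_PROCESSES, TEST_BLOCS, ACTION_BLOCS))
```

With the sample rows, google and explorer are true and memory is false, so the first action bloc fires and the second does not; any unknown test bloc name or unbalanced parenthesis in a logic expression is reported instead of silently evaluating to false.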

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate with the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence will not be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION]::[LIMIT]::[INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN::50GB::1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT::500MB::1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:


Accounting::TOT::200GB::1W

Grace period

When using such a violation feature, setting the grace period is really important. You do not want to set it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.
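The accounting trigger grammar above, as an added Python example (not PacketFence's own code, which evaluates these triggers against its RADIUS accounting tables): it parses Accounting::DIRECTION::LIMIT[::INTERVAL] triggers and checks a node's accounting records against them. The size units are taken as binary multiples and the interval units as fixed day counts (30 for a month, 365 for a year); both are assumptions made for this example, as are the accounting records, which are constructed.

```python
import re
from datetime import datetime, timedelta

# Size units of the LIMIT field (binary multiples assumed; only the units listed in this section).
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# INTERVAL units, approximated as fixed day counts (assumption made for this example).
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)::(\d+)(B|KB|MB|GB|PB)(?:::(\d+)(D|W|M|Y))?$")


def parse_accounting_trigger(trigger):
    """Split 'Accounting::DIRECTION::LIMIT[::INTERVAL]' into its parts. The window is
    None when no INTERVAL is given: the limit then applies to all accounting ever seen."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("invalid accounting trigger: %r" % trigger)
    direction, amount, unit, count, iunit = m.groups()
    window = timedelta(days=int(count) * INTERVAL_DAYS[iunit]) if count else None
    return {"direction": direction, "limit_bytes": int(amount) * UNITS[unit], "window": window}


def bytes_in_window(records, direction, window, now):
    """Sum the bytes of the chosen direction over the records that fall inside the window."""
    total = 0
    for stamp, bytes_in, bytes_out in records:
        if window is not None and stamp < now - window:
            continue
        total += {"IN": bytes_in, "OUT": bytes_out, "TOT": bytes_in + bytes_out}[direction]
    return total


def is_violated(trigger, records, now):
    """True when the node's accounting exceeds the trigger's limit within its window."""
    spec = parse_accounting_trigger(trigger)
    used = bytes_in_window(records, spec["direction"], spec["window"], now)
    return used > spec["limit_bytes"]


GIB, MIB = 1024 ** 3, 1024 ** 2
# Constructed accounting records for one node: (session stop time, bytes in, bytes out).
SAMPLE_RECORDS = [
    (datetime(2016, 6, 15, 9, 0), 600 * MIB, 100 * MIB),
    (datetime(2016, 6, 14, 10, 0), 30 * GIB, 1 * GIB),
    (datetime(2016, 6, 10, 8, 0), 25 * GIB, 2 * GIB),
    (datetime(2016, 5, 1, 9, 0), 40 * GIB, 5 * GIB),
]
NOW = datetime(2016, 6, 15, 12, 0)


def check_examples():
    """Evaluate the three triggers from this section against the sample records."""
    triggers = ("Accounting::IN::50GB::1M", "Accounting::OUT::500MB::1D", "Accounting::TOT::200GB::1W")
    return {t: is_violated(t, SAMPLE_RECORDS, NOW) for t in triggers}


if __name__ == "__main__":
    for trigger, hit in check_examples().items():
        print(trigger, "->", "violation" if hit else "ok")
```

With the sample records, only the 50GB/month download trigger fires (55 GiB downloaded in the last 30 days); the 500MB/day upload trigger sees just the 100 MiB session of the current day, and the 200GB/week total is not reached. Leaving the interval out makes the limit lifetime, which is why the grace period advice above matters: without a window the counter never resets.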

Oinkmaster

Oinkmaster is a perl script that makes it possible to update the different snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

1. Untar the freshly downloaded Oinkmaster

2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) into /usr/local/pf/conf

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles, which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable the guest's access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3…) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the "Sign up" link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice however that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).
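The duration grammar above, as an added Python example (not PacketFence's own code): it validates duration strings such as the access_duration_choices entries and computes the expiry of an access from a reference date. The relative (R) base is interpreted from the sentence "A relative period is computed from the beginning of the period unit": the reference date is first moved back to the start of its DATETIME_UNIT period (Monday for weeks) before the durations are applied, while the fixed (F) base counts from the reference date itself. Month and year arithmetic clamps the day to the length of the target month; both that and the relative-base interpretation are assumptions of this example.

```python
import re
import calendar
from datetime import datetime, timedelta

# <DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]
DURATION_RE = re.compile(r"^(\d+)([smhDWMY])(?:([FR])([+-])(\d+)([DWMY]))?$")


def is_valid_duration(spec):
    return DURATION_RE.match(spec) is not None


def invalid_choices(csv):
    """Entries of an access_duration_choices list that do not follow the grammar."""
    return [c.strip() for c in csv.split(",") if not is_valid_duration(c.strip())]


def add_units(base, n, unit):
    """Add n units (n may be negative) to a datetime. Months and years use calendar
    arithmetic and clamp the day to the target month's length (assumption of this example)."""
    if unit == "s":
        return base + timedelta(seconds=n)
    if unit == "m":
        return base + timedelta(minutes=n)
    if unit == "h":
        return base + timedelta(hours=n)
    if unit == "D":
        return base + timedelta(days=n)
    if unit == "W":
        return base + timedelta(weeks=n)
    months = n * 12 if unit == "Y" else n
    total = base.year * 12 + (base.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(base.day, calendar.monthrange(year, month0 + 1)[1])
    return base.replace(year=year, month=month0 + 1, day=day)


def period_start(ref, unit):
    """Beginning of the period unit that contains ref; weeks start on Monday."""
    if unit == "s":
        return ref.replace(microsecond=0)
    if unit == "m":
        return ref.replace(second=0, microsecond=0)
    if unit == "h":
        return ref.replace(minute=0, second=0, microsecond=0)
    day = ref.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "D":
        return day
    if unit == "W":
        return day - timedelta(days=day.weekday())
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "Y"


def access_expiry(spec, ref):
    """Expiry datetime of an access duration string, counted from ref."""
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError("invalid access duration: %r" % spec)
    count, unit, base, op, ext_count, ext_unit = m.groups()
    # R: count from the start of the current DATETIME_UNIT period; F or no extension: from ref
    start = period_start(ref, unit) if base == "R" else ref
    expiry = add_units(start, int(count), unit)
    if base is not None:
        delta = int(ext_count) if op == "+" else -int(ext_count)
        expiry = add_units(expiry, delta, ext_unit)
    return expiry


def expiry_text(spec, ref_text):
    """Same computation with 'YYYY-MM-DD HH:MM:SS' strings on both sides."""
    ref = datetime.strptime(ref_text, "%Y-%m-%d %H:%M:%S")
    return access_expiry(spec, ref).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for spec in ("12h", "3D", "1WR+1D", "1MF-1D"):
        print(spec, "->", expiry_text(spec, "2016-06-15 10:30:00"))
```

From a Wednesday reference of 2016-06-15 10:30:00, "1WR+1D" lands on 2016-06-21 00:00:00 (Monday 06-13 plus one week plus one day), whereas "1WF+1D" would land on 2016-06-23 10:30:00; the end-of-month clamp means "1MF+1D" counted from 2016-01-31 passes through 2016-02-29 to 2016-03-01.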

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password, and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist on the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as smtpserver, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You will also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4726 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin" # Username for the webservices
     $password = "admin" # Password for the webservices
     # Accepts any server certificate: the PacketFence web services certificate is not validated by this script
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC request; ReplacementStrings[0] of event 4726 is the deleted account name
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes,0,$bytes.Length)
     $stream.close()

     $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select in the list "Run a new instance in parallel" in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You will also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4725 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin" # Username for the webservices
     $password = "admin" # Password for the webservices
     # Accepts any server certificate: the PacketFence web services certificate is not validated by this script
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC request; ReplacementStrings[0] of event 4725 is the disabled account name
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes,0,$bytes.Length)
     $stream.close()

     $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select in the list "Run a new instance in parallel".

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You will also need to change the username and password, as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName.
#
Get-EventLog -LogName Security -InstanceId 4740 |
   Select ReplacementStrings,"Account name" |
   % {
     $url = "https://IP_PACKETFENCE:9090/"
     $username = "admin" # Username for the webservices
     $password = "admin" # Password for the webservices
     # Accepts any server certificate: the PacketFence web services certificate is not validated by this script
     [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
     # JSON-RPC request; ReplacementStrings[0] of event 4740 is the locked account name
     $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

     $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
     $web = [System.Net.WebRequest]::Create($url)
     $web.Method = "POST"
     $web.ContentLength = $bytes.Length
     $web.ContentType = "application/json-rpc"
     $web.Credentials = new-object System.Net.NetworkCredential($username, $password)
     $stream = $web.GetRequestStream()
     $stream.Write($bytes,0,$bytes.Length)
     $stream.close()

     $reader = New-Object System.IO.Streamreader -ArgumentList $web.GetResponse().GetResponseStream()
     $reader.ReadToEnd()
     $reader.Close()
   }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin on the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_locked_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel

Validate with Ok and give the account that will run this task (usually DOMAIN\Administrator). The script only needs to read the Security log and make an HTTPS request, so a dedicated account that is a member of the Event Log Readers group is sufficient and avoids running a scheduled task with domain administrator rights.

DHCP remote sensor

The DHCP remote sensor consists of a lightweight binary that is installed on your production DHCP server in order to replicate the DHCP traffic 1 to 1 to the PacketFence server. This solution is more reliable than DHCP relaying, since PacketFence receives a copy of all your DHCP traffic and not only the broadcasted DHCP traffic. Supported DHCP servers are Microsoft DHCP server and CentOS 6 and 7.

These sensors work by capturing the packets at the lowest level possible on your DHCP server and forwarding them to the PacketFence management interface. The reflected packets are plain UDP sent to the management interface, so restrict that port on the PacketFence host to the DHCP server's address (PacketFence's firewall rules live in conf/iptables.conf).

Microsoft DHCP sensor

You will first need to download and install WinPcap, available from http://www.winpcap.org/install/

You will also need to download and install Microsoft Visual C++ 2010 Redistributable, available from http://www.microsoft.com/download/details.aspx?id=5555

Note: You absolutely need to install the 32-bit version of Microsoft Visual C++ 2010 Redistributable, even if you are using a 64-bit operating system.

Then get the remote sensor from Inverse's download website: http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.exe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from https://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:67 -b 25000

Where pcap0 is the interface where your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.


Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected on your PacketFence server.

Linux based sensor

First, download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

The package is fetched over plain HTTP; check its signature (rpm -K udp-reflector-*.rpm) or compare its checksum with one obtained from Inverse before installing it.

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor:


mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &

where pcap0 is the pcap interface your DHCP server listens on (list them using udp_reflector -l), and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:67 -b 25000 &

The DHCP traffic should now be reflected on your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From PacketFence's web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action Switches CLI - Read or Switches CLI - Write, and assign this role to an internal user or in an Administration rule in an internal source.


Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. However, if you need to add custom rules, you can modify conf/iptables.conf to your own needs. The default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation, keeping old logs with compression. It has been added during PacketFence initial installation.


Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Because traps coming in from approved (configured) devices are all processed by the daemon, someone who wants to generate a certain load on the PacketFence server can force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These settings are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence Web administrative GUI in the Configuration → SNMP section.
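The following is an added example, not PacketFence code: a per-switch-port sliding-window counter with the semantics the trap limit describes (trip once trap_limit_threshold traps from one switch port fall inside one minute), run over constructed log lines. The line format, the regex and the make_lines helper are assumptions for this example; pfsetvlan's real log format and its shut-port/email actions are not reproduced.

```python
"""Per-port SNMP trap rate limiter (added example, not PacketFence code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format for this example: "<timestamp> switch=<ip> ifIndex=<n> <trap>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) switch=(?P<switch>\S+) ifIndex=(?P<ifindex>\d+)"
)


class TrapLimiter:
    """Counts traps per (switch, ifIndex) inside a sliding window."""

    def __init__(self, threshold=100, window=timedelta(minutes=1)):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)  # (switch, ifIndex) -> recent timestamps
        self.tripped = []                # ports that reached the limit, in order

    def observe(self, switch, ifindex, ts):
        key = (switch, ifindex)
        q = self._seen[key]
        q.append(ts)
        while ts - q[0] > self.window:   # forget traps older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.tripped:
            self.tripped.append(key)     # here PacketFence would shut the port / send mail
            return True
        return False


def process_log(lines, threshold=100):
    """Feed log lines to the limiter; unparsable lines are ignored, not counted."""
    limiter = TrapLimiter(threshold)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        limiter.observe(m["switch"], int(m["ifindex"]), ts)
    return limiter.tripped


def make_lines(switch, ifindex, start, count, spacing):
    """Constructed sample traps: `count` traps from one port, `spacing` apart."""
    return [
        f"{(start + i * spacing):%Y-%m-%d %H:%M:%S} switch={switch} ifIndex={ifindex} linkUp"
        for i in range(count)
    ]


if __name__ == "__main__":
    t0 = datetime(2016, 6, 1, 10, 0, 0)
    burst = make_lines("10.0.0.2", 10001, t0, 100, timedelta(milliseconds=500))
    slow = make_lines("10.0.0.2", 10002, t0, 100, timedelta(seconds=2))
    print("tripped:", process_log(burst + slow))   # only ifIndex 10001
```

The slow port sends the same 100 traps but spread over more than three minutes, so at most 31 of them ever share a one-minute window and it never trips; a burst of 100 inside 50 seconds does.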

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79


Check iostat and CPU:

iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IO wait is peaking at 20%; this is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

/etc/init.d/packetfence stop
Shutting down PacketFence...
/etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):


[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
# flushes the log once per second instead of at every commit: faster, but up to
# one second of committed transactions can be lost if the OS crashes
innodb_flush_log_at_trx_commit=2
innodb_file_per_table
# allow more connections
max_connections=700
# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M
# enable slow query log
log_slow_queries = ON

Newer MySQL releases have removed or renamed some of these variables (log_slow_queries became slow_query_log, table_cache became table_open_cache); check your server's variable names before copying the block.

Start up MySQL and PacketFence:

/etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
/etc/init.d/packetfence start
Starting PacketFence...

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/pf/bin/pftest mysql


Keeping tables small

Over time, some of the tables will grow large, and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and doing daily backups.

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error, and after 10 of these (by default) it will lock the host out with:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically flush hosts, or to allow more connection errors (the max_connect_errors variable). See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop...).


Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204. (Android's connectivity check fetches /generate_204 with a Dalvik user agent, which is why that one request is let through while other Dalvik traffic is rejected.)

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure PacketFence is stopped:

service packetfence stop

Create an ext4 filesystem:

mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:


mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
mkdir /usr/local/pf/var/graphite
mount -a
df -h

(This filesystem only holds data, so nodev,nosuid,noexec can be used in place of defaults.)

Apply the proper user rights and restore your database from your backup:

chown pf:pf /usr/local/pf/var/graphite
cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start PacketFence and make sure your stats are still there and being collected properly. Then remove the backup you made:

rm -fr /usr/local/pf/var/graphite.bak


Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions


Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.


GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.


Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:


Usage: pfcmd <command> [options]

Commands:
 cache                       | manage the cache subsystem
 checkup                     | perform a sanity checkup and report any problems
 class                       | view violation classes
 configfiles                 | push or pull configfiles into/from database
 configreload                | reload the configuration
 floatingnetworkdeviceconfig | query/modify floating network devices configuration parameters
 help                        | show help for pfcmd commands
 ifoctetshistorymac          | accounting history
 ifoctetshistoryswitch       | accounting history
 ifoctetshistoryuser         | accounting history
 import                      | bulk import of information into the database
 ipmachistory                | IP/MAC history
 locationhistorymac          | Switch/Port history
 locationhistoryswitch       | Switch/Port history
 networkconfig               | query/modify network configuration parameters
 node                        | manipulate node entries
 pfconfig                    | interact with pfconfig
 portalprofileconfig         | query/modify portal profile configuration parameters
 reload                      | rebuild fingerprint or violations tables without restart
 service                     | start/stop/restart and get PF daemon status
 schedule                    | Nessus scan scheduling
 switchconfig                | query/modify switches.conf configuration parameters
 version                     | output version information
 violationconfig             | query/modify violations.conf configuration parameters

Please view "pfcmd help <command>" for details on each option.

The node view option shows all information contained in the node database table for a specified MAC address:

/usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.


Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
 -deauthenticate       de-authenticate a dot11 client
 -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
 -getAlias             show the description of the specified switch port
 -getAllMACs           show all MACS on all switch ports
 -getHubs              show switch ports with several MACs
 -getIfOperStatus      show the operational status of the specified switch port
 -getIfType            show the ifType on the specified switch port
 -getLocation          show at which switch port the MAC is found
 -getSwitchLocation    show SNMP location of specified switch
 -getMAC               show all MACs on the specified switch port
 -getType              show switch type
 -getUpLinks           show the upLinks of the specified switch
 -getVersion           show switch OS version
 -getVlan              show the VLAN on the specified switch port
 -getVlanType          show the VLAN type on the specified port
 -help                 brief help message
 -isolate              set the switch port to the isolation VLAN
 -man                  full documentation
 -reAssignVlan         re-assign a switch port VLAN
 -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
 -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
 -setAlias             set the description of the specified switch port
 -setDefaultVlan       set the switch port to the default VLAN
 -setIfAdminStatus     set the admin status of the specified switch port
 -setVlan              set VLAN on the specified switch port
 -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
 -alias           switch port description
 -ifAdminStatus   ifAdminStatus
 -ifIndex         switch port ifIndex
 -mac             MAC address
 -showPF          show additional information available in PF
 -switch          switch description
 -verbose         log verbosity level
                    0 : fatal messages
                    1 : warn messages
                    2 : info messages
                    3 : debug
                    4 : trace
 -vlan            VLAN id
 -vlanName        VLAN name (as in switches.conf)

Chapter 3: System Requirements

Red Hat Enterprise Linux 6.x and 7.x Server
Community ENTerprise Operating System (CentOS) 6.x and 7.x
Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work, but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)

Make sure that all the other services are automatically started by your operating system.


Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with a minimal installation and no additional packages. Then:

Disable Firewall (the distribution's firewall service; PacketFence manages iptables itself, see Operating System Best Practices)
Disable SELinux
Disable AppArmor
Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Regarding SELinux or AppArmor: even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file, and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove (stop and teardown are actions of the apparmor init script, i.e. /etc/init.d/apparmor stop and /etc/init.d/apparmor teardown; update-rc.d -f apparmor remove then takes it out of the boot sequence). Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux, but only the x86_64 architecture is supported.


RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat, you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides an RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

easy installation: everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade

Software Installation

RHEL/CentOS

In order to use the PacketFence repository:

yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

This release package is fetched over plain HTTP and defines the repository (and its signing key) that every later package comes from, so verify its signature (rpm -K packetfence-release-*.rpm) before installing it.

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:


yum install perl
yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence

0x810273C4 is a 32-bit key ID, and keys with a colliding short ID can be uploaded to a keyserver by anyone; after the import, compare the full fingerprint shown by apt-key finger with the one published by Inverse before running apt-get update.


Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

Inline
Out-of-band
Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.


Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network and NATs or routes the traffic, using IPTables/IPSet, to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is talking on the inline VLAN. At this point, all the traffic will be passing through PacketFence, since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic will be blocked. The user will have to register through the captive portal, as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.


Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of:

Everyone behind an inline interface is on the same Layer 2 LAN.
Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably. Plan ahead for capacity.
Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access.
Ipset can store up to 65536 entries, so it is not possible to have an inline network class larger than a B.
Access is granted to a registered MAC address on a shared Layer 2 segment, so a host that spoofs the address of a registered device inherits its access; this is true of any MAC-based control and is one more reason to treat inline as a transition mode.

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.


Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment, since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, an authenticator (known as the NAS) and an authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is generally a RADIUS server.

The supplicant (i.e. client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MSCHAPv2 (supported by Windows, Mac OS X, Linux for authentication against AD). With PEAP the only thing protecting the MSCHAPv2 exchange is the TLS tunnel, so supplicants must be configured to validate the RADIUS server certificate; otherwise a rogue access point can collect credential hashes.


In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have 802.1X supplicants, which makes this approach more and more popular.

MAC Authentication is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it: Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the username, and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X-capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X, and MAC authentication is the same as wired MAC Authentication. Where things change is that 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly, and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. User initiates association to the WLAN AP and transmits the MAC address. If the user accesses the network via a device registered in PacketFence, go to 8.

2. The WLAN controller transmits the MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. The PacketFence server conducts an address audit in its database. If it does not recognize the MAC address, go to 4. If it does, go to 8.

4. The PacketFence server directs the WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated role" (a set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration; alternatively, a registration VLAN can be used, in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is the DHCP/DNS server on this VLAN or for this role), which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information and MAC address patterns), on which it can take various actions, including: keep the device on the registration portal, direct it to an alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal, the user registers by providing the information (username/password, cell phone number, etc.). At this time, PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication source, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.), which provides user attributes to PacketFence, which creates a user+device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576, now RFC 5176) on the controller, and the user must be re-authenticated/re-authorized, so we go back to 1.

8. The PacketFence server directs the WLAN controller via RADIUS to put the device in an "authenticated role" or in the normal VLAN.
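To make steps 4, 7 and 8 concrete, here is an added example (not PacketFence or FreeRADIUS code) that builds from scratch the two RADIUS messages involved: an Access-Accept carrying the RFC 2868 tunnel attributes that tell a switch or controller which VLAN to place the port in, and a CoA-Request (RFC 3576 / RFC 5176) keyed on Calling-Station-Id, and then verifies both authenticators the way a NAS or a server would. The shared secret, identifiers, MAC and VLAN numbers are made up; only the attributes needed for this exchange are encoded, and the Message-Authenticator attribute that a production CoA would also carry is left out.

```python
"""RFC 2868 VLAN attributes and RFC 5176 CoA authenticators (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, COA_REQUEST = 2, 43
CALLING_STATION_ID = 31                                      # RFC 2865
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81   # RFC 2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6              # values used by RFC 3580


def avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value (max 253 octets)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-octet integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id, tag=1):
    """The three attributes a NAS needs to assign a VLAN (all carry the same tag)."""
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def authenticator(code, identifier, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    For a response, RequestAuth is the authenticator of the request being answered
    (RFC 2865 s3); for CoA/Disconnect requests it is 16 zero octets (RFC 5176 s2.3)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build(code, identifier, request_auth, attributes, secret):
    auth = authenticator(code, identifier, request_auth, attributes, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def access_accept(request_identifier, request_auth, vlan_id, secret):
    """Step 4 / step 8: answer an Access-Request with a VLAN assignment."""
    return build(ACCESS_ACCEPT, request_identifier, request_auth, vlan_attributes(vlan_id), secret)


def coa_request(identifier, mac, vlan_id, secret):
    """Step 7: ask the NAS to move the session identified by its MAC to a new VLAN."""
    attrs = avp(CALLING_STATION_ID, mac.encode()) + vlan_attributes(vlan_id)
    return build(COA_REQUEST, identifier, bytes(16), attrs, secret)


def parse(data):
    """Return (code, identifier, authenticator, {type: [values]}) or raise on a malformed packet."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute length")
        t, l = data[pos], data[pos + 1]
        attrs.setdefault(t, []).append(data[pos + 2:pos + l])
        pos += l
    return code, identifier, data[4:20], attrs


def verify(data, secret, request_auth=bytes(16)):
    """Recompute the authenticator with the shared secret and compare in constant time."""
    code, identifier, received, _ = parse(data)
    expected = authenticator(code, identifier, request_auth, data[20:], secret)
    return hmac.compare_digest(expected, received)


def assigned_vlan(data):
    """What the NAS reads back: Tunnel-Private-Group-ID with its tag octet stripped."""
    _, _, _, attrs = parse(data)
    group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    if 0x01 <= group[0] <= 0x1F:   # RFC 2868: a leading octet above 0x1F is data, not a tag
        group = group[1:]
    return int(group.decode())


if __name__ == "__main__":
    secret = b"testing123"                    # made-up shared secret
    req_auth = bytes(range(16))               # stands in for the Access-Request authenticator
    acc = access_accept(7, req_auth, 20, secret)
    coa = coa_request(9, "52-54-00-12-35-02", 30, secret)
    print("accept ok:", verify(acc, secret, req_auth), "vlan", assigned_vlan(acc))
    print("coa ok:", verify(coa, secret), "vlan", assigned_vlan(coa))
```

The authenticator is only an MD5 over the shared secret, so whoever can read or inject traffic between the NAS and PacketFence and knows (or guesses) the secret can forge VLAN assignments; this is why RADIUS between switches, controllers and PacketFence belongs on the management network with a strong per-device secret.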

Web Auth mode

Web authentication is a method on the switch that forwards the HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP traps. A fake static MAC address is assigned to all the ports; this way, any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported, but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time), or you change the data VLAN, but the PC doesn't do DHCP (it didn't detect that the link was down), so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps. Note that SNMPv1/v2c traps are authenticated by nothing more than a community string sent in clear, so trap reception should be restricted to the management network and the trap limit described under Performance optimization should stay enabled.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup, and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server), and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodic SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing, registered, any violations) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps: If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps: In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps, you should not enable linkUp/linkDown nor MAC notification traps.


Technical introduction to Hybrid enforcement

Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es) / access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, Trigger to enable inline mode. This parameter works like a trigger, and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and the client with MAC address 00:11:22:33:44:55 even if it connects on another SSID.
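To check what a trigger value does before deploying it, here is a small matcher written for this guide; it is an added example, not PacketFence's own code. It takes the trigger string in the form documented above plus a description of a connection, and reports whether that connection would be handled inline or with VLAN enforcement. The Connection fields and the accepted MAC spellings are assumptions of the example; PacketFence's own parsing may differ in details such as case sensitivity.

```python
"""Evaluate a PacketFence 'Trigger to enable inline mode' value.

Added example for this guide, not PacketFence code. It models the documented
trigger kinds (ALWAYS, PORT::<ifIndex>, MAC::<mac>, SSID::<name>) so a trigger
string can be checked against a connection before it is deployed. The
Connection fields and the accepted MAC spellings are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KINDS = ("ALWAYS", "PORT", "MAC", "SSID")


@dataclass(frozen=True)
class Connection:
    mac: str                        # client MAC address, any common spelling
    ssid: Optional[str] = None      # wireless SSID, None for a wired connection
    ifindex: Optional[int] = None   # switch port ifIndex, None for wireless


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_trigger(value: str) -> List[Tuple[str, Optional[str]]]:
    """Parse 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into (kind, argument) pairs."""
    triggers: List[Tuple[str, Optional[str]]] = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        kind, sep, arg = item.partition("::")
        kind = kind.strip().upper()
        if kind not in KINDS:
            raise ValueError(f"unknown trigger kind in {item!r}")
        if kind == "ALWAYS":
            if sep:
                raise ValueError("ALWAYS takes no argument")
            triggers.append((kind, None))
        elif not sep or not arg.strip():
            raise ValueError(f"{kind} needs an argument in {item!r}")
        elif kind == "MAC":
            triggers.append((kind, normalize_mac(arg.strip())))
        elif kind == "PORT":
            triggers.append((kind, str(int(arg))))     # ifIndex must be an integer
        else:
            triggers.append((kind, arg.strip()))       # SSID is compared verbatim
    return triggers


def inline_enforced(trigger_value: str, conn: Connection) -> bool:
    """True when the connection would be handled inline, False for VLAN enforcement."""
    mac = normalize_mac(conn.mac)
    for kind, arg in parse_trigger(trigger_value):
        if kind == "ALWAYS":
            return True
        if kind == "MAC" and arg == mac:
            return True
        if kind == "SSID" and conn.ssid is not None and arg == conn.ssid:
            return True
        if kind == "PORT" and conn.ifindex is not None and arg == str(conn.ifindex):
            return True
    return False
```

With the guide's trigger, any client on the GuestAccess SSID and the listed MAC on any SSID come out inline, a wired client on ifIndex 10013 matches PORT::10013 only, and an unknown kind such as VLAN::10 is rejected at parse time. Keep in mind that a MAC trigger keys off a client-supplied identifier, so it is only as trustworthy as the 802.1X or MAC authentication that produced it.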


Configuration

At this point in the documentation, PacketFence should be installed. You would also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following sections present key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

Once PacketFence is started, the administration interface is available at: https://<ip_of_packetfence>:1443

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution, in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access.

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint or the user using it.

3. network devices - once your roles and authentication sources are defined, you must add switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are being mapped to VLANs, ACLs or external roles.

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs.

5. test

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from PacketFence's administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.

Roles are dynamically computed by PacketFence based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory

Apache htpasswd file

Email

External HTTP API

Facebook (OAuth2)

Github (OAuth2)

Google (OAuth2)

Kerberos

LDAP

LinkedIn (OAuth2)

Null

RADIUS

SMS

Sponsored Email

Twitter (OAuth2)

Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a first-match-wins operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example: Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now we want to authenticate employees using Active Directory (over LDAP) and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role employee

Set unregistration date January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify guest for the Set role action and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source for machines:

Name: ad2 (the identifier must differ from the employee source above)
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:

Name: machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role machineauth

Set unregistration date January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls and accept everything.

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.
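The following model of that evaluation order is an added example written for this guide, not PacketFence code. It reproduces the rules stated above: sources in order, rules in order within a source, first match wins across all sources, a rule with no conditions is a catch-all, and for directory-backed sources (Active Directory, LDAP, htpasswd) even a catch-all only fires for a username that exists in the source, whereas Kerberos and RADIUS sources accept everyone. The directory contents, the memberOf condition and the it role are constructed for the example; PacketFence's real conditions are attribute/operator/value triples edited in the GUI.

```python
"""Model of how PacketFence evaluates authentication sources and rules.

Added example for this guide, not PacketFence code. It reproduces the
documented algorithm: sources are tried in order, each source's rules in
order, the first rule whose conditions all hold wins across all sources, a
rule with no conditions is a catch-all, and for directory-backed sources
(Active Directory, LDAP, htpasswd) even a catch-all only fires when the
username exists in that source, while Kerberos and RADIUS sources accept
everyone. The directory contents, the memberOf condition and the 'it' role
are constructed; real conditions are attribute/operator/value triples.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, str]


@dataclass
class Rule:
    name: str
    conditions: List[Callable[[Attrs], bool]]  # empty list means catch-all
    actions: Dict[str, str]                    # e.g. {"set_role": "employee"}


@dataclass
class Source:
    name: str
    kind: str                                  # "AD", "LDAP", "htpasswd", "Kerberos", "RADIUS"
    rules: List[Rule]
    lookup: Optional[Callable[[str], Optional[Attrs]]] = None  # directory search by username


TRUE_CATCH_ALL_KINDS = {"Kerberos", "RADIUS"}


def evaluate(sources: List[Source], username: str) -> Optional[Dict[str, str]]:
    """Return the actions of the first matching rule, tagged with source and rule names."""
    for source in sources:
        if source.kind in TRUE_CATCH_ALL_KINDS:
            attr: Optional[Attrs] = {"username": username}   # no lookup: everyone matches
        else:
            attr = source.lookup(username) if source.lookup else None
        if attr is None:
            continue   # user not in this source: none of its rules can match, not even a catch-all
        for rule in source.rules:
            if all(condition(attr) for condition in rule.conditions):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None   # no source accepted the user


# Constructed directory contents mirroring the ad1 (users) and ad2 (machines) sources above.
_AD_USERS: Dict[str, Attrs] = {
    "alice": {"sAMAccountName": "alice", "memberOf": "CN=IT,CN=Users,DC=acme,DC=local"},
    "bob": {"sAMAccountName": "bob", "memberOf": "CN=Sales,CN=Users,DC=acme,DC=local"},
}
_AD_MACHINES: Dict[str, Attrs] = {
    "host/pc42.acme.local": {"servicePrincipalName": "host/pc42.acme.local"},
}


def build_sources() -> List[Source]:
    """The guide's two sources, with one conditional rule placed before the catch-all."""
    ad1 = Source("ad1", "AD", [
        Rule("it_staff", [lambda a: "CN=IT," in a.get("memberOf", "")],
             {"set_role": "it", "set_unregdate": "2020-01-01"}),
        Rule("employees", [], {"set_role": "employee", "set_unregdate": "2020-01-01"}),
    ], lookup=_AD_USERS.get)
    ad2 = Source("ad2", "AD", [
        Rule("machines", [], {"set_role": "machineauth", "set_unregdate": "2020-01-01"}),
    ], lookup=_AD_MACHINES.get)
    return [ad1, ad2]
```

Two consequences worth verifying in your own configuration: reversing the order of the it_staff and employees rules gives alice the employee role, because the catch-all is reached first; and appending a Kerberos source with a catch-all rule makes an unknown username such as mallory succeed with that source's actions, since Kerberos is not consulted for existence.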

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication: This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed

Example JSON response:

{"result":1,"message":"Valid username and password"}


Authorization: This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need:

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration: In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: First the protocol, then the IP address or hostname of the API, and lastly the port to connect to the API. Use https wherever possible: the authentication request carries the user's password in its POST fields, and basic authentication credentials are only base64-encoded.

API username and password: If your API implements HTTP basic authentication (RFC 2617), you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
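Below is an added example of the server side of this contract, written for this guide in Python's standard library; it is not the addons/example_external_auth script shipped with PacketFence. It answers the two actions described above, reads the username and password from the POST fields, requires the HTTP basic authentication PacketFence sends when the API username and password fields are filled in, and returns only the authorization attributes it actually has. The user records, the /auth and /authorize paths and the API credentials are made up; the passwords are stored as PBKDF2 hashes so the API never holds them in cleartext.

```python
"""Minimal external HTTP authentication API for a PacketFence HTTP source.

Added example for this guide, not the addons/example_external_auth script
shipped with PacketFence. It implements the two actions described above:
POST /auth answers {"result": 0|1, "message": ...} and POST /authorize answers
the subset of access_duration, access_level, sponsor, unregdate and category
to apply. The user records, the two paths and the API credentials are made up.
"""
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.parse import parse_qs

_SALT = b"demo-salt"          # use a random per-user salt in a real deployment
_ITERATIONS = 100_000


def _pbkdf2(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user table: password hashes only, plus the authorization attributes to return.
USERS: Dict[str, Dict[str, object]] = {
    "alice": {"hash": _pbkdf2("correct horse"), "category": "employee",
              "access_duration": "7D", "unregdate": "2030-01-01"},
    "guest1": {"hash": _pbkdf2("guestpw"), "category": "guest", "access_duration": "1D"},
}
_UNKNOWN_HASH = _pbkdf2("")    # compared against for unknown users so timing stays uniform

# What PacketFence sends as HTTP basic auth when the API username/password fields are set.
API_USER, API_PASSWORD = "packetfence", "s3cr3t-api-pass"
AUTHZ_FIELDS = ("access_duration", "access_level", "sponsor", "unregdate", "category")


def authenticate(fields: Dict[str, str]) -> Dict[str, object]:
    """Authentication action: is the username/password pair from the POST fields valid?"""
    user = USERS.get(fields.get("username", ""))
    expected = user["hash"] if user else _UNKNOWN_HASH
    valid = hmac.compare_digest(expected, _pbkdf2(fields.get("password", ""))) and user is not None
    return {"result": 1 if valid else 0,
            "message": "Valid username and password" if valid else "Invalid username or password"}


def authorize(fields: Dict[str, str]) -> Dict[str, object]:
    """Authorization action: return only the attributes PacketFence should apply."""
    user = USERS.get(fields.get("username", ""))
    return {k: user[k] for k in AUTHZ_FIELDS if k in user} if user else {}


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header: Optional[str]) -> bool:
    """Check RFC 2617 basic authentication; requests without it are refused."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:          # covers binascii.Error and UnicodeDecodeError
        return False
    return (hmac.compare_digest(user.encode(), API_USER.encode())
            and hmac.compare_digest(password.encode(), API_PASSWORD.encode()))


ROUTES = {"/auth": authenticate, "/authorize": authorize}


class Handler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        if not basic_auth_ok(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="pf-external-auth"')
            self.end_headers()
            return
        action = ROUTES.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        raw = self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode()
        fields = {k: v[0] for k, v in parse_qs(raw).items()}   # PacketFence posts form fields
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Matching PacketFence source: Host http://127.0.0.1:8080 (put TLS in front of it),
    # Authentication URL auth, Authorization URL authorize, API username packetfence.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The unknown-user path hashes the supplied password against a fixed dummy hash so that a wrong username and a wrong password take the same time to refuse, and the authorization reply for guest1 omits access_level, sponsor and unregdate, which is exactly the "only send back what you need" behaviour described above.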

SAML authentication

PacketFence supports SAML authentication in the captive portal, in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.


Then, to configure SAML in PacketFence, go in Configuration → Sources and create a new Internal source of the type SAML and configure it.

Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path /usr/local/pf/conf/ssl/server.key.

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path /usr/local/pf/conf/ssl/server.crt.

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the Identity Provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp.crt).


Path to Identity Provider CA cert is the path to the CA certificate of the Identity Provider you transferred to the server above (should be /usr/local/pf/conf/ssl/idp-ca.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows you to set the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your Identity Provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php (the example uses http:// URLs; in production use the https:// form of your portal hostname, since the assertion delivered to the AssertionConsumerService is the user's proof of login):

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService' => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata, but it will not be used.

Passthroughs: In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file, or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed ifIndex)
Per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes: There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS: To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authorization (Change of Authorization or Disconnect) as defined in RFC 3576. The secret is the only thing that authenticates RADIUS requests and CoA/Disconnect messages between PacketFence and the device, so use a long random value, distinct per switch, rather than the placeholder above.

SNMP v1, v2c and v3: PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence: Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration: Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch:

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Keep the priv security level on both sides as shown: authNoPriv authenticates messages but still sends them in cleartext, including the VLAN writes pfsetvlan performs. Both Cisco IOS and PacketFence also accept sha as the auth protocol; prefer it over md5 where your switches support it. Replace the example passphrases, which are printed in this guide and therefore not secret.

Command-Line Interface: Telnet and SSH

Warning: Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).


PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH, and should prefer it, since Telnet sends the credentials below in cleartext. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface: PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support: Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <rolename>Role=<controller_role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.


Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles.
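To catch the mistakes the sections above warn about before running pfcmd configreload, here is an added checker written for this guide; it is not a PacketFence tool. It reads the INI layout described above, a [default] section whose values each per-switch section inherits, and flags a switch with no radiusSecret, an SNMPv3 read user without auth or priv passphrase, v1/v2c community strings left at public/private, Telnet as cliTransport, and a <rolename>Role=<controller_role> mapping that names a role you have not defined in Configuration → Users → Roles. The sample file, the switch types and the use of ';' to separate several role mappings in one roles value are assumptions of the example.

```python
"""Sanity-check a PacketFence switches.conf before reloading it.

Added example for this guide, not a PacketFence tool. It reads the INI layout
described above, a [default] section inherited by one section per switch, and
flags: a switch without radiusSecret, an SNMPv3 read user without auth or priv
passphrase, v1/v2c communities left at public/private, Telnet as cliTransport,
and a <rolename>Role=<controller_role> mapping that names a PacketFence role
you have not defined. The sample file, the switch types and the ';' separator
between several role mappings in one value are assumptions of the example.
"""
import configparser
from typing import Dict, List, Set

SAMPLE_SWITCHES_CONF = """\
[default]
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = production
roles = adminRole=full-access;engineeringRole=full-access;salesRole=little-access

[192.168.0.1]
type = Cisco::Catalyst_2960
radiusSecret = secretPassPhrase
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
cliTransport = SSH
cliUser = admin
cliPwd = admin_pwd

[192.168.0.2]
type = Cisco::Catalyst_2960
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
cliTransport = Telnet
roles = contractorRole=little-access

[192.168.0.3]
type = HP::Procurve_2600
radiusSecret = anotherSecret
SNMPVersion = 2c
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}


def load(conf_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str        # keep parameter names case-sensitive, as in switches.conf
    parser.read_string(conf_text)
    return parser


def parse_roles(value: str) -> Dict[str, str]:
    """'adminRole=full-access;salesRole=little-access' -> {'admin': 'full-access', 'sales': ...}"""
    mapping: Dict[str, str] = {}
    for item in (part.strip() for part in value.split(";")):
        if not item:
            continue
        key, sep, target = item.partition("=")
        key, target = key.strip(), target.strip()
        if not sep or not key.endswith("Role") or len(key) == len("Role") or not target:
            raise ValueError(f"bad role mapping: {item!r}")
        mapping[key[:-len("Role")]] = target
    return mapping


def check(conf_text: str, defined_roles: Set[str]) -> Dict[str, List[str]]:
    """Return a list of findings per switch section (an empty list means nothing flagged)."""
    parser = load(conf_text)
    default = dict(parser["default"]) if parser.has_section("default") else {}
    findings: Dict[str, List[str]] = {}
    for switch in parser.sections():
        if switch == "default":
            continue
        section = dict(parser[switch])

        def param(key: str) -> str:
            return section.get(key) or default.get(key) or ""   # per-switch value wins

        problems: List[str] = []
        if not param("radiusSecret"):
            problems.append("no radiusSecret: RADIUS requests and RFC 3576 CoA/Disconnect "
                            "cannot be authenticated")
        if param("SNMPVersion") == "3":
            if not param("SNMPAuthPasswordRead"):
                problems.append("SNMPv3 read user has no auth passphrase (noAuthNoPriv)")
            elif not param("SNMPPrivPasswordRead"):
                problems.append("SNMPv3 read user has no priv passphrase (authNoPriv): "
                                "SNMP traffic is authenticated but not encrypted")
        else:
            for key in ("SNMPCommunityRead", "SNMPCommunityWrite"):
                if param(key).lower() in WELL_KNOWN_COMMUNITIES:
                    problems.append(f"{key} is the well-known community {param(key)!r}")
        if param("cliTransport").lower() == "telnet":
            problems.append("cliTransport is Telnet: CLI credentials cross the network in cleartext")
        for role in parse_roles(param("roles")):
            if role not in defined_roles:
                problems.append(f"roles maps undefined PacketFence role {role!r}")
        findings[switch] = problems
    return findings
```

Run against the sample with the roles admin, engineering, sales and guest defined: 192.168.0.1 comes back clean, 192.168.0.2 collects four findings (no RADIUS secret, authNoPriv SNMPv3, Telnet, and the undefined contractor role), and 192.168.0.3 is flagged only for inheriting the public/private communities from [default].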

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure, no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name, since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default, we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles, which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the default portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is filter; otherwise PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf.

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over, which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

SSID: Guest-SSID

VLAN: 100

Switch Port: <SwitchId>-<Port>

Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have four important files: httpd.admin, httpd.portal, httpd.webservices and httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface.

httpd.portal is used to manage the PacketFence captive portal interface.

httpd.webservices is used to manage the PacketFence web services interface.

httpd.aaa is used to manage incoming RADIUS requests.

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced at any time by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b, since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl.

Click Add Domain and fill in the information about your domain.


Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain. The one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.


Troubleshooting: In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots/<mydomain>/var/log/samba<mydomain>/log.winbindd. Replace <mydomain> with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/<mydomain> wbinfo -u

You can test the authentication process using the following command: chroot /chroots/<mydomain> ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration: You should now define the domain you want to use as the default one by creating the default realm (the realm used when a login carries no domain) in Configuration → Realms and associating it to that domain.

Next, restart PacketFence in Status → Services.

Multiple domains authentication: First, configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, they will be DOMAIN.NET and DOMAIN.

Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup.

Realm options are any realm options that you want to add to the FreeRADIUS configuration.

Domain is the domain which is associated to this realm.

Now, create the two other realms associated to your other domains.

You should now have two realms per domain, one for its DNS name and one for its workgroup, each associated to its domain.


Option 1b: Authentication against Active Directory (AD) in a cluster

Samba / Kerberos / Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:

apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

Issue a kinit and klist in order to get and verify the Kerberos token:

kinit administrator
klist

After that, you need to start samba and join the machine to the domain:


service smb start
chkconfig --level 345 smb on
net ads join -U administrator

Note that for Debian and Ubuntu, you will probably have this error:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

Add the pf user to the winbind privileged group. For CentOS/RHEL:

usermod -a -G wbpriv pf

For Debian and Ubuntu:

usermod -a -G winbindd_priv pf

Finally, start winbind and test the setup using ntlm_auth and radtest:

service winbind start
chkconfig --level 345 winbind on

ntlm_auth --username myDomainUser
radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 2: Local Authentication: Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 3: EAP authentication against OpenLDAP: To authenticate 802.1X connections against OpenLDAP, you need to define the ldap connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT-HASH or as cleartext.


ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel, add in the authorize section:

authorize {
        suffix
        ntdomain
        eap {
                ok = return
        }
        files
        openldap
}

Option 4: EAP Guest Authentication on email, sponsor and SMS registration: This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

First, create a guest SSID with the guest access you want to use (Email, Sponsor or SMS...) and activate Create local account on that source.

At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


Note

This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/conf/radiusd/packetfence-tunnel, uncomment the line packetfence-local-auth and restart radiusd.

This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you wanted to deactivate this feature for accounts created via SMS, you would have the following:

packetfence-local-auth {
        # Disable ntlm_auth
        update control {
                &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                # Check password table with email and password for a sponsor registration
                pfguest
                if (fail || notfound) {
                        # Check password table with email and password for a guest registration
                        pfsponsor
                        if (fail || notfound) {
                                # Don't check activation table with phone number and PIN code
                                #pfsms    <--- This line was commented out
                                if (fail || notfound) {
                                        update control {
                                                &MS-CHAP-Use-NTLM-Auth := Yes
                                        }
                                }
                        }
                }
        }
}

Note

For this feature to work, the users' passwords must be stored in cleartext in the database. This is configurable via advanced.hash_passwords. Weigh this before enabling it: from then on, every account PacketFence creates has its password readable by anyone with access to the database or its backups, so restrict database access accordingly.

Option 5: EAP Local user Authentication: The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 4; the difference is that we use another SSID and we only use local accounts.


Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel:

In this example, we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If it failed, then we reactivate NTLM Auth.

# Activate local user eap authentication based on a specific SSID
# Set Called-Station-SSID with the current SSID
set.called_station_ssid
if (Called-Station-SSID == "Secure-local-Wireless") {
        # Disable ntlm_auth
        update control {
                MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
                update control {
                        MS-CHAP-Use-NTLM-Auth := Yes
                }
        }
}

Caution

You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set "Database passwords hashing method" to plaintext.

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Portal Modules

The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules, which are used to define the behavior of the captive portal.


Note

When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

First, a brief description of the available Portal Modules:

- Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

- Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

- Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.

- Message: This allows you to display a message to the user. An example is available below in "Displaying a message to the user after the registration".

- Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

  - Billing: Allows to define a module based on one or more billing sources.

  - Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section "Authentication Choice module" below for a detailed explanation.

  - Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, …).

  - Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance and mandatory fields if applicable.

Examples

This section will contain the following examples:

- Prompting for fields without authentication
- Prompting additional fields during the authentication
- Chained authentication
- Mixing login and Secure SSID on-boarding on the portal
- Displaying a message to the user after the registration


Creating a custom root module

First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click "Add Portal Module" and select the type Root. Give it the identifier my_first_root_module and the description "My first root module", then hit save.

Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then, under "Root Portal Module", assign "My first root module", then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

Prompting for fields without authentication

In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

Then go in Configuration → Portal Modules, click "Add Portal Module" and select Authentication → Null. Set the Identifier to prompt_fields, configure the module with the Mandatory fields you want and uncheck "Require AUP" so that the user doesn't have to accept the AUP before submitting these fields.

Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Submitting this information will assign you the role and access duration that you defined in the Null source.

Prompting additional fields during the authentication

If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

You can also add additional mandatory fields to the default policies that are already configured.

This example will make the default_guest_policy require the user to enter a first name, last name and address, so that guests have to enter these three pieces of information before registering.

Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

Note

Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, …).

Chained authentication

The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, …) and then validate his phone number using SMS registration.

For the OAuth login, we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

Then we will create a module that will contain the definition of our SMS registration.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Authentication → SMS.

Configure the portal module so that it uses the sms source and uncheck the "Require AUP" option, since the user will have already accepted the AUP when registering using OAuth.


Then add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules field.


Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

Mixing login and Secure SSID on-boarding on the portal

This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password, but also give the choice to configure the Secure SSID directly from the portal.

First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section "Apple and Android Wireless Provisioning" of this guide to configure your provisioners and add them to the portal profile.

Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

Also, in the portal profile, add your LDAP source to the available sources so it's the only one available.

Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to "Board Secure SSID". Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and the description to "Login or Boarding". Add secure_boarding and default_login_policy to the Modules field and save.


Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging in to the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

Displaying a message to the user after the registration

Using the Message module, you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

Go in Configuration → Portal Modules, then click "Add Portal Module" and select Message. Set the Identifier to hello_world and the description to "Hello World".

Then put the following in the Message field:

Hello World <a href="www.packetfence.org">Click here to access the PacketFence website</a>

Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.


Authentication Choice module (advanced)

The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.

All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

Note: You can find all the authentication objects in lib/pf/Authentication/Source.

- Sources by class: Allows you to specify the perl class name of the sources you want available.

  ex: pf::Authentication::Source::SMSSource will select all the SMS sources, pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, …).

- Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

- Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.


You can see the default_guest_policy and default_oauth_policy for examples of this module.


Debugging

Log files

Here are the most important PacketFence log files:

- /usr/local/pf/logs/packetfence.log — PacketFence Core Log
- /usr/local/pf/logs/httpd.portal.access — Apache – Captive Portal Access Log
- /usr/local/pf/logs/httpd.portal.error — Apache – Captive Portal Error Log
- /usr/local/pf/logs/httpd.admin.access — Apache – Web Admin/Services Access Log
- /usr/local/pf/logs/httpd.admin.error — Apache – Web Admin/Services Error Log
- /usr/local/pf/logs/httpd.webservices.access — Apache – Webservices Access Log
- /usr/local/pf/logs/httpd.webservices.error — Apache – Webservices Error Log
- /usr/local/pf/logs/httpd.aaa.access — Apache – AAA Access Log
- /usr/local/pf/logs/httpd.aaa.error — Apache – AAA Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

RADIUS Debugging

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands:

For the authentication radius process:

radiusd -X -d /usr/local/pf/raddb -n auth

For the accounting radius process:

radiusd -X -d /usr/local/pf/raddb -n acct


Additionally, there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure)

Now you can run raddebug easily:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

The above will output FreeRADIUS authentication debug logs for 5 minutes.

Use the following to debug radius accounting:

raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

See man raddebug for all the options.


More on VoIP Integration

VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

CDP and LLDP are your friend

For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switchport.

On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

VoIP and VLAN assignment techniques

As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

Port-security

Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switchport. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN and 1 on the access VLAN.


Note

Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

MAC Authentication and 802.1X

Cisco hardware: On Cisco switches, we are looking at the multi-domain configuration. The multi-domain means that we can have one device on the VOICE domain and one device on the DATA domain. The domain assignment is done using a Cisco VSA. When the phone connects to the switchport, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

Non-Cisco hardware: On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switchport, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

Note

Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

What if CDP/LLDP feature is missing

It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the DHCP way of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot and tag its ethernet frames using the provided VLAN tag.

In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).


Advanced topics

This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface, under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apple and Android Wireless Provisioning

Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless profile importation using a special XML file format (mobileconfig). Android is also able to support this feature by importing the wireless profile with the Android PacketFence Agent. In fact, installing such a file on your Apple device will automatically configure the wireless settings for a given SSID. This feature is often used when the SSID is hidden, and you want to ease the configuration steps on the mobile device (because it is often painful to configure manually). In PacketFence, we are going further: we generate the profile according to the administrator's preference and we pre-populate the file with the user's credentials (without the password). The user simply needs to install the generated file, and he will be able to use the new SSID.

Configure the feature

First of all, you need to configure the SSID that your devices will use after they go through the authentication process.

In order to do that, in the administration interface, go in Configuration → Provisioners. Then select the android provisioner. Enter the SSID and save.

Now do the same thing for the iOS provisioner.


After, you simply need to add the Android and iOS provisioners to your Portal Profile configuration.

For Android, you must allow passthroughs in your pf.conf configuration file:

[trapping]
passthrough=enabled
passthroughs=*.ggpht.com,*.googleusercontent.com,android.clients.google.com,*.googleapis.com,*.android.clients.google.com,*.gvt1.com

Profile generation

Upon registration, instead of showing the default release page, the user will be shown another version of the page saying that the wireless profile has been generated, with a clickable link on it. To install the profile, Apple device owners simply need to click on that link and follow the instructions on their device. Android device owners simply click the link and will be forwarded to Google Play to install the PacketFence agent. Simply launching the application and clicking "configure" will create the secure SSID profile. It is that simple.

Billing Engine

PacketFence integrates the ability to use a payment gateway to bill users to gain access to the network. When configured, the user who wants to access the network/Internet is prompted by a page asking for their personal information as well as their credit card information.

PacketFence currently supports four payment gateways: Authorize.net, Mirapay, Paypal and Stripe.

In order to activate the billing, you will need to configure the following components:

- Billing source(s)
- Billing tier(s)

Configuring a billing source

First, select a billing provider and follow the instructions below.

Paypal

Note

This provider requires that your PacketFence server is accessible on the public domain. For this, your PacketFence portal should be available on a public IP using the DNS server name configured in PacketFence.

If you have a business account and do not want to configure a test environment, you can skip the next section.


Sandbox account

To configure a sandbox Paypal account for use in PacketFence, head to https://developer.paypal.com and either sign up or log into your existing account.

Then, in the Sandbox menu, click Accounts.

Create an account that has the type Personal and one that has the type Business.

Afterwards, go back into Accounts and expand the business account, then click Profile.

Now click the "Change password" link, change the password and note it.

Do the same thing with the personal account you created.

Configuring the merchant account

Log into the Paypal business account that you created at https://www.sandbox.paypal.com if you are using a sandbox account, or on https://www.paypal.com if you are using a real account.

Next, go in My Account → Profile in order to go into your profile configuration.

Next, in the Selling Preferences, you will need to select "Website Payment Preferences".


Configure the settings so they match the screenshot below.

You should turn on Auto Return and set the return URL to https://YOUR_PORTAL_HOSTNAME/billing/paypal/verify.

You should also take note of the Identity Token as it will be required in the PacketFence configuration.

Next, go back in your profile configuration (My account → Profile) and select "Encrypted Payment Settings".

Now, on this page, you will need to submit the certificate used by PacketFence to Paypal (/usr/local/pf/conf/ssl/server.crt by default).

Once you have submitted it, note its associated Cert ID as you will need to configure it in PacketFence.

Still on that page, click the Download link to download the Paypal public certificate and put it on the PacketFence server under path /usr/local/pf/conf/ssl/paypal.pem.


Caution

The certificate will NOT be the same if you use a sandbox account or a real account.

Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Paypal.


Where:

- Identity token is the one you noted when on the Website Payment Preferences page
- Cert ID is the one you noted when on the Encrypted Payment Settings page
- Payment type is whether the access is donation based (not mandatory to pay for it)
- Email address is the email address of the merchant Paypal account
- Cert file is the path to the PacketFence certificate (/usr/local/pf/conf/ssl/server.crt by default)
- Key file is the path to the PacketFence certificate key (/usr/local/pf/conf/ssl/server.key by default)
- Paypal cert file is the path to the Paypal certificate (/usr/local/pf/conf/ssl/paypal.pem in this example)
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Stripe

Stripe account

First, go on https://dashboard.stripe.com, create an account and log in.

Next, on the top right, click "Your account" then "Account settings".

Navigate to the API keys tab and note your key and secret. The test key should be used when testing the configuration and the live key when putting the source in production.


Configuring PacketFence

Now, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → Stripe.


Where:

- Secret key is the secret key you got from your Stripe account
- Publishable key is the publishable key you got from your Stripe account
- Style is whether you are doing a one-time charge or subscription based billing (recurring). See section "Subscription based registration" below for details on how to configure it.
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using the test key and secret of the account

Authorize.net

Creating an account

First, go on https://account.authorize.net to sign up for a merchant account or http://developer.authorize.net for a sandbox account.

After you created your account, you will be shown your API login ID and Transaction key. Note both of these for usage in the PacketFence configuration.

Then log into your new account.

Then, under Account, click Settings.

On the settings page, in the section Security settings, click MD5-Hash.


Now enter a secret that will be shared between Authorize.net and PacketFence.

PacketFence configuration

Next, in the PacketFence administration interface, go in Configuration → Sources and create a new source of type Billing → AuthorizeNet.


Where:

- API login ID is the one you got earlier while creating your account
- Transaction key is the one you got earlier while creating your account
- MD5 hash is the one you configured in your Authorize.net account
- Currency is the currency that will be used in the transactions
- Test mode should be activated if you are using a sandbox account

Mirapay

To be contributed.

Adding billing tiers

Once you have configured one or more billing sources, you need to define billing tiers, which will define the price and target authentication rules for the user.

In the PacketFence administration interface, go in Configuration → Billing tiers.


Then click "Add billing tier" and configure it.

Where:

- Billing tier is the unique identifier of the billing tier
- Name is the friendly name of the billing tier
- Description is an extended description of the billing tier
- Price is the amount that will be charged to the user
- Access duration is the amount of time the user will be granted access to your network
- Role is the target role the user should be in
- Use time balance defines if the access duration should be computed on real-time access duration, meaning that if the user buys 24 hours of access, he can use the network for 24 hours in different time blocks. This requires a valid RADIUS accounting configuration.

Note

If you don't want to use all the billing tiers that are defined, you can specify the ones that should be active in the Portal profile.


Subscription based registration

PacketFence supports subscription based billing using Stripe as a billing provider.

Billing tier

When using subscription based billing, it is advised to configure the billing tier so it has an almost infinite access duration (e.g. 20 years), as the billing provider will be contacting the PacketFence server when the subscription is canceled.

You should configure a billing tier for each subscription plan you want to have. This example will use the plans simple and advanced, configured using the following parameters:

[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Simple network access
description=Click here if you are poor
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled

Stripe configuration

Then, in your Stripe dashboard, you should go in Subscriptions → Plans.

Then create a new plan.


Where:

- ID is the billing tier identifier. It is important that this matches the ID of the billing tier in PacketFence.
- Amount is the price of the plan. It is important that this matches the price of the billing tier in PacketFence.
- Currency is the currency that will be used in the transactions. It is important that this matches the currency of the Stripe source in PacketFence.
- Interval is the interval at which the customer should be billed. In the case of this example, it is monthly.

Now, following the same procedure, create the advanced plan.
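The three "must match" requirements above (plan ID against billing tier identifier, amount against price, currency against the Stripe source) are easy to get wrong by hand. The following is an added example, not PacketFence's own code: it parses billing tier sections of the shape shown earlier and compares them with plan records carrying the fields the Stripe dashboard asks for. The tier text, the plan records and the source currency are constructed for the example; converting the tier price to the smallest currency unit reflects how Stripe's API expresses amounts, which is an assumption about Stripe, not something the page states.

```python
"""Cross-check PacketFence billing tiers against Stripe subscription plans.

Added example, not PacketFence code. Assumptions: billing tiers are INI
sections like the [simple]/[advanced] ones above, Stripe plan records carry
id/amount/currency/interval, and Stripe's `amount` is in the smallest
currency unit (cents for USD).
"""
import configparser
from decimal import Decimal

# Constructed billing tier configuration for the example.
BILLING_TIERS_CONF = """
[simple]
name=Simple network access
description=Click here if you are poor
price=3.99
role=guest
access_duration=10Y
use_time_balance=disabled

[advanced]
name=Advanced network access
description=More bandwidth
price=9.99
role=advanced_guest
access_duration=10Y
use_time_balance=disabled
"""

# Constructed Stripe plan records (the second one has a wrong amount on purpose).
STRIPE_PLANS = [
    {"id": "simple", "amount": 399, "currency": "usd", "interval": "month"},
    {"id": "advanced", "amount": 899, "currency": "usd", "interval": "month"},
]

STRIPE_SOURCE_CURRENCY = "usd"  # currency configured on the Stripe source


def load_tiers(conf_text):
    """Parse the billing tier sections into {tier_id: {field: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {section: dict(parser[section]) for section in parser.sections()}


def check_plans(tiers, plans, source_currency):
    """Return a list of human-readable mismatches; an empty list means consistent."""
    problems = []
    plans_by_id = {plan["id"]: plan for plan in plans}
    for tier_id, tier in tiers.items():
        plan = plans_by_id.get(tier_id)
        if plan is None:
            problems.append(f"{tier_id}: no Stripe plan with this ID")
            continue
        # Tier price is in major units (3.99); Stripe amount is in minor units (399).
        expected = int(Decimal(tier["price"]) * 100)
        if plan["amount"] != expected:
            problems.append(
                f"{tier_id}: amount {plan['amount']} != tier price {tier['price']} (expected {expected})"
            )
        if plan["currency"].lower() != source_currency.lower():
            problems.append(
                f"{tier_id}: currency {plan['currency']} != source currency {source_currency}"
            )
    # Plans that exist in Stripe but have no tier would never be offered by PacketFence.
    for plan_id in plans_by_id.keys() - tiers.keys():
        problems.append(f"{plan_id}: Stripe plan has no matching billing tier")
    return problems


if __name__ == "__main__":
    for line in check_plans(load_tiers(BILLING_TIERS_CONF), STRIPE_PLANS, STRIPE_SOURCE_CURRENCY):
        print(line)
```

Run against the constructed input, the only finding is the advanced plan whose amount does not correspond to the 9.99 tier price; fix that amount and the check returns an empty list.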

Receiving updates from Stripe

As the subscription can be cancelled by a user, you need to set up your PacketFence installation to receive updates from Stripe.

Updates are sent using HTTP requests on a public IP.

You need to make sure that your PacketFence server is available through a public IP on port 80 and that your PacketFence server hostname resolves on the public domain.


Then, in Stripe, configure a Webhook so Stripe informs PacketFence of any event that happens in this Stripe merchant account.

In order to do so, go in Your Account → Account Settings → Webhooks and click "Add endpoint".

Where:

- URL is the URL to the PacketFence server. This should be http://YOUR_PORTAL_HOSTNAME/hook/billing/stripe
- Mode is whether this webhook is for testing mode or live mode.

Now, every time a user unsubscribes from a plan, PacketFence will be notified and will unregister that device from your network.
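The endpoint above is reached over plain HTTP on a public IP, and a delivery to it ends in a device being unregistered, so the receiving side wants to be sure a request really came from Stripe before acting on it. Stripe signs each delivery with a Stripe-Signature header (t=<unix time>,v1=<hex HMAC-SHA256 of "<t>.<body>" keyed with the endpoint's signing secret>). The following added example is not PacketFence's code and says nothing about how PacketFence 6.0.3 itself handles the hook; it models a receiver that checks that signature and a replay window before reading the event. The signing secret, the event body, and the idea of storing the device MAC in the subscription's metadata are all constructed assumptions.

```python
"""Verify a Stripe webhook delivery before acting on it.

Added example, not PacketFence code. Assumptions: the Stripe-Signature
scheme described in the lead-in, a constructed endpoint signing secret,
and a subscription whose metadata carries the device MAC.
"""
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is too old (replay)


def verify_stripe_signature(payload: bytes, header: str, secret: str, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only if a v1 signature in `header` matches `payload` and is fresh."""
    fields = {}
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        fields.setdefault(key, []).append(value)
    if "t" not in fields or "v1" not in fields:
        return False
    try:
        timestamp = int(fields["t"][0])
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > tolerance:
        return False
    signed = f"{timestamp}.".encode() + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time comparison against every v1 candidate (Stripe may send several).
    return any(hmac.compare_digest(expected, candidate) for candidate in fields["v1"])


def sign_for_test(payload: bytes, secret: str, timestamp: int) -> str:
    """Build a header the way the sender would; used here only to construct sample input."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def handle_webhook(payload: bytes, header: str, secret: str, now=None):
    """Model of the endpoint's decision: which device (if any) to unregister."""
    if not verify_stripe_signature(payload, header, secret, now=now):
        return {"action": "reject", "reason": "bad signature"}
    event = json.loads(payload)
    if event.get("type") != "customer.subscription.deleted":
        return {"action": "ignore", "type": event.get("type")}
    subscription = event["data"]["object"]
    # Assumption for the example: the device MAC was stored in the subscription
    # metadata when the tier was bought, so the receiver knows what to unregister.
    return {"action": "unregister", "mac": subscription["metadata"]["mac"]}


# Constructed sample delivery.
SECRET = "whsec_example_signing_secret"
NOW = 1_700_000_000
EVENT = json.dumps({
    "type": "customer.subscription.deleted",
    "data": {"object": {"id": "sub_example", "metadata": {"mac": "00:11:22:33:44:55"}}},
}).encode()

if __name__ == "__main__":
    header = sign_for_test(EVENT, SECRET, NOW)
    print(handle_webhook(EVENT, header, SECRET, now=NOW))
    print(handle_webhook(EVENT, header, "whsec_wrong", now=NOW))
```

A delivery with a wrong secret, a modified body, or a timestamp outside the tolerance window is rejected before any device state is touched; only a valid cancellation event yields the unregister decision.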

Devices Registration

Users have the possibility to register their devices (Microsoft XBOX/XBOX 360, Nintendo DS/Wii, Sony PlayStation and so on) right from a special portal page. When accessing this page, users will be prompted to login as if they were registering themselves. Once logged in, the portal will ask them to enter the device MAC address, which will then be matched against a predefined list of authorized MAC OUIs. The device will be registered with the user's id and can be assigned into a specific category for easier management.

Here's how to configure the whole thing. The portal page can be accessed by the following URL: https://YOUR_PORTAL_HOSTNAME/device-registration. This URL is accessible from within the network, in any VLAN that can reach the PacketFence server.

The following can be configured by editing the pf.conf file:

[registration]
device_registration = enabled
device_registration_role = gaming

Make sure the role exists in PacketFence, otherwise you will encounter registration errors. Moreover, make sure the role mapping for your particular equipment is done.

These parameters can also be configured from the Configuration → Registration section.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Eduroam

eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community.

eduroam allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.

— eduroam, https://www.eduroam.org

PacketFence supports integration with eduroam and allows participating institutions to authenticate both locally visiting users from other institutions as well as allowing other institutions to authenticate local users.

In order for PacketFence to allow eduroam authentication, the FreeRADIUS configuration of PacketFence must be modified to allow the eduroam servers to connect to it as clients, as well as to proxy RADIUS authentication requests for users from outside institutions.

First, modify the /usr/local/pf/raddb/clients.conf file to allow the eduroam servers to connect to your PacketFence server. Add the eduroam servers as clients and make sure to add the proper RADIUS secret. Set a shortname to refer to these clients, as you will later need it to exclude them from some parts of the PacketFence configuration.

clients.conf example:


client tlrs1.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs1
}

client tlrs2.eduroam.us {
        secret = useStrongerSecret
        shortname = tlrs2
}

Secondly, modify the list of domains and proxy servers in /usr/local/pf/raddb/proxy.conf. You will need to define each of your domains as well as the DEFAULT domain. The DEFAULT realm will apply to any client that attempts to authenticate with a realm that is not otherwise defined in proxy.conf, and will be proxied to the eduroam servers.

Define one or more home servers (servers to which eduroam requests should be proxied):

proxy.conf example:

home_server tlrs1.eduroam.us {
        type = auth
        ipaddr = 257.128.1.1
        port = 1812
        secret = useStrongerSecret
        require_message_authenticator = yes
}

Define a pool of servers to group your eduroam home servers together:

proxy.conf example:

home_server_pool eduroam {
        type = fail-over
        home_server = tlrs1.eduroam.us
        home_server = tlrs2.eduroam.us
}

Define realms to select which requests should be proxied to the eduroam server pool. There should be one realm for each of your domains, and possibly one more per domain if you intend to allow usernames of the DOMAIN\user form.

The REALM is set based on the domain found by the suffix or ntdomain modules (see raddb/modules/realm). The suffix and ntdomain modules try to find a domain in the username, either as a prefix (DOMAIN\user) or as a suffix (user@domain).

If none is found, the REALM is NULL.

If a domain is found, FreeRADIUS tries to match one of the REALMs defined in this file.

If the domain is either example.edu or EXAMPLE, FreeRADIUS sets the corresponding REALM, i.e. example.edu or EXAMPLE.

If the REALM does not match either (and it isn't NULL), that means there was a domain other than EXAMPLE or example.edu, and we assume it is meant to be proxied to eduroam. FreeRADIUS sets the DEFAULT realm (which is proxied to the eduroam authentication pool).


The REALM determines where the request is sent to. If the REALM authenticates locally, the requests are processed entirely by FreeRADIUS. If the REALM sets a different home server pool, the requests are proxied to the servers defined within that pool.

proxy.conf example:

# This realm is for requests which don't have an explicit realm prefix or suffix.
# User names like "bob" will match this one.
# No authentication server is defined, thus the authentication is done locally.
realm NULL {
}

# This realm is for ntdomain users who might use the domain like this: EXAMPLE\username
# No authentication server is defined, thus the authentication is done locally.
realm EXAMPLE {
}

# This realm is for suffix users who use the domain like this: username@example.edu
# No authentication server is defined, thus the authentication is done locally.
realm example.edu {
}

# This realm is for ALL OTHER requests. Meaning, in this context, eduroam.
# The auth_pool is set to the eduroam pool and so the requests will be proxied.
realm DEFAULT {
        auth_pool = eduroam
        nostrip
}

Thirdly, you must configure the packetfence FreeRADIUS virtual servers to treat the requests properly.

In /usr/local/pf/raddb/sites-enabled/packetfence, modify the authorize section like this:

raddb/sites-enabled/packetfence example:


authorize {
        # pay attention to the order of the modules. It matters.
        ntdomain
        suffix
        preprocess

        # uncomment this section if you want to block eduroam users from your other SSIDs.
        # The attribute name ( Called-Station-Id ) may differ based on your controller.
        #if ( Called-Station-Id =~ /eduroam$/i ) {
        #        update control {
        #                Proxy-To-Realm := "local"
        #        }
        #}

        eap {
                ok = return
        }

        files
        expiration
        logintime
        packetfence
}

In /usr/local/pf/raddb/sites-enabled/packetfence-tunnel, modify the post-auth section like this. If you omit this change, the request will be sent to PacketFence, where it will fail since the eduroam servers are not part of your configured switches.

raddb/sites-enabled/packetfence-tunnel example:

post-auth {
        exec

        # we skip packetfence when the request is coming from the eduroam servers
        if ( "%{client:shortname}" != "tlrs1" && "%{client:shortname}" != "tlrs2" ) {
                packetfence
        }

        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

Finally, make sure that the realms module is configured this way (see /usr/local/pf/raddb/modules/realm):

raddb/modules/realm example:


# 'username@realm'
realm suffix {
        format = suffix
        delimiter = "@"
}

# 'domain\user'
realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_null = yes
}
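As an added example (not part of the PacketFence guide), the following Python models the realm selection and the two conditions described in this eduroam section, so the proxy decision can be dry-run before editing the live FreeRADIUS configuration. The realm table, the client shortnames and the sample User-Names are constructed from the configuration shown above; realm name matching is assumed case-insensitive.

```python
import re

# Constructed to mirror the proxy.conf realms above: realms mapped to None
# authenticate locally; DEFAULT proxies everything else to the "eduroam" pool.
REALMS = {
    "NULL": None,
    "EXAMPLE": None,
    "example.edu": None,
    "DEFAULT": "eduroam",
}

# Constructed to mirror clients.conf: shortnames of the eduroam servers.
EDUROAM_CLIENT_SHORTNAMES = {"tlrs1", "tlrs2"}


def split_realm(user_name):
    """Emulate 'realm ntdomain' (prefix, delimiter '\\') followed by
    'realm suffix' (suffix, delimiter '@'), in the authorize order above.
    Returns (domain, user); domain is None when neither form is present."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return domain, user
    return None, user_name


def select_realm(user_name):
    """Return the proxy.conf realm FreeRADIUS would pick for this User-Name.
    Realm names are compared case-insensitively (an assumption of this model)."""
    domain, _ = split_realm(user_name)
    if domain is None:
        return "NULL"
    for name in REALMS:
        if name not in ("NULL", "DEFAULT") and name.lower() == domain.lower():
            return name
    return "DEFAULT"


def route_request(user_name, called_station_id=None, block_on_other_ssids=False):
    """Decide where an Access-Request goes, mirroring the authorize section:
    ntdomain/suffix select the realm, then the optional Called-Station-Id
    check forces Proxy-To-Realm to 'local' on SSIDs not ending in 'eduroam'.
    Returns ('local', realm) or ('proxy', pool)."""
    realm = select_realm(user_name)
    pool = REALMS[realm]
    if pool is None:
        return ("local", realm)
    on_eduroam_ssid = bool(called_station_id) and re.search(
        r"eduroam$", called_station_id, re.IGNORECASE) is not None
    if block_on_other_ssids and not on_eduroam_ssid:
        # update control { Proxy-To-Realm := "local" }: the request is handled
        # locally instead of being proxied, which is how the text keeps
        # foreign eduroam accounts off the other SSIDs.
        return ("local", "local")
    return ("proxy", pool)


def post_auth_runs_packetfence(client_shortname):
    """Mirror the post-auth condition in packetfence-tunnel: the packetfence
    module is skipped for responses that come back from the eduroam servers."""
    return client_shortname not in EDUROAM_CLIENT_SHORTNAMES
```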

Fingerbank integration

Fingerbank, a great device profiling tool developed alongside PacketFence, now integrates with it to power up the feature set, allowing a PacketFence administrator to easily trigger violations based on different device types, device parents, DHCP fingerprints, DHCP vendor IDs, MAC vendors and browser user agents.

The core of that integration resides in the ability for a PacketFence system to interact with the Fingerbank upstream project, which then allows daily fingerprint database updates, sharing unknown data so that more complex algorithms can process that new data and integrate it in the global database, querying the global upstream database in the case of an unknown match, and much more.

Since the Fingerbank integration is now the de facto device profiling tool of PacketFence, it was a requirement to make it as simple as possible to configure and to use. From the moment a working PacketFence system is in place, Fingerbank is also ready to be used, but only in a local mode, which means no interaction with the upstream Fingerbank project.

Onboarding

To benefit from all the advantages of the Fingerbank project, the onboarding step is required to create an API key that will then allow interaction with the upstream project. That can easily be done by going in the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. From there, an easy process to create and save a user/organization specific API key can be followed. Once completed, the full feature set of Fingerbank can be used.

Update Fingerbank database

Updating the Fingerbank data can't be easier. The only requirement is the onboarding process, which allows you to interact with the upstream project. Once done, an option to Update Fingerbank DB can be found on top of every menu item section under Fingerbank. The process may take a minute or two depending on the size of the database and the internet connectivity, after which a success or error message will be shown accordingly. Local records are NOT modified during this process.


Submit unknown data

Saying that we don't know everything is not false modesty. In that sense, the Submit Unknown/Unmatched Fingerprints option is made available (after onboarding) so that unknown fingerprinting data going in and out on your network can easily be submitted to the upstream Fingerbank project for further analysis and integration in the global database.

Upstream interrogation

By default, PacketFence is configured to interrogate the upstream Fingerbank project (if onboarding has been completed) to fulfill a query with unmatched local results. Unmatched local results can result from an older version of the Fingerbank database or from a requirement for a more complex algorithm due to the data set. That behavior is completely transparent and can be modified using the Settings menu item under the Fingerbank section of the PacketFence Configuration tab.

Local entries

It is possible for an administrator who wants to customize an existing record (or create a new one) to do so using the Local entries. An upstream record (DHCP Fingerprint, DHCP Vendor, MAC Vendor, User Agent, Device type, even a Combination) can be cloned and then modified on a local basis if needed. Local records are always matched first, since their purpose is to override an existing one. A local combination can be created to match either Local or Upstream (or both) entries to allow identification of a device.

Settings

Fingerbank settings can easily be modified from the Settings menu item under the Fingerbank section of the PacketFence Configuration tab. There's documentation for each and every parameter, which allows easier understanding.

Floating Network Devices

Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

Caution

Right now, PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular VLAN) and authorizes it on the port (port-security).


A floating network device is a device that PacketFence does not manage as a regular device.

When a floating network device is plugged in, PacketFence will allow all the MAC addresses that will be connected to this device (or appear on the port) and, if necessary, configure the port as multi-vlan (trunk) and set the PVID and tagged VLANs on the port.

When a floating network device is unplugged, PacketFence will reconfigure the port like it was before it was plugged in.

How it works

Configuration:

- floating network devices have to be identified using their MAC address
- linkup/linkdown traps are not enabled on the switches, only port-security traps are

When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

- it disables port-security
- it sets the PVID
- it eventually sets the port as multi-vlan (trunk) and sets the tagged VLANs
- it enables linkdown traps

When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

- it enables port-security
- it disables linkdown traps

Identification

As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

- by editing conf/floating_network_device.conf
- through the Web GUI, in Configuration → Network → Floating devices

Here are the settings that are available:

MAC Address: MAC address of the floating device

IP Address: IP address of the floating device (not required, for information only)

trunkPort: Yes/no. Should the port be configured as a multi-vlan port?

pvid: VLAN in which PacketFence should put the port

taggedVlan: Comma separated list of VLANs. If the port is a multi-vlan port, these are the VLANs that have to be tagged on the port.


OAuth2 Authentication

Note: OAuth2 authentication does not work with WebAuth enforcement.

The captive portal of PacketFence allows a guest user to register using his Google, Facebook, LinkedIn, Windows Live, Twitter or GitHub account.

For each provider, we maintain an allowed domain list to punch holes into the firewall so the user can hit the provider login page. This list is available in each OAuth2 authentication source.

In order to have OAuth2 working properly, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Save the file and issue a sysctl -p to update the OS config.

You must also enable the passthrough option in your PacketFence configuration (trapping.passthrough in pf.conf).

Google

In order to use Google as an OAuth2 provider, you need to get an API key to access their services. Sign up here: http://code.google.com/apis/console. Make sure you use this URI for the Redirect URI field: https://YOUR_PORTAL_HOSTNAME/oauth2/callback. Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Google on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: google.com, google.ca, google.fr, gstatic.com, googleapis.com, accounts.youtube.com (make sure that you have the Google domain from your country, like Canada: google.ca, France: google.fr, etc.).

Once you have your client ID and API key, you need to configure the OAuth2 provider. This can be done by adding a Google OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Google as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Facebook

To use Facebook, you also need an API code and a secret key. To get one, go here: https://developers.facebook.com/apps. When you create your App, make sure you specify the following as the Website URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback


Of course, replace the hostname with the values from general.hostname and general.domain.

You can keep the default configuration, modify the App ID & App Secret (given by Facebook on the developer platform) and Portal URL (https://YOUR_PORTAL_HOSTNAME/oauth2/callback).

Also add the following Authorized domains: facebook.com, fbcdn.net, akamaihd.net (may change).

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Facebook OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Facebook as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Caution: By allowing OAuth through Facebook, you will give Facebook access to the users while they are sitting in the registration VLAN.

GitHub

To use GitHub, you also need an API code and a secret key. To get one, you need to create an App here: https://github.com/settings/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a GitHub OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add GitHub as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

LinkedIn

To use LinkedIn, you also need an API code and a secret key. To get one, you need to create an App here: https://developer.linkedin.com. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a LinkedIn OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add LinkedIn as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Also, LinkedIn requires a state parameter for the authorization URL. If you modify it, make sure to add it at the end of your URL.

Twitter

To use Twitter, you also need an API code and a secret key, which Twitter calls consumer key and consumer secret. Obtain this information by creating a new application from your Twitter Apps Management page. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Twitter OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Twitter as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Windows Live

To use Windows Live, you also need an API code and a secret key. To get one, you need to create an App here: https://account.live.com/developers/applications. When you create your App, make sure you specify the following as the Callback URL: https://YOUR_PORTAL_HOSTNAME/oauth2/callback

Of course, replace the hostname with the values from general.hostname and general.domain.

Once you have your information, you need to configure the OAuth2 provider. This can be done by adding a Windows Live OAuth2 authentication source from Configuration → Sources.

Moreover, don't forget to add Windows Live as a registration mode from your portal profile definition, available from Configuration → Portal Profiles and Pages.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration → Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables, and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach external websites.

DNS passthrough

Add a new FQDN (should be a wildcard domain, like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

mod_proxy passthrough

Add a new FQDN (should be a wildcard domain, like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal, and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together, but DNS-based passthroughs have higher priority.


Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and the inline interfaces, since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs, this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point, PacketFence will receive a copy of all DHCP requests for that VLAN and will record which IPs were distributed to which node using a pfdhcplistener daemon.

By default, no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:

DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.


Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side, you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below, stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener:

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly, and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works on layer-2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration → Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (fqdn) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.

Routed Networks

If your isolation and registration networks are not locally-reachable (at layer 2) on the network but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only:

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration → Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this, you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation, you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.
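As an added example (not PacketFence code), the Python below parses pf.conf and networks.conf fragments like those above, checks the routed networks for the consistency this section relies on (DHCP range inside the subnet, dns pointing at an internal interface, next_hop on a local internal subnet) and renders the router ACL shown above for one remote network. The sample configuration is constructed from this section and uses only the standard library.

```python
import configparser
import ipaddress

# Constructed samples mirroring the pf.conf interfaces and networks.conf above.
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0

[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
type=vlan-registration

[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
type=vlan-registration
"""


def _ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf_text):
    """Return {name: ip_interface} for every type=internal interface in pf.conf."""
    cp = _ini(pf_conf_text)
    result = {}
    for section in cp.sections():
        if section.startswith("interface ") and cp[section].get("type") == "internal":
            name = section.split(" ", 1)[1]
            result[name] = ipaddress.ip_interface(f"{cp[section]['ip']}/{cp[section]['mask']}")
    return result


def check_networks(networks_text, pf_conf_text):
    """Return a list of problems found in networks.conf; [] means consistent."""
    internals = internal_interfaces(pf_conf_text)
    internal_ips = {i.ip for i in internals.values()}
    problems = []
    for name, s in _ini(networks_text).items():
        if name == "DEFAULT":
            continue
        net = ipaddress.ip_network(f"{name}/{s['netmask']}", strict=False)
        start = ipaddress.ip_address(s["dhcp_start"])
        end = ipaddress.ip_address(s["dhcp_end"])
        if not (start in net and end in net and start < end):
            problems.append(f"{name}: DHCP range {start}-{end} not inside {net}")
        if ipaddress.ip_address(s["gateway"]) not in net:
            problems.append(f"{name}: gateway {s['gateway']} not inside {net}")
        # Clients must be handed a PacketFence internal IP as DNS, otherwise
        # the DNS-based portal redirection described above cannot happen.
        if ipaddress.ip_address(s["dns"]) not in internal_ips:
            problems.append(f"{name}: dns {s['dns']} is not an internal interface IP")
        # A remote (routed) network reaches PacketFence through a next hop
        # that must sit on one of the local internal subnets.
        if s.get("next_hop"):
            hop = ipaddress.ip_address(s["next_hop"])
            if not any(hop in i.network for i in internals.values()):
                problems.append(f"{name}: next_hop {hop} is not on an internal subnet")
    return problems


def router_acl(networks_text, name, vlan_id, acl_name="PF_REGISTRATION"):
    """Render the IOS-style ACL from the text for one remote network: permit
    traffic to the PacketFence server and DHCP broadcasts, log-deny the rest."""
    s = _ini(networks_text)[name]
    return "\n".join([
        f"ip access-list extended {acl_name}",
        f" permit ip any host {s['dns']}",
        " permit udp any any eq 67",
        " deny ip any any log",
        f"interface vlan {vlan_id}",
        f" ip address {s['gateway']} {s['netmask']}",
        f" ip helper-address {s['dns']}",
        f" ip access-group {acl_name} in",
    ])
```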


Statement of Health (SoH)

The Statement of Health (SoH) is a product that has been developed by Microsoft. In the Microsoft world, this is named Network Access Protection or NAP. On Windows versions from XP SP2 to Windows 7, there is a NAP service installed that can relay health information (Anti-Virus update status, Windows Update status, etc.) to a RADIUS server or a DHCP server. The section below explains how to do SoH policies with PacketFence.

Installation

By default, we turn SoH off. To enable its support, simply uncomment the following lines in /usr/local/pf/conf/radiusd/eap.conf:

soh=yes
soh-virtual-server = "soh-server"

Restart the RADIUS service afterward.

On the client side, to enable SoH for EAP, do the following (Windows 7 example):

sc config napagent start=auto
sc start napagent

# Wired 802.1X
sc config dot3svc start=auto depend=napagent
sc start dot3svc

netsh nap client show config

# get the ID value for the EAP Quarantine Enforcement Client
netsh nap client set enforce id=$ID admin=enable

The last step is to select the Enforce Network Access Protection checkbox under the EAP profile settings. Those steps can be easily configured using GPOs.

Configuration of SoH policy

In order to enforce a SoH policy, we need to create it first. This is done using the Configuration → Compliance → Statement of Health module.

Policy example

Let's walk through an example situation. Suppose you want to display a remediation page to clients that do not have an anti-virus enabled.


The three broad steps are: create a violation class for the condition, then create an SoH filter to trigger the violation when anti-virus is disabled, and finally reload the violations.

First, create the proper violation either via the Admin UI or by editing the conf/violations.conf file:

[4000001]
desc=No anti-virus enabled
url=/remediation.php?template=noantivirus
actions=reevaluate_access,email,log
enabled=Y

Note

You may also want to set other attributes such as auto_enable, grace, etc.

When done with the violation, visit the Web Administration under Configuration → Compliance → Statement of Health and (edit the filter named Default or) use the Add a filter button to create a filter named antivirus. Click on antivirus in the filter list and select Trigger violation in the action drop-down. Enter the vid of the violation you created above in the input box that appears.

Next, click on Add a condition and select Anti-virus, is and disabled in the drop-down boxes that appear. Click on the Save filters button. Finally, reload the violations either by restarting PacketFence or using the pfcmd reload violations command.

The last step is to create a new remediation template called noantivirus.php on the filesystem in the html/captive-portal/violations folder. Edit it to include the text you want to display to the users.

VLAN Filter Definition

We added the ability to specify filters directly in the portion of code that re-evaluates the VLAN or does a call to the API.

These rules are available in different scopes:

- ViolationRole
- RegistrationRole
- RegisteredRole
- InlineRole
- AutoRegister
- NodeInfoForAutoReg

And can be defined using different criteria like:


- node_info.attribute (like node_info.status)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.pid)
- radius_request.attribute (like radius_request.Calling-Station-Id)

For example, let's define a rule that prevents a device from connecting when its category is the default, when the SSID is SECURE and when the current time is between 11am and 2pm from Monday to Friday, when it tries to connect as a registered device:

[category]
filter = node_info.category
operator = is
value = default

[ssid]
filter = ssid
operator = is
value = SECURE

[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}

[1:category&ssid&time]
scope = RegisteredRole
role = nointernet

The second example will create a violation if the SSID is OPEN and the owner is igmout:

[igmout]
filter = owner.pid
operator = is
value = igmout

[open]
filter = ssid
operator = is
value = OPEN


[2:igmout&open]
scope = RegisteredRole
action = trigger_violation
action_param = mac = $mac, tid = 1100012, type = INTERNAL

The third example will auto-register the device and assign the role staff to each device where the username is igmout:

[igmout]
filter = username
operator = is
value = igmout

[secure]
filter = ssid
operator = is
value = SECURE

[3:igmout&secure]
scope = AutoRegister
role = staff

[4:igmout&secure]
scope = NodeInfoForAutoReg
role = staff

You can have a look in the file vlan_filters.conf; there are some examples on how to use and define filters.

RADIUS Filter Definition

We added the ability to specify filters directly in the portion of code that returns the RADIUS answer or does a call to the API.

These rules are only available in one scope:

- returnRadiusAccessAccept

And can be defined using different criteria like:


- node_info.attribute (like node_info.$attribute)
- switch
- ifIndex
- mac
- connection_type
- username
- ssid
- time
- owner.attribute (like owner.$attribute)
- radius_request.attribute (like radius_request.$attribute)
- violation
- user_role
- vlan

For example, let's define a rule that returns Access-Accept when the connection is Ethernet-EAP and when there is no violation (merge_answer means that the original answer of PacketFence will be merged with the filter answer automatically):

[violation]
filter = violation
operator = defined

[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP

[1:etherneteap&!violation]
merge_answer = no
scope = returnRadiusAccessAccept

In this other example, we just add a new attribute to the original answer under the same conditions (here $user_role will be replaced by the real user role of the device, and $switch._portalURL will be replaced by the value of _portalURL defined in the switch config):

[1:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role;url-redirect=$switch._portalURL/cep$session_id

You can have a look in the file radius_filters.conf; there are some examples on how to use and define filters.
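Added example, not PacketFence code: a dry-run evaluator for the vlan_filters.conf and radius_filters.conf syntax shown in the two sections above. It parses filter and rule sections, supports the is and defined operators, the & and ! rule composition and the wd {...} hr {...} time window, and returns the settings of the first matching rule for a request; the configuration fragment and the sample times are constructed from the examples in the text.

```python
import configparser
import datetime
import re

# Constructed fragment combining the first VLAN filter example and the RADIUS
# filter example above (the SSID filter is named 'secure' here).
FILTERS_CONF = """
[category]
filter = node_info.category
operator = is
value = default
[secure]
filter = ssid
operator = is
value = SECURE
[time]
filter = time
operator = is
value = wd {Mon Tue Wed Thu Fri} hr {11am-2pm}
[1:category&secure&time]
scope = RegisteredRole
role = nointernet
[violation]
filter = violation
operator = defined
[etherneteap]
filter = connection_type
operator = is
value = Ethernet-EAP
[5:etherneteap&!violation]
merge_answer = yes
scope = returnRadiusAccessAccept
answer1 = Cisco-AVPair => url-redirect-acl=$user_role
"""

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
TUESDAY_NOON = datetime.datetime(2016, 6, 7, 12, 0)    # constructed sample times
SATURDAY_NOON = datetime.datetime(2016, 6, 11, 12, 0)


def _parse_hour(text):
    # '11am' -> 11, '2pm' -> 14, '12am' -> 0, '12pm' -> 12
    m = re.fullmatch(r"(\d{1,2})(am|pm)", text.strip().lower())
    hour = int(m.group(1)) % 12
    return hour + 12 if m.group(2) == "pm" else hour


def in_time_window(spec, when):
    """Evaluate a 'wd {Mon ... Fri} hr {11am-2pm}' specification at 'when'."""
    wd = re.search(r"wd\s*\{([^}]*)\}", spec)
    hr = re.search(r"hr\s*\{([^}]*)\}", spec)
    if wd and DAYS[when.weekday()] not in wd.group(1).split():
        return False
    if hr:
        start, end = (_parse_hour(p) for p in hr.group(1).split("-"))
        if not start <= when.hour < end:
            return False
    return True


def load_filters(text):
    """Split the INI text into filter definitions and rules ordered by id."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    filters, rules = {}, []
    for name in cp.sections():
        if ":" in name:
            rule_id, expr = name.split(":", 1)
            rules.append((int(rule_id), expr, dict(cp[name])))
        else:
            filters[name] = dict(cp[name])
    return filters, sorted(rules, key=lambda r: r[0])


def filter_matches(flt, request, when):
    """Apply one filter (filter/operator/value) to the request dict."""
    actual = request.get(flt["filter"])
    if flt["operator"] == "defined":
        return actual is not None
    if flt["operator"] == "is":
        if flt["filter"] == "time":
            return in_time_window(flt["value"], when)
        return actual == flt["value"]
    raise ValueError("unsupported operator " + flt["operator"])


def evaluate(text, scope, request, when):
    """Return the settings of the first rule whose scope and every term match,
    or None. A term prefixed with '!' must NOT match (e.g. '!violation')."""
    filters, rules = load_filters(text)
    for _, expr, settings in rules:
        if settings.get("scope") != scope:
            continue
        matched = True
        for term in expr.split("&"):
            negate = term.startswith("!")
            hit = filter_matches(filters[term.lstrip("!")], request, when)
            matched = matched and (hit != negate)
        if matched:
            return {k: v for k, v in settings.items() if k != "scope"}
    return None
```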


DNS enforcement

DNS enforcement allows you to control the network access of the device by using the pfdns service on PacketFence.

The architecture of DNS enforcement is as follows:

- DHCP and DNS are provided by the PacketFence server
- The PacketFence DHCP server will provide the IP of your network equipment as the gateway and the IP address of the PacketFence DNS server to resolve names
- Routing is provided by another equipment on your network (core switch, firewall, router, ...)
- If a user should be shown the portal, the pfdns service will return a pointer to the IP address of the captive portal; otherwise pfdns will resolve the name externally and use it in the reply

This enforcement mode used by itself can be bypassed by the device by using a different DNS server or by using its own DNS cache.

The first can be prevented using an ACL on your routing equipment; the second can be prevented by combining DNS enforcement with Single-Sign-On on your network equipment. Please see the Firewall Single-Sign-On documentation for details on how to accomplish this.

In order to configure DNS enforcement, you first need to go in Configuration → Interfaces, then select one of your interfaces and set it in DNS enforcement mode.

After that, you need to configure a routed network for this interface by clicking Add routed network. See the Routed Networks section of this document for details on how to configure it.

Note: If you are not using a routed network, you need to use Inline enforcement, as DNS enforcement can only be used for routed networks.

Once this is done, you need to restart the dhcpd and pfdns services.

Parked devices

In the event that you are managing a large registration network with devices that stay there (ex: students that can't register in your environment), these devices consume precious resources and generate useless load on the captive portal and registration DHCP server.

Using the parking feature, you can make these devices have a longer lease and hit an extremely lightweight captive portal so that the amount of resources they consume is minimal. In that captive portal, they will see a message explaining that they haven't registered their device for a certain amount of time, and it will let them leave the parked state by pressing a link.

The parked vs unparked state is controlled through violation 1300003, which gets triggered according to the parking threshold setting (Configuration → Parking).


So in order to activate the parking, go in Configuration → Parking and set the threshold to a certain amount of seconds. A suggested value would be 21600, which is 6 hours. This means that if a device stays in your registration network for more than 6 hours in a row, it will trigger violation 1300003 and place that device into the parked state.

In that same section, you can define the lease length of the user when he is in the parked state.

Note

Parking is detected when a device asks for DHCP; if PacketFence is not your DHCP server for the registration network, this feature will not work. Also, if the device goes into the parked state with a lease time of 1 hour and the user immediately releases himself from the parking state, it will take 1 hour before the next detection takes place, even if you set the parking threshold to a lower value.

Violation 1300003

This violation controls what happens when a user is detected doing parking.

Here are the main settings:

- You can add actions to the predefined ones (like Email admin or External action) in Definition → Actions
- The amount of time a user can unpark their device is controlled through the Remediation → Max enable setting
- The amount of grace time between two parking violations is controlled by the Remediation → Grace setting. This means once a user releases himself from the parked state, he will have at least this amount of time to register before the parking triggers again.
- The destination role (thus VLAN) of the user is controlled by Advanced → Role. You should leave the user in the registration role, but should you want to dedicate a role for parking, you can set it there.
- The Template attribute will only be used when the user is on the normal PacketFence portal and not the one dedicated for parking. If you want the user to access the non-parking portal, disable Show parking portal in Configuration → Parking.


Optional components

Blocking malicious activities with violations

Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a blocked page which can be customized to your wishes.

In order to be able to block malicious activities, installation and configuration of a PacketFence compatible IDS is required. PacketFence currently supports Snort, Suricata and Security Onion.

Snort

Installation

The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

yum install snort

Configuration

PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf; all the modifications will be destroyed on each PacketFence restart.

Suricata

Installation

Since the Suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the old way.

The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


Note: To benefit from the OPSWAT Metadefender Cloud integration, Suricata needs to be built with libnss/libnspr support. Make sure to use JSON output. More information on how to achieve this can be found there: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/MD5

Configuration

Depending on whether or not Suricata is running on the PacketFence server, configuration is different.

When running locally, PacketFence provides a basic suricata.yaml that can be modified to suit different needs. The file is located in /usr/local/pf/conf.

In the case that Suricata is running on a separate server, Suricata configuration will have to be handled separately, which is not the purpose of the present guide.

OPSWAT Metadefender Cloud

It is possible to trigger violations based on the threat level of downloaded files using the Metadefender Cloud integration in conjunction with the Suricata MD5 extraction feature. Without entering in the details, here are the basic steps to make it work.

First, an OPSWAT portal account is required to make use of the API. Such an account can be obtained through the OPSWAT portal: https://portal.opswat.com

Another requirement is a working Suricata installation built with libnss/libnspr support, as described in the Installation section above.

Along with the OPSWAT API key for Metadefender Cloud (they call it License Key) and the working Suricata installation, some configuration (PacketFence based AND Suricata based) is also required.

Assuming that all the steps for Suricata MD5 extraction have been followed, here's what to do next.

On the Suricata server (syslog-ng is preferred due to easier and more powerful configuration; if it is not installed, it might be an idea):

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending MD5 file store log entries to PacketFence:

# PacketFence OPSWAT Metadefender Cloud integration
# This line specifies where the files-json.log file is located
# -> Make sure to configure the right path along with the right filename
source s_suricata_files { file("MY_SURICATA_LOG_FILES_PATH/files-json.log" program_override("suricata_files") flags(no-parse)); };
# This line tells syslog-ng to send the data read to the PacketFence management interface IP address using UDP 514
# -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_suricata_files source and send it to the d_packetfence destination
log { source(s_suricata_files); destination(d_packetfence); };

A restart of the syslog-ng daemon is required:


service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Configure /etc/rsyslog.d/suricata_files.conf by adding the following, which will enable reception of Suricata MD5 file store log entries:

if $programname == 'suricata_files' then /usr/local/pf/var/suricata_files
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/suricata_files

Restart the rsyslog daemon:

service rsyslog restart

At this point, Suricata should be able to extract the MD5 checksum of downloaded files and send the related log entry to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the OPSWAT Metadefender Cloud integration.

Configuration of a new syslog parser should use the following:

Type: suricata_http
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/suricata_files

Configuration of a new violation can use the following trigger types:

Type: metascan
Trigger ID: The scan result returned by Metadefender Cloud online

Type: suricata_md5
Trigger ID: The MD5 hash returned by Suricata

Security Onion

Installation and Configuration

Security Onion is an Ubuntu based security suite. The latest installation instructions are available directly from the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/Installation


Since a security suite consists of multiple pieces of software tied together, you may be prompted for different options during the installation process. A detailed Production Deployment guide can also be found directly on the Security Onion website: https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment

PacketFence integration

Once Security Onion is installed and minimally configured, integration with PacketFence is required to be able to raise violations based on sensor(s) alerts. syslog is used to forward sensor(s) alerts from Security Onion to the PacketFence detection mechanisms.

The simplest way is as follows (based on https://github.com/Security-Onion-Solutions/security-onion/wiki/ThirdPartyIntegration):

On the Security Onion server:

Note

Must be done on the master server running sguild.

Configure /etc/syslog-ng/syslog-ng.conf by adding the following to enable sending sguild log entries to PacketFence:

# PacketFence IDS integration
# This line specifies where the sguild.log file is located -> Make sure to configure the right path along with the right filename (on a Security Onion setup, that should be pretty much standard)
source s_sguil { file("/var/log/nsm/securityonion/sguild.log" program_override("securityonion_ids")); };
# This line filters on the string "Alert Received"
filter f_sguil { match("Alert Received"); };
# This line tells syslog-ng to send the data read to the PacketFence management IP address using UDP 514 -> Make sure to configure the right PacketFence management interface IP address
destination d_packetfence { udp("PACKETFENCE_MGMT_IP" port(514)); };
# This line indicates syslog-ng to use the s_sguil source, apply the f_sguil filter and send it to the d_packetfence destination
log { source(s_sguil); filter(f_sguil); destination(d_packetfence); };

A restart of the syslog-ng daemon is then required:

service syslog-ng restart

On the PacketFence server:

Modify the rsyslog configuration to allow incoming UDP packets by uncommenting the following two lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514


Configure /etc/rsyslog.d/securityonion_ids.conf by adding the following, which will enable reception of Security Onion sguild log entries:

if $programname == 'securityonion_ids' then /usr/local/pf/var/securityonion_ids
& ~

Make sure the receiving alert pipe (FIFO) exists:

mkfifo /usr/local/pf/var/securityonion_ids

Restart the rsyslog daemon:

service rsyslog restart

At this point, Security Onion should be able to send detected alert log entries to PacketFence.

The configuration of a new syslog parser as well as some violations are the only remaining steps to make full use of the Security Onion IDS integration.

Configuration of a new syslog parser should use the following:

Type: security_onion
Alert pipe: the previously created alert pipe (FIFO), which is in this case /usr/local/pf/var/securityonion_ids

Configuration of a new violation can use the following trigger types:

Type: detect
Trigger ID: The IDS triggered rule ID

Type: suricata_event
Trigger ID: The rule class of the triggered IDS alert

Violations

In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a violation.

PacketFence violations are configured in Configuration → Violations.

The example below will guide you to create a violation that will isolate devices that have generated peer-to-peer traffic and that are using Mac OS X, or that have a malware and are using Microsoft Windows.

Violation definition

First, you need to configure the violation definition:


Where:

Enabled is whether or not the violation is currently activated (should be ON).

Identifier is the violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.

Description is the user-friendly description of the violation.

Actions is the list of actions to be executed when this violation is raised:

Unregister node will unregister the node.

Send email to owner will email the violation details to the owner of the device. Will only work if the person has its email field populated.

Send email to admin will email the violation details to the address specified in [alerting].emailaddr using [alerting].smtpserver. Multiple emailaddr can be separated by comma.

Reevaluate access will place the device in the destination VLAN configured in the violation. It opens a violation and leaves it open. If it is not there, the violation is opened and then automatically closed.

Log message will log the violation in the log file defined in [alerting].log.

External command will execute a command on the operating system when this violation is raised.

Close a violation will close an existing violation for this device when this one is raised.

Set role will modify the role of the device.


Enforce provisioning will trigger a check of compliance on the provisioners defined for the device.

Priority defines the order in which violations should be handled, should there be more than one for a device.

Whitelisted Roles is the list of roles that are not affected by this violation.

Triggers

Next, in the Triggers tab, you need to define the triggers that will raise the violation. In the case of this example, it will be these two cases: a device that has generated peer-to-peer traffic and that is using Mac OS X, and a device that has been detected as being a rogue DHCP.

Click the + sign at the top right in order to create a new trigger, then in the dropdown select Suricata.

A menu will appear in which you can select ET P2P, which will match all P2P alerts from Suricata.

Once you have added this trigger, select Device from the dropdown and enter 38, which is the device identifier for Mac OS X.

Next, hit the < button, then the + to add another trigger.

Select the type Internal, then in the menu that appears below it select Rogue DHCP detection and click Add.

Remediation

Next, in the Remediation tab, you can configure the behavior when a client gets isolated:


Where:

Auto Enable is whether or not the user can release the violation himself after acknowledging the message on the captive portal.

Max Enables is the number of times a user can use the Auto Enable functionality. After this number of times, she will not be able to release the violation and it will have to be manually released by an administrator using the PacketFence administration interface.

Grace is the amount of time before the violation can reoccur. This is useful to allow hosts time (in the example, 2 minutes) to download tools to fix their issue or shut off their peer-to-peer application.

Dynamic Window will only work for accounting violations. The violation will be opened according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month; if you bust the bandwidth after 3 days, the violation will open and the release date will be set to the last day of the current month).

Window is the amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead.


Delay by is the delay before triggering the violation.

Template is the HTML template the host will be redirected to while in violation. You can create new templates from the Portal Profiles configuration section.

Button text is the text of the button that is used when the user is releasing the violation directly from the captive portal.

Advanced

In the Advanced tab, you configure the destination VLAN of the device when it has the Reevaluate access action, and its redirection URL when the user is released.

Compliance Checks

PacketFence supports either Nessus, OpenVAS or WMI as a scanning engine for compliance checks. Since PacketFence v5.1, you are able to create multiple scan engine configurations and assign them to specific captive portals. It means, for example, that you are now able to activate a scan for a specific Operating System only on a specific SSID.

Installation

Nessus

Please visit http://www.nessus.org/download/ to download Nessus v5 and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server and to create a user for PacketFence.

Note: You may run into some issues while using Nessus with the Net::Nessus::XMLRPC module (which is the default behavior in PacketFence). Please refer to the bug tracking system for more information.

OpenVAS

Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the filenames.


For example, report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

WMI

You just have to enable WMI on each Windows device with a GPO from Active Directory.

Configuration

In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you need to configure these sections:

Scanner Definition

First, go in Configuration and Scanner Definition.

Then add a scan.

There are common parameters for each scan engine:

Name: the name of your scan engine
Roles: Only devices with these role(s) will be affected (Optional)
OS: Only devices with this Operating System will be affected (Optional)
Duration: Approximate duration of the scan (progress bar on the captive portal)
Scan before registration: Trigger the scan when the device appears on the registration VLAN
Scan after registration: Trigger the scan just after registration on the captive portal
Scan after registration: Trigger the scan on the production network (pfdhcplistener must receive production DHCP traffic)
802.1x: Even if auto-registration has been enabled, the scan will be triggered on an EAP connection
802.1x types: comma delimited EAP types that will trigger the scan if 802.1x above has been enabled

Specific to Nessus:

Hostname or IP Address: Hostname or IP Address where Nessus is running
Username: Username to connect to the Nessus scan
Password: Password to connect to the Nessus scan
Port of the service: port to connect to (default 8834)
Nessus client policy: the name of the policy to use for the scan (must be defined on the Nessus server)

Specific to OpenVAS:

Hostname or IP Address: Hostname or IP Address where OpenVAS is running
Username: Username to connect to the OpenVAS scan
Password: Password to connect to the OpenVAS scan
Port of the service: port to connect to (default 9390)
OpenVAS config ID: the ID of the scanning configuration on the OpenVAS server


Specific to WMI:

Username: A username from Active Directory that is allowed to connect to WMI
Domain: Domain of the Active Directory
Password: Password of the account
WMI Rules: Ordered list of WMI rules you defined in Configuration → WMI Rules Definition

WMI Rules Definition

If you have configured a WMI scan engine, then you need to define WMI Rules. WMI is a sort of database on each Windows device; to retrieve information on the device, you need to know the SQL request. To help you find and make a rule, you can use a third party tool like WMI Explorer.

Go in Configuration → WMI Rules Definition.

There are already 3 rules defined:

Software_Installed
logged_user
Process_Running

Let's take the Software_Installed rule:

request: select * from Win32_Product

Rules Actions:

[Google]
attribute = Caption
operator = match
value = Google

[1:Google]
action=trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL

This rule will do the following:

retrieve all the installed software on the device and test if the attribute Caption contains Google; if it matched, then we will trigger a violation (with the trigger internal::888888) for the MAC address of the device.

The second one, logged_user:

request: select UserName from Win32_ComputerSystem


Rules Actions:

[UserName]
attribute = UserName
operator = match
value = (.*)

[1:UserName]
action = dynamic_register_node
action_param = mac = $mac, username = $result->{UserName}

This rule will do the following:

retrieve the currently logged user on the device and register the device based on the user account.

The last one, Process_Running:

request: select Name from Win32_Process

Rules Actions:

[explorer]
attribute = Name
operator = match
value = explorer.exe

[1:explorer]
action = allow

This rule will do the following:

retrieve all the running processes on the device and if one matches explorer.exe, then we bypass the scan.

Rules syntax

The syntax of the rules is simple to understand:

the request is the SQL request you will launch on the remote device; you must know what the request will return in order to write the test.

Inside the Rules Actions we define 2 sorts of blocs: the test bloc (i.e. [explorer]) and the action bloc (i.e. [1:explorer]).


The test bloc is a simple test based on the result of the request:
- attribute is the attribute you want to test
- operator can be is, is_not, match, match_not
- value is the value you want to compare

Feel free to define multiple test blocs.

The action bloc is where you will define your logic. For example, let's take this one: [1:google&explorer]. This means that if the google test is true and the explorer test is true, then we execute the action. The logic can be more complex and can be something like [1:!google|(explorer&memory)], which means: if not google, or (explorer and memory).
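As an added illustration of the rule syntax just described (example code written for this guide, not PacketFence's own implementation), the following Python evaluates a Rules Actions body against the rows a request returned: it separates test blocs from action blocs, applies the is / is_not / match / match_not operators, and evaluates the action-bloc logic with !, &, | and parentheses. It assumes that match is a regular-expression search, that a test bloc holds when any returned row satisfies it, and that & binds tighter than |; the rule set and the rows are constructed.

```python
import re
from configparser import ConfigParser

# Operators the guide lists for a test bloc; "match" is assumed to be a regex search.
OPERATORS = {"is": lambda got, want: got == want, "is_not": lambda got, want: got != want,
             "match": lambda got, want: re.search(want, got) is not None,
             "match_not": lambda got, want: re.search(want, got) is None}

def parse_rules_actions(text):
    """Split a 'Rules Actions' body into test blocs ([name]) and action blocs ([1:<logic>])."""
    cp = ConfigParser(interpolation=None)   # values contain "$mac", so no interpolation
    cp.optionxform = str                    # keep key case exactly as written
    cp.read_string(text)
    tests, actions = {}, []
    for section in cp.sections():
        items = dict(cp.items(section))
        if section.startswith("1:"):
            actions.append((section[2:].strip(), items))
        else:
            tests[section] = items
    return tests, actions

def run_test(test, rows):
    """A test bloc holds if any row returned by the request satisfies it (assumption)."""
    compare = OPERATORS[test["operator"]]
    attr, want = test["attribute"], test["value"]
    return any(attr in row and compare(str(row[attr]), want) for row in rows)

class _Logic:
    """Evaluates action-bloc logic: '!' not, '&' and, '|' or, parentheses ('&' binds tighter)."""
    def __init__(self, expr, results):
        self.tokens = re.findall(r"[A-Za-z0-9_]+|[!&|()]", expr)
        self.results, self.pos = results, 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def parse_or(self):                     # or-expr := and-expr ('|' and-expr)*
        val = self.parse_and()
        while self.peek() == "|":
            self.take()
            val = self.parse_and() or val   # parse the right side first, then combine
        return val
    def parse_and(self):                    # and-expr := not-expr ('&' not-expr)*
        val = self.parse_not()
        while self.peek() == "&":
            self.take()
            val = self.parse_not() and val
        return val
    def parse_not(self):                    # not-expr := '!' not-expr | '(' or-expr ')' | name
        tok = self.take()
        if tok == "!":
            return not self.parse_not()
        if tok == "(":
            val = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in action bloc")
            return val
        if tok not in self.results:
            raise ValueError("unknown or misplaced token %r in action bloc" % (tok,))
        return self.results[tok]

def _holds(expr, results):
    logic = _Logic(expr, results)
    val = logic.parse_or()
    if logic.peek() is not None:
        raise ValueError("trailing tokens in action bloc %r" % expr)
    return val

def evaluate(rules_text, rows):
    """Return the action dicts of every action bloc whose logic holds for these rows."""
    tests, actions = parse_rules_actions(rules_text)
    results = {name: run_test(test, rows) for name, test in tests.items()}
    return [items for expr, items in actions if _holds(expr, results)]

# Constructed sample (not from the guide): blocs named after its [1:!google|(explorer&memory)] example.
SAMPLE_RULES = """
[google]
attribute = Caption
operator = match
value = Google
[explorer]
attribute = Name
operator = match
value = explorer.exe
[memory]
attribute = Name
operator = is_not
value = memtest.exe
[1:!google|(explorer&memory)]
action = trigger_violation
action_param = mac = $mac, tid = 888888, type = INTERNAL
[1:explorer]
action = allow
"""
SAMPLE_ROWS = [{"Caption": "Google Chrome", "Name": "chrome.exe"},
               {"Caption": "Windows Explorer", "Name": "explorer.exe"}]
```

Calling evaluate(SAMPLE_RULES, SAMPLE_ROWS) returns both action blocs, since the first expression is true and explorer.exe is running; a row set without explorer.exe fires neither.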

Violations definition

You need to create a new violation section and have to specify:

Using Nessus:

trigger=Nessus::<violationId>

Using OpenVAS:

trigger=OpenVAS::<violationId>

Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

$ pfcmd reload violations

Note: Violations will trigger if the plugin is higher than a low severity vulnerability.

Assign Scan definition to portal profiles

The last step is to assign one or more scanners you configured to one or more portal profiles. Go in Configuration → Portal Profiles → Edit a Portal → Add Scan.

Hosting Nessus / OpenVAS remotely

Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:


PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used.

The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

If you are using the OpenVAS scanning engine:

The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise, PacketFence won't be notified of completed scans.

You must have a valid SSL certificate on your PacketFence server.

If you are using the Nessus scanning engine:

You just have to change the host value to the Nessus server IP.

RADIUS Accounting

RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

Violations

Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

Accounting::[DIRECTION]::[LIMIT]::[INTERVAL (optional)]

Let's explain each chunk properly:

DIRECTION: You can either set a limit to inbound (IN), outbound (OUT) or total (TOT) bandwidth.

LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB) or petabytes (PB).

INTERVAL: This is actually the time window in which we will look for potential abuse. You can set a number of days (D), weeks (W), months (M) or years (Y).

Example triggers:

Look for Incoming (Download) traffic with a 50GB/month limit:

Accounting::IN::50GB::1M

Look for Outgoing (Upload) traffic with a 500MB/day limit:

Accounting::OUT::500MB::1D

Look for Total (Download + Upload) traffic with a 200GB limit in the last week:


Accounting::TOT::200GB::1W
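To show how an Accounting trigger is interpreted, here is an added Python example (written for this guide, not PacketFence's own code) that parses the Accounting::[DIRECTION]::[LIMIT]::[INTERVAL] format, converts the limit to bytes and the interval to a time window, and checks a constructed set of accounting sessions against it. Size units are assumed to be powers of 1024 and months and years are approximated as 30 and 365 days, since the guide does not state either.

```python
import re
from datetime import datetime, timedelta

# Size units the guide lists (powers of 1024 assumed; the guide does not say which base).
UNIT_BYTES = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# Interval units the guide lists; months and years approximated by fixed day counts (assumption).
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(
    r"^Accounting::(?P<direction>IN|OUT|TOT)::(?P<limit>\d+)(?P<unit>B|KB|MB|GB|PB)"
    r"(?:::(?P<interval>\d+)(?P<iunit>D|W|M|Y))?$"
)

def parse_trigger(trigger):
    """Return (direction, limit_in_bytes, window) for an Accounting trigger.
    window is None when the optional INTERVAL chunk is absent (all-time total)."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError("not a valid Accounting trigger: %r" % trigger)
    limit = int(m["limit"]) * UNIT_BYTES[m["unit"]]
    window = None
    if m["interval"]:
        window = timedelta(days=int(m["interval"]) * INTERVAL_DAYS[m["iunit"]])
    return m["direction"], limit, window

def usage_in_window(sessions, direction, window, now):
    """Sum the bytes in the given direction over sessions that ended inside the window."""
    total = 0
    for ended, in_bytes, out_bytes in sessions:
        if window is not None and ended < now - window:
            continue  # older than the interval: outside the window we look at
        total += {"IN": in_bytes, "OUT": out_bytes, "TOT": in_bytes + out_bytes}[direction]
    return total

def trigger_fires(trigger, sessions, now):
    """True when the node's accounting data exceeds the trigger's limit."""
    direction, limit, window = parse_trigger(trigger)
    return usage_in_window(sessions, direction, window, now) > limit

def recommended_grace(trigger):
    """The guide recommends a grace period of one interval window (None if no interval)."""
    return parse_trigger(trigger)[2]

GIB, MIB = 1024 ** 3, 1024 ** 2
# Constructed accounting sessions for one node: (session end, bytes in, bytes out).
SAMPLE_SESSIONS = [
    (datetime(2016, 6, 29, 23, 0), 2 * GIB, 600 * MIB),
    (datetime(2016, 6, 28, 8, 0), 30 * GIB, 1 * GIB),
    (datetime(2016, 6, 10, 12, 0), 25 * GIB, 2 * GIB),
    (datetime(2016, 4, 1, 9, 0), 100 * GIB, 5 * GIB),
]
NOW = datetime(2016, 6, 30, 0, 0)  # the moment the check runs (constructed)

if __name__ == "__main__":
    for trig in ("Accounting::IN::50GB::1M", "Accounting::OUT::500MB::1D",
                 "Accounting::TOT::200GB::1W", "Accounting::TOT::200GB"):
        print(trig, "->", trigger_fires(trig, SAMPLE_SESSIONS, NOW))
```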

Grace period

When using such violation features, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network and gets caught after 1 byte is transmitted) or too high. We recommend that you set the grace period to one interval window.

Oinkmaster

Oinkmaster is a Perl script that makes it possible to update the different Snort rules very easily. It is simple to use and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

Please visit http://oinkmaster.sourceforge.net/download.shtml to download Oinkmaster. A sample Oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

Configuration

Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest Oinkmaster archive.

1. Untar the freshly downloaded Oinkmaster.

2. Copy the required Perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib/ and oinkmaster.pl.

3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf.

4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

Rules update

In order to get periodic updates for the PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00.

0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)


Guests Management

PacketFence supports the ability to manage guests by establishing expiry dates and assigning different roles which will permit different accesses to the network resources.

Guests can self-register using an activation code sent to their mobile phone, or they can use their email address and receive an activation link to activate their network access.

PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access, an email is sent to the sponsor, and the sponsor must click on a link and authenticate in order to enable his access.

Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

The admin GUI allows PacketFence administrators or guest managers to create single accounts, multiple accounts using a prefix (i.e. guest1, guest2, guest3...) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

Usage

Guest self-registration

Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.


Managed guests

Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users → Create menu.

Guest pre-registration

Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443, and to make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https://<hostname>/signup

Caution: Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

Note: A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.


Configuration

Guest self-registration

It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_self_registration]
guest_pid=email
preregistration=disabled

These parameters can also be configured from the Configuration → Self Registration section of the Web admin interface.

Available registration modes are defined on a per-portal-profile basis. These are configurable from Configuration → Portal Profiles. To disable the self-registration feature, simply remove all self-registration sources from the portal profile definition. Notice, however, that if your default portal profile has no source, it will use all authentication sources.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Note

A portal interface type is required to use this feature. A portal interface type can be added to any network interface using the web admin GUI.

Self-registered guests are added under the Users tab of the PacketFence Web administration interface.

Managed guests

It is possible to modify the default values of the guests created from the Web admin interface by editing /usr/local/pf/conf/pf.conf.

Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

[guests_admin_registration]
access_duration_choices=1h,3h,12h,1D,2D,3D,5D
default_access_duration=12h

The format of the duration is as follows:


<DURATION><DATETIME_UNIT>[<PERIOD_BASE><OPERATOR><DURATION><DATE_UNIT>]

Let's explain the meaning of each parameter:

DURATION: a number corresponding to the period duration.

DATETIME_UNIT: a character corresponding to the units of the date or time duration; either s (seconds), m (minutes), h (hours), D (days), W (weeks), M (months) or Y (years).

PERIOD_BASE: either F (fixed) or R (relative). A relative period is computed from the beginning of the period unit. Weeks start on Monday.

OPERATOR: either + or -. The duration following the operator is added to or subtracted from the base duration.

DATE_UNIT: a character corresponding to the units of the extended duration. Limited to date units (D (days), W (weeks), M (months) or Y (years)).

These parameters can also be configured from the Configuration → Admin Registration section of the Web admin interface.

From the Users page of the PacketFence Web admin interface, it is possible to set the access duration of users, change their password and more.

Guest pre-registration

To minimally configure guest pre-registration, you must make sure that the following statement is set under [guests_self_registration] in /usr/local/pf/conf/pf.conf:

[guests_self_registration]
preregistration=enabled

This parameter can also be configured from the Configuration → Self Registration section.

Finally, it is advised that you read the whole guest self-registration section, since pre-registration is simply a twist of the self-registration process.

Caution

A valid MTA configured in PacketFence is needed to correctly relay emails related to the guest module. If localhost is used as SMTP server, make sure that an MTA is installed and configured on the server.

Active Directory Integration

Deleted Account

Create the script unreg_node_deleted_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister deleted Active Directory account based on the UserName.
#
# Event 4726 ("A user account was deleted"); ReplacementStrings[0] holds the deleted account name.
Get-EventLog -LogName Security -InstanceId 4726 |
 Select ReplacementStrings,"Account name" |
 ForEach-Object {
 $url = "https://IP_PACKETFENCE:9090/"
 $username = "admin" # Username for the webservices
 $password = "admin" # Password for the webservices
 # Accepts any server certificate (TLS validation is disabled for the self-signed PacketFence cert)
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
 # JSON-RPC call asking PacketFence to unregister every node owned by this pid
 $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

 $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
 $web = [System.Net.WebRequest]::Create($url)
 $web.Method = "POST"
 $web.ContentLength = $bytes.Length
 $web.ContentType = "application/json-rpc"
 $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
 $stream = $web.GetRequestStream()
 $stream.Write($bytes, 0, $bytes.Length)
 $stream.Close()

 $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
 $reader.ReadToEnd()
 $reader.Close()
 }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-deleted-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4726

Actions → New


Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_deleted_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel, in order to unregister multiple nodes at the same time.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Disabled Account

Create the script unreg_node_disabled_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.

# Powershell script to unregister disabled Active Directory account based on the UserName.
#
# Event 4725 ("A user account was disabled"); ReplacementStrings[0] holds the disabled account name.
Get-EventLog -LogName Security -InstanceId 4725 |
 Select ReplacementStrings,"Account name" |
 ForEach-Object {
 $url = "https://IP_PACKETFENCE:9090/"
 $username = "admin" # Username for the webservices
 $password = "admin" # Password for the webservices
 # Accepts any server certificate (TLS validation is disabled for the self-signed PacketFence cert)
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
 # JSON-RPC call asking PacketFence to unregister every node owned by this pid
 $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

 $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
 $web = [System.Net.WebRequest]::Create($url)
 $web.Method = "POST"
 $web.ContentLength = $bytes.Length
 $web.ContentType = "application/json-rpc"
 $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
 $stream = $web.GetRequestStream()
 $stream.Write($bytes, 0, $bytes.Length)
 $stream.Close()

 $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
 $reader.ReadToEnd()
 $reader.Close()
 }


Create the scheduled task based on an event ID:

Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-disabled-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4725

Actions → New

Action: Start a program
Program/script: powershell.exe
Add arguments (optional): C:\scripts\unreg_node_disabled_account.ps1

Settings

At the bottom, select in the list: Run a new instance in parallel.

Validate with Ok and give the account who will run this task (usually DOMAIN\Administrator).

Locked Account

Create the script unreg_node_locked_account.ps1 on the Windows Server with the following content. Make sure to change IP_PACKETFENCE to the IP address of your PacketFence server. You'll also need to change the username and password as they must match the credentials defined in the Web admin interface under Configuration → Web Services.


# Powershell script to unregister locked Active Directory account based on the UserName.
#
# Event 4740 ("A user account was locked out"); ReplacementStrings[0] holds the locked account name.
Get-EventLog -LogName Security -InstanceId 4740 |
 Select ReplacementStrings,"Account name" |
 ForEach-Object {
 $url = "https://IP_PACKETFENCE:9090/"
 $username = "admin" # Username for the webservices
 $password = "admin" # Password for the webservices
 # Accepts any server certificate (TLS validation is disabled for the self-signed PacketFence cert)
 [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
 # JSON-RPC call asking PacketFence to unregister every node owned by this pid
 $command = '{"jsonrpc": "2.0", "method": "unreg_node_for_pid", "params": ["pid", "'+$_.ReplacementStrings[0]+'"]}'

 $bytes = [System.Text.Encoding]::ASCII.GetBytes($command)
 $web = [System.Net.WebRequest]::Create($url)
 $web.Method = "POST"
 $web.ContentLength = $bytes.Length
 $web.ContentType = "application/json-rpc"
 $web.Credentials = New-Object System.Net.NetworkCredential($username, $password)
 $stream = $web.GetRequestStream()
 $stream.Write($bytes, 0, $bytes.Length)
 $stream.Close()

 $reader = New-Object System.IO.StreamReader -ArgumentList $web.GetResponse().GetResponseStream()
 $reader.ReadToEnd()
 $reader.Close()
 }

Create the scheduled task based on an event ID: Start → Run → Taskschd.msc

Task Scheduler → Task Scheduler Library → Event Viewer Task → Create Task

General

Name: PacketFence-Unreg_node-for-locked-account
Check: Run whether user is logged on or not
Check: Run with highest privileges

Triggers → New

Begin the task: On an event
Log: Security
Source: Microsoft Windows security auditing
Event ID: 4740


ActionsrarrNew

Action Start a programProgramscript powershellexeAdd arguments (optional) Cscriptsunreg_node_locked_accountps1

Settings

At the bottom select in the list Run a new instance in parallel

ValidatewithOkandgivetheaccountwhowillrunthistask(UsuallyDOMAINAdministrator)

DHCPremotesensor

TheDHCPremotesensorconsistsofalightweightbinarythatisinstalledonyourproductionDHCPserverinordertoreplicatetheDHCPtraffic1to1tothePacketFenceserverThissolutionismorereliablethantheDHCPrelayingsincePacketFencereceivesacopyofallyourDHCPtrafficandnotonlythebroadcastedDHCPtrafficSupportedDHCPserversareMicrosoftDHCPserverandCentOS6and7

ThesesensorsworkbycapturingthepacketsatthelowestlevelpossibleonyourDHCPserverandforwardthemtothePacketFencemanagementinterface

MicrosoftDHCPsensorYouwillfirstneedtodownloadandinstallWinPcapavailablefromhttpwwwwinpcaporginstall

YouwillalsoneedtodownloadandinstallMicrosoftVisualC++2010Redistributableavailablefromhttpwwwmicrosoftcomdownloaddetailsaspxid=5555

NoteYou absolutely need to install the 32-bit version of Microsoft Visual C++ 2010Redistributableevenifyouareusinga64-bitoperatingsystem

Then get the remote sensor from Inversersquos download website httpinversecadownloadsPacketFenceudp-reflectorudp_reflectorexe

Create the directory C:\udp-reflector and move the downloaded file inside.

Now we will create a service so the reflector starts on boot.

First, download and unzip nssm from http://nssm.cc/download

Next, create a batch file udpreflector.bat in C:\udp-reflector that contains:

C:\udp-reflector\udp_reflector.exe -s pcap0:67 -d 192.168.1.5:767 -b 25000

where pcap0 is the interface on which your DHCP server is listening (use C:\udp-reflector\udp_reflector.exe -l to list interfaces) and 192.168.1.5 is the management IP of your PacketFence server.

Then run: nssm install udpreflector

In Application:

In Path, set it to C:\udp-reflector\udpreflector.bat
In Startup directory, set it to C:\udp-reflector
In Arguments, set it to nothing

In Details:

In Startup type, select Automatic

In Log on:

In Log on as, select Local System account

Then press Install service.

The DHCP traffic should now be reflected to your PacketFence server.

Linux based sensor

First, download the RPM on your DHCP server.

CentOS 6 and 7 servers

For CentOS 6:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS6/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

For CentOS 7:

# for x86_64
wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First, make sure you have the following packages installed:

libpcap libpcap-devel gcc-c++

Get the source code of the sensor and build it:

mkdir -p ~/udp-reflector && cd ~/udp-reflector
wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the sensor

Place the following line in /etc/rc.local so the sensor starts on boot:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

where pcap0 is the pcap interface on which your DHCP server listens (list them using udp_reflector -l) and 192.168.1.5 is the management IP of your PacketFence server.

Start the sensor:

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

The DHCP traffic should now be reflected to your PacketFence server.

Switch login access

PacketFence is able to act as an authentication and authorization service for granting command-line interface (CLI) access to switches. PacketFence currently supports Cisco switches, and these must be configured using the following guide: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/116291-configure-freeradius-00.html

From the PacketFence web admin interface, you must configure an Admin Access role (Configuration → Admin access) that contains the action "Switches CLI - Read" or "Switches CLI - Write", and assign this role to an internal user or in an Administration rule of an internal source.

Operating System Best Practices

IPTables

IPTables is now entirely managed by PacketFence. If you need some custom rules, you can modify conf/iptables.conf to your own needs; however, the default template should work for most users.

Log Rotations

PacketFence can generate a lot of log entries in huge production environments. This is why we recommend using logrotate to periodically rotate your logs. A working logrotate script is provided with the PacketFence package. This script is located in /usr/local/pf/addons/ and is configured to do a weekly log rotation, keeping old logs with compression. It is added during the PacketFence initial installation.

Performance optimization

SNMP Traps Limit

PacketFence mainly relies on SNMP traps to communicate with equipment. Since traps coming in from approved (configured) devices are all processed by the daemon, someone who wants to put load on the PacketFence server could force the generation of non-legitimate SNMP traps, or a switch can randomly generate a high quantity of traps sent to PacketFence for an unknown reason.

Because of that, it is possible to limit the number of SNMP traps coming in from a single switch port and take action if that limit is reached. For example, if over 100 traps are received by PacketFence from the same switch port in a minute, the switch port will be shut and a notification email will be sent.

Here's the default config for the SNMP traps limit feature. As you can see, by default PacketFence will log the abnormal activity after 100 traps from the same switch port in a minute. These settings are in the conf/pf.conf file:

[vlan]
trap_limit = enabled
trap_limit_threshold = 100
trap_limit_action =

Alternatively, you can configure these parameters from the PacketFence web administrative GUI, in the Configuration → SNMP section.
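As an added illustration (not PacketFence's own code), the following Python reproduces the threshold rule described above over constructed trap records: it counts traps per (switch, ifIndex) in a sliding one-minute window and flags a port the first time it exceeds trap_limit_threshold, which is the point where trap_limit_action would be applied. The record format and the switch addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Defaults from the [vlan] section of conf/pf.conf shown above.
TRAP_LIMIT_THRESHOLD = 100   # more than this many traps from one port ...
WINDOW_SECONDS = 60          # ... within one minute triggers the action

class TrapLimiter:
    """Sliding-window trap counter per (switch, ifIndex).

    record() returns True once per port, on the trap that pushes the count
    within the last WINDOW_SECONDS above the threshold; that is the point
    where PacketFence would apply trap_limit_action (log, shut the port,
    send the notification email)."""

    def __init__(self, threshold=TRAP_LIMIT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # (switch, ifIndex) -> trap timestamps
        self.flagged = set()

    def record(self, switch, if_index, ts):
        key = (switch, if_index)
        q = self.events[key]
        q.append(ts)
        # Expire traps that have fallen out of the one-minute window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) > self.threshold and key not in self.flagged:
            self.flagged.add(key)
            return True
        return False

def process_trap_log(lines, limiter=None):
    """Replay constructed trap records '<epoch> <switch_ip> <ifIndex> <trap>'
    through a limiter; return the (switch, ifIndex) pairs that tripped it."""
    limiter = limiter or TrapLimiter()
    tripped = []
    for line in lines:
        ts, switch, if_index, _trap_name = line.split(maxsplit=3)
        if limiter.record(switch, int(if_index), int(ts)):
            tripped.append((switch, int(if_index)))
    return tripped

def burst_log(switch, if_index, count, start=1465912800, spacing=0):
    """Constructed sample data: `count` linkUp traps from one port, `spacing`
    seconds apart (0 = all within the same second)."""
    return [f"{start + i * spacing} {switch} {if_index} linkUp" for i in range(count)]

if __name__ == "__main__":
    # 101 traps in one second trip the limiter; 101 traps one second apart
    # never hold more than 60 in the window and are left alone.
    print(process_trap_log(burst_log("192.0.2.10", 10001, 101)))
    print(process_trap_log(burst_log("192.0.2.10", 10001, 101, spacing=1)))
```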

MySQL optimizations

Tuning MySQL

If your PacketFence system is acting very slow, this could be due to your MySQL configuration. You should do the following to tune performance.

Check the system load:

# uptime
11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79

Check iostat and CPU:

# iostat 5
avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    3.20   20.20   76.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       32.40         0.00      1560.00          0       7800

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.20    9.20   88.00

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        7.80         0.00        73.60          0        368

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    1.80   23.80   73.80

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       31.40         0.00      1427.20          0       7136

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.40   18.16   78.84

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       27.94         0.00      1173.65          0       5880

As you can see, the load is 1.25 and IOWait is peaking at 20%. This is not good. If your IO wait is low but your MySQL is taking +50% CPU, this is also not good. Check your MySQL install for the following variables:

mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 |
| innodb_autoextend_increment     | 8       |
| innodb_buffer_pool_awe_mem_mb   | 0       |
| innodb_buffer_pool_size         | 8388608 |

PacketFence relies heavily on InnoDB, so you should increase the buffer_pool size from the default values.

Shut down PacketFence and MySQL:

# /etc/init.d/packetfence stop
Shutting down PacketFence...
[...]
# /etc/init.d/mysql stop
Stopping MySQL:                                            [  OK  ]

Edit /etc/my.cnf (or your local my.cnf):

[mysqld]
# Set buffer pool size to 50-80% of your computer's memory
innodb_buffer_pool_size=800M
innodb_additional_mem_pool_size=20M
innodb_flush_log_at_trx_commit=2
innodb_file_per_table

# allow more connections
max_connections=700

# set cache size
key_buffer_size=900M
table_cache=300
query_cache_size=256M

# enable slow query log
log_slow_queries = ON

Start up MySQL and PacketFence:

# /etc/init.d/mysqld start
Starting MySQL:                                            [  OK  ]
# /etc/init.d/packetfence start
Starting PacketFence...
[...]

Wait 10 minutes for PacketFence to initialize the network map, then re-check iostat and CPU:

# uptime
12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5
Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        8.00         0.00        75.20          0        376

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.60    0.00    2.99   13.37   83.03

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0       14.97         0.00       432.73          0       2168

avg-cpu:  %user   %nice    %sys %iowait   %idle
           0.20    0.00    2.60    6.60   90.60

Device:            tps   Blk_read/s   Blk_wrtn/s   Blk_read   Blk_wrtn
cciss/c0d0        4.80         0.00        48.00          0        240

MySQL optimization tool

We recommend that you run the MySQL Tuner on your database setup after a couple of weeks to help you identify MySQL configuration improvements. The tool is bundled with PacketFence and can be run from the command line:

/usr/local/bin/pftest mysql

Keeping tables small

Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).

One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_archive after some time. A closed record is one where the end_time field is set to a date (strictly speaking, it is when end_time is not null and not equal to 0).

We provide a script called database-backup-and-maintenance.sh, located in addons/, that performs this cleanup in addition to optimizing tables on Sunday and taking daily backups.
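As an added example (not the project's database-backup-and-maintenance.sh), the following Python reproduces the archiving rule against an in-memory SQLite stand-in for the two tables so it runs offline: only closed records (end_time not NULL and not the zero date) older than a cutoff are moved, and the copy and delete happen in one transaction. The schema is reduced to a few columns, the MySQL zero date is modelled as the text '0000-00-00 00:00:00', and the rows are constructed.

```python
import sqlite3

# Reduced stand-in for PacketFence's locationlog / locationlog_archive
# tables (constructed for this example; the real schema has more columns).
SCHEMA = """
CREATE TABLE locationlog (
    mac TEXT, switch TEXT, port TEXT, vlan TEXT, start_time TEXT, end_time TEXT);
CREATE TABLE locationlog_archive AS SELECT * FROM locationlog WHERE 0;
"""

# "Closed" as defined above: end_time holds a real date. Both NULL and the
# MySQL zero date mean the entry is still open and must never be archived.
ZERO_DATE = "0000-00-00 00:00:00"
CLOSED = "end_time IS NOT NULL AND end_time <> ?"

def archive_closed_entries(conn, older_than):
    """Move closed rows whose end_time is before `older_than` (ISO text) into
    locationlog_archive and delete them from locationlog, atomically.
    Returns the number of rows moved."""
    where = f"{CLOSED} AND end_time < ?"
    params = (ZERO_DATE, older_than)
    with conn:  # one transaction: the copy and the delete commit together
        cur = conn.execute(
            f"INSERT INTO locationlog_archive SELECT * FROM locationlog WHERE {where}",
            params)
        moved = cur.rowcount
        conn.execute(f"DELETE FROM locationlog WHERE {where}", params)
    return moved

def build_sample_db():
    """Constructed data: two closed entries (one old, one recent) and two
    open ones, one per 'open' encoding. Note that the zero date sorts
    before any real date, so a naive `end_time < cutoff` would archive it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        ("00:11:22:33:44:01", "192.0.2.1", "10001", "20", "2016-05-01 08:00:00", "2016-05-01 17:00:00"),
        ("00:11:22:33:44:02", "192.0.2.1", "10002", "20", "2016-06-01 08:00:00", ZERO_DATE),
        ("00:11:22:33:44:03", "192.0.2.1", "10003", "20", "2016-06-01 08:00:00", None),
        ("00:11:22:33:44:04", "192.0.2.1", "10004", "20", "2016-06-02 08:00:00", "2016-06-02 09:00:00"),
    ]
    conn.executemany("INSERT INTO locationlog VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn

def count_rows(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

def open_macs(conn):
    """MACs whose location entry is still open (must survive every archive run)."""
    rows = conn.execute(
        f"SELECT mac FROM locationlog WHERE NOT ({CLOSED}) ORDER BY mac", (ZERO_DATE,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_sample_db()
    print("moved:", archive_closed_entries(db, "2016-06-01 00:00:00"))
    print("still open:", open_macs(db))
```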

Avoid "Too many connections" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tends to be low (100), so we encourage you to increase that value to at least 300. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.

Avoid "Host <hostname> is blocked" problems

In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can time out. If a connection times out during connection, MySQL will consider this a connection error and, after 10 of these (by default), it will lock the host out with a:

Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'

This will grind PacketFence to a halt, so you want to avoid that at all costs. One way to do so is to increase the maximum number of connections (see above), to periodically flush hosts, or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.

Captive Portal Optimizations

Avoid captive portal overload due to non-browser HTTP requests

By default, we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that many non-user-initiated queries reach PacketFence and waste its resources for nothing, since they are not from browsers (iTunes, Windows update, MSN Messenger, Google Desktop...).

Since version 4.3 of PacketFence, you can define HTTP filters for Apache from the configuration of PacketFence.

Some rules have been enabled by default, like one to reject requests with no defined user agent. All rules, including some examples, are defined in the configuration file apache_filters.conf.

Filters are defined with at least two blocks. First are the tests. For example:

[get_ua_is_dalvik]
filter = user_agent
method = GET
operator = match
value = Dalvik

[get_uri_not_generate204]
filter = uri
method = GET
operator = match_not
value = generate_204

The last block defines the relationship between the tests and the desired action. For example:

[block_dalvik:get_ua_is_dalvik&get_uri_not_generate204]
action = 501
redirect_url =

This filter will return an error code (501) if the user agent is Dalvik and the URI doesn't contain generate_204.

Dashboard Optimizations (statistics collection)

The collection and aggregation of statistics in the whisper database can be IO intensive at times. This means that it can be beneficial to separate them onto another disk, even if it is a virtual disk that will share the same underlying physical disk.

First, add a disk in your virtual machine or bare metal server and reboot (this example will use /dev/sdb as the new device).

Make sure packetfence is stopped:

# service packetfence stop

Create an ext4 partition:

# mkfs.ext4 /dev/sdb

Then move the old databases to a backup point:

# mv /usr/local/pf/var/graphite /usr/local/pf/var/graphite.bak

Mount your new disk and check that it is mounted:

# echo "/dev/sdb /usr/local/pf/var/graphite ext4 defaults 1 1" >> /etc/fstab
# mkdir /usr/local/pf/var/graphite
# mount -a
# df -h

Apply the proper user rights and restore your database from your backup:

# chown pf:pf /usr/local/pf/var/graphite
# cp -frp /usr/local/pf/var/graphite.bak/* /usr/local/pf/var/graphite/

Start packetfence and make sure your stats are still there and being collected properly. Then remove the backup you made:

# rm -fr /usr/local/pf/var/graphite.bak

Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:

packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings, etc.) regarding PacketFence

packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development

packetfence-users@lists.sourceforge.net: User and usage discussions

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca

Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate versions or from another system, tune performance, or align with best practices.

Hourly rates or support packages are offered to best suit your needs.

Please visit http://inverse.ca/ for details.

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.

Appendix A. Administration Tools

pfcmd

pfcmd is the command line interface to most PacketFence functionalities.

When executed without any arguments, pfcmd returns a basic help message with all main options:

Usage: pfcmd <command> [options]

Commands:
  cache                        | manage the cache subsystem
  checkup                      | perform a sanity checkup and report any problems
  class                        | view violation classes
  configfiles                  | push or pull configfiles into/from database
  configreload                 | reload the configution
  floatingnetworkdeviceconfig  | query/modify floating network devices configuration parameters
  help                         | show help for pfcmd commands
  ifoctetshistorymac           | accounting history
  ifoctetshistoryswitch        | accounting history
  ifoctetshistoryuser          | accounting history
  import                       | bulk import of information into the database
  ipmachistory                 | IP/MAC history
  locationhistorymac           | Switch/Port history
  locationhistoryswitch        | Switch/Port history
  networkconfig                | query/modify network configuration parameters
  node                         | manipulate node entries
  pfconfig                     | interact with pfconfig
  portalprofileconfig          | query/modify portal profile configuration parameters
  reload                       | rebuild fingerprint or violations tables without restart
  service                      | start/stop/restart and get PF daemon status
  schedule                     | Nessus scan scheduling
  switchconfig                 | query/modify switches.conf configuration parameters
  version                      | output version information
  violationconfig              | query/modify violations.conf configuration parameters

Please view 'pfcmd help <command>' for details on each option

The node view option shows all information contained in the node database table for a specified MAC address:

# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||

pfcmd_vlan

pfcmd_vlan is the command line interface to most VLAN isolation related functionality.

Again, when executed without any arguments, a help screen is shown:

Usage: pfcmd_vlan command [options]

Command:
  -deauthenticate       de-authenticate a dot11 client
  -deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)
  -getAlias             show the description of the specified switch port
  -getAllMACs           show all MACS on all switch ports
  -getHubs              show switch ports with several MACs
  -getIfOperStatus      show the operational status of the specified switch port
  -getIfType            show the ifType on the specified switch port
  -getLocation          show at which switch port the MAC is found
  -getSwitchLocation    show SNMP location of specified switch
  -getMAC               show all MACs on the specified switch port
  -getType              show switch type
  -getUpLinks           show the upLinks of the specified switch
  -getVersion           show switch OS version
  -getVlan              show the VLAN on the specified switch port
  -getVlanType          show the VLAN type on the specified port
  -help                 brief help message
  -isolate              set the switch port to the isolation VLAN
  -man                  full documentation
  -reAssignVlan         re-assign a switch port VLAN
  -reevaluateAccess     reevaluate the current VLAN or firewall rules of a given MAC
  -runSwitchMethod      run a particular method call on a given switch (FOR ADVANCED PURPOSES)
  -setAlias             set the description of the specified switch port
  -setDefaultVlan       set the switch port to the default VLAN
  -setIfAdminStatus     set the admin status of the specified switch port
  -setVlan              set VLAN on the specified switch port
  -setVlanAllPort       set VLAN on all non-UpLink ports of the specified switch

Options:
  -alias           switch port description
  -ifAdminStatus   ifAdminStatus
  -ifIndex         switch port ifIndex
  -mac             MAC address
  -showPF          show additional information available in PF
  -switch          switch description
  -verbose         log verbosity level
                     0 : fatal messages
                     1 : warn messages
                     2 : info messages
                     3 : debug
                     4 : trace
  -vlan            VLAN id
  -vlanName        VLAN name (as in switches.conf)
