
Administration Guide for PacketFence version 4.5.0

Administration Guide by Inverse Inc.
Version 4.5.0 - Oct 2014
Copyright 2014 Inverse inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL

Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".

Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Table of Contents

About this Guide ... 1
  Other sources of information ... 1
Introduction ... 2
  Features ... 2
  Network Integration ... 5
  Components ... 6
System Requirements ... 7
  Assumptions ... 7
  Minimum Hardware Requirements ... 7
  Operating System Requirements ... 8
Installation ... 9
  OS Installation ... 9
  Software Download ... 10
  Software Installation ... 10
Configuration ... 12
  First Step ... 12
  Web-based Administration Interface ... 13
  Global configuration file (pf.conf) ... 13
  Apache Configuration ... 13
  SELinux ... 14
  Roles Management ... 14
  Authentication ... 15
  Network Devices Definition (switches.conf) ... 17
  Default VLAN/role assignment ... 20
  Inline enforcement configuration ... 21
  Hybrid mode ... 21
  Web Auth mode ... 22
  DHCP and DNS Server Configuration (networks.conf) ... 22
  Production DHCP access ... 23
  Routed Networks ... 25
  FreeRADIUS Configuration ... 28
  Starting PacketFence Services ... 35
  Log files ... 35
  Passthrough ... 35
  Proxy Interception ... 36
Configuration by example ... 37
  Assumptions ... 37
  Network Interfaces ... 38
  Switch Setup ... 39
  switches.conf ... 40
  pf.conf ... 41
  networks.conf ... 42
  Inline enforcement specifics ... 43
Optional components ... 45
  Blocking malicious activities with violations ... 45
  Compliance Checks ... 49
  RADIUS Accounting ... 52
  Oinkmaster ... 53
  Floating Network Devices ... 53
  Guests Management ... 55
  Statement of Health (SoH) ... 58
  Apple and Android Wireless Provisioning ... 60
  SNMP Traps Limit ... 61
  Billing Engine ... 62
  Portal Profiles ... 63
  OAuth2 Authentication ... 64
  Devices Registration ... 66
  Eduroam ... 66
  VLAN Filter Definition ... 71
  Active Directory Integration ... 72
Firewall SSO ... 76
  Fortigate ... 76
  Palo Alto ... 77
Operating System Best Practices ... 79
  IPTables ... 79
  Log Rotations ... 79
  High Availability ... 79
Performance optimization ... 87
  MySQL optimizations ... 87
  Captive Portal Optimizations ... 90
Frequently Asked Questions ... 91
Technical introduction to VLAN enforcement ... 92
  Introduction ... 92
  VLAN assignment techniques ... 92
  More on SNMP traps VLAN isolation ... 93
Technical introduction to Inline enforcement ... 96
  Introduction ... 96
  Device configuration ... 96
  Access control ... 96
  Limitations ... 97
Technical introduction to Hybrid enforcement ... 98
  Introduction ... 98
  Device configuration ... 98
More on VoIP Integration ... 99
  CDP and LLDP are your friend ... 99
  VoIP and VLAN assignment techniques ... 99
  What if CDP/LLDP feature is missing ... 100
Additional Information ... 101
Commercial Support and Contact Information ... 102
GNU Free Documentation License ... 103
A. Administration Tools ... 104
  pfcmd ... 104
  pfcmd_vlan ... 106
  Web Admin GUI ... 108
B. Manual FreeRADIUS 2 configuration ... 109
  Configuration ... 109
  Optional: Wired or Wireless 802.1X configuration ... 110

Chapter 1

About this Guide

This guide will walk you through the installation and the day-to-day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

Network Devices Configuration Guide: Covers switch, controller and access point configuration.

Developers Guide: Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS: This is, at least, a partial list of PacketFence contributors.

NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc: Covers compatibility-related changes, manual instructions and general notes about upgrading.

ChangeLog: Covers all changes to the source code.

These files are included in the package and release tarballs.

Chapter 2

Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort/Suricata IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using Inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as a hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).

802.1X: 802.1X wireless and wired is supported through a FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Point (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus or OpenVAS vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence also supports guest access bulk creation and imports.

Gaming devices registration: A registered user can access a special Web page to register a gaming device of his own. This registration process will require login from the user and then will register gaming devices with a pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.

Network Integration

[Diagram of VLAN enforcement network integration; not reproduced in this transcript.]

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

[Diagram of the PacketFence components; not reproduced in this transcript.]

Chapter 3

System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

Database server (MySQL or MariaDB)
Web server (Apache)

Depending on your setup you may have to install additional components like:

DHCP server (ISC DHCP)
RADIUS server (FreeRADIUS)
NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you are missing some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

The following table provides recommendations for the required components, together with version numbers:

MySQL server: MySQL 5.1
Web server: Apache 2.2
DHCP server: DHCP 4.1
RADIUS server: FreeRADIUS 2.2.0
Snort: Snort 2.9.1
Suricata: Suricata 1.4.1

More recent versions of the software mentioned above can also be used.

Minimum Hardware Requirements

The following provides a list of server hardware recommendations:

Intel or AMD CPU 3 GHz
4 GB of RAM
100 GB of disk space (RAID-1 recommended)
1 Network card
  +1 for high-availability
  +1 for intrusion detection

Operating System Requirements

PacketFence supports the following operating systems on the i386 or x86_64 architectures:

Red Hat Enterprise Linux 6.x Server
Community ENTerprise Operating System (CentOS) 6.x
Debian 7.0 (Wheezy)
Ubuntu 12.04 LTS

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

Web server (httpd)
DHCP server (dhcpd)
FreeRADIUS server (radiusd)
Snort/Suricata Network IDS (snort/suricata)
Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!

Chapter 4

Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with a minimal installation and no additional packages. Then:

Disable Firewall
Disable SELinux
Disable AppArmor
Disable resolvconf

PacketFence manages iptables itself (see "Services start-up" above), so the distribution's own firewall service must not be left running alongside it, or the two rule sets will conflict.

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

yum update

On a Debian or Ubuntu system, do:

apt-get update
apt-get upgrade

Red Hat-based systems

Note

Includes CentOS and Scientific Linux. Both i386 and x86_64 architectures are supported.

RHEL 6.x

Note

These extra steps are required for RHEL 6 systems only. Derivatives such as CentOS or Scientific Linux don't need to take the extra steps.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:

rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian and Ubuntu

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides an RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian and Ubuntu, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

easy installation
everything is packaged as RPM/deb (no more CPAN hassle)
easy upgrade

Software Installation

RHEL/CentOS

In order to use the PacketFence repository:

# rpm -Uvh http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1-1.el6.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

yum groupinstall --enablerepo=packetfence Packetfence-complete

Or, if you prefer, to install only the core PacketFence without all the external services, you can use:

yum install --enablerepo=packetfence packetfence

Debian and Ubuntu

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list with the following content when using Debian 7.0 (Wheezy):

deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy

Or when using Ubuntu 12.04 LTS:

deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
sudo apt-get update
sudo apt-get install packetfence

The apt-key step imports the repository signing key so that apt can verify package signatures; do not skip it, since the repository itself is fetched over plain HTTP.

Chapter 5

Configuration

In this section, you'll learn how to configure PacketFence. PacketFence will use MySQL, Apache, ISC DHCP, iptables and FreeRADIUS. As previously mentioned, we assume that those components run on the same server on which PacketFence is being installed.

First Step

The first step after installing the necessary packages is the configuration step. PacketFence provides a helpful and detailed web-based configurator.

As mentioned at the end of the package installation, fire up a web browser and go to https://@ip_of_packetfence:1443/configurator. From there, the configuration process is split into six (6) distinct steps, after which you'll have a working PacketFence setup.

Step 1: Enforcement technique. You'll choose either VLAN enforcement, inline enforcement or both;

Step 2: Network configuration. You'll be able to configure the network interfaces of the system as well as assigning the correct interfaces for each of the required types of the chosen enforcement technique(s);

Step 3: Database configuration. This step will create the PacketFence database and populate it with the correct structure. A MySQL user will also be created and assigned to the newly created database;

Step 4: General configuration. You will need to configure some of the basic PacketFence configuration parameters;

Step 5: Administrative user. This step will ask you to create an administrative user that will be able to access the web-based administration interface once the services are functional;

Step 6: Let's do this! See the status of your configuration and start your new NAC!

Note

Keep in mind that the resulting PacketFence configuration will be located under /usr/local/pf/conf/ and the configuration files can always be adjusted by hand afterward or from PacketFence's Web GUI.

Web-based Administration Interface

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user. If not, the default password is also admin; change it before the interface is reachable from anything other than your management network.

Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/

Global configuration file (pf.conf)

The /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

In order to override a default parameter, define it and set it in pf.conf.

/usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

Apache Configuration

The PacketFence Apache configuration files are located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices.

httpd.admin is used to manage the PacketFence admin interface

httpd.portal is used to manage the PacketFence captive portal interface

httpd.webservices is used to manage the PacketFence web services interface

These files have been written using the Perl language and are completely dynamic, so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf); if it differs, browsers will raise a certificate warning each time a user is redirected to the captive portal.

Captive Portal

Important parameters to configure regarding the captive portal are the following:

Redirect URL under Configuration > Portal Profile > Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration > Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif which is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

SELinux

Even if this feature may be wanted by some organizations, PacketFence will not run properly if SELinux is set to enforcing. You will need to explicitly disable it in the /etc/selinux/config file.

Roles Management

Roles in PacketFence can be created from PacketFence's administrative GUI, from the Configuration > Users > Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.

Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs or internal roles on equipment from the Configuration > Network > Switches module.

Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory
Apache htpasswd file
Email
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI, from the Configuration > Users > Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a fallback. When a fallback is defined, all of its actions will be applied to any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration > Portal Profiles. Each portal profile has a list of authentication sources to use.

  • Chapter5

    Copyright2014Inverseinc. Configuration 16

Example

Let's say we have two roles: guest and employee. First, we define them in Configuration > Users > Roles.

Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database, both using PacketFence's captive portal. From Configuration > Users > Sources, we select Add source > AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: employee

Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Configuration > Users > Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source, for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:

Name: machines


Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth

Set unregistration date: January 1st, 2020

Note that when a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies to Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as true catch-alls, and accept everything.
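As an added illustration (not PacketFence code) of the first-match-wins evaluation described above and of the catch-all note, the following Python models sources and rules with the ad1 / internal-database sources from the example. The directory contents, the extra conditional "engineering" rule placed ahead of the catch-all (to show ordering) and the helper names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Source kinds whose catch-all rule accepts any username, even unknown ones.
TRUE_CATCH_ALL = {"Kerberos", "RADIUS"}


@dataclass
class Rule:
    name: str
    actions: Dict[str, str]
    # (attribute, expected value) pairs; an empty list makes the rule a fallback
    conditions: List[Tuple[str, str]] = field(default_factory=list)

    def matches(self, attrs: Dict[str, str]) -> bool:
        return all(attrs.get(k) == v for k, v in self.conditions)


@dataclass
class Source:
    name: str
    kind: str  # "AD", "LDAP", "htpasswd", "SQL", "Kerberos" or "RADIUS"
    # returns the user's attributes, or None when the backend does not know it
    lookup: Callable[[str], Optional[Dict[str, str]]]
    rules: List[Rule] = field(default_factory=list)


def authenticate(sources: List[Source], username: str) -> Optional[Dict[str, str]]:
    """Test sources in order, then each source's rules in order; the first
    matching rule's actions are returned and nothing later is consulted."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            if source.kind not in TRUE_CATCH_ALL:
                continue  # AD/LDAP/htpasswd: unknown user, no rule can match
            attrs = {}  # Kerberos/RADIUS: accept everything
        for rule in source.rules:
            if rule.matches(attrs):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None  # no source accepted the user


# Constructed directory contents standing in for AD and the local database.
AD_USERS = {
    "alice": {"sAMAccountName": "alice", "department": "Engineering"},
    "bob": {"sAMAccountName": "bob", "department": "Sales"},
}
LOCAL_GUESTS = {"visitor1": {"username": "visitor1"}}


def build_sources() -> List[Source]:
    ad1 = Source(
        name="ad1", kind="AD", lookup=AD_USERS.get,
        rules=[
            # a conditional rule (constructed) is tested before the catch-all
            Rule("engineering", {"role": "engineering", "unregdate": "2020-01-01"},
                 conditions=[("department", "Engineering")]),
            Rule("employees", {"role": "employee", "unregdate": "2020-01-01"}),
        ],
    )
    guests = Source(
        name="local", kind="SQL", lookup=LOCAL_GUESTS.get,
        rules=[Rule("guests", {"role": "guest", "access_duration": "1D"})],
    )
    return [ad1, guests]


if __name__ == "__main__":
    sources = build_sources()
    for user in ("alice", "bob", "visitor1", "mallory"):
        print(user, "->", authenticate(sources, user))
```

Moving a Kerberos or RADIUS source with a fallback rule to the front of the list accepts every username before ad1 is ever consulted, which is why source order matters.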

Network Devices Definition (switches.conf)

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it in the Web Administration panel under Configuration > Network > Switches.

This file contains a default section including:

* Default SNMP read/write communities for the switches
* Default working mode (see note about working mode below)

and a switch section for each switch (managed by PacketFence) including:

* Switch IP
* Switch vendor/type
* Switch uplink ports (trunks and non-managed ports)
* per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload.

Working modes

There are three different working modes:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.


Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. Starting with 1.8, PacketFence now supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch.

From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMP v3 in both directions on a Cisco switch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security


Command-Line Interface: Telnet and SSH

Warning

Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can now use SSH. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration > Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

Note: as of PacketFence 1.9.1 few switches require Web Services configuration in order to work. It can also be done through the Web Administration Interface under Configuration > Switches.

Radius Secret

For certain authentication mechanisms, such as 802.1X or MAC Authentication, the RADIUS server needs to have the network device in its client list. As of PacketFence 3.0, we now use a database backend to store the RADIUS client information. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

radiusSecret = secretPassPhrase

Also, starting with PacketFence 3.1, the RADIUS secret is required for our support of RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.


Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more precise to control what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

Format: <internal role>Role=<external role>

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales.

Caution

Make sure that the roles are properly defined on the network devices prior to assigning roles!

Default VLAN/role assignment

This section applies only to VLAN enforcement. Users planning to do inline enforcement only can skip this section.

The default VLAN assignment technique used in PacketFence is a per-switch one. The correct default VLAN for a given MAC is determined based on the role computed by PacketFence during the registration process for the device, or dynamically during an 802.1X authentication. The computed internal role will then be mapped to either a VLAN or an external role for the specific equipment the user is connected to.

This allows you to do easy per-building VLAN/role segmentation.

If you need more flexibility than what can be defined from PacketFence's authentication sources (rules/conditions/actions), take a look at the FAQ entry Custom VLAN assignment behavior available online.


Inline enforcement configuration

This section applies only to Inline enforcement. Users planning to do VLAN enforcement only can skip this section.

Inline enforcement is a very convenient method of performing access control on older network hardware that is not capable of doing VLAN enforcement or that is not supported by PacketFence. This technique is covered in detail in the "Technical introduction to Inline enforcement" section.

An important configuration parameter to have in mind when configuring inline enforcement is that the DNS reached by these users should be your actual production DNS server, which shouldn't be in the same broadcast domain as your inline users. The next section shows you how to configure the proper inline interface and it is in this section that you should refer to the proper production DNS.

Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces. A node registered on the first inline interface is marked with an ip:mac tuple (for L2; only ip for L3), so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first VLAN. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change VLAN.

The outgoing interface should be specified by adding in pf.conf the option interfaceSNAT in the inline section. It is a comma-delimited list of network interfaces like eth0,eth0.100. It's also possible to specify a network that will be routed instead of using NAT by adding in conf/networks.conf an option nat=no under one or more network sections.

Another important setting is the gateway statement. Since this is the only way to get the PacketFence server inline interface IP address, it is mandatory to set it to this IP (which is supposed to be the same as in the ip statement of the inline interface in conf/pf.conf).

Hybrid mode

This section applies to hybrid support for the manageable devices that support 802.1X or MAC-authentication.

Hybrid enforcement is a mixed method that offers the use of inline enforcement mode with VLAN enforcement mode on the same device. This technique is covered in detail in the "Technical introduction to Hybrid enforcement" section.


Web Auth mode

This section applies to web authentication support for manageable devices that support web authentication with an external captive portal.

Web authentication is a method on the switch that forwards HTTP traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated with your device will change. Refer to the Network Devices Configuration Guide to see a sample web auth configuration on a Cisco WLC.

DHCP and DNS Server Configuration (networks.conf)

PacketFence automatically generates the DHCP configuration files for Registration, Isolation and Inline VLANs. This is done by editing the network interfaces from the configuration module of the administration Web interface (see the First Step section).

network                   Network subnet

netmask                   Network mask

gateway                   PacketFence IP address in this network

next_hop                  Used only with routed networks; IP address of the router in this network (this is used to locally create static routes to the routed networks). See the Routed Networks section.

domain-name               DNS name

dns                       PacketFence IP address in this network. In inline type, set it to a valid DNS production server

dhcp_start                Starting IP address of the DHCP scope

dhcp_end                  Ending IP address of the DHCP scope

dhcp_default_lease_time   Default DHCP lease time

dhcp_max_lease_time       Maximum DHCP lease time

type                      vlan-registration or vlan-isolation or inline


named                     Is PacketFence the DNS for this network? (Enabled/Disabled) Set it to enabled

dhcpd                     Is PacketFence the DHCP server for this network? (Enabled/Disabled) Set it to enabled

nat                       Does PacketFence route or NAT the traffic for this network? (yes/no) NAT is enabled by default; set to no to route

When starting, PacketFence generates the DHCP configuration files by reading the information provided in networks.conf:

The DHCP configuration file is written to var/conf/dhcpd.conf using conf/dhcpd.conf as a template.

Production DHCP access

In order to perform all of its access control duties, PacketFence needs to be able to map MAC addresses into IP addresses.

For all the networks/VLANs where you want PacketFence to have the ability to isolate a node or to have IP information about nodes, you will need to perform one of the techniques below.

Also note that this doesn't need to be done for the registration and isolation VLANs and inline interfaces since PacketFence acts as the DHCP server in these networks.

IP Helpers (recommended)

If you are already using IP Helpers for your production DHCP in your production VLANs this approach is the simplest one and the one that works the best.

Add PacketFence's management IP address as the last ip helper-address statement in your network equipment. At this point PacketFence will receive a copy of all DHCP requests for that VLAN and will record what IP was distributed to what node using a pfdhcplistener daemon.

By default no DHCP server should be running on the interface where you are sending the requests. This is by design; otherwise PacketFence would reply to the DHCP requests, which would be a bad thing.

Obtain a copy of the DHCP traffic

Get a copy of all the DHCP traffic to a dedicated physical interface in the PacketFence server and run pfdhcplistener on that interface. It will involve configuring your switch properly to perform port mirroring (aka network span) and adding in PacketFence the proper interface statement at the operating system level and in pf.conf.

/etc/sysconfig/network-scripts/ifcfg-eth2:


DEVICE=eth2
ONBOOT=yes
BOOTPROTO=none

Add to pf.conf (IPs are not important, they are there only so that PacketFence will start):

[interface eth2]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.1.5
ip=192.168.1.1

Restart PacketFence and you should be good to go.

Interface in every VLAN

Because DHCP traffic is broadcast traffic, an alternative for small networks with few local VLANs is to put a VLAN interface for every VLAN on the PacketFence server and have a pfdhcplistener listen on that VLAN interface.

On the network side you need to make sure that the VLAN truly reaches all the way from your client to your DHCP infrastructure up to the PacketFence server.

On the PacketFence side, first you need an operating system VLAN interface like the one below. Stored in /etc/sysconfig/network-scripts/ifcfg-eth0.1010:

# Engineering VLAN
DEVICE=eth0.1010
ONBOOT=yes
BOOTPROTO=static
IPADDR=10.0.101.4
NETMASK=255.255.255.0
VLAN=yes

Then you need to specify in pf.conf that you are interested in that VLAN's DHCP by setting type to dhcp-listener.

[interface eth0.1010]
mask=255.255.255.0
type=dhcp-listener
gateway=10.0.101.1
ip=10.0.101.4

Repeat the above for all your production VLANs, then restart PacketFence.

Host production DHCP on PacketFence

It's an option. Just modify conf/dhcpd.conf so that it will host your production DHCP properly and make sure that a pfdhcplistener runs on the same interface where production DHCP runs. However, please note that this is NOT recommended. See this ticket to see why.


Routed Networks

If your isolation and registration networks are not locally reachable (at layer 2) on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and DNS in these routed networks and provides an easy to use configuration interface.

For dhcpd, make sure that the clients' DHCP requests are correctly forwarded (IP Helpers in the remote routers) to the PacketFence server. Then make sure you followed the instructions in the DHCP and DNS Server Configuration (networks.conf) section for your locally accessible network.

If we consider the network architecture illustrated in the above schema, conf/pf.conf will include the local registration and isolation interfaces only.

[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0


[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0

Note

PacketFence will not start unless you have at least one internal interface, so you need to create local registration and isolation VLANs even if you don't intend to use them. Also, the internal interfaces are the only ones on which dhcpd listens, so the remote registration and isolation subnets need to point their DHCP helper-address to those particular IPs.

Then you need to provide the routed networks information to PacketFence. You can do it through the GUI in Administration > Networks (or in conf/networks.conf).

conf/networks.conf will look like this:

[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.3.0]
netmask=255.255.255.0
gateway=192.168.3.1
next_hop=
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.3.10
dhcp_end=192.168.3.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled


[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.30.0]
netmask=255.255.255.0
gateway=192.168.30.254
next_hop=192.168.3.254
domain-name=isolation.example.com
dns=192.168.3.1
dhcp_start=192.168.30.10
dhcp_end=192.168.30.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-isolation
named=enabled
dhcpd=enabled
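An added consistency check (not part of PacketFence) that parses constructed copies of the pf.conf interface sections and of networks.conf shown above, and verifies what this section and the networks.conf parameter list state: DHCP scopes inside their subnet, a routed network's next_hop inside an internal interface subnet, dns served from an internal address, local networks gatewayed by PacketFence itself, and inline networks pointing at a production DNS outside their own subnet. Function names and problem texts are our own.

```python
import configparser
import ipaddress

# Constructed copies of the guide's conf/pf.conf interfaces and of the local
# and routed registration networks from conf/networks.conf.
PF_CONF = """
[interface eth0.2]
enforcement=vlan
ip=192.168.2.1
type=internal
mask=255.255.255.0
[interface eth0.3]
enforcement=vlan
ip=192.168.3.1
type=internal
mask=255.255.255.0
"""

NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
[192.168.20.0]
netmask=255.255.255.0
gateway=192.168.20.254
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.20.10
dhcp_end=192.168.20.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled
"""


def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def internal_interfaces(pf_conf):
    """type=internal interfaces: the only ones dhcpd and named listen on."""
    cp = parse(pf_conf)
    return [ipaddress.ip_interface(f"{cp[s]['ip']}/{cp[s]['mask']}")
            for s in cp.sections()
            if s.startswith("interface ") and cp[s].get("type") == "internal"]


def check_networks(networks_conf, pf_conf):
    """Return the problems found; an empty list means the two files agree."""
    problems = []
    ifaces = internal_interfaces(pf_conf)
    internal_ips = {i.ip for i in ifaces}
    cp = parse(networks_conf)
    for name in cp.sections():
        sec = cp[name]
        net = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
        gateway = ipaddress.ip_address(sec["gateway"])
        dns = ipaddress.ip_address(sec["dns"])
        start, end = (ipaddress.ip_address(sec[k]) for k in ("dhcp_start", "dhcp_end"))
        if gateway not in net:
            problems.append(f"{name}: gateway is outside the subnet")
        if not (start in net and end in net and start <= end):
            problems.append(f"{name}: DHCP scope is outside the subnet or reversed")
        if int(sec["dhcp_default_lease_time"]) > int(sec["dhcp_max_lease_time"]):
            problems.append(f"{name}: default lease time exceeds max lease time")
        if sec.get("next_hop", "").strip():
            # routed network: the static route goes via a local internal subnet and
            # DHCP/DNS are only served from internal interface addresses
            hop = ipaddress.ip_address(sec["next_hop"])
            if not any(hop in i.network for i in ifaces):
                problems.append(f"{name}: next_hop is not inside any internal interface subnet")
            if dns not in internal_ips:
                problems.append(f"{name}: dns must be an internal PacketFence interface address")
        elif sec["type"] == "inline":
            # inline clients use the production DNS outside their own broadcast domain,
            # and the gateway must be the ip of the inline interface in pf.conf
            if dns in net:
                problems.append(f"{name}: inline dns is inside the inline subnet; use the production DNS server")
            if gateway not in internal_ips:
                problems.append(f"{name}: inline gateway must equal the inline interface ip")
        elif gateway not in internal_ips:
            # local registration/isolation network: PacketFence itself is the gateway
            problems.append(f"{name}: gateway is not an internal interface address")
    return problems


if __name__ == "__main__":
    print(check_networks(NETWORKS_CONF, PF_CONF) or "networks.conf is consistent with pf.conf")
```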

DHCP clients on the registration and isolation networks receive the PF server IP as their DNS server (dns=x.x.x.x), and PF spoofs DNS responses to force clients via the portal. However, clients could manually configure their DNS settings to escape the portal. To prevent this you will need to apply an ACL on the access router nearest the clients, permitting access only to the PF server and local DHCP broadcast traffic.

For example, for the VLAN 20 remote registration network:

ip access-list extended PF_REGISTRATION
 permit ip any host 192.168.2.1
 permit udp any any eq 67
 deny ip any any log
interface vlan 20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.2.1
 ip access-group PF_REGISTRATION in

If your edge switches support vlan-isolation you can also apply the ACL there. This has the advantage of preventing machines in isolation from attempting to attack each other.


FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper VLAN to the network equipment.

Option 1: Dynamic switch configuration

Since PacketFence version 4.1 you are now able to enable dynamic clients. It means that when you add a new switch configuration in PacketFence's administration interface you don't have to restart the radiusd service.

To enable this feature, make a symlink in the /usr/local/pf/raddb/sites-enabled directory:

ln -s ../sites-available/dynamic-clients dynamic-clients

and of course restart radiusd:

/usr/local/pf/bin/pfcmd service radiusd restart

Option 2: Authentication against Active Directory (AD)

Replace /usr/local/pf/raddb/modules/mschap with the following configuration:

mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

Samba/Kerberos/Winbind

Install Samba 3 and NOT Samba 4. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

yum install samba krb5-workstation

For Debian and Ubuntu, do:


apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:

[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15

For Debian and Ubuntu:


[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50

Issue a kinit and klist in order to get and verify the Kerberos token:

# kinit administrator
# klist

After that, you need to start samba, and join the machine to the domain:

# service smb start
# chkconfig --level 345 smb on
# net ads join -U administrator

Note that for Debian and Ubuntu you will probably have this error:

# kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
# Join to domain is not valid: Invalid credentials

For CentOS/RHEL:

# usermod -a -G wbpriv pf

Finally, start winbind, and test the setup using ntlm_auth and radtest:

# service winbind start
# chkconfig --level 345 winbind on

For Debian and Ubuntu:


# usermod -a -G winbindd_priv pf
# ntlm_auth --username myDomainUser
# radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20

Option 3: Local Authentication

Add your users' entries at the end of the /usr/local/pf/raddb/users file with the following format:

username Cleartext-Password := "password"

Option 4: Authentication against OpenLDAP

To be contributed...

Option 5: EAP Guest Authentication on email, sponsor and sms registration

The goal here is to be able to use the credentials PacketFence created on guest access and use them on a secure connection. First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS) and check Add user on email registration and/or Add user on sponsor registration in the Configuration > Self Registration section. At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS use your phone number and the PIN code.

Note that this option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

In /usr/local/pf/raddb/sites-available/packetfence-tunnel there is an example on how to configure radius to enable this feature (uncomment to make it work).

In this example we activate this feature on a specific SSID name (Secure-Wireless), disable NTLM Auth by default, test the email credentials (pfguest), test sponsor (pfsponsor) and test sms (pfsms). If all failed then we reactivate NTLM Auth.


authorize {
    suffix
    ntdomain
    eap {
        ok = return
    }
    files
    ####Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    #    set.called_station_ssid
    #    if (Called-Station-SSID == 'Secure-Wireless') {
    ## Disable ntlm_auth
    #        update control {
    #            MS-CHAP-Use-NTLM-Auth := No
    #        }
    ## Check temporary_password table with email and password for a guest registration
    #        pfguest
    #        if (fail || notfound) {
    ## Check temporary_password table with email and password for a sponsor registration
    #            pfsponsor
    #            if (fail || notfound) {
    ## Check activation table with phone number and PIN code
    #                pfsms
    #                if (fail || notfound) {
    #                    update control {
    #                        MS-CHAP-Use-NTLM-Auth := Yes
    #                    }
    #                }
    #            }
    #        }
    #    }
}

Option 6: EAP Local user Authentication

The goal here is to use the local user you created in the admin GUI for EAP authentication. The logic is exactly the same as in option 5; the difference is that we use another SSID and we only use local accounts.

Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test local accounts. If it failed then we reactivate NTLM Auth.


####Activate local user eap authentication based on a specific SSID ####
## Set Called-Station-SSID with the current SSID
#    set.called_station_ssid
#    if (Called-Station-SSID == 'Secure-local-Wireless') {
## Disable ntlm_auth
#        update control {
#            MS-CHAP-Use-NTLM-Auth := No
#        }
## Check temporary_password table for local user
#        pflocal
#        if (fail || notfound) {
#            update control {
#                MS-CHAP-Use-NTLM-Auth := Yes
#            }
#        }
#    }

Tests

Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

# radtest dd9999 Abcd1234 localhost:18120 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

Debug

First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following command:

    # radiusd -X -d /usr/local/pf/raddb

Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

In order to have an output from raddebug, you need to either:

a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

b. Run raddebug as root (less secure!)

Now you can run raddebug easily:

    raddebug -t 300 -d /usr/local/pf/raddb


The above will output FreeRADIUS' debug logs for 5 minutes. See man raddebug for all the options.

Starting PacketFence Services

Once PacketFence is fully installed and configured, start the services using the following command:

service packetfence start

You may verify using the chkconfig command that the PacketFence service is automatically started at boot time.

Log files

Here are the most important PacketFence log files:

/usr/local/pf/logs/packetfence.log          PacketFence Core Log
/usr/local/pf/logs/portal_access_log        Apache Captive Portal Access Log
/usr/local/pf/logs/portal_error_log         Apache Captive Portal Error Log
/usr/local/pf/logs/admin_access_log         Apache Web Admin/Services Access Log
/usr/local/pf/logs/admin_error_log          Apache Web Admin/Services Error Log
/usr/local/pf/logs/admin_debug_log          Apache Web Admin Debug Log
/usr/local/pf/logs/webservices_access_log   Apache Webservices Access Log
/usr/local/pf/logs/webservices_error_log    Apache Webservices Error Log

There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

The logging system's configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4perl) and you normally don't need to modify it.

Passthrough

In order to use the passthrough feature in PacketFence, you need to enable it from the GUI in Configuration > Trapping and check Passthrough.

There are two solutions for passthroughs: one using DNS resolution and iptables and the other one using Apache's mod_proxy module. When enabled, PacketFence will use pfdns if you defined Passthroughs, or Apache mod_proxy if you defined Proxy Passthroughs, to allow trapped devices to reach websites.


* DNS passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Passthroughs section. When PacketFence receives a DNS request for this domain, it will answer the real IP address and punch a hole in the firewall (using iptables) to allow access. With this method, PacketFence must be the default gateway of your device.

* mod_proxy passthrough: Add a new FQDN (should be a wildcard domain like *.google.com) in the Proxy Passthroughs section. For this FQDN, PacketFence will answer the IP address of the captive portal and when a device hits the captive portal, PacketFence will detect that this FQDN has a passthrough configuration and will forward the traffic to mod_proxy.

These two methods can be used together but DNS-based passthroughs have higher priority.

Proxy Interception

PacketFence enables you to intercept proxy requests and forward them to the captive portal. It only works in layer 2 networks because PacketFence must be the default gateway. In order to use the Proxy Interception feature, you need to enable it from the GUI in Configuration > Trapping and check Proxy Interception.

Add the port you want to intercept (like 8080 or 3128) and add a new entry in the /etc/hosts file to resolve the fully qualified domain name (FQDN) of the captive portal to the IP address of the registration interface. This modification is mandatory in order for Apache to receive the proxy requests.


Chapter 6: Configuration by example

Here is an end-to-end sample configuration of PacketFence in "Hybrid" mode (VLAN mode and Inline mode at the same time).

Assumptions

Throughout this configuration example we use the following assumptions for our network infrastructure:

There are two different types of manageable switches in our network: Cisco Catalyst 2900XL and Cisco Catalyst 2960, and one unmanageable device.

* VLAN 1 is the "normal" VLAN; users with the "default" role will be assigned to it
* VLAN 2 is the registration VLAN (unregistered devices will be put in this VLAN)
* VLAN 3 is the isolation VLAN (isolated devices will be put in this VLAN)
* VLANs 2 and 3 are spanned throughout the network
* VLAN 4 is the inline VLAN (In-Band, for unmanageable devices)
* We want to isolate computers using Limewire (peer-to-peer software)
* We use Snort as NIDS
* The traffic monitored by Snort is spanned on eth1
* The DHCP server on the PacketFence box will take care of IP address distribution in VLANs 2, 3 and 4
* The DNS server on the PacketFence box will take care of domain resolution in VLANs 2, 3 and 4

The network setup looks like this:

VLAN ID   VLAN Name      Subnet           Gateway        PacketFence Address
1         Normal         192.168.1.0/24   192.168.1.1    192.168.1.5
2         Registration   192.168.2.0/24   192.168.2.1    192.168.2.1
3         Isolation      192.168.3.0/24   192.168.3.1    192.168.3.1
4         Inline         192.168.4.0/24   192.168.4.1    192.168.4.1
100       Voice


Network Interfaces

Here are the NICs startup scripts on PacketFence.

/etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0
BROADCAST=192.168.1.255
IPADDR=192.168.1.5
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet

/etc/sysconfig/network-scripts/ifcfg-eth0.2:

DEVICE=eth0.2
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.2.1
NETMASK=255.255.255.0
VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth0.3:

DEVICE=eth0.3
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.3.1
NETMASK=255.255.255.0
VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth0.4:

DEVICE=eth0.4
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.4.1
NETMASK=255.255.255.0
VLAN=yes

/etc/sysconfig/network-scripts/ifcfg-eth1. This NIC is used for the mirror of the traffic monitored by Snort.

DEVICE=eth1
ONBOOT=yes
BOOTPROTO=none


Trap receiver

PacketFence uses snmptrapd as the trap receiver. It stores the community name used by the switch to send traps in the switch config file (/usr/local/pf/conf/switches.conf):

[default]
SNMPCommunityTrap = public

Switch Setup

In our example, we enable inline on a Cisco 2900XL and Port Security on a Cisco Catalyst 2960. Please consult the Network Devices Configuration Guide for the complete list of supported switches and configuration instructions.

inline

On the 2900XL.

on each interface:

switchport mode access
switchport access vlan 4

Port Security

On the 2960.

global setup:

snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security

On each interface, you need to initialize the port security by authorizing a fake MAC address with the following commands:

switchport access vlan 1
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.00xx

  • Chapter6

    Copyright2014Inverseinc. Configurationbyexample 40

    wherexxstandsfortheinterfaceindex.

    Note

    Dontforgettoupdatethestartup-config.

    switches.conf

    Note

    You can use the Web Administration interface instead of performing the configuration in the flat files.

    Here is the /usr/local/pf/conf/switches.conf file for our setup. See Network Device Definition for more information about the content of this file.

    [default]
    SNMPCommunityRead = public
    SNMPCommunityWrite = private
    SNMPCommunityTrap = public
    SNMPVersion = 1
    defaultVlan = 1
    registrationVlan = 2
    isolationVlan = 3
    macDetectionVlan = 5
    VoIPEnabled = no

    [192.168.1.100]
    type = Cisco::Catalyst_2900XL
    mode = production
    uplink = 24

    [192.168.1.101]
    type = Cisco::Catalyst_2960
    mode = production
    uplink = 25
    defaultVlan = 10
    radiusSecret=useStrongerSecret

    If you want to have different read/write community names for each switch, declare them in each switch section.


    pf.conf

    Here is the /usr/local/pf/conf/pf.conf file for our setup. For more information about pf.conf see the Global configuration file (pf.conf) section.

    [general]
    domain=yourdomain.org
    #Put your External/Infra DNS servers here
    dnsservers=4.2.2.2,4.2.2.1
    dhcpservers=192.168.2.1,192.168.3.1,192.168.5.1

    [trapping]
    registration=enabled
    detection=enabled
    range=192.168.2.0/24,192.168.3.0/24,192.168.4.0/24

    [interface eth0]
    mask=255.255.255.0
    type=management
    gateway=192.168.1.1
    ip=192.168.1.5

    [interface eth0.2]
    mask=255.255.255.0
    type=internal
    enforcement=vlan
    gateway=192.168.2.1
    ip=192.168.2.1

    [interface eth0.3]
    mask=255.255.255.0
    type=internal
    enforcement=vlan
    gateway=192.168.3.1
    ip=192.168.3.1

    [interface eth0.4]
    mask=255.255.255.0
    type=internal
    enforcement=inline
    gateway=192.168.4.1
    ip=192.168.4.1

    [interface eth1]
    mask=255.255.255.0
    type=monitor
    gateway=192.168.1.5
    ip=192.168.1.1


    Note

    If you are running in a high-availability setup (with a cluster IP), make sure to add the vip parameter to the configured management interface so that RADIUS dynamic auth messages can reach the network equipment correctly.

    [interface eth0]
    mask=255.255.255.0
    type=management
    gateway=192.168.1.1
    ip=192.168.1.5
    vip=192.168.1.6

    networks.conf

    Here is the /usr/local/pf/conf/networks.conf file for our setup. For more information about networks.conf see DHCP and DNS Server configuration.

    [192.168.2.0]
    netmask=255.255.255.0
    gateway=192.168.2.1
    next_hop=192.168.2.254
    domain-name=registration.example.com
    dns=192.168.2.1
    dhcp_start=192.168.2.10
    dhcp_end=192.168.2.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-registration
    named=enabled
    dhcpd=enabled

    [192.168.3.0]
    netmask=255.255.255.0
    gateway=192.168.3.1
    next_hop=192.168.3.254
    domain-name=isolation.example.com
    dns=192.168.3.1
    dhcp_start=192.168.3.10
    dhcp_end=192.168.3.200
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=vlan-isolation
    named=enabled
    dhcpd=enabled

    [192.168.4.0]
    netmask=255.255.255.0
    gateway=192.168.4.1
    next_hop=
    domain-name=inline.example.com
    dns=4.2.2.2,4.2.2.1
    dhcp_start=192.168.4.10
    dhcp_end=192.168.4.254
    dhcp_default_lease_time=300
    dhcp_max_lease_time=600
    type=inline
    named=enabled
    dhcpd=enabled
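The pf.conf interface sections and the networks.conf sections above describe the same subnets twice, and a mismatch between them (a gateway that is not the PacketFence address, a DHCP pool outside the subnet, a vlan-type network on an inline interface) is a common source of a registration VLAN that hands out leases but never reaches the portal. The following Python script is an added consistency check, not part of the guide or of PacketFence itself; the two config strings are constructed excerpts of the files shown above (the isolation network and the management and monitor interfaces are left out to keep it short), and the rule that vlan-registration and vlan-isolation networks must point clients at a DNS address inside their own subnet is taken from the example and treated as a requirement here, which is an assumption.

```python
import configparser
import ipaddress

# Constructed excerpt of the pf.conf above: only the two internal interfaces.
PF_CONF = """
[interface eth0.2]
mask=255.255.255.0
type=internal
enforcement=vlan
gateway=192.168.2.1
ip=192.168.2.1

[interface eth0.4]
mask=255.255.255.0
type=internal
enforcement=inline
gateway=192.168.4.1
ip=192.168.4.1
"""

# Constructed excerpt of the networks.conf above (isolation network omitted).
NETWORKS_CONF = """
[192.168.2.0]
netmask=255.255.255.0
gateway=192.168.2.1
next_hop=192.168.2.254
domain-name=registration.example.com
dns=192.168.2.1
dhcp_start=192.168.2.10
dhcp_end=192.168.2.200
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=vlan-registration
named=enabled
dhcpd=enabled

[192.168.4.0]
netmask=255.255.255.0
gateway=192.168.4.1
next_hop=
domain-name=inline.example.com
dns=4.2.2.2,4.2.2.1
dhcp_start=192.168.4.10
dhcp_end=192.168.4.254
dhcp_default_lease_time=300
dhcp_max_lease_time=600
type=inline
named=enabled
dhcpd=enabled
"""


def load(text):
    """Both files use INI syntax, so the standard library parser is enough."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_networks(pf_text, networks_text):
    """Return a list of problem strings; an empty list means the two files agree."""
    pf, nets = load(pf_text), load(networks_text)
    problems = []
    # subnet -> (interface name, section) for every internal interface in pf.conf
    internal = {}
    for name in pf.sections():
        sec = pf[name]
        if sec.get("type") == "internal":
            internal[ipaddress.ip_interface(f"{sec['ip']}/{sec['mask']}").network] = (name, sec)
    for net_name in nets.sections():
        sec = nets[net_name]
        network = ipaddress.ip_network(f"{net_name}/{sec['netmask']}")
        gateway = ipaddress.ip_address(sec["gateway"])
        start, end = ipaddress.ip_address(sec["dhcp_start"]), ipaddress.ip_address(sec["dhcp_end"])
        if gateway not in network:
            problems.append(f"{net_name}: gateway {gateway} is outside {network}")
        if not (start in network and end in network and start < end):
            problems.append(f"{net_name}: DHCP pool {start}-{end} is not inside {network}")
        elif start <= gateway <= end:
            problems.append(f"{net_name}: gateway {gateway} lies inside the DHCP pool")
        owner = internal.get(network)
        if owner is None:
            problems.append(f"{net_name}: no internal interface in pf.conf sits on {network}")
            continue
        iface_name, iface = owner
        if ipaddress.ip_address(iface["ip"]) != gateway:
            problems.append(f"{net_name}: gateway {gateway} is not the {iface_name} address {iface['ip']}")
        # the networks.conf type must match the enforcement mode of the owning interface
        expected = "inline" if sec["type"] == "inline" else "vlan"
        if iface.get("enforcement") != expected:
            problems.append(f"{net_name}: type {sec['type']} but {iface_name} enforcement is {iface.get('enforcement')}")
        # Assumption taken from the example: registration/isolation networks use a DNS
        # address inside their own subnet (the PacketFence interface) so the portal can answer.
        if sec["type"].startswith("vlan-"):
            for server in sec["dns"].split(","):
                if ipaddress.ip_address(server.strip()) not in network:
                    problems.append(f"{net_name}: dns {server.strip()} is outside {network}")
    return problems


if __name__ == "__main__":
    print(check_networks(PF_CONF, NETWORKS_CONF) or "pf.conf and networks.conf agree")
```

Run it against the real files by reading them into the two strings; every line it prints is a section to fix before restarting the DHCP and DNS daemons.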

    Inline enforcement specifics

    To see another important optional parameter that can be altered to do inline enforcement, see the Inline enforcement configuration section.

    In order to have the inline mode properly working, you need to enable IP forwarding on your servers. To do it permanently, look in /etc/sysctl.conf, and set the following line:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

    Save the file, and execute sysctl -p to reload the kernel parameters.

    Chapter 7: Optional components (page 45). Copyright 2014 Inverse inc.

    Optional components

    Blocking malicious activities with violations

    Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffic on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a "blocked" page which can be customized to your wishes.

    In order to be able to block malicious activities, you need to install and configure the SNORT or Suricata IDS to talk with PacketFence.

    Snort

    Installation

    The installation procedure is quite simple for SNORT. We maintain a working version on the PacketFence repository. To install it, simply run the following command:

    yum install snort

    Configuration

    PacketFence provides a basic snort.conf template that you may need to edit depending on the Snort version. The file is located in /usr/local/pf/conf. It is rarely necessary to change anything in that file to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/var/conf, all the modifications will be destroyed on each PacketFence restart.

    Suricata

    Installation

    Since the suricata IDS is not packaged with the distros (except maybe Fedora, which we do not officially support), you need to build it the "old" way.

    The OISF provides a really well written how-to for that. It's available here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5


    Configuration

    PacketFence will provide you with a basic suricata.yaml that you can modify to suit your own needs. The file is located in /usr/local/pf/conf.

    Violations

    In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.

    PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf configuration file. The violation format is as follows:

    [1234]
    desc=Your Violation Description
    priority=8
    template=
    enable=Y
    trigger=Detect::2200032,Nessus::11808
    actions=email,log,trap
    vlan=isolationVlan
    whitelisted_categories=

    [1234]  The violation ID. Any integer except 1200000-120099, which is reserved for required administration violations.

    desc  Single line description of the violation.

    priority  Range 1-10, with 1 the highest priority and 10 the lowest. Higher priority violations will be addressed first if a host has more than one.

    template  Template name to use while in violation. It must match an HTML file name (without the extension) of the violations templates directory.

    enable  If enable is set to N, this violation is disabled and no additional violations of this type will be added.

    trigger  Method to reference external detection methods. Trigger is formatted as follows: type::ID. The type can be Detect (Snort), Nessus, OpenVAS, OS (DHCP Fingerprint Detection), UserAgent (Browser signature), VendorMAC (MAC address class), SoH (Statement of Health filter), Accounting, etc. In the above example, 2000032 is the Snort ID and 11808 is the Nessus plugin number. The Snort ID does NOT have to match the violation ID.

    actions  This is the list of actions that will be executed on a violation addition. The actions can be:

        log  Log a message to the file specified in [alerting].log

        email  Email the address specified in [alerting].emailaddr, using [alerting].smtpserver. Multiple email addresses can be separated by comma.

        trap  Isolate the host and place them in violation. It opens a violation and leaves it open. If trap is not there, a violation is opened and then automatically closed.

        winpopup  Send a Windows popup message. You need to configure [alerting].winserver and [alerting].netbiosname in pf.conf when using this option.

        external  Execute an external command, specified in [paths].externalapi.

        close  Close the violation ID specified in the vclose field.

        role  Change the node's role to the one specified in the target_category field.

        autoreg  Register the node.

        unreg  Deregister the node.

    vlan  Destination VLAN where PacketFence should put the client when a violation of this type is open. The VLAN value can be:

        isolationVlan  Isolation VLAN as specified in switches.conf. This is the recommended value for most violation types.

        registrationVlan  Registration VLAN as specified in switches.conf.

        normalVlan  Normal VLAN as specified in switches.conf. Note: It is preferable not to trap than to trap and put in normal VLAN. Make sure you understand what you are doing.

    whitelisted_categories  Nodes in a category listed in whitelisted_categories won't be affected by a violation of this type. Format is a comma separated list of category names.

    Also included in violations.conf is the defaults section. The defaults section will set a default value for every violation in the configuration. If a configuration value is not specified in the specific ID, the default will be used:

    [defaults]
    priority=4
    max_enable=3
    actions=email,log
    auto_enable=Y
    enable=N
    grace=120m
    delay_by=0
    window=0
    vclose=
    target_category=
    button_text=Enable Network
    snort_rules=local.rules,bleeding-attack_response.rules,bleeding-exploit.rules,bleeding-p2p.rules,bleeding-scan.rules,bleeding-virus.rules
    vlan=isolationVlan
    whitelisted_categories=


    max_enable  Number of times a host will be able to try and self remediate before they are locked out and have to call the help desk. This is useful for users who just click through violation pages.

    auto_enable  Specifies if a host can self remediate the violation (enable network button) or if they cannot and must call the help desk.

    grace  Amount of time before the violation can reoccur. This is useful to allow hosts time (in the example 2 minutes) to download tools to fix their issue, or shut off their peer-to-peer application.

    delay_by  Amount of time before the violation action will run.

    window  Amount of time before a violation will be closed automatically. Instead of allowing people to reactivate the network, you may want to open a violation for a defined amount of time instead. You can use the allowed time modifiers or the dynamic keyword. Note that the dynamic keyword only works for accounting violations. Dynamic will open the violation according to the time you set in the accounting violation (i.e. you have an accounting violation for 10GB/month. If you bust the bandwidth after 3 days, the violation will open and the release date will be set for the last day of the current month.)

    vclose  When selecting the "close" action, triggering the violation will close the one you select in the vclose field. This is an experimental workflow for Mobile Device Management (MDM).

    target_category  When selecting the "role" action, triggering the violation will change the node's role to the one you select in the target_category field.

    button_text  Text displayed on the violation form to hosts.

    snort_rules  The Snort rules file is the administrator's responsibility. Please change this to point to your violation rules file(s). If you do not specify a full path, the default is /usr/local/pf/conf/snort. If you need to include more than one file, just separate each filename with a comma.

    Note

    violations.conf is loaded at startup. A restart is required when changes are made to this file.

    Example violation

    In our example we want to isolate people using Limewire. Here we assume Snort is installed and configured to send alerts to PacketFence. Now we need to configure PacketFence isolation.

    Enable the Limewire violation in /usr/local/pf/conf/violations.conf and configure it to trap.

    [2001808]
    desc=P2P (Limewire)
    priority=8
    template=p2p
    actions=log,trap
    enable=Y
    max_enable=1
    trigger=Detect::2001808
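The violation format, the [defaults] inheritance and the Limewire example above are easier to reason about with a small loader that does what the text describes. The following Python is an added example, not PacketFence code: it parses a constructed violations.conf modelled on the fragments above (the [defaults] section is trimmed to the keys the checks need), folds the defaults into each violation, splits the type::ID trigger list, checks the constraints stated in the field descriptions (enable is Y or N, priority is 1-10, actions and vlan are among the documented values, close needs vclose and role needs target_category), and answers the question a live alert raises: which enabled violations does Snort SID 2001808 fire?

```python
import configparser

# Constructed violations.conf excerpt modelled on the fragments shown above.
VIOLATIONS_CONF = """
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enable=N
grace=120m
vclose=
target_category=
vlan=isolationVlan
whitelisted_categories=

[2001808]
desc=P2P (Limewire)
priority=8
template=p2p
actions=log,trap
enable=Y
max_enable=1
trigger=Detect::2001808

[1234]
desc=Your Violation Description
priority=8
template=
enable=Y
trigger=Detect::2200032,Nessus::11808
actions=email,log,trap
vlan=isolationVlan
whitelisted_categories=
"""

# Allowed values, taken from the field descriptions above.
TRIGGER_TYPES = {"Detect", "Nessus", "OpenVAS", "OS", "UserAgent", "VendorMAC", "SoH", "Accounting"}
ACTIONS = {"log", "email", "trap", "winpopup", "external", "close", "role", "autoreg", "unreg"}
VLANS = {"isolationVlan", "registrationVlan", "normalVlan"}


def parse_trigger(value):
    """Split 'type::ID,type::ID' into a list of (type, id) tuples."""
    triggers = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, ident = item.partition("::")
        if not sep:
            raise ValueError(f"trigger {item!r} is not in type::ID form")
        triggers.append((kind, ident))
    return triggers


def load_violations(text):
    """Return {violation_id: settings} with the [defaults] section folded into every violation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    defaults = dict(cp["defaults"]) if cp.has_section("defaults") else {}
    violations = {}
    for name in cp.sections():
        if name == "defaults":
            continue
        merged = dict(defaults)   # defaults first ...
        merged.update(cp[name])   # ... then the violation's own keys override them
        violations[name] = merged
    return violations


def validate(violations):
    """Return a list of problems found in the merged settings (empty means all good)."""
    problems = []
    for vid, v in violations.items():
        if v.get("enable") not in {"Y", "N"}:
            problems.append(f"{vid}: enable must be Y or N")
        if not 1 <= int(v.get("priority", 0)) <= 10:
            problems.append(f"{vid}: priority must be in 1-10")
        actions = {a.strip() for a in v.get("actions", "").split(",") if a.strip()}
        if actions - ACTIONS:
            problems.append(f"{vid}: unknown actions {sorted(actions - ACTIONS)}")
        if "close" in actions and not v.get("vclose"):
            problems.append(f"{vid}: action close needs vclose")
        if "role" in actions and not v.get("target_category"):
            problems.append(f"{vid}: action role needs target_category")
        if v.get("vlan") not in VLANS:
            problems.append(f"{vid}: vlan must be one of {sorted(VLANS)}")
        for kind, ident in parse_trigger(v.get("trigger", "")):
            if kind not in TRIGGER_TYPES or not ident:
                problems.append(f"{vid}: bad trigger {kind}::{ident}")
    return problems


def violations_for(violations, kind, ident):
    """IDs of the enabled violations whose trigger list contains (kind, ident)."""
    return sorted(vid for vid, v in violations.items()
                  if v.get("enable") == "Y" and (kind, ident) in parse_trigger(v.get("trigger", "")))
```

Because enable=N sits in [defaults], a violation that forgets its own enable=Y line silently never fires; running validate() and violations_for() over the real file before the restart that loads it catches that class of mistake.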

    Compliance Checks

    PacketFence supports either Nessus or OpenVAS as a scanning engine for compliance checks.

    Installation

    Nessus

    Please visit http://www.nessus.org/download/ to download and install the Nessus package for your operating system. You will also need to register for the HomeFeed (or the ProfessionalFeed) in order to get the plugins.

    After you installed Nessus, follow the Nessus documentation for the configuration of the Nessus Server, and to create a user for PacketFence.

    OpenVAS

    Please visit http://www.openvas.org/install-packages.html#openvas4_centos_atomic to configure the correct repository to be able to install the latest OpenVAS scanning engine.

    Once installed, please make sure to follow the instructions to correctly configure the scanning engine and create a scan configuration that will fit your needs. You'll also need to create a user for PacketFence to be able to communicate with the server.

    It is important to get the correct scan config ID and NBE report format ID to populate the parameters in the PacketFence configuration file. The easiest way to get these IDs is by downloading both the scan configuration and the report format from the OpenVAS web GUI and retrieving the IDs from the file names.

    For example report-format-f5c2a364-47d2-4700-b21d-0a7693daddab.xml gives report format ID f5c2a364-47d2-4700-b21d-0a7693daddab.

    Configuration

    In order for the compliance checks to correctly work with PacketFence (communication and generating violations inside PacketFence), you must configure two sections:

    pf.conf

    Adjust the settings in the scan section like the following. Don't hesitate to refer to the documentation.conf file for any help on these parameters and which of them to configure.

    Using Nessus:

    [scan]
    engine=nessus
    host=127.0.0.1
    nessus_clientpolicy=basic-policy
    pass=nessusUserPassword
    registration=enabled
    user=nessusUsername

    Of course the basic-policy must exist on the Nessus server. If you want to use a different Nessus policy by category, you have to adjust settings like the following:

    [nessus_category_policy]
    guest=guest_policy
    wifi=wifi_policy

    A node registered as a guest will be scanned with the guest_policy, etc.

    You can also use a different Nessus policy based on the DHCP fingerprint; you have to adjust settings like the following:

    [nessus_scan_by_fingerprint]
    Android=Android
    Mac OS X=MACOSX
    Microsoft Windows=Windows
    iPhone=IOS

    A node with a fingerprint containing Android will be scanned with the Android policy, etc.

    Note

    If there is no policy based on the DHCP fingerprint then PacketFence will try to use the policy based on category, and if it does not exist then PacketFence will use the default policy defined by nessus_clientpolicy.
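The note above gives a three-level precedence (fingerprint, then category, then nessus_clientpolicy) and the fingerprint rule is a substring match ("a fingerprint containing Android"). The following Python function is an added illustration of that resolution order, not PacketFence code; it reads a constructed excerpt of the [scan], [nessus_category_policy] and [nessus_scan_by_fingerprint] sections shown above. The guide does not say which entry wins when several fingerprint keys match, so "first match in file order" is an assumption made here.

```python
import configparser

# Constructed excerpt of the pf.conf scan sections shown above.
PF_SCAN_CONF = """
[scan]
engine=nessus
host=127.0.0.1
nessus_clientpolicy=basic-policy
registration=enabled

[nessus_category_policy]
guest=guest_policy
wifi=wifi_policy

[nessus_scan_by_fingerprint]
Android=Android
Mac OS X=MACOSX
Microsoft Windows=Windows
iPhone=IOS
"""


def load_scan_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # fingerprint keys are compared as written, case included
    cp.read_string(text)
    return cp


def select_nessus_policy(cp, fingerprint, category):
    """Return (policy name, level that decided it) following the precedence in the note.

    Level 1: a [nessus_scan_by_fingerprint] key contained in the node's DHCP fingerprint
             (assumption: the first matching key in file order wins).
    Level 2: the node's category in [nessus_category_policy].
    Level 3: [scan] nessus_clientpolicy.
    """
    if fingerprint and cp.has_section("nessus_scan_by_fingerprint"):
        for needle, policy in cp["nessus_scan_by_fingerprint"].items():
            if needle in fingerprint:
                return policy, "fingerprint"
    if category and cp.has_section("nessus_category_policy"):
        policy = cp["nessus_category_policy"].get(category)
        if policy:
            return policy, "category"
    return cp["scan"]["nessus_clientpolicy"], "default"
```

The second element of the result is the useful part when a device is scanned with an unexpected policy: it tells you which section to look at.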

    Using OpenVAS:

    [scan]
    engine=openvas
    host=127.0.0.1
    openvas_configid=openvasScanConfigId
    openvas_reportformatid=openvasNBEReportFormatId
    pass=openvasUserPassword
    registration=enabled
    user=openvasUsername

    violations.conf

    You need to create a new violation section and have to specify:

    Using Nessus:

    trigger=Nessus::

    Using OpenVAS:

    trigger=OpenVAS::

    Where violationId is either the ID of the Nessus plugin or the OID of the OpenVAS plugin to check for. Once you have finished the configuration, you need to reload the violation related database contents using:

    $ pfcmd reload violations

    Note

    Violations will trigger if the plugin is higher than a low severity vulnerability.

    Scan on registration

    To perform a system scan before giving access to a host on the network you need to enable the scan.registration parameter in pf.conf. If you want to scan a device that has been auto-registered as an 802.1X connection, you need to enable the scan.dot1x parameter in pf.conf. The default EAP-Type that will be scanned is MS-CHAP-V2 but you can configure other EAP-Types (such as MD5-Challenge) by adding them to scan.dot1x_type as a comma-separated list of values (look at the dictionary.freeradius.internal file bundled with FreeRADIUS for the list of EAP-Types).

    It is also recommended to adjust scan.duration to reflect how long the scan takes. A progress bar of this duration will be shown to the user while he is waiting. By default, we set this variable to 60s.

    Hosting Nessus/OpenVAS remotely

    Because of the CPU intensive nature of an automated vulnerability assessment, we recommend that it is hosted on a separate server for large environments. To do so, a couple of things are required:

    • PacketFence needs to be able to communicate to the server on the port specified by the vulnerability engine used
    • The scanning server needs to be able to access the targets. In other words, registration VLAN access is required if scan on registration is enabled.

    If you are using the OpenVAS scanning engine:

    • The scanning server needs to be able to reach PacketFence's Admin interface (on port 1443 by default) by its DNS entry. Otherwise PacketFence won't be notified of completed scans.
    • You must have a valid SSL certificate on your PacketFence server

    If you are using the Nessus scanning engine:

    • You just have to change the host value to the Nessus server IP.


    RADIUS Accounting

    RADIUS Accounting is usually used by ISPs to bill clients. In PacketFence, we are able to use this information to determine if the node is still connected, how much time it has been connected, and how much bandwidth the user consumed.

    Violations

    Using PacketFence, it is possible to add violations to limit bandwidth abuse. The format of the trigger is very simple:

    Accounting::[DIRECTION][LIMIT][INTERVAL(optional)]

    Let's explain each chunk properly:

    • DIRECTION: You can either set a limit to inbound (IN), outbound (OUT), or total (TOT) bandwidth
    • LIMIT: You can set a number of bytes (B), kilobytes (KB), megabytes (MB), gigabytes (GB), or petabytes (PB)
    • INTERVAL: This is actually the time window we will look at for potential abuse. You can set a number of days (D), weeks (W), months (M), or years (Y).

    Example triggers

    Look for Incoming (Download) traffic with a 50GB/month limit

    Accounting::IN50GB1M

    Look for Outgoing (Upload) traffic with a 500MB/day limit

    Accounting::OUT500MB1D

    Look for Total (Download+Upload) traffic with a 200GB limit in the last week

    Accounting::TOT200GB1W

    Grace period

    When using such a violation feature, setting the grace period is really important. You don't want to put it too low (i.e. a user re-enables his network, and gets caught after 1 byte is transmitted!) or too high. We recommend that you set the grace period to one interval window.
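To see how the three example triggers above behave against real accounting data, here is an added Python example (not PacketFence code) that parses the Accounting::[DIRECTION][LIMIT][INTERVAL] format, sums a node's accounting records inside the look-back window and reports whether the limit is exceeded; it also turns the grace period advice above ("one interval window") into a number. The per-node records are constructed sample data, and the unit sizes (1 KB = 1024 B) and interval lengths (a month counted as 30 days, a year as 365) are assumptions of this example, not values stated by the guide.

```python
import re

# LIMIT units listed above; binary multiples are an assumption of this example.
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "PB": 1024 ** 5}
# INTERVAL units listed above, converted to days (30-day month and 365-day year are assumptions).
INTERVAL_DAYS = {"D": 1, "W": 7, "M": 30, "Y": 365}

TRIGGER_RE = re.compile(r"^Accounting::(IN|OUT|TOT)(\d+)(B|KB|MB|GB|PB)(?:(\d+)([DWMY]))?$")


def parse_accounting_trigger(trigger):
    """Return (direction, limit_in_bytes, window_in_days); window is None without an INTERVAL."""
    m = TRIGGER_RE.match(trigger)
    if not m:
        raise ValueError(f"not a valid Accounting trigger: {trigger!r}")
    direction, amount, unit, count, interval = m.groups()
    limit = int(amount) * UNITS[unit]
    window = int(count) * INTERVAL_DAYS[interval] if count else None
    return direction, limit, window


# Constructed accounting records for one node: (day number, bytes downloaded, bytes uploaded).
SAMPLE_RECORDS = [
    (1, 20 * 1024 ** 3, 1 * 1024 ** 3),
    (5, 25 * 1024 ** 3, 2 * 1024 ** 3),
    (12, 10 * 1024 ** 3, 600 * 1024 ** 2),
    (40, 30 * 1024 ** 3, 4 * 1024 ** 3),
]


def usage(records, direction, window, today):
    """Sum the bytes that count for this direction inside the look-back window ending today."""
    total = 0
    for day, down, up in records:
        if window is not None and not (today - window < day <= today):
            continue
        total += {"IN": down, "OUT": up, "TOT": down + up}[direction]
    return total


def evaluate(trigger, records, today):
    """Return (fires, bytes_used, limit_bytes) for a node's records as of `today`."""
    direction, limit, window = parse_accounting_trigger(trigger)
    used = usage(records, direction, window, today)
    return used > limit, used, limit


def recommended_grace_days(trigger):
    """One interval window, as recommended above; None when the trigger has no interval."""
    return parse_accounting_trigger(trigger)[2]
```

Note the effect of the window on the same records: the 50GB/month trigger fires on day 15 (55 GB downloaded in the preceding 30 days) but not on day 45, when only the day-40 session is inside the window. A grace period shorter than the window would re-open the violation as soon as the node sends its first bytes again.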


    Oinkmaster

    Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use, and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.

    Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster configuration file is provided at /usr/local/pf/addons/snort/oinkmaster.conf.

    Configuration

    Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive:

    1. Untar the freshly downloaded Oinkmaster
    2. Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl
    3. Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf
    4. Modify the configuration to suit your own needs. Currently, the configuration file is set to fetch the bleeding rules.

    Rules update

    In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00:

    0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)

    Floating Network Devices

    Starting with version 1.9, PacketFence now supports floating network devices. A floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.

    Caution

    Right now PacketFence only supports floating network devices on Cisco and Nortel switches configured with port-security.

    For a regular device, PacketFence puts it in the VLAN corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).

    A floating network device is a device that PacketFence does not manage as a regular device.

    When a floating network device is plugged, PacketFence will let/allow all the MAC addresses that will be connected to this device (or appear on the port) and if necessary, configure the port as multi-vlan (trunk) and set PVID and tagged VLANs on the port.

    When a floating network device is unplugged, PacketFence will reconfigure the port like before it was plugged.

    Here is how it works:

    Configuration

    • floating network devices have to be identified using their MAC address.
    • linkup/linkdown traps are not enabled on the switches, only port-security traps are.

    When PacketFence receives a port-security trap for a floating network device, it changes the port configuration so that:

    • it disables port-security
    • it sets the PVID
    • it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
    • it enables linkdown traps

    When PF receives a linkdown trap on a port in which a floating network device was plugged, it changes the port configuration so that:

    • it enables port-security
    • it disables linkdown traps

    Identification

    As we mentioned earlier, each floating network device has to be identified. There are two ways to do it:

    • by editing conf/floating_network_device.conf
    • through the Web GUI, in Configuration > Network > Floating devices

    Here are the settings that are available:

    MAC Address  MAC address of the floating device

    IP Address  IP address of the floating device (not required, for information only)

    trunkPort  Yes/no. Should the port be configured as a multi-vlan port?

    pvid  VLAN in which PacketFence should put the port

    taggedVlan  Comma separated list of VLANs. If the port is a multi-vlan, these are the Vlans that have to be tagged on the port.

    Guests Management

    PacketFence supports the ability to manage guests by establishing expire dates and assigning different roles which will permit different accesses to the network resources.

    Guests can self-register themselves using an activation code sent to their mobile phone or they can use their email address and receive an activation link to activate their network access.

    PacketFence has the option to have guests' access sponsored by local staff. Once a guest requests a sponsored access an email is sent to the sponsor and the sponsor must click on a link and authenticate in order to enable his access.

    Moreover, PacketFence also has the option for guests to request their access in advance. Confirmation by email and by a sponsor are the two pre-registration techniques supported at this point.

    The admin GUI allows PacketFence administrators or guests managers to create single accounts, multiple accounts using a prefix (i.e.: guest1, guest2, guest3) or import data from a CSV to create accounts. Access duration and expected arrival date are also customizable.

    Usage

    Guest self-registration

    Self-registration is enabled by default. It is part of the captive portal profile and can be accessed on the registration page by clicking the Sign up link.

    Managed guests

    Part of the web administration interface, the guests management interface is enabled by default. It is accessible through the Users > Create menu.

    Guest pre-registration

    Pre-registration is disabled by default. Once enabled, PacketFence's firewall and Apache ACLs allow access to the /signup page on the portal even from a remote location. All that should be required from the administrators is to open up their perimeter firewall to allow access to PacketFence's management interface IP on port 443 and make sure a domain name to reach said IP is configured (and that the SSL cert matches it). Then you can promote the pre-registration link from your extranet website: https:///signup.

    Caution

    Pre-registration increases the attack surface of the PacketFence system since a subset of its functionality is exposed on the Internet. Make sure you understand the risks, apply the critical operating system updates and apply PacketFence's security fixes.

    Configuration

    Guest self-registration

    It is possible to modify the default values of the guest self-registration feature by editing /usr/local/pf/conf/pf.conf.

    Default values are located in /usr/local/pf/conf/pf.conf.defaults and documentation for every setting is available in /usr/local/pf/conf/documentation.conf.

    [guests_self_registration]
    guest_pid=email
    preregistration=disabled
    sponsorship_cc=

    These parameters can also be configured from the Configuration > Self Registration section of the Web admin interface.

    Available registration modes are defined on a per-portal-profile basis. These are c