Administration Guide for PacketFence version 6.2.1


Administration Guide by Inverse Inc.

Version 6.2.1 - Jul 2016
Copyright 2016 Inverse inc.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL

Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".

Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".


Table of Contents

About this Guide .... 1
  Other sources of information .... 1
Introduction .... 2
  Features .... 2
  Network Integration .... 5
  Components .... 5
System Requirements .... 7
  Assumptions .... 7
  Minimum Hardware Requirements .... 7
  Operating System Requirements .... 7
Installation .... 9
  OS Installation .... 9
  Software Download .... 10
  Software Installation .... 10
Get off on the right foot .... 12
Technical introduction to Inline enforcement .... 13
  Introduction .... 13
  Device configuration .... 13
  Access control .... 13
  Limitations .... 14
Technical introduction to Out-of-band enforcement .... 15
  Introduction .... 15
  VLAN assignment techniques .... 15
  More on SNMP traps VLAN isolation .... 17
Technical introduction to Hybrid enforcement .... 20
  Introduction .... 20
  Device configuration .... 20
Configuration .... 21
  Roles Management .... 21
  Authentication .... 22
  External API authentication .... 24
  SAML authentication .... 25
  Network Devices Definition (switches.conf) .... 27
  Portal Profiles .... 31
  FreeRADIUS Configuration .... 32
  Portal Modules .... 43
Debugging .... 52
  Log files .... 52
  RADIUS Debugging .... 52
More on VoIP Integration .... 54
  CDP and LLDP are your friend .... 54
  VoIP and VLAN assignment techniques .... 54
  What if CDP/LLDP feature is missing .... 55
Advanced topics .... 56
  Apple and Android Wireless Provisioning .... 56
  Billing Engine .... 57
  Devices Registration .... 69
  Eduroam .... 70
  Fingerbank integration .... 74
  Floating Network Devices .... 75
  OAuth2 Authentication .... 77
  Passthrough .... 79
  Production DHCP access .... 80
  Proxy Interception .... 81
  Routed Networks .... 82
  Statement of Health (SoH) .... 85
  VLAN Filter Definition .... 86
  RADIUS Filter Definition .... 88
  DNS enforcement .... 90
  Parked devices .... 90
Optional components .... 92
  Blocking malicious activities with violations .... 92
  Compliance Checks .... 100
  RADIUS Accounting .... 105
  Oinkmaster .... 106
  Guests Management .... 107
  Active Directory Integration .... 110
  DHCP remote sensor .... 115
  Switch login access .... 117
Operating System Best Practices .... 118
  IPTables .... 118
  Log Rotations .... 118
Performance optimization .... 119
  SNMP Traps Limit .... 119
  MySQL optimizations .... 119
  Captive Portal Optimizations .... 122
  Dashboard Optimizations (statistics collection) .... 123
Additional Information .... 125
Commercial Support and Contact Information .... 126
GNU Free Documentation License .... 127
A. Administration Tools .... 128
  pfcmd .... 128
  pfcmd_vlan .... 129

Chapter 1. About this Guide

This guide will walk you through the installation and the day to day administration of the PacketFence solution.

The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

The following documents are included in the package and release tarballs.

Network Devices Configuration Guide (pdf): Covers switch, controllers and access points configuration.

Developers Guide (pdf): Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

CREDITS: This is, at least, a partial file of PacketFence contributors.

NEWS.asciidoc: Covers noteworthy features, improvements and bug fixes by release.

UPGRADE.asciidoc: Covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog: Covers all changes to the source code.


Chapter 2. Introduction

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls; PacketFence can be used to effectively secure networks, from small to very large heterogeneous networks.

Features

Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement, which allows the solution to scale geographically and to be more resilient to failures.

In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.

Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.

Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).

Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).

802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.

Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.

Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Proactive vulnerability scans: Either Nessus, OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability IDs of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.

Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.

Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet, and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.

Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence is developed by a community of developers located mainly in North America. More information can be found at http://www.packetfence.org.


Network Integration

VLAN enforcement is pictured in the above diagram. Inline enforcement should be seen as a simple flat network where PacketFence acts as a firewall/gateway.

Components

PacketFence requires various components to work such as a Web server, a database server, and a RADIUS server. It interacts with external tools to extend its functionalities.


Chapter 3. System Requirements

Assumptions

PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:

- Database server (MySQL or MariaDB)
- Web server (Apache)
- DHCP server (ISC DHCP)
- RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:

- NIDS (Snort/Suricata)

In this guide, we assume that all those components are running on the same server (i.e., "localhost" or "127.0.0.1") that PacketFence will be installed on.

A good understanding of those underlying components and of GNU/Linux is required to install PacketFence. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation of these requirements before continuing with this guide.

Minimum Hardware Requirements

The following provides a list of the minimum server hardware recommendations:

- Intel or AMD CPU 3 GHz
- 8 GB of RAM
- 100 GB of disk space (RAID-1 recommended)
- 1 Network card (2 recommended)

Operating System Requirements

PacketFence supports the following operating systems on the x86_64 architecture:

- Red Hat Enterprise Linux 6.x and 7.x Server
- Community ENTerprise Operating System (CentOS) 6.x and 7.x
- Debian 7.0 (Wheezy) and 8.0 (Jessie)

Make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux, you have to be subscribed to the Red Hat Network before continuing with the PacketFence software installation.

Other distributions such as Fedora and Gentoo are known to work but this document doesn't cover them.

Services start-up

PacketFence takes care of handling the operation of the following services:

- Web server (httpd)
- DHCP server (dhcpd)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

Make sure that all the other services are automatically started by your operating system!

Chapter 4. Installation

This section will guide you through the installation of PacketFence together with its dependencies.

OS Installation

Install your distribution with minimal installation and no additional packages. Then:

- Disable Firewall
- Disable SELinux
- Disable AppArmor
- Disable resolvconf

Make sure your system is up to date and your yum or apt-get database is updated. On a RHEL-based system, do:

    yum update

On a Debian or Ubuntu system, do:

    apt-get update
    apt-get upgrade

Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled. You will need to explicitly disable SELinux in the /etc/selinux/config file and AppArmor with update-rc.d -f apparmor stop, update-rc.d -f apparmor teardown and update-rc.d -f apparmor remove. Regarding resolvconf, you can remove the symlink to that file and simply create the /etc/resolv.conf file with the content you want.
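The state the paragraph above requires can be verified before the packages go on. The following script is an added example, not part of the PacketFence guide or code base: it reads /etc/selinux/config and /etc/resolv.conf, which the guide names, and the AppArmor module's enabled switch at /sys/module/apparmor/parameters/enabled, a standard kernel sysfs path that the guide does not mention. It reports each item as ready or needing a fix and changes nothing on the host.

```python
"""Pre-flight checks for the OS preparation steps above.

Added example, not part of the PacketFence guide or code base.  It only
reads the files the guide tells you to change (SELinux config,
resolv.conf) and the kernel's AppArmor switch in sysfs, so it can run
on any host before the PacketFence packages are installed.
"""
import os
import re

SELINUX_CONFIG = "/etc/selinux/config"
RESOLV_CONF = "/etc/resolv.conf"
# sysfs parameter exposed by the apparmor kernel module: "Y" when enabled
APPARMOR_SYSFS = "/sys/module/apparmor/parameters/enabled"


def selinux_mode(config_text):
    """Return the SELINUX= value from a selinux config body (lower-cased),
    ignoring comments and blank lines; None if the directive is absent.
    SELINUXTYPE= is a different directive and is deliberately skipped."""
    mode = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^SELINUX\s*=\s*(\w+)$", line)
        if match:
            mode = match.group(1).lower()  # last occurrence wins
    return mode


def selinux_disabled(config_text):
    """True only when the config body explicitly says SELINUX=disabled;
    an absent directive is reported as a problem so it gets looked at."""
    return selinux_mode(config_text) == "disabled"


def apparmor_enabled_from(sysfs_text):
    """Interpret the contents of the apparmor 'enabled' parameter."""
    return sysfs_text.strip().upper().startswith("Y")


def resolv_conf_is_static(path=RESOLV_CONF):
    """True when resolv.conf is a regular file rather than the symlink
    resolvconf manages, i.e. the guide's resolvconf step was done."""
    return os.path.isfile(path) and not os.path.islink(path)


def preflight(selinux_path=SELINUX_CONFIG, resolv_path=RESOLV_CONF,
              apparmor_path=APPARMOR_SYSFS):
    """Run every check; return {check name: True if the host is ready}."""
    results = {}
    if os.path.exists(selinux_path):
        with open(selinux_path) as fh:
            results["selinux_disabled"] = selinux_disabled(fh.read())
    else:
        results["selinux_disabled"] = True   # no SELinux on this system
    if os.path.exists(apparmor_path):
        with open(apparmor_path) as fh:
            results["apparmor_disabled"] = not apparmor_enabled_from(fh.read())
    else:
        results["apparmor_disabled"] = True  # module not loaded
    results["resolv_conf_static"] = resolv_conf_is_static(resolv_path)
    return results


if __name__ == "__main__":
    for name, ok in preflight().items():
        print(f"{name}: {'OK' if ok else 'FIX NEEDED'}")
```

Run it as root before `yum install` or `apt-get install`; a FIX NEEDED line points at the preparation step that was skipped. A missing SELINUX= directive is deliberately treated as not disabled rather than guessed at.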

Red Hat-based systems

Note: Applies to CentOS and Scientific Linux but only the x86_64 architecture is supported.

RHEL 6.x

Note: These extra steps are required for RHEL 6 systems only, excluding derivatives such as CentOS or Scientific Linux.

Red Hat Enterprise Linux users need to take an additional setup step. If you are not using the RHN Subscription Management from Red Hat you need to enable the optional channel by running the following as root:

    rhn-channel --add --channel=rhel-`uname -m`-server-optional-6

Debian

All the PacketFence dependencies are available through the official repositories.

Software Download

PacketFence provides a RPM repository for RHEL/CentOS instead of a single RPM file.

For Debian, PacketFence also provides package repositories.

These repositories contain all required dependencies to install PacketFence. This provides numerous advantages:

- easy installation
- everything is packaged as RPM/deb (no more CPAN hassle)
- easy upgrade

Software Installation

RHEL/CentOS

In order to use the PacketFence repository:

    # yum localinstall http://packetfence.org/downloads/PacketFence/RHEL6/`uname -i`/RPMS/packetfence-release-1.2-5.1.noarch.rpm

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    yum install perl
    yum install --enablerepo=packetfence packetfence

Once installed, the Web-based configuration interface will automatically be started. You can access it from https://@ip_of_packetfence:1443/configurator

Debian

For Debian 7:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian wheezy wheezy' > /etc/apt/sources.list.d/packetfence.list

For Debian 8:

In order to use the repository, create a file named /etc/apt/sources.list.d/packetfence.list:

    echo 'deb http://inverse.ca/downloads/PacketFence/debian jessie jessie' > /etc/apt/sources.list.d/packetfence.list

Once the repository is defined, you can install PacketFence with all its dependencies, and the required external services (Database server, DHCP server, RADIUS server) using:

    sudo apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
    sudo apt-get update
    sudo apt-get install packetfence


Chapter 5. Get off on the right foot

Prior to configuring PacketFence, you must choose an appropriate enforcement mode to be used by PacketFence with your networking equipment. The enforcement mode is the technique used to enforce registration and any subsequent access of devices on your network. PacketFence supports the following enforcement modes:

- Inline
- Out-of-band
- Hybrid

It is also possible to combine enforcement modes. For example, you could use the out-of-band mode on your wired switches, while using the inline mode on your old WiFi access points.

The following sections will explain these enforcement modes. If you decide to use the inline mode, please refer to the PacketFence Inline Deployment Quick Guide using ZEN for a complete configuration example. If you decide to use the out-of-band mode, please refer to the PacketFence Out-of-Band Deployment Quick Guide using ZEN.

Chapter 6. Technical introduction to Inline enforcement

Introduction

Before version 3.0 of PacketFence, it was not possible to support unmanageable devices such as entry-level consumer switches or access points. Now, with the new inline mode, PacketFence can be used in-band for those devices. In other words, PacketFence becomes the gateway of that inline network, and NATs or routes the traffic using IPTables/IPSet to the Internet (or to another section of the network). Let's see how it works.

Device configuration

No special configuration is needed on the unmanageable device. That's the beauty of it. You only need to ensure that the device is "talking" on the inline VLAN. At this point, all the traffic will be passing through PacketFence since it is the gateway for this VLAN.

Access control

The access control relies entirely on IPTables/IPSet. When a user is not registered and connects in the inline VLAN, PacketFence will give him an IP address. At this point, the user will be marked as unregistered in the ipset session, all the Web traffic will be redirected to the captive portal and other traffic blocked. The user will have to register through the captive portal as in VLAN enforcement. When he registers, PacketFence changes the device's ipset session to allow the user's MAC address to go through it.

Limitations

Inline enforcement, because of its nature, has several limitations that one must be aware of.

- Everyone behind an inline interface is on the same Layer 2 LAN
- Every packet of authorized users goes through the PacketFence server, increasing the server's load considerably: plan ahead for capacity
- Every packet of authorized users goes through the PacketFence server: it is a single point of failure for Internet access
- Ipset can store up to 65536 entries, so an inline network cannot be larger than a class B

This is why it is considered a poor man's way of doing access control. We have avoided it for a long time because of the above mentioned limitations. That said, being able to perform both inline and VLAN enforcement on the same server at the same time is a real advantage: it allows users to maintain maximum security while they deploy new and more capable network hardware, providing a clean migration path to VLAN enforcement.
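To make the access-control model from the Access control section and the ipset size limit from the list above concrete, here is an added example (not PacketFence code): a plain Python simulation of the per-packet decision an inline gateway takes and of the class B bound on the inline network. The network, MAC address and port numbers are constructed sample values, and the action names mirror iptables targets for readability only.

```python
"""Model of the inline access-control decision and of the ipset size limit.

Added example, not PacketFence code: it simulates in plain Python the rule
set the guide attributes to IPTables/IPSet in the Access control section
(unregistered clients get their web traffic redirected to the captive
portal and everything else dropped; once registered, the MAC passes) and
the ipset capacity limit from the Limitations list.  The network, MAC and
ports are constructed sample values.
"""
import ipaddress

IPSET_MAX_ENTRIES = 65536   # figure quoted in the Limitations list
WEB_PORTS = {80, 443}       # traffic that is redirected to the portal


def fits_ipset(network):
    """True when every address of the inline network could be tracked in
    one ipset: a /16 (class B) is the largest prefix that fits."""
    return ipaddress.ip_network(network, strict=False).num_addresses <= IPSET_MAX_ENTRIES


class InlineGateway:
    """State of one inline network: the set of MACs that have registered,
    standing in for the ipset PacketFence updates on registration."""

    def __init__(self, network):
        if not fits_ipset(network):
            raise ValueError(f"{network} is larger than a class B; ipset cannot hold it")
        self.network = ipaddress.ip_network(network, strict=False)
        self.registered = set()

    def register(self, mac):
        """Captive portal finished: allow this MAC through."""
        self.registered.add(mac.lower())

    def decide(self, src_mac, dst_port):
        """Action for one packet from an inline client (string, like an
        iptables target): ACCEPT, REDIRECT_PORTAL or DROP."""
        if src_mac.lower() in self.registered:
            return "ACCEPT"            # forwarded / NATed as normal traffic
        if dst_port in WEB_PORTS:
            return "REDIRECT_PORTAL"   # DNAT to the captive portal
        return "DROP"                  # everything else is blocked


def walkthrough():
    """Unregistered client, then the same client after registration."""
    gw = InlineGateway("10.20.0.0/22")       # constructed inline network
    mac = "00:11:22:33:44:55"                # constructed client MAC
    before = (gw.decide(mac, 80), gw.decide(mac, 22))
    gw.register(mac)
    after = (gw.decide(mac, 80), gw.decide(mac, 22))
    return before, after


if __name__ == "__main__":
    print(walkthrough())
```

The simulation also shows why the single-point-of-failure limitation holds: every decision, registered or not, is taken on the gateway, so nothing reaches the Internet if that process or host is down.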

Chapter 7. Technical introduction to Out-of-band enforcement

Introduction

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another but not on the same switch port. This means that you can use the more secure and modern techniques for your latest switches and another technique on the old switches that don't support the latest techniques. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs or it can be a special VLAN where PacketFence presents the captive portal for authentication or remediation.

VLAN assignment effectively isolates your hosts at the OSI Layer 2, meaning that it is the trickiest method to bypass and is the one which adapts best to your environment since it glues into your current VLAN assignment methodology.

VLAN assignment techniques

Wired: 802.1X + MAC Authentication

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS server.

The supplicant (i.e., client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol for authentication is called Extensible Authentication Protocol (EAP), which has many variants. Both supplicant and authentication server need to speak the same EAP protocol. The most popular EAP variant is PEAP-MsCHAPv2 (supported by Windows / Mac OS X / Linux for authentication against AD).

In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and will return the appropriate VLAN to the switch. A module that integrates in FreeRADIUS does a remote call to the PacketFence server to obtain that information. More and more devices have an 802.1X supplicant, which makes this approach more and more popular.

MAC Authentication is a new mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. Different vendors have different names for it. Cisco calls it MAC Authentication Bypass (MAB), Juniper calls it MAC RADIUS, Extreme Networks calls it Netlogin, etc. After a timeout period, the switch will stop trying to perform 802.1X and will fall back to MAC Authentication. It has the advantage of using the same approach as 802.1X except that the MAC address is sent instead of the username and there is no end-to-end EAP conversation (no strong authentication). Using MAC Authentication, devices like network printers or non-802.1X capable IP Phones can still gain access to the network and the right VLAN.

Wireless: 802.1X + MAC authentication

Wireless 802.1X works like wired 802.1X and MAC authentication is the same as wired MAC Authentication. Where things change is that the 802.1X is used to set up the security keys for encrypted communication (WPA2-Enterprise) while MAC authentication is only used to authorize (allow or disallow) a MAC on the wireless network.

On wireless networks, the usual PacketFence setup dictates that you configure two SSIDs: an open one and a secure one. The open one is used to help users configure the secure one properly and requires authentication over the captive portal (which runs in HTTPS).

The following diagram demonstrates the flow between a mobile endpoint, a WiFi access point, a WiFi controller and PacketFence:

1. User initiates association to WLAN AP and transmits MAC address. If user accesses network via a registered device in PacketFence go to 8.

2. The WLAN controller transmits MAC address via RADIUS to the PacketFence server to authenticate/authorize that MAC address on the AP.

3. PacketFence server conducts address audit in its database. If it does not recognize the MAC address go to 4. If it does go to 8.

4. PacketFence server directs WLAN controller via RADIUS (RFC 2868 attributes) to put the device in an "unauthenticated" role (set of ACLs that would limit/redirect the user to the PacketFence captive portal for registration, or we can also use a registration VLAN in which PacketFence does DNS blackholing and is the DHCP server).

5. The user's device issues a DHCP/DNS request to PacketFence (which is a DHCP/DNS server on this VLAN or for this role) which sends the IP and DNS information. At this point, ACLs are limiting/redirecting the user to the PacketFence's captive portal for authentication. PacketFence fingerprints the device (user-agent attributes, DHCP information & MAC address patterns) to which it can take various actions including: keep device on registration portal, direct to alternate captive portal, auto-register the device, auto-block the device, etc. If the device remains on the registration portal the user registers by providing the information (username/password, cell phone number, etc.). At this time PacketFence could also require the device to go through a posture assessment (using Nessus, OpenVAS, etc.).

6. If authentication is required (username/password) through a login form, those credentials are validated via the Directory server (or any other authentication sources, like LDAP, SQL, RADIUS, SMS, Facebook, Google+, etc.) which provides user attributes to PacketFence, which creates a user + device policy profile in its database.

7. PacketFence performs a Change of Authorization (RFC 3576) on the controller and the user must be re-authenticated/reauthorized, so we go back to 1.

8. PacketFence server directs WLAN controller via RADIUS to put the device in an "authenticated" role, or in the "normal" VLAN.
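The wired 802.1X/MAC authentication description and the eight wireless steps above describe the same RADIUS-driven VLAN assignment. The following added example (not PacketFence or FreeRADIUS code) simulates that exchange in Python: a controller sends a MAC address, the NAC answers with the RFC 2868 tunnel attributes the steps mention (Tunnel-Type 13 = VLAN and Tunnel-Medium-Type 6 = IEEE 802 are the standard values), the device registers on the portal, a Change of Authorization (RFC 3576) forces re-authorization and the second request lands in the production VLAN. VLAN IDs and the MAC address are constructed sample values.

```python
"""Model of the MAC-authentication flow (steps 1 to 8 above).

Added example, not PacketFence or FreeRADIUS code: a small simulation of
the RADIUS exchange between a WLAN controller (the NAS) and the NAC,
showing how an unknown MAC is steered into the registration VLAN via
RFC 2868 tunnel attributes, registered through the portal, bounced with a
Change of Authorization (RFC 3576) and re-authorized into the production
VLAN.  VLAN numbers and the MAC address are constructed sample values.
"""

REGISTRATION_VLAN = "2"   # constructed: captive-portal / registration VLAN
NORMAL_VLAN = "10"        # constructed: production VLAN

# Standard RADIUS values used for VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


class NacServer:
    """Stand-in for the RADIUS side of the NAC (steps 3, 4, 7 and 8)."""

    def __init__(self):
        self.nodes = {}        # mac -> "unreg" or "reg" (the node database)
        self.coa_sent = []     # MACs for which a CoA was sent to the controller

    def access_request(self, calling_station_id):
        """Step 3: audit the MAC; step 4 or 8: answer with the VLAN."""
        mac = calling_station_id.lower()
        status = self.nodes.setdefault(mac, "unreg")   # unknown MAC -> unregistered
        vlan = NORMAL_VLAN if status == "reg" else REGISTRATION_VLAN
        return {
            "code": "Access-Accept",
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": vlan,
        }

    def portal_register(self, mac):
        """Steps 5 to 7: registration completes on the captive portal, the
        node becomes registered and a CoA tells the controller to re-auth."""
        self.nodes[mac.lower()] = "reg"
        self.coa_sent.append(mac.lower())   # RFC 3576 CoA / Disconnect


def controller_exchange(nac, mac):
    """Controller side of step 2: send the Access-Request carrying the MAC
    and apply the VLAN returned in the reply."""
    request = {"code": "Access-Request", "Calling-Station-Id": mac,
               "NAS-Port-Type": "Wireless-802.11"}
    reply = nac.access_request(request["Calling-Station-Id"])
    return reply["Tunnel-Private-Group-ID"]   # VLAN the device is placed in


def simulate():
    """Full flow for one device: registration VLAN, CoA, production VLAN."""
    nac = NacServer()
    mac = "aa:bb:cc:dd:ee:01"                       # constructed
    first = controller_exchange(nac, mac)          # steps 1-4
    nac.portal_register(mac)                       # steps 5-7
    coa = mac in nac.coa_sent                      # controller re-authenticates
    second = controller_exchange(nac, mac)         # steps 1, 2, 3, 8
    return first, coa, second


if __name__ == "__main__":
    print(simulate())
```

The same functions model the wired case: only the NAS-Port-Type differs, and a switch that falls back from 802.1X to MAC Authentication sends exactly this Calling-Station-Id based request.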

WebAuth mode

Web authentication is a method on the switch that forwards http traffic of the device to the captive portal. With this mode, your device will never change VLAN ID; only the ACL associated to your device will change. Refer to the Network Devices Configuration Guide to see a sample webauth configuration on a Cisco WLC.

Port-security and SNMP

Relies on the port-security SNMP Traps. A fake static MAC address is assigned to all the ports; this way any MAC address will generate a security violation and a trap will be sent to PacketFence. The system will authorize the MAC and set the port in the right VLAN. VoIP support is possible but tricky. It varies a lot depending on the switch vendor. Cisco is well supported but isolation of a PC behind an IP Phone leads to an interesting dilemma: either you shut the port (and the phone at the same time) or you change the data VLAN but the PC doesn't do DHCP (didn't detect link was down) so it cannot reach the captive portal.

Aside from the VoIP isolation dilemma, it is the technique that has proven to be reliable and that has the most switch vendor support.

More on SNMP traps VLAN isolation

Chapter 7 - Technical introduction to Out-of-band enforcement (Copyright 2016 Inverse inc., page 18)

When the VLAN isolation is working through SNMP traps, all switch ports (on which VLAN isolation should be done) must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::Switch class). Depending on your switches' capabilities, pfsetvlan will act on different types of SNMP traps.

You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN also needs to be created.

linkUp/linkDown traps (deprecated)

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just a void VLAN.

When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing? registered? any violations?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port into the MAC detection VLAN.

When a computer boots, the initialization of the NIC generates several link status changes, and every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a linkUp trap when it receives a linkDown trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example, in case of a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and will send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notifications. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.


Technical introduction to Hybrid enforcement

    Introduction

In previous versions of PacketFence, it was not possible to have RADIUS enabled for inline enforcement mode. Now, with the new hybrid mode, all the devices that support 802.1X or MAC authentication can work with this mode. Let's see how it works.

Device configuration

You need to configure inline enforcement mode in PacketFence and configure your switch(es)/access point(s) to use the VLAN assignment techniques (802.1X or MAC authentication). You also need to take care of a specific parameter in the switch configuration window, "Trigger to enable inline mode". This parameter works like a trigger and you have the possibility to define different sorts of triggers:

ALWAYS, PORT, MAC, SSID

where ALWAYS means that the device is always in inline mode, PORT specifies the ifIndex of the port which will use inline enforcement, MAC a MAC address that will be put in inline enforcement rather than VLAN enforcement, and SSID an SSID name. An example:

SSID::GuestAccess,MAC::00:11:22:33:44:55

This will trigger all the nodes that connect to the GuestAccess SSID to use inline enforcement mode (PacketFence will return a void VLAN, or the inline VLAN if defined in the switch configuration), and likewise the client with MAC address 00:11:22:33:44:55 even if it connects on another SSID.
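The trigger syntax above is compact enough to get wrong silently (a mistyped type would simply never match). The following Python is an added example, not PacketFence's own code: it parses a trigger string of the form shown and decides, for a given connection, whether inline or VLAN enforcement applies. The connection-context field names (ssid, mac, ifindex), the MAC normalization and the helper names are assumptions made for this example; it rejects unknown trigger types instead of ignoring them.

```python
"""Parse and evaluate a "Trigger to enable inline mode" string (added example)."""
from typing import Dict, List, Tuple

TRIGGER_TYPES = {"ALWAYS", "PORT", "MAC", "SSID"}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-55 equals 00:11:22:33:44:55."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inline_triggers(spec: str) -> List[Tuple[str, str]]:
    """Turn 'SSID::GuestAccess,MAC::00:11:22:33:44:55' into [(type, value), ...].

    ALWAYS carries no value. Unknown trigger types raise rather than being
    skipped, so a typo cannot quietly leave a device under the wrong enforcement.
    """
    triggers: List[Tuple[str, str]] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        ttype, sep, value = item.partition("::")
        ttype = ttype.upper()
        if ttype not in TRIGGER_TYPES:
            raise ValueError(f"unknown inline trigger type: {ttype!r}")
        if ttype == "ALWAYS":
            triggers.append((ttype, ""))
        elif not sep or not value:
            raise ValueError(f"trigger {ttype} requires a value")
        elif ttype == "MAC":
            triggers.append((ttype, normalize_mac(value)))
        elif ttype == "PORT":
            triggers.append((ttype, str(int(value))))  # ifIndex must be numeric
        else:
            triggers.append((ttype, value))
    return triggers


def use_inline_enforcement(triggers: List[Tuple[str, str]], conn: Dict[str, object]) -> bool:
    """True when any trigger matches the connection; otherwise VLAN enforcement applies.

    conn is a constructed connection context with optional keys ssid, mac, ifindex.
    """
    for ttype, value in triggers:
        if ttype == "ALWAYS":
            return True
        if ttype == "SSID" and conn.get("ssid") == value:
            return True
        if ttype == "MAC" and "mac" in conn and normalize_mac(str(conn["mac"])) == value:
            return True
        if ttype == "PORT" and str(conn.get("ifindex", "")) == value:
            return True
    return False


if __name__ == "__main__":
    triggers = parse_inline_triggers("SSID::GuestAccess,MAC::00:11:22:33:44:55")
    # constructed sample connections
    print(use_inline_enforcement(triggers, {"ssid": "GuestAccess", "mac": "aa:bb:cc:dd:ee:ff"}))
    print(use_inline_enforcement(triggers, {"ssid": "Corp", "mac": "00-11-22-33-44-55"}))
    print(use_inline_enforcement(triggers, {"ssid": "Corp", "mac": "aa:bb:cc:dd:ee:ff"}))
```

The first two sample connections fall under inline enforcement (one by SSID, one by MAC even though it is on another SSID); the third stays under VLAN enforcement.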


    Configuration

At this point in the documentation, PacketFence should be installed. You should also have chosen the right enforcement method for you and completed the initial configuration of PacketFence. The following sections present key concepts and features in PacketFence.

PacketFence provides a web-based administration interface for easy configuration and operational management. If you went through PacketFence's web-based configuration tool, you should have set the password for the admin user.

    Once PacketFence is started, the administration interface is available at: https://@ip_of_packetfence:1443/

The next key steps are important to understand how PacketFence works. In order to get the solution working, you must first understand and configure the following aspects of the solution in this specific order:

1. roles - a role in PacketFence will eventually be mapped to a VLAN, an ACL or an external role. You must define the roles to use in your organization for network access

2. authentication - once roles are defined, you must create an appropriate authentication source in PacketFence. That will allow PacketFence to compute the right role to be used for an endpoint, or for the user using it

3. network devices - once your roles and authentication sources are defined, you must add the switches, WiFi controllers or APs to be managed by PacketFence. When doing so, you will configure how roles are mapped to VLANs, ACLs or external roles

4. portal profiles - at this point, you are almost ready to test. You will need to set which authentication sources are to be used on the default captive portal, or create another one to suit your needs

    5. test!

Note: If you plan to use 802.1X, please see the FreeRADIUS Configuration section below.

Roles Management

Roles in PacketFence can be created from PacketFence's administrative GUI - from the Configuration → Users → Roles section. From this interface, you can also limit the number of devices users belonging to certain roles can register.


Roles are dynamically computed by PacketFence, based on the rules (i.e., a set of conditions and actions) from authentication sources, using a first-match-wins algorithm. Roles are then matched to VLANs, internal roles or ACLs on equipment from the Configuration → Network → Switches module.

    Authentication

PacketFence can authenticate users that register devices via the captive portal using various methods. Among the supported methods, there are:

Active Directory
Apache htpasswd file
Email
External HTTP API
Facebook (OAuth2)
Github (OAuth2)
Google (OAuth2)
Kerberos
LDAP
LinkedIn (OAuth2)
Null
RADIUS
SMS
Sponsored Email
Twitter (OAuth2)
Windows Live (OAuth2)

Moreover, PacketFence can also authenticate users defined in its own internal SQL database. Authentication sources can be created from PacketFence's administrative GUI - from the Configuration → Users → Sources section. Alternatively (but not recommended), authentication sources, rules, conditions and actions can be configured from conf/authentication.conf.

Each authentication source you define will have a set of rules, conditions and actions.

Multiple authentication sources can be defined, and they will be tested in the order specified (note that they can be reordered from the GUI by dragging them around). Each source can have multiple rules, which will also be tested in the order specified. Rules can also be reordered, just like sources. Finally, conditions can be defined for a rule to match certain criteria. If the criteria match (one or more), the actions are then applied and rule testing stops, across all sources, as this is a "first match wins" operation.

When no condition is defined, the rule will be considered as a catch-all. When a catch-all is defined, all actions will be applied for any user that matches in the authentication source.

Once a source is defined, it can be used from Configuration → Portal Profiles. Each portal profile has a list of authentication sources to use.

Example

Let's say we have two roles: guest and employee. First, we define them in Configuration → Users → Roles.

Now, we want to authenticate employees using Active Directory (over LDAP), and guests using PacketFence's internal database - both using PacketFence's captive portal. From Configuration → Users → Sources, we select Add source → AD. We provide the following information:

Name: ad1
Description: Active Directory for Employees
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Users,DC=acme,DC=local
Scope: One-level
Username Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule by clicking on the Add rule button and provide the following information:

Name: employees
Description: Rule for all employees
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: employee

Set unregistration date: January 1st, 2020

Test the connection and save everything. Using the newly defined source, any username that actually matches in the source (using the sAMAccountName) will have the employee role and an unregistration date set to January 1st, 2020.

Now, since we want to authenticate guests from PacketFence's internal SQL database, accounts must be provisioned manually. You can do so from the Users → Create section. When creating guests, specify "guest" for the Set role action, and set an access duration of 1 day.

If you would like to differentiate user authentication and machine authentication using Active Directory, one way to do it is by creating a second authentication source, for machines:

Name: ad1
Description: Active Directory for Machines
Host: 192.168.1.2:389 without SSL/TLS
Base DN: CN=Computers,DC=acme,DC=local
Scope: One-level
Username Attribute: servicePrincipalName
Bind DN: CN=Administrator,CN=Users,DC=acme,DC=local
Password: acme123

Then, we add a rule:

Name: *machines
Description: Rule for all machines
Don't set any condition (as it's a catch-all rule)
Set the following actions:

Set role: machineauth

Set unregistration date: January 1st, 2020

Note

When a rule is defined as a catch-all, it will always match if the username attribute matches the queried one. This applies for Active Directory, LDAP and Apache htpasswd file sources. Kerberos and RADIUS will act as a true catch-all, and accept everything.
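The ordering rules in this section (sources in order, rules in order, first match wins across all sources, a rule without conditions is a catch-all) and the note just above about which sources' catch-alls really accept everything are easy to get wrong when several sources are stacked. The Python below is an added example, not PacketFence's own code: it models those semantics over constructed in-memory directories that mirror the worked example (ad1 for employees, a second AD source for machines, the internal database for guests). It goes slightly beyond the text by putting a conditional rule (memberOf) ahead of the employee catch-all. All source names, attribute values, the it_staff rule and helper names are constructed for this example.

```python
"""First-match-wins evaluation of authentication sources, rules and actions (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attributes = Dict[str, str]
Condition = Callable[[Attributes], bool]

# Source kinds that authenticate without exposing a searchable directory;
# per the note above, their catch-all rules accept every authenticated user.
TRUE_CATCH_ALL_KINDS = {"Kerberos", "RADIUS"}


@dataclass
class Rule:
    name: str
    actions: Dict[str, str]
    conditions: List[Condition] = field(default_factory=list)  # empty == catch-all

    def matches(self, attrs: Attributes) -> bool:
        return all(cond(attrs) for cond in self.conditions)


@dataclass
class Source:
    name: str
    kind: str                          # "AD", "LDAP", "htpasswd", "SQL", "Kerberos", "RADIUS"
    username_attribute: str            # e.g. sAMAccountName or servicePrincipalName
    directory: Dict[str, Attributes]   # username attribute value -> attributes (constructed)
    rules: List[Rule]

    def lookup(self, username: str) -> Optional[Attributes]:
        """Attributes for the user, or None when the username attribute does not match."""
        if self.kind in TRUE_CATCH_ALL_KINDS:
            return {self.username_attribute: username}
        return self.directory.get(username)


def evaluate(sources: List[Source], username: str) -> Optional[Dict[str, str]]:
    """Return the actions of the first matching rule across all sources, or None."""
    for source in sources:
        attrs = source.lookup(username)
        if attrs is None:
            continue  # a catch-all in AD/LDAP/htpasswd still needs the username to exist
        for rule in source.rules:
            if rule.matches(attrs):
                return {"source": source.name, "rule": rule.name, **rule.actions}
    return None


def member_of(group_dn: str) -> Condition:
    """Condition factory: does the memberOf attribute contain the group DN?"""
    return lambda attrs: group_dn in attrs.get("memberOf", "")


# --- constructed sample data mirroring the worked example in the text --------
ad_employees = Source(
    name="ad1", kind="AD", username_attribute="sAMAccountName",
    directory={
        "alice": {"sAMAccountName": "alice", "memberOf": "CN=IT,CN=Users,DC=acme,DC=local"},
        "bob": {"sAMAccountName": "bob", "memberOf": "CN=Sales,CN=Users,DC=acme,DC=local"},
    },
    rules=[
        # conditional rule evaluated before the catch-all (goes beyond the text)
        Rule("it_staff", {"role": "it_staff", "unregdate": "2020-01-01"},
             [member_of("CN=IT,CN=Users,DC=acme,DC=local")]),
        Rule("employees", {"role": "employee", "unregdate": "2020-01-01"}),
    ],
)
ad_machines = Source(
    name="ad1-machines", kind="AD", username_attribute="servicePrincipalName",
    directory={"host/ws01.acme.local": {"servicePrincipalName": "host/ws01.acme.local"}},
    rules=[Rule("machines", {"role": "machineauth", "unregdate": "2020-01-01"})],
)
local_guests = Source(
    name="local", kind="SQL", username_attribute="pid",
    directory={"visitor1": {"pid": "visitor1"}},
    rules=[Rule("guests", {"role": "guest", "access_duration": "1D"})],
)

SOURCES = [ad_employees, ad_machines, local_guests]  # tested in this order


def resolve_role(username: str) -> Optional[str]:
    result = evaluate(SOURCES, username)
    return None if result is None else result["role"]
```

Reordering SOURCES changes the outcome for any username present in more than one directory, which is exactly why the GUI lets you drag sources and rules into a deliberate order.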

Note

If you want to use other LDAP attributes in your authentication source, add them in Configuration → Advanced → Custom LDAP attributes. They will then be available in the rules you define.

External API authentication

PacketFence also supports calling an external HTTP API as an authentication source. The external API needs to implement an authentication action and an authorization action.

Authentication

This should provide the information about whether or not the username/password combination is valid.

This information is available through the POST fields of the request.

The server should reply with two attributes in a JSON response:

result: should be 1 for success, 0 for failure
message: should be the reason it succeeded or failed

Example JSON response:

    {"result":1,"message":"Valid username and password"}


Authorization

This should provide the actions to apply on a user based on its attributes.

The following attributes are available for the reply: access_duration, access_level, sponsor, unregdate, category.

Sample JSON response; note that not all attributes are necessary, only send back what you need.

{"access_duration":"1D","access_level":"ALL","sponsor":1,"unregdate":"2030-01-01","category":"default"}

Note

See /usr/local/pf/addons/example_external_auth for an example implementation compatible with PacketFence.

PacketFence configuration

In PacketFence, you need to configure an HTTP source in order to use an external API.

Here is a brief description of the fields:

Host: first the protocol, then the IP address or hostname of the API and lastly the port to connect to the API.

API username and password: if your API implements HTTP basic authentication (RFC 2617) you can add them in these fields. Leaving either of those two fields empty will make PacketFence do the requests without any authentication.

Authentication URL: URL relative to the host to call when doing the authentication of a user. Note that it is automatically prefixed by a slash.

Authorization URL: URL relative to the host to call when doing the authorization of a user. Note that it is automatically prefixed by a slash.
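To make the two actions concrete, here is an added reference implementation of such an external API in Python's standard library; it is not PacketFence's own code and not the addons/example_external_auth shipped with it. It answers the authentication action with the {"result", "message"} pair described above, answers the authorization action with only the attributes it has for the user (from the allowed set access_duration, access_level, sponsor, unregdate, category), and requires HTTP basic authentication so that PacketFence's API username/password fields are actually enforced. Assumptions made for the example: the POST fields are named username and password, the relative URLs are /authentication and /authorization, and the user store and API credentials are constructed inline. Passwords are stored as salted PBKDF2 hashes and compared in constant time.

```python
"""External HTTP API authentication source for PacketFence (added example)."""
import base64
import hashlib
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional
from urllib.parse import parse_qs

# Basic-auth credentials PacketFence would be configured with (constructed values).
API_USER, API_PASSWORD = "packetfence", "change-me-api-secret"
ALLOWED_REPLY_ATTRIBUTES = ("access_duration", "access_level", "sponsor", "unregdate", "category")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, **attrs: object) -> Dict[str, object]:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), **attrs}


# Constructed sample users; only attributes from ALLOWED_REPLY_ATTRIBUTES are ever returned.
USERS: Dict[str, Dict[str, object]] = {
    "alice": make_user("s3cret!", category="employee", access_duration="1D"),
    "guest42": make_user("welcome", category="guest", unregdate="2030-01-01", sponsor=1),
}


def basic_auth_header(user: str, password: str) -> str:
    """Build the 'Authorization' header value a client (PacketFence) would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str]) -> bool:
    """Validate an RFC 2617 'Basic base64(user:pass)' header in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, API_USER) and hmac.compare_digest(pwd, API_PASSWORD)


def handle_authentication(fields: Dict[str, str]) -> Dict[str, object]:
    """Authentication action: is the username/password combination valid?"""
    user = USERS.get(fields.get("username", ""))
    if user is None:
        hash_password(fields.get("password", ""), b"\x00" * 16)  # same cost for unknown users
        return {"result": 0, "message": "Invalid username or password"}
    candidate = hash_password(fields.get("password", ""), user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return {"result": 0, "message": "Invalid username or password"}
    return {"result": 1, "message": "Valid username and password"}


def handle_authorization(fields: Dict[str, str]) -> Dict[str, object]:
    """Authorization action: only the attributes PacketFence should apply to the user."""
    user = USERS.get(fields.get("username", ""), {})
    return {k: user[k] for k in ALLOWED_REPLY_ATTRIBUTES if k in user}


ACTIONS = {"/authentication": handle_authentication, "/authorization": handle_authorization}


class ExternalAuthHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="external-auth"')
            self.end_headers()
            return
        action = ACTIONS.get(self.path)
        if action is None:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        fields = {k: v[0] for k, v in parse_qs(self.rfile.read(length).decode()).items()}
        body = json.dumps(action(fields)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback for local testing; put TLS in front of it before exposing it.
    HTTPServer(("127.0.0.1", 8080), ExternalAuthHandler).serve_forever()
```

With this running, the PacketFence HTTP source would be configured with Host http://127.0.0.1:8080, the API username/password above, and the two relative URLs authentication and authorization (PacketFence adds the leading slash).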

SAML authentication

PacketFence supports SAML authentication in the captive portal in combination with another internal source to define the level of authorization of the user.

First, transfer the Identity Provider metadata to the PacketFence server. In this example, it will be under the path /usr/local/pf/conf/idp-metadata.xml.

Then, transfer the certificate and CA certificate of the Identity Provider to the server. In this example, they will be under the paths /usr/local/pf/conf/ssl/idp.crt and /usr/local/pf/conf/ssl/idp-ca.crt. If it is a self-signed certificate, then you will be able to use it as the CA in the PacketFence configuration.


Then, to configure SAML in PacketFence, go in Configuration → Sources and then create a new Internal source of the type SAML and configure it.

    Where:

Service Provider entity ID is the identifier of the Service Provider (PacketFence). Make sure this matches your Identity Provider configuration.

Path to Service Provider key is the path to the key that will be used by PacketFence to sign its messages to the Identity Provider. A default one is provided under the path: /usr/local/pf/conf/ssl/server.key

Path to Service Provider cert is the path to the certificate associated to the key above. A self-signed one is provided under the path: /usr/local/pf/conf/ssl/server.key

Path to Identity Provider metadata is the path to the metadata file you transferred above (should be in /usr/local/pf/conf/idp-metadata.xml).

Path to Identity Provider cert is the path to the certificate of the identity provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/idp.crt).


Path to Identity Provider CA cert is the path to the CA certificate of the identity provider you transferred to the server above (should be in /usr/local/pf/conf/ssl/ca-idp.crt). If the certificate above is self-signed, put the same path as above in this field.

Attribute of the username in the SAML response is the attribute that contains the username in the SAML assertion returned by your Identity Provider. The default should fit at least SimpleSAMLphp.

Authorization source is the source that will be used to match the username against the rules defined in it. This allows setting the role and access duration of the user. The Authentication section of this document contains explanations on how to configure an LDAP source, which can then be used here.

Once this is done, save the source and you will be able to download the Service Provider metadata for PacketFence using the link Download Service Provider metadata on the page.

Configure your identity provider according to the generated metadata to complete the trust between PacketFence and your Identity Provider.

In the case of SimpleSAMLphp, the following configuration was used in metadata/saml20-sp-remote.php:

$metadata['PF_ENTITY_ID'] = array(
    'AssertionConsumerService' => 'http://PORTAL_HOSTNAME/saml/assertion',
    'SingleLogoutService'      => 'http://PORTAL_HOSTNAME/saml/logoff',
);

Note

PacketFence does not support logoff on the SAML Identity Provider. You can still define the URL in the metadata but it will not be used.

Passthroughs

In order for your users to be able to access the Identity Provider login page, you will need to activate passthroughs and add the Identity Provider domain to the allowed passthroughs.

To do so, go in Configuration → Trapping, then check Passthrough and add the Identity Provider domain name to the Passthroughs list.

Next, restart iptables and pfdns to apply your new passthroughs. Also make sure net.ipv4.ip_forward = 1 is configured in /etc/sysctl.conf.

Network Devices Definition (switches.conf)

This section applies only for VLAN enforcement. Users planning to do inline enforcement only can skip this section.

PacketFence needs to know which switches, access points or controllers it manages, their type and configuration. All this information is stored in /usr/local/pf/conf/switches.conf. You can modify the configuration directly in the switches.conf file or you can do it from the Web Administration panel under Configuration → Network → Switches - which is now the preferred way.

The /usr/local/pf/conf/switches.conf configuration file contains a default section including:

Default SNMP read/write communities for the switches
Default working mode (see the note below about possible working modes)

and a switch section for each switch (managed by PacketFence) including:

Switch IP/MAC/Range
Switch vendor/type
Switch uplink ports (trunks and non-managed IfIndex)
Per-switch re-definition of the VLANs (if required)

Note: switches.conf is loaded at startup. A reload is required when changes are manually made to this file: /usr/local/pf/bin/pfcmd configreload

Working modes

There are three different working modes for a switch in PacketFence:

Testing: pfsetvlan writes in the log files what it would normally do, but it doesn't do anything.

Registration: pfsetvlan automatically registers all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.

Production: pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.

RADIUS

To set the RADIUS secret, set it from the Web administrative interface when adding a switch. Alternatively, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameter:

    radiusSecret = secretPassPhrase

Moreover, the RADIUS secret is required to support RADIUS Dynamic Authentication (Change of Authorization or Disconnect) as defined in RFC 3576.

SNMP v1, v2c and v3

PacketFence uses SNMP to communicate with most switches. PacketFence also supports SNMPv3. You can use SNMPv3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch. SNMP usage is discouraged; you should now use RADIUS. However, even if RADIUS is being used, some switches might also require SNMP to be configured to work properly with PacketFence.


From PacketFence to a switch

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = AES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = AES
SNMPPrivPasswordWrite = privpwdwrite

From a switch to PacketFence

Edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = AES
SNMPPrivPasswordTrap = privpwdread

Switch Configuration

Here is a switch configuration example in order to enable SNMPv3 in both directions on a Cisco switch.

snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv aes 128 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv aes 128 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security

Command-Line Interface: Telnet and SSH

Warning

Privilege detection is disabled in the current PacketFence version due to some issues (see #1370). So make sure that the cliUser and cliPwd you provide always get you into a privileged mode (except for Trapeze hardware).

    http://www.packetfence.org/bugs/view.php?id=1370


PacketFence sometimes needs to establish an interactive command-line session with a switch. This can be done using Telnet. You can also use SSH. In order to do so, edit the switch configuration file (/usr/local/pf/conf/switches.conf) and set the following parameters:

cliTransport = SSH (or Telnet)
cliUser = admin
cliPwd = admin_pwd
cliEnablePwd =

It can also be done through the Web Administration Interface under Configuration → Switches.

Web Services Interface

PacketFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch config file (/usr/local/pf/conf/switches.conf) and set the following parameters:

wsTransport = http (or https)
wsUser = admin
wsPwd = admin_pwd

It can also be done through the Web Administration Interface under Configuration → Switches.

Role-based enforcement support

Some network devices support the assignment of a specific set of rules (firewall or ACLs) to a user. The idea is that these rules can be a lot more accurate in controlling what a user can or cannot do compared to VLANs, which have a larger network management overhead.

PacketFence supports assigning roles on devices for switches and WiFi controllers that support it. The current role assignment strategy is to assign it along with the VLAN (that may change in the future). A special internal role to external role assignment must be configured in the switch configuration file (/usr/local/pf/conf/switches.conf).

The current format is the following:

    Format: Role=

And you assign it to the global roles parameter or the per-switch one. For example:

adminRole=full-access
engineeringRole=full-access
salesRole=little-access

would return the full-access role to the nodes categorized as admin or engineering and the role little-access to nodes categorized as sales. It can also be done through the Web Administration Interface under Configuration → Switches.
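Because switches.conf inherits everything from the default section, a switch that looks fine in its own section may still be running SNMPv2c with the default communities, Telnet for CLI access, or a testing mode that never changes VLANs. The Python below is an added example, not PacketFence's own code: it loads a switches.conf-style file with default inheritance, extracts the <role>Role=<external role> mapping described above, and audits the security-relevant parameters discussed in this section (SNMP version and protocols, working mode, radiusSecret, cliTransport). The sample file is constructed; the key names SNMPVersion, SNMPAuthProtocol*, SNMPPrivProtocol*, radiusSecret, cliTransport, mode, type and uplink are the ones shown in this section, while SNMPCommunityRead and SNMPCommunityWrite are assumed names for the "default SNMP read/write communities" the text mentions.

```python
"""Audit a switches.conf-style file for weak SNMP/CLI/RADIUS settings (added example)."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample file: the second switch inherits almost everything from [default].
SAMPLE_SWITCHES_CONF = """
[default]
SNMPVersion = 2c
SNMPCommunityRead = public
SNMPCommunityWrite = private
mode = production
cliTransport = Telnet
adminRole = full-access
salesRole = little-access

[192.168.1.10]
type = Cisco::Catalyst_2960
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPPrivProtocolRead = AES
SNMPVersionTrap = 3
radiusSecret = secretPassPhrase
cliTransport = SSH

[192.168.1.11]
type = HP::Procurve_2600
mode = testing
uplink = 25,26
engineeringRole = full-access
"""

WEAK_AUTH_PROTOCOLS = {"MD5"}
WEAK_PRIV_PROTOCOLS = {"DES"}
DEFAULT_COMMUNITIES = {"public", "private"}


def load_switches_conf(text: str) -> configparser.ConfigParser:
    """Parse the file; [default] values are inherited by every switch section."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep key case: SNMPVersion must not become snmpversion
    cp.read_string(text)
    return cp


def role_mapping(section: configparser.SectionProxy) -> Dict[str, str]:
    """Collect <internal role>Role = <external role> entries, defaults included."""
    return {k[:-len("Role")]: v for k, v in section.items() if k.endswith("Role") and k != "Role"}


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (switch, finding) pairs for settings a reviewer would flag."""
    cp = load_switches_conf(text)
    findings: List[Tuple[str, str]] = []
    for name in cp.sections():
        s = cp[name]
        if s.get("SNMPVersion", "") != "3":
            findings.append((name, "SNMP v1/v2c: community strings travel in cleartext"))
            for key in ("SNMPCommunityRead", "SNMPCommunityWrite"):
                if s.get(key, "") in DEFAULT_COMMUNITIES:
                    findings.append((name, f"{key} is a well-known default community"))
        else:
            for suffix in ("Read", "Write", "Trap"):
                if s.get("SNMPAuthProtocol" + suffix, "") in WEAK_AUTH_PROTOCOLS:
                    findings.append((name, f"SNMPv3 {suffix.lower()} user authenticates with MD5"))
                if s.get("SNMPPrivProtocol" + suffix, "") in WEAK_PRIV_PROTOCOLS:
                    findings.append((name, f"SNMPv3 {suffix.lower()} user encrypts with DES"))
        if s.get("cliTransport", "").lower() == "telnet":
            findings.append((name, "CLI transport is Telnet: credentials sent in cleartext"))
        if not s.get("radiusSecret"):
            findings.append((name, "no radiusSecret: RADIUS and RFC 3576 CoA unavailable"))
        if s.get("mode", "") != "production":
            findings.append((name, f"working mode is {s.get('mode')}: no VLAN changes are applied"))
    return findings


if __name__ == "__main__":
    for switch, finding in audit(SAMPLE_SWITCHES_CONF):
        print(f"{switch}: {finding}")
    print(role_mapping(load_switches_conf(SAMPLE_SWITCHES_CONF)["192.168.1.11"]))
```

On the sample, the Cisco switch gets a single finding (MD5 authentication for its SNMPv3 read user, matching the example configuration in this section), while the HP switch collects six findings purely through inheritance from the default section, and its role mapping shows the default roles merged with its own engineeringRole entry.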


Caution: Make sure that the roles are properly defined on the network devices prior to assigning roles!

Portal Profiles

PacketFence comes with a default portal profile. The following parameters are important to configure no matter if you use the default portal profile or create a new one:

Redirect URL under Configuration → Portal Profile → Portal Name

For some browsers, it is preferable to redirect the user to a specific URL instead of the URL the user originally intended to visit. For these browsers, the URL defined in redirecturl will be the one where the user will be redirected. Affected browsers are Firefox 3 and later.

IP under Configuration → Captive portal

This IP is used as the web server which hosts the common/network-access-detection.gif that is used to detect if network access was enabled. It cannot be a domain name since it is used in registration or quarantine, where DNS is black-holed. It is recommended that you allow your users to reach your PacketFence server and put your LAN's PacketFence IP. By default we will make this reach PacketFence's website as an easier and more accessible solution.

In some cases, you may want to present a different captive portal (see below for the available customizations) according to the SSID, the VLAN, the switch IP/MAC or the URI the client connects to. To do so, PacketFence has the concept of portal profiles which gives you this possibility.

When configured, portal profiles will override the default values for which they are configured. When no values are configured in the profile, PacketFence will take its default ones (according to the "default" portal profile).

Here are the different configuration parameters that can be set for each portal profile. The only mandatory parameter is "filter"; otherwise, PacketFence won't be able to correctly apply the portal profile. The parameters must be set in conf/profiles.conf:

[profilename1]
description = the description of your portal profile
filter = the name of the SSID for which you'd like to apply the profile, or the VLAN number
sources = comma-separated list of authentication sources (IDs) to use

Portal profiles should be managed from PacketFence's Web administrative GUI - from the Configuration → Portal Profiles section. Adding a portal profile from that interface will correctly copy templates over - which can then be modified as you wish.

Filters under Configuration → Portal Profile → Portal Name → Filters

PacketFence offers the following filters: Connection Type, Network, Node Role, Port, realm, SSID, Switch, Switch Port, URI, VLAN and Time period.


Example with the most common ones:

SSID: Guest-SSID
VLAN: 100
Switch Port: -
Network: Network in CIDR format or an IP address

Caution

Node role will take effect only with an 802.1X connection or if you use VLAN filters.

PacketFence relies extensively on Apache for its captive portal, administrative interface and Web services. The PacketFence Apache configuration is located in /usr/local/pf/conf/httpd.conf.d/.

In this directory you have three important files: httpd.admin, httpd.portal, httpd.webservices, httpd.aaa.

httpd.admin is used to manage the PacketFence admin interface
httpd.portal is used to manage the PacketFence captive portal interface
httpd.webservices is used to manage the PacketFence web services interface
httpd.aaa is used to manage incoming RADIUS requests

These files have been written using the Perl language and are completely dynamic - so they activate services only on the network interfaces provided for this purpose.

The other files in this directory are managed by PacketFence using templates, so it is easy to modify these files based on your configuration. SSL is enabled by default to secure access.

Upon PacketFence installation, self-signed certificates will be created in /usr/local/pf/conf/ssl (server.key and server.crt). Those certificates can be replaced anytime by your 3rd-party or existing wildcard certificate without problems. Please note that the CN (Common Name) needs to be the same as the one defined in the PacketFence configuration file (pf.conf).

FreeRADIUS Configuration

This section presents the FreeRADIUS configuration steps. On some occasions, a RADIUS server is mandatory in order to give access to the network. For example, the usage of WPA2-Enterprise (Wireless 802.1X), MAC authentication and Wired 802.1X all require a RADIUS server to authenticate the users and the devices, and then to push the proper roles or VLAN attributes to the network equipment.


Option 1: Authentication against Active Directory (AD)

Caution

If you are using an Active/Active or Active/Passive cluster, please follow the instructions under Option 1b since the instructions below do not currently work in a cluster.

In order to have domain authentication working properly, you need to enable IP forwarding on your server. To do it permanently, look in /etc/sysctl.conf, and set the following line:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Now execute sysctl -p to apply the configuration.

Next, go in the Administration interface under Configuration → Domains.

Note

If you can't access this section and you have previously configured your server to bind to a domain externally to PacketFence, make sure you run /usr/local/pf/addons/AD/migrate.pl

Click Add Domain and fill in the information about your domain.


    Where:

Identifier is a unique identifier for your domain. Its purpose is only visual.

Workgroup is the workgroup of your domain in the old syntax (like NT4).

DNS name of the domain is the FQDN of your domain, the one that suffixes your account names.

This server's name is the name that the server's account will have in your Active Directory.

DNS server is the IP address of the DNS server of this domain. Make sure that the server you put there has the proper DNS entries for this domain.

Username is the username that will be used for binding to the server. This account must be a domain administrator.

Password is the password for the username defined above.


Troubleshooting

In order to troubleshoot unsuccessful binds, please refer to the following file: /chroots//var/log/samba/log.winbindd. Replace with the identifier you set in the domain configuration.

You can validate the domain bind using the following command: chroot /chroots/ wbinfo -u

You can test the authentication process using the following command: chroot /chroots/ ntlm_auth --username=administrator

Note

Under certain conditions, the test join may show as unsuccessful in the Administration interface but the authentication process will still work properly. Try the test above before doing any additional troubleshooting.

Default domain configuration

You should now define the domain you want to use as the default one by creating the following realm in Configuration → Realms.

Next, restart PacketFence in Status → Services.

Multiple domains authentication

First configure your domains in Configuration → Domains.

Once they are configured, go in Configuration → Realms.


Create a new realm that matches the DNS name of your domain AND one that matches your workgroup. In the case of this example, they will be DOMAIN.NET and DOMAIN.

    Where:

Realm is either the DNS name (FQDN) of your domain or the workgroup

Realm options are any realm options that you want to add to the FreeRADIUS configuration

Domain is the domain which is associated to this realm

Now create the two other realms associated to your other domains.

You should now have the following realm configuration.


Option 1b: Authentication against Active Directory (AD) in a cluster

    Samba/Kerberos/Winbind

Install Samba. You can either use the sources or use the package for your OS. For RHEL/CentOS, do:

    yum install samba krb5-workstation

For Debian and Ubuntu, do:

    apt-get install samba winbind krb5-user

Note

If you have Windows 7 PCs in your network, you need to use Samba version 3.5.0 (or greater).

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers. Then, you need to modify /etc/krb5.conf. Here is an example for the DOMAIN.NET domain for CentOS/RHEL:


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }

[domain_realm]
 .domain.net = DOMAIN.NET
 domain.net = DOMAIN.NET

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

For Debian and Ubuntu:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.NET
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Next, edit /etc/samba/smb.conf. Again, here is an example for our DOMAIN.NET for CentOS/RHEL:


[global]
 workgroup = DOMAIN
 server string = %h
 security = ads
 passdb backend = tdbsam
 realm = DOMAIN.NET
 encrypt passwords = yes
 winbind use default domain = yes
 client NTLMv2 auth = yes
 preferred master = no
 domain master = no
 local master = no
 load printers = no
 log level = 1 winbind:5 auth:3
 winbind max clients = 750
 winbind max domain connections = 15
 machine password timeout = 0

For Debian and Ubuntu:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ads
 realm = DOMAIN.NET
 password server = 192.168.1.1
 domain master = no
 local master = no
 preferred master = no
 winbind separator = +
 winbind enum users = yes
 winbind enum groups = yes
 winbind use default domain = yes
 winbind nested groups = yes
 winbind refresh tickets = yes
 template homedir = /home/%D/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 restrict anonymous = 2
 log file = /var/log/samba/log.%m
 max log size = 50
 machine password timeout = 0

    Issue a kinit and klist in order to get and verify the Kerberos token:

    # kinit administrator
    # klist

    After that, you need to start samba, and join the machine to the domain:


    # service smb start
    # chkconfig --level 345 smb on
    # net ads join -U administrator

    Note that for Debian and Ubuntu you will probably have this error:

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Join to domain is not valid: Invalid credentials

    For CentOS/RHEL:

    # usermod -a -G wbpriv pf

    Finally, start winbind, and test the setup using ntlm_auth and radtest:

    # service winbind start
    # chkconfig --level 345 winbind on

    For Debian and Ubuntu:

    # usermod -a -G winbindd_priv pf

    # ntlm_auth --username myDomainUser
    # radtest -t mschap -x myDomainUser myDomainPassword localhost:18120 12 testing123
    Sending Access-Request of id 108 to 127.0.0.1 port 18120
        User-Name = "myDomainUser"
        NAS-IP-Address = 10.0.0.1
        NAS-Port = 12
        Message-Authenticator = 0x00000000000000000000000000000000
        MS-CHAP-Challenge = 0x79d62c9da4e55104
        MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000091c843b420f0dec4228ed2f26bff07d5e49ad9a2974229e5
    rad_recv: Access-Accept packet from host 127.0.0.1 port 18120, id=108, length=20
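A consistency check for the krb5.conf/smb.conf pair configured above, added here as an example and not part of the PacketFence guide: it embeds constructed, trimmed copies of the two snippets and reports the settings that must agree before net ads join and the ntlm_auth test can succeed. The krb5.conf parser only handles the subset of the syntax shown on this page.

```python
import configparser
import re

# Constructed sample: the CentOS/RHEL krb5.conf shown above (trimmed).
KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.NET

[realms]
 DOMAIN.NET = {
  kdc = adserver.domain.net:88
  admin_server = adserver.domain.net:749
  default_domain = domain.net
 }
"""

# Constructed sample: the matching smb.conf [global] section (trimmed).
SMB_CONF = """\
[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN.NET
winbind use default domain = yes
machine password timeout = 0
"""

def krb5_settings(text):
    """Return (default_realm, realms); realms are the names that own a
    NAME = { ... } block under [realms]. Only that subset of krb5.conf
    syntax is handled here."""
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    default_realm = m.group(1) if m else None
    realms, in_realms = set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_realms = stripped == "[realms]"
            continue
        block = re.match(r"(\S+)\s*=\s*\{", stripped)
        if in_realms and block:
            realms.add(block.group(1))
    return default_realm, realms

def smb_global(text):
    """Parse smb.conf [global]; parameter names come back lower-cased,
    which matches Samba's case-insensitive handling."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %h, %U literal
    cp.read_string(text)
    return dict(cp["global"])

def lint(krb5_text, smb_text):
    """Return a list of findings; an empty list means the pair agrees."""
    findings = []
    default_realm, realms = krb5_settings(krb5_text)
    g = smb_global(smb_text)
    realm = g.get("realm")
    if g.get("security") != "ads":
        findings.append("smb.conf: security must be 'ads' to join the domain")
    if realm != default_realm:
        findings.append(f"realm mismatch: smb.conf realm={realm!r}, "
                        f"krb5.conf default_realm={default_realm!r}")
    if default_realm and default_realm not in realms:
        findings.append(f"krb5.conf: no [realms] block for {default_realm}")
    # ntlm_auth above is run with a bare username; that needs this set to yes.
    if g.get("winbind use default domain") != "yes":
        findings.append("smb.conf: winbind use default domain should be yes")
    # 0 disables automatic machine-account password changes, as the guide sets.
    if g.get("machine password timeout") != "0":
        findings.append("smb.conf: machine password timeout should be 0")
    return findings
```

Run lint() over the real /etc/krb5.conf and /etc/samba/smb.conf contents before retrying a join that fails with "Invalid credentials".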

    Option 2: Local Authentication

    Add your users entries at the end of the /usr/local/pf/raddb/users file with the following format:

    username Cleartext-Password := "password"

    Option 3: EAP authentication against OpenLDAP

    To authenticate 802.1X connections against OpenLDAP you need to define the LDAP connection in /usr/local/pf/raddb/modules/ldap and be sure that the user password is defined as an NT hash or as cleartext.


    ldap openldap {
        server = "ldap.acme.com"
        identity = "uid=admin,dc=acme,dc=com"
        password = "password"
        basedn = "dc=district,dc=acme,dc=com"
        filter = "(uid=%{mschap:User-Name})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60

            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3

            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

    Next, in /usr/local/pf/raddb/sites-available/packetfence-tunnel add in the authorize section:

    authorize {
        suffix
        ntdomain
        eap {
            ok = return
        }
        files
        openldap
    }

    Option 4: EAP Guest Authentication on email, sponsor and SMS registration

    This section will allow local credentials created during guest registration to be used in 802.1X EAP-PEAP connections.

    First create a guest SSID with the guest access you want to use (Email, Sponsor or SMS, etc.) and activate Create local account on that source.

    At the end of the guest registration, PacketFence will send an email with the credentials for Email and Sponsor. For SMS, the phone number and the PIN code should be used.


    Note

    This option doesn't currently work with the Reuse dot1x credentials option of the captive portal.

    In /usr/local/pf/conf/radiusd/packetfence-tunnel uncomment the line # packetfence-local-auth and restart radiusd.

    This will activate the feature for any local account on the PacketFence server. You can restrict which accounts can be used by commenting the appropriate line in /usr/local/pf/raddb/policy.d/packetfence. For example, if you would want to deactivate this feature for accounts created via SMS, you would have the following:

    packetfence-local-auth {
        # Disable ntlm_auth
        update control {
            &MS-CHAP-Use-NTLM-Auth := No
        }
        # Check password table for local user
        pflocal
        if (fail || notfound) {
            # Check password table with email and password for a sponsor registration
            pfguest
            if (fail || notfound) {
                # Check password table with email and password for a guest registration
                pfsponsor
                if (fail || notfound) {
                    # *Don't* check activation table with phone number and PIN code
                    # pfsms
                }
            }
        }
    }


    Edit /usr/local/pf/raddb/sites-available/packetfence-tunnel

    In this example we activate this feature on a specific SSID name (Secure-local-Wireless), disable NTLM Auth by default and test the local account. If that fails, we reactivate NTLM Auth.

    #### Activate local user eap authentication based on a specific SSID ####
    ## Set Called-Station-SSID with the current SSID
    # set.called_station_ssid
    # if (Called-Station-SSID == 'Secure-local-Wireless') {
    #     # Disable ntlm_auth
    #     update control {
    #         MS-CHAP-Use-NTLM-Auth := No
    #     }
    #     # Check password table for local user
    #     pflocal
    #     if (fail || notfound) {
    #         update control {
    #             MS-CHAP-Use-NTLM-Auth := Yes
    #         }
    #     }
    # }

    Caution

    You will need to deactivate password hashing in the database for local authentication to work. In the administration interface, go in Configuration → Advanced and set Database passwords hashing method to plaintext.

    Tests

    Test your setup with radtest using the following command and make sure you get an Access-Accept answer:

    # radtest dd9999 Abcd1234 localhost:18120 12 testing123
    Sending Access-Request of id 74 to 127.0.0.1 port 18120
        User-Name = "dd9999"
        User-Password = "Abcd1234"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 12
    rad_recv: Access-Accept packet from host 127.0.0.1:18120, id=74, length=20

    Portal Modules

    The PacketFence captive portal flow is highly customizable. This section will cover the Portal Modules which are used to define the behavior of the captive portal.


    Note

    When upgrading from a version that doesn't have the portal modules, the PacketFence Portal Modules configuration already comes with defaults that will fit most cases and offers the same behavior as previous versions of PacketFence. Meaning, all the available Portal Profile sources are used for authentication, then the available provisioners will be used.

    First, a brief description of the available Portal Modules:

    Root: This is where it all starts. This module is a simple container that defines all the modules that need to be applied in a chained way to the user. Once the user has completed all modules contained in the Root, he is released on the network.

    Choice: This allows to give a choice between multiple modules to the user. The default_registration_policy is a good example of a choice that is offered to the user.

    Chained: This allows you to define a list of modules that a user needs to go through in the order that they are defined - ex: you want your users to register via Google+ and pay for their access using PayPal.

    Message: This allows you to display a message to the user. An example is available below in Displaying a message to the user after the registration.

    URL: This allows you to redirect the user to a local or external URL which can then come back to the portal to continue. An example is available below in Calling an external website.

    Authentication: The authentication modules can be of a lot of types. You would want to define one of these modules in order to override the required fields, the source to use, the template or any other module attribute.

    Billing: Allows to define a module based on one or more billing sources.

    Choice: Allows to define a module based on multiple sources and modules with advanced filtering options. See the section Authentication Choice module below for a detailed explanation.

    Login: Allows you to define a username/password based module with multiple internal sources (Active Directory, LDAP, etc.)

    Other modules: The other modules are all based on the source type they are assigned to. They allow to select the source, the AUP acceptance, and mandatory fields if applicable.

    Examples

    This section will contain the following examples:

    Prompting for fields without authentication.

    Prompting additional fields during the authentication.

    Chained authentication.

    Mixing login and Secure SSID on-boarding on the portal.

    Displaying a message to the user after the registration.


    Creating a custom root module

    First, create a custom root module for our examples in order to not affect the default policy. In order to do so, go in Configuration → Portal Modules, then click Add Portal Module and select the type Root. Give it the identifier my_first_root_module and the description My first root module, then hit save.

    Next, head to Configuration → Portal Profiles, select the portal profile you use (most probably default) and then under Root Portal Module, assign My first root module then save your profile. If you were to access the captive portal now, an error would display since the Root module we configured doesn't contain anything.

    You could add some of the preconfigured modules to the new Root module you created and that would make the error disappear.

    Prompting for fields without authentication

    In order to prompt fields without authentication, you can use the Null source with the Null Portal Module.

    PacketFence already comes with a Null source preconfigured. If you haven't modified it or deleted it, you can use it for this example. Otherwise, go in Configuration → Sources and create a new Null source with a catchall rule that assigns a role and access duration.

    Then go in Configuration → Portal Modules and click Add Portal Module and select Authentication → Null. Set the Identifier to prompt_fields and configure the module with the Mandatory fields you want and uncheck Require AUP so that the user doesn't have to accept the AUP before submitting these fields.

    Next, add the prompt_fields module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, it should prompt you for the fields you defined in the module. Then, submitting this information will assign you the role and access duration that you defined in the null source.

    Prompting additional fields during the authentication

    If you want to prompt additional fields during the authentication process for a module, you can define a Module based on that source that will specify the additional mandatory fields for this source.

    You can also add additional mandatory fields to the default policies that are already configured.

    This example will make the default_guest_policy require the user to enter a first name, last name and address so that guests have to enter these three pieces of information before registering.

    Go in Configuration → Portal Modules and click the default_guest_policy. Add firstname, lastname and address to the Mandatory fields and save.

    Next, add the default_guest_policy to my_first_root_module (removing any previous modules). Now when visiting the portal, selecting any of the guest sources will require you to enter both the mandatory fields of the source (ex: phone + mobile provider) and the mandatory fields you defined in the default_guest_policy.

    Note

    Not all sources support additional mandatory fields (ex: OAuth sources like Google, Facebook, etc.).

    Chained authentication

    The portal modules allow you to chain two or more modules together in order to make the user accomplish all of the actions in the module in the desired sequence.

    This example will allow you to configure a Chained module that will require the user to login via any configured OAuth source (Github, Google+, etc.) and then validate his phone number using SMS registration.

    For the OAuth login we will use the default_oauth_policy, so just make sure you have an OAuth source configured correctly and available in your Portal Profile.

    Then, we will create a module that will contain the definition of our SMS registration.

    Go in Configuration → Portal Modules then click Add Portal Module and select Authentication → SMS.

    Configure the portal module so that it uses the sms source and uncheck the Require AUP option since the user will have already accepted the AUP when registering using OAuth.


    Then, add another Portal Module of type Chained. Name it chained_oauth_sms, assign a relevant description and then add default_oauth_policy and sms to the Modules fields.


    Next, add the chained_oauth_sms module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using an OAuth source and then using SMS based registration.

    Mixing login and Secure SSID on-boarding on the portal

    This example will guide you through configuring a portal flow that will allow devices to access an open SSID using an LDAP username/password but also give the choice to configure the Secure SSID directly from the portal.

    First, we need to configure the provisioners for the Secure SSID onboarding. Refer to section Apple and Android Wireless Provisioning of this guide to configure your provisioners and add them to the portal profile.

    Create a provisioner of the type Deny and add it with your other provisioners (putting any other provisioner before it). This will make sure that if there is no match on the other provisioners, it will not allow the device through.

    Also in the portal profile, add your LDAP source to the available sources so it's the only one available.

    Next, create a Provisioning portal module by going in Configuration → Portal Modules. Set the Identifier to secure_boarding and the description to Board Secure SSID. Also uncheck Skipable so the user is forced to board the SSID should he choose this option.

    Then, still in the Portal Modules, create a Choice module. Set the Identifier to login_or_boarding and description to Login or Boarding. Add secure_boarding and default_login_policy to the Modules field and save.


    Next, add the login_or_boarding module in my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you will have the choice between logging into the LDAP source and gaining access to the network, or directly using provisioning in order to configure your device for a Secure SSID.

    Displaying a message to the user after the registration

    Using the Message module you can display a custom message to the user. You can also customize the template to display in order to display a fully custom page.

    Go in Configuration → Portal Modules, then click Add Portal Module and select Message. Set the Identifier to hello_world and the description to Hello World.

    Then put the following in the Message field:

    Hello World ! Click here to access the PacketFence website!

    Next, add default_registration_policy and hello_world in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and you will then see the hello world message.

    Calling an external website

    Using the URL module, you can redirect the user to a local or external URL (as long as it is in the passthroughs). Then you can make it so the portal accepts a callback in order for the flow to continue.

    In this example, the portal will redirect to an externally hosted PHP script that will give a random token to the user and then call back the portal to complete the registration process.

    The example script is located in addons/example_external_auth/token.php and a README is available in that directory to set it up.

    Once you have the script installed and working on the URL http://YOUR_PORTAL_HOSTNAME:10000/token.php, you can configure what you need on the PacketFence side.

    Go in Configuration → Portal Modules, then click Add Portal Module and select URL. Set the Identifier to token_system, the Description to Token system and the URL to http://YOUR_PORTAL_HOSTNAME:10000/token.php.

    Next, add default_registration_policy and token_system in the Modules of my_first_root_module (removing any previous modules) and save it. Now when visiting the portal, you should have to authenticate using the sources defined in your portal profile and then you will be redirected to the example token system. Clicking the continue link on that system will bring you back to the portal and complete the registration process.

    Authentication Choice module (advanced)

    The Authentication Choice module allows to define a choice between multiple sources using advanced filtering rules, manual selection of the sources and selection of Portal Modules.


    All the sources that are defined in the Sources field will be available for usage by the user. Same goes for the modules defined in Modules.

    You can also define which mandatory fields you want to prompt for these authentication choices. Although you can still configure them on any Authentication Choice module, they will only be shown if they are applicable to the source.

    In addition to the manual selection above, you can dynamically select sources part of the Portal Profile based on their object attribute (Object Class, Authentication type, Authentication Class).

    Note

    You can find all the authentication objects in lib/pf/Authentication/Source

    Sources by class: Allows you to specify the perl class name of the sources you want available.

    ex: pf::Authentication::Source::SMSSource will select all the SMS sources. pf::Authentication::Source::BillingSource will select all the billing sources (Paypal, Stripe, etc.)

    Sources by type: Allows you to filter out sources using the type attribute of the Authentication object.

    Sources by Auth Class: Allows you to filter out sources using the class attribute of the Authentication object.

    You can see the default_guest_policy and default_oauth_policy for examples of this module.
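The Root, Chained and Choice semantics described in this chapter, reduced to a small runnable model, added here as an example and not PacketFence code: class and method names are invented, and the two roots reuse the chained_oauth_sms and login_or_boarding examples above.

```python
from dataclasses import dataclass, field

# Class and method names here are invented for this model; not PacketFence APIs.

@dataclass
class Session:
    """What the portal knows about one visitor: the leaf modules already
    completed and the branch picked in each Choice module."""
    completed: set = field(default_factory=set)
    choices: dict = field(default_factory=dict)

@dataclass
class Leaf:
    """An Authentication, Provisioning, Message or URL module: satisfied once
    the user has completed it, or immediately when it is marked Skipable."""
    ident: str
    skipable: bool = False

    def next_pending(self, session):
        done = self.skipable or self.ident in session.completed
        return None if done else self.ident

@dataclass
class Chained:
    """Children run in order; the first one not yet done blocks the rest.
    The Root module behaves the same way."""
    ident: str
    modules: list

    def next_pending(self, session):
        for m in self.modules:
            pending = m.next_pending(session)
            if pending:
                return pending
        return None

@dataclass
class Choice:
    """The user picks one child; only that branch has to be completed."""
    ident: str
    modules: list

    def next_pending(self, session):
        picked = session.choices.get(self.ident)
        if picked is None:
            return self.ident  # still waiting for the user to choose
        for m in self.modules:
            if m.ident == picked:
                return m.next_pending(session)
        raise ValueError(f"{picked!r} is not a branch of {self.ident}")

def portal_state(root, session):
    """'released' once everything under the Root is done, otherwise the
    identifier of the module the portal shows next."""
    return root.next_pending(session) or "released"

# The chained_oauth_sms example above: OAuth login, then SMS registration.
CHAINED_ROOT = Chained("my_first_root_module", [
    Chained("chained_oauth_sms", [Leaf("default_oauth_policy"), Leaf("sms")])])

# The login_or_boarding example: LDAP login or Secure SSID provisioning;
# secure_boarding has Skipable unchecked, so once picked it must be finished.
CHOICE_ROOT = Chained("my_first_root_module", [
    Choice("login_or_boarding",
           [Leaf("secure_boarding"), Leaf("default_login_policy")])])

if __name__ == "__main__":
    s = Session(completed={"default_oauth_policy"})
    print(portal_state(CHAINED_ROOT, s))  # sms
    s.completed.add("sms")
    print(portal_state(CHAINED_ROOT, s))  # released
```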


    Debugging

    Log files

    Here are the most important PacketFence log files:

    /usr/local/pf/logs/packetfence.log            PacketFence Core Log
    /usr/local/pf/logs/httpd.portal.access        Apache Captive Portal Access Log
    /usr/local/pf/logs/httpd.portal.error         Apache Captive Portal Error Log
    /usr/local/pf/logs/httpd.admin.access         Apache Web Admin/Services Access Log
    /usr/local/pf/logs/httpd.admin.error          Apache Web Admin/Services Error Log
    /usr/local/pf/logs/httpd.webservices.access   Apache Webservices Access Log
    /usr/local/pf/logs/httpd.webservices.error    Apache Webservices Error Log
    /usr/local/pf/logs/httpd.aaa.access           Apache AAA Access Log
    /usr/local/pf/logs/httpd.aaa.error            Apache AAA Error Log

    There are other log files in /usr/local/pf/logs/ that could be relevant depending on what issue you are experiencing. Make sure you take a look at them.

    The main logging configuration file is /usr/local/pf/conf/log.conf. It contains the configuration for the packetfence.log file (Log::Log4Perl) and you normally don't need to modify it. The logging configuration files for every service are located under /usr/local/pf/conf/log.conf.d/.

    RADIUS Debugging

    First, check the FreeRADIUS logs. The file is located at /usr/local/pf/logs/radius.log.

    If this didn't help, run FreeRADIUS in debug mode. To do so, start it using the following commands.

    For the authentication radius process:

    # radiusd -X -d /usr/local/pf/raddb -n auth

    For the accounting radius process:

    # radiusd -X -d /usr/local/pf/raddb -n acct


    Additionally there is a raddebug tool that can extract debug logs from a running FreeRADIUS daemon. PacketFence's FreeRADIUS is preconfigured with such support.

    In order to have an output from raddebug, you need to either:

    a. Make sure user pf has a shell in /etc/passwd, add /usr/sbin to PATH (export PATH=/usr/sbin:$PATH) and execute raddebug as pf

    b. Run raddebug as root (less secure!)

    Now you can run raddebug easily:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

    The above will output FreeRADIUS' authentication debug logs for 5 minutes.

    Use the following to debug radius accounting:

    raddebug -t 300 -f /usr/local/pf/var/run/radiusd-acct.sock

    See man raddebug for all the options.


    More on VoIP Integration

    VoIP has been growing in popularity on enterprise networks. At first sight, IT administrators think that deploying VoIP with a NAC poses a huge, complicated challenge to resolve. In fact, depending on the hardware you have, not really. In this section, we will see why.

    CDP and LLDP are your friends

    For those of you who are unaware of the existence of CDP or LLDP (or LLDP-MED), I suggest you start reading on this topic. Cisco Discovery Protocol (CDP) is a device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches. Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. In the world of VoIP, CDP is able to determine if the connecting device is an IP Phone or not, and tell the IP Phone to tag its ethernet frames using the configured voice VLAN on the switch port.

    On many other vendors, you are likely to find LLDP or LLDP-MED support. Link Layer Discovery Protocol (LLDP) is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors. Same as CDP, LLDP can tell an IP Phone which VLAN id is the voice VLAN.

    VoIP and VLAN assignment techniques

    As you already know, PacketFence supports many VLAN assignment techniques such as port-security, mac authentication or 802.1X. Let's see how VoIP is doing with each of those.

    Port-security

    Using port-security, the VoIP device relies on CDP/LLDP to tag its ethernet frames using the configured voice VLAN on the switch port. After that, we ensure that a security trap is sent from the voice VLAN so that PacketFence can authorize the mac address on the port. When the PC connects, another security trap will be sent, but from the data VLAN. That way, we will have 1 mac address authorized on the voice VLAN, and 1 on the access VLAN.


    Note

    Not all vendors support VoIP on port-security, please refer to the Network Configuration Guide.

    MAC Authentication and 802.1X

    Cisco hardware

    On Cisco switches, we are looking at the multi-domain configuration. Multi-domain means that we can have one device on the VOICE domain, and one device on the DATA domain. The domain assignment is done using a Cisco Vendor-Specific Attribute (VSA). When the phone connects to the switch port, PacketFence will respond with the proper VSA only, no RADIUS tunneled attributes. CDP then tells the phone to tag its ethernet frames using the configured voice VLAN on the port. When a PC connects, the RADIUS server will return tunneled attributes, and the switch will place the port in the provided access VLAN.

    Non-Cisco hardware

    On other vendor hardware, it is possible to make VoIP work using RADIUS VSAs. When a phone connects to a switch port, PacketFence needs to return the proper VSA to tell the switch to allow tagged frames from this device. When the PC connects, we will be able to return standard RADIUS tunnel attributes to the switch; that will be the untagged VLAN.

    Note

    Again, refer to the Network Configuration Guide to see if VoIP is supported on your switch hardware.

    What if CDP/LLDP feature is missing

    It is possible that your phone doesn't support CDP or LLDP. If it's the case, you are probably looking at the "DHCP way" of provisioning your phone with a voice VLAN. Some models will ask for a specific DHCP option so that the DHCP server can give the phone a voice VLAN id. The phone will then reboot, and tag its ethernet frames using the provided VLAN tag.

    In order to make this scenario work with PacketFence, you need to ensure that you tweak the registration and your production DHCP server to provide the DHCP option. You also need to make sure there is a voice VLAN properly configured on the port, and that you auto-register your IP Phones (on the first connect, the phone will be assigned to the registration VLAN).


    Advanced topics

    This section covers advanced topics in PacketFence. Note that it is also possible to configure PacketFence manually using its configuration files instead of its Web administrative interface. It is still recommended to use the Web interface.

    In any case, the /usr/local/pf/conf/pf.conf file contains the PacketFence general configuration. For example, this is the place where we inform PacketFence it will work in VLAN isolation mode.

    All the default parameters and their descriptions are stored in /usr/local/pf/conf/pf.conf.defaults.

    In order to override a default parameter, define it and set it in pf.conf.

    /usr/local/pf/conf/documentation.conf holds the complete list of all available parameters.

    All these parameters are also accessible through the web-based administration interface under the Configuration tab. It is highly recommended that you use the web-based administration interface of PacketFence for any configuration changes.

    Apple and Android Wireless Provisioning

    Apple devices such as iPhones, iPads, iPods and Mac OS X (10.7+) support wireless prof