PacketFence

How to set up and use the powerful open-source network access control solution.

and test the connection with NessusClient, which is available as a separate download.

Installation

Download the PacketFence RPM from the SourceForge repository, and install it using:

rpm -ivh packetfence-1.6.2-1.i386.rpm

In /usr/local/pf, you will find two Perl scripts that will help you with the necessary configuration steps: installer.pl and configurator.pl. Change your current directory to /usr/local/pf, and execute installer.pl. The script, among other things, sets up the PacketFence database, installs all the necessary Perl modules (which are quite a few) and creates a user account for the Web GUI.

Configuration Steps

Now, the real configuration work starts. First, execute configurator.pl, and you'll be offered several choices. Choose the template configuration based on the testing mode. You'll be asked to supply several network parameters (DHCP servers, DNS servers and so on), and a basic configuration file, /usr/local/pf/conf/pf.conf, will be created. This configuration file contains only the differences you apply to the default configuration parameters saved in /usr/local/pf/conf/pf.conf.defaults. Have a look at conf/pf.conf.defaults to get an idea of the available options. To help you see what's going on inside PacketFence, add the following lines to /usr/local/pf/conf/pf.conf to increase the logging level:

[logging]
verbosity=8

Basic Usage

Start PacketFence with service packetfence start. Have a look at /var/log/messages, and you should see that PacketFence started creating an inventory of all nodes on your network, as in the following example:

Jan  3 16:05:28 pf pf: update_hashes(5): UPDATE New node 00:07:e9:05:4c:f2 (192.168.0.1)
Jan  3 16:05:28 pf pf: update_hashes(5): UPDATE New node 00:90:27:6a:71:ea (192.168.0.2)

/usr/local/pf/bin/pfcmd is the PacketFence command-line interface. Executing it without any further parameters shows a help screen with the available options. In order to show all nodes in the database, execute:

# /usr/local/pf/bin/pfcmd node view
mac|pid|detect_date|regdate|lastskip|status|user_agent|computername|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
00:07:e9:05:4c:f2|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:11|||||
00:90:27:6a:71:ea|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:12|||||

Manually registering a node can be done with:

/usr/local/pf/bin/pfcmd node edit 00:07:e9:05:4c:f2 status="reg",pid=1
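The pfcmd output above is plain pipe-delimited text, which makes it easy to script the review that precedes enforcement: list which nodes are still unregistered and generate the manual registration commands for the infrastructure devices (printers, access points) that must be preregistered before trapping is switched on. The following is an added example, not part of the article or of PacketFence itself; the sample output is the article's listing with its print line-wrapping undone, and the allowlist of MACs to preregister is an assumed input you would maintain yourself.

```python
import re

# Sample `pfcmd node view` output: the article's two records with the header and
# each row on a single line (the magazine layout had wrapped them).
SAMPLE_NODE_VIEW = """\
# /usr/local/pf/bin/pfcmd node view
mac|pid|detect_date|regdate|lastskip|status|user_agent|computername|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
00:07:e9:05:4c:f2|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:11|||||
00:90:27:6a:71:ea|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:12|||||
"""

PFCMD = "/usr/local/pf/bin/pfcmd"
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_node_view(text):
    """Turn pfcmd's pipe-delimited table into a list of dicts keyed by header name.

    The header is the first line starting with 'mac|' (so a copied shell prompt is
    ignored); rows whose field count differs from the header are skipped rather
    than mis-assigned to columns.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = None
    nodes = []
    for line in lines:
        if header is None:
            if line.startswith("mac|"):
                header = line.split("|")
            continue
        fields = line.split("|")
        if len(fields) != len(header):
            continue
        node = dict(zip(header, fields))
        node["mac"] = node["mac"].lower()
        if MAC_RE.match(node["mac"]):
            nodes.append(node)
    return nodes


def unregistered(nodes):
    """MAC addresses whose status is still 'unreg', the state shown in the article."""
    return [n["mac"] for n in nodes if n["status"] == "unreg"]


def registration_commands(nodes, preregister, pid=1):
    """Build `pfcmd node edit` commands for the unregistered MACs on the admin's
    allowlist (assumed input: infrastructure that cannot use the captive portal).
    Anything not on the list stays 'unreg' so it registers through the portal."""
    wanted = {m.lower() for m in preregister}
    return [
        f'{PFCMD} node edit {mac} status="reg",pid={pid}'
        for mac in unregistered(nodes)
        if mac in wanted
    ]


if __name__ == "__main__":
    nodes = parse_node_view(SAMPLE_NODE_VIEW)
    print(f"{len(nodes)} nodes, {len(unregistered(nodes))} unregistered")
    # Constructed allowlist: pretend the first MAC is a printer to preregister.
    for cmd in registration_commands(nodes, ["00:07:e9:05:4c:f2"]):
        print(cmd)
```

In practice you would feed the script the live output (`pfcmd node view | python3 review_nodes.py`, with the script reading sys.stdin instead of the embedded sample) and only run the printed commands after checking each MAC against your inventory.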

You also can use pfcmd to access the documentation for every configuration parameter. To see the documentation for the logo parameter from the [general] section:

# /usr/local/pf/bin/pfcmd config help general.logo
GENERAL.LOGO
Default: /common/packetfence.gif
Logo displayed on Web pages.

Have a look at the available reports using:

/usr/local/pf/bin/pfcmd help report

The os and osclass reports use PacketFence's DHCP fingerprinting feature, which tries to determine the operating system of every DHCP request (including the ones made by printers, VoIP phones, switches and so on).

Running:

/usr/local/pf/bin/pfcmd report os

shows the number and percentage of nodes on your network for every detected operating system. Note that the DHCP fingerprinting feature can easily be used to deny network access to computers running specific operating systems.

PacketFence also features an administrative Web GUI, which, by default, is available on the secured port 1443. Direct your browser to https://<pf-host>:1443/. Once you enter the login/password you defined during the installation, you can start monitoring and configuring PacketFence through the GUI.

When you start enforcing the registration of nodes with PacketFence, all nodes on the network have to be registered before they can gain complete network access. This registration requirement applies to all gear with network access, including wireless access points and printers. So, before actually activating this option in the configuration file, it is wise to preregister those types of devices manually.

For computers with Web browsers, on the other hand, the registration can be done by the user through the PacketFence captive portal. The portal can verify login/password information through an htaccess file, RADIUS or LDAP, which we use in our example. In order to do this, you need to adapt the provided template /usr/local/pf/conf/templates/ldap.conf to fit your LDAP structure.

Because all your users will be redirected to the registration screen, it also is wise at this point to change the default PacketFence logo, which is shown on the Web pages, to your own company logo. This can be done by adding logo=/common/mylogo.gif to the [general] section in /usr/local/pf/conf/pf.conf (the parameter is general.logo, as shown by pfcmd config help above) and copying the file mylogo.gif into the directory /usr/local/pf/html/common/.

To activate the registration, incorporate the following parameters into /usr/local/pf/conf/pf.conf:

[trapping]
testing=disabled
detection=disabled

[registration]
aup=disabled
auth=ldap
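Because pf.conf holds only the differences from pf.conf.defaults, it is worth checking the effective (merged) configuration before restarting rather than trusting the overrides file alone. The script below is an added example, not code from the article or from PacketFence: it overlays the pf.conf fragments given in this article onto a constructed stand-in for pf.conf.defaults (only general.logo comes from the article; the other default values are assumptions made up for the example), then flags anything that would leave enforcement in testing mode or still show the default logo on the portal.

```python
import configparser

# Constructed stand-in for /usr/local/pf/conf/pf.conf.defaults. general.logo is the
# default quoted in the article; every other value is an assumption for this example.
DEFAULTS_TEXT = """\
[general]
logo=/common/packetfence.gif

[logging]
verbosity=2

[trapping]
testing=enabled
detection=enabled

[registration]
aup=enabled
auth=htaccess
"""

# The overrides the article tells you to place in /usr/local/pf/conf/pf.conf.
PF_CONF_TEXT = """\
[logging]
verbosity=8

[trapping]
testing=disabled
detection=disabled

[registration]
aup=disabled
auth=ldap
"""


def effective_config(defaults_text, overrides_text):
    """Merge pf.conf over pf.conf.defaults as the article describes: defaults are read
    first, then every key present in pf.conf replaces the default value."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(defaults_text)
    cfg.read_string(overrides_text)  # second read overlays matching keys
    return cfg


def overridden_keys(defaults_text, overrides_text):
    """(section, key, value) triples that pf.conf actually changes relative to the
    defaults, for a quick review of what a restart will apply."""
    base = configparser.ConfigParser(interpolation=None)
    base.read_string(defaults_text)
    over = configparser.ConfigParser(interpolation=None)
    over.read_string(overrides_text)
    changed = []
    for section in over.sections():
        for key, value in over.items(section):
            if not base.has_option(section, key) or base.get(section, key) != value:
                changed.append((section, key, value))
    return changed


def enforcement_issues(cfg):
    """Pre-restart check of the settings the article changes to enforce registration.
    Returns human-readable problems; an empty list means the merged config is ready."""
    issues = []
    for key in ("testing", "detection"):
        if cfg.get("trapping", key, fallback="") != "disabled":
            issues.append(f"trapping.{key} must be 'disabled' to leave testing mode")
    auth = cfg.get("registration", "auth", fallback="")
    if auth not in ("htaccess", "radius", "ldap"):
        issues.append(f"registration.auth is {auth!r}; expected htaccess, radius or ldap")
    if cfg.get("general", "logo", fallback="") == "/common/packetfence.gif":
        issues.append("general.logo still shows the default PacketFence logo on the portal")
    return issues


if __name__ == "__main__":
    merged = effective_config(DEFAULTS_TEXT, PF_CONF_TEXT)
    for section, key, value in overridden_keys(DEFAULTS_TEXT, PF_CONF_TEXT):
        print(f"override: {section}.{key} = {value}")
    for problem in enforcement_issues(merged) or ["ready to restart"]:
        print(problem)
```

Against the article's pf.conf the only remaining finding is the unchanged logo, which is exactly the customisation the text recommends before users start hitting the portal; adding logo=/common/mylogo.gif under [general] clears it.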

Now, restart PacketFence with service packetfence restart. You should see in /var/log/messages that PacketFence is trapping unregistered nodes by ARP-spoofing your network's gateway. From the client side, opening a Web browser and accessing any outside Web site should lead to a redirection to the PacketFence captive portal, which allows you to register the computer. You also can determine whether a client has been ARP-spoofed by executing arp -n -a (under Linux) on the client and checking which MAC is saved in the ARP cache for your network's gateway.
