PacketFence

How to set up and use the powerful open-source network access control solution.

and test the connection with NessusClient, which is available as a separate download.

Installation

Download the PacketFence RPM from the SourceForge repository, check that its checksum or signature matches what the project publishes (rpm --checksig on the downloaded file), and install it using:

rpm -ivh packetfence-1.6.2-1.i386.rpm

In /usr/local/pf, you will find two Perl scripts that will help you with the necessary configuration steps: installer.pl and configurator.pl. Change your current directory to /usr/local/pf, and execute installer.pl. The script, among other things, sets up the PacketFence database, installs all the necessary Perl modules (which are quite a few) and creates a user account for the Web GUI.

Configuration Steps

Now, the real configuration work starts. First, execute configurator.pl, and you'll be offered several choices. Choose the template configuration based on the testing mode. You'll be asked to supply several network parameters (DHCP servers, DNS servers and so on), and a basic configuration file, /usr/local/pf/conf/pf.conf, will be created. This configuration file contains only the differences you apply to the default configuration parameters saved in /usr/local/pf/conf/pf.conf.defaults. Have a look at conf/pf.conf.defaults to get an idea of the available options. To help you see what's going on inside PacketFence, add the following lines to /usr/local/pf/conf/pf.conf to increase the logging level:

[logging]
verbosity=8

Basic Usage

Start PacketFence with service packetfence start. Have a look at /var/log/messages, and you should see that PacketFence started creating an inventory of all nodes on your network, as in the following example:

Jan  3 16:05:28 pf pf: update_hashes(5): UPDATE New node 00:07:e9:05:4c:f2 (192.168.0.1)
Jan  3 16:05:28 pf pf: update_hashes(5): UPDATE New node 00:90:27:6a:71:ea (192.168.0.2)

/usr/local/pf/bin/pfcmd is the PacketFence command-line interface. Executing it without any further parameters shows a help screen with the available options. In order to show all nodes in the database, execute:

# /usr/local/pf/bin/pfcmd node view
mac|pid|detect_date|regdate|lastskip|status|user_agent|computername|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
00:07:e9:05:4c:f2|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:11|||||
00:90:27:6a:71:ea|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:12|||||

Manually registering a node can be done with:

/usr/local/pf/bin/pfcmd node edit 00:07:e9:05:4c:f2 status="reg",pid=1

You also can use pfcmd to access the documentation for every configuration parameter. To see the documentation for the logo parameter from the [general] section:

# /usr/local/pf/bin/pfcmd config help general.logo
GENERAL.LOGO
Default: /common/packetfence.gif
Logo displayed on Web pages.

Have a look at the available reports using:

/usr/local/pf/bin/pfcmd help report

The os and osclass reports use PacketFence's DHCP fingerprinting feature, which tries to determine the operating system of every DHCP request (including the ones made by printers, VoIP phones, switches and so on).

Running:

/usr/local/pf/bin/pfcmd report os

shows the number and percentage of nodes on your network for every detected operating system. The same fingerprint also can be used as a policy input, for example to disallow access to your network by computers running specific operating systems. Keep in mind that the fingerprint is derived from the options a client puts in its own DHCP request, so it is an inventory aid rather than a strong control: a client that mimics another operating system's DHCP options will be classified as that operating system.

PacketFence also features an administrative Web GUI, which, by default, is served over HTTPS on port 1443. Direct your browser to https://<pf-host>:1443/. Once you enter the login/password you defined during the installation, you can start monitoring and configuring PacketFence through the GUI.

When you start enforcing the registration of nodes with PacketFence, all nodes on the network have to be registered before they can gain complete network access. This registration requirement applies to all gear with network access, including wireless access points and printers. So, before actually activating this option in the configuration file, it is wise to preregister those types of devices manually.
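The two chores just described, pulling the still-unregistered nodes out of pfcmd node view and registering printers, access points and similar gear by hand, can be combined into a small script. The following is an added example written for this article, not code shipped with PacketFence; it assumes the 14-column node-view layout and the pfcmd node edit syntax shown above, the default pfcmd path (override it with the PFCMD environment variable), and it carries a constructed copy of the node-view output so it can be tried without a running PacketFence:

```shell
#!/bin/sh
# Added example (not PacketFence code): find unregistered nodes in
# `pfcmd node view` output and bulk-preregister infrastructure devices.
# Assumes the pfcmd path below and the 14-column node-view layout shown
# in the article; override the path with the PFCMD environment variable.

PFCMD="${PFCMD:-/usr/local/pf/bin/pfcmd}"

# Constructed sample of `pfcmd node view` output: the two unregistered
# nodes from the article plus one already-registered node for contrast.
SAMPLE_NODE_VIEW='mac|pid|detect_date|regdate|lastskip|status|user_agent|computername|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
00:07:e9:05:4c:f2|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:11|||||
00:90:27:6a:71:ea|1|2007-01-03 16:05:28|||unreg|||2007-01-03 16:10:12|||||
00:11:22:33:44:55|1|2007-01-03 16:05:28|2007-01-03 16:12:00||reg|||2007-01-03 16:10:13|||||'

# unregistered_nodes: read node-view output on stdin and print the MAC of
# every node whose status column (field 6) is "unreg", one per line.
unregistered_nodes() {
    awk -F'|' 'NR > 1 && $6 == "unreg" { print $1 }'
}

# normalize_mac MAC: print the MAC in lower-case, colon-separated form.
# Returns 1 and prints nothing for anything that is not a valid MAC, so a
# typo in a device list cannot turn into a bogus pfcmd invocation.
normalize_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | tr '-' ':' \
        | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# registration_cmd MAC PID: print the pfcmd command line that registers
# MAC to owner PID, in the same form as the manual example in the article.
registration_cmd() {
    mac=$(normalize_mac "$1") || return 1
    printf '%s node edit %s status="reg",pid=%s\n' "$PFCMD" "$mac" "$2"
}

# preregister_list PID [apply]: read a device list on stdin (one MAC per
# line, blank lines and # comments ignored) and print the registration
# command for each valid entry. Invalid entries are reported on stderr and
# make the function return 1 after the whole list has been processed, so
# the caller can fix the list before enforcing registration. With "apply"
# as the second argument the commands are executed instead of printed.
preregister_list() {
    pid=$1
    mode=${2:-print}
    case $pid in
        ''|*[!0-9]*) printf 'owner pid must be numeric: %s\n' "$pid" >&2; return 2 ;;
    esac
    failed=0
    while IFS= read -r line; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if cmd=$(registration_cmd "$entry" "$pid"); then
            if [ "$mode" = apply ]; then
                # Same arguments as the printed command; the shell would
                # strip the quotes around reg when the line is typed by hand.
                "$PFCMD" node edit "$(normalize_mac "$entry")" "status=reg,pid=$pid"
            else
                printf '%s\n' "$cmd"
            fi
        else
            printf 'skipping invalid MAC: %s\n' "$entry" >&2
            failed=1
        fi
    done
    return $failed
}

# Stand-alone demonstration on the constructed sample: list what is still
# unregistered, then print (without executing) the commands for a
# hypothetical device list containing a printer and an access point.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_NODE_VIEW" | unregistered_nodes
    printf '00:07:E9:05:4C:F2   # printer, 2nd floor\n00-90-27-6A-71-EA # wireless AP\n' \
        | preregister_list 1
fi
```

Run it with the demo argument to see the dry run; feed a real device list to preregister_list with apply as the second argument only once the dry run shows exactly the commands you expect, and only on the PacketFence host where pfcmd exists.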

For computers with Web browsers, on the other hand, the registration can be done by the user through the PacketFence captive portal. The portal can verify login/password information through a htaccess file, Radius or LDAP, which we use in our example. In order to do this, you need to adapt the provided template /usr/local/pf/conf/templates/ldap.conf to fit your LDAP structure.

Because all your users will be redirected to the registration screen, it also is wise at this point to change the default PacketFence logo, which is shown on the Web pages, to your own company logo. This can be done by adding logo=/common/mylogo.gif to the [general] section (the section the pfcmd config help output above lists the parameter under) in /usr/local/pf/conf/pf.conf and copying the file mylogo.gif into the directory /usr/local/pf/html/common/.

To activate the registration, incorporate the following parameters into /usr/local/pf/conf/pf.conf:

[trapping]
testing=disabled
detection=disabled

[registration]
aup=disabled
auth=ldap

Now, restart PacketFence with service packetfence restart. You should see in /var/log/messages that PacketFence is trapping unregistered nodes by ARP-spoofing your network's gateway: it answers the unregistered client's ARP requests for the gateway address with its own MAC, so that client's traffic passes through the PacketFence host, which redirects Web requests to the captive portal. From the client side, opening a Web browser and accessing any outside Web site should lead to a redirection to the PacketFence captive portal, which allows you to register the computer. You also can determine whether a client has been ARP-spoofed by executing arp -n -a (or ip neigh show) under Linux on the client and checking which MAC is saved in the ARP cache for your network's gateway; on a trapped client it is the PacketFence host's MAC rather than the router's. Keep the limits of this mechanism in mind: ARP trapping reaches only hosts in the same broadcast domain as the PacketFence server, and a client with a static ARP entry for the gateway (arp -s) ignores the spoofed replies, so it steers cooperative clients to the portal rather than forming a hard boundary against a determined one.
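The client-side check described above can be scripted so it gives a clear answer instead of requiring you to eyeball the ARP cache. The following is an added example written for this article, not code from PacketFence: it parses the Linux arp -an output format (and rewrites ip neigh show output into the same shape on systems without net-tools), and it embeds constructed ARP caches for a trapped and an untrapped client. The gateway address 192.168.0.1 and its MAC 00:07:e9:05:4c:f2 are taken from the inventory log earlier in the article; 00:0c:29:aa:bb:cc is a hypothetical MAC standing in for the PacketFence host.

```shell
#!/bin/sh
# Added example (not PacketFence code): decide, from a client, whether the
# ARP cache entry for the default gateway still points at the real router
# or has been replaced by another MAC, which on a PacketFence network is
# the sign that this client is being ARP-trapped.

# Constructed `arp -an` output from a trapped client: the gateway resolves
# to the hypothetical PacketFence host MAC 00:0c:29:aa:bb:cc, and one
# entry is incomplete to exercise that code path.
SAMPLE_ARP_TRAPPED='? (192.168.0.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.0.2) at 00:90:27:6a:71:ea [ether] on eth0
? (192.168.0.77) at <incomplete> on eth0'

# Constructed `arp -an` output from a client that is not trapped: the
# gateway resolves to the router MAC seen in the PacketFence inventory log.
SAMPLE_ARP_NORMAL='? (192.168.0.1) at 00:07:e9:05:4c:f2 [ether] on eth0
? (192.168.0.2) at 00:90:27:6a:71:ea [ether] on eth0'

# gateway_mac_from_arp IP: read `arp -an` output on stdin and print the
# MAC cached for IP in lower case. Prints nothing for a missing or
# incomplete entry (arp shows those as "<incomplete>").
gateway_mac_from_arp() {
    awk -v ip="$1" '
        $2 == ("(" ip ")") && $3 == "at" && $4 ~ /^[0-9A-Fa-f:]+$/ {
            print tolower($4); exit
        }'
}

# check_gateway_arp IP EXPECTED_MAC: read `arp -an` output on stdin and
# return 0 if the cached MAC for IP equals EXPECTED_MAC (not trapped),
# 1 if it differs (trapped, or some other host is answering for the
# gateway), 2 if there is no usable entry yet.
check_gateway_arp() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    cached=$(gateway_mac_from_arp "$1")
    [ -n "$cached" ] || return 2
    [ "$cached" = "$expected" ] || return 1
    return 0
}

# live_check IP EXPECTED_MAC: the same test against this machine's own
# ARP cache, using arp when present and ip neigh otherwise. ip neigh
# prints "IP dev DEV lladdr MAC STATE", which is rewritten into the
# arp -an shape the parser expects; entries without lladdr are dropped.
live_check() {
    if command -v arp >/dev/null 2>&1; then
        arp -an | check_gateway_arp "$1" "$2"
    else
        ip neigh show \
            | awk '$4 == "lladdr" { print "? (" $1 ") at " $5 " [ether] on " $3 }' \
            | check_gateway_arp "$1" "$2"
    fi
}

# Stand-alone demonstration on the constructed trapped-client cache.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_ARP_TRAPPED" | check_gateway_arp 192.168.0.1 00:07:e9:05:4c:f2
    case $? in
        0) echo "gateway MAC is the router's: this client is not trapped" ;;
        1) echo "gateway MAC has been replaced: this client is being ARP-trapped" ;;
        *) echo "no ARP entry for the gateway yet; ping it and retry" ;;
    esac
fi
```

On a real client call live_check with your gateway address and the router's genuine MAC (record that MAC from a trusted vantage point, such as the router itself, rather than from a client that may already be trapped); the three return codes map onto the three situations the article distinguishes.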
