PacketFence Revisited

The perfect NAC solution for both wired and wireless networks.
Example Installation

Install PacketFence 1.7 from If you are using Red Hat EL5 or CentOS5, the easiest way to do so is to install the official RPM.

In this example, we set up VLAN isolation on a Cisco Catalyst 2960 switch (IP address The PacketFence server's IP address is Let's further assume that you are using the following VLANs and that these already have been created on your switch:

  1. “normal” VLAN

  2. isolation VLAN

  3. registration VLAN

  4. MAC detection VLAN

Enable the SNMP traps globally on the switch with the following commands:

snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps mac-notification
snmp-server host version 2c public mac-notification snmp
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 300

Then, configure every access port PacketFence should be handling with the following:

switchport access vlan 4
switchport mode access
snmp trap mac-notification added
spanning-tree portfast

Edit the VLAN isolation configuration file /usr/local/pf/conf/switches.conf, so that it contains the correct SNMP community strings. Then, adjust the VLAN definition as follows:

vlans = 1,2,3,4
normalVlan = 1
isolationVlan = 2
registrationVlan = 3
macDetectionVlan = 4

And, finally, add a new section for your switch:

ip =
type = Cisco::Catalyst_2960
mode = production
uplink = 23,24

Next, you can do a communication test between PacketFence and the switch:

/usr/local/pf/bin/pfcmd_vlan -getVlan -switch -ifIndex 10001

The next test is to determine whether the switch can send SNMP traps to PacketFence. Start snmptrapd:

service snmptrapd start

and observe the log file:

tail -f /usr/local/pf/logs/snmptrapd.log

Every time a device connects to and disconnects from the network, you should see a new line in the log file.

Now, configure PacketFence's access to VLAN 1, 2 and 3. Set the configuration of the switch port that PacketFence plugs into to “trunk mode”, and allow packets in VLAN 1 to pass through the switch without tagging. On the PacketFence server, add two new NICs that read and write 802.1q tagged packets for VLAN 2 and 3. Don't forget to add these new NICs to your configuration file /usr/local/pf/conf/pf.conf.

To simplify the installation, configure a DHCP service on the PacketFence box for VLANs 2 and 3. The DHCP server should return its own (VLAN-specific) IP address as both the gateway and the DNS server. Last but not least, set up a “fake” DNS service for VLANs 2 and 3 that responds to all queries with its own IP address. Now, verify that a host connected to the registration VLAN is able to obtain an IP address and that whatever DNS query it sends, PacketFence answers with its own IP.

If all these tests work fine, you can start setVlanOnTrapd:

service setVlanOnTrapd start

and look at the log file to verify that your devices, upon connection to the switch, are assigned to the correct VLAN:

tail -f /usr/local/pf/logs/setvlanontrapd.log

This setup should be transparent for already-registered devices, because they end up in the “normal” VLAN; unregistered devices will be assigned to the registration VLAN where all they can access is the PacketFence server that will show the captive portal with the registration screen.

Introduction to Isolation in Wireless Networks

PacketFence also integrates very well with wireless networks. As for its wired counterpart, the switch, a wireless Access Point (AP) needs to implement some specific features in order for the integration to work perfectly. In particular, the AP needs to support the following:

  • Several SSIDs with several VLANs inside each SSID.

  • Authentication against a RADIUS server.

  • Dynamic VLAN assignment (through RADIUS attributes).

  • SNMP deauthentication traps.

  • The deauthentication of an associated station.

Figure 2. How PacketFence Integrates with Wireless Networks

We then can configure two SSIDs on the AP, the first one reserved for visitors and unregistered clients. In this SSID, communications will not be encrypted, and users will connect either to the registration VLAN or the visitor's VLAN (depending on their registration status). The second SSID will allow encrypted communications for registered users. The VLANs here are the “normal” VLAN and the isolation VLAN (if ever there are open violations for the MAC).