PacketFence Revisited

The perfect NAC solution for both wired and wireless networks.
Example Installation

In this example, we configure a Cisco 1242 AP (IP address 192.168.0.4). Configuration of other vendors' APs is similar. First, define the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown for the isolation VLAN:

dot11 vlan-name isolation vlan 2

interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled

interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled

Then, create the two SSIDs:

dot11 ssid WPA2
   vlan 2 backup normal
   authentication open eap eap_methods
   authentication key-management wpa
   accounting acct-methods
   mbssid guest-mode

dot11 ssid MACauth
   vlan 3 backup visitor
   authentication open mac-address mac_methods
   accounting acct_methods
   mbssid guest-mode

Configure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box):

radius-server host 192.168.0.10 auth-port 1812 
 ↪acct-port 1813 key secretKey

aaa group server radius rad_eap
 server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap

aaa group server radius rad_mac
 server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac

Enable the SNMP deauthentication traps:

snmp-server enable traps deauthenticate
snmp-server host 192.168.0.10 public deauthenticate

Finally, activate the SSIDs on the radio:

interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 ssid WPA2
 ssid MACauth

Now, check with a Wi-Fi card that you actually can see the two new SSIDs. You can't connect to them yet because the RADIUS server is not up and running.

Start configuring the FreeRADIUS server by adding the following lines at the end of /etc/raddb/clients.conf:

client 192.168.0.3 {
  secret = secretKey
  shortname = AP1242
}

In /etc/raddb/eap.conf, set the default eap type to peap at the beginning of the eap {} section:

default_eap_type = peap

And, set up your cryptographic keys in the tls {} section.

Then, update /etc/raddb/radiusd.conf, first by adding the following lines to the modules {} section:

perl {
    module = ${confdir}/rlm_perl_packetfence.pl
}

Then, add “perl” at the end of the authorize {} section. The script /etc/raddb/rlm_perl_packetfence.pl uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confines the wireless station into the specified VLAN.

The last file to edit is /etc/raddb/users to define that non-EAP messages should, by default, lead to an authentication acceptance:

DEFAULT EAP-Message !* "", Auth-Type := Accept

Then, add a local test user with:

testUser User-Password == "testPwd"

Now, start FreeRADIUS in debug mode:

radiusd -x

Try to connect to one of the two new SSIDs with your Wi-Fi card, and you'll see the packets received by FreeRADIUS with the generated responses.

It also is noteworthy that the concepts you've learned here on using PacketFence with wireless networks are identical to using 802.1x on a wired network, which of course, is supported by PacketFence.

Extending to New Switches and APs

We designed the VLAN isolation feature from the beginning with extensibility in mind. All supported switches are represented through Perl objects, and we make extensive use of inheritance. For example:

  • At the highest level, you have the pf::SNMP object that defines general functions, such as SNMP session creation and deletion, database connections and some standardized SNMP queries.

  • At the next level are the vendor-specific objects, such as pf::SNMP::Cisco and pf::SNMP::Nortel. They include the necessary functions to parse SNMP traps and, most of the time, to read and write a port's VLAN assignment.

  • Finally, at the lowest level, are the model-specific objects, containing only the model-specific code.

This architecture simplifies adding the support for a new product from an already-supported vendor; it comes down to redefining only a very limited number of methods and can be done in a matter of hours.

______________________

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState