PacketFence Revisited

The perfect NAC solution for both wired and wireless networks.
Example Installation

In this example, we configure a Cisco 1242 AP (IP address Configuration of other vendors' APs is similar. First, define the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown for the isolation VLAN:

dot11 vlan-name isolation vlan 2

interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled

interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled

Then, create the two SSIDs:

dot11 ssid WPA2
   vlan 2 backup normal
   authentication open eap eap_methods
   authentication key-management wpa
   accounting acct-methods
   mbssid guest-mode

dot11 ssid MACauth
   vlan 3 backup visitor
   authentication open mac-address mac_methods
   accounting acct_methods
   mbssid guest-mode

Configure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box):

radius-server host auth-port 1812 
 ↪acct-port 1813 key secretKey

aaa group server radius rad_eap
 server auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap

aaa group server radius rad_mac
 server auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac

Enable the SNMP deauthentication traps:

snmp-server enable traps deauthenticate
snmp-server host public deauthenticate

Finally, activate the SSIDs on the radio:

interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 ssid WPA2
 ssid MACauth

Now, check with a Wi-Fi card that you actually can see the two new SSIDs. You can't connect to them yet because the RADIUS server is not up and running.

Start configuring the FreeRADIUS server by adding the following lines at the end of /etc/raddb/clients.conf:

client {
  secret = secretKey
  shortname = AP1242

In /etc/raddb/eap.conf, set the default eap type to peap at the beginning of the eap {} section:

default_eap_type = peap

And, set up your cryptographic keys in the tls {} section.

Then, update /etc/raddb/radiusd.conf, first by adding the following lines to the modules {} section:

perl {
    module = ${confdir}/

Then, add “perl” at the end of the authorize {} section. The script /etc/raddb/ uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confines the wireless station into the specified VLAN.

The last file to edit is /etc/raddb/users to define that non-EAP messages should, by default, lead to an authentication acceptance:

DEFAULT EAP-Message !* "", Auth-Type := Accept

Then, add a local test user with:

testUser User-Password == "testPwd"

Now, start FreeRADIUS in debug mode:

radiusd -x

Try to connect to one of the two new SSIDs with your Wi-Fi card, and you'll see the packets received by FreeRADIUS with the generated responses.

It also is noteworthy that the concepts you've learned here on using PacketFence with wireless networks are identical to using 802.1x on a wired network, which of course, is supported by PacketFence.

Extending to New Switches and APs

We designed the VLAN isolation feature from the beginning with extensibility in mind. All supported switches are represented through Perl objects, and we make extensive use of inheritance. For example:

  • At the highest level, you have the pf::SNMP object that defines general functions, such as SNMP session creation and deletion, database connections and some standardized SNMP queries.

  • At the next level are the vendor-specific objects, such as pf::SNMP::Cisco and pf::SNMP::Nortel. They include the necessary functions to parse SNMP traps and, most of the time, to read and write a port's VLAN assignment.

  • Finally, at the lowest level, are the model-specific objects, containing only the model-specific code.

This architecture simplifies adding the support for a new product from an already-supported vendor; it comes down to redefining only a very limited number of methods and can be done in a matter of hours.