Loading
PacketFence Revisited
The perfect NAC solution for both wired and wireless networks.
In this example, we configure a Cisco 1242 AP (IP address 192.168.0.4). Configuration of other vendors' APs is similar. First, define the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown for the isolation VLAN:
dot11 vlan-name isolation vlan 2 interface FastEthernet0.2 encapsulation dot1Q 2 no ip route-cache bridge-group 253 no bridge-group 253 source-learning bridge-group 253 spanning-disabled interface Dot11Radio0.2 encapsulation dot1Q 2 no ip route-cache bridge-group 253 bridge-group 253 subscriber-loop-control bridge-group 253 block-unknown-source no bridge-group 253 source-learning no bridge-group 253 unicast-flooding bridge-group 253 spanning-disabled
Then, create the two SSIDs:
dot11 ssid WPA2 vlan 2 backup normal authentication open eap eap_methods authentication key-management wpa accounting acct-methods mbssid guest-mode dot11 ssid MACauth vlan 3 backup visitor authentication open mac-address mac_methods accounting acct_methods mbssid guest-mode
Configure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box):
radius-server host 192.168.0.10 auth-port 1812 ↪acct-port 1813 key secretKey aaa group server radius rad_eap server 192.168.0.10 auth-port 1812 acct-port 1813 aaa authentication login eap_methods group rad_eap aaa group server radius rad_mac server 192.168.0.10 auth-port 1812 acct-port 1813 aaa authentication login mac_methods group rad_mac
Enable the SNMP deauthentication traps:
snmp-server enable traps deauthenticate snmp-server host 192.168.0.10 public deauthenticate
Finally, activate the SSIDs on the radio:
interface Dot11Radio0 encryption vlan 1 mode ciphers aes-ccm encryption vlan 2 mode ciphers aes-ccm ssid WPA2 ssid MACauth
Now, check with a Wi-Fi card that you actually can see the two new SSIDs. You can't connect to them yet because the RADIUS server is not up and running.
Start configuring the FreeRADIUS server by adding the following lines at the end of /etc/raddb/clients.conf:
client 192.168.0.3 {
secret = secretKey
shortname = AP1242
}
In /etc/raddb/eap.conf, set the default eap type to peap at the beginning of the eap {} section:
default_eap_type = peap
And, set up your cryptographic keys in the tls {} section.
Then, update /etc/raddb/radiusd.conf, first by adding the following lines to the modules {} section:
perl {
module = ${confdir}/rlm_perl_packetfence.pl
}
Then, add “perl” at the end of the authorize {} section. The script /etc/raddb/rlm_perl_packetfence.pl uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confines the wireless station into the specified VLAN.
The last file to edit is /etc/raddb/users to define that non-EAP messages should, by default, lead to an authentication acceptance:
DEFAULT EAP-Message !* "", Auth-Type := Accept
Then, add a local test user with:
testUser User-Password == "testPwd"
Now, start FreeRADIUS in debug mode:
radiusd -x
Try to connect to one of the two new SSIDs with your Wi-Fi card, and you'll see the packets received by FreeRADIUS with the generated responses.
It also is noteworthy that the concepts you've learned here on using PacketFence with wireless networks are identical to using 802.1x on a wired network, which of course, is supported by PacketFence.
We designed the VLAN isolation feature from the beginning with extensibility in mind. All supported switches are represented through Perl objects, and we make extensive use of inheritance. For example:
At the highest level, you have the pf::SNMP object that defines general functions, such as SNMP session creation and deletion, database connections and some standardized SNMP queries.
At the next level are the vendor-specific objects, such as pf::SNMP::Cisco and pf::SNMP::Nortel. They include the necessary functions to parse SNMP traps and, most of the time, to read and write a port's VLAN assignment.
Finally, at the lowest level, are the model-specific objects, containing only the model-specific code.
This architecture simplifies adding the support for a new product from an already-supported vendor; it comes down to redefining only a very limited number of methods and can be done in a matter of hours.
______________________
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy
Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6
Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.
Learn more about catching the bad guy in this free white paper.
Sponsored by DLT Solutions
- New Products
- Linux Systems Administrator
- Senior Perl Developer
- Technical Support Rep
- UX Designer
- Web & UI Developer (JavaScript & j Query)
- Designing Electronics with Linux
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
27 min 35 sec ago
11 hours 8 min ago
16 hours 54 min ago
17 hours 11 min ago
19 hours 4 min ago
20 hours 57 min ago
1 day 3 hours ago
1 day 4 hours ago
1 day 5 hours ago
1 day 11 hours ago