PacketFence Inline Deployment Quick Guide using ZEN
for PacketFence version 5.6.0
by Inverse Inc.
Version 5.6.0 - Jan 2016
Copyright 2015 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".
Table of Contents
About this Guide ........................................ 1
  Other sources of information .......................... 1
Getting Started ......................................... 2
  Virtual Machine ....................................... 2
  Inline ................................................ 2
Assumptions ............................................. 3
  Network Setup ......................................... 3
  DHCP/DNS .............................................. 3
Installation ............................................ 4
  Import the virtual machine ............................ 4
Virtual Machine passwords ............................... 5
Configuration ........................................... 6
  Inline enforcement configuration ...................... 6
  PacketFence configuration files ....................... 9
  Network Devices ....................................... 9
  FreeRADIUS ........................................... 10
  Inline Access ........................................ 10
  OMAPI ................................................ 10
  Traffic shaping ...................................... 11
Test ................................................... 14
  Register a device in inline enforcement .............. 14
Additional Information ................................. 15
Commercial Support and Contact Information ............. 16
GNU Free Documentation License ......................... 17
Chapter 1
About this Guide
This guide will walk you through the installation and configuration of the PacketFence ZEN solution. It covers Inline isolation setup.
The instructions are based on version 5.6.0 of PacketFence.
The latest version of this guide is available online at http://www.packetfence.org/documentation/guides.html
Other sources of information
We suggest that you also have a look in the PacketFence Administration Guide, and in the PacketFence Network Devices Configuration Guide. Both are available online at http://www.packetfence.org/documentation/guides.html
Chapter 2
Getting Started
Virtual Machine
This setup has been tested using VMware ESXi 4.0 & 5.0 with 8 GB of RAM dedicated to the virtual machine. It might work using other virtualization products. You need to have a 64-bit capable CPU on your host.
Inline
In order to build an Inline setup you need:
- 2 network interfaces for the VM (1 for the Inline and another one to go out).
- a switch port in the management network for the PacketFence ZEN box (for eth0).
- a switch port in the inline network for the PacketFence ZEN box (for eth1), which needs to be configured in access mode and in the same access VLAN as every switch port on which devices will be connected.
- your server has net.ipv4.ip_forward enabled. Edit the following file:
# /etc/sysctl.conf
Change net.ipv4.ip_forward from 0 to 1:
# net.ipv4.ip_forward = 1
Now you need to make this change permanent; run the following in your terminal:
# sysctl -p /etc/sysctl.conf
Chapter 3
Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:
Network Setup
- eth0 is on the management network
- eth1 is on the inline network
Please refer to the following table for IP and subnet information:
Network Name   Card   Subnet           Gateway        PacketFence Address
Management     eth0   192.168.1.0/24   192.168.1.1    192.168.1.5
Inline         eth1   192.168.2.0/24   192.168.2.1    192.168.2.1
DHCP/DNS
PacketFence provides its own DHCP service. It will take care of IP address distribution in our Inline network. PacketFence will not provide DHCP services on the management network; this is the responsibility of your own infrastructure.
PacketFence provides its own DNS service. However, for the Inline version, we need to provide the DNS of your infrastructure.
Chapter 4
Installation
Import the virtual machine
PacketFence ZEN 5.6.0 comes in a pre-built virtual disk (OVA). If you are using an ESX-type hypervisor, you need to import the OVA using vSphere Client (or vCenter). We are not supporting any Xen-based hypervisors yet.
Import to ESX
Make sure that two virtual network cards are created. Assign the first card (eth0) to your management network (Production) and assign the second one (eth1) to the Inline network.
Chapter 5
Virtual Machine passwords
Management (SSH/Console)
Login: root
Password: p@ck3tf3nc3
Captive Portal Registration User
Login: demouser
Password: demouser
Chapter 6
Configuration
Inline enforcement configuration
Inline enforcement is a very convenient method for performing access control on older network equipment that is not capable of doing VLAN enforcement or that is not supported by PacketFence.
An important configuration parameter to have in mind when configuring inline enforcement is that the DNS reached by these users should be your actual production DNS server, which shouldn't be in the same broadcast domain as your inline users. The next section shows you how to configure the proper inline interface, and it is in this section that you should refer to the proper production DNS.
Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces. A node registered on the first inline interface is marked with an IP:MAC tuple (for L2; only the IP for L3), so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first inline network. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change inline network.
By default the inline traffic is forwarded through the management network interface, but it is possible to specify another one by adding in pf.conf the option interfaceSNAT in the inline section. It is a comma-delimited list of network interfaces like eth0,eth1.2. It's also possible to specify a network that will be routed instead of using NAT by adding in conf/networks.conf an option nat=no under one or more network sections (take care of the routing table of the PacketFence server).
Another important setting is the gateway statement. Since this is the only way to get the PacketFence server inline interface IP address, it is mandatory to set it to this IP (which is supposed to be the same as in the ip statement of the inline interface in conf/pf.conf).
Configuring your PacketFence environment
Before booting your VM, make sure that the PC is correctly connected in the management network and that the link is up.
Once powered, open a browser and point it to the configuration URL as stated by the VM login prompt (i.e. https://PF_IP:1443/configurator). The configuration process is a five-step process at the end of which the VM will be a persistent working PacketFence environment. If you cannot reach the configurator, but you made sure that the connectivity is fine (i.e. ping @PF_IP) and PF httpd.admin is running (i.e. ps -edf | grep httpd.admin in your terminal, or service packetfence status), then try to disable iptables.
Step 1: Enforcement
This is the first and most important step of the configuration process. This is where you'll choose the enforcement technique: either VLAN (out-of-band), INLINE (in-band) or both of them.
The choice(s) made on this step will influence the next step, where you'll need to configure the different networks.
Each enforcement mode has its own required interface types that you'll have to configure on step 2.
In this guide we will show you how to configure the INLINE (in-band) mode. If you want to configure the VLAN (out-of-band) mode, please refer to the guide PacketFence Out of Band Deployment Quick Guide ZEN.
Step 2: Networks
This step will ask you to statically configure your network interfaces (note that DHCP interface configuration is not supported).
The web interface will list all currently installed network interfaces on the system. An IP and a netmask will be visible if the network interface is configured (either by DHCP or already manually configured). You can edit those ones, create/delete VLANs on physical interfaces and enable/disable an interface. Note that these changes are effective the moment you make them. Persistence will be written only for ENABLED interfaces, which means that if you change your management IP address, to pursue the configurator you will need to go to the new IP address you set up.
At all times, you'll need to set a Management interface.
Required interface types for inline enforcement:
- Management
- Inline layer 2
Note that you can only set ONE (1) management interface. This one will work for both in the case you choose both modes.
In our case, we will use two interfaces: one will be for the management, the other one will be for the inline.
For the Inline interface, we connect this network card in a switch port in the Inline network.
Here's a sample configuration for both of them:
eth0: Management
IP Address: 192.168.1.5
Netmask: 255.255.255.0
Gateway: 192.168.1.254
eth1: Inline Layer 2
IP Address: 192.168.2.1
Netmask: 255.255.255.0
DNS Servers: 192.168.1.10
This configuration takes into account that you have an available machine in the management network to access the admin interface of PacketFence.
Make sure that those 2 interfaces are in an Enabled state for the persistence to occur.
We also need to set the Default Gateway, which will generally be the gateway of the management network.
Note that if you have a routed network that needs to be taken into account by PacketFence as an Inline subnet, you will need to add this via Routed Network and select Inline L3. This configuration is available only from the PacketFence web administrative GUI and not from the configurator.
Once everything's set, click Continue to proceed with the next step.
Step 3: Database Configuration
This step will configure the MySQL server needed by PacketFence. Database and schema will be created as well as the necessary user for operations. The root account will also be secured if necessary (set a password and disallow remote login).
Start the MySQLd service if it is not started. Click the MySQL Start button at the top of the web page:
Warning! MySQL server does not seem to be running. You should start it to avoid any problems.
Start MySQL.
Then you will need to create the root password for the MySQL database. Click on the Test button and write a complex password (recommended) twice and save. When you are done creating the password, put the new root password and click on Test to validate it. You should see Success! Successfully connected to the database mysql with user root.
The next section will create the database and load the correct schema on it. Simply leave the default database name and click Create databases and tables.
The last section of this step is the PacketFence user account on the MySQL server. Simply leave the default pf username here and choose a password. This one will automatically be set in the PacketFence configuration, where you'll be able to retrieve it in any case. Once the password is entered twice, click Create user.
If you got a Success! message for all three sections, click Continue.
Step 4: PacketFence Configuration
This step will configure the general options of your PacketFence installation. These are required settings that will, most of the time, fit customer specifications.
Almost all of the required information here is self-explanatory. The only one that could be confusing is the DHCP Servers section. In this one, enter a comma-delimited list of all the DHCP Servers on the customer network, so that when PacketFence sees DHCP traffic originating from these IPs, no rogue-DHCP alerts will be triggered.
PacketFence will use the domain and the hostname to generate the URL to redirect devices to the captive portal. If you have an HTTP certificate, use the same hostname and domain name to validate the SSL connection on the captive portal.
In the last section, Local Database Passwords, you will have to choose the password encryption for local accounts (automatically generated guest accounts and manually created accounts).
Click Continue once all the fields are completed.
Step 5: Administration
This is the step where we create the administrative user to access the PacketFence Administration Web Interface.
Simply provide the desired username and password, then click Create user.
Step 6: Services - Confirmation
The last but not the least. Here, we start the PacketFence server according to the configurations made in the previous steps. If everything goes as expected, you'll be prompted by a window inviting you to continue to the web administration interface.
You'll be able to log in to the PacketFence web administration interface with the credentials created in Step 5.
Services status will help you monitor if everything goes as expected. If not, you'll see which service is in trouble, and the log output will help you determine the problem that occurred.
PacketFence configuration files
If you want to customize the configuration, we suggest that you take a look into the PacketFence Administration Guide prior to doing so. The main configuration files are:
- conf/pf.conf: Configuration for the PacketFence services
- conf/networks.conf: Definition of the registration and isolation networks to build DNS and DHCP configurations. In our case, we included the registration and isolation networks.
In a standard inline enforcement setup, you should not have to modify any configuration file to make things work. Every modification of the configuration is now done only via the admin interface; we DO NOT advise customers to edit the configuration files.
Network Devices
In an inline configuration, the required configuration for network devices (desktops, tablets, printers, etc.) will be to make sure they can all communicate with PacketFence. In other words, for a switch you will need to configure every port on which devices will be connected using access mode, with all of them in the same inline network. Access points will be connected as devices, to be in the inline subnetwork.
Example with a Cisco switch:
You should be in mode #conf-t; if not, execute configure terminal in your CLI.
#
(the switch commands that followed the prompt were not preserved in this copy of the guide)
Now you can connect any devices that you want to be in the inline network to any of the ports you have just configured.
FreeRADIUS
PacketFence ZEN 5.6.0 comes with a pre-configured FreeRADIUS to do Wired and Wireless 802.1X with EAP as well as MAC Authentication. We created a local user for the 802.1X authentication.
Since we are in Inline mode, we will not use RADIUS.
Inline Access
- Make sure that the Inline and management cards are properly configured
- connect a device with a DHCP IP in the Inline subnetwork
- make sure the device is able to communicate with PacketFence on the Inline network card and cannot access the management network
OMAPI
Configuring the DHCP OMAPI (optional)
In order to speed up the IP address lease lookup, you can configure the DHCP OMAPI so that queries for IP and MAC associations are made faster.
First, execute the following command in an SSH session:
# dd if=/dev/urandom bs=16 count=1 2>/dev/null | openssl enc -e -base64
This should produce an output similar to this:
m4NMkOKc9IxfWk8cL2fP4g==
Now paste the output in the Administration interface under Configuration / OMAPI / OMAPI base64 key and save.
Now restart the dhcpd service using the following command in an SSH session:
# /usr/local/pf/bin/pfcmd service dhcpd restart
Traffic shaping
Since PacketFence 5.2 it's now possible to shape the inline traffic based on the role of the device.
How we classify
If you launch:
# ipset -L
Name: PF-iL2_ID1_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
Name: PF-iL2_ID2_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
Name: PF-iL2_ID3_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
You can see that PacketFence created 3 new ipset sessions based on the inline network IP and on the role id defined in the Roles section (Configuration > Roles, to see the id of each role).
So when a device registers on the captive portal, PacketFence will add the device to the corresponding ipset session (role id, network).
Next, iptables rules in the mangle table will classify the traffic based on the ipset session. Each rule matches one of the ipsets above; the match clause of each rule was not preserved in this copy of the guide:
-A postrouting-int-inline-if CLASSIFY --set-class 1:1
-A postrouting-int-inline-if CLASSIFY --set-class 1:1
-A postrouting-int-inline-if CLASSIFY --set-class 1:2
-A postrouting-int-inline-if CLASSIFY --set-class 1:2
-A postrouting-int-inline-if CLASSIFY --set-class 1:3
-A postrouting-int-inline-if CLASSIFY --set-class 1:3
So here the role id 1 will have the class 1:1.
Configure Traffic shaping
Here are 2 examples of tc rules. The first one will apply an upload/download of: 1mb/1mb on role id 1, 2mb/2mb on role id 2, 3mb/3mb on role id 3. (Only the leading tokens of each rule survived in this copy of the guide; the class id, handle and rate arguments that end each line are missing.)
tc class add dev eth0 parent 1:0
tc class add dev eth0 parent 1:0
tc class add dev eth0 parent 1:0
tc qdisc add dev eth0 parent 1:1
tc qdisc add dev eth0 parent 1:2
tc qdisc add dev eth0 parent 1:3
tc class add dev eth1 parent 1:0
tc class add dev eth1 parent 1:0
tc class add dev eth1 parent 1:0
tc qdisc add dev eth1 parent 1:1
tc qdisc add dev eth1 parent 1:2
tc qdisc add dev eth1 parent 1:3
The second one will apply an upload/download of: 1mb/10mb on role id 1, 2mb/20mb on role id 2, 3mb/30mb on role id 3. (The same trailing class id, handle and rate arguments are missing from each class and qdisc line here.)
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1:0 htb default 1
tc class add dev eth0 parent 1:0
tc class add dev eth0 parent 1:0
tc class add dev eth0 parent 1:0
tc qdisc add dev eth0 parent 1:1
tc qdisc add dev eth0 parent 1:2
tc qdisc add dev eth0 parent 1:3
tc class add dev eth1 parent 1:0
tc class add dev eth1 parent 1:0
tc class add dev eth1 parent 1:0
tc qdisc add dev eth1 parent 1:1
tc qdisc add dev eth1 parent 1:2
tc qdisc add dev eth1 parent 1:3
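The role-based shaping described above, as an added example that is not the guide's or PacketFence's own code: a small POSIX shell script that generates (and, with APPLY=1, applies) the HTB rules for a per-role upload/download table, and checks which PF-iL2_ID<role> ipset, and so which tc class, an address landed in. It assumes that upload limits belong on eth0 and download limits on eth1, puts an sfq leaf qdisc under each class, and uses a constructed sample of `ipset -L` output.

```shell
# Added example, not the guide's or PacketFence's own code. Helpers for the
# role-based shaping described above:
#   tc_shaping  - emits HTB rules from a per-role "upload/download" table.
#                 Assumed: upload limits go on eth0 (traffic leaving towards the
#                 network) and download limits on eth1 (towards inline clients);
#                 the sfq leaf qdisc under each class is also an assumption.
#   class_of_ip - parses `ipset -L` output and reports the PF-iL2_ID<role> set,
#                 hence the tc class 1:<role>, that an address belongs to.
# Commands are printed; they run only when APPLY=1 (needs root).
APPLY=${APPLY:-0}
UP_IF=${UP_IF:-eth0}      # egress interface for client uploads
DOWN_IF=${DOWN_IF:-eth1}  # egress interface for client downloads
emit() {                  # print a command, and run it when APPLY=1
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# htb_tree IFACE RATE... : root HTB with "default 1" as in the guide, then
# class 1:N limited to the N-th rate, with an sfq leaf qdisc under it.
htb_tree() {
    iface=$1; shift
    emit tc qdisc del dev "$iface" root
    emit tc qdisc add dev "$iface" root handle 1:0 htb default 1
    n=1
    for rate in "$@"; do
        emit tc class add dev "$iface" parent 1:0 classid "1:$n" htb rate "$rate"
        emit tc qdisc add dev "$iface" parent "1:$n" handle "${n}0:" sfq perturb 10
        n=$((n + 1))
    done
}

# tc_shaping UP1/DOWN1 UP2/DOWN2 ... : one "upload/download" pair per role id.
tc_shaping() {
    ups=""; downs=""
    for pair in "$@"; do
        ups="$ups ${pair%/*}"; downs="$downs ${pair#*/}"
    done
    htb_tree "$UP_IF" $ups
    htb_tree "$DOWN_IF" $downs
}

# class_of_ip IP < listing : prints "ROLE 1:ROLE"; exits 1 if IP is in no set.
class_of_ip() {
    awk -v ip="$1" '
        /^Name:/           { inmembers = 0; role = "" }
        /^Name: PF-iL2_ID/ { role = $2; sub(/^PF-iL2_ID/, "", role); sub(/_.*/, "", role) }
        /^Members:/        { inmembers = 1; next }
        inmembers && role != "" && $1 == ip { print role " 1:" role; found = 1; exit }
        END                { exit !found }'
}

# Constructed sample of `ipset -L` after devices registered with roles 2 and 3.
SAMPLE_IPSET='Name: PF-iL2_ID1_192.168.2.0
Members:

Name: PF-iL2_ID2_192.168.2.0
Members:
192.168.2.20

Name: PF-iL2_ID3_192.168.2.0
Members:
192.168.2.40'

# Dry run of the guide's second example: 1mb/10mb, 2mb/20mb, 3mb/30mb per role.
tc_shaping 1mbit/10mbit 2mbit/20mbit 3mbit/30mbit
printf '%s\n' "$SAMPLE_IPSET" | class_of_ip 192.168.2.20   # prints "2 1:2"
```

Run it as is to review the generated rules; run with APPLY=1 on the PacketFence box to install them, after which `ipset -L | class_of_ip <client ip>` tells you which class a registered client is shaped in.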
Chapter 7
Test
Register a device in inline enforcement
You can now test the registration process. In order to do so:
- connect an unregistered device into the switch
- make sure PacketFence provides an IP address to the device. Look into the following log file: /usr/local/pf/logs/packetfence.log, or verify on the computer that you obtained an IP in the right subnet range
From the computer:
- open a web browser
- try to connect to an HTTP site (not HTTPS, e.g. http://www.google.com)
- make sure that whatever site you want to connect to, you only have access to the registration page.
Register the computer using the following information:
user: demouser
password: demouser
Once a computer has been registered:
- make sure PacketFence changes the firewall (ipset -L) rules so that the user is authorized through. Look into the PacketFence log file: /usr/local/pf/logs/packetfence.log
- from the web administrative interface, go under Nodes and make sure you see the computer as Registered.
- the computer has access to the network and the Internet.
Chapter 8
Additional Information
For more information, please consult the mailing archives or post your questions to it. For details, see:
- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions
Chapter 9
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/ for details.
Chapter 10
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.