
PacketFence Inline Deployment Quick Guide using ZEN
for PacketFence version 5.6.0

PacketFence Inline Deployment Quick Guide using ZEN
by Inverse Inc.

Version 5.6.0 - Jan 2016
Copyright 2015 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Table of Contents
About this Guide ........ 1
  Other sources of information ........ 1
Getting Started ........ 2
  Virtual Machine ........ 2
  Inline ........ 2
Assumptions ........ 3
  Network Setup ........ 3
  DHCP/DNS ........ 3
Installation ........ 4
  Import the virtual machine ........ 4
Virtual Machine passwords ........ 5
Configuration ........ 6
  Inline enforcement configuration ........ 6
  PacketFence configuration files ........ 9
  Network Devices ........ 9
  FreeRADIUS ........ 10
  Inline Access ........ 10
  OMAPI ........ 10
  Traffic shaping ........ 11
Test ........ 14
  Register a device in inline enforcement ........ 14
Additional Information ........ 15
Commercial Support and Contact Information ........ 16
GNU Free Documentation License ........ 17


Chapter 1

About this Guide

This guide will walk you through the installation and configuration of the PacketFence ZEN solution. It covers Inline isolation setup.
The instructions are based on version 5.6.0 of PacketFence.
The latest version of this guide is available online at http://www.packetfence.org/documentation/guides.html

Other sources of information
We suggest that you also have a look at the PacketFence Administration Guide and the PacketFence Network Devices Configuration Guide. Both are available online at http://www.packetfence.org/documentation/guides.html


Chapter 2

Getting Started

Virtual Machine
This setup has been tested using VMware ESXi 4.0 & 5.0 with 8 GB of RAM dedicated to the virtual machine. It might work using other virtualization products. You need to have a 64-bit capable CPU on your host.

Inline
In order to build an Inline setup you need:
- 2 network interfaces for the VM (1 for the Inline network and another one to go out).
- a switch port in the management network for the PacketFence ZEN box (for eth0).
- a switch port in the inline network for the PacketFence ZEN box (for eth1), which needs to be configured in access mode and in the same access VLAN as every switch port on which devices will be connected.
- your server has net.ipv4.ip_forward enabled. Edit the following file:
# /etc/sysctl.conf
Change net.ipv4.ip_forward from 0 to 1:
# net.ipv4.ip_forward = 1
Now apply the change so it takes effect immediately (the edit to /etc/sysctl.conf is what makes it persist across reboots) by running the following in your terminal:
# sysctl -p /etc/sysctl.conf


Chapter 3

Assumptions

Throughout this configuration example we use the following assumptions for our network infrastructure:

Network Setup
- eth0 is on the management network
- eth1 is on the inline network
Please refer to the following table for IP and subnet information:

Card   Network Name   Subnet           Gateway       PacketFence Address
eth0   Management     192.168.1.0/24   192.168.1.1   192.168.1.5
eth1   Inline         192.168.2.0/24   192.168.2.1   192.168.2.1

DHCP/DNS
PacketFence provides its own DHCP service. It will take care of IP address distribution in our Inline network. PacketFence will not provide DHCP services on the management network; this is the responsibility of your own infrastructure.
PacketFence provides its own DNS service. However, for the Inline version, we need to provide the DNS of your infrastructure.


Chapter 4

Installation

Import the virtual machine
PacketFence ZEN 5.6.0 comes as a pre-built virtual disk (OVA). If you are using an ESX-type hypervisor, you need to import the OVA using vSphere Client (or vCenter). We are not supporting any Xen-based hypervisors yet.

Import to ESX
Make sure that there are two virtual network cards created. Assign the first card (eth0) to your management network (Production) and assign the second one (eth1) to the Inline network.


Chapter 5

Virtual Machine passwords

Management (SSH/Console)
Login: root
Password: p@ck3tf3nc3

Captive Portal Registration User
Login: demouser
Password: demouser


Chapter 6

Configuration

Inline enforcement configuration
The inline enforcement is a very convenient method for performing access control on older network equipment that is not capable of doing VLAN enforcement or that is not supported by PacketFence.
An important configuration parameter to have in mind when configuring inline enforcement is that the DNS reached by these users should be your actual production DNS server, which shouldn't be in the same broadcast domain as your inline users. The next section shows you how to configure the proper inline interface, and it is in this section that you should refer to the proper production DNS.
Inline enforcement uses ipset to mark nodes as registered, unregistered and isolated. It is also now possible to use multiple inline interfaces. A node registered on the first inline interface is marked with an IP:MAC tuple (for L2; only the IP for L3), so when the node tries to register on another inline interface, PacketFence detects that the node is already registered on the first inline network. It is also possible to enable inline.should_reauth_on_vlan_change to force users to reauthenticate when they change inline network.
By default the inline traffic is forwarded through the management network interface, but it is possible to specify another one by adding the option interfaceSNAT in the inline section of pf.conf. It is a comma-delimited list of network interfaces like eth0,eth1.2. It's also possible to specify a network that will be routed instead of using NAT by adding in conf/networks.conf an option nat=no under one or more network sections (take care of the routing table of the PacketFence server).
Another important setting is the gateway statement. Since this is the only way to get the PacketFence server inline interface IP address, it is mandatory to set it to this IP (which is supposed to be the same as in the ip statement of the inline interface in conf/pf.conf).

Configuring your PacketFence environment
Before booting your VM, make sure that the PC is correctly connected to the management network and that the link is up.
Once powered on, open a browser and point it to the configuration URL as stated by the VM login prompt (i.e. https://PF_IP:1443/configurator). The configuration process is a five-step process at the end of which the VM will be a persistent, working PacketFence environment. If you cannot reach the configurator, but you made sure that the connectivity is fine (i.e. ping @PF_IP) and PF httpd.admin is running (i.e. ps -edf | grep httpd.admin in your terminal, or service packetfence status), then try to disable iptables.


Step 1: Enforcement
The first and most important step of the configuration process. This is where you'll choose the enforcement technique: either VLAN (out-of-band), INLINE (in-band) or both of them.
The choice(s) made in this step will influence the next step, where you'll need to configure the different networks.
Each enforcement mode has its own required interface types that you'll have to configure in step 2.
In this guide we will show you how to configure the INLINE (in-band) mode. If you want to configure the VLAN (out-of-band) mode, please refer to the guide PacketFence Out of Band Deployment Quick Guide ZEN.

Step 2: Networks
This step will ask you to statically configure your network interfaces (note that DHCP interface configuration is not supported).
The web interface will list all currently installed network interfaces on the system. An IP and a netmask will be visible if the network interface is configured (either by DHCP or already manually configured). You can edit those, create/delete VLANs on physical interfaces and enable/disable an interface. Note that these changes are effective the moment you make them. Persistence will be written only for ENABLED interfaces, which means that if you change your management IP address, to continue with the configurator you will need to go to the new IP address you set up.
In all cases, you'll need to set a Management interface.
Required interface types for inline enforcement:
- Management
- Inline layer 2
Note that you can only set ONE (1) management interface. This one will work for both in the case you choose both modes.
In our case, we will use two interfaces: one will be for the management, the other one will be for the inline.
For the Inline interface, we connect this network card to a switch port in the Inline network.
Here's a sample configuration for both of them:
eth0: Management
IP Address: 192.168.1.5
Netmask: 255.255.255.0
Gateway: 192.168.1.254
eth1: Inline Layer 2
IP Address: 192.168.2.1
Netmask: 255.255.255.0
DNS Servers: 192.168.1.10

This configuration takes into account that you have an available machine in the management network to access the admin interface of PacketFence.
Make sure that those 2 interfaces are in an Enabled state for the persistence to occur.
We also need to set the Default Gateway, which will generally be the gateway of the management network.
Note that if you have a routed network that needs to be taken into account by PacketFence as an Inline subnet, you will need to add this via Routed Network and select Inline L3. This configuration is available only from the PacketFence web administrative GUI and not from the configurator.
Once everything's set, click Continue to proceed with the next step.

Step 3: Database Configuration
This step will configure the MySQL server needed by PacketFence. The database and schema will be created, as well as the necessary user for operations. The root account will also be secured if necessary (set a password and disallow remote login).
Start the MySQLd service if it is not started. Click the MySQL Start button at the top of the web page:
Warning! MySQL server does not seem to be running. You should start it to avoid any problems. Start MySQL.
Then you will need to create the root password for the MySQL database. Click on the Test button and write a complex password (recommended) twice and save. When you are done creating the password, enter the new root password and click on Test to validate it. You should see: Success! Successfully connected to the database mysql with user root
The next section will create the database and load the correct schema on it. Simply leave the default database name and click Create databases and tables.
The last section of this step is the PacketFence user account on the MySQL server. Simply leave the default pf username here and choose a password. This one will automatically be set in the PacketFence configuration, where you'll be able to retrieve it in any case. Once the password is entered twice, click Create user.
If you got a Success! message for all three sections, click Continue.

Step 4: PacketFence Configuration
This step will configure the general options of your PacketFence installation. These are needed configurations that will most of the time fit customer specifications.
Almost all of the required information here is self-explanatory. The only one that could be confusing is the DHCP Servers section. In this one, enter a comma-delimited list of all the DHCP servers on the customer network so that when PacketFence sees DHCP traffic originating from these IPs, no rogue-DHCP alerts will be triggered.
PacketFence will use the domain and the hostname to generate the URL to redirect devices to the captive portal. If you have an HTTP certificate, use the same hostname and domain name to validate the SSL connection on the captive portal.
In the last section, Local Database Passwords, you will have to choose the password encryption for local accounts (automatically generated guest accounts and manually created accounts).

Click Continue once all the fields are completed.

Step 5: Administration
This is the step where we create the administrative user to access the PacketFence Administration Web Interface.
Simply provide the desired username and password, then click Create user.

Step 6: Services - Confirmation
The last but not the least. Here, we start the PacketFence server according to the configurations made in the previous steps. If everything goes as expected, you'll be prompted by a window inviting you to continue to the web administration interface.
You'll be able to log into the PacketFence web administration interface with the credentials created in Step 5.
Services status will help you monitor whether everything goes as expected. If not, you'll see which service is in trouble, and the log output will help you determine the problem that occurred.

PacketFence configuration files
If you want to customize the configuration, we suggest that you take a look at the PacketFence Administration Guide prior to doing so. The main configuration files are:
- conf/pf.conf: Configuration for the PacketFence services
- conf/networks.conf: Definition of the registration and isolation networks to build DNS and DHCP configurations. In our case, we included the registration and isolation networks.
In a standard inline enforcement setup, you should not have to modify any configuration file to make things work. Every modification of the configuration is now done only via the admin interface; we DO NOT advise customers to edit the configuration files.

Network Devices
In an inline configuration, the required configuration for network devices (desktops, tablets, printers, etc.) is to make sure they can all communicate with PacketFence. In other words, for a switch you will need to configure every port on which devices will be connected using access mode, with all of them in the same inline network. Access points will be connected as devices, to be in the inline subnetwork.
Example with a Cisco switch:
You should be in configuration mode (#conf-t); if not, execute configure terminal in your CLI.


# interface range [port-range]
# switchport mode access
# switchport access vlan 1
# no shutdown
# interface [packetfence_eth1]
# switchport mode access
# switchport access vlan 1
# no shutdown
# end
# copy running-config startup-config

Now you can connect any devices that you want to be in the inline network to any of the ports you have just configured.

FreeRADIUS
PacketFence ZEN 5.6.0 comes with a pre-configured FreeRADIUS to do Wired and Wireless 802.1X with EAP as well as MAC Authentication. We created a local user for the 802.1X authentication. Since we are doing Inline mode, we will not use RADIUS.

Inline Access
- Make sure that the Inline and management cards are properly configured
- connect a device with a DHCP IP in the Inline subnetwork
- make sure the device is able to communicate with PacketFence on the Inline network card and cannot access the management network

OMAPI
Configuring the DHCP OMAPI (optional)
In order to speed up the IP address lease lookup, you can configure the DHCP OMAPI so that queries for IP and MAC associations are made faster.
First, execute the following command in an SSH session:
# dd if=/dev/urandom bs=16 count=1 2>/dev/null | openssl enc -e -base64
This should produce an output similar to this:


m4NMkOKc9IxfWk8cL2fP4g==
Now paste the output in the Administration interface under Configuration / OMAPI / OMAPI base64 key and save.

Now restart the dhcpd service using the following command in an SSH session:
# /usr/local/pf/bin/pfcmd service dhcpd restart

Traffic shaping
Since PacketFence 5.2 it's now possible to shape the inline traffic based on the role of the device.

How we classify
If you launch:


# ipset -L
Name: PF-iL2_ID1_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
Name: PF-iL2_ID2_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
Name: PF-iL2_ID3_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
You can see that PacketFence created 3 new ipset sessions based on the inline network IP and on the role id defined in the Roles section (Configuration > Roles, to see the id of each role).
So when a device registers on the captive portal, PacketFence will add the device to the corresponding ipset session (role id, network).
The next iptables rules in the mangle table will classify the traffic based on the ipset session:
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_192.168.2.0 src -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_192.168.2.0 dst -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_192.168.2.0 src -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_192.168.2.0 dst -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_192.168.2.0 src -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_192.168.2.0 dst -j CLASSIFY --set-class 1:3

So here the role id 1 will have the class 1:1.

Configure Traffic shaping
Here are 2 examples of tc rules. The first one will apply an upload/download of: 1mb/1mb on role id 1, 2mb/2mb on role id 2, 3mb/3mb on role id 3


tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1:0 htb default 1
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 1mbit ceil 1mbit
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 2mbit ceil 2mbit
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 3mbit ceil 3mbit
tc qdisc add dev eth0 parent 1:1 sfq
tc qdisc add dev eth0 parent 1:2 sfq
tc qdisc add dev eth0 parent 1:3 sfq

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1:0 htb default 1
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 1mbit ceil 1mbit
tc class add dev eth1 parent 1:0 classid 1:2 htb rate 2mbit ceil 2mbit
tc class add dev eth1 parent 1:0 classid 1:3 htb rate 3mbit ceil 3mbit
tc qdisc add dev eth1 parent 1:1 sfq
tc qdisc add dev eth1 parent 1:2 sfq
tc qdisc add dev eth1 parent 1:3 sfq

The second one will apply an upload/download of: 1mb/10mb on role id 1, 2mb/20mb on role id 2, 3mb/30mb on role id 3
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1:0 htb default 1
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 1mbit ceil 1mbit
tc class add dev eth0 parent 1:0 classid 1:2 htb rate 2mbit ceil 2mbit
tc class add dev eth0 parent 1:0 classid 1:3 htb rate 3mbit ceil 3mbit
tc qdisc add dev eth0 parent 1:1 sfq
tc qdisc add dev eth0 parent 1:2 sfq
tc qdisc add dev eth0 parent 1:3 sfq

tc qdisc del dev eth1 root
tc qdisc add dev eth1 root handle 1:0 htb default 1
tc class add dev eth1 parent 1:0 classid 1:1 htb rate 10mbit ceil 10mbit
tc class add dev eth1 parent 1:0 classid 1:2 htb rate 20mbit ceil 20mbit
tc class add dev eth1 parent 1:0 classid 1:3 htb rate 30mbit ceil 30mbit
tc qdisc add dev eth1 parent 1:1 sfq
tc qdisc add dev eth1 parent 1:2 sfq
tc qdisc add dev eth1 parent 1:3 sfq

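The two examples above hard-code three roles. The following shell script, added here and not part of the PacketFence guide, generates the ipset-based CLASSIFY rules from the "How we classify" section and the per-interface tc commands for any list of role ids and rates; the ipset name pattern PF-iL2_ID<role>_<network> and the chain name are taken from the page, the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the PacketFence guide: generate the mangle-table
# CLASSIFY rules and the tc HTB commands for per-role inline traffic shaping,
# generalizing the guide's two examples to any list of role ids and rates.
# Assumptions: role ipsets are named PF-iL2_ID<role>_<network> and the chain
# is postrouting-int-inline-if, exactly as shown by `ipset -L` in the guide.

INLINE_NET="192.168.2.0"   # inline network, as in the guide's ipset names

# classify_rules <role id>...  -> iptables rules mapping role id N to class 1:N
# "src" matches traffic the client sends (shaped on eth0 egress = upload),
# "dst" matches traffic sent to the client (shaped on eth1 egress = download).
classify_rules() {
    for id in "$@"; do
        set_name="PF-iL2_ID${id}_${INLINE_NET}"
        for dir in src dst; do
            printf -- '-A postrouting-int-inline-if -m set --match-set %s %s -j CLASSIFY --set-class 1:%s\n' \
                "$set_name" "$dir" "$id"
        done
    done
}

# shaping_cmds <dev> <role id>:<rate>...  -> tc commands for one interface.
# Each role gets an HTB class 1:<id> capped at <rate> (rate == ceil, so no
# borrowing between roles) with an sfq leaf for per-flow fairness.
# Caveat: "htb default 1" sends any packet matched by no CLASSIFY rule to
# class 1:1, so unclassified hosts share role 1's cap.
shaping_cmds() {
    dev="$1"; shift
    printf 'tc qdisc del dev %s root\n' "$dev"
    printf 'tc qdisc add dev %s root handle 1:0 htb default 1\n' "$dev"
    for pair in "$@"; do
        id="${pair%%:*}"; rate="${pair#*:}"
        printf 'tc class add dev %s parent 1:0 classid 1:%s htb rate %s ceil %s\n' \
            "$dev" "$id" "$rate" "$rate"
    done
    for pair in "$@"; do
        printf 'tc qdisc add dev %s parent 1:%s sfq\n' "$dev" "${pair%%:*}"
    done
}

# Usage: the guide's second example (1/2/3 mbit upload, 10/20/30 mbit download).
# classify_rules 1 2 3
# shaping_cmds eth0 1:1mbit 2:2mbit 3:3mbit
# shaping_cmds eth1 1:10mbit 2:20mbit 3:30mbit
```

Pipe the output into `iptables-restore`/a shell only after reviewing it; tc shapes egress only, which is why the download caps go on eth1 and the upload caps on eth0.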

Chapter 7

Test

Register a device in inline enforcement
You can now test the registration process. In order to do so:
- connect an unregistered device to the switch
- make sure PacketFence provides an IP address to the device. Look into the following log file: /usr/local/pf/logs/packetfence.log, or verify on the computer that you obtained an IP in the right subnet range
From the computer:
- open a web browser
- try to connect to an HTTP site (not HTTPS, e.g. http://www.google.com)
- make sure that whatever site you want to connect to, you only have access to the registration page.
Register the computer using the following information:
user: demouser
password: demouser
Once a computer has been registered:
- make sure PacketFence changes the firewall (ipset -L) rules so that the user is authorized through. Look into the PacketFence log file: /usr/local/pf/logs/packetfence.log
- from the web administrative interface, go under Nodes and make sure you see the computer as Registered.
- the computer has access to the network and the Internet.
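As an added check for the ipset -L step of this test (example code, not from the guide): a shell function that parses `ipset -L` output and reports which role ipset the registered client's IP ended up in. The sample output embedded below is constructed, modelled on the listing in the Traffic shaping section; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the PacketFence guide: find which role ipset an
# inline client IP is a member of, from `ipset -L` output. The sample output
# is constructed for offline use; set names follow the guide's
# PF-iL2_ID<role>_<network> pattern, with one member IP per line.
SAMPLE_IPSET_OUTPUT='Name: PF-iL2_ID1_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
192.168.2.42

Name: PF-iL2_ID2_192.168.2.0
Type: bitmap:ip
Revision: 0
Header: range 192.168.2.0-192.168.2.255
Size in memory: 152
References: 2
Members:
192.168.2.77
'

# role_set_for_ip <ip> [ipset -L output]
# Prints the set name(s) holding <ip>, or "none" when the node has not been
# placed in any role set (i.e. registration did not update the firewall).
# Without a second argument the live `ipset -L` output is used.
role_set_for_ip() {
    ip="$1"
    output="${2:-$(ipset -L)}"
    found=$(printf '%s\n' "$output" | awk -v ip="$ip" '
        /^Name:/    { name = $2; in_members = 0 }
        /^Members:/ { in_members = 1; next }
        /^$/        { in_members = 0 }
        in_members && $1 == ip { print name }')
    if [ -n "$found" ]; then printf '%s\n' "$found"; else echo none; fi
}

# role_id_from_set <set name> -> the role id encoded in the name, e.g.
# PF-iL2_ID2_192.168.2.0 -> 2 (compare with Configuration > Roles).
role_id_from_set() {
    printf '%s\n' "$1" | sed -n 's/^PF-iL2_ID\([0-9][0-9]*\)_.*/\1/p'
}

# Usage on the PacketFence server, after registering the test device:
# role_set_for_ip 192.168.2.42
```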


Chapter 8

Additional Information

For more information, please consult the mailing archives or post your questions to them. For details, see:
- packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence
- packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
- packetfence-users@lists.sourceforge.net: User and usage discussions


Chapter 9

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/ for details.


Chapter 10

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
