Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
PacketFence – version 1.9.1
Administration Guide
Copyright © 2008-2010 Inverse inc. (http://inverse.ca)
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
Version 1.9.1 – September 2010
Contents
Chapter 1 About this Guide ............................................................................................................... 3
Other sources of information .................................................................................... 3
Chapter 2 Introduction ........................................................................................................................4
Features ....................................................................................................................4
Network Integration ..................................................................................................6
Components ............................................................................................................. 7
Chapter 3 Administration Tools ........................................................................................................ 8
pfcmd ...................................................................................................................... 8
pfcmd_vlan .............................................................................................................. 9
Web Admin GUI .................................................................................................... 11
Chapter 4 VLAN isolation ............................................................................................................... 12
Introduction ........................................................................................................... 12
Supported Switches, Access points and Controllers ................................................. 14
Command-Line Interface: Telnet and SSH ............................................................... 15
Web Services Interface ........................................................................................... 16
SNMP v1, v2c and v3 ............................................................................................. 16
Switch Confguration .............................................................................................. 19
Routing, DHCPd and BIND .................................................................................... 39
Chapter 5 Integration with wireless networks ............................................................................. 43
MAC Authentication ............................................................................................... 43
802.1x ................................................................................................................... 51
Chapter 6 Floating Network Devices ............................................................................................. 62
Identifcation .......................................................................................................... 63
Chapter 7 Blocking malicious activities with violations ............................................................ 64
Chapter 8 Performance optimization ..............................................................................................67
Snort signatures ...................................................................................................... 67
MySQL optimizations ............................................................................................. 67
Chapter 9 High availability ..............................................................................................................72
Creation of the DRBD partition ...............................................................................73
DRBD and Linux-HA Installation ............................................................................ 73
DRBD Confguration and setup ...............................................................................73
MySQL Confguration ............................................................................................. 77
Heartbeat confguration .......................................................................................... 78
Chapter 10 Frequently Asked Questions ......................................................................................... 81
Services ..................................................................................................................81
Web interface ......................................................................................................... 81
Switches ................................................................................................................. 83
Troubleshooting ..................................................................................................... 84
Chapter 11 Additional Software ........................................................................................................86
Nessus ................................................................................................................... 86
Snort ...................................................................................................................... 87
Oinkmaster ............................................................................................................ 88
Chapter 12 Appendix A: Database Schema ..................................................................................... 90
Chapter 13 Appendix B: Confguration parameter reference ....................................................... 91
Chapter 14 Additional Information ................................................................................................ 112
Chapter 15 Commercial Support and Contact Information ........................................................ 113
Chapter 16 GNU Free Documentation License ............................................................................. 114
Chapter 1
1 About this Guide
This guide will walk you through the day to day administration of the PacketFence solution. It covers mainly VLAN isolation.
The instructions are based on version 1.9.1 of PacketFence.
The latest version of this guide is available at http://www.packetfence.org/download/documentation.html
Other sources of information
For the list of noteworthy changes since the last release see the NEWS fle.
For a list of compatibility related changes and notes about upgrading see the UPGRADE fle.
For more details and developer visible changes see the ChangeLog fle.
These fles are included in the package and tarball.
© 2008-2010 Inverse inc. About this Guide 3
Chapter 2
2 Introduction
PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boosting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.
Features
❏ Out of band
PacketFence's operation is completely out of band which allows the solution to scale geographically and to be more resilient to failures.
❏ Voice over IP (VoIP) support.
Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).
❏ 802.1X
802.1X wireless and wired is supported through a FreeRADIUS module.
❏ Wireless integration
PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
© 2008-2010 Inverse inc. Introduction 4
Chapter 2
❏ Registration
PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is confgurable. An Acceptable Use Policy can be specifed such that users cannot enable network access without frst accepting it.
❏ Detection of abnormal network activities
Abnormal network activities (computer virus, worms, spyware, traffc denied by establishment policy, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of confgurable actions for each violation is available to administrators.
❏ Proactive vulnerability scans
Nessus vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the Nessus vulnerability ID's of each scan to the violation confguration, returning content specifc web pages about which vulnerability the host may have.
❏ Isolation of problematic devices
PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
❏ Remediation through a captive portal
Once trapped, all network traffc is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in reducing costly help desk intervention.
❏ Command-line and Web-based management
Web-based and command-line interfaces for all management tasks.
PacketFence is developed by a community of developers located mainly in North America. More information can be found on http://www.packetfence.org
© 2008-2010 Inverse inc. Introduction 5
Chapter 2
Network Integration
© 2008-2010 Inverse inc. Introduction 6
Chapter 2
Components
© 2008-2010 Inverse inc. Introduction 7
Chapter 3
3 Administration Tools
pfcmd
pfcmd is the command line interface to most PacketFence functionalities.
When executed without any arguments pfcmd returns a basic help message with all main options:
# /usr/local/pf/bin/pfcmd
Usage: pfcmd <command> [options]
class | view violation classes
config | query, set, or get help on pf.conf configuration paramaters
configfiles | push or pull configfiles into/from database
fingerprint | view DHCP Fingerprints
graph | trending graphs
history | IP/MAC history
ifoctetshistorymac | accounting history
ifoctetshistoryswitch | accounting history
ifoctetshistoryuser | accounting history
interfaceconfig | query/modify interface configuration parameters
ipmachistory | IP/MAC history
locationhistorymac | Switch/Port history
locationhistoryswitch | Switch/Port history
lookup | node or pid lookup against local data store
manage | manage node entries
networkconfig | query/modify network configuration parameters
node | node manipulation
nodecategory | nodecategory manipulation
person | person manipulation
reload | rebuild fingerprint or violations tables without restart
report | current usage reports
© 2008-2010 Inverse inc. Administration Tools 8
Chapter 3
schedule | Nessus scan scheduling
service | start/stop/restart and get PF daemon status
switchconfig | query/modify switches.conf configuration parameters
switchlocation | view switchport description and location
traplog | update traplog RRD files and graphs or obtain switch IPs
trigger | view and throw triggers
ui | used by web UI to create menu hierarchies and dashboard
update | download canonical fingerprint or OUI data
version | get installed PF version and database MD5s
violation | violation manipulation
violationconfig | query/modify violations.conf configuration parameters
Please view "pfcmd help <command>" for details on each option
The node view option shows all information contained in the node database table for a specifed MAC address
# /usr/local/pf/bin/pfcmd node view 52:54:00:12:35:02
mac|pid|detect_date|regdate|unregdate|lastskip|status|user_agent|computername|notes|last_arp|last_dhcp|switch|port|vlan|dhcp_fingerprint
52:54:00:12:35:02|1|2008-10-23 17:32:16||||unreg||||2008-10-23 21:12:21|||||
pfcmd_vlan
pfcmd_vlan is the command line interface to most VLAN isolation related functionalitites.
Again, when executed without any arguments, a help screen is shown.
# /usr/local/pf/bin/pfcmd_vlan
Usage:
pfcmd_vlan command [options]
Command:
-deauthenticate de-authenticate a dot11 client
-getAlias show the description of the specified switch port
-getAllMACs show all MACS on all switch ports
© 2008-2010 Inverse inc. Administration Tools 9
Chapter 3
-getHubs show switch ports with several MACs
-getIfOperStatus show the operational status of the specified switch port
-getIfType show the ifType on the specified switch port
-getLocation show at which switch port the MAC is found
-getMAC show all MACs on the specified switch port
-getType show switch type
-getUpLinks show the upLinks of the specified switch
-getVersion show switch OS version
-getVlan show the VLAN on the specified switch port
-getVlanType show the type of the specified port
-help brief help message
-isolate set the switch port to the isolation VLAN
-man full documentation
-reAssignVlan re-assign a switch port VLAN
-resetVlanAllPort reset VLAN on all non-UpLink ports of the specified switch
-resetVlanNetwork reset VLAN on all non-UpLink ports of all managed switches
-setAlias set the description of the specified switch port
-setDefaultVlan set the switch port to the default VLAN
-setIfAdminStatus set the admin status of the specified switch port
-setVlan set VLAN on the specified switch port
-setVlanAllPort set VLAN on all non-UpLink ports of the specified switch
Options:
-alias switch port description
-ifAdminStatus ifAdminStatus
-ifIndex switch port ifIndex
-mac MAC address
-showMACVendor show the MAC vendor
-showPF show additional information available in PF
-switch switch description
-verbose log verbosity level
0 : fatal messages
1 : warn messages
2 : info messages
> 2 : full debug
-vlan VLAN
© 2008-2010 Inverse inc. Administration Tools 10
Chapter 3
Web Admin GUI
The Web Admin GUI, accessible using https on port 1443, shows the same information available using pfcmd.
© 2008-2010 Inverse inc. Administration Tools 11
Chapter 4
4 VLAN isolation
Introduction
The VLAN isolation is working through SNMP traps. All switch ports (on which VLAN isolation should be done) must be confgured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats and writes them into a fat fle: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the fat fle and responds to them by setting the switch port to the correct VLAN. Currently, we support switches from Cisco, Edge-core, HP, Intel, Linksys and Nortel (adding support for switches from another vendor implies extending the pf::SNMP class). Depending on your switches capabilities, pfsetvlan will act on different types of SNMP traps.
You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers which have open violations in a separate VLAN, an isolation VLAN needs also to be created.
© 2008-2010 Inverse inc. VLAN isolation 12
Chapter 4
❏ linkUp/linkDown traps
This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just an empty VLAN.
When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN in which the device will send DHCP requests (with no answer) in order for the switch to learn its MAC address. Then pfsetvlan will send periodical SNMP queries to the switch until the switch learns the MAC of the device. When the MAC address is known, pfsetvlan checks its status (existing ? registered ? any violations ?) in the database and puts the port in the appropriate VLAN. When a device is unplugged, the switch sends a 'linkDown' trap to PacketFence which puts the port into the MAC detection VLAN.
When a computer boots, the initialization of the NIC generates several link status changes. And every time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this generates unfortunately some unnecessary load on pfsetvlan. In order to optimize the trap treatment, PacketFence stops every thread for a 'linkUp trap' when it receives a 'linkDown' trap on the same port. But using only linkUp/linkDown traps is not the most scalable option. For example in case of power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly and this could result in network connection latency…
❏ MAC notifcation traps
If your switches support MAC notifcation traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need, after a linkUp trap, to query the switch continuously until the MAC has fnally been learned. When it receives a linkUp trap for a port on which MAC notifcation traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device it sends a MAC learnt trap (containing the MAC address) to PacketFence.
❏ Port Security traps
In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.
If your switches support this feature, we strongly recommend to use it rather than linkUp/linkDown and/or MAC notifcations. Why ? Because as long as a MAC address is authorized on a port and is the only one connected, the switch will send no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.
When you enable port security traps you should not enable linkUp/linkDown nor MAC notifcation traps.
© 2008-2010 Inverse inc. VLAN isolation 13
Chapter 4
Supported Switches, Access points and Controllers
PacketFence supports the following devices:
Vendor Model PacketFence Type (used in switches.conf)
3COM NJ220 ThreeCom::NJ220
SuperStack 3 Switch 4200 ThreeCom::SS4200
SuperStack 3 Switch 4500 ThreeCom::SS4500
Switch 4200G ThreeCom::Switch_4200G
Amer L2 Switch SS2R24i Amer::SS2R24i
Aruba Controller 200 Aruba::Controller_200
Cisco Aironet 1130 AG Cisco::Aironet_1130
Aironet 1240 AG Cisco::Aironet_1242
Aironet 1250 Cisco::Aironet_1250
2100 Wireless Controller Cisco::WLC_2106
4400 Wireless Controller Cisco::WLC_4400
Catalyst 2900XL Series Cisco::Catalyst_2900XL
Catalyst 2950 Cisco::Catalyst_2950
Catalyst 2960 Cisco::Catalyst_2960
Catalyst 2970 Cisco::Catalyst_2970
Catalyst 3500XL Series Cisco::Catalyst_3500XL
Catalyst 3550 Cisco::Catalyst_3550
Catalyst 3560 Cisco::Catalyst_3560
Catalyst 3750 Cisco::Catalyst_3750
Catalyst 4500 Cisco::Catalyst_4500
Router ISR 1800 Series Cisco::ISR_1800
Wireless Services Module Cisco::WiSM
D-Link DES 3526 Dlink::DES_3526
DWS 3026 Dlink::DWS_3026
Dell PowerConnect 3424 Dell::PowerConnect3424
Edge-corE 3526XA Accton::ES3536XA
3528M Accton::ES3528M
© 2008-2010 Inverse inc. VLAN isolation 14
Chapter 4
Enterasys Matrix N3 Enterasys::Matrix_N3
SecureStack C2 Enterasys::SecureStack_C2
SecureStack C3 Enterasys::SecureStack_C3
Standalone D2 Enterasys::D2
Extreme Networks Summit Series Extreme::Summit
Foundry FastIron 4802 Foundry::FastIron_4802
HP ProCurve 2500 Series HP::Procurve_2500
ProCurve 2600 Series HP::Procurve_2600
ProCurve 3400cl Series HP::Procurve_3400cl
ProCurve 4100 Series HP::Procurve_4100
Intel Express 460 Intel::Express_460
Express 530 Intel::Express_530
Linksys SRW224G4 Linksys::SRW224G4
Nortel BPS2000 Nortel::BPS2000
ERS 2500 Series Nortel::ERS2500
ERS 4500 Series Nortel::ERS4500
ES325 Nortel::ES325
Baystack 470 Nortel::Baystack470
Baystack 4550 Nortel::Baystack4550
Baystack 5520 Nortel::Baystack5520
SMC TigerStack 6128 L2 SMC::TS6128L2
TigerStack 6224M SMC::TS6224M
TigerStack 8824-48M SMC::TS8800M
Command-Line Interface: Telnet and SSH
PackeFence needs sometimes to establish an interactive command-line session with a switch. This can be done using Telnet. Starting with 1.8, you can now use SSH. In order to do so, edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters :
cliTransport = SSH (or Telnet)cliUser = admincliPwd = admin_pwdcliEnablePwd =
© 2008-2010 Inverse inc. VLAN isolation 15
Chapter 4
Web Services Interface
PackeFence sometimes needs to establish a dialog with the Web Services capabilities of a switch. In order to do so, edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters :
wsTransport = http (or https)wsUser = adminwsPwd = admin_pwd
Note: as of PacketFence 1.9.1 few switches require Web Services confguration in order to work.
SNMP v1, v2c and v3
PacketFence uses SNMP to communicate with the switches. Starting with 1.8, PacketFence now supports SNMP v3. You can use SNMP v3 for communication in both directions: from the switch to PacketFence and from PacketFence to the switch.
From PacketFence to a switch
Edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersion = 3
SNMPUserNameRead = readUser
SNMPAuthProtocolRead = MD5
SNMPAuthPasswordRead = authpwdread
SNMPPrivProtocolRead = DES
SNMPPrivPasswordRead = privpwdread
SNMPUserNameWrite = writeUser
SNMPAuthProtocolWrite = MD5
SNMPAuthPasswordWrite = authpwdwrite
SNMPPrivProtocolWrite = DES
SNMPPrivPasswordWrite = privpwdwrite
© 2008-2010 Inverse inc. VLAN isolation 16
Chapter 4
© 2008-2010 Inverse inc. VLAN isolation 17
Chapter 4
From a switch to PacketFence
Edit the switch confg fle (/usr/local/pf/conf/switches.conf) and set the following parameters:
SNMPVersionTrap = 3
SNMPUserNameTrap = readUser
SNMPAuthProtocolTrap = MD5
SNMPAuthPasswordTrap = authpwdread
SNMPPrivProtocolTrap = DES
SNMPPrivPasswordTrap = privpwdread
Switch Confguration
Here is a switch confguration example in order to enable SNMP v3 in both directions on a Cisco Switch.
snmp-server engineID local AA5ED139B81D4A328D18ACD1
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv des56 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv des56 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.0.50 version 3 priv readUser port-security
© 2008-2010 Inverse inc. VLAN isolation 18
Chapter 4
Switch Confguration
Assumptions
Throughout this confguration example we use the following assumptions for our network infrastructure:
❏ PacketFence IP address: 192.168.1.5
❏ Normal VLAN: 1
❏ Registration VLAN: 2
❏ Isolation VLAN: 3
❏ MAC Detection VLAN: 4
❏ VoIP, Voice VLAN: 100
❏ use SNMP v2c
❏ community name used by the switches to send traps to PacketFence: public
3COM
PacketFence supports 3Com switches with no VoIP using one trap type:
❏ linkUp/linkDown
❏ Port Security (with static MACs)
Don't forget to update the startup confg !
SuperStack 3 Switch 4200 and 4500, Switch 4200G in linkUp/linkDown
❏ Global confg settings
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
snmp-agent trap enable standard linkup linkdown
❏ On each interface:
port access vlan 4
© 2008-2010 Inverse inc. VLAN isolation 19
Chapter 4
SuperStack 3 Switch 4200 and 4500, Switch 4200G in Port Security
❏ Global confg settings
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
snmp-agent trap enable
port-security enable
port-security trap addresslearned
port-security trap intrusion
❏ On each interface:
port access vlan 4
port-security max-mac-count 1
port-security port-mode secure
port-security intrusion-mode blockmac
undo enable snmp trap updown
NJ220
This switch does not support port-security.
To confgure: use web interface to send the linkUp/linkDown traps to the PacketFence server.
Amer
PacketFence supports Amer switches with no VoIP using one trap type:
❏ linkUp/linkDown
Don't forget to update the startup confg !
L2 Switch SS2R24i
❏ Global confg settings:
create snmp host 192.168.1.60 v2c public
create snmp user public ReadGroup
enable snmp traps
© 2008-2010 Inverse inc. VLAN isolation 20
Chapter 4
❏ On each interface:
config vlan default delete xx
config vlan mac-detection add untagged xx
where xx stands for the interface index
Cisco
PacketFence supports Cisco switches with VoIP using three different trap types:
❏ linkUp/linkDown
❏ MAC Notifcation
❏ Port Security (with static MACs)
Enable either linkUp/linkDown and MAC notifcation together or Port Security only (When possible, we recommend Port Security), see below for details.
Don't forget to update the startup confg !
2900XL Series and 3500XL Series
Those switches do not support port-security with static MAC address so we enable linkUp/linkDown and MAC notifcation traps.
❏ Global confg settings:
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
mac-address-table notification interval 0mac-address-table notificationmac-address-table aging-time 3600
❏ On each interface with no VoIP:
switchport mode access
switchport access vlan 4
snmp trap mac-notification added
© 2008-2010 Inverse inc. VLAN isolation 21
Chapter 4
❏ On each interface with VoIP:
switchport trunk encapsulation dot1qswitchport trunk native vlan 4switchport mode trunkswitchport voice vlan 100snmp trap mac-notification addedsnmp trap mac-notification removed
2950
Those switches support port-security with static MAC address but we can not secure a MAC on the data VLAN specifcally so enable it if there is no VoIP, use linkUp/linkDown and MAC notifcation otherwise.
With port-security, if no MAC is connected on ports when activating port-security, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. On the other hand, if a MAC is actually connected when you enable port security, you must secure this MAC raher than the bogus one. Otherwise this MAC will lose its connectivity instantly.
❏ Global confg settings with no VoIP
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
❏ On each interface with no VoIP
switchport mode access
switchport access vlan 4
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.00xx
where xxxxx stands for the interface ifIndex
❏ Use the following templates for interface IfIndex in bogus MAC addresses (0200.000x.xxxx):
Fa0/1...Fa0/48 -> 1...48Gi0/1, Gi0/2 -> 49, 50
© 2008-2010 Inverse inc. VLAN isolation 22
Chapter 4
❏ Global confg settings with VoIP:
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
❏ On each interface with VoIP
switchport voice vlan 100
switchport access vlan 4
switchport mode access
snmp trap mac-notification added
snmp trap mac-notification removed
2960, 2970, 3550, 3560, 3750
Those switches support port-security with static MAC address and allow us to secure a MAC on the data VLAN so we enable it whether there is VoIP or not.
We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
❏ Global confg settings
snmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
❏ On each interface with no VoIP:
switchport access vlan 4switchport port-securityswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex
© 2008-2010 Inverse inc. VLAN isolation 23
Chapter 4
❏ On each interface with VoIP:
switchport voice vlan 100switchport access vlan 4switchport port-securityswitchport port-security maximum 2switchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex
❏ Use the following templates for interface IfIndex in bogus MAC addresses (0200.000x.xxxx):
Fa0/1...Fa0/48 -> 10001...10048Gi0/1...Gi0/48 -> 10101...10148
Stacked 2960, Stacked 2970, Stacked 3550, Stacked 3560, Stacked 3750, 4500 Series
The 4500 Series and all the stacked switches work exactly the same way as if they were not stacked so the confguration is the same: they support port-security with static MAC address and allow us to secure a MAC on the data VLAN so we enable it whether there is VoIP or not.
We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
❏ Global confg settings
snmp-server enable traps port-securitysnmp-server enable traps port-security trap-rate 1snmp-server host 192.168.1.5 version 2c public port-security
❏ On each interface with no VoIP:
switchport access vlan 4switchport port-securityswitchport port-security maximum 1 vlan accessswitchport port-security violation restrictswitchport port-security mac-address 0200.000x.xxxx
❏ On each interface with VoIP:
switchport voice vlan 100switchport access vlan 4switchport port-securityswitchport port-security maximum 2switchport port-security maximum 1 vlan accessswitchport port-security violation restrict
© 2008-2010 Inverse inc. VLAN isolation 24
Chapter 4
switchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex
❏ Use the following templates for interface IfIndex in bogus MAC addresses (0200.000x.xxxx):
Fa1/0/1...Fa1/0/48 -> 10001...10048Gi1/0/1...Gi1/0/48 -> 10101...10148Fa2/0/1...Fa2/0/48 -> 10501...10548Gi2/0/1...Gi2/0/48 -> 10601...10648Fa3/0/1...Fa3/0/48 -> 11001...11048Gi3/0/1...Gi3/0/48 -> 11101...11148Fa4/0/1...Fa4/0/48 -> 11501...11548Gi4/0/1...Gi4/0/48 -> 11601...11648...
Router ISR 1800 Series
PacketFence supports the 1800 series Router with linkUp / linkDown traps. It cannot do anything about the router interfaces (ie: fa0 and fa1 on a 1811). VLAN interfaces ifIndex should also be marked as uplinks in the PacketFence switch confguration as they generate traps but are of no interest to PacketFence (layer 3).
❏ Global confg settings:
snmp-server enable traps snmp linkdown linkupsnmp-server host 192.168.1.5 trap version 2c public
❏ On each interface:
switchport mode accessswitchport access vlan 4
D-Link
PacketFence supports D-Link switches with no VoIP using two different trap types:
❏ linkUp/linkDown
❏ MAC Notifcation
We recommend to enable linkUp/linkDown and MAC notifcation together.
Don't forget to update the startup confg !
© 2008-2010 Inverse inc. VLAN isolation 25
Chapter 4
DES3526
❏ Global confg settings
To be contributed...
❏ On each interface:
To be contributed...
© 2008-2010 Inverse inc. VLAN isolation 26
Chapter 4
Dell
PowerConnect 3424
PacketFence supports this switch using linkUp/linkDown traps.
❏ Global confg settings
To be contributed...
❏ On each interface:
To be contributed...
Edge-corE
PacketFence supports Edge-corE switches with no VoIP using one trap type:
❏ linkUp/linkDown
Don't forget to update the startup confg !
3526XA and 3528M
❏ Global confg settings
SNMP-server host 192.168.1.5 public version 2c udp-port 162
© 2008-2010 Inverse inc. VLAN isolation 27
Chapter 4
Enterasys
PacketFence supports Enterasys switches with no VoIP using two different trap types:
❏ linkUp/linkDown
❏ MAC Locking (Port Security with static MACs)
We recommend to enable MAC locking only.
Don't forget to update the startup confg !
Matrix N3
linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only. Also, by default this switch doesn't do an electrical low-level linkDown when setting the port to admin down. So we need to activate a global option called forcelinkdown to enable this behaviour. Without this option, clients don't understand that they lost their connection and they never do a new DHCP on VLAN change.
❏ Global confg settings
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enableset forcelinkdown enable
❏ On each interface:
set port trap ge.1.xx disable
set maclock enable ge.1.xx
set maclock static ge.1.xx 1
set maclock firstarrival ge.1.xx 0
set maclock trap ge.1.xx enable
where xx stands for the interface index
© 2008-2010 Inverse inc. VLAN isolation 28
Chapter 4
SecureStack C2
linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only.
❏ Global confg settings
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enable
❏ On each interface:
set port trap fe.1.xx disable
set maclock enable fe.1.xx
set maclock static fe.1.xx 1
set maclock firstarrival fe.1.xx 0
where xx stands for the interface index
SecureStack C3
This switch has the particular “feature” of allowing more than one untagged egress VLAN per port. This means that you must add all the VLAN created for PacketFence as untagged egress VLAN on the relevant interfaces. This is why there is a VLAN command on each interface below.
linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only.
❏ Global confg settings
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enable
© 2008-2010 Inverse inc. VLAN isolation 29
Chapter 4
❏ On each interface:
set vlan egress 1,2,3 ge.1.xx untaggedset port trap ge.1.xx disableset maclock enable ge.1.xxset maclock static ge.1.xx 1set maclock firstarrival ge.1.xx 0set maclock trap ge.1.xx enable
where xx stands for the interface index
Standalone D2
linkUp/linkDown traps are enabled by default so we disable them and enable MAC locking only.
Warning: This switch Switch accepts multiple untagged VLAN per port when confgured through SNMP. This is problematic because on some occasions the untagged VLAN port list can become inconsistent with the switch’s running confg. To fx that, clear all untagged VLANs of a port even if the CLI interface doesn’t show them. To do so, use: clear vlan egress <vlans> <ports>
❏ Global confg settings
set snmp community publicset snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPFset snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPFset maclock enable
❏ On each interface:
set port trap ge.1.xx disable
set maclock enable ge.1.xx
set maclock static ge.1.xx 1
set maclock firstarrival ge.1.xx 0
set maclock trap ge.1.xx enable
where xx stands for the interface index
© 2008-2010 Inverse inc. VLAN isolation 30
Chapter 4
Extreme Networks
PacketFence supports Extreme Networks switches using two different trap types:
❏ linkUp/linkDown
❏ MAC Address Lockdown (Port Security)
We recommend to enable MAC Address Lockdown only.
Don't forget to save the confguration!
All Extreme XOS based switches
In addition to the SNMP and VLANs settings, this switch needs the Web Services to be enabled and an administrative username and password provided in its PacketFence confguration for Web Services.
linkUp/linkDown traps are enabled by default so we disable them and enable MAC Address Lockdown only.
❏ Global confg settings without Voice over IP (VoIP):
enable snmp accessconfigure snmp add trapreceiver 192.168.1.5 community publicenable web http
configure vlan "Default" delete ports <portlist>configure vlan registration add ports <portlist> untaggedconfigure ports <portlist> vlan registration lock-learningdisable snmp traps port-up-down ports <portlist>
where <portlist>: are ports you want to secure. It can be an individual port or a port-range with a dash.
❏ Global confg settings with Voice over IP (VoIP):
enable snmp accessconfigure snmp add trapreceiver 192.168.1.5 community publicenable web http
configure vlan "Default" delete ports <portlist>configure vlan registration add ports <portlist> untaggedconfigure vlan voice add ports <portlist> taggedconfigure ports <portlist> vlan registration lock-learningconfigure ports <portlist> vlan voice limit-learning 1disable snmp traps port-up-down ports <portlist>
where <portlist>: are ports you want to secure. It can be an individual port or a port-range with a dash.
© 2008-2010 Inverse inc. VLAN isolation 31
Chapter 4
Foundry
FastIron 4802
PacketFence support this switch with optional VoIP using two different trap types:
❏ linkUp/linkDown
❏ Port Security (with static MACs)
We recommend to enable Port Security only.
Don't forget to update the startup confg !
Those switches support port-security with static MAC address and allow us to secure a MAC on the data VLAN so we enable it whether there is VoIP or not.
We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
❏ Global confg settings
snmp-server host 192.168.1.5 publicno snmp-server enable traps link-downno snmp-server enable traps link-up
❏ On each interface with no VoIP:
int eth xx port security enable maximum 1 secure 0200.0000.00xx 0 violation restrict
where xx stands for the interface ifIndex.
© 2008-2010 Inverse inc. VLAN isolation 32
Chapter 4
❏ With VoIP a little more work needs to be performed. Instead of the no-VoIP, put in the following confg:
conf tvlan <mac-detection-vlan> untagged eth xxvlan <voice-vlan> tagged eth xx
int eth xx dual-mode <mac-detection-vlan> port security maximum 2 secure 0200.00xx.xxxx <mac-detection-vlan> secure 0200.01xx.xxxx <voice-vlan> violation restrict enable
where xxxxxx stands for the interface number (flled with zeros), <voice-vlan> with your voice-VLAN number and <mac-detection-vlan> with your mac-detection VLAN number.
HP ProCurve
PacketFence supports ProCurve switches with no VoIP using two different trap types:
❏ linkUp/linkDown
❏ Port Security (with static MACs)
We recommend to enable Port Security only.
Don't forget to update the startup confg !
Note: HP ProCurve only sends one security trap to PacketFence per security violation so make sure PacketFence runs when you confgure port-security. Also, because of the above limitation, it is considered good practice to reset the intrusion fag as a frst troubleshooting step.
If you want to learn more about intrusion fag and port-security, please refer to the ProCurve documentation.
Warning: If you confgure a switch that is already in production be careful that enabling port-security causes active MAC addresses to be automatically added to the intrusion list without a security trap sent to PacketFence. This is undesired because PacketFence will not be notifed that it needs to confgure the port. As a work-around, unplug clients before activating port-security or remove the intrusion fag after you enabled port-security with: port-security <port> clear-intrusion-flag.
© 2008-2010 Inverse inc. VLAN isolation 33
Chapter 4
2500 Series
linkUp/linkDown traps are enabled by default so we disable them and enable Port Security only.
On 2500's, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
❏ Global confg settings
snmp-server community "public" Unrestrictedsnmp-server host 192.168.1.5 "public" Not-INFOno snmp-server enable traps link-change 1-26
❏ On each interface:
port-security xx learn-mode static action send-alarm mac-address 0200000000xx
where xx stands for the interface index
2600 Series and 3400cl Series
linkUp/linkDown traps are enabled by default so we disable them and enable Port Security only.
On 2600's, we don't need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
❏ Global confg settings
snmp-server community public manager unrestrictedsnmp-server host 192.168.1.5 "public" Not-INFOno snmp-server enable traps link-change 1-26
❏ On each interface:
port-security xx learn-mode configured action send-alarm
where xx stands for the interface index
© 2008-2010 Inverse inc. VLAN isolation 34
Chapter 4
4100 Series
linkUp/linkDown traps are enabled by default and we have not found a way yet to disable them so do not forget to declare the trunk ports as uplinks in the switch confg fle.
On 4100's, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. The ports are indexed differently on 4100's: it is based on the number of modules you have in your 4100. Each module is indexed with a letter (A,B,C, ...)
❏ Global confg settings
snmp-server community "public" Unrestrictedsnmp-server host 192.168.1.5 "public" Not-INFOno snmp-server enable traps link-change 1-26
❏ You should confgure interfaces like this:
port-security A1 learn-mode static action send-alarm mac-address 020000000001
...
port-security A24 learn-mode static action send-alarm mac-address 020000000024
port-security B1 learn-mode static action send-alarm mac-address 020000000025
...
port-security B24 learn-mode static action send-alarm mac-address 020000000048
port-security C1 learn-mode static action send-alarm mac-address 020000000049
...
port-security C24 learn-mode static action send-alarm mac-address 020000000072
Intel
Express 460 and Express 530
PacketFence support these switches with no VoIP using one trap type:
❏ linkUp/linkDown
Exact command-line confguration to be contributed...
© 2008-2010 Inverse inc. VLAN isolation 35
Chapter 4
Linksys
PacketFence supports Linksys switches with no VoIP using one trap type:
❏ linkUp/linkDown
Don't forget to update the startup confg !
SRW224G4
❏ Global confg settings
no snmp-server trap authentication
snmp-server community CS_2000_le rw view Default
snmp-server community CS_2000_ls ro view Default
snmp-server host 192.168.1.5 public 2
❏ On each interface
switchport access vlan 4
Nortel
PacketFence supports Nortel switches with VoIP using one trap type:
❏ Mac Security
Don't forget to update the startup confg !
NOTE: if you are using a 5520 in a stack, you must declare it as a Nortel::BayStack5520Stacked in /usr/local/pf/conf/switches.conf. Indeed, when stacked, this switch refers to its ifIndex differently than when not stacked so there is some specifc code in a different perl module.
BayStack 470, ERS2500 Series, ERS4500 Series, 4550, 5520 and ES325
❏ Global confg settings
snmp-server authentication-trap disable
snmp-server host 192.168.1.5 "public"
snmp trap link-status port 1-24 disable
no mac-security mac-address-table
interface FastEthernet ALL
mac-security port ALL disable
© 2008-2010 Inverse inc. VLAN isolation 36
Chapter 4
mac-security port 1-24 enable
default mac-security auto-learning port ALL max-addrs
exit
mac-security enablemac-security snmp-lock disablemac-security intrusion-detect disablemac-security filtering enablemac-security snmp-trap enablemac-security auto-learning aging-time 60mac-security learning-ports NONEmac-security learning disable
BPS2000
You can only confgure this switch through menus.
❏ Enable “MAC Address Security”:
MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
Generate SNMP Trap on Intrusion: Enabled
Current Learning Mode: Disabled
Learn by Ports: NONE
Port Trunk Security
---- ----- --------
1 Enabled
...
24 Enabled
© 2008-2010 Inverse inc. VLAN isolation 37
Chapter 4
SMC
PacketFence supports these switches without VoIP using two different trap types:
❏ linkUp/linkDown on 6128L2, 6224M, 8824M and 8848M
❏ Port Security (with static MACs) on 6128L2, 8824M and 8848M
We recommend to enable Port Security only.
Don't forget to update the startup confg !
TigerStack 6128L2, 8824M and 8848M
PacketFence supports these switches without VoIP using two different trap types:
❏ linkUp/linkDown
❏ Port Security (with static MACs)
We recommend to enable Port Security only.
❏ Global confg settings
SNMP-server host 192.168.1.5 public version 2c udp-port 162no snmp-server enable traps link-up-down
❏ On each interface:
port security max-mac-count 1
port security
port security action trap
TigerStack 6224M
❏ linkUp/linkDown
❏ Global confg settings
SNMP-server host 192.168.1.5 public version 1
© 2008-2010 Inverse inc. VLAN isolation 38
Chapter 4
Routing, DHCPd and BIND
If your isolation and registration networks are not spanned on the network, but routed to the PacketFence server, you'll have to let the PacketFence server know this. PacketFence can even provide DHCP and Domain Name services in this case and provides an easy to use confguration interface.
For dhcpd, make sure that the clients DHCP requests are correctly forwarded (IP Helper in the remote routers) to the PacketFence server. Then enable DHCP and DNS in pf.conf
[vlan]dhcpd = enablednamed = enabled
© 2008-2010 Inverse inc. VLAN isolation 39
Chapter 4
Then you need to update the DNS templates fles as followed. In our example, conf/templates/named-isolation.ca would look like:
$TTL 3600. IN SOA %%hostname%%. %%incharge%% ( 2009020901 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 86400 ; default_ttl) IN NS %%hostname% .*. IN A 192.168.3.1 IN MX 5 %%hostname%%.1.3.168.192.in-addr.arpa. IN PTR %%hostname%%
conf/templates/named-registration.ca would look like:
$TTL 3600. IN SOA %%hostname%%. %%incharge%% ( 2009020901 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 86400 ; default_ttl) IN NS %%hostname% .*. IN A 192.168.2.1 IN MX 5 %%hostname%%.1.2.168.192.in-addr.arpa. IN PTR %%hostname%%
Now, edit conf/networks.conf by entering all your routed networks such as for example:
[192.168.2.0]netmask=255.255.255.0gateway=192.168.2.1pf_gateway=192.168.2.254domain-name=registration.example.comdns=192.168.2.1dhcp_start=192.168.2.10dhcp_end=192.168.2.200dhcp_default_lease_time=300dhcp_max_lease_time=600type=registrationnamed=enableddhcpd=enabled
© 2008-2010 Inverse inc. VLAN isolation 40
Chapter 4
[192.168.3.0]netmask=255.255.255.0gateway=192.168.3.1pf_gateway=192.168.3.254domain-name=isolation.example.comdns=192.168.3.1dhcp_start=192.168.3.10dhcp_end=192.168.3.200dhcp_default_lease_time=300dhcp_max_lease_time=600type=isolationnamed=enableddhcpd=enabled
[192.168.20.0]netmask=255.255.255.0gateway=192.168.20.254pf_gateway=192.168.2.254domain-name=registration.example.comdns=192.168.2.1dhcp_start=192.168.20.10dhcp_end=192.168.20.200dhcp_default_lease_time=300dhcp_max_lease_time=600type=registrationnamed=enableddhcpd=enabled
[192.168.30.0]netmask=255.255.255.0gateway=192.168.30.254pf_gateway=192.168.3.254domain-name=isolation.example.comdns=192.168.3.1dhcp_start=192.168.30.10dhcp_end=192.168.30.200dhcp_default_lease_time=300dhcp_max_lease_time=600type=isolationnamed=enableddhcpd=enabled
© 2008-2010 Inverse inc. VLAN isolation 41
Chapter 4
Once you have entered a frst section into conf/networks.conf, the PacketFence web admin GUI will present you with an interface to this confguration fle.
© 2008-2010 Inverse inc. VLAN isolation 42
Chapter 5
5 Integration with wireless networks
PacketFence integrates very well with wireless networks. As for its wired counterpart, the switch, a wireless Access Points (AP) needs to implement some specifc features in order for the integration to work perfectly. In particular, the AP needs to support
❏ several SSIDs with several VLANs inside each SSID
❏ authentication against a RADIUS server
❏ dynamic VLAN assignment (through RADIUS attributes)
❏ SNMP deauthentication traps
❏ the deauthentication of an associated station
MAC Authentication
In this frst example, we are going to build a setup in which MAC
WAP confguration
First defne the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown below for the isolation VLAN
dot11 vlan-name normal vlan 1
dot11 vlan-name registration vlan 2
dot11 vlan-name isolation vlan 3
dot11 vlan-name visitor vlan 5
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid WPA2
ssid MACauth
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
© 2008-2010 Inverse inc. Integration with wireless networks 43
Chapter 5
bridge-group 253 subscriber-loop-control
bridge-group 253 block-unknown-source
no bridge-group 253 source-learning
no bridge-group 253 unicast-flooding
bridge-group 253 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
no bridge-group 253 source-learning
bridge-group 253 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.5
© 2008-2010 Inverse inc. Integration with wireless networks 44
Chapter 5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
Then create the two SSIDs
dot11 ssid WPA2
vlan 3 backup normal
authentication open eap eap_methods
authentication key-management wpa
dot11 ssid MACauth
vlan 2 backup visitor
authentication open mac-address mac_methods
mbssid guest-mode
Confgure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box)
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key secretKey
aaa group server radius rad_eap
server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_mac
server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac
Now check with a Wi-Fi card that you can actually see the two new SSIDs. You can't connect to them yet since the RADIUS server is not up and running.
© 2008-2010 Inverse inc. Integration with wireless networks 45
Chapter 5
FreeRADIUS 1.x Confguration
Make sure to install the following packages:
❏ freeradius
/etc/raddb/clients.conf
Add the following lines:
client 192.168.0.3 {
secret = secretKey
shortname = AP1242
}
/etc/raddb/radiusd.conf
Add the following lines to the modules{} section:
perl {
module = ${confdir}/rlm_perl_packetfence.pl
}
Make sure the authorize{} and post_auth{} sections look like this:
authorize {preprocesseapfiles
}
Make sure that the post-auth{} section looks like this:
post-auth {perl
}
© 2008-2010 Inverse inc. Integration with wireless networks 46
Chapter 5
/etc/raddb/users
Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance
DEFAULT EAP-Message !* "", Auth-Type := Accept
/etc/raddb/rlm_perl_packetfence.pl
This perl script uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station, to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confnes the wireless station into the specifed VLAN.
Make sure to set the required confguration parameters on top of the fle. Mainly, the VLAN tags used in your environment and PacketFence's database credentials.
# Database connection settingsDB_HOSTNAME => 'localhost',DB_NAME => 'pf',DB_USER => 'pf',DB_PASS => 'pf',
# VLAN configurationVLAN_GUEST => 5,VLAN_REGISTRATION => 2,VLAN_ISOLATION => 3,VLAN_NORMAL => 1
Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
# radtest dd9999 Abcd1234 localhost 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 1812
User-Name = "dd9999"
User-Password = "Abcd1234"
NAS-IP-Address = 255.255.255.255
NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=74, length=20
© 2008-2010 Inverse inc. Integration with wireless networks 47
Chapter 5
Debug
In order to start FreeRadius in debug mode, start it using the following command:
# radiusd -X
FreeRADIUS 2.x Confguration
Make sure to install the following packages:
❏ freeradius2
❏ freeradius2-perl
❏ freeradius2-utils
/etc/raddb/clients.conf
Add the following lines:
client AP1242 {
ipaddr = 192.168.0.3
netmask = 32
secret = secretKey
}
/etc/raddb/modules/perl
Add the following lines to the modules{} section:
perl {
module = ${confdir}/rlm_perl_packetfence.pl
}
© 2008-2010 Inverse inc. Integration with wireless networks 48
Chapter 5
/etc/raddb/sites-enabled/default
Make sure the authorize{} section looks like this:
authorize {preprocess
eapfiles
expiration logintime}
Make sure the post-auth{} section looks like this:
post-auth {perl
}
/etc/raddb/users
Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance
DEFAULT EAP-Message !* "", Auth-Type := Accept
/etc/raddb/rlm_perl_packetfence.pl
This perl script uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station, to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confnes the wireless station into the specifed VLAN.
Make sure to set the required confguration parameters on top of the fle. Mainly, the VLAN tags used in your environment and PacketFence's database credentials.
# Database connection settingsDB_HOSTNAME => 'localhost',DB_NAME => 'pf',DB_USER => 'pf',DB_PASS => 'pf',
# VLAN configurationVLAN_GUEST => 5,VLAN_REGISTRATION => 2,VLAN_ISOLATION => 3,VLAN_NORMAL => 1
© 2008-2010 Inverse inc. Integration with wireless networks 49
Chapter 5
Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
# radtest dd9999 Abcd1234 localhost 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 1812
User-Name = "dd9999"
User-Password = "Abcd1234"
NAS-IP-Address = 255.255.255.255
NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=74, length=20
Debug
In order to start FreeRadius in debug mode, start it using the following command:
# radiusd -X
© 2008-2010 Inverse inc. Integration with wireless networks 50
Chapter 5
802.1x
PacketFence can be used with 802.1X both on wired and on wireless networks. In both cases, you'll have to confgure FreeRADIUS.
WAP confguration
First defne the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces as shown below for the isolation VLAN
dot11 vlan-name normal vlan 1
dot11 vlan-name registration vlan 2
dot11 vlan-name isolation vlan 3
dot11 vlan-name visitor vlan 5
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid WPA2
ssid MACauth
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
bridge-group 253 subscriber-loop-control
bridge-group 253 block-unknown-source
no bridge-group 253 source-learning
no bridge-group 253 unicast-flooding
bridge-group 253 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
© 2008-2010 Inverse inc. Integration with wireless networks 51
Chapter 5
bridge-group 254 spanning-disabled
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
no bridge-group 253 source-learning
bridge-group 253 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
Then create the two SSIDs
dot11 ssid WPA2
vlan 3 backup normal
authentication open eap eap_methods
authentication key-management wpa
© 2008-2010 Inverse inc. Integration with wireless networks 52
Chapter 5
dot11 ssid MACauth
vlan 2 backup visitor
authentication open mac-address mac_methods
mbssid guest-mode
Confgure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box)
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key secretKey
aaa group server radius rad_eap
server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_mac
server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac
Enable the SNMP deauthentication traps
snmp-server enable traps deauthenticate
snmp-server host 192.168.0.10 public deauthenticate
And fnally activate the SSIDs on the radio
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid WPA2
ssid MACauth
Now check with a Wi-Fi card that you can actually see the two new SSIDs. You can't connect to them yet since the RADIUS server is not up and running.
© 2008-2010 Inverse inc. Integration with wireless networks 53
Chapter 5
FreeRADIUS 1.x Confguration
Make sure to install the following packages:
❏ freeradius
/etc/raddb/clients.conf
Add the following lines:
client 192.168.0.3 {
secret = secretKey
shortname = AP1242
}
/etc/raddb/radiusd.conf
Add the following lines to the modules{} section:
perl {
module = ${confdir}/rlm_perl_packetfence.pl
}
Make sure the authorize{} section looks like this:
authorize {
preprocess
eap
files
perl
}
Make sure the post-auth{} section looks like this:
post-auth {perl
}
© 2008-2010 Inverse inc. Integration with wireless networks 54
Chapter 5
Make sure the mschap{} section looks like this:
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
/etc/raddb/eap.conf
Make sure this fle looks like:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_file = /usr/local/pf/conf/ssl/keyfile.key
certificate_file = /usr/local/pf/conf/ssl/certfile.crt
CA_file = /usr/local/pf/conf/ssl/CAfile.crt
dh_file = /dev/null
random_file = /dev/urandom
}
© 2008-2010 Inverse inc. Integration with wireless networks 55
Chapter 5
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
/etc/raddb/users
Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance
DEFAULT EAP-Message !* "", Auth-Type := Accept
/etc/raddb/rlm_perl_packetfence.pl
This perl script uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station, to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confnes the wireless station into the specifed VLAN.
Make sure to set the required confguration parameters on top of the fle. Mainly, the VLAN tags used in your environment and PacketFence's database credentials.
# Database connection settingsDB_HOSTNAME => 'localhost',DB_NAME => 'pf',DB_USER => 'pf',DB_PASS => 'pf',
# VLAN configurationVLAN_GUEST => 5,VLAN_REGISTRATION => 2,VLAN_ISOLATION => 3,VLAN_NORMAL => 1
© 2008-2010 Inverse inc. Integration with wireless networks 56
Chapter 5
Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
# radtest dd9999 Abcd1234 localhost 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 1812
User-Name = "dd9999"
User-Password = "Abcd1234"
NAS-IP-Address = 255.255.255.255
NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=74, length=20
Debug
In order to start FreeRadius in debug mode, start it using the following command:
# radiusd -X
FreeRADIUS 2.x Confguration
Make sure to install the following packages:
❏ freeradius2
❏ freeradius2-perl
❏ freeradius2-utils
/etc/raddb/clients.conf
Add the following lines:
client AP1242 {
ipaddr = 192.168.0.3
netmask = 32
secret = secretKey
}
© 2008-2010 Inverse inc. Integration with wireless networks 57
Chapter 5
/etc/raddb/modules/perl
Add the following lines to the modules{} section:
perl {
module = ${confdir}/rlm_perl_packetfence.pl
}
/etc/raddb/eap.conf
Make sure this fle looks like:
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_file = /usr/local/pf/conf/ssl/keyfile.key
certificate_file = /usr/local/pf/conf/ssl/certfile.crt
CA_file = /usr/local/pf/conf/ssl/CACert.crt
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
make_cert_command = "${certdir}/bootstrap"
cache {
enable = no
© 2008-2010 Inverse inc. Integration with wireless networks 58
Chapter 5
lifetime = 24 # hours
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
/etc/raddb/modules/mschap
Make sure this fle looks like:
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
© 2008-2010 Inverse inc. Integration with wireless networks 59
Chapter 5
/etc/raddb/sites-enabled/default
Make sure the authorize{}, authenticate{} and post-auth{} sections look like this:
authorize {preprocess
eap { ok = return }
files expiration logintime}
authenticate {Auth-Type MS-CHAP {
mschap }
eap}
post-auth {
perl}
/etc/raddb/users
Add the following lines where we defne that non EAP-messages should, by default, lead to an authentication acceptance
DEFAULT EAP-Message !* "", Auth-Type := Accept
© 2008-2010 Inverse inc. Integration with wireless networks 60
Chapter 5
/etc/raddb/rlm_perl_packetfence.pl
This perl script uses the Calling-Station-Id RADIUS request attribute, containing the MAC of the wireless station, to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. The AP, upon reception of these three attributes, then confnes the wireless station into the specifed VLAN.
Make sure to set the required confguration parameters on top of the fle. Mainly, the VLAN tags used in your environment and PacketFence's database credentials.
# Database connection settingsDB_HOSTNAME => 'localhost',DB_NAME => 'pf',DB_USER => 'pf',DB_PASS => 'pf',
# VLAN configurationVLAN_GUEST => 5,VLAN_REGISTRATION => 2,VLAN_ISOLATION => 3,VLAN_NORMAL => 1
Tests
Test your setup with radtest using the following command and make sure you get an Access-Accept answer:
# radtest dd9999 Abcd1234 localhost 12 testing123
Sending Access-Request of id 74 to 127.0.0.1 port 1812
User-Name = "dd9999"
User-Password = "Abcd1234"
NAS-IP-Address = 255.255.255.255
NAS-Port = 12
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=74, length=20
Debug
In order to start FreeRadius in debug mode, start it using the following command:
# radiusd -X
© 2008-2010 Inverse inc. Integration with wireless networks 61
Chapter 6
6 Floating Network Devices
Starting with version 1.9, PacketFence now supports foating network devices. A Floating network device is a device for which PacketFence has a different behaviour compared to a regular device. This functionality was originally added to support mobile Access Points.
Right now PacketFence only supports foating network devices on Cisco switches confgured with port-security.
For a regular device, PacketFence puts it in the Vlan corresponding to its status (Registration, Quarantine or Regular Vlan) and authorizes it on the port (port-security).
A foating network device is a device that PacketFence does not manage as a regular device.
When a foating network device is plugged, PacketFence should let/allow all the MAC addresses that will be connected to this device (or appear on the port) and if necessary, confgure the port as multi-vlan (trunk) and set PVID and tagged VLANs on the port.
When an foating network device is unplugged, PacketFence should reconfgure the port like before it was plugged.
Here is how it works:
❏ foating network devices have to be identifed using their MAC address.
❏ linkup/linkdown traps are not enabled on the switches, only port-security traps are.
When PacketFence receives a port-security trap for a foating network device, it changes the port confguration so that:
❏ it disables port-security
❏ it sets the PVID
❏ it eventually sets the port as multi-vlan (trunk) and sets the tagged Vlans
❏ it enables linkdown traps
When PF receives a linkdown trap on a port in which a foating network device was plugged, it changes the port confguration so that:
❏ it enables port-security
❏ it disables linkdown traps
© 2008-2010 Inverse inc. Floating Network Devices 62
Chapter 6
Identifcation
As we mentioned ealier, each foating network device has to be identifed. Ther are two ways to do it:
❏ by editing conf/foating_network_device.conf
❏ through the Web GUI, in the Confguration -> Floating Network Device tab.
Here are the settings that are available:
❏ MAC address
❏ IP address (in case of a static IP)
❏ trunkPort: yes/no. Should the port be confgured as a muti-vlan port ?
❏ pvid: Vlan in which PacketFence should put the port
❏ taggedVlan: comma separated list of Vlans. If the port is a multi-vlan, these are the Vlans that have to be tagged on the port.
© 2008-2010 Inverse inc. Floating Network Devices 63
Chapter 7
7 Blocking malicious activities with violations
Policy violations allow you to restrict client system access based on violations of certain policies. For example, if you do not allow P2P type traffc on your network, and you are running the appropriate software to detect it and trigger a violation for a given client, PacketFence will give that client a “blocked” page which can be customized to your wishes.
PacketFence policy violations are controlled using the /usr/local/pf/conf/violations.conf confguration fle. The violation format is as follows:
[1234]
desc=Your Violation Description
priority=8
url=/content/index.php?template=<template>
redirect_url=/proxies/tools/stinger.exe
disable=N
trigger=Detect::2200032,Scan::11808
actions=email,log,trap
vlan=isolationVlan
whitelisted_categories=
❏ [1234]: violation ID. Any integer except 1200000-120099 which is reserved for required administration violations.
❏ desc: single line description of violation
❏ priority: range 1-10, with 1 the higest priority and 10 the lowest. Higher priority violations will be addressed frst if a host has more than one.
❏ url: HTML URL the host will be redirected to while in violation.
❏ disable: if disable is set to 'Y', this violation is disabled and no additional violations of this type will be added.
© 2008-2010 Inverse inc. Blocking malicious activities with violations 64
Chapter 7
❏ trigger: method to reference external detection methods such as Detect (snort), Scan (nessus), OS (DHCP Fingerprint Detection), USERAGENT (Browser signature), VENDORMAC (MAC address class), etc. Trigger is formatted as follows type::ID. in this example 2000032 is the snort id and 11808 is the Nessus plugin number. The Snort ID does NOT have to match the violation ID.
❏ actions: this is the list of actions that will be executed on a violation addition. The actions can be:
• log: log a message to the fle specifed in [alerting].log
• email: email the address specifed in [alerting].emailaddr, using [alerting].smtpserver. Multiple emailaddr can be sperated by comma.
• trap: isolate the host and place them in violation. It opens a violation and leaves it open. If trap is not there, a violation is opened and then automatically closed
• winpopup: send a windows popup message. You need to confgure [alerting].winserver, [alerting].netbiosname in pf.conf when using this option
• external: execute an external command, specifed in [paths].externalapi
❏ vlan: Destination VLAN where PacketFence should put the client when a violation of this type is open. The VLAN value can be:
• isolationVlan: Isolation VLAN as specifed in switches.conf. This is the recommended value for most violation types.
• registrationVlan: Registration VLAN as specifed in switches.conf.
• normalVlan: Normal VLAN as specifed in switches.conf. Note: It is preferable not to trap than to trap and put in normal VLAN. Make sure you understand what you are doing.
❏ whitelisted_categories: Nodes in a category listed in whitelisted_categories won't be affected by a violation of this type. Format is a comma separated list of category names.
Also included in violation.conf is the defaults section. The defaults section will set a default value for every violation in the confguration. If a confguration value is not specifed in the specifc ID, the default will be used:
[defaults]priority=4max_enable=3actions=email,logauto_enable=Ydisable=Ygrace=120button_text=Enable Network
snort_rules=local.rules,bleeding-attack_response.rules,bleeding-exploit.rules,bleeding-p2p.rules,bleeding-scan.rules,bleeding-virus.rules
vlan=isolationVlan
© 2008-2010 Inverse inc. Blocking malicious activities with violations 65
Chapter 7
whitelisted_categories=
❏ max_enable: number of times a host will be able to try and self remediate before they are locked out and have to call the help desk. This is useful for users who just 'click through' violation pages.
❏ auto_enable: specifes if a host can self remediate the violation (enable network button) or if they can not and must call the help desk.
❏ grace: number of minutes before the violation can reoccur. This is useful to allow hosts time (in the example 2 minutes) to download tools to fx their issue, or shutoff their peer-to-peer application.
❏ button_text: text displayed on the violation form to hosts.
❏ snort_rules: the Snort rules fle is the administrators responsibility. Please change this to point to your violation rules fle(s). If you do not specify a full path, the default is /usr/local/pf/conf/snort. If you need to include more than one fle, just separate each flename with a comma.
violations.conf is loaded at startup.
© 2008-2010 Inverse inc. Blocking malicious activities with violations 66
Chapter 8
8 Performance optimization
Snort signatures
PacketFence uses the Emerging Threats (http://www.emergingthreats.net/) rulesets as the basis of it's Snort-based detection. The rulesets consist of several hundred rules, most of which you may decide you do not need. We recommend using a tool such as Oinkmaster to keep your rules slim and trim. A sample oinkmaster.conf fle is included with PacketFence.
MySQL optimizations
Tuning MySQL itself
If you're PacketFence system is acting VERY SLOW, this could be due to your MySQL confguration. You should do the following to tune performance:
Check the system load
# uptime11:36:37 up 235 days, 1:21, 1 user, load average: 1.25, 1.05, 0.79
Check iostat and CPU
# iostat 5
avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 3.20 20.20 76.00Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 32.40 0.00 1560.00 0 7800
avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.20 9.20 88.00
© 2008-2010 Inverse inc. Performance optimization 67
Chapter 8
Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 7.80 0.00 73.60 0 368
avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 1.80 23.80 73.80Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 31.40 0.00 1427.20 0 7136
avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.40 18.16 78.84Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 27.94 0.00 1173.65 0 5880
As you can see, the load is 1.25 and IOWait is peaking at 20% - this is not good. If your IO wait is low but your MySQL is taking +%50 CPU this is also not good. Check your MySQL install for the following variables:
mysql> show variables;
| innodb_additional_mem_pool_size | 1048576 || innodb_autoextend_increment | 8 || innodb_buffer_pool_awe_mem_mb | 0 || innodb_buffer_pool_size | 8388608
PacketFence relies heavily on innodb, so you should increase the buffer_pool size from the default values.
Shutdown PacketFence and MySQL
# /etc/init.d/packetfence stop
Shutting down PacketFence...service|commandhttpd|stoppfmon|stop
# /etc/init.d/mysql stopStopping MySQL: [ OK ]
© 2008-2010 Inverse inc. Performance optimization 68
Chapter 8
Edit /etc/my.cnf (or your local my.cnf)
[mysqld]
# Set buffer pool size to 50-80% of your computer's memoryinnodb_buffer_pool_size=800Minnodb_additional_mem_pool_size=20Minnodb_flush_log_at_trx_commit=2
# allow more connectionsmax_connections=700
# set cache sizekey_buffer_size=900Mtable_cache=300query_cache_size=256M
# enable loglog=ONlog_slow_queries = ONlog-slow-queries=/var/log/mysql/slow-queries.loglong_query_time = 10log-long-format
Start up MySQL and PacketFence
# /etc/init.d/mysqld startStarting MySQL: [ OK ]
# /etc/init.d/packetfence startStarting PacketFence...Checking configuration sanity...service|commandconfig files|startiptables|starthttpd|startpfmon|start
Wait 10 minutes for PacketFence to initial the network map and re-check iostart and CPU
# uptime12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52
# iostat 5Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 8.00 0.00 75.20 0 376
avg-cpu: %user %nice %sys %iowait %idle 0.60 0.00 2.99 13.37 83.03Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 14.97 0.00 432.73 0 2168
© 2008-2010 Inverse inc. Performance optimization 69
Chapter 8
avg-cpu: %user %nice %sys %iowait %idle 0.20 0.00 2.60 6.60 90.60Device: tps Blk_read/s Blk_wrtn/s Blk_read Blk_wrtncciss/c0d0 4.80 0.00 48.00 0 240
Another interesting MySQL confguration instruction you might want to consider is innodb_fle_per_table.
Keeping tables small
Over time, some of the tables will grow large and this will drag down performance (this is especially true on a wireless setup).
One such table is the locationlog table. We recommend that closed entries in this table be moved to the archive table locationlog_history after some time. A closed record is one where the end_time feld is set to a date (strickly speaking it is when end_time is not null and not equals to 0).
We provide a script called database-backup-and-maintenance.sh located in addons/ that performs this cleanup in addition to optimize tables on Sunday and daily backups.
Avoid 'Too many connections' problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. The default MySQL value tend to be low (100) so we encourage you to increase that value to at least 700. See http://dev.mysql.com/doc/refman/5.0/en/too-many-connections.html for details.
Avoid 'Host <hostname> is blocked' problems
In a wireless context, there tend to be a lot of connections made to the database by our freeradius module. When the server is loaded, these connection attempts can timeout. If a connection times out during connection, MySQL will consider this a connection error and after 10 of these (by default) he will lock the host out with a:
Host 'host_name' is blocked because of many connection errors. Unblock with 'mysqladmin flush-hosts'
This will grind PacketFence to a halt so you want to avoid that at all cost. One way to do so is to increase the number of maximum connections (see above), to periodically fush hosts or to allow more connection errors. See http://dev.mysql.com/doc/refman/5.0/en/blocked-host.html for details.
© 2008-2010 Inverse inc. Performance optimization 70
Chapter 8
Avoid captive portal overload due to non-browser HTTP requests
By default we allow every query to be redirected and reach PacketFence for the captive portal operation. In a lot of cases, this means that a lot of non-user initiated queries reach PacketFence and waste its resources for nothing since they are not from browsers. (iTunes, Windows update, MSN Messenger, Google Desktop, ...).
So far, we blacklisted clients known to be misbehaving. However, a completely different approach can be taken: whitelist only known browsers.
This has the nasty side-effect of being unfriendly with (blocking) less popular browsers and devices so this is disabled by default.
If you want to enable this feature, edit /usr/local/pf/conf/templates/httpd.conf and uncomment the following lines in each virtual host section:
RewriteCond %{HTTP_USER_AGENT} !^Mozilla
RewriteCond %{HTTP_USER_AGENT} !^Opera
RewriteCond %{HTTP_USER_AGENT} !^BlackBerry
RewriteRule ^.*$ - [L,forbidden]
This will allow the following browsers to reach the captive portal:
❏ BlackBerry
❏ Firefox
❏ Google Chrome
❏ Internet Explorer
❏ Opera
❏ Safari
© 2008-2010 Inverse inc. Performance optimization 71
Chapter 9
9 High availability
A high availability setup (active/passive) for PacketFence can be created using two PacketFence servers and the following open source utilities:
◦ Linux-HA (www.linux-ha.org): a daemon that provides cluster infrastructure to its clients. Heartbeat would be responsible for starting the PacketFence services, eventually
◦ DRBD (www.drbd.org): A network based raid-1.
Since PacketFence stores most of its information in a MySQL database, the two PacketFence redundant servers need to share this database in a way or another.
There are different options to share the database between the two PacketFence servers:
◦ A local MySQL database server on each PacketFence box confgured to store its databases on a remote partition (a LUN on a SAN for example)
▪ You have to make sure that only one database server is running at each time (don't double-mount the partition)
◦ A local MySQL database server on each PacketFence box and replication of the database partition using DRBD
◦ A remote MySQL database server with its own high availability setup
In this document, we describe the second option that involves DRBD.
We assume that:
◦ you are using RedHat Enterprise 5 or CentOS 5.
◦ pf1 is the frst PacketFence server
◦ pf2 is the second PacketFence server
◦ PacketFence is properly confgured on each server
◦ the DRBD partition is 30G long
◦ we use HeartBeat v1
© 2008-2010 Inverse inc. High availability 72
Chapter 9
Creation of the DRBD partition
During the OS installation, reduce the size of the main partition and create a new one (that will be used for the replicated MySQL database) of 30G. In order to do so, on VolGroup00:
• reduce the size of LogVol00 of 30G
• create a new partition (ext3) called mysql: 30G. You'll be asked to specify where this new partition will mounted: enter /data (or anything else that is used by Linux).
• after the frst server reboot, edit /etc/fstab and delete the line for /data.
DRBD and Linux-HA Installation
yum install drbd83 kmod-drbd83 heartbeat heartbeat-pils heartbeat-stonith
DRBD Confguration and setup
Initializing and confguring DRBD is not straight forward !
We strongly recommend that you read the online documentation available on DRBD website so you have a better idea of how it works...
Here we assume the name of the partition is mysql.
Load the DRBD kernel module:
modprobe drbd
Edit /etc/drbd.conf and put the following content:
global { usage-count yes;}
common { protocol C;}
© 2008-2010 Inverse inc. High availability 73
Chapter 9
resource mysql { syncer { rate 100M; al-extents 257; }
startup { degr-wfc-timeout 120; # 2 minutes. }
disk { on-io-error detach; } device /dev/drbd0; disk /dev/VolGroup00/mysql; meta-disk internal;
on pf1_server_name { address x.x.x.x:7788; }
on pf2_server_name { address y.y.y.y:7788; }}
where:
• mysql is the name of the partition you created when installing the OS
• pf1_server_name and pf2_server_name by the real server names.
• x.x.x.x and y.y.y.y by the IP addresses dedicated to DRBD on each server (use a dedicated NIC for this, not the main one with all the IPs)
Try to initialize DRBD by creating the metadata for the mysql partition with the following command:
drbdadm create-md mysql
You could get this kind of message:
md_offset 31474053120al_offset 31474020352
© 2008-2010 Inverse inc. High availability 74
Chapter 9
bm_offset 31473057792
Found ext3 filesystem which uses 30736384 kBcurrent configuration leaves usable 30735408 kB
Device size would be truncated, whichwould corrupt data and result in'access beyond end of device' errors.You need to either * use external meta data (recommended) * shrink that filesystem first * zero out the device (destroy the filesystem)Operation refused.
Command 'drbdmeta 0 v08 /dev/VolGroup00/mysql internal create-md' terminated with exit code 40drbdadm create-md mysql: exited with code 40
If so, it means that you need to manually resize the partition like this:
root@pf1 ~]# resize2fs -p -f /dev/VolGroup00/mysql 30735408Kresize2fs 1.39 (29-May-2006)Resizing the filesystem on /dev/VolGroup00/mysql to 7683852 (4k) blocks.The filesystem on /dev/VolGroup00/mysql is now 7683852 blocks long.
Then initialize the partition:
[root@pf1 ~]# drbdadm create-md mysqlmd_offset 31474053120al_offset 31474020352bm_offset 31473057792
Found ext3 filesystem which uses 30735408 kBcurrent configuration leaves usable 30735408 kB
Even though it looks like this would place the new meta data intounused space, you still need to confirm, as this is only a guess.
Do you want to proceed?[need to type 'yes' to confirm] yes
Writing meta data...initializing activity logNOT initialized bitmap
© 2008-2010 Inverse inc. High availability 75
Chapter 9
New drbd meta data block successfully created.
Start DRBD on both servers:
/etc/init.d/drbd start
Make sure you see something like this in /proc/drbd:
...
0: cs:Connected ro:Secondary/Secondary ds:Inconsistent/Inconsistent C r---- ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:30702640
Synchronize the servers by forcing one to become the primary. So on pf1 do:
drbdadm -- --overwrite-data-of-peer primary mysql
After issuing this command, the initial full synchronization will start. You will be able to monitor its progress via /proc/drbd. It may take some time depending on the size of the device. Wait until complete.
Make sure DRBD is started at boot time:
chkconfig --level 2345 drbd on
Restart both servers.
When done, look in /proc/drbd and make sure you see:
... 0: cs:Connected ro:Secondary/Secondary ds:UpToDate/UpToDate C r--- ns:0 nr:0 dw:0 dr:0 al:0 bm:0 lo:0 pe:0 ua:0 ap:0 ep:1 wo:b oos:0
© 2008-2010 Inverse inc. High availability 76
Chapter 9
MySQL Confguration
By default MySQL puts its data in /var/lib/mysql. In order to replicate data between the two servers, we mount the DRBD partition under /var/lib/mysql.
When frst starting MySQL, the partition must be mounted.
In order to do so:
On the master server (the server you are working on), tell DRBD to become the primary node with:
drbdadm primary mysql
mysql being the name of the DRBD partition.
In /proc/drbd you should see something like:
... 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r---- ns:145068 nr:4448 dw:149516 dr:10490 al:31 bm:14 lo:0 pe:0 ua:0 ap:0 ep:1 wo:d oos:0
Mount the partition with:
mount /dev/drbd0 /var/lib/mysql
Start MySQL
service mysqld start
Execute the secure installation script in order to set the root password, remove the test databases and anonymous user created by default:
/usr/bin/mysql_secure_installation
© 2008-2010 Inverse inc. High availability 77
Chapter 9
Make sure MySQL does NOT start at boot time:
chkconfig --level 2345 mysqld off
Heartbeat confguration
Create /etc/ha.d/ha.cf with the following content:
bcast eth0bcast eth1keepalive 2warntime 30deadtime 60auto_failback offinitdead 120node pf1.example.orgnode pf2.example.orguse_logd yes
Here we assume that the redundant connections for the Heartbeat between the 2 servers are on eth0 and eth1
Create /etc/ha.d/haresources with the following content:
pf1.example.com Ipaddr2::x.x.x.x IfUp::eth0.y IfUp::eth0.z drbddisk::mysql Filesystem::/dev/drbd0::/var/lib/mysql::ext3 mysqld packetfence
where
• x.x.x.x is PF admin virtual address
• eth0.y is the name of the NIC confguration fle (/etc/sysconfg/network-scripts/ifcfg_eth0.y) dedicated to IP address in vlan y (registration for example).
• eth0.z is the name of the NIC confguration fle (/etc/sysconfg/network-scripts/ifcfg_eth0.z) dedicated to IP address in vlan z (isolation for example).
Create the /etc/ha.d/resource.d/IfUp script that will mount IP addresses in Registration, Isolation, (eth0.y, etho0.z) with the following content:
© 2008-2010 Inverse inc. High availability 78
Chapter 9
case "$2" in start) echo -n "Mounting $1" /sbin/ifup $1 echo "." ;; stop) echo -n "Unmounting $1" /sbin/ifdown $1 echo "." ;; *) echo "Usage: $0 {start|stop}" exit 1 ;;esac
and make it executable:
chmod 755 /etc/ha.d/resource.d/IfUp
Create /etc/ha.d/authkeys with the following content:
auth 11 sha1 10b245aa92161294df5126abc5b3b71d
and change its rights like this
chmod 600 /etc/ha.d/authkeys
Create /etc/logd.cf with the following content:
debugfile /var/log/ha-debuglogfile /var/log/ha-loglogfacility daemon
Make sure port 694 is opened (through iptables) on both servers
© 2008-2010 Inverse inc. High availability 79
Chapter 9
Start Heartbeat:
service heartbeat start
Look at Heartbeat log fle /var/log/ha-log to make sure that everything is fne.
Enable HB automatic start
chkconfig --level 345 heartbeat on
© 2008-2010 Inverse inc. High availability 80
Chapter 10
10 Frequently Asked Questions
Services
How to restart PacketFence ?
service packetfence restart
How can I check that PacketFence is active ?
service packetfence status
Web interface
Where is the admin interface ?
The Web Administration GUI is available using https. Its default port is 1443.
How to change the admin password ?
You need to encrypt the new password in the admin.conf fle with htpasswd:
htpasswd /usr/local/pf/conf/admin.conf admin
Then enter the new password twice.
How to add a new person ?
Go in the Web Admin GUI to Person -> Add
Fill the 2 following felds:
❏ Identifer
❏ Notes
Click on the Add button to save it
© 2008-2010 Inverse inc. Frequently Asked Questions 81
Chapter 10
How can I provide different rights to users of the admin Web interface?
Starting with PacketFence 1.9.1 this is now possible. Have a look at the conf/admin.perm fle. A copy is provided below for reference:
; PacketFence Granular Access Control;; Users to roles definitions; Syntax:; <username>=<role>;; username MUST be an exact match to username in conf/admin.conf
[users]; if a user is not in this file he will be assigned default_roledefault_role=level1admin=adminobilodeau=level2
; Roles to permission-level definitions; Syntax:; <role>={1|2|3|4|5}[roles]admin=5level1=2level2=3
; Permission-level required for page; Syntax:; <pagename>={1|2|3|4|5}[permissions]status=1person=2node=2violation=3configuration=4administration=4scan=3
Basically, the permission control is using a users / role / permission level. You defne the permission required to access a certain page (default values provided), you defne the permission level of a role and you assign a role to users.
So, in the above example you will notice that obilodeau has a level2 access which allows him to access violation pages but not view or edit confguration or administration information. Also, by default users will be given a level1 access (see default_role entry under [users]).
Note: Users need to logout and re-login in order for permission changes to take effect.
© 2008-2010 Inverse inc. Frequently Asked Questions 82
Chapter 10
How can users authenticate using LDAP or Active Directory (AD) instead of using a local fat fle?
Have a look into the conf/admin_ldap.conf fle. By providing the right values your users should be able to log into the Web administration interface using their LDAP or AD credentials. The two followings settings are optional $ldap_group_member_key and $ldap_group_dn (use them in case of group membership)
Switches
How do I add a new switch ?
You have to defne the new switch in /usr/local/pf/conf/switches.conf
[10.0.0.xxx]
ip = 10.0.0.xxx
type = Cisco::Catalyst_2960
mode = production
uplink = 10101,10102
❏ ip: switch IP address
❏ mode
◦ testing: pfsetvlan writes in the log fles what it would normally do, but it doesn't react on the traps, it does not change any VLAN.
◦ registration: pfsetvlan automatically register all MAC addresses seen on the switch ports. As in testing mode, no VLAN changes are done.
◦ production: this is the regular working mode; pfsetvlan sends the SNMP writes to change the VLAN on the switch ports.
CAUTION: If [trapping.testing] (see pf.conf) is enabled, PacketFence will consider that all the switches are in test whatever the working mode is !
❏ uplink: list of ports that are NOT managed by PacketFence. All uplink ports must be defned here!
◦ Dynamic (default): PF queries the switch using CDP (Cisco only !!) to get the uplinks
◦ 1,2,10001,10002,... : uplink list if a hub is plugged in a port, this port must be declared as uplink !!!
❏ type: switch type. As defned in Supported Switches, Access points and Controllers. Could be for example:
◦ Cisco::Catalyst_2960
◦ Extreme::Summit_X250e
© 2008-2010 Inverse inc. Frequently Asked Questions 83
Chapter 10
I want to manage only some ports on a switch but not all the ports. How can I do that ?
You need to use the uplink parameter. All the ports declared as uplinks will be ignored and not managed by PacketFence. This parameter is defned in the [default] section of /usr/local/pf/conf/switches.conf. You can defne a different uplink list for each switch. You have to use the ifIndex of a port (not its port number) !
Troubleshooting
PacketFence does not start
Look at the error message either on the command line or in the logs fle to see what is the cause of the problem.
Where can I see PacketFence logs and errors ?
In /usr/local/pf/logs:
❏ admin_error_log
❏ error_log
❏ packetfence.log
When I plug a computer in a switch, it does not get a network access
❏ Make sure PF gets traps from that switch
❏ Make sure PF reacts when it receives traps from that switch: look into /usr/local/pf/logs/packetfence.log
How to make sure PacketFence gets traps from a switch ?
❏ Make sure network connectivity is fne between the switch and PF
❏ Make sure port 162 (UDP) is open on the PF server
❏ Make sure you defne PF as a trap receiver in the switch
❏ Make sure the switch uses the right snmp settings (community, snmp version,...) to send traps to PF. Checkout the SNMP settings in the switch
You could use tcpdump to see if PF receives traps: ''tcpdump -i ethx port 162''
© 2008-2010 Inverse inc. Frequently Asked Questions 84
Chapter 10
Where should I look to see what PacketFence does when it gets a trap ?
Look into /usr/local/pf/logs/packetfence.log: PacketFence logs there everything it does for every trap.
PacketFence receives traps but does not do anything
There could be many reasons mentioned in /usr/local/pf/logs/packetfence.log:
- Is the switch is in production mode ?
- Is the port defned as a uplink
- Is the actual Vlan of the port managed by PF ?
- Is the new Vlan ( i.e. the Vlan in which PF should put the port for the new device) managed by PF ?
- Is the new Vlan defned in the switch ?
© 2008-2010 Inverse inc. Frequently Asked Questions 85
Chapter 11
11 Additional Software
Nessus
If you plan on using Nessus to scan client systems, you need to install the following packages:
❏ openssl-devel
❏ perl-IO-Socket-SSL
❏ perl-Net-Nessus-Client
❏ perl-Net-Nessus-Message
❏ perl-Net-Nessus-ScanLite
Please visit http://www.nessus.org/download/ to download and install Nessus.
After you install Nessus, a new tab called “Scan” appears in the web interface. Use this tab to confgure and plan your Nessus scans.
Confguration
In order for a given Nessus Scan to generate a violation inside PacketFence, you have to confgure two sections:
❏ pf.confPut the Nessus plugin ID in the scan.live_tids variable.
❏ violations.confYou need to create a new violation section and have to specify
trigger=Scan::<violationId>
Where violationId is the Id of the Nessus plugin to check for. Once you have fnished the confguration, you need to reload the violation related database contents using:
pfcmd reload violations
NOTE: Violations will trigger only if the Nessus plugin is a high severity vulnerability
© 2008-2010 Inverse inc. Additional Software 86
Chapter 11
NessusClient Integration
New since 1.8.3 is the ability to directly use the nessus command line client and dot nessus fles. The NessusClient File format is documented at http://www.nessus.org/documentation/dot_nessus_fle_format.pdf and can easily be generated using the offcial Nessus Client.
You'll have to save your dot nessus fle in the /usr/local/pf/conf/nessus/ directory and specify its flename using the scan.nessusclient_file confguration setting. You'll also have to specify your policy name using the scan.nessusclient_policy setting. After that, you can execute your scan using
pfcmd schedule now <IP>
NOTE: If you provide credentials in the .nessus fle, you need to enable the “Store passwords as plain text” option in your Nessus Client.
Scan on registration
To perform a system scan before giving access to a host on the network you need to enable the scan.registration parameter in pf.conf.
It is also recommended to adjust scan.duration to refect how long the scan takes. A progress bar of this duration will be shown to the user while he is waiting.
Snort
If you plan on using Snort as a network intrusion prevention and detection system, we encourage the usage of Oinkmaster to manage your snort rules.
Please visit http://www.snort.org/dl/ to download and install Snort. We recommend that you use the package provided for your operating system rather than the source fles.
Confguration
PacketFence provides a basic snort.conf template that you may need to edit depending of the Snort version. The fle is located in /usr/local/pf/conf/templates. It is rarely necessary to change anything in that fle to make Snort work and trap alerts. DO NOT edit the snort.conf located in /usr/local/pf/conf, all the modifcation will be destroyed on each PacketFence restart.
© 2008-2010 Inverse inc. Additional Software 87
Chapter 11
Violations
In order to make PacketFence react to the Snort alerts, you need to explicitly tell the software to do so. Otherwise, the alerts will be discarded. This is quite simple to accomplish. In fact, you need to create a violation and add the Snort alert SID in the trigger section of a Violation.
In the example below, we defne a violation for Darknet Access using the Snort alert SID 1100009. This is accomplished by using the Detect:: keyword.
[1100009]
desc=Darknet Access
url=/content/index.php?template=darknet
trigger=Detect::1100009actions=email,log
disable=N
For more informations about violations, please refer to Chapter 7 of this guide.
Oinkmaster
Oinkmaster is a perl script that enables the possibility to update the different snort rules very easily. It is simple to use, and install. This section will show you how to implement Oinkmaster to work with PacketFence and Snort.
Please visit http://oinkmaster.sourceforge.net/download.shtml to download oinkmaster. A sample oinkmaster confguration fle is provided at /usr/local/pf/addons/snort/oinkmaster.conf
Confguration
Here are the steps to make Oinkmaster work. We will assume that you already downloaded the newest oinkmaster archive :
• Untar the freshly downloaded Oinkmaster
© 2008-2010 Inverse inc. Additional Software 88
Chapter 11
• Copy the required perl scripts into /usr/local/pf/oinkmaster. You need to copy over contrib and oinkmaster.pl
• Copy the oinkmaster.conf provided by PacketFence (see the section above) in /usr/local/pf/conf
• Modify the confguration to suit your own needs. Currently, the confguration fle is set to fetch the bleeding rules.
Rules update
In order to get periodic updates for PacketFence Snort rules, we simply need to create a crontab entry with the right information. The example below shows a crontab entry to fetch the updates daily at 23:00 PM :
0 23 * * * (cd /usr/local/pf; perl oinkmaster/oinkmaster.pl -C conf/oinkmaster.conf -o conf/snort/)
© 2008-2010 Inverse inc. Additional Software 89
Chapter 12
12 Appendix A: Database Schema
Note: This schema is outdated.
© 2008-2010 Inverse inc. Appendix A: Database Schema 90
Chapter 13
13 Appendix B: Confguration parameter reference
Alerting
[alerting.admin_netbiosname]
type: text
description: NetBIOS name of administrative workstation to send alerts with "winpopup" action assigned.(default: EXAMPLE)
[alerting.emailaddr]
type: text
description: Email address to which notifcations of rogue DHCP servers, violations with an action of "email", or any other PacketFence-related message goes to.(default: pf@localhost)
[alerting.fromaddr]
type: text
description: Email address from which notifcations of rogue DHCP servers, violations with an action of "email", or any other PacketFence-related message are sent.
[alerting.log]
type: text
description: Log fle where "log" actions are sent.(default: /usr/local/pf/logs/violation.log)
[alerting.smtpserver]
type: text
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 91
Chapter 13
description: Server through which to send messages to the above emailaddr. (default: localhost)
[alerting.subjectprefx]
type: text
description: Subject prefx for email notifcations of rogue DHCP servers, violations with an action of "email", or any other PacketFence-related message.(default: “PF Alert:”)
[alerting.wins_server]
type: text
description: WINS server to resolve NetBIOS name of administrative workstation to IP address.(default: 192.168.0.100)
Arp
[arp.cleanshutdown]
type: toggle
options: enabled|disabled (default: enabled)
description: If enabled, ARPs are sent to all trapped systems to re-point them to the correct gateway device at shutdown.
[arp.dhcp_timeout]
type: time
description: Used in detection of systems with static IP addresses. Looks for broadcast DHCPDISCOVERs and fags a node as rogue if it fails to see one before timer is exceeded. This value should be greater than 50% of your DHCP lease time. (default: 8h)
[arp.gw_timeout]
type: time
description: Used in detection of systems with statically-defned gateway ARP entries. If a system has not ARPed for the gateway within this interval, it is removed from the IP->MAC mappings and should be fagged as rogue by the next probe. (default: 1d)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 92
Chapter 13
[arp.heartbeat]
type: time
description: To eliminate the negative effects of switch fooding of poisoned ARPs on some (cough...cough...Netgear MR814v2) routers, we must frst send a valid ARP to establish that the system is on-line. The heartbeat is the length of time between the initial "hello" and a poisoned "goodbye". (default: 30s)
[arp.interval]
type: time
description: Interval at which poisoned ARPs ("traps") are sent to infected/unregistered systems. (default: 60s)
[arp.listendevice]
type: text
description: Used to specify an alternative interface to use for ARP/DHCP monitoring. Useful when a local SPAN is present as monitoring DHCP without a SPAN may result in static DHCP false positives (DHCPRENEWs are unicast). This option will likely be deprecated in favor of an "arp" interface type in future versions.
[arp.strobe]
type: toggle
options: enabled|disabled (default: enabled)
description: If enabled, sends ARP request to all IP addresses within range immediately after startup. This allows for the internal MAC to IP mappings to be populated quickly.
[arp.stuffng]
type: toggle
options: enabled|disabled (default: disabled)
description: If enabled, forces PacketFence system to "stuff" router ARP cache with a bogus MAC for systems that are not responding. This option effectively increases the "stickiness" of traps by suppressing broadcast ARP traffc from the gateway. It is also somewhat dangerous in that it relies on systems to issue a GARP (gratuitous ARP) at boot to reclaim previously stuffed addresses.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 93
Chapter 13
[arp.timeout]
type: time
description: Length of time of inactivity after which an unresponsive system is aged out. Hello ARPs are sent at timeout/2 and timeout-interval to avoid prematurely timing out a system. (default: 8h)
Database
[database.db]
type: text
description: Name of the MySQL database used by PacketFence. (default: pf)
[database.host]
type: text
description: Server the MySQL server is running on. (default: localhost)
[database.pass]
type: text
description: Password for the MySQL database used by PacketFence. (default: packet)
[database.port]
type: numeric
description: Port the MySQL server is running on. (default: 3306)
[database.user]
type: text
description: Username of the account with access to the MySQL database used by PacketFence. (default: pf)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 94
Chapter 13
Dhcp
[dhcp.isolation_lease]
type: time
description: Optional lease time for the isolation scope. (default: 2m)
[dhcp.isolation_scopes]
type: text
description: List of scope defnitions that isolated clients are assigned to.
[dhcp.registered_lease]
type: time
description: Optional lease time for the registered scope.(default: 2h)
[dhcp.registered_scopes]
type: text
description: List of scope defnitions that registered (and non-isolated) clients are assigned to.
[dhcp.unregistered_lease]
type: time
description: Optional lease time for the unregistered scope.(default: 2m)
[dhcp.unregistered_scopes]
type: text
description: List of scope defnitions that unregistered clients are assigned to. This is the "default" scope for a new client.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 95
Chapter 13
Expire
[expire.iplog]
type: time
description: Time which you would like to keep logs on IP/MAC information A value of 0d disables expiration. (default: 0d)
[expire.locationlog]
type: time
description: Time which you would like to keep logs on location information. Please note that this table should not become too big since it could degrade pfsetvlan performance. A value of 0d disables expiration. (default: 0d)
[expire.node]
type: time
description: Time before a node is removed due to inactivity. A value of 0d disables expiration. (default: 0d)
[expire.traplog]
type: time
description: Time which you would like to keep logs on trap information
A value of 0d disables expiration. (default: 0d)
General
[general.caching]
type: toggle
options: enabled|disabled (default: enabled)
description: Enable caching of isinternal values as well as other fun stuff. Leave this enabled or suffer the performance consequences.
[general.dhcpservers]
type: text
description: Comma-delimited list of DHCP servers.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 96
Chapter 13
[general.dnsservers]
type: text
description: Comma-delimited list of DNS servers.
[general.domain]
type: text
description: Domain name of the PacketFence system (default: example.com)
[general.hostname]
type: text
description: Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients. (default: abc)
[general.locale]
type: multi
options: en_US|es_ES|fr_FR|it_IT|nl_NL (default: en_US)
description: Locale used for message translation. More than one can be specifed
[general.logo]
type: text
description: Logo displayed on web pages. (default: /common/packetfence.png)
[general.maintenance_interval]
type: time
description: Interval at which Packetfence runs its maintenance tasks. (default: 60s)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 97
Chapter 13
Interface
[interface.authorizedips]
type: text
description: (Optional) list of IPs/subnets to authorize on this interface. If not specifed, all IPs are authorized to connect. This can be used for example to limit access to the management interface to some specifc hosts.
[interface.gateway]
type: text
description: Gateway of the named interface.
[interface.ip]
type: text
description: IP address of the named interface - note that this should mirror the OS-level confguration but it does not make any OS-level changes.
[interface.mask]
type: text
description: Network mask of the named interface.
[interface.type]
type: multi
options: internal|managed|monitor|dhcplistener|isolation|registration
description: Describes "type" of named interface. Internal describes internal client networks, managed (aka external) interfaces have the administrative GUI running on them, monitor is the interface that snort listens on and dhcplistener is an interface connected to a SPAN of the DHCP traffc.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 98
Chapter 13
Network
[network.dhcpdetector]
type: toggle
options: enabled|disabled (default: enabled)
description: If enabled, PacketFence will monitor DHCP-specifc items such as rogue DHCP services, DHCP-based OS fngerprinting, computername/hostname resolution, and (optionnally) option-82 location-based information. The monitored DHCP packets are DHCPDISCOVERs and DHCPREQUESTs - both are broadcasts, meaning a span port is not necessary. This feature is highly recommended if the internal network is DHCP-based.
[network.dhcpoption82logger]
type: toggle
options: enabled|disabled (default: disabled)
description: If enabled PacketFence will monitor DHCP option82 location-based information.
This feature is only available if the dhcpdetector is activated.
[network.mode]
type: toggle
options: arp|dhcp|vlan (default: arp)
description: Defnes the mode in which PacketFence will operate.
When deployed in arp mode, PacketFence uses ARP manipulation inject itself into the datastream trapped nodes. The major failing of arp mode is that it's not 100% in catching all traffc - spurious packets can and will occasionaly get through.
[network.rogueinterval]
type: numeric
description: When rogue DHCP server detection is enabled, this parameter defnes how often to email administrators. With its default setting of 10, it will email administrators the details of the previous 10 DHCP offers. (default: 10)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 99
Chapter 13
PassThroughs
[passthroughs]
description: This section allows you to create passthroughs to HTML content or remote addresses/networks. Here's an example:
packetfence=http://www.packetfence.org
The above will allow 80/tcp traffc to the resolved IP address (the LHS value is arbitrary). Passthroughs can also take the form of:
test=192.168.100.10/23
which would allow full IP to all 512 destination addresses.
(default: packetfence=http://www.packetfence.org symantec_scanner=http://security.symantec.com)
Ports
[ports.admin]
type: text
description: Port the administrative interface listens on.(default: 1443)
[ports.listeners]
type: multi
options: imap|pop3
description: Enables "bogus" IMAP and POP servers. These servers serve only to deliver a message (POP3) or send an alert (IMAP) to inform the user that he/she must register before connectivity is allowed. Content of the message is found at /usr/local/pf/conf/templates/listener.msg
[ports.redirect]
type: text
description: Ports to intercept and redirect for trapped and unregistered systems. IMAP and POP3 listeners must be enabled via the listeners parameter if the redirection is to be of any use. Redirecting 443/tcp (SSL) will work, although users will get ugly and confusing pop-ups as the common name will no longer match. Redirecting 53/udp (DNS) seems to have issues and is
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 100
Chapter 13
also not recommended.(default: “80/tcp,110/tcp,143/tcp”)
Proxies
[proxies]
description: This section allows you to confgure locally proxied content. We typically use this to proxy tools like Stinger rather than having to continually download the latest version. (default: tools/stinger.exe=http://download.nai.com/products/mcafee-avert/stinger.exe)
The Stinger utility could then be accessed at https://pfhostname/proxies/tools/stinger.exe.
Registration
[registration.auth]
type: multi
options: local|ldap|radius (default: local)
description: Method or Methods by which registering nodes will be authenticated. Templates for LDAP and local are available at /usr/local/pf/conf/authentication/. If you wish to use a different authentication mechanism, simply create a f le called /usr/local/pf/conf/authentication/<authname>.pm, fll it with the necessary data, and set auth=<authname>. The default value local relies on a local access fle in /usr/local/pf/conf/user.conf.
[registration.button_text]
type: text
description: The button text will appear on the registration page submit button. (default: Register)
[registration.expire_deadline]
type: date
description: If expire_mode is set to "deadline", this is the date (formatted as returned by the "date" command) at which nodes revert to an unregistered state. This would typically be the end of a semester. (default: “Mon Nov 12 12:00:00 EST 2012”)
[registration.expire_mode]
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 101
Chapter 13
type: toggle
options: window|deadline|session|disabled (default: disabled)
description: If set to "deadline", the expire_deadline option defnes the date at which a node reverts to an unregistered state. If set to "window", the window is used to determine the length of time after registration that a node remains registered. If set to "session", it specifes that a client should be unregistered as soon as its iplog entry closes (or with a bit of latency - check regitration.expire_session).
[registration.expire_session]
type: time
description: If expire_mode is set to "session", this is the amount of time after a node's iplog entry is closed that it reverts to an unregistered state. (default: 5m)
[registration.expire_window]
type: time
description: If expire_mode=window, this is length of time after registration that a node reverts to an unregistered state. (default: 52w)
[registration.maxnodes]
type: numeric
description: If defned, the maximum number of nodes that can be registered to a single PID. (default: 0)
[registration.nbregpages]
type: numeric
description: The number of registration pages to show to the user. If higher than
1, you'll have to create the pages
html/user/content/templates/register_2.html
...
html/user/content/templates/register_<nbregpages>.html
(default: 1)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 102
Chapter 13
[registration.queuesize]
type: numeric
description: Useful for passive deployments on very large networks, this defnes the number of nodes that PacketFence will simultaneously trap for registration (trappings due to violation always occur). If set to 0, this queue is disabled. (default: 0)
[registration.range]
type: text
description: Address ranges/CIDR blocks that PF will force registration on. Gateway, network, and broadcast addresses are ignored. If this is not defned the trapping.range will be used as the registration range. Comma-delimited entries should be of the from:a.b.c.0/24a.b.c.d.0-255a.b.c.0-a.b.c.255a.b.c.d
[registration.skip_deadline]
type: date
description: If skip_mode=deadline, this is the date at which the "skip registration" option is disabled. Date string is formatted as the output of the "date" command is. (default: “Mon Nov 12 12:00:00 EST 2012”)
[registration.skip_mode]
type: toggle
options: window|deadline|disabled (default: disabled)
description: If set to "deadline", the deadline option defnes the time at which skipping registration is no longer an option for clients. If set to "window", the window is used to determine the amount of time after frst network access that a node may skip registration.
[registration.skip_reminder]
type: time
description: Interval that a user is re-prompted to register after skipping. For example, if window=2w and reminder=1d, a user will be allowed to skip for two weeks but will be re-prompted every day. (default: 1d)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 103
Chapter 13
[registration.skip_window]
type: time
description: The length of time that a node may skip registration. For instance, setting it to 2880 minutes would allow students to skip registration for two days, giving them time to get a student ID, password, etc. (default: 14d)
Scan
[scan.host]
type: text
description: Host the nessus server is running on. For performance reasons, we recommend running the nessus server remotely. A passthrough will be automagically created. (default: 127.0.0.1)
[scan.live_tids]
type: text
description: If a host fails a scan AND the tid is listed in live_tids the corresponding violation will be added. If the tid is not listed here the event will be logged only. This is used to test Nessus plugins before going live. The tid is the Nessus plugin Id.
[scan.nessusclient_fle]
type: text
description: Name of the NessusClient fle; this fle must be found in conf/nessus (default: remotescan.nessus)
[scan.nessusclient_policy]
type: text
description: Name of the Policy inside the NessusClient fle which should be used during the scan. (default: RemoteScan)
[scan.pass]
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 104
Chapter 13
type: text
description: Password to log into nessus server with. (default: packet)
[scan.port]
type: text
description: Port nessus server is running on. (default: 1241)
[scan.registration]
type: toggle
options: enabled|disabled (default: disabled)
description: If this option is enabled, the PacketFence system will scan each host after registration is complete with all nessusids.
[scan.duration]
type: time
description: Approximate duration of a scan. User being scanned on registration are presented a progress bar for this duration, afterwards the browser refreshes until scan is complete. (default: 60 seconds)
[scan.ssl]
type: toggle
options: enabled|disabled (default: enabled)
description: enable ssl communication with the nessus server.
[scan.user]
type: text
description: Username to log into nessus server with. (default: admin)
Scope
[scope.gateway]
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 105
Chapter 13
type: text
description: Network gateway of scope.
[scope.network]
type: text
description: Network (in CIDR or prefx notation) of the subnet encompassing the DHCP ranges.
[scope.range]
type: text
description: Address range eligible for DHCP assignment. A comma-delimited list of networks of the form:
a.b.c.0/24
a.b.c.0-255
a.b.c.0-a.b.c.255
a.b.c.d
Services
[services.dhcpd]
type: text
description: Location of the dhcpd binary. Only necessary to change if you are not running the RPMed version. DHCP is not supported until PacketFence 1.6(default: /usr/sbin/dhcpd)
[services.httpd]
type: text
description: Location of the apache binary. Only necessary to change if you are not running the RPMed version.(default: /usr/sbin/httpd)
[services.named]
type: text
description: Location of the named binary. Only necessary to change if you are not running the RPMed version.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 106
Chapter 13
[services.snmptrapd]
type: text
description: Location of the snmptrapd binary. Only necessary to change if you are not running the RPMed version. (default: /usr/sbin/snmptrapd)
[services.snort]
type: text
description: Location of the snort binary. Only necessary to change if you are not running the RPMed version. (default: /usr/sbin/snort)
Servicewatch
[servicewatch.email]
type: toggle
options: enabled|disabled (default: enabled)
description: Should 'pfcmd service pf watch' send an email when services are not running
[servicewatch.restart]
type: toggle
options: enabled|disabled (default: disabled)
description: Should 'pfcmd service pf watch' restart PacketFence when services are not running
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 107
Chapter 13
Trapping
[trapping.blacklist]
type: text
description: Comma-delimited list of MAC addresses that are not allowed to pass through the PacketFence system.
[trapping.detection]
type: toggle
options: enabled|disabled (default: disabled)
description: Enables snort-based worm detection. If you don't have a span interface available, don't bother enabling it. If you do, you'll most defnitely want this on.
[trapping.immediate]
type: toggle
options: enabled|disabled (default: disabled)
description: Enable this if you want to see lots of "IP confict boxes on Windows systems! On detection of a violation, a spoofed GARP (gratuitous ARP) is sent to the offending system. This causes it to think another system is using its IP address and, under Windows 2000, causes it to disable its IP stack. When the user manages to get the system back on the wire (ipconfg /release, reboot, etc) he/she will be assigned an address from the isolation scope.
[trapping.passthrough]
type: toggle
options: iptables|proxy (default: iptables)
description: Method by which content is delivered to trapped systems. When set to "proxy", PacketFence uses Apache's reverse proxy functionality and the mod_proxy_html module to rewrite links. Note that links external servers will not be properly rewritten. When set to "iptables", PacketFence creates passthroughs to the content for only those nodes trapped with the corresponding violation. Be aware that an iptables passthrough is based on IP address and clients will be able to get to ALL content on the destination site.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 108
Chapter 13
[trapping.range]
type: text
description: Address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and broadcast addresses are ignored. Comma-delimited entries should be of the form:
a.b.c.0/24
a.b.c.0-255
a.b.c.0-a.b.c.255
a.b.c.d
(default: 192.168.0.0/24)
[trapping.redirecturl]
type: text
description: Default URL to redirect to on registration/mitigation release. This is only used if a per-violation redirecturl is not defned. (default: http://www.packetfence.org)
[trapping.redirtimer]
type: time
description: How long to display the progress bar during trap release. Setting it to a value of 5 or higher is recommended when in passive mode. Doing so allows the client time to receive and process the redirection ARP sent by PacketFence. (default: 10s)
[trapping.registration]
type: toggle
options: enabled|disabled (default: disabled)
description: If enabled, nodes will be required to register on frst network access. Further registration options are confgured in the registration section.
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 109
Chapter 13
[trapping.testing]
type: toggle
options: enabled|disabled (default: enabled)
description: Disables sending of ARPs - note that this has implications on node detection and timeouts. If enabled in VLAN isolation, PacketFence will consider that all the switches are in test and therefore will not do anything.
[trapping.whitelist]
type: text
description: Comma-delimited list of MAC addresses that are immune to isolation. Additionally, in ARP mode no registration or trapping is performed so whitelisted hosts are always allowed to pass.
Vlan
[vlan.adjustswitchportvlanreasons]
type: multi
options: node_modify|manage_register|manage_deregister|manage_vclose|manage_vopen|violation_modify|violation_add|violation_delete
description: After which calls to pfcmd do we have to re-calculate and re-assign the switch port VLAN a node is connected to. (default: node_modify|manage_register|manage_deregister|manage_vclose|manage_vopen|violation_modify|violation_add|violation_delete)
[vlan.adjustswitchportvlanscript]
type: text
description: Script that adjusts the switch port VLAN. (default: /usr/local/pf/bin/fip.pl)
[vlan.closelocationlogonstop]
type: toggle
options: enabled|disabled (default: disabled)
description: Should open locationlog entries be closed when pfsetvlan is stopped
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 110
Chapter 13
[vlan.dhcpd]
type: toggle
options: enabled|disabled (default: disabled)
description: Should DHCPd be started ?
[vlan.named]
type: toggle
options: enabled|disabled (default: disabled)
description: Should named be started ?
[vlan.nbtraphandlerthreads]
type: text
description: Number of trap handler threads pfsetvlan should start. (default: 20)
[vlan.nbtrapparserthreads]
type: text
description: Number of trap parser threads pfsetvlan should start. (default: 5)
© 2008-2010 Inverse inc. Appendix B: Confguration parameter reference 111
Chapter 14
14 Additional Information
For more information, please consult the mailing archives or post your questions to it. For details, see :
[email protected]: Public announcements (new releases, security warnings etc.) regarding PacketFence
[email protected]: Discussion of PacketFence development
[email protected]: User and usage discussions
© 2008-2010 Inverse inc. Additional Information 112
Chapter 15
15 Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to :
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize, migrate versions or from another system, performance tuning or aligning with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/support.html for details.
© 2008-2010 Inverse inc. Commercial Support and Contact Information 113
Chapter 16
16 GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
© 2008-2010 Inverse inc. GNU Free Documentation License 114