Monday, November 26, 2012

PacketFence 4.0 Setup (VLAN)

If you are looking for a walkthrough on how to install PacketFence, this is not the best place to start. I have another post here with directions on how to install PacketFence on CentOS 6.3.

*I am in the process of updating this post for PacketFence 4.0

Let me start off with this: I am fairly new to PacketFence. I have known about it for several years and I even tried installing it on a server once or twice, but I have never been able to get it to a point where it was something usable. It always seemed I would run into a hiccup and put it on the back burner. Anyway, on to my guide.

  • Your network uses VLANs
  • Your network is using HP Procurve 2500 & 2600 series switches
  • Your network already has a DHCP server in it

After you install PacketFence and log in to the administration interface and click through some of the tabs, you will notice that it is pretty empty. To start making information appear, there are some steps we need to take.

In order for PacketFence to do its job, it needs to know MAC addresses. All of them on your network, in fact. If you followed my instructions from an earlier post, you had PacketFence do a complete install and a DHCP server was installed.

1. For PacketFence to start seeing devices on the network, we need to add an IP helper address to the switch that does all of the VLAN routing for your network. In my case, I have an HP ProCurve 5300 switch doing that for me. In each VLAN, I added the line "ip helper-address X.X.X.X" where X.X.X.X is the IP address of my PacketFence server. Make sure that your PacketFence server is the last one in the list, otherwise PacketFence may start handing out addresses and cause problems that you do not want.

Now, it may take a few minutes for devices to start showing up in the Node section of the PacketFence Administration Console, but they will start showing up.

2. For PacketFence to "talk" with the switches in your network, you will need to add the switches in PacketFence and you will need to add some commands to your switches. Where I work we do not use the standard "public" and "private" snmp communities.
     - PacketFence Config:
Step 1. Click on "Configuration". On the left hand side click on "Switches". At the bottom, click on "Add Switch". A window will popup.
Step 2.
  1. In "IP Address:" type in the ip address of your switch.
  2. Under "Type", select the type of switch you have. (In my setting, HP ProCurve 2600).
  3. Under "Mode:" select "Production"
  4. Under "Deauthentication Method" select Telnet. (This is the default)
  5. Under "Uplinks:" type in the port numbers that you use to connect to other switches. (In my setting, 25,26)
  6. Click on the "Roles" tab at the top
  7. Under "Registration" type in the VLAN that the device is put into when it needs to register with the PacketFence server. Repeat this step for "Isolation", "MAC Detection", "Inline", "Voice", and "Default".
  8. Click on the "SNMP" tab at the top
  9. For "Version:" select "2c" (This is the default.)
  10. For "Community Read" enter your SNMP community read name. If you are using the standard "public" and "private" communities, "public" goes here.
  11. For "Community Write" enter your SNMP community write name. If you are using the standard "public" and "private" communities, "private" goes here.
  12. For "Auth Password Write" enter your password for the switch.
  13. For "Priv Password Write" enter your password for the switch.
  14. For "Trap Version:" select "2c" (This is the default.)
  15. For "Community Trap" enter your SNMP community write name. If you are using the standard "public" and "private" communities, "private" goes here.
  16. Click on the "CLI" tab at the top
  17. For "Transport" select Telnet (This is the default)
  18. For "Password" and "Enable Password" enter your password for the switch. 
  19. Click on "Save" at the bottom.
     - Switch Config: (This info is also available in the PacketFence Network Devices Configuration Guide on the PacketFence website under Documentation.)
Log into your switch. Make sure to do this using the command line and not the web interface. Enter the configuration mode on your switch. To do this on HP ProCurve switches, normally you can type "config" and then press enter. Now type the commands below:

snmp-server community public manager unrestricted

snmp-server host XXX.XXX.XXX.XXX "public" Not-INFO
no snmp-server enable traps link-change 1-24

port-security 1-24 learn-mode configured action send-alarm
--- Notes ---
* If you are not using the standard public/private snmp communities, make your changes as needed
* Change the XXX.XXX.XXX.XXX to the IP address of your PacketFence server
* I am using a 26 port switch and ports 25 and 26 are my uplink ports, so adjust your numbers as needed.
* Now is a good time to add the VLANs you specified for Registration, Isolation, MAC Detection, and Guest.
* On the switches, I found that if you do not have the PacketFence server first in the list of snmp-server host XXX.XXX.XXX.XXX, it causes problems

Now, your switches and your PacketFence server should be communicating with one another.
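
A way to check a saved switch configuration against the notes above, as an added example that is not part of the original post or of PacketFence: it reports when the PacketFence server is not the first snmp-server host, when a standard "public"/"private" community has write access, and when port-security covers an uplink port. The address 192.0.2.10, the sample configuration and the function names are assumptions made for the example, and port names are assumed to be numeric as on the 2500/2600 series.

```python
import re

# Constructed sample of a saved switch configuration with three mistakes.
# 192.0.2.10 is a placeholder for the PacketFence server address.
SAMPLE_CONFIG = """\
snmp-server community "public" manager unrestricted
snmp-server host 192.0.2.50 "public"
snmp-server host 192.0.2.10 "public" Not-INFO
no snmp-server enable traps link-change 1-24
port-security 1-26 learn-mode configured action send-alarm
"""

def expand_ports(spec):
    """Expand a numeric port list such as '1-24,26' into a set of ints.
    Assumes numeric port names, as on the 2500/2600 series."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(config, pf_ip, uplinks):
    """Return findings for the switch settings this guide configures."""
    findings = []
    # Trap receivers, in the order the switch lists them.
    hosts = re.findall(r"^snmp-server host (\S+)", config, re.M)
    if pf_ip not in hosts:
        findings.append("PacketFence is not an snmp-server host")
    elif hosts[0] != pf_ip:
        findings.append("PacketFence is not the first snmp-server host")
    # "unrestricted" grants SNMP write access to the community.
    for name, rest in re.findall(
            r'^snmp-server community "?([^"\s]+)"?(.*)$', config, re.M):
        if name in ("public", "private") and "unrestricted" in rest.lower():
            findings.append(f"default community {name} has write access")
    # The post applies port-security to ports 1-24 and leaves uplinks out.
    secured = set()
    for spec in re.findall(
            r"^port-security (\S+) learn-mode configured", config, re.M):
        secured |= expand_ports(spec)
    on_uplinks = sorted(secured & set(uplinks))
    if on_uplinks:
        findings.append(f"port-security enabled on uplinks {on_uplinks}")
    if not secured:
        findings.append("port-security is not configured on any port")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.0.2.10", [25, 26]):
        print("FINDING:", finding)
```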

1 comment:

  1. Did you ever get PacketFence up and running?
    I am having trouble getting packetfence to talk to my HP2520 procurve switch with snmp.

    Ron Frusher
    National Lloyds Insurance Company
    American Summit Insurance Company
    IT Team Lead Administrator
    (254) 981 - 7200