Monday, July 1, 2013

PacketFence Active Directory Settings

If you have been following my posts, you know that I am working on creating some better documentation on how to set up PacketFence. Even though the guys over at Inverse have created a wonderful product that is free, I feel that their documentation on how to set it up is a little bit lacking, especially since portions of it still refer to hand-editing configuration files through the command line.

In this post, I will discuss how to set up PacketFence to work with Microsoft Active Directory.

First thing we need to do is log in to the PacketFence server, then click on "Configuration" at the top, then "Roles" on the left. When users are authenticated, they will need to be placed into a role. With that said, it is easier to create the role first. It saves a lot of time going back and forth between the two screens.

On the "Roles" page, click on "Add Role" at the bottom. A window will appear in the screen.

Under "Name" enter the name you want to give the role, a brief description for the role and the max number of nodes per user. In my example, you can see that I entered "Employee" into the name field, "Company Employees" for the description, and 3 as the max number of nodes (devices) for each user. Don't forget to save. Repeat this step for each role that you want to create.

Now, it is time for the good part. Click on the "Sources" button on the left. At the bottom, click "Add Source" then "AD".
A "New Source" page will appear.
Every setting on this page will need to be filled in.
  • Name: Give the source a name. I just named it the same as my domain controller
  • Description: Give a brief description. "Company Employees" is my description
  • Host: This is the IP address of your Domain Controller. Enter "389" for the second box. (389 is the default port that AD and LDAP use) and select none for the last box.
  • Base DN: Enter the full path to your user accounts. Here is mine: "ou=Teachers,dc=School,dc=District,dc=k12,dc=State,dc=us".
    • Helpful Tip: OU stands for Organizational Unit, DC stands for Domain Controller, CN stands for Common Name
  • Scope: Select the type of scope you want. I selected "Subtree" because I have additional OUs in my Teacher OU
  • Username Attribute: This is the name of the field that PacketFence will use to authenticate users with. If you want to use the AD username, type in "sAMAccountName".
  • Bind DN: Here you want to enter the full AD path of a user with domain admin rights. I used the administrator account: "cn=administrator,ou=Domain Admins,ou=School,dc=District,dc=k12,dc=State,dc=us"
  • Password: Enter the password for the account that you used with Bind DN. 
Now, click on "Test". If you entered everything correctly, you will see a green bar across that says "Success". If not, double check everything you typed in. If you have nested OUs, you have to start with the deepest one and work backwards. So if your OUs are Company -> Department -> Sales, your Base DN and Bind DN should look like "ou=Sales,ou=Department,ou=Company,dc=Company,dc=com".
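As an added example (not from this post or from PacketFence itself), here is a small Python helper that builds a Base DN and Bind DN in the deepest-OU-first order the Test button expects, flags a hand-typed DN whose components are out of order, and escapes a username before it goes into the sAMAccountName search filter; the OU names, domain and service account name in the comments are made-up sample values.

```python
import re

# RFC 4514: these characters must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = re.compile(r'([\\,+"<>;=])')
# Split a DN on commas that are not escaped.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def escape_rdn_value(value):
    """Escape one RDN value (an OU, CN or DC label) so it cannot break out of its component."""
    escaped = _DN_SPECIAL.sub(r"\\\1", value)
    if escaped[:1] in ("#", " "):      # a leading '#' or space needs escaping too
        escaped = "\\" + escaped
    if escaped.endswith(" "):           # as does a trailing space
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_dn(ou_path, domain, cn=None):
    """Build a DN from a top-down OU path (Company -> Department -> Sales) and a DNS domain.

    The result lists the deepest OU first and ends with the domain's labels as dc= components,
    which is the order the Base DN and Bind DN fields expect. For the Bind DN, pass cn= the
    account name; a dedicated read-only service account (made-up: "svc-packetfence") is enough
    for the bind, it does not need domain admin rights.
    """
    rdns = ["cn=" + escape_rdn_value(cn)] if cn else []
    rdns += ["ou=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    rdns += ["dc=" + escape_rdn_value(label) for label in domain.split(".")]
    return ",".join(rdns)


def dn_problems(dn):
    """Return a list of ordering problems with a hand-typed DN ([] if it looks right)."""
    types = [rdn.split("=", 1)[0].strip().lower() for rdn in _RDN_SPLIT.split(dn)]
    problems = []
    if "dc" not in types:
        problems.append("no dc= components: the DN should end with the AD domain")
    elif "ou" in types[types.index("dc"):]:
        problems.append("ou= after dc=: start with the deepest OU and put the domain last")
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_filter(username, attribute="sAMAccountName"):
    """The search filter a lookup on the configured Username Attribute sends to the DC."""
    return "(%s=%s)" % (attribute, escape_filter_value(username))
```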

Once you have Success, click on "Add Rule". A window will appear.
Give the Rule a name. I entered "Employees". 
If you would like to, give a brief description like "Rule for all Employees".
Under "Perform the following actions", select "Set Role" and then select the role you created earlier (Employee).
To the right of the role you selected, click on the plus (+) sign. Select "Set Unregistration Date" and select a date. I chose Jan. 1st, 2020 for testing purposes.

Remember to save everything.

And that is it. Your users can now use their Active Directory username and password to register nodes (devices) with PacketFence.

PacketFence 4 Config

As you have probably seen, the guys over at Inverse have released PacketFence 4.0 and then shortly after 4.0.1.

My initial reaction was the new version looks completely different than the older versions and I wasn't sure if I would like it. Now that I have used the new version, I have to say that I like the new web interface. There are a few things that are missing that I found helpful (such as being able to see the logs from web interface), but hopefully they will add them back in soon.

Anyway, on to what you have been waiting for:

How to set up PacketFence 4.0

Before we get knee-deep in configuring PacketFence, we need a few things. First you will need to determine what VLANs you want to use for Registration, Isolation, Inline, and MAC Detection. Next you will need to know all of the IP addresses of your switches that you want PacketFence to manage. If you have an Active Directory and you want to use it, there are some settings that you will need to know. (I will tell you what you need either later in this post or in a separate post.)

Another thing you will need is time. If you are not familiar with VLANs, switches, and/or Linux, give yourself at least a week or more to learn, set up, and understand this project. If you are familiar, give yourself a couple of days.

Here is my setup:
  • PacketFence 4.0.1 installed on a physical server. (I tried installing it on a Hyper-V server, but I had problems with a single NIC and the VLANs.)
    • Management IP address:
  • HP Procurve 2600 and 4100 series switches.
  • VLANs
    • Normal VLANs: 20-29
    • Registration VLAN: 75
    • Isolation VLAN: 76
    • Inline (Guest) VLAN: 80
    • MAC Detection VLAN: 77

Now, it is time to get our hands dirty. The first thing that I did after the initial install and config was to add the PacketFence server address to the end of ip-helper addresses in my HP 4100 switch. By doing this, the PacketFence server will start getting a copy of all the DHCP traffic and start populating its database. You can see this by logging on to your server and clicking on the Nodes tab. Just a personal note, I was surprised at some of the things that it found.
The switch command to add the PacketFence server is:
ip helper-address
What I did next was add all the switches into PacketFence and all the necessary commands to the switches. Depending on the number of switches you have, this may take you a while. Since I had almost 50 switches, it took me almost an entire day to complete this task. The directions on how to get the switches and PacketFence communicating with each other can be found here. I would suggest having the switches in Registration mode until you are ready to put the server into full production on your network.

Now that most of the mundane grunt work is done, it is time to start working on some of the finer details.

If you are not still logged in, log into your PacketFence and click on the "Configuration" tab. Look on the menu on the left hand side and make sure "General" is highlighted. Most of these settings should already be set, but you will have to fine-tune them for your setup. I will give you an overview of each setting.

  • Domain: This is your domain name. In my case it is School.District.K12.State.US. Your domain may be as simple as
  • Hostname: This is the name of your server with the domain at the end. Example:
  • DNS Servers: This is where you enter your production DNS server(s) IP address(es). If you have more than one, make sure you have a comma between each address. Here is how mine is set up:,,
  • DHCP Servers: Same as the DNS servers, enter your production DHCP server(s) IP address(es). This will also help the PacketFence server determine if there is a rogue DHCP server on your network.
  • Locale: Click in the box and select the language you want PacketFence to use. Mine is set to "en_US". If you need more than one language, you can select more.
  • Timezone: I think this is self-explanatory. A list can be found here. Just select a city in your timezone and paste it into the textbox. Mine is set to "America/New_York"
  • Maintenance Interval: I did not change anything here.
  • Memcached Servers: I do not fully understand how memcached servers work yet. The idea is that you can have servers share their memory with one another.

After you have made all of your changes, make sure you click on the "Save" button. If you don't, all of your changes will be discarded.

Now, let's move on to the "Trapping" settings. I know there are a lot of settings here. I am just focusing on the ones that I have made changes to.

  • Addresses Ranges: Enter the IP address range that you want PacketFence to monitor/detect/trap. For my testing purposes, I just entered one range:
  • Registration: I checked this box. This will force the node to register with the server.
  • Whitelist: Enter the MAC addresses (with a comma separating each one) that you want PacketFence to allow through. At the moment, I am blocking all mobile devices and the whitelist allows the school administration iPads access.
  • Redirect URL: This is the website that you want users directed back to once they have registered the device with PacketFence.
Make sure to save the settings.