Pages

Monday, July 1, 2013

PacketFence 4 Config

As you have probably have seen, the guys over at Inverse have released PacketFence 4.0 and then shortly after 4.0.1.

My initial reaction was the new version looks completely different than the older versions and I wasn't sure if I would like it. Now that I have used the new version, I have to say that I like the new web interface. There are a few things that are missing that I found helpful (such as being able to see the logs from web interface), but hopefully they will add them back in soon.

Anyway, on to what you have been waiting for:

How to setup PacketFence 4.0

Before we get knee-deep in configuring PacketFence, we need a few things. First you will need to determine what VLANs you want to use for Registration, Isolation, Inline, and MAC Detection. Next you will need to know all of the IP addresses of your switches that you want PacketFence to manage. If you have an Active Directory and you want to use it, there are some settings that you will need to know. (I will tell you what you need either later in this post or in a separate post.)

Another thing you you will need is time. If you are not familiar with VLANs, switches, and/or Linux, give yourself at least a week or more to learn, setup, and understand this project. If you are familiar, give yourself a couple of days.

Here is my setup:
  • PacketFence 4.0.1 installed on a physical server. (I tried installing it on a Hyper-V server, but I had problems with a single NIC and the VLANs.)
    • Management IP address: 10.10.10.10
  • HP Procurve 2600 and 4100 series switches.
  • VLANs
    • Normal VLANs: 20-29
    • Registration VLAN: 75
    • Isolation VLAN: 76
    • Inline (Guest) VLAN: 80
    • MAC Detection VLAN: 77

Now, it is time to get our hands dirty. The first thing that I did after the initial install and config was to add the PacketFence server address to the end of ip-helper addresses in my HP 4100 switch. By doing this, the PacketFence server will start getting a copy of all the DHCP traffic and start populating its database. You can see this by logging on to your server and clicking on the Nodes tab. Just a personal note, I was surprised at some of the things that it found.
The switch command to add the PacketFence server is:
ip helper-address 10.10.10.10
What I did next was add all the switches into PacketFence and all the neccessary commands to the switches. Depending on the amount of switches you have, this may take you a while. Since I had almost 50 switches, it took me almost an entire day to complete this task. The directions on how to get the switches and the PacketFence communicating with each other can be found here. I would suggest having the switches in Registration mode until you are ready to put the server into full production on your network.

Now that most of the mundane grunt work is done, now it is time to start working on some of the finer details.

If you are not still in it, log into your PacketFence and click on the "Configuration" tab. Look on the menu on the left hand side and make sure "General" is highlighted. Most of these setting should already be set but you will have to fine tune them for your setup. I will give you an overview of each setting.

  • Domain: This is your domain name. In my case it is School.District.K12.State.US. Your domain may be as simple as Company.com.
  • Hostname: This is the name of your server with the domain at the end. Example: PacketFence.Company.com
  • DNS Servers: This is where you enter your production DNS server(s) IP address(es). If you have more than one, make sure you have a comma between each address. Here is how mine is setup: 10.10.10.5,10.10.10.6,127.0.0.1
  • DHCP Servers: Same as the DNS servers, enter your production DHCP server(s) IP address(es). This will also help the PacketFence server determine if there is a rouge DCHP server on your network.
  • Locale: Click in the box and select the language you want PacketFence to use. Mine is set to "en_US". If you need more than one language, you can select more.
  • Timezone: I think this is self explanatory. A list can be found here. Just select a city in your timezone and paste it in to the textbox. My is set for "America/New_York"
  • Maintaince Interval: I did not change anything here.
  • Memcached Servers: I do not fully understand how memcached servers work yet. The idea is that you can have servers share their memory with one other.

After you have made all of your changes, make sure you click on the "Save" button. If you don't, all of your changes will be discarded.

Now, lets move on to the "Trapping" settings. I know there are a lot of settings here. I am just focusing on the ones that I have made changes in.

  • Addresses Ranges: Enter the IP address range that you want PacketFence to monitor/detect/trap. For my testing purposes, I just entered one range: 10.10.11.0/24.
  • Registration: I checked this box. This will force the node to register with the server.
  • Whitelist: Enter the MAC addresses (with a comma separating each one) that you want PacketFence to allow through. At the moment, I am blocking all mobile devices and the whitelist allows the school administration iPads access.
  • Redirect URL: This is the website that you want user directed back to one they have registered the device with PacketFence.
Make sure to save the settings.










3 comments:

  1. It is great that a single tool can provides you such a large number of services.

    Thanks
    Silvester Norman

    Change Mac Address




    ReplyDelete
  2. How can you use PF effectively without the server being inline. I'd like to use vlan enforcement, but how would you present the registration page to an user when the server is out of band?

    I'm assuming to mitigate things like p2p traffic it would drop them in a different VLAN which can be done SNMP and doesn't need to be inline. However I don't see how the registration process would work.

    ReplyDelete
    Replies
    1. I am not sure if my setup is the most efficient way to do it but I have the registration vlan setup to be inline.

      When using vlan enforcement, I had to enable port security on my HP Procurve switches. When a device is plugged into a switch that is new to it, the switch sends an snmp message with the device MAC address and the switch port it is connected to to the PacketFence server. PacketFence compares that address with what is already in its database. If the device is already registered and allowed, PacketFence will log in and configure the switch port to the correct vlan.

      If the device is not in the database or is in the database but not registered, PacketFence will log in the the switch and configure the switch port for your registration vlan.

      All of this takes place in less than a second.

      When the device is in the registration vlan, in order for PacketFence to present the registration page, the gateway on the device should be the PacketFence server. This is where sub-interfaces come in to play (or additional interfaces if you are using Hyper-V).

      I hope this helps you understand how PacketFence works.

      Delete