Monday, November 26, 2012

PacketFence 4.0 Setup (VLAN)

If you are looking for a walk-through on how to install PacketFence, this is not the best place to start. I have another post Here with directions on how to install PacketFence on CentOS 6.3.

-------------------------------------------------
*I am in the process of updating this post for PacketFence 4.0
-------------------------------------------------

Let me start off with this: I am fairly new to PacketFence. I have known about it for several years and I even tried installing it on a server once or twice, but I have never been able to get it to a point where it was something usable. It always seemed I would run into a hiccup and put it on the back burner. Anyway, on to my guide.

Assumptions:
  • Your network uses VLANs
  • Your network is using HP Procurve 2500 & 2600 series switches
  • Your network already has a DHCP server in it

After you install PacketFence, log in to the administration interface, and click through some of the tabs, you will notice that it is pretty empty. To start making information appear, there are some steps we need to take.

In order for PacketFence to do its job, it needs to know MAC addresses. All of them on your network, in fact. If you followed my instructions from an earlier post, you had PacketFence do a complete install and a DHCP server was installed.

1. For PacketFence to start seeing devices on the network, we need to add an ip helper address to the switch that does all of the VLAN routing for your network. In my case, I have an HP Procurve 5300 switch doing that for me. In each VLAN, I added the line "ip helper-address X.X.X.X" where X.X.X.X is the ip address of my PacketFence server. Make sure that your PacketFence server is the last one in the list, otherwise PacketFence may start handing out addresses and cause problems that you do not want.

Now, it may take a few minutes for devices to start showing up in the Node section of the PacketFence Administration Console, but they will start showing up.

2. For PacketFence to "talk" with the switches in your network, you will need to add the switches in PacketFence and add some commands to your switches. Where I work, we do not use the standard "public" and "private" snmp communities.
     - PacketFence Config:
Step 1. Click on "Configuration". On the left hand side click on "Switches". At the bottom, click on "Add Switch". A window will popup.
Step 2.
  1. In "IP Address:" type in the ip address of your switch.
  2. Under "Type", select the type of switch you have. (In my setting, HP ProCurve 2600).
  3. Under "Mode:" select "Production"
  4. Under "Deauthentication Method" select Telnet. (This is the default)
  5. Under "Uplinks:" type in the port numbers that you use to connect to other switches. (In my setting, 25,26)
  6. Click on the "Roles" tab at the top
  7. Under "Registration" type in the VLAN that the device is put into when it needs to register with the PacketFence server. Repeat this step for "Isolation", "MAC Detection", "Inline", "Voice", and "Default".
  8. Click on the "SNMP" tab at the top
  9. For "Version:" select "2c" (This is the default.)
  10. For "Community Read" enter your SNMP community read name. If you are using the standard "public" and "private" communities, "public" goes here.
  11. For "Community Write" enter your SNMP community write name. If you are using the standard "public" and "private" communities, "private" goes here.
  12. For "Auth Password Write" enter your password for the switch.
  13. For "Priv Password Write" enter your password for the switch.
  14. For "Trap Version:" select "2c" (This is the default.)
  15. For "Community Trap" enter your SNMP community write name. If you are using the standard "public" and "private" communities, "private" goes here.
  16. Click on the "CLI" tab at the top
  17. For "Transport" select Telnet (This is the default)
  18. For "Password" and "Enable Password" enter your password for the switch. 
  19. Click on "Save" at the bottom.
     - Switch Config: (This info is also available in the PacketFence Network Devices Configuration Guide on the PacketFence website under Documentation.)
Log into your switch. Make sure to do this using the command line and not the web interface. Enter the configuration mode on your switch. To do this on HP ProCurve switches, you can normally type "config" and then press enter. Now type the commands below:

snmp-server community public manager unrestricted
snmp-server host XXX.XXX.XXX.XXX "public" Not-INFO
no snmp-server enable traps link-change 1-24
port-security 1-24 learn-mode configured action send-alarm

--- Notes ---
* If you are not using the standard public/private snmp communities, make your changes as needed
* Change the XXX.XXX.XXX.XXX to the IP address of your PacketFence server
* I am using a 26-port switch and ports 25 and 26 are my uplink ports, so adjust your numbers as needed.
* Now is a good time to add the VLANs you specified for Registration, Isolation, MAC Detection, and Guest.
* On the switches, I found that if you do not have the PacketFence server first in the list of snmp-server host XXX.XXX.XXX.XXX entries, it causes problems.


Now, your switches and your PacketFence server should be communicating with one another.
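The two ordering rules above (PacketFence last in each VLAN's ip helper-address list, first in the snmp-server host list) are easy to get wrong by hand. As an added example that is not from the post or from PacketFence, here is a small Python audit that checks both rules over a constructed ProCurve-style config snippet; the sample config, the PacketFence address 10.0.1.20 and the function name are all assumptions.

```python
import re

# Constructed ProCurve-style running-config snippet (not a real device dump).
# VLAN 10 follows the rule; VLAN 20 lists the PacketFence server first, which
# is the ordering the post warns about (PacketFence's DHCP would answer first).
SAMPLE_CONFIG = """\
snmp-server host 10.0.1.20 "public" Not-INFO
snmp-server host 10.0.1.5 "public"
vlan 10
   ip address 10.0.10.2 255.255.255.0
   ip helper-address 10.0.1.10
   ip helper-address 10.0.1.20
   exit
vlan 20
   ip address 10.0.20.2 255.255.255.0
   ip helper-address 10.0.1.20
   ip helper-address 10.0.1.10
   exit
"""

def audit_packetfence_ordering(config, pf_ip):
    """Return a list of findings; an empty list means both rules hold.

    Rule 1: in each VLAN that has ip helper-address lines, pf_ip is the LAST.
    Rule 2: pf_ip is the FIRST snmp-server host (trap receiver).
    """
    helpers = {}      # vlan id -> helper addresses in configured order
    snmp_hosts = []   # trap receivers in configured order
    vlan = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"vlan (\d+)$", line)
        if m:
            vlan = m.group(1)
            helpers.setdefault(vlan, [])
        elif line == "exit":
            vlan = None
        elif (m := re.match(r"ip helper-address (\S+)", line)) and vlan:
            helpers[vlan].append(m.group(1))
        elif m := re.match(r"snmp-server host (\S+)", line):
            snmp_hosts.append(m.group(1))
    findings = []
    for vid, addrs in helpers.items():
        if addrs and addrs[-1] != pf_ip:
            findings.append(f"vlan {vid}: PacketFence {pf_ip} is not the last "
                            f"ip helper-address {addrs}")
    if snmp_hosts and snmp_hosts[0] != pf_ip:
        findings.append(f"snmp-server host: PacketFence {pf_ip} is not first "
                        f"{snmp_hosts}")
    return findings

if __name__ == "__main__":
    for finding in audit_packetfence_ordering(SAMPLE_CONFIG, "10.0.1.20"):
        print(finding)
```

On a real network the helper-address lines live on the routing switch and the snmp-server host lines on the access switches, so run the audit over each device's "show running-config" output in turn.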

Tuesday, November 13, 2012

PHP Notes

I am trying to teach myself PHP and this post is just of my notes for PHP. I know a lot of this information is already out there on the web, but it helps me remember and learn when I write things down.

So, needless to say, this post will continue to grow over time.


Beginning and Ending Blocks

Standard Tag: <?php ... ?>
Short Tag: <? ... ?>
Script Tag: <script language="php"> ... </script>

Variables

Variables in PHP begin with a dollar ($) sign and either a letter or an _ (underscore).
Example:
$test
$_1234

Variables do not need to be declared as a type; the PHP engine decides the variable type based on the type of data the variable holds.
Types of Variable:
  • Integer: Whole number
  • Double: Floating point number (decimal point)
  • String: Collection of characters
  • Boolean: True or false

Difference Between =, ==, and ===
  • = : Sets the value of a variable
  • == : Comparative operator; means equivalent (Are variables X and Y apples?)
  • === : Comparative operator; means exactly the same (Are these apples exactly the same? Both have that green and dark red spot?)



Monday, October 22, 2012

Migrate Physical Linux to Hyper-V

This past weekend, I successfully moved a physical Linux box to a Windows Server 2008 R2 Hyper-V host.

I thought this might have been a long and very difficult process, but it wasn't with the help of Clonezilla. I will walk you through the process that I did below.

Items Needed:
Portable USB Hard Drive (I used a 1TB Drive)
CloneZilla ISO/CD

The first step in the process was to make sure that no one was using the server and then to shut the server down.

I then booted up the computer with CloneZilla and followed the on-screen instructions under "Beginner". (I have a bootable flash drive with CloneZilla; if anyone would like directions on how to do that, please let me know and I will post some.)

While Clonezilla was working on backing up the server, I created a Hyper-V virtual server.

Once I had an image file of the physical machine from CloneZilla, I plugged the USB drive into the Server 2008 box.

Now, this was a tricky part for me: how do I get a Hyper-V guest to "see" a physical USB drive? This turned out to be simpler than I thought. If you go into "Disk Management", right click on the USB drive and select "Offline", you can add it to a Hyper-V guest.

Once I added the usb drive to the guest, I booted the guest using Clonezilla ISO. From here, I followed the directions to restore the image. Once it finished, I ejected the ISO from the guest and booted the server.

Once the server finished booting, I made sure that the users could access it. The users have not noticed any difference.

I repeated this process on another server that had a RAID card in it and CloneZilla had no problem with it.


Tuesday, October 16, 2012

How To Setup Wake On LAN With VLANs and HP ProCurve Switches


If you are in a VLAN environment with HP ProCurve switches and want Wake-On-LAN (WOL) packets to be forwarded to different VLANs, this is how I did it.

On the switch that is doing your routing, in my case, a ProCurve 5300 series switch, I typed the commands below.
ip directed-broadcast
ip udp-bcast-forward
vlan 2
     ip address 10.0.2.2 255.255.255.0
     ip forward-protocol udp 10.0.5.255 9
vlan 5
     ip address 10.0.5.2 255.255.255.0

VLAN 2 is where my FOG server sits and the WOL packets it sends out are forwarded to VLAN 5.

------------------------------------------------------
I was recently asked to give a little more detail on this post. (I also found a typo I made and fixed it too. I changed 10.0.16.255 to 10.0.5.255)

This post assumes that you are using virtual LANs or VLANs. If you are not using VLANs, you don't have to do this.

Here is the quick and dirty of VLANs.
- VLANs take your one physical network and break it up into multiple logical networks. The closest example I can give is a hard drive: you can have one physical hard drive but multiple partitions.
Please keep in mind that this is an oversimplification of VLANs and what they can do.

On to the questions.

To expand on this example

  • Let's say that the IP address of my FOG server is 10.0.2.50 with a subnet mask of 255.255.255.0.
  • The server sits in VLAN 2.
  • VLAN 2 gateway address is 10.0.2.2
  • VLAN 5 gateway address is 10.0.5.2
  • The desktop computer that I want to image using FOG is in VLAN 5 and is set up to get an IP address from the DHCP server.
  • The desktop computer is set up to boot from the network (PXE) first and has Wake-On-LAN (WOL) enabled.
Wake-On-LAN (WOL) or "magic" packets are sent as a broadcast to wake up a computer. By design, VLANs keep any kind of broadcast within its own VLAN. (Back to the hard drive example: you can't save a single 500 MB file across two partitions.) This is also what prevents a user or someone else from taking down your entire network when they plug both ends of a network cable into the wall or switch; it will only take down that VLAN.

On HP switches (and I assume other manufacturers as well), you can allow broadcasts to be passed on from one VLAN to another based on IP address and port number. This is where the command "ip forward-protocol udp 10.0.5.255 9" comes into play.

The WOL packet uses UDP port 9. The 10.0.5.255 is the broadcast address for VLAN 5. 

When my FOG server sends out a wake up broadcast (packet) using UDP port 9 in VLAN 2, my HP switch will forward that wake up broadcast (packet) on to VLAN 5.

I hope this clears up any confusion that you may have.

--Updated 3/18/13 9:20am
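As an added example that is not from the post or from FOG, the Python below builds and validates the UDP/9 magic packet described above and derives the directed-broadcast address (10.0.5.255 for VLAN 5) that the forward-protocol rule carries across VLANs. The MAC address, the /24 prefix lengths and the function names are assumptions.

```python
import ipaddress
import socket

WOL_PORT = 9  # the UDP port in the post's "ip forward-protocol udp 10.0.5.255 9"

def mac_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or 'aa-bb-...') into its 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(int(p, 16) for p in parts)

def build_magic_packet(mac):
    """A WOL magic packet: 6 bytes of 0xFF followed by the MAC repeated 16 times."""
    return b"\xff" * 6 + mac_bytes(mac) * 16

def parse_magic_packet(payload):
    """Return the target MAC as a string if payload is a valid magic packet,
    else None. Accepts an optional 6-byte SecureOn password at the end."""
    if len(payload) not in (102, 108) or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def broadcast_for(network):
    """Directed-broadcast address of a VLAN, e.g. '10.0.5.2/24' -> '10.0.5.255'."""
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)

def send_wol(mac, target_vlan_network, port=WOL_PORT):
    """Send the magic packet to the target VLAN's broadcast address, the way
    the FOG server in VLAN 2 reaches the desktop in VLAN 5. Without the
    switch's forward-protocol rule the packet stops at the VLAN boundary."""
    dst = broadcast_for(target_vlan_network)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(build_magic_packet(mac), (dst, port))
    return dst

if __name__ == "__main__":
    # Constructed MAC; nothing is sent here, the packet is only shown.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), "bytes ->", broadcast_for("10.0.5.2/24"), "udp", WOL_PORT)
    print("parses back to", parse_magic_packet(pkt))
```

A capture on the VLAN 5 side should show exactly this 102-byte payload arriving at 10.0.5.255:9 when the switch rule is in place.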

"The Windows Installer Service Could Not Be Accessed"

If you are getting the following message on a Windows XP machine:

    The Windows Installer Service could not be accessed.
    This can occur if you are running Windows in safe
    mode, or if the Windows Installer is not correctly
    installed. Contact your support personnel for assistance.

To resolve this issue, follow these steps:

  1. Log on to your computer as an administrator.
  2. Click Start, and then click Run.
  3. In the Open box, type cmd, and then click OK.
  4. At the command prompt, type msiexec.exe /unregister, and then press ENTER.
  5. Type msiexec /regserver, and then press ENTER.


If you are continuing to have problems, click on the Original Source Link below.


Original Source

Tuesday, October 2, 2012

New Wireless Technology

Check out this new wireless technology that I found on one of our HP ProCurve PoE switches.
Do you need a hint? Look at ports 10 and 11. There is nothing plugged into them but the switch says they are active.

Needless to say, the fault light was lit on this switch and it got replaced.

Wednesday, September 5, 2012

PacketFence 3.5.1 / 3.6.0 / 4.0.1 Install

*If you have been following this post since the beginning: because I have been having so many problems with PacketFence and CentOS 5.8, I have decided to scrap what I have done so far with CentOS 5.8 and go with CentOS 6.3. I have already made the changes below to reflect the 6.3 install.*

I have decided to write up some instructions on how to install PacketFence. If you don't know what PacketFence is, it provides Network Access Control or NAC. A NAC helps you control who can and can't access your network.
You can go Here for more information on PacketFence.

The PacketFence Network Administration Guide, in my opinion, is really not laid out well. You have to jump around the guide to find what you are looking for.

PacketFence uses/requires:
- Web server (httpd)
- DHCP server (dhcpd)
- DNS server (named)
- FreeRADIUS server (radiusd)
- Snort/Suricata Network IDS (snort/suricata)
- Firewall (iptables)

-------------
Okay, on to the installation.
1. Install CentOS. I have installed the bare minimum for CentOS 6.3 32-Bit.
2. After install has completed, login and update the system with the command "yum update".

*At this point I started following PacketFence Administration Guide
3. Disable SELinux.
     - At the command line type "vi /etc/sysconfig/selinux" and press enter.
     - Change SELINUX=enforcing to SELINUX=disabled.
     - Reboot the computer by typing "reboot".
4. There are some third party repositories (repos for short) that are required to get all the proper PacketFence dependencies: Repoforge (previously known as rpmforge), EPEL (Extra Packages for Enterprise Linux), and OpenFusion.
  • rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.`uname -m`.rpm
  • rpm -Uvh http://download.fedoraproject.org/pub/epel/6/`uname -i`/epel-release-6-8.noarch.rpm
  • rpm -Uvh http://www.openfusion.com.au/mrepo/centos6-`uname -i`/RPMS.of/openfusion-release-0.5-1.of.el6.noarch.rpm
* If you are following along in the guide, you might miss a step or two like I did. There are some things that we need to do to the repos, like disabling them by default and excluding some packages.

5. At the command line type:
  • vi /etc/yum.repos.d/rpmforge.repo
    • Change enabled to 0 in each section.
    • Add the line exclude = perl-Apache-Test* to the [rpmforge] section.
  • vi /etc/yum.repos.d/epel.repo
    • Change enabled to 0 in each section.
  • vi /etc/yum.repos.d/openfusion.repo
    • Change enabled to 0 in each section.
    • Add the line exclude = perl-Apache-Test* to the [of] section.
6. Since we have installed CentOS 6 as our OS, we need to take an extra step. Red Hat doesn't seem to provide the perl-Net-Telnet, perl-XML-Simple and perl-SOAP-Lite packages, and PacketFence needs them to run properly.
     Type: yum install perl-Net-Telnet perl-XML-Simple perl-SOAP-Lite --enablerepo=rpmforge-extras,rpmforge

7. Now we need to add the PacketFence repo. Type vi /etc/yum.repos.d/PacketFence.repo and add the text below.

[PacketFence]
name=PacketFence Repository
baseurl=http://inverse.ca/downloads/PacketFence/RHEL$releasever/$basearch
gpgcheck=0
enabled=0


8. To install PacketFence, type yum groupinstall --enablerepo=PacketFence,epel,rpmforge,of Packetfence-complete
This will install all the services PacketFence needs to work properly.
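Steps 5 and 7 boil down to editing INI-style .repo files: set enabled = 0 in every section and add an exclude line to a named section. As an added example that is not from the post or from PacketFence, here is a Python helper that makes those edits idempotently, plus a tiny reader to check the result; the sample file contents and the function names are constructed.

```python
import re

# Constructed sample in yum .repo style (not the real rpmforge.repo file).
SAMPLE_REPO = """\
# Name: RPMforge RPM Repository for RHEL 6 - dag
[rpmforge]
name = RHEL $releasever - RPMforge.net - dag
baseurl = http://apt.sw.be/redhat/el6/en/$basearch/rpmforge
enabled = 1
gpgcheck = 1

[rpmforge-extras]
name = RHEL $releasever - RPMforge.net - extras
enabled = 0
gpgcheck = 1
"""

def disable_repo(text, exclude_in=(), exclude="perl-Apache-Test*"):
    """Return the .repo text with 'enabled = 0' in every section and an
    'exclude = ...' line added to each section named in exclude_in
    (left alone when that section already has an exclude line)."""
    out, section, seen_exclude = [], None, False

    def close_section():
        if section in exclude_in and not seen_exclude:
            i = len(out)
            while i and not out[i - 1].strip():   # keep blank separators last
                i -= 1
            out.insert(i, f"exclude = {exclude}")

    for line in text.splitlines():
        header = re.match(r"\[([^\]]+)\]", line.strip())
        if header:
            close_section()
            section, seen_exclude = header.group(1), False
        elif re.match(r"\s*enabled\s*=", line):
            line = "enabled = 0"
        elif re.match(r"\s*exclude\s*=", line):
            seen_exclude = True
        out.append(line)
    close_section()
    return "\n".join(out) + "\n"

def parse_repo(text):
    """Minimal INI reader, {section: {key: value}}, for checking the result."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections
```

Because the repos stay disabled, the later yum commands in this post have to name them explicitly with --enablerepo, which is the point of step 5.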

9. Now we need to setup PacketFence for our network. On a different computer, open a web browser and go to http://x.x.x.x:3000/configurator.
*For Version 3.6.0, the address is http://x.x.x.x:1444/configurator
*For Version 4.0.1, the address is  http://x.x.x.x:1443/configurator

If you cannot get to the webpage, you will need to turn off the firewall on the server. To do this, type the following: service iptables stop

  • Step 1: Choose the type of Enforcement that you want. Either Inline Enforcement or VLAN Enforcement. For my situation, I have selected both.
         - Inline Enforcement means that the PacketFence server will sit between the computer and the network/internet.
         -  VLAN Enforcement means that the PacketFence server does not sit between the computer and the network/internet. It will change the config on the managed switch for each individual port on the switch.
  • Step 2: Networks. Add your networks.
    If you are using VLAN Enforcement, make sure you specify your Management VLAN, Registration VLAN, and Isolation VLAN.
         - To add a VLAN, click on "Add VLAN" under Actions.
  • Step 3: Database Configuration
         -  Click on Test. You will be asked to set the MySQL admin password.
    *Note: If you receive an error message when you click on test, make sure MySQL is running on the server.
         - Click on "Create the database".
         - Under "Create a PacketFence account" type in a password and then type it again to confirm it. Now click on "Create User".
  • Step 4: PacketFence Configuration
    Type in your domain, the hostname of the server, any DHCP servers on your network under General.
    Type in an email address under Alerting.
  • Step 5: Administration
    Create a username and password for the administration interface.
  • Step 6: Start PacketFence
    Click on "Start PacketFence"
Once PacketFence is started, you will be asked if you want to go to the Administration Interface, I clicked yes and then was taken to the admin page.



This concludes how to set up a PacketFence server. I will post more on how to do other things in PacketFence once I have a chance to fully set it up at my workplace.

*Update: EPEL has been updated from 6.7 to 6.8. I have changed it in the directions above.