  #1 OllieC

    PacketFence

    Hi all...

    We're playing with PacketFence at the moment for BYOD. As we've found that it's compatible with our Extricom wireless controllers and HP switches, it seems like the ideal solution - it looks ace when running but we're struggling to get through the configuration. The documentation is a bit painful - it covers configuration options but gives very little actual guidance.

    Has anyone here had any experience with it? Any advice, tips? Is there anyone around the west mids who's already using it - would be fantastic to get a nosey of an operational system.

    Thanks

  #2 plexer
    @Geoff has played with it I think.

    Ben

  #3 Geoff
    Yes I have deployed it in the past. I do not possess a working system at the moment as it isn't required (I just murder people if they BYOD instead). Ask away though, I can probably help.

  #4 ceebster
    You're going to regret this! :P

    Okay, so we've got PacketFence installed. We've got a vague idea of VLANs and addressing although it's not exactly clear how we need to be using them...

    We've created VLAN 16 for registration and 17 for isolation then 18 for MacDetection.

    16 and 17 are identified in the interfaces config in PF along with the management interface.

    We've then initially configured an Extricom controller with SNMP and two ESSIDs - public and private, the public being no encryption but MAC authentication against the packetfence server (added as a radius server) and the (hidden) secure ESSID which has MAC authentication, WPA2 enterprise AES only and again authentication server pointing to radius on packetfence.

    We're just a bit confused about how the VLANs and addressing should work - do we need to do DHCP for registration and isolation, how do the switches know to mediate the connection once a user is registered etc.
    Does PacketFence deal with DHCP on registration and isolation... if so, how? And then I assume for our actual authenticated VLAN, it's dealt with by our own DHCP.. or are we completely off?

    The documentation is pretty useless so we're feeling a bit lost with all this... sorry for the utterly confused and hectic post.. I'm sure we're getting closer to a working system haha.

    Edit: whoops - didn't notice I was signed in as the boss.. same person/problem! :P

  #5 Geoff
    Let's answer each question in turn.

    > do we need to do DHCP for registration and isolation
    It depends on your equipment. If all your infrastructure supports 802.1X then no. If you have a mix of infrastructure that understands 802.1X or can be controlled via SNMP then no. Otherwise yes.

    > how do the switches know to mediate the connection once a user is registered
    If it's an 802.1X supported switch it will change the port VLAN tagging over as soon as the RADIUS auth is accepted by packetfence. If it's an SNMP switch it will be told to change its port VLAN tagging when packetfence writes out the config change via SNMP.

    > Does PacketFence deal with DHCP on registration and isolation
    This only matters in an 'inline' configuration, which you only have to use if you have 'dumb' switches/APs. You basically put packetfence between your 'secure' network and everything else and route all traffic through it. It acts much like a firewall does on your Internet gateway but isolates clients by refusing them a DHCP lease/ARP poisoning/iptables rules.

    > And then I assume for our actual authenticated VLAN, it's dealt with by our own DHCP.. or are we completely off?
    Indeed, in this case packetfence will control client access via the switch ports using 802.1X and/or SNMP commands. Indeed clients cannot even get a DHCP lease on the authorised VLAN until packetfence has let them on.
    Last edited by Geoff; 19th July 2013 at 01:25 PM.


  #6 OllieC
    Thanks so far, Geoff.. just being able to confirm these basic points has been a huge help. Apologies for the late reply - have been on holiday.

    Here's what I've pieced together so far.

    Registration VLAN
    Isolation VLAN
    Authenticated VLAN

    Authenticated VLAN has an IP range on our DHCP.

    I'm a little hazy about the MAC detection VLAN that some people have mentioned.. is this something that we need and how does it tie in configuration-wise?..
    Also, is it something that needs adding to the interfaces page in the packetfence configuration... as with the three aforementioned.. should all of those be present in the interface configuration? - I ask because packetfence gives you the option for management, isolation, registration or "other" when adding a VLAN to an interface so not sure where our authenticated or this mysterious MAC detection would go?


    The Extricom wireless Controllers have an SNMP connection to packetfence.

    I've created a "secure" ESSID on the Extricom wireless controllers that uses WPA/2 Enterprise, AES only with packetfence configured as the Radius authentication server.
    In accordance with a guide found online I've also created a "public" ESSID that uses MAC Authentication, using the packetfence server for the radius authentication.

    The secure ESSID is hidden. I'm not entirely sure what the purpose of having two set up is, does packetfence mediate between the two or do they both essentially do the same, one connection just being encrypted?

    I also have left the VLAN assignment on the ESSIDs blank, assuming that packetfence deals with this entirely with SNMP.. is this correct or do they need attaching to a specific VLAN?

    Following previous searches on the internet we've added our packetfence server as an IP helper on the core switches for the above mentioned VLANs. Is there any SNMP communication required for these switches as we're only planning on controlling the wireless access.../is the IP helper configuration required in this setup?

    Thanks again,
    Ollie

  #7 mac_shinobi
    Just tagging @Geoff !!


  #8 Geoff
    > I'm a little hazy about the MAC detection VLAN that some people have mentioned.. is this something that we need and how does it tie in configuration-wise?..
    This is only relevant if you have switches set to use Link Change SNMP Traps and MAC notification SNMP Traps. Basically there's a delay between the device being connected (Link Change) and the switch working out what the MAC address (MAC notification) of the device is. During that time packetfence will isolate the device in the MAC detection VLAN. The MAC detection VLAN should have absolutely nothing on it and be unroutable.

    > I've created a "secure" ESSID on the Extricom wireless controllers that uses WPA/2 Enterprise, AES only with packetfence configured as the Radius authentication server.
    > In accordance with a guide found online I've also created a "public" ESSID that uses MAC Authentication, using the packetfence server for the radius authentication.
    >
    > The secure ESSID is hidden. I'm not entirely sure what the purpose of having two set up is, does packetfence mediate between the two or do they both essentially do the same, one connection just being encrypted?
    Your 'public' (and optionally 'guest') ESSID should have no wifi authentication on it. Basically clients connect to the 'public' ESSID then packetfence allows them access to the 'private' ESSID on successful authentication (via captive portal). Your public ESSID should have minimal services available (just enough to get people to the captive portal and fix whatever 'issues' they might have preventing them from getting authorised). Packetfence will control the VLAN assignment for clients via RADIUS attributes. Packetfence will throw clients off with SNMP deauthentication traps. I would not recommend hiding ESSIDs, it doesn't help with security and will confound your users.

    > is the IP helper configuration required in this setup?
    If you're using 802.1X then there is only really RADIUS/SNMP traffic involved. You will need to run some form of DHCP/DNS/etc for your public clients before they auth but this doesn't have to be packetfence.
    Last edited by Geoff; 5th August 2013 at 04:31 PM.

  #9 ceebster
    Hi Geoff

    Appreciate your help so far. Another quick question: I assume once we have created the "Mac Detection VLAN" we still have to have this tagged on our switches between our trunks and the packet fence server?

    Thanks in advance

    Regards


    Chris

  #10 Geoff
    No, you shouldn't have the MAC detection VLAN be routable anywhere.

  #11 ceebster
    Hi Geoff

    Thanks for clarifying that. In response to Ollie's bit, regarding creation of the initial first ESSID, which VLAN do we assign this to?

    Would we initially start with the registration VLAN, then packet fence automatically moves users to authenticated or isolation, as I don't think we can assign multiple VLANs to one ESSID?

    Thanks

    Chris

  #12 Geoff
    It is a requirement for packetfence to function that you can assign multiple dynamic VLANs to an ESSID via 802.1X/RADIUS auth and/or SNMP.

  #13 OllieC
    Thanks for your help so far, Geoff! We've decided to go inline mode for our bring-your-own-device and guest wifi access.

    We've got packetfence happily handing out IPs to nodes which are able to see the captive portal and then log in with their AD credentials.

    Our next hurdle is internet access. The packetfence server has a management interface on our server VLAN that the internet is accessible on; however, as our inline interface for connected nodes is a 172.16 range, which is outside of the BGFL network, it is not possible to carry eduproxy to it.

    From my understanding, what is needed here is a form of transparent proxy.

    Can Squid route between the two networks aaaaand deal with the proxy address that is required for internet access? (eduproxy.bgfl.org) meaning that connected nodes do not need to configure any proxy settings.

    Does anybody have any experience with this, particularly working with NAC?

    Thanks

  #14 Geoff
    Short answer is yes. In three easy steps:

    1. Make sure your basic routing works on the packetfence machine.
    2. IPTables to transparent proxy HTTP to squid.
    3. Setup squid to use your upstream proxy.

  #15 OllieC
    Hi Geoff,

    Thanks for getting back to me...


    Have installed squid and configured IP tables appropriately but seeing nothing different on the client end and nothing being written to squid log... not sure what I'm missing, pretty new to Squid.

    Here's my squid conf...

    eth0 is attached to the server vlan with internet access... the IP of this interface is 10.134.33.101
    eth1 is attached to the 22 inline VLAN for devices to connect to. IP range of this interface is 172.16.0.0/22
    Outgoing proxy is eduproxy.bgfl.org:80

    Code:
    # Squid listens on 3128 for intercepted HTTP, so clients need no proxy setting
    http_port 3128 transparent
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    cache deny QUERY
    # Upstream parent: requests are forwarded to eduproxy.bgfl.org:80 (see never_direct below)
    cache_peer eduproxy.bgfl.org parent 80 0  no-query no-digest
    acl apache rep_header Server ^Apache
    access_log /var/log/squid/access.log squid
    hosts_file /etc/hosts
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563 # https, snews
    acl SSL_ports port 873 # rsync
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 631 # cups
    acl Safe_ports port 873 # rsync
    acl Safe_ports port 901 # SWAT
    acl purge method PURGE
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    # Only this box's server VLAN address and the inline client range may use the proxy
    acl lan src 10.134.33.101 172.16.0.0/22
    http_access allow localhost # duplicate of the line above, harmless
    http_access allow lan
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    visible_hostname ats-pf-squid
    # Never fetch directly; every request goes via the cache_peer parent
    never_direct allow all
    coredump_dir /var/spool/squid
    IP tables...
    Code:
    # Matches on eth1 (the inline client side) but uses DNAT, whose --to-destination
    # takes ip[:port]; a bare local port is what REDIRECT --to-ports is for
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 3128
    # Redirects HTTP to Squid, but only for packets arriving on eth0, the server VLAN side
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    Anything obvious that I've missed or done wrong? :/

    Thanks,
    Ollie
    Last edited by OllieC; 15th August 2013 at 02:05 PM.
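An added example, not part of Ollie's post or PacketFence's own code: Geoff's steps 2 and 3 as a POSIX shell script for the interfaces and proxy named above (eth1 as the inline side, 172.16.0.0/22, eduproxy.bgfl.org:80), plus the first check a practitioner makes when the Squid log stays empty, namely whether the REDIRECT rule is actually loaded and matching packets. The PacketFence address on the inline VLAN (172.16.0.1) is an assumed value, and the counter listing is a constructed sample.

```shell
#!/bin/sh
# Transparent HTTP interception on the PacketFence inline interface with
# Squid chained to the upstream proxy. Names/addresses are from the thread;
# PF_IP (the PacketFence address on the inline VLAN) is an assumed value.
INLINE_IF="${INLINE_IF:-eth1}"            # client-facing inline interface
INLINE_NET="${INLINE_NET:-172.16.0.0/22}"
PF_IP="${PF_IP:-172.16.0.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
UPSTREAM="${UPSTREAM:-eduproxy.bgfl.org}"
UPSTREAM_PORT="${UPSTREAM_PORT:-80}"
# Step 2: the nat rule, printed rather than applied (pipe into sh as root).
# Only port-80 traffic from the inline network arriving on the inline
# interface is redirected; traffic to the PacketFence box itself is left
# alone so its captive portal on port 80 keeps working.
nat_rules() {
  echo "iptables -t nat -A PREROUTING -i $INLINE_IF -s $INLINE_NET ! -d $PF_IP" \
       "-p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Step 3: minimal squid.conf. 'intercept' is the Squid 3.1+ spelling of the
# older 'transparent'; never_direct forces every request via the parent.
squid_conf() {
  cat <<EOF
http_port $SQUID_PORT intercept
cache_peer $UPSTREAM parent $UPSTREAM_PORT 0 no-query no-digest default
never_direct allow all
acl inline_net src $INLINE_NET
http_access allow inline_net
http_access deny all
EOF
}

# Diagnostic for an empty access.log: given the text of
# "iptables -t nat -vnL PREROUTING", return the packet count of the REDIRECT
# rule on the inline interface, or "missing" if no such rule is loaded.
redirect_hits() {
  printf '%s\n' "$1" | awk -v ifc="$INLINE_IF" -v port="$SQUID_PORT" '
    $3 == "REDIRECT" && $6 == ifc && index($0, "redir ports " port) { found = 1; n += $1 }
    END { print (found ? n + 0 : "missing") }'
}

# Constructed sample of that listing after the rule has matched 42 connections.
SAMPLE='Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  eth1   *       172.16.0.0/22       !172.16.0.1           tcp dpt:80 redir ports 3128'

nat_rules
squid_conf
echo "REDIRECT hits on $INLINE_IF: $(redirect_hits "$SAMPLE")"
```

On the PacketFence box, `nat_rules | sh` installs the rule and `redirect_hits "$(iptables -t nat -vnL PREROUTING)"` reads the live counters instead of the sample.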
