Packetfence
Packetfence is an open source Network Access Control (NAC) solution developed by Inverse Inc. It provides a RADIUS server that pools together authentication sources such as Active Directory, the Google suite, htpasswd files, another RADIUS server and generic LDAP. Through that RADIUS server it also supports several methods of authenticating client devices, including 802.1X (dot1x).
Installing Packetfence
A Debian-based installation ISO for Packetfence is available for download here; the stable release is recommended. It comes with all of the main services pre-installed and set to sane defaults. The minimum requirements are 200 GB of storage and 16 GB of RAM. Multiple network interfaces are recommended, one for management and others for other roles, but for documentation's sake we'll start with a single interface.
- Set the hostname.
- Specify the domain name if not autopopulated through DHCP.
- Set the root password.
- After you set the root password the installer runs for a while, up to an hour, and may appear stuck at some points. Be patient.
UEFI fix
Installing Packetfence on Proxmox with the standard recommended VM settings (Q35 machine type, OVMF BIOS) causes a problem after the machine reboots: you are dropped into the yellow-and-black UEFI shell and have to run fs0:\efi\debian\grubx64.efi by hand on every boot, which obviously is not workable.
To fix this, on the first boot of this machine[1]:
- Press ESC immediately to get into the BIOS.
- Go to 'Boot Maintenance Manager'
- Go to 'Boot Option'
- Go to 'Add Boot Option'
- Press enter on the 'PciRoot' volume
- Select EFI and press enter
- Select the debian folder.
- Select grubx64.efi and press enter.
- Enter "Boot into Packetfence" as the description.
- Press F10 to save.
- Go to 'Commit Changes and Exit'
- Select 'Change Boot Order'
- Press enter to get the listing of boot devices.
- Go to 'Boot into Packetfence'
- Press + until this boot option is on top of the list and press enter
- Press F10 to save (just to be sure)
- Select 'Commit Changes and Exit'
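Once you have booted into Packetfence by either route, the same fix can be made to stick from inside the Debian system rather than through the firmware menus. The script below is an added example, not something from the page or from the PacketFence project. It assumes (the page does not say) that the EFI System Partition is mounted at /boot/efi and that GRUB lives at EFI/debian/grubx64.efi, which is the stock Debian layout implied by the fs0:\efi\debian\grubx64.efi path above. It does two independent things: it copies GRUB to the removable-media fallback path EFI/BOOT/BOOTX64.EFI, which UEFI firmware tries when it has no usable NVRAM boot entry, and, where efibootmgr and the EFI variables are available, it recreates the named boot entry that the menu steps add by hand.

```shell
#!/bin/sh
# Added example (not PacketFence code). Assumptions: ESP mounted at /boot/efi,
# GRUB at EFI/debian/grubx64.efi (stock Debian layout). Run as root on the VM.
set -eu

# install_fallback_loader ESP_DIR
# Copies EFI/debian/grubx64.efi to EFI/BOOT/BOOTX64.EFI. Firmware falls back to
# that path when it has no boot entry, so the VM still boots if OVMF forgets
# the entry added through the menus. Returns 1 if the GRUB image is missing.
# Caveat: with Secure Boot enforced, copy shimx64.efi to the fallback path instead.
install_fallback_loader() {
    esp=$1
    src="$esp/EFI/debian/grubx64.efi"
    if [ ! -f "$src" ]; then
        echo "no GRUB image at $src" >&2
        return 1
    fi
    mkdir -p "$esp/EFI/BOOT"
    cp "$src" "$esp/EFI/BOOT/BOOTX64.EFI"
    cmp -s "$src" "$esp/EFI/BOOT/BOOTX64.EFI"
}

# register_boot_entry DISK PARTNUM LABEL
# Recreates the NVRAM entry ("Add Boot Option" plus "Change Boot Order" above);
# efibootmgr -c adds the new entry at the head of BootOrder. Returns 2 when the
# tool or the EFI variables are unavailable (e.g. on a non-EFI host), so the
# caller can treat that as "skipped" rather than as a failure.
register_boot_entry() {
    disk=$1
    partnum=$2
    label=$3
    if ! command -v efibootmgr >/dev/null 2>&1 || [ ! -d /sys/firmware/efi/efivars ]; then
        echo "efibootmgr or efivars unavailable, skipping NVRAM entry" >&2
        return 2
    fi
    efibootmgr -c -d "$disk" -p "$partnum" -L "$label" -l '\EFI\debian\grubx64.efi'
}

# Usage on the VM:  sh fix-uefi-boot.sh --apply /boot/efi /dev/sda 1
# (/dev/sda and partition 1 are assumed values; check them with lsblk first.)
if [ "${1:-}" = "--apply" ]; then
    install_fallback_loader "$2"
    register_boot_entry "$3" "$4" "Boot into Packetfence" || [ $? -eq 2 ]
fi
```

The fallback copy is the part worth doing even if the NVRAM entry works today, because it does not depend on the firmware remembering anything.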
First time configuration
Packetfence has most likely received a DHCP lease from your DHCP server. Check the server's lease table, or log in on the console and run ip addr, to find the address. Assuming a lease of 192.168.1.128, open the configurator at https://192.168.1.128:1443/. The first screen lists the network interfaces; click the one you want for management and a submenu lets you set its network settings. The change takes effect immediately, so you will have to reopen the configurator at the new address. The next few prompts are straightforward: create the admin user and password and select the management interface. Set the domain and hostname if you want to change what was set during the Debian installation, and specify a timezone and the log recipients.
Under the log recipients section, we recommend switching to the advanced settings view (top right corner of the settings card) so you can enter your SMTP server settings.
You can skip the Fingerbank setting if you don't intend to use it.
Save the passwords generated for the internal services somewhere safe: they can neither be retrieved later nor changed. Reboot the machine once the configuration is done, for good measure, since not every service is properly restarted after the wizard concludes.
Authentication and authorization flow preamble
This is where things get murky: the official documentation lacks clarity and specificity.
The flow is as follows:
- A device connects to a Packetfence-managed network device such as a Cisco switch. The switch port and the client's NIC speak EAP with each other (802.1X, EAP over LAN).
- The switch is configured to relay those EAP messages to the Packetfence server inside RADIUS requests, so Packetfence sees the credentials the user presented over EAP.
- Packetfence acts as the arbiter between all of your authentication sources and their configuration (which is what we configure below) and decides what the switch should do with that user's port. The decision goes back to the switch in the RADIUS response.
- Once the user has authenticated, the port they are connected to is placed in a VLAN, on which we assume you have a properly configured DHCP server waiting. With authentication handled and the VLAN set by Packetfence, the rest of your network infrastructure needs no changes to accommodate the user.
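To make the RADIUS leg of that flow concrete, here is an added example (not code from the page or from PacketFence) that builds both sides of the exchange in memory with the Python standard library: the "switch" wraps the supplicant's EAP message in an Access-Request carrying a Message-Authenticator, the "server" answers with an Access-Accept carrying the RFC 3580 VLAN attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>), and the switch checks the Response Authenticator before it acts on the VLAN. The shared secret, packet identifier, username "alice" and VLAN 20 are constructed sample values; the inner EAP method and the network transport are deliberately out of scope.

```python
# Added example, not PacketFence code. Secret, identifier, user and VLAN below
# are constructed sample values; nothing is sent on the network.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # RFC 2868 / RFC 3580 values


def attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(raw):
    """Walk an attribute list; reject lengths that would loop or overrun."""
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute list")
        out.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return out


def build_access_request(secret, ident, request_auth, username, eap_payload):
    """Switch -> server. Message-Authenticator (RFC 2869) is HMAC-MD5 over the
    whole packet with its own value zeroed; it is required when EAP is relayed."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(EAP_MESSAGE, eap_payload)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac              # Message-Authenticator is the last attribute


def verify_request(secret, request):
    """Server side: recompute Message-Authenticator; False if absent or wrong."""
    raw, i = request[20:], 0
    while i + 2 <= len(raw) and raw[i + 1] >= 2:
        if raw[i] == MESSAGE_AUTHENTICATOR and raw[i + 1] == 18:
            start = 20 + i + 2
            zeroed = request[:start] + bytes(16) + request[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, request[start:start + 16])
        i += raw[i + 1]
    return False


def build_access_accept(secret, request, vlan_id, tag=1):
    """Server -> switch: RFC 3580 VLAN assignment, all three attributes sharing
    one tag. The Response Authenticator (RFC 2865 s.3) is MD5 over
    Code+ID+Length+RequestAuth+Attributes+Secret, binding reply to request."""
    ident, request_auth = request[1], request[4:20]
    attrs = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request, response):
    """Switch side: a reply that fails this check is dropped, so a forged
    Access-Accept from anything but the real server cannot open the port."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def assigned_vlan(response):
    """VLAN id from an Access-Accept, or None when the tunnel attributes are
    missing, inconsistently tagged, or do not describe an 802 VLAN."""
    if response[0] != ACCESS_ACCEPT:
        return None
    by_tag = {}
    for atype, value in parse_attrs(response[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value and value[0] <= 0x1F:
            by_tag.setdefault(value[0], {})[atype] = value[1:]
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and group.get(TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(group[TUNNEL_PRIVATE_GROUP_ID])
    return None


def demo(vlan_id=20, secret=b"constructed-shared-secret"):
    """One full exchange; returns the VLAN the switch would put the port in."""
    identity = b"alice"   # EAP-Response/Identity: Code=2 Id=1 Length Type=1 identity
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    request = build_access_request(secret, 7, os.urandom(16), "alice", eap)
    if not verify_request(secret, request):
        raise RuntimeError("server would discard this request")
    accept = build_access_accept(secret, request, vlan_id)
    if not verify_response(secret, request, accept):
        raise RuntimeError("switch would discard this reply")
    return assigned_vlan(accept)


if __name__ == "__main__":
    print("switch assigns VLAN", demo())
```

Two points this makes visible that the prose does not: the shared secret is the only thing that authenticates the server to the switch (MD5-based, so protect it and the RADIUS path accordingly), and a flipped byte in the VLAN string invalidates the Response Authenticator, which is why the switch must verify before it programs the port.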
The first thing we need to define is the connection point between your Packetfence server and your Active Directory Domain Controller.