Packetfence

From RoseWiki
Revision as of 11:42, 28 October 2024 by Maeve (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Packetfence is an open source Network Access Control solution developed by Inverse Inc. It provides a RADIUS server that pools together authentication sources from Active Directory, the Google suite, HTPasswd, another RADIUS server, generic LDAP, etc. It also has several supported methods, through its RADIUS server, of allowing authentication to client devices, including dot1x.

Installing Packetfence

A Debian-based installation ISO for Packetfence is available for download here. The stable release is recommended. This release comes with all of its main services pre-installed and given sane defaults. A minimum requirement of 200GB of storage and 16GB of ram. It is recommended to use multiple network interfaces, one for management and several for other purposes, but for documentation's sake we'll start with one network interface.

  1. Set the hostname.
  2. Specify the domain name if not autopopulated through DHCP.
  3. Set the root password.
  4. After setting the root password, the installer will take some time. It may appear stuck at some points, but it just takes a while. Up to an hour. Be patient.

UEFI fix

When you install Packetfence on Proxmox using the standard recommended configuration settings (Q35 machine type, OVMF bios) will result in some issues after the machine reboots. You'll be prompted with a yellow and black UEFI shell, requiring you to run fs0:\efi\debian\grubx64.efi every time the machine boots, which is obviously not going to work if the host loses power.

To fix this, on the first boot of this machine[1]:

  1. Press ESC immediately to get into the BIOS.
  2. Go to 'Boot Maintenance Manager'
  3. Go to 'Boot Option'
  4. Go to 'Add Boot Option'
  5. Press enter on the 'PciRoot' volume
  6. Select EFI and press enter
  7. Select the debian folder.
  8. Select grubx64.efi and press enter.
  9. Enter "Boot into Packetfence" as the description.
  10. Press F10 to save again.
  11. Go to 'Commit Changes and Exit'
  12. Select 'Change Boot Order'
  13. Press enter to get the listing of boot devices.
  14. Go to 'Boot into Packetfence'
  15. Press + until this boot option is on top of the list and press enter
  16. Press F10 to save (just to be sure)
  17. Select 'Commit Changes and Exit'

First time configuration

Packetfence most likely received a DHCP lease from your DHCP server. You can either check your DHCP server or run ip addr to determine the default IP address. Assuming a DHCP lease of 192.168.1.128, access the management interface from https://192.168.1.128:1443/. The first prompt will be a listing of network interfaces. Click the interface and it will take you to a submenu where you can specify the network settings for management. This will take effect immediately so you will need to navigate to the new address. The first few prompts are extremely straight forward, generating the admin user account and password, and selecting the management interface. Set your domain and hostname if you wish to change them from what was set during Debian installation. Also specify a timezone and log recipients.

Under the log recipients section, we recommend using the advanced settings context in the top right corner of the settings card so you can specify your SMTP server host settings.

You can skip the Fingerbank setting if you don't intend to use it.

Save the default passwords generated for the internal services somewhere safe as they can neither be retrieved again or altered. Reboot the machine after the configuration is done, for good measure. Not every source gets properly restarted after the wizard concludes.

Authentication and authorization flow preamble

This is where things get murky with the official documentation lacking clarity and specificity.

The flow of behavior is as follows:

  1. Device connects through Packetfence client device like a Cisco switch - this uses EAP between the port on the device and the NIC of the client machine.
  2. The switch then has a configuration that tells it to communicate to the Packetfence server using RADIUS, providing Packetfence with the credentials the user gave over EAP.
  3. Packetfence acts a grand arbiter between all of your unique authentication sources and configurations (which is what we will configure below) and determines what to tell the switch to do with that user's port. This response is over RADIUS.
  4. Once the user has authenticated, the port they're connected to is assigned a VLAN, which we will assume you have a properly configured DHCP server waiting on. Once Packetfence has taken care of the user's authentication and set the VLAN, the rest of your networking infrastructure is unchanged to accommodate the user.

The first thing we need to define is the connection point between your Packetfence server and your Active Directory Domain Controller.

Active Directory Domain Connection

Go to Configuration -> Policies and Access Control -> Active Directory Domains.

Press "New Domain".

  • Identifier is the name used throughout the rest of the Packetfence gui referencing this domain configuration,
  • Workgroup can be set to the name of the domain.
  • Set DNS name to the FQDN of your active directory domain.
  • Sticky DC can be left as *
  • Active Directory FQDN is the FQDN of the domain controller you're going to make queries against.
  • Active Directory IP and DNS Server(s) can both be set to the IP of your domain controller.
  • OU should be set to Computers or potentially something more specific. This is the OU that Packetfence will create its machine account under in AD.
  • The last two fields are Domain Administrator Username and Password. We recommend having a dedicated admin account for this, just to separate concerns.
    • Note that these credentials are only used when generating the machine account and storing its hashed password, and will not store these credentials permanently.
  • Set Allow on Registration to true.

After saving, return to the previous menu. You should see a green light under "domain joined" and a 200 HTTP status code in the top right corner.

Packetfence can now communicate to Active Directory. However at this stage, it's not been configured to actually use this communication. Let's add an Active Directory Authentication Source.

Active Directory Authentication Source

From the same configuration tab, let's go to Authentication Sources.

Press "New Internal Source" and select Active Directory from the drop down.

  • Give it a name, preferably that includes the domain itself, as well as a description.
  • Host should be set to the domain controller you specified in the previous step.
  • Base DN should be set to a string of the format "dc=domain,dc=local,dc=example,dc=com" - take the FQDN of your domain and take each element and prefix it with dc=. Use commas between them.
  • Bind DN is going to be set with a similar string detailing which user account Packetfence binds with. If you created your Packetfence admin in Active Directory under the Users OU, this will be something of the form "cn=packetfence,cn=users,dc=domain,dc=local,dc=example,dc=com".
  • Provide the password below.
  • Set "associated realms" to default and null.
  • Create an Authentication Rule:
    • Name: catchall
    • Description: catchall
    • Matches: any
    • Conditions: none
    • Actions:
      • Role: default
      • Access Duration: 12 hours
  • Save the source.

Now, when we configure our RADIUS client device, such as an AP or a switch, credentials will be acceptable from Active Directory, and authenticated users will be given 12 hours of access on a default VLAN.

Configuring the switch (Catalyst 2960)

The rest of the packetfence installation guides assumes a Catalyst 2960. Most modern IOS devices use the same syntax so we'll use their template.

dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server PF_MANAGEMENT_IP auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius-server host PF_MANAGEMENT_IP auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecret
radius-server vsa send authentication
snmp-server community public RO
snmp-server community private RW

Then on a port we wish to use dot1x on:

authentication host-mode single-host
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3

Adding switch to Packetfence

We then navigate to Configuration -> Policies and Access Control -> Network Devices -> Switches.

Press "New Switch" and select default when prompted.

Enter the management IP of the switch and select "production".

Under Type, select Cisco Catalyst 2960.

In the Radius tab, enter the secret specified in the steps above.

Make sure VLAN by Role ID is enabled and that "default" has been set to a VLAN on your network that you wish to grant access to.

Connection profile

Lastly, let's go to Configuration -> Policies and Access Control -> Connection Profiles.

Click on "New Connection Profile".

  • Profile name: 8021x.
  • Profile description: 8021x wired connections
  • Enable the profile.
  • Automatically register devices: checked
  • FIlters:
    • Match any
    • Connection Type: Ethernet EAP
  • Add the ADDC source we created earlier

You can now test your workstation.