Red Hat NETWORK 4.1.0 - Betriebsanweisung Seite 1

PacketFence Administration Guidefor version 4.1.0

Chapter 2Copyright © 2008-2013 Inverse inc.Introduction 6Components

Chapter 17Copyright © 2008-2013 Inverse inc.Manual FreeRADIUS 2 configuration 96authorize { preprocess eap { ok = return

Chapter 17Copyright © 2008-2013 Inverse inc.Manual FreeRADIUS 2 configuration 97eap { default_eap_type = peap timer_expire = 60

Chapter 3Copyright © 2008-2013 Inverse inc.System Requirements 7System RequirementsAssumptionsPacketFence reuses many components in an infrastructure.

Chapter 3Copyright © 2008-2013 Inverse inc.System Requirements 8∏ Intel or AMD CPU 3 GHz∏ 4 GB of RAM∏ 100 GB of disk space (RAID-1 recommended)∏ 1 Ne

Chapter 4Copyright © 2008-2013 Inverse inc.Installation 9InstallationThis section will guide you through the installation of PacketFence together with

Chapter 4Copyright © 2008-2013 Inverse inc.Installation 10# rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.`uname

Chapter 4Copyright © 2008-2013 Inverse inc.Installation 11Software DownloadPacketFence provides a RPM repository for RHEL / CentOS instead of a single

Chapter 4Copyright © 2008-2013 Inverse inc.Installation 12Or when using Ubuntu 12.04 LTS:deb http://inverse.ca/downloads/PacketFence/ubuntu precise pr

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 13ConfigurationIn this section, you’ll learn how to configure PacketFence. PacketFence will u

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 14Web-based Administration InterfacePacketFence provides a web-based administration inte

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 15The other files in this directory are managed by PacketFence using templates, so it is easy

PacketFence Administration Guideby Inverse Inc.Version 4.1.0 - December 2013Copyright © 2008-2013 Inverse inc.Permission is granted to copy, distribut

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 16AuthenticationPacketFence can authenticate users that register devices via the captive port

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 17Now, we want to authenticate employees using Active Directory (over LDAP), and

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 18Network Devices Definition (switches.conf)This section applies only for VLAN enforcement. U

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 19From PacketFence to a switchEdit the switch config file (/usr/local/pf/conf/switches.conf)

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 20PackeFence needs sometimes to establish an interactive command-line session with a switch.

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 21The current format is the following:Format: <rolename>Role=<controller_role>And

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 22Inline enforcement uses ipset to mark nodes as registered, unregistered and isol

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 23dns PacketFence IP address in this network. Ininline type, set it to a valid DNS prod

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 24By default no DHCP Server should be running on that interface where you are sending the req

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 25[interface eth0.1010]mask=255.255.255.0type=dhcp-listenergateway=10.0.101.1ip=10.0.101.4Rep

Copyright © 2008-2013 Inverse inc.iiiTable of ContentsAbout this Guide ...

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 26For dhcpd, make sure that the clients DHCP requests are correctly forwarded (IP Helpers in

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 27[192.168.3.0]netmask=255.255.255.0gateway=192.168.3.1next_hop=domain-name=isolation.example

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 28ip access-list extended PF_REGISTRATION permit ip any host 192.168.2.1 permit udp any any e

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 29mschap { use_mppe = yes require_encryption = yes require_strong = yes

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 30[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 31 [global] workgroup = DOMAIN server string = pf_server_name security = ads passdb back

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 32Note that for Debian and Ubuntu you will probably have this error:# kinit succeeded but ads

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 33# radtest dd9999 Abcd1234 localhost:18120 12 testing123Sending Access-Request of id 74 to 1

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 34Log filesHere are the most important PacketFence log files:/usr/local/pf/logs/packetfence.l

Chapter 5Copyright © 2008-2013 Inverse inc.Configuration 35Proxy InterceptionIn PacketFence you are now able to intercept proxy request and forward th

Copyright © 2008-2013 Inverse inc.ivSNMP Traps Limit ...

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 36Configuration by exampleHere is an end-to-end sample configuration of PacketFenc

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 37Network InterfacesHere are the NICs startup scripts on PacketFence./etc/sysconfi

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 38DEVICE=eth1ONBOOT=yesBOOTPROTO=noneTrap receiverPacketFence uses snmptrapd as th

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 39snmp-server enable traps port-securitysnmp-server enable traps port-security tra

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 40[default]SNMPCommunityRead = publicSNMPCommunityWrite = privateSNMPommunityTrap

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 41[general]domain=yourdomain.org#Put your External/Infra DNS servers herednsserver

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 42[interface eth0]mask=255.255.255.0type=managementgateway=192.168.1.1ip=192.168.1

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 43[192.168.2.0]netmask=255.255.255.0gateway=192.168.2.1next_hop=192.168.2.254domai

Chapter 6Copyright © 2008-2013 Inverse inc.Configuration by example 44In order to have the inline mode properly working, you need to enable IP forward

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 45Optional componentsBlocking malicious activities with violationsPolicy violations all

Chapter 1Copyright © 2008-2013 Inverse inc.AboutthisGuide 1AboutthisGuideThis guide will walk you through the installation and the day to day admi

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 46ConfigurationPacketFence will provide you with a basic suricata.yaml that you can mod

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 47trapIsolate the host and place them in violation. It opens a violationand leaves it o

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 48[defaults]priority=4max_enable=3actions=email,logauto_enable=Yenable=Ngrace=120mwindo

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 49Noteviolations.conf is loaded at startup. A restart is required when changes are made

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 50It is important to get the correct scan config ID and NBE report format ID to populat

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 51Using Nessus:trigger=Nessus::<violationId>Using OpenVAS:trigger=OpenVAS::<vi

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 52∏ You just have to change the host value by the Nessus server IP.RADIUS AccountingRAD

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 53OinkmasterOinkmaster is a perl script that enables the possibility to update the diff

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 54CautionRight now PacketFence only supports floating network devices on Cisco

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 55trunkPort Yes/no. Should the port be configured as a muti-vlan port?pvid VLAN in whic

Chapter 2Copyright © 2008-2013 Inverse inc.Introduction 2IntroductionPacketFence is a fully supported, trusted, Free and Open Source network access co

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 56Managed guestsPart of the web administration interface, the guests management interfa

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 57ConfigurationGuest self-registrationIt is possible to modify the default values of th

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 58∏DURATION: a number corresponding to the period duration.∏DATETIME_UNIT: a character

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 59status, etc) to a RADIUS Server or a DHCP server. The section below explains you how

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 60NoteYou may also want to set other attributes such as auto_enable, grace, etc.When d

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 61Alternatively, you can configure these parameters from the PacketFence Web administra

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 62[default]billing_engine = enabled...Billing engine parameters are specified in conf/p

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 63OAuth2 AuthenticationThe captive portal of PacketFence allows a guest/user to registe

Chapter 7Copyright © 2008-2013 Inverse inc.Optional components 64GitHubTo use GitHub, you also need an API code and a secret key. To get one, you need

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 65Operating System Best PracticesIptablesIPTables is now entirely managed b

Chapter 2Copyright © 2008-2013 Inverse inc.Introduction 3module. This allows you to secure yourwired and wireless networks the sameway usi

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 66Once you downloaded those packages, you need to modify the logging config

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 67∏ pf2 is the second PacketFence server∏ PacketFence is properly configure

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 68global { usage-count yes;}common { protocol C;}resource mysql { sy

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 69Make sure you see something like this in /proc/drbd:... 0: cs:Connected r

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 70... 0: cs:Connected ro:Primary/Secondary ds:UpToDate/UpToDate C r----

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 71∏eth0.z is the name of the NIC configuration file (/etc/sysconfig/network

Chapter 8Copyright © 2008-2013 Inverse inc.Operating System Best Practices 72Look at Heartbeat log file /var/log/ha-log to make sure that everything i

Chapter 9Copyright © 2008-2013 Inverse inc.Performance optimization 73Performance optimizationMySQL optimizationsTuning MySQL itselfIf you’re PacketFe

Chapter 9Copyright © 2008-2013 Inverse inc.Performance optimization 74mysql> show variables;| innodb_additional_mem_pool_size | 1048576 || inn

Chapter 9Copyright © 2008-2013 Inverse inc.Performance optimization 75# uptime12:01:58 up 235 days, 1:46, 1 user, load average: 0.15, 0.39, 0.52# io

Chapter 2Copyright © 2008-2013 Inverse inc.Introduction 4Guest Access PacketFence supports a special guest VLANout of the box. You configure your

Chapter 9Copyright © 2008-2013 Inverse inc.Performance optimization 76Host 'host_name' is blocked because of many connection errors. Unblock

Chapter 10Copyright © 2008-2013 Inverse inc.Frequently Asked Questions 77Frequently Asked QuestionsPacketFence FAQ is now available online. Please vis

Chapter 11Copyright © 2008-2013 Inverse inc.Technical introductionto VLAN enforcement 78Technical introduction to VLANenforcementIntroductionVLAN ass

Chapter 11Copyright © 2008-2013 Inverse inc.Technical introductionto VLAN enforcement 79The supplicant (i.e., client device) is not allowed access thr

Chapter 11Copyright © 2008-2013 Inverse inc.Technical introductionto VLAN enforcement 80You need to create a registration VLAN (with a DHCP server, bu

Chapter 11Copyright © 2008-2013 Inverse inc.Technical introductionto VLAN enforcement 81MAC notification trapsIf your switches support MAC notificatio

Chapter 12Copyright © 2008-2013 Inverse inc.Technical introductionto Inline enforcement 82Technical introduction to InlineenforcementIntroductionBefor

Chapter 12Copyright © 2008-2013 Inverse inc.Technical introductionto Inline enforcement 83∏ Everyone behind an inline interface is on the same Layer 2

Chapter 13Copyright © 2008-2013 Inverse inc.Technical introductionto Hybrid enforcement 84Technical introduction to HybridenforcementIntroductionBefor

Chapter 14Copyright © 2008-2013 Inverse inc.More on VoIP Integration 85More on VoIP IntegrationVoIP has been growing in popularity on enterprise netwo

Chapter 2Copyright © 2008-2013 Inverse inc.Introduction 5Network IntegrationVLAN enforcement is pictured in the above diagram. Inline enforcement shou

Chapter 14Copyright © 2008-2013 Inverse inc.More on VoIP Integration 86NoteNot all vendors support VoIP on port-security, please refer to the Network

Chapter 15Copyright © 2008-2013 Inverse inc.Additional Information 87Additional InformationFor more information, please consult the mailing archives o

Chapter 16Copyright © 2008-2013 Inverse inc.Commercial Supportand Contact Information 88Commercial Support and ContactInformationFor any questions or

Chapter 17Copyright © 2008-2013 Inverse inc.GNU Free Documentation License 89GNU Free Documentation LicensePlease refer to http://www.gnu.org/licenses

Chapter 17Copyright © 2008-2013 Inverse inc.Administration Tools 90AppendixA.Administration Toolspfcmdpfcmd is the command line interface to most Pa

Chapter 17Copyright © 2008-2013 Inverse inc.Administration Tools 91Usage: pfcmd.pl <command> [options]checkup | perform a s

Chapter 17Copyright © 2008-2013 Inverse inc.Administration Tools 92The node view option shows all information contained in the node database table for

Chapter 17Copyright © 2008-2013 Inverse inc.Administration Tools 93Usage: pfcmd_vlan command [options] Command: -deauthenticate de-a

Chapter 17Copyright © 2008-2013 Inverse inc.Administration Tools 94Web Admin GUIThe Web Admin GUI, accessible using https on port 1443, shows the same

Chapter 17Copyright © 2008-2013 Inverse inc.Manual FreeRADIUS 2 configuration 95AppendixB.Manual FreeRADIUS 2configurationSince we provide a working