You will install PacketFence and perform some basic configuration.
You will be working in groups; each group has a VM onto which PacketFence will be installed.
PacketFence used to be supported only under RHEL/CentOS. It is now supported under CentOS 6, Ubuntu 12.04 LTS, and Debian 7 (Wheezy). We'll use Ubuntu.
The full instructions are in the PacketFence Administration Guide.
You should start with a minimal distribution of Ubuntu 12.04 LTS. If you've installed a full server or desktop edition, there may be some packages you need to remove:
# apt-get remove ufw
# apt-get remove apparmor
# apt-get remove resolvconf
After uninstalling resolvconf, you should edit /etc/resolv.conf to ensure it contains sensible settings:
search ws.nsrc.org
nameserver 10.10.0.241
Ensure your system is fully up to date:
# apt-get update
# apt-get dist-upgrade
If a new kernel version was installed by this step then reboot.
Add the repository and package signing key, then install.
# echo "deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise" >/etc/apt/sources.list.d/packetfence.list
# apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
# apt-get update
# apt-get install packetfence
This will install a large number of packages. Be patient!
When installing mysql, it will ask you to set a password for the mysql administrative "root" user. Enter the class password.
It will also set up the simple "nullmailer" mail system. It will ask for the system's mail name and the SMTP server name for sending outgoing mail. Accept the defaults.
A number of services are started automatically from the Debian packages. You can disable them because packetfence starts its own instances.
# service memcached stop
# update-rc.d memcached disable
# service apache2 stop
# update-rc.d apache2 disable
If you intend to use inline enforcement mode, then you also need to install and build some dependencies:
# apt-get install xtables-addons-source xtables-addons-common
# module-assistant auto-install xtables-addons
For inline enforcement you also need to enable IP forwarding:
# editor /etc/sysctl.conf
### Uncomment this line ###
net.ipv4.ip_forward=1
# sysctl -p
Note: PacketFence doesn't support IPv6 yet so don't enable IPv6 forwarding on inline enforcement.
Initial configuration is via a web interface. Go to https://vmX.ws.nsrc.org:1443/configurator
This has a self-signed certificate, so you'll have to tell your browser to accept this untrusted certificate.
You now need to choose the enforcement type.
For this exercise, we will enable both VLAN and Inline enforcement; ensure both boxes are ticked, then click Continue.
(This would be useful if your network has a mixture of managed and dumb switches, although it is more tricky to keep track of all the VLANs.)
You now need to define interfaces.
In Inline mode, you need at least a Management interface and an Inline interface. The Management interface is where you connect to the PacketFence box to manage it, over SSH or HTTPS; and the Inline interface is the one which acts as default gateway for your internal network.
In VLAN mode, you need Management, Isolation and Registration interfaces.
Since we have enabled both, we will need Management, Inline, Isolation and Registration interfaces.
Since our PacketFence VM has only one interface (eth0), we will create some VLAN subinterfaces.
We won't have any client devices on VLANs X5 and X6. However, when using VLAN enforcement, these interfaces will receive forwarded DHCP and DNS queries from the VLANs which are being managed.
Now you need to give the credentials for Mysql.
Under Enter the MySQL root account credentials, type the root password you gave before.
If you are not sure what the root password is, enter the password you think it might be and click the "Test" button.
Under Create the database, leave the name as "pf" and then click "Create database and tables".
Under Create a PacketFence account, leave the username as "pf", enter the class password twice, and click "Create user".
Then click Continue.
Domain: ws.nsrc.org
Hostname: enter your hostname (vmX) without the domain
DHCP servers: 10.10.0.241
Alerting: enter your E-mail address
Enter the class password twice, then click "Modify the password". This sets up the default admin account for accessing the web interface.
Then click Continue.
Click "Start PacketFence" at the bottom of the screen. All services will change to orange and say "Starting".
If they don't update after a minute, click "Start PacketFence" again to refresh. When everything is working, you will get a "Congratulations!" message, with a button "Visit Administration Interface Now!" which you should click.
If not all daemons start successfully, the next section shows you where to find the log files.
All PacketFence's files are stored under /usr/local/pf. The configuration files are under /usr/local/pf/conf/, and the top-level one is /usr/local/pf/conf/pf.conf
Look in this file (e.g. using less or cat) and you'll see the interfaces you defined in the web interface.
Some temporary configuration files are written out for the daemons from templates. For example, to see the active dhcpd config file:
# cd /usr/local/pf
# cat var/conf/dhcpd.conf
At a shell prompt, type
# ifconfig -a
You should see that PacketFence has created the VLAN interfaces eth0.X1, eth0.X5 and eth0.X6 that you defined in the web interface (and which are also defined in pf.conf).
Note also that it has updated /etc/network/interfaces
Have a look at the log files (-t shows them ordered by modification time, and -r reverses the order so that the newest files are at the end):
# cd /usr/local/pf/logs
# ls -lrt
These are the places to look for errors. For errors in the admin interface, try:
# tail admin_error_log
For example, an error like this shows that you don't have enough RAM allocated to your VM:
[Mon Mar 24 18:03:45 2014] [error] (12)Cannot allocate memory: fork: Unable to fork new process
(The PacketFence documentation says you should have at least 4GB; for demo purposes a VM with 3GB may be sufficient)
The administration interface can be reached at https://vmX.ws.nsrc.org:1443/
Login using "admin" and the class password.
In the "network" section you can see the configuration options for "interfaces" (i.e. the local interfaces on the PacketFence server you already configured) and "switches" where you will enter the details of the managed switches you will use for VLAN enforcement.
Administration can also be done using command-line tools. For example, here is how to list all the services which might be running, and to check the status of one of them:
# cd /usr/local/pf
# bin/pfcmd service
# bin/pfcmd service pfsetvlan status
After configuration, you should have config files like this (where X is your group number): first /etc/network/interfaces, then /usr/local/pf/conf/pf.conf.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.10.0.X
netmask 255.255.255.0
gateway 10.10.0.254
#post-up ethtool --offload eth0 tx off
auto eth0.X5
iface eth0.X5 inet static
address 10.X.5.1
netmask 255.255.255.0
auto eth0.X6
iface eth0.X6 inet static
address 10.X.6.1
netmask 255.255.255.0
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=ws.nsrc.org
#
# general.hostname
#
# Hostname of PacketFence system. This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=vmX
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=10.10.0.241
[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=yourname@example.com
[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=<class password>
[interface eth0.X5]
enforcement=vlan
ip=10.X.5.1
type=internal
mask=255.255.255.0
[interface eth0.X6]
enforcement=vlan
ip=10.X.6.1
type=internal
mask=255.255.255.0
[interface eth0]
ip=10.10.0.10
type=management
mask=255.255.255.0
[10.X.5.0]
dns=10.X.5.1
dhcp_start=10.X.5.10
gateway=10.X.5.254
domain-name=vlan-registration.ws.nsrc.org
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
type=vlan-registration
netmask=255.255.255.0
dhcp_end=10.X.5.246
dhcp_default_lease_time=30
[10.X.6.0]
dns=10.X.6.1
dhcp_start=10.X.6.10
gateway=10.X.6.254
domain-name=vlan-isolation.ws.nsrc.org
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
type=vlan-isolation
netmask=255.255.255.0
dhcp_end=10.X.6.246
dhcp_default_lease_time=30
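As an added example (not part of the exercise and not PacketFence's own tooling), here is a small Python checker that parses pf.conf fragments like the one above and cross-checks the [interface ...] sections against the [10.X.5.0]-style network sections: DNS, gateway and the DHCP pool must lie inside the subnet, and every internal interface needs a network section whose dns entry points back at the interface. The embedded sample is a constructed fragment with X = 1.

```python
import configparser
import ipaddress

# Constructed pf.conf fragment in the layout the exercise produces, with X = 1.
# It is a sample for this checker, not the page's own file.
SAMPLE_PF_CONF = """
[interface eth0.15]
enforcement=vlan
ip=10.1.5.1
type=internal
mask=255.255.255.0
[10.1.5.0]
dns=10.1.5.1
dhcp_start=10.1.5.10
gateway=10.1.5.254
type=vlan-registration
netmask=255.255.255.0
dhcp_end=10.1.5.246
"""

def check_pf_conf(text):
    """Return a list of problems in pf.conf's [interface ...] and [a.b.c.d] sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems, networks = [], {}
    for name in cp.sections():
        # Network sections are named by their network address, e.g. [10.1.5.0].
        try:
            ipaddress.ip_address(name)
        except ValueError:
            continue
        sect = cp[name]
        net = ipaddress.ip_network(f"{name}/{sect['netmask']}", strict=False)
        networks[name] = net
        # DNS, gateway and the DHCP pool handed to clients must all lie in that subnet.
        for key in ("dns", "gateway", "dhcp_start", "dhcp_end"):
            if key in sect and ipaddress.ip_address(sect[key]) not in net:
                problems.append(f"[{name}] {key}={sect[key]} is outside {net}")
    for name in cp.sections():
        # Each internal (VLAN-enforcement) interface needs a matching network section
        # whose dns entry is the interface address, where PacketFence's DNS listens.
        if not name.startswith("interface ") or cp[name].get("type") != "internal":
            continue
        iface = ipaddress.ip_interface(f"{cp[name]['ip']}/{cp[name]['mask']}")
        key = str(iface.network.network_address)
        if key not in networks:
            problems.append(f"[{name}] has no [{key}] network section")
        elif cp[key].get("dns") != str(iface.ip):
            problems.append(f"[{key}] dns should be the interface address {iface.ip}")
    return problems
```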