1 Overview

You will install PacketFence and perform some basic configuration.

You will be working in groups; each group has a VM onto which PacketFence will be installed.

2 Installation

PacketFence used to be supported only under RHEL/CentOS. It is now supported under CentOS 6, Ubuntu 12.04 LTS, and Debian 7 (Wheezy). We'll use Ubuntu.

The full instructions are in the PacketFence Administration Guide.

2.1 OS preparation

You should start with a minimal installation of Ubuntu 12.04 LTS. If you installed a full server or desktop edition, remove the packages that interfere with PacketFence's own firewall rules, its confined daemons and its resolver configuration:

# apt-get remove ufw
# apt-get remove apparmor
# apt-get remove resolvconf

resolvconf leaves /etc/resolv.conf as a symlink into /run, so after uninstalling it replace /etc/resolv.conf with a plain file containing sensible settings:

search ws.nsrc.org
nameserver 10.10.0.241

Ensure your system is fully up to date:

# apt-get update
# apt-get dist-upgrade

If this step installed a new kernel, reboot before continuing.

2.2 Install

Add the repository and package signing key, then install.

# echo "deb http://inverse.ca/downloads/PacketFence/ubuntu precise precise" >/etc/apt/sources.list.d/packetfence.list
# apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
# apt-get update
# apt-get install packetfence

This will install a large number of packages. Be patient!

When installing mysql, it will ask you to set a password for the mysql administrative "root" user. Enter the class password.

It will also set up the simple "nullmailer" mail system. It will ask for the system's mail name and the SMTP server name for sending outgoing mail. Accept the defaults.

The Debian packages start a number of services automatically. Stop and disable the distribution's memcached and apache2, because PacketFence starts its own instances of them:

# service memcached stop
# update-rc.d memcached disable
# service apache2 stop
# update-rc.d apache2 disable

If you intend to use inline enforcement mode, then you also need to install and build some dependencies:

# apt-get install xtables-addons-source xtables-addons-common
# module-assistant auto-install xtables-addons

For inline enforcement you also need to enable IP forwarding:

# editor /etc/sysctl.conf
### Uncomment this line ###
net.ipv4.ip_forward=1

# sysctl -p

Note: PacketFence doesn't support IPv6 yet, so don't enable IPv6 forwarding on an inline box: the inline enforcement rules are IPv4 iptables rules, and any IPv6 traffic you forwarded would simply bypass them.

3 Configuration

Initial configuration is via a web interface. Go to https://vmX.ws.nsrc.org:1443/configurator

This has a self-signed certificate, so you'll have to tell your browser to accept this untrusted certificate.

3.1 Step 1: Enforcement type

You now need to choose the enforcement type: VLAN enforcement, where PacketFence tells the managed switches which VLAN to put each port in, or Inline enforcement, where PacketFence sits in the traffic path as the default gateway and filters the clients' traffic itself.

For this exercise, we will enable them both; ensure both boxes are ticked, then click Continue.

(Running both is useful if your network has a mixture of managed and dumb switches, although it is more tricky to keep track of all the VLANs.)

3.2 Step 2: Interfaces

You now need to define interfaces.

In Inline mode, you need at least a Management interface and an Inline interface. The Management interface is where you connect to the PacketFence box to manage it, over SSH or HTTPS; and the Inline interface is the one which acts as default gateway for your internal network.

In VLAN mode, you need Management, Isolation and Registration interfaces.

Since we have enabled both, we will need Management, Inline, Isolation and Registration interfaces.

Since our PacketFence VM has only one interface (eth0), we will create some VLAN subinterfaces.

We won't have any client devices directly on VLANs X5 and X6. However, when using VLAN enforcement, these interfaces will receive the DHCP and DNS queries forwarded from the VLANs that are being managed.

3.3 Step 3: mysql

Now you need to supply the MySQL credentials.

Under Enter the MySQL root account credentials, type the root password you gave before.

If you are not sure what the root password is, enter the password you think it might be and click the "Test" button.

Under Create the database, leave the name as "pf" and then click "Create database and tables".

Under Create a PacketFence account, leave the username as 'pf' and enter the class password twice, and click "Create user"

Then click Continue.

3.4 Step 4: PacketFence config

Domain: ws.nsrc.org

Hostname: enter your hostname (vmX) without the domain

DHCP servers: 10.10.0.241

Alerting: enter your E-mail address

3.5 Step 5: Administration

Enter the class password twice, then click "Modify the password". This sets up the default admin account for accessing the web interface.

Then click Continue.

3.6 Step 6: Start the services

Click "Start PacketFence" at the bottom of the screen. All services will change to orange and say "Starting".

If they don't update after a minute, click "Start PacketFence" again to refresh. When everything is working, you will get a "Congratulations!" message, with a button "Visit Administration Interface Now!" which you should click.

If not all daemons start successfully, the next section shows you where to find the log files.

4 Verify configuration

4.1 Files

All of PacketFence's files live under /usr/local/pf. The configuration files are in /usr/local/pf/conf/, and the top-level one is /usr/local/pf/conf/pf.conf.

Look in this file (e.g. using less or cat) and you'll see the interfaces you defined in the web interface.

Some temporary configuration files are written out for the daemons from templates. For example, to see the active dhcpd config file:

# cd /usr/local/pf
# cat var/conf/dhcpd.conf

4.2 Interfaces

At a shell prompt, type

# ifconfig -a

You should see that PacketFence has created the VLAN interfaces eth0.X1, eth0.X5 and eth0.X6 that you defined in the web interface (and which are also defined in pf.conf)

Note also that it has updated /etc/network/interfaces

4.3 Logs

Have a look at the log files (-t sorts by modification time, newest first, and -r reverses that order so the most recently written files are listed last):

# cd /usr/local/pf/logs
# ls -lrt

These are the places to look for errors. For errors in the admin interface, try:

# tail admin_error_log

For example, an error like this shows that you don't have enough RAM allocated to your VM:

[Mon Mar 24 18:03:45 2014] [error] (12)Cannot allocate memory: fork: Unable to fork new process

(The PacketFence documentation says you should have at least 4GB; for demo purposes a VM with 3GB may be sufficient)

5 Administration interface

5.1 Web interface

The administration interface can be reached at https://vmX.ws.nsrc.org:1443/

Login using "admin" and the class password.

In the "network" section you can see the configuration options for "interfaces" (i.e. the local interfaces on the PacketFence server you already configured) and "switches" where you will enter the details of the managed switches you will use for VLAN enforcement.

5.2 Command line

Administration can also be done using command-line tools. For example, here is how to list all the services which might be running, and to check the status of one of them:

# cd /usr/local/pf
# bin/pfcmd service
# bin/pfcmd service pfsetvlan status

6 Configuration reference

After configuration, you should have config files like this (where X is your group number; the inline interface on eth0.X1 is not shown):

6.1 /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.10.0.X
    netmask 255.255.255.0
    gateway 10.10.0.254
    #post-up ethtool --offload eth0 tx off

auto eth0.X5
iface eth0.X5 inet static
    address 10.X.5.1
    netmask 255.255.255.0

auto eth0.X6
iface eth0.X6 inet static
    address 10.X.6.1
    netmask 255.255.255.0

6.2 /usr/local/pf/conf/pf.conf

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=ws.nsrc.org
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
hostname=vmX
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=10.10.0.241

[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=yourname@example.com

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=<class password>

[interface eth0.X5]
enforcement=vlan
ip=10.X.5.1
type=internal
mask=255.255.255.0

[interface eth0.X6]
enforcement=vlan
ip=10.X.6.1
type=internal
mask=255.255.255.0

[interface eth0]
ip=10.10.0.X
type=management
mask=255.255.255.0

6.3 /usr/local/pf/conf/networks.conf

[10.X.5.0]
dns=10.X.5.1
dhcp_start=10.X.5.10
gateway=10.X.5.254
domain-name=vlan-registration.ws.nsrc.org
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
type=vlan-registration
netmask=255.255.255.0
dhcp_end=10.X.5.246
dhcp_default_lease_time=30

[10.X.6.0]
dns=10.X.6.1
dhcp_start=10.X.6.10
gateway=10.X.6.254
domain-name=vlan-isolation.ws.nsrc.org
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
type=vlan-isolation
netmask=255.255.255.0
dhcp_end=10.X.6.246
dhcp_default_lease_time=30
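The three files above must agree with each other: every [interface ...] stanza in pf.conf should match a static stanza in /etc/network/interfaces with the same address (the mismatch to look for is exactly the kind shown in section 4.2's check), and each DHCP pool in networks.conf should sit inside its network and leave the gateway and DNS addresses outside the pool. The script below is an added example for checking that, not PacketFence code and not part of the original lab. It takes the file paths as parameters and assumes, as the reference above shows, that each networks.conf section is named after its network address. The sample files it creates are constructed for group X=1 and trimmed to the keys the checks read, so it runs stand-alone; on a real server call check_interfaces with /usr/local/pf/conf/pf.conf and /etc/network/interfaces, and check_networks with /usr/local/pf/conf/networks.conf.

```shell
#!/bin/sh
# Added example (not PacketFence code, not from the original lab): cross-check
# the [interface ...] stanzas in pf.conf against the "iface ... inet static"
# stanzas in /etc/network/interfaces, then sanity-check each DHCP pool in
# networks.conf. File paths are parameters; the samples are constructed (X=1).

# Print "name ip" for each [interface NAME] stanza of pf.conf that sets ip=.
pf_interfaces() {
    awk '/^\[interface / { name = $0; sub(/^\[interface /, "", name); sub(/\]$/, "", name); next }
         /^\[/                 { name = "" }
         name != "" && /^ip=/  { print name, substr($0, 4) }' "$1"
}

# Print "name address" for each "iface NAME inet static" stanza.
eni_interfaces() {
    awk '/^iface / { name = ($3 == "inet" && $4 == "static") ? $2 : ""; next }
         name != "" && $1 == "address" { print name, $2 }' "$1"
}

# 0 when every pf.conf interface has a static stanza with the same address; else print mismatches, return 1.
check_interfaces() {
    rc=0
    for entry in $(pf_interfaces "$1" | tr ' ' ':'); do
        name=${entry%%:*}; want=${entry#*:}
        got=$(eni_interfaces "$2" | awk -v n="$name" '$1 == n { print $2 }')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: pf.conf says $want, interfaces says ${got:-nothing}"
            rc=1
        fi
    done
    return $rc
}

# Per [NETWORK] section: pool inside NETWORK/netmask, start <= end, and neither gateway
# nor dns inside the pool. Integer division by the block size stands in for a bitwise AND.
check_networks() {
    awk '
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function innet(ip)     { return int(ip2int(ip) / block) == int(ip2int(net) / block) }
    function flush(  s, e) {
        if (net == "") return
        block = 4294967296 - ip2int(nm); s = ip2int(start); e = ip2int(end)
        if (!innet(start) || !innet(end))         { print "BAD " net ": pool outside network"; rc = 1 }
        if (s > e)                                { print "BAD " net ": dhcp_start after dhcp_end"; rc = 1 }
        if (ip2int(gw) >= s && ip2int(gw) <= e)   { print "BAD " net ": gateway " gw " inside pool"; rc = 1 }
        if (ip2int(dns) >= s && ip2int(dns) <= e) { print "BAD " net ": dns " dns " inside pool"; rc = 1 }
    }
    BEGIN          { rc = 0 }
    /^\[/          { flush(); net = $0; sub(/^\[/, "", net); sub(/\]$/, "", net); nm = start = end = gw = dns = ""; next }
    /^netmask=/    { nm = substr($0, 9) }
    /^dhcp_start=/ { start = substr($0, 12) }
    /^dhcp_end=/   { end = substr($0, 10) }
    /^gateway=/    { gw = substr($0, 9) }
    /^dns=/        { dns = substr($0, 5) }
    END            { flush(); exit rc }' "$1"
}

# Constructed sample files for group X=1 (trimmed to the keys the checks read).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/pf.conf" <<'EOF'
[general]
[interface eth0.15]
enforcement=vlan
ip=10.1.5.1
type=internal
mask=255.255.255.0
[interface eth0]
ip=10.10.0.1
type=management
mask=255.255.255.0
EOF
    cat > "$d/interfaces" <<'EOF'
iface lo inet loopback
iface eth0 inet static
    address 10.10.0.1
    netmask 255.255.255.0
iface eth0.15 inet static
    address 10.1.5.1
    netmask 255.255.255.0
EOF
    cat > "$d/networks.conf" <<'EOF'
[10.1.5.0]
dns=10.1.5.1
dhcp_start=10.1.5.10
gateway=10.1.5.254
netmask=255.255.255.0
dhcp_end=10.1.5.246
EOF
    echo "$d"
}

# Demo on the constructed samples; prints only when something is inconsistent.
d=$(make_samples)
check_interfaces "$d/pf.conf" "$d/interfaces"
check_networks "$d/networks.conf"
```

Both checks are silent and return 0 when the files agree, so they can go into a cron job or a post-configurator checklist; a non-zero return with a MISMATCH or BAD line tells you which stanza to fix before starting the services.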