
SolutionBase: Installing and configuring Network Access Control with PacketFence

PacketFence is the next big thing with network security and open source. Jack Wallen shows you how to run this installation completely by command line.

PacketFence is the open source community's answer to NAC. Being a solid supporter of the open source community, I knew this was going to be an interesting project to get up and running. Little did I know that PacketFence would wind up being one of the single most difficult installations I have done in over ten years of dealing with Linux. Granted, part of the difficulty was in my resisting installing PacketFence on the recommended environment. Why did I resist? Well, the recommended environments were outdated — Fedora 4, for example.

But then I swallowed my nerd-pride and opted for the most logical choice in Ubuntu 6.06 server. So be prepared: this installation will be done completely by command line. And there will be a lot of commands to run.

First things first

The first thing you are going to need to do is install Ubuntu Server 6.06 LTS. The good news is that this release is supported until 2011, so you won't have to worry about security fixes not being released as they arise. Once you have downloaded the ISO image, use K3B (or something similar) to burn the disk. Install the server and prepare for the installation. (Warning: It's a text-only installation.)

Because you will be using Ubuntu, you'll be using the sudo command a lot. There will be no root password, so the password you create for the created user (during installation) will be the password you use. However, when I use Ubuntu and sudo, I always create a root password because it bypasses a lot of problems created when trying to do installations of certain applications (or configurations of MySQL, for instance). To do this, run sudo passwd and enter the new "root" password. Once this is done, you are ready to rock.

The first thing you are going to do is set up remote administration with SSH. Since this server will most likely wind up a headless server (or in case you need to administer it remotely), you will want this installed. To do this, issue the following command: sudo apt-get install ssh openssh-server. One of the main reasons I often do this type of installation (via SSH) is because if I need to google something I don't have to switch back and forth between machines. So now that you have ssh installed, move over to a machine with access to the net and log into the Ubuntu server with SSH. Now you can continue reading this article and install at the same time.

Prepping for installation of software

You'll use the apt-get command to install the software for this installation. In order to do that, you'll have to first edit your sources to be able to find the proper software packages. To do this, issue the following commands.

Back up your original sources list:

sudo cp /etc/apt/sources.list /etc/apt/sources.list.BACKUP

Now you have to go through the sources list and uncomment all of the repositories listed in the sources.list file. Go to /etc/apt, open up the sources.list file, and remove all of the # to uncomment the sources. Or you could run the command:

sudo sed -i -e "s/# deb/deb/g" /etc/apt/sources.list

Now we must update the apt sources with the command:

sudo apt-get update

One final step before you start installing applications: You have to be able to compile from source. By default, Ubuntu 6.06 server cannot do this. So to make the server capable of this necessary action, issue the command:

sudo apt-get install build-essential

Once this is done, you're ready to install.

Snort

The first thing you should do is install an intrusion detection package. As Snort is the standard in Linux (as well as what PacketFence suggests), we'll use that. Issue the command:

sudo apt-get install snort

Before you move on, you will need to stop Snort with the sudo /etc/init.d/snort stop command. You will also need to make sure Snort does not start during system boot (otherwise, PacketFence will not start up). To do this, use the update-rc.d command: sudo update-rc.d -f snort remove. Now Snort has been removed from the rc.d run list.

MySQL

Because PacketFence uses a database, you'll have to install MySQL and take care of a few details with that installation.

First, install MySQL with the command sudo apt-get install mysql-server. Now it gets a bit tricky. This is where I like to have a "root" password. Issue the command sudo passwd and enter a "root" password twice. Now you can log on as a pseudo-root user. What you need to do now is change the MySQL password. By default, the password is blank. This is not secure and PacketFence requires you to have a root MySQL password. So issue the command mysql -u root -p and hit [Enter] (there is currently no password). You should now be at the mysql> command prompt. Now enter the command:

SET PASSWORD FOR root@localhost=PASSWORD('NEWPASSWORD');

where NEWPASSWORD is the new password you'll use for the root MySQL user.

Now MySQL is up.

Apache and PHP

The first thing you need to do is install Apache and all of the necessary modules, bells, and whistles. Here are the steps:

sudo apt-get install apache2 libapache2-mod-proxy-html

This installs Apache and the Proxy module. Now install PHP:

sudo apt-get install libapache2-mod-php5 php-pear php5-mysql php5-gd

This will install everything necessary for PHP.

Now all you have to do is to stop the Apache server and prevent Apache from starting at boot. First run:

sudo /etc/init.d/apache2 stop

to stop Apache. Then run sudo update-rc.d -f apache2 remove to remove Apache from the rc.d run list.
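A check for the Snort and Apache steps above, as an added example that is not part of the original article: it lists any SysV start links still present for a service after update-rc.d -f ... remove. The function names and the sample rc tree are constructed for illustration; on the server itself the second argument defaults to /etc.

```bash
#!/bin/sh
# Added example: confirm a service has no start links left in the rc?.d
# directories, so that PacketFence alone decides when it is launched.

boot_links() {
    # $1 = init script name, $2 = directory holding rc0.d..rc6.d and rcS.d
    svc=$1
    root=${2:-/etc}
    for link in "$root"/rc[0-6S].d/S[0-9][0-9]"$svc"; do
        # An unmatched glob stays literal, so test that the entry exists.
        [ -e "$link" ] || [ -L "$link" ] || continue
        echo "$link"
    done
}

starts_at_boot() {
    [ -n "$(boot_links "$1" "$2")" ]
}

# Constructed sample tree: apache2 still has start links, snort has none
# (the state expected after "update-rc.d -f snort remove").
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/init.d" "$demo/rc2.d" "$demo/rc3.d"
: > "$demo/init.d/snort"
: > "$demo/init.d/apache2"
ln -s ../init.d/apache2 "$demo/rc2.d/S91apache2"
ln -s ../init.d/apache2 "$demo/rc3.d/S91apache2"

for svc in snort apache2; do
    if starts_at_boot "$svc" "$demo"; then
        echo "$svc: still starts at boot:"
        boot_links "$svc" "$demo"
    else
        echo "$svc: no start links"
    fi
done
```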

Perl and Perl's modules

There are a number of Perl modules to install. To do so, issue the following commands:

sudo apt-get install perl-suid libterm-readkey-perl libconfig-inifiles-perl libnet-netmask-perl

and

sudo apt-get install libparse-recdescent-perl libnet-rawip-perl libtimedate-perl libwww-perl

Perl is ready to go.

PacketFence

Finally, install the PacketFence application itself. You cannot use apt-get to do the installation. You have to download the source, unpack it, and run the enclosed installation. Download the latest stable release (as of this writing, it is 1.6.2) with the wget application. If wget doesn't show up, you might have to install it with sudo apt-get install wget.

The download will come from SourceForge. The current release address is: http://downloads.sourceforge.net/PacketFence/PacketFence-1.6.2.tar.gz, so issue the commands:

cd /usr/local/
sudo wget http://downloads.sourceforge.net/PacketFence/PacketFence-1.6.2.tar.gz

Unpack the tar file with the command:

sudo tar xvzf PacketFence-1.6.2.tar.gz

which will create the /usr/local/pf directory. Change into the pf directory and issue the command to start the installer:

sudo ./installer.pl

You will now have to walk through a lot of questions regarding the installation. Many of the defaults will work. Remember your MySQL root user password. Also, allow the PacketFence installer to create the necessary database for you. I tried many times to create the database with phpMyAdmin, only to find the PacketFence system cannot then create the necessary tables for the database.

Before you run the final step of the process, you will want to create an SSL Certificate for security purposes. To do this, issue the commands:

cd /tmp
openssl req -new > PacketFence.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in PacketFence.csr -out server.crt -req -signkey server.key -days 365
sudo mv server.crt /usr/local/pf/conf/ssl/
sudo mv server.key /usr/local/pf/conf/ssl/
rm -f PacketFence.csr privkey.pem

This will install a unique certificate for your machine (instead of the included default).
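The certificate steps above, as an added example that is not part of the original article: a non-interactive equivalent that also checks the result before the files are moved into /usr/local/pf/conf/ssl/. The common name, the temporary directory and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example: create the key and self-signed certificate without prompts,
# then verify them. Like the article's "openssl rsa" step, the key ends up
# unencrypted, so its file mode is what protects it.

make_cert() (
    # $1 = output directory, $2 = certificate common name
    umask 077    # key file is created readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/PacketFence.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/PacketFence.csr" -signkey "$1/server.key" \
        -days 365 -out "$1/server.crt" 2>/dev/null &&
    rm -f "$1/PacketFence.csr"
)

key_matches_cert() {
    # A certificate only works with the key whose public modulus it carries.
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_valid_for() {
    # $2 = seconds; succeeds only if the certificate is still valid that far ahead
    openssl x509 -noout -checkend "$2" -in "$1/server.crt" >/dev/null
}

key_perms() { ls -l "$1/server.key" | cut -c1-10; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_cert "$work" "packetfence.example.test" || { echo "openssl failed" >&2; exit 1; }

if key_matches_cert "$work" && cert_valid_for "$work" 2592000; then
    echo "ok: key matches certificate, valid for more than 30 days"
else
    echo "do not install: key/certificate mismatch or certificate near expiry" >&2
fi
echo "key permissions: $(key_perms "$work")"
openssl x509 -noout -subject -enddate -in "$work/server.crt"
```

Running cert_valid_for against the installed server.crt from a scheduled job gives early notice before the 365-day certificate expires.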

Once you have completed the installation, you will then have to run the configurator.pl to complete the install. The configurator basically sets up the type of system you want to run. When you run it, you'll be offered the following:

  1. Test mode
  2. Registration
  3. Detection
  4. Registration & Detection
  5. Registration, Detection & Scanning
  6. Session-based Authentication

I suggest running the system in Test mode at first. Finish answering the questions to complete the installation.

A few modifications

One issue I had upon completing the installation was that the PacketFence start script couldn't find the Apache startup script, because it was looking for /usr/bin/httpd instead of /usr/bin/apache2, as is installed in an Ubuntu server. To change this, you have to add a [services] entry in the pf.conf file. Open up the /usr/local/pf/conf/pf.conf file in your favorite editor and add the following lines to the end of that file:

[services]
httpd=/usr/sbin/apache2

Now, open the file /usr/local/pf/conf/templates/httpd.conf and add the following:

ServerRoot /usr/lib/apache2

and then modify the line:

LoadModule php4_module modules/libphp4.so

to reflect:

LoadModule php4_module /usr/lib/apache2/modules/libphp4.so

There were a number of other lines that had to be modified. Because of the way Apache is installed on Ubuntu, the module paths must all reflect the /usr/lib/apache2/modules structure. So go through the entire /usr/local/pf/conf/templates/httpd.conf file and change the module paths to reflect this. You will also need to uncomment the line for the php5 module (around line 79) and comment out the line for php4 (around line 80).
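One way to make these template edits in a single pass, as an added example that is not part of the original article or of PacketFence: sed rewrites every relative modules/ path and swaps the php4 and php5 lines. The template lines are constructed samples rather than the contents of the real httpd.conf template, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: rewrite relative LoadModule paths to Ubuntu's
# /usr/lib/apache2/modules, comment out php4 and enable php5.

S='[[:space:]]'

fix_modules() {
    # $1 = template file; the rewritten file is printed on stdout
    sed -e "s|^\(#*${S}*LoadModule${S}\{1,\}[^[:space:]]\{1,\}${S}\{1,\}\)modules/|\1/usr/lib/apache2/modules/|" \
        -e "s|^LoadModule${S}\{1,\}php4_module|#&|" \
        -e "s|^#${S}*\(LoadModule${S}\{1,\}php5_module\)|\1|" "$1"
}

relative_paths_left() {
    # Count active LoadModule lines that still use a relative modules/ path.
    grep -c "^${S}*LoadModule${S}.*${S}modules/" "$1" || true
}

# Constructed sample template; the last line is already absolute and must
# come through unchanged.
tpl=$(mktemp)
trap 'rm -f "$tpl" "$tpl.new"' EXIT
cat > "$tpl" <<'EOF'
ServerRoot /usr/lib/apache2
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule php5_module modules/libphp5.so
LoadModule php4_module modules/libphp4.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
EOF

fix_modules "$tpl" > "$tpl.new"
diff "$tpl" "$tpl.new" || true    # review the changes before replacing the file
echo "relative module paths left: $(relative_paths_left "$tpl.new")"
```

Work on a copy of the template and review the diff before replacing the original.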

Starting PacketFence

You can first test to make sure PacketFence is starting up properly by running the command /usr/local/pf/bin/start. You should see nothing more than the following:

Checking configuration sanity...
service|command
config files|start
iptables|start
httpd|start
pfmon|start
pfdetect|start
snort|start

Now stop the PacketFence system with the command /usr/local/pf/bin/stop.

Once you know this is starting properly, you can then modify the install so that the PacketFence startup script is installed and the rc.d system is aware of it. To do this, issue the following commands:

sudo cp /usr/local/pf/PacketFence.init /etc/init.d/PacketFence
sudo chmod 755 /etc/init.d/PacketFence
sudo update-rc.d PacketFence defaults

Restart the system with the command:

sudo /etc/init.d/PacketFence start

You are now up and running.

Logging in

Fire up a browser and point it to the IP address of the PacketFence server with the 1443 port address added. So my address would be https://192.168.1.29:1443. Note: This is secure HTTP. You will see a login screen where you'll enter your administrator name (by default it is admin) and the password you created for the administrator.

Once you are logged in, you'll see the main administrator screen (see Figure A below).

Figure A: This is where you will finally be able to do all of your work.

From this point on, it's all point and click.

A big job

PacketFence has been one of the more challenging installations I have come across. Is it worth it? An old saying comes to mind: "An ounce of prevention is better than a pound of a cure." PacketFence is the next big thing with network security and open source. This tool is huge, and will gain popularity fast. And with the help of this article, you can finally install the system with fewer headaches than I incurred.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
