PacketFence is fairly demanding to install, but once you get into the administration of the system via the Web-based administration tool, things become a whole lot easier. Jack Wallen guides you through installation of the tool.
PacketFence is one of the most difficult systems I've installed, while at the same time being one of the most valuable. PacketFence is the premier open source solution to Network Access Control (NAC). The system can work in an environment with any flavor of operating system or device, it's reliable, it's secure, and it's packed with tons of features.
One such feature is the Web-based administration tool. Sure, PacketFence is fairly demanding to install, and some of the tasks must be handled via command line. But once you get into the administration of the system, and do so via the Web-based tool, things become a whole lot easier.
For this article, we'll cover the PacketFence Web GUI on an Ubuntu Server 6.06 installation. If you have yet to install PacketFence, please refer to the original article for help. One of the nice aspects of using this software is that it does not have hefty requirements. In fact, the system I am using is installed on an older AMD 2075 MHz processor with 512 MB RAM. The machine is headless, so having SSH access will be required in my situation.
The requirements for the browser are nil; in fact, I was able to log into (and administer) the PacketFence GUI from my iPhone. So you shouldn't have any problem using the Web-based GUI, no matter what OS you're on.
Let's get started with the GUI.
Firing it up
The first thing you're going to need to do (after you have PacketFence up and running) is open up a browser on your internal network and point it to https://IP_OF_PacketFence_SERVER:1443. This will take you to the dashboard shown in Figure A.
You will log into the dashboard with the administrator username and password you set up during installation. Most likely, the username is admin.
Once inside the GUI, you will notice a number of tabs. The lower section of tabs is mostly reporting, whereas the upper row of tabs is for the actual maintenance.
Before I move on, I want to make note of one issue. There is currently a bug in the system with Active Reports. If you go to Reports and select Active, you will get this error:
Error: Problems executing 'PFCMD report active '
DBD::mysql::st execute failed: Unknown column 'n.dhcp_fingerprint' in 'on clause' at /usr/local/pf/lib/pf/db.pm line 96.
Can't use string ("0") as a HASH ref while "strict refs" in use at /usr/local/pf/bin/pfcmd line 653.
The problem occurs because of how MySQL 5 changed the way it handles joins. The developers are working on this and will have it fixed for the 1.6.4 release. Until then you will have to skip active reports.
Back to the Dashboard; from this window, you will instantly see some very important information:
- Disk Usage: This is the disk usage on the PacketFence server.
- Memory Usage: This is the memory usage on the PacketFence server.
- CPU Load: This is the CPU load on the PacketFence server.
- Recent Violations: All recent violations that have occurred within the network (according to PacketFence).
- Recent Registrations: All device registrations that have occurred within the system. (Note: This section will only list user-initiated registrations (not registrations handled by the administrator.)
You can customize your dashboard as well. This is handy when the standard dashboard doesn't offer you all of the information you want. To customize the dashboard, select the Customize This Page icon to reveal a simple interface allowing you to change or add reports (Figures B and C).
Once you have configured the dashboard the way you like it, select Submit Query and your dashboard will be exactly how you want. Of course, you might have to wait until some statistics start popping up before you actually see any difference.
Let's move on to the Reports section of the dashboard. This section offers up a lot of useful information. The main section, seen in Figure D, is accessed by selecting the Reports link to the left of the Dashboard link.
Let's say you want to see a list of the activity associated with a particular IP or MAC address. Select the History link and you will be able to enter either an IP or MAC address, as seen in Figure E, as well as a time frame to see all that devices activity.
Once you select Query History, you'll get a report of the time the IP or MAC address was active. Unfortunately, the data reported is really only useful if you are trying to pinpoint a time for certain activity. As you can see in Figure F, the only data reported is the MAC address, the IP address, the Start Time, and the End Time of the activity. It does not, unfortunately, list the type of activity.
One very nice feature is the Inactive Reports section. Select it to reveal a listing of each unregistered MAC address on your network. Figure G details the information given in this report.
As you can see, there is more information to be had in this report. Not only do you get all the information from the History report, you also get information regarding browser and OS type, DHCP licenses, and ARP reports.
The rest of the reporting should be self-explanatory. Now it's time to get into the actual administration of the system.
The Person tab allows you to handle the administration of users on your NAC. Don't get this confused with authentication because this has nothing to do with that area. The Person portion of this system is only to make the administrator's job easier. You can add, edit, or delete people on this system to associate them with devices. So instead of having to remember what MAC address is in what department or belongs to which user, you add People to the system and assign their names to the address.
Select the Person tab to see a listing of the currently available People on the system, as seen in Figure H.
Let's add a person. Say we need to add another user in Graphic Arts. Press the Add button to add a name. You'll see the screen shown in Figure I.
For this example, I am going to add the user Haversham Happenstance and include the note Graphics. Once I have that, I can then add that Identifier to the MAC address (in another screen).
This will keep your network far more manageable, because you'll have a better idea what MAC addresses belong to which users or departments.
Now let's associate our new user to a device.
A node, in PacketFence parlance, is basically a device. This device can be a PC, printer, router, or a hub — anything with a MAC address. Press on the Node tab and you will see a listing of every device on the network, as shown in Figure J.
Let's say you know that IP address 192.168.1.24 belongs to Haversham Happenstance and you want to add his name to the correct Node listing. Problem is, the Node listing only shows MAC addresses. The solution is simple: Go to Reports, select History, enter the IP address, and select Query History. The report will list the MAC address associated with the IP address. Now, with the MAC address in tow, head over to the Node tab, and find the MAC address you are looking for (in my case, 00:14:51:e3:89:61).
Press the Edit button (under the Actions column) that corresponds with the MAC address in question. You will now see an edit window — Figure K — that will allow you to enter information.
Here, you can enter plenty of information, but we want to limit it, right now, to user-information. Enter Haversham Happenstance as the Identifier and press the Edit Node button at the bottom right of the window. Now, when you take a look at the node, you will see Haversham Happenstance listed as the identifier attached to the MAC address.
Let's now take a look at some of the more meaty tasks of the Web-based administration tool. Select the Administration tab. Here, you will see the following sub-tabs:
- Configuration: Under this sub-tab are numerous system configurations.
- Services: This is where you can stop or start the PacketFence services.
- Add User: Add users to the system.
- UI Options: The look and feel of the Web-based GUI.
- Remediation: Configure the remediation screen the users see.
- Instructions: Configure the instruction screen the users see.
The configuration sub-tab is the most crucial component of the GUI. Here, you'll configure nearly every aspect of the system, including:
- Wins Server: Address of Wins server.
- E-mail Address: Address of administrator.
- SMTP Server: Outgoing mail server for system.
- Admin netbiosname: Netbios name of the PacketFence server.
- Log: Log file to be used for violations.
- DHCP Timeout: Hours and Minutes of ARP timeout.
- Clean Shutdown: Enable or disable.
- Interval: Seconds.
- Strobe: Enable or disable.
- GW Timeout: Enable or disable.
- ARP Timeout: Enable or disable.
- Heartbeat: Seconds.
- Stuffing: Enable or disable.
- Username: Database username.
- Password: Database password.,
- Port: Port for database use.
- Host: Database host.
- Registered lease: Hours.
- Unregistered lease time: Minutes.
- Isolation lease time: Minutes.
- Iplog: Days.
- Node: Days.
- Logo: Location of system logo.
- Caching: Enabled or disabled.
- Domain: Domain name.
- Dnsservers: Location of DNS servers.
- Hostname: Hostname of PacketFence server.
- Dhcpservers: Location of DHCP servers.
- IP address: IP of PacketFence server.
- Gateway: Gateway for PacketFence server.
- Type: Internal, Managed, or Monitored.
- Mask: Netmask of PacketFence server.
- Level: 0-8
- Priority: Debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, or panic (same as emerg).
- Facility: Auth, authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp, or local0 through local7.
- Rogueinterval: 1-10.
- Named: Enabled or disbled.
- Scan: Enabled or disabled.
- Nat: Enabled or disabled.
- DHCP detector: Enabled or disabled.
- Mode: Passive or Inline.
- DHCP: Enabled or disabled.
- Symantec Scanner: URL
- PacketFence: IP addresses of devices allowed to pass through system.
- Admin: Administration port
- Open: Open ports.
- Allowed: Ports allowed for use.
- Redirect: Ports that are redirected.
- Listeners: IMAP or POP3.
- Stinger.exe: Address of stinger.exe
- Expire Window: Days
- Detection: Enabled or disabled.
- Range: IP address range for registration.
- Registration: Enabled or disabled.
- Skip reminder: Days
- Immediate: Enabled or disabled.
- Expire deadline: Date.
- Auth: Local, ldap, mysql, radius, or harvard.
- Expire Session: Days
- Skip Mode: Window, Deadline, Disabled.
- Isolation: Enabled.
- Queuesize: Integer
- Expire Mode: Window, deadline, session, or disabled.
- AUP: Enabled or disabled.
- Complete Message: Enabled or disabled.
- Redirect URL: Address for redirection.
- Skip Deadline: Date.
- Skip Window: Seconds, minutes, hours, days, weeks.
- Button Text: Text to appear on registration button.
- Maxnodes: Maximum number of nodes allowed.
- Pass: Type of data to pass
- SSL: Enabled or disabled.
- Live TIDS: Plug in IDs allowed to live on the system.
- User: User allowed to scan.
- Port: Port number for scanning.
- Registration: Enabled or disabled.
- Host: Address of scanning host.
- Named: Location of named executable.
- DHCPD: Location of dhcpd executable.
- HTTP: Location of apache executable.
- Pfredirect: Location of pfredirect executable.
- Pfdetect: Location of pfdetect executable.
- Pfmon: Location of pfmon executable.
- Snort: location of snort executable.
- Isolation: Enabled or disabled.
- Testing: Enabled or disabled.
- Detection: Enabled or disabled.
- Blacklist: Location of blacklist.
- Range: IP range of trapping.
- Whitelist: Enabled or disabled.
- Trapping Registration: Enabled or disabled.
- Redirect URL: URL for trapping redirection.
- Immediate: Enabled or disabled.
- Redirtimer: Seconds
- Passthrough: IP tables or proxy.
It's a long list of configuration options, but most of them should be self-explanatory at this point.
Though not 100 percent perfect, the PacketFence Web-based administration takes a lot of the pains and efforts out of administering a PacketFence solution. There are still certain aspects of PacketFence that will require using the command line and some text-based editing; but, for the most part, once your system is up and running, you should be able to handle all the administration from the Web-based tool.
PacketFence is an amazing system for controlling access to your network. Although difficult to get up and running, it's certainly worth the effort.