PacketFence is the open source community’s answer to NAC.
Being a solid supporter of the open source community, I knew this was going to
be an interesting project to get up and running. Little did I know that
PacketFence would wind up being one of the single most difficult installations
I have done in over ten years of dealing with Linux. Granted,
part of the difficulty was in my resisting installing PacketFence on the recommended
environment. Why did I resist? Well, the recommended environments were outdated
— Fedora 4, for example.

But then I swallowed my nerd-pride and opted for the most
logical choice in Ubuntu 6.06 server. So be prepared: this installation will be
done completely by command line. And there will be a lot of commands to run.

First things first

The first thing you are going to need to do is install Ubuntu Server 6.06 LTS. The
good news is that this release is supported until 2011, so you won’t have to
worry about security fixes not being released as they arise. Once you have
downloaded the ISO image use K3B (or something similar) to burn the disk.
Install the server and prepare for the installation. (Warning: It’s a text-only installation.)

Because you will be using Ubuntu, you’ll be using the sudo command a lot. There will be no root
password, so the password you create for the created user (during installation)
will be the password you use. However, when I use Ubuntu and sudo, I always create a root
password because it bypasses a lot of problems created when trying to do
installations of certain applications (or configurations of MySQL, for instance).
To do this, run sudo passwd
and enter the new “root” password. Once this is done, you are
ready to rock.

The first thing you are going to do is set up remote
administration with SSH. In case this server will most likely wind up a
headless server (or in case you need to administer it remotely), you will want
this installed. To do this issue, the following command: sudo
apt-get install ssh openssh-server.
One of the main reasons I often do this
type of installation (via SSH)
is because if I need to google something I
don’t have to switch back and forth between machines. So now that you have ssh installed, move
over to a machine with access to the net and log into the Ubuntu server with SSH.
Now you can continue reading this article and install at the same time.

Prepping for
installation of software

You’ll use the apt-get command to install the
software for this installation. In order to do that, you’ll have to first edit
your sources to be able to find the proper software packages. To do this, issue
the following commands.

Backup your original sources list:

sudo cp /etc/apt/sources.list /etc/apt/sources.list.BACKUP

Now you have to go through the sources list and uncomment
all of the repositories listed in the sources.list
file. Go to /etc/apt, open up the sources.list
file, and remove all of the # to uncomment the sources. Or you could run the

sudo sed -i -e "s/# deb/deb/g" /etc/apt/sources.list

Now we must update the apt
sources with the command:

sudo apt-get update

One final step before you start installing applications: You
have to be able to compile from source. By default, Ubuntu 6.06 server cannot
do this. So to make the server capable of this necessary action, issue the

sudo apt-get
install build-essential

Once this is done, you’re ready to install.


The first thing you should do is install an intrusion
detection package. As Snort is the standard in Linux (as well as what
PacketFence suggests), we’ll use that. Issue the command:

sudo apt-get
install snort

Before you move on, you will need to stop Snort with the sudo /etc/init.d/snort
command. You will also need to make sure Snort does not start during
system boot (otherwise, PacketFence will not start up). To do this, use the update-rc.d command: sudo
update-rc.d -f snort remove.
Now Snort has been
removed from the rc.d
run list.


Because PacketFences uses a
database, you’ll have to install MySQL and take care of a few details with that

First, install MySQL with the command sudo
apt-get install mysql-server.
Now it gets a bit
tricky. This is where I like to have a “root” password. Issue the
command sudo passwd
and enter a “root” password twice. Now you can log on as a
pseudo-root user. What you need to do now is change the MySQL password. By
default, the password is blank. This is not secure and PacketFence requires you
to have a root MySQL password. So issue the command mysql
-u root -p
and hit [Enter] (there is currently no password). You should now
be at the mysql> command prompt. Now
enter the command:


where NEWPASSWORD is the new
password you’ll use for the root MySQL user.

Now MySQL is up.

Apache and PHP

The first thing you need to do is install
Apache and all of the necessary modules, bells, and whistles. Here are the

sudo apt-get
install apache2 libapache2-mod-proxy-html

This installs Apache and the Proxy module. Now install PHP:

sudo apt-get
install libapache2-mod-php5 php-pear php5-mysql

This will install everything necessary for PHP.

Now all you have to do is to stop the Apache server and
prevent Apache from starting at boot. First run:

sudo /etc/init.d/apache2 stop

To stop Apache, run sudo
update-rc.d -f apache2 remove
to remove Apache
from the rc.d
run list.

Perl and Perls’ modules

There are a number of Perl modules to install. To do so,
issue the following commands:

sudo apt-get
install perl-suid libterm-readkey-perl
libconfig-inifiles-perl libnet-netmask-perl


sudo apt-get
install libparse-recdescent-perl libnet-rawip-perl
libtimedate-perl libwww-perl

Perl is ready to go.


Finally, install the PacketFence application itself. You cannot
use apt-get to do the installation. You have to download the source,
unpack it, and run the enclosed installation. Download the latest stable
release (as of this writing, it is 1.6.2) with the wget
application. If wget doesn’t show up, you
might have to install with sudo apt-get
install wget

The download will come from Sourceforge.
The current release address is:,
so issue the commands:

sudo cd /usr/local/
sudo wget

Unpack the tar
file with the command:

sudo tar xvzf PacketFence-1.6.2.tar.gz

which will create the /usr/local/pf directory.
Change into the pf directory and issue
the command to start the installer:

sudo ./

You will now have to walk through a lot of questions
regarding the installation. Many of the defaults will work. Remember your MySQL
root user password. Also, allow the PacketFence installer to create the
necessary database for you. I tried many times to create the database with phpMyAdmin,
only to find the PacketFence system cannot then create the necessary tables for
the database.

Before you run the final step of the process, you will want
to create an SSL Certificate for security purposes. To do this, issue the

cd /tmp
openssl req -new > PacketFence.csr
openssl rsa -in privkey.pem
-out server.key
openssl x509 -in PacketFence.csr -out server.crt -req  signkey
server.key -days 365
mv server.crt /usr/local/pf/conf/ssl/
mv server.key /usr/local/pf/conf/ssl/
rm -f PacketFence.csr privkey.pem

This will install a unique certificate for your machine
(instead of the included default).

Once you have completed the installation, you will then have
to run the to complete the install. The configurator basically sets up the type of
system you want to run. When you run it, you’ll be offered the following:

  1. Test mode
  2. Registration
  3. Detection
  4. Registration &
  5. Registration, Detection
    & Scanning
  6. Session-based

I suggest running the system in Test mode at first. Finish
answering the questions to complete the installation.

A few modifications

One issue I had upon completing the installation was that
the PacketFence start script couldn’t find the Apache startup script,
because it was looking for /usr/bin/httpd instead of /usr/bin/apache2,
as is installed in an Ubuntu server. To change this, you have to add a [service]
entry in the pf.conf file. Open up the /usr/local/pf/conf/pf.conf file in your favorite editor and add the
following lines to the end of that file:


Now, open the file /usr/local/pf/conf/templates/httpd.conf and
add the following:

ServerRoot /usr/lib/apache2

and then modify the line:

LoadModule php4_module

to reflect:

LoadModule php4_module /usr/lib/apache2/modules/

There were a number of other lines that had to be
modified. Because of the installation of Apache on Ubuntu, the necessary
modules must all reflect the /usr/lib/apache2/module
structure. So go through the entire /usr/local/pf/conf/templates/httpd.conf file
and change the module paths to reflect this. You will also need to uncomment
out the line for the php5 module (around line 79) and comment out the line for
php4 (around line 80).

Starting PacketFence

You can first test to make sure PacketFence is starting up
properly by running the command /usr/local/pf/bin/start. You should see nothing more than the

Checking configuration sanity...
config files|start

Now stop the PacketFence system with the command /usr/local/pf/bin/stop.

Once you know this is starting properly you can then modify
the install so that the PacketFence startup script is installed and the rc.d system is
aware of it. To do this issue the following commands:

sudo cp /usr/local/pf/PacketFence.init
sudo chmod 755 /etc/init.d/PacketFence
sudo update-rc.d
PacketFence defaults

Restart the system with the command:

sudo /etc/init.d/PacketFence start

You are now up and running.

Logging in

Fire up a browser and point it to the IP address of the
PacketFence server with the 1443 port address added. So my address would be Note: This is secure HTTP. You will see
a log in screen where you’ll enter your administrator name (by default it is admin)
and the password you created for the administrator.

Once you are logged in, you’ll see the main administrator
screen (see Figure A below).

Figure A

This is where you
will finally be able to do all of your work.

From this point on, it’s all point and click.

A big job

PacketFence has been one of the more challenging
installations I have come across. Is it worth it? An old saying comes to mind:
“An ounce of prevention is better than a pound of a cure.” PacketFence
is the next big thing with network security and open source. This tool is huge,
and will gain popularity fast. And with the help of this article, you can
finally install the system with fewer headaches than I incurred.