Packetfence is one of the most powerful network access control applications available. With this tool you can control who (what, and when) has access to your network. If you are concerned about network security, and you want the absolute most control, Packetfence is what you need.
This power comes with a price, that price being installation. Packetfence was built for the likes of Red Hat Enterprise Linux and CentOS, but that doesn't prevent it from being installed on Ubuntu. Unfortunately, installing Packetfence on Ubuntu is one of the single most challenging installation tasks I have ever attempted. After spending a weekend working out the process, I can finally bring to you an easy-to-follow (though time-consuming) guide to help you gain incredible control over your network.
I want to share with you the process of installing Packetfence on Ubuntu and then how it can be used from the command line to create a powerful network access control system.
Note, although Packetfence has an outstanding Web-based administration tool, getting it to work with Ubuntu (due to the use of apache2 over HTTP) has proved to be a bigger challenge than just getting the system installed. If you are working with Ubuntu 9.04 or earlier, you will be able to work with the Web-based system, but any release later than 9.04 and you are stuck with the command line.
I am going to be demonstrating the installation of Packetfence on Ubuntu 10.10. I am installing on a Desktop instance, but the same steps will hold true for a server installation. You will need to walk through the process of installing the numerous dependencies, all of the Perl modules, and then compiling and installing the actual Packetfence application. The Perl modules will take up the bulk of the installation time, so be prepared to type.
Installing the Dependencies
The very first thing you should do is open up a terminal window and run the command
sudo apt-get update
in order to make sure your sources are all up to date. Once you have done that you have two fairly lengthy commands to run. It's best if you just copy and paste these commands into your terminal window. The first command to run is:
sudo apt-get install build-essential apache2 apache2.2-common apache2-utils openssl openssl-blacklist openssl-blacklist-extra php-log snort mysql-server libapache2-mod-proxy-html libapache2-mod-php5 php-pear php5-mysql php5-gd
Depending upon what is already installed on your system, you may receive warnings that various packages are "already installed and up to date". That's fine, just okay the installation when prompted.
After the first command runs to completion, it's time to run the second command which will install as many of the Perl modules as possible. Some of these modules may not be found by apt-get, so they will have to be manually installed. The apt-get command to install the Perl modules is:
sudo apt-get install perl-suid libapache-htpasswd-perl libbit-vector-perl libcgi-session-serialize-yaml-perl libconfig-inifiles-perl libtimedate-perl libapache-dbi-perl libdbd-mysql-perl libfile-tail-perl libnetwork-ipv4addr-perl libiptables-parse-perl libiptables-chainmgr-perl liblist-moreutils-perl liblocale-gettext-perl liblog-log4perl-perl liblwp-useragent-determined-perl libnet-mac-vendor-perl libnet-mac-perl libnet-netmask-perl libnet-pcap-perl libnet-snmp-perl libsnmp-perl libnet-telnet-cisco-perl libparse-recdescent-perl libregexp-common-email-address-perl libregexp-common-time-perl libperl-critic-perl libreadonly-xs-perl libhtml-template-perl libterm-readkey-perl libtest-perl-critic-perl libtest-pod-perl libtest-pod-coverage-perl apache2-mpm-threadpool libthread-pool-simple-perl libuniversal-require-perl libuniversal-exports-perl libnet-rawip-perl libwww-perl
Finishing Up the Perl Modules
For any Perl module not installed using apt-get you will have to install with the CPAN tool. The CPAN tool is invoked through Perl like so:
sudo perl -MCPAN -e 'install MODULE'
Where MODULE is the name of the module you need to install. You can't, however, simply use the same names used in the apt-get installation. Instead you have to use the modules' Perl names:
Let's say, for example, the apt-get install was unable to install Apache::Htpasswd. In order to install this module using CPAN the command would be:
sudo perl -MCPAN -e 'install Apache::Htpasswd'
Each module installation process will vary. As a general rule you will have to okay various downloads and commands for each module installation. Now it's time to install Packetfence.
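The following helper is an added example (not part of the original article or of Packetfence itself): it maps a subset of the apt package names used above to the CPAN module names that perl -MCPAN expects, and prints the install command for every module perl cannot load, so you know exactly what still has to come from CPAN. The package-to-module pairs are my assumption about what those Debian packages provide.

```shell
#!/bin/sh
# Added helper, not from the original article or from PacketFence.
# Maps apt package names to the CPAN module names "perl -MCPAN" expects
# and prints an install command for each module perl cannot load.
# Assumption: these pairs are what the Debian packages provide; only a
# subset of the apt list above is covered here.
PKG_MODULES='
libapache-htpasswd-perl Apache::Htpasswd
libapache-dbi-perl Apache::DBI
libbit-vector-perl Bit::Vector
libconfig-inifiles-perl Config::IniFiles
libdbd-mysql-perl DBD::mysql
libfile-tail-perl File::Tail
liblist-moreutils-perl List::MoreUtils
liblog-log4perl-perl Log::Log4perl
libnet-netmask-perl Net::Netmask
libnet-snmp-perl Net::SNMP
libnet-telnet-cisco-perl Net::Telnet::Cisco
libparse-recdescent-perl Parse::RecDescent
libhtml-template-perl HTML::Template
libwww-perl LWP
'

# cpan_name PKG: print the CPAN module name for an apt package, nothing if unknown.
cpan_name() {
    printf '%s\n' "$PKG_MODULES" | awk -v p="$1" '$1 == p { print $2 }'
}

# module_present MODULE: succeed only if perl can load MODULE.
module_present() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# missing_modules: print one "perl -MCPAN" install command per module that
# is not loadable, ready to paste into the terminal.
missing_modules() {
    printf '%s\n' "$PKG_MODULES" | while read -r pkg mod; do
        [ -n "$mod" ] || continue
        module_present "$mod" || printf "sudo perl -MCPAN -e 'install %s'\n" "$mod"
    done
}

# Run the check only when perl is on the PATH (it is once the apt step above
# has been done); the functions can be sourced regardless.
if command -v perl >/dev/null 2>&1; then
    missing_modules
fi
```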
Now we get to the fun part. The first step here is to download the source for Packetfence. Make sure you download the latest release. With the file downloaded, move it to the /usr/local/ directory (you will need to use sudo to do this). Before you get to the unpacking and installation process, there is one thing to be aware of. Although the installation process includes the routines for creating the necessary MySQL database, I have found this can fail. You should try the default install process first and, if that fails to complete, use this simple workaround: should the install fail on the database for you, use a tool like MySQL Workbench to create the pf database. For more information on MySQL Workbench see "Get to Know MySQL Workbench". Once the database has been created you can start the installation process.
With the packetfence archive in /usr/local/, change to that directory and issue the command
sudo tar -xvzf packetfence-XXX.tar.gz
(where XXX is the release number), which will create the new directory /usr/local/pf. Change into that newly created directory and then issue the command
sudo ./installer.pl
This installation process will require you to accept a license and then enter the details for the database as well as the admin user. It is one of the more straightforward components of the installation and will not take long to complete.
When this process does complete you will then need to run the configuration tool by issuing the command
sudo ./configurator.pl
This section of the installation actually configures your Packetfence installation. You will need to walk through the following steps:
- Select if this will be a template or custom setup (I highly recommend selecting template for your first attempt).
- The type of template you want to use (there are two types - ARP and VLAN - for Testing, Registration, Registration/Detection, and more). For your first installation select a Testing mode only.
- DNS Domain Name. Enter the domain name for your network.
- Host name. This is the host name of the machine Packetfence is installed on.
- DNS Servers. The DNS servers for your network.
- DHCP Server. The DHCP server for your network.
- Management interface. This is the network interface used for management purposes.
- IP Address. This is the IP address of the machine Packetfence is installed on.
- Netmask. The netmask for your network.
- Gateway. The gateway address for your network.
- Trapping configuration. The network device for network trapping.
- Alerting configuration. The email address alerts should be sent to.
- SMTP relay. The address to use as the SMTP relay. The default is localhost and should work fine.
- Database configuration. The location of the MySQL server, MySQL port, database name, database username, database username password.
That's it. Packetfence is now installed...but not ready. There is one Apache issue that must be fixed.
Changing Apache Configuration
By default Packetfence will assume that the Apache daemon is in /usr/sbin/httpd. In Ubuntu, however, that daemon is actually /usr/sbin/apache2. To overcome this you need to replace the /usr/local/pf/lib/services.pm file with this file. Make a backup of the original services.pm file before you move the new file into its place. After you have that file in place, there are two more changes that must be made.
In your terminal window open up the file /usr/local/pf/conf/pf.conf and add the following to the bottom of the file:
The final change is to replace the Packetfence Apache configuration file with one that is meant for Apache2. To do this issue the following commands:
sudo mv /usr/local/pf/conf/templates/httpd.conf /usr/local/pf/conf/templates/httpd.conf.BAK
sudo mv /usr/local/pf/conf/templates/httpd.conf.apache22 /usr/local/pf/conf/templates/httpd.conf
You are now ready to test your installation.
Now that everything is installed, let's test Packetfence out. The first step is to start the system by issuing the command:
sudo /usr/local/pf/bin/pfcmd service pf start
You should see a number of services start at the command line. After they have all started, you can now see if all of the machines on your network are seen by Packetfence with the command:
sudo /usr/local/pf/bin/pfcmd node view all
The above command will output a listing for each machine on your network like so:
00:1c:25:32:13:8b|1|2010-12-03 14:08:01||||unreg||JACK-PC||2010-12-06 15:32:27|2010-12-06 15:24:03||||1,15,3,6,44,46,47,31,33,121,249,43|0
What's important in the above output is the unreg entry. This means the machine has not been registered with Packetfence. To register the machine you must edit the entry like so:
sudo /usr/local/pf/bin/pfcmd node edit MAC_ADDRESS status="reg", pid=1
Where MAC_ADDRESS is the actual MAC address of the machine (taken from the output of the previous command).
You can set up Packetfence to only allow registered users to be able to use your network. To do this you need to edit the pf.conf file. But before you enable registering, make sure you actually register things like routers, switches, and such. If you do not do this first, you might not have access to your network because the routers and switches will not be registered and will, therefore, not be able to use the network.
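As an added example (not from the original article), the script below parses the pipe-delimited output of pfcmd node view all shown above, lists every node still in unreg status, and prints the registration commands with your infrastructure devices first, so nothing gets locked out when registration is enforced. It assumes column 1 is the MAC and column 7 the status, as in the sample line above; the node listing and the infrastructure MAC are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: parse "pfcmd node view all"
# output, list nodes still in "unreg" status and print the registration
# commands, infrastructure devices first.
# Assumptions: column 1 is the MAC and column 7 the status, as in the
# sample line in the article; the listing below is constructed.
NODE_VIEW='00:1c:25:32:13:8b|1|2010-12-03 14:08:01||||unreg||JACK-PC||2010-12-06 15:32:27|2010-12-06 15:24:03||||1,15,3,6,44,46,47,31,33,121,249,43|0
00:11:22:33:44:55|1|2010-12-01 09:00:00|2010-12-01 09:05:00|||reg||CORE-SWITCH||2010-12-06 15:30:00|||||0
00:aa:bb:cc:dd:ee|1|2010-12-05 11:20:00||||unreg||EDGE-ROUTER||2010-12-06 15:31:10|||||0'

# MACs of your own routers and switches (constructed); register these before
# enforcing registration or the infrastructure itself loses network access.
INFRA_MACS='00:aa:bb:cc:dd:ee'

# unregistered_macs: print the MAC of every node whose status column is "unreg".
unregistered_macs() {
    printf '%s\n' "$NODE_VIEW" | awk -F'|' '$7 == "unreg" { print $1 }'
}

# register_cmd MAC: print the pfcmd command from the article for one MAC, and
# refuse anything that does not look like a colon-separated MAC address.
register_cmd() {
    if printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        printf 'sudo /usr/local/pf/bin/pfcmd node edit %s status="reg", pid=1\n' "$1"
    else
        printf 'skipping invalid MAC: %s\n' "$1" >&2
        return 1
    fi
}

# registration_plan: infrastructure MACs first, then the remaining unregistered
# nodes, skipping any infrastructure MAC that was already emitted.
registration_plan() {
    for mac in $INFRA_MACS; do
        register_cmd "$mac"
    done
    for mac in $(unregistered_macs); do
        case " $INFRA_MACS " in *" $mac "*) continue ;; esac
        register_cmd "$mac"
    done
}

registration_plan
```

To use it against a live system, replace NODE_VIEW with the real output (for example NODE_VIEW="$(sudo /usr/local/pf/bin/pfcmd node view all)") and review the printed commands before running them.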
Once you've registered your devices, open up the /usr/local/pf/conf/pf.conf file and add the following:
[trapping]
testing=disabled
detection=disabled
[registration]
aup=disabled
auth=local
Once you have that in place, restart Packetfence and you should find that all machines that are not registered will not be able to access the network.
Packetfence is a vast and powerful tool that can help you gain very granular control over your network. We have only scratched the surface of its power here. In my next article on the subject, we'll look at how the Web interface can make this entire process much, much easier.