The Inverse team is proud to announce that PacketFence now fully supports hostapd. This makes commodity equipment such has Ubiquity, Linksys and others fully interoperable with PacketFence using the out-of-band enforcement mode.
PacketFence now fully supports hostapd-based equipment. That means that equipment running standard Linux distributions, OpenWRT, DD-WRT and others using hostapd can now act as fully managed access points with PacketFence - using the out-of-band (VLAN) mode. This breakthrough allows the deployment of large-scale secured BYOD solutions using inexpensive yet reliable equipment - together with one of the best NAC solution available!
Stay tuned because Inverse will soon distribute custom firmware builds of OpenWRT ready to be used with PacketFence.
In the meantime, the instructions below can be used.
Hostapd is included in the OpenWRT firmware. To support PacketFence you will need to install the wpad package with dynamic VLAN support and make changes in the uci configuration file. Everything is covered below.
In order to install OpenWRT, download the latest firmware from the OpenWRT website. You will also soon be able to download one provided by Inverse for your specific access point.
Once the firmware has been installed, you can connect to the access point (192.168.1.1) using telnet. No password is required.
The first thing to do is to set a password for the root account (passwd root). Now you should be able to connect to the access point over ssh.
opkg install luci uhttpd
To support dynamic VLAN assignment you need to install a special version of wpad available from this web site:
http://rpc.one.pl/pliki/openwrt/backfire/10.03.x/atheros/hostapd/wpad_20100418-1-rpc_ar71xx.ipk
From the luci web GUI, go in System -> Software -> Download and install package, type in the link above and click Ok.
Finally, create the /etc/config/hostapd.vlan file with the following content:
wlan0.#</pre>
In the Inverse firmware image that will soon be available, this change will be done but if you use a firmware from the OpenWRT website, then you need to replace the /lib/wifi/hostapd.sh script file with the one included in the development version of PacketFence.
uci add_list wireless.@wifi-iface[0]=wifi-iface uci add_list wireless.@wifi-iface[0].device=radio0 uci add_list wireless.@wifi-iface[0].mode=ap uci add_list wireless.@wifi-iface[0].ssid=OpenWrt-OPEN uci add_list wireless.@wifi-iface[0].network=lan uci add_list wireless.@wifi-iface[0].encryption=none uci add_list wireless.@wifi-iface[0].auth_server=192.168.1.10 uci add_list wireless.@wifi-iface[0].auth_port=1812 uci add_list wireless.@wifi-iface[0].auth_secret=s3cr3t uci add_list wireless.@wifi-iface[0].dynamic_vlan=2 uci add_list wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan uci add_list wireless.@wifi-iface[0].vlan_tagged_interface=eth0 uci add_list wireless.@wifi-iface[0].radius_das_port=3799 uci add_list wireless.@wifi-iface[0].radius_das_client=192.168.1.10 s3cr3t uci add_list wireless.@wifi-iface[0].macfilter=2
uci add_list wireless.@wifi-iface[0]=wifi-iface uci add_list wireless.@wifi-iface[0].device=radio0 uci add_list wireless.@wifi-iface[0].mode=ap uci add_list wireless.@wifi-iface[0].ssid=OpenWrt-SECURE uci add_list wireless.@wifi-iface[0].network=lan uci add_list wireless.@wifi-iface[0].auth_server=192.168.1.10 uci add_list wireless.@wifi-iface[0].auth_port=1812 uci add_list wireless.@wifi-iface[0].auth_secret=s3cr3t uci add_list wireless.@wifi-iface[0].dynamic_vlan=2 uci add_list wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan uci add_list wireless.@wifi-iface[0].vlan_tagged_interface=eth0 uci add_list wireless.@wifi-iface[0].radius_das_port=3799 uci add_list wireless.@wifi-iface[0].radius_das_client=192.168.1.10 s3cr3t uci add_list wireless.@wifi-iface[0].encryption=wpa2 uci add_list wireless.@wifi-iface[0].acct_server=192.168.1.10 uci add_list wireless.@wifi-iface[0].acct_port=1813 uci add_list wireless.@wifi-iface[0].acct_secret=s3cr3t uci add_list wireless.@wifi-iface[0].nasid=ubiquiti
Note that you currently need to use the nightly builds of PacketFence to use this feature - which is upcoming in the 4.0.3 version.
Back to 2013