Overview

PacketFence is a fully supported, trusted, free and open source network access control (NAC) solution. Its feature set includes a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner. PacketFence can be used to effectively secure networks from small ones to very large heterogeneous networks.

Components Architecture

Network Architecture

Enforcement

Out-of-band Deployment

PacketFence's operation is completely out-of-band, which allows the solution to scale geographically and to be more resilient to failures. When using the right technology (such as port security), a single PacketFence server can secure hundreds of switches and the many thousands of nodes connected to them.

Inline Deployment

While out-of-band is the preferred way of deploying PacketFence, an inline mode is also supported for unmanageable wired or wireless equipment. Deploying PacketFence using the inline mode can also be accomplished in minutes! Note also that the inline mode can coexist very well together with an out-of-band deployment.

Authentication & Registration

802.1X Support

Wireless and wired 802.1X is supported through a FreeRADIUS module which is included in PacketFence. PEAP-TLS, EAP-PEAP and many more EAP mechanisms can be used.

Registration of Devices

PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Unlike most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Wireless Integration

PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing access point (AP) vendors and wireless controllers is supported.

Voice over IP (VoIP) Support

Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).

Compliance

Detection of Abnormal Network Activities

Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort, Suricata or commercial sensors. Content inspection is also possible with Suricata, and can be combined with malware hash databases such as OPSWAT Metadefender. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Windows Management Instrumentation (WMI)

WMI support in PacketFence allows an administrator to perform audits, execute commands and more on any domain-joined Windows computer. For example, PacketFence can verify whether unauthorized software is installed and/or running before granting network access.

Statement of Health

While performing an 802.1X user authentication, PacketFence can perform a complete posture assessment of the connecting device using the TNC Statement of Health protocol. For example, PacketFence can verify whether an antivirus is installed and up-to-date, whether all operating system patches are applied and much more - all without any agent installed on the endpoint device!

Proactive Vulnerability Scans

Nessus or OpenVAS vulnerability scans can be performed upon registration, on a schedule or on an ad-hoc basis. PacketFence correlates the Nessus/OpenVAS vulnerability IDs of each scan with the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Security Agents

PacketFence integrates with security agent solutions such as OPSWAT Metadefender Endpoint Management, Symantec SEPM and others. PacketFence can make sure the agent is always installed before granting network access. It can also check the endpoint's posture and isolate it from any other endpoints if non-compliant.

Remediation Through a Captive Portal

Once a device is trapped, all of its network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user is presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Isolation of Problematic Devices

PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Administration

Command-line and Web-based Management

Both web-based and command-line interfaces are available for all management tasks. The web-based administration supports different permission levels for users and can authenticate users against LDAP or Microsoft Active Directory.

Advanced Features

In the following text, node is used to mean a network-aware device that is controlled and monitored by PacketFence. It can be a PC, a laptop, a printer, an IP phone, etc.

Flexible VLAN Management and Role-Based Access Control

The solution is built around the concept of network isolation through VLAN assignment. For more details on how this works, see the Technical Introduction page. Through years of experience and many deployments, the VLAN management of PacketFence has grown very flexible. Your VLAN topology can be kept as it is: only two new VLANs need to be added throughout your network, the registration VLAN and the isolation VLAN. Moreover, PacketFence can also make use of the role support offered by many equipment vendors.

VLANs and roles can be assigned using any of the following means:

  • Per switch (default for VLAN)
  • Per client category (default for roles)
  • Per client
  • Using any arbitrary decision (if you use our Perl extension points)

Also, the per-switch method can be combined with the others. For example, with a default PacketFence setup, a VLAN or a role can be assigned to your printers and your PCs (if categorized properly) based on what equipment they are connected to. This means that you can easily have per-building, per-device-type VLANs.

Guest Access - Bring Your Own Device (BYOD)

Portal Profiles

More Built-in Violation Types

Automatic Registration

PKI and EAP-TLS Support

Expiration

Device Management

Firewall Integration

Bandwidth Accounting

Floating Network Devices

Flexible Authentication

Microsoft Active Directory Integration

Routed Networks

Gradual Deployment

Pass-Through

High-Availability

Supported Hardware

Standards-Based

Extensible / Easily Customizable

Something is Missing?

If something you require for Network Access Control is not on this list, first check whether it is on our roadmap. Otherwise, there is a good chance that someone in the community has already done what you are looking for, so engage with the community and send an email to the packetfence-users mailing list. Nobody has tried or wanted that feature? If you know Perl you can try to implement it yourself, or you can sponsor the development of the feature.

Introduction to VLAN assignment techniques

VLAN assignment is currently performed using several different techniques. These techniques are compatible with one another, but not on the same switch port. This means that you can use the more secure and modern techniques on your latest switches and another technique on older switches that do not support them. As its name implies, VLAN assignment means that PacketFence is the server that assigns the VLAN to a device. This VLAN can be one of your VLANs, or it can be a special VLAN where PacketFence acts as the DHCP/DNS/HTTP server and runs the captive portal.

Compared to PacketFence's legacy modes of operation (ARP and DHCP), VLAN assignment isolates your hosts at OSI layer 2. This makes it the trickiest method to bypass and the one that adapts best to your environment, since it fits into your current VLAN assignment methodology.

Wired: 802.1X + MAC Authentication Bypass (MAB)

802.1X provides port-based authentication, which involves communications between a supplicant, authenticator (known as NAS), and authentication server (known as AAA). The supplicant is often software on a client device, such as a laptop, the authenticator is a wired Ethernet switch or wireless access point, and the authentication server is generally a RADIUS database.

The supplicant (i.e., the client device) is not allowed access through the authenticator to the network until the supplicant's identity is authorized. With 802.1X port-based authentication, the supplicant provides credentials, such as a user name and password or a digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (present in the authentication server database), the supplicant (client device) is allowed to access the network. The protocol used for authentication is the Extensible Authentication Protocol (EAP), which has many variants. Both the supplicant and the authentication server need to speak the same EAP method. Popular ones include EAP-MD5, PEAP-MSCHAPv2 (used by Windows for authentication against Active Directory) and EAP-TLS.

In this context, PacketFence runs the authentication server (a FreeRADIUS instance) and returns the appropriate VLAN to the switch. A module that integrates into FreeRADIUS makes a remote call to the PacketFence server to obtain that information. More and more devices ship with an 802.1X supplicant, which makes this approach increasingly popular.

MAC authentication bypass (MAB) is a newer mechanism introduced by some switch vendors to handle the cases where an 802.1X supplicant does not exist. After a timeout period, the switch stops trying to perform 802.1X and falls back to MAB. It has the advantage of using the same approach as 802.1X, except that the MAC address is sent instead of the user name and there is no end-to-end EAP conversation (so no strong authentication). Using MAB, devices like network printers or non-802.1X-capable IP telephones (IPT) can still gain access to the network and to the right VLAN.
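Dynamic VLAN assignment works by returning the RADIUS tunnel attributes of RFC 2868 (as applied to 802.1X by RFC 3580) in the Access-Accept. The following Python is an added example, not PacketFence or FreeRADIUS code: it encodes the three tagged attributes for a VLAN and shows the check a switch or access point performs before honouring them; the VLAN number and tag value are constructed sample values.

```python
"""Encode and interpret the RADIUS attributes used for dynamic VLAN assignment
(RFC 2868 tunnel attributes, VLAN usage per RFC 3580).

Added example, not PacketFence code: the attribute builder and the sample
VLAN are constructed for illustration."""
import struct

# RFC 2868 attribute types and the values RFC 3580 prescribes for VLANs
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID (or name) as a string
VLAN, IEEE_802 = 13, 6


def tagged_int(attr_type, tag, value):
    """Tagged integer: Type, Length, Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value <= 0xFFFFFF:
        raise ValueError("tag must be 0..31 and value must fit in 24 bits")
    body = bytes([tag]) + struct.pack(">I", value)[1:]
    return bytes([attr_type, 2 + len(body)]) + body


def tagged_string(attr_type, tag, value):
    """Tagged string: Type, Length, Tag, then the string octets."""
    data = value.encode("ascii")
    if not 0 <= tag <= 0x1F or len(data) > 252:
        raise ValueError("bad tag or attribute value too long")
    return bytes([attr_type, 3 + len(data), tag]) + data


def vlan_assignment_attrs(vlan_id, tag=1):
    """The three attributes a NAS needs to place the port or station in vlan_id.
    The same tag on all three ties them together as one tunnel description."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (tagged_int(TUNNEL_TYPE, tag, VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attrs(data):
    """Walk a RADIUS attribute list into (type, value_bytes) pairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(attrs):
    """What a NAS does: group tunnel attributes by tag and accept a VLAN only when
    that tag's Tunnel-Type is VLAN and Tunnel-Medium-Type is IEEE-802."""
    groups = {}
    for t, v in parse_attrs(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            groups.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string
            tag, s = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups.setdefault(tag, {})[t] = s.decode("ascii", "replace")
    for g in groups.values():
        vid = g.get(TUNNEL_PRIVATE_GROUP_ID, "")
        if g.get(TUNNEL_TYPE) == VLAN and g.get(TUNNEL_MEDIUM_TYPE) == IEEE_802 and vid.isdigit():
            return int(vid)
    return None
```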

Right now this integration is not as pleasant as it could be, since it involves manual modification of our FreeRADIUS module, but our latest unreleased code already handles 802.1X + MAB from the PacketFence main configuration. If you are adventurous, feel free to try it out.

Using SNMP Traps

All switch ports on which VLAN isolation should be done must be configured to send SNMP traps to the PacketFence host. On PacketFence, we use snmptrapd as the SNMP trap receiver. As it receives traps, it reformats them and writes them into a flat file: /usr/local/pf/logs/snmptrapd.log. The multithreaded pfsetvlan daemon reads these traps from the flat file and responds to them by setting the switch port to the correct VLAN. Depending on your switches' capabilities, pfsetvlan acts on different types of SNMP traps. You need to create a registration VLAN (with a DHCP server, but no routing to other VLANs) in which PacketFence will put unregistered devices. If you want to isolate computers with open violations in a separate VLAN, an isolation VLAN also needs to be created.

Link Change Traps

This is the most basic setup and it needs a third VLAN: the MAC detection VLAN. There should be nothing in this VLAN (no DHCP server) and it should not be routed anywhere; it is just an empty VLAN. When a host connects to a switch port, the switch sends a linkUp trap to PacketFence. Since it takes some time before the switch learns the MAC address of the newly connected device, PacketFence immediately puts the port in the MAC detection VLAN, in which the device will send DHCP requests (with no answer) so that the switch learns its MAC address. pfsetvlan then sends periodic SNMP queries to the switch until the switch has learned the MAC of the device. When the MAC address is known, pfsetvlan checks its status in the database (does it exist? is it registered? does it have open violations?) and puts the port in the appropriate VLAN.

When a device is unplugged, the switch sends a linkDown trap to PacketFence, which puts the port back into the MAC detection VLAN. When a computer boots, the initialization of the NIC generates several link status changes, and each time the switch sends a linkUp and a linkDown trap to PacketFence. Since PacketFence has to act on each of these traps, this unfortunately generates unnecessary load on pfsetvlan. To optimize trap treatment, PacketFence stops every thread handling a linkUp trap when it receives a linkDown trap for the same port. Still, using only linkUp/linkDown traps is not the most scalable option. For example, after a power failure, if hundreds of computers boot at the same time, PacketFence would receive a lot of traps almost instantly, and this could result in network connection latency.

MAC notification traps

If your switches support MAC notification traps (MAC learnt, MAC removed), we suggest that you activate them in addition to the linkUp/linkDown traps. This way, pfsetvlan does not need to query the switch continuously after a linkUp trap until the MAC has finally been learned. When it receives a linkUp trap for a port on which MAC notification traps are also enabled, it only needs to put the port in the MAC detection VLAN and can then free the thread. When the switch learns the MAC address of the device, it sends a MAC learnt trap (containing the MAC address) to PacketFence.

Port Security Traps

In its most basic form, the Port Security feature remembers the MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will not allow it and send a port-security trap.

If your switches support this feature, we strongly recommend using it rather than linkUp/linkDown and/or MAC notification traps. Why? Because as long as a MAC address is authorized on a port and is the only one connected, the switch sends no trap whether the device reboots, plugs in or unplugs. This drastically reduces the SNMP interactions between the switches and PacketFence.

When you enable port security traps you should not enable linkUp/linkDown nor MAC notification traps.
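To make the trap handling concrete, here is an added Python model (not pfsetvlan's code) of the decisions described in this section: linkUp puts the port in the MAC detection VLAN, linkDown cancels pending linkUp work on the same port, and a MAC notification or port-security trap resolves the MAC against the node database to pick the registration, isolation or normal VLAN. The trap line format, the node database, switch names, MACs and VLAN numbers are all constructed for the example; real snmptrapd.log lines look different.

```python
"""Trap-driven VLAN decisions for a switch port, modelled on the behaviour the
text describes for pfsetvlan.

Added example, not PacketFence code. Trap line format, node database and all
names/addresses/VLAN numbers are constructed."""
import re
from dataclasses import dataclass

MAC_DETECTION_VLAN, REGISTRATION_VLAN, ISOLATION_VLAN = 4, 2, 3

# Constructed trap lines: "<switch> <ifIndex> <trap> [<mac>]"
SAMPLE_TRAPS = """\
sw1 10 linkUp
sw1 10 linkDown
sw1 10 linkUp
sw1 10 macLearnt 00:11:22:33:44:55
sw1 11 linkUp
sw1 11 macLearnt aa:bb:cc:dd:ee:ff
sw1 12 portSecurity 00:de:ad:be:ef:01
sw1 10 linkDown
"""

# Constructed node database: MAC -> (registered?, open violations, normal VLAN)
NODE_DB = {
    "00:11:22:33:44:55": (True, 0, 100),
    "aa:bb:cc:dd:ee:ff": (True, 2, 100),
}

TRAP_RE = re.compile(
    r"^(\S+) (\d+) (linkUp|linkDown|macLearnt|portSecurity)(?: ([0-9a-f:]{17}))?$")


def vlan_for_mac(mac):
    """The status check from the text: does the node exist? is it registered?
    does it have open violations? Unknown and unregistered nodes go to the
    registration VLAN, nodes with violations to the isolation VLAN."""
    node = NODE_DB.get(mac)
    if node is None or not node[0]:
        return REGISTRATION_VLAN
    _registered, violations, normal_vlan = node
    return ISOLATION_VLAN if violations else normal_vlan


@dataclass
class PortState:
    vlan: int = MAC_DETECTION_VLAN
    pending_linkup: bool = False  # stands in for the thread polling the switch for the MAC


def process_traps(text):
    """Replay trap lines; return the final VLAN per (switch, port) and the actions taken."""
    ports, actions = {}, []
    for line in text.splitlines():
        m = TRAP_RE.match(line)
        if not m:
            actions.append(("ignored", line))
            continue
        switch, port, trap, mac = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        state = ports.setdefault((switch, port), PortState())
        if trap == "linkUp":
            # MAC not yet known: park the port where it can only emit DHCP requests
            state.vlan, state.pending_linkup = MAC_DETECTION_VLAN, True
            actions.append(("mac-detection", switch, port))
        elif trap == "linkDown":
            # Cancel the outstanding linkUp work for this port, then park it again
            state.vlan, state.pending_linkup = MAC_DETECTION_VLAN, False
            actions.append(("cancel-and-mac-detection", switch, port))
        else:  # macLearnt or portSecurity: the MAC is in the trap, decide immediately
            state.vlan, state.pending_linkup = vlan_for_mac(mac), False
            actions.append(("set-vlan", switch, port, state.vlan))
    return {k: v.vlan for k, v in ports.items()}, actions
```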

Introduction to Wireless Integration

Wireless 802.1X works pretty much like wired 802.1X, and MAC authentication is like MAB. Where things change is that 802.1X is also used to set up the security keys for encrypted communication (WPA2-Enterprise), while MAC authentication is only used to allow or disallow a MAC address on the wireless network.

PacketFence integrates very well with wireless networks. As with its wired counterpart, the switch, a wireless access point (AP) or wireless controller needs to implement some specific features in order for the integration to work perfectly. In particular, the access point or controller needs to support:

  • several SSIDs with several VLANs (at least 2) inside each SSID
  • authentication against a RADIUS server
  • dynamic VLAN assignment (through RADIUS attributes)
  • the deauthentication of an associated station
  • a means to de-associate or de-authenticate a client through the CLI (telnet or SSH), SNMP, RADIUS Dynamic Authorization or web services

Most of these features work out of the box on enterprise grade access points or wireless controllers. Where the situation starts to vary is for de-authentication support.

CLI-based de-authentication (SSH or telnet) is error-prone: SSH access requires preparation, and telnet is insecure. It is generally not recommended. SNMP de-authentication works well when available; however, vendor support is inconsistent and the OIDs to use are not standard. RADIUS Dynamic Authorization (RFC 3576), also known as RADIUS Change of Authorization (CoA) or RADIUS Disconnect Messages, is supported by PacketFence starting with version 3.1. When supported, it is the preferred technique to perform de-authentication: it is standard and requires less configuration.
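The following Python is an added example (not PacketFence code) of the RFC 3576 / RFC 5176 exchange just described: it builds a Disconnect-Request that identifies the station by Calling-Station-Id and checks the Response Authenticator on the NAS's Disconnect-ACK or Disconnect-NAK, so a forged or corrupted reply is not trusted. The shared secret, NAS-Identifier, MAC address and packet identifier are constructed sample values.

```python
"""RADIUS Dynamic Authorization (RFC 3576, revised as RFC 5176) de-authentication:
Disconnect-Request from the NAC server and validation of the NAS's reply.

Added example, not PacketFence code. Secret, NAS-Identifier, MAC and packet
identifier passed in by the caller are constructed sample values."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, NAS_IDENTIFIER, ERROR_CAUSE = 31, 32, 101
SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value


def attr(attr_type, value):
    """Type, Length (including the two header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def header(code, identifier, attrs):
    """Code, Identifier, Length covering the 20-octet header plus attributes."""
    return struct.pack(">BBH", code, identifier, 20 + len(attrs))


def request_authenticator(code, identifier, attrs, secret):
    """RFC 5176 s2.3: MD5 over the header, 16 zero octets in place of the
    authenticator, the attributes and the shared secret (as in RFC 2866)."""
    return hashlib.md5(header(code, identifier, attrs) + bytes(16) + attrs + secret).digest()


def response_authenticator(code, identifier, attrs, req_auth, secret):
    """MD5 over the reply header, the *request's* authenticator, the reply
    attributes and the shared secret."""
    return hashlib.md5(header(code, identifier, attrs) + req_auth + attrs + secret).digest()


def disconnect_request(mac, nas_id, secret, identifier):
    """Disconnect-Request that identifies the session by the client MAC."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
    auth = request_authenticator(DISCONNECT_REQUEST, identifier, attrs, secret)
    return header(DISCONNECT_REQUEST, identifier, attrs) + auth + attrs


def check_response(request, response, secret):
    """Return 'ack' or 'nak' for a reply that matches our request and carries a
    valid Response Authenticator; None otherwise (bad length, identifier
    mismatch, unexpected code, wrong authenticator)."""
    if len(response) < 20 or struct.unpack(">H", response[2:4])[0] != len(response):
        return None
    code, identifier = response[0], response[1]
    if identifier != request[1] or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return None
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return "ack" if code == DISCONNECT_ACK else "nak"


def simulated_nas_reply(request, secret, found=True):
    """What a NAS answers; constructed here so the example runs without a network."""
    code = DISCONNECT_ACK if found else DISCONNECT_NAK
    attrs = b"" if found else attr(ERROR_CAUSE, struct.pack(">I", SESSION_CONTEXT_NOT_FOUND))
    auth = response_authenticator(code, request[1], attrs, request[4:20], secret)
    return header(code, request[1], attrs) + auth + attrs
```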

Finally, two SSIDs can be configured on the AP, the first one reserved for visitors and unregistered clients. In this SSID, communications are not encrypted and users connect either to the registration VLAN or to the guest VLAN (depending on their registration status). Users can register and get assistance configuring their access to the secure SSID through the captive portal, which requires authentication and runs over HTTPS. The second SSID provides encrypted communications for registered users.

Supported network devices

The following tables detail the wired and wireless equipment supported by PacketFence. This list is the most up-to-date one. Note that generally all wired switches supporting MAC authentication and/or 802.1X with RADIUS can be supported by PacketFence.

Bugs and limitations of the various modules can be found in the Network Devices documentation.

Wired support

Switch                        | SNMP | MAC Auth | 802.1X | Web Auth
-------------------------------------------------------------------
3COM NJ220                    | SNMP | -        | -      | -
3COM SS4200                   | SNMP | -        | -      | -
3COM SS4500                   | SNMP | -        | -      | -
3COM 4200G                    | SNMP | MAC Auth | 802.1X | -
3COM E4800G                   | SNMP | MAC Auth | 802.1X | -
3COM E5500G                   | SNMP | MAC Auth | 802.1X | -
Accton ES3526XA               | SNMP | -        | -      | -
Accton ES3528M                | SNMP | -        | -      | -
Alcatel-Lucent 6250/5450/6860 | -    | MAC Auth | 802.1X | -
Allied Telesis AT8000GS       | -    | MAC Auth | 802.1X | -
Amer SS2R24i                  | SNMP | -        | -      | -
Avaya (see Nortel)            | SNMP | -        | -      | -
Brocade ICX64XX               | -    | MAC Auth | 802.1X | -
Brocade ICX66XX               | -    | MAC Auth | 802.1X | -
Brocade FastIron 4802         | SNMP | -        | -      | -
Brocade FCXXXXX               | -    | MAC Auth | 802.1X | -
Brocade FI-SXXXX              | -    | MAC Auth | 802.1X | -
Cisco Catalyst IOS XE         | -    | MAC Auth | 802.1X | -
Cisco 2900XL                  | SNMP | -        | -      | -
Cisco 2950                    | SNMP | -        | 802.1X | -
Cisco 2960 / 2970             | SNMP | MAC Auth | 802.1X | Web Auth
Cisco 3500XL Series           | SNMP | -        | -      | -
Cisco 3550                    | SNMP | MAC Auth | 802.1X | -
Cisco 3560                    | SNMP | MAC Auth | 802.1X | Web Auth
Cisco 3750                    | SNMP | MAC Auth | 802.1X | Web Auth
Cisco 4500                    | SNMP | MAC Auth | 802.1X | Web Auth
Cisco 6500                    | SNMP | MAC Auth | 802.1X | Web Auth
Cisco ISR 1800 Series         | SNMP | -        | -      | -
Cisco IOS XE (all switches)   | -    | MAC Auth | 802.1X | Web Auth
Dell PowerConnect 3424        | SNMP | -        | -      | -
Dell/Force 10                 | -    | MAC Auth | 802.1X | -
D-Link DES3526                | SNMP | -        | -      | -
D-Link DES3550                | SNMP | -        | -      | -
D-Link DGS3100                | -    | MAC Auth | 802.1X | -
D-Link DGS3200                | -    | MAC Auth | 802.1X | -
Edge-corE 4510                | -    | MAC Auth | -      | -
Enterasys D2                  | SNMP | MAC Auth | -      | -
Enterasys Matrix N3           | SNMP | -        | -      | -
Enterasys SecureStack C2      | SNMP | -        | -      | -
Enterasys SecureStack C3      | SNMP | -        | -      | -
Extreme Networks Summit (XOS) | SNMP | MAC Auth | 802.1X | -
Extreme Networks EAS          | -    | MAC Auth | 802.1X | -
HP E4800G                     | SNMP | MAC Auth | 802.1X | -
HP E5500G                     | SNMP | MAC Auth | 802.1X | -
HP Procurve 2500 Series       | SNMP | MAC Auth | 802.1X | -
HP Procurve 2600 Series       | SNMP | MAC Auth | 802.1X | -
HP Procurve 2920 Series       | -    | MAC Auth | 802.1X | -
HP Procurve 3400cl Series     | SNMP | -        | -      | -
HP Procurve 4100 Series       | SNMP | -        | -      | -
HP Procurve 5300 Series       | SNMP | MAC Auth | 802.1X | -
HP Procurve 5400 Series       | SNMP | MAC Auth | 802.1X | -
HP/H3C S5120                  | -    | MAC Auth | 802.1X | -
Huawei S2700                  | -    | MAC Auth | 802.1X | -
Huawei S3700                  | -    | MAC Auth | 802.1X | -
Huawei S5700                  | -    | MAC Auth | 802.1X | -
Huawei S6700                  | -    | MAC Auth | 802.1X | -
Huawei S7700                  | -    | MAC Auth | 802.1X | -
Huawei S9700                  | -    | MAC Auth | 802.1X | -
IBM/Lenovo StackSwitch G8052  | -    | -        | 802.1X | -
Intel Express 460             | SNMP | -        | -      | -
Intel Express 530             | SNMP | -        | -      | -
Juniper Networks EX Series    | -    | MAC Auth | 802.1X | -
LG iPecs Series               | SNMP | MAC Auth | 802.1X | -
Linksys SRW224G4              | SNMP | -        | -      | -
Netgear FGS Series            | SNMP | -        | -      | -
Nortel BayStack 470           | SNMP | -        | -      | -
Nortel BayStack 4550          | SNMP | -        | -      | -
Nortel BayStack 5500 Series   | SNMP | -        | -      | -
Nortel ERS 2500 Series        | SNMP | -        | -      | -
Nortel ERS 4000 Series        | -    | MAC Auth | -      | -
Nortel ERS 4500 Series        | SNMP | -        | -      | -
Nortel ERS 5500 Series        | SNMP | -        | -      | -
Nortel ES325                  | SNMP | -        | -      | -
Nortel BPS2000                | SNMP | -        | -      | -
SMC TS6128L2                  | SNMP | -        | -      | -
SMC TS6224M                   | SNMP | -        | -      | -
SMC SMC8824M - SMC8848M       | SNMP | -        | -      | -

Wireless Support

There are two approaches to wireless networks: one where a controller handles the access points (APs), and one where APs act individually. PacketFence supports both approaches.

Wireless Controllers

When using a controller, it does not matter to PacketFence which individual APs are supported. As long as the AP itself is supported by your controller and your controller is supported by PacketFence, it will work fine.

PacketFence supports the following wireless controllers:

Controller                                                    | MAC Auth | 802.1X | Web Auth
--------------------------------------------------------------------------------------------
AeroHIVE AP Series                                            | MAC Auth | 802.1X | Web Auth
Aruba Networks (200, 600, 800, 2400, 3000, 6000, 7000, 7200)  | MAC Auth | 802.1X | Web Auth
AnyFi Controller                                              | MAC Auth | 802.1X | -
Avaya Wireless controllers                                    | -        | 802.1X | -
BelAir Networks (Ericsson)                                    | MAC Auth | 802.1X | -
Brocade Mobility Wireless LAN controllers                     | MAC Auth | 802.1X | -
Cisco Wireless Services Module (WiSM, WiSM2)                  | MAC Auth | 802.1X | Web Auth
Cisco WLC (all models)                                        | MAC Auth | 802.1X | Web Auth
D-Link DWS 3026                                               | MAC Auth | 802.1X | -
Enterasys V2110 wireless controller                           | MAC Auth | 802.1X | -
Extreme Networks Summit Wireless controllers                  | MAC Auth | 802.1X | -
Extricom EXSW Wireless Switches (controllers)                 | MAC Auth | 802.1X | -
HP ProCurve MSM710 Mobility controller                        | MAC Auth | 802.1X | -
Huawei AC6605 wireless controller                             | MAC Auth | 802.1X | -
Juniper (Trapeze) Wireless controllers                        | MAC Auth | 802.1X | -
Meraki                                                        | MAC Auth | 802.1X | Web Auth
Meru Networks Wireless controllers                            | MAC Auth | 802.1X | -
MikroTik                                                      | MAC Auth | -      | -
Motorola/Zebra RF Switches (controllers)                      | MAC Auth | 802.1X | -
Ruckus Wireless controllers                                   | MAC Auth | 802.1X | Web Auth
Xirrus WiFi Arrays                                            | MAC Auth | 802.1X | Web Auth

Access Points

Some access points behave the same whether or not they are attached to a controller. Because of that, you may want to try a controller module if a controller from the same vendor is supported in the list above.

PacketFence supports the following access points:

  • AeroHIVE AP Series
  • Aruba Instant Access Points
  • Cisco 1130AG
  • Cisco 1240AG
  • Cisco 1250
  • D-Link DWL Access Points
  • HP ProCurve
  • OpenWRT with hostapd or CoovaChilli
  • Xirrus WiFi Arrays

Not on this list?

Your network hardware is not on this list? Chances are that it already works with a similar module. Try this first and, if it does work, let us know which module you used, on what hardware and with which firmware version. You can communicate that information to us by filing a ticket.

Otherwise, we are always interested in adding new hardware support into PacketFence. Please contact us at info(at)inverse.ca or via our web form.