PacketFence now supports hostapd!
July 17, 2013

The Inverse team is proud to announce that PacketFence now fully supports hostapd. This makes commodity equipment such as Ubiquiti, Linksys and others fully interoperable with PacketFence using the out-of-band (VLAN) enforcement mode.

PacketFence now fully supports hostapd-based equipment. That means that equipment running standard Linux distributions, OpenWRT, DD-WRT and others using hostapd can now act as fully managed access points with PacketFence, using the out-of-band (VLAN) mode. This allows the deployment of large-scale secured BYOD solutions using inexpensive yet reliable equipment, together with one of the best NAC solutions available!

Stay tuned because Inverse will soon distribute custom firmware builds of OpenWRT ready to be used with PacketFence.

In the meantime, the instructions below can be used.

Introduction

Hostapd is included in the OpenWRT firmware as part of the wpad package. To support PacketFence you will need a wpad build with dynamic VLAN support and a few changes to the uci configuration. Everything is covered below.

Installation

In order to install OpenWRT, download the latest firmware from the OpenWRT website. You will also soon be able to download one provided by Inverse for your specific access point.

Once the firmware has been installed, you can connect to the access point (192.168.1.1) using telnet. No password is required at this point, which is exactly why setting one is the first thing to do; do this from the LAN side of a freshly flashed device, not over an untrusted network.

Set a password for the root account (passwd root). Once the root password is set, OpenWRT disables the telnet login and you connect to the access point over ssh instead.

AP Configuration

Web Admin Interface

First, install the web administrative interface of OpenWRT with the following command:

opkg install luci uhttpd

Alternatively, you can follow the instructions here: http://wiki.openwrt.org/doc/howto/luci.essentials

Dynamic VLAN Configuration

First, make sure your access point supports VLANs. The kmod-8021q kernel module must be installed (opkg install kmod-8021q) and loaded (lsmod | grep 8021q). If your hardware doesn't support VLANs, you can stop reading right now and use the inline enforcement mode available in PacketFence instead.

To support dynamic VLAN assignment you need to install a patched version of wpad, available from the third-party site below. Note from the URL that this build targets OpenWRT Backfire 10.03.x on the ar71xx platform, so it only fits that release and architecture, and since it is not an official OpenWRT package you are trusting that site's build:

http://rpc.one.pl/pliki/openwrt/backfire/10.03.x/atheros/hostapd/wpad_20100418-1-rpc_ar71xx.ipk

From the luci web GUI, go to System -> Software -> Download and install package, paste the link above and click OK.

Finally, create the /etc/config/hostapd.vlan file with the following content:

* wlan0.#

This is hostapd's vlan_file syntax: "*" matches any VLAN id returned by RADIUS and "#" is replaced with that id, so a station assigned VLAN 2 is placed on a wlan0.2 interface, which hostapd then bridges with the corresponding tagged sub-interface (eth0.2) of the vlan_tagged_interface configured below.

Using uci

By default, the uci command line tool doesn't include all the parameters we need to configure SSIDs.

In the Inverse firmware image that will soon be available, this change is already applied, but if you use a firmware from the OpenWRT website you need to replace the /lib/wifi/hostapd.sh script with the one included in the development version of PacketFence.

Configuring MAC Authentication

For now, you can't enable dynamic VLAN assignment from the GUI, so you need to configure the SSID using the uci command. The options are scalar values, so use uci set (not add_list); the radius_das_client value contains a space and must be quoted:

uci set 'wireless.@wifi-iface[0]=wifi-iface'
uci set 'wireless.@wifi-iface[0].device=radio0'
uci set 'wireless.@wifi-iface[0].mode=ap'
uci set 'wireless.@wifi-iface[0].ssid=OpenWrt-OPEN'
uci set 'wireless.@wifi-iface[0].network=lan'
uci set 'wireless.@wifi-iface[0].encryption=none'
uci set 'wireless.@wifi-iface[0].auth_server=192.168.1.10'
uci set 'wireless.@wifi-iface[0].auth_port=1812'
uci set 'wireless.@wifi-iface[0].auth_secret=s3cr3t'      # placeholder: use a long random secret
uci set 'wireless.@wifi-iface[0].dynamic_vlan=2'
uci set 'wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan'
uci set 'wireless.@wifi-iface[0].vlan_tagged_interface=eth0'
uci set 'wireless.@wifi-iface[0].radius_das_port=3799'
uci set 'wireless.@wifi-iface[0].radius_das_client=192.168.1.10 s3cr3t'
uci set 'wireless.@wifi-iface[0].macfilter=2'
uci commit wireless
wifi

Configuring 802.1X

For now, we also configure the 802.1X portion using the uci command. This is a second SSID, so add a new wifi-iface section instead of overwriting index 0 (which holds the MAC authentication SSID above); uci's [-1] index refers to the section just added:

uci add wireless wifi-iface
uci set 'wireless.@wifi-iface[-1].device=radio0'
uci set 'wireless.@wifi-iface[-1].mode=ap'
uci set 'wireless.@wifi-iface[-1].ssid=OpenWrt-SECURE'
uci set 'wireless.@wifi-iface[-1].network=lan'
uci set 'wireless.@wifi-iface[-1].auth_server=192.168.1.10'
uci set 'wireless.@wifi-iface[-1].auth_port=1812'
uci set 'wireless.@wifi-iface[-1].auth_secret=s3cr3t'      # placeholder: use a long random secret
uci set 'wireless.@wifi-iface[-1].dynamic_vlan=2'
uci set 'wireless.@wifi-iface[-1].vlan_file=/etc/config/hostapd.vlan'
uci set 'wireless.@wifi-iface[-1].vlan_tagged_interface=eth0'
uci set 'wireless.@wifi-iface[-1].radius_das_port=3799'
uci set 'wireless.@wifi-iface[-1].radius_das_client=192.168.1.10 s3cr3t'
uci set 'wireless.@wifi-iface[-1].encryption=wpa2'         # WPA2 Enterprise (802.1X/EAP), not psk2
uci set 'wireless.@wifi-iface[-1].acct_server=192.168.1.10'
uci set 'wireless.@wifi-iface[-1].acct_port=1813'
uci set 'wireless.@wifi-iface[-1].acct_secret=s3cr3t'
uci set 'wireless.@wifi-iface[-1].nasid=ubiquiti'
uci commit wireless
wifi

PacketFence Configuration

From PacketFence's Web GUI, simply add a new switch of type hostapd with the access point's IP address and set the RADIUS secret to the one configured on the access point (auth_secret, acct_secret and the radius_das_client secret must all match it). You'll then be able to fully benefit from all the PacketFence features, using the out-of-band (VLAN) enforcement mode with your OpenWRT-based access point!
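To see what the RADIUS options above actually set up between the access point and PacketFence, here is an added example (not PacketFence or hostapd code) that builds the Access-Request hostapd sends for a MAC-authenticating station, checks it the way the server would, and validates a constructed Access-Accept carrying the RFC 2868 tunnel attributes that the dynamic_vlan option consumes. The shared secret s3cr3t and the NAS-Identifier ubiquiti come from the uci configuration above; the client MAC, the VLAN id 2 and the exact MAC formats used for User-Name and Calling-Station-Id are assumptions for the example. It only implements the RFC 2865/2868/2869 subset needed here.

```python
"""RADIUS exchange behind PacketFence's out-of-band VLAN assignment on hostapd.
Added example, not project code. Assumed from the page: secret b"s3cr3t" and
NAS-Identifier b"ubiquiti". Constructed: client MAC, VLAN id 2, MAC formats."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 31, 32
NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, MESSAGE_AUTHENTICATOR = 61, 64, 65, 80
TUNNEL_PRIVATE_GROUP_ID = 81
NAS_PORT_WIRELESS_80211, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 19, 13, 6

def attr(kind, value):
    """One attribute TLV; the length byte counts the type and length bytes too."""
    return bytes([kind, 2 + len(value)]) + value

def parse_attrs(data):
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 User-Password hiding: chunk XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decrypt(cipher, secret, authenticator):
    """Inverse of pap_encrypt; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_mac_auth_request(mac, secret, nas_id, ident=1, authenticator=None):
    """Access-Request as a RADIUS MAC ACL (macfilter=2) sends it: User-Name and
    User-Password both carry the MAC (assumed lowercase hex, no separators)."""
    ra = os.urandom(16) if authenticator is None else authenticator
    plain = mac.hex().encode()
    body = b"".join([
        attr(USER_NAME, plain),
        attr(USER_PASSWORD, pap_encrypt(plain, secret, ra)),
        attr(CALLING_STATION_ID, "-".join(f"{b:02X}" for b in mac).encode()),
        attr(NAS_IDENTIFIER, nas_id),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_WIRELESS_80211)),
        attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, filled below
    ])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body
    # RFC 2869 Message-Authenticator: HMAC-MD5 over the packet with the field zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), ra

def verify_message_authenticator(pkt, secret):
    """Server-side proof that the request came from a holder of the shared secret."""
    off = 20
    while off + 2 <= len(pkt):
        kind, length = pkt[off], pkt[off + 1]
        if length < 2:
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:off + 2] + b"\x00" * 16 + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += length
    return False

def decrypted_user_password(pkt, secret):
    """What the server recovers as User-Password (the MAC, for MAC authentication)."""
    for kind, value in parse_attrs(pkt[20:]):
        if kind == USER_PASSWORD:
            return pap_decrypt(value, secret, pkt[4:20])
    return None

def build_access_accept(ident, request_authenticator, secret, vlan_id):
    """Constructed Access-Accept with the tunnel triple a NAC returns for VLAN
    assignment: tag byte 0 followed by a 3-byte integer or the VLAN id string."""
    body = b"".join([
        attr(TUNNEL_TYPE, b"\x00" + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        attr(TUNNEL_MEDIUM_TYPE, b"\x00" + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]),
        attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode()),
    ])
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # RFC 2865 Response Authenticator binds the reply to the request and the secret.
    return head + hashlib.md5(head + request_authenticator + body + secret).digest() + body

def assigned_vlan(response, request_authenticator, secret):
    """VLAN id the AP should put the station in, or None unless the reply is an
    authentic Access-Accept with a complete VLAN triple."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]) or response[0] != ACCESS_ACCEPT:
        return None
    try:
        attrs = parse_attrs(response[20:])
    except ValueError:
        return None
    found = {}
    for kind, value in attrs:
        if kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[kind] = int.from_bytes(value[1:], "big")
        elif kind == TUNNEL_PRIVATE_GROUP_ID and value:
            found[kind] = value[1:] if value[0] <= 0x1F else value  # RFC 2868 tag rule
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    return int(group) if group.isdigit() else None

def demo(secret=b"s3cr3t", vlan_id=2):
    """Round trip with the page's secret; the second value shows that a reply
    checked against a different secret is rejected."""
    req, ra = build_mac_auth_request(bytes.fromhex("001122aabbcc"), secret, b"ubiquiti")
    accept = build_access_accept(req[1], ra, secret, vlan_id)
    return assigned_vlan(accept, ra, secret), assigned_vlan(accept, ra, b"wrong-secret")

if __name__ == "__main__":
    print(demo())
```

The two authenticators are the only thing standing between a rogue host on the management VLAN and a forged Access-Accept that drops a station into any VLAN it likes, and both are keyed with nothing more than the shared secret, so a guessable value such as s3cr3t defeats the whole exchange; use a long random secret and keep the RADIUS traffic on a network the clients cannot reach.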

Note that you currently need a nightly build of PacketFence to use this feature, which will ship in version 4.0.3.
