PacketFence Network Devices Configuration Guide-4.7.0


Network Devices Configuration Guide
for PacketFence version 4.7.0
by Inverse Inc.

Version 4.7.0 - Mar 2015
Copyright 2015 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

Table of Contents
About this Guide ..... 1
  Other sources of information ..... 1
Note on Inline enforcement support ..... 2
List of supported Network Devices ..... 3
Switch configuration ..... 4
  Assumptions ..... 4
  3COM ..... 4
  Allied Telesis ..... 10
  Amer ..... 11
  Avaya ..... 11
  Brocade ..... 12
  Cisco ..... 13
  D-Link ..... 29
  Dell ..... 30
  Edgecore ..... 31
  Enterasys ..... 32
  Extreme Networks ..... 34
  Foundry ..... 36
  Huawei ..... 37
  H3C ..... 41
  HP ..... 44
  HP ProCurve ..... 44
  Huawei ..... 48
  Intel ..... 50
  Juniper ..... 50
  LG-Ericsson ..... 54
  Linksys ..... 56
  Netgear ..... 56
  Nortel ..... 59
  SMC ..... 61
Wireless Controllers and Access Point Configuration ..... 62
  Assumptions ..... 62
  Unsupported Equipment ..... 62
  AeroHIVE ..... 63
  Anyfi ..... 65
  Avaya ..... 68
  Aruba ..... 69
  Belair Networks (now Ericsson) ..... 72
  Brocade ..... 73
  Cisco ..... 74
  Wireless LAN Controller (WLC) Web Auth ..... 81
  D-Link ..... 86
  Extricom ..... 87
  Hostapd ..... 87
  Mikrotik ..... 89
  HP ..... 91
  Meru ..... 91
  Motorola ..... 94
  Ruckus ..... 98
  Trapeze ..... 100
  Xirrus ..... 101
Additional Information ..... 103
Commercial Support and Contact Information ..... 104
GNU Free Documentation License ..... 105

Chapter 1

About this Guide

This guide covers the configuration of network devices in order to integrate them with PacketFence in VLAN enforcement. Switches, wireless controllers and wireless access points are all considered network devices in PacketFence's terms.
The latest version of this guide is available at http://www.packetfence.org/documentation/

Other sources of information

Administration Guide
    Covers PacketFence installation, configuration and administration.

Developers Guide
    Covers captive portal customization, VLAN management customization and instructions for supporting new hardware.

NEWS
    Covers noteworthy features, improvements and bug fixes by release.

UPGRADE
    Covers compatibility related changes, manual instructions and general notes about upgrading.

ChangeLog
    Covers all changes to the source code.

These files are included in the package and release tarballs.

Chapter 2

Note on Inline enforcement support

There is no need to follow the instructions in this guide if you plan on deploying in inline enforcement, except RADIUS inline. In this case all you need to do is to have a flat layer 2 network up to PacketFence's inline interface with no other gateway available for devices to reach out to the Internet.
This technique is usually used when your network hardware doesn't support VLAN enforcement.

Chapter 3

List of supported Network Devices

PacketFence supports a whole lot of different wireless and wired network equipment from various vendors running different versions. Since we want to provide the most accurate information and avoid duplication of that same information, please refer to our website http://www.packetfence.org/about/supported_switches_and_aps.html
You'll find on this page the enforcement modes supported by each and every single piece of equipment we tested and worked with.

Chapter 4

Switch configuration

Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:

PacketFence is fully configured with FreeRADIUS running (if you want 802.1X or MAC Auth)
PacketFence IP address: 192.168.1.5
Normal VLAN: 1
Registration VLAN: 2
Isolation VLAN: 3
MAC Detection VLAN: 4
Guest VLAN: 5
VoIP, Voice VLAN: 100
use SNMP v2c
SNMP Read community: public
SNMP Write community: private
SNMP Trap community: public
RADIUS Secret: useStrongerSecret
3COM
SuperStack 3 Switch 4200 and 4500
PacketFence supports these 3Com switches without VoIP using one trap type:
linkUp/linkDown
Port Security (with static MACs)
Don't forget to update the startup config!

linkUp/linkDown only
Global config settings:
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
snmp-agent trap enable standard linkup linkdown
On each interface:
port access vlan 4

In Port Security
Global config settings:
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
snmp-agent trap enable
port-security enable
port-security trap addresslearned
port-security trap intrusion
On each interface:
port access vlan 4
port-security max-mac-count 1
port-security port-mode secure
port-security intrusion-mode blockmac
undo enable snmp trap updown

In MAC Auth
Voice vlan : 6
Normal vlan : 1
Registration vlan : 2
Isolation vlan : 3
Global config settings:
lldp enable
lldp timer tx-interval 5
lldp compliance cdp
lldp compliance cdp
port-security enable
MAC-authentication domain packetfence
radius scheme system
radius scheme packetfence
server-type extended
primary authentication 192.168.1.5
primary accounting 192.168.1.5
key authentication P@cketfence
key accounting cipher P@cketfence
user-name-format without-domain
domain packetfence
authentication radius-scheme packetfence
accounting radius-scheme packetfence
vlan-assignment-mode string
accounting optional
domain system
voice vlan mac-address f4ea-6700-0000 mask ffff-ff00-0000 description Cisco IP Phone
undo voice vlan security enable
voice vlan 6 enable
On each interface with VoIP:
interface Ethernet1/0/1
stp edged-port enable
lldp compliance admin-status cdp txrx
port link-type hybrid
port hybrid vlan 6 tagged
port hybrid vlan 1 2 3 untagged
undo voice vlan mode auto
voice vlan enable
port-security max-mac-count 3
port-security port-mode mac-authentication
port-security intrusion-mode blockmac
undo enable snmp trap updown

E4800G
PacketFence supports these 3Com switches with the following techniques:
802.1X with MAC Authentication fallback
linkUp/linkDown (not recommended)
Voice over IP support was not explicitly tested during implementation, however it does not mean that it won't work.
Don't forget to update the startup config!

linkUp/linkDown only
Global config settings:
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
snmp-agent trap enable standard linkup linkdown
On each interface:
port access vlan 4

802.1X with MAC Authentication fallback
Global config settings:
system-view
radius scheme PacketFence
primary authentication 192.168.1.5 1812
primary accounting 192.168.1.5 1812
key authentication useStrongerSecret
user-name-format without-domain
quit
domain packetfence.local
authentication default radius-scheme PacketFence
authorization default radius-scheme PacketFence
quit
domain default enable packetfence.local
dot1x authentication-method eap
port-security enable
quit
If your management authentication on your switch is default, applying the configuration above will have your authentication switch to a RADIUS based one with PacketFence as the authentication server. It is almost certain that you do not want that!
Below, we will just create a local password for vty accesses (telnet) and nothing on the console. In order to avoid locking yourself out, make sure to verify your configuration!
system-view
user-interface aux 0
authentication-mode none
user-interface vty 0 4
user privilege level 3
set authentication password simple useStrongerPassword
quit
quit
On each interface:
system-view
interface gigabitEthernet 1/0/xx
port-security port-mode mac-else-userlogin-secure-ext
# userlogin-secure-or-mac-ext could be used below instead
# see the Switch_4200G's documentation for a discussion about it
undo enable snmp trap updown
quit
quit
where xx stands for the interface index.

E5500G and Switch 4200G
PacketFence supports these 3Com switches with the following techniques:
802.1X with MAC Authentication fallback
linkUp/linkDown (not recommended)
Voice over IP support was not explicitly tested during implementation, however it does not mean that it won't work.
Don't forget to update the startup config!

linkUp/linkDown only
Global config settings:
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
snmp-agent trap enable standard linkup linkdown
On each interface:
port access vlan 4

802.1X with MAC Authentication fallback
Global config settings:
system-view
radius scheme PacketFence
server-type standard
primary authentication 192.168.1.5 1812
primary accounting 192.168.1.5 1812
accounting optional
key authentication useStrongerSecret
user-name-format without-domain
quit
domain packetfence.local
radius-scheme PacketFence
vlan-assignment-mode string
quit
domain default enable packetfence.local
dot1x authentication-method eap
port-security enable
quit
If your management authentication on your switch is default, applying the configuration above will have your authentication switch to a RADIUS based one with PacketFence as the authentication server. It is almost certain that you do not want that!
Below, we will just create a local password for vty accesses (telnet) and nothing on the console. In order to avoid locking yourself out, make sure to verify your configuration!
system-view
user-interface aux 0
authentication-mode none
user-interface vty 0 4
user privilege level 3
set authentication password simple useStrongerPassword
quit
quit
On each interface:
system-view
interface gigabitEthernet 1/0/xx
port-security port-mode mac-else-userlogin-secure-ext
# userlogin-secure-or-mac-ext could be used below instead
# see the Switch_4200G's documentation for a discussion about it
undo enable snmp trap updown
quit
quit
where xx stands for the interface index.

NJ220
This switch does not support port-security.
To configure: use the web interface to send the linkUp/linkDown traps to the PacketFence server.

Allied Telesis
AT8000GS
PacketFence supports the AT8000GS switch using:
Mac Authentication (mac-only)
802.1X
VoIP support is limited using 802.1X/MAC authentication. We do have a limitation where the phone needs to be on the same VLAN as the PC (no voice VLAN concept).

Mac Authentication
First, activate 802.1X globally:
dot1x system-auth-control
Next, configure the RADIUS server and AAA settings:
radius-server host 10.0.0.100
radius-server key qwerty
radius-server source-ip 10.0.0.14
aaa authentication dot1x default radius
aaa accounting dot1x radius
In order to get mac authentication, you need to enable the guest VLAN globally:
interface vlan 5
name "Guest Vlan"
dot1x guest-vlan
exit
Finally, enable the necessary 802.1X settings for mac-only authentication:
interface ethernet g1
dot1x mac-authentication mac-only
dot1x radius-attributes vlan
dot1x port-control auto
dot1x guest-vlan enable

802.1X
The settings are almost the same as the MAC Authentication with some small differences.
First, activate 802.1X globally:
dot1x system-auth-control
Next, configure the RADIUS server and AAA settings:
radius-server host 10.0.0.100
radius-server key qwerty
radius-server source-ip 10.0.0.14
aaa authentication dot1x default radius
aaa accounting dot1x radius
Finally, enable the necessary 802.1X settings:
interface ethernet g1
dot1x radius-attributes vlan
dot1x port-control auto

Amer
PacketFence supports Amer switches without VoIP using one trap type:
linkUp/linkDown
Don't forget to update the startup config!

L2 Switch SS2R24i
Global config settings:
create snmp host 192.168.1.5 v2c public
create snmp user public ReadGroup
enable snmp traps
On each interface:
config vlan default delete xx
config vlan mac-detection add untagged xx
where xx stands for the interface index

Avaya
Avaya bought Nortel's wired networks assets. So Avaya switches are, in effect, re-branded Nortels. See the Nortel section of this document for configuration instructions.

Brocade
ICX 6400 Series
Those switches are supported using 802.1X for networks with or without VoIP.
Global config settings:
aaa authentication dot1x default radius
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 default
radius-server key useStrongerSecret
vlan 1 name DEFAULT-VLAN by port
!
vlan 100 by port
tagged ethe 1/1/xx ethe 1/1/yy
Where xx and yy represent the range of ports where you want PacketFence enforcement.

MAC-Authentication without VoIP
Enable MAC-Authentication globally
mac-authentication enable
mac-authentication mac-vlan-dyn-activation
Enable MAC-Authentication on each interface you want PacketFence active
mac-authentication enable
mac-authentication enable-dynamic-vlan

MAC-Authentication with VoIP
Enable cdp globally
cdp run
Apply the following configuration on each interface you want PacketFence active
dual-mode
mac-authentication enable
mac-authentication enable-dynamic-vlan
voice-vlan 100
cdp enable

802.1X/MAC-Auth
Enable 802.1X globally
dot1x-enable
re-authentication
enable ethe 1/1/xx
Where xx is the switch port number
Apply the following configuration on each interface you want PacketFence active
dot1x port-control auto
dual-mode
mac-authentication enable
mac-authentication enable-dynamic-vlan
voice-vlan 100

Cisco
PacketFence supports Cisco switches with VoIP using three different trap types:
linkUp/linkDown
MAC Notification
Port Security (with static MACs)
You also need to make sure that lldp or cdp notification is configured on all ports that will handle VoIP.
On some recent models, we can also use more secure and robust features like:
MAC Authentication (Cisco's MAC Authentication Bypass or MAB)
802.1X (Multi-Host or Multi-Domain)
Depending on the switch model, we recommend the use of the most secure and reliable feature first. In other words, you should consider the following order:
1. 802.1X/MAB
2. Port-Security
3. linkUp/linkDown

2900XL / 3500XL Series
SNMP | linkUp/linkDown
Global config settings:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
On each interface without VoIP:
switchport mode access
switchport access vlan 4
snmp trap mac-notification added
On each interface with VoIP:
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport mode trunk
switchport voice vlan 100
snmp trap mac-notification added
snmp trap mac-notification removed
2950
Those switches are now supported using 802.1X for networks with or without VoIP. You can also use port-security with static MAC addresses, but we cannot secure a MAC on the data VLAN specifically, so enable it only if there is no VoIP; use linkUp/linkDown and MAC notification otherwise. So on setups that need to handle VoIP with this switch, go with an 802.1X configuration.

802.1X
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
dot1x system-auth-control
AAA configuration:
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUS server configuration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecret
radius-server vsa send authentication
On each interface without VoIP:
switchport access vlan 4
switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
On each interface with VoIP:
switchport access vlan 4
switchport mode access
switchport voice vlan 100
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
Port-Security
Caution
With port-security, if no MAC is connected on ports when activating port-security, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. On the other hand, if a MAC is actually connected when you enable port security, you must secure this MAC rather than the bogus one. Otherwise this MAC will lose its connectivity instantly.
Global config settings without VoIP:
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
On each interface without VoIP:
switchport mode access
switchport access vlan 4
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.00xx
where xx stands for the interface ifIndex.

ifIndex mapping
Use the following templates for the interface ifIndex in bogus MAC addresses (0200.0000.00xx):
Interface         ifIndex
Fa0/1 to Fa0/48   1 to 48
Gi0/1 to Gi0/2    49 to 50
Global config settings with VoIP:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
On each interface with VoIP:
switchport voice vlan 100
switchport access vlan 4
switchport mode access
snmp trap mac-notification added
snmp trap mac-notification removed
2960
Caution
For 802.1X and MAB configurations, refer to the section below.

Port Security for IOS earlier than 12.2(46)SE
Global config settings:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
On each interface without VoIP:
switchport access vlan 4
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex
On each interface with VoIP:
switchport voice vlan 100
switchport access vlan 4
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex

ifIndex mapping
Use the following templates for the interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
Interface         ifIndex
Fa0/1 to Fa0/48   10001 to 10048
Gi0/1 to Gi0/48   10101 to 10148

Port Security for IOS 12.2(46)SE or greater
Since PacketFence version 2.2.1, the way to handle VoIP when using port-security dramatically changed. Ensure that you follow the instructions below. To make the story short, instead of relying on the dynamic MAC learning for VoIP, we use a static entry on the voice VLAN so we can trigger a new security violation, and then authorize the phone MAC address on the network.
Global config settings:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
On each interface without VoIP:
switchport access vlan 4
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex
On each interface with VoIP:
switchport voice vlan 100
switchport access vlan 4
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security violation restrict
switchport port-security mac-address 0200.010x.xxxx vlan voice
switchport port-security mac-address 0200.000x.xxxx vlan access
where xxxxx stands for the interface ifIndex

ifIndex mapping
Use the following templates for the interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
Interface         ifIndex
Fa0/1 to Fa0/48   10001 to 10048
Gi0/1 to Gi0/48   10101 to 10148

2970, 3560, 3550, 3750
Caution
The Catalyst 3550 does not support 802.1X with Multi-Domain; it can only support 802.1X with MAB using Multi-Host, MAB, and Port-Security.

802.1X with MAC Authentication bypass (Multi Domain)
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
dot1x system-auth-control
On each interface:
switchport mode access
switchport voice vlan 100
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
AAA Groups and Configuration:
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUS server configuration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecret
radius-server vsa send authentication
CoA configuration:
aaa server radius dynamic-author
client 192.168.1.5 server-key useStrongerSecret
port 3799
Activate SNMP v1 on the switch:
snmp-server community public RO
802.1X with MAC Authentication bypass (Multi Host)
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
dot1x system-auth-control
On each interface:
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
AAA Groups and Configuration:
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUS server configuration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecret
radius-server vsa send authentication
CoA configuration:
aaa server radius dynamic-author
client 192.168.1.5 server-key useStrongerSecret
port 3799
Activate SNMP v1 on the switch:
snmp-server community public RO

MAC Authentication bypass only
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
dot1x system-auth-control
On each interface:
switchport mode access
switchport voice vlan 100
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 5
dot1x reauthentication
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
AAA Groups and Configuration:
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUS server configuration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key useStrongerSecret
radius-server vsa send authentication
CoA configuration:
aaa server radius dynamic-author
client 192.168.1.5 server-key useStrongerSecret
port 3799
Activate SNMP v1 on the switch:
snmp-server community public RO

802.1X on various models of 2960
There are a lot of different versions of the Catalyst 2960 series. Some of them may not accept the commands stated in this guide for 802.1X.
We have found a couple of commands that are working great for MAB:
On each interface:
switchport mode access
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
But, as it is difficult for us to maintain the whole list of commands to configure each and every different model of 2960 with different IOS versions, please refer to the Cisco documentation for very specific cases.

Port-Security
Global config settings:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
On each interface without VoIP:
switchport access vlan 4
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex
On each interface with VoIP:
switchport voice vlan 100
switchport access vlan 4
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx
where xxxxx stands for the interface ifIndex

ifIndex mapping
Use the following templates for the interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
Interface         ifIndex
Fa0/1 to Fa0/48   10001 to 10048
Gi0/1 to Gi0/48   10101 to 10148
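As an added example (not PacketFence's code), the Python below reconstructs the ifIndex mapping tables and bogus-MAC templates given for the 2950 and 2960 in the port-security sections above, builds the per-interface lines for a 2960 on IOS 12.2(46)SE or later, and reverse-maps a MAC seen in a port-security trap to its ifIndex so an operator can tell a placeholder from a real device. It assumes the "xxxxx" part of the templates is the ifIndex written as zero-padded decimal digits; the interface names, ifIndex ranges and VLAN numbers are the ones the guide states.

```python
import re
from typing import List, Optional, Tuple

# ifIndex ranges from the guide's "ifIndex mapping" tables, as (base, port count);
# the ifIndex of port N is base + N.
#   2950: Fa0/1..Fa0/48 -> 1..48,         Gi0/1..Gi0/2  -> 49..50
#   2960: Fa0/1..Fa0/48 -> 10001..10048,  Gi0/1..Gi0/48 -> 10101..10148
IFINDEX_BASES = {
    "2950": {"Fa": (0, 48), "Gi": (48, 2)},
    "2960": {"Fa": (10000, 48), "Gi": (10100, 48)},
}

_IFACE_RE = re.compile(r"^(Fa|Gi)0/(\d+)$")


def ifindex_for(model: str, iface: str) -> int:
    """Return the ifIndex of an interface such as 'Gi0/1' on the given model."""
    match = _IFACE_RE.match(iface)
    if match is None:
        raise ValueError(f"unsupported interface name: {iface}")
    kind, port = match.group(1), int(match.group(2))
    base, count = IFINDEX_BASES[model][kind]
    if not 1 <= port <= count:
        raise ValueError(f"{iface} is outside the mapped range for the {model}")
    return base + port


def bogus_mac(ifindex: int, voice: bool = False) -> str:
    """Placeholder MAC for an ifIndex, in Cisco dotted notation.

    Assumption: the template digits are the ifIndex in zero-padded decimal,
    so 10001 -> 0200.0001.0001 (data VLAN) or 0200.0101.0001 (voice VLAN).
    """
    if not 0 < ifindex < 1_000_000:
        raise ValueError("ifIndex must fit in six decimal digits")
    prefix = "020001" if voice else "020000"
    digits = prefix + f"{ifindex:06d}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def ifindex_from_bogus_mac(mac: str) -> Optional[Tuple[int, bool]]:
    """Reverse mapping for a MAC reported in a port-security trap.

    Returns (ifIndex, is_voice) when the MAC follows the placeholder pattern,
    None otherwise (i.e. a real device appeared). Accepts dotted, colon or dash form.
    """
    raw = re.sub(r"[.:-]", "", mac).lower()
    if len(raw) != 12 or raw[:4] != "0200" or raw[4:6] not in ("00", "01"):
        return None
    tail = raw[6:]
    if not all(c in "0123456789" for c in tail):   # placeholders are decimal digits only
        return None
    return int(tail), raw[4:6] == "01"


def port_security_config_2960(iface: str, voice: bool = False) -> List[str]:
    """Per-interface lines for a 2960 on IOS 12.2(46)SE or later, following the guide."""
    idx = ifindex_for("2960", iface)
    lines: List[str] = []
    if voice:
        lines.append("switchport voice vlan 100")
    lines += ["switchport access vlan 4", "switchport port-security"]
    if voice:
        lines += [
            "switchport port-security maximum 2",
            "switchport port-security maximum 1 vlan access",
            "switchport port-security maximum 1 vlan voice",
            "switchport port-security violation restrict",
            f"switchport port-security mac-address {bogus_mac(idx, voice=True)} vlan voice",
            f"switchport port-security mac-address {bogus_mac(idx)} vlan access",
        ]
    else:
        lines += [
            "switchport port-security maximum 1 vlan access",
            "switchport port-security violation restrict",
            f"switchport port-security mac-address {bogus_mac(idx)}",
        ]
    return lines


if __name__ == "__main__":
    print("\n".join(port_security_config_2960("Gi0/1", voice=True)))
    # A constructed MAC as it might appear in a port-security trap:
    print(ifindex_from_bogus_mac("0200.0101.0101"))   # (10101, True)
```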

Webauth
The Catalyst 2960 supports web authentication from IOS 12.2.55SE3. This procedure has been tested on IOS 15.0.2SE5.
In this example, the ACL for registration is "redirect" and the ACL for registered devices is "registered".
Configure the global configuration of the switch using the section "MAC Authentication bypass only" of the 2960 in this document.
Then add this additional configuration on the global level:
ip dhcp snooping
ip device tracking
nmsp enable
udld enable
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community private RW
Add the required access lists:
ip access-list extended redirect
deny ip any host <your captive portal ip>
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended registered
permit ip any any
Then on each controlled interface:
switchport access vlan <vlan>
switchport mode access
authentication priority mab
authentication port-control auto
authentication periodic
mab
spanning-tree portfast
PacketFence switch configuration
Select the type Cisco Catalyst 2960 with WebAuth
Set Portal URL to http://<your_captive_portal_ip>
Set the Registration role to redirect
Set your registered roles to registered
Screenshots of this configuration are available in the Cisco WLC section of this guide.

Downloadable ACLs

The Catalyst 2960 supports RADIUS-pushed ACLs, which means that you can define the ACLs centrally in PacketFence without configuring them on your switches: their rules are applied to the switch port during authentication.

These ACLs are defined per role, like the VLANs, which means you can define different ACLs for your registration VLAN, production VLAN, guest VLAN, etc.

Before continuing, configure your switch for MAC authentication bypass or 802.1X.

Now, in the PacketFence interface, go to the switch configuration and open the Roles tab. Check "Role by access list" and you should now be able to configure the access lists as below.

For example, if you want the users that are in the registration VLAN to only use HTTP, HTTPS, DNS and DHCP, you can configure this ACL in the registration category.

Now suppose that your normal users are placed in the default category and your guests in the guest category, and that the default category uses the network 192.168.5.0/24 while your guest network uses 192.168.10.0/24. You can prevent communication between both networks using these access lists.

You could also only prevent your guest users from using shared directories.

Or you could restrict your users to using only your DNS server, where 192.168.5.2 is your DNS server.
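The guide shows the role ACLs as screenshots, so the following is an added example (not PacketFence or Cisco code) that writes out the three ACLs the prose describes and evaluates sample flows against them with the same first-match, implicit-deny semantics the switch applies. The rule texts are my reconstruction from the prose; addresses are written as CIDR or "host A.B.C.D" rather than IOS wildcard masks, and the sample flows are constructed.

```python
"""First-match model of the Cisco-style extended ACLs used as downloadable ACLs.

Added example, not code from PacketFence or Cisco. The three ACL texts are a
reconstruction of the guide's prose (registration: HTTP, HTTPS, DNS, DHCP
only; guest 192.168.10.0/24 isolated from 192.168.5.0/24; DNS only to
192.168.5.2). Evaluation is first match wins, then the implicit deny, which is
what makes rule order matter. Sources/destinations use CIDR or 'host X', not
IOS wildcard masks; the flows in __main__ are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any" or a CIDR ('host X' is stored as X/32)
    dst: str
    dport: Optional[int]   # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int = 0


def _take_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/32", i + 2
    return tokens[i], i + 1


def parse_acl(text: str) -> List[Rule]:
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' lines; '!' starts a comment."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        action, proto = t[0], t[1]
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    for spec, addr in ((rule.src, flow.src), (rule.dst, flow.dst)):
        if spec != "any" and ip_address(addr) not in ip_network(spec, strict=False):
            return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Registration role: only what a client needs to reach the captive portal.
REGISTRATION = parse_acl("""
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any eq domain
permit tcp any any eq www
permit tcp any any eq 443
! everything else hits the implicit deny
""")

# Guest role: guests may not talk to the default (staff) network at all.
GUEST = parse_acl("""
deny ip 192.168.10.0/24 192.168.5.0/24
permit ip any any
""")

# Default role: DNS only to the corporate resolver, everything else allowed.
DNS_ONLY = parse_acl("""
permit udp any host 192.168.5.2 eq domain
deny udp any any eq domain
permit ip any any
""")

if __name__ == "__main__":
    for name, acl, flow in [
        ("registration", REGISTRATION, Flow("tcp", "10.0.0.9", "203.0.113.7", 443)),
        ("registration", REGISTRATION, Flow("tcp", "10.0.0.9", "203.0.113.7", 22)),
        ("guest", GUEST, Flow("tcp", "192.168.10.20", "192.168.5.10", 445)),
        ("dns-only", DNS_ONLY, Flow("udp", "192.168.5.30", "8.8.8.8", 53)),
    ]:
        print(f"{name:12} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport} => {evaluate(acl, flow)}")
```

The DNS_ONLY list is the one to read carefully: the specific permit for 192.168.5.2 must come before the broad "deny udp any any eq domain", otherwise the corporate resolver is blocked too. Running a candidate ACL through evaluate() with a handful of flows catches that kind of ordering mistake before the ACL is pushed to every port by RADIUS.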


Stacked 29xx, Stacked 35xx, Stacked 3750, 4500 Series, 6500 Series

The 4500 Series and all the stacked switches work exactly the same way as if they were not stacked, so the configuration is the same: they support port-security with static MAC addresses and allow us to secure a MAC on the data VLAN, so we enable it whether there is VoIP or not.

We need to secure bogus MAC addresses on the ports in order for the switch to send a trap when a new MAC appears on a port.

Global config settings:

snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security

On each interface without VoIP:

switchport access vlan 4
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx

On each interface with VoIP:

switchport voice vlan 100
switchport access vlan 4
switchport port-security
switchport port-security maximum 2
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx

where xxxxx stands for the interface ifIndex.

ifIndex mapping

Use the following templates for the interface ifIndex in the bogus MAC addresses (0200.000x.xxxx):

Fa1/0/1 to Fa1/0/48: 10001 to 10048
Gi1/0/1 to Gi1/0/48: 10101 to 10148
Fa2/0/1 to Fa2/0/48: 10501 to 10548
Gi2/0/1 to Gi2/0/48: 10601 to 10648
Fa3/0/1 to Fa3/0/48: 11001 to 11048
Gi3/0/1 to Gi3/0/48: 11101 to 11148
Fa4/0/1 to Fa4/0/48: 11501 to 11548
Gi4/0/1 to Gi4/0/48: 11601 to 11648
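Both ifIndex mapping tables (the standalone 2960 one and the stacked one above) are easy to mistype by hand across 48 ports, so here is an added example, not code from the PacketFence guide, that encodes the two tables and emits the per-interface port-security stanza with the correct bogus MAC. The 500-per-stack-member and +100-for-Gi offsets are read off the tables; members or port numbers outside the ranges the tables list are an extrapolation of that pattern and should be checked against "show snmp mib ifmib ifindex" on the real switch.

```python
"""Per-port port-security lines from the ifIndex templates in the guide.

Added example, not part of the PacketFence guide. It turns an interface name
into the SNMP ifIndex from the two mapping tables, renders that index as the
bogus MAC 0200.000x.xxxx, and emits the interface stanza in the same order as
the guide's with/without VoIP examples. Offsets beyond what the tables list
(stack member 5+, ports above 48) are extrapolated, not taken from the guide.
"""
import re
from typing import List, Optional

# Fa0/1, Gi0/48 (standalone) or Fa1/0/1, Gi4/0/48 (stacked)
PORT_RE = re.compile(r"^(Fa|Gi)(?:(\d+)/)?(\d+)/(\d+)$")


def ifindex(port: str) -> int:
    """Map an interface name to the ifIndex used in the guide's tables.

    Standalone: Fa0/1..Fa0/48 -> 10001..10048, Gi0/1..Gi0/48 -> 10101..10148
    Stacked:    Fa1/0/1 -> 10001, Gi1/0/1 -> 10101, Fa2/0/1 -> 10501,
                Gi2/0/1 -> 10601, Fa3/0/1 -> 11001, Gi4/0/1 -> 11601
    """
    m = PORT_RE.match(port)
    if not m:
        raise ValueError(f"unrecognised interface name: {port!r}")
    kind, member, slot, num = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
    if slot != 0 or not 1 <= num <= 48:
        raise ValueError(f"{port}: only slot 0, ports 1-48 are covered by the tables")
    member_offset = 0 if member is None else (int(member) - 1) * 500
    kind_offset = 100 if kind == "Gi" else 0
    return 10000 + member_offset + kind_offset + num


def bogus_mac(idx: int) -> str:
    """Render ifIndex 10001 as 0200.0001.0001: the five digits fill the x's of 0200.000x.xxxx."""
    if not 0 <= idx <= 99999:
        raise ValueError("ifIndex does not fit the five-digit template")
    digits = f"{idx:05d}"
    return f"0200.000{digits[0]}.{digits[1:]}"


def port_security_lines(port: str, access_vlan: int = 4,
                        voice_vlan: Optional[int] = None) -> List[str]:
    """Interface stanza in the same order as the guide's examples."""
    mac = bogus_mac(ifindex(port))
    lines = [f"interface {port}"]
    if voice_vlan is not None:
        lines.append(f" switchport voice vlan {voice_vlan}")
    lines += [f" switchport access vlan {access_vlan}",
              " switchport port-security"]
    if voice_vlan is not None:
        # phone + PC: two MACs on the port, but still only one on the data VLAN
        lines.append(" switchport port-security maximum 2")
    lines += [" switchport port-security maximum 1 vlan access",
              " switchport port-security violation restrict",
              f" switchport port-security mac-address {mac}"]
    return lines


def render(ports, access_vlan: int = 4, voice_vlan: Optional[int] = None) -> str:
    """Concatenate stanzas, each terminated by '!' as IOS prints them."""
    return "\n".join("\n".join(port_security_lines(p, access_vlan, voice_vlan)) + "\n!"
                     for p in ports)


if __name__ == "__main__":
    # stack member 2, first four Gi ports, with a voice VLAN
    print(render([f"Gi2/0/{n}" for n in range(1, 5)], access_vlan=4, voice_vlan=100))
```

The bogus address is only a placeholder that forces the switch to raise a port-security trap when a real MAC shows up; it is never meant to match a device, which is why it is derived from the ifIndex rather than from anything on the network.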

Router ISR 1800 Series

PacketFence supports the 1800 series router with linkUp/linkDown traps. It cannot do anything about the router interfaces (i.e. fa0 and fa1 on a 1811). VLAN interface ifIndexes should also be marked as uplinks in the PacketFence switch configuration, as they generate traps but are of no interest to PacketFence (layer 3).

Global config settings:

snmp-server enable traps snmp linkdown linkup
snmp-server host 192.168.1.5 trap version 2c public

On each interface:
switchport mode access
switchport access vlan 4

D-Link

PacketFence supports D-Link switches without VoIP using two different trap types:

linkUp/linkDown
MAC Notification

We recommend enabling linkUp/linkDown and MAC notification together.

Don't forget to update the startup config!

DES3526 / 3550

Global config settings:

To be contributed...

On each interface:

To be contributed...

DGS3100 / 3200

Enable MAC notification:

enable mac_notification
config mac_notification interval 1 historysize 1
config mac_notification ports 1:1-1:24 enable

Enable linkUp/linkDown notification:

enable snmp traps
enable snmp linkchange_traps

Add the SNMP host:

create snmp host 192.168.1.5 v2c public

Enable MAC-based access control:


enable mac_based_access_control
config mac_based_access_control authorization attributes radius enable local disable
config mac_based_access_control method radius
config mac_based_access_control password useStrongerSecret
config mac_based_access_control password_type manual_string
config mac_based_access_control max_users no_limit
config mac_based_access_control trap state enable
config mac_based_access_control log state enable

On each interface:

config mac_based_access_control ports 1:1 state enable
config mac_based_access_control ports 1:1 max_users 128
config mac_based_access_control ports 1:1 aging_time 1440
config mac_based_access_control ports 1:1 block_time 300
config mac_based_access_control ports 1:1 mode host_based

Dell

Force10

PacketFence supports this switch using RADIUS, MAC authentication and 802.1X.

Global config settings:

radius-server host 192.168.1.5 key s3cr3t auth-port 1812

MAB interface configuration:

interface GigabitEthernet 0/1
 no ip address
 switchport
 dot1x authentication
 dot1x mac-auth-bypass
 dot1x auth-type mab-only
 no shutdown

802.1X interface configuration:

interface GigabitEthernet 0/1
 no ip address
 switchport
 dot1x authentication
 no shutdown


PowerConnect 3424

PacketFence supports this switch using linkUp/linkDown traps.

Global config settings:

To be contributed...

On each interface:

To be contributed...

Edge-corE

PacketFence supports Edge-corE switches without VoIP using linkUp/linkDown traps.

PacketFence also supports MAC authentication on the Edge-corE 4510.

3526XA and 3528M

Global config settings:

SNMP-server host 192.168.1.5 public version 2c udp-port 162

4510

Basic configuration:

network-access aging
snmp-server community private rw
snmp-server community public rw
radius-server 1 host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 5 retransmit 2 key useStrongerSecret
radius-server key useStrongerSecret

Both community strings above are given write access; rename them and, if the switch supports it, restrict SNMP access to the PacketFence address.


On each controlled interface:
interface ethernet 1/8
switchport allowed vlan add <your list of allowed vlans> untagged
network-access max-mac-count 1
network-access mode mac-authentication
!

Enterasys

PacketFence supports Enterasys switches without VoIP using two different trap types:

linkUp/linkDown
MAC Locking (Port Security with static MACs)

We recommend enabling MAC locking only.

Don't forget to update the startup config!

Matrix N3

linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.

Also, by default this switch doesn't do an electrical low-level linkDown when setting the port to admin down, so we need to activate a global option called forcelinkdown to enable this behaviour. Without this option, clients don't notice that they lost their connection and never do a new DHCP request on VLAN change.

Global config settings:

set snmp community public
set snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPF
set snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPF
set maclock enable
set forcelinkdown enable

On each interface:

set port trap ge.1.xx disable
set maclock enable ge.1.xx
set maclock static ge.1.xx 1
set maclock firstarrival ge.1.xx 0
set maclock trap ge.1.xx enable

where xx stands for the interface index.


SecureStack C2

linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.

Global config settings:

set snmp community public
set snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPF
set snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPF
set maclock enable

On each interface:

set port trap fe.1.xx disable
set maclock enable fe.1.xx
set maclock static fe.1.xx 1
set maclock firstarrival fe.1.xx 0

where xx stands for the interface index.

SecureStack C3

This switch has the particular feature of allowing more than one untagged egress VLAN per port. This means that you must add all the VLANs created for PacketFence as untagged egress VLANs on the relevant interfaces. This is why there is a VLAN command on each interface below.

linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.

Global config settings:

set snmp community public
set snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPF
set snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPF
set maclock enable

On each interface:

set vlan egress 1,2,3 ge.1.xx untagged
set port trap ge.1.xx disable
set maclock enable ge.1.xx
set maclock static ge.1.xx 1
set maclock firstarrival ge.1.xx 0
set maclock trap ge.1.xx enable

where xx stands for the interface index.


Standalone D2

linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.

Caution

This switch accepts multiple untagged VLANs per port when configured through SNMP. This is problematic because on some occasions the untagged VLAN port list can become inconsistent with the switch's running config. To fix that, clear all untagged VLANs of a port even if the CLI interface doesn't show them. To do so, use: clear vlan egress <vlans> <ports>

Global config settings:

set snmp community public
set snmp targetparams v2cPF user public security-model v2c message-processing v2c
set snmp notify entryPF tag TrapPF
set snmp targetaddr tr 192.168.1.5 param v2cPF taglist TrapPF
set maclock enable

On each interface:

set port trap ge.1.xx disable
set maclock enable ge.1.xx
set maclock static ge.1.xx 1
set maclock firstarrival ge.1.xx 0
set maclock trap ge.1.xx enable

where xx stands for the interface index.

Extreme Networks

PacketFence supports Extreme Networks switches using:

linkUp/linkDown
MAC Address Lockdown (Port Security)
Netlogin - MAC Authentication
Netlogin - 802.1X

Don't forget to save the configuration!


All ExtremeXOS based switches

In addition to the SNMP and VLAN settings, this switch needs Web Services to be enabled, and an administrative username and password provided in its PacketFence configuration for Web Services.

MAC Address Lockdown (Port-Security)

linkUp/linkDown traps are enabled by default, so we disable them and enable MAC Address Lockdown only.

Global config settings without Voice over IP (VoIP):

enable snmp access
configure snmp add trapreceiver 192.168.1.5 community public
enable web http
configure vlan "Default" delete ports <portlist>
configure vlan registration add ports <portlist> untagged
configure ports <portlist> vlan registration lock-learning
disable snmp traps port-up-down ports <portlist>

where <portlist> are the ports you want to secure. It can be an individual port or a port range with a dash.

Global config settings with Voice over IP (VoIP):

enable snmp access
configure snmp add trapreceiver 192.168.1.5 community public
enable web http
configure vlan "Default" delete ports <portlist>
configure vlan registration add ports <portlist> untagged
configure vlan voice add ports <portlist> tagged
configure ports <portlist> vlan registration lock-learning
configure ports <portlist> vlan voice limit-learning 1
disable snmp traps port-up-down ports <portlist>

where <portlist> are the ports you want to secure. It can be an individual port or a port range with a dash.

MAC Authentication

AAA configuration (replace the shared secret 12345 with a strong one that matches the PacketFence switch entry):

configure radius netlogin primary server 192.168.1.5 1812 client-ip 10.0.0.8 vr VR-Default
configure radius netlogin primary shared-secret 12345
enable radius netlogin

Netlogin (MAC Authentication):


configure netlogin vlan temp
enable netlogin mac
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 50
configure netlogin mac authentication database-order radius
enable netlogin ports 1-48 mac
configure netlogin ports 1-48 mode port-based-vlans
configure netlogin ports 1-48 no-restart

802.1X

AAA configuration:

configure radius netlogin primary server 192.168.1.5 1812 client-ip 10.0.0.8 vr VR-Default
configure radius netlogin primary shared-secret 12345
enable radius netlogin

Netlogin (802.1X):

configure netlogin vlan temp
enable netlogin dot1x
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 50
enable netlogin ports 1-48 dot1x
configure netlogin ports 1-48 mode port-based-vlans
configure netlogin ports 1-48 no-restart

Note

You can mix MAC Authentication and 802.1X on the same switch port. If the device fails 802.1X authentication, it will fall back to MAC Authentication.

Foundry

FastIron 4802

PacketFence supports this switch with optional VoIP using two different trap types:

linkUp/linkDown
Port Security (with static MACs)

We recommend enabling Port Security only.

Don't forget to update the startup config!

These switches support port-security with static MAC addresses and allow us to secure a MAC on the data VLAN, so we enable it whether there is VoIP or not.

We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.

Global config settings:

snmp-server host 192.168.1.5 public
no snmp-server enable traps link-down
no snmp-server enable traps link-up

On each interface without VoIP:

int eth xx
 port security
  enable
  maximum 1
  secure 0200.0000.00xx 0
  violation restrict

where xx stands for the interface ifIndex.

With VoIP a little more work needs to be performed. Instead of the no-VoIP config, put in the following:

conf t
vlan <mac-detection-vlan>
 untagged eth xx
vlan <voice-vlan>
 tagged eth xx
int eth xx
 dual-mode <mac-detection-vlan>
 port security
  maximum 2
  secure 0200.00xx.xxxx <mac-detection-vlan>
  secure 0200.01xx.xxxx <voice-vlan>
  violation restrict
  enable

where xxxxxx stands for the interface number (padded with zeros), <voice-vlan> for your voice VLAN number and <mac-detection-vlan> for your MAC detection VLAN number.

Huawei

AC6605 Controller

PacketFence supports this controller with the following technologies:

Wireless 802.1X
Wireless MAC Authentication

Controller configuration

Set up the NTP server:

<AC> system-view
[AC] ntp-service unicast-server 208.69.56.110

Set up the RADIUS server (the IP address of PacketFence) for authentication and accounting:

Note

In this configuration the IP address used is the VIP of PacketFence, 192.168.1.2; Registration VLAN: 145, Isolation VLAN: 146.

<AC> system-view
[AC] radius-server template radius_packetfence
[AC-radius-radius_packetfence] radius-server authentication 192.168.1.2 1812 weight 80
[AC-radius-radius_packetfence] radius-server accounting 192.168.1.2 1813 weight 80
[AC-radius-radius_packetfence] radius-server shared-key cipher s3cr3t
[AC-radius-radius_packetfence] undo radius-server user-name domain-included
[AC-radius-radius_packetfence] quit
[AC] radius-server authorization 192.168.1.2 shared-key cipher s3cr3t server-group radius_packetfence
[AC] aaa
[AC-aaa] authentication-scheme radius_packetfence
[AC-aaa-authen-radius_packetfence] authentication-mode radius
[AC-aaa-authen-radius_packetfence] quit
[AC-aaa] accounting-scheme radius_packetfence
[AC-aaa-accounting-radius_packetfence] accounting-mode radius
[AC-aaa-accounting-radius_packetfence] quit
[AC-aaa] domain your.domain.com
[AC-aaa-domain-your.domain.com] authentication-scheme radius_packetfence
[AC-aaa-domain-your.domain.com] accounting-scheme radius_packetfence
[AC-aaa-domain-your.domain.com] radius-server radius_packetfence
[AC-aaa-domain-your.domain.com] quit
[AC-aaa] quit

Create a secure dot1x SSID

Activate dot1x globally:

<AC> system-view
[AC] dot1x enable

Create your secure dot1x SSID:

Configure the WLAN-ESS 0 interface:

[AC] interface Wlan-Ess 0
[AC-Wlan-Ess0] port hybrid untagged vlan 145 to 146
[AC-Wlan-Ess0] dot1x enable
[AC-Wlan-Ess0] dot1x authentication-method eap
[AC-Wlan-Ess0] permit-domain name your.domain.com
[AC-Wlan-Ess0] force-domain name your.domain.com
[AC-Wlan-Ess0] default-domain your.domain.com
[AC-Wlan-Ess0] quit

Configure AP parameters:

Configure radios for the APs:

[AC] wlan
[AC-wlan-view] wmm-profile name huawei-ap
[AC-wlan-wmm-prof-huawei-ap] quit
[AC-wlan-view] radio-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] radio-type 80211gn
[AC-wlan-radio-prof-huawei-ap] wmm-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name huawei-ap
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]: y
[AC-wlan-radio-1/0] quit

Configure a security profile named huawei-ap-wpa2. Set the security policy to WPA2, the authentication method to 802.1X (EAP, e.g. PEAP) and the encryption mode to CCMP:

[AC-wlan-view] security-profile name huawei-ap-wpa2
[AC-wlan-sec-prof-huawei-ap-wpa2] security-policy wpa2
[AC-wlan-sec-prof-huawei-ap-wpa2] wpa-wpa2 authentication-method dot1x encryption-method ccmp
[AC-wlan-sec-prof-huawei-ap-wpa2] quit

Configure a traffic profile:

[AC-wlan-view] traffic-profile name huawei-ap
[AC-wlan-wmm-traffic-huawei-ap] quit

Configure service sets for the APs and set the data forwarding mode (direct forwarding is the default; the example below uses tunnel mode):


[AC-wlan-view] service-set name PacketFence-dot1x
[AC-wlan-service-set-PacketFence-dot1x] ssid PacketFence-Secure
[AC-wlan-service-set-PacketFence-dot1x] wlan-ess 0
[AC-wlan-service-set-PacketFence-dot1x] service-vlan 1
[AC-wlan-service-set-PacketFence-dot1x] security-profile name huawei-ap-wpa2
[AC-wlan-service-set-PacketFence-dot1x] traffic-profile name huawei-ap
[AC-wlan-service-set-PacketFence-dot1x] forward-mode tunnel
[AC-wlan-service-set-PacketFence-dot1x] quit

Configure VAPs and deliver the configuration to the APs:

[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name PacketFence-dot1x
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1

Create your open SSID

Activate MAC authentication globally:

<AC> system-view
[AC] mac-authen
[AC] mac-authen username macaddress format with-hyphen
[AC] mac-authen domain your.domain.com

Create your open SSID:

Configure the WLAN-ESS 1 interface:

[AC] interface Wlan-Ess 1
[AC-Wlan-Ess1] port hybrid untagged vlan 145 to 146
[AC-Wlan-Ess1] mac-authen
[AC-Wlan-Ess1] mac-authen username macaddress format without-hyphen
[AC-Wlan-Ess1] permit-domain name your.domain.com
[AC-Wlan-Ess1] force-domain name your.domain.com
[AC-Wlan-Ess1] default-domain your.domain.com
[AC-Wlan-Ess1] quit

Note that the per-interface username format (without-hyphen) differs from the global one (with-hyphen) above; pick one format and check that the User-Name PacketFence receives matches it.

Configure AP parameters:

Configure a security profile named huawei-ap-wep and set the security policy to WEP. WEP is cryptographically broken; treat this SSID as an open network whose only access control is the MAC authentication configured above.

[AC] wlan
[AC-wlan-view] security-profile name huawei-ap-wep
[AC-wlan-sec-prof-huawei-ap-wep] security-policy wep
[AC-wlan-sec-prof-huawei-ap-wep] quit

Configure service sets for the APs and set the data forwarding mode (direct forwarding is the default; the example below uses tunnel mode):


[AC-wlan-view] service-set name PacketFence-WEP
[AC-wlan-service-set-PacketFence-WEP] ssid PacketFence-Open
[AC-wlan-service-set-PacketFence-WEP] wlan-ess 1
[AC-wlan-service-set-PacketFence-WEP] service-vlan 1
[AC-wlan-service-set-PacketFence-WEP] security-profile name huawei-ap-wep
[AC-wlan-service-set-PacketFence-WEP] traffic-profile name huawei-ap
[AC-wlan-service-set-PacketFence-WEP] forward-mode tunnel
[AC-wlan-service-set-PacketFence-WEP] quit

(The traffic profile huawei-ap was already created for the secure SSID.)

Configure VAPs and deliver the configuration to the APs:

[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name PacketFence-WEP
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1

H3C

S5120 Switch series

PacketFence supports these switches with the following technologies:

802.1X (with or without VoIP)
802.1X with MAC Authentication fallback (with or without VoIP)
MAC Authentication (with or without VoIP)

802.1X

RADIUS scheme creation:

radius scheme packetfence
 primary authentication 192.168.1.5 1812 key useStrongerSecret
 primary accounting 192.168.1.5 1813 key useStrongerSecret
 user-name-format without-domain

ISP domain creation:

domain packetfence
 authentication default radius-scheme packetfence
 authentication lan-access radius-scheme packetfence
 authorization lan-access radius-scheme packetfence

SNMP settings:


snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c

Global configuration:

port-security enable
dot1x authentication-method eap

Global configuration (with VoIP):

Add the following to the previous global configuration.

undo voice vlan security enable
lldp compliance cdp

Interface configuration:

port link-type hybrid
port hybrid vlan 5 untagged
port hybrid pvid vlan 5
mac-vlan enable
stp edged-port enable
port-security max-mac-count 1
port-security port-mode userlogin-secure
port-security intrusion-mode blockmac
dot1x re-authenticate
dot1x max-user 1
dot1x guest-vlan 5
undo dot1x handshake
dot1x mandatory-domain packetfence
undo dot1x multicast-trigger

Interface configuration (with VoIP):

Add the following to the previous interface configuration.

port hybrid vlan 100 tagged
undo voice vlan mode auto
voice vlan 100 enable
lldp compliance admin-status cdp txrx
port-security max-mac-count 3
dot1x max-user 2

802.1X with MAC Authentication fallback

To use MAC Authentication as a fallback for 802.1X, use the previous 802.1X configuration and add the following.

This configuration is the same with or without VoIP.

Global configuration:

mac-authentication domain packetfence

Interface configuration:

mac-authentication guest-vlan 5
port-security port-mode userlogin-secure-or-mac

MAC Authentication

RADIUS scheme creation:

radius scheme packetfence
 primary authentication 192.168.1.5 1812 key useStrongerSecret
 primary accounting 192.168.1.5 1813 key useStrongerSecret
 user-name-format without-domain

ISP domain creation:

domain packetfence
 authentication default radius-scheme packetfence
 authentication lan-access radius-scheme packetfence
 authorization lan-access radius-scheme packetfence

SNMP settings:

snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c

Global configuration:

port-security enable
mac-authentication domain packetfence

Global configuration (with VoIP):

Add the following to the previous global configuration.

undo voice vlan security enable
lldp compliance cdp

Interface configuration:


port link-type hybrid
port hybrid vlan 5 untagged
port hybrid pvid vlan 5
mac-vlan enable
stp edged-port enable
mac-authentication guest-vlan 5
port-security max-mac-count 1
port-security port-mode mac-authentication
port-security intrusion-mode blockmac

Interface configuration (with VoIP):

Add the following to the previous interface configuration.

port hybrid vlan 100 tagged
undo voice vlan mode auto
voice vlan 100 enable
lldp compliance admin-status cdp txrx
port-security max-mac-count 3

HP

E4800G and E5500G Switch series

These are re-branded 3Com switches; see the 3Com section for their documentation.

HP ProCurve

PacketFence supports ProCurve switches without VoIP using two different trap types:

linkUp/linkDown
Port Security (with static MACs)

We recommend enabling Port Security only.

Don't forget to update the startup config!

Note

HP ProCurve only sends one security trap to PacketFence per security violation, so make sure PacketFence is running when you configure port-security. Also, because of the above limitation, it is considered good practice to reset the intrusion flag as a first troubleshooting step.

If you want to learn more about the intrusion flag and port-security, please refer to the ProCurve documentation.

Caution

If you configure a switch that is already in production, be careful: enabling port security causes active MAC addresses to be automatically added to the intrusion list without a security trap being sent to PacketFence. This is undesired because PacketFence will not be notified that it needs to configure the port. As a workaround, unplug clients before activating port-security, or remove the intrusion flag after you have enabled port security with: port-security <port> clear-intrusion-flag

2500 Series

linkUp/linkDown traps are enabled by default, so we disable them and enable Port Security only.

On 2500s, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.

Global config settings:

snmp-server community "public" Unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26

On each interface:

port-security xx learn-mode static action send-alarm mac-address 0200000000xx

where xx stands for the interface index.

2600 Series and 3400cl Series

Port-Security

linkUp/linkDown traps are enabled by default, so we disable them and enable Port Security only.

On 2600s, we don't need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.

Global config settings:

snmp-server community public manager unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26

On each interface:

port-security xx learn-mode configured action send-alarm

where xx stands for the interface index.

MAC Authentication (Firmware > 11.72)

In order to enable RADIUS MAC authentication on the ports, you first need to join the ports to either the registration or the MAC detection VLAN (as a security measure).

Next, define the RADIUS server host:

radius-server host 192.168.1.5 key useStrongerSecret

Since HP now supports server groups, let's create a group for MAC authentication. Another one can be used for management access:

aaa server-group radius "packetfence" host 192.168.1.5
aaa server-group radius "management" host 10.0.0.15

Configure the AAA authentication for MAC authentication to use the proper server group:

aaa authentication mac-based chap-radius server-group "packetfence"

Finally, enable MAC authentication on all necessary ports:

aaa port-access mac-based 1-24

Don't forget to permit address moves and set the reauthentication period. x represents the port index:

aaa port-access mac-based x addr-moves
aaa port-access mac-based x reauth-period 14400

(Thanks to Jean-Francois Laporte for this contribution)
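The "chap-radius" keyword above changes how the switch carries the MAC credential in its RADIUS request, which is worth seeing in bytes. The following is an added example, not PacketFence, HP or Cisco code: it builds the Access-Request a switch sends for MAC-based authentication in both the PAP form (User-Password hidden with the shared secret, the usual MAB encoding on Cisco and Huawei gear in this guide) and the CHAP form ProCurve selects here, then verifies each the way the RADIUS side does. The shared secret, MAC addresses and NAS address are constructed values and nothing is sent on the network; the MAC normalisation covers the colon, hyphen, dot and separator-less username formats that different switches in this guide emit.

```python
"""RADIUS Access-Request for MAC-based authentication (MAB), PAP and CHAP forms.

Added example, not PacketFence, HP or Cisco code. A switch doing MAB sends the
client's MAC as User-Name and again as the credential: either a PAP
User-Password hidden with the shared secret (RFC 2865 section 5.2) or, with
ProCurve 'mac-based chap-radius', a CHAP-Password computed over a
CHAP-Challenge (RFC 2865 section 5.3). The server needs no stored password
because the password is the identity itself. Secret, MACs and NAS address are
constructed test values; nothing is sent on the wire.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
CALLING_STATION_ID, CHAP_CHALLENGE = 31, 60


def attr(code: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length includes the two header bytes."""
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; needs the same secret and Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def normalise_mac(s: str):
    """'00:11:22:33:44:55', '00-11-...', '0011.2233.4455' -> '001122334455', else None."""
    hexd = "".join(c for c in s.lower() if c in "0123456789abcdef")
    return hexd if len(hexd) == 12 else None


def mab_request(mac: str, secret: bytes, mode: str = "pap",
                nas_ip: str = "192.168.1.10", identifier: int = 1) -> bytes:
    """Build the Access-Request a switch sends for MAB; User-Name is the MAC as the switch formats it."""
    username = mac.encode()
    authenticator = os.urandom(16)          # Request Authenticator, fresh per request
    attrs = (attr(USER_NAME, username) + attr(CALLING_STATION_ID, username)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    if mode == "pap":
        attrs += attr(USER_PASSWORD, hide_password(username, secret, authenticator))
    elif mode == "chap":
        challenge = os.urandom(16)
        attrs += attr(CHAP_PASSWORD, chap_response(identifier, username, challenge))
        attrs += attr(CHAP_CHALLENGE, challenge)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header; a malformed length stops the walk."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        code, length = packet[i], packet[i + 1]
        if length < 2:
            break
        attrs[code] = packet[i + 2:i + length]
        i += length
    return attrs


def server_check(packet: bytes, secret: bytes, known_macs) -> str:
    """Server side: recover the identity, verify the credential, then look the MAC up."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "Access-Reject"
    authenticator, a = packet[4:20], parse_attrs(packet)
    username = a.get(USER_NAME, b"")
    if USER_PASSWORD in a:
        ok = unhide_password(a[USER_PASSWORD], secret, authenticator) == username
    elif CHAP_PASSWORD in a:
        # RFC 2865: without a CHAP-Challenge attribute the Request Authenticator is the challenge
        challenge = a.get(CHAP_CHALLENGE, authenticator)
        ok = chap_response(a[CHAP_PASSWORD][0], username, challenge) == a[CHAP_PASSWORD]
    else:
        ok = False                          # neither credential present: not a MAB request
    mac = normalise_mac(username.decode("ascii", "replace"))
    return "Access-Accept" if ok and mac in known_macs else "Access-Reject"
```

Two things the bytes make obvious. First, only the PAP form involves the shared secret at all; a CHAP-based MAB request verifies with nothing but the MAC, which is public. MAB therefore authenticates the switch-to-server path, not the endpoint, so restrict the RADIUS server to the switches' source addresses and keep the secrets long. Second, the User-Name format varies by vendor (with or without hyphens, as the Huawei section shows), which is why the server normalises it before the lookup.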

2610

802.1X

Define the RADIUS server host:

radius-server host 192.168.1.5 key "useStrongerSecret"
radius-server host 192.168.1.5 acct-port 1813 key "useStrongerSecret"

Define the SNMP configuration:

snmp-server host 192.168.1.5 community "public" informs trap-level not-info
no snmp-server enable traps link-change C1

Configure the server group:


aaa server-group radius "packetfence" host 192.168.1.5

Configure authentication:

aaa authentication port-access eap-radius server-group "packetfence"
aaa authentication mac-based chap-radius server-group "packetfence"

Configure the port-security:

port-security C1 learn-mode port-access action send-alarm

Configuration of the port:

aaa port-access authenticator C1
aaa port-access authenticator C1 client-limit 1
aaa port-access authenticator active
aaa port-access mac-based C1
aaa port-access mac-based C1 addr-moves
aaa port-access mac-based C1 reauth-period 14400
aaa port-access C1 controlled-direction in

(Thanks to Denis Bonnenfant for this contribution)

4100, 5300, 5400 Series

Port-Security

linkUp/linkDown traps are enabled by default and we have not found a way yet to disable them, so do not forget to declare the trunk ports as uplinks in the switch config file.

On 4100s, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. The ports are indexed differently on 4100s: it is based on the number of modules you have in your 4100, each module being indexed with a letter.

Global config settings:

snmp-server community "public" Unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26

You should configure the interfaces like this:

port-security A1 learn-mode static action send-alarm mac-address 020000000001
...
port-security A24 learn-mode static action send-alarm mac-address 020000000024
port-security B1 learn-mode static action send-alarm mac-address 020000000025
...
port-security B24 learn-mode static action send-alarm mac-address 020000000048
port-security C1 learn-mode static action send-alarm mac-address 020000000049
...

MAC Authentication (with VoIP)

In order to have MAC Authentication working with VoIP, you need to ensure that the Voice VLAN is tagged on all the ports first. You also need to activate LLDP notification on all ports that will handle VoIP. Finally, make sure to change the value of the $VOICEVLANAME variable in the ProCurve 5400 module's source code.

RADIUS configuration:

radius-server host 192.168.1.5 key strongKey

MAC Authentication:

aaa port-access mac-based C5-C7
aaa port-access mac-based C5 addr-limit 2
aaa port-access mac-based C6 addr-limit 2
aaa port-access mac-based C7 addr-limit 2
aaa port-access C5 controlled-direction in
aaa port-access C6 controlled-direction in
aaa port-access C7 controlled-direction in

802.1X (with VoIP)

Same as for MAC Authentication: you need to ensure that the Voice VLAN is tagged on all the ports first if using 802.1X. You also need to activate LLDP notification on all ports that will handle VoIP. Finally, make sure to change the value of the $VOICEVLANAME variable in the ProCurve 5400 module's source code.

RADIUS configuration:

radius-server host 192.168.1.5 key strongKey

802.1X:

aaa authentication port-access eap-radius
aaa port-access authenticator C3-C4
aaa port-access authenticator C3 client-limit 3
aaa port-access authenticator C4 client-limit 3
aaa port-access authenticator active

Huawei

PacketFence supports the S5710 switch from Huawei.


Basic configuration:

l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
domain pf
dot1x enable
dot1x dhcp-trigger
radius-server template packetfence
 radius-server shared-key cipher <yourSecret>
 radius-server authentication 192.168.1.5 1812
 radius-server accounting 192.168.1.5 1813
 radius-server retransmit 2
radius-server authorization 192.168.1.5 shared-key cipher <yourSecret>
aaa
 authentication-scheme abc
  authentication-mode radius
 accounting-scheme abc
  accounting-mode radius
 domain pf
  authentication-scheme abc
  accounting-scheme abc
  radius-server packetfence
snmp-agent
snmp-agent local-engineid 800007DB0304F9389D2360
snmp-agent community write cipher <privateKey>
snmp-agent sys-info version v2c v3

MAC authentication:

interface GigabitEthernet0/0/8
 dot1x mac-bypass mac-auth-first
 dot1x mac-bypass
 dot1x max-user 1
 dot1x reauthenticate
 dot1x authentication-method eap

802.1X:

interface GigabitEthernet0/0/8
 dot1x mac-bypass
 dot1x max-user 1
 dot1x reauthenticate
 dot1x authentication-method eap


Intel

Express 460 and Express 530

PacketFence supports these switches without VoIP using one trap type:

linkUp/linkDown

Exact command-line configuration to be contributed.

Juniper

PacketFence supports Juniper switches in MAC Authentication (Juniper's MAC RADIUS) mode and 802.1X. PacketFence supports VoIP on the EX2200 (JUNOS 12.6) and EX4200 (JUNOS 13.2).


# load replace terminal
[Type ^D at a new line to end input]
interfaces {
    interface-range access-ports {
        member-range ge-0/0/1 to ge-0/0/46;
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                        flap-on-disconnect;
                    }
                }
            }
        }
    }
}
access {
    radius-server {
        192.168.1.5 {
            port 1812;
            secret "useStrongerSecret";
        }
    }
    profile packetfence {
        authentication-order radius;
        radius {
            authentication-server 192.168.1.5;
            accounting-server 192.168.1.5;
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}
ethernet-switching-options {
    secure-access-port {
        interface access-ports {
            mac-limit 1 action drop;
        }
    }
}

Change the interface-range statement to reflect the ports you want to secure with PacketFence.

VoIP configuration
# load replace terminal
[Type ^D at a new line to end input]
protocols {
    lldp {
        advertisement-interval 5;
        transmit-delay 1;
        ptopo-configuration-trap-interval 1;
        lldp-configuration-notification-interval 1;
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        interface access-ports {
            mac-limit 2 action drop;
        }
    }
    voip {
        interface access-ports {
            vlan voice;
            forwarding-class voice;
        }
    }
}
vlans {
    voice {
        vlan-id 3;
    }
}
Ctrl-D
# commit comment "packetfenced VoIP"

802.1x configuration
protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius;
                }
            }
        }
    }
}
Ctrl-D
# commit comment "packetfenced dot1x"

Configuration for MAC authentication floating devices
To support floating devices on a Juniper switch you need to configure the flap-on-disconnect option on each interface individually and remove it from the access-ports group.

# load replace terminal
[Type ^D at a new line to end input]
protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                ge-0/0/1.0 {
                    mac-radius {
                        flap-on-disconnect;
                    }
                }
                ge-0/0/2.0 {
                    mac-radius {
                        flap-on-disconnect;
                    }
                }
                .....
                access-ports {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    }
}
Ctrl-D
# commit comment "configured for floating devices"

LG-Ericsson
PacketFence supports iPECS series switches without VoIP using two different trap types:
linkUp/linkDown
Port Security (with static MACs)
On some recent models, we can also use more secure and robust features, like:
MAC Authentication
802.1X

ES-4500G Series
LinkUp/LinkDown
Firmware 1.2.3.2 is required for linkUp/linkDown.
Prior to config, make sure to create all necessary VLANs and configure the appropriate uplink port.
Global config settings
snmp-server community public ro
snmp-server community private rw
!
snmp-server enable traps authentication
snmp-server host 192.168.1.5 public version 2c udp-port 162
snmp-server notify-filter traphost.192.168.1.5.public remote 192.168.1.5

The firmware is kind of buggy, so you'll need to enable linkUp/linkDown using the Web Interface under Administration > SNMP.
Some reports show that the switch doesn't always send linkDown traps.
On each interface (except uplink)
switchport allowed vlan add 4 untagged
switchport native vlan 4
switchport allowed vlan remove 1
switchport mode access

Port-Security
Firmware 1.2.3.2 is required for port-security.
Prior to config, make sure to create all necessary VLANs and configure the appropriate uplink port.
Global config settings
snmp-server community public ro
snmp-server community private rw
!
snmp-server enable traps authentication
snmp-server host 192.168.1.5 public version 2c udp-port 162
snmp-server notify-filter traphost.192.168.1.5.public remote 192.168.1.5

On each interface (except uplink)
port security max-mac-count 1
port security
port security action trap
switchport allowed vlan add 2 untagged
switchport native vlan 2
switchport allowed vlan remove 1
switchport mode access
The above port security command may not work using the CLI. In this case, use the Web Interface under the Security > Port Security menu and enable each port using the checkboxes.
It is also recommended, when using port-security, to disable link-change (UP/DOWN) traps.
Don't forget to update the startup config!

Linksys
PacketFence supports Linksys switches without VoIP using one trap type:
linkUp/linkDown
Don't forget to update the startup config!

SRW224G4
Global config settings
no snmp-server trap authentication
snmp-server community CS_2000_le rw view Default
snmp-server community CS_2000_ls ro view Default
snmp-server host 192.168.1.5 public 2
On each interface
switchport access vlan 4

Netgear
The "web-managed smart switch" models GS108Tv2/GS110/GS110TP are supported with Link up/down traps only.
Higher-end "fully managed" switches including FSM726v1 are supported in Port Security mode.

FSM726/FSM726S version 1
PacketFence supports FSM726/FSM726S version 1 switches without VoIP in Port Security mode (with static MACs), called Trusted MAC table on Netgear's hardware.
Using the HTTP GUI, follow the steps below to configure this feature. Of course, you must create all your VLANs on the switch as well.

SNMP Settings
In Advanced > SNMP > Community Table, create a read-write community string and a trap community string. You can use the same community for all 3 functions (Get, Set, Trap).
Next, under Advanced > SNMP > Host Table, enable the Host Authorization feature and add the PacketFence server to the allowed host list.
Finally, under Advanced > SNMP > Trap Setting, enable the authentication trap.

Trusted MAC Security
Under Advanced > Advanced Security > Trusted MAC Address, create a fake MAC address per port (i.e. 02:00:00:00:00:xx where xx is the port number). This will have the effect of sending a security trap to PacketFence when a new device plugs into the port.
Don't forget to save the configuration!

GS108Tv2/GS110T/GS110TP
PacketFence supports certain lower-end Netgear switches with LinkUp/LinkDown traps. These "web managed" switches have no command-line interface and only a subset of the port security and 802.1X functionality needed to interoperate with PacketFence in these more advanced modes. There is no way to send a trap upon port security violation, and there is only pure 802.1X, no MAC Address Bypass.

Switch Configuration
It can be difficult to find the advanced features in the web GUI. We recommend using the GUI "Maintenance" tab to upload the configuration to a file, and then edit it there.
Hints on file upload/download:
From the File Type menu, choose Text Configuration.
If you're uploading to the TFTP root directory, leave Path blank.
At the top of the config file, you need:

vlan database
vlan 1,2,3,4,5
vlan name 1 "Normal"
vlan name 2 "Registration"
vlan name 3 "Isolation"
vlan name 4 "MAC Detection"
vlan name 5 "Guest"
exit

In the same section as "users passwd", you need to specify your PacketFence server's management address:
snmptrap useStrongerSecret ipaddr 192.168.1.5
In the same section as the "voip oui" lines, you need to allow your SNMP server:
snmp-server community "public"
snmp-server community rw useStrongerSecret
snmp-server community ipaddr 192.168.1.5 public
snmp-server community ipmask 255.255.255.0 public
snmp-server community ipaddr 192.168.1.5 useStrongerSecret
snmp-server community ipmask 255.255.255.0 useStrongerSecret
no voip vlan

You should use port 1 as the uplink. If you connect port 1 of a GS108Tv2 switch into a Power over Ethernet switch, then the GS108Tv2 does not need AC power. If you bought GS110T(P) switches, presumably it's for the SFP uplink option. You'll want to configure both port 1 and the SFP ports 9-10 as trunks:
interface 0/1
no snmp trap link-status
ip dhcp filtering trust
vlan pvid 1
vlan ingressfilter
vlan participation include 1,2,3,4,5
vlan tagging 2,3,4,5
no auto-voip
exit
Each user-facing, PacketFence-managed port should be configured like:
interface 0/2
vlan pvid 4
vlan ingressfilter
vlan participation include 4
no auto-voip
exit

M Series
PacketFence supports the Netgear M series in wired MAC authentication without VoIP.

Switch configuration
radius server host auth 192.168.1.5
radius server key auth 192.168.1.5 (then press enter and input your secret)
radius server primary 192.168.1.5
radius server host acct 192.168.1.5
radius server key acct 192.168.1.5 (then press enter and input your secret)
aaa session-id unique
dot1x system-auth-control
aaa authentication dot1x default radius
authorization network radius
radius accounting mode

On your uplinks
dot1x port-control force-authorized

On your interfaces
interface 0/x
dot1x port-control mac-based
dot1x timeout guest-vlan-period 1
dot1x mac-auth-bypass
exit

Nortel
PacketFence supports Nortel switches with VoIP using one trap type:
Mac Security
Don't forget to update the startup config!

Note
If you are using a 5500 series with a firmware version of 6 or above, you must use a different module called Nortel::BayStack5500_6x in your /usr/local/pf/conf/switches.conf. Indeed, Nortel introduced an incompatible change of behavior in this firmware.

BayStack 470, ERS2500 Series, ERS4500 Series, 4550, 5500 Series and ES325
Global config settings
snmp-server authentication-trap disable
snmp-server host 192.168.1.5 "public"
snmp trap link-status port 1-24 disable
no mac-security mac-address-table
interface FastEthernet ALL
mac-security port ALL disable
mac-security port 1-24 enable
default mac-security auto-learning port ALL max-addrs
exit
mac-security enable
mac-security snmp-lock disable
mac-security intrusion-detect disable
mac-security filtering enable
mac-security snmp-trap enable
mac-security auto-learning aging-time 60
mac-security learning-ports NONE
mac-security learning disable

VoIP support
You need to ensure that all your ports are tagged with the voice VLAN. The switch should do the rest for you.
vlan create 6 name "Telephone" type port learning ivl
vlan members 6 1-20,23-24

BPS2000
You can only configure this switch through menus.
Enable MAC Address Security:

MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
Generate SNMP Trap on Intrusion: Enabled
Current Learning Mode: Disabled
Learn by Ports: NONE

Port    Trunk    Security
----    -----    --------
1                Enabled
...
24               Enabled

SMC
TigerStack 6128L2, 8824M and 8848M
PacketFence supports these switches without VoIP using two different trap types:
linkUp/linkDown
Port Security (with static MACs)
We recommend enabling Port Security only.
Global config settings
SNMP-server host 192.168.1.5 public version 2c udp-port 162
no snmp-server enable traps link-up-down
On each interface:
port security max-mac-count 1
port security
port security action trap

TigerStack 6224M
Supports linkUp/linkDown mode
Global config settings
SNMP-server host 192.168.1.5 public version 1

Wireless Controllers and Access Point Configuration

Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:

PacketFence is fully configured with FreeRADIUS running
PacketFence IP address: 192.168.1.5
Normal VLAN: 1
Registration VLAN: 2
Isolation VLAN: 3
MAC Detection VLAN: 4
Guest VLAN: 5
VoIP, Voice VLAN: 100
use SNMPv2c
SNMP community name: public
RADIUS Secret: useStrongerSecret
Open SSID: PacketFence-Public
WPA-Enterprise SSID: PacketFence-Secure

Unsupported Equipment
Wireless network access configuration is a lot more consistent between vendors. This is due to the fact that the situation is a lot more standardized than on the wired side: VLAN assignment is done centrally with RADIUS and the client protocol is consistent (MAC-Authentication or 802.1X). This consistency has the benefit that a lot of the wireless network devices tend to work out-of-the-box with PacketFence. The only missing piece is, in most cases, remote deauthentication of the client, which is used for VLAN assignment (deauth the user so it'll reconnect and get the new VLAN).
So, even if your wireless equipment is not explicitly supported by PacketFence, it's recommended that you give it a try. The next section covers the objectives that you want to accomplish for trying out your equipment even if we don't have configuration for it.
Here are the high-level requirements for proper wireless integration with PacketFence:
The appropriate VLANs must exist
Allow the controller to honor VLAN assignments from AAA (sometimes called AAA override)
Put your open SSID (if any) in MAC-Authentication mode and authenticate against the FreeRADIUS hosted on PacketFence
Put your secure SSID (if any) in 802.1X mode and authenticate against the FreeRADIUS hosted on PacketFence
On registration/isolation VLANs the DHCP traffic must reach the PacketFence server
On your production VLANs a copy of the DHCP traffic must reach PacketFence, where a pfdhcplistener listens (configurable in pf.conf under interfaces)
At this point, user registration with the captive portal is possible and registered users should have access to the appropriate VLANs. However, VLAN changes (like after a registration) won't happen automatically; you will need to disconnect / reconnect. An explanation of this behavior is provided in the introduction section above.
You can try modules similar to your equipment if any (read the appropriate instructions) or you can try to see if RFC 3576 is supported. RFC 3576 covers RADIUS Packet of Disconnect (PoD), also known as Disconnect Messages (DM) or Change of Authorization (CoA). You can try the Aruba module if you want to verify whether RFC 3576 is supported by your hardware.
If none of the above worked, then you can fall back to inline enforcement or let us know what equipment you are using on the packetfence-devel mailing list.

AeroHIVE
AeroHIVE products are a bit different compared to the other vendors. They support either a local HiveManager (kind of wireless controller) or a cloud-based HVM. However, the configuration is the same for the local and the cloud-based controller. Note that all the configuration is made on the HVM and then pushed to the APs.

AAA Client Settings
In the HVM, go to Configuration > AAA Authentication > AAA Client Settings, and insert the proper properties:
Give a RADIUS Name
Add a RADIUS server with Authentication as the server type and primary as the role
Make sure Permit Dynamic Change of Authorization is ticked (RFC 3576)

Public SSID
Again in the HVM, go to Configuration > SSIDs, and create a new SSID with the following:
Give a Profile Name and an SSID Name
Choose Open as the Access Security
Select Enable Mac Authentication
Select your RADIUS server from the RADIUS Server dropdown list

Secure SSID
In the HVM, go to Configuration > SSIDs, and create a new SSID with the following:
Give a Profile Name and an SSID Name
Choose WPA2 Enterprise as the Access Security
Select WPA2-802.1X as the key management
Select CCMP as the encryption method
Select your RADIUS server from the RADIUS Server dropdown list

Roles (User Profiles)
Since PacketFence 3.3.0, we support user profiles on the AeroHIVE hardware. To build a User Profile, go to Configuration > User Profiles, and create what you need. When you define the switch definition in PacketFence, the role will match the User Profile attribute number. Example:
roles=CategoryStudent=1;CategoryStaff=2
And in the AeroHIVE configuration, you have:
StudentProfile attribute number 1
StaffProfile attribute number 2
The last step is to allow the User Profile to be returned for a particular SSID. Go to Configuration > SSIDs > Your_SSID > User Profiles for Traffic Management, and select the User Profiles you will return for the devices.

Note
The VLAN ID is NOT returned by PacketFence if a role is available for a given category. The VLAN ID needs to be configured in the User Profile definition on the AeroHIVE side.

Caching and Roaming
AeroHIVE have a session replication feature to ease EAP session roaming between two access points. However, this may cause problems when you bounce the wireless card of a client: it will not do a new RADIUS request. Two settings can be tweaked to reduce the caching impact: the roaming cache update interval and the roaming cache ageout. They are located in Configuration > SSIDs > [SSID Name] > Optional Settings > Advanced. The other way to support roaming is to enable SNMP traps in the AeroHIVE configuration towards the PacketFence server. PacketFence will recognise the ahConnectionChangeEvent and will change the location of the node in its database.

External captive portal
First configure the AAA server as described in the section above in the HiveManager.

Portal configuration
Go in Configuration > Authentication > Captive Web Portals and create a new portal
Select Registration Type = External Authentication
Go in the section Captive Web Portal Login Page Settings, set the Login URL to http://pf_ip/ and Password Encryption to No Encryption

External portal SSID
Again in the HiveManager, go to Configuration > SSIDs, and create a new SSID with the following:
Give a Profile Name and an SSID Name
Choose Open as the Access Security
Select Enable Captive Web Portal
Select your RADIUS server from the RADIUS Server dropdown list
In the guided configuration you will now be able to select your new SSID, the Portal you want to use and the AAA server.

Anyfi
In this section, we cover the basic configuration of the Anyfi Gateway to create a hotspot SSID available on all access points.
This does not cover the configuration of other Anyfi network elements such as the Controller. Please refer to Anyfi Networks' website for relevant documentation.
In this configuration eth0 will be the management interface of the Anyfi Gateway and eth1 will be the interface that will bridge the tagged packets to your network.

Interfaces configuration
interfaces {
    bridge br0 {
        ...
    }
    ethernet eth0 {
        description "Management network"
        address 192.168.0.20/24
    }
    ethernet eth1 {
        description "Wi-Fi client traffic"
        bridge-group {
            bridge br0
        }
    }
}

MAC authentication
This section will allow you to configure the Anyfi-Hotspot SSID that will use MAC authentication.

SSID configuration
service {
    anyfi {
        gateway anyfi-hotspot {
            accounting {
                radius-server 192.168.0.5 {
                    port 1813
                    secret useStrongerSecret
                }
            }
            authorization {
                radius-server 192.168.0.5 {
                    port 1812
                    secret useStrongerSecret
                }
            }
            bridge br0
            controller <Anyfi Controller's IP or FQDN>
            isolation
            nas {
                identifier anyfi
                port 3799
            }
            ssid Anyfi-Hotspot
        }
    }
}

802.1X
This section will allow you to configure the Anyfi-Secure SSID that will authenticate users using 802.1X.

SSID configuration
service {
    anyfi {
        gateway secure-gw {
            accounting {
                radius-server 192.168.0.5 {
                    port 1813
                    secret useStrongerSecret
                }
            }
            authentication {
                eap {
                    radius-server 192.168.0.5 {
                        port 1812
                        secret useStrongerSecret
                    }
                }
            }
            bridge br0
            controller <Anyfi Controller's IP or FQDN>
            isolation
            nas {
                identifier anyfi
                port 3799
            }
            ssid Anyfi-Secure
            wpa2 {
            }
        }
    }
}

Avaya
Wireless Controller (WC)
To be contributed...

Aruba
All ArubaOS
In this section, we cover the basic configuration of the Aruba wireless controller for PacketFence via the web GUI. It was done on an Aruba Controller 200 running ArubaOS 5.0.3.3 and tested on a Controller 600 with ArubaOS 6.0, but it should apply to all Aruba models.

Caution
If you are already using your Aruba controllers and don't want to impact your users, you should create new AAA profiles and apply them to new SSIDs instead of modifying the default ones.

Note
Starting with PacketFence 3.3, Aruba supports role-based access control. Read the Administration Guide under "Role-based enforcement support" for more information about how to configure it on the PacketFence side.

AAA Settings
In the Web interface, go to Configuration > Authentication > RADIUS Server and add a RADIUS server named "packetfence", then edit it:
Set Host to PacketFence's IP (192.168.1.5)
Set the Key to your RADIUS shared secret (useStrongerSecret)
Click Apply
Under Configuration > Authentication > Server Group, add a new Server Group named "packetfence", then edit it to add your RADIUS Server "packetfence" to the group. Click Apply.
Under Configuration > Authentication > RFC3576, add a new server with PacketFence's IP (192.168.1.5) and your RADIUS shared secret (useStrongerSecret). Click Apply.
Under Configuration > Authentication > L2 Authentication, edit the MAC Authentication Profile called "default" to change the Delimiter to dash. Click Apply.
Under Configuration > Authentication > L2 Authentication, edit the 802.1X Authentication Profile called "default" to uncheck Opportunistic Key Caching under Advanced. Click Apply.
Under Configuration > Authentication > AAA Profiles, click on the "default-mac-auth" profile, then click on MAC Authentication Server Group and choose the "packetfence" server group. Click Apply. Move to the RFC3576 server sub-item, choose PacketFence's IP (192.168.1.5), click Add, then Apply.
Under Configuration > Authentication > AAA Profiles, click on the "default-dot1x" profile, then click on 802.1X Authentication Server Group and choose the "packetfence" server group. Click Apply. Move to the RFC3576 server sub-item, choose PacketFence's IP (192.168.1.5), click Add, then Apply.

Public SSID
In the Web interface, go to Configuration > AP Configuration, then edit the "default" AP Group. Go in Wireless LAN > Virtual AP and create a new profile with the following:
AAA Profile: default-mac-auth
SSID Profile: Select NEW, then add an SSID (PacketFence-Public) and set Network authentication to None

Secure SSID
In the Web interface, go to Configuration > AP Configuration, then edit the "default" AP Group. Go in Wireless LAN > Virtual AP and create a new profile with the following:
AAA Profile: default-dot1x
SSID Profile: Select NEW, then add an SSID (PacketFence-Secure) and set Network authentication to WPA2

Roles
Since PacketFence 3.3.0, we support roles for the Aruba hardware. To add roles, go in Configuration > Access Control > User Roles > Add. You don't need to force a VLAN usage in the Role since we also send the VLAN ID along with the Aruba User Role in the RADIUS reply. Refer to the Aruba User Guide for more information about Role creation.

WIPS
In order to use the WIPS feature in PacketFence, please follow these simple steps to send the traps to PacketFence.
First, configure PacketFence to be a trap receiver. Under Configuration > SNMP > Trap Receivers, add an entry for the PF management IP. By default, all traps will be enabled. If you want to disable some, you will need to connect via CLI and run the snmp-server trap disable <trapname> command.

Aruba Controller 200
In this section, we cover the basic configuration of the Aruba Controller 200 for PacketFence using the command line interface. We suggest you use the instructions above for the Web GUI instead.

VLAN definition
Here, we create our PacketFence VLANs, and our Access Point VLAN (VID 66). It is recommended to isolate the management of the thin APs in a separate VLAN.

vlan 2
vlan 3
vlan 5
vlan 10
vlan 66

AAA Authentication Server
aaa authentication-server radius "PacketFence"
host 192.168.1.5
key useStrongerSecret
aaa server-group "Radius-Group"
auth-server PacketFence

AAA Profiles
aaa profile "default-dot1x"
authentication-dot1x "default"
dot1x-default-role "authenticated"
dot1x-server-group "Radius-Group"
radius-accounting "Radius-Group"
aaa profile "PacketFence"
authentication-mac "pf_mac_auth"
mac-server-group "Radius-Group"
radius-accounting "Radius-Group"

WLAN SSIDs: profiles and virtual AP
wlan ssid-profile "PacketFence-Public"
essid "PacketFence-Public"
wlan ssid-profile "PacketFence-Secure"
essid "PacketFence-Secure"
opmode wpa2-aes
wlan virtual-ap "Inverse-Guest"
aaa-profile "PacketFence"
ssid-profile "PacketFence-Public"
wlan virtual-ap "Inverse-Secure"
aaa-profile "default-dot1x"
ssid-profile "PacketFence-Secure"
ap-group "Inverse"
virtual-ap "Inverse-Guest"
virtual-ap "Inverse-Secure"
ids-profile "ids-disabled"

All Aruba InstantOS
Add your packetfence instance to your configuration:
wlan auth-server packetfence
ip 192.168.1.5
port 1812
acctport 1813
timeout 10
retry-count 5
key useStrongerSecret
nas-ip [Aruba Virtual Controller IP]
rfc3576
Add dynamic VLAN rules and MAC auth to your SSID profile:
wlan ssid-profile SSID
index 0
type employee
essid ESSID
wpa-passphrase WPA-Passphrase
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 1
auth-server packetfence
set-vlan Tunnel-Private-Group-Id contains 1 1
set-vlan Tunnel-Private-Group-Id contains 4 4
rf-band all
captive-portal disable
mac-authentication
dtim-period 1
inactivity-timeout 1000
broadcast-filter none
radius-reauth-interval 5
dmo-channel-utilization-threshold 90

Belair Networks (now Ericsson)
BE20
The Belair Networks BE20s are fairly easy to configure.

Add VLANs
On the BE20 Web Interface, click on Eth-1-1. By default, there will be nothing in there. You need to first create an untagged VLAN (VLAN 0). In order to do that, you need to set the PVID, Reverse PVID, and the VLAN field to 0. Then click Add.
Repeat that step for each of your VLANs by entering the proper VLAN ID in the VLAN field.

AAA Servers
Once you have the VLANs set up, you need to add PacketFence into the AAA Server list. Go to System > Radius Servers. Click on Add server, and fill out the proper information.
Ensure the Enabled checkbox is selected
IP Address: Insert the IP Address of the PacketFence Management Interface
Shared Secret: Insert the shared secret for RADIUS communication
When done, click on the Apply button.

Secure SSID
Since the BE20 doesn't support Open SSID with MAC Authentication, we will only describe how to configure a WPA2-Enterprise SSID. First, we will configure the 5 GHz antenna.
Click on Wifi-1-1 > Access SSID Config. From the Configuration for SSID dropdown, select the 1 entry. Modify the fields like the following:
SSID: Put the SSID name you would like
Type: Broadcast
Use Privacy Mode: WPA2 (AES) with EAP/DOT1x
RADIUS NAS Identifier: You can put a string to identify your AP
Radius Accounting Enabled: Checkbox Selected
Radius Station ID Delimiter: dash
Radius Station Id Append Ssid: Checkbox Selected
RADIUS Server 1: Select the AAA Server you created earlier
When done, click Apply. Repeat the same configuration for the 2.4 GHz antenna (Wifi-1-2).
That should conclude the configuration. You can now save the configs to the flash by hitting the Config Save button on top of the Interface.

Brocade
RF Switches
See the Motorola RF Switches documentation.

Cisco
Aironet 1121, 1130, 1242, 1250
Caution
With this equipment, the same VLAN cannot be shared between two SSIDs. Have this in mind in your design. For example, you need two isolation VLANs if you want to isolate hosts on the public and secure SSIDs.

MAC-Authentication + 802.1X configuration
Radio Interfaces:

dot11 vlan-name normal vlan 1
dot11 vlan-name registration vlan 2
dot11 vlan-name isolation vlan 3
dot11 vlan-name guest vlan 5

interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid PacketFence-Public
ssid PacketFence-Secure
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
bridge-group 253 subscriber-loop-control
bridge-group 253 block-unknown-source
no bridge-group 253 source-learning
no bridge-group 253 unicast-flooding
bridge-group 253 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
LAN interfaces:
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
no bridge-group 253 source-learning
bridge-group 253 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
Then create the two SSIDs:
dot11 ssid PacketFence-Secure
vlan 3 backup normal
authentication open eap eap_methods
authentication key-management wpa
dot11 ssid PacketFence-Public
vlan 2 backup guest
authentication open mac-address mac_methods
mbssid guest-mode
Configure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box):
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key useStrongerSecret
aaa group server radius rad_eap
server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_mac
server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac

Aironet (WDS)
To be contributed...

Wireless LAN Controller (WLC) or Wireless Services Module (WiSM)
In this section, we cover the basic configuration of the WiSM for PacketFence using the web interface.
First, globally define the FreeRADIUS server running on PacketFence (PacketFence's IP) and make sure Support for RFC 3576 is enabled (if not present it is enabled by default).

Then we create two SSIDs:
PacketFence-Public: non-secure with MAC authentication only
PacketFence-Secure: secure with WPA2 Enterprise PEAP/MSCHAPv2

In the secure SSID, make sure 802.1X is enabled and select the appropriate encryption for your needs (recommended: WPA + WPA2).

No layer 3 security

We set the IP of the FreeRADIUS server

VERY IMPORTANT: Allow AAA override (this allows VLAN assignment from RADIUS)

Edit the non-secure SSID: Enable MAC authentication at level 2

Nothing at level 3

We set the IP of the FreeRADIUS server

VERY IMPORTANT: Allow AAA override (this allows VLAN assignment from RADIUS)

Finally, in the Controller > Interfaces tab, create an interface per VLAN that could be assigned

You are good to go!

Wireless LAN Controller (WLC) Web Auth
In this section, we cover the basic configuration of the WLC Web Auth for PacketFence using the web interface. The idea is to forward the device to the captive portal with an ACL if the device is in an unreg state, and allow the device to reach the Internet (or the normal network) by changing the ACL once registered. In the unreg state, the WLC will intercept the HTTP traffic and forward the device to the captive portal.
In this sample configuration, the captive portal uses the IP address 172.16.0.250, the administration interface uses the IP address 172.16.0.249 and the WLC uses the IP address 172.16.0.248. The DHCP and DNS servers are not managed by PacketFence (WLC DHCP Server, Production DHCP Server).
First, globally define the FreeRADIUS server running on PacketFence (PacketFence's Administration Interface) and make sure Support for RFC 3576 is enabled (if not present it is enabled by default).
Then we create an SSID:
OPEN SSID: non-secure with MAC authentication only

Then you have to create two ACLs: one to deny all traffic except the required one to hit the portal (Pre-Auth-For-WebRedirect) and the other one to allow anything (Authorize_any).

Then the last step is to configure the WLC in PacketFence. Portal URL definition

Role definition

D-Link
DWL Access-Points and DWS 3026
To be contributed...

Extricom
EXSW Wireless Switches (Controllers)
In order to have the Extricom controller working with PacketFence, you need to define two ESSID definitions, one for the "public" network and one for the "secure" network. This can be done in a very short time since Extricom supports RADIUS-assigned VLANs out of the box.
You first need to configure your RADIUS server. This is done under the WLAN Settings > RADIUS tab. Enter the PacketFence RADIUS server information. For the ESSID configuration, in the administration UI, go to WLAN Settings > ESSID definitions. Create the profiles per the following:

Public SSID
MAC Authentication must be ticked
Encryption method needs to be set to None
Select PacketFence as the MAC Authentication RADIUS server (previously added)

Secure SSID
Encryption method needs to be set to WPA Enterprise/WPA2 Enterprise
AES only needs to be selected
Select PacketFence as the RADIUS server (previously added)
The final step is to enable SNMP Agent and SNMP Traps on the controller. This is done under the following tab in the administrative UI: Advanced > SNMP.

Hostapd
OpenWRT
In this section, we cover the basic configuration of the OpenWRT access point (Hostapd software).
Hostapd must have been compiled with dynamic VLAN support and you need to create a file /etc/config/hostapd.vlan that contains:
wlan0.#
And you need to replace the /lib/wifi/hostapd.sh script file with the one included in /usr/local/pf/addons/hostapd
Open SSID
Configure your SSID using the uci command:
uci add_list wireless.@wifi-iface[0]=wifi-iface
uci add_list wireless.@wifi-iface[0].device=radio0
uci add_list wireless.@wifi-iface[0].mode=ap
uci add_list wireless.@wifi-iface[0].ssid=OpenWrt-OPEN
uci add_list wireless.@wifi-iface[0].network=lan
uci add_list wireless.@wifi-iface[0].encryption=none
uci add_list wireless.@wifi-iface[0].auth_server=192.168.1.5
uci add_list wireless.@wifi-iface[0].auth_port=1812
uci add_list wireless.@wifi-iface[0].auth_secret=useStrongerSecret
uci add_list wireless.@wifi-iface[0].dynamic_vlan=2
uci add_list wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan
uci add_list wireless.@wifi-iface[0].vlan_tagged_interface=eth0
uci add_list wireless.@wifi-iface[0].radius_das_port=3799
uci add_list wireless.@wifi-iface[0].radius_das_client='192.168.1.5 useStrongerSecret'
uci add_list wireless.@wifi-iface[0].macfilter=2

Secure SSID
Configure your SSID using the uci command:
uci add_list wireless.@wifi-iface[0]=wifi-iface
uci add_list wireless.@wifi-iface[0].device=radio0
uci add_list wireless.@wifi-iface[0].mode=ap
uci add_list wireless.@wifi-iface[0].ssid=OpenWrt-SECURE
uci add_list wireless.@wifi-iface[0].network=lan
uci add_list wireless.@wifi-iface[0].auth_server=192.168.1.5
uci add_list wireless.@wifi-iface[0].auth_port=1812
uci add_list wireless.@wifi-iface[0].auth_secret=useStrongerSecret
uci add_list wireless.@wifi-iface[0].dynamic_vlan=2
uci add_list wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan
uci add_list wireless.@wifi-iface[0].vlan_tagged_interface=eth0
uci add_list wireless.@wifi-iface[0].radius_das_port=3799
uci add_list wireless.@wifi-iface[0].radius_das_client='192.168.1.5 useStrongerSecret'
uci add_list wireless.@wifi-iface[0].encryption=wpa2
uci add_list wireless.@wifi-iface[0].acct_server=192.168.1.5
uci add_list wireless.@wifi-iface[0].acct_port=1813
uci add_list wireless.@wifi-iface[0].acct_secret=s3cr3t
uci add_list wireless.@wifi-iface[0].nasid=ubiquiti
Then launch the uci commit wireless and wifi commands to enable your configuration.
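The radius_das_port and radius_das_client options above let PacketFence deauthenticate a client through a RADIUS Disconnect-Request (RFC 3576, now RFC 5176) instead of SSH or SNMP. The following is an added example (Python, not code from the guide or from hostapd) that builds that request, simulates the access point's Disconnect-ACK/NAK, and checks the reply's authenticator. It reuses the secret and PacketFence address from the uci lines; the AP address 192.168.1.10 and the client MAC are constructed values.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK exchange (RFC 5176, ex RFC 3576).

Added example, not code from the PacketFence guide or from hostapd: it shows the
packet a NAC server such as PacketFence sends to the access point's DAS port
(radius_das_port=3799 above) to drop a client session, and how the answer is
checked. The shared secret useStrongerSecret matches the uci lines above; the
AP address 192.168.1.10 and the client MAC are constructed values.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# RFC 2865 attribute numbers used to identify the session on the DAS
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (Length counts the 2-byte header)."""
    if not value or len(value) > 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_disconnect_request(secret: bytes, ident: int, mac: str, nas_ip: str) -> bytes:
    """Build a Disconnect-Request that names the session by client MAC and AP address.

    RFC 5176 2.3: Request Authenticator = MD5(Code + ID + Length + 16 zero bytes
    + Attributes + Secret). The DAS recomputes it, so a sender that does not
    know the shared secret cannot get the AP to drop a session.
    """
    attrs = _attr(CALLING_STATION_ID, mac.upper().encode()) + _attr(
        NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))
    )
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_disconnect_response(secret: bytes, request: bytes, ack: bool = True) -> bytes:
    """Simulate the access point: answer with Disconnect-ACK (session dropped) or NAK."""
    code = DISCONNECT_ACK if ack else DISCONNECT_NAK
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this reply
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + secret).digest()
    return header + authenticator


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Accept a reply only if it echoes our identifier and its authenticator checks out."""
    if len(request) < 20 or len(response) < 20 or response[1] != request[1]:
        return False
    code, _, length = struct.unpack("!BBH", response[:4])
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    # constant-time compare: the authenticator is the only proof the AP knows the secret
    return hmac.compare_digest(expected, response[4:20])


def session_dropped(secret: bytes, request: bytes, response: bytes) -> bool:
    """True only for a verified Disconnect-ACK; a NAK or forged reply leaves the session up."""
    return verify_response(secret, request, response) and response[0] == DISCONNECT_ACK


if __name__ == "__main__":
    SECRET = b"useStrongerSecret"
    req = build_disconnect_request(SECRET, 7, "00:11:22:33:44:55", "192.168.1.10")
    ack = build_disconnect_response(SECRET, req)
    print("disconnect acknowledged:", session_dropped(SECRET, req, ack))
```

The same authenticator rules apply to the CoA-Request (code 43) that carries a VLAN change, which is why the page insists on a strong, per-device DAS secret.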

Hostapd (software)
To configure the Hostapd software you can use the same configuration parameters as above in the configuration file.
Mikrotik
This configuration has been tested on the Access Point OmniTIK U-5hnD with RouterOS v6.18 and only MAC Authentication is available now. The only deauthentication method available is SSH, so create an account in the Mikrotik AP and fill in the information in the PacketFence switch configuration. Also don't forget to use the pf account to ssh to the Access Point to receive the ssh key.

Open SSID
In this setup we use the interface ether5 for the bridge (Trunk interface) and ether1 as the management interface.
Configure your access point with the following configuration:

/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ce/an(17dBm), SSID: OPEN, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce disabled=no l2mtu=1600 mode=ap-bridge ssid=MikroTik-05A64D
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-master-local
/interface vlan
add interface=BR-CAPS l2mtu=1594 name=default vlan-id=1
add interface=BR-CAPS l2mtu=1594 name=isolation vlan-id=3
add interface=BR-CAPS l2mtu=1594 name=registration vlan-id=2
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man interface
#
add arp=enabled configuration.mode=ap configuration.ssid=OPEN datapath=datapath1 disabled=no l2mtu=1600 mac-address=D4:CA:6D:05:A6:4D master-interface=none mtu=1500 name=cap1 radio-mac=D4:CA:6D:05:A6:4D
/caps-man aaa
set interim-update=5m
/caps-man access-list
add action=query-radius interface=cap1 radius-accounting=yes signal-range=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether1-gateway
add bridge=BR-CAPS interface=ether5-master-local
/interface wireless cap
set bridge=BR-CAPS discovery-interfaces=BR-CAPS enabled=yes interfaces=wlan1
/ip accounting
set enabled=yes
/radius
add address=192.168.1.5 secret=useStrongerSecret service=wireless
/radius incoming
set accept=yes

HP
ProCurve Controller MSM710
To be contributed...

Meru
Meru Controllers (MC)
In this section, we cover the basic configuration of the Meru wireless controller for PacketFence via the web GUI.

Disable PMK Caching
If you are running a WPA2 SSID, you may need to disable PMK caching in order to avoid deauthentication issues. This is true if you are running AP300s using any 5.0 version including 5.0-87, or any version below 4.0-160.
Here are the commands to run to disable the PMK caching at the AP level. First, log in to the AP, and run this command to see which radios are broadcasting your SSID:
vap display
Second, disable the PMK caching on those radios:
radio pmkid radio00 disable
You can also add those commands to the AP boot script. Contact your Meru support representative for that part.

VLAN Definition
Here, we create our PacketFence VLANs for client use. Go to Configuration > Wired > VLAN, and select Add.
VLAN Name is the human readable name (ie. Registration VLAN)
Tag is the VLAN ID
Fast Ethernet Interface Index refers to the controller's ethernet interface
IP Address: an IP address for this controller on this VLAN
Netmask: network mask for this VLAN
IP Address of the default gateway: wired IP router for this VLAN
Set the Override Default DHCP server flag to off
Leave the DHCP server IP address and the DHCP relay Pass-Through to default
Click OK to add the VLAN.

AAA Authentication Server
Here, we create our PacketFence RADIUS server for use. Under Configuration > Security > Radius, select Add.
Give the RADIUS Profile a name
Write a description of the profile
Give the RADIUS IP, RADIUS Secret and the RADIUS authentication port
Select Colon for the MAC address delimiter
Select MAC Address as the password type
Click OK to add the RADIUS profile.

AAA Accounting Server
Here, we create our PacketFence RADIUS accounting server for use. Under Configuration > Security > Radius, select Add.
Give the RADIUS Profile a name
Write a description of the profile
Give the RADIUS IP, RADIUS Secret and the RADIUS accounting port
Select Colon for the MAC address delimiter
Select MAC Address as the password type
Click OK to add the RADIUS accounting profile.

AAA Profiles Open SSID
Here, we create our wireless security profiles for use. Under Configuration > Security > Profile, select Add.
Give the security profile a name
Select Clear as the L2 Modes Allowed
Leave Data Encrypt empty
Disable the Captive Portal
Enable the Mac Filtering
Click OK to save the profile.

MAC Filtering
When using the Open SSID, you need to activate the mac filtering. Under Configuration > Mac Filtering:
Set ACL Environment State to Permit list enabled
Select your RADIUS profile

AAA Profiles Secure SSID
Here, we create our wireless security profiles for use. Under Configuration > Security > Profile, select Add.
Give the security profile a name
Select WPA2 as the L2 Modes Allowed
Select CCMP-AES for Data Encrypt
Select your PacketFence RADIUS Authentication Profile
Disable the Captive Portal
Enable the 802.1X network initiation
Leave the Mac Filtering to off
Click OK to save the profile.

WLAN SSIDs
Here, we create our SSID and tie it to a security profile. Under Configuration > Wireless > ESS, select Add.
Give the ESS profile a name, and enable it
Write an SSID name
Select your security profile name previously created
Select your PacketFence RADIUS Accounting Profile (if you want to do accounting)
Enable the SSID Broadcast
Make the new AP join the ESS
Set the tunnel interface type to RADIUS and Configured VLAN
Select the registration VLAN for the VLAN Name
Click OK to create the SSID. Repeat those steps for the open and secure SSID by choosing the right security profile.

WLAN SSIDs Adding to access point
Here, we tie our SSIDs to access points. Under Configuration > Wireless > ESS, select the SSID you want to add to your APs. Then, select the ESS-AP Table, and click Add.
Select the AP ID from the drop down list
Click OK to associate the SSID with this AP

Roles (Per-User Firewall)
Since PacketFence 3.3.0, we now support roles (per-user firewall rules) for the Meru hardware. To add firewall rules, go in Configuration > QoS System Settings > QoS and Firewall Rules. When you add a rule, you have to pay attention to two things:
The rule is applied to the controller physical interface right away, so make sure your ACL is not so wide that it locks you out!
The rules are grouped using the Firewall Filter ID (we will use this ID for the roles)
So, since the matching is done using the Firewall Filter ID configuration field, your roles line in switches.conf would look like:
roles=Guests=1;Staff=2

Note
You need to have the Per-User Firewall license in order to benefit from this feature.

Motorola
In order to have the Motorola RFS controller working with PacketFence, you need to define two Wireless LAN definitions, one for the "public" network and one for the "secure" network.

WiNG (Firmware >= 5.0)
AAA Policy (RADIUS server)
First, we need to build the AAA Policy. Under Configuration > Wireless > AAA Policy, click on the Add button at the bottom right. Configure the RADIUS profile like the following:
Host: choose IP Address in the drop down, and put the RADIUS server (PF) IP
Insert a RADIUS secret passphrase
Select "Through Wireless Controller" Request Mode

Caution
Since we are using RADIUS Dynamic Authorization, we need to enable the RADIUS accounting. Under the RADIUS accounting tab, click the Add button at the bottom right, and insert the proper values.

Open SSID
Under Configuration > Wireless > Wireless LANs, click on the Add button at the bottom right.
Under Basic Configuration:
Profile Name: give a convenient name
SSID: this is the ESSID name
Ensure that the WLAN Status is set to enable
Select Single VLAN as VLAN assignment technique
Ensure that "Allow RADIUS Override" is selected

Security configuration:
Select MAC as authentication type
Select your AAA Policy previously created
Ensure that you selected Open as the Encryption

Accounting configuration:
Make sure you select "Enable RADIUS Accounting"
Select the previously configured AAA Policy

Advanced configuration:
Make sure you select RADIUS Dynamic Authorization

Secure SSID
Under Configuration > Wireless > Wireless LANs, click on the Add button at the bottom right.
Under Basic Configuration:
Profile Name: give a convenient name
SSID: this is the ESSID name
Ensure that the WLAN Status is set to enable
Select Single VLAN as VLAN assignment technique
Ensure that "Allow RADIUS Override" is selected

Security configuration:
Select EAP as authentication type
Select your AAA Policy previously created
Ensure that you selected WPA/WPA2-TKIP as the Encryption
Unselect everything under Fast Roaming (Disable caching)

Accounting configuration:
Make sure you select "Enable RADIUS Accounting"
Select the previously configured AAA Policy

Advanced configuration:
Make sure you select RADIUS Dynamic Authorization

Profile (WLAN Mapping)
You have multiple options here. Either you create a general AP profile and assign it to your APs, or you modify the AP device configuration to map the WLAN to the radio interfaces. For the purpose of this document, we will modify the general profile. Under Profiles > default-apXXX (where XXX is your AP model), in Interface > Radios, edit the existing radios settings. Go to the WLAN Mapping tab, select the two SSIDs and click on the << button.

Profile (Management)
Here, we can configure our SNMP community strings. This is located in Configuration > Management > Management Policy. Again, you can modify the default one, or you can create a brand new Policy.

VLANs
You need to ensure that the uplink interface of the controller is configured as a trunk, and that all the necessary VLANs are created on the device. This is configured under Device > rfsXXXX-MAC (where XXXX is your controller series, and MAC is the last 3 octets of its MAC address). Edit the device configuration, and go to Interface > Ethernet Ports. Ensure that the up1 interface is set as trunk, with all the allowed VLANs. Next, create the VLAN under Interface > Virtual Interfaces.

Roles (Per-User Firewall)
Since PacketFence 3.3.0, we now support roles for the Motorola hardware using WiNGS 5.x. To add roles, go in Configuration > Security > Wireless Client Roles. First create a global policy that will contain your roles. Next, create your Roles by clicking on the Add button on the bottom right. It is important to configure the Group Configuration line properly by setting the string name that we will use in the RADIUS packet. For example, for a Guests Role, you can put Group Configuration Exact Guests, and for a Staff Role, you can put Group Configuration Exact Staff. In the roles configuration in switches.conf, you would have something like:
roles=CategoryGuests=Guests;CategoryStaff=Staff
Finally, don't forget to configure the appropriate firewall rules for your Roles! Make sure also to commit the configuration upon your changes.

Note
You need to have an Advanced Security license to enable the Per-User Firewall feature.

WIPS
In order to enable the WIPS functionality on the Motorola, you need to follow this procedure. The steps have been done using the CLI.
First, create a wips-policy:
wips-policy Rogue-AP
history-throttle-duration 86400
event ap-anomaly airjack
event ap-anomaly null-probe-response
event ap-anomaly asleap
event ap-anomaly ad-hoc-violation
event ap-anomaly ap-ssid-broadcast-in-beacon
event ap-anomaly impersonation-attack
ap-detection

Next, create an event policy:
event-system-policy PF-WIDS
event wips wips-event syslog off snmp on forward-to-switch off email off
Next, create or adjust your management policy to configure the SNMP traps. Here is an example policy; please note the last two lines:
management-policy default
no http server
https server
ssh
user admin password 1 e4c93663e3356787d451312eeb8d4704ef09f2331a20133764c3dc3121f13a5b role superuser access all
user operator password 1 7c9b1fbb2ed7d5bb50dba0b563eac722b0676b45fed726d3e4e563b0c87d236d role monitor access all
no snmp-server manager v3
snmp-server community public ro
snmp-server community private rw
snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
snmp-server enable traps
snmp-server host 10.0.0.100 v2c 162
You then need to tell your controller to use the event policy:
rfs6000 5C-0E-8B-17-F2-E3
...
use event-system-policy PF-WIDS
Finally, you need to configure a radio interface on your AP to act as a sensor. Here is an example configuration for a dual-radio AP650:
ap650 00-23-68-86-EB-BC
use profile default-ap650
use rf-domain default
hostname ap650-86EBBC
country-code ca
use wips-policy Rogue-AP
interface radio1
rf-mode sensor
channel smart
power smart
data-rates default
no preamble-short
radio-share-mode off
interface radio2
...


Older Firmwares (< 5.0)
Option for Public Wireless LAN
Check the Dynamic Assignment check-box
Select "MAC Authentication" under Authentication
Click "Config" and choose the Colon delimiter format
Un-check all encryption options
Under RADIUS put in PacketFence's RADIUS Server information

Option for Secure Wireless LAN
Check the Dynamic Assignment check-box
Select "802.1X EAP" under Authentication
Check the WPA/WPA2-TKIP encryption option
Under RADIUS put in PacketFence's RADIUS Server information

SNMP Global configuration
Add the two Read-Only and Read-Write users under Management Access > SNMP Access.

Ruckus
AAA Servers
We need to define the RADIUS and RADIUS accounting servers (mandatory):
Under Configuration > AAA Servers, click on the Create New button. Enter the proper configuration:
Enter a server name
Select either RADIUS or RADIUS accounting as the type
Use PAP as the Auth Method
Enter the IP address and shared secret.
Hit OK
Repeat the steps for the RADIUS and RADIUS accounting types. We need one definition for each, otherwise RADIUS dynamic authorization won't work.
WLAN Definitions
Under Configuration > WLAN, click on the Create New button. Enter the proper configuration:

Open SSID
Enter a Name/SSID
Select Standard Usage as the Type
Select MAC Address as the authentication type
Select Open as the encryption method
Select the proper RADIUS server as the authentication server
Select the proper RADIUS server as the accounting server

Note
The Open SSID does NOT support dynamic VLAN assignments (Firmware 9.3.0.0.83)

Secure SSID
Enter a Name/SSID
Select Standard Usage as the Type
Select WPA2 as the authentication type
Select AES as the encryption method
Select the proper RADIUS server as the authentication server
Select the proper RADIUS server as the accounting server
Check the Enable Dynamic VLAN checkbox

WIPS
To enable the WIPS feature of the Ruckus in order to send SNMP traps to PacketFence, the setup is fairly simple.
First, configure the controller to send the traps to PacketFence. Under Configure > System > Network Management > SNMP Trap:
* Select "Enable SNMP Trap"
* Put the PacketFence Management IP in the Trap Server IP field

Note
The traps will arrive with the "public" community string
Next, you need to configure the Alarm Settings. Under Configure > Alarm Settings, make sure the following are selected:
* Rogue AP Detected
* SSID-Spoofing AP Detected
* MAC-Spoofing AP Detected
* LAN Rogue AP Detected
Finally, enable the WIPS feature on the controller. Under Configure > WIPS > Intrusion Detection and Prevention, make sure both boxes are selected, then click Apply.

Trapeze
In order to have the Trapeze controller working with PacketFence, you need to define the RADIUS configuration and the proper service profiles.

RADIUS configuration
set radius server PF address 192.168.1.5 timeout 5 retransmit 3 deadtime 0 key secret
set server group PF-RADIUS members PF

Service Profiles
Here we define two service profiles, one for the open SSID (PacketFence-Public) and one for the WPA2-Enterprise SSID (PacketFence-Secure):
set service-profile PF-Open ssid-name PacketFence-Public
set service-profile PF-Open ssid-type clear
set service-profile PF-Open auth-fallthru last-resort
set service-profile PF-Open cipher-tkip enable
set service-profile PF-Open auth-dot1x disable
set service-profile PF-Open 11n mode-na required
set service-profile PF-Open attr vlan-name WLAN_REG

set service-profile PF-Secure ssid-name PacketFence-Secure
set service-profile PF-Secure cipher-tkip enable
set service-profile PF-Secure cipher-ccmp enable
set service-profile PF-Secure wpa-ie enable
set service-profile PF-Secure rsn-ie enable
set service-profile PF-Secure 11n mode-na required
set service-profile PF-Secure attr vlan-name Wlan

set radio-profile default service-profile PacketFence-Public
set radio-profile default service-profile PacketFence-Secure

AAA configuration
Finally, we need to tie the service profiles with the proper AAA configuration.
set accounting dot1x ssid PacketFence-Secure ** start-stop PF-RADIUS
set accounting mac ssid PacketFence-Public * start-stop PF-RADIUS
set authentication mac ssid PacketFence-Public * PF-RADIUS
set authentication dot1x ssid PacketFence-Secure ** pass-through PF-RADIUS

Xirrus
Xirrus WiFi Arrays
Xirrus Access Points can be configured to work with PacketFence quickly since Xirrus supports RADIUS-assigned VLANs out of the box.
First, RADIUS server configuration. Set the RADIUS server to be PacketFence's IP:
radius-server ! (global settings)
!
external
primary
server 192.168.1.5
primary
secret useStrongerSecret
!
accounting
primary
server 192.168.1.5
primary
secret useStrongerSecret
exit
exit
exit
Enable SNMP Agent on the access point:
snmp
!
v2
community read-write public
community read-only public
exit
!
exit
Finally, don't forget to create the SSIDs you want and the proper bindings with the LAN. The Open SSID should be configured to perform MAC Authentication and the Secure SSID should be configured to perform 802.1X (WPA-Enterprise or WPA2-Enterprise).

External portal SSID
Set Encryption/Authentication to None/Open
Then check the WPR checkbox
Then in the section Web Page Redirect Configuration set Server to External Login
Set the Redirect URL to http://192.168.1.5/Xirrus::AP_http
Set the Redirect Secret to any passphrase of your choice
In the RADIUS Configuration section set the RADIUS server to point to your PacketFence server


Chapter 6

Additional Information

For more information, please consult the mailing list archives or post your questions to the lists. For details, see:
packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security warnings etc.) regarding PacketFence
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions

Chapter 7

Commercial Support and Contact Information

For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations deploy the solution, customize it, migrate between versions or from another system, tune performance or align with best practices.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/support.html for details.

Chapter 8

GNU Free Documentation License

Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.
