Académique Documents
Professionnel Documents
Culture Documents
forPacketFenceversion6.2.1
NetworkDevicesConfigurationGuide
byInverseInc.
Version6.2.1-Jul2016
Copyright2016Inverseinc.
Permissionisgrantedtocopy,distributeand/ormodifythisdocumentunderthetermsoftheGNUFreeDocumentationLicense,Version
1.2oranylaterversionpublishedbytheFreeSoftwareFoundation;withnoInvariantSections,noFront-CoverTexts,andnoBack-Cover
Texts.Acopyofthelicenseisincludedinthesectionentitled"GNUFreeDocumentationLicense".
ThefontsusedinthisguidearelicensedundertheSILOpenFontLicense,Version1.1.ThislicenseisavailablewithaFAQat:http://
scripts.sil.org/OFL
CopyrightukaszDziedzic,http://www.latofonts.com,withReservedFontName:"Lato".
CopyrightRaphLevien,http://levien.com/,withReservedFontName:"Inconsolata".
TableofContents
About this Guide .............................................................................................................. 1
Othersourcesofinformation..................................................................................... 1
NoteonInlineenforcementsupport...................................................................................2
ListofsupportedNetworkDevices.................................................................................... 3
Switch configuration ......................................................................................................... 4
Assumptions ............................................................................................................. 4
3COM ..................................................................................................................... 4
Alcatel ................................................................................................................... 10
AlliedTelesis ............................................................................................................ 13
Amer ..................................................................................................................... 16
Avaya .................................................................................................................... 16
Brocade ................................................................................................................. 18
Cisco ..................................................................................................................... 19
D-Link ................................................................................................................... 46
Dell ....................................................................................................................... 47
EdgecorE ............................................................................................................... 48
Enterasys ............................................................................................................... 49
Extreme Networks .................................................................................................. 52
Foundry ................................................................................................................. 54
Huawei .................................................................................................................. 55
H3C ...................................................................................................................... 59
HP ......................................................................................................................... 62
HP ProCurve .......................................................................................................... 62
Huawei .................................................................................................................. 66
IBM ....................................................................................................................... 68
Intel ....................................................................................................................... 69
Juniper ................................................................................................................... 69
LG-Ericsson ............................................................................................................ 73
Linksys ................................................................................................................... 75
Netgear ................................................................................................................. 75
Nortel .................................................................................................................... 78
SMC ...................................................................................................................... 80
WirelessControllersandAccessPointConfiguration.......................................................... 81
Assumptions ........................................................................................................... 81
UnsupportedEquipment..........................................................................................81
AeroHIVE ............................................................................................................... 82
Anyfi ..................................................................................................................... 84
Avaya .................................................................................................................... 87
Aruba .................................................................................................................... 88
BelairNetworks(nowEricsson)................................................................................ 91
Brocade ................................................................................................................. 92
Cisco ..................................................................................................................... 93
WirelessLANController(WLC)WebAuth.............................................................. 100
TroubleshootingignoredRADIUSreplies................................................................. 105
D-Link ................................................................................................................. 106
Extricom .............................................................................................................. 106
Hostapd ............................................................................................................... 107
Meraki ................................................................................................................. 108
Mikrotik ............................................................................................................... 116
HP ....................................................................................................................... 118
Meru ................................................................................................................... 118
Copyright2016Inverseinc.
iii
Copyright2016Inverseinc.
iv
Chapter1
AboutthisGuide
ThisguidecoverstheconfigurationofnetworkdevicesinordertointegratethemwithPacketFence
inVLANenforcement.Switches,wirelesscontrollersandwirelessaccesspointsareallconsidered
networkdevicesinPacketFencesterms.
Thelatestversionofthisguideisavailableathttp://www.packetfence.org/documentation/
Othersourcesofinformation
AdministrationGuide
CoversPacketFenceinstallation,configuration
andadministration.
DevelopersGuide
NEWS
UPGRADE
ChangeLog
Coversallchangestothesourcecode.
Thesefilesareincludedinthepackageandreleasetarballs.
Copyright2016Inverseinc.
AboutthisGuide
Chapter2
NoteonInlineenforcementsupport
There is no need to follow the instructions in this guide if you plan on deploying in inline
enforcement,exceptRADIUSinline.Inthiscaseallyouneedtodoistohaveaflatlayer2network
uptoPacketFencesinlineinterfacewithnoothergatewayavailablefordevicestoreachoutto
theInternet.
ThistechniqueisusuallyusedwhenyournetworkhardwaredoesntsupportVLANenforcement.
Copyright2016Inverseinc.
NoteonInlineenforcementsupport
Chapter3
ListofsupportedNetworkDevices
PacketFencesupportsawholelotofdifferentwirelessandwirednetworkequipmentsfromvarious
vendorsrunningdifferentversions.Sincewewanttoprovidethemostaccurateinformationand
avoidduplicationofthatsameinformation,pleaserefertoourwebsitehttp://www.packetfence.org/
about/supported_switches_and_aps.html
Youll find on this page the enforcement modes supported by each and every single piece of
equipmentwetestedandworkedwith.
Copyright2016Inverseinc.
ListofsupportedNetworkDevices
Chapter4
Switchconfiguration
Assumptions
Throughout this configuration example we use the following assumptions for our network
infrastructure:
PacketFenceisfullyconfiguredwithFreeRADIUSrunning(ifyouwant802.1XorMACAuth)
PacketFenceIPaddress:192.168.1.5
NormalVLAN:1
RegistrationVLAN:2
IsolationVLAN:3
MACDetectionVLAN:4
GuestVLAN:5
VoIP,VoiceVLAN:100
useSNMPv2c
SNMPReadcommunity:public
SNMPWritecommunity:private
SNMPTrapcommunity:public
RADIUSSecret:useStrongerSecret
3COM
SuperStack3Switch4200and4500
PacketFencesupportsthese3ComswitcheswithoutVoIPusingonetraptype:
linkUp/linkDown
PortSecurity(withstaticMACs)
Dontforgettoupdatethestartupconfig!
linkUp/linkDownonly
Globalconfigsettings:
Copyright2016Inverseinc.
Switchconfiguration
Chapter4
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname
public
snmp-agent trap enable standard linkup linkdown
Oneachinterface:
port access vlan 4
InPortSecurity
Globalconfigsettings:
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname
public
snmp-agent trap enable
port-security enable
port-security trap addresslearned
port-security trap intrusion
Oneachinterface:
port access vlan 4
port-security max-mac-count 1
port-security port-mode secure
port-security intrusion-mode blockmac
undo enable snmp trap updown
InMACAuth
Voice vlan : 6
Normal vlan : 1
Registration vlan : 2
Isolation vlan : 3
Globalconfigsettings:
lldp
lldp
lldp
lldp
enable
timer tx-interval 5
compliance cdp
compliance cdp
port-security enable
MAC-authentication domain packetfence
Copyright2016Inverseinc.
Switchconfiguration
Chapter4
E4800G
PacketFencesupportsthese3Comswitcheswiththefollowingtechniques:
802.1XwithMACAuthenticationfallback
linkUp/linkDown(notrecommended)
VoiceoverIPsupportwasnotexplicitlytestedduringimplementationhoweveritdoesnotmean
thatitwontwork.
Dontforgettoupdatethestartupconfig!
linkUp/linkDownonly
Globalconfigsettings:
Copyright2016Inverseinc.
Switchconfiguration
Chapter4
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname
public
snmp-agent trap enable standard linkup linkdown
Oneachinterface:
port access vlan 4
802.1XwithMACAuthenticationfallback
Globalconfigsettings:
system-view
radius scheme PacketFence
primary authentication 192.168.1.5 1812
primary accounting 192.168.1.5 1812
key authentication useStrongerSecret
user-name-format without-domain
quit
domain packetfence.local
authentication default radius-scheme PacketFence
authorization default radius-scheme PacketFence
quit
domain default enable packetfence.local
dot1x authentication-method eap
port-security enable
quit
Ifyourmanagementauthenticationonyourswitchisdefault,applyingtheconfigurationabovewill
haveyourauthenticationswitchtoaRADIUSbasedonewithPacketFenceastheauthentication
server.Itisalmostcertainthatyoudonotwantthat!
Below,wewilljustcreatealocalpasswordforvtyaccesses(telnet)andnothingontheconsole.In
ordertoavoidlockingyourselfout,makesuretoverifyyourconfiguration!
system-view
user-interface aux 0
authentication-mode none
user-interface vty 0 4
user privilege level 3
set authentication password simple useStrongerPassword
quit
quit
Oneachinterface:
Copyright2016Inverseinc.
Switchconfiguration
Chapter4
system-view
interface gigabitEthernet 1/0/xx
port-security port-mode mac-else-userlogin-secure-ext
# userlogin-secure-or-mac-ext could be used below instead
# see the Switch_4200G's documentation for a discussion about it
undo enable snmp trap updown
quit
quit
wherexxstandsfortheinterfaceindex.
E5500GandSwitch4200G
PacketFencesupportsthese3Comswitcheswiththefollowingtechniques:
802.1XwithMACAuthenticationfallback
linkUp/linkDown(notrecommended)
VoiceoverIPsupportwasnotexplicitlytestedduringimplementationhoweveritdoesnotmean
thatitwontwork.
Dontforgettoupdatethestartupconfig!
linkUp/linkDownonly
Globalconfigsettings:
snmp-agent
snmp-agent target-host trap address udp-domain 192.168.1.5 params
securityname public
snmp-agent trap enable standard linkup linkdown
Oneachinterface:
port access vlan 4
802.1XwithMACAuthenticationfallback
Globalconfigsettings:
Copyright2016Inverseinc.
Switchconfiguration
Chapter4
system-view
radius scheme PacketFence
server-type standard
primary authentication 192.168.1.5 1812
primary accounting 192.168.1.5 1812
accounting optional
key authentication useStrongerSecret
user-name-format without-domain
quit
domain packetfence.local
radius-scheme PacketFence
vlan-assignment-mode string
quit
domain default enable packetfence.local
dot1x authentication-method eap
port-security enable
quit
Ifyourmanagementauthenticationonyourswitchisdefault,applyingtheconfigurationabovewill
haveyourauthenticationswitchtoaRADIUSbasedonewithPacketFenceastheauthentication
server.Itisalmostcertainthatyoudonotwantthat!
Below,wewilljustcreatealocalpasswordforvtyaccesses(telnet)andnothingontheconsole.In
ordertoavoidlockingyourselfout,makesuretoverifyyourconfiguration!
system-view
user-interface aux 0
authentication-mode none
user-interface vty 0 4
user privilege level 3
set authentication password simple useStrongerPassword
quit
quit
Oneachinterface:
system-view
interface gigabitEthernet 1/0/xx
port-security port-mode mac-else-userlogin-secure-ext
# userlogin-secure-or-mac-ext could be used below instead
# see the Switch_4200G's documentation for a discussion about it
undo enable snmp trap updown
quit
quit
wherexxstandsfortheinterfaceindex
NJ220
Thisswitchdoesnotsupportport-security.
Toconfigure:usewebinterfacetosendthelinkUp/linkDowntrapstothePacketFenceserver.
Copyright2016Inverseinc.
Switchconfiguration
Chapter4
Alcatel
OS6250,OS6450
PacketFencesupportsthisswitchusing802.1X,MacauthenticationandalsosupportsVoIP.
Globalconfiguration
FirstdefineanyVLANthatyouwanttouseontheswitch.
vlan
vlan
vlan
vlan
2
5
20
100
Next,configuretheRADIUSservertobePacketFence
aaa radius-server "packetfence" host 192.168.1.5 key useStrongerSecret
aaa authentication mac packetfence
aaa authentication 802.1X packetfence
Younowneedtoconfigureauserprofile(equivalentofarole)thatwilldeterminewhichVLANis
assignedtothedevice.Inthiscasetheprofilenamesareunreg,employeeandguest.
aaa user-network-profile name unreg vlan 2
aaa user-network-profile name guest vlan 5
aaa user-network-profile name employee vlan 20
Next,configuretheswitchinPacketFence.Inthecaseofthisexample,theuplinkisport1/1.
[192.168.1.10]
mode=production
description=alcatel
type=Alcatel
radiusSecret=useStrongerSecret
uplink_dynamic=0
uplink=1001
RoleMap=Y
VlanMap=N
registrationRole=unreg
isolationRole=unreg
defaultRole=employee
guestRole=guest
802.1X
First,makesureyoufollowedthestepsaboveinGlobalconfiguration
Copyright2016Inverseinc.
Switchconfiguration
10
Chapter4
Youwillneedtoconfiguretheportsyouwanttodoauthenticationon.
vlan port mobile 1/2
vlan port 1/2 802.1X enable
802.1X 1/2 supplicant policy authentication pass group-mobility block fail block
802.1X 1/2 non-supplicant policy authentication pass group-mobility block fail
block
MACAuthentication
First,makesureyoufollowedthestepsaboveinGlobalconfigurationand802.1X
Nextconfiguretheinterfacetobypass802.1Xauthentication
802.1X 1/2 supplicant bypass enable
VoIP
PacketFencesupportsVoIPonAlcatelbyhavingmultipledevicesusingmultipleuntaggedVLANs
onthesameport.
Firstconfiguretheuserprofileforvoice.InthisexampleitisonlyisolatingitonanotherVLANbut
anyuserprofileattributescanbeaddedtotheprofile.
aaa user-network-profile name voice vlan 3
Next, make sure you enable VoIP in the switch configuration in PacketFence and configure the
voiceRole.
[192.168.1.10]
VoIPEnabled=Y
voiceRole=voice
OS6860
PacketFencesupportsthisswitchusing802.1X,MacauthenticationandalsosupportsVoIP.
Note
ThisdocumentationismadeforAlcatelOS8.1+.Lowerversionsdonotsupportthis
configuration.
Globalconfiguration
FirstdefineanyVLANthatyouwanttouseontheswitch.
vlan
vlan
vlan
vlan
2 admin-state enable
5 admin-state enable
20 admin-state enable
100 admin-state enable
Copyright2016Inverseinc.
Switchconfiguration
11
Chapter4
Next,configuretheRADIUSservertobePacketFence
aaa radius-server "packetfence" host 192.168.1.5 key useStrongerSecret
aaa device-authentication mac packetfence
aaa device-authentication 802.1X packetfence
Younowneedtoconfigureanedgeprofile(equivalentofarole)thatwilldeterminewhichVLANis
assignedtothedevice.Inthiscasetheprofilenamesareunreg,employeeandguest.
unp
unp
unp
unp
edge-profile
edge-profile
edge-profile
vlan-mapping
unreg
unreg redirect enable
unreg authentication-flag enable
edge-profile unreg vlan 2
unp
unp
unp
unp
edge-profile
edge-profile
edge-profile
vlan-mapping
guest
guest redirect enable
guest authentication-flag enable
edge-profile guest vlan 5
unp
unp
unp
unp
edge-profile
edge-profile
edge-profile
vlan-mapping
employee
employee redirect enable
employee authentication-flag enable
edge-profile employee vlan 20
Caution
Makesureyouenabletheredirectonallyourrolesastheaccessreevaluationwillnot
workwithoutit.
Next,configuretheswitchinPacketFence.Inthecaseofthisexample,theuplinkisport1/1/1.
[192.168.1.10]
mode=production
description=alcatel
type=Alcatel
radiusSecret=useStrongerSecret
uplink_dynamic=0
uplink=1001
RoleMap=Y
VlanMap=N
registrationRole=unreg
isolationRole=unreg
defaultRole=employee
guestRole=guest
MACAuthentication
First,makesureyoufollowedthestepsaboveinGlobalconfiguration
Youwillneedtocreateanedgetemplateandapplyitontheportsyouwanttodoauthenticationon.
Copyright2016Inverseinc.
Switchconfiguration
12
Chapter4
unp
unp
unp
unp
unp
edge-template pf_mab
edge-template pf_mab mac-authentication enable
edge-template pf_mab classification enable
port 1/1/2 port-type edge
port 1/1/2 edge-template pf_mab
802.1X
First,makesureyoufollowedthestepsaboveinGlobalconfiguration
Youwillneedtocreateanedgetemplateandapplyitontheportsyouwanttodoauthenticationon.
unp edge-template pf_dot1x
unp edge-template pf_dot1x 802.1x-authentication enable
unp edge-template pf_dot1x mac-authentication enable
unp edge-template pf_dot1x 802.1x-authentication failure-policy macauthentication
unp port 1/1/2 port-type edge
unp port 1/1/2 edge-template pf_dot1x
VoIP
PacketFencesupportsVoIPonAlcatelbyhavingmultipledevicesusingmultipleuntaggedVLANs
onthesameport.
Firstconfiguretheedgeprofileforvoice.InthisexampleitisonlyisolatingitonanotherVLANbut
anyedgeprofileattributescanbeaddedtotheprofile.
unp
unp
unp
unp
edge-profile
edge-profile
edge-profile
vlan-mapping
voice
voice redirect enable
voice authentication-flag enable
edge-profile voice vlan 100
Next, make sure you enable VoIP in the switch configuration in PacketFence and configure the
voiceRole.
[192.168.1.10]
VoIPEnabled=Y
voiceRole=voice
AlliedTelesis
AT8000GS
PacketFencesupportstheAT8000GSswitchusing:
Copyright2016Inverseinc.
Switchconfiguration
13
Chapter4
MACAuthentication(mac-only)
802.1X
802.1X+VOIP
Assumptions
PacketFence management IP: 192.168.1.5
Switch management IP: 10.0.0.14
Guest VLAN (Internet): VLAN 1
MACAuthentication
First,enable802.1Xglobally:
dot1x system-auth-control
Next,configuretheRADIUSserverandAAAsettings:
radius-server host 192.168.1.5
radius-server key useStrongerSecret
radius-server source-ip 10.0.0.14
aaa authentication dot1x default radius
aaa accounting dot1x radius
Inordertogetmacauthentication,youneedtoenabletheguestVLANglobally:
interface vlan 1
name "Guest Vlan"
dot1x guest-vlan
exit
Finally,enablethenecessary802.1Xsettingsformac-onlyauthentication:
interface ethernet g1
dot1x mac-authentication mac-only
dot1x radius-attributes vlan
dot1x port-control auto
dot1x guest-vlan enable
802.1X
ThesettingsarealmostthesameastheMACAuthenticationwithsomesmalldifferences.
First,enable802.1Xglobally:
dot1x system-auth-control
Copyright2016Inverseinc.
Switchconfiguration
14
Chapter4
Next,configuretheRADIUSserverandAAAsettings:
radius-server host 192.168.1.5
radius-server key useStrongerSecret
radius-server source-ip 10.0.0.14
aaa authentication dot1x default radius
aaa accounting dot1x radius
Finally,enablethenecessary802.1Xsettings:
interface ethernet g1
dot1x radius-attributes vlan
dot1x port-control auto
802.1X+VOIP
First,enable802.1Xglobally:
dot1x system-auth-control
Next,configuretheRADIUSserverconfigurationandAAAsettings:
radius-server host 192.168.1.5
radius-server key useStrongerSecret
radius-server source-ip 10.0.0.14
aaa authentication dot1x default radius
aaa accounting dot1x radius
Then,LLDPconfiguration:
hostname switch-name
ip domain-name domain.local
lldp med network-policy 1 voice vlan 100 vlan-type tagged dscp 34
lldp med network-policy 2 voice-signaling vlan 100 vlan-type tagged dscp 34
Finally,enablethenecessary802.1XandVOIPsettingsoneachinterface:
interface ethernet g1
dot1x port-control force-authorized
no dot1x guest-vlan enable
no dot1x mac-authentication
no dot1x radius-attributes vlan
no dot1x re-authentication
switchport mode trunk
switchport trunk native vlan 5
switchport trunk allowed vlan add 100
lldp med enable network-policy
lldp med network-policy add 1
lldp med network-policy add 2
Copyright2016Inverseinc.
Switchconfiguration
15
Chapter4
Amer
PacketFencesupportsAmerswitcheswithoutVoIPusingonetraptype:
linkUp/linkDown
Dontforgettoupdatethestartupconfig!
L2SwitchSS2R24i
Globalconfigsettings:
create snmp host 192.168.1.5 v2c public
create snmp user public ReadGroup
enable snmp traps
Oneachinterface:
config vlan default delete xx
config vlan mac-detection add untagged xx
wherexxstandsfortheinterfaceindex
Avaya
AvayaboughtNortelswirednetworksassets.SoAvayaswitchesare,ineffect,re-brandedNortels.
SeeNortelsectionofthisdocumentforconfigurationinstructions.
802.1XwithMACAuthenticationBypassandVoIP
Note
Theconfigurationbelowrequiresanntpserver.WeusethePacketFenceserverasthe
NTPserverbutanyotheronewilldo.IfyouwanttousethePacketFenceserverfor
NTP,makesureyouinstalltheappropriateserviceandopenport123in/usr/local/
pf/conf/iptables.conf
Globalconfigsettings:
Copyright2016Inverseinc.
Switchconfiguration
16
Chapter4
#Uplink configuration
vlan ports 24 tagging tagAll
vlan configcontrol autopvid
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost non-eap-phone-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost eap-packet-mode unicast
eapol multihost non-eap-reauthentication-enable
eapol multihost adac-non-eap-enable
no eapol multihost non-eap-pwd-fmt ip-addr
no eapol multihost non-eap-pwd-fmt port-number
eapol multihost voip-vlan 1 enable vid 100
adac
adac
adac
adac
voice-vlan 100
uplink-port 24
op-mode tagged-frames
enable
Copyright2016Inverseinc.
Switchconfiguration
17
Chapter4
Brocade
ICX6400Series
Thoseswitchesaresupportedusing802.1XfornetworkswithorwithoutVoIP.
Globalconfigsettings:
aaa authentication dot1x default radius
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 default
radius-server key useStrongerSecret
vlan 1 name DEFAULT-VLAN by port
!
vlan 100 by port
tagged ethe 1/1/xx ethe 1/1/yy
WherexxandyyrepresenttherangeofportswhereyouwantPacketFenceenforcement.
MAC-AuthenticationwithoutVoIP
EnableMAC-Authenticationglobally
mac-authentication enable
mac-authentication mac-vlan-dyn-activation
EnableMAC-AuthenticationoneachinterfaceyouwantPacketFenceactive
mac-authentication enable
mac-authentication enable-dynamic-vlan
Copyright2016Inverseinc.
Switchconfiguration
18
Chapter4
MAC-AuthenticationwithVoIP
Enablecdpglobally
cdp run
ApplythefollowingconfigurationoneachinterfaceyouwantPacketFenceactive
dual-mode
mac-authentication enable
mac-authentication enable-dynamic-vlan
voice-vlan 100
cdp enable
802.1X/MAC-Auth
Enable802.1Xglobally
dot1x-enable
re-authentication
enable ethe 1/1/xx
Wherexxistheswitchportnumber
ApplythefollowingconfigurationoneachinterfaceyouwantPacketFenceactive
dot1x port-control auto
dual-mode
mac-authentication enable
mac-authentication enable-dynamic-vlan
voice-vlan 100
Cisco
PacketFencesupportsCiscoswitcheswithVoIPusingthreedifferenttraptypes:
linkUp/linkDown
MACNotification
PortSecurity(withstaticMACs)
Youalsoneedtomakesurethatlldporcdpnotificationisconfiguredonallportsthatwillhandle
VoIP.
Onsomerecentmodels,wecanalsousemoresecureandrobustfeatureslike:
Copyright2016Inverseinc.
Switchconfiguration
19
Chapter4
MACAuthentication(CiscosMACAuthenticationBypassorMAB)
802.1X(Multi-HostorMulti-Domain)
Dependingoftheswitchmodel,werecommendtheuseofthemostsecureandreliablefeature
first.Inotherwords,youshouldconsiderthefollowingorder:
1. 802.1X/MAB
2. Port-Security
3. linkUp/linkDown
2900XL/3500XLSeries
SNMP|linkUP/linkDown
Globalconfigsettings:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
OneachinterfacewithoutVoIP:
switchport mode access
switchport access vlan 4
snmp trap mac-notification added
OneachinterfacewithVoIP:
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport mode trunk
switchport voice vlan 100
snmp trap mac-notification added
snmp trap mac-notification removed
2950
Thoseswitchesarenowsupportedusing802.1XfornetworkswithorwithoutVoIP.Youcanalsouse
port-securitywithstaticMACaddressbutwecannotsecureaMAConthedataVLANspecifically
soenableitifthereisnoVoIP,uselinkUp/linkDownandMACnotificationotherwise.Soonsetup
thatneedstohandleVoIPwiththisswitch,gowitha802.1Xconfiguration.
Copyright2016Inverseinc.
Switchconfiguration
20
Chapter4
802.1X
Warning
Makesurethatyouhavealocalaccount,becauseenabling802.1XorMABwillaskfor
ausernameandpasswordonthenextlogin.
Globalconfigsettings:
dot1x system-auth-control
AAAconfiguration:
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUSserverconfiguration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2
key useStrongerSecret
radius-server vsa send authentication
OneachinterfacewithoutVoIP:
switchport access vlan 4
switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
OneachinterfacewithVoIP:
switchport access vlan 4
switchport mode access
switchport voice vlan 100
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
Port-Security
Caution
Withport-security,ifnoMACisconnectedonportswhenactivatingport-security,we
needtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrap
Copyright2016Inverseinc.
Switchconfiguration
21
Chapter4
whenanewMACappearsonaport.Ontheotherhand,ifaMACisactuallyconnected
whenyouenableportsecurity,youmustsecurethisMACratherthanthebogusone.
OtherwisethisMACwillloseitsconnectivityinstantly.
GlobalconfigsettingswithoutVoIP:
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport
switchport
switchport
switchport
switchport
mode access
access vlan 4
port-security
port-security violation restrict
port-security mac-address 0200.0000.00xx
wherexxstandsfortheinterfaceifIndex.
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses
(0200.0000.00xx):
Fa0/1,,Fa0/481,,48
Gi0/1,Gi0/249,50
GlobalconfigsettingswithVoIP:
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 192.168.1.5 trap version 2c public snmp mac-notification
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
OneachinterfacewithVoIP:
switchport voice vlan 100
switchport access vlan 4
switchport mode access
snmp trap mac-notification added
snmp trap mac-notification removed
Copyright2016Inverseinc.
Switchconfiguration
22
Chapter4
3550(802.1XwithMAB)
Caution
TheCatalyst3550doesnotsupport802.1XwithMulti-Domain,itcanonlysupport
802.1XwithMABusingMulti-Host,MAB,andportsecurity.
Globalsettings:
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUSserverconfiguration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key
useStrongerSecret
radius-server vsa send authentication
CoAconfiguration:
aaa server radius dynamic-author
client 192.168.1.5 server-key useStrongerSecret
port 3799
EnableSNMPv1ontheswitch:
snmp-server community public RO
Oneachinterface:
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 2
dot1x timeout reauth-period 7200
dot1x timeout tx-period 3
dot1x reauthentication
Copyright2016Inverseinc.
Switchconfiguration
23
Chapter4
2960
Caution
For802.1XandMABconfigurations,refertothissectionbelow.
PortSecurityforIOSearlierthan12.2(46)SE
Globalconfigsettings:
snmp-server
snmp-server
snmp-server
snmp-server
snmp-server
community public RO
community private RW
enable traps port-security
enable traps port-security trap-rate 1
host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport
switchport
switchport
switchport
switchport
access vlan 4
port-security
port-security maximum 1 vlan access
port-security violation restrict
port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
OneachinterfacewithVoIP:
switchport
switchport
switchport
switchport
switchport
switchport
switchport
wherexxxxxstandsfortheinterfaceifIndex
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses
(0200.000x.xxxx):
Fa0/1Fa0/481000110048
Gi0/1Gi0/481010110148
Copyright2016Inverseinc.
Switchconfiguration
24
Chapter4
PortSecurityforIOS12.2(46)SEorgreater
Since version PacketFence 2.2.1, the way to handle VoIP when using port-security dramatically
changed.Ensurethatyoufollowtheinstructionsbelow.Tomakethestoryshort,insteadonrelying
onthedynamicMAClearningforVoIP,weuseastaticentryonthevoiceVLANsowecantrigger
anewsecurityviolation,andthenauthorizethephoneMACaddressonthenetwork.
Globalconfigsettings:
snmp-server
snmp-server
snmp-server
snmp-server
snmp-server
community public RO
community private RW
enable traps port-security
enable traps port-security trap-rate 1
host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport
switchport
switchport
switchport
switchport
access vlan 4
port-security
port-security maximum 1 vlan access
port-security violation restrict
port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
OneachinterfacewithVoIP:
switchport
switchport
switchport
switchport
switchport
switchport
switchport
switchport
switchport
wherexxxxxstandsfortheinterfaceifIndex
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses
(0200.000x.xxxx):
Fa0/1Fa0/481000110048
Gi0/1Gi0/481010110148
Copyright2016Inverseinc.
Switchconfiguration
25
Chapter4
2960,2970,3560,3750
Note
You shouldnt use any port-security features when doing 802.1X and/or Mac
Authentication.Thiscancauseunexpectedbehavior.
Warning
Makesurethatyouhavealocalaccount,becauseenabling802.1XorMABwillaskfor
ausernameandpasswordonthenextlogin.
Globalsettings:
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUSserverconfiguration:
radius server pfnac
address ipv4 192.168.1.5 auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port idle-time 3
key 0 useStrongerSecret
radius-server vsa send authentication
CoAconfiguration
aaa server radius dynamic-author
client 192.168.1.5 server-key useStrongerSecret
port 3799
ActivateSNMPv1ontheswitch:
snmp-server community public RO
802.1XwithMACAuthenticationbypass(MultiDomain)
Oneachinterface:
Copyright2016Inverseinc.
Switchconfiguration
26
Chapter4
802.1XwithMACAuthenticationbypass(MultiHost)
Oneachinterface:
switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
MACAuthenticationbypassonly
Oneachinterface:
switchport mode access
switchport voice vlan 100
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 5
dot1x reauthentication
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
mab
no snmp trap link-status
Copyright2016Inverseinc.
Switchconfiguration
27
Chapter4
802.1Xonvariousmodelsof2960
TheresalotofdifferentversionsoftheCatalyst2960serie.Someofthemmaynot
acceptthecommandstatedinthisguidefor802.1X.
WehavefoundacoupleofcommandsthatareworkinggreatorMAB:
Oneachinterface
switchport mode access
authentication order mab
authentication port-control auto
mab
dot1x pae authenticator
But,asitisdifficultforustomaintainthewholelistofcommandstoconfigureeachand
everydifferentmodelof2960withdifferentIOS,pleaserefertoCiscodocumentation
forveryspecificcases.
Port-Security
Globalconfigsettings
snmp-server
snmp-server
snmp-server
snmp-server
snmp-server
community public RO
community private RW
enable traps port-security
enable traps port-security trap-rate 1
host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
switchport
switchport
switchport
switchport
switchport
access vlan 4
port-security
port-security maximum 1 vlan access
port-security violation restrict
port-security mac-address 0200.000x.xxxx
wherexxxxxstandsfortheinterfaceifIndex
OneachinterfacewithVoIP:
switchport
switchport
switchport
switchport
switchport
switchport
switchport
wherexxxxxstandsfortheinterfaceifIndex
Copyright2016Inverseinc.
Switchconfiguration
28
Chapter4
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses
(0200.000x.xxxx):
Fa0/1Fa0/481000110048
Gi0/1Gi0/481010110148
Webauth
TheCatalyst2960supportswebauthenticationfromIOS12.2.55SE3.Thisprocedurehasbeen
testedonIOS15.0.2SE5.
Inthisexample,theACLthattriggerstheredirectiontotheportalforregistrationisregistration.
ConfiguretheglobalconfigurationoftheswitchusingthesectionMACAuthenticationbypassonly
ofthe2960inthisdocument.
Thenaddthisadditionnalconfigurationonthegloballevel
ip device tracking
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community private RW
Addtherequiredaccesslists
ip access-list extended registration
deny ip any host <your captive portal ip>
permit tcp any any eq www
permit tcp any any eq 443
Thenoneachcontrolledinterface
switchport access vlan <vlan>
switchport mode access
authentication priority mab
authentication port-control auto
authentication periodic
mab
spanning-tree portfast
PacketFenceswitchconfiguration
SelectthetypetoCiscoCatalyst2960
SettheRegistrationroletoregistration(Ifleftemptythenitwillusetherolename)
SetRolebyWebAuthURLforregistrationtohttp://<your_captive_portal_ip>/$session_id
Copyright2016Inverseinc.
Switchconfiguration
29
Chapter4
TheURLcancontaindynamicparameters,liketheMACaddress($mac),theswitchIP($switch_ip),
theusername($user_name).
ScreenshotsofthisconfigurationareavailableintheCiscoWLCsectionofthisguide.
DownloadableACLs
The Catalyst 2960 supports RADIUS pushed ACLs which means that you can define the ACLs
centrallyinPacketFencewithoutconfiguringtheminyourswitchesandtheirruleswillbeapplied
totheswitchduringtheauthentication.
TheseACLsaredefinedbyroleliketheVLANswhichmeansyoucandefinedifferentACLsforyour
registrationVLAN,productionVLAN,guestVLAN,etc.
Addthefollowingconfigurationsettingonthegloballevel
ip device tracking
ForIOS12.2,youneedtocreatethisaclandassignittotheswitchportinterface:
ip access-list extended Auth-Default-ACL
permit udp any range bootps 65347 any range bootpc 65348
permit udp any any range bootps 65347
permit udp any any eq domain
deny
ip any any
interface GigabitEthernetx/y/z
...
ip access-group Auth-Default-ACL in
...
Beforecontinuing,configureyourswitchtobeinMACauthenticationbypassor802.1X.
NowinthePacketFenceinterfacegointheswitchconfigurationandintheRolestab.
CheckRolebyaccesslistandyoushouldnowbeabletoconfiguretheaccesslistsasbelow.
ForexampleifyouwanttheusersthatareintheregistrationVLANtoonlyuseHTTP,HTTPS,DNS
andDHCPyoucanconfigurethisACLintheregistrationcategory.
Copyright2016Inverseinc.
Switchconfiguration
30
Chapter4
Nowifforexample,yournormalusersareplacedinthedefaultcategoryandyourguestsinthe
guestcategory.
Ifforexamplethedefaultcategoryusesthenetwork192.168.5.0/24andyourguestnetworkuses
thenetwork192.168.10.0/24.
Youcanpreventcommunicationsbetweenbothnetworksusingtheseaccesslists
Copyright2016Inverseinc.
Switchconfiguration
31
Chapter4
Youcouldalsoonlypreventyourguestusersfromusingshareddirectories
Copyright2016Inverseinc.
Switchconfiguration
32
Chapter4
OralsoyoucouldrestrictyouruserstouseonlyyourDNSserverwhere192.168.5.2isyourDNS
server
Copyright2016Inverseinc.
Switchconfiguration
33
Chapter4
WebauthandDownloadableACLs
ItspossibletomixwebauthenticationanddownloadableACLsstartingfromversion12.2ofthe
IOS,eachrolescanbeconfiguredtoforwardthedevicetothecaptiveportalforanhttporanhttps
andonlyallowspecifictrafficwiththeACL.Todothat,youneedtoconfigurePacketFencewith
RolebyWebAuthURLandwithRolebyaccesslist(Foreachroleyouneed).Ontheswitchyou
needtochangetheAuth-Default-ACLtoaddtheportalIPaddress:
ForIOS12.2:
ip access-list extended Auth-Default-ACL
permit udp any range bootps 65347 any range bootpc 65348
permit udp any any range bootps 65347
permit ip any host ip_of_the_captiv_portal
permit udp any any eq domain
deny
ip any any
AndassignthisACLontheswitchportyowanttodoACLperport.
Copyright2016Inverseinc.
Switchconfiguration
34
Chapter4
interface GigabitEthernetx/y/z
...
ip access-group Auth-Default-ACL in
...
ForIOS15.0:
Extended IP access list Auth-Default-ACL
10 permit udp any range bootps 65347 any range bootpc 65348
20 permit udp any any range bootps 65347
30 deny ip any any
conf t
ip access-list extend Auth-Default-ACL
21 permit ip any host ip_of_the_captiv_portal
ForIOS15.2:
Extended IP access list Auth-Default-ACL
10 permit udp any any eq domain
20 permit tcp any any eq domain
30 permit udp any eq bootps any
40 permit udp any any eq bootpc
50 permit udp any eq bootpc any
60 deny ip any any
conf t
ip access-list extend Auth-Default-ACL
51 permit ip any host ip_of_the_captiv_portal
Stacked29xx,Stacked35xx,Stacked3750,4500
Series,6500Series
The4500Seriesandallthestackedswitchesworkexactlythesamewayasiftheywerenotstacked
sotheconfigurationisthesame:theysupportport-securitywithstaticMACaddressandallowus
tosecureaMAConthedataVLANsoweenableitwhetherthereisVoIPornot.
WeneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhena
newMACappearsonaport.
Globalconfigsettings
snmp-server
snmp-server
snmp-server
snmp-server
snmp-server
community public RO
community private RW
enable traps port-security
enable traps port-security trap-rate 1
host 192.168.1.5 version 2c public port-security
OneachinterfacewithoutVoIP:
Copyright2016Inverseinc.
Switchconfiguration
35
Chapter4
switchport
switchport
switchport
switchport
switchport
access vlan 4
port-security
port-security maximum 1 vlan access
port-security violation restrict
port-security mac-address 0200.000x.xxxx
OneachinterfacewithVoIP:
switchport
switchport
switchport
switchport
switchport
switchport
switchport
wherexxxxxstandsfortheinterfaceifIndex
ifIndexmapping
Use the following templates for interface IfIndex in bogus MAC addresses
(0200.000x.xxxx):
Fa1/0/1Fa1/0/481000110048
Gi1/0/1Gi1/0/481010110148
Fa2/0/1Fa2/0/481050110548
Gi2/0/1Gi2/0/481060110648
Fa3/0/1Fa3/0/481100111048
Gi3/0/1Gi3/0/481110111148
Fa4/0/1Fa4/0/481150111548
Gi4/0/1Gi4/0/481160111648
IOSXESwitches
PacketFence supports the IOS XE switches in MAC Authentication Bypass, 802.1X and web
authentication.
MACAuthenticationBypass
Globalconfigsettings:
dot1x system-auth-control
Copyright2016Inverseinc.
Switchconfiguration
36
Chapter4
Oneachinterface:
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
AAAgroupsandconfiguration:
aaa new-model
aaa group server radius packetfence
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
RADIUSserverconfiguration:
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 timeout 2 key
useStrongerSecret
radius-server vsa send authentication
CoAconfiguration:
aaa server radius dynamic-author
client 192.168.1.5 server-key useStrongerSecret
port 3799
ActivateSNMPontheswitch:
snmp-server community public RO
802.1Xonly
FollowthesameconfigurationasforMACAuthenticationBypassbutchangetheauthentication
prioritylinewiththefollowing:
authentication priority dot1x
802.1XwithMACAuthenticationfallback
FollowthesameconfigurationasforMACAuthenticationBypassbutchangetheauthentication
prioritylinewiththefollowing:
Copyright2016Inverseinc.
Switchconfiguration
37
Chapter4
Webauth
WebauthrequiresatleastMACAuthenticationBypasstobeactivatedontheswitchportbutcan
alsoworkwith802.1X.Configureyourswitchportsasyouwouldusuallydo,thenaddthefollowing
accesslists.
ip access-list extended redirect
deny
ip any host 192.168.1.5
deny
udp any any eq domain
deny
tcp any any eq domain
deny
udp any any eq bootpc
deny
udp any any eq bootps
permit tcp any any eq www
permit tcp any any eq 443
ip access-list extended registered
permit ip any any
Globalconfigsettings:
ip device tracking
PacketFenceswitchconfiguration:
SelectthetypetoCiscoCatalyst2960
SettheRegistrationroletoregistration(Ifleftemptythenitwillusetherolename)
SetRolebyWebAuthURLforregistrationtohttp://<your_captive_portal_ip>/$session_id
TheURLcancontaindynamicparameters,liketheMACaddress($mac),theswitchIP($switch_ip),
theusername($user_name).
ScreenshotsofthisconfigurationareavailableintheCiscoWLCsectionofthisguide.
Note
AAAauthenticationisslowtocomeupafterareloadoftheIOSXEswitches.This
makestherecoveryfromarebootlongertocomplete.ThisisduetoabuginIOSXE.A
workaroundistoexecutethefollowingcommandno aaa accounting system default
start-stop group tacacs+.
IdentityNetworkingPolicy
Starting from version 15.2(1)E (IOS) and 3.4.0E (IOSXE) , Cisco introduced the Identity Based
NetworkingServices.Itmeansthatyoucancreateanauthenticationworkflowontheswitchand
createinterfacestemplates.
Toenableit:
Copyright2016Inverseinc.
Switchconfiguration
38
Chapter4
Copyright2016Inverseinc.
Switchconfiguration
39
Chapter4
ServiceTemplate:
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template CRITICAL_AUTH_VLAN
service-template CRITICAL-ACCESS
description *Fallback Policy on AAA Fail*
access-group ACL-CRITICAL-V4
!
Classmap:
class-map type control subscriber match-any IN_CRITICAL_AUTH
match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
match activated-service-template CRITICAL_AUTH_VLAN
match activated-service-template CRITICAL-ACCESS
!
class-map type control subscriber match-none NOT_IN_CRITICAL_AUTH
match activated-service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
match activated-service-template CRITICAL_AUTH_VLAN
match activated-service-template CRITICAL-ACCESS
!
class-map type control subscriber match-all AAA_SVR_DOWN_UNAUTHD_HOST
match result-type aaa-timeout
match authorization-status unauthorized
!
class-map type control subscriber match-all AAA_SVR_DOWN_AUTHD_HOST
match result-type aaa-timeout
match authorization-status authorized
!
class-map type control subscriber match-all DOT1X_NO_RESP
match method dot1x
match result-type method dot1x agent-not-found
!
class-map type control subscriber match-all MAB_FAILED
match method mab
match result-type method mab authoritative
!
class-map type control subscriber match-all DOT1X_FAILED
match method dot1x
match result-type method dot1x authoritative
Policymap:
On the 3 following configurations if the RADIUS server is down then we will apply
CRITICAL_AUTH_VLAN,DEFAULT_CRITICAL_VOICE_TEMPLATEandCRITICAL-ACCESSservice
template. If the RADIUS server goes up then it reinitializes the authentication if the port is in
IN_CRITICAL_VLAN.
for802.1XwithMACAuthenticationfallback:
Copyright2016Inverseinc.
Switchconfiguration
40
Chapter4
Copyright2016Inverseinc.
Switchconfiguration
41
Chapter4
Copyright2016Inverseinc.
Switchconfiguration
42
Chapter4
Copyright2016Inverseinc.
Switchconfiguration
43
Chapter4
template identity-template-mab
dot1x pae authenticator
spanning-tree portfast edge
switchport access vlan 1
switchport mode access
switchport voice vlan 100
mab
access-session host-mode multi-domain
access-session control-direction in
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X_MAB
InterfaceTemplate(MACAuthentication):
template identity-template-macauth
dot1x pae authenticator
spanning-tree portfast edge
switchport access vlan 1
switchport mode access
switchport voice vlan 100
mab
access-session host-mode single-host
access-session control-direction in
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber MACAUTH
InterfaceTemplate(802.1X):
template identity-template-dot1x
dot1x pae authenticator
spanning-tree portfast edge
switchport access vlan 1
switchport mode access
switchport voice vlan 100
mab
access-session host-mode single-host
access-session control-direction in
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber DOT1X
Oneachinterfacefor802.1XwithMACAuthentication:
Copyright2016Inverseinc.
Switchconfiguration
44
Chapter4
Vlan: 20
30 sec
State
Authc Success
Debugcommand:
InordertobeabletodebugtheIdentityNetworkingPolicyyoucanlaunchthefollowingcommand
intheswitchcli:
Copyright2016Inverseinc.
Switchconfiguration
45
Chapter4
term mon
debug pre all
RouterISR1800Series
PacketFencesupportsthe1800seriesRouterwithlinkUp/linkDowntraps.Itcannotdoanything
abouttherouterinterfaces(ie:fa0andfa1ona1811).VLANinterfacesifIndexshouldalsobe
markedasuplinksinthePacketFenceswitchconfigurationastheygeneratetrapsbutareofno
interesttoPacketFence(layer3).
Globalconfigsettings:
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.168.1.5 trap version 2c public
Oneachinterface:
switchport mode access
switchport access vlan 4
D-Link
PacketFencesupportsD-LinkswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
MACNotification
WerecommendtoenablelinkUp/linkDownandMACnotificationtogether.
Dontforgettoupdatethestartupconfig!
DES3526/3550
Globalconfigsettings
To be contributed...
Oneachinterface:
To be contributed...
DGS3100/3200
EnableMACnotification:
Copyright2016Inverseinc.
Switchconfiguration
46
Chapter4
enable mac_notification
config mac_notification interval 1 historysize 1
config mac_notification ports 1:1-1:24 enable
Enablelinkup/linkdownnotification:
enable snmp traps
enable snmp linkchange_traps
AddSNMPhost:
create snmp host 192.168.1.5 v2c
public
EnableMACbaseaccesscontrol:
enable mac_based_access_control
config mac_based_access_control
disable
config mac_based_access_control
config mac_based_access_control
config mac_based_access_control
config mac_based_access_control
config mac_based_access_control
config mac_based_access_control
Oneachinterface:
config
config
config
config
config
mac_based_access_control
mac_based_access_control
mac_based_access_control
mac_based_access_control
mac_based_access_control
ports
ports
ports
ports
ports
1:1
1:1
1:1
1:1
1:1
state enable
max_users 128
aging_time 1440
block_time 300
mode host_based
Dell
Force10
PacketFencesupportsthisswitchusingRADIUS,MAC-Authenticationand802.1Xx.
Globalconfigsettings
radius-server host 192.168.1.5 key s3cr3t auth-port 1812
MABinterfaceconfiguration:
Copyright2016Inverseinc.
Switchconfiguration
47
Chapter4
PowerConnect3424
PacketFencesupportsthisswitchusinglinkUp/linkDowntraps.
Globalconfigsettings
To be contributed...
Oneachinterface:
To be contributed...
EdgecorE
PacketFencesupportsEdge-corEswitcheswithoutVoIPusinglinkUp/linkDowntraps.
PacketFencealsosupportsMACauthenticationontheEdge-corE4510
3526XAand3528M
Globalconfigsettings
SNMP-server host 192.168.1.5 public version 2c udp-port 162
Copyright2016Inverseinc.
Switchconfiguration
48
Chapter4
4510
Basicconfiguration
network-access aging
snmp-server community private rw
snmp-server community public rw
Oneachcontrolledinterface
interface ethernet 1/8
switchport allowed vlan add <your list of allowed vlans> untagged
network-access max-mac-count 1
network-access mode mac-authentication
!
Enterasys
PacketFencesupportsEnterasysswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
MACLocking(PortSecuritywithstaticMACs)
WerecommendtoenableMAClockingonly.
Dontforgettoupdatethestartupconfig!
MatrixN3
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Also,bydefaultthisswitchdoesntdoanelectricallow-levellinkDownwhensettingtheportto
admindown.Soweneedtoactivateaglobaloptioncalledforcelinkdowntoenablethisbehaviour.
Withoutthisoption,clientsdontunderstandthattheylosttheirconnectionandtheyneverdoa
newDHCPonVLANchange.
Globalconfigsettings
Copyright2016Inverseinc.
Switchconfiguration
49
Chapter4
set
set
set
set
set
set
Oneachinterface:
set
set
set
set
set
wherexxstandsfortheinterfaceindex.
SecureStackC2
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Globalconfigsettings
set
set
set
set
set
Oneachinterface:
set
set
set
set
wherexxstandsfortheinterfaceindex
SecureStackC3
ThisswitchhastheparticularfeatureofallowingmorethanoneuntaggedegressVLANperport.
ThismeansthatyoumustaddalltheVLANcreatedforPacketFenceasuntaggedegressVLANon
therelevantinterfaces.ThisiswhythereisaVLANcommandoneachinterfacebelow.
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Globalconfigsettings
Copyright2016Inverseinc.
Switchconfiguration
50
Chapter4
set
set
set
set
set
Oneachinterface:
set
set
set
set
set
set
wherexxstandsfortheinterfaceindex
StandaloneD2
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenableMAClockingonly.
Caution
ThisswitchSwitchacceptsmultipleuntaggedVLANperportwhenconfiguredthrough
SNMP.ThisisproblematicbecauseonsomeoccasionstheuntaggedVLANportlist
canbecomeinconsistentwiththeswitchsrunningconfig.Tofixthat,clearalluntagged
VLANsofaporteveniftheCLIinterfacedoesntshowthem.Todoso,use:clear
vlan egress <vlans> <ports>
Globalconfigsettings
set
set
set
set
set
Oneachinterface:
set
set
set
set
set
wherexxstandsfortheinterfaceindex
Copyright2016Inverseinc.
Switchconfiguration
51
Chapter4
ExtremeNetworks
PacketFencesupportsExtremeNetworksswitchesusing:
linkUp/linkDown
MACAddressLockdown(PortSecurity)
Netlogin-MACAuthentication
Netlogin-802.1X
Dontforgettosavetheconfiguration!
AllExtremeXOSbasedswitches
InadditiontotheSNMPandVLANssettings,thisswitchneedstheWebServicestobeenabled
andanadministrativeusernameandpasswordprovidedinitsPacketFenceconfigurationforWeb
Services.
MACAddressLockdown(Port-Security)
linkUp/linkDown traps are enabled by default so we disable them and enable MAC Address
Lockdownonly.
GlobalconfigsettingswithoutVoiceoverIP(VoIP):
enable snmp access
configure snmp add trapreceiver
enable web http
configure vlan "Default" delete
configure vlan registration add
configure ports <portlist> vlan
disable snmp traps port-up-down
where<portlist>areportsyouwanttosecure.Itcanbeanindividualportoraport-rangewith
adash.
GlobalconfigsettingswithVoiceoverIP(VoIP):
enable snmp access
configure snmp add trapreceiver 192.168.1.5 community public
enable web http
configure vlan "Default" delete ports <portlist>
configure vlan registration add ports <portlist> untagged
configure vlan voice add ports <portlist> tagged
configure ports <portlist> vlan registration lock-learning
configure ports <portlist> vlan voice limit-learning 1
disable snmp traps port-up-down ports <portlist>
Copyright2016Inverseinc.
Switchconfiguration
52
Chapter4
where<portlist>areportsyouwanttosecure.Itcanbeanindividualportoraport-rangewith
adash.
MACAuthentication
AAAConfiguration
configure radius netlogin primary server 192.168.1.5 1812 client-ip 10.0.0.8 vr
VR-Default
configure radius netlogin primary shared-secret 12345
enable radius netlogin
Netlogin(MACAuthentication)
configure netlogin vlan temp
enable netlogin mac
configure netlogin add mac-list default
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 50
configure netlogin mac authentication database-order radius
enable netlogin ports 1-48 mac
configure netlogin ports 1-48 mode port-based-vlans
configure netlogin ports 1-48 no-restart
802.1X
AAAConfiguration
configure radius netlogin primary server 192.168.1.5 1812 client-ip 10.0.0.8 vr
VR-Default
configure radius netlogin primary shared-secret 12345
enable radius netlogin
Netlogin(802.1X)
configure netlogin vlan temp
enable netlogin dot1x
configure netlogin dynamic-vlan enable
configure netlogin dynamic-vlan uplink-ports 50
enable netlogin ports 1-48 dot1x
configure netlogin ports 1-48 mode port-based-vlans
configure netlogin ports 1-48 no-restart
Note
YoucanmixtheMACAuthenticationand802.1Xonthesameswitchport.Ifthedevice
fails802.1Xauthentication,itwillrollbacktotheMACAuthentication.
Copyright2016Inverseinc.
Switchconfiguration
53
Chapter4
Foundry
FastIron4802
PacketFencesupportthisswitchwithoptionalVoIPusingtwodifferenttraptypes:
linkUp/linkDown
PortSecurity(withstaticMACs)
WerecommendtoenablePortSecurityonly.
Dontforgettoupdatethestartupconfig!
Thoseswitchessupportport-securitywithstaticMACaddressandallowustosecureaMACon
thedataVLANsoweenableitwhetherthereisVoIPornot.
WeneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrapwhena
newMACappearsonaport.
Globalconfigsettings
snmp-server host 192.168.1.5 public
no snmp-server enable traps link-down
no snmp-server enable traps link-up
OneachinterfacewithoutVoIP:
int eth xx
port security
enable
maximum 1
secure 0200.0000.00xx 0
violation restrict
wherexxstandsfortheinterfaceifIndex.
WithVoIPalittlemoreworkneedstobeperformed.Insteadoftheno-VoIP,putinthefollowing
config:
Copyright2016Inverseinc.
Switchconfiguration
54
Chapter4
conf t
vlan <mac-detection-vlan>
untagged eth xx
vlan <voice-vlan>
tagged eth xx
int eth xx
dual-mode <mac-detection-vlan>
port security
maximum 2
secure 0200.00xx.xxxx <mac-detection-vlan>
secure 0200.01xx.xxxx <voice-vlan>
violation restrict
enable
wherexxxxxxstandsfortheinterfacenumber(filledwithzeros),<voice-vlan>withyourvoiceVLANnumberand<mac-detection-vlan>withyourmac-detectionVLANnumber.
Huawei
AC6605Controller
PacketFencesupportsthiscontrollerwiththefollowingtechnologies:
Wireless802.1X
WirelessMACAuthentication
Controlleurconfiguration
SetupNTPserver:
<AC>system-view
[AC] ntp-service unicast-server 208.69.56.110
Setuptheradiusserveur(@IPofPacketFence)authentication+accounting:
Note
InthisconfigurationIwillusetheipaddressoftheVIPofPacketFence:192.168.1.2;
RegistrationVLAN:145,IsolationVLAN:146
Copyright2016Inverseinc.
Switchconfiguration
55
Chapter4
<AC>system-view
[AC] radius-server template radius_packetfence
[AC-radius-radius_packetfence] radius-server authentication 192.168.1.2 1812
weight 80
[AC-radius-radius_packetfence] radius-server accounting 192.168.1.2 1813 weight
80
[AC-radius-radius_packetfence] radius-server shared-key cipher s3cr3t
[AC-radius-radius_packetfence] undo radius-server user-name domain-included
[AC-radius-radius_packetfence] quit
[AC] radius-server authorization 192.168.1.2 shared-key cipher s3cr3t servergroup radius_packetfence
[AC] aaa
[AC-aaa] authentication-scheme radius_packetfence
[AC-aaa-authen-radius_packetfence] authentication-mode radius
[AC-aaa-authen-radius_packetfence] quit
[AC-aaa] accounting-scheme radius_packetfence
[AC-aaa-accounting-radius_packetfence] accounting-mode radius
[AC-aaa-accounting-radius_packetfence] quit
[AC-aaa] domain your.domain.com
[AC-aaa-domain-your.domain.com]
[AC-aaa-domain-your.domain.com]
[AC-aaa-domain-your.domain.com]
[AC-aaa-domain-your.domain.com]
[AC-aaa] quit
authentication-scheme radius_packetfence
accounting-scheme radius_packetfence
radius-server radius_packetfence
quit
CreateanSecuredot1xSSID
Activatethedotxglobaly:
<AC>system-view
[AC] dot1x enable
Createyoursecuredot1xssid:
ConfigureWLAN-ESS0interfaces:
[AC] interface
[AC-Wlan-Ess0]
[AC-Wlan-Ess0]
[AC-Wlan-Ess0]
[AC-Wlan-Ess0]
[AC-Wlan-Ess0]
[AC-Wlan-Ess0]
[AC-Wlan-Ess0]
Wlan-Ess 0
port hybrid untagged vlan 145 to 146
dot1x enable
dot1x authentication-method eap
permit-domain name your.domain.com
force-domain name your.domain.com
default-domain your.domain.com
quit
ConfigureAPparameters:
ConfigureradiosforAPs:
Copyright2016Inverseinc.
Switchconfiguration
56
Chapter4
[AC] wlan
[AC-wlan-view] wmm-profile name huawei-ap
[AC-wlan-wmm-prof-huawei-ap] quit
[AC-wlan-view] radio-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] radio-type 80211gn
[AC-wlan-radio-prof-huawei-ap] wmm-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name huawei-ap
Warning: Modify the Radio type may cause some parameters of Radio resume defaul
t value, are you sure to continue?[Y/N]: y
[AC-wlan-radio-1/0] quit
Configure a security profile named huawei-ap. Set the security policy to WPA authentication,
authenticationmethodto802.1X+PEAP,andencryptionmodetoCCMP:
[AC-wlan-view] security-profile name huawei-ap-wpa2
[AC-wlan-sec-prof-huawei-ap-wpa2] security-policy wpa2
[AC-wlan-sec-prof-huawei-ap-wpa2] wpa-wpa2 authentication-method dot1x
encryption-method ccmp
[AC-wlan-sec-prof-huawei-ap-wpa2] quit
Configureatrafficprofile:
[AC-wlan-view] traffic-profile name huawei-ap
[AC-wlan-wmm-traffic-huawei-ap] quit
ConfigureservicesetsforAPs,andsetthedataforwardingmodetodirectforwarding:
Thedirectforwardingmodeisusedbydefault.
[AC-wlan-view] service-set name PacketFence-dot1x
[AC-wlan-service-set-PacketFence-dot1x] ssid PacketFence-Secure
[AC-wlan-service-set-PacketFence-dot1x] wlan-ess 0
[AC-wlan-service-set-PacketFence-dot1x] service-vlan 1
[AC-wlan-service-set-PacketFence-dot1x] security-profile name huawei-ap-wpa2
[AC-wlan-service-set-PacketFence-dot1x] traffic-profile name huawei-ap
[AC-wlan-service-set-PacketFence-dot1x] forward-mode tunnel
[AC-wlan-service-set-PacketFence-dot1x] quit
ConfigureVAPsanddeliverconfigurationstotheAPs:
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name PacketFence-dot1x
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1
CreateyourOpenssid
Activatethemac-authglobaly:
Copyright2016Inverseinc.
Switchconfiguration
57
Chapter4
<AC>system-view
[AC] mac-authen
[AC] mac-authen username macaddress format with-hyphen
[AC] mac-authen domain your.domain.com
CreateyourOpenssid:
ConfigureWLAN-ESS1interfaces:
[AC] interface
[AC-Wlan-Ess1]
[AC-Wlan-Ess1]
[AC-Wlan-Ess1]
[AC-Wlan-Ess1]
[AC-Wlan-Ess1]
[AC-Wlan-Ess1]
[AC-Wlan-Ess1]
Wlan-Ess 1
port hybrid untagged vlan 145 to 146
mac-authen
mac-authen username macaddress format without-hyphen
permit-domain name your.domain.com
force-domain name your.domain.com
default-domain your.domain.com
quit
ConfigureAPparameters:
Configureasecurityprofilenamedhuawei-ap-wep.SetthesecuritypolicytoWEPauthentication.
[AC]wlan
[AC-wlan-view] security-profile name huawei-ap-wep
[AC-wlan-sec-prof-huawei-ap-wep] security-policy wep
[AC-wlan-sec-prof-huawei-ap-wep] quit
ConfigureservicesetsforAPs,andsetthedataforwardingmodetodirectforwarding:
Thedirectforwardingmodeisusedbydefault.
[AC-wlan-view] service-set name PacketFence-WEP
[AC-wlan-service-set-PacketFence-WEP] ssid PacketFence-Open
[AC-wlan-service-set-PacketFence-WEP] wlan-ess 1
[AC-wlan-service-set-PacketFence-WEP] service-vlan 1
[AC-wlan-service-set-PacketFence-WEP] security-profile name huawei-ap-wep
[AC-wlan-service-set-PacketFence-WEP] traffic-profile name huawei-ap (already
created before)
[AC-wlan-service-set-PacketFence-WEP] forward-mode tunnel
[AC-wlan-service-set-PacketFence-WEP] quit
ConfigureVAPsanddeliverconfigurationstotheAPs:
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name PacketFence-WEP
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1
Copyright2016Inverseinc.
Switchconfiguration
58
Chapter4
H3C
S5120Switchseries
PacketFencesupportstheseswitcheswiththefollowingtechnologies:
802.1X(withorwithoutVoIP)
802.1XwithMACAuthenticationfallback(withorwithoutVoIP)
MACAuthentication(withorwithoutVoIP)
802.1X
RADIUSschemecreation:
radius scheme packetfence
primary authentication 192.168.1.5 1812 key useStrongerSecret
primary accounting 192.168.1.5 1813 key useStrongerSecret
user-name-format without-domain
ISP-Domaincreation:
domain packetfence
authentication default radius-scheme packetfence
authentication lan-access radius-scheme packetfence
authorization lan-access radius-scheme packetfence
SNMPsettings:
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c
Globalconfiguration:
port-security enable
dot1x authentication-method eap
Globalconfiguration(withVoIP):
Addthefollowingtothepreviousglobalconfiguration.
undo voice vlan security enable
lldp compliance cdp
Copyright2016Inverseinc.
Switchconfiguration
59
Chapter4
Interfacesconfiguration:
port link-type hybrid
port hybrid vlan 5 untagged
port hybrid pvid vlan 5
mac-vlan enable
stp edged-port enable
port-security max-mac-count 1
port-security port-mode userlogin-secure
port-security intrusion-mode blockmac
dot1x re-authenticate
dot1x max-user 1
dot1x guest-vlan 5
undo dot1x handshake
dot1x mandatory-domain packetfence
undo dot1x multicast-trigger
Interfacesconfiguration(withVoIP):
Addthefollowingtothepreviousinterfacesconfiguration.
port hybrid vlan 100 tagged
undo voice vlan mode auto
voice vlan 100 enable
lldp compliance admin-status cdp txrx
port-security max-mac-count 3
dot1x max-user 2
802.1XwithMACAuthenticationfallback
SinceusingMACAuthenticationasafallbackof802.1X,usetheprevious802.1Xconfiguration
andaddthefollowings.
ThisconfigurationisthesamewithorwithoutVoIP.
Globalconfiguration:
mac-authentication domain packetfence
Interfacesconfiguration:
mac-authentication guest-vlan 5
port-security port-mode userlogin-secure-or-mac
MACAuthentication
RADIUSschemecreation:
radius scheme packetfence
primary authentication 192.168.1.5 1812 key useStrongerSecret
primary accounting 192.168.1.5 1813 key useStrongerSecret
user-name-format without-domain
Copyright2016Inverseinc.
Switchconfiguration
60
Chapter4
ISP-Domaincreation:
domain packetfence
authentication default radius-scheme packetfence
authentication lan-access radius-scheme packetfence
authorization lan-access radius-scheme packetfence
SNMPsettings:
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c
Globalconfiguration:
port-security enable
mac-authentication domain packetfence
Globalconfiguration(withVoIP):
Addthefollowingtothepreviousglobalconfiguration.
undo voice vlan security enable
lldp compliance cdp
Interfacesconfiguration:
port link-type hybrid
port hybrid vlan 5 untagged
port hybrid pvid vlan 5
mac-vlan enable
stp edged-port enable
mac-authentication guest-vlan 5
port-security max-mac-count 1
port-security port-mode mac-authentication
port-security intrusion-mode blockmac
Interfacesconfiguration(withVoIP):
Addthefollowingtothepreviousinterfacesconfiguration.
port hybrid vlan 100 tagged
undo voice vlan mode auto
voice vlan 100 enable
lldp compliance admin-status cdp txrx
port-security max-mac-count 3
Copyright2016Inverseinc.
Switchconfiguration
61
Chapter4
HP
E4800GandE5500GSwitchseries
Thesearere-branded3Comswitches,seeunderthe3Comsectionfortheirdocumentation.
HPProCurve
PacketFencesupportsProCurveswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
PortSecurity(withstaticMACs)
WerecommendtoenablePortSecurityonly.
Dontforgettoupdatethestartupconfig!
Note
HP ProCurve only sends one security trap to PacketFence per security violation so
makesurePacketFencerunswhenyouconfigureport-security.Also,becauseofthe
above limitation, it is considered good practice to reset the intrusion flag as a first
troubleshootingstep.
If you want to learn more about intrusion flag and port-security, please refer to the ProCurve
documentation.
Caution
IfyouconfigureaswitchthatisalreadyinproductionbecarefulthatenablingportsecuritycausesactiveMACaddressestobeautomaticallyaddedtotheintrusionlist
withoutasecuritytrapsenttoPacketFence.ThisisundesiredbecausePacketFence
willnotbenotifiedthatitneedstoconfiguretheport.Asawork-around,unplugclients
beforeactivatingport-securityorremovetheintrusionflagafteryouenabledportsecuritywith:port-security <port> clear-intrusion-flag.
2500Series
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenablePortSecurityonly.
On2500s,weneedtosecurebogusMACaddressesonportsinorderfortheswitchtosenda
trapwhenanewMACappearsonaport.
Copyright2016Inverseinc.
Switchconfiguration
62
Chapter4
Globalconfigsettings:
snmp-server community "public" Unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26
Oneachinterface:
port-security xx learn-mode static action send-alarm mac-address 0200000000xx
wherexxstandsfortheinterfaceindex
2600Seriesand3400clSeries
Port-Security
linkUp/linkDowntrapsareenabledbydefaultsowedisablethemandenablePortSecurityonly.
On2600s,wedontneedtosecurebogusMACaddressesonportsinorderfortheswitchtosend
atrapwhenanewMACappearsonaport.
Globalconfigsettings
snmp-server community public manager unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26
Oneachinterface:
port-security xx learn-mode configured action send-alarm
wherexxstandsfortheinterfaceindex
MACAuthentication(Firmware>11.72)
InordertoenableRADIUSmacauthenticationontheports,youfirstneedtojointheportstoeither
theregistrationorthemacdetectionvlan(asasecuritymeasure).
Next,definetheRADIUSserverhost:
radius-server host 192.168.1.5 key use_stong_secret
SinceHPnowsupportsserver-group,letscreateagroupfortheMACauthentication.Anotherone
canbeusedformanagementaccess:
aaa server-group radius "packetfence" host 192.168.1.5
aaa server-group radius "management" host 10.0.0.15
ConfiguretheAAAauthenticationforMACauthenticationtousetheproperserver-group:
aaa authentication mac-based chap-radius server-group "packetfence"
Copyright2016Inverseinc.
Switchconfiguration
63
Chapter4
Finally,enableMACauthenticationonallnecessaryports:
aaa port-access mac-based 1-24
Dontforgettopermitaddressmovesandthereauthperiod.xrepresentstheportindex:
aaa port-access mac-based x addr-moves
aaa port-access mac-based x reauth-period 14400
(ThankstoJean-FrancoisLaporteforthiscontribution)
2610
802.1X
DefinetheRADIUSserverhost:
radius-server host 192.168.1.5 key "useStrongerSecret"
radius-server host 192.168.1.5 acct-port 1813 key "useStrongerSecret"
DefinetheSNMPconfiguration:
snmp-server host 192.168.1.5 community "public" informs trap-level not-info
no snmp-server enable traps link-change C1
Configuretheserver-group:
aaa server-group radius "packetfence" host 192.168.1.5
Configureauthentication:
aaa authentication port-access eap-radius server-group "packetfence"
aaa authentication mac-based chap-radius server-group "packetfence"
Configuretheport-security:
port-security C1 learn-mode port-access action send-alarm
Configurationoftheport:
aaa
aaa
aaa
aaa
aaa
aaa
aaa
port-access
port-access
port-access
port-access
port-access
port-access
port-access
authenticator C1
authenticator C1 client-limit 1
authenticator active
mac-based C1
mac-based C1 addr-moves
mac-based C1 reauth-period 14400
C1 controlled-direction in
(ThankstoDenisBonnenfantforthiscontribution)
Copyright2016Inverseinc.
Switchconfiguration
64
Chapter4
4100,5300,5400Series
Port-Security
linkUp/linkDowntrapsareenabledbydefaultandwehavenotfoundawayyettodisablethemso
donotforgettodeclarethetrunkportsasuplinksintheswitchconfigfile.
On4100s,weneedtosecurebogusMACaddressesonportsinorderfortheswitchtosendatrap
whenanewMACappearsonaport.Theportsareindexeddifferentlyon4100s:itsbasedonthe
numberofmodulesyouhaveinyour4100,eachmoduleisindexedwithaletter.
Globalconfigsettings
snmp-server community "public" Unrestricted
snmp-server host 192.168.1.5 "public" Not-INFO
no snmp-server enable traps link-change 1-26
Youshouldconfigureinterfaceslikethis:
port-security
...
port-security
port-security
...
port-security
port-security
...
MACAuthentication(withVoIP)
InordertohaveMACAuthenticationworkingwithVoIP,youneedtoensurethattheVoiceVLAN
istaggedonalltheportfirst.Youalsoneedtoactivatelldpnotificationonallportsthatwillhandle
VoIP.Finally,makesuretochangethevalueofthe$VOICEVLANAMEvariableintheProcurve
5400modulessourcecode.
RADIUSconfigurationradius-serverhost192.168.1.5keystrongKey
MACAuthentication
aaa
aaa
aaa
aaa
aaa
aaa
aaa
port-access
port-access
port-access
port-access
port-access
port-access
port-access
mac-based C5-C7
mac-based C5 addr-limit
mac-based C6 addr-limit
mac-based C7 addr-limit
C5 controlled-direction
C6 controlled-direction
C7 controlled-direction
2
2
2
in
in
in
802.1X(withVoIP)
SameasMACAuthentication,youneedtoensurethattheVoiceVLANistaggedonalltheport
firstifusing802.1X.YoualsoneedtoactivatelldpnotificationonallportsthatwillhandleVoIP.
Copyright2016Inverseinc.
Switchconfiguration
65
Chapter4
Finally,makesuretochangethevalueofthe$VOICEVLANAMEvariableintheProcurve5400
modulessourcecode.
RADIUSconfiguration
radius-server host 192.168.1.5 key strongKey
802.1X
aaa
aaa
aaa
aaa
aaa
Huawei
PacketFencesupportstheS5710switchfromHuawei.
Copyright2016Inverseinc.
Switchconfiguration
66
Chapter4
Basicconfiguration
l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 groupmac 0100-0000-0002
domain pf
dot1x enable
dot1x dhcp-trigger
radius-server template packetfence
radius-server shared-key cipher <yourSecret>
radius-server authentication 192.168.1.5 1812
radius-server accounting 192.168.1.5 1813
radius-server retransmit 2
radius-server authorization 192.168.1.5 shared-key cipher <yourSecret>
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme abc
accounting-mode radius
domain pf
authentication-scheme abc
accounting-scheme abc
radius-server packetfence
snmp-agent
snmp-agent local-engineid 800007DB0304F9389D2360
snmp-agent community write cipher <privateKey>
snmp-agent sys-info version v2c v3
MACauthentication
interface GigabitEthernet0/0/8
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
dot1x max-user 1
dot1x reauthenticate
dot1x authentication-method eap
802.1X
interface GigabitEthernet0/0/8
dot1x mac-bypass
dot1x max-user 1
dot1x reauthenticate
dot1x authentication-method eap
Copyright2016Inverseinc.
Switchconfiguration
67
Chapter4
IBM
RackSwitchG8052
PacketFencesupportsonly802.1Xauthentication.Ithasbeentestedonversion7.9.11.0.
RADIUSconfiguration
RS G8052(config)# radius-server primary-host 192.168.1.5
RS G8052(config)# radius-server enable
RS G8052(config)# radius-server primary-host 192.168.1.5 key useStrongerSecret
802.1X(dot1x)configuration
RS G8052(config)# dot1x enable
SNMPconfiguration
RS G8052(config)# snmp-server read-community packetfence
RS G8052(config)# snmp-server write-community packetfence
Portconfiguration
RS
RS
RS
RS
RS
RS
RS
RS
RS
PacketFenceconfiguration
In order to configure the IBM RackSwitch G8052 switch module, go in the PacketFence
administrationinterfaceunderConfigurationSwitchesAddswitch
Definition:
Copyright2016Inverseinc.
Switchconfiguration
68
Chapter4
IP: This will be the IP of the IBM StackSwitch G8052 switch on the management
network
Description: IBM StackSwitch G8052
Type: IBM RackSwitch G8052
Mode: Production
Deauthentication: SNMP
Dynamic Uplinks: Checked
Roles:
Role by VLAN ID: checked
registration VLAN: 2
isolation VLAN: 3
default: 10
Radius:
Secret Passphrase: useStrongerSecret
Snmp:
SNMP Version: 2c
SNMP Read Community: packetfence
SNMP Write Community: packetfence
ClickSavetoaddtheswitch
Intel
Express460andExpress530
PacketFencesupporttheseswitcheswithoutVoIPusingonetraptype:
linkUp/linkDown
Exactcommand-lineconfigurationtobecontributed
Juniper
PacketFencesupportsJuniperswitchesinMACAuthentication(JunipersMACRADIUS)modeand
802.1X.PacketFencesupportsVoIPontheEX2200(JUNOS12.6)andEX4200(JUNOS13.2)
Copyright2016Inverseinc.
Switchconfiguration
69
Chapter4
70
Chapter4
Changetheinterface-rangestatementtoreflecttheportsyouwanttosecurewithPacketFence.
VoIPconfiguration
# load replace terminal
[Type ^D at a new line to end input]
protocols{
lldp {
advertisement-interval 5;
transmit-delay 1;
ptopo-configuration-trap-interval 1;
lldp-configuration-notification-interval 1;
interface all;
}
lldp-med {
interface all;
}
}
ethernet-switching-options {
secure-access-port {
interface access-ports {
mac-limit 2 action drop;
}
}
voip {
interface access-ports {
vlan voice;
forwarding-class voice;
}
}
}
}
vlans {
voice {
vlan-id 3;
}
}
Ctrl-D
# commit comment "packetfenced VoIP"
Copyright2016Inverseinc.
Switchconfiguration
71
Chapter4
802.1Xconfiguration
protocols {
dot1x {
authenticator {
authentication-profile-name packetfence;
interface {
access-ports {
supplicant multiple;
mac-radius;
}
}
}
}
}
Ctrl-D
# commit comment "packetfenced dot1x"
ConfigurationforMACauthenticationfloatingdevices
TosupportfloatingdevicesonaJuniperswitchyouneedtoconfiguretheflap-on-disconnectoption
oneachinterfaceindividuallyandremoveitfromtheaccess-portsgroup.
Copyright2016Inverseinc.
Switchconfiguration
72
Chapter4
LG-Ericsson
PacketFencesupportsiPECSseriesswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
PortSecurity(withstaticMACs)
Onsomerecentmodels,wecanalsousemoresecureandrobustfeatures,like:
MACAuthentication
802.1X
Copyright2016Inverseinc.
Switchconfiguration
73
Chapter4
ES-4500GSeries
LinkUp/LinkDown
Firmware1.2.3.2isrequiredforlinkUp/linkDown
Priortoconfig,makesuretocreateallnecessariesVLANsandconfigtheappropriateuplinkport.
Globalconfigsettings
snmp-server
snmp-server
!
snmp-server
snmp-server
snmp-server
community public ro
community private rw
enable traps authentication
host 192.168.1.5 public version 2c udp-port 162
notify-filter traphost.192.168.1.5.public remote 192.168.1.5
FirmwareiskindabuggysoyoullneedtoenablelinkUp/linkDownusingtheWebInterfaceunder
AdministrationSNMP.
SomereportsshowsthattheswitchdoesntalwayssendlinkDowntraps.
Oneachinterface(exceptuplink)
switchport
switchport
switchport
switchport
Port-Security
Firmware1.2.3.2isrequiredforport-security.
Priortoconfig,makesuretocreateallnecessariesVLANsandconfigtheappropriateuplinkport.
Globalconfigsettings
snmp-server
snmp-server
!
snmp-server
snmp-server
snmp-server
community public ro
community private rw
enable traps authentication
host 192.168.1.5 public version 2c udp-port 162
notify-filter traphost.192.168.1.5.public remote 192.168.1.5
Oneachinterface(exceptuplink)
Copyright2016Inverseinc.
Switchconfiguration
74
Chapter4
Linksys
PacketFencesupportsLinksysswitcheswithoutVoIPusingonetraptype:
linkUp/linkDown
Dontforgettoupdatethestartupconfig!
SRW224G4
Globalconfigsettings
no snmp-server trap authentication
snmp-server community CS_2000_le rw view Default
snmp-server community CS_2000_ls ro view Default
snmp-server host 192.168.1.5 public 2
Oneachinterface
switchport access vlan 4
Netgear
The"web-managedsmartswitch" modelsGS108Tv2/GS110/GS110TParesupportedwithLink
up/downtrapsonly.
Higher-end"fullymanaged"switchesincludingFSM726v1aresupportedinPortSecuritymode.
Copyright2016Inverseinc.
Switchconfiguration
75
Chapter4
FSM726/FSM726Sversion1
PacketFencesupportsFSM726/FSM726Sversion1switcheswithoutVoIPinPortSecuritymode
(withstaticMACs)calledTrustedMACtableonNetgearshardware.
UsingtheHTTPGUI,followthestepsbelowtoconfiguresuchfeature.Ofcourse,youmustcreate
allyourVLANsontheswitchaswell.
SNMPSettings
In Advanced SNMP Community Table, create a read-write community string and a trap
communitystring.Youcanusethesamecommunityforallthe3functions(Get,Set,Trap).
Next,underAdvancedSNMPHostTable,enabletheHostAuthorizationfeatureandaddthe
PacketFenceserverintotheallowedhostlist.
Finally,underAdvancedSNMPTrapSetting,enabletheauthenticationtrap.
TrustedMACSecurity
UnderAdvancedAdvancedSecurityTrustedMACAddress,createafakeMACaddressper
port(ie.02:00:00:00:00:xxwherexxistheportnumber).Thiswillhavetheeffectofsendinga
securitytraptoPacketFencewhenanewdeviceplugsontheport.
Dontforgettosavetheconfiguration!
GS108Tv2/GS110T/GS110TP
PacketFencesupportscertainlower-endNetgearswitchesinLinkUp/LinkDowntraps.These"webmanaged" switches have no command-line interface and only a subset of the port security and
802.1XfunctionnalityneededtointeroperatewithPacketFenceinthesemoreadvancedmodes.
Thereisnowaytosendatrapuponportsecurityviolation,andthereisonlypure802.1X,noMAC
AddressBypass.
SwitchConfiguration
ItcanbedifficulttofindtheadvancedfeaturesinthewebGUI.WerecommendusingtheGUI
"Maintenance"tabtoUploadtheconfigurationtoafile,andthenedititthere.
Hintsonfileupload/download:
FromtheFileTypemenu,chooseTextConfiguration.
IfyoureuploadingtotheTFTProotdirectory,leavePathblank.
Atthetopoftheconfigfile,youneed:
Copyright2016Inverseinc.
Switchconfiguration
76
Chapter4
vlan
vlan
vlan
vlan
vlan
vlan
vlan
exit
database
1,2,3,4,5
name 1 "Normal"
name 2 "Registration"
name 3 "Isolation"
name 4 "MAC Detection"
name 5 "Guest"
Inthesamesectionas"userspasswd",youneedtospecifyyourPacketFenceserversmanagement
address:
snmptrap useStrongerSecret ipaddr 192.168.1.5
Inthesamesectionasthe"voipoui"lines,youneedtoallowyourSNMPserver:
snmp-server community
snmp-server community
snmp-server community
snmp-server community
snmp-server community
snmp-server community
no voip vlan
"public"
rw useStrongerSecret
ipaddr 192.168.1.5 public
ipmask 255.255.255.0 public
ipaddr 192.168.1.5 useStrongerSecret
ipmask 255.255.255.0 useStrongerSecret
Youshoulduseport1astheuplink.Ifyouconnectport1ofaGS108Tv2switchintoaPowerover
Ethernetswitch,thentheGS108Tv2doesnotneedACpower.IfyouboughtGS110T(P)switches,
presumablyitsfortheSFPuplinkoption.Youllwanttoconfigurebothport1andtheSFPports
9-10astrunks:
interface 0/1
no snmp trap link-status
ip dhcp filtering trust
vlan pvid 1
vlan ingressfilter
vlan participation include 1,2,3,4,5
vlan tagging 2,3,4,5
no auto-voip
exit
Eachuser-facing,PacketFence-managedportshouldbeconfiguredlike:
interface 0/2
vlan pvid 4
vlan ingressfilter
vlan participation include 4
no auto-voip
exit
MSeries
PacketFencesupportstheNetgearMseriesinwiredMACauthenticationwithoutVoIP.
Copyright2016Inverseinc.
Switchconfiguration
77
Chapter4
Switchconfiguration
--radiusserverhostauth192.168.1.5radiusserverkeyauth192.168.1.5(thenpressenterandinput
yoursecret)radiusserverprimary192.168.1.5radiusserverhostacct192.168.1.5radiusserver
keyacct192.168.1.5(thenpressenterandinputyoursecret)
aaa session-id unique dot1x system-auth-control aaa authentication dot1x default radius
authorizationnetworkradiusradiusaccountingmode
---
Onyouruplinks
--dot1xport-controlforce-authorized
---
Onyourinterfaces
--interface0/xdot1xport-controlmac-baseddot1xtimeoutguest-vlan-period1dot1xmac-authbypassexit
---
Nortel
PacketFencesupportsNortelswitcheswithVoIPusingonetraptype:
MacSecurity
Dontforgettoupdatethestartupconfig!
Note
if you are using a 5500 series with a firmware version of 6 or above, you must
useadifferentmodulecalledNortel::BayStack5500_6xinyour/usr/local/pf/conf/
switches.conf.Indeed,Nortelintroducedanincompatiblechangeofbehaviorinthis
firmware.
Copyright2016Inverseinc.
Switchconfiguration
78
Chapter4
BayStack470,ERS2500Series,ERS4500Series,4550,
5500SeriesandES325
Globalconfigsettings
snmp-server authentication-trap disable
snmp-server host 192.168.1.5 "public"
snmp trap link-status port 1-24 disable
no mac-security mac-address-table
interface FastEthernet ALL
mac-security port ALL disable
mac-security port 1-24 enable
default mac-security auto-learning port ALL max-addrs
exit
mac-security enable
mac-security snmp-lock disable
mac-security intrusion-detect disable
mac-security filtering enable
mac-security snmp-trap enable
mac-security auto-learning aging-time 60
mac-security learning-ports NONE
mac-security learning disable
VoIPsupport
YouneedtoensurethatallyourportsaretaggedwiththevoiceVLAN.Theswitchshoulddothe
restforyou.
vlan create 6 name "Telephone" type port learning ivl
vlan members 6 1-20,23-24
BPS2000
Youcanonlyconfigurethisswitchthroughmenus.
EnableMACAddressSecurity:
Copyright2016Inverseinc.
Switchconfiguration
79
Chapter4
Trunk
-----
Security
-------Enabled
Enabled
SMC
TigerStack6128L2,8824Mand8848M
PacketFencesupportstheseswitcheswithoutVoIPusingtwodifferenttraptypes:
linkUp/linkDown
PortSecurity(withstaticMACs)
WerecommendtoenablePortSecurityonly.
Globalconfigsettings
SNMP-server host 192.168.1.5 public version 2c udp-port 162
no snmp-server enable traps link-up-down
Oneachinterface:
port security max-mac-count 1
port security
port security action trap
TigerStack6224M
SupportslinkUp/linkDownmode
Globalconfigsettings
SNMP-server host 192.168.1.5 public version 1
Copyright2016Inverseinc.
Switchconfiguration
80
Chapter5
WirelessControllersandAccessPoint
Configuration
Assumptions
Throughout this configuration example we use the following assumptions for our network
infrastructure:
PacketFenceisfullyconfiguredwithFreeRADIUSrunning
PacketFenceIPaddress:192.168.1.5
NormalVLAN:1
RegistrationVLAN:2
IsolationVLAN:3
MACDetectionVLAN:4
GuestVLAN:5
VoIP,VoiceVLAN:100
useSNMPv2c
SNMPcommunityname:public
RADIUSSecret:useStrongerSecret1
OpenSSID:PacketFence-Public
WPA-EnterpriseSSID:PacketFence-Secure
UnsupportedEquipment
Wirelessnetworkaccessconfigurationisalotmoreconsistentbetweenvendors.Thisisduetothe
factthatthesituationisalotmorestandardizedthanthewiredside:VLANassignmentisdone
centrallywithRADIUSandthattheclientprotocolisconsistent(MAC-Authenticationor802.1X).
Thisconsistencyhasthebenefitthatalotofthewirelessnetworkdevicestendtoworkout-of-theboxwithPacketFence.Theonlymissingpiecebeing,inmostcases,remotedeauthenticationofthe
clientwhichisusedforVLANassignment(deauthusersoitllreconnectandgetnewVLAN).
So,evenifyourwirelessequipmentisnotexplicitlysupportedbyPacketFence,itsrecommended
thatyougiveitatry.Thenextsectioncoverstheobjectivesthatyouwanttoaccomplishfortrying
outyourequipmentevenifwedonthaveconfigurationforit.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
81
Chapter5
Herearethehigh-levelrequirementsforproperwirelessintegrationwithPacketFence
TheappropriateVLANsmustexist
AllowcontrollertohonorVLANassignmentsfromAAA(sometimescalledAAAoverride)
Put your open SSID (if any) in MAC-Authentication mode and authenticate against the
FreeRADIUShostedonPacketFence
PutyoursecureSSID(ifany)in802.1XmodeandauthenticateagainstFreeRADIUShostedon
PacketFence.
Onregistration/isolationVLANstheDHCPtrafficmustreachthePacketFenceserver
On your production VLANs a copy of the DHCP traffic must reach PacketFence where a
pfdhcplistenerlistens(configurableinpf.confunderinterfaces)
At this point, user registration with the captive-portal is possible and registered users should
have access to the appropriate VLANs. However, VLAN changes (like after a registration) wont
automatically happen, you will need to disconnect / reconnect. An explanation is provided in
introductionsectionaboveaboutthisbehavior.
Youcantrymodulessimilartoyourequipmentifany(readappropriateinstructions)oryoucantry
toseeifRFC3576issupported.RFC3576coversRADIUSPacketofDisconnect(PoD)alsoknown
asDisconnectMessages(DM)orChangeofAuthorization(CoA).YoucantrytheArubamoduleif
youwanttoverifyifRFC3576issupportedbyyourhardware.
If none of the above worked then you can fallback to inline enforcement or let us know what
equipmentyouareusingonthepacketfence-develmailinglist.
AeroHIVE
AeroHIVEproductsareabitdifferentcomparedtotheothervendors.Theysupporteitheralocal
HiveManager(kindofwirelesscontroller)oracloud-basedHVM.However,theconfigurationisthe
sameforthelocalandthecloud-basedcontroller.NotethatalltheconfigaremadeontheHVM
andthenpushedtotheAPs.
AAAClientSettings
IntheHVM,gotoConfigurationAAAAuthenticationAAAClientSettings,andinsertthe
properproperties:
GiveaRADIUSName
AddaRADIUSserverwithAuthenticationastheservertypeandprimaryastherole
MakesurePermitDynamicChangeofAuthorizationisticked(RFC3576)
PublicSSID
AgainintheHVM,gotoConfigurationSSIDs,andcreateanewSSIDwiththefollowing:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
82
Chapter5
GiveaProfileNameandanSSIDName
ChooseOpenastheAccessSecurity
SelectEnableMACAuthentication
SelectyourRADIUSserverfromtheRADIUSServerdropdownlist
SecureSSID
IntheHVM,gotoConfigurationSSIDs,andcreateanewSSIDwiththefollowing:
GiveaProfileNameandanSSIDName
ChooseWPA2EnterpriseastheAccessSecurity
SelectWPA2-802.1Xasthekeymanagement
SelectCCMPastheencryptionmethod
SelectyourRADIUSserverfromtheRADIUSServerdropdownlist
Roles(UserProfiles)
SincePacketFence3.3.0,wenowsupportuserprofilesontheAeroHIVEhardware.TobuildaUser
Profile,gotoConfigurationUserProfiles,andcreatewhatyouneed.Whenyoudefinetheswitch
definitioninPacketFence,therolewillmatchtheUserProfileattributenumber.Example
roles=CategoryStudent=1;CategoryStaff=2
AndintheAeroHIVEconfiguration,youhave:
StudentProfile attribute number 1
StaffProfile attribute number 2
LaststepistoallowtheUserProfiletobereturnedforaparticularSSID.GotoConfiguration
SSIDsYour_SSIDUserProfilesforTrafficManagement,andselecttheUserProfilesyouwill
returnforthedevices.
Note
TheVLANIDisNOTreturnedbyPacketFenceifaroleisavailableforagivencategory.
TheVLANIDneedstobeconfiguredintheUserProfiledefinitionontheAeroHIVE
side.
CachingandRoaming
AeroHIVEhaveasessionreplicationfeaturetoeasetheEAPsessionroamingbetweentwoaccess
points.However,thismaycauseproblemswhenyoubouncethewirelesscardofaclient,itwill
notdoanewRADIUSrequest.Twosettingscanbetweakedtoreducethecachingimpact,itis
theroamingcacheupdateintervalandroamingcacheageout.TheyarelocatedinConfiguration
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
83
Chapter5
SSIDs[SSIDName]OptionalSettingsAdvanced.TheotherwaytosupportRoamingisto
enablesnmptrapintheAeroHIVEconfigurationtoPacketFenceserver.PacketFencewillrecognise
theahConnectionChangeEventandwillchangethelocationofthenodeinhisbase.
Externalcaptiveportal
FirstconfiguretheAAAserverasdescribedinthesectionaboveintheHiveManager.
Portalconfiguration
GoinConfigurationAuthenticationCaptiveWebPortalsandcreateanewportal
SelectSelectRegistrationType=ExternalAuthentication
GointhesectionCaptiveWebPortalLoginPageSettingssettheLoginURLtohttp://pf_ip/and
PasswordEncryptiontoNoEncryption
ExternalportalSSID
AgainintheHiveManager,gotoConfigurationSSIDs,andcreateanewSSIDwiththefollowing:
GiveaProfileNameandanSSIDName
ChooseOpenastheAccessSecurity
SelectEnableCaptiveWebPortal
SelectyourRADIUSserverfromtheRADIUSServerdropdownlist
IntheguidedconfigurationyounowbeabletoselectyournewSSID,thePortalyouwanttouse
andtheAAAserver.
Anyfi
Inthissection,wecoverthebasicconfigurationoftheAnyfiGatewaytocreateahotspotSSID
availableonallaccesspoints.
This does not cover the configuration of other Anyfi network elements such as the Controller.
PleaserefertoAnyfiNetworks'websiteforrelevantdocumentation.
Inthisconfigurationeth0willbethemanagementinterfaceoftheAnyfiGatewayandeth1willbe
theinterfacethatwillbridgethetaggedpacketstoyournetwork.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
84
Chapter5
Interfacesconfiguration
interfaces {
bridge br0 {
...
}
ethernet eth0 {
description "Management network"
address 192.168.0.20/24
}
ethernet eth1 {
description "Wi-Fi client traffic"
bridge-group {
bridge br0
}
}
}
MACauthentication
ThissectionwillallowyoutoconfiguretheAnyfi-HotspotSSIDthatwilluseMACauthentication.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
85
Chapter5
SSIDconfiguration
service {
anyfi {
gateway anyfi-hotspot {
accounting {
radius-server 192.168.0.5 {
port 1813
secret useStrongerSecret
}
}
authorization {
radius-server 192.168.0.5 {
port 1812
secret useStrongerSecret
}
}
bridge br0
controller <Anyfi Controller's IP or FQDN>
isolation
nas {
identifier anyfi
port 3799
}
ssid Anyfi-Hotspot
}
}
}
802.1X
This section will allow you to configure the Anyfi-Secure SSID that will authenticate users using
802.1X.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
86
Chapter5
SSIDconfiguration
service {
anyfi {
gateway secure-gw {
accounting {
radius-server 192.168.0.5 {
port 1813
secret useStrongerSecret
}
}
authentication {
eap {
radius-server 192.168.0.5 {
port 1812
secret useStrongerSecret
}
}
}
bridge br0
controller <Anyfi Controller's IP or FQDN>
isolation
nas {
identifier anyfi
port 3799
}
ssid Anyfi-Secure
wpa2 {
}
}
}
}
Avaya
WirelessController(WC)
To be contributed....
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
87
Chapter5
Aruba
AllArubaOS
Inthissection,wecoverthebasicconfigurationoftheArubawirelesscontrollerforPacketFence
viathewebGUI.ItwasdoneonanArubaController200softwareversionArubaOS5.0.3.3,tested
onaController600withArubaOS6.0butitshouldapplytoallArubamodels.
Caution
IfyouarealreadyusingyourArubacontrollersanddontwanttoimpactyourusers
youshouldcreatenewAAAprofilesandapplythemtonewSSIDsinsteadofmodifying
thedefaultones.
Note
Starting with PacketFence 3.3, Aruba supports role-based access control. Read the
AdministrationGuideunder"Role-basedenforcementsupport"formoreinformation
abouthowtoconfigureitonthePacketFenceside.
AAASettings
IntheWebinterface,gotoConfigurationAuthenticationRADIUSServerandaddaRADIUS
servernamed"packetfence"theneditit:
SetHosttoPacketFencesIP(192.168.1.5)
SettheKeytoyourRADIUSsharedsecret(useStrongerSecret)
ClickApply
Under Configuration Authentication Server Group add a new Server Group named
"packetfence"theneditittoaddyourRADIUSServer"packetfence"tothegroup.ClickApply.
Under Configuration Authentication RFC3576 add a new server with PacketFences
IP (192.168.1.5) and your RADIUS shared secret (useStrongerSecret). Click Apply. Under
ConfigurationAuthenticationL2AuthenticationedittheMACAuthenticationProfilecalled
"default"theneditittochangetheDelimitertodash.ClickApply.
Under Configuration Authentication L2 Authentication edit the 802.1X Authentication
Profilecalled"default"theneditittounchecktheOpportunisticKeyCachingunderAdvanced.Click
Apply.
UnderConfigurationAuthenticationAAAProfilesclickonthe"default-mac-auth"profilethen
clickonMACAuthenticationServerGroupandchoosethe"packetfence"servergroup.ClickApply.
MovetotheRFC3576serversubitemandchoosePacketFencesIP(192.168.1.5)clickaddthen
apply.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
88
Chapter5
UnderConfigurationAuthenticationAAAProfilesclickonthe"default-dot1x"profilethen
click on 802.1X Authentication Server Group and choose the "packetfence" server group. Click
Apply.MovetotheRFC3576serversubitemandchoosePacketFencesIP(192.168.1.5)clickadd
thenapply.
PublicSSID
IntheWebinterface,gotoConfigurationAPConfigurationtheneditthe"default"APGroup.
GoinWirelessLANVirtualAPcreateanewprofilewiththefollowing:
AAAProfile:default-mac-auth
SSIDProfile:SelectNEWthenaddanSSID(PacketFence-Public)andNetworkauthentication
settoNone
SecureSSID
IntheWebinterface,gotoConfigurationAPConfigurationtheneditthe"default"APGroup.
GoinWirelessLANVirtualAPcreateanewprofilewiththefollowing:
AAAProfile:default-dot1x
SSIDProfile:SelectNEWthenaddanSSID(PacketFence-Secure)andNetworkauthentication
settoWPA2
Roles
Since PacketFence 3.3.0, we now support roles for the Aruba hardware. To add roles, go in
ConfigurationAccessControlUserRolesAdd.YoudontneedtoforceaVLANusagein
theRolesincewesendalsotheVLANIDalongwiththeArubaUserRoleintheRADIUSrequest.
RefertotheArubaUserGuideformoreinformationabouttheRolecreation.
WIPS
InordertousetheWIPSfeatureinPacketFence,pleasefollowthosesimplestepstosendthetraps
toPacketFence.
First,configurePacketFencetobeatrapreceiver.UnderConfiguration>SNMP>TrapReceivers,
add an entry for the PF management IP. By default, all traps will be enabled. If you want to
disablesome,youwillneedtoconnectviaCLI,andrunthesnmp-servertrapdisable<trapname>
command.
ArubaController200
Inthissection,wecoverthebasicconfigurationoftheArubaController200forPacketFenceusing
thecommandlineinterface.WesuggestyoutousetheinstructionsabovefortheWebGUIinstead.
VLANdefinition
Here,wecreateourPacketFenceVLANs,andourAccessPointVLAN(VID66).Itisrecommended
toisolatethemanagementofthethinAPsinaseparateVLAN.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
89
Chapter5
vlan
vlan
vlan
vlan
vlan
2
3
5
10
66
AAAAuthenticationServer
aaa authentication-server radius "PacketFence"
host 192.168.1.5
key useStrongerSecret
aaa server-group "Radius-Group"
auth-server PacketFence
AAAProfiles
aaa profile "default-dot1x"
authentication-dot1x "default"
dot1x-default-role "authenticated"
dot1x-server-group "Radius-Group"
radius-accounting "Radius-Group"
aaa profile "PacketFence"
authentication-mac "pf_mac_auth"
mac-server-group "Radius-Group"
radius-accounting "Radius-Group"
WLANSSIDs:profilesandvirtualAP
wlan ssid-profile "PacketFence-Public"
essid "PacketFence-Public"
wlan ssid-profile "PacketFence-Secure"
essid "PacketFence-Secure"
opmode wpa2-aes
wlan virtual-ap "Inverse-Guest"
aaa-profile "PacketFence"
ssid-profile "PacketFence-Public"
wlan virtual-ap "Inverse-Secure"
aaa-profile "default-dot1x"
ssid-profile "PacketFence-Secure"
ap-group "Inverse"
virtual-ap "Inverse-Guest"
virtual-ap "Inverse-Secure"
ids-profile "ids-disabled"
AllArubaInstantOS
Addyourpacketfenceinstancetoyourconfiguration:
wlanauth-serverpacketfence
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
90
Chapter5
ip 192.168.1.5
port 1812
acctport 1813
timeout 10
retry-count 5
key useStrongerSecret
nas-ip [Aruba Virtual Controller IP]
rfc3576
Adddynamicvlanrulesandmacauthtoyourssidprofile:
wlanssid-profileSSID
index 0
type employee
essid ESSID
wpa-passphrase WPA-Passphrase
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 1
auth-server packetfence
set-vlan Tunnel-Private-Group-Id contains 1 1
set-vlan Tunnel-Private-Group-Id contains 4 4
rf-band all
captive-portal disable
mac-authentication
dtim-period 1
inactivity-timeout 1000
broadcast-filter none
radius-reauth-interval 5
dmo-channel-utilization-threshold 90
BelairNetworks(nowEricsson)
BE20
TheBelairNetworksBE20sarefairlyeasytoconfigure.
AddVLANs
OntheBE20WebInterface,clickonEth-1-1.Bydefault,therewillbenothinginthere.Youneed
tofirstcreateanuntaggedVLAN(VLAN0).Inordertodothat,youneedtosetthePVID,Reverse
PVID,andtheVLANfieldto0.Thenclickadd.
RepeatthatstepforeachofyourVLANsbyenteringtheproperVLANIDintheVLANfield.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
91
Chapter5
AAAServers
OnceyouhavetheVLANssetup,youneedtoaddPacketFenceintotheAAAServerlist.Goto
SystemRadiusServers.ClickonAddserver,andfillouttheproperinformation.
EnsuretheEnabledcheckboxisselected
IPAddress:InserttheIPAddressofthePacketFenceManagementInterface
SharedSecret:InsertthesharedsecretforRADIUScommunication
Whendone,clickontheApplybutton.
SecureSSID
SincetheBE20doesntsupportOpenSSIDwithMACAuthentication,wewillonlydescribehow
toconfigureaWPA2-EnterpriseSSID.First,wewillconfigurethe5GHzantenna.
ClickonWifi-1-1AccessSSIDConfig.FromtheConfigurationforSSIDdropdown,selectthe
1entry.Modifythefieldslikethefollowing:
SSID:PutyourSSIDNameyouwouldlike
Type:Broadcast
UsePrivacyMode:WPA2(AES)withEAP/DOT1x
RADIUSNASIdentifier:YoucanputastringtoidentifyyourAP
RadiusAccountingEnabled:CheckboxSelected
RadiusStationIDDelimiter:dash
RadiusStationIdAppendSsid:CheckboxSelected
RADIUSServer1:SelecttheAAAServeryoucreatedearlier
WhendoneclickApply.Repeatthesameconfigurationforthe2.4GHzAntenna(Wifi-1-2).
Thatshouldconcludetheconfiguration.Youcannowsavetheconfigstotheflashbyhittingthe
ConfigSavebuttonontopoftheInterface.
Brocade
RFSwitches
SeetheMotorolaRFSwitchesdocumentation.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
92
Chapter5
Cisco
Aironet1121,1130,1242,1250,1600
Caution
Withthisequipment,thesameVLANcannotbesharedbetweentwoSSIDs.Havethis
inmindinyourdesign.Forexample,youneedtwoisolationVLANifyouwanttoisolate
hostsonthepublicandsecureSSIDs.
MAC-Authentication+802.1Xconfiguration
RadioInterfaces:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
93
Chapter5
dot11
dot11
dot11
dot11
vlan-name
vlan-name
vlan-name
vlan-name
normal vlan 1
registration vlan 2
isolation vlan 3
guest vlan 5
interface Dot11Radio0
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 2 mode ciphers aes-ccm
ssid PacketFence-Public
ssid PacketFence-Secure
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
bridge-group 253 subscriber-loop-control
bridge-group 253 block-unknown-source
no bridge-group 253 source-learning
no bridge-group 253 unicast-flooding
bridge-group 253 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
LANinterfaces:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
94
Chapter5
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 253
no bridge-group 253 source-learning
bridge-group 253 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.5
encapsulation dot1Q 5
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
ThencreatethetwoSSIDs:
dot11 ssid PacketFence-Secure
vlan 3 backup normal
authentication open eap eap_methods
authentication key-management wpa
dot11 ssid PacketFence-Public
vlan 2 backup guest
authentication open mac-address mac_methods
mbssid guest-mode
ConfiguretheRADIUSserver(weassumeherethattheFreeRADIUSserverandthePacketFence
serverarelocatedonthesamebox):
radius-server host 192.168.1.5 auth-port 1812 acct-port 1813 key
useStrongerSecret
aaa group server radius rad_eap
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_mac
server 192.168.1.5 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac
Aironet1600
CoAandradius:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
95
Chapter5
Aironet(WDS)
To be contributed...
WirelessLANController(WLC)orWirelessServices
Module(WiSM)
In this section, we cover the basic configuration of the WiSM for PacketFence using the web
interface.
First,globallydefinetheFreeRADIUSserverrunningonPacketFence(PacketFencesIP)andmake
sureSupportforRFC3576isenabled(ifnotpresentitisenabledbydefault)
ThenwecreatetwoSSIDs:
PacketFence-Public:non-securewithMACauthenticationonly
PacketFence-Secure:securewithWPA2EnterprisePEAP/MSCHAPv2
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
96
Chapter5
InthesecureSSID,makesure802.1Xisenabledandselecttheappropriateencryptionforyour
needs(recommended:WPA+WPA2)
Nolayer3security
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
97
Chapter5
WesettheIPoftheFreeRADIUSserver
VERYIMPORTANT:AllowAAAoverride(thisallowsVLANassignmentfromRADIUS)
Editthenon-secureSSID:EnableMACauthenticationatlevel2
Nothingatlevel3
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
98
Chapter5
WesettheIPoftheFreeRADIUSserver
VERYIMPORTANT:AllowAAAoverride(thisallowsVLANassignmentfromRADIUS)
Finally,inController>Interfacestab,createaninterfaceperVLANthatcouldbeassigned
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
99
Chapter5
Youaregoodtogo!
WirelessLANController(WLC)WebAuth
Inthissection,wecoverthebasicconfigurationoftheWLCWebAuthforPacketFenceusingthe
webinterface.TheideaistoforwardthedevicetothecaptiveportalwithanACLifthedeviceis
inanunregstateandallowthedevicetoreachInternet(orthenormalnetwork)bychangingthe
ACLonceregistered.Intheunregstate,theWLCwillintercepttheHTTPtrafficandforwardthe
devicetothecaptiveportal.
Inthissampleconfiguration,thecaptiveportalusestheIPaddress172.16.0.250,theadministration
interfaceusestheIPaddress172.16.0.249andtheWLCusestheIPaddress172.16.0.248.The
DHCPandDNSserversarenotmanagedbyPacketFence(WLCDHCPServer,ProductionDHCP
Server)
First, globally define the FreeRADIUS server running on PacketFence (PacketFences
Administration Interface) and make sure Support for RFC 3576 is enabled (if not present it is
enabledbydefault)
ThenwecreateaSSID:
OPENSSID:non-securewithMACauthenticationonly
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
100
Chapter5
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
101
Chapter5
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
102
Chapter5
ThenyouhavetocreatetwoACLs-onetodenyalltrafficexcepttherequiredonetohitthe
portal(Pre-Auth-For-WebRedirect)andtheotheronetoallowanything(Authorize_any).
ThenthelaststepistoconfiguretheWLCinPacketFence.RolebyWebAuthURL
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
103
Chapter5
Roledefinition
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
104
Chapter5
TroubleshootingignoredRADIUSreplies
IntheeventtheWLCignorestheRADIUSrepliesfromPacketFence(youreceivemultiplerequests
butaccessisnevergranted),validatethefollowingelements:*RADIUSsecretisproperlyconfigured
inPacketFenceandtheWLCcontroller.*TheSSLcertificateusedbyPacketFenceisnotexpired.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
105
Chapter5
D-Link
DWLAccess-PointsandDWS3026
To be contributed...
Extricom
EXSWWirelessSwitches(Controllers)
InordertohavetheExtricomcontrollerworkingwithPacketFence,youneedtodefinetwoESSID
definition,oneforthe"public"network,andoneforthe"secure"network.Thiscanbedoneunder
averyshorttimeperiodsinceExtricomsupportsRADIUSassignedVLANsoutofthebox.
You first need to configure you RADIUS server. This is done under the: WLAN Settings
RADIUStab.EnterthePacketFenceRADIUSserverinformation.FortheESSIDconfiguration.inthe
administrationUI,gotoWLANSettingsESSIDdefinitions.Createtheprofilesperthefollowing:
PublicSSID
MACAuthenticationmustbeticked
EncryptionmethodneedstobesettoNone
SelectPacketFenceastheMACAuthenticationRADIUSserver(previouslyadded)
SecureSSID
EncryptionmethodneedstobesettoWPAEnterprise/WPA2Enterprise
AESonlyneedstobeselected
SelectPacketFenceastheRADIUSserver(previouslyadded)
ThefinalstepistoenableSNMPAgentandSNMPTrapsonthecontroller.Thisisdoneunderthe
followingtabintheadministrativeUI:AdvancedSNMP.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
106
Chapter5
Hostapd
OpenWRT
Inthissection,wecoverthebasicconfigurationoftheOpenWRTaccesspoint(Hostapdsoftware).
Hostapdmusthavebeencompiledwithdynamicvlansupportandyouneedtocreateafile/etc/
config/hostapd.vlanthatcontain:
wlan0.#
Andyouneedtoreplacethe/lib/wifi/hostapd.shscriptfilewiththeoneincludedin/usr/local/pf/
addons/hostapd
OpenSSID
ConfigureyourSSIDusingucicommand:
uci add_list wireless.@wifi-iface[0]=wifi-iface
uci add_list wireless.@wifi-iface[0].device=radio0
uci add_list wireless.@wifi-iface[0].mode=ap
uci add_list wireless.@wifi-iface[0].ssid=OpenWrt-OPEN
uci add_list wireless.@wifi-iface[0].network=lan
uci add_list wireless.@wifi-iface[0].encryption=none
uci add_list wireless.@wifi-iface[0].auth_server=192.168.1.5
uci add_list wireless.@wifi-iface[0].auth_port=1812
uci add_list wireless.@wifi-iface[0].auth_secret=useStrongerSecret
uci add_list wireless.@wifi-iface[0].dynamic_vlan=2
uci add_list wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan
uci add_list wireless.@wifi-iface[0].vlan_tagged_interface=eth0
uci add_list wireless.@wifi-iface[0].radius_das_port=3799
uci add_list wireless.@wifi-iface[0].radius_das_client='192.168.1.5
useStrongerSecret'
uci add_list wireless.@wifi-iface[0].macfilter=2
SecureSSID
ConfigureyourSSIDusingucicommand:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
107
Chapter5
Hostapd(software)
To configure Hostapd software you can use the same configuration parameters above in the
configurationfile.
Meraki
Inthissection,wewillcovertheconfigurationoftheMerakicontrollertouseWebauthentication.
Caution
ThereiscurrentlynowaytoreevaluatetheaccessofthedeviceusingPacketFence.
This means that there is no real-time action when trying to isolate a device. The
RADIUS reauthentication delay will determine the maximum response time of the
accessreevaluation.
FirstcreateanewSSIDandthenedititssettings.
Configureitasseeninthescreenshotbelow.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
108
Chapter5
Note
MakesuretoconfigureyourRADIUSserversoitsaccessibleexternallyunderadomain
nameorapublicIPaddress.Replacepf.domain.netbywhatyouwillconfigure.The
onlyportneededis1812inUDP.RefertotheMerakidocumentationformoredetails.
Next,justbelow,configuretheoptionsfortheusersaccessasshowninthescreenshotbelow.
Where192.168.1.5istheIPaddressofyourPacketFenceserver.
Note
MakesureyouselectbridgemodesoyourusersarenotNATedthroughyourAP.If
youneedthedevicestobeonanotherVLAN,modifytheVLANtaggingoftheSSID.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
109
Chapter5
NextgoinWirelessConfigureSplashpage.SelecttheCustomsplashURLandconfigurethe
URLpointingtoyourPacketFenceserver.
Note
Evenifyouenabledthebridgemodeontheaccesspoint,itwillstillsendaNATedIP
addressduringtheinitialHTTPrequest.Toworkaroundthisyouwillneedtoforward
theDHCPtrafficofthenetworkyournodesareconnectedtosoPacketFencehasthe
properIPinformationofthedevices.
RFC5176
WebAuth
Note
WhileusingtheWebAuthmodeontheMerakicontrollerwithaversionsuperiorto
X.X,youneedtouse"RolemappingbySwitchRole"and"RolebyWebAuthURL"in
thetabRolesfromtheswitchconfiguration.
ConfigureyourSSIDasshownbelow:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
110
Chapter5
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
111
Chapter5
Note
ItismandatorythatyouusetheAirespace-ACL-Nameas"RADIUSattributespecifying
grouppolicyname".
Theswitchmoduletouseforthisconfigurationis"MerakicloudcontrollerV2".
Next,configuretherolesforthedevicesonyournetwork.GoinNetwork-wideGrouppolicies,then
youwillbeabletocreatepoliciesthatcanbeconfiguredasrolesintheswitchconfigurationof
PacketFence.CreationofthepolicyGuest:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
112
Chapter5
Yourconfigurationforthetab"Roles"inPacketFencewilllooklikethefollowing:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
113
Chapter5
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
114
Chapter5
VLANenforcement
Note
VLANassignmentinMACauthenticationdoesnotworkatthemoment,youcanlook
throughlib/pf/Switch/Meraki/AP_http_V2.pmintheBUGS AND LIMITATIONSpartor
use the following method. Note that this method will be considered as deprecated
whentheMerakifirmwareisfixed.
IfyouwanttoruntheMerakiinVLANassignment,youwillneedtousetheGrouppolicies,create
agrouppolicyunderNetwork-wideGrouppoliciesandchangethesettingVLANtoTag VLAN,insert
theVLANnumberofyourregistrationVLANandsavethepolicy.
IntheconfigurationofPacketFence,use"RolemappingbySwitchRole"insteadof"RolebyVLAN
ID".
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
115
Chapter5
Mikrotik
ThisconfigurationhasbeentestedonAccessPointOmniTIKU-5hnDwithRouterOSv6.18and
onlyMAC-Authenticationisavailablenow.TheonlydeauthenticationmethodavailableisSSH,so
createanaccountintheMikrotikAPandfilltheinformationinPacketFenceswitchconfiguration.
AlsodontforgettousethepfaccounttosshontheAccessPointtoreceivethesshkey.
OpenSSID
In this setup we use the interface ether5 for the bridge (Trunk interface) and ether1 as the
managementinterface.
Configureyouraccesspointwiththefollowingconfiguration:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
116
Chapter5
/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ce/an(17dBm), SSID: OPEN, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce
disabled=no l2mtu=1600 mode=ap-bridge ssid=MikroTik-05A64D
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4slave-local
set [ find default-name=ether5 ] name=ether5-master-local
/interface vlan
add interface=BR-CAPS l2mtu=1594 name=default vlan-id=1
add interface=BR-CAPS l2mtu=1594 name=isolation vlan-id=3
add interface=BR-CAPS l2mtu=1594 name=registration vlan-id=2
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes local-forwarding=yes
name=datapath1
/caps-man interface
#
add arp=enabled configuration.mode=ap configuration.ssid=OPEN datapath=datapath1
disabled=no l2mtu=1600 mac-address=\
D4:CA:6D:05:A6:4D master-interface=none mtu=1500 name=cap1 radiomac=D4:CA:6D:05:A6:4D
/caps-man aaa
set interim-update=5m
/caps-man access-list
add action=query-radius interface=cap1 radius-accounting=yes signalrange=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether1-gateway
add bridge=BR-CAPS interface=ether5-master-local
/interface wireless cap
set bridge=BR-CAPS discovery-interfaces=BR-CAPS enabled=yes interfaces=wlan1
/ip accounting
set enabled=yes
/radius
add address=192.168.1.5 secret=useStrongerSecret service=wireless
/radius incoming
set accept=yes
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
117
Chapter5
HP
ProCurveControllerMSM710
To be contributed...
Meru
MeruControllers(MC)
Inthissection,wecoverthebasicconfigurationoftheMeruwirelesscontrollerforPacketFence
viathewebGUI.
DisablePMKCaching
If you are running a WPA2 SSID, you may need to disable PMK caching in order to avoid
deauthenticationissues.ThisistrueifyouarerunningAP300susingany5.0versionsincluding
5.0-87,oranyversionsbelow4.0-160.
HerearethecommandstoruntodisablethePMKcachingattheAPlevel.First,logintheAP,and
runthiscommandtoseewhichradiosarebroadcastingyourSSID.vapdisplay
Second,disablethePMKcachingonthoseradios.radiopmkidradio00disable
YoucanalsoaddthosecommandstotheAPbootscript.ContactyourMerusupportrepresentative
forthatpart.
VLANDefinition
Here,wecreateourPacketFenceVLANsforclientuse.GotoConfigurationWiredVLAN,
andselectAdd.
VLANNameisthehumanreadablename(ie.RegistrationVLAN)
TagistheVLANID
FastEthernetInterfaceIndexreferstothecontrollersethernetinterface
IPAddressAnIPaddressforthiscontrolleronthisVLAN
NetmaskNetworkmaskforthisVLAN
IPAddressofthedefaultgatewayWiredIProuterforthisVLAN
SettheOverrideDefaultDHCPserverflagtooff
LeavetheDHCPserverIPaddressandtheDHCPrelayPass-Throughtodefault
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
118
Chapter5
ClickOKtoaddtheVLAN.
AAAAuthenticationServer
Here, we create our PacketFence RADIUS server for use. Under Configuration Security
Radius,selectAdd.
GivetheRADIUSProfileaname
Writeadescriptionoftheprofile
GivetheRADIUSIP,RADIUSSecretandtheRADIUSauthenticationport
SelectColonfortheMACaddressdelimiter
SelectMACAddressasthepasswordtype
ClickOKtoaddtheRADIUSprofile.
AAAAccountingServer
Here, we create our PacketFence RADIUS server for use. Under Configuration Security
Radius,selectAdd.
GivetheRADIUSProfileaname
Writeadescriptionoftheprofile
GivetheRADIUSIP,RADIUSSecretandtheRADIUSaccountingport
SelectColonfortheMACaddressdelimiter
SelectMACAddressasthepasswordtype
ClickOKtoaddtheRADIUSaccountingprofile.
AAAProfilesOpenSSID
Here,wecreateourwirelesssecurityprofilesforuse.UnderConfigurationSecurityProfile,
selectAdd.
Givethesecurityprofileaname
SelectClearastheL2ModesAllowed
LeaveDataEncryptempty
DisabletheCaptivePortal
EnabletheMacFiltering
ClickOKtosavetheprofile.
MACFiltering
WhenusingtheOpenSSID,youneedtoactivatethemacfiltering.UnderConfigurationMac
Filtering:
SetACLEnvironmentStatetoPermitlistenabled
SelectyourRADIUSprofile
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
119
Chapter5
AAAProfilesSecureSSID
Here,wecreateourwirelesssecurityprofilesforuse.UnderConfigurationSecurityProfile,
selectAdd.
Givethesecurityprofileaname
SelectWPA2astheL2ModesAllowed
SelectCCMP-AESforDataEncrypt
SelectyourPacketFenceRADIUSAuthenticationProfile
DisabletheCaptivePortal
Enablethe802.1Xnetworkinitiation
LeavetheMacFilteringtooff
ClickOKtosavetheprofile.
WLANSSIDs
Here,wecreateourSSIDandtieittoasecurityprofile.UnderConfigurationWirelessESS,
selectAdd.
GivetheESSprofileaname,andenableit
WriteanSSIDname
Selectyoursecurityprofilenamepreviouslycreated
SelectyourPacketFenceRADIUSAccountingProfile(ifyouwanttodoaccounting)
EnabletheSSIDBroadcast
MakethenewAPtojointheESS
SetthetunnelinterfacetypetoRADIUSandConfiguredVLAN
SelecttheregistrationVLANfortheVLANName
ClickOKtocreatetheSSID.RepeatthosestepsfortheopenandsecureSSIDbychoosingthe
rightsecurityprofile.
WLANSSIDsAddingtoaccesspoint
Here,wetieourSSIDstoaccesspoints.UnderConfigurationWirelessESS,selecttheSSID
youwanttoaddtoyouraps.Then,selecttheESS-APTable,andclickAdd.
SelecttheAPIDfromthedropdownlist
ClickOKtoassociatetheSSIDwiththisAP
Roles(Per-UserFirewall)
SincePacketFence3.3.0,wenowsupportroles(per-userfirwallrules)fortheMeruhardware.To
addfirewallrules,goinConfigurationQoSSystemSettingsQoSandFirewallRules.When
youaddarule,youhavetopayattentiontotwothings:
Theruleisappliedtothecontrollerphysicalinterfacerightaway,somakesureyouarenottoo
wideonyourACLtolockyouout!
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
120
Chapter5
TherulesaregroupedusingtheFirewallFilterID(WewillusethisIDfortheroles)
So, since the matching is done using the Firewall Filter ID configuration field, your roles line in
switches.confwouldlooklike:
roles=Guests=1;Staff=2
Note
YouneedtohavethePer-UserFirewalllicenseinordertobenefitthisfeature.
Motorola
InordertohavetheMotorolaRFScontrollerworkingwithPacketFence,youneedtodefinetwo
WirelessLANsdefinition,oneforthe"public"network,andoneforthe"secure"network.
WiNG(Firmware>=5.0)
AAAPolicy(RADIUSserver)
First,weneedtobuildtheAAAPolicy.UnderConfigurationWirelessAAAPolicy,clickon
theAddbuttonatthebottomright.ConfiguretheRADIUSprofilelikethefollowing:
Host:ChooseIPAddressinthedropdown,andputtheRADIUSserver(PF)IP
InsertaRADIUSsecretpassphrase
Select"ThroughWirelessController"RequestMode
Caution
SinceweareusingRADIUSDynamicAuthorization,weneedtoenabletheRADIUS
accounting. Under the RADIUS accounting tab, click the Add button at the bottom
right,andinsertthepropervalues.
OpenSSID
UnderConfigurationWirelessWirelessLANs,clickontheAddbuttonatthebottomright.
UnderBasicConfiguration:
ProfileName:Giveaconvenientname
SSID:ThisistheESSIDname
EnsurethattheWLANStatusissettoenable
SelectSingleVLANasVLANassignmenttechnique
Ensurethat"AllowRADIUSOverride"isselected
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
121
Chapter5
Securityconfiguration:
SelectMACasauthenticationtype
SelectyourAAAPolicypreviouslycreated
EnsurethatyouselectedOpenastheEncryption
Accountingconfiguration:
Makesureyouselect"EnableRADIUSAccounting"
SelectthepreviouslyconfiguredAAAPolicy
Advancedconfiguration:
MakesureyouselectRADIUSDynamicAuthorization
SecureSSID
UnderConfigurationWirelessWirelessLANs,clickontheAddbuttonatthebottomright.
UnderBasicConfiguration:
ProfileName:Giveaconvenientname
SSID:ThisistheESSIDname
EnsurethattheWLANStatusissettoenable
SelectSingleVLANasVLANassignmenttechnique
Ensurethat"AllowRADIUSOverride"isselected
Securityconfiguration:
SelectEAPasauthenticationtype
SelectyourAAAPolicypreviouslycreated
EnsurethatyouselectedWPA/WPA2-TKIPastheEncryption
UnselecteverythingunderFastRoaming(Disablecaching)
Accountingconfiguration:
Makesureyouselect"EnableRADIUSAccounting"
SelectthepreviouslyconfiguredAAAPolicy
Advancedconfiguration:
MakesureyouselectRADIUSDynamicAuthorization
Profile(WLANMapping)
Youhavemultipleoptionshere.Either,youcreateageneralAPprofile,andyouassignittoyour
Aps,oryoumodifytheAPdeviceconfigurationtomaptheWLANtotheradiointerfaces.Forthe
purpose of this document, we will modify the general profile. Under Profiles default-apXXX
(whereXXXisyourAPmodel),inInterfaceRadios,edittheexistingradiossettings.Gotothe
WLANMappingtab,selectthetwoSSIDsandclickonthe<<button.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
122
Chapter5
Profile(Management)
Here,wecanconfigureourSNMPcommunitystrings.LocatedinConfigurationManagement
ManagementPolicy.Again,youcanmodifythedefaultone,oryoucancreateabrandnewPolicy.
VLANs
Youneedtoensurethattheuplinkinterfaceofthecontrollerisconfiguredasatrunk,andthatall
thenecessaryVLANsarecreatedonthedevice.ThisisconfiguredunderDevicerfsXXXX-MAC
(whereXXXXisyourcontrollerseries,andMACisthelatest3octetsofitsmacaddress).Editthe
deviceconfiguration,andgotoInterfaceEthernetPorts.Ensurethattheup1interfaceissetas
trunk,withalltheallowedVLANs.Next,createtheVLANunderInterfaceVirtualInterfaces.
Roles(Per-UserFirewall)
SincePacketFence3.3.0,wenowsupportrolesfortheMotorolahardwareusingWiNGS5.x.To
addroles,goinConfigurationSecurityWirelessClientRoles.Firstcreateaglobalpolicythat
willcontainyourroles.Next,createyourRolesbyclickingontheAddbuttononthebottomright.It
isimportanttoconfiguretheGroupConfigurationlineproperlybysettingthestringnamethatwe
willuseintheRADIUSpacket.Forexemple,foraGuestsRole,youcanputGroupConfiguration
Exact Guests, and for a Staff Roles, you can put Group Configuration Exact Staff. In the roles
configurationinswitches.conf,youwouldhavesomethinglike:
roles=CategoryGuests=Guests;CategoryStaff=Staff
Finally,dontforgettoconfiguretheappropriatefirewallrulesforyourRoles!Makesurealsoto
committheconfigurationuponyourchanges.
Note
YouneedtohaveanAdvancedSecuritylicensetoenablethePer-UserFirewallfeature.
WIPS
InordertoenabletheWIPSfunctionalityontheMotorola,youneedtofollowthisprocedure.The
stepshavebeendoneusingtheCLI.
First,Createawips-policy:
wips-policy Rogue-AP
history-throttle-duration 86400
event ap-anomaly airjack
event ap-anomaly null-probe-response
event ap-anomaly asleap
event ap-anomaly ad-hoc-violation
event ap-anomaly ap-ssid-broadcast-in-beacon
event ap-anomaly impersonation-attack
ap-detection
Next,createaneventpolicy:
event-system-policy PF-WIDS
event wips wips-event syslog off snmp on forward-to-switch off email off
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
123
Chapter5
Next,createoradjustyourmanagementpolicytoconfiguretheSNMPtraps.Hereisanexample
policy,pleasenotethetwolastlines:
management-policy default
no http server
https server
ssh
user admin password 1
e4c93663e3356787d451312eeb8d4704ef09f2331a20133764c3dc3121f13a5b role superuser
access all
user operator password 1
7c9b1fbb2ed7d5bb50dba0b563eac722b0676b45fed726d3e4e563b0c87d236d role monitor
access all
no snmp-server manager v3
snmp-server community public ro
snmp-server community private rw
snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
snmp-server enable traps
snmp-server host 10.0.0.100 v2c 162
Youthenneedtotellyourcontrollertousetheeventpolicy:
rfs6000 5C-0E-8B-17-F2-E3
...
use event-system-policy PF-WIDS
Finally,youneedtoconfigurearadiointerfaceonyourAPtoactasasensor.Hereisanexample
configurationforadual-radioAP650:
ap650 00-23-68-86-EB-BC
use profile default-ap650
use rf-domain default
hostname ap650-86EBBC
country-code ca
use wips-policy Rogue-AP
interface radio1
rf-mode sensor
channel smart
power smart
data-rates default
no preamble-short
radio-share-mode off
interface radio2
...
OlderFirmwares(<5.0)
OptionforPublicWirelessLAN
ChecktheDynamicAssignmentcheck-box
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
124
Chapter5
Select"MACAuthentication"underAuthentication
Click"Config"choosetheColondelimiterformat
Un-checkallencryptionoptions
UnderRADIUSputinPacketFencesRADIUSServerinformation
OptionforSecureWirelessLAN
ChecktheDynamicAssignmentcheck-box
Select"802.1XEAP"underAuthentication
CheckWPA/WPA2-TKIPencryptionoption
UnderRADIUSputinPacketFencesRADIUSServerinformation
SNMPGlobalconfiguration
AddthetwoRead-OnlyandRead-WriteusersunderManagementAccessSNMPAccess.
Ruckus
AAAServers
WeneedtodefinetheRADIUSandRADIUSaccounting(mandatory):
Under Configuration AAA Servers, click on the Create New button. Enter the proper
configuration:
Enteraservername
SelecteitherRADIUSorRADIUSaccountingasthetype
UsePAPastheAuthMethod
EntertheIPaddres,andsharedsecret.
HitOK
RepeatthestepsfortheRADIUSandRADIUSaccountingtypes.Weneed1definitionforeach
otherwiseRADIUSdynamicauthorizationwontwork.
WLANDefinitions
UnderConfigurationWLAN,clickontheCreateNewbutton.Entertheproperconfiguration:
OpenSSID
EnteraName/SSID
SelectStandardUsageastheType
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
125
Chapter5
SelectMACAddressastheauthenticationtype
SelectOpenastheencryptionmethod
SelecttheproperRADIUSserverastheauthenticationserver
SelecttheproperRADIUSserverastheaccountingserver
Note
TheOpenSSIDdoesNOTsupportdynamicVLANassignments(Firmware9.3.0.0.83)
SecureSSID
EnteraName/SSID
SelectStandardUsageastheType
SelectWPA2astheauthenticationtype
SelectAESastheencryptionmethod
SelecttheproperRADIUSserverastheauthenticationserver
SelecttheproperRADIUSserverastheaccountingserver
ChecktheEnableDynamicVLANcheckbox
WIPS
ToenabletheWIPSfeatureoftheRuckusinordertosendSNMPtrapstoPacketFence,thesetup
isfairlysimple.
First, configure the controller to send the traps to PacketFence. Under Configure > System >
NetworkManagement>SNMPTrap:
*Select"EnableSNMPTrap"*PutthePacketFenceManagementIPintheTrapServerIPfield
Note
Thetrapswillarrivewiththe"public"communitystring
Next,youneedtoconfiguretheAlarmSettings.UnderConfigure>AlarmSettings,makesurethe
followingareselected:
*RogueAPDetected*SSID-SpoofingAPDetected*MAC-SpoofingAPDetected*LANRogueAP
Detected
Finally,enabletheWIPSfeatureonthecontroller.UnderConfigure>WIPS>IntrusionDetection
andPrevention,makesurebothboxareselected,clickApply.
Webauthentication
InordertousePacketFenceasanexternalcaptiveportalforwebauthentication,youwillneedto
configurefirstyourRADIUSauthenticationandaccountingserver(seestepsabove).
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
126
Chapter5
Hotspotconfiguration
ConfiguretheHotspotserviceprofiletoredirectdevicestoyourPacketFenceportal.Goonthe
ZoneDirectoradministrationwebpagetothesectionConfigureHotspotServicesCreateNew
1
2
3
4
WirelessControllersand
AccessPointConfiguration
127
Chapter5
WLANconfiguration
GotoConfigureWLANsWLANsCreateNew
1
2
3
4
5
6
Saveyourconfiguration.
PacketFenceconfiguration
OntheZoneDirectorconfigurationinPacketFence,youwillneedtospecify-1astheregistration
vlaninordertodisplaythecaptiveportaltotheenddevice.
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
128
Chapter5
You will need to deactivate the force secure redirect on the captive portal under
ConfigurationCaptivePortalSecureredirectUnchecked
Thecaptiveportalneedstolistenonthemanagementinterface,soyouwillneedtoaddtheportal
daemontothemanagementinterfaceunderConfigurationInterfacesManagementInterface
Example:
[interface eth0]
ip=192.168.1.5
type=management,portal
mask=255.255.255.0
Toapplytheconfiguration,restartPacketFenceusingthefollowingcommand:servicepacketfence
restart
Trapeze
InordertohavetheTrapezecontrollerworkingwithPacketFence,youneedtodefinetheRADIUS
configurationandtheproperserviceprofiles.
RADIUSconfiguration
set radius server PF address 192.168.1.5 timeout 5 retransmit 3 deadtime 0 key
secret
set server group PF-RADIUS members PF
ServiceProfiles
Herewedefinetwoserviceprofiles,onefortheopenSSID(PacketFence-Public)andoneforthe
WPA2-EnterpriseSSID(PacketFence-Secure):
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
129
Chapter5
set
set
set
set
set
set
set
service-profile
service-profile
service-profile
service-profile
service-profile
service-profile
service-profile
PF-Open
PF-Open
PF-Open
PF-Open
PF-Open
PF-Open
PF-Open
ssid-name PacketFence-Public
ssid-type clear
auth-fallthru last-resort
cipher-tkip enable
auth-dot1x disable
11n mode-na required
attr vlan-name WLAN_REG
set
set
set
set
set
set
set
service-profile
service-profile
service-profile
service-profile
service-profile
service-profile
service-profile
PF-Secure
PF-Secure
PF-Secure
PF-Secure
PF-Secure
PF-Secure
PF-Secure
ssid-name PacketFence-Secure
cipher-tkip enable
cipher-ccmp enable
wpa-ie enable
rsn-ie enable
11n mode-na required
attr vlan-name Wlan
AAAconfiguration
Finally,weneedtotietheserviceprofileswiththeproperAAAconfiguration.
set
set
set
set
Xirrus
XirrusWiFiArrays
Xirrus Access Points can be configured to work with PacketFence quickly since Xirrus supports
RADIUSassignedVLANsoutofthebox.
First,RADIUSserverconfiguration.SettheRADIUSservertobePacketFencesIP:
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
130
Chapter5
ExternalportalSSID
SetEncryption/AuthenticationtoNone/Open
ThenchecktheWPRcheckbox
ThenininthesectionWebPageRedirectConfigurationsetServertoExternalLogin
SettheRedirectURLtohttp://192.168.1.5/Xirrus::AP_http
SettheRedirectSecrettoanypassphraseofyourchoice
IntheRADIUSConfigurationsectionsettheRADIUSservertopointtoyourPacketFenceserver
Copyright2016Inverseinc.
WirelessControllersand
AccessPointConfiguration
131
Chapter6
AdditionalInformation
Formoreinformation,pleaseconsultthemailingarchivesorpostyourquestionstoit.Fordetails,
see:
packetfence-announce@lists.sourceforge.net: Public announcements (new releases, security
warningsetc.)regardingPacketFence
packetfence-devel@lists.sourceforge.net:DiscussionofPacketFencedevelopment
packetfence-users@lists.sourceforge.net:Userandusagediscussions
Copyright2016Inverseinc.
AdditionalInformation
132
Chapter7
CommercialSupportandContact
Information
For any questions or comments, do not hesitate to contact us by writing an email to:
support@inverse.ca.
Inverse (http://inverse.ca) offers professional services around PacketFence to help organizations
deploythesolution,customize,migrateversionsorfromanothersystem,performancetuningor
aligningwithbestpractices.
Hourlyratesorsupportpackagesareofferedtobestsuityourneeds.
Pleasevisithttp://inverse.ca/fordetails.
Copyright2016Inverseinc.
CommercialSupport
andContactInformation
133
Chapter8
GNUFreeDocumentationLicense
Pleaserefertohttp://www.gnu.org/licenses/fdl-1.2.txtforthefulllicense.
Copyright2016Inverseinc.
GNUFreeDocumentationLicense
134