for PacketFence version 4.5.1
Network Devices Configuration Guide
by Inverse Inc.
Version 4.5.1 - Nov 2014
Copyright 2014 Inverse inc.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL
Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".
Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".
Table of Contents
About this Guide ... 1
  Other sources of information ... 1
Note on Inline enforcement support ... 2
List of supported Network Devices ... 3
Switch configuration ... 4
  Assumptions ... 4
  3COM ... 4
  Allied Telesis ... 10
  Amer ... 11
  Avaya ... 11
  Brocade ... 12
  Cisco ... 13
  D-Link ... 29
  Dell ... 30
  EdgecorE ... 31
  Enterasys ... 32
  Extreme Networks ... 34
  Foundry ... 36
  Huawei ... 37
  H3C ... 41
  HP ... 44
  HP ProCurve ... 44
  Huawei ... 48
  Intel ... 49
  Juniper ... 49
  LG-Ericsson ... 52
  Linksys ... 54
  Netgear ... 54
  Nortel ... 57
  SMC ... 58
Wireless Controllers and Access Point Configuration ... 60
  Assumptions ... 60
  Unsupported Equipment ... 60
  AeroHIVE ... 61
  Anyfi ... 63
  Avaya ... 66
  Aruba ... 67
  Belair Networks (now Ericsson) ... 70
  Brocade ... 71
  Cisco ... 72
  Wireless LAN Controller (WLC) Web Auth ... 79
  D-Link ... 84
  Extricom ... 85
  Hostapd ... 85
  Mikrotik ... 87
  HP ... 89
  Meru ... 89
  Motorola ... 92
  Ruckus ... 96
  Trapeze ... 98
  Xirrus ... 99
Copyright 2014 Inverse inc. iii
Additional Information ... 101
Commercial Support and Contact Information ... 102
GNU Free Documentation License ... 103
Chapter 1
About this Guide
This guide covers the configuration of network devices in order to integrate them with PacketFence in VLAN enforcement. Switches, wireless controllers and wireless access points are all considered network devices in PacketFence's terms.
The latest version of this guide is available at http://www.packetfence.org/documentation/
Other sources of information
Administration Guide: Covers PacketFence installation, configuration and administration.
ChangeLog: Covers all changes to the source code.
These files are included in the package and release tarballs.
Chapter 2
Note on Inline enforcement support
There is no need to follow the instructions in this guide if you plan on deploying in inline enforcement, except RADIUS inline. In this case all you need to do is to have a flat layer 2 network up to PacketFence's inline interface with no other gateway available for devices to reach out to the Internet.
This technique is usually used when your network hardware doesn't support VLAN enforcement.
Chapter 3
List of supported Network Devices
PacketFence supports a whole lot of different wireless and wired network equipment from various vendors running different versions. Since we want to provide the most accurate information and avoid duplication of that same information, please refer to our website http://www.packetfence.org/about/supported_switches_and_aps.html
You'll find on this page the enforcement modes supported by each and every single piece of equipment we tested and worked with.
Chapter 4
Switch configuration
Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:
- PacketFence is fully configured with FreeRADIUS running (if you want 802.1X or MAC Auth)
- PacketFence IP address: 192.168.1.5
- Normal VLAN: 1
- Registration VLAN: 2
- Isolation VLAN: 3
- MAC Detection VLAN: 4
- Guest VLAN: 5
- VoIP, Voice VLAN: 100
- use SNMP v2c
- SNMP Read community: public
- SNMP Write community: private
- SNMP Trap community: public
- RADIUS Secret: useStrongerSecret
3COM
SuperStack 3 Switch 4200 and 4500
PacketFence supports these 3Com switches without VoIP using one trap type:
- linkUp/linkDown
- Port Security (with static MACs)
Don't forget to update the startup config!
linkUp/linkDown only
Global config settings:
    snmp-agent
    snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
    snmp-agent trap enable standard linkup linkdown
On each interface:
In Port Security
Global config settings:
    snmp-agent
    snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
    snmp-agent trap enable
    port-security enable
    port-security trap addresslearned
    port-security trap intrusion
On each interface:
In Mac Auth
- Voice vlan: 6
- Normal vlan: 1
- Registration vlan: 2
- Isolation vlan: 3
Global config settings:
    lldp enable
    lldp timer tx-interval 5
    lldp compliance cdp
    lldp compliance cdp
    port-security enable
    MAC-authentication domain packetfence
    domain packetfence
    authentication radius-scheme packetfence
    accounting radius-scheme packetfence
    vlan-assignment-mode string
    accounting optional
    domain system
On each interface with VoIP:
    interface Ethernet1/0/1
    stp edged-port enable
    lldp compliance admin-status cdp txrx
    port link-type hybrid
    port hybrid vlan 6 tagged
    port hybrid vlan 1 2 3 untagged
    undo voice vlan mode auto
    voice vlan enable
    port-security max-mac-count 3
    port-security port-mode mac-authentication
    port-security intrusion-mode blockmac
    undo enable snmp trap updown
E4800G
PacketFence supports these 3Com switches with the following techniques:
- 802.1X with MAC Authentication fallback
- linkUp/linkDown (not recommended)
Voice over IP support was not explicitly tested during implementation; however, it does not mean that it won't work.
Don't forget to update the startup config!
linkUp/linkDown only
Global config settings:
    snmp-agent
    snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
    snmp-agent trap enable standard linkup linkdown
On each interface:
802.1X with MAC Authentication fallback
Global config settings:
    system-view
    radius scheme PacketFence
    primary authentication 192.168.1.5 1812
    primary accounting 192.168.1.5 1812
    key authentication useStrongerSecret
    user-name-format without-domain
    quit
    domain packetfence.local
    authentication default radius-scheme PacketFence
    authorization default radius-scheme PacketFence
    quit
    domain default enable packetfence.local
    dot1x authentication-method eap
    port-security enable
    quit
If your management authentication on your switch is the default one, applying the configuration above will switch your authentication to a RADIUS-based one with PacketFence as the authentication server. It is almost certain that you do not want that!
Below, we will just create a local password for vty accesses (telnet) and nothing on the console. In order to avoid locking yourself out, make sure to verify your configuration!
    system-view
    user-interface aux 0
    authentication-mode none
    user-interface vty 0 4
    user privilege level 3
    set authentication password simple useStrongerPassword
    quit
    quit
On each interface:
    system-view
    interface gigabitEthernet 1/0/xx
    port-security port-mode mac-else-userlogin-secure-ext
    # userlogin-secure-or-mac-ext could be used below instead
    # see the Switch_4200G's documentation for a discussion about it
    undo enable snmp trap updown
    quit
    quit
where xx stands for the interface index.
E5500G and Switch 4200G
PacketFence supports these 3Com switches with the following techniques:
- 802.1X with MAC Authentication fallback
- linkUp/linkDown (not recommended)
Voice over IP support was not explicitly tested during implementation; however, it does not mean that it won't work.
Don't forget to update the startup config!
linkUp/linkDown only
Global config settings:
    snmp-agent
    snmp-agent target-host trap address udp-domain 192.168.1.5 params securityname public
    snmp-agent trap enable standard linkup linkdown
On each interface:
802.1X with MAC Authentication fallback
Global config settings:
    system-view
    radius scheme PacketFence
    server-type standard
    primary authentication 192.168.1.5 1812
    primary accounting 192.168.1.5 1812
    accounting optional
    key authentication useStrongerSecret
    user-name-format without-domain
    quit
    domain packetfence.local
    radius-scheme PacketFence
    vlan-assignment-mode string
    quit
    domain default enable packetfence.local
    dot1x authentication-method eap
    port-security enable
    quit
If your management authentication on your switch is the default one, applying the configuration above will switch your authentication to a RADIUS-based one with PacketFence as the authentication server. It is almost certain that you do not want that!
Below, we will just create a local password for vty accesses (telnet) and nothing on the console. In order to avoid locking yourself out, make sure to verify your configuration!
    system-view
    user-interface aux 0
    authentication-mode none
    user-interface vty 0 4
    user privilege level 3
    set authentication password simple useStrongerPassword
    quit
    quit
On each interface:
    system-view
    interface gigabitEthernet 1/0/xx
    port-security port-mode mac-else-userlogin-secure-ext
    # userlogin-secure-or-mac-ext could be used below instead
    # see the Switch_4200G's documentation for a discussion about it
    undo enable snmp trap updown
    quit
    quit
where xx stands for the interface index.
NJ220
This switch does not support port-security.
To configure: use the web interface to send the linkUp/linkDown traps to the PacketFence server.
Allied Telesis
AT8000GS
PacketFence supports the AT8000GS switch using:
- Mac Authentication (mac-only)
- 802.1X
VoIP support is limited using 802.1X/MAC authentication. We do have a limitation where the phone needs to be on the same VLAN as the PC (no voice VLAN concept).
Mac Authentication
First, activate 802.1X globally:
    dot1x system-auth-control
Next, configure the RADIUS server and AAA settings:
In order to get mac authentication, you need to enable the guest VLAN globally:
    interface vlan 5
    name "Guest Vlan"
    dot1x guest-vlan
    exit
Finally, enable the necessary 802.1X settings for mac-only authentication:
    interface ethernet g1
    dot1x mac-authentication mac-only
    dot1x radius-attributes vlan
    dot1x port-control auto
    dot1x guest-vlan enable
802.1X
The settings are almost the same as the MAC Authentication with some small differences.
First, activate 802.1X globally:
    dot1x system-auth-control
Next, configure the RADIUS server and AAA settings:
Finally, enable the necessary 802.1X settings:
    interface ethernet g1
    dot1x radius-attributes vlan
    dot1x port-control auto
Amer
PacketFence supports Amer switches without VoIP using one trap type:
- linkUp/linkDown
Don't forget to update the startup config!
L2 Switch SS2R24i
Global config settings:
On each interface:
where xx stands for the interface index.
Avaya
Avaya bought Nortel's wired networks assets. So Avaya switches are, in effect, re-branded Nortels. See the Nortel section of this document for configuration instructions.
Brocade
ICX 6400 Series
Those switches are supported using 802.1X for networks with or without VoIP.
Global config settings:
Where xx and yy represent the range of ports where you want PacketFence enforcement.
MAC-Authentication without VoIP
Enable MAC-Authentication globally:
    mac-authentication enable
    mac-authentication mac-vlan-dyn-activation
Enable MAC-Authentication on each interface you want PacketFence active:
    mac-authentication enable
    mac-authentication enable-dynamic-vlan
MAC-Authentication with VoIP
Enable cdp globally:
    cdp run
Apply the following configuration on each interface you want PacketFence active:
    dual-mode
    mac-authentication enable
    mac-authentication enable-dynamic-vlan
    voice-vlan 100
    cdp enable
802.1X/MAC-Auth
Enable 802.1X globally:
    dot1x-enable
    re-authentication
    enable ethe 1/1/xx
Where xx is the switch port number.
Apply the following configuration on each interface you want PacketFence active:
Cisco
PacketFence supports Cisco switches with VoIP using three different trap types:
- linkUp/linkDown
- MAC Notification
- Port Security (with static MACs)
On some recent models, we can also use more secure and robust features like:
- MAC Authentication (Cisco's MAC Authentication Bypass or MAB)
- 802.1X (Multi-Host or Multi-Domain)
Depending on the switch model, we recommend the use of the most secure and reliable feature first. In other words, you should consider the following order:
1. 802.1X/MAB
2. Port-Security
3. linkUp/linkDown
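What a linkUp/linkDown trap actually carries on the wire, as an added example that is not PacketFence code: a minimal BER codec that builds an SNMPv2c linkUp trap the way a switch pointed at 192.168.1.5 would emit it and decodes it back to the two fields an enforcement point needs, the event and the ifIndex of the port. The OIDs are the standard SNMPv2-MIB snmpTraps and IF-MIB ifIndex ones; the community, uptime and ifIndex values are constructed, and the function and class names are this example's own. Note that in SNMPv2c the community string (`public` in this guide's assumptions) is the only credential and travels in clear text, so a trap receiver should accept traps only from the switches' management addresses and the communities used in production should not be the ones from the assumptions list.

```python
"""Encode and decode an SNMPv2c linkUp/linkDown trap (added example, not PacketFence code)."""
from dataclasses import dataclass

SNMP_V2C = 1
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"            # sysUpTime.0, first varbind of every v2c trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0, names the trap
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"           # SNMPv2-MIB snmpTraps.linkDown
LINK_UP = "1.3.6.1.6.3.1.1.5.4"             # SNMPv2-MIB snmpTraps.linkUp
IF_INDEX = "1.3.6.1.2.1.2.2.1.1"            # IF-MIB ifIndex column


# --- BER encoding --------------------------------------------------------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _int(value):
    """Minimal two's-complement INTEGER body (also used for non-negative TimeTicks)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return value.to_bytes(n, "big", signed=True)


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]          # base-128 groups, high bit set on all but the last
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(groups))
    return bytes(out)


def encode_link_trap(community, uptime_ticks, ifindex, up=True, request_id=1):
    """SNMPv2c message carrying a linkUp (or linkDown) trap for the given ifIndex."""
    trap = LINK_UP if up else LINK_DOWN
    varbinds = b"".join([
        _tlv(0x30, _tlv(0x06, _oid(SYS_UPTIME)) + _tlv(0x43, _int(uptime_ticks))),  # 0x43 = TimeTicks
        _tlv(0x30, _tlv(0x06, _oid(SNMP_TRAP_OID)) + _tlv(0x06, _oid(trap))),
        _tlv(0x30, _tlv(0x06, _oid(f"{IF_INDEX}.{ifindex}")) + _tlv(0x02, _int(ifindex))),
    ])
    # 0xA7 = [7] SNMPv2-Trap-PDU: request-id, error-status, error-index, varbind list
    pdu = _tlv(0xA7, _tlv(0x02, _int(request_id)) + _tlv(0x02, _int(0)) + _tlv(0x02, _int(0))
               + _tlv(0x30, varbinds))
    return _tlv(0x30, _tlv(0x02, _int(SNMP_V2C)) + _tlv(0x04, community.encode()) + pdu)


# --- BER decoding --------------------------------------------------------------
def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


@dataclass
class Trap:
    version: int
    community: str      # clear text on the wire: the only "credential" SNMPv2c has
    trap_oid: str
    varbinds: dict


def decode_trap(msg):
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)
    ptag, pdu, _ = _read_tlv(body, pos)
    if ptag != 0xA7:
        raise ValueError("not an SNMPv2-Trap PDU")
    p = 0
    for _ in range(3):                  # skip request-id, error-status, error-index
        _, _, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, q = {}, 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oidb, r = _read_tlv(vb, 0)
        vtag, valb, _ = _read_tlv(vb, r)
        if vtag == 0x06:
            val = _decode_oid(valb)
        elif vtag in (0x02, 0x43):
            val = int.from_bytes(valb, "big", signed=(vtag == 0x02))
        else:
            val = valb
        varbinds[_decode_oid(oidb)] = val
    return Trap(int.from_bytes(ver, "big", signed=True), comm.decode("ascii", "replace"),
                varbinds.get(SNMP_TRAP_OID), varbinds)


def link_event(trap):
    """('linkUp' | 'linkDown', ifIndex) for a link trap, None for any other trap."""
    if trap.trap_oid not in (LINK_UP, LINK_DOWN):
        return None
    for oid, val in trap.varbinds.items():
        if oid.startswith(IF_INDEX + "."):
            return ("linkUp" if trap.trap_oid == LINK_UP else "linkDown", val)
    return None


if __name__ == "__main__":
    wire = encode_link_trap("public", 123456, 10001)       # constructed values
    print(wire.hex())
    print(link_event(decode_trap(wire)))
```

`decode_trap` is deliberately strict about the PDU tag: a v1 Trap-PDU (0xA4) has a different layout, so feeding one here raises instead of silently misreading the varbinds.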
2900XL/3500XL Series
SNMP | linkUp/linkDown
Global config settings:
On each interface without VoIP:
On each interface with VoIP:
2950
Those switches are now supported using 802.1X for networks with or without VoIP. You can also use port-security with static MAC addresses, but we cannot secure a MAC on the data VLAN specifically, so enable it if there is no VoIP and use linkUp/linkDown and MAC notification otherwise. So for a setup that needs to handle VoIP with this switch, go with an 802.1X configuration.
802.1X
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
    dot1x system-auth-control
AAA configuration:
    aaa new-model
    aaa group server radius packetfence
    server 192.168.1.5 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication dot1x default group packetfence
    aaa authorization network default group packetfence
RADIUS server configuration:
On each interface without VoIP:
On each interface with VoIP:
Port-Security
Caution
With port-security, if no MAC is connected on ports when activating port-security, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. On the other hand, if a MAC is actually connected when you enable port security, you must secure this MAC rather than the bogus one. Otherwise this MAC will lose its connectivity instantly.
Global config settings without VoIP:
On each interface without VoIP:
where xx stands for the interface ifIndex.
ifIndex mapping
Use the following templates for interface ifIndex in bogus MAC addresses (0200.0000.00xx):
- Fa0/1 to Fa0/48: ifIndex 1 to 48
- Gi0/1 to Gi0/2: ifIndex 49 to 50
Global config settings with VoIP:
On each interface with VoIP:
2960
Caution
For 802.1X and MAB configurations, refer to the section below.
Port Security for IOS earlier than 12.2(46)SE
Global config settings:
On each interface without VoIP:
where xxxxx stands for the interface ifIndex
On each interface with VoIP:
where xxxxx stands for the interface ifIndex
ifIndex mapping
Use the following templates for interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
- Fa0/1 to Fa0/48: ifIndex 10001 to 10048
- Gi0/1 to Gi0/48: ifIndex 10101 to 10148
Port Security for IOS 12.2(46)SE or greater
Since PacketFence 2.2.1, the way to handle VoIP when using port-security has dramatically changed. Ensure that you follow the instructions below. To make the story short, instead of relying on the dynamic MAC learning for VoIP, we use a static entry on the voice VLAN so we can trigger a new security violation, and then authorize the phone MAC address on the network.
Global config settings:
On each interface without VoIP:
where xxxxx stands for the interface ifIndex
On each interface with VoIP:
where xxxxx stands for the interface ifIndex
ifIndex mapping
Use the following templates for interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
- Fa0/1 to Fa0/48: ifIndex 10001 to 10048
- Gi0/1 to Gi0/48: ifIndex 10101 to 10148
2970, 3560, 3550, 3750
Caution
The Catalyst 3550 does not support 802.1X with Multi-Domain; it can only support 802.1X with MAB using Multi-Host, MAB, and Port-Security.
802.1X with MAC Authentication bypass (Multi Domain)
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
    dot1x system-auth-control
On each interface:
AAA Groups and Configuration:
    aaa new-model
    aaa group server radius packetfence
    server 192.168.1.5 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication dot1x default group packetfence
    aaa authorization network default group packetfence
RADIUS server configuration:
CoA configuration
Activate SNMPv1 on the switch:
802.1X with MAC Authentication bypass (Multi Host)
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
    dot1x system-auth-control
On each interface:
AAA Groups and Configuration:
    aaa new-model
    aaa group server radius packetfence
    server 192.168.1.5 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication dot1x default group packetfence
    aaa authorization network default group packetfence
RADIUS server configuration:
CoA configuration
Activate SNMPv1 on the switch:
MAC Authentication bypass only
Warning
Make sure that you have a local account, because enabling 802.1X or MAB will ask for a username and password on the next login.
Global config settings:
    dot1x system-auth-control
On each interface:
AAA Groups and Configuration:
    aaa new-model
    aaa group server radius packetfence
    server 192.168.1.5 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication dot1x default group packetfence
    aaa authorization network default group packetfence
RADIUS server configuration:
CoA configuration
Activate SNMPv1 on the switch:
802.1X on various models of 2960
There are a lot of different versions of the Catalyst 2960 series. Some of them may not accept the commands stated in this guide for 802.1X.
We have found a couple of commands that are working great for MAB:
On each interface:
But, as it is difficult for us to maintain the whole list of commands to configure each and every different model of 2960 with different IOS versions, please refer to the Cisco documentation for very specific cases.
Port-Security
Global config settings:
On each interface without VoIP:
where xxxxx stands for the interface ifIndex
On each interface with VoIP:
where xxxxx stands for the interface ifIndex
ifIndex mapping
Use the following templates for interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
- Fa0/1 to Fa0/48: ifIndex 10001 to 10048
- Gi0/1 to Gi0/48: ifIndex 10101 to 10148
Webauth
The Catalyst 2960 supports web authentication from IOS 12.2.55SE3. This procedure has been tested on IOS 15.0.2SE5.
In this example, the ACL for registration is redirect and the ACL for registered devices is registered.
Configure the global configuration of the switch using the section MAC Authentication bypass only of the 2960 in this document.
Then add this additional configuration at the global level:
    ip dhcp snooping
    ip device tracking
    nmsp enable
    udld enable
    ip http server
    ip http secure-server
    snmp-server community public RO
    snmp-server community private RW
Add the required access lists:
Then on each controlled interface:
PacketFence switch configuration
- Select the type Cisco Catalyst 2960 with WebAuth
- Set Portal URL to http://<your_captive_portal_ip>
- Set the Registration role to redirect
- Set your registered roles to registered
Screenshots of this configuration are available in the Cisco WLC section of this guide.
Downloadable ACLs
The Catalyst 2960 supports RADIUS-pushed ACLs, which means that you can define the ACLs centrally in PacketFence without configuring them in your switches, and their rules will be applied to the switch during the authentication.
These ACLs are defined by role like the VLANs, which means you can define different ACLs for your registration VLAN, production VLAN, guest VLAN, etc.
Before continuing, configure your switch to be in MAC authentication bypass or 802.1X.
Now in the PacketFence interface go in the switch configuration and in the Roles tab.
Check Role by access list and you should now be able to configure the access lists as below.
For example, if you want the users that are in the registration VLAN to only use HTTP, HTTPS, DNS and DHCP, you can configure this ACL in the registration category.
Suppose now, for example, that your normal users are placed in the default category and your guests in the guest category, and that the default category uses the network 192.168.5.0/24 while your guest network uses 192.168.10.0/24.
You can prevent communications between both networks using these access lists.
You could also only prevent your guest users from using shared directories.
Or you could also restrict your users to use only your DNS server, where 192.168.5.2 is your DNS server.
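A way to check a downloadable-ACL rule set against the three policies described above before pushing it through a PacketFence role, as an added example that is not PacketFence code and not the dACL syntax the switch receives: a tiny first-match ACL model with the implicit deny an IOS access list ends with, plus constructed sample flows carrying the verdict the text calls for (registration role: only HTTP, HTTPS, DNS and DHCP; guests in 192.168.10.0/24 cut off from 192.168.5.0/24; DNS only to 192.168.5.2). `Rule`, `Flow` and the 203.0.113.x addresses are this example's own.

```python
"""Regression-test ACL rule sets against a stated policy (added example, not PacketFence code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _net(cidr):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def matches(rule, flow):
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return ip_address(flow.src) in _net(rule.src) and ip_address(flow.dst) in _net(rule.dst)


def evaluate(rules, flow):
    """First matching entry wins; no match is the implicit deny at the end of an IOS ACL."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def policy_failures(rules, cases):
    """(flow, expected, actual) for every case where the rule set disagrees with the policy."""
    return [(f, want, evaluate(rules, f)) for f, want in cases if evaluate(rules, f) != want]


# Registration role: DHCP, DNS, HTTP and HTTPS only; everything else falls to the implicit deny.
REGISTRATION = [
    Rule("permit", "udp", "any", "any", 67),
    Rule("permit", "udp", "any", "any", 53),
    Rule("permit", "tcp", "any", "any", 53),
    Rule("permit", "tcp", "any", "any", 80),
    Rule("permit", "tcp", "any", "any", 443),
]
# Guest role: nothing towards the default-category network, anything else allowed.
GUEST = [
    Rule("deny", "ip", "192.168.10.0/24", "192.168.5.0/24"),
    Rule("permit", "ip", "any", "any"),
]
# Default role variant: DNS only to the local resolver 192.168.5.2.
DNS_ONLY = [
    Rule("permit", "udp", "any", "192.168.5.2/32", 53),
    Rule("deny", "udp", "any", "any", 53),
    Rule("permit", "ip", "any", "any"),
]

# Constructed sample flows (203.0.113.0/24 is documentation address space) with the expected verdict.
REGISTRATION_CASES = [
    (Flow("tcp", "10.0.2.15", "203.0.113.10", 443), "permit"),
    (Flow("udp", "10.0.2.15", "10.0.2.1", 53), "permit"),
    (Flow("udp", "0.0.0.0", "255.255.255.255", 67), "permit"),
    (Flow("tcp", "10.0.2.15", "203.0.113.10", 22), "deny"),
]
GUEST_CASES = [
    (Flow("tcp", "192.168.10.20", "192.168.5.10", 445), "deny"),   # shared directories on the default network
    (Flow("tcp", "192.168.10.20", "203.0.113.10", 443), "permit"),
]
DNS_CASES = [
    (Flow("udp", "192.168.5.30", "192.168.5.2", 53), "permit"),
    (Flow("udp", "192.168.5.30", "203.0.113.53", 53), "deny"),
]

if __name__ == "__main__":
    for name, rules, cases in (("registration", REGISTRATION, REGISTRATION_CASES),
                               ("guest", GUEST, GUEST_CASES),
                               ("dns-only", DNS_ONLY, DNS_CASES)):
        failures = policy_failures(rules, cases)
        print(name, "OK" if not failures else failures)
```

The point of the model is ordering: swapping the two `DNS_ONLY` entries, or putting the `permit ip any any` first in `GUEST`, makes `policy_failures` report exactly which sample flow now gets the wrong verdict, which is the mistake that is hardest to spot once the list lives in a role's access-list box.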
Stacked 29xx, Stacked 35xx, Stacked 3750, 4500 Series, 6500 Series
The 4500 Series and all the stacked switches work exactly the same way as if they were not stacked, so the configuration is the same: they support port-security with static MAC addresses and allow us to secure a MAC on the data VLAN, so we enable it whether there is VoIP or not.
We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
Global config settings:
On each interface without VoIP:
On each interface with VoIP:
where xxxxx stands for the interface ifIndex
ifIndex mapping
Use the following templates for interface ifIndex in bogus MAC addresses (0200.000x.xxxx):
- Fa1/0/1 to Fa1/0/48: ifIndex 10001 to 10048
- Gi1/0/1 to Gi1/0/48: ifIndex 10101 to 10148
- Fa2/0/1 to Fa2/0/48: ifIndex 10501 to 10548
- Gi2/0/1 to Gi2/0/48: ifIndex 10601 to 10648
- Fa3/0/1 to Fa3/0/48: ifIndex 11001 to 11048
- Gi3/0/1 to Gi3/0/48: ifIndex 11101 to 11148
- Fa4/0/1 to Fa4/0/48: ifIndex 11501 to 11548
- Gi4/0/1 to Gi4/0/48: ifIndex 11601 to 11648
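The ifIndex mapping tables of the 2950, 2960 and stacked-switch sections turned into a small generator, as an added example that is not PacketFence code: it reads the tables as "write the decimal ifIndex into the x positions of the template, zero-padded on the left" (10001 becomes 0200.0001.0001, 49 becomes 0200.0000.0049) and derives the stacked ifIndex from the member number with the step of 500 visible between members 1 to 4; that step is an assumption beyond member 4, as is any port above 48. The same template filling covers the Foundry form 0200.00xx.xxxx used later in this chapter. Function names and the interface list in the usage block are this example's own.

```python
"""Generate port-security bogus MACs from the guide's ifIndex tables (added example, not PacketFence code)."""
import re

# Interface names as the guide writes them: Fa0/12, Gi0/1, Fa3/0/7 (stack member first).
_IFACE = re.compile(r"^(Fa|Gi)(?:(\d+)/)?0/(\d+)$")

# Non-stacked Catalyst (2960, 2970, 3550, 3560, 3750): Fa0/N -> 10000+N, Gi0/N -> 10100+N.
# Stacked members step by 500 (read from the four members the guide lists; assumption beyond 4).
_BASE = {"Fa": 10000, "Gi": 10100}
_STACK_STEP = 500


def catalyst_ifindex(name, model="2960"):
    """ifIndex for an interface name according to the guide's tables for the given model family."""
    m = _IFACE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name}")
    speed, member, port = m.group(1), m.group(2), int(m.group(3))
    if not 1 <= port <= 48:
        raise ValueError("the guide's tables cover ports 1-48 only")
    if model == "2950":
        # 2950 table: Fa0/1..Fa0/48 -> 1..48, Gi0/1..Gi0/2 -> 49..50, no stacking
        if member is not None:
            raise ValueError("the 2950 table has no stack members")
        if speed == "Fa":
            return port
        if port > 2:
            raise ValueError("the 2950 table lists two Gi uplinks only")
        return 48 + port
    stack = int(member) if member is not None else 1
    if not 1 <= stack <= 4:
        raise ValueError("the guide's stacked table covers members 1-4 only")
    return _BASE[speed] + (stack - 1) * _STACK_STEP + port


def bogus_mac(ifindex, template="0200.000x.xxxx"):
    """Fill the x positions of a template with the zero-padded decimal ifIndex."""
    slots = template.count("x")
    digits = str(ifindex)
    if len(digits) > slots:
        raise ValueError(f"ifIndex {ifindex} does not fit template {template}")
    filler = iter(digits.rjust(slots, "0"))
    return "".join(next(filler) if c == "x" else c for c in template)


def port_security_table(interfaces, model="2960"):
    """(interface, ifIndex, bogus MAC) rows, using the template the guide gives for that model."""
    template = "0200.0000.00xx" if model == "2950" else "0200.000x.xxxx"
    rows = []
    for name in interfaces:
        idx = catalyst_ifindex(name, model)
        rows.append((name, idx, bogus_mac(idx, template)))
    return rows


if __name__ == "__main__":
    for row in port_security_table(["Fa0/1", "Gi0/2", "Fa2/0/48", "Gi4/0/1"]):
        print("%-10s ifIndex %-6d bogus MAC %s" % row)
```

Generating the addresses rather than typing them matters for the caution given earlier in this section: a port that already has a real MAC on it must be secured with that MAC, so the generated row for that port is the one to replace by hand, and a typo in the others would silently leave a port that never traps.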
Router ISR 1800 Series
PacketFence supports the 1800 series Router with linkUp/linkDown traps. It cannot do anything about the router interfaces (i.e. fa0 and fa1 on a 1811). The ifIndex of VLAN interfaces should also be marked as uplinks in the PacketFence switch configuration, as they generate traps but are of no interest to PacketFence (layer 3).
Global config settings:
On each interface:
D-Link
PacketFence supports D-Link switches without VoIP using two different trap types:
- linkUp/linkDown
- MAC Notification
We recommend to enable linkUp/linkDown and MAC notification together.
Don't forget to update the startup config!
DES3526/3550
Global config settings:
To be contributed...
On each interface:
To be contributed...
DGS3100/3200
Enable MAC notification:
    enable mac_notification
    config mac_notification interval 1 historysize 1
    config mac_notification ports 1:1-1:24 enable
Enable linkup/linkdown notification:
Add SNMP host:
Enable MAC based access control:
    enable mac_based_access_control
    config mac_based_access_control authorization attributes radius enable local disable
    config mac_based_access_control method radius
    config mac_based_access_control password useStrongerSecret
    config mac_based_access_control password_type manual_string
    config mac_based_access_control max_users no_limit
    config mac_based_access_control trap state enable
    config mac_based_access_control log state enable
On each interface:
Dell
Force10
PacketFence supports this switch using RADIUS, MAC-Authentication and 802.1X.
Global config settings:
MAB interface configuration:
802.1X interface configuration:
PowerConnect 3424
PacketFence supports this switch using linkUp/linkDown traps.
Global config settings:
To be contributed...
On each interface:
To be contributed...
EdgecorE
PacketFence supports Edge-corE switches without VoIP using linkUp/linkDown traps.
PacketFence also supports MAC authentication on the Edge-corE 4510.
3526XA and 3528M
Global config settings:
4510
Basic configuration:
    network-access aging
    snmp-server community private rw
    snmp-server community public rw
On each controlled interface:
Enterasys
PacketFence supports Enterasys switches without VoIP using two different trap types:
- linkUp/linkDown
- MAC Locking (Port Security with static MACs)
We recommend to enable MAC locking only.
Don't forget to update the startup config!
Matrix N3
linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.
Also, by default this switch doesn't do an electrical low-level linkDown when setting the port to admin down. So we need to activate a global option called forcelinkdown to enable this behaviour. Without this option, clients don't understand that they lost their connection and they never do a new DHCP on VLAN change.
Global config settings:
On each interface:
where xx stands for the interface index.
SecureStack C2
linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.
Global config settings:
On each interface:
where xx stands for the interface index.
SecureStack C3
This switch has the particular feature of allowing more than one untagged egress VLAN per port. This means that you must add all the VLANs created for PacketFence as untagged egress VLANs on the relevant interfaces. This is why there is a VLAN command on each interface below.
linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.
Global config settings:
On each interface:
where xx stands for the interface index.
Standalone D2
linkUp/linkDown traps are enabled by default, so we disable them and enable MAC locking only.
Caution
This switch accepts multiple untagged VLANs per port when configured through SNMP. This is problematic because on some occasions the untagged VLAN port list can become inconsistent with the switch's running config. To fix that, clear all untagged VLANs of a port even if the CLI interface doesn't show them. To do so, use: clear vlan egress <vlans> <ports>
Global config settings:
On each interface:
where xx stands for the interface index.
Extreme Networks
PacketFence supports Extreme Networks switches using:
- linkUp/linkDown
- MAC Address Lockdown (Port Security)
- Netlogin - MAC Authentication
- Netlogin - 802.1X
Don't forget to save the configuration!
All ExtremeXOS based switches
In addition to the SNMP and VLAN settings, this switch needs the Web Services to be enabled and an administrative username and password provided in its PacketFence configuration for Web Services.
MAC Address Lockdown (Port-Security)
linkUp/linkDown traps are enabled by default, so we disable them and enable MAC Address Lockdown only.
Global config settings without Voice over IP (VoIP):
where <portlist> are the ports you want to secure. It can be an individual port or a port range with a dash.
Global config settings with Voice over IP (VoIP):
where <portlist> are the ports you want to secure. It can be an individual port or a port range with a dash.
MAC Authentication
AAA Configuration
Netlogin (Mac Authentication)
802.1X
AAA Configuration
Netlogin (802.1X)
Note
You can mix MAC Authentication and 802.1X on the same switch port. If the device fails 802.1X authentication, it will roll back to MAC Authentication.
Foundry
FastIron 4802
PacketFence supports this switch with optional VoIP using two different trap types:
- linkUp/linkDown
- Port Security (with static MACs)
We recommend to enable Port Security only.
Don't forget to update the startup config!
Those switches support port-security with static MAC addresses and allow us to secure a MAC on the data VLAN, so we enable it whether there is VoIP or not.
We need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
Global config settings:
On each interface without VoIP:
    int eth xx
    port security
    enable
    maximum 1
    secure 0200.0000.00xx 0
    violation restrict
where xx stands for the interface ifIndex.
With VoIP a little more work needs to be performed. Instead of the no-VoIP config, put in the following config:
    conf t
    vlan <mac-detection-vlan>
    untagged eth xx
    vlan <voice-vlan>
    tagged eth xx
    int eth xx
    dual-mode <mac-detection-vlan>
    port security
    maximum 2
    secure 0200.00xx.xxxx <mac-detection-vlan>
    secure 0200.01xx.xxxx <voice-vlan>
    violation restrict
    enable
where xxxxxx stands for the interface number (filled with zeros), <voice-vlan> for your voice VLAN number and <mac-detection-vlan> for your mac-detection VLAN number.
Huawei
AC6605Controller
PacketFencesupportsthiscontrollerwiththefollowingtechnologies:
Wireless 802.1X
Wireless MAC Authentication
Controller configuration
Set up the NTP server:
<AC>system-view
[AC] ntp-service unicast-server 208.69.56.110
Set up the RADIUS server (IP address of PacketFence) for authentication and accounting:
Note
In this configuration I will use the IP address of the VIP of PacketFence: 192.168.1.2; Registration VLAN: 145, Isolation VLAN: 146
<AC>system-view
[AC] radius-server template radius_packetfence
[AC-radius-radius_packetfence] radius-server authentication 192.168.1.2 1812 weight 80
[AC-radius-radius_packetfence] radius-server accounting 192.168.1.2 1813 weight 80
[AC-radius-radius_packetfence] radius-server shared-key cipher s3cr3t
[AC-radius-radius_packetfence] undo radius-server user-name domain-included
[AC-radius-radius_packetfence] quit
[AC] radius-server authorization 192.168.1.2 shared-key cipher s3cr3t server-group radius_packetfence
[AC] aaa
[AC-aaa] authentication-scheme radius_packetfence
[AC-aaa-authen-radius_packetfence] authentication-mode radius
[AC-aaa-authen-radius_packetfence] quit
[AC-aaa] accounting-scheme radius_packetfence
[AC-aaa-accounting-radius_packetfence] accounting-mode radius
[AC-aaa-accounting-radius_packetfence] quit
Create a secure dot1x SSID
Activate dot1x globally:
<AC>system-view
[AC] dot1x enable
Create your secure dot1x SSID:
Configure WLAN-ESS0 interfaces:
Configure AP parameters:
Configure radios for APs:
[AC] wlan
[AC-wlan-view] wmm-profile name huawei-ap
[AC-wlan-wmm-prof-huawei-ap] quit
[AC-wlan-view] radio-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] radio-type 80211gn
[AC-wlan-radio-prof-huawei-ap] wmm-profile name huawei-ap
[AC-wlan-radio-prof-huawei-ap] quit
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name huawei-ap
Warning: Modify the Radio type may cause some parameters of Radio resume default value, are you sure to continue?[Y/N]: y
[AC-wlan-radio-1/0] quit
Configure a security profile named huawei-ap. Set the security policy to WPA authentication, the authentication method to 802.1X+PEAP, and the encryption mode to CCMP:
Configure a traffic profile:
Configure service sets for APs, and set the data forwarding mode to direct forwarding:
The direct forwarding mode is used by default.
Configure VAPs and deliver configurations to the APs:
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name PacketFence-dot1x
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1
Create your Open SSID
Activate mac-auth globally:
<AC>system-view
[AC] mac-authen
[AC] mac-authen username macaddress format with-hyphen
[AC] mac-authen domain your.domain.com
Create your Open SSID:
Configure WLAN-ESS1 interfaces:
Configure AP parameters:
Configure a security profile named huawei-ap-wep. Set the security policy to WEP authentication.
[AC] wlan
[AC-wlan-view] security-profile name huawei-ap-wep
[AC-wlan-sec-prof-huawei-ap-wep] security-policy wep
[AC-wlan-sec-prof-huawei-ap-wep] quit
Configure service sets for APs, and set the data forwarding mode to direct forwarding:
The direct forwarding mode is used by default.
Configure VAPs and deliver configurations to the APs:
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] service-set name PacketFence-WEP
[AC-wlan-radio-1/0] quit
[AC-wlan-view] commit ap 1
H3C
S5120 Switch series
PacketFence supports these switches with the following technologies:
802.1X (with or without VoIP)
802.1X with MAC Authentication fallback (with or without VoIP)
MAC Authentication (with or without VoIP)
802.1X
Radius scheme creation:
ISP-Domain creation:
domain packetfence
authentication default radius-scheme packetfence
authentication lan-access radius-scheme packetfence
authorization lan-access radius-scheme packetfence
SNMP settings:
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c
Global configuration:
port-security enable
dot1x authentication-method eap
Global configuration (with VoIP):
Add the following to the previous global configuration.
Interfaces configuration:
Interfaces configuration (with VoIP):
Add the following to the previous interfaces configuration.
802.1X with MAC Authentication fallback
Since MAC Authentication is used as a fallback to 802.1X, use the previous 802.1X configuration and add the following.
This configuration is the same with or without VoIP.
Global configuration:
Interfaces configuration:
mac-authentication guest-vlan 5
port-security port-mode userlogin-secure-or-mac
MAC Authentication
Radius scheme creation:
ISP-Domain creation:
domain packetfence
authentication default radius-scheme packetfence
authentication lan-access radius-scheme packetfence
authorization lan-access radius-scheme packetfence
SNMP settings:
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v2c
Global configuration:
port-security enable
mac-authentication domain packetfence
Global configuration (with VoIP):
Add the following to the previous global configuration.
Interfaces configuration:
Interfaces configuration (with VoIP):
Add the following to the previous interfaces configuration.
HP
E4800G and E5500G Switch series
These are re-branded 3Com switches; see the 3Com section for their documentation.
HP ProCurve
PacketFence supports ProCurve switches without VoIP using two different trap types:
linkUp/linkDown
Port Security (with static MACs)
We recommend enabling Port Security only.
Don't forget to update the startup config!
Note
HP ProCurve only sends one security trap to PacketFence per security violation, so make sure PacketFence is running when you configure port-security. Also, because of the above limitation, it is considered good practice to reset the intrusion flag as a first troubleshooting step.
If you want to learn more about the intrusion flag and port-security, please refer to the ProCurve documentation.
Caution
If you configure a switch that is already in production, be careful: enabling port-security causes active MAC addresses to be automatically added to the intrusion list without a security trap being sent to PacketFence. This is undesired because PacketFence will not be notified that it needs to configure the port. As a work-around, unplug clients before activating port-security, or remove the intrusion flag after you enabled port-security with: port-security <port> clear-intrusion-flag.
2500 Series
linkUp/linkDown traps are enabled by default so we disable them and enable Port Security only.
On 2500s, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
Global config settings:
On each interface:
where xx stands for the interface index
2600 Series and 3400cl Series
Port-Security
linkUp/linkDown traps are enabled by default so we disable them and enable Port Security only.
On 2600s, we don't need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port.
Global config settings
On each interface:
where xx stands for the interface index
MAC Authentication (Firmware > 11.72)
In order to enable RADIUS MAC authentication on the ports, you first need to join the ports to either the registration or the mac detection VLAN (as a security measure).
Next, define the RADIUS server host:
Since HP now supports server-group, let's create a group for the MAC authentication. Another one can be used for management access:
Configure the AAA authentication for MAC authentication to use the proper server-group:
Finally, enable MAC authentication on all necessary ports:
Don't forget to permit address moves and the reauth period. x represents the port index:
(Thanks to Jean-Francois Laporte for this contribution)
4100, 5300, 5400 Series
Port-Security
linkUp/linkDown traps are enabled by default and we have not found a way yet to disable them, so do not forget to declare the trunk ports as uplinks in the switch config file.
On 4100s, we need to secure bogus MAC addresses on ports in order for the switch to send a trap when a new MAC appears on a port. The ports are indexed differently on 4100s: it's based on the number of modules you have in your 4100, each module being indexed with a letter.
Global config settings
You should configure interfaces like this:
MAC Authentication (with VoIP)
In order to have MAC Authentication working with VoIP, you need to ensure that the Voice VLAN is tagged on all the ports first. You also need to activate lldp notification on all ports that will handle VoIP. Finally, make sure to change the value of the $VOICEVLANAME variable in the Procurve 5400 module's source code.
RADIUS configuration
MAC Authentication
802.1X (with VoIP)
Same as MAC Authentication, you need to ensure that the Voice VLAN is tagged on all the ports first if using 802.1X. You also need to activate lldp notification on all ports that will handle VoIP. Finally, make sure to change the value of the $VOICEVLANAME variable in the Procurve 5400 module's source code.
RADIUS configuration
802.1X
Huawei
PacketFence supports the S5710 switch from Huawei.
Basic configuration
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
domain pf
dot1x enable
dot1x dhcp-trigger
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme abc
accounting-mode radius
domain pf
authentication-scheme abc
accounting-scheme abc
radius-server packetfence
snmp-agent
snmp-agent local-engineid 800007DB0304F9389D2360
snmp-agent community write cipher <privateKey>
snmp-agent sys-info version v2c v3
MAC authentication
interface GigabitEthernet0/0/8
dot1x mac-bypass mac-auth-first
dot1x mac-bypass
dot1x max-user 1
dot1x reauthenticate
dot1x authentication-method eap
802.1X
interface GigabitEthernet0/0/8
dot1x mac-bypass
dot1x max-user 1
dot1x reauthenticate
dot1x authentication-method eap
Intel
Express 460 and Express 530
PacketFence supports these switches without VoIP using one trap type:
linkUp/linkDown
Exact command-line configuration to be contributed
Juniper
PacketFence supports Juniper switches in MAC Authentication (Juniper's MAC RADIUS) mode and 802.1X. PacketFence supports VoIP on the EX2200 (JUNOS 12.6) and EX4200 (JUNOS 13.2)
protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                        flap-on-disconnect;
                    }
                }
            }
        }
    }
}
access {
    radius-server {
        192.168.1.5 {
            port 1812;
            secret "useStrongerSecret";
        }
    }
    profile packetfence {
        authentication-order radius;
        radius {
            authentication-server 192.168.1.5;
            accounting-server 192.168.1.5;
        }
        accounting {
            order radius;
            accounting-stop-on-failure;
            accounting-stop-on-access-deny;
        }
    }
}
ethernet-switching-options {
    secure-access-port {
        interface access-ports {
            mac-limit 1 action drop;
        }
    }
}
Change the interface-range statement to reflect the ports you want to secure with PacketFence.
VoIP configuration
# load replace terminal
[Type ^D at a new line to end input]
protocols {
    lldp {
        advertisement-interval 5;
        transmit-delay 1;
        ptopo-configuration-trap-interval 1;
        lldp-configuration-notification-interval 1;
        interface all;
    }
    lldp-med {
        interface all;
    }
}
ethernet-switching-options {
    secure-access-port {
        interface access-ports {
            mac-limit 2 action drop;
        }
    }
    voip {
        interface access-ports {
            vlan voice;
            forwarding-class voice;
        }
    }
}
vlans {
    voice {
        vlan-id 3;
    }
}
Ctrl-D
# commit comment "packetfenced VoIP"
802.1X configuration
protocols {
    dot1x {
        authenticator {
            authentication-profile-name packetfence;
            interface {
                access-ports {
                    supplicant multiple;
                    mac-radius;
                }
            }
        }
    }
}
Ctrl-D
# commit comment "packetfenced dot1x"
LG-Ericsson
PacketFence supports iPECS series switches without VoIP using two different trap types:
linkUp/linkDown
Port Security (with static MACs)
On some recent models, we can also use more secure and robust features, like:
MAC Authentication
802.1X
ES-4500G Series
LinkUp/LinkDown
Firmware 1.2.3.2 is required for linkUp/linkDown
Prior to config, make sure to create all necessary VLANs and configure the appropriate uplink port.
Global config settings
Firmware is kinda buggy so you'll need to enable linkUp/linkDown using the Web Interface under Administration > SNMP.
Some reports show that the switch doesn't always send linkDown traps.
On each interface (except uplink)
Port-Security
Firmware 1.2.3.2 is required for port-security.
Prior to config, make sure to create all necessary VLANs and configure the appropriate uplink port.
Global config settings
On each interface (except uplink)
The above port security command may not work using the CLI. In this case, use the Web Interface under the Security > Port Security menu and enable each port using the checkboxes.
It is also recommended, when using port-security, to disable link-change (UP/DOWN) traps.
Don't forget to update the startup config!
Linksys
PacketFence supports Linksys switches without VoIP using one trap type:
linkUp/linkDown
Don't forget to update the startup config!
SRW224G4
Global config settings
On each interface
Netgear
The "web-managed smart switch" models GS108Tv2/GS110/GS110TP are supported with Link up/down traps only.
Higher-end "fully managed" switches including FSM726v1 are supported in Port Security mode.
FSM726/FSM726S version 1
PacketFence supports FSM726/FSM726S version 1 switches without VoIP in Port Security mode (with static MACs), called Trusted MAC table on Netgear's hardware.
Using the HTTP GUI, follow the steps below to configure this feature. Of course, you must create all your VLANs on the switch as well.
SNMP Settings
In Advanced > SNMP > Community Table, create a read-write community string and a trap community string. You can use the same community for all 3 functions (Get, Set, Trap).
Next, under Advanced > SNMP > Host Table, enable the Host Authorization feature and add the PacketFence server to the allowed host list.
Finally, under Advanced > SNMP > Trap Setting, enable the authentication trap.
Trusted MAC Security
Under Advanced > Advanced Security > Trusted MAC Address, create a fake MAC address per port (i.e. 02:00:00:00:00:xx where xx is the port number). This will have the effect of sending a security trap to PacketFence when a new device plugs into the port.
Don't forget to save the configuration!
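The per-port bogus addresses that the Foundry FastIron section and the Netgear Trusted MAC step above both rely on are easy to get wrong by hand on a 48-port switch (a duplicate address, or one that is not locally administered, silently weakens the trap mechanism). The following generator is an added example, not part of this guide or of PacketFence. It assumes the port index is written into the address as zero-padded decimal digits, which is how the guide's "xx" placeholders read; any scheme works as long as each port gets a unique address with the locally administered bit set and the multicast bit clear, which is what the checks below enforce. The function names are this example's own.

```python
"""Per-port bogus MAC addresses for static port-security (Foundry "secure" lines and
Netgear Trusted MAC entries). Added example, not from the PacketFence guide."""

LOCALLY_ADMINISTERED = 0x02  # bit 1 of the first octet: not a vendor-assigned (OUI) address
MULTICAST = 0x01             # bit 0 of the first octet: must be clear for a station address


def bogus_mac(port, tag=0):
    """Return the 48-bit address 02:00:<tag>:<port digits> as an int.

    First octet 0x02, second 0x00, third `tag` (0 for the data VLAN entry, 1 for the
    voice VLAN entry of the Foundry VoIP stanza), then the port index as six
    zero-padded decimal digits (assumption: the guide's "xx" read as decimal digits)."""
    if not 1 <= port <= 999999:
        raise ValueError("port index must fit in six digits")
    if not 0 <= tag <= 0xFF:
        raise ValueError("tag must fit in one octet")
    low24 = int(f"{port:06d}", 16)  # the decimal digits are reused as hex nibbles
    return (LOCALLY_ADMINISTERED << 40) | (tag << 24) | low24


def format_dotted(mac):
    """Foundry/Brocade notation, e.g. 0200.0000.0008."""
    digits = f"{mac:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def format_colon(mac):
    """Netgear (and most other) notation, e.g. 02:00:00:00:00:08."""
    digits = f"{mac:012x}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_usable_station_address(mac):
    """True when the address is locally administered and unicast, so it can never
    collide with a vendor-assigned NIC address and is valid as a secured MAC."""
    first_octet = mac >> 40
    return bool(first_octet & LOCALLY_ADMINISTERED) and not (first_octet & MULTICAST)


def foundry_stanza(port, mac_detection_vlan=None, voice_vlan=None):
    """Lines of the guide's per-interface Foundry configuration for one port:
    the no-VoIP form when no VLANs are given, the VoIP form when both are given."""
    if mac_detection_vlan is None and voice_vlan is None:
        return [
            f"int eth {port}",
            "port security",
            "enable",
            "maximum 1",
            f"secure {format_dotted(bogus_mac(port))} 0",
            "violation restrict",
        ]
    if mac_detection_vlan is None or voice_vlan is None:
        raise ValueError("the VoIP form needs both the mac-detection and the voice VLAN")
    return [
        f"vlan {mac_detection_vlan}",
        f"untagged eth {port}",
        f"vlan {voice_vlan}",
        f"tagged eth {port}",
        f"int eth {port}",
        f"dual-mode {mac_detection_vlan}",
        "port security",
        "maximum 2",
        f"secure {format_dotted(bogus_mac(port))} {mac_detection_vlan}",
        f"secure {format_dotted(bogus_mac(port, tag=1))} {voice_vlan}",
        "violation restrict",
        "enable",
    ]


def trusted_mac_table(ports):
    """Netgear Trusted MAC entries as {port: colon-formatted address}, refusing a
    plan that would reuse an address or produce an unusable one."""
    table = {port: format_colon(bogus_mac(port)) for port in ports}
    if len(set(table.values())) != len(table):
        raise ValueError("duplicate bogus address")
    if not all(is_usable_station_address(bogus_mac(port)) for port in ports):
        raise ValueError("unusable station address")
    return table


if __name__ == "__main__":
    print("\n".join(foundry_stanza(8)))
    print("\n".join(foundry_stanza(8, mac_detection_vlan=4, voice_vlan=100)))
    for port, mac in trusted_mac_table(range(1, 27)).items():
        print(f"port {port}: {mac}")
```

Run it as a script to print the stanzas for port 8 and a 26-entry Trusted MAC table; the VLAN numbers passed in the usage lines are the ones assumed in this guide's examples, not values from the Foundry or Netgear sections.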
GS108Tv2/GS110T/GS110TP
PacketFence supports certain lower-end Netgear switches in LinkUp/LinkDown traps. These "web-managed" switches have no command-line interface and only a subset of the port security and 802.1X functionality needed to interoperate with PacketFence in these more advanced modes. There is no way to send a trap upon port security violation, and there is only pure 802.1X, no MAC Address Bypass.
Switch Configuration
It can be difficult to find the advanced features in the web GUI. We recommend using the GUI "Maintenance" tab to Upload the configuration to a file, and then edit it there.
Hints on file upload/download:
From the File Type menu, choose Text Configuration.
If you're uploading to the TFTP root directory, leave Path blank.
At the top of the config file, you need:
vlan database
vlan 1,2,3,4,5
vlan name 1 "Normal"
vlan name 2 "Registration"
vlan name 3 "Isolation"
vlan name 4 "MAC Detection"
vlan name 5 "Guest"
exit
In the same section as "users passwd", you need to specify your PacketFence server's management address:
In the same section as the "voip oui" lines, you need to allow your SNMP server:
You should use port 1 as the uplink. If you connect port 1 of a GS108Tv2 switch into a Power over Ethernet switch, then the GS108Tv2 does not need AC power. If you bought GS110T(P) switches, presumably it's for the SFP uplink option. You'll want to configure both port 1 and the SFP ports 9-10 as trunks:
interface 0/1
no snmp trap link-status
ip dhcp filtering trust
vlan pvid 1
vlan ingressfilter
vlan participation include 1,2,3,4,5
vlan tagging 2,3,4,5
no auto-voip
exit
Each user-facing, PacketFence-managed port should be configured like:
interface 0/2
vlan pvid 4
vlan ingressfilter
vlan participation include 4
no auto-voip
exit
M Series
PacketFence supports the Netgear M series in wired MAC authentication without VoIP.
Switch configuration
---
radius server host auth 192.168.1.5
radius server key auth 192.168.1.5
(then press enter and input your secret)
radius server primary 192.168.1.5
radius server host acct 192.168.1.5
radius server key acct 192.168.1.5
(then press enter and input your secret)
aaa session-id unique
dot1x system-auth-control
aaa authentication dot1x default radius
authorization network radius
radius accounting mode
---
On your uplinks
---
dot1x port-control force-authorized
---
On your interfaces
---
interface 0/x
dot1x port-control mac-based
dot1x timeout guest-vlan-period 1
dot1x mac-auth-bypass
exit
---
Nortel
PacketFence supports Nortel switches with VoIP using one trap type:
Mac Security
Don't forget to update the startup config!
Note
If you are using a 5500 series with a firmware version of 6 or above, you must use a different module called Nortel::BayStack5500_6x in your /usr/local/pf/conf/switches.conf. Indeed, Nortel introduced an incompatible change of behavior in this firmware.
BayStack 470, ERS2500 Series, ERS4500 Series, 4550, 5500 Series and ES325
Global config settings
VoIP support
You need to ensure that all your ports are tagged with the voice VLAN. The switch should do the rest for you.
BPS2000
You can only configure this switch through menus.
Enable MAC Address Security:
SMC
TigerStack 6128L2, 8824M and 8848M
PacketFence supports these switches without VoIP using two different trap types:
linkUp/linkDown
Port Security (with static MACs)
We recommend enabling Port Security only.
Global config settings
On each interface:
TigerStack 6224M
Supports linkUp/linkDown mode
Global config settings
Chapter 5
Wireless Controllers and Access Point Configuration
Assumptions
Throughout this configuration example we use the following assumptions for our network infrastructure:
PacketFence is fully configured with FreeRADIUS running
PacketFence IP address: 192.168.1.5
Normal VLAN: 1
Registration VLAN: 2
Isolation VLAN: 3
MAC Detection VLAN: 4
Guest VLAN: 5
VoIP, Voice VLAN: 100
use SNMP v2c
SNMP community name: public
RADIUS Secret: useStrongerSecret1
Open SSID: PacketFence-Public
WPA-Enterprise SSID: PacketFence-Secure
Unsupported Equipment
Wireless network access configuration is a lot more consistent between vendors. This is due to the fact that the situation is a lot more standardized than the wired side: VLAN assignment is done centrally with RADIUS and the client protocol is consistent (MAC-Authentication or 802.1X). This consistency has the benefit that a lot of the wireless network devices tend to work out-of-the-box with PacketFence. The only missing piece being, in most cases, remote deauthentication of the client, which is used for VLAN assignment (deauth the user so it'll reconnect and get the new VLAN).
So, even if your wireless equipment is not explicitly supported by PacketFence, it's recommended that you give it a try. The next section covers the objectives that you want to accomplish for trying out your equipment even if we don't have configuration for it.
Here are the high-level requirements for proper wireless integration with PacketFence
The appropriate VLANs must exist
Allow the controller to honor VLAN assignments from AAA (sometimes called AAA override)
Put your open SSID (if any) in MAC-Authentication mode and authenticate against the FreeRADIUS hosted on PacketFence
Put your secure SSID (if any) in 802.1X mode and authenticate against the FreeRADIUS hosted on PacketFence.
On registration/isolation VLANs the DHCP traffic must reach the PacketFence server
On your production VLANs a copy of the DHCP traffic must reach PacketFence where a pfdhcplistener listens (configurable in pf.conf under interfaces)
At this point, user registration with the captive-portal is possible and registered users should have access to the appropriate VLANs. However, VLAN changes (like after a registration) won't automatically happen, you will need to disconnect / reconnect. An explanation is provided in the introduction section above about this behavior.
You can try modules similar to your equipment if any (read the appropriate instructions) or you can try to see if RFC 3576 is supported. RFC 3576 covers RADIUS Packet of Disconnect (PoD), also known as Disconnect Messages (DM) or Change of Authorization (CoA). You can try the Aruba module if you want to verify whether RFC 3576 is supported by your hardware.
If none of the above worked then you can fall back to inline enforcement or let us know what equipment you are using on the packetfence-devel mailing list.
AeroHIVE
AeroHIVE products are a bit different compared to the other vendors. They support either a local HiveManager (kind of wireless controller) or a cloud-based HVM. However, the configuration is the same for the local and the cloud-based controller. Note that all the config is made on the HVM and then pushed to the APs.
AAA Client Settings
In the HVM, go to Configuration > AAA Authentication > AAA Client Settings, and insert the proper properties:
Give a RADIUS Name
Add a RADIUS server with Authentication as the server type and primary as the role
Make sure Permit Dynamic Change of Authorization is ticked (RFC 3576)
Public SSID
Again in the HVM, go to Configuration > SSIDs, and create a new SSID with the following:
Give a Profile Name and an SSID Name
Choose Open as the Access Security
Select Enable Mac Authentication
Select your RADIUS server from the RADIUS Server dropdown list
Secure SSID
In the HVM, go to Configuration > SSIDs, and create a new SSID with the following:
Give a Profile Name and an SSID Name
Choose WPA2 Enterprise as the Access Security
Select WPA2-802.1X as the key management
Select CCMP as the encryption method
Select your RADIUS server from the RADIUS Server dropdown list
Roles (User Profiles)
Since PacketFence 3.3.0, we now support user profiles on the AeroHIVE hardware. To build a User Profile, go to Configuration > User Profiles, and create what you need. When you define the switch definition in PacketFence, the role will match the User Profile attribute number. Example
roles=CategoryStudent=1;CategoryStaff=2
And in the AeroHIVE configuration, you have:
Last step is to allow the User Profile to be returned for a particular SSID. Go to Configuration > SSIDs > Your_SSID > User Profiles for Traffic Management, and select the User Profiles you will return for the devices.
Note
The VLAN ID is NOT returned by PacketFence if a role is available for a given category. The VLAN ID needs to be configured in the User Profile definition on the AeroHIVE side.
Caching and Roaming
AeroHIVE have a session replication feature to ease the EAP session roaming between two access points. However, this may cause problems when you bounce the wireless card of a client: it will not do a new RADIUS request. Two settings can be tweaked to reduce the caching impact, the roaming cache update interval and the roaming cache ageout. They are located in Configuration
> SSIDs > [SSID Name] > Optional Settings > Advanced. The other way to support Roaming is to enable SNMP traps in the AeroHIVE configuration towards the PacketFence server. PacketFence will recognise the ahConnectionChangeEvent and will change the location of the node in its base.
External captive portal
First configure the AAA server as described in the section above in the HiveManager.
Portal configuration
Go in Configuration > Authentication > Captive Web Portals and create a new portal
Select Registration Type = External Authentication
Go in the section Captive Web Portal Login Page Settings, set the Login URL to http://pf_ip/ and Password Encryption to No Encryption
External portal SSID
Again in the HiveManager, go to Configuration > SSIDs, and create a new SSID with the following:
Give a Profile Name and an SSID Name
Choose Open as the Access Security
Select Enable Captive Web Portal
Select your RADIUS server from the RADIUS Server dropdown list
In the guided configuration you will now be able to select your new SSID, the Portal you want to use and the AAA server.
Anyfi
In this section, we cover the basic configuration of the Anyfi Gateway to create a hotspot SSID available on all access points.
This does not cover the configuration of other Anyfi network elements such as the Controller. Please refer to Anyfi Networks' website for relevant documentation.
In this configuration eth0 will be the management interface of the Anyfi Gateway and eth1 will be the interface that will bridge the tagged packets to your network.
Interfaces configuration
interfaces {
    bridge br0 {
        ...
    }
    ethernet eth0 {
        description "Management network"
        address 192.168.0.20/24
    }
    ethernet eth1 {
        description "Wi-Fi client traffic"
        bridge-group {
            bridge br0
        }
    }
}
MAC authentication
This section will allow you to configure the Anyfi-Hotspot SSID that will use MAC authentication.
SSID configuration
service {
    anyfi {
        gateway anyfi-hotspot {
            accounting {
                radius-server 192.168.0.5 {
                    port 1813
                    secret useStrongerSecret
                }
            }
            authorization {
                radius-server 192.168.0.5 {
                    port 1812
                    secret useStrongerSecret
                }
            }
            bridge br0
            controller <Anyfi Controller's IP or FQDN>
            isolation
            nas {
                identifier anyfi
                port 3799
            }
            ssid Anyfi-Hotspot
        }
    }
}
802.1X
This section will allow you to configure the Anyfi-Secure SSID that will authenticate users using 802.1X.
SSID configuration
service {
    anyfi {
        gateway secure-gw {
            accounting {
                radius-server 192.168.0.5 {
                    port 1813
                    secret useStrongerSecret
                }
            }
            authentication {
                eap {
                    radius-server 192.168.0.5 {
                        port 1812
                        secret useStrongerSecret
                    }
                }
            }
            bridge br0
            controller <Anyfi Controller's IP or FQDN>
            isolation
            nas {
                identifier anyfi
                port 3799
            }
            ssid Anyfi-Secure
            wpa2 {
            }
        }
    }
}
Avaya
Wireless Controller (WC)
To be contributed....
Aruba
All ArubaOS
In this section, we cover the basic configuration of the Aruba wireless controller for PacketFence via the web GUI. It was done on an Aruba Controller 200 software version ArubaOS 5.0.3.3, tested on a Controller 600 with ArubaOS 6.0, but it should apply to all Aruba models.
Caution
If you are already using your Aruba controllers and don't want to impact your users, you should create new AAA profiles and apply them to new SSIDs instead of modifying the default ones.
Note
Starting with PacketFence 3.3, Aruba supports role-based access control. Read the Administration Guide under "Role-based enforcement support" for more information about how to configure it on the PacketFence side.
AAA Settings
In the Web interface, go to Configuration > Authentication > RADIUS Server and add a RADIUS server named "packetfence", then edit it:
Set Host to PacketFence's IP (192.168.1.5)
Set the Key to your RADIUS shared secret (useStrongerSecret)
Click Apply
Under Configuration > Authentication > Server Group add a new Server Group named "packetfence", then edit it to add your RADIUS Server "packetfence" to the group. Click Apply.
Under Configuration > Authentication > AAA Profiles click on the "default-mac-auth" profile, then click on MAC Authentication Server Group and choose the "packetfence" server group. Click Apply. Move to the RFC 3576 server sub item and choose PacketFence's IP (192.168.1.5), click add then apply.
Under Configuration > Authentication > AAA Profiles click on the "default-dot1x" profile, then click on 802.1X Authentication Server Group and choose the "packetfence" server group. Click Apply. Move to the RFC 3576 server sub item and choose PacketFence's IP (192.168.1.5), click add then apply.
Public SSID
In the Web interface, go to Configuration > AP Configuration, then edit the "default" AP Group. Go in Wireless LAN > Virtual AP, create a new profile with the following:
AAA Profile: default-mac-auth
SSID Profile: Select NEW then add an SSID (PacketFence-Public) and Network authentication set to None
Secure SSID
In the Web interface, go to Configuration > AP Configuration, then edit the "default" AP Group. Go in Wireless LAN > Virtual AP, create a new profile with the following:
AAA Profile: default-dot1x
SSID Profile: Select NEW then add an SSID (PacketFence-Secure) and Network authentication set to WPA2
Roles
Since PacketFence 3.3.0, we now support roles for the Aruba hardware. To add roles, go in Configuration > Access Control > User Roles > Add. You don't need to force a VLAN usage in the Role since we also send the VLAN ID along with the Aruba User Role in the RADIUS request.
Refer to the Aruba User Guide for more information about the Role creation.
WIPS
In order to use the WIPS feature in PacketFence, please follow those simple steps to send the traps to PacketFence.
First, configure PacketFence to be a trap receiver. Under Configuration > SNMP > Trap Receivers, add an entry for the PF management IP. By default, all traps will be enabled. If you want to disable some, you will need to connect via CLI, and run the snmp-server trap disable <trapname> command.
Aruba Controller 200
In this section, we cover the basic configuration of the Aruba Controller 200 for PacketFence using the command line interface. We suggest you use the instructions above for the Web GUI instead.
VLAN definition
Here, we create our PacketFence VLANs, and our Access Point VLAN (VID 66). It is recommended to isolate the management of the thin APs in a separate VLAN.
vlan 2
vlan 3
vlan 5
vlan 10
vlan 66
AAA Authentication Server
AAA Profiles
WLAN SSIDs: profiles and virtual AP
All Aruba Instant OS
Add your PacketFence instance to your configuration:
wlan auth-server packetfence
ip 192.168.1.5
port 1812
acctport 1813
timeout 10
retry-count 5
key useStrongerSecret
nas-ip [Aruba Virtual Controller IP]
rfc3576
Add dynamic VLAN rules and MAC auth to your SSID profile:
wlan ssid-profile SSID
index 0
type employee
essid ESSID
wpa-passphrase WPA-Passphrase
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 1
auth-server packetfence
set-vlan Tunnel-Private-Group-Id contains 1 1
set-vlan Tunnel-Private-Group-Id contains 4 4
rf-band all
captive-portal disable
mac-authentication
dtim-period 1
inactivity-timeout 1000
broadcast-filter none
radius-reauth-interval 5
dmo-channel-utilization-threshold 90
Belair Networks (now Ericsson)
BE20
The Belair Networks BE20s are fairly easy to configure.
Add VLANs
On the BE20 Web Interface, click on Eth-1-1. By default, there will be nothing in there. You need to first create an untagged VLAN (VLAN 0). In order to do that, you need to set the PVID, Reverse PVID, and the VLAN field to 0. Then click add.
Repeat that step for each of your VLANs by entering the proper VLAN ID in the VLAN field.
AAA Servers
Once you have the VLANs set up, you need to add PacketFence into the AAA Server list. Go to System > Radius Servers. Click on Add server, and fill out the proper information.
Ensure the Enabled checkbox is selected
IP Address: Insert the IP Address of the PacketFence Management Interface
Shared Secret: Insert the shared secret for RADIUS communication
When done, click on the Apply button.
Secure SSID
Since the BE20 doesn't support Open SSID with Mac Authentication, we will only describe how to configure a WPA2-Enterprise SSID. First, we will configure the 5 GHz antenna.
Click on Wifi-1-1 > Access SSID Config. From the Configuration for SSID dropdown, select the 1 entry. Modify the fields like the following:
SSID: Put the SSID Name you would like
Type: Broadcast
Use Privacy Mode: WPA2 (AES) with EAP/DOT1x
RADIUS NAS Identifier: You can put a string to identify your AP
Radius Accounting Enabled: Checkbox Selected
Radius Station ID Delimiter: dash
Radius Station Id Append Ssid: Checkbox Selected
RADIUS Server 1: Select the AAA Server you created earlier
When done click Apply. Repeat the same configuration for the 2.4 GHz Antenna (Wifi-1-2).
That should conclude the configuration. You can now save the configs to the flash by hitting the Config Save button on top of the Interface.
Brocade
RF Switches
See the Motorola RF Switches documentation.
Cisco
Aironet 1121, 1130, 1242, 1250
Caution
With this equipment, the same VLAN cannot be shared between two SSIDs. Have this in mind in your design. For example, you need two isolation VLANs if you want to isolate hosts on the public and secure SSIDs.
MAC-Authentication + 802.1X configuration
Radio Interfaces:
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 ssid PacketFence-Public
 ssid PacketFence-Secure
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
interface Dot11Radio0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
LAN interfaces:
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
interface FastEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
Then create the two SSIDs:
Configure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box):
Aironet (WDS)
To be contributed...
Wireless LAN Controller (WLC) or Wireless Services Module (WiSM)
In this section, we cover the basic configuration of the WiSM for PacketFence using the web interface.
First, globally define the FreeRADIUS server running on PacketFence (PacketFence's IP) and make sure Support for RFC 3576 is enabled (if not present it is enabled by default).
Then we create two SSIDs:
PacketFence-Public: non-secure with MAC authentication only
PacketFence-Secure: secure with WPA2 Enterprise PEAP/MSCHAPv2
In the secure SSID, make sure 802.1X is enabled and select the appropriate encryption for your needs (recommended: WPA+WPA2).
No layer 3 security
We set the IP of the FreeRADIUS server
VERY IMPORTANT: Allow AAA override (this allows VLAN assignment from RADIUS)
Edit the non-secure SSID: Enable MAC authentication at level 2
Nothing at level 3
We set the IP of the FreeRADIUS server
VERY IMPORTANT: Allow AAA override (this allows VLAN assignment from RADIUS)
Finally, in the Controller > Interfaces tab, create an interface per VLAN that could be assigned.
You are good to go!
Wireless LAN Controller (WLC) Web Auth
In this section, we cover the basic configuration of the WLC Web Auth for PacketFence using the web interface. The idea is to forward the device to the captive portal with an ACL if the device is in an unreg state and allow the device to reach Internet (or the normal network) by changing the ACL once registered. In the unreg state, the WLC will intercept the HTTP traffic and forward the device to the captive portal.
In this sample configuration, the captive portal uses the IP address 172.16.0.250, the administration interface uses the IP address 172.16.0.249 and the WLC uses the IP address 172.16.0.248. The DHCP and DNS servers are not managed by PacketFence (WLC DHCP Server, Production DHCP Server).
Then we create a SSID:
OPEN SSID: non-secure with MAC authentication only
Then you have to create two ACLs - one to deny all traffic except the required one to hit the portal (Pre-Auth-For-WebRedirect) and the other one to allow anything (Authorize_any).
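The two ACLs as a first-match model, added here as an illustration (it is not part of the guide and not Cisco WLC syntax): the portal and administration addresses are the ones from this sample configuration, while the exact flows permitted before registration (DHCP, DNS and the portal itself) are an assumption.

```python
"""Model of the two WLC Web Auth ACLs (added illustration, not the guide's
or Cisco's configuration). Addresses are the sample ones from the text; the
flows permitted before registration are an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORTAL_IP = "172.16.0.250"  # captive portal (from the text)
ADMIN_IP = "172.16.0.249"   # PacketFence administration interface (from the text)


@dataclass(frozen=True)
class Flow:
    dst: str     # destination IP of the client's packet
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    dst: str = "0.0.0.0/0"      # destination network
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


def evaluate(acl: List[Rule], f: Flow) -> str:
    """First matching rule wins; no match means deny."""
    for rule in acl:
        if rule.matches(f):
            return rule.action
    return "deny"


# Assumed content of Pre-Auth-For-WebRedirect: the client may only obtain an
# address, resolve names and talk to the portal. Everything else, including
# the administration interface, is denied; denied HTTP is what the WLC
# intercepts to redirect the browser to the portal.
PRE_AUTH_FOR_WEB_REDIRECT = [
    Rule("permit", proto="udp", dport=67),       # DHCP (server not managed by PacketFence)
    Rule("permit", proto="udp", dport=53),       # DNS
    Rule("permit", dst=PORTAL_IP + "/32"),       # captive portal
    Rule("deny"),
]

# Authorize_any: once registered, the node is no longer restricted by the WLC.
AUTHORIZE_ANY = [Rule("permit")]


def acl_for_state(registered: bool) -> List[Rule]:
    """PacketFence returns one ACL name or the other according to node state."""
    return AUTHORIZE_ANY if registered else PRE_AUTH_FOR_WEB_REDIRECT


def decide(registered: bool, flow: Flow) -> str:
    return evaluate(acl_for_state(registered), flow)


def pre_auth_exposes_admin() -> bool:
    """Sanity check for the pre-auth ACL: it must not reach the admin interface."""
    return decide(False, Flow(ADMIN_IP, "tcp", 443)) == "permit"
```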
Then the last step is to configure the WLC in PacketFence.
Portal URL definition
Role definition
D-Link
DWL Access-Points and DWS 3026
To be contributed...
Extricom
EXSW Wireless Switches (Controllers)
In order to have the Extricom controller working with PacketFence, you need to define two ESSID definitions, one for the "public" network, and one for the "secure" network. This can be done in a very short time period since Extricom supports RADIUS assigned VLANs out of the box.
You first need to configure your RADIUS server. This is done under the WLAN Settings > RADIUS tab. Enter the PacketFence RADIUS server information. For the ESSID configuration, in the administration UI, go to WLAN Settings > ESSID definitions. Create the profiles per the following:
Public SSID
MAC Authentication must be ticked
Encryption method needs to be set to None
Select PacketFence as the MAC Authentication RADIUS server (previously added)
Secure SSID
Encryption method needs to be set to WPA Enterprise/WPA2 Enterprise
AES only needs to be selected
Select PacketFence as the RADIUS server (previously added)
The final step is to enable SNMP Agent and SNMP Traps on the controller. This is done under the following tab in the administrative UI: Advanced > SNMP.
Hostapd
OpenWRT
In this section, we cover the basic configuration of the OpenWRT access point (Hostapd software).
Hostapd must have been compiled with dynamic VLAN support and you need to create a file /etc/config/hostapd.vlan that contains:
wlan0.#
And you need to replace the /lib/wifi/hostapd.sh script file with the one included in /usr/local/pf/addons/hostapd
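How hostapd's dynamic VLAN support turns the RADIUS reply into a per-client interface, as an added illustration (not hostapd's or PacketFence's code): the "wlan0.#" pattern is the one from the text; that it sits on a wildcard "* wlan0.#" line, as hostapd's vlan_file format expects, and the constructed sample reply are assumptions.

```python
"""How hostapd's dynamic VLAN support turns PacketFence's RADIUS reply into a
per-client interface (added illustration, not hostapd's or PacketFence's
code). The "wlan0.#" pattern is from the text; the wildcard "* wlan0.#" line
form of hostapd's vlan_file is assumed."""
from typing import Dict, Optional

TUNNEL_TYPE_VLAN = 13     # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type = IEEE-802


def strip_tag(value: bytes) -> bytes:
    """RFC 2868 tunnel attributes may start with a tag octet (0x00..0x1f)."""
    if value and value[0] < 0x20:
        return value[1:]
    return value


def vlan_from_reply(attrs: Dict[str, bytes]) -> Optional[int]:
    """Return the VLAN id, or None unless all three tunnel attributes agree."""
    try:
        ttype = int.from_bytes(strip_tag(attrs["Tunnel-Type"]), "big")
        medium = int.from_bytes(strip_tag(attrs["Tunnel-Medium-Type"]), "big")
        group = strip_tag(attrs["Tunnel-Private-Group-Id"]).decode("ascii")
    except (KeyError, UnicodeDecodeError):
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_802:
        return None
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


def parse_vlan_file(text: str) -> Dict[str, str]:
    """vlan_file lines: "<vlan-id> <ifname>" or the wildcard "* <ifname-with-#>"."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        table[parts[0]] = parts[1]
    return table


def dynamic_interface(vlan_file: str, attrs: Dict[str, bytes]) -> Optional[str]:
    """Interface the client lands on, or None when no usable VLAN was assigned."""
    vid = vlan_from_reply(attrs)
    if vid is None:
        return None
    table = parse_vlan_file(vlan_file)
    if str(vid) in table:               # explicit mapping wins over the wildcard
        return table[str(vid)]
    if "*" in table:
        return table["*"].replace("#", str(vid))
    return None


# Constructed sample: the wildcard file and a reply putting the client in the
# registration VLAN (id 2), each attribute carrying tag 1.
SAMPLE_VLAN_FILE = "* wlan0.#\n"
SAMPLE_REPLY = {
    "Tunnel-Type": b"\x01" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"),
    "Tunnel-Medium-Type": b"\x01" + TUNNEL_MEDIUM_802.to_bytes(3, "big"),
    "Tunnel-Private-Group-Id": b"\x01" + b"2",
}
```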
Open SSID
Configure your SSID using the uci command:
Secure SSID
Configure your SSID using the uci command:
Then launch the uci commit wireless and wifi commands to enable your configuration.
Hostapd (software)
To configure the Hostapd software you can use the same configuration parameters above in the configuration file.
Mikrotik
This configuration has been tested on Access Point OmniTIK U-5hnD with RouterOS v6.18 and only MAC-Authentication is available now. The only deauthentication method available is SSH, so create an account in the Mikrotik AP and fill the information in the PacketFence switch configuration. Also don't forget to use the pf account to ssh on the Access Point to receive the ssh key.
Open SSID
In this setup we use the interface ether5 for the bridge (Trunk interface) and ether1 as the management interface.
Configure your access point with the following configuration:
/interface wireless
# managed by CAPsMAN
# channel: 5180/20-Ce/an(17dBm), SSID: OPEN, local forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce disabled=no l2mtu=1600 mode=ap-bridge ssid=MikroTik-05A64D
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-master-local
/interface vlan
add interface=BR-CAPS l2mtu=1594 name=default vlan-id=1
add interface=BR-CAPS l2mtu=1594 name=isolation vlan-id=3
add interface=BR-CAPS l2mtu=1594 name=registration vlan-id=2
/caps-man datapath
add bridge=BR-CAPS client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man interface
#
add arp=enabled configuration.mode=ap configuration.ssid=OPEN datapath=datapath1 disabled=no l2mtu=1600 mac-address=D4:CA:6D:05:A6:4D master-interface=none mtu=1500 name=cap1 radio-mac=D4:CA:6D:05:A6:4D
/caps-man aaa
set interim-update=5m
/caps-man access-list
add action=query-radius interface=cap1 radius-accounting=yes signal-range=-120..120 time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether1-gateway
add bridge=BR-CAPS interface=ether5-master-local
/interface wireless cap
set bridge=BR-CAPS discovery-interfaces=BR-CAPS enabled=yes interfaces=wlan1
/ip accounting
set enabled=yes
/radius
add address=192.168.1.5 secret=useStrongerSecret service=wireless
/radius incoming
set accept=yes
HP
ProCurve Controller MSM710
To be contributed...
Meru
Meru Controllers (MC)
In this section, we cover the basic configuration of the Meru wireless controller for PacketFence via the web GUI.
Disable PMK Caching
If you are running a WPA2 SSID, you may need to disable PMK caching in order to avoid deauthentication issues. This is true if you are running AP300s using any 5.0 versions including 5.0-87, or any versions below 4.0-160.
Here are the commands to run to disable the PMK caching at the AP level. First, log in the AP, and run this command to see which radios are broadcasting your SSID:
vap display
Second, disable the PMK caching on those radios:
radio pmkid radio00 disable
You can also add those commands to the AP boot script. Contact your Meru support representative for that part.
VLAN Definition
Here, we create our PacketFence VLANs for client use. Go to Configuration > Wired > VLAN, and select Add.
VLAN Name is the human readable name (i.e. Registration VLAN)
Tag is the VLAN ID
Fast Ethernet Interface Index refers to the controller's ethernet interface
IP Address: An IP address for this controller on this VLAN
Netmask: Network mask for this VLAN
IP Address of the default gateway: Wired IP router for this VLAN
Set the Override Default DHCP server flag to off
Leave the DHCP server IP address and the DHCP relay Pass-Through to default
Click OK to add the VLAN.
AAA Authentication Server
Here, we create our PacketFence RADIUS server for use. Under Configuration > Security > Radius, select Add.
Give the RADIUS Profile a name
Write a description of the profile
Give the RADIUS IP, RADIUS Secret and the RADIUS authentication port
Select Colon for the MAC address delimiter
Select MAC Address as the password type
Click OK to add the RADIUS profile.
AAA Accounting Server
Here, we create our PacketFence RADIUS accounting server for use. Under Configuration > Security > Radius, select Add.
Give the RADIUS Profile a name
Write a description of the profile
Give the RADIUS IP, RADIUS Secret and the RADIUS accounting port
Select Colon for the MAC address delimiter
Select MAC Address as the password type
Click OK to add the RADIUS accounting profile.
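The delimiter and password-type choices above (Meru: colon delimiter, MAC as password) and in the BelAir BE20 section (dash delimiter, SSID appended to the station id) decide what the RADIUS server must parse. As an added illustration, not PacketFence's own code, here is how those formats can be normalised before matching the node; the sample values are constructed.

```python
"""Normalising the MAC formats the access points in this chapter send during
MAC authentication (added illustration, not PacketFence's own code). The
BelAir BE20 is set to a dash delimiter with the SSID appended; the Meru
controller to a colon delimiter with the MAC as the password."""
import re
from typing import Optional, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# MAC with one consistent delimiter (or none), optionally followed by ":<SSID>"
_STATION_RE = re.compile(
    r"^([0-9A-Fa-f]{2}([:\-]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2})(?::(.*))?$")


def normalize_mac(raw: str) -> Optional[str]:
    """aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff
    all become lower-case colon form; anything else returns None."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_station_id(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Called-Station-Id is "<AP MAC>:<SSID>" when the AP appends the SSID
    (BelAir's "Radius Station Id Append Ssid"). The MAC may itself use ':',
    so the SSID starts only after six complete octets."""
    m = _STATION_RE.match(value.strip())
    if not m:
        return None, None
    return normalize_mac(m.group(1)), (m.group(3) or None)


def is_mac_auth_request(user_name: str, user_password: str,
                        calling_station_id: str) -> bool:
    """A MAC-authentication request carries the client MAC as User-Name and
    (with Meru's "MAC Address" password type) as User-Password too; all
    three must be the same address once delimiters are normalised."""
    mac = normalize_mac(calling_station_id)
    return (mac is not None
            and normalize_mac(user_name) == mac
            and normalize_mac(user_password) == mac)
```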
AAA Profiles: Open SSID
Here, we create our wireless security profiles for use. Under Configuration > Security > Profile, select Add.
Give the security profile a name
Select Clear as the L2 Modes Allowed
Leave Data Encrypt empty
Disable the Captive Portal
Enable the Mac Filtering
Click OK to save the profile.
MAC Filtering
When using the Open SSID, you need to activate the mac filtering. Under Configuration > Mac Filtering:
Set ACL Environment State to Permit list enabled
Select your RADIUS profile
AAA Profiles: Secure SSID
Here, we create our wireless security profiles for use. Under Configuration > Security > Profile, select Add.
Give the security profile a name
Select WPA2 as the L2 Modes Allowed
Select CCMP-AES for Data Encrypt
Select your PacketFence RADIUS Authentication Profile
Disable the Captive Portal
Enable the 802.1X network initiation
Leave the Mac Filtering to off
Click OK to save the profile.
WLAN SSIDs
Here, we create our SSID and tie it to a security profile. Under Configuration > Wireless > ESS, select Add.
Give the ESS profile a name, and enable it
Write an SSID name
Select your security profile name previously created
Select your PacketFence RADIUS Accounting Profile (if you want to do accounting)
Enable the SSID Broadcast
Make the new AP join the ESS
Set the tunnel interface type to RADIUS and Configured VLAN
Select the registration VLAN for the VLAN Name
Click OK to create the SSID. Repeat those steps for the open and secure SSID by choosing the right security profile.
WLAN SSIDs: Adding to access point
Here, we tie our SSIDs to access points. Under Configuration > Wireless > ESS, select the SSID you want to add to your APs. Then, select the ESS-AP Table, and click Add.
Select the AP ID from the dropdown list
Click OK to associate the SSID with this AP
Roles (Per-User Firewall)
Since PacketFence 3.3.0, we now support roles (per-user firewall rules) for the Meru hardware. To add firewall rules, go in Configuration > QoS System Settings > QoS and Firewall Rules. When you add a rule, you have to pay attention to two things:
The rule is applied to the controller physical interface right away, so make sure you are not too wide on your ACL to lock yourself out!
The rules are grouped using the Firewall Filter ID (We will use this ID for the roles)
So, since the matching is done using the Firewall Filter ID configuration field, your roles line in switches.conf would look like:
roles=Guests=1;Staff=2
Note
You need to have the Per-User Firewall license in order to benefit from this feature.
Motorola
In order to have the Motorola RFS controller working with PacketFence, you need to define two Wireless LAN definitions, one for the "public" network, and one for the "secure" network.
WiNG (Firmware >= 5.0)
AAA Policy (RADIUS server)
First, we need to build the AAA Policy. Under Configuration > Wireless > AAA Policy, click on the Add button at the bottom right. Configure the RADIUS profile like the following:
Host: Choose IP Address in the dropdown, and put the RADIUS server (PF) IP
Insert a RADIUS secret passphrase
Select "Through Wireless Controller" Request Mode
Caution
Since we are using RADIUS Dynamic Authorization, we need to enable the RADIUS accounting. Under the RADIUS accounting tab, click the Add button at the bottom right, and insert the proper values.
Open SSID
Under Configuration > Wireless > Wireless LANs, click on the Add button at the bottom right.
Under Basic Configuration:
Profile Name: Give a convenient name
SSID: This is the ESSID name
Ensure that the WLAN Status is set to enable
Select Single VLAN as VLAN assignment technique
Ensure that "Allow RADIUS Override" is selected
Security configuration:
Select MAC as authentication type
Select your AAA Policy previously created
Ensure that you selected Open as the Encryption
Accounting configuration:
Make sure you select "Enable RADIUS Accounting"
Select the previously configured AAA Policy
Advanced configuration:
Make sure you select RADIUS Dynamic Authorization
Secure SSID
Under Configuration > Wireless > Wireless LANs, click on the Add button at the bottom right.
Under Basic Configuration:
Profile Name: Give a convenient name
SSID: This is the ESSID name
Ensure that the WLAN Status is set to enable
Select Single VLAN as VLAN assignment technique
Ensure that "Allow RADIUS Override" is selected
Security configuration:
Select EAP as authentication type
Select your AAA Policy previously created
Ensure that you selected WPA/WPA2-TKIP as the Encryption
Unselect everything under Fast Roaming (Disable caching)
Accounting configuration:
Make sure you select "Enable RADIUS Accounting"
Select the previously configured AAA Policy
Advanced configuration:
Make sure you select RADIUS Dynamic Authorization
Profile (WLAN Mapping)
You have multiple options here. Either you create a general AP profile, and you assign it to your APs, or you modify the AP device configuration to map the WLAN to the radio interfaces. For the purpose of this document, we will modify the general profile. Under Profiles > default-apXXX (where XXX is your AP model), in Interface > Radios, edit the existing radios settings. Go to the WLAN Mapping tab, select the two SSIDs and click on the << button.
Profile (Management)
Here, we can configure our SNMP community strings. Located in Configuration > Management > Management Policy. Again, you can modify the default one, or you can create a brand new Policy.
VLANs
You need to ensure that the uplink interface of the controller is configured as a trunk, and that all the necessary VLANs are created on the device. This is configured under Device > rfsXXXX-MAC (where XXXX is your controller series, and MAC is the last 3 octets of its mac address). Edit the device configuration, and go to Interface > Ethernet Ports. Ensure that the up1 interface is set as trunk, with all the allowed VLANs. Next, create the VLAN under Interface > Virtual Interfaces.
Roles (Per-User Firewall)
Since PacketFence 3.3.0, we now support roles for the Motorola hardware using WiNGS 5.x. To add roles, go in Configuration > Security > Wireless Client Roles. First create a global policy that will contain your roles. Next, create your Roles by clicking on the Add button on the bottom right. It is important to configure the Group Configuration line properly by setting the string name that we will use in the RADIUS packet. For example, for a Guests Role, you can put Group Configuration Exact Guests, and for a Staff Role, you can put Group Configuration Exact Staff. In the roles configuration in switches.conf, you would have something like:
roles=CategoryGuests=Guests;CategoryStaff=Staff
Finally, don't forget to configure the appropriate firewall rules for your Roles! Make sure also to commit the configuration upon your changes.
Note
You need to have an Advanced Security license to enable the Per-User Firewall feature.
WIPS
In order to enable the WIPS functionality on the Motorola, you need to follow this procedure. The steps have been done using the CLI.
First, create a wips-policy:
wips-policy Rogue-AP
 history-throttle-duration 86400
 event ap-anomaly airjack
 event ap-anomaly null-probe-response
 event ap-anomaly asleap
 event ap-anomaly ad-hoc-violation
 event ap-anomaly ap-ssid-broadcast-in-beacon
 event ap-anomaly impersonation-attack
 ap-detection
Next, create an event policy:
event-system-policy PF-WIDS
 event wips wips-event syslog off snmp on forward-to-switch off email off
Next, create or adjust your management policy to configure the SNMP traps. Here is an example policy, please note the two last lines:
management-policy default
 no http server
 https server
 ssh
 user admin password 1 e4c93663e3356787d451312eeb8d4704ef09f2331a20133764c3dc3121f13a5b role superuser access all
 user operator password 1 7c9b1fbb2ed7d5bb50dba0b563eac722b0676b45fed726d3e4e563b0c87d236d role monitor access all
 no snmp-server manager v3
 snmp-server community public ro
 snmp-server community private rw
 snmp-server user snmpoperator v3 encrypted des auth md5 0 operator
 snmp-server user snmptrap v3 encrypted des auth md5 0 motorola
 snmp-server user snmpmanager v3 encrypted des auth md5 0 motorola
 snmp-server enable traps
 snmp-server host 10.0.0.100 v2c 162
You then need to tell your controller to use the event policy:
rfs6000 5C-0E-8B-17-F2-E3
 ...
 use event-system-policy PF-WIDS
Finally, you need to configure a radio interface on your AP to act as a sensor. Here is an example configuration for a dual-radio AP650:
ap650 00-23-68-86-EB-BC
 use profile default-ap650
 use rf-domain default
 hostname ap650-86EBBC
 country-code ca
 use wips-policy Rogue-AP
 interface radio1
  rf-mode sensor
  channel smart
  power smart
  data-rates default
  no preamble-short
  radio-share-mode off
 interface radio2
  ...
Older Firmwares (<5.0)
Option for Public Wireless LAN
Check the Dynamic Assignment check-box
Select "MAC Authentication" under Authentication
Click "Config" and choose the Colon delimiter format
Un-check all encryption options
Under RADIUS put in PacketFence's RADIUS Server information
Option for Secure Wireless LAN
Check the Dynamic Assignment check-box
Select "802.1X EAP" under Authentication
Check the WPA/WPA2-TKIP encryption option
Under RADIUS put in PacketFence's RADIUS Server information
SNMP Global configuration
Add the two Read-Only and Read-Write users under Management Access > SNMP Access.
Ruckus
AAA Servers
We need to define the RADIUS and RADIUS accounting (mandatory):
Under Configuration > AAA Servers, click on the Create New button. Enter the proper configuration:
Enter a server name
Select either RADIUS or RADIUS accounting as the type
Use PAP as the Auth Method
Enter the IP address, and shared secret.
Hit OK
Repeat the steps for the RADIUS and RADIUS accounting types. We need one definition for each, otherwise RADIUS dynamic authorization won't work.
WLAN Definitions
Under Configuration > WLAN, click on the Create New button. Enter the proper configuration:
Open SSID
Enter a Name/SSID
Select Standard Usage as the Type
Select MAC Address as the authentication type
Select Open as the encryption method
Select the proper RADIUS server as the authentication server
Select the proper RADIUS server as the accounting server
Note
The Open SSID does NOT support dynamic VLAN assignments (Firmware 9.3.0.0.83)
Secure SSID
Enter a Name/SSID
Select Standard Usage as the Type
Select WPA2 as the authentication type
Select AES as the encryption method
Select the proper RADIUS server as the authentication server
Select the proper RADIUS server as the accounting server
Check the Enable Dynamic VLAN checkbox
WIPS
To enable the WIPS feature of the Ruckus in order to send SNMP traps to PacketFence, the setup is fairly simple.
First, configure the controller to send the traps to PacketFence. Under Configure > System > Network Management > SNMP Trap:
Select "Enable SNMP Trap"
Put the PacketFence Management IP in the Trap Server IP field
Note
The traps will arrive with the "public" community string
Next, you need to configure the Alarm Settings. Under Configure > Alarm Settings, make sure the following are selected:
Rogue AP Detected
SSID-Spoofing AP Detected
MAC-Spoofing AP Detected
LAN Rogue AP Detected
Finally, enable the WIPS feature on the controller. Under Configure > WIPS > Intrusion Detection and Prevention, make sure both boxes are selected, then click Apply.
Trapeze
In order to have the Trapeze controller working with PacketFence, you need to define the RADIUS configuration and the proper service profiles.
RADIUS configuration
Service Profiles
Here we define two service profiles, one for the open SSID (PacketFence-Public) and one for the WPA2-Enterprise SSID (PacketFence-Secure):
AAA configuration
Finally, we need to tie the service profiles with the proper AAA configuration.
Xirrus
Xirrus WiFi Arrays
Xirrus Access Points can be configured to work with PacketFence quickly since Xirrus supports RADIUS assigned VLANs out of the box.
First, RADIUS server configuration. Set the RADIUS server to be PacketFence's IP:
Enable SNMP Agent on the access point:
snmp
!
v2
community read-write public
community read-only public
exit
!
exit
Finally, don't forget to create the SSID you want and the proper bindings with the LAN. Open SSID should be configured to perform MAC Authentication and Secure SSID should be configured to perform 802.1X (WPA-Enterprise or WPA2-Enterprise).
External portal SSID
Set Encryption/Authentication to None/Open
Then check the WPR checkbox
Then in the section Web Page Redirect Configuration set Server to External Login
Set the Redirect URL to http://192.168.1.5/Xirrus::AP_http
Set the Redirect Secret to any passphrase of your choice
In the RADIUS Configuration section set the RADIUS server to point to your PacketFence server
Chapter 6
Additional Information
For more information, please consult the mailing archives or post your questions to it. For details, see:
packetfence-devel@lists.sourceforge.net: Discussion of PacketFence development
packetfence-users@lists.sourceforge.net: User and usage discussions
Commercial Support and Contact Information
For any questions or comments, do not hesitate to contact us by writing an email to: support@inverse.ca.
Hourly rates or support packages are offered to best suit your needs.
Please visit http://inverse.ca/support.html for details.
Chapter 8
GNU Free Documentation License
Please refer to http://www.gnu.org/licenses/fdl-1.2.txt for the full license.