PACKETFENCE - Administration Documentation

From IT-Arts.net

Internal Architecture and Core Components

Service-Oriented Architecture

PacketFence is composed of multiple specialized services communicating locally and via RADIUS, HTTP(S), and database backends.

Key services include:

  • pfconfig – Centralized configuration daemon
  • pf::radius – Authentication, authorization, and accounting
  • pf::snmp – Network device interaction
  • pfqueue – Asynchronous task processing
  • pfdhcp – DHCP fingerprinting and enforcement
  • pfdetect – Violation detection engine

Service control example:

systemctl status packetfence
systemctl restart packetfence-config

Database Model

PacketFence uses:

  • MariaDB/MySQL for persistent state
  • Redis for queues, caching, and real-time decisions

Key tables:

  • node – Endpoint identity and status
  • violation – Active and historical violations
  • locationlog – Switchport tracking
  • auth_log – Authentication events

Query example:

mysql -u pf -p pf -e "SELECT mac,status FROM node;"

Authentication and Authorization Workflows

802.1X Authentication Flow

1. Endpoint sends EAPOL
2. Switch forwards to PacketFence RADIUS
3. PacketFence evaluates:

  • Identity source
  • Role mapping
  • Compliance state

4. RADIUS returns VLAN or ACL

Supported EAP methods:

  • EAP-TLS
  • PEAP-MSCHAPv2
  • EAP-TTLS

Test RADIUS manually:

radtest user password 127.0.0.1 0 testing123

MAC Authentication Bypass (MAB)

Used for:

  • Printers
  • IoT
  • Headless devices

MAC normalization example:

00:11:22:33:44:55 → 001122334455

Authorization rules can assign:

  • Registration VLAN
  • Isolation VLAN
  • Production VLAN

Enforcement Techniques

VLAN Enforcement

Dynamic VLAN assignment via RADIUS attributes:

  • Tunnel-Type
  • Tunnel-Medium-Type
  • Tunnel-Private-Group-ID

Example RADIUS reply:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "20"

Inline Enforcement

PacketFence acts as a Layer 2 bridge:

  • Traffic inspection
  • HTTP redirection
  • Real-time blocking

Inline interfaces must be defined explicitly:

pfcmd pfconfig show Inline

ACL and Downloadable ACLs (dACL)

Supported on advanced switches (Cisco, Aruba, Juniper).

Example:

permit tcp any any eq 443
deny ip any any

Policy Engine and Role Mapping

Role Evaluation Logic

Roles are computed using:

  • Authentication source
  • Device profiling
  • Compliance state
  • Location
  • Time-based rules

Role priority example:

if violation → isolation
else if unmanaged → registration
else → production

Policy Example: Contractor Access

Conditions:

  • LDAP group = contractors
  • Time = business hours

Result:

  • Role: contractor_access
  • VLAN: 30
  • ACL: restricted_internet
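The role priority and the contractor policy above, combined with the Tunnel-* attributes from the VLAN Enforcement section, as an added Python example that is not PacketFence's own code. Assumptions: the VLAN IDs other than 30, the Node fields, the business-hours definition (Mon-Fri 08:00-18:00), holding a contractor in registration outside business hours, and carrying the ACL name in Filter-Id.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed VLAN IDs for the roles on this page (contractor VLAN 30 is the page's
# own value; the other three are assumed for the example).
ROLE_VLAN = {"isolation": 2, "registration": 3, "contractor_access": 30, "production": 10}
ROLE_ACL = {"contractor_access": "restricted_internet"}

@dataclass
class Node:                      # constructed endpoint state, not PacketFence's schema
    mac: str
    status: str                  # "reg" (registered) or "unreg" (unmanaged)
    open_violations: int = 0
    ldap_groups: list = field(default_factory=list)

def normalize_mac(mac: str) -> str:
    """00:11:22:33:44:55 -> 001122334455 (separators dropped, lowercase hex)."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def business_hours(now: datetime) -> bool:
    """Assumed definition: Monday to Friday, 08:00 to 18:00 local time."""
    return now.weekday() < 5 and 8 <= now.hour < 18

def evaluate_role(node: Node, now: datetime) -> str:
    """Role priority from the page: violation > unmanaged > policy rules > production."""
    if node.open_violations > 0:
        return "isolation"
    if node.status != "reg":
        return "registration"
    # Policy example from the page: LDAP group 'contractors' during business hours.
    # Assumption: outside business hours the contractor is held in registration.
    if "contractors" in node.ldap_groups:
        return "contractor_access" if business_hours(now) else "registration"
    return "production"

def radius_reply(role: str) -> dict:
    """Tunnel-* attributes for dynamic VLAN assignment; ACL name in Filter-Id (assumed)."""
    reply = {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(ROLE_VLAN[role]),
    }
    if role in ROLE_ACL:
        reply["Filter-Id"] = ROLE_ACL[role]
    return reply

# Constructed sample times: a Tuesday at 10:30 and the same day at 22:00.
SAMPLE_DAY = datetime(2024, 3, 12, 10, 30)
SAMPLE_NIGHT = datetime(2024, 3, 12, 22, 0)
```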

Device Profiling and Fingerprinting

DHCP Fingerprinting

PacketFence inspects:

  • Option 55
  • Vendor Class Identifier

Example fingerprint:

MSFT 5.0 → Windows
android-dhcp-10 → Android
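An added Python example (not PacketFence's or Fingerbank's code) that parses the options of a constructed DHCPDISCOVER and classifies it the way the two fingerprints above do: Vendor Class Identifier (option 60) first, then the Option 55 parameter request list. The option-55 fingerprint table and the sample packets are constructed for illustration.

```python
import struct

# Vendor Class Identifier (option 60) prefixes, from the page's two examples.
VENDOR_CLASS_OS = {"MSFT 5.0": "Windows", "android-dhcp-": "Android"}
# Constructed option-55 (Parameter Request List) fingerprints, illustration only;
# PacketFence's real lookups go through the Fingerbank database.
PARAM_LIST_OS = {"1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows",
                 "1,3,6,15,26,28,51,58,59,43": "Android"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie after the 236-byte header
FIXED_HEADER_LEN = 236

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value}; rejects packets without a valid cookie."""
    end = FIXED_HEADER_LEN + 4
    if len(packet) < end or packet[FIXED_HEADER_LEN:end] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: bad length or magic cookie")
    opts, i = {}, end
    while i < len(packet):
        code = packet[i]
        if code == 255:                     # End option
            break
        if code == 0:                       # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts

def fingerprint(opts: dict) -> str:
    """Classify by Vendor Class (option 60) first, then by the option-55 request list."""
    vendor = opts.get(60, b"").decode("ascii", "replace")
    for prefix, os_name in VENDOR_CLASS_OS.items():
        if vendor.startswith(prefix):
            return os_name
    param_list = ",".join(str(b) for b in opts.get(55, b""))
    return PARAM_LIST_OS.get(param_list, "unknown")

def build_discover(mac: bytes, vendor_class: str, param_list: list) -> bytes:
    """Constructed minimal DHCPDISCOVER (not captured traffic) for exercising the parser."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"", b"", b"", b"", mac, b"", b"")   # struct zero-pads 's' fields
    opts = bytes([53, 1, 1]) + bytes([55, len(param_list)]) + bytes(param_list)
    vc = vendor_class.encode()
    return header + DHCP_MAGIC + opts + bytes([60, len(vc)]) + vc + b"\xff"
```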

SNMP-Based Profiling

Used to:

  • Discover switch port
  • Bounce ports
  • Apply VLAN changes

SNMP test:

snmpwalk -v2c -c public switch-ip sysDescr

High Availability and Scalability

Active/Active Clustering

Requirements:

  • Shared database
  • Redis replication
  • Load balancer (LVS, HAProxy)

Node status:

pfcmd cluster status

RADIUS Load Distribution

Best practices:

  • Multiple PacketFence nodes
  • Switch-side RADIUS failover
  • Short RADIUS timeouts

Security Concepts and Hardening

Trust Boundaries

PacketFence separates:

  • Access layer enforcement
  • Control plane decisions
  • Management interfaces

Certificate Management

Critical for EAP-TLS:

  • Internal CA or external PKI
  • Certificate revocation
  • Short-lived certs

Certificate validation:

openssl x509 -in client.crt -text -noout

Least Privilege Administration

Admin roles:

  • Super Admin
  • Security Admin
  • Helpdesk
  • Read-only

CLI access should be restricted:

chmod 750 /usr/local/pf/bin/*

REST API and Automation

API Authentication

Uses token-based authentication.

Token creation:

curl -X POST https://pf/api/v1/login \
-d 'username=admin&password=secret'

Common API Use Cases

  • Register a node
  • Trigger re-evaluation
  • Query violations

Example node registration:

curl -X POST https://pf/api/v1/node \
-H "Authorization: Bearer TOKEN" \
-d 'mac=00:11:22:33:44:55'

Command-Line Operations

Node Management

pfcmd node view 00:11:22:33:44:55
pfcmd node deregister 00:11:22:33:44:55

Violation Handling

pfcmd violation list
pfcmd violation close --id 3

Service Diagnostics

journalctl -u packetfence-radius
tail -f /usr/local/pf/logs/packetfence.log

Troubleshooting

Authentication Failures

Check:

  • RADIUS shared secret
  • Time synchronization
  • Certificate validity

Debug RADIUS:

radiusd -X

Devices Stuck in Registration VLAN

Possible causes:

  • Role mapping mismatch
  • Violation not closed
  • Switch ignoring RADIUS attributes

Verify role:

pfcmd node view MAC

SNMP Enforcement Failures

Check:

  • SNMP version mismatch
  • Write community permissions
  • Interface indexing

Test port bounce:

pfcmd switch bounce --switch-id 1 --port 24

Web Interface Issues

Check:

  • Apache/Nginx status
  • SELinux
  • Certificate chain

Logs:

/usr/local/pf/logs/httpd_error.log