Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

2026-01-17T07:04:41Z

Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "

← Older revision		Revision as of 07:04, 17 January 2026
Line 1:		Line 1:
	[[Category:Wiki]]		[[Category:Wiki]]

			'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


	== Internal Architecture and Core Components ==		== Internal Architecture and Core Components ==

Admin: Created page with "Category:Wiki == Internal Architecture and Core Components == === Service-Oriented Architecture === PacketFence is composed of multiple specialized services communicating locally and via RADIUS, HTTP(S), and database backends. Key services include: * '''pfconfig''' – Centralized configuration daemon * '''pf::radius''' – Authentication, authorization, and accounting * '''pf::snmp''' – Network device interaction * '''pfqueue''' – Asynchronous task processing..."

2025-12-20T16:33:55Z

Created page with "Category:Wiki == Internal Architecture and Core Components == === Service-Oriented Architecture === PacketFence is composed of multiple specialized services communicating locally and via RADIUS, HTTP(S), and database backends. Key services include: * '''pfconfig''' – Centralized configuration daemon * '''pf::radius''' – Authentication, authorization, and accounting * '''pf::snmp''' – Network device interaction * '''pfqueue''' – Asynchronous task processing..."

New page

[[Category:Wiki]]

== Internal Architecture and Core Components ==

=== Service-Oriented Architecture ===
PacketFence is composed of multiple specialized services communicating locally and via RADIUS, HTTP(S), and database backends.

Key services include:
* '''pfconfig''' – Centralized configuration daemon
* '''pf::radius''' – Authentication, authorization, and accounting
* '''pf::snmp''' – Network device interaction
* '''pfqueue''' – Asynchronous task processing
* '''pfdhcp''' – DHCP fingerprinting and enforcement
* '''pfdetect''' – Violation detection engine

Service control example:
<nowiki>
systemctl status packetfence
systemctl restart packetfence-config</nowiki>

=== Database Model ===
PacketFence uses:
* MariaDB/MySQL for persistent state
* Redis for queues, caching, and real-time decisions

Key tables:
* node – Endpoint identity and status
* violation – Active and historical violations
* locationlog – Switchport tracking
* auth_log – Authentication events

Query example:
<nowiki>
mysql -u pf -p pf -e "SELECT mac,status FROM node;"</nowiki>

== Authentication and Authorization Workflows ==

=== 802.1X Authentication Flow ===
1. Endpoint sends EAPOL
2. Switch forwards to PacketFence RADIUS
3. PacketFence evaluates:
* Identity source
* Role mapping
* Compliance state
4. RADIUS returns VLAN or ACL

Supported EAP methods:
* EAP-TLS
* PEAP-MSCHAPv2
* EAP-TTLS

Test RADIUS manually:
<nowiki>
radtest user password 127.0.0.1 0 testing123</nowiki>

=== MAC Authentication Bypass (MAB) ===
Used for:
* Printers
* IoT
* Headless devices

MAC normalization example:
<nowiki>
00:11:22:33:44:55 → 001122334455</nowiki>

Authorization rules can assign:
* Registration VLAN
* Isolation VLAN
* Production VLAN

== Enforcement Techniques ==

=== VLAN Enforcement ===
Dynamic VLAN assignment via RADIUS attributes:
* Tunnel-Type
* Tunnel-Medium-Type
* Tunnel-Private-Group-ID

Example RADIUS reply:
<nowiki>
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "20"</nowiki>

=== Inline Enforcement ===
PacketFence acts as Layer 2 bridge:
* Traffic inspection
* HTTP redirection
* Real-time blocking

Inline interfaces must be defined explicitly:
<nowiki>
pfcmd pfconfig show Inline</nowiki>

=== ACL and Downloadable ACLs (dACL) ===
Supported on advanced switches (Cisco, Aruba, Juniper)

Example:
<nowiki>
permit tcp any any eq 443
deny ip any any</nowiki>

== Policy Engine and Role Mapping ==

=== Role Evaluation Logic ===
Roles are computed using:
* Authentication source
* Device profiling
* Compliance state
* Location
* Time-based rules

Role priority example:
<nowiki>
if violation → isolation
else if unmanaged → registration
else → production</nowiki>

=== Policy Example: Contractor Access ===
Conditions:
* LDAP group = contractors
* Time = business hours

Result:
* Role: contractor_access
* VLAN: 30
* ACL: restricted_internet

== Device Profiling and Fingerprinting ==

=== DHCP Fingerprinting ===
PacketFence inspects:
* Option 55
* Vendor Class Identifier

Example fingerprint:
<nowiki>
MSFT 5.0 → Windows
android-dhcp-10 → Android</nowiki>

=== SNMP-Based Profiling ===
Used to:
* Discover switch port
* Bounce ports
* Apply VLAN changes

SNMP test:
<nowiki>
snmpwalk -v2c -c public switch-ip sysDescr</nowiki>

== High Availability and Scalability ==

=== Active/Active Clustering ===
Requirements:
* Shared database
* Redis replication
* Load balancer (LVS, HAProxy)

Node status:
<nowiki>
pfcmd cluster status</nowiki>

=== RADIUS Load Distribution ===
Best practices:
* Multiple PacketFence nodes
* Switch-side RADIUS failover
* Short RADIUS timeouts

== Security Concepts and Hardening ==

=== Trust Boundaries ===
PacketFence separates:
* Access layer enforcement
* Control plane decisions
* Management interfaces

=== Certificate Management ===
Critical for EAP-TLS:
* Internal CA or external PKI
* Certificate revocation
* Short-lived certs

Certificate validation:
<nowiki>
openssl x509 -in client.crt -text -noout</nowiki>

=== Least Privilege Administration ===
Admin roles:
* Super Admin
* Security Admin
* Helpdesk
* Read-only

CLI access should be restricted:
<nowiki>
chmod 750 /usr/local/pf/bin/*</nowiki>

== REST API and Automation ==

=== API Authentication ===
Uses token-based authentication.

Token creation:
<nowiki>
curl -X POST https://pf/api/v1/login \
-d 'username=admin&password=secret'</nowiki>

=== Common API Use Cases ===
* Register a node
* Trigger re-evaluation
* Query violations

Example node registration:
<nowiki>
curl -X POST https://pf/api/v1/node \
-H "Authorization: Bearer TOKEN" \
-d 'mac=00:11:22:33:44:55'</nowiki>

== Command-Line Operations ==

=== Node Management ===
<nowiki>
pfcmd node view 00:11:22:33:44:55
pfcmd node deregister 00:11:22:33:44:55</nowiki>

=== Violation Handling ===
<nowiki>
pfcmd violation list
pfcmd violation close --id 3</nowiki>

=== Service Diagnostics ===
<nowiki>
journalctl -u packetfence-radius
tail -f /usr/local/pf/logs/packetfence.log</nowiki>

== Troubleshooting ==

=== Authentication Failures ===
Check:
* RADIUS shared secret
* Time synchronization
* Certificate validity

Debug RADIUS:
<nowiki>
radiusd -X</nowiki>

=== Devices Stuck in Registration VLAN ===
Possible causes:
* Role mapping mismatch
* Violation not closed
* Switch ignoring RADIUS attributes

Verify role:
<nowiki>
pfcmd node view MAC</nowiki>

=== SNMP Enforcement Failures ===
Check:
* SNMP version mismatch
* Write community permissions
* Interface indexing

Test port bounce:
<nowiki>
pfcmd switch bounce --switch-id 1 --port 24</nowiki>

=== Web Interface Issues ===
Check:
* Apache/Nginx status
* SELinux
* Certificate chain

Logs:
<nowiki>
/usr/local/pf/logs/httpd_error.log</nowiki>

== Useful Links ==

* https://packetfence.org
* https://github.com/inverse-inc/packetfence
* https://packetfence.org/documentation/
* https://packetfence.org/support/
* https://www.freeradius.org
* https://en.wikipedia.org/wiki/Network_access_control

PACKETFENCE - Administration Documentation - Revision history

Admin: Text replacement - "Category:Wiki" to "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' "