Install Packetfence for outstanding network access control - gHacks Tech News

Install Packetfence for outstanding network access control

Network Access Control is a crucial aspect of medium to large scale networking. There are many tools to help you control who has access to your network; some of these tools are quite pricey and some of them do not do what you need them to do.

There is one NAC tool that is open source and does an outstanding job. The tool? Packetfence. The only downside to this tool is that it can be fairly overwhelming to get up and running.

In a series of articles I plan on helping you to get Packetfence up and running. To do this you will need a running installation of Ubuntu Server. Using Ubuntu Server will help keep the amount of necessary package installations to a minimum.

Don't think, however, you will get away with a couple of simple commands for installation. It's not that easy. But, in the end, you will be glad you took the time to get this marvel of a tool working. With all of that said, let's begin this process.

What you are going to need installed is the following:

  • Snort
  • MySQL
  • Apache
  • PHP
  • Perl
  • Perl Modules
  • Packetfence

Some of the above will already be installed on your machine. If that's the case then you will only need to take a few steps for configuration.

Before you begin the installation of anything open up a terminal window and issue the command:

sudo apt-get update

This will make sure your sources are as up to date as they can be. NOTE: If, during any part of the installation, you get an error that a package was not found, go through your /etc/apt/sources.list file and make sure ALL of the repositories are uncommented. If you have to uncomment anything, make sure you run the above command again.

Before you actually begin installing any of the software, there is one more command to run. Issue this:

sudo apt-get install build-essential

Which will allow the Ubuntu server install to compile from source.

Now let's begin.

Snort

Snort is used for intrusion detection and is the de facto standard for Linux. This package is installed with the command:

sudo apt-get install snort

After Snort is installed you have to stop it from running with the command:

sudo /etc/init.d/snort stop

You will also need to keep Snort from starting at boot with the command:

sudo update-rc.d -f snort remove

MySQL

Most likely MySQL is already installed. If not you can install it with:

sudo apt-get install mysql-server

Now things get a bit tricky. To make your life easier it is best to actually have a root password on your Ubuntu server. Do this with the command:

sudo passwd

and enter a password for the root user (You will have to verify this password as well.)

The next step is to change the MySQL administrator password. To do this issue the command:

mysql -u root -p

Since there is currently no MySQL password you should just hit enter and be at the MySQL prompt. Enter the following:

SET PASSWORD FOR root@localhost=PASSWORD('NEWPASSWORD');

Where NEWPASSWORD is the actual new password you want to use for MySQL.

Apache and PHP

If Apache is not installed, now's the time. But it's not just Apache you need to install. Packetfence requires a few of Apache's friends to come along for the ride. This is what you need to do. Issue the command:

sudo apt-get install apache2 libapache2-mod-proxy-html

Which will install Apache and the necessary proxy module. The next command:

sudo apt-get install libapache2-mod-php5 php-pear php5-mysql php5-gd

Will install all things necessary for PHP.

And just like we did with Snort, we are going to stop Apache and then prevent it from starting at boot with the following commands:

sudo /etc/init.d/apache2 stop

sudo update-rc.d -f apache2 remove

Perl and the Perl modules

There are two commands to run to get the necessary pieces of Perl installed:

sudo apt-get install perl-suid libterm-readkey-perl libconfig-inifiles-perl libnet-netmask-perl

sudo apt-get install libparse-recdescent-perl libnet-rawip-perl libtimedate-perl libwww-perl

Packetfence

Finally we are ready to install Packetfence itself. You will have to download the latest tar file from the Packetfence Download Page. Download the file and then move the file to /usr/local/. After the file has been moved, change to the /usr/local directory and issue this command to unpack the archive:

sudo tar xvzf packetfence-XXX.tar.gz

Where XXX is the actual release number.

Now you should have a new directory called pf. Change to the /usr/local/pf directory and issue the command:

sudo ./installer.pl

This is where the install actually takes some time. There are a LOT of questions for you to answer. Many of the defaults will work, but don't just blindly hit Enter - make sure you know what you're accepting. Here you will need that MySQL password you created. You will also want to allow Packetfence to create the database for you. Don't do this on your own or Packetfence will throw up enough errors to scare you away for good.

SSL Certificate

Before you complete your installation you will need to create an SSL certificate for security purposes. Do this with the following commands:

cd /tmp

openssl req -new > packetfence.csr

openssl rsa -in privkey.pem -out server.key

openssl x509 -in packetfence.csr -out server.crt -req -signkey server.key -days 365

mv server.crt /usr/local/pf/conf/ssl/

mv server.key /usr/local/pf/conf/ssl/

rm -f packetfence.csr privkey.pem
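
The commands above do their work in the shared /tmp directory, so the private key sits there until it is moved, and the final mv needs root to write under /usr/local/pf. One way to produce the same key and certificate from a private scratch directory, as an added example that is not part of the original article (the function name make_pf_cert and its two arguments are assumptions made for this example):

```shell
#!/bin/sh
# Added example: self-signed certificate for the Packetfence web interface,
# generated without leaving private key material in /tmp.
# make_pf_cert and its arguments are names made up for this example.

make_pf_cert() {
    outdir=$1        # e.g. /usr/local/pf/conf/ssl (the path used in the article)
    cn=$2            # name or IP address browsers will use to reach the server

    old_umask=$(umask)
    umask 077                                   # new files readable by owner only
    work=$(mktemp -d) || { umask "$old_umask"; return 1; }

    # One step: new 2048-bit RSA key, unencrypted (-nodes) so the service can
    # start unattended, plus a self-signed certificate valid for 365 days.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" \
        -keyout "$work/server.key" -out "$work/server.crt" 2>/dev/null
    rc=$?

    # Confirm the certificate really carries the public half of this key.
    if [ "$rc" -eq 0 ]; then
        crt_pub=$(openssl x509 -in "$work/server.crt" -noout -pubkey)
        key_pub=$(openssl pkey -in "$work/server.key" -pubout)
        [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || rc=1
    fi

    # Install with explicit modes: key 0600, certificate 0644.
    if [ "$rc" -eq 0 ]; then
        install -m 600 "$work/server.key" "$outdir/server.key" &&
        install -m 644 "$work/server.crt" "$outdir/server.crt" || rc=1
    fi

    rm -rf "$work"                              # scratch copies are not kept
    umask "$old_umask"
    return "$rc"
}

# Usage on the server, as root:
#   make_pf_cert /usr/local/pf/conf/ssl IP_TO_SERVER
```

The key is written without a passphrase, as in the article's openssl rsa step, so file permissions are the only thing protecting it.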

Final Steps

The final step is to run the command:

./configurator.pl

from within the pf directory. You will be offered a few options. For your first run you should run the Test Mode so you can get used to how Packetfence works. You will have to answer a few questions to complete the installation. Once you understand how this system works you can re-run the configurator script and choose one of the following modes:

  • Test mode

  • Registration

  • Detection

  • Registration & Detection

  • Registration, Detection & Scanning

  • Session-based Authentication

Some gotchas

Because you are installing this on Ubuntu, the Apache startup script is installed in /usr/sbin/apache2 and not /usr/bin/httpd. Because of this a few modifications must be made. To do this, open the file /usr/local/pf/conf/pf.conf and add the following lines to the end of that file:

[services]

httpd=/usr/sbin/apache2

The next step is to open the file /usr/local/pf/conf/templates/httpd.conf and add the following:

ServerRoot /usr/lib/apache2

Now, in the same file, modify the line:

LoadModule php4_module modules/libphp4.so

to reflect:

LoadModule php4_module /usr/lib/apache2/modules/libphp4.so

You might also find a few other lines that need to be modified. Go through the entire /usr/local/pf/conf/templates/httpd.conf file and change any module path references to reflect the:

/usr/lib/apache2/modules

structure.

Finally, uncomment the line for the php5 module (around line 79) and comment out the line for php4 (around line 80).
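
The template edits described in this section can be applied in one pass and then checked. The following is an added example, not part of the original article or of Packetfence; the function names, the optional module-directory argument and the sample template are constructed for illustration:

```shell
#!/bin/sh
# Added example: apply the Ubuntu fixes described above to a Packetfence
# httpd.conf template. Function names and the optional second argument are
# made up for this example.

fix_pf_httpd_template() {
    tpl=$1
    moddir=${2:-/usr/lib/apache2/modules}
    cp -p "$tpl" "$tpl.orig" || return 1          # keep the shipped template
    {
        # Add ServerRoot only if the template does not set one already.
        grep -q '^ServerRoot' "$tpl.orig" || echo 'ServerRoot /usr/lib/apache2'
        # 1) absolute module paths, 2) comment out php4, 3) uncomment php5
        sed -e "s|^\(#* *LoadModule  *[A-Za-z0-9_]*  *\)modules/|\1$moddir/|" \
            -e 's|^ *\(LoadModule  *php4_module \)|#\1|' \
            -e 's|^##* *\(LoadModule  *php5_module \)|\1|' \
            "$tpl.orig"
    } > "$tpl"
}

# Print every active LoadModule path that does not exist on this machine,
# so a stale reference shows up before httpd refuses to start.
missing_modules() {
    awk '$1 == "LoadModule" { print $3 }' "$1" | while read -r so; do
        [ -f "$so" ] || echo "$so"
    done
}

# Constructed sample of the relevant template lines (not the real file).
sample_template() {
    cat <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
#LoadModule php5_module modules/libphp5.so
LoadModule php4_module modules/libphp4.so
LoadModule ssl_module modules/mod_ssl.so
EOF
}

# Usage on the server, as root:
#   fix_pf_httpd_template /usr/local/pf/conf/templates/httpd.conf
#   missing_modules /usr/local/pf/conf/templates/httpd.conf
```

Any path that missing_modules prints points at a module package that still has to be installed or a line that still has to be commented out.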

Start Packetfence

To start Packetfence issue the command:

sudo /usr/local/pf/bin/start

You should see the following output:

Checking configuration sanity...

service|command

config files|start

iptables|start

httpd|start

pfmon|start

pfdetect|start

snort|start

Stop Packetfence with the command:

/usr/local/pf/bin/stop

If you are sure the system is running the way you want it, set it to start at boot with the following:

sudo cp /usr/local/pf/packetfence.init /etc/init.d/packetfence

sudo chmod 755 /etc/init.d/packetfence

sudo update-rc.d packetfence defaults

Restart Packetfence with the start command from above and you're ready to go.

Logging in

The first thing you will do once installed is to log into the system. Do this by opening up a browser and pointing it to:

https://IP_TO_SERVER:1443

Where IP_TO_SERVER is the IP address of the server.

Next steps

That's it for installation. In our next Packetfence article we will visit the web-based administration page.

    Comments

    1. Munjal said on June 8, 2009 at 6:58 am

      Was running the installer script for packetfence, when it died at installing net-pcap ?

      Now what?

    2. Managenet said on August 20, 2009 at 7:58 pm

      Great stuff, but where is part two on using Packetfence?

    3. Les said on December 16, 2009 at 10:20 pm

      A very helpful article, but it is not as in-depth as to be helpful. For instance, it is taken for granted that a user knows how to manipulate files when they are not root. Given that the beginning of the article is quite detailed, after the download of packetfence, the noob is lost…

    4. fabian said on February 23, 2010 at 12:17 am

      I need help on packetfence from scratch!!!!!!!!!!!!!!!!!!!!!

    5. Joe said on February 23, 2010 at 12:23 am

      Tried installing packetfence 1.87.tar.gz in ubuntu 9.10 desktop and it didn't work. Does it have to be installed in ubuntu server? Does it matter? I'm contemplating suicide because of packetfence’s non-helpful installation guide.

    6. Roy said on February 23, 2010 at 12:47 am

      I am installing packetfence on ubuntu desktop. I did the installations for snort, apache, etc. When I start packetfence, I get the following error:

      Can't locate Readonly.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/local/pf/bin/pfcmd line 58.
      BEGIN failed--compilation aborted at /usr/local/pf/bin/pfcmd line 58.

      Any suggestions?

    7. Les said on February 23, 2010 at 3:20 pm

      Packetfence did install on Ubuntu Server 9 but I gave up on the Ubuntu install and tried the Centos route because I stumbled all over the command line and RHEL or CentOS is what the PacketFence site said was the easiest, due to an rpm in their Yum repository…Not true, at least according to my experience. That rpm does not exist and when trying to install PF, all sorts of dependency issues are thrown and not all of those are available either so the install never happens. I am at a loss and would love a few kind pushes in the right direction. I want to install PF using VirtualBox on my Snow Leopard server. The ZEN version does not work there. Anyone? Thanks in advance. ~Les

      1. Louie said on March 9, 2010 at 5:09 am

        Packetfence does work well on RHEL or Cent. Follow the guideline especially the part about adding additional repos. I believe in order to install properly the dag repo & packetfence repo have to be enabled. After, do a yum update followed by yum search packetfence. If all goes well you should see the package for packetfence.

        Good luck!

    8. Les said on March 10, 2010 at 2:55 pm

      Louie, thanks for the post. I am still wrestling with finishing the install, but I have to admit to my 1D10T mistake of not paying attention to detail….YUM was tossing it back because I was using the 64bit CentOS instead of the 32bit.– Publicly admitting that will hopefully help somebody while giving others a chuckle.

    9. [email protected] said on April 9, 2010 at 12:52 pm

      Done. Everything is easy to install.. but difficult to configure ..
      Can you give detail sample exp registration and scanning .. how about the iptables dns and any network topology

      step by step instruction ..
      thanks
