Install Packetfence for outstanding network access control

Network Access Control is a crucial aspect of medium to large scale networking. There are many tools to help you control who has access to your network; Some of these tools are quite pricey and some of them do not do what you need them to do.

There is one NAC tool that is open source and does an outstanding job. The tool? Packetfence. The only downside to this tool is that it can be fairly overwhelming to get up and running.

In a series of articles I plan on helping you to get Packetfence up and running. To do this you will need a running installation of Ubuntu Server. Using Ubuntu Server will help keep the amount of necessary package installations to a minimum.

Don't think, however, you will get away with a couple of simple commands for installation. It's not that easy. But, in the end, you will be glad you took the time to get this marvel of a tool working. With all of that said, let's begin this process.

What you are going to need installed is the following:

• Snort
• MySQL
• Apache
• PHP
• Perl
• Perl Modules
• Packetfence

Some of the above will already be installed on your machine. If that's the case then you will only need to take a few steps for configuration.

Before you begin the installation of anything open up a terminal window and issue the command:

sudo apt-get update

This will make sure your sources are as up to date as the can be. NOTE: If, during any part of the installation, you get an error that a package was not found, go through your /etc/apt/sources.list file and make sure ALL of the repositories are uncommented. If you have to uncomment anything make sure you run the above command again.

The final step before you actually begin the installation of any of the software there is one more command to run. Issue this:

sudo apt-get install build-essential

Which will allow the Ubuntu server install to compile from source.

Now let's begin.

Snort

Snort is used for intrusion detection and is the defacto-standard for Linux. This package is installed with the command:

sudo apt-get install snort

After Snort is installed you have to stop it from running with the command:

sudo /etc/init.d/snort stop

You will also need to keep Snort from starting at boot with the command:

sudo update-rc.d -f snort remove

MySQL

Most likely MySQL is already installed. If not you can install it with:

sudo apt-get install mysql-server

Now things get a bit tricky. To make your life easier it is best to actually have a root password on your Ubuntu server. Do this with the command:

sudo passwd

and enter a password for the root user (You will have to verify this password as well.)

The next step is to change the MySQL administrator password. To do this issue the command:

mysql -u root -p

Since there is currently no MySQL password you should just hit enter and be at the MySQL prompt. Enter the following:

SET PASSWORD FOR root@localhost=PASSWORD('NEWPASSWORD');

Where NEWPASSWORD is the actual new password you want to use for MySQL.

Apache and PHP

If Apache is not installed, now's the time. But it's not just Apache you need to install. Packetfence requires a few of Apache's friend to come along for the ride. This is what you need to do. Issue the command:

sudo apt-get install apache2 libapache2-mod-proxy-html

Which will install Apache and the necessary proxy module. The next command:

sudo apt-get install libapache2-mod-php5 php-pear php5-mysql php5-gd

Will install all things necessary for PHP.

And just like we did with Snort, we are going to stop Apache and then prevent it from starting at boot with the following commands:

sudo /etc/init.d/apache2 stop

sudo update-rc.d -f apache2 remove

Perl and the Perl modules

There are two commands to run to get the necessary pieces of Perl installed:

sudo apt-get install perl-suid libterm-readkey-perl libconfig-inifiles-perl libnet-netmask-perl

sudo apt-get install libparse-recdescent-perl libnet-rawip-perl libtimedate-perl libwww-perl

Packetfence

Finally we are ready to install Packetfence itself. You will have to download the latest tar file from the Packetfence Download Page. Download the file and then move the file to /usr/local/. After the file has been moved, change to the /usr/local directory and issue this command to unpack the archive:

sudo tar xvzf packetfence-XXX.tar.gz

Where XXX is the actual release number.

Now you should have a new directory called pf. Change to the /usr/local/pf directory and issue the command:

sudo ./installer.pl

This is where the install actually takes some time. There are a LOT of questions for you to answer. Many of the defaults will work, but don't just blindly hit Enter - make sure you know what you're accepting. Here you will need that MySQL password you created. You will also want to allow Packetfence to create the database for you. Don't do this on your own or Packetfence will throw up enough errors to scare you away for good.

SSL Certificate

Before you complete your installation you will need to create an SSL certificate for security purposes. Do this with the following commands:

cd /tmp

openssl req -new > packetfence.csr

openssl rsa -in privkey.pem -out server.key

openssl x509 -in packetfence.csr -out server.crt -req -signkey server.key -days 365

mv server.crt /usr/local/pf/conf/ssl/

mv server.key /usr/local/pf/conf/ssl/

rm -f packetfence.csr privkey.pem

Final Steps

The final step is to run the command:

./configurator.pl

from within the pf directory. You will be offered a few options. For your first run you should run the Test Mode so you can get used to how Packetfence works. You will have to answer a few questions to complete the installation. Once you understand how this system works you can re-run the configurator script and choose one of the following modes:

• Test mode

• Registration

• Detection

• Registration & Detection

• Registration, Detection & Scanning

• Session-based Authentication

Some gotchas

Because you are installing this on Ubuntu, the Apache startup script is installed in /usr/bin/apache2 and not /usr/bin/httpd. Because of this a few modifications must be made. To do this open the file /usr/local/pf/conf/pf.conf and add the following lines to the end of that file:

[services]

httpd=/usr/sbin/apache2

The next step is to open the file /usr/local/pf/conf/templates/httpd.conf and add the following:

ServerRoot /usr/lib/apache2

Now, in the same file, modify the line:

LoadModule php4_module modules/libphp4.so

to reflect:

LoadModule php4_module /usr/lib/apache2/modules/libphp4.so

You might also find a few other lines that need to be modified. Go through the entire /usr/local/pf/conf/templates/httpd.conf file and change any module path references to reflect the:

/usr/lib/apache2/module

structure.

Finally, uncomment out the line for the php5 module (around line 79) and comment out the line for php4 (around line 80).

Start Packetfence

To start Packetfence issue the command:

sudo /usr/local/pf/bin/start

You should see the following output:

Checking configuration sanity...

service|command

config files|start

iptables|start

httpd|start

pfmon|start

pfdetect|start

snort|start

Stop Packetfence with the command:

/usr/local/pf/bin/stop

If you are sure the system is running the way you want it set it to start at boot with the following:

sudo cp /usr/local/pf/packetfence.init /etc/init.d/packetfence

sudo chmod 755 /etc/init.d/packetfence

sudo update-rc.d packetfence defaults

Restart Packetfence with the start command from above and you're ready to go.

Logging in

The first thing you will do once installed is to log into the system. Do this by opening up a browser and point it to:

https://IP_TO_SERVER:1443

Where IP_TO_SERVER is the IP address of the server.

Next steps

That's it for installation. In our next Packetfence article we will visit the web-based administration page.

Advertisement