Install Packetfence for outstanding network access control
Network Access Control is a crucial aspect of medium to large scale networking. There are many tools to help you control who has access to your network; some of these tools are quite pricey and some of them do not do what you need them to do.
There is one NAC tool that is open source and does an outstanding job. The tool? Packetfence. The only downside to this tool is that it can be fairly overwhelming to get up and running.
In a series of articles I plan on helping you to get Packetfence up and running. To do this you will need a running installation of Ubuntu Server. Using Ubuntu Server will help keep the amount of necessary package installations to a minimum.
Don't think, however, you will get away with a couple of simple commands for installation. It's not that easy. But, in the end, you will be glad you took the time to get this marvel of a tool working. With all of that said, let's begin this process.
What you are going to need installed is the following:
- Snort
- MySQL
- Apache
- PHP
- Perl
- Perl Modules
- Packetfence
Some of the above will already be installed on your machine. If that's the case then you will only need to take a few steps for configuration.
Before you begin the installation of anything open up a terminal window and issue the command:
sudo apt-get update
This will make sure your sources are as up to date as they can be. NOTE: If, during any part of the installation, you get an error that a package was not found, go through your /etc/apt/sources.list file and make sure ALL of the repositories are uncommented. If you have to uncomment anything make sure you run the above command again.
There is one more command to run before you actually begin the installation of any of the software. Issue this:
sudo apt-get install build-essential
Which will allow the Ubuntu server install to compile from source.
Now let's begin.
Snort
Snort is used for intrusion detection and is the de facto standard for Linux. This package is installed with the command:
sudo apt-get install snort
After Snort is installed you have to stop it from running with the command:
sudo /etc/init.d/snort stop
You will also need to keep Snort from starting at boot with the command:
sudo update-rc.d -f snort remove
MySQL
Most likely MySQL is already installed. If not you can install it with:
sudo apt-get install mysql-server
Now things get a bit tricky. To make your life easier it is best to actually have a root password on your Ubuntu server. Do this with the command:
sudo passwd
and enter a password for the root user (You will have to verify this password as well.)
The next step is to change the MySQL administrator password. To do this issue the command:
mysql -u root -p
Since there is currently no MySQL password you should just hit enter and be at the MySQL prompt. Enter the following:
SET PASSWORD FOR root@localhost=PASSWORD('NEWPASSWORD');
Where NEWPASSWORD is the actual new password you want to use for MySQL.
Apache and PHP
If Apache is not installed, now's the time. But it's not just Apache you need to install. Packetfence requires a few of Apache's friends to come along for the ride. This is what you need to do. Issue the command:
sudo apt-get install apache2 libapache2-mod-proxy-html
Which will install Apache and the necessary proxy module. The next command:
sudo apt-get install libapache2-mod-php5 php-pear php5-mysql php5-gd
Will install all things necessary for PHP.
And just like we did with Snort, we are going to stop Apache and then prevent it from starting at boot with the following commands:
sudo /etc/init.d/apache2 stop
sudo update-rc.d -f apache2 remove
Perl and the Perl modules
There are two commands to run to get the necessary pieces of Perl installed:
sudo apt-get install perl-suid libterm-readkey-perl libconfig-inifiles-perl libnet-netmask-perl
sudo apt-get install libparse-recdescent-perl libnet-rawip-perl libtimedate-perl libwww-perl
Packetfence
Finally we are ready to install Packetfence itself. You will have to download the latest tar file from the Packetfence Download Page. Download the file and then move the file to /usr/local/. After the file has been moved, change to the /usr/local directory and issue this command to unpack the archive:
sudo tar xvzf packetfence-XXX.tar.gz
Where XXX is the actual release number.
Now you should have a new directory called pf. Change to the /usr/local/pf directory and issue the command:
sudo ./installer.pl
This is where the install actually takes some time. There are a LOT of questions for you to answer. Many of the defaults will work, but don't just blindly hit Enter - make sure you know what you're accepting. Here you will need that MySQL password you created. You will also want to allow Packetfence to create the database for you. Don't do this on your own or Packetfence will throw up enough errors to scare you away for good.
SSL Certificate
Before you complete your installation you will need to create an SSL certificate for security purposes. Do this with the following commands:
cd /tmp
openssl req -new > packetfence.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in packetfence.csr -out server.crt -req -signkey server.key -days 365
sudo mv server.crt /usr/local/pf/conf/ssl/
sudo mv server.key /usr/local/pf/conf/ssl/
rm -f packetfence.csr privkey.pem
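A non-interactive variant of the certificate steps above, as an added example that is not from the original article or the Packetfence project: it creates the key under a restrictive umask so it is never readable by other users of a shared directory such as /tmp, then checks that the certificate and key belong together and how long the certificate remains valid. The function names and the sample CN are assumptions.

```sh
#!/bin/sh
# Added example: function names and the CN are assumptions, not Packetfence's.

# make_selfsigned DIR CN [DAYS]: write DIR/server.key and DIR/server.crt.
# umask 077 inside the subshell keeps the private key private from creation on.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes \
            -subj "/CN=$cn" -days "$days" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/server.crt"   # the certificate is public; only the key is secret
}

# pubkey_of FILE cert|key: print the public key held in a certificate or private key.
pubkey_of() {
    case $2 in
        cert) openssl x509 -in "$1" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$1" -pubout 2>/dev/null ;;
        *)    return 1 ;;
    esac
}

# cert_matches_key CRT KEY: succeed only if both files hold the same public key.
cert_matches_key() {
    a=$(pubkey_of "$1" cert) || return 1
    b=$(pubkey_of "$2" key) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_is_private KEY: succeed only if group and other have no permissions at all.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# cert_valid_for CRT DAYS: succeed if the certificate is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

After moving the files, the same checks can be pointed at /usr/local/pf/conf/ssl/server.crt and server.key; running cert_valid_for from cron gives a warning before a 365-day self-signed certificate expires.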
Final Steps
The final step is to run the command:
sudo ./configurator.pl
from within the pf directory. You will be offered a few options. For your first run you should run the Test Mode so you can get used to how Packetfence works. You will have to answer a few questions to complete the installation. Once you understand how this system works you can re-run the configurator script and choose one of the following modes:
- Test mode
- Registration
- Detection
- Registration & Detection
- Registration, Detection & Scanning
- Session-based Authentication
Some gotchas
Because you are installing this on Ubuntu, the Apache startup script is installed in /usr/bin/apache2 and not /usr/bin/httpd. Because of this a few modifications must be made. To do this open the file /usr/local/pf/conf/pf.conf and add the following lines to the end of that file:
[services]
httpd=/usr/sbin/apache2
The next step is to open the file /usr/local/pf/conf/templates/httpd.conf and add the following:
ServerRoot /usr/lib/apache2
Now, in the same file, modify the line:
LoadModule php4_module modules/libphp4.so
to reflect:
LoadModule php4_module /usr/lib/apache2/modules/libphp4.so
You might also find a few other lines that need to be modified. Go through the entire /usr/local/pf/conf/templates/httpd.conf file and change any module path references to use the directory:
/usr/lib/apache2/modules
Finally, uncomment the line for the php5 module (around line 79) and comment out the line for php4 (around line 80).
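The httpd.conf template edits above can be scripted so they are repeatable and checked. This is an added example, not part of the original article or the Packetfence project; the function names and the sample template are constructed, and the name of the php5 line is assumed to follow the pattern of the php4 line shown above.

```sh
#!/bin/sh
# Added example; the sample template below is constructed, not Packetfence's file.

# Constructed excerpt in the shape the article describes (php4 active, php5 commented).
sample_template() {
    cat <<'EOF'
Listen 1443
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule php4_module modules/libphp4.so
#LoadModule php5_module modules/libphp5.so
EOF
}

# fix_httpd_template FILE [MODDIR]: print FILE with the article's edits applied.
# Safe to run twice: absolute paths and already-commented lines are left alone.
fix_httpd_template() {
    moddir=${2:-/usr/lib/apache2/modules}
    # Add ServerRoot only when the template does not set one already.
    grep -Eq '^[[:space:]]*ServerRoot[[:space:]]' "$1" ||
        echo "ServerRoot /usr/lib/apache2"
    sed -E \
        -e "s|^([[:space:]]*#*[[:space:]]*LoadModule[[:space:]]+[^[:space:]]+[[:space:]]+)modules/|\\1$moddir/|" \
        -e 's|^[[:space:]]*#+[[:space:]]*(LoadModule[[:space:]]+php5_module)|\1|' \
        -e 's|^[[:space:]]*(LoadModule[[:space:]]+php4_module)|#\1|' \
        "$1"
}

# list_missing_modules FILE: print every active LoadModule path that is not on disk.
list_missing_modules() {
    awk '$1 == "LoadModule" { print $3 }' "$1" | while read -r so; do
        [ -e "$so" ] || echo "$so"
    done
}
```

Write the output to a new file and diff it against the template before replacing anything; an empty result from list_missing_modules means every module the template loads is actually installed.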
Start Packetfence
To start Packetfence issue the command:
sudo /usr/local/pf/bin/start
You should see the following output:
Checking configuration sanity...
service|command
config files|start
iptables|start
httpd|start
pfmon|start
pfdetect|start
snort|start
Stop Packetfence with the command:
sudo /usr/local/pf/bin/stop
If you are sure the system is running the way you want it, set it to start at boot with the following:
sudo cp /usr/local/pf/packetfence.init /etc/init.d/packetfence
sudo chmod 755 /etc/init.d/packetfence
sudo update-rc.d packetfence defaults
Restart Packetfence with the start command from above and you're ready to go.
Logging in
The first thing you will do once Packetfence is installed is log into the system. Do this by opening up a browser and pointing it to:
https://IP_TO_SERVER:1443
Where IP_TO_SERVER is the IP address of the server.
Next steps
That's it for installation. In our next Packetfence article we will visit the web-based administration page.
Done. Everything is easy to install.. but difficult to configure ..
Can you give a detailed sample, e.g. registration and scanning .. how about the iptables, DNS and any network topology
step by step instruction ..
thanks
Louie, thanks for the post. I am still wrestling with finishing the install, but I have to admit to my 1D10T mistake of not paying attention to detail… YUM was tossing it back because I was using the 64bit CentOS instead of the 32bit. Publicly admitting that will hopefully help somebody while giving others a chuckle.
Packetfence did install on Ubuntu Server 9 but I gave up on the Ubuntu install and tried the CentOS route because I stumbled all over the command line and RHEL or CentOS is what the PacketFence site said was the easiest, due to an rpm in their Yum repository… Not true, at least according to my experience. That rpm does not exist and when trying to install PF, all sorts of dependency issues are thrown and not all of those are available either so the install never happens. I am at a loss and would love a few kind pushes in the right direction. I want to install PF using VirtualBox on my Snow Leopard server. The ZEN version does not work there. Anyone? Thanks in advance. ~Les
Packetfence does work well on RHEL or Cent. Follow the guideline, especially the part about adding additional repos. I believe in order to install properly the dag repo & packetfence repo have to be enabled. After, do a yum update followed by yum search packetfence. If all goes well you should see the package for packetfence.
Good luck!
I am installing packetfence on ubuntu desktop. I did the installations for snort, apache, etc. When I start packetfence, I get the following error:
Can't locate Readonly.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.0 /usr/local/share/perl/5.10.0 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/local/pf/bin/pfcmd line 58.
BEGIN failed--compilation aborted at /usr/local/pf/bin/pfcmd line 58.
Any suggestions?
Tried installing packetfence 1.87.tar.gz in ubuntu 9.10 desktop and it didn't work. Does it have to be installed in ubuntu server? Does it matter? I'm contemplating suicide because of packetfence's non-helpful installation guide.
I need help on packetfence from scratch!!!!!!!!!!!!!!!!!!!!!
A very helpful article, but it is not as in-depth as to be helpful. For instance, it is taken for granted that a user knows how to manipulate files when they are not root. Given that the beginning of the article is quite detailed, after the download of packetfence, the noob is lost…
Great stuff, but where is part two on using Packetfence?
Was running the installer script for packetfence, when it died at installing net-pcap?
Now what?