Network Access Control is a crucial aspect of medium to large scale networking. There are many tools to help you control who has access to your network; Some of these tools are quite pricey and some of them do not do what you need them to do.
There is one NAC tool that is open source and does an outstanding job. The tool? Packetfence. The only downside to this tool is that it can be fairly overwhelming to get up and running.
In a series of articles I plan on helping you to get Packetfence up and running. To do this you will need a running installation of Ubuntu Server. Using Ubuntu Server will help keep the amount of necessary package installations to a minimum.
Don't think, however, you will get away with a couple of simple commands for installation. It's not that easy. But, in the end, you will be glad you took the time to get this marvel of a tool working. With all of that said, let's begin this process.
What you are going to need installed is the following:
Some of the above will already be installed on your machine. If that's the case then you will only need to take a few steps for configuration.
Before you begin the installation of anything open up a terminal window and issue the command:
sudo apt-get update
This will make sure your sources are as up to date as the can be. NOTE: If, during any part of the installation, you get an error that a package was not found, go through your /etc/apt/sources.list file and make sure ALL of the repositories are uncommented. If you have to uncomment anything make sure you run the above command again.
The final step before you actually begin the installation of any of the software there is one more command to run. Issue this:
sudo apt-get install build-essential
Which will allow the Ubuntu server install to compile from source.
Now let's begin.
Snort is used for intrusion detection and is the defacto-standard for Linux. This package is installed with the command:
sudo apt-get install snort
After Snort is installed you have to stop it from running with the command:
sudo /etc/init.d/snort stop
You will also need to keep Snort from starting at boot with the command:
sudo update-rc.d -f snort remove
Most likely MySQL is already installed. If not you can install it with:
sudo apt-get install mysql-server
Now things get a bit tricky. To make your life easier it is best to actually have a root password on your Ubuntu server. Do this with the command:
and enter a password for the root user (You will have to verify this password as well.)
The next step is to change the MySQL administrator password. To do this issue the command:
mysql -u root -p
Since there is currently no MySQL password you should just hit enter and be at the MySQL prompt. Enter the following:
SET PASSWORD FOR [email protected]=PASSWORD('NEWPASSWORD');
Where NEWPASSWORD is the actual new password you want to use for MySQL.
If Apache is not installed, now's the time. But it's not just Apache you need to install. Packetfence requires a few of Apache's friend to come along for the ride. This is what you need to do. Issue the command:
sudo apt-get install apache2 libapache2-mod-proxy-html
Which will install Apache and the necessary proxy module. The next command:
sudo apt-get install libapache2-mod-php5 php-pear php5-mysql php5-gd
Will install all things necessary for PHP.
And just like we did with Snort, we are going to stop Apache and then prevent it from starting at boot with the following commands:
sudo /etc/init.d/apache2 stop
sudo update-rc.d -f apache2 remove
There are two commands to run to get the necessary pieces of Perl installed:
sudo apt-get install perl-suid libterm-readkey-perl libconfig-inifiles-perl libnet-netmask-perl
sudo apt-get install libparse-recdescent-perl libnet-rawip-perl libtimedate-perl libwww-perl
Finally we are ready to install Packetfence itself. You will have to download the latest tar file from the Packetfence Download Page. Download the file and then move the file to /usr/local/. After the file has been moved, change to the /usr/local directory and issue this command to unpack the archive:
sudo tar xvzf packetfence-XXX.tar.gz
Where XXX is the actual release number.
Now you should have a new directory called pf. Change to the /usr/local/pf directory and issue the command:
This is where the install actually takes some time. There are a LOT of questions for you to answer. Many of the defaults will work, but don't just blindly hit Enter - make sure you know what you're accepting. Here you will need that MySQL password you created. You will also want to allow Packetfence to create the database for you. Don't do this on your own or Packetfence will throw up enough errors to scare you away for good.
Before you complete your installation you will need to create an SSL certificate for security purposes. Do this with the following commands:
openssl req -new > packetfence.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in packetfence.csr -out server.crt -req -signkey server.key -days 365
mv server.crt /usr/local/pf/conf/ssl/
mv server.key /usr/local/pf/conf/ssl/
rm -f packetfence.csr privkey.pem
The final step is to run the command:
from within the pf directory. You will be offered a few options. For your first run you should run the Test Mode so you can get used to how Packetfence works. You will have to answer a few questions to complete the installation. Once you understand how this system works you can re-run the configurator script and choose one of the following modes:
Registration & Detection
Registration, Detection & Scanning
Because you are installing this on Ubuntu, the Apache startup script is installed in /usr/bin/apache2 and not /usr/bin/httpd. Because of this a few modifications must be made. To do this open the file /usr/local/pf/conf/pf.conf and add the following lines to the end of that file:
The next step is to open the file /usr/local/pf/conf/templates/httpd.conf and add the following:
Now, in the same file, modify the line:
LoadModule php4_module modules/libphp4.so
LoadModule php4_module /usr/lib/apache2/modules/libphp4.so
You might also find a few other lines that need to be modified. Go through the entire /usr/local/pf/conf/templates/httpd.conf file and change any module path references to reflect the:
Finally, uncomment out the line for the php5 module (around line 79) and comment out the line for php4 (around line 80).
To start Packetfence issue the command:
You should see the following output:
Checking configuration sanity...
Stop Packetfence with the command:
If you are sure the system is running the way you want it set it to start at boot with the following:
sudo cp /usr/local/pf/packetfence.init /etc/init.d/packetfence
sudo chmod 755 /etc/init.d/packetfence
sudo update-rc.d packetfence defaults
Restart Packetfence with the start command from above and you're ready to go.
The first thing you will do once installed is to log into the system. Do this by opening up a browser and point it to:
Where IP_TO_SERVER is the IP address of the server.
That's it for installation. In our next Packetfence article we will visit the web-based administration page.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.