Monday, August 27, 2012

PacketFence - 1.6.7

So I run a NAC solution called PacketFence. This is an open-source project. At the time I started using it, I had mainly used Windows boxes and some VMS (scary), but very little Linux. The project was brought to my attention by a student employee who was much more proficient with Linux than I was. He set up a working copy on a desktop machine as a proof of concept. It seemed to work, it was customisable, and it was the right price: FREE.

The method used in PacketFence 1.6 was ARP spoofing. Yes, I did just say ARP spoofing. The configuration/process:

  1. Trunk the VLAN to the server
  2. Give the PF server an IP address on that VLAN
  3. Tell PF that it is trapping on that network
  4. Every 60 seconds it runs its "Arp Gun"
  5. The MAC address of the PF server is injected as the router for systems that are not registered
  6. The client sends traffic to the PF server as its gateway
  7. The PF server displays the captive portal
  8. The user registers with the captive portal
  9. PF "releases" the user, giving them back the correct address of the production router
This method worked fairly well. Some problems with it:
  1. Trapping/registration didn't happen right away; it could take hours.
  2. Clients that knew the MAC of the router on their subnet could place a static entry in their ARP table and bypass registration/trapping.
  3. A/V and security suites would detect the MAC change of the router and throw warnings.
  4. Overhead of listening on several VLANs
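As an added example (not from the original post and not PacketFence code), here is the defender-side view of problem 3: a small check that walks an ordered list of ARP replies and reports each time the MAC answering for the gateway IP changes, labelling a move away from the expected router MAC as a hijack and a move back as a restore. The gateway IP, the MAC addresses and the sample ARP replies are constructed assumptions.

```python
from collections import namedtuple

GATEWAY_IP = "10.1.1.1"                  # assumed production router IP
PROD_ROUTER_MAC = "00:11:22:33:44:55"    # assumed MAC the gateway should have

# Constructed sample ARP replies: (seconds since capture start, sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    (0,   "10.1.1.1",  "00:11:22:33:44:55"),  # real router answering for the gateway
    (30,  "10.1.1.1",  "00:11:22:33:44:55"),
    (60,  "10.1.1.1",  "AA:BB:CC:DD:EE:FF"),  # a different MAC now claims the gateway
    (120, "10.1.1.1",  "aa:bb:cc:dd:ee:ff"),  # same MAC, different case: not a change
    (180, "10.1.1.1",  "00:11:22:33:44:55"),  # gateway back on the real router
    (200, "10.1.1.50", "de:ad:be:ef:00:01"),  # unrelated host, ignored
]

Change = namedtuple("Change", "time old_mac new_mac")

def gateway_mac_changes(replies, gateway_ip):
    """Return one Change for each time the MAC claiming gateway_ip differs
    from the previous MAC seen for it in the ordered reply stream."""
    last = None
    changes = []
    for t, ip, mac in replies:
        if ip != gateway_ip:
            continue
        mac = mac.lower()          # normalise case so "AA:BB" and "aa:bb" match
        if last is not None and mac != last:
            changes.append(Change(t, last, mac))
        last = mac
    return changes

def classify(changes, trusted_mac):
    """Label each change relative to the MAC the gateway should have:
    'hijack' when it leaves trusted_mac, 'restore' when it returns to it,
    'other' when neither side of the change is the trusted MAC."""
    trusted = trusted_mac.lower()
    labels = []
    for c in changes:
        if c.old_mac == trusted and c.new_mac != trusted:
            labels.append((c.time, "hijack"))
        elif c.new_mac == trusted:
            labels.append((c.time, "restore"))
        else:
            labels.append((c.time, "other"))
    return labels

if __name__ == "__main__":
    events = classify(gateway_mac_changes(SAMPLE_ARP_REPLIES, GATEWAY_IP), PROD_ROUTER_MAC)
    for t, label in events:
        print(f"t={t:>4}s gateway MAC {label}")
```

A client that pinned the router MAC with a static ARP entry (problem 2) never sees the hijack, which is exactly why that bypass worked.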
After running this for many years, I decided that some changes were in order for the design of the network, and trunking these VLANs into the PF server would not be feasible. Also, with the effectiveness of trapping lessening, it was time for an upgrade.

Next Post will be on the upgrade process and current version. Stay tuned. 

Thursday, August 2, 2012

NAC - Sounds Scary - First Thoughts

So for the last 12 years that I have run the network at my University we have tried various methods to manage student devices on the network.

  • Paper Forms (Dumb ass Idea)
  • Port-Security (Static, goes in with above)
  • VMPS (If I remember correctly, you know, the Cisco VLAN switch-a-roo server). Kinda worked. Custom front-end written by a former student.
  • PacketFence 1.6 - (Ran that version for like 4 years)
  • PacketFence 3.5 - (Started at 3.2 testing, Prod today is at that version)

NAC can be hard and painful to implement. As you can see from the above, I've used a couple of versions of PacketFence. I am happy with the product. I've been very pleased with the work the lead developers have done since the project gained backing a few years ago.

I plan to run through the deployment that I have just about completed soon. So stay tuned. Just not too soon: it is August and students are starting to return to campus, which means that if I wasn't busy before, I will be now.