Packetfence is an Open Source Network Access Control server. It is open, free, and very advanced.
On the other hand, it has been quite a challenge for me to set it up. They also provide a virtual machine called ZEN, which stands for Zero Effort NAC, but I chose to install it manually on Debian.
Being based on FreeRADIUS, it should integrate easily with Microsoft Active Directory for dot1x, but again I chose not to use AD, but OpenLDAP. This part has been difficult, since it is not that well documented.
Enable LDAP auth source
Setting up an LDAP Authentication Source in the web GUI is not enough. You’ll also need to manually enter your LDAP connection settings in /usr/local/pf/raddb/mods-available/ldap (this step is well documented on the above mentioned link), and create a soft link to it in /usr/local/pf/raddb/mods-enabled. Note that the link target is resolved relative to the mods-enabled directory, so it needs the leading "../":
cd /usr/local/pf/raddb
ln -s ../mods-available/ldap mods-enabled/ldap
Next, you’ll need to “activate” LDAP as an authorization source. Edit /usr/local/pf/conf/radiusd/packetfence-tunnel and uncomment “-ldap” in the authorization section:
#
#  The ldap module reads passwords from the LDAP database.
-ldap
Just below that line, you’ll need to add these lines:
-ldap
update control {
    MS-CHAP-Use-NTLM-Auth := No
}
Without “MS-CHAP-Use-NTLM-Auth := No”, FreeRADIUS will use the ntlm_auth module, which is needed for Active Directory (as far as I know) and does not work for OpenLDAP.
Restart radius:
service packetfence-radiusd-auth restart
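After the restart (or before it, to catch mistakes early) the script below verifies the three things this procedure changes: that mods-enabled/ldap is a link that actually resolves, that -ldap is active in the authorize section of packetfence-tunnel, and that the NTLM hand-off is switched off. It is an added example, not part of the original post or of PacketFence; it assumes the paths used above and, for the optional live check, that FreeRADIUS' radtest is installed and the auth server accepts requests from 127.0.0.1 with a client secret you know.

```shell
#!/bin/sh
# Post-setup checks for the PacketFence + OpenLDAP 802.1X configuration described above.
# Paths default to the ones used on this page; override them via the environment if needed.
PF_RADDB="${PF_RADDB:-/usr/local/pf/raddb}"
PF_TUNNEL="${PF_TUNNEL:-/usr/local/pf/conf/radiusd/packetfence-tunnel}"

# Is the ldap module enabled? mods-enabled/ldap must be a symlink that actually resolves
# (a relative link made from the wrong directory dangles and FreeRADIUS cannot load it).
ldap_module_enabled() {
    [ -L "$1/mods-enabled/ldap" ] && [ -e "$1/mods-enabled/ldap" ]
}

# Print the body of the "authorize { ... }" section of a virtual-server file, tracking
# brace depth so nested blocks such as "update control { ... }" stay inside it.
authorize_section() {
    awk '!in_sec && /^[[:space:]]*authorize[[:space:]]*[{]/ { in_sec = 1; depth = 1; next }
         in_sec {
             if ($0 !~ /^[[:space:]]*#/) depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
             if (depth <= 0) { in_sec = 0; next }
             print
         }' "$1"
}

# Is "-ldap" (or "ldap") listed in authorize on an uncommented line?
ldap_authorize_active() {
    authorize_section "$1" | grep -Eq '^[[:space:]]*-?ldap[[:space:]]*$'
}

# Is the NTLM hand-off for MS-CHAP switched off, so FreeRADIUS verifies the LDAP password itself?
ntlm_auth_disabled() {
    authorize_section "$1" | grep -Eq '^[[:space:]]*MS-CHAP-Use-NTLM-Auth[[:space:]]*:=[[:space:]]*No([[:space:]]|$)'
}

# Run every static check; returns 0 only if all of them pass.
check_config() {
    raddb="$1"; tunnel="$2"; rc=0
    ldap_module_enabled "$raddb"    || { echo "FAIL: $raddb/mods-enabled/ldap is missing or dangling"; rc=1; }
    ldap_authorize_active "$tunnel" || { echo "FAIL: -ldap is not active in authorize of $tunnel"; rc=1; }
    ntlm_auth_disabled "$tunnel"    || { echo "FAIL: MS-CHAP-Use-NTLM-Auth := No is not set in $tunnel"; rc=1; }
    return $rc
}

# Live check with FreeRADIUS' radtest: an MS-CHAP request for an LDAP user should get Access-Accept.
# Usage: live_mschap_test <ldap-user> <password> <radius-client-secret>
live_mschap_test() {
    radtest -t mschap "$1" "$2" 127.0.0.1 0 "$3" | grep -q 'Access-Accept'
}

if [ "${PF_SELFTEST:-0}" = 1 ]; then
    check_config "$PF_RADDB" "$PF_TUNNEL" && echo "OK: static checks passed"
fi
```

Run it with PF_SELFTEST=1 on the PacketFence host; a dangling mods-enabled/ldap link is the most common reason the ldap module is silently not loaded.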
Use plain-text passwords in OpenLDAP
This may sound insecure, but it is a requirement for FreeRADIUS to work with OpenLDAP. I highly recommend using ldaps instead of plain ldap, restricting read access to the password attribute to the account FreeRADIUS binds with, and if you use any GUI such as phpldapadmin, you’ll also want to set up https.
Create a new connection profile
As a last step, you need to create a new connection profile under Configuration > Policies and Access Control > Connection Profiles.
The new profile should contain one or more dot1x related filters; I used “Connection Type: Ethernet-EAP” and “Connection Type: Wireless-802.11-EAP”.
Troubleshooting
raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000
tail -f /usr/local/pf/logs/radius.log
Sources:
- Packetfence doc
- freeradius mailing list
- https://sourceforge.net/p/packetfence/mailman/message/36433000/
I am wondering if this will work for AD/LDAP without NTLM authentication (on my network NTLM auth on AD is disabled by NPS). Will write back after testing.
Hi bro, thanks for your tutorial.
Do you have a configuration for separating some users from OpenLDAP for bandwidth management using the captive portal on PacketFence?
I’ve searched the installation guide and asked on the Inverse GitHub, but no one has answered.
Hopefully you will answer my question.
Thank you
regards,
haikal
Hi,
Sorry, this is something I haven’t tried yet.
Rgds
Fijs
Hi Fijs.
Ok sure, how about using RADIUS with OpenLDAP?
Must a Realm be configured?
But it can’t be paired with any domain, right, since it must use AD to attach that domain?
Any suggestions?
Thanks
Regards,
Haikal