Thursday, 15 October 2015

PacketFence OpenWrt hostapd installation

OpenWrt BarrierBreaker 14.07 with hostapd Quick Integration Guide
=================================================================
:encoding: UTF-8
:lang: en
:doctype: book

include::includes/global-attributes.asciidoc[]

About this Guide
----------------
This guide has been created in order to help sales engineers, product managers, or network specialists demonstrate the PacketFence capabilities on-site with an existing or potential customer. It can also provide guidelines to set up a proof of concept for a potential PacketFence deployment using OpenWrt BarrierBreaker 14.07 with hostapd.

Introduction
------------
This guide will provide an example for the configuration of an open SSID (not encrypted) and a secured SSID (802.1x). You will need to install wpad and hostapd. These two SSIDs will do RADIUS authentication against PacketFence.

Assumptions
-----------
* You have a configured PacketFence environment with working test equipment
* The management IP of PacketFence will be 192.168.1.10 and has s3cr3t as its RADIUS shared secret
* You have an access point with OpenWrt BarrierBreaker 14.07 installed


Quick installation
------------------
Step 1: Packages installation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can install the packages from the web interface of OpenWrt.

Go to *System -> Software*

First, update the package lists by clicking the 'Update lists' button if they are not up to date.

Then you will have to install the hostapd and wpad packages.

Go to the tab 'Available packages' and search for the hostapd package by typing its name in the 'Filter:' field.

Click Install for the hostapd package; the current version is 2014-06-03.1-1.

Do the same process for the wpad package version 2014-06-03.1-1.

NOTE: You will need the packages hostapd-common and wpad-mini if they are not installed by default.

Step 2: Dynamic VLAN Configuration

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Connect using SSH to the AP and create the file /etc/config/hostapd.vlan with the following content:
----
*           wlan0.#
----

Step 3: Hostapd configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You will need to modify the hostapd script that comes with the package that we previously installed.

Connect using SSH to the AP and run these commands:
----
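cd /lib/netifd/
mv hostapd.sh hostapd.sh.old
opkg install curl
# Fetch the raw file: the /tree/ page URL returns GitHub's HTML page, not the script.
# --insecure skips TLS certificate verification, so read hostapd.sh before running 'wifi'.
curl --insecure https://raw.githubusercontent.com/inverse-inc/packetfence/devel/addons/hostapd/hostapd-14.07.sh > hostapd.sh
wifi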
----

Step 4: Configure the SSIDs
~~~~~~~~~~~~~~~~~~~~~~~~~~~
To configure the PF-Open SSID, we will use UCI:

----
# Create a new wifi-iface section, then set its options ([-1] is the section just added)
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].device="radio0"
uci set wireless.@wifi-iface[-1].mode="ap"
uci set wireless.@wifi-iface[-1].ssid="PF-Open"
uci set wireless.@wifi-iface[-1].network="lan"
uci set wireless.@wifi-iface[-1].encryption="none"
uci set wireless.@wifi-iface[-1].auth_server="192.168.1.10"
uci set wireless.@wifi-iface[-1].auth_port="1812"
uci set wireless.@wifi-iface[-1].auth_secret="s3cr3t"
uci set wireless.@wifi-iface[-1].acct_server="192.168.1.10"
uci set wireless.@wifi-iface[-1].acct_port="1813"
uci set wireless.@wifi-iface[-1].acct_secret="s3cr3t"
uci set wireless.@wifi-iface[-1].dynamic_vlan="2"
uci set wireless.@wifi-iface[-1].vlan_file="/etc/config/hostapd.vlan"
uci set wireless.@wifi-iface[-1].vlan_tagged_interface="eth0"
uci set wireless.@wifi-iface[-1].dae_secret="s3cr3t"
uci set wireless.@wifi-iface[-1].dae_client="192.168.1.10"
uci set wireless.@wifi-iface[-1].dae_port="3799"
uci set wireless.@wifi-iface[-1].macfilter="2"
uci set wireless.@wifi-iface[-1].nasid="ubiquiti"
uci commit
----

Configure the PF-Secure SSID:

----
# Create a second wifi-iface section for the 802.1x SSID ([-1] is the section just added)
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].device="radio0"
uci set wireless.@wifi-iface[-1].mode="ap"
uci set wireless.@wifi-iface[-1].ssid="PF-Secure"
uci set wireless.@wifi-iface[-1].network="lan"
uci set wireless.@wifi-iface[-1].encryption="wpa2"
uci set wireless.@wifi-iface[-1].auth_server="192.168.1.10"
uci set wireless.@wifi-iface[-1].auth_port="1812"
uci set wireless.@wifi-iface[-1].auth_secret="s3cr3t"
uci set wireless.@wifi-iface[-1].acct_server="192.168.1.10"
uci set wireless.@wifi-iface[-1].acct_port="1813"
uci set wireless.@wifi-iface[-1].acct_secret="s3cr3t"
uci set wireless.@wifi-iface[-1].dynamic_vlan="2"
uci set wireless.@wifi-iface[-1].vlan_file="/etc/config/hostapd.vlan"
uci set wireless.@wifi-iface[-1].vlan_tagged_interface="eth0"
uci set wireless.@wifi-iface[-1].dae_secret="s3cr3t"
uci set wireless.@wifi-iface[-1].dae_client="192.168.1.10"
uci set wireless.@wifi-iface[-1].dae_port="3799"
uci set wireless.@wifi-iface[-1].macfilter="2"
uci set wireless.@wifi-iface[-1].nasid="ubiquiti"
uci commit
----

To apply this configuration, run the command 'wifi' while connected to the AP over SSH. It will reload the configuration and broadcast the SSID.

NOTE: It is a known limitation that two SSIDs cannot use the same DAE server at the same time. The deauthentication will not work on the second SSID.

Step 5: PacketFence configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log in to the PacketFence administration web page and go under *Configuration -> Switches -> Add switch*.

Definition:
[options="compact"]
* *IP Address/MAC Address/Range (CIDR)*: IP of your access point
* *Type*: Hostapd
* *Mode*: production
* *Deauthentication Method*: RADIUS
* *Dynamic Uplinks*: Checked

Roles:
[options="compact"]
* *Role by VLAN ID*: Checked
* *Registration*: Your registration VLAN ID
* *Isolation*: Your isolation VLAN ID

RADIUS:
[options="compact"]
* *Secret Passphrase*: s3cr3t

Save this configuration by clicking the 'Save' button.

Step 6: Troubleshoot
~~~~~~~~~~~~~~~~~~~~

Here are a few things you can do or check to see if your configuration is working.

To check the wireless configuration, run 'uci show wireless' or 'cat /etc/config/wireless'.
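
The check above can be scripted. The following shell function is an added example, not part of the PacketFence guide: it reads 'uci show wireless' output and reports Step 4 options that are missing, secrets still set to the guide's s3cr3t placeholder, and SSIDs that share a DAE server (the limitation noted in Step 4). The function names, finding labels and sample data are constructed for illustration.

```shell
# Added example: audit `uci show wireless` output for the settings this guide relies on.
audit_wireless() {
    awk -v q="'" -v need="auth_server auth_secret dynamic_vlan vlan_file dae_client dae_secret" '
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub("^" q "|" q "$", "", val)        # newer uci versions quote values
        n = split(key, p, ".")
        if (n == 2 && val == "wifi-iface") order[++count] = p[2]
        else if (n == 3) opt[p[2], p[3]] = val
    }
    END {
        m = split(need, req, " ")
        for (i = 1; i <= count; i++) {
            s = order[i]
            for (j = 1; j <= m; j++) {
                if (!((s, req[j]) in opt)) print "MISSING " s " " req[j]
                else if (req[j] ~ /_secret$/ && opt[s, req[j]] == "s3cr3t")
                    print "EXAMPLE_SECRET " s " " req[j]   # guide placeholder still in use
            }
            d = opt[s, "dae_client"]           # the guide notes two SSIDs cannot share a DAE server
            if (d == "") continue
            if (d in seen) print "DAE_SHARED " s " " seen[d] " " d
            else seen[d] = s
        }
    }'
}

# Constructed sample input (not taken from a real access point).
sample_config() {
    cat <<'EOF'
wireless.radio0=wifi-device
wireless.@wifi-iface[0]=wifi-iface
wireless.@wifi-iface[0].auth_server=192.168.1.10
wireless.@wifi-iface[0].auth_secret=s3cr3t
wireless.@wifi-iface[0].dynamic_vlan=2
wireless.@wifi-iface[0].vlan_file=/etc/config/hostapd.vlan
wireless.@wifi-iface[0].dae_client=192.168.1.10
wireless.@wifi-iface[0].dae_secret=s3cr3t
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].auth_server='192.168.1.10'
wireless.@wifi-iface[1].auth_secret='constructed-secret-1'
wireless.@wifi-iface[1].dynamic_vlan='2'
wireless.@wifi-iface[1].dae_client='192.168.1.10'
wireless.@wifi-iface[1].dae_secret='constructed-secret-1'
EOF
}

sample_config | audit_wireless    # on the AP: uci show wireless | audit_wireless
```

On the constructed sample this reports two EXAMPLE_SECRET findings for the first SSID, a missing vlan_file on the second, and one DAE_SHARED finding.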



PacketFence Installation in CentOS 6.x

Install PacketFence on CentOS 6.x



First do a standard install of CentOS 6. After the standard install, assign the proper IP addresses to all the network cards before you install PacketFence. After that, follow these step-by-step instructions to install PacketFence.

Update CentOS

1. yum update

Install Wget

2. yum install wget

Add RPMforge

3. wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

4. rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
or gpg --import http://apt.sw.be/RPM-GPG-KEY.dag.txt

5. rpm -i rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Add EPEL software repository:

6. rpm -Uvh http://mirror.yourconnect.com/epel/6/i386/epel-release-6-8.noarch.rpm

Add Open Fusion RPM Repository

7. rpm -Uvh http://repo.openfusion.net/centos6-x86_64/openfusion-release-0.6.2-1.of.el6.noarch.rpm

Exclude perl-Apache-Test from rpmforge and openfusion repository

8. vi /etc/yum.repos.d/rpmforge.repo

9. Add the line exclude = perl-Apache-Test* in the section [rpmforge]

10. vi /etc/yum.repos.d/openfusion.repo

11. Add the line exclude = perl-Apache-Test* in the section [of]

12. In order to use the repository, create a file named /etc/yum.repos.d/PacketFence.repo

13. Give the file the following content:

[PacketFence]
name=PacketFence Repository
baseurl=http://inverse.ca/downloads/PacketFence/RHEL$releasever/$basearch
gpgcheck=0
enabled=0

Install PacketFence with all its dependencies

14. yum groupinstall --enablerepo=PacketFence,rpmforge Packetfence-complete

Once PacketFence is installed, it can be configured through the GUI interface at:

http://ipaddress:1444/configurator

The management interface will be at:

http://ipaddress:1443

If you cannot get to the web page, you will need to turn off the firewall on the server. To do this, type the following: service iptables stop

Step 1: Choose the type of Enforcement that you want. Either Inline Enforcement or VLAN Enforcement. For my situation, I have selected both.
     - Inline Enforcement means that the PacketFence server will sit between the computer and the network/internet.
     - VLAN Enforcement means that the PacketFence server does not sit between the computer and the network/internet. It will change the config on the managed switch for each individual port on the switch.
Step 2: Networks. Add your networks.
If you are using VLAN Enforcement, make sure you specify your Management VLAN, Registration VLAN, and Isolation VLAN.
     - To add a VLAN, click on "Add VLAN" under Actions.
Step 3: Database Configuration
     - Click on Test. You will be asked to set the MySQL admin password.
*Note: If you receive an error message when you click on test, make sure MySQL is running on the server.
     - Click on "Create the database".
     - Under "Create a PacketFence account" type in a password and then type it again to confirm it. Now click on "Create User".
Step 4: PacketFence Configuration
Type in your domain, the hostname of the server, any DHCP servers on your network under General.
Type in an email address under Alerting.
Step 5: Administration
Create a username and password for the administration interface.
Step 6: Start PacketFence
Click on "Start PacketFence"
Once PacketFence is started, you will be asked if you want to go to the Administration Interface. I clicked yes and then was taken to the admin page.