Monday, August 27, 2012

PacketFence - 1.6.7

So I run a NAC solution called PacketFence (http://packetfence.org). This is an open-source project. At the time I started using it, I had mainly used Windows boxes, some VMS (scary), but very little Linux. The project was brought to my attention via a student employee, who was much more proficient with Linux than I. He set up a working copy on a desktop machine as a proof of concept. Seemed to work and was customisable and it was the right price, FREE.

The method used in PacketFence 1.6... was ARP spoofing. Yes, I did just say ARP spoofing. For the configuration/process:

  1. Trunk VLAN to server
  2. Give the PF server an IP address on the VLAN
  3. Tell PF that it was trapping on that network
  4. Every 60 seconds it ran its "ARP Gun"
  5. Inject the MAC address of the PF server as the router for systems that were not registered
  6. Client would go to the PF server as gateway
  7. PF server displays the captive portal
  8. User registers with the captive portal
  9. PF would "release user", giving them back the correct address of the production router

This method worked fairly well. Some problems with it:
  1. Trapping/registration didn't happen right away; it could take hours.
  2. Clients that had the MAC of the router on their subnet could place a static entry in their ARP table and bypass registration/trapping.
  3. A/V and security suites would detect the MAC change of the router and throw warnings.
  4. Overhead of listening on several VLANs
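
The kind of check behind problem 3, as an added example that is not part of the original post and not PacketFence code: it parses ARP payloads and reports each time the gateway IP is claimed by a different MAC. The addresses and the sample payloads are constructed for illustration.

```python
import struct

# ARP payload layout (RFC 826) for Ethernet/IPv4: 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in sha)
    ip = ".".join(str(b) for b in spa)
    return op, mac, ip

def gateway_mac_changes(payloads, gateway_ip):
    """Return [(old_mac, new_mac), ...] for each change of the gateway's MAC."""
    changes, current = [], None
    for p in payloads:
        parsed = parse_arp(p)
        if parsed is None or parsed[2] != gateway_ip:
            continue  # malformed, or a binding for some other host
        mac = parsed[1]
        if current is not None and mac != current:
            changes.append((current, mac))
        current = mac
    return changes

def _sample_payload(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply payload (opcode 2) for the sample below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda i: bytes(int(x) for x in i.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, to_mac(sender_mac),
                       to_ip(sender_ip), to_mac(target_mac), to_ip(target_ip))

# Constructed sample: router answers, NAC server claims the gateway, then release.
ROUTER, NAC, CLIENT = "00:00:5e:00:53:01", "00:00:5e:00:53:aa", "00:00:5e:00:53:10"
SAMPLE = [
    _sample_payload(ROUTER, "192.0.2.1", CLIENT, "192.0.2.50"),
    _sample_payload(CLIENT, "192.0.2.50", ROUTER, "192.0.2.1"),
    _sample_payload(NAC, "192.0.2.1", CLIENT, "192.0.2.50"),
    _sample_payload(ROUTER, "192.0.2.1", CLIENT, "192.0.2.50"),
]

if __name__ == "__main__":
    for old, new in gateway_mac_changes(SAMPLE, "192.0.2.1"):
        print(f"gateway 192.0.2.1 moved {old} -> {new}")
```
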

After running this for many years, I decided that some changes were in order for the design of the network, and trunking these VLANs into the PF server would not be feasible. Also, with the effectiveness of trapping lessening, it was time for an upgrade.

The next post will be on the upgrade process and current version. Stay tuned.
