Tuesday, June 25, 2013

PacketFence 4.0.1 - First load

As the summer window of working on projects before the day students return is rapidly shrinking, I needed to start on my PacketFence upgrade. If you have read my blog before, you may know I am a pretty big user of it.

As I wrote back in May, it is a fresh install, with no direct upgrade path. Getting started, I loaded up a VM with CentOS 6.4 and started down the PacketFence Admin Guide to install. The install guide is fairly straightforward to follow. There is a section on install in which, on RHEL/CentOS systems, you have to add additional repos to get things going.




Great, been here; not sure I remember the last one from the last install. OK, no big deal, right? I hit a small roadblock with this one. There is only 1 copy of that repo, and it was down. Argh!

Read some more into the doc:

Debian and Ubuntu
All the PacketFence dependencies are available through the official repositories.

OK, scrap the CentOS 6 install, load up Debian and let's rock. Everything went smoothly after that.

PacketFence installed within 15 minutes of the Debian system being up.

Initial Impressions:

Web Configurator: Awesome to help get things set up.
New Admin Portal: Awesome, leaps and bounds better than 3.5x; the amount you can change inside the interface is great. I was editing the AUP_Text, saving, and refreshing the captive portal with the changes live. (Couldn't do that before.)

System performance: Not in production yet so can't say.

The interface is snappy. The search is great with the ease that you can add on more rules to search for to narrow down the person/node that you are looking for.

Guest management is just what I was looking for.

This is NAC that Excites. Hats off to the Inverse.ca team for this work.

Friday, June 21, 2013

Certification - Where do I start from?

So I have been working in IT since 1996, did mostly PC work until 2000 when I started doing this network thing... We had all this Cisco gear, and I wanted to go get my Cisco certs. But it was clear that they were not going to help in my current employment (financially). Put it on the back burner, kids came along, further back.... Less and less Cisco gear, some staleness in learning on my part, also additional responsibilities. Finally decided to get my Master's degree (price was right, working in EDU does have some perks).

Now after starting this blog, using Twitter, and connecting with others in the industry, I have decided that maybe it is time to move ahead with a certification. My goal is not to accumulate certs for the sake of doing so. It really is about learning and growing.

Daily tasks cover lots of topics, not just networking: Server Admin, Telecom, Networking, PC, Database, Security, etc. The "All other duties as assigned" part of the job description fits quite well. This happens when working in an IT department of 7, err maybe 8 now.

In my goals for my review this year I put down obtaining one certification. The $64,000 question is which one?
That is what I am asking; I would appreciate some feedback as to options: Cisco, HP, security related. Just looking for a place to start, and the value of it.

So please leave a comment or send me an idea on Twitter.

Thanks

Monday, May 13, 2013

PacketFence 4.0

Well, the Inverse team released a new version of PacketFence. Current release is 4.0. This is a jump up from 3.6.1. http://www.packetfence.org/news/2013/article/packetfence-40-released.html


Highlights from the news release:

New Features
  • Brand new Perl-based Web administrative interface using the Catalyst framework
  • New violation actions to set the node's role and deregister it
  • Support for scanning dot1x connections for auto-registration by EAP-Type
  • Support for auto registering dot1x node based of the EAP-Type
  • New searchable MAC Addresses module to query all existing OUI prefixes
  • New advanced search capabilities for nodes and users
  • New memory object caching subsystem for configuration files
  • Ubuntu packages

Enhancements
  • Authentication sources can now be managed directly from the GUI
  • Roles (previously called categories) are now computed dynamically using authentication sources
  • Portal profiles and portal pages are now managed from the GUI
  • Fingerprints and User Agents modules are now searchable
  • Translated all remediation pages to French
  • Updated Brazilian Portuguese and Spanish translations

Lots of good features listed. I am looking forward to the new admin UI. That is something in the current version which needed help. A heavily loaded system moved slowly when trying to admin it.

New search is something which was needed. If you didn't get it quite right the first time you could be sitting a while when waiting for the results to load.

Overall the list of changes looks like a big step forward in usability for the system.

A big gotcha listed in the release notes is the recommendation to start with a fresh install. With the major rewrite it would be difficult to just upgrade in place. See UPGRADE document.

I will be starting my migration in the next month or so. I plan on posting a review once I get my system updated.

Friday, April 26, 2013

OpenDaylight SDN on Windows

So following the tutorial from @networkstatic found here: http://networkstatic.net/opendaylight-openflow-tutorial/ I was able to easily modify the steps and install/build OpenDaylight on Windows.

I used Windows Server 2008 R2 as my base system.
Components added:



Install Git for Windows. I selected the option during install to use the Windows command shell for Git.

Extract Apache Maven from the zip file. Add the path of the extracted files to the system path so you can call maven from anywhere. Makes life a little easier when you get to the directory inside of the clone source.

Install the JDK/JRE and add an environment variable: JAVA_HOME, set to the path to the JDK. Things don't go without it.


Once you have the prerequisites done you can pull down the source from git.opendaylight.org

From a command prompt:

git clone http://git.opendaylight.org/gerrit/p/controller.git

Next change directories into: controller\opendaylight\distribution\opendaylight\


Run the following command:

mvn clean install

If your path is correct, Maven should start going. This is the long part. If you read through Brent's tutorial you can see this step is long and will be a possible trip-up. It is possible that something doesn't build right; this is active code being changed by many all the time.


Once built you can change directories to: target\distribution.opendaylight-0.1.0-SNAPSHOT-osgipackage\

As you can see, the path is pretty long, but there is a run.bat. Call that file and you can then browse to http://localhost:8080 on the machine on which you just built the project.

You can log in using the default credentials, username: admin password: admin


And there you have it. 

From there it is up to you. I am still working down this journey as are lots of us. Thanks for following along.



Saturday, March 16, 2013

Starting with OpenFlow

So after about 8 months of having OpenFlow code running on a switch, I was able to get a controller up and going. This is because using OpenFlow is not a business-necessary project.

So why OpenFlow?

There are a few reasons for which I would like to use it.

  • Redirecting a copy of user flows for analysis - Remote packet capture
  • Traffic Engineering - Using different paths for flows based on policy
  • Management Abstraction

Now some will say that there are other ways to do these things; yes, that is true. When you are using switches that support OpenFlow it makes sense to look into using it.

My university is connected to a Regional Optical Network - Ilight, which is managed by Indiana University. There will be a day when OpenFlow services will be sitting at my campus WAN edge from them. It would be nice to be able to take advantage of them and also to inter-operate with them. If you look at Brocade's presentation at Network Field Day 5 you will see projects in which Indiana University is involved with OpenFlow.

I will probably post some things about what I am doing with it as they happen. But I do have a lot of business-critical projects and tasks that are higher on the priority list.


Currently looking at the following:

  • Controller: Floodlight
  • Switches: HP 6200yl currently running OF code K.15.06.5008, 5400zl in production without OF code. Have 2 5406zl's in staging.
  • Avior - GUI for adding flows to controller. 

For more OpenFlow info look to the Open Networking Foundation and OpenFlowHub.org
Check out Brent Salisbury's blog listed in the blog roll to the right, Brent has some tutorials on getting started, with some code snippets as well.





Friday, February 22, 2013

Complexity & Change Management - A Lesson for the Week

Complexity in IT is commonplace. No matter how hard we try to reduce complexity, some solutions are complex. Sometimes over the life-cycle of a system, changes cause the once simple solution to be complex.

Change Management - "Change management is an approach to shifting/transitioning individuals, teams, and organizations from a current state to a desired future" - from Wikipedia. Every organization has different practices ranging from the formal to the informal.

My organization has a fairly informal change management process; outside of certain changes going through a form in the help desk system, changes are on the less documented side. Now let me be clear: with 7 members in the IT department, most of us are aware of the changes that are happening. Yes, there is room for improvement in the process.

So to the lesson this week: needing to elevate the Windows Domain and Forest to 2008 level instead of the mixed mode we have been in. Being in mixed mode is now limiting us in GPO tasks and other important projects moving forward. The server admin's task was to demote 6 DCs across two domains this week.

This started off by consulting the Department's - Jedi Holocrons
That starts by yelling over the cube walls "Hey Dave! If we are going to do this what are we going to break?" I rattle off the things that I know will be affected plus a couple more that are maybes.

Demotion of DCs starts, and is moving at a quick clip. Server Admin works with our developer to make sure some custom user provisioning processes get moved.

Bump number one - Several web apps point at the demoted DCs for authentication. The fix for one was a change in web.config and an iisreset. The other was a bit more complex, as in change authentication.config then push that into the app.

Bump number two - Custom user provisioning code is hard coded to specific DCs. Stood over the developer's shoulder to verify changes were correct, then installed all the dependencies for it to run on the server that we moved the code to.

So hopefully the last DC will get demoted this weekend without any trouble and we can move forward.

Luckily only one set of our users was affected by these bumps, and yes, that was faculty/staff as opposed to students.

So what seems to be a simple process turns into a bigger one with the lack of complete documentation and change management processes. I am not an advocate of ITIL or a strict rigid change management process, but having a process will help.

In this situation we could have avoided the bumps if some more documentation was kept and read through. But by understanding the overall picture and knowing what we needed to get through we were able to work through the bumps.
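
One way to find the two bumps above before a demotion, as an added example (not code from the original post): a Python scan that reports every configuration or source line naming a DC scheduled for demotion, by short name or FQDN. The host names, domain and file contents are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the original post): file path -> contents.
SAMPLE_FILES = {
    "webapp1/web.config": (
        '<configuration>\n'
        '  <connectionStrings>\n'
        '    <add name="ADConn" connectionString="LDAP://DC03.campus.example.edu/DC=campus,DC=example,DC=edu" />\n'
        '  </connectionStrings>\n'
        '</configuration>\n'
    ),
    "provisioning/CreateUser.cs": (
        'var entry = new DirectoryEntry("LDAP://dc04/OU=Staff,DC=campus,DC=example,DC=edu");\n'
        'var backup = "dc040.campus.example.edu";  // different host, must not match\n'
    ),
    # References the domain rather than one DC, so it is not reported.
    "webapp2/authentication.config": (
        '<ldap server="campus.example.edu" port="389" />\n'
    ),
}

def build_pattern(retiring_dcs, domain):
    """Match a retiring DC by short name or FQDN, as a whole host name only."""
    names = "|".join(re.escape(dc) for dc in sorted(retiring_dcs, key=len, reverse=True))
    fqdn_suffix = r"(?:\." + re.escape(domain) + r")?"
    # Lookarounds stop 'dc04' from matching inside 'dc040' or 'xdc04'.
    return re.compile(
        r"(?<![A-Za-z0-9.-])(?:" + names + r")" + fqdn_suffix + r"(?![A-Za-z0-9-])",
        re.IGNORECASE,
    )

def find_dc_references(files, retiring_dcs, domain):
    """Return (path, line_number, matched_host) for each hard-coded DC reference."""
    pattern = build_pattern(retiring_dcs, domain)
    hits = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in pattern.finditer(line):
                hits.append((path, lineno, match.group(0).lower()))
    return hits

if __name__ == "__main__":
    for path, lineno, host in find_dc_references(SAMPLE_FILES, {"dc03", "dc04"}, "campus.example.edu"):
        print(f"{path}:{lineno}: references {host}")
```

To run it against real files, build the `files` mapping by reading the web roots and source trees of the servers that authenticate against the domain.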

Sunday, February 17, 2013

PacketFence 3.5

So back in August of last year, I wrote about the previous version of PacketFence that I ran for many years, version 1.6.7 [See Here]

In that post I stated that I would write more about the newer version. Well, months have passed, and I am going to change plans about that post due to the fact that version 3.6.1 is out.

So I will highlight some of the big differences between the versions.

  • No more ARP spoofing - Multiple options, including use of SNMP traps and port-security, to 802.1x MAC security.
  • Effectiveness of trapping - Once a client has been identified they are switched to a vlan, instead of having the router address spoofed. It works fast and with less overhead.
  • Scale of server - Due to the fact that traffic is not all trunked into the server, the server can handle more tasks and is more responsive to admin requests.
  • 3.5 has included many of the components under the control of the PacketFence processes - FreeRADIUS being a big one.

Problems that are still being addressed: the Xbox 360's DHCP fingerprint is not detected correctly, so they do not auto-register. Some of the reports still need work as they take a long time to run (some of these have been fixed in 3.6.x).

Features that I still need to try or want to implement:
  • Guest Access - PacketFence has a guest portal, this would be ideal to the separate SSID/system currently used on my campus.
  • Game system registration form - In 3.6.x there is a self-service form to register Xboxes and other systems that may not auto-register. This would help the manual process done now.

So this is a quick follow-up to the post from August on my PacketFence install.