Wireless
Introduction
PacketFence also integrates well with wireless networks. As with its wired counterpart, the switch, a wireless access point (AP) needs to implement some specific features for the integration to work properly. In particular, the AP needs to support
- several SSIDs with several VLANs inside each SSID
- authentication against a RADIUS server
- dynamic VLAN assignment (through RADIUS attributes)
- SNMP deauthentication traps
- the deauthentication of an associated station
We can then configure two SSIDs on the AP, the first one reserved for visitors and unregistered clients. In this SSID, communications are not encrypted and users are placed either in the registration VLAN or the visitors VLAN, depending on their registration status. The second SSID allows encrypted communications for registered users. The VLANs here are the "normal" VLAN and the isolation VLAN (used if there are open violations for the MAC).
Installation example
In this example, we configure a Cisco 1242 AP (IP address 192.168.0.4). Configuration of other vendors' APs is similar.
First define the normal, isolation, registration and visitor VLANs on the AP, together with the appropriate wired and wireless interfaces, as shown below for the isolation VLAN
dot11 vlan-name isolation vlan 2
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled
Then create the two SSIDs
dot11 ssid WPA2
 vlan 2 backup normal
 authentication open eap eap_methods
 authentication key-management wpa
 accounting acct_methods
 mbssid guest-mode
dot11 ssid MACauth
 vlan 3 backup visitor
 authentication open mac-address mac_methods
 accounting acct_methods
 mbssid guest-mode
Configure the RADIUS server (we assume here that the FreeRADIUS server and the PacketFence server are located on the same box)
radius-server host 192.168.0.10 auth-port 1812 acct-port 1813 key secretKey
aaa group server radius rad_eap
 server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa group server radius rad_mac
 server 192.168.0.10 auth-port 1812 acct-port 1813
aaa authentication login mac_methods group rad_mac
Enable the SNMP deauthentication traps
snmp-server enable traps deauthenticate
snmp-server host 192.168.0.10 public deauthenticate
And finally activate the SSIDs on the radio
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 ssid WPA2
 ssid MACauth
Now check with a Wi-Fi card that you can actually see the two new SSIDs. You cannot connect to them yet, since the RADIUS server is not up and running.
Start configuring the FreeRADIUS server by adding the following lines at the end of /etc/raddb/clients.conf
client 192.168.0.4 {
	# the AP's address (192.168.0.4 in this example) and the shared secret from its radius-server line
	secret = secretKey
	shortname = AP1242
}
In /etc/raddb/eap.conf, set the default EAP type to peap (at the beginning of the eap {} section)
default_eap_type = peap
and set up your cryptographic keys in the tls {} section.
Then update /etc/raddb/radiusd.conf by first adding the following lines to the modules {} section
perl {
	module = ${confdir}/rlm_perl_packetfence.pl
}
and then add "perl" at the end of the authorize {} section. The script /etc/raddb/rlm_perl_packetfence.pl uses the Calling-Station-Id RADIUS request attribute, which carries the MAC address of the wireless station, to determine its registration and violation status. Based on this information, it sets the Tunnel-Medium-Type, Tunnel-Type and Tunnel-Private-Group-ID RADIUS reply attributes. On receiving these three attributes, the AP confines the wireless station to the specified VLAN.
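To show the decision the script makes, here is an added example (not the page's rlm_perl_packetfence.pl, and written in Python rather than Perl) that normalizes the Calling-Station-Id, looks the MAC up in a constructed node table and returns the three tunnel reply attributes. The SSID is read from the end of Called-Station-Id, the VLAN ids for normal (1) and visitor (4) and the NODES table are assumptions.

```python
import re

# RADIUS tunnel attribute values (RFC 2868, RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6

# VLAN ids: isolation=2 and registration=3 follow the AP configuration
# above; normal=1 and visitor=4 are assumed for this example.
VLAN_ID = {"normal": 1, "isolation": 2, "registration": 3, "visitor": 4}

# Constructed stand-in for the PacketFence node table:
# MAC -> (registration status, number of open violations).
NODES = {
    "00:11:22:33:44:55": ("registered", 0),
    "00:11:22:33:44:66": ("registered", 2),
}

def normalize_mac(station_id):
    """Reduce Calling-Station-Id variants (00-11-22-33-44-55,
    0011.2233.4455, any case) to aa:bb:cc:dd:ee:ff; None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", station_id or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def pick_vlan(mac, ssid):
    """Policy from the introduction: on the open SSID a station lands in
    the registration or visitor VLAN; on the WPA2 SSID in the isolation
    (open violations) or normal VLAN. Unknown MACs are unregistered."""
    status, violations = NODES.get(mac, ("unregistered", 0))
    if status != "registered":
        return "registration"
    if ssid == "MACauth":
        return "visitor"
    return "isolation" if violations > 0 else "normal"

def authorize(request):
    """Map a RADIUS request (attribute dict) to the three reply attributes
    the AP acts on. Assumes the AP appends ':<SSID>' to Called-Station-Id."""
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return None  # no usable MAC: send no VLAN rather than a wrong one
    ssid = request.get("Called-Station-Id", "").rpartition(":")[2]
    vlan = pick_vlan(mac, ssid)
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-ID": str(VLAN_ID[vlan]),
    }
```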
The last file to edit is /etc/raddb/users, where we define that non-EAP requests (those without an EAP-Message attribute) should, by default, be accepted
DEFAULT EAP-Message !* "", Auth-Type := Accept
and then we add our local test user with
testUser User-Password == "testPwd"
Now start FreeRADIUS in debug mode
radiusd -x
Try to connect to one of the two new SSIDs with your Wi-Fi card and you will see the packets received by FreeRADIUS and the responses it generates.
802.1X on a wired network
It is noteworthy that the above concept is identical to using 802.1X on a wired network, which of course is also supported by PacketFence.

