Overview

PacketFence is a fully supported, trusted, free and open source network access control (NAC) solution. It boasts an impressive feature set including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner. PacketFence can be used to effectively secure networks, from small ones to very large heterogeneous ones.

Components Architecture

Network Architecture

Enforcement

Out-of-band Deployment

PacketFence operates completely out-of-band, which allows the solution to scale geographically and makes it more resilient to failures. When using the right technology (such as port security), a single PacketFence server can secure hundreds of switches and the many thousands of nodes connected to them.

Inline Deployment

While out-of-band is the preferred way of deploying PacketFence, an inline mode is also supported for wired or wireless equipment that cannot be managed. Deploying PacketFence in inline mode can also be accomplished in minutes. Note also that inline mode can coexist with an out-of-band deployment. Keep in mind that in inline mode the PacketFence server sits in the data path as the gateway for those segments, so it becomes a throughput and availability bottleneck in a way the out-of-band mode does not.

Authentication & Registration

802.1X Support

Wired and wireless 802.1X are supported through a FreeRADIUS module included in PacketFence. PEAP-TLS, EAP-PEAP and many other EAP methods can be used.

Registration of Devices

PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Unlike most captive portal solutions, PacketFence remembers users who previously registered and automatically grants them access without another authentication. This is, of course, configurable. An Acceptable Use Policy can be specified so that users cannot obtain network access without first accepting it.

Wireless Integration

PacketFence integrates with wireless networks through the same FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing access point (AP) vendors and wireless controllers is supported.

Voice over IP (VoIP) Support

Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, Linksys, Nortel Networks and many more).

Compliance

Detection of Abnormal Network Activities

Abnormal network activities (computer viruses, worms, spyware, traffic denied by the establishment's policy, etc.) can be detected using local or remote Snort, Suricata or commercial sensors. Content inspection is also possible with Suricata and can be combined with malware hash databases such as OPSWAT Metadefender. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on top of each alert type, and administrators can configure a set of actions for each violation.

Windows Management Instrumentation (WMI)

WMI support in PacketFence allows an administrator to perform audits, execute commands and more on any domain-joined Windows computer. For example, PacketFence can verify whether unauthorized software is installed or running before granting network access. This requires PacketFence to hold a domain account that can reach the endpoints over WMI (DCOM/RPC), so that account should be scoped as tightly as possible and its credentials protected accordingly.

Statement of Health

While performing an 802.1X user authentication, PacketFence can perform a complete posture assessment of the connecting device using the TNC Statement of Health protocol. For example, PacketFence can verify whether an antivirus is installed and up to date, whether operating system patches are all applied, and much more, without deploying an additional agent on the endpoint (it relies on the Statement of Health client built into Windows).

Proactive Vulnerability Scans

Nessus or OpenVAS vulnerability scans can be performed upon registration, on a schedule or on an ad-hoc basis. PacketFence correlates the Nessus/OpenVAS vulnerability IDs of each scan with the violation configuration, returning content-specific web pages about the vulnerability the host may have.
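The two mechanisms above (IDS alerts under "Detection of Abnormal Network Activities" and scanner findings under "Proactive Vulnerability Scans") feed the same thing: a violation table keyed by a detector identifier, with per-violation actions and a suppression window. The following is an added example written for this page, not PacketFence code and not its configuration format; the "<detector>::<id>" trigger syntax, the violation ids, signature ids, plugin ids, addresses and MACs are all constructed for the example. It parses constructed Suricata EVE JSON alert lines and constructed Nessus/OpenVAS findings, maps them to violations, and suppresses repeats from the same endpoint inside the grace period.

```python
"""Map IDS alerts and vulnerability-scan findings to NAC violations.

Added example (not PacketFence code).  A Suricata alert (by signature id)
or a Nessus/OpenVAS finding (by plugin id) is looked up in a violation table
keyed by "<detector>::<id>".  Each violation carries actions, a remediation
page and a grace period during which the same endpoint cannot re-trigger
it.  All ids, addresses and MACs are constructed for this example.
"""
import json

# Constructed violation table; "grace" is in seconds.
VIOLATIONS = {
    1100010: {
        "desc": "Possible malware command-and-control traffic",
        "triggers": {"suricata::1000001"},
        "actions": ("isolate", "email"),
        "grace": 600,
        "url": "/remediation/malware",
    },
    1200001: {
        "desc": "Vulnerable service reported by scanner",
        "triggers": {"nessus::99999", "openvas::1.3.6.1.4.1.25623.1.0.900000"},
        "actions": ("isolate",),
        "grace": 86400,
        "url": "/remediation/patch",
    },
}

# Constructed IP-to-MAC table standing in for the NAC's IP/MAC log: sensors
# and scanners report IP addresses, but enforcement is done on the MAC.
IP_TO_MAC = {"10.0.20.15": "00:11:22:33:44:55", "10.0.20.16": "00:11:22:33:44:66"}


class ViolationEngine:
    def __init__(self, violations, ip_to_mac):
        self._violations = violations
        self._ip_to_mac = ip_to_mac
        # Reverse index: trigger string -> violation id.
        self._by_trigger = {t: vid for vid, v in violations.items() for t in v["triggers"]}
        # (mac, vid) -> time the violation last fired, for grace suppression.
        self._last_fired = {}

    def raise_violation(self, mac, trigger, now):
        """Return the event raised for (mac, trigger), or None when no
        violation matches the trigger or the grace period suppresses it."""
        vid = self._by_trigger.get(trigger)
        if vid is None:
            return None
        v = self._violations[vid]
        last = self._last_fired.get((mac, vid))
        if last is not None and now - last < v["grace"]:
            return None  # same node, same violation, still inside grace
        self._last_fired[(mac, vid)] = now
        return {"time": now, "mac": mac, "vid": vid, "trigger": trigger,
                "actions": v["actions"], "url": v["url"]}

    def handle_suricata_eve(self, line, now):
        """Feed one Suricata EVE JSON line; only alert events are considered."""
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            return None
        mac = self._ip_to_mac.get(ev.get("src_ip"))
        if mac is None:
            return None  # endpoint unknown to the NAC: nothing to enforce on
        return self.raise_violation(mac, f"suricata::{ev['alert']['signature_id']}", now)

    def handle_scan_finding(self, scanner, host_ip, plugin_id, now):
        """Feed one scanner finding; scanner is 'nessus' or 'openvas'."""
        mac = self._ip_to_mac.get(host_ip)
        if mac is None:
            return None
        return self.raise_violation(mac, f"{scanner}::{plugin_id}", now)


def eve_alert(src_ip, sid):
    """Build a constructed EVE alert line, reduced to the fields used above."""
    return json.dumps({"event_type": "alert", "src_ip": src_ip, "dest_ip": "203.0.113.7",
                       "proto": "TCP", "alert": {"signature_id": sid, "severity": 1}})


# Constructed inputs as (time in seconds, line); comments give the expected outcome.
SAMPLE_EVE = [
    (0, eve_alert("10.0.20.15", 1000001)),    # fires
    (5, eve_alert("10.0.20.15", 1000001)),    # same node, inside grace: suppressed
    (30, json.dumps({"event_type": "flow", "src_ip": "10.0.20.15"})),  # not an alert
    (40, eve_alert("10.0.20.99", 1000001)),   # IP unknown to the NAC: ignored
    (50, eve_alert("10.0.20.15", 1000500)),   # no violation configured for this sid
    (700, eve_alert("10.0.20.15", 1000001)),  # grace (600 s) elapsed: fires again
]
SAMPLE_SCAN = [  # (time, scanner, host ip, plugin id)
    (1000, "nessus", "10.0.20.15", "99999"),                          # fires
    (1001, "openvas", "10.0.20.15", "1.3.6.1.4.1.25623.1.0.900000"),  # same vid, suppressed
    (1002, "nessus", "10.0.20.16", "99999"),                          # other node: fires
]


def run_demo():
    """Run the constructed inputs through the engine; return the events raised."""
    engine = ViolationEngine(VIOLATIONS, IP_TO_MAC)
    events = [e for now, line in SAMPLE_EVE if (e := engine.handle_suricata_eve(line, now))]
    events += [e for now, s, ip, pid in SAMPLE_SCAN if (e := engine.handle_scan_finding(s, ip, pid, now))]
    return events


if __name__ == "__main__":
    for ev in run_demo():
        print(f"t={ev['time']:>5} {ev['mac']} vid={ev['vid']} via {ev['trigger']} -> {ev['actions']} {ev['url']}")
```

The grace window is what keeps a chatty sensor from re-isolating (and re-emailing about) the same endpoint every few seconds; a scanner finding and an IDS alert that map to the same violation are deduplicated by the same (MAC, violation) key. Real deployments also need to decide what happens when the source IP is unknown to the NAC, which this example simply drops.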

Security Agents

PacketFence integrates with security agent solutions such as OPSWAT Metadefender Endpoint Management, Symantec SEPM and others. PacketFence can make sure the agent is installed before granting network access. It can also check the endpoint's posture and isolate it from other endpoints if it is non-compliant.

Remediation Through a Captive Portal

Once trapped, all of the node's network traffic is intercepted by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user is presented with instructions for their particular situation, reducing costly help desk intervention.

Isolation of Problematic Devices

PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Administration

Command-line and Web-based Management

Both web-based and command-line interfaces are provided for all management tasks. The web-based administration interface supports different permission levels for users and can authenticate users against LDAP or Microsoft Active Directory.

Advanced Features

In the following text, the term node means a network-aware device that is controlled and monitored by PacketFence. It can be a PC, a laptop, a printer, an IP phone, etc.

Flexible VLAN Management and Role-Based Access Control

VLANs and roles can be assigned using various means:

  • Per switch (default for VLANs)
  • Per client category (default for roles)
  • Per client
  • Using any arbitrary decision (via the Perl extension points)

Also, the per-switch method can be combined with the others. For example, with a default PacketFence setup, a VLAN or a role can be assigned to your printers and your PCs (if categorized properly) based on the equipment they are connected to. This means you can easily have per-building, per-device-type VLANs.
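The precedence described above, and the isolation step from "Isolation of Problematic Devices", as an added example in Python (not PacketFence code and not a model of its Perl extension API). It resolves the VLAN for a node on a given switch, keeping the category-to-VLAN table per switch so the same category lands on a different VLAN in each building, then builds the RFC 3580 attributes a RADIUS Access-Accept would carry. Switch addresses, VLAN numbers and categories are constructed; conveying the role as Filter-Id is an assumption, since the actual attribute is switch-specific.

```python
"""Resolve a node's VLAN and role and build the RADIUS reply attributes.

Added example (not PacketFence code).  Precedence modelled from the page:
open violation -> isolation VLAN; unregistered -> registration VLAN;
otherwise a per-node VLAN wins, then the node's category looked up in the
switch's own category table, then the switch default.  Everything below
(addresses, VLAN numbers, categories) is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Switch:
    ip: str
    default_vlan: int          # per-switch default for registered nodes
    registration_vlan: int     # where unregistered nodes land (captive portal)
    isolation_vlan: int        # where nodes with an open violation land
    role_vlans: Dict[str, int] = field(default_factory=dict)  # category -> VLAN here


@dataclass
class Node:
    mac: str
    registered: bool
    category: Optional[str] = None       # role, e.g. "printer" or "pc"
    vlan_override: Optional[int] = None  # per-node pin, beats the category
    open_violation: bool = False


# Constructed inventory: the same categories map to different VLANs per building.
SWITCHES = {
    "10.0.0.1": Switch("10.0.0.1", default_vlan=100, registration_vlan=2, isolation_vlan=3,
                       role_vlans={"printer": 110, "pc": 120}),  # building A
    "10.0.0.2": Switch("10.0.0.2", default_vlan=200, registration_vlan=2, isolation_vlan=3,
                       role_vlans={"printer": 210, "pc": 220}),  # building B
}


def resolve_vlan(node: Node, switch: Switch) -> Tuple[int, str]:
    """Return (vlan, reason); reason names the rule that decided."""
    if node.open_violation:
        return switch.isolation_vlan, "isolation"
    if not node.registered:
        return switch.registration_vlan, "registration"
    if node.vlan_override is not None:
        return node.vlan_override, "per-node"
    if node.category in switch.role_vlans:
        return switch.role_vlans[node.category], "per-category"
    return switch.default_vlan, "per-switch"


def radius_reply(node: Node, switch: Switch) -> Tuple[Dict[str, object], str]:
    """Build the RFC 3580 VLAN attributes for an Access-Accept.

    Tunnel-Type 13 is VLAN and Tunnel-Medium-Type 6 is IEEE-802; the VLAN id
    travels as a string in Tunnel-Private-Group-Id.  The role attribute is
    switch-specific (Filter-Id on some, a vendor attribute on others);
    Filter-Id is used here as an assumption for the example, and only for
    nodes that are getting a production VLAN rather than isolation/registration.
    """
    vlan, reason = resolve_vlan(node, switch)
    reply: Dict[str, object] = {
        "Tunnel-Type": 13,
        "Tunnel-Medium-Type": 6,
        "Tunnel-Private-Group-Id": str(vlan),
    }
    if reason in ("per-node", "per-category", "per-switch") and node.category:
        reply["Filter-Id"] = node.category
    return reply, reason


if __name__ == "__main__":
    printer = Node("00:aa:bb:cc:dd:01", registered=True, category="printer")
    for ip, sw in SWITCHES.items():
        print(ip, radius_reply(printer, sw))
```

The ordering matters for security: the violation and registration checks run before any per-node or per-category rule, so a pinned VLAN cannot be used to escape isolation. The "RADIUS Dynamic VLAN" and "RADIUS Dynamic Role" columns of the device table below indicate which of these two attributes a given switch module can actually consume.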

Guest Access - Bring Your Own Device (BYOD)

Portal Profiles

More Built-in Violation Types

Automatic Registration

PKI and EAP-TLS Support

Expiration

Device Management

Firewall Integration

Bandwidth Accounting

Floating Network Devices

Flexible Authentication

Microsoft Active Directory Integration

Routed Networks

Gradual Deployment

Pass-Through

High-Availability

Supported Hardware

Standards-Based

Extensible / Easily Customizable

Something is Missing?

If something you require for Network Access Control is not on this list, first check whether it is on our roadmap; otherwise there is a good chance that someone in the community has already done what you are looking for, so engage with the community and send an email to the packetfence-users mailing list. No one has ever tried or wanted that feature? If you know Perl you can try to implement it yourself, or you can sponsor the development of the feature.

Supported network devices

The following tables detail the wired and wireless equipment supported by PacketFence. This list is the most up-to-date one. Note that, in general, any wired switch supporting MAC authentication and/or 802.1X with RADIUS can be supported by PacketFence.

Bugs and limitations of the various modules can be found in the Network Devices documentation.


Wired Support

PacketFence supports a huge number of wired switches.

VPN Support

PacketFence supports some VPN devices.

Wireless Support

There are two approaches to wireless networks: one where a controller handles the access points (APs), and one where the APs act individually. PacketFence supports both.

Wireless Controllers

When using a controller, it does not matter to PacketFence which individual APs are supported. As long as the AP is supported by your controller and the controller is supported by PacketFence, it will work.

Access Points

Some access points behave the same whether or not they are attached to a controller. Because of that, you might want to try a controller module if a controller from the same vendor is supported in the list above.

Devices

Table columns: Name | SNMP | Wired MAC Auth | Wired 802.1X | Wireless MAC Auth | Wireless 802.1X | Web Auth | RADIUS Dynamic VLAN | RADIUS Dynamic ACL | RADIUS Dynamic Role | RADIUS VoIP | MAB Floating Device | Floating Device

Supported devices (the per-device column values are not reproduced below):

Accton ES3526XA
Accton ES3528M
AeroHIVE AP
AeroHive - Extreme Access Point
AeroHive BR100
Alcatel switch
AlliedTelesis AT8000GS
Allied Telesis GS950
Amer SS2R24i
Anyfi Gateway
Aruba Networks
Aruba 2930M Series
Aruba 5400 Switch
Aruba Switch NG
Aruba CX Switch
Aruba 200 Controller
Aruba Instant Access
Aruba Wireless Controller
Aruba Switches
Avaya Switch Module
Avaya ERS 2500 Series
Avaya ERS 3500 Series
Avaya ERS 4000 Series
Avaya ERS 5000 Series
Avaya ERS 5000 Series w/ firmware 6.x
Avaya Wireless Controller
Belair Networks AP
Bluesocket
Brocade Switches
Brocade RF Switches
Brocade Standard Switch (template based)
Cambium
Cisco ASA Firewall
Cisco Aironet 1130
Cisco Aironet 1242
Cisco Aironet 1250
Cisco Aironet 1600
Cisco Aironet (WDS)
Cisco Catalyst 2900XL Series
Cisco Catalyst 2950
Cisco Catalyst 2960
Cisco Catalyst 2960G
Cisco Catalyst 2970
Cisco Catalyst 3500XL Series
Cisco Catalyst 3550
Cisco Catalyst 3560
Cisco Catalyst 3560G
Cisco Catalyst 3750
Cisco Catalyst 3750G
Cisco Catalyst 4500 Series
Cisco Catalyst 6500 Series
Cisco ISR 1800 Series
Cisco SG300
Standard Cisco Switch (template based)
Cisco Wireless Controller (WLC)
Cisco Wireless (WLC) 2100 Series
Cisco Wireless (WLC) 2500 Series
Cisco Wireless (WLC) 4400 Series
Cisco Wireless (WLC) 5500 Series
Cisco WiSM
Cisco WiSM2
CoovaChilli
Dell Force 10
N1500 Series
Dell PowerConnect 3424
D-Link DES 3028
D-Link DES 3526
D-Link DES 3550
D-Link DGS 3100
D-Link DGS 3200
D-Link DWL Access-Point
D-Link DWS 3026
EdgeCore
Enterasys Standalone D2
Enterasys Matrix N3
Enterasys SecureStack C2
Enterasys SecureStack C3
Enterasys V2110
Extreme EXOS
ExtremeNet Summit series
ExtremeNet Summit X250e
Extricom EXSW Controllers
F5 VPN
FortiGate Firewall with web auth + 802.1X
FortiSwitch
Foundry FastIron 4802
Generic
H3C S5120 (HP/3Com)
HP ProCurve MSM710 Mobility Controller
HP E4800G (3Com)
HP E5500G (3Com)
HP ProCurve MSM Access Point
HP ProCurve 2500 Series
HP ProCurve 2600 Series
HP ProCurve 2920 Series
HP ProCurve 3400cl Series
HP ProCurve 4100 Series
HP ProCurve 5300 Series
HP ProCurve 5400 Series
Standard HP Switch (template based)
Hostapd
Hostapd (template based)
Huawei AC6605
Huawei S5710
Huawei S5720
IBM RackSwitch G8052
Intel Express 460
Intel Express 530
Juniper EX Series
Juniper EX 2200 Series
Juniper EX 2200 Series running Junos 15
Juniper EX 2300 Series
Mist AP
LG-Ericsson iPECS ES-4500G
Linksys SRW224G4
Meraki cloud controller
Meraki cloud controller V2
Meraki switch MS220_8
Meru MC
Meru Controller v2
Mikrotik
Mojo Networks AP
Motorola RF Switches
Netgear FSM726v1
Netgear FSM7328S
Netgear GS110
Netgear M series
Nortel BPS 2000
Nortel BayStack 4550
Nortel BayStack 470
Nortel BayStack 5500 Series
Nortel BayStack 5500 w/ firmware 6.x
Nortel ERS 2500 Series
Nortel ERS 4000 Series
Nortel ERS 5000 Series
Nortel ERS 5000 Series w/ firmware 6.x
Nortel ES325
PacketFence
SNMP Switch
Standard Switch (template based)
Pica8
Ruckus Wireless Controllers
Ruckus Wireless Controllers - Legacy
Ruckus SmartZone Wireless Controllers
Ruckus SmartZone v2
Ruckus SmartZone
SMC TigerStack 6128L2
SMC TigerStack 6224M
SMC TigerStack 8800 Series
3COM E4800G
3COM E5500G
3COM NJ220
3COM SS4200
3COM SS4500
3COM 4200G
Trapeze Wireless Controller
EdgeSwitch
Unifi Controller
Xirrus WiFi Arrays

Not on this list?

Is your network hardware not on this list? Chances are it already works with a similar module. Try that first and, if it does work, let us know which module you used, on what hardware and with which firmware version. You can send us that information by filing a ticket.

Otherwise, we are always interested in adding new hardware support into PacketFence. Please contact us.