Gentoo Wiki

Packetfence

Packetfence is a free/open-source Network Access Control system developed by Harvard. It uses SNMP traps for VLAN isolation (developed by Inverse). This HOWTO is taken from the PacketFence wiki.

Pre-Installation

Packetfence (PF) was written to run on Redhat-derived Linux distributions. Due to this, the installer assumes certain things that are not relevant to installing on Gentoo systems. To get around this, the installation process is manual.

This guide is based on a fresh Gentoo installation. When in doubt, there's always the Gentoo forums for non-PF support, and revdep-rebuild (part of the gentoolkit package). Make sure to include iptables in your kernel configuration.

USE Flags

When building your PF base, these are the USE flags I use:

-berkdb ssl mysql ldap apache2 snmp perlsuid ithreads logrotate gd

You will be re-emerging perl and libperl to enable the suid support. It will complain at you, but you can ignore this.

Base Packages

PF is dependent on certain external packages. These need to be installed first.

Emerge the following packages:

emerge -atv perl libperl Time-HiRes Config-IniFiles Net-Netmask Parse-RecDescent Net-RawIP CGI DBD-mysql libwww-perl php iptables snort nessus

If the output looks good, type ‘yes’ and hit enter.

Install perl modules from the CPAN shell

If you wish to use Nessus, install the following perl modules as well

perl -MCPAN -e shell

If this is the first time cpan has been run, follow the setup dialogs. If you find that you don't have a particular utility, like gpg, ncftp, ftp, etc., it might be in your best interest to ^C out of there and emerge them accordingly. While not all of them are required, there's a reason why it asks for them; better safe than sorry.

Then from the cpan shell, type install <packagename>.

PF Installation

Download the latest tarball of PF, and extract it. Place the extracted files into /usr/local/pf. [1]

Add group pf:

groupadd pf  

Add user pf:

useradd -g pf pf
passwd -l pf

MySQL will probably be in its default state (no DBs, not started). The following commands will set it up completely.

/usr/bin/mysql_install_db
/etc/init.d/mysql start
/usr/bin/mysqladmin -u root password 'newpassword'
rc-update add mysql default
mysql -u root -p

You can also use:

emerge --config dev-db/mysql
rc-update add mysql default

Create the tables and privileges

mysql> CREATE DATABASE pf;
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON pf.* TO 'pf'@'%' IDENTIFIED BY 'password';
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON pf.* TO 'pf'@'localhost' IDENTIFIED BY 'somepassword';
mysql> exit

Import the table schema

cd /usr/local/pf/db
mysql -u root -p pf < pfschema.mysql

An easier way is to install phpmyadmin, and start apache2 on a different port. Then it can be used to administer the DB much more easily.

Create an administrative user for PF Admin, and set its password.

htpasswd2 -c /usr/local/pf/conf/admin.conf admin

Change line 14 of /usr/local/pf/packetfence.init to point to the correct file, and then copy it over to your init.d folder.

source /etc/init.d/functions.sh
cp /usr/local/pf/packetfence.init /etc/init.d/packetfence

Configure PacketFence

Run the PF configurator and follow the prompts

cd /usr/local/pf
./configurator.pl

Edit the generated pf.conf. Look for the lines referring to the binaries for snort and Apache, and add the following lines or modify them to read:

[services]
snort = /usr/bin/snort
httpd = /usr/sbin/apache2
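
A quick check for the [services] edit above, as an added example (not part of PacketFence or the original HOWTO): it reads the [services] section of a pf.conf and reports any entry whose binary is missing or not executable. The function names pf_services and pf_check_services are hypothetical; pass the path of your generated pf.conf as the argument.

```shell
#!/bin/sh
# Added example, not PacketFence code. Function names are hypothetical.
# Usage after sourcing this file:  pf_check_services /path/to/pf.conf

# pf_services FILE
# Print "key path" for every "key = value" line inside [services] only.
pf_services() {
    awk '
        /^[ \t]*[#;]/ { next }                          # skip comment lines
        /^[ \t]*\[/   { in_s = ($0 ~ /^[ \t]*\[services\][ \t]*$/); next }
        in_s && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key != "") print key, val
        }
    ' "$1"
}

# pf_check_services FILE
# Returns 0 if every listed binary exists and is executable,
#         1 if at least one is missing or not executable,
#         2 if the file is unreadable or has no [services] entries.
pf_check_services() {
    rc=0
    list=$(pf_services "$1") || return 2
    [ -n "$list" ] || { echo "no [services] entries in $1"; return 2; }
    # The here-document keeps the loop in the current shell, so rc survives.
    while read -r key path; do
        if [ -x "$path" ] && [ ! -d "$path" ]; then
            echo "ok      $key = $path"
        else
            echo "MISSING $key = $path"
            rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}
```

A non-zero return before starting PacketFence usually means a path still points at the Red Hat location rather than the Gentoo one.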

Edit /usr/local/pf/conf/templates/httpd.conf. In the first main server section, add the following line:

ServerRoot "/usr/lib/apache2"

If you have installed php 5, you will need to also modify the following lines to look like this:

<IfModule !sapi_apache2.c>
  LoadModule php5_module modules/libphp5.so
  #LoadModule php4_module modules/libphp4.so
</IfModule>

Remove the comment from the php5 line, and add one to the php4 line.

Further PHP Configuration

Make certain that in your /etc/php/apache2-php5/php.ini file you have the following set:

allow_url_fopen = On
date.timezone = YourArea/Zone

Packetfence should now be ready to be started! (To avoid hitting your head against the wall: if you have iptables compiled as modules, make certain the ip_tables module is loaded.)


See Also

The Official PacketFence Wiki (where this was taken from)

Retrieved from "http://www.gentoo-wiki.info/Packetfence"

Last modified: Fri, 05 Sep 2008 09:26:00 +0000 Hits: 1,438