Network Access Control with PacketFence

In one discussion with a client, the wish to implement Network Access Control came up. Although BYOD is now widespread, the NAC approach is still workable, especially for enterprise networks.


NAC


Network Access Control (NAC) is a computer networking solution that uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network. NAC might integrate the automatic remediation process (fixing non-compliant nodes before allowing access) into the network systems, allowing the network infrastructure such as routers, switches and firewalls to work together with back office servers and end user computing equipment to ensure the information system is operating securely before interoperability is allowed.
Network Access Control aims to do exactly what the name implies—control access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.


Overview


PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.

Enforcement

Out-of-band Deployment

PacketFence's operation is completely out-of-band, which allows the solution to scale geographically and to be more resilient to failures. When using the right technology (like port security), a single PacketFence server can be used to secure hundreds of switches and the many thousands of nodes connected to them.

Inline Deployment

While out-of-band is the preferred way of deploying PacketFence, an inline mode is also supported for unmanageable wired or wireless equipment. Deploying PacketFence using the inline mode can also be accomplished in minutes! Note also that the inline mode can coexist very well together with an out-of-band deployment.

Authentication & Registration

802.1X Support

Wireless and wired 802.1X is supported through a FreeRADIUS module which is included in PacketFence.

Voice over IP (VoIP) Support

Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).

Wireless Integration

PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way, using the same user database and the same captive portal, providing a consistent user experience. Mixing access point (AP) vendors and wireless controllers is supported.

Registration of Devices

PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.

Compliance

Detection of Abnormal Network Activities

Abnormal network activities (computer viruses, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.

Statement of Health

While doing an 802.1X user authentication, PacketFence can perform a complete posture assessment of the connecting device using the TNC Statement of Health protocol. For example, PacketFence can verify whether an antivirus is installed and up-to-date, whether operating system patches are all applied, and much more - all without any agent installed on the endpoint device!

Proactive Vulnerability Scans

Nessus or OpenVAS vulnerability scans can be performed upon registration, on a schedule or on an ad-hoc basis. PacketFence correlates the Nessus/OpenVAS vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.

Remediation Through a Captive Portal

Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user is presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.

Isolation of Problematic Devices

PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.

Administration

Command-line and Web-based Management

Web-based and command-line interfaces are provided for all management tasks. The web-based administration supports different permission levels for users and authentication of users against LDAP or Microsoft Active Directory.

Flexible VLAN Management and Role-Based Access Control

The solution is built around the concept of network isolation through VLAN assignment. For more details on how this works, see the Technical Introduction page. Because of its long experience and many deployments, the VLAN management of PacketFence has grown very flexible over the years. Your VLAN topology can be kept as it is, and only two new VLANs need to be added throughout your network: a registration VLAN and an isolation VLAN. Moreover, PacketFence can also make use of the role support offered by many equipment vendors.
VLANs and roles can be assigned using various means:
  • Per switch (default for VLAN)
  • Per client category (default for roles)
  • Per client
  • Using any arbitrary decision (if you use our Perl extension points)
Also, the per-switch method can be combined with the others. For example, with a default PacketFence setup, a VLAN or a role can be assigned to your printers and your PCs (if categorized properly) based on what equipment they are connected to. This means you can easily have per-building, per-device-type VLANs.

Guest Access - Bring Your Own Device (BYOD)

Nowadays, most organizations deal with many on-site consultants from various companies who require Internet access for their work. In most cases, access to the corporate network is given with little to no audit of the individual or device. Also, they rarely need access to the internal corporate infrastructure; it is done that way to avoid administrative burden (per-port VLAN management).

PacketFence supports a special guest VLAN or role out of the box. If you use a guest VLAN, you configure your network so that the guest VLAN only goes out to the Internet; the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how that access works. This is usually branded by the organization offering the access. Several means of registering guests are possible:
  • Manual registration of the guests (in advance or by)
  • Password of the day
  • Self-registration (with or without credentials)
  • Guest access sponsoring (employee vouching for a guest)
  • Guest access activated by email confirmation
  • Guest access activated by mobile phone confirmation (using SMS)
PacketFence also supports bulk creation and import of guest accounts. PacketFence also integrates with online billing solutions such as Authorize.net. Using this integration, you can handle the online payments required to get proper network access.

More Built-in Violation Types

Looking at automatically blocking particular devices on your network? PacketFence is for you. In addition to using Snort, OpenVAS or Nessus as a source of information, PacketFence can combine the following detection mechanisms to effectively block network access from those unwanted devices:
  • DHCP Fingerprint
    PacketFence can block devices based on their DHCP fingerprint. Nearly every operating system out there has a unique DHCP fingerprint. PacketFence can make use of this information and block network access from those devices. Based on DHCP fingerprints, you could automatically block, for example:
    • Sony PlayStation devices or any other game consoles
    • Wireless access points (WAPs)
    • VoIP phones
  • User-Agent
    PacketFence can block devices based on the User-Agent they provide when those particular devices perform network activity using their embedded Web browser. Using this, you could automatically block, for example:
    • Apple iPod or iPhone devices
    • Everyone using an old Microsoft Internet Explorer (IE) release
  • MAC addresses
    PacketFence can block network access to devices having a specific MAC address pattern. Using this, you could automatically block, for example, all devices from a specific network vendor.
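To make the DHCP-fingerprint and MAC-vendor mechanisms above concrete, here is an added example (not PacketFence's own code or fingerprint database) that parses a DHCPDISCOVER, derives the fingerprint from the option 55 parameter request list, looks up the MAC OUI, and decides whether the device class is one the administrator chose to isolate. The fingerprint table, OUI map and blocked classes are constructed, illustrative values.

```python
import struct

# Constructed fingerprint table: option 55 parameter request list -> device class.
# Illustrative only; PacketFence ships its own, much larger, fingerprint database.
FINGERPRINTS = {
    "1,3,6,15,119,252": "Example desktop OS",
    "1,3,6,42,66,150": "Example VoIP phone",
}
# Constructed OUI (first three MAC bytes) -> vendor map.
OUIS = {"00:11:22": "Example Phone Vendor"}
# Constructed policy: device classes an administrator wants kept off the production VLAN.
BLOCKED_CLASSES = {"Example VoIP phone"}

DHCP_MAGIC = b"\x63\x82\x53\x63"


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from the options field after the 236-byte BOOTP header."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        tag = packet[i]
        if tag == 255:          # end-of-options marker
            break
        if tag == 0:            # single-byte pad
            i += 1
            continue
        length = packet[i + 1]
        opts[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def client_mac(packet: bytes) -> str:
    """chaddr starts at offset 28; hlen (offset 2) gives the hardware address length."""
    hlen = packet[2]
    return ":".join(f"{b:02x}" for b in packet[28:28 + hlen])


def classify(packet: bytes) -> dict:
    """Fingerprint the client and apply the constructed block policy."""
    prl = parse_dhcp_options(packet).get(55, b"")
    fingerprint = ",".join(str(b) for b in prl)
    mac = client_mac(packet)
    device = FINGERPRINTS.get(fingerprint, "unknown")
    return {"mac": mac, "fingerprint": fingerprint, "device": device,
            "vendor": OUIS.get(mac[:8], "unknown"), "blocked": device in BLOCKED_CLASSES}


def build_discover(mac: bytes, prl: bytes) -> bytes:
    """Construct a minimal DHCPDISCOVER (op=1, htype=1, hlen=6) for testing."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(24) + mac + bytes(10) + bytes(192)
    options = b"\x35\x01\x01" + b"\x37" + bytes([len(prl)]) + prl + b"\xff"
    return header + DHCP_MAGIC + options
```

In a real deployment the packet would come from the DHCP relay or a span port; the decision here would feed a violation rather than block anything by itself.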

Automatic Registration

Because most networks in production are already very large and complex, PacketFence provides several means to automatically register a client or device.
  • By network device
    A network device (Switch, AP, Wireless Controller) can be set to automatically register all the MAC addresses that request access to the network. Very helpful for a transition into production.
  • By DHCP fingerprinting
    DHCP fingerprinting can be used to automatically register specific device types (e.g. VoIP phones, printers).
  • By MAC address Vendor
    The vendor portion of a MAC address can be used to automatically register devices from a vendor. For example, all Apple products could be automatically registered using such a rule.
  • and more
    Snort, Nessus, OpenVAS, Browser User-Agent and even more techniques could also be used to automatically register devices.

Expiration

The duration of network access can be controlled with configuration parameters. It can be an absolute date (e.g. "Thu Jan 20 20:00:00 EST 2011"), a window (e.g. "four weeks from first network access") or as soon as the device becomes inactive. On expiration, registered devices become unregistered. With little customization it is also possible to do this on a per-device-category basis. Expiration can also be edited manually on a per-node basis.

Bandwidth Accounting

PacketFence can automatically track the amount of bandwidth devices consume on the network. With its built-in violations support, it can quarantine or change access level of devices that are consuming too much bandwidth during a particular time window. PacketFence also has reports on bandwidth consumption.

Floating Network Devices

A Floating Network Device is a Switch or Access Point (AP) that can be moved around your network and plugged into access ports. Once configured properly, PacketFence will recognize your Floating Network Devices and configure the access ports appropriately, usually allowing multiple VLANs and more MAC addresses. At this point, the Floating Network Device can either perform network access control through PacketFence or not. Once the device is disconnected, PacketFence reverts the port to its original configuration.

Flexible Authentication

PacketFence can authenticate your users using several protocols/standards. This allows you to integrate PacketFence in your environment without requiring your users to remember yet another username and password. Authentication sources known to work are:
  • Microsoft Active Directory
  • Novell eDirectory
  • OpenLDAP
  • Cisco ACS
  • RADIUS (FreeRADIUS, Radiator, etc.)
  • Local user file

Routed Networks

PacketFence's architecture allows it to work over routed networks. The server can be located in your datacenter and can still effectively secure branch offices.

Gradual Deployment

Because of the intrusive nature of network access control, PacketFence comes with fine-grained deployment controls. As described elsewhere, you can automatically pre-register nodes, but you can also control on a per-switch and per-port level whether or not PacketFence should perform its duties. This enables you to deploy at the speed you want: per switch, per floor, per location, etc.

The same level of control is also available on the isolation features. At first, you can only log violation events. Then, once you are more familiar with who would be isolated and have validated against false positives, you can enable VLAN isolation.

Together, these two features make the deployment of PacketFence as easy as it can be.

Pass-Through

PacketFence can be configured to allow access to specified resources even when the node is in isolation. This allows you to give access to specific tools or patches through the captive portal.

High-Availability

PacketFence is developed with high-availability in mind. All our deployments are made using active-passive high-availability so the solution is proven in that regard. Information on how to configure PacketFence in that mode of operation is available in our Administration Guide.

Supported Hardware

PacketFence supports hardware from several network vendors in an integrated fashion. See the Supported Switches and AP page for the whole list. If you are a vendor and would like to see your hardware supported, contact us.

Standards-Based

PacketFence is built using open standards to avoid vendor lock-in. Among the standards we support and use, there are:
  • 802.1X
  • Simple Network Management Protocol (SNMP)
  • Standard SNMP management information base (MIB) like BRIDGE-MIB, Q-BRIDGE-MIB, IF-MIB, IEEE8021-PAE-MIB
  • RADIUS
  • Netflow / IPFIX
  • Wireless ISP Roaming (WISPR)

Extensible / Easily Customizable

PacketFence has a couple of extension points where you can override PacketFence's default behavior with a little bit of Perl code. The API has been designed to be easy to understand, with only a couple of high-level entry points. Several examples are already there in the source code, but commented out. Also, when upgrading, PacketFence doesn't replace the files in the extension points, so you keep your modified behavior across upgrades.

The captive portal templates are also easily customizable with HTML and CSS knowledge. They are built using Perl's Template Toolkit.

Something is Missing?

If something you require for Network Access Control is not on this list, first check whether it is in our Roadmap; otherwise there is a good chance that someone in the community has done what you are looking for, so engage with the community and send an email to the packetfence-users mailing list. No one has ever tried or wanted that feature? If you know Perl you can try to do it yourself, or you can sponsor the development of the feature.