PacketFence is far more than guest access control: it can be used to effectively secure networks, from small ones to very large heterogeneous networks. PacketFence is a market-leading and trusted open source network access control (NAC) solution.


The solution is built around the concept of network isolation through VLAN assignment. Thanks to years of experience and many deployments, the VLAN management of PacketFence has grown very flexible. Your VLAN topology can be kept as it is; only two new VLANs need to be added throughout your network: a registration VLAN and an isolation VLAN. Moreover, PacketFence can also make use of the role support offered by many equipment vendors.

PacketFence supports a special guest VLAN or guest roles. If you use a guest VLAN, we configure your network so that the guest VLAN only goes out to the Internet, while the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how their access works. The portal is branded as your organisation. Several user journeys for registering guests are possible:

You can define different portal profiles based on a VLAN or SSID attribute. That means, for example, that you could define different portal profiles for your wired and wireless networks. Or, you could define per-SSID portal profiles.

Looking at automatically blocking particular devices on your network? In addition to using Windows Management Instrumentation (WMI), Snort, Suricata, OpenVAS or Nessus as a source of information, PacketFence can combine DHCP Fingerprint, User-Agent and MAC address detection mechanisms to effectively block network access from those unwanted devices.

Automatically register by client or device.

PacketFence supports EAP-TLS for certificate-based authentication. PacketFence provides a small PKI solution that can be used to generate a TLS certificate for each device or each user. PacketFence also integrates with Microsoft's PKI solution: it uses the Simple Certificate Enrollment Protocol (SCEP) to talk to Microsoft's Network Device Enrollment Service (NDES) and obtain the appropriate certificate during the endpoint onboarding process.

The duration of network access can be controlled with configuration parameters. It can be an absolute date (e.g. "Thu Jan 20 20:00:00 EST 2011"), a window (e.g. "four weeks from first network access") or end as soon as the device becomes inactive. On expiration, registered devices become unregistered. With little customization it is also possible to set this per device category. Expiration can also be edited manually on a per-node basis.

PacketFence provides device management and provisioning capabilities through its integration with complementary solutions.

PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.

PacketFence can automatically track the amount of bandwidth devices consume on the network. With its built-in violations support, it can quarantine or change access level of devices that are consuming too much bandwidth during a particular time window. PacketFence also has reports on bandwidth consumption.

A Floating Network Device is a switch or access point (AP) that can be moved around your network and plugged into access ports. Once configured properly, PacketFence recognizes your Floating Network Devices and configures the access ports appropriately, usually allowing multiple VLANs and more MAC addresses. At that point, the Floating Network Device itself can either be subject to network access control through PacketFence or not. Once the device is disconnected, PacketFence restores the port's original configuration.

PacketFence can authenticate your users using several protocols and standards. This allows us to integrate PacketFence in your environment without requiring your users to remember yet another username and password. Supported authentication sources are LDAP, RADIUS, a local user file, OAuth2 and SAML. Alternatively, PacketFence can use its internal database to authenticate locally-created users.

PacketFence integrates very well with Microsoft Active Directory and fully supports Windows Management Instrumentation (WMI). A PacketFence server can even be joined to multiple Active Directory domains - without needing to establish a trust between them.

PacketFence can automatically register endpoints based on WMI scan results. It can also perform WMI scans during the registration process, at scheduled intervals or upon every connection to the wired or WiFi network. Complex but effective WMI scans can be created directly from the PacketFence administrative interface.

Finally, PacketFence exposes Web services that can be used by Windows PowerShell scripts. PacketFence includes scripts to automatically unregister devices belonging to users being removed in Active Directory or for whom the account was locked.

PacketFence's architecture allows it to work over routed networks. The server can be located in your datacenter and can still effectively secure branch offices.

Because of the intrusive nature of network access control, PacketFence comes with finely-grained deployment controls. As described elsewhere, we can automatically pre-register nodes, but we can also control on a per-switch and per-port level whether or not PacketFence should perform its duties. This enables us to deploy at the speed you want: per switch, per floor, per location, etc.

PacketFence can be configured to allow access to specified resources even when the node is in isolation. This allows you to give access to specific tools or patches through the captive portal.

PacketFence is built using open standards to avoid vendor lock-in. Among the standards supported are:

  • 802.1X
  • Simple Network Management Protocol (SNMP)
  • Standard SNMP management information bases (MIBs) such as BRIDGE-MIB, Q-BRIDGE-MIB, IF-MIB and IEEE8021-PAE-MIB
  • Netflow / IPFIX
  • Wireless ISP Roaming (WISPr)
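As an added illustration (not PacketFence's own code) of the kind of lookup a NAC performs with the BRIDGE-MIB listed above, the snippet below parses a `dot1dTpFdbPort` walk into a MAC-to-port map and flags ports that have learned several MACs, which is what distinguishes a Floating Network Device port from a normal single-host access port. The walk output is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of an snmpwalk over BRIDGE-MIB dot1dTpFdbPort
# (1.3.6.1.2.1.17.4.3.1.2). The six OID components after the table
# prefix are the MAC address bytes in decimal; the value is the bridge
# port index on which that MAC was learned.
SAMPLE_WALK = """
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.34 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.172.222.72.0.17.35 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.37.144.1.2.3 = INTEGER: 12
"""

FDB_PORT_PREFIX = ".1.3.6.1.2.1.17.4.3.1.2."
LINE_RE = re.compile(r"^(\S+) = INTEGER: (\d+)$")


def parse_fdb_walk(text):
    """Return {mac: bridge_port} parsed from dot1dTpFdbPort walk output."""
    table = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(FDB_PORT_PREFIX):
            continue
        octets = m.group(1)[len(FDB_PORT_PREFIX):].split(".")
        # A valid index is exactly six decimal octets; skip anything else
        # rather than guessing at a malformed entry.
        if len(octets) != 6 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            continue
        mac = ":".join(f"{int(o):02x}" for o in octets)
        table[mac] = int(m.group(2))
    return table


def macs_per_port(fdb):
    """Invert the forwarding table into {bridge_port: [mac, ...]}."""
    ports = defaultdict(list)
    for mac, port in fdb.items():
        ports[port].append(mac)
    return dict(ports)


def multi_mac_ports(fdb, limit=1):
    """Ports that learned more than `limit` MACs: a downstream switch or AP
    (a Floating Network Device candidate) or something a NAC policy should flag."""
    return {p: sorted(m) for p, m in macs_per_port(fdb).items() if len(m) > limit}
```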