Complete Step-by-Step PacketFence ZEN Configuration Guide (2024)

Author: Kiran Kumar K
Category: Network Security, NAC, Sysadmin
Tags: PacketFence, Network Access Control, Active Directory, BYOD, FreeRADIUS


Introduction

PacketFence is a powerful open-source Network Access Control (NAC) solution suitable for securing wired and wireless networks in enterprise and educational environments. However, configuring it properly can be complex due to the multiple components involved.

This guide provides a clear, professional step-by-step tutorial to configure PacketFence ZEN (version 5.4.0 or later) for production use, including Active Directory integration, RADIUS setup, email configuration, and portal customization.


Prerequisites

Before starting, ensure the following are in place:

  • A freshly installed PacketFence ZEN server (version 5.4.0 or later)

  • Shell access to the server (e.g., through PuTTY or terminal)

  • Active Directory credentials (preferably a dedicated service account)

  • Access to network switches and routers for DHCP relay configuration

  • Administrative access to DNS and DHCP infrastructure


Step 1: Initial Configuration

  1. Access the PacketFence web interface:
    https://<PacketFence_IP>:1443/admin/

  2. Log in with your admin credentials.

  3. Navigate to Configuration > General and verify:

    • Hostname and domain settings

    • Timezone and NTP servers

    • Network interfaces

    • DHCP Relay IPs (add all relevant relays to avoid rogue DHCP alerts)


Step 2: Define User Roles

  1. Navigate to Configuration > Users > Roles

  2. Click on "Add Role" and define roles such as:

    • Staff

    • StudentBYOD

    • Guest

  3. Set maximum allowed nodes per role as required.

Note: Roles cannot be renamed once created. Delete and recreate if needed.


Step 3: Active Directory Integration

A. Create a Dedicated AD User

Create a dedicated service account in AD (e.g., pfsvc@yourdomain.com) with read privileges. Domain Admin rights are recommended during setup.

B. Add AD as an Authentication Source

  1. Go to Configuration > Users > Sources > Add Source > Internal > AD

  2. Configure the following fields:

    • Host: FQDN or IP of the Domain Controller

    • Port: 389 (LDAP)

    • Base DN: e.g., OU=Users,DC=domain,DC=com

    • Username Attribute: sAMAccountName

    • Bind DN: Distinguished name of the AD user (e.g., CN=pfsvc,...)

    • Password: The service account password

  3. Test the connection and save the source.


Step 4: Create AD Security Groups

Create AD Security Groups corresponding to the roles defined in PacketFence.

Examples:

  • StaffWiFi

  • StudentBYOD

  • GuestAccess

Add users to the appropriate groups. This allows access control by group membership.


Step 5: Create Authentication Rules

  1. Edit the AD source under Configuration > Users > Sources

  2. Click "Add Rule" to define rules such as:

    • If memberOf equals full DN of CN=StaffWiFi,...

    • Then assign Role: StaffWiFi

    • Set an access expiration duration (e.g., 365 days)

Repeat for other groups. Add a fallback "Guest" rule at the end.

Rules are processed top to bottom. The first match is applied.
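The first-match evaluation described above is easy to get wrong when the fallback rule is not last. The following shell script is an added example, not part of this guide or of PacketFence itself: it models a rule table as "group DN|role|days" lines, walks it top to bottom and stops at the first rule matched by any of the user's memberOf values, so an intended ordering can be checked before it is typed into the web interface. The group DNs, role names, durations and the user memberships are constructed placeholders; the model compares the full DN as an exact string, which is why a bare group name never matches.

```shell
#!/bin/sh
# Added example (not from the guide or PacketFence): a model of top-to-bottom,
# first-match evaluation of authentication rules.
# Group DNs, role names and durations below are constructed placeholders.

# Rule table in evaluation order, one rule per line: "<group DN>|<role>|<days>".
# A group DN of "*" is the catch-all fallback (the "Guest" rule at the end).
RULES='CN=StaffWiFi,OU=Groups,DC=example,DC=com|Staff|365
CN=StudentBYOD,OU=Groups,DC=example,DC=com|StudentBYOD|180
*|Guest|1'

# The same rules with the fallback listed first: every user becomes Guest.
RULES_FALLBACK_FIRST='*|Guest|1
CN=StaffWiFi,OU=Groups,DC=example,DC=com|Staff|365
CN=StudentBYOD,OU=Groups,DC=example,DC=com|StudentBYOD|180'

# assign_role RULES DN... : prints "<role> <days>" for the first rule matched
# by any of the user's memberOf DNs. Matching is an exact string comparison on
# the full DN, so a bare group name such as "StaffWiFi" never matches.
assign_role() {
  rules=$1
  shift
  while IFS='|' read -r group role days; do
    [ -n "$group" ] || continue
    if [ "$group" = '*' ]; then
      printf '%s %s\n' "$role" "$days"
      return 0
    fi
    for dn in "$@"; do
      if [ "$dn" = "$group" ]; then
        printf '%s %s\n' "$role" "$days"
        return 0
      fi
    done
  done <<EOF
$rules
EOF
  # No rule matched and there was no fallback rule.
  printf 'NO-MATCH\n'
  return 1
}

# Usage: a staff member who is also in the BYOD group gets Staff because that
# rule is listed first; a user in neither group falls through to Guest; with
# the fallback listed first, even the staff member is assigned Guest.
assign_role "$RULES" 'CN=StaffWiFi,OU=Groups,DC=example,DC=com' \
                     'CN=StudentBYOD,OU=Groups,DC=example,DC=com'
assign_role "$RULES" 'CN=Domain Users,CN=Users,DC=example,DC=com'
assign_role "$RULES_FALLBACK_FIRST" 'CN=StaffWiFi,OU=Groups,DC=example,DC=com'
```

Run it as `sh rules.sh`; the three usage calls print `Staff 365`, `Guest 1` and `Guest 1`, the last one showing why the Guest rule has to be the final entry.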


Step 6: Configure DHCP Relay

Configure DHCP relay (IP helper) on all relevant network switches or routers.

For example, on a Cisco switch:

interface vlan 10
 ip helper-address <PacketFence_IP>

This lets PacketFence receive the DHCP traffic from other VLANs and so learn the MAC addresses (and IP assignments) of the devices on them.


Step 7: Email Configuration (Optional)

A. Configure Gmail SMTP Relay (Postfix)

  1. Create the credentials file (it holds a cleartext password, so restrict it to root before building the map):

echo "[smtp.gmail.com]:587 user@gmail.com:password" > /etc/postfix/sasl_passwd
# the file contains a cleartext password: readable by root only
chmod 600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd

  2. Edit /etc/postfix/main.cf and add:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_security_level = secure

  3. Restart postfix:

service postfix restart
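Because the relay credentials sit in a plain file and a single mistyped main.cf line silently downgrades TLS, it is worth checking the result instead of trusting the edit. The script below is an added example, not part of this guide, PacketFence or Postfix: it writes the sasl_passwd file with mode 0600 and then verifies that a main.cf carries each relay setting listed above with the expected value and that the credentials file is not readable by group or others. File paths are parameters so it can be run against a copy; the usage section builds constructed sample files in a temporary directory as stand-ins for /etc/postfix/main.cf and /etc/postfix/sasl_passwd, and postmap is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not from the guide, PacketFence or Postfix): create the SASL
# credentials file safely and verify the relay settings from Step 7.

# write_sasl_passwd FILE RELAY USER PASS
# Writes "RELAY USER:PASS" as a root-only file (it holds a cleartext password),
# then builds the hash map if postmap exists on this machine.
write_sasl_passwd() {
  sasl_file=$1; relay=$2; user=$3; pass=$4
  # umask 077 makes a new file 0600; chmod covers a pre-existing file.
  ( umask 077; printf '%s %s:%s\n' "$relay" "$user" "$pass" > "$sasl_file" ) || return 1
  chmod 600 "$sasl_file" || return 1
  if command -v postmap >/dev/null 2>&1; then
    postmap hash:"$sasl_file"
  fi
}

# main_cf_get FILE KEY : prints the effective value of KEY in a main.cf-style
# file (last assignment wins, comments ignored; continuation lines not handled).
main_cf_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || !/=/ { next }
    {
      k = $0; sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
      if (k == key) {
        v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
        val = v
      }
    }
    END { print val }' "$1"
}

# check_relay_config MAIN_CF SASL_FILE
# Returns 0 when every relay setting from the guide is present with the expected
# value and the credentials file is unreadable by group and others; otherwise
# prints each problem found and returns 1.
check_relay_config() {
  main_cf=$1; sasl_file=$2; rc=0
  for want in \
      'relayhost=[smtp.gmail.com]:587' \
      'smtp_sasl_auth_enable=yes' \
      "smtp_sasl_password_maps=hash:$sasl_file" \
      'smtp_sasl_security_options=noanonymous' \
      'smtp_tls_security_level=secure'; do
    key=${want%%=*}; expected=${want#*=}
    actual=$(main_cf_get "$main_cf" "$key")
    if [ "$actual" != "$expected" ]; then
      echo "$main_cf: $key = '$actual' (expected '$expected')"
      rc=1
    fi
  done
  if [ ! -f "$sasl_file" ]; then
    echo "$sasl_file: missing"
    rc=1
  elif [ "$(ls -ld "$sasl_file" | cut -c5-10)" != '------' ]; then
    echo "$sasl_file: readable by group or others; run: chmod 600 $sasl_file"
    rc=1
  fi
  return $rc
}

# Usage with constructed sample files standing in for /etc/postfix/*.
demo_dir=$(mktemp -d)
write_sasl_passwd "$demo_dir/sasl_passwd" '[smtp.gmail.com]:587' 'user@gmail.com' 'password'
cat > "$demo_dir/main.cf" <<EOF
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$demo_dir/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_security_level = secure
EOF
check_relay_config "$demo_dir/main.cf" "$demo_dir/sasl_passwd" && echo "relay configuration OK"
rm -rf "$demo_dir"
```

On the real server, run `check_relay_config /etc/postfix/main.cf /etc/postfix/sasl_passwd` as root after the edit and before restarting Postfix; a non-zero exit lists exactly which setting or permission is off.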

Step 8: Customize Captive Portal

  1. Go to Configuration > Portal Profiles

  2. Customize existing profiles or create new ones for specific SSIDs or VLANs.

Portal HTML files are located at:
/usr/local/pf/html/captive-portal/profile-templates/register/

Edit files using a CLI editor like vim or nano.


Step 9: Set up FreeRADIUS with Active Directory

A. Install Required Packages

yum install samba krb5-workstation

B. Configure Kerberos

Edit /etc/krb5.conf with your domain and KDC settings.

C. Join Domain

kinit pfsvc
net ads join -U administrator

D. Start and Enable Winbind

service winbind start
chkconfig winbind on

E. Test Authentication

ntlm_auth --username=testuser --domain=YOURDOMAIN --request-nt-key

A success message confirms proper integration.


Step 10: Configure RADIUS Realm

  1. Edit /usr/local/pf/raddb/proxy.conf

  2. Add or modify the following:

realm yourdomain.com {
    type = auth+acct
    authhost = LOCAL
    accthost = LOCAL
}
  3. Restart services:

service radiusd restart
service packetfence restart

Step 11: Configure Passthrough URLs (Optional)

Allow users in isolation or registration VLANs to access specific websites:

  1. Go to Configuration > Network > Passthrough

  2. Add domains such as:

    • microsoft.com

    • google.com

    • school.edu


Step 12: Troubleshooting and Logs

A. View Logs

tail -F /usr/local/pf/logs/packetfence.log

B. Debug RADIUS

radiusd -X -d /usr/local/pf/raddb -n auth

C. Test Authentication

/usr/local/pf/bin/pftest authentication <username> <password> <source>

Conclusion

This guide covers a full configuration workflow to set up PacketFence ZEN in a production environment. With Active Directory integration, role-based access, custom captive portals, and RADIUS authentication, you now have a scalable NAC system ready for enterprise or institutional use.

For ongoing success, ensure logs are monitored, rules are reviewed periodically, and backups of configuration files are maintained.

