The Problem: Anyone Can Plug In and Get Network Access
A few years back, I was called into a mid-sized company to help investigate a ransomware incident. The attacker had simply walked into a conference room, plugged a laptop into an open Ethernet port, and spent three days moving laterally across the network. No alert fired. Nobody noticed until file servers started encrypting themselves.
The root cause was embarrassingly simple: zero enforcement at the network edge. Any device — personal laptop, rogue Raspberry Pi, contractor tablet — could connect to any port and immediately reach internal resources. This is not unusual. Most corporate networks still run on implicit trust: if you can physically plug in, you’re in.
Network Access Control fixes this by making the network interrogate every device before granting access: Who are you? Are you compliant? Should you be here? PacketFence is a widely deployed open-source NAC platform. It enforces on wired 802.1X and MAB ports and on wireless SSIDs through RADIUS, assigns a VLAN (or a vendor role or ACL) in the Access-Accept, and onboards unknown devices through a captive portal.
Quick Start: Get PacketFence Running in 5 Minutes
The fastest way to evaluate PacketFence is with their ZEN (Zero Effort NAC) virtual appliance. Download it from the official site and import it into VirtualBox or VMware. It boots into a pre-configured environment with a web GUI on port 1443 — no manual setup required.
Minimal Lab Setup
For a real deployment test, you need at minimum:
- 1 PacketFence server (Debian 12 or RHEL 9 / Rocky 9; 4 vCPU and 8 GB RAM will do for a lab, the installation guide asks for 16 GB in production)
- 1 managed switch supporting 802.1X and RADIUS (Cisco, HP Aruba, Juniper all work)
- A test client machine (Windows or Linux)
Install PacketFence on Debian 12 (the Debian release current versions support; Ubuntu is not a supported platform):
# Import the PacketFence signing key and add the repository for the release you are
# installing. 14.0 is a placeholder: check the installation guide for the current
# release and the exact repository line before copying this.
sudo apt update && sudo apt install -y gnupg wget
wget -q -O - https://inverse.ca/downloads/GPG_PUBLIC_KEY | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/packetfence.gpg
echo 'deb https://inverse.ca/downloads/PacketFence/debian/14.0 bookworm bookworm' | sudo tee /etc/apt/sources.list.d/packetfence.list
sudo apt update
sudo apt install -y packetfence
# There is no command-line configurator; the package serves a web configurator instead
The configurator is web-based: browse to https://<server-ip>:1443 right after the install. It walks through enforcement mode, interface assignment (management, registration, isolation), database creation, the admin password and an optional Fingerbank API key, then starts the services. The same port serves the admin GUI once configuration is complete; its certificate is self-signed until you replace it.
Deep Dive: How PacketFence Actually Controls Access
The RADIUS Flow
When a device connects to an 802.1X-enabled switch port or Wi-Fi SSID, here is exactly what happens:
- The switch (the 802.1X authenticator) sends an EAP-Request/Identity to the connecting device over EAPOL; on a port configured for MAB, or once the EAPOL timeout expires, it skips this and uses the device's source MAC as the identity
- The device (the supplicant) answers with its EAP method: a client certificate for EAP-TLS, or a username and MSCHAPv2 response inside a TLS tunnel for PEAP; for MAB the switch itself supplies the MAC as User-Name and User-Password
- The switch wraps each EAP message in a RADIUS Access-Request (EAP-Message attributes, plus Calling-Station-Id carrying the MAC) and sends it to PacketFence; the Message-Authenticator attribute, an HMAC keyed with the shared secret, binds the request to that secret
- PacketFence terminates the EAP conversation and validates the credentials against its internal database, Active Directory (through winbind/ntlm_auth for MSCHAPv2) or LDAP, then picks a role from its rules
- PacketFence replies with Access-Reject, or with an Access-Accept carrying the VLAN as Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and Tunnel-Private-Group-ID=<vlan id> (or a vendor-specific role or ACL attribute if the switch definition asks for one)
- The switch verifies the Response Authenticator with the shared secret and moves the port into that VLAN
A later change of state (the user registers on the captive portal, a security event opens) does not wait for the next login: PacketFence pushes a RADIUS CoA or Disconnect-Request, or bounces the port over SNMP or SSH, so the device re-authenticates into its new VLAN.
PacketFence bundles FreeRADIUS and generates its configuration from templates under /usr/local/pf/conf/radiusd/. You almost never touch the generated files under /usr/local/pf/raddb directly, and hand edits there are overwritten on the next regeneration.
Configure Your Switch as a Network Device
In the PacketFence GUI, go to Configuration → Policies and Access Control → Network Devices → Switches and add your switch (IP or CIDR range, switch type, RADIUS secret, role-to-VLAN mapping). Here is the matching minimal config for a Cisco IOS switch; the lines starting with '!' are IOS comments:
! On your Cisco IOS switch (replace names, addresses and the secret)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Send vendor attributes; PacketFence's Cisco module relies on them
radius-server vsa send authentication
radius server PACKETFENCE
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
 key YourSharedSecret
! Let PacketFence re-authorize or bounce a port after registration (RFC 5176 CoA)
aaa server radius dynamic-author
 client 192.168.1.10 server-key YourSharedSecret
dot1x system-auth-control
interface GigabitEthernet0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
 spanning-tree portfast
Back in PacketFence, set the switch type (Cisco Catalyst), the RADIUS secret, and define which VLANs map to which roles. Vendor-specific attribute mappings are handled out of the box — PacketFence ships with built-in templates for Aruba, Juniper, Extreme, Meraki, and dozens more.
VLAN Roles: The Core of NAC Policy
PacketFence uses roles to assign network access levels. The default roles are:
- registration — the VLAN unregistered devices land in; PacketFence must be the DHCP and DNS server there so it can redirect every web request to the captive portal
- isolation — the VLAN for devices with an open security event (failed scan, rogue behaviour); same portal mechanics, different message
- default — normal authenticated access for a device that matched no more specific rule
- Custom roles (guest, contractor, IoT, etc.), alongside other built-ins such as voice for IP phones and REJECT, which returns an Access-Reject instead of a VLAN
Map each role to a VLAN ID in the switch definition. The VLAN must already exist on the switch (and be allowed on the uplink trunks) or the port will not come up in it, and the registration and isolation VLANs must reach PacketFence, since it serves DHCP, DNS and the portal there. The switch then places the port in the VLAN named by PacketFence's RADIUS reply.
MAC Authentication Bypass for Non-802.1X Devices
Printers, IP cameras and IoT sensors cannot run an 802.1X supplicant. PacketFence handles them through MAB (MAC Authentication Bypass): the switch sends the MAC as both RADIUS User-Name and User-Password (Cisco adds Service-Type=Call-Check), PacketFence looks the node up, a registered node gets its role's VLAN and an unknown one lands in registration. MAB authenticates nothing but a MAC, and a MAC is trivially cloned, so treat MAB roles as untrusted: give them the narrowest VLAN or ACL that still works, note which switch and port each one normally sits on, and look twice when a registered printer's MAC starts showing up elsewhere or fingerprinting as something else.
# Register a MAB device from the PacketFence CLI (the role "iot" must already exist)
/usr/local/pf/bin/pfcmd node add 00:1A:2B:3C:4D:5E category=iot status=reg
# Or use the REST API (exposed through the admin web port; -k only because the
# default certificate is self-signed, install a trusted one in production)
TOKEN=$(curl -ks -X POST https://localhost:1443/api/v1/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "<admin password>"}' | jq -r .token)
curl -ks -X POST https://localhost:1443/api/v1/nodes \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mac": "00:1a:2b:3c:4d:5e", "category": "iot", "status": "reg"}'
Advanced Usage: Active Directory Integration and Compliance Checks
Connecting PacketFence to Active Directory
Most enterprise environments already run Active Directory. PacketFence joins the domain from the GUI: Configuration → Policies and Access Control → Domains → Active Directory Domains, where you give the domain, a domain controller and an account allowed to create the machine account. Use a dedicated join account limited to that right rather than a Domain Admin, and rotate its password afterwards; it is stored on the PacketFence server. The join runs Samba/winbind in a per-domain environment on the PacketFence host, and FreeRADIUS uses it to hand MSCHAPv2 challenges to the domain controller. Then define an Active Directory authentication source under Configuration → Policies and Access Control → Authentication Sources, with rules mapping AD groups to PacketFence roles.
Once joined, Windows machines authenticate transparently with their domain credentials: PEAP-MSCHAPv2 is checked through the join (ntlm_auth), while EAP-TLS presents a machine or user certificate that PacketFence validates against the CA you configure and needs no join at all. No captive portal; domain-joined machines just connect and land in the right VLAN. Two caveats: PEAP-MSCHAPv2 is only as safe as the client's server-certificate validation, so push the RADIUS server certificate or CA into the wired and Wi-Fi profiles by GPO, or an evil-twin SSID can collect the MSCHAPv2 exchange and crack it offline. EAP-TLS avoids that entirely and is the better end state.
Endpoint Compliance Scanning
PacketFence can call an external scanner (Nessus and OpenVAS among the supported engines) before granting full access. On registration the device is placed in a VLAN the scanner can reach, PacketFence launches the scan, and the result decides the outcome: a clean device proceeds to its role's VLAN, while findings that match a security event move it to isolation. The scan needs reachability from the scanner to the client's VLAN and takes minutes, so size the intermediate VLAN and the user's patience accordingly.
Configure the engine at Configuration → Compliance → Scan Engines (credentials, the scan policy to run, and the "scan on registration" option), then reference it in the relevant connection profile so it applies automatically when new devices first appear.
Wi-Fi Integration with Cisco WLC or Aruba
For wireless, PacketFence acts as the RADIUS server for your WLC (Wireless LAN Controller). Point the controller's RADIUS authentication and accounting at PacketFence's IP with the same shared secret you enter in the network device definition, and add the controller as a network device in PacketFence. PacketFence then returns the RFC 2868 tunnel attributes, Tunnel-Private-Group-ID carrying the VLAN, which tell the controller where to put the client. On a Cisco WLC the WLAN must have "Allow AAA Override" enabled, or the controller ignores the returned VLAN and keeps the WLAN's static interface.
# Shape of the Access-Accept PacketFence returns for VLAN assignment, in FreeRADIUS
# unlang syntax. PacketFence's RADIUS backend builds these attributes from the
# role-to-VLAN mapping in the switch definition; you do not write this by hand.
update reply {
    Tunnel-Type = VLAN
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Private-Group-ID = "20"
}
PacketFence also supports dynamic VLAN assignment per SSID and per user group: guests get one VLAN, employees another, all from the same physical AP infrastructure. Aruba controllers and some other vendors are driven by a user-role VSA rather than a raw VLAN ID; PacketFence's module for that vendor picks the right attribute, so express the mapping in the network device definition rather than in FreeRADIUS.
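The exchange described in the RADIUS flow section and the tunnel attributes just shown, worked through in code as an added example (this is not PacketFence or FreeRADIUS code; the shared secret, NAS address and VLAN are assumed values): it builds the MAB Access-Request a switch sends, builds the Access-Accept a NAC answers with, and then performs the switch-side checks, verifying the Response Authenticator and Message-Authenticator with the shared secret before trusting the VLAN. That last check is what stops a rogue RADIUS server on the network from handing out VLANs; a reply signed with the wrong secret is rejected.

```python
"""RADIUS exchange for a MAB port, standard library only (RFC 2865 packet format and
password hiding, RFC 2869 Message-Authenticator, RFC 2868 tunnel attributes). Added
example, not PacketFence or FreeRADIUS code; secret, addresses and VLAN are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6     # RFC 2865 types
CALLING_STATION_ID, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 31, 61, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81    # RFC 2868 types
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
SECRET = b"YourSharedSecret"  # illustrative; must equal the 'key' in the switch config

def avp(attr_type, value):
    """One attribute: Type, Length (counting these 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_mab_request(mac, secret, nas_ip, identifier=0, request_auth=b""):
    """Access-Request as an IOS switch sends it for MAB: the MAC is User-Name and the
    (hidden) User-Password, and Service-Type=Call-Check marks the request as MAB."""
    request_auth = request_auth or os.urandom(16)
    plain = mac.replace(":", "").replace("-", "").lower()
    attrs = (avp(USER_NAME, plain.encode())
             + avp(USER_PASSWORD, encrypt_password(plain.encode(), secret, request_auth))
             + avp(SERVICE_TYPE, struct.pack("!I", 10))  # Call-Check
             + avp(CALLING_STATION_ID, mac.upper().replace(":", "-").encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT_TYPE, struct.pack("!I", 15))  # Ethernet
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, kept last
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    # RFC 2869 5.14: HMAC-MD5 over the packet with the Message-Authenticator zeroed
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def build_access_accept(request, secret, vlan_id, tag=0):
    """The NAC's reply placing the port in vlan_id: three tagged RFC 2868 tunnel
    attributes plus Message-Authenticator and Response Authenticator."""
    request_auth = request[4:20]
    attrs = (avp(TUNNEL_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
             + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
             + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_id.encode())
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    # RFC 3579 3.2: a reply's HMAC is computed with the *request* authenticator in place
    attrs = attrs[:-16] + hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    # RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attributes(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def decode_accept(reply, request, secret):
    """Switch side: verify both authenticators with the shared secret before trusting
    the VLAN, then decode the tunnel attributes (leading byte 0x00-0x1F is the tag)."""
    if reply[0] != ACCESS_ACCEPT or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("not an Access-Accept matching this request")
    request_auth = request[4:20]
    if not hmac.compare_digest(hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest(), reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs = parse_attributes(reply)
    zeroed = b"".join(avp(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected_ma = hmac.new(secret, reply[:4] + request_auth + zeroed, hashlib.md5).digest()
    out = {}
    for t, v in attrs:
        if t == MESSAGE_AUTHENTICATOR and not hmac.compare_digest(expected_ma, v):
            raise ValueError("bad Message-Authenticator")
        raw = v[1:] if v and v[0] <= 0x1F else v
        if t == TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(raw, "big")
        elif t == TUNNEL_MEDIUM_TYPE:
            out["tunnel_medium"] = int.from_bytes(raw, "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            out["vlan"] = raw.decode()
    return out

if __name__ == "__main__":
    req = build_mab_request("00:1a:2b:3c:4d:5e", SECRET, "192.168.1.2")
    print(decode_accept(build_access_accept(req, SECRET, "20"), req, SECRET))
```

Run it directly to see the decoded reply. The same functions, pointed at a UDP socket on port 1812, are enough to test a switch definition's secret against a live PacketFence from a lab machine, which is also exactly what an attacker with the secret could do, so keep those secrets per switch and out of backups anyone can read.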
Practical Tips from the Field
Start with Monitor Mode, Not Enforcement
The biggest mistake I see is flipping 802.1X enforcement on across the entire network overnight. Devices break, the help desk gets flooded, and management pulls the plug on the whole project.
Start in monitor mode instead. Two settings make it: on the switch, add `authentication open` to each port (Cisco IOS), so the port keeps forwarding whatever the authentication result while still sending every Access-Request to PacketFence; and in the switch definition, leave the "Role by VLAN ID" mapping off for now, so PacketFence's Access-Accept carries no VLAN and nothing moves. PacketFence still computes a role for every device and records it, with the VLAN it would have assigned, in Auditing → RADIUS Audit Logs. Run this for two to four weeks. You will surface the problem devices, printers, VoIP phones, old workstations running XP, and build your exception list and supplicant fixes before a single port goes live. Then turn the VLAN mapping on and remove `authentication open` one segment at a time, as the audit log shows clean results there.
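What to pull out of those weeks of audit data, as an added example (not PacketFence code): the rows below are a constructed, simplified stand-in for an export of the RADIUS audit log, with column names that are this example's assumption, and the function groups them into the lists you need before enforcing: MACs that only ever authenticated by MAB (no supplicant, so they need a MAB registration and a role), MACs whose 802.1X attempts were rejected (supplicant or certificate problems to fix first), MACs already passing 802.1X into a production role, and ports seen with more than one MAC (a PC behind an IP phone, a hub, a daisy chain), which need multi-auth or a voice VLAN rather than single-host mode.

```python
"""Turn monitor-mode RADIUS audit data into the pre-enforcement exception list.
Added example, not PacketFence code: the CSV columns are a simplified stand-in
for an export of PacketFence's RADIUS audit log, and the rows are constructed."""
import csv
import io
from collections import defaultdict

SAMPLE_AUDIT = """\
created_at,mac,switch_ip,nas_port_id,auth_type,auth_status,role
2024-03-01 08:01:12,00:1a:2b:3c:4d:5e,10.0.0.2,GigabitEthernet0/1,MAB,Accept,registration
2024-03-01 08:01:40,a4:5e:60:11:22:33,10.0.0.2,GigabitEthernet0/2,802.1X,Accept,default
2024-03-01 08:02:05,00:1a:2b:3c:4d:5e,10.0.0.2,GigabitEthernet0/1,MAB,Accept,registration
2024-03-01 08:03:10,c8:3a:35:aa:bb:cc,10.0.0.2,GigabitEthernet0/3,802.1X,Reject,
2024-03-01 08:03:11,c8:3a:35:aa:bb:cc,10.0.0.2,GigabitEthernet0/3,MAB,Accept,registration
2024-03-01 08:04:00,00:0c:29:44:55:66,10.0.0.2,GigabitEthernet0/4,MAB,Accept,registration
2024-03-01 08:04:02,d4:be:d9:77:88:99,10.0.0.2,GigabitEthernet0/4,MAB,Accept,registration
2024-03-01 09:00:00,a4:5e:60:11:22:33,10.0.0.3,GigabitEthernet0/7,802.1X,Accept,default
"""


def rollout_report(csv_text):
    """Group audit rows per MAC and per port and return the lists to act on."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_mac, by_port = defaultdict(list), defaultdict(set)
    for r in rows:
        by_mac[r["mac"]].append(r)
        by_port[(r["switch_ip"], r["nas_port_id"])].add(r["mac"])
    report = {"mab_only": [], "dot1x_failed": [], "ready": [], "shared_ports": {}}
    for mac, events in sorted(by_mac.items()):
        types = {e["auth_type"] for e in events}
        results = {(e["auth_type"], e["auth_status"]) for e in events}
        if types == {"MAB"}:
            # Never spoke EAP: printer, phone, IoT. Needs a MAB registration and a role
            # (or a supplicant rollout) before this port is enforced.
            report["mab_only"].append(mac)
        if ("802.1X", "Reject") in results:
            # Has a supplicant but it failed: bad cert, wrong realm, stale PEAP settings.
            report["dot1x_failed"].append(mac)
        if ("802.1X", "Accept") in results and all(
                e["role"] not in ("", "registration", "isolation")
                for e in events if e["auth_type"] == "802.1X"):
            report["ready"].append(mac)
    # More than one MAC behind a port (PC behind an IP phone, hub, daisy chain):
    # the port needs multi-auth/multi-domain or a voice VLAN, not single-host mode.
    report["shared_ports"] = {f"{sw}:{port}": sorted(macs)
                              for (sw, port), macs in sorted(by_port.items()) if len(macs) > 1}
    return report


if __name__ == "__main__":
    for key, value in rollout_report(SAMPLE_AUDIT).items():
        print(f"{key}: {value}")
```

Feed it the real export and the mab_only list becomes the node registrations to create (with the narrowest role that works), dot1x_failed the t
ickets for the desktop team, and shared_ports the interfaces to check for host-mode before enforcement.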
Use DHCP Fingerprinting to Auto-Classify Devices
PacketFence fingerprints devices from DHCP: option 55 (the parameter request list, the exact sequence of options a client asks for), option 60 (vendor class), the hostname and other signals are sent to Fingerbank, which maps the combination to a device class. An iPhone asks for a different option list than a Windows 11 laptop, which differs again from a Cisco 8800 series IP phone. PacketFence only classifies what it sees: it already sees DHCP in the registration and isolation VLANs, where it is the DHCP server, but for production VLANs you add PacketFence as an extra ip helper-address (DHCP relay target) on the switch's SVIs or mirror the traffic to a dedicated listener interface. Declare the listener in pf.conf so new devices are classified without manual intervention:
# Listen for DHCP on the management interface (pf.conf). The switches must relay
# or mirror production-VLAN DHCP here, or PacketFence only sees its own VLANs.
[interface eth0]
type=management,dhcplistener
ip=192.168.1.10
mask=255.255.255.0
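How the fingerprint is actually derived, and one use of it that the MAB section above only hints at, as an added example (not PacketFence or Fingerbank code): a parser for the DHCP options a listener sees, a constructed DHCPDISCOVER builder to feed it, and a check that compares what a MAB-registered MAC looks like on the wire with the device class it was registered as, which catches a laptop cloning a printer's MAC to ride its MAB exception. The fingerprint table and the registry are constructed for illustration; Fingerbank's database does the classifying in production.

```python
"""DHCP fingerprinting as a spoof check for MAB devices. Parses the options a
dhcplistener keys on (55 parameter request list, 60 vendor class, 12 hostname)
from a raw DHCPDISCOVER and compares the result with the device class a MAC was
registered as. Added example, not PacketFence or Fingerbank code; the packets,
registry and fingerprint table are constructed for illustration."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_END = 12, 53, 55, 60, 255

# Illustrative option-55 signatures only; production uses Fingerbank's database,
# which also weighs vendor class, hostname and other traffic.
KNOWN_FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Windows",
    "1,121,3,6,15,119,252,95,44,46": "Apple",
    "1,3,6,12,15,28,42,44,66,67": "Printer",
}
# What the NAC knows about MAB-registered nodes (constructed): the role given and
# the device class that justified the exception.
SAMPLE_REGISTRY = {"00:1a:2b:3c:4d:5e": {"role": "iot", "class": "Printer"}}


def parse_dhcp(packet):
    """Return client MAC and the fingerprinting options; raise on non-DHCP or truncated input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a BOOTP/DHCP packet")
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])  # chaddr field
    opts, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_END:
            break
        if code == 0:  # pad byte
            pos += 1
            continue
        if pos + 1 >= len(packet) or pos + 2 + packet[pos + 1] > len(packet):
            raise ValueError("truncated option %d" % code)
        length = packet[pos + 1]
        opts[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {
        "mac": mac,
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "option55": ",".join(str(b) for b in opts.get(OPT_PARAM_REQ_LIST, b"")),
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
    }


def build_discover(mac, param_list, vendor_class=b"", hostname=b""):
    """Constructed DHCPDISCOVER (op=1, htype=1 Ethernet, hlen=6, broadcast flag set)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"", b"", b"", b"", chaddr, b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, 1, OPT_PARAM_REQ_LIST, len(param_list)]) + param_list
    for code, value in ((OPT_VENDOR_CLASS, vendor_class), (OPT_HOSTNAME, hostname)):
        if value:
            options += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def classify(fingerprint):
    return KNOWN_FINGERPRINTS.get(fingerprint["option55"], "unknown")


def check_mab_node(registry, packet):
    """Verdict for one DHCP packet: unknown MAC, fingerprint consistent with the registered
    class, or a mismatch suggesting the MAC was cloned to ride a MAB exception."""
    fp = parse_dhcp(packet)
    fp["class"] = classify(fp)
    node = registry.get(fp["mac"])
    if node is None:
        fp["verdict"] = "unknown MAC"
    elif fp["class"] not in ("unknown", node["class"]):
        fp["verdict"] = "MISMATCH: registered as %s (role %s) but fingerprints as %s" % (
            node["class"], node["role"], fp["class"])
    else:
        fp["verdict"] = "ok"
    return fp


PRINTER = build_discover("00:1a:2b:3c:4d:5e", bytes([1, 3, 6, 12, 15, 28, 42, 44, 66, 67]), b"HP LaserJet")
CLONE = build_discover("00:1a:2b:3c:4d:5e", bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252]),
                       b"MSFT 5.0", b"LAPTOP-X1")

if __name__ == "__main__":
    for pkt in (PRINTER, CLONE, build_discover("de:ad:be:ef:00:01", bytes([1, 3, 6]))):
        r = check_mab_node(SAMPLE_REGISTRY, pkt)
        print(r["mac"], r["option55"], r["class"], "->", r["verdict"])
```

The interesting case is CLONE: same MAC as the registered printer, so MAB lets it straight into the iot role, but the parameter request list is a Windows one. That mismatch is the signal to bind to a security event and an isolation move, which is why the listener is worth feeding with production-VLAN DHCP and not just the registration VLAN.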
Alerts and Rogue Device Detection
Unknown MAC address on the network? With VLAN enforcement it never reaches production: any MAC PacketFence has not seen is created as an unregistered node and parked in the registration VLAN, and the node list and RADIUS audit log show which switch and port it appeared on. To be told about it, create a security event at Configuration → Compliance → Security Events with a trigger matching what you care about (a device class, a DHCP fingerprint, an external scanner result) and actions such as email, "execute external command" (which can post to a Slack webhook) and, where warranted, "reevaluate access" to move the device to isolation. Tune before you page on it: a new MAC in the registration VLAN is normal during onboarding, while a registered printer's MAC suddenly fingerprinting as Windows is worth a look. This turns PacketFence from a passive gatekeeper into an active layer-2 detection point.
Backup and HA Considerations
Production deployments need a second node. PacketFence's built-in clustering (covered in its Clustering Guide) uses keepalived to float the service IPs between nodes and a MariaDB Galera cluster for the shared database; it does not use Corosync or Pacemaker. At bare minimum, on a single node, run a daily backup. The easiest is the script that ships with PacketFence, /usr/local/pf/addons/backup-and-maintenance.sh, which dumps the database and archives the configuration under /root/backup; the manual equivalent is:
# Backup PacketFence database (the pf user's password is in the [database] section of /usr/local/pf/conf/pf.conf)
mysqldump --single-transaction -u pf -p pf | gzip > /backups/pf_$(date +%F).sql.gz
# Backup configuration directory
tar czf /backups/pf_conf_$(date +%F).tar.gz /usr/local/pf/conf/
The configuration archive contains every RADIUS shared secret, the AD join credentials and the switch SNMP and SSH credentials, so encrypt the backups and keep them somewhere a compromised PacketFence host cannot reach.
When a single PacketFence node goes down, already authenticated sessions keep running, but new connections and re-authentications fail. Decide up front how the switch should behave when its RADIUS server is dead: Cisco IOS can park new sessions in a critical VLAN (`authentication event server dead action authorize vlan <id>`) and re-run authentication when the server returns (`authentication event server alive action reinitialize`). Failing open into the production VLAN defeats the NAC; failing closed takes the floor down with the server. Pick one deliberately and test it by stopping the RADIUS service in the lab.
From Flat Network to Enforced Perimeter
NAC rarely appears on security checklists until after an incident. It should come first. The conference room attack I described at the start would have been stopped cold by even a basic PacketFence deployment — the device would have landed in the registration VLAN, triggered an unknown-MAC alert, and gotten nowhere near the file servers.
The learning curve is steeper than writing a firewall rule, but PacketFence’s documentation is solid and the community forum is active. Start with the ZEN appliance in a lab. Get comfortable with VLAN roles and RADIUS flows. Then roll out to production switches one segment at a time. A few weeks of careful rollout and you will have replaced a fully flat, trust-everyone network with one that actively questions every device that tries to connect.

