Contents
I. Installing PacketFence 7.4
1. Disable the firewall
2. Disable SELinux
3. Update the system
4. Stop NetworkManager from managing the DNS configuration
5. Install PacketFence
6. Replace the existing haproxy
7. Bug fix
PacketFence software repository
II. PacketFence 7.4 cluster installation
1. Prerequisites
2. Installation
2.1 Install the database replication tools
2.2 Install the first server of your cluster
2.3 Server configuration
2.4 Basic PacketFence configuration
2.5 Build the cluster
2.6 Join the other two servers
III. Configuration examples
1. PEAP-MSCHAPv2 authentication example
1.1 Initial PacketFence configuration
1.2 PacketFence feature configuration
1.3 Whitelist configuration for "dumb" endpoints
1.4 Access-layer switch configuration
2. EAP-TLS authentication example
2.1 Setup steps
2.2 Verification
3. Huawei AC6605 web authentication
3.1 Test steps
3.2 Test client
3.3 Authentication principle
IV. Common PacketFence features
1. Bulk import of switches
2. Whitelist in the registration network
2.1 DNS passthrough
2.2 iptables pass-through rules
3. The pf API
4. Importing a valid HTTPS certificate
5. Adding custom files to synchronize
I. Installing PacketFence 7.4
1. Disable the firewall
Check the firewall's running state: firewall-cmd --state
Control the firewall service: systemctl restart/start/stop firewalld
Prevent firewalld from starting at boot: systemctl disable firewalld.service
List the firewall rules: firewall-cmd --list-all
Port control
# check whether a port is open
firewall-cmd --query-port=8080/tcp
# open port 80
firewall-cmd --permanent --add-port=80/tcp
# remove a port
firewall-cmd --permanent --remove-port=8080/tcp
# reload the firewall (required after changing the configuration)
firewall-cmd --reload
# parameter explanation
1. firewall-cmd: the tool Linux provides for operating firewalld;
2. --permanent: makes the setting persistent;
3. --add-port: the port to add;
2. Disable SELinux
1. Edit the file /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled
A reboot is required for the change to take effect
2. Check the SELinux status: /usr/sbin/sestatus -v
## if the "SELinux status" field shows enabled, SELinux is on
3. Update the system
1. Check the operating system version
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
2. If you do not want the kernel or the OS release upgraded, add the following lines to /etc/yum.conf after the [main] header before running yum update
exclude=kernel*
exclude=centos-release*
This way, after running yum update:
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
4. Stop NetworkManager from managing the DNS configuration
echo "[main]
dns=none" > /etc/NetworkManager/conf.d/99-no-dns.conf
service NetworkManager restart
Note: if this file does not exist, this step can be skipped
5. Install PacketFence
Install the PacketFence software repository
yum localinstall http://packetfence.org/downloads/PacketFence/RHEL7/`uname -i`/RPMS/packetfence-release-1.2-6.el7.centos.noarch.rpm
Install PacketFence and its related components
yum install --enablerepo=packetfence packetfence-7.4.0-3.el7
6. Replace the existing haproxy
The haproxy already installed is too new; the haproxy configuration generated by PF 7.4 does not work with it
Find the installed haproxy: rpm -qa | grep haproxy
Remove the current haproxy: rpm -e --nodeps haproxy-1.8.9-2.1.x86_64
Install the required haproxy version: rpm -ivh haproxy-1.6.11-1.2.x86_64.rpm
7. Bug fix
First install git: yum install git
Run the following command to apply the bug fixes for this PacketFence version
/usr/local/pf/addons/pf-maint.pl
PacketFence software repository
http://packetfence.org/downloads/PacketFence/RHEL7/x86_64/RPMS/
II. PacketFence 7.4 cluster installation
1. Prerequisites
At least 3 servers with PacketFence installed
All servers run RHEL / CentOS 7 / Debian Jessie
All servers use the same network interface name (e.g. eth0)
All servers are on the same layer-2 network
IPv6 is disabled on the servers
o Edit the file /etc/sysctl.conf
vim /etc/sysctl.conf
Add the following lines:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
o Run the following command to apply the setting
sysctl -p
2. Installation
2.1 Install the database replication tools
# yum install http://www.percona.com/downloads/percona-release/redhat/0.1-3/percona-release-0.1-3.noarch.rpm
# sed -i 's/enabled = 1/enabled = 0/g' /etc/yum.repos.d/percona-release.repo
# yum install percona-xtrabackup socat --enablerepo=percona-release-x86_64
Make sure nothing is configured in /usr/local/pf/conf/cluster.conf.
2.2 Install the first server of your cluster
On the first server, start packetfence-mariadb and make sure it starts in standalone mode
# systemctl start packetfence-mariadb
Run the secure installation
# mysql_secure_installation
Create a user for PacketFence database replication
# mysql -u root -p
mysql> CREATE USER 'pfcluster'@'%' IDENTIFIED BY 'aMuchMoreSecurePassword';
mysql> GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT, SUPER ON *.* TO 'pfcluster'@'%';
mysql> CREATE USER 'pfcluster'@'localhost' IDENTIFIED BY 'aMuchMoreSecurePassword';
mysql> GRANT PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT, SUPER ON *.* TO 'pfcluster'@'localhost';
mysql> FLUSH PRIVILEGES;
'aMuchMoreSecurePassword' is only an example; you must define your own password
Remove the empty (anonymous) users from the database
# mysql -u root -p
mysql> delete from mysql.user where user = '' ;
mysql> flush privileges;
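The replication-user setup above is usually typed by hand, which is how the example password ends up in production. The following shell script is an added example, not part of the PacketFence documentation: it emits the same CREATE USER / GRANT / DELETE statements for the pfcluster account, but takes the password from the environment variable PF_REPL_PASSWORD (a name assumed here), refuses the documentation's placeholder password and anything shorter than 16 characters, and escapes single quotes so the SQL literal stays intact. The host pattern is a parameter: the page uses '%' (any host); narrowing it to the cluster subnet is an option added here, not something the page prescribes.

```sh
#!/bin/sh
# Added example (not from the PacketFence documentation): generate the SQL for the
# database replication user without hard-coding the password.
#
# PF_REPL_PASSWORD   password for the replication user, read from the environment (assumed name)
# PF_REPL_HOST       host pattern for the remote grant; the page uses '%' (any host).
#                    A narrower pattern such as '192.168.1.%' is an assumption added here.

# sql_quote STRING -> STRING with single quotes doubled, safe inside a '...' SQL literal
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# check_repl_password PASSWORD -> exit 0 unless it is the page's placeholder or shorter than 16 chars
check_repl_password() {
    pw=$1
    if [ "$pw" = "aMuchMoreSecurePassword" ]; then
        echo "refusing to use the example password from the documentation" >&2
        return 1
    fi
    if [ "${#pw}" -lt 16 ]; then
        echo "replication password must be at least 16 characters" >&2
        return 1
    fi
    return 0
}

# pfcluster_user_sql HOST PASSWORD -> prints the CREATE USER / GRANT statements from the page
# for the remote host pattern and for localhost, followed by the anonymous-user cleanup.
pfcluster_user_sql() {
    host=$1
    check_repl_password "$2" || return 1
    pw=$(sql_quote "$2")
    grants="PROCESS, RELOAD, LOCK TABLES, REPLICATION CLIENT, SUPER"
    for h in "$host" localhost; do
        printf "CREATE USER 'pfcluster'@'%s' IDENTIFIED BY '%s';\n" "$h" "$pw"
        printf "GRANT %s ON *.* TO 'pfcluster'@'%s';\n" "$grants" "$h"
    done
    # drop the anonymous accounts the page removes afterwards
    printf "DELETE FROM mysql.user WHERE user = '';\n"
    printf "FLUSH PRIVILEGES;\n"
}

# Stand-alone usage: pipe the output into the root client, e.g.
#   PF_REPL_PASSWORD='...' sh this_script.sh | mysql -u root -p
if [ -n "${PF_REPL_PASSWORD:-}" ]; then
    pfcluster_user_sql "${PF_REPL_HOST:-%}" "$PF_REPL_PASSWORD"
fi
```

Reading the password from the environment rather than the command line keeps it out of shell history and `ps` output; the generated statements are otherwise identical to the ones on the page.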
2.3 Server configuration
Make sure the interface names are identical on all servers
Configure each server so that it can bind IP addresses it does not currently hold; this allows fast failover. Add the following to /etc/sysctl.conf on all servers, then reload with sysctl -p.
net.ipv4.ip_nonlocal_bind = 1
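The guide asks for three sysctl keys in total (the two IPv6 disable_ipv6 keys from the prerequisites and net.ipv4.ip_nonlocal_bind here), and "add the following line" done by hand on several servers easily leaves duplicate or conflicting entries behind. The script below is an added example, not part of the PacketFence documentation: an idempotent helper that rewrites an existing key in place or appends it if missing, plus a checker that confirms exactly one line sets the expected value. The file path is a parameter so it can be tried on a scratch file before touching /etc/sysctl.conf; running sysctl -p afterwards is still required, as the page states.

```sh
#!/bin/sh
# Added example (not from the PacketFence documentation): idempotent helper for the
# /etc/sysctl.conf changes this guide asks for. Re-running it never duplicates a line,
# and a key that already exists with another value is corrected in place.

# regex_escape KEY -> KEY with dots escaped for use in a basic regular expression
regex_escape() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# ensure_sysctl FILE KEY VALUE -> FILE contains exactly one "KEY = VALUE" line for KEY
ensure_sysctl() {
    file=$1; key=$2; value=$3
    esc=$(regex_escape "$key")
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        # key already present: rewrite that line rather than appending a second one
        sed -i "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# verify_sysctl FILE KEY VALUE -> exit 0 when exactly one line sets KEY to VALUE
verify_sysctl() {
    file=$1; key=$2; value=$3
    esc=$(regex_escape "$key")
    n=$(grep -c "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file" || true)
    [ "$n" -eq 1 ]
}

# cluster_sysctl_prereqs FILE -> applies the three settings from this guide
cluster_sysctl_prereqs() {
    file=$1
    ensure_sysctl "$file" net.ipv6.conf.all.disable_ipv6 1
    ensure_sysctl "$file" net.ipv6.conf.default.disable_ipv6 1
    ensure_sysctl "$file" net.ipv4.ip_nonlocal_bind 1
}

# Stand-alone demo on a scratch file (on a real server use /etc/sysctl.conf and then run sysctl -p).
# The starting content is constructed for the demo: one unrelated key and a stale value.
demo=$(mktemp)
printf 'net.ipv4.ip_forward = 1\nnet.ipv4.ip_nonlocal_bind = 0\n' > "$demo"
cluster_sysctl_prereqs "$demo"
cluster_sysctl_prereqs "$demo"   # second run changes nothing
cat "$demo"
rm -f "$demo"
```

Because the match is anchored on the key and tolerates leading whitespace and missing spaces around "=", a pre-existing "net.ipv4.ip_nonlocal_bind=0" line is corrected instead of being shadowed by a later duplicate, which is the failure mode a plain append produces.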
Disable the default mariadb system service, since PacketFence provides its own
# systemctl disable mariadb
2.4 Basic PacketFence configuration
On the first server, run the configuration wizard through step 7 (Service) and leave all services stopped
When configuring the network interfaces, make sure "high availability" is checked on the management interface
Restart PacketFence's MariaDB on the first server
# systemctl restart packetfence-mariadb
On the other servers, you only need to run the configuration wizard through step 2 (network interface). Taking VLAN enforcement mode as an example, the network interfaces on every server must be configured, and on each server you should see:
In /etc/sysconfig/network-scripts/:
One Management Interface      ifcfg-YourFirstInterfaceName
One Registration Interface    ifcfg-YourFirstInterfaceName.YourRegistrationVLANID
One Isolation Interface       ifcfg-YourFirstInterfaceName.YourIsolationVLANID
2.5 Build the cluster
2.5.1 PacketFence configuration changes
On the first server, change the configuration in /usr/local/pf/conf/pf.conf:
[database]
host=127.0.0.1
[graphite]
db_host=127.0.0.1
[active_active]
# Change these 2 values by the credentials you've set when configuring MariaDB above
galera_replication_username=pfcluster