PacketFence - An Open Source Network Access Control System

PacketFence is a trusted, free and open source network access control (NAC) solution. It boasts an impressive set of features such as the captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with IDS, vulnerability scanners and firewalls.


  • Out of band (VLAN Enforcement): PacketFence's operation is completely out of band when using VLAN enforcement which allows the solution to scale geographically and to be more resilient to failures.
  • In Band (Inline Enforcement): PacketFence can also be configured to be in-band, especially when you have non-manageable network switches or access points. PacketFence can also work with both VLAN and Inline enforcement activated for maximum scalability and security while allowing older hardware to still be secured using inline enforcement. Both layer-2 and layer-3 are supported for inline enforcement.
  • Hybrid support (Inline Enforcement with RADIUS support): PacketFence can also be configured as hybrid, if you have a manageable device that supports 802.1X and/or MAC-authentication. This feature can be enabled using a RADIUS attribute (MAC address, SSID, port) or using full inline mode on the equipment.
  • Hotspot support (Web Auth Enforcement): PacketFence can also be configured as hotspot, if you have a manageable device that supports an external captive portal (like Cisco WLC or Aruba IAP).
  • Voice over IP (VoIP) support: Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Avaya, HP and many more).
  • 802.1X: 802.1X wireless and wired is supported through our FreeRADIUS module.
  • Wireless integration: PacketFence integrates perfectly with wireless networks through our FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
  • Registration: PacketFence supports an optional registration mechanism similar to "captive portal" solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
  • Detection of abnormal network activities: Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort or Suricata sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
  • Proactive vulnerability scans: Either Nessus , OpenVAS or WMI vulnerability scans can be performed upon registration, scheduled or on an ad-hoc basis. PacketFence correlates the scan engine vulnerability ID’s of each scan to the violation configuration, returning content specific web pages about which vulnerability the host may have.
  • Isolation of problematic devices: PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
  • Remediation through a captive portal: Once trapped, all network traffic is terminated by the PacketFence system. Based on the node’s current status (unregistered, open violation, etc), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in reducing costly help desk intervention.
  • Firewall integration: PacketFence provides Single-Sign On features with many firewalls. Upon connection on the wired or wireless network, PacketFence can dynamically update the IP/user association on firewalls for them to apply, if required, per-user or per-group filtering policies.
  • Command-line and Web-based management: Web-based and command-line interfaces for all management tasks.
  • Guest Access: PacketFence supports a special guest VLAN out of the box. You configure your network so that the guest VLAN only goes out to the Internet and the registration VLAN and the captive portal are the components used to explain to the guest how to register for access and how his access works. This is usually branded by the organization offering the access. Several means of registering guests are possible. PacketFence does also support guest access bulk creations and imports.
  • Devices registration: A registered user can access a special Web page to register a device of his own. This registration process will require login from the user and then will register devices with pre-approved MAC OUI into a configurable category.

PacketFence Configurator Snapshot


PacketFence reuses many components in an infrastructure. Thus, it requires the following ones:
  • Database server (MySQL or MariaDB)
  • Web server (Apache)
  • DHCP server (ISC DHCP)
  • RADIUS server (FreeRADIUS)

Depending on your setup you may have to install additional components like:
  • NIDS (Snort/Suricata)

PacketFence supports the following operating systems on the x86_64 architectures:
  • Red Hat Enterprise Linux 6.x and 7.x Server
  • Community ENTerprise Operating System (CentOS) 6.x and 7.x
  • Debian 7.0 (Wheezy) and 8.0 (Jessie)

List of the minimum server hardware recommendations:

No comments

Powered by Blogger.