PacketFence 2.0.1 released

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set, including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner, PacketFence can be used to effectively secure networks – from small to very large heterogeneous networks.

PacketFence provides an impressive list of supported features, among them:

  • Out-of-band
    PacketFence’s operation is completely out of band, which allows the solution to scale geographically and to be more resilient to failures. When using the right technology (like port security), a single PacketFence server can be used to secure hundreds of switches and many thousands of nodes connected to them.
  • Voice over IP (VoIP) support
    Also called IP Telephony (IPT), VoIP is fully supported (even in heterogeneous environments) for multiple switch vendors (Cisco, Edge-Core, HP, LinkSys, Nortel Networks and many more).
  • 802.1X
    Wireless and wired 802.1X is supported through a FreeRADIUS module.
  • Wireless integration
    PacketFence integrates perfectly with wireless networks through a FreeRADIUS module. This allows you to secure your wired and wireless networks the same way using the same user database and using the same captive portal, providing a consistent user experience. Mixing Access Points (AP) vendors and Wireless Controllers is supported.
  • Registration
    PacketFence supports an optional registration mechanism similar to “captive portal” solutions. Contrary to most captive portal solutions, PacketFence remembers users who previously registered and will automatically give them access without another authentication. Of course, this is configurable. An Acceptable Use Policy can be specified such that users cannot enable network access without first accepting it.
  • Detection of abnormal network activities
    Abnormal network activities (computer virus, worms, spyware, traffic denied by establishment policy, etc.) can be detected using local and remote Snort sensors. Beyond simple detection, PacketFence layers its own alerting and suppression mechanism on each alert type. A set of configurable actions for each violation is available to administrators.
  • Proactive vulnerability scans
    Nessus vulnerability scans can be performed upon registration, on a schedule, or on an ad hoc basis. PacketFence correlates the Nessus vulnerability IDs of each scan to the violation configuration, returning content-specific web pages about which vulnerability the host may have.
  • Isolation of problematic devices
    PacketFence supports several isolation techniques, including VLAN isolation with VoIP support (even in heterogeneous environments) for multiple switch vendors.
  • Remediation through a captive portal
    Once trapped, all network traffic is terminated by the PacketFence system. Based on the node's current status (unregistered, open violation, etc.), the user is redirected to the appropriate URL. In the case of a violation, the user will be presented with instructions for the particular situation he/she is in, reducing costly help desk intervention.
  • Command-line and Web-based management
    Web-based and command-line interfaces for all management tasks. Web-based administration supports different permission levels for users and authentication of users against Active Directory (AD).

Here are the noteworthy changes since 2.0.0:

New Hardware Support

  • Xirrus WiFi Arrays support (feature sponsored by the University of Mary Hardin-Baylor)
  • Broadened Meru Controllers support
  • Extricom EXSW Wireless Switches (Controllers) support


  • Minor improvement to command-line and Web Admin help
  • Improvements to SSID lookups
  • Cisco WiSM and WLC SSID now recorded (#994)

Bug fixes

  • Fixed pfcmd initiated VLAN re-evaluation (#1160)
  • pfdhcplistener is better at updating node IP information (#1149)
  • Fixed dot11Deauthentication traps issues with pfsetvlan (#1157)
  • Add missing variable in snort.conf template (#1138)
  • Fixed authorized MAC method in Cisco Catalyst 2960 (#987)
  • Improved error handling in pfdhcplistener (#1150)
  • Fixed problems with generating erroneous configuration (#1148)
  • Now warns on empty MySQL root password (#1146)
  • Fixed node view database queries that were reporting wrong values under unknown circumstances (#1162)
  • Removed some unnecessary warnings (#1065)

… and more. See the ChangeLog file for the complete list of changes and the UPGRADE file for notes about upgrading. Both files are in the PacketFence distribution.



NJ Ouchn
