Skip to main content
🚧ConfigForge is still under construction🚧
PacketFenceSecurityIntune

Step-by-Step Guide- Setting Up PacketFence for Enterprise Network Access Control

Introduction​

PacketFence is a powerful open-source Network Access Control (NAC) solution that provides robust security features for enterprise networks. It manages network access by enforcing authentication, authorization, and accounting while providing captive portal capabilities, BYOD registration, and network isolation for non-compliant devices. This comprehensive guide walks IT system engineers through the installation and configuration process, including setting up certificates, PKI integration, and Intune connectivity.

Initial Configuration​

Accessing the Configurator​

When you first boot up PacketFence, you'll be presented with a console interface. The default credentials are:

Username: root
Password: p@ck3tf3nc3

Changing the Root Password​

For security reasons, change the default root password immediately:

# as root
passwd

# follow prompts to set a new password

Network Configuration​

During initial setup, you'll need to configure your network settings. Make sure to properly configure your network adapter settings based on your environment requirements. PacketFence typically requires multiple network interfaces to separate management traffic from enforcement networks.

tip

Tip: Plan your network segmentation carefully before configuring PacketFence. The solution works best when you have clearly defined management, registration, isolation, and production networks. The management interface should be connected to your secure management VLAN, while additional interfaces handle registration and isolation functions.

When configuring network interfaces, you'll need to assign static IP addresses to your management interface and determine which interfaces will handle PacketFence's enforcement mechanisms. The configurator will guide you through setting up:

  • Management network (for administration)
  • Registration network (for device onboarding)
  • Isolation network (for quarantining non-compliant devices)
  • Production networks (for normal network access)

Finishing Basic Setup​

Complete the configurator by following the on-screen prompts. When asked about Fingerbank integration, you can skip this step as it's not required for basic functionality. Fingerbank provides device fingerprinting capabilities that enhance PacketFence's ability to identify device types, but this can be configured later.

Make sure to save all provided passwords during setup - you'll need them later! The configurator will generate several credentials for database access, admin portal, and various services that PacketFence uses internally.

After the initial configuration completes, you'll be able to access the PacketFence admin interface using the web browser. Login with the admin credentials provided during setup.

Setting Up Web Service Certificates​

Using properly signed SSL certificates is crucial for a production PacketFence deployment. We'll implement a public signed wildcard certificate for the web server. This ensures that users connecting to the captive portal don't receive certificate warnings, which improves security perception and prevents users from developing the habit of ignoring certificate warnings.

Converting Certificate Formats​

If you have a certificate in p12/pfx format, use these commands to extract the key components:

On macOS:​

# extract unencrypted RSA private key
openssl pkcs12 -in bundle.p12 -nocerts -nodes | tee tmp.key | openssl pkcs8 -topk8 -nocrypt -in /dev/stdin -out server.key

# extract server cert (includes SANs)
openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out server.crt

# cleanup
rm -f tmp.key

These commands extract the private key and certificate from a PKCS#12 bundle. The intermediate step using tmp.key ensures that the key is properly formatted for PacketFence's requirements. The resulting server.key file contains an unencrypted private key in PKCS#8 format, while server.crt contains your certificate including any Subject Alternative Names (SANs).

tip
note

Important: The private key string needs to start with -----BEGIN RSA PRIVATE KEY----- and end with the corresponding footer. Also, make sure the intermediate certificate is added, otherwise the portal service over port 443 won't be available.

:::

Installing the Web Certificate​

  1. Navigate to System Configuration β†’ SSL Certificates β†’ Edit HTTP Certificates in the PacketFence admin portal

  2. Replace HTTP Server Certificate with the content of server.crt - copy the full text including BEGIN and END CERTIFICATE lines

  3. Optional: Deselect Find HTTPs Server intermediate CA(s) automatically and add your intermediate cert content manually. This ensures you have the exact certificate chain you want rather than relying on automatic discovery

  4. Replace HTTP Server Private Key with the content of server.key - include the full text with BEGIN and END PRIVATE KEY lines

  5. Click Save to apply changes

  6. IMPORTANT: Restart services to make HTTP/80 available by clicking on the "Restart" button in the confirmation dialog

note
tip

After making certificate changes, verify that both HTTP and HTTPS services are functioning correctly. Use browser tools to check certificate validity. If you access the management interface and see a valid HTTPS connection without warnings, your certificate installation was successful. Remember that the captive portal needs to work on both HTTP and HTTPS to handle various client redirections properly.

:::

Setting Up PKI Infrastructure​

PacketFence includes an integrated PKI (Public Key Infrastructure) that allows you to create and manage certificates. This is particularly useful for certificate-based authentication with 802.1X, which provides stronger security than password-based methods.

Creating a Certificate Authority​

  1. Navigate to the PKI section and select New Certificate Authority to establish a Certificate Authority that will sign all certificates used in your environment

  2. Enter your organization's CA details and save. Include meaningful information in fields like Organization, Organizational Unit, and Common Name to identify your CA properly

  3. Copy and save the CA public cert as ca.crt - you'll need this file later for device configurations and RADIUS setup

The Certificate Authority is the foundation of your PKI. It's used to sign all certificates issued by PacketFence, and client devices must trust this CA for certificate-based authentication to work.

Configuring Microsoft Intune Integration​

Before creating certificate templates, we need to set up Intune integration to enable automated certificate enrollment for mobile devices:

  1. In Microsoft Entra ID (Azure AD), create a new app registration with appropriate permissions for device management

  2. Add the following permissions to the app registration:

    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All

  3. Create a client secret and copy its value - note that this secret will only be shown once during creation

  4. In PacketFence, go to Configuration β†’ Cloud Services β†’ New Cloud Service β†’ Intune

  5. Enter a profile name, tenant ID, client ID, and the secret created in the previous step. These values connect PacketFence to your Microsoft Intune environment, allowing it to push certificate profiles to devices

This integration allows PacketFence to communicate with Intune for certificate management, enabling automated distribution of certificates to managed devices, which streamlines the enrollment process and reduces administrative overhead.

Creating Certificate Templates​

We need to create two certificate templates with specific configurations:

1. RADIUS Server Certificate Template​

  • Maximum validity: 825 days (complies with industry standards for server certificates)
  • Purpose: Used for the RADIUS Server authentication
  • Key Usage: Digital Signature, Key Encipherment
  • Extended Key Usage: Server Authentication

This template is used to generate the certificate that secures communications between wireless clients and the RADIUS server during 802.1X authentication.

2. User Certificate Template​

  • Validity: 365 days (standard for user certificates to balance security and management overhead)

  • SCEP enabled (Simple Certificate Enrollment Protocol for automated deployment)

  • Cloud Intune Integration enabled (connects to the Intune profile created earlier)

  • Key Usage: Digital Signature

  • Extended Key Usage: Client Authentication

This template generates certificates for user authentication, enabling secure 802.1X connections without password prompts.

For the User Certificate template, make sure to:

  1. Enable SCEP in the SCEP tab to allow automated certificate enrollment
  2. Create a secure challenge password - this should be complex and randomly generated
  3. Enable Cloud Integration and select your Intune profile to link certificate enrollment with your MDM solution

SCEP allows devices to request certificates automatically without manual intervention, while the Intune integration ensures that only managed devices can obtain certificates.

Creating and Installing RADIUS Server Certificate​

For RADIUS to function properly, we need to create a certificate using the RADIUS Server template. This certificate secures the authentication process when clients connect to your network:

  1. Go to Integration β†’ PKI β†’ Certificates β†’ Certificates and create a new certificate with the RADIUS Server template

  2. Enter certificate details, using the FQDN of your RADIUS server for both Common Name and DNS Names. This ensures that clients can verify the server's identity during authentication

  3. If your RADIUS server has multiple DNS names or IP addresses that clients might use to connect, include them all as Subject Alternative Names (SANs)

  4. Download the certificate bundle after creation

tip
note

Note: The downloaded p12 file uses an older encryption format. When using OpenSSL to extract keys, you may need to add the -legacy parameter. Windows and macOS can generally import these files without issues. The p12 file contains both the certificate and private key in a password-protected format.

:::

Extract Certificate Components​

On macOS, use these commands to extract the necessary files from the certificate bundle:

# extract unencrypted RSA private key
openssl pkcs12 -in bundle.p12 -nocerts -nodes -legacy | tee tmp.key | openssl pkcs8 -topk8 -nocrypt -in /dev/stdin -out server.key

# extract server cert (includes SANs)
openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out server.crt -legacy

# cleanup
rm -f tmp.key

The -legacy parameter is needed because PacketFence uses an older encryption format in its PKCS#12 files. The extracted files include server.key (the private key) and server.crt (the public certificate).

Install the RADIUS Certificate​

  1. Navigate to System Configuration β†’ SSL Certificates β†’ RADIUS β†’ Edit RADIUS Certificate
  2. Replace RADIUS Server Certificate with the content of server.crt
  3. Replace RADIUS Server Private Key with the content of server.key
  4. Replace Certification Authority certificate with the content of ca.crt saved earlier
  5. Click Save and verify the certificate details are correct in the confirmation dialog

These steps configure the RADIUS server to use your custom certificate for all 802.1X authentication transactions. This is critical for secure wireless deployments as it allows clients to verify the identity of the RADIUS server before sending credentials.

Publishing SCEP for Mobile Device Management​

To enable certificate enrollment for mobile devices, we need to publish the SCEP endpoint to the internet. This allows devices to request certificates regardless of their location. Microsoft Entra ID Application Proxy provides an easy method to accomplish this without exposing your entire PacketFence server.

tip

For security purposes, only publish the specific SCEP endpoint rather than exposing the entire server to the internet. Using a path-based approach (/scep/) ensures that only the certificate enrollment functionality is accessible externally.

Setting Up Application Proxy​

  1. Go to the Entra ID admin portal Application Proxy section at https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AppProxyOverviewBlade

  2. Select Configure an app to create a new application proxy configuration

  3. For the Internal URL:

    • Use HTTP (not HTTPS) - PacketFence's SCEP endpoint runs on HTTP
    • Format should be: http://packetfence.yourdomain.com/scep/
    • Add /scep/ to the FQDN for security (limit exposure to only the SCEP endpoint)

  4. For the External URL:

    • Use a random, hard-to-guess name for better security (e.g., scep-r4nd0m-n4m3)
    • The default msappproxy.net domain can be used unless you have a custom domain configured
    • Configure with HTTP (not HTTPS) to match the internal configuration

  5. Set Pre-Authentication to Passthrough - this is critical as SCEP clients cannot handle interactive authentication

The Application Proxy creates a secure tunnel between your internal PacketFence server and the internet, allowing mobile devices to enroll for certificates while keeping your server protected.

Building and Using SSCEP for Testing​

To test your SCEP configuration, you can build and use the SSCEP tool, which allows you to test certificate enrollment against your PacketFence SCEP server:

Building SSCEP on macOS​

# 1) Xcode command-line tools (needed for clang & make)
xcode-select --install      # one-time on a fresh Mac

# 2) Runtime & build deps
brew install autoconf automake libtool pkg-config openssl

# 3) Grab the source or use GitHub Desktop
git clone https://github.com/certnanny/sscep.git
cd sscep

# 4) Regenerate Autotools files
glibtoolize          # GNU libtool on macOS is called 'glibtool'
aclocal
automake -a -c -f
autoreconf           # wraps autoconf & friends

# 5) Configure β€” tell it where Homebrew puts OpenSSL
export PKG_CONFIG_PATH="$(brew --prefix openssl@1.1)/lib/pkgconfig"
./configure

# 6) Compile and install
make
sudo make install    # installs to /usr/local/bin/sscep by default

Testing SCEP Enrollment​

Once SSCEP is installed, you can test your SCEP configuration with these commands:

# Generate a new key pair and CSR
openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr

# Get the CA certificate 
sscep getca -u http://[your-app-proxy-url]/scep/UserCert -c ca.crt

# Attempt to enroll with the SCEP server
sscep enroll -c ./ca-prefix -k ./private.key -r ./MYCSR.csr -u http://[your-packetfence-server]/scep/UserCert -l cert.crt -d -v

This testing process helps verify that your SCEP endpoint is correctly configured and can issue certificates before deploying to actual devices.

Intune Configuration​

With the SCEP endpoint published, we now need to configure Microsoft Intune to distribute the CA certificate and SCEP profile to managed devices.

Installing the CA Certificate​

All devices must have the root CA certificate installed as trusted for authentication and SCEP enrollment to work. Create policies in Intune for each platform:

Windows Devices​

Create a Trusted Certificate profile using the ca.crt file:

  • Navigate to Devices > Configuration profiles > Create profile
  • Platform: Windows 10 and later
  • Profile type: Templates > Trusted certificate
  • Certificate file: Upload the ca.crt file
  • Certificate destination: Computer certificate store - Root
  • Target this profile to appropriate device groups

macOS Devices​

Create separate policies for User and Device certificates if you plan to use both authentication methods:

  • Navigate to Devices > Configuration profiles > Create profile
  • Platform: macOS
  • Profile type: Templates > Trusted certificate
  • Certificate file: Upload the ca.crt file
  • Create two profiles - one for User certificate store and one for System certificate store
  • Target these profiles to appropriate device groups

If you want to use User and Device certificates for authentication, you need to install the device certificate in both User and Device certificate stores using separate policies.

iOS Devices​

Create a Trusted Certificate profile specifically configured for iOS:

  • Navigate to Devices > Configuration profiles > Create profile
  • Platform: iOS/iPadOS
  • Profile type: Templates > Trusted certificate
  • Certificate file: Upload the ca.crt file
  • Target this profile to appropriate device groups

Creating SCEP Profiles​

Create SCEP certificate profiles for each platform, using your published SCEP URL. Replace the placeholder with your actual URL:

http://[your-unique-name].msappproxy.net/scep/UserCert

For Windows devices, configure a SCEP certificate profile with:

  • Certificate type: User

  • Subject name format: Common name as email or UPN

  • Certificate validity period: 1 year

  • Key usage: Digital signature

  • Extended key usage: Client Authentication

  • SCEP Server URLs: Your published SCEP URL

Similar configurations should be created for macOS and iOS devices, adjusting platform-specific settings as needed. Each platform requires its own SCEP profile tailored to the operating system's certificate handling capabilities.

Configure appropriate certificate settings for each platform (Windows, macOS, and iOS) according to your security requirements. Remember to target these profiles to the same groups that received the trusted certificate profiles.

Configuring RADIUS Clients​

The final step is to configure your network devices (switches, wireless controllers, access points) as RADIUS clients. These devices will forward authentication requests to PacketFence for validation.

PacketFence provides detailed documentation for dozens of vendors at: https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html

In PacketFence, you'll need to define each network device as a RADIUS client:

  • Navigate to Configuration > Policies and Access Control > Network Devices
  • Add each switch or wireless controller, specifying its IP address and RADIUS shared secret
  • Configure appropriate roles and access policies based on your security requirements

Example: Configuring an Ubiquiti Wireless Controller​

Follow these general steps to configure an Ubiquiti Controller:

  1. Access your Ubiquiti Controller management interface
  2. Navigate to the Settings > RADIUS section
  3. Add a new RADIUS server using your PacketFence server's IP address
  4. Configure the shared secret (must match exactly what you set in PacketFence)
  5. Set authentication ports (typically 1812 for authentication, 1813 for accounting)
  6. Under the Wireless Networks section, edit each SSID that will use 802.1X
  7. Set Security to "WPA Enterprise" and select your RADIUS profile
  8. Apply and test the configuration by attempting to connect with a properly configured client

Once configured, the wireless controller will forward all authentication requests to PacketFence, which will validate certificates and provide access decisions based on your security policies.

Testing 802.1X Authentication​

Before deploying to your entire network, it's critical to test your 802.1X authentication setup to ensure it's working correctly. The eapol_test utility is an excellent tool for this purpose as it allows you to simulate client authentication without actual hardware.

Using eapol_test.exe for Authentication Testing​

The eapol_test utility can be found in the FreeRADIUS project and is available for Windows as eapol_test.exe. This tool simulates a client attempting to authenticate via 802.1X using various EAP methods.

tip
note

You can download eapol_test from the following repository: https://github.com/janetuk/eapol_test

:::

Creating Test Configuration Files​

Before running tests, create configuration files for each authentication method you want to test. Here are examples for the most common scenarios:

1. Certificate-Based Authentication (EAP-TLS)​

Create a file named eapol.conf with the following content:

network={
    ssid="[NETWORK_NAME]"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="[IDENTITY]"            # CN or UPN in client certificate
    ca_cert="[CA_CERT_PATH]"         # Root (and optionally intermediate) CA
    private_key="[PRIVATE_KEY_PATH]" # Client certificate + key in PKCS#12 format
    private_key_passwd="[PASSWORD]"  # Password set during certificate export
}

2. Username/Password Authentication with AD (PEAP-MSCHAPv2)​

Create a file named eapolPEAP.conf with the following content:

network={
    ssid="[NETWORK_NAME]"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="[USERNAME]"
    password="[PASSWORD]"
    ca_cert="[CA_CERT_PATH]"
    phase2="auth=MSCHAPV2"
}

Running Authentication Tests​

With your configuration files prepared, you can now run tests against your PacketFence RADIUS server. Use the IP address of your RADIUS server (not hostname) and the shared secret configured for your test client:

# Test EAP-TLS certificate authentication
eapol_test -a [RADIUS IP ADDRESS] -p 1812 -s [PASSPHRASE] -M 00:11:22:33:44:55 -c eapol.conf

# Test PEAP-MSCHAPv2 username/password authentication
eapol_test -a [RADIUS IP ADDRESS] -p 1812 -s [PASSPHRASE] -M 00:11:22:33:44:55 -c eapolPEAP.conf

Parameter explanation:

  • -a: RADIUS server IP address
  • -p: RADIUS server port (typically 1812)
  • -s: Shared secret configured in PacketFence for this test client
  • -M: Simulated MAC address of the client device
  • -c: Path to configuration file

Analyzing Test Results​

A successful authentication will show "SUCCESS" in the output, while failures will show error messages that can help diagnose issues. If authentication fails, check the following:

  • Verify the RADIUS server is properly configured and running
  • Ensure the client certificate is valid and trusted by the CA
  • Check that the CA certificate is correctly installed on the RADIUS server
  • Confirm that the shared secret matches between eapol_test and PacketFence
  • For AD authentication, verify that the credentials are correct and the AD integration is working

For more detailed debugging, you can view the RADIUS server logs during testing:

sudo raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

This command shows real-time authentication attempts and can be extremely helpful for troubleshooting complex authentication issues.

tip
note

Note: When reviewing logs, you may see some warning messages about "No EAP types configured". These can safely be ignored as they are not errors, but rather informational messages from the RADIUS server.Note: When reviewing logs, you may see some warning messages about "No EAP types configured". These can safely be ignored as they are not errors, but rather informational messages from the RADIUS server.

:::

Troubleshooting​

MySQL Database Permissions​

If you encounter errors related to database access, ensure the MySQL user has appropriate permissions:

mysql -u root -p       # or sudo mysql
GRANT ALL PRIVILEGES ON pf.* TO 'pf'@'localhost';
FLUSH PRIVILEGES;

Detailed RADIUS Logging​

To view detailed logs from the RADIUS server for troubleshooting authentication issues:

sudo raddebug -t 300 -f /usr/local/pf/var/run/radiusd.sock

This command shows real-time RADIUS authentication attempts, helping diagnose certificate or configuration problems.

Database Configuration​

If you need to change the database password or check the current configuration:

# Change MySQL password
ALTER USER 'pf'@'localhost' IDENTIFIED BY 'new_secure_password';
FLUSH PRIVILEGES;

# Update grants if needed
GRANT SELECT,INSERT,UPDATE,DELETE,EXECUTE,LOCK TABLES ON pf.* TO pf@'%' IDENTIFIED BY 'new_secure_password';
GRANT SELECT,INSERT,UPDATE,DELETE,EXECUTE,LOCK TABLES ON pf.* TO pf@'localhost' IDENTIFIED BY 'new_secure_password';
FLUSH PRIVILEGES;

# View database configuration
/usr/local/pf/bin/pfcmd pfconfig show resource::Database

# Reload configuration
/usr/local/pf/bin/pfcmd configreload hard

# Restart PacketFence services
sudo /usr/local/pf/bin/pfcmd service pf restart

After changing the database password, you'll need to reconfigure any secrets for integrated services like Entra ID App integration.

Conclusion​

You have now successfully set up PacketFence as a Network Access Control solution with PKI integration and Intune connectivity. This powerful setup allows for certificate-based authentication and secure device management across your enterprise network.

This configuration provides several key benefits:

  • Certificate-based authentication eliminates password-related vulnerabilities
  • Automated certificate deployment reduces administrative overhead
  • Integration with Intune ensures only managed devices receive certificates
  • Centralized policy enforcement improves security posture

Remember to regularly backup your PacketFence configuration and update the system to maintain security and access to the latest features. Consider implementing regular certificate rotation schedules and monitoring for any authentication failures that might indicate configuration issues.

For ongoing management, familiarize yourself with PacketFence's reporting capabilities to monitor authentication trends and identify potential security incidents.

TESt

Complete Setup Guide: PacketFence Network Security System​

What You'll Learn​

This guide walks you through setting up PacketFence, a security system that controls who can access your organization's network. By the end, you'll have a secure network where only authorized devices with proper certificates can connect.

Estimated Time: 4-6 hours

Difficulty: Intermediate

Prerequisites: Basic understanding of network concepts

What is PacketFence?​

PacketFence is like a digital security guard for your network. It:

  • Controls Access: Only allows authorized devices to connect
  • Issues Certificates: Provides digital IDs to trusted devices
  • Monitors Activity: Tracks who's on your network and what they're doing
  • Enforces Policies: Automatically applies your security rules

Screenshot Placeholder: [PacketFence Dashboard Overview]

Getting Started: Initial Setup​

Step 1: First Time Login​

When you first start PacketFence, you'll see a text-based setup screen.

Default Login Credentials:

  • Username: root
  • Password: p@ck3tf3nc3

Screenshot Placeholder: [Initial Login Screen]

⚠️ Security Note: Change this password immediately! Using default passwords is a major security risk.

To Change Your Password:

  1. After logging in, type: passwd
  2. Follow the prompts to create a strong, unique password
  3. Store this password in your organization's password manager

Step 2: Network Setup Planning​

Before configuring PacketFence, plan your network layout. PacketFence works best with separate network segments for different purposes:

Screenshot Placeholder: [Network Diagram Example]

Network Segments Needed:

  • Management Network: For administrators to access PacketFence
  • Registration Network: Where new devices get registered
  • Isolation Network: For quarantining suspicious devices
  • Production Networks: For normal business operations

πŸ’‘ Planning Tip: Document your IP address ranges and VLAN assignments before starting. This will save time later and prevent configuration errors.

Step 3: Complete Basic Configuration​

Follow the on-screen setup wizard:

  1. Network Interfaces: Assign IP addresses to each network segment
  2. DNS Settings: Configure your organization's DNS servers
  3. Time Settings: Set timezone and time synchronization
  4. Database: The system will create necessary databases automatically

Optional Settings to Skip Initially:

  • Fingerbank Integration: Can be configured later for device identification
  • Advanced Features: Focus on core functionality first

⚑ Important: Save all passwords and settings provided during setup. You'll need these later!

Setting Up Security Certificates​

Certificates are like digital ID cards that prove devices are authorized to access your network. This section covers setting up your certificate system.

Why Certificates Matter​

Without proper certificates:

  • Users see scary security warnings
  • Devices might refuse to connect
  • Your security can be compromised

With proper certificates:

  • Seamless, secure connections
  • No user warnings or confusion
  • Strong protection against unauthorized access

Step 4: Install Your Web Certificates​

If you have certificates from a trusted provider (like DigiCert, Let's Encrypt, etc.):

On Mac/Linux Systems:

# Extract your certificate files
openssl pkcs12 -in your-certificate.p12 -nocerts -nodes | \
openssl pkcs8 -topk8 -nocrypt -out server.key

openssl pkcs12 -in your-certificate.p12 -clcerts -nokeys -out server.crt

In PacketFence Web Interface:

  1. Go to System Configuration β†’ SSL Certificates β†’ Edit HTTP Certificates
  2. Replace HTTP Server Certificate with contents of server.crt
  3. Replace HTTP Server Private Key with contents of server.key
  4. Click Save
  5. CRITICAL: Click Restart when prompted to apply changes

Screenshot Placeholder: [SSL Certificate Configuration Screen]

Creating Your Certificate Authority (PKI)​

PacketFence can create and manage certificates for your devices. Think of this as setting up your own "ID card printing office."

Step 5: Create a Certificate Authority​

Screenshot Placeholder: [PKI Setup Screen]

  1. Navigate to Integration β†’ PKI β†’ Certificate Authorities
  2. Click New Certificate Authority
  3. Fill in your organization details:
    • Organization: Your company name
    • Country: Two-letter country code (US, CA, etc.)
    • Common Name: Something like "YourCompany Root CA"
  4. Click Save
  5. Important: Copy and save the CA certificate as ca.crt - you'll need this file multiple times

πŸ“‹ Documentation Tip: Create a secure document listing all certificate details, passwords, and file locations. This will be essential for future maintenance.

Step 6: Set Up Microsoft Integration (Optional but Recommended)​

If your organization uses Microsoft systems, this integration allows automatic certificate distribution to managed devices.

In Microsoft Entra ID (Azure AD):

  1. Create a new app registration
  2. Add required permissions for device management
  3. Create a client secret (save this securely!)

In PacketFence:

  1. Go to Configuration β†’ Cloud Services β†’ New Cloud Service β†’ Intune
  2. Enter:
    • Profile name (descriptive name)
    • Tenant ID (from Azure)
    • Client ID (from Azure)
    • Client Secret (created above)

Screenshot Placeholder: [Intune Integration Setup]

Certificate Templates: Digital ID Formats​

Templates define what information goes on certificates and how they can be used. You need two types:

Step 7: Create RADIUS Server Template​

This certificate secures communication between devices and your authentication server.

Settings:

  • Maximum Validity: 825 days (industry standard)
  • Purpose: Server authentication
  • Key Usage: Digital Signature, Key Encipherment
  • Extended Key Usage: Server Authentication

Screenshot Placeholder: [RADIUS Certificate Template]

Step 8: Create User Certificate Template​

This template creates certificates for individual users/devices.

Settings:

  • Validity: 365 days (balances security and management)
  • SCEP Enabled: βœ… (allows automatic distribution)
  • Intune Integration: βœ… (if using Microsoft)
  • Key Usage: Digital Signature
  • Extended Key Usage: Client Authentication

Important Configuration Steps:

  1. Go to the SCEP tab and enable SCEP
  2. Create a strong challenge password (save this securely!)
  3. In Cloud Integration tab, select your Intune profile

Screenshot Placeholder: [User Certificate Template Configuration]

Creating and Installing Server Certificates​

Step 9: Generate Your RADIUS Server Certificate​

  1. Go to Integration β†’ PKI β†’ Certificates β†’ Certificates
  2. Click New Certificate
  3. Select your RADIUS Server template
  4. Enter certificate details:
    • Common Name: Your server's domain name (e.g., radius.company.com)
    • DNS Names: Add all names devices might use to connect
  5. Click Create
  6. Download the certificate bundle when complete

Screenshot Placeholder: [Certificate Creation Screen]

Step 10: Extract and Install Certificate Files​

On Mac/Linux:

# Extract the server certificate and key
openssl pkcs12 -in bundle.p12 -nocerts -nodes -legacy | \
openssl pkcs8 -topk8 -nocrypt -out server.key

openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out server.crt -legacy

In PacketFence:

  1. Navigate to System Configuration β†’ SSL Certificates β†’ RADIUS β†’ Edit RADIUS Certificate
  2. Replace RADIUS Server Certificate with contents of server.crt
  3. Replace RADIUS Server Private Key with contents of server.key
  4. Replace Certification Authority certificate with contents of ca.crt
  5. Click Save

Screenshot Placeholder: [RADIUS Certificate Installation]

Making Certificates Available to Mobile Devices​

To allow phones, tablets, and laptops to automatically get certificates, you need to publish your certificate service to the internet securely.

Step 11: Set Up Microsoft Application Proxy​

This creates a secure tunnel so devices can get certificates from anywhere.

  1. Go to Microsoft Entra ID Admin Portal β†’ Application Proxy
  2. Click Configure an app
  3. Configure settings:
    • Internal URL: https://your-packetfence-server/scep/UserCert
    • External URL: (Microsoft will provide this)
    • Pre-Authentication: Passthrough (important for automated systems)

Screenshot Placeholder: [Application Proxy Configuration]

πŸ”’ Security Note: Only publish the specific certificate enrollment endpoint, not your entire server. This limits exposure while enabling functionality.

Distributing Certificates via Microsoft Intune​

Step 12: Install Root Certificate on All Devices​

Every device needs to trust your certificate authority. Create policies for each device type:

For Windows Devices:

  1. Devices β†’ Configuration profiles β†’ Create profile
  2. Platform: Windows 10 and later
  3. Profile type: Templates β†’ Trusted certificate
  4. Certificate file: Upload your ca.crt file
  5. Destination: Computer certificate store - Root
  6. Target to appropriate device groups

For Mac Devices:

  • Create similar profiles for both User and System certificate stores
  • This ensures compatibility with different authentication methods

For iOS/iPad Devices:

  • Create iOS-specific trusted certificate profiles
  • These will automatically install on managed devices

Screenshot Placeholder: [Intune Certificate Policy Configuration]

Step 13: Create Automatic Certificate Enrollment​

Set up profiles that automatically request and install user certificates:

Configuration for All Platforms:

  • Certificate type: User
  • Subject name format: Common name as email or UPN
  • Validity: 1 year
  • Key usage: Digital signature
  • Extended key usage: Client Authentication
  • SCEP Server URL: Your published endpoint from Step 11

Screenshot Placeholder: [SCEP Profile Configuration]

Testing Your Setup​

Step 14: Verify Certificate Distribution​

Before going live, test that certificates are being distributed correctly:

  1. Check Device Policies: Ensure devices are receiving certificate policies
  2. Verify Certificate Installation: Check that both root CA and user certificates are installed
  3. Test Network Access: Try connecting to your 802.1X network

Common Issues and Solutions:

ProblemSolution
Devices not getting certificatesCheck Intune policy targeting and device enrollment
Certificate errorsVerify SCEP URL is accessible and challenge password is correct
Authentication failuresEnsure RADIUS clients are configured with correct shared secrets

Network Device Configuration​

Step 15: Configure Your Network Equipment​

Your wireless controllers, switches, and access points need to be configured to use PacketFence for authentication.

In PacketFence:

  1. Go to Configuration β†’ Policies and Access Control β†’ Network Devices
  2. Add each network device with:
    • Device IP address
    • RADIUS shared secret (create strong, unique secrets)
    • Device type and model

Example: Ubiquiti Controller Setup

  1. Access controller web interface
  2. Go to Settings β†’ RADIUS
  3. Add RADIUS server:
    • Server: PacketFence IP address
    • Port: 1812 (authentication), 1813 (accounting)
    • Secret: Match what you configured in PacketFence
  4. Configure wireless networks:
    • Security: WPA Enterprise
    • RADIUS Profile: Select your configured profile

Screenshot Placeholder: [Network Device Configuration]

Testing and Troubleshooting​

Step 16: Verify Everything Works​

Testing Checklist:

  • Can devices get certificates automatically?
  • Do certificates install without user intervention?
  • Can devices connect to 802.1X networks successfully?
  • Are authentication logs showing successful connections?

Common Troubleshooting Steps:

  1. Check PacketFence Logs:
    • Location: Status β†’ System Logs
    • Look for authentication attempts and errors
  2. Verify Network Device Communication:
    • Test RADIUS connectivity between PacketFence and network devices
    • Confirm shared secrets match exactly
  3. Certificate Validation:
    • Ensure client devices have both root CA and user certificates
    • Check certificate expiration dates

Screenshot Placeholder: [Log Analysis Screen]

Maintenance and Best Practices​

Ongoing Tasks​

Weekly:

  • Review authentication logs for anomalies
  • Check certificate expiration warnings
  • Monitor system performance

Monthly:

  • Update network device shared secrets
  • Review and update security policies
  • Check for PacketFence software updates

Quarterly:

  • Audit user access and device compliance
  • Review certificate templates and validity periods
  • Test backup and recovery procedures

Security Best Practices​

  1. Regular Password Updates: Change all system passwords quarterly
  2. Certificate Monitoring: Set up alerts for expiring certificates
  3. Access Reviews: Regularly audit who has administrative access
  4. Backup Strategy: Maintain secure backups of all certificates and configurations
  5. Documentation: Keep all procedures and configurations documented and current

Quick Reference​

Key File Locations​

  • Root CA Certificate: ca.crt (distribute to all devices)
  • RADIUS Server Certificate: server.crt
  • RADIUS Server Key: server.key

Important URLs​

  • PacketFence Admin: https://your-server-ip:1443
  • SCEP Enrollment: http://your-app-proxy-url/scep/UserCert

Emergency Contacts​

  • PacketFence Support: [Your support contract information]
  • Network Team: [Internal team contact]
  • Security Team: [Internal security contact]

Getting Help​

When You Need Assistance:

  1. Check the Logs First: Most issues can be diagnosed from system logs
  2. Review This Guide: Many questions are answered in previous sections
  3. PacketFence Documentation: Visit official documentation for detailed technical information
  4. Community Support: Active community forums for peer assistance
  5. Professional Support: Consider professional services for complex deployments

Before Contacting Support:

  • Note exact error messages
  • Document steps that led to the issue
  • Have your system configuration details ready
  • Check system resource usage (CPU, memory, disk space)

This guide provides a comprehensive foundation for PacketFence deployment. Remember that network security is an ongoing process requiring regular attention and updates.