PacketFence Gateway

PacketFence is an open-source network access control (NAC) solution. It provides you with a wide range of features such as a captive portal for registration and remediation, centralized wired and wireless management, and 802.1X support that let effectively secure networks from small to very large heterogeneous networks.

The PacketFence Gateway is a software component that you can install in your environment to provide integration between VPN servers and other network devices. The integration uses Radius (Remote Authentication Dial-In User Service), LDAP (Lightweight Directory Access Protocol), or AD (Active Directory) for primary authentication and the ​Akamai MFA​ service as the secondary authenticator.
By integrating ​Akamai MFA​ with PacketFence Gateway you establish secure communication between users who are off-premise and use the VPN server or other network elements such as firewall and the corporate network.

This integration supports different use cases depending on the VPN server that you may use. As the capabilities offered by VPN servers differ, there might be different parties involved in the authentication process.
See these diagrams that present a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.

📘

The authentication process refers to users who are enrolled in ​​Akamai MFA​.

This diagram describes the authentication process for the following two use cases:

  • VPN server configured as a Radius client only

  • VPN server configured as a Radius client only that supports sending passcode via Radius

ag-pf-radius-only-diagramag-pf-radius-only-diagram

  1. The user logs in to the VPN server using their username and password.
  2. The VPN server acting as Radius client sends an authentication request to PacketFence Gateway.
  3. PacketFence Gateway validates the user’s credentials against the local AD or LDAP directory.
  4. AD or LDAP confirms that the primary authentication succeeded.
  5. PacketFence Gateway sends a Radius accept reply-message to ​Akamai MFA​.
  6. ​Akamai MFA​ sends the authentication challenge to the user.
  7. The user confirms their identity using the selected authentication method.
  8. The successful authentication message is forwarded to PacketFence Gateway.
  9. The successful authentication message is forwarded to the VPN server.
  10. A secure communication tunnel is established between the user’s machine and the VPN server. The user gains access to the VPN server.

The following diagram describes the authentication process for this use case:

  • VPN server that supports an external login page or can use the PacketFence captive portal

ag-pf-captive-portal-diagramag-pf-captive-portal-diagram

  1. The user logs in to the VPN server using their username and password.
  2. The VPN server acting as Radius client sends the authentication request to PacketFence Gateway.
  3. PacketFence Gateway validates the user’s credentials against the local AD or LDAP directory.
  4. AD or LDAP confirms that the authentication succeeded.
  5. PacketFence Gateway sends a Radius accept reply-message to the VPN server.
  6. The VPN server redirects the user to the PacketFence captive portal. In the captive portal login screen, the user is prompted for their username and password. PacketFence revalidates user credentials against the local AD or LDAP directory.
  7. After a successful AD or LDAP authentication, PacketFence Gateway forwards the user’s browser to ​Akamai MFA​.
  8. ​Akamai MFA​ sends the authentication challenge to the user.
  9. The user confirms their identity using the selected secondary authentication method.
  10. Upon successful secondary authentication ​Akamai MFA​ redirects the user's browser to the PacketFence captive portal.
  11. PacketFence Gateway reevaluates the access of the device.
  12. The VPN server establishes a secure communication tunnel. The user gains access to the VPN server.

Did this page help you?