Complete Network Access Control
Everything you need to secure your network
Access Control & Enforcement
Multiple enforcement modes give you flexibility to deploy NAC in any network topology—from fully managed switches to legacy equipment.
Out-of-Band Deployment
The preferred deployment mode. PacketFence controls network access via SNMP or RADIUS without traffic passing through it—minimizing latency and single points of failure.
- SNMP or RADIUS-based enforcement
- No traffic bottleneck
- Supports 60+ switch vendors
Inline Deployment
Perfect for unmanageable network equipment or legacy infrastructure. Can coexist with out-of-band mode for hybrid deployments.
- Layer 2 bridge or Layer 3 gateway
- Works with any network equipment
- Captive portal enforcement
VLAN & Role-Based Enforcement
Dynamic VLAN assignment based on user identity, device type, compliance status, or custom business logic. Full VoIP support across all major vendors.
- Per-switch, per-category, or per-client VLANs
- Custom VLAN assignment logic
- Voice VLAN support (Cisco, Avaya, Nortel)
Isolation & Remediation
Automatically isolate non-compliant or problematic devices to a quarantine network with captive portal guidance for self-remediation.
- Violation-specific remediation pages
- Pass-through for critical resources
- Reduces helpdesk burden
Authentication & Authorization
Comprehensive authentication options from 802.1X enterprise security to social login for guests.
802.1X / EAP
Full 802.1X support via integrated FreeRADIUS with PEAP-TLS, EAP-TLS, EAP-PEAP, and EAP-TTLS authentication methods.
LDAP / Active Directory
Native integration with Microsoft Active Directory and LDAP directories. Join multiple AD domains without trusts.
RADIUS
Built-in RADIUS server with proxy capabilities. Authenticate against external RADIUS infrastructure.
OAuth2 / Social Login
Allow guests to authenticate via Facebook, Google, GitHub, LinkedIn, Microsoft, or Twitter accounts.
SAML
Enterprise single sign-on support via SAML 2.0 for seamless integration with identity providers.
PKI / Certificates
EAP-TLS certificate-based authentication with internal PKI or Microsoft PKI via SCEP/NDES integration.
Guest Access & BYOD
Flexible guest registration workflows and comprehensive BYOD device onboarding for any environment.
Guest Management
Multiple registration methods for every scenario
Self-Registration
Guests register themselves via captive portal with customizable fields.
Sponsored Access
Employees sponsor guests with approval workflow via email.
Email/SMS Confirmation
Verify guest identity with email or SMS PIN confirmation.
Password of the Day
Simple daily rotating password for quick guest access.
Payment Integration
Monetize guest WiFi with Stripe, PayPal, or Authorize.net.
Bulk Import
Import guest lists via CSV for conferences and events.
BYOD & Device Onboarding
Seamless personal device enrollment
Automatic Device Provisioning
Self-service provisioning for iOS, Android, Windows, macOS, and ChromeOS devices with automatic 802.1X profile configuration.
Certificate Enrollment
Automatic certificate provisioning via SCEP for EAP-TLS authentication without manual IT intervention.
Device Profiling with Fingerbank
Identify devices automatically using Fingerbank's industry-leading fingerprinting database. DHCP fingerprints, User-Agent analysis, and network behavior combine to classify devices by manufacturer, model, OS, and type—enabling automatic policy assignment.
Acceptable Use Policy
Configurable AUP acceptance requirement with version tracking and re-acknowledgment on policy updates.
Compliance & Isolation
Verify endpoint posture before granting access. Automatically isolate non-compliant or compromised devices based on signals from your existing security tools.
Posture Assessment
Check antivirus status, OS patch level, and security agent presence before granting network access. Block or quarantine devices that don't meet policy.
Automatic Quarantine
Instantly isolate compromised or non-compliant devices to a quarantine VLAN. Contain threats while allowing access to remediation resources.
Compliance Verification
Query endpoint state via FleetDM and osquery to verify AV status, OS patches, and security configurations. Integrate with SentinelOne, CrowdStrike, Microsoft Defender, and other EDR platforms to receive compliance signals.
IDS/IPS Response
Act on alerts from Snort, Suricata, or commercial IDS/IPS systems. When your IDS flags a threat, PacketFence immediately isolates the device.
Scanner Integration
Integrate with Nessus, OpenVAS, or Rapid7 vulnerability scanners. Trigger violations and isolate devices based on scan results from your existing tools.
Self-Service Remediation
Guide quarantined users through remediation via captive portal. Provide instructions, links to updates, or agent downloads—reducing helpdesk tickets.
Enterprise Integrations
Seamless integration with firewalls, MDM platforms, and existing enterprise infrastructure.
Firewall SSO
Dynamic user-to-IP mapping for identity-based firewall policies. Real-time authentication state synchronization.
MDM Integration
Verify device enrollment and compliance status with leading MDM platforms before granting access.
Network Equipment
Extensive compatibility with switches, wireless controllers, and access points from all major vendors.
Administration & Operations
Powerful management tools, high availability, and extensibility for enterprise operations.
Web Administration
Modern web interface with LDAP/AD authentication for role-based admin access.
Command Line Tools
Comprehensive CLI for automation, scripting, and advanced configuration.
High Availability
Active/active clustering for fault tolerance and geographic distribution.
REST API
Complete REST API for integration with ITSM, SIEM, and automation platforms.
Custom Captive Portal
Template Toolkit-based customizable portal with HTML/CSS branding preserved on upgrades.
Extensibility
Perl-based extension points for custom authentication, VLAN logic, and workflows.
Gradual Rollout
Deploy per-switch, per-port, or per-location for controlled production rollout.
Access Expiration
Time-based access with absolute dates, windows, or inactivity-based expiration.
High Availability & Disaster Recovery
Active/active clustering with automatic failover, database replication, and geographic distribution for mission-critical NAC deployments.
Zero Downtime
Seamless failover with no service interruption during node failures
Galera Replication
Synchronous multi-master database with automatic conflict resolution
Geo-Distribution
Deploy across data centers for regional resilience and DR
Auto-Recovery
galera-autofix service automatically recovers failed nodes
Same-Subnet Cluster
All nodes on the same Layer 2 network segment with shared virtual IP via Keepalived VRRP.
- Automatic VIP failover in <3 seconds
- Synchronous database replication
- Simple setup for single-site HA
Multi-Site Cluster
Nodes across different subnets or data centers with DNS/load balancer distribution.
- Geographic disaster recovery
- Cross-datacenter replication
- Regional traffic distribution
Cluster Components
MariaDB Galera
Synchronous multi-master database cluster. Each node holds a complete copy, ensuring data availability even if nodes disconnect.
Keepalived
VRRP-based virtual IP failover. Automatic promotion ensures clients always reach an active node within seconds.
Redis Cluster
Distributed in-memory cache for session data and real-time state synchronization across all cluster nodes.
Config Sync
Automatic configuration synchronization ensures all nodes have identical settings without manual intervention.
Quorum Protection
Split-brain prevention with quorum-based decision making. Isolated nodes go read-only to protect data integrity.
galera-autofix
Automatic cluster recovery service that detects and resolves common Galera issues without manual intervention.
Standards-Based Architecture