On 09/21/2012 10:25 AM, Jan Behrend wrote:
> Hi Olivier,
>
> thanks for your quick answer.
>
> On 09/20/2012 05:10 PM, Olivier Bilodeau wrote:
>> On 09/20/2012 04:53 AM, Jan Behrend wrote:
>> You want port-security or MAC-Auth / 802.1X? We have been recommending
>> the latter lately.
>
> I was going after port-security, because your guide favors that. I have
> not but I am going to try MAC-Auth if you say so ;-)
>
>> Can you attach a few traps from the logs/snmptrapd.log file from that
>> switch? I don't think the unrecognized one is the one we are after.
>
> I attached my complete packetfence.log and snmptrapd.log for your
> reference. I have been playing with all HP switch types but none seems
> to work. I have been playing with "pfcmd_vlan" and I got this:
>
> root@packetfence:~/pf/bin# ./pfcmd_vlan -deauthenticate -mac
> 00:15:58:81:79:b8 -switch 134.104.29.11 -verbose 4
> DEBUG - instantiating new SwitchFactory object
> DEBUG - reading config file /usr/local/pf/conf/switches.conf
> DEBUG - creating new pf::SNMP::HP::Procurve_2600 object
> DEBUG - start handling 'deauthenticate' command
> WARN - Unimplemented! First, make sure your configuration is ok. If it
> is then we don't support your hardware. Open a bug report with your
> hardware type.
> DEBUG - finished handling 'deauthenticate' command

In MAC-Auth we bounce the port (shut / no shut), it's the most reliable
way to get the client to re-issue DHCP, etc. You can emulate it with:

... -setIfAdminStatus -ifAdminStatus 2 -switch ... -ifIndex ...
wait 5 seconds
... -setIfAdminStatus -ifAdminStatus 1 -switch ... -ifIndex ...

For 802.1X, you need to do -deauthenticateDot1x -ifIndex <ifIndex> and
not just -deauthenticate <mac>. This is mentioned in pfcmd_vlan's help:

-deauthenticateDot1x  de-authenticate a dot1x client (pass ifIndex for wired 802.1x and mac for wireless 802.1x)

Regards,
--
Olivier Bilodeau
obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
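The port bounce described in the reply above, as an added shell example that is not part of the original message or of PacketFence: it shuts the port, waits, re-enables it with retries, and brings the port back up if the script is interrupted while the port is down. The install path, `BOUNCE_WAIT` and the function names are assumptions; `ifAdminStatus` uses the IF-MIB values 1 (up) and 2 (down).

```shell
#!/bin/sh
# Added example (not PacketFence code): bounce a port with pfcmd_vlan.
# Assumptions: the install path, BOUNCE_WAIT and the function names are
# illustrative; ifAdminStatus follows IF-MIB (1 = up, 2 = down).
PFCMD_VLAN="${PFCMD_VLAN:-/usr/local/pf/bin/pfcmd_vlan}"
BOUNCE_WAIT="${BOUNCE_WAIT:-5}"   # seconds the port stays shut

# $1 = switch IP, $2 = ifIndex, $3 = desired ifAdminStatus
set_admin_status() {
    "$PFCMD_VLAN" -setIfAdminStatus -ifAdminStatus "$3" -switch "$1" -ifIndex "$2"
}

# Runs in a subshell so the trap and exit codes stay local to one bounce.
bounce_port() (
    switch=$1 ifindex=$2
    # Accept only digits and dots in a four-field shape, and a positive ifIndex.
    case "$switch" in
        ''|*[!0-9.]*|*.*.*.*.*) echo "bad switch IP: $switch" >&2; exit 2 ;;
        *.*.*.*) ;;
        *) echo "bad switch IP: $switch" >&2; exit 2 ;;
    esac
    case "$ifindex" in
        ''|0*|*[!0-9]*) echo "bad ifIndex: $ifindex" >&2; exit 2 ;;
    esac

    # If interrupted while the port is shut, bring it back up before exiting.
    trap 'set_admin_status "$switch" "$ifindex" 1; exit 130' INT TERM

    set_admin_status "$switch" "$ifindex" 2 || { echo "shut failed" >&2; exit 1; }
    sleep "$BOUNCE_WAIT"

    # Retry "no shut" so one lost SNMP set does not leave the port disabled.
    for attempt in 1 2 3; do
        set_admin_status "$switch" "$ifindex" 1 && exit 0
        sleep 1
    done
    echo "port $ifindex on $switch is still admin-down" >&2
    exit 1
)
```

Call it as `bounce_port <switch-ip> <ifIndex>`; a non-zero exit after the shut step means the port state should be checked on the switch.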