Hi, good morning everyone,


We have a requirement in the company for NAC access to apply to users, to get control over the connections to the resources that they currently have.

We have already set up our PacketFence server with Ubuntu Server 12.04 LTS, and it is partially working with the authentication and 802.1 protocol for VLAN assignment on the switch. We also have the following infrastructure:

-One server with all VLANs Trunking on it and it is connected to a Switch Dell Force10 S50.

-One Laptop (On Client side) connected to a Gi 1/7.

-DHCP service is running on switch, per VLAN.

-VLANs created on the switch are: 800 Production with Internet access, 910 Registration, 911 Isolation and 913 MAC Detection.

-The Subnetworks for each VLAN are: 910 (192.168.210.0/24), 911 (192.168.211.0/24), 913 (192.168.213.0/24).

After all the configuration, we are experiencing the following issues:

When we connect the laptop to a port configured with 802.1X, the switch places it on VLAN 910 (Registration), the captive portal appears in the browser, and we can then authenticate the user. However, according to the switch log, the port doesn't flip to the production VLAN (800) automatically until we reconnect the port to the switch or execute the shut / no shut down port command.

Also, the laptop which is on the production VLAN can work without any problem.

To try to solve this problem, we thought that it could be a sentence in vlan.pm, according to the PF logs, or the modules that are used for our switches (these are some Dell Force10 S50s), but we can't see the light at the end of the tunnel right now. Hehe

We would appreciate your comments or opinions about this issue a lot, in order to try to solve the problem.

Thank you.

Sincerely


--




/PF Logs:/

root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log
Aug 06 09:57:41 pfsetvlan(18) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 06 09:57:41 pfsetvlan(18) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 06 09:57:41 pfsetvlan(18) INFO: finished (main::cleanupAfterThread)
Aug 06 10:16:57 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 192.168.212.3 (main::parseTrap)
Aug 06 10:16:57 pfsetvlan(20) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 06 10:16:57 pfsetvlan(20) ERROR: Argument "noSuchInstance" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139.
 (pf::vlan::doWeActOnThisTrap)
Aug 06 10:16:57 pfsetvlan(20) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 06 10:16:57 pfsetvlan(20) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 06 10:16:57 pfsetvlan(20) INFO: finished (main::cleanupAfterThread)
Aug 06 10:17:45 httpd.portal(12119) INFO: mac : 00:0c:29:61:62:fe (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Aug 06 10:17:45 httpd.portal(12119) INFO: Updating node 00:0c:29:61:62:fe user_agent with useragent: 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0' (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
Aug 06 10:17:45 httpd.portal(12119) INFO: Static User-Agent lookup data initialized (pf::useragent::_init)
Aug 06 10:17:45 httpd.portal(12119) INFO: 00:0c:29:61:62:fe redirected to default (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Aug 06 10:17:45 httpd.portal(12119) INFO: 00:0c:29:61:62:fe redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Aug 06 10:18:56 httpd.portal(12128) INFO: mac : 00:0c:29:61:62:fe (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Aug 06 10:18:56 httpd.portal(12128) INFO: Authentication successful for bsanchez in source local (SQL) (pf::authentication::authenticate)
Aug 06 10:18:56 httpd.portal(12128) INFO: person bsanchez modified to bsanchez (pf::person::person_modify)
Aug 06 10:18:56 httpd.portal(12128) INFO: re-evaluating access for node 00:0c:29:61:62:fe (manage_register called) (pf::enforcement::reevaluate_access)
Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for 00:0c:29:61:62:fe is 192.168.212.3 ifIndex 1007 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 06 10:18:59 pfsetvlan(22) INFO: local (127.0.0.1) trap for switch 192.168.212.3 (main::parseTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 06 10:18:59 pfsetvlan(1) ERROR: Argument "noSuchInstance" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139.
 (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)



*After user authentication, the user was moved to the production VLAN when we shut/no shut the port; it doesn't flip automatically.*
Aug 06 10:22:48 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450. This is a problem. (pf::Switch::_getMacAtIfIndex)
Aug 06 10:22:49 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450. This is a problem. (pf::Switch::_getMacAtIfIndex)

/Switch config:/

SW_RD_07#show running-config snmp
!
snmp-server community
snmp-server community testing rw
snmp-server enable traps bgp
snmp-server enable traps snmp authentication coldstart linkdown linkup
snmp-server enable traps vrrp
snmp-server enable traps stp
snmp-server enable traps ecfm
snmp-server enable traps xstp
snmp-server enable traps envmon fan supply temperature
snmp-server enable traps eoam
snmp-server host 192.168.212.1 traps version 2c testing udp-port 162

SW_RD_07#show running-config interface gigabitethernet 1/7
!
interface GigabitEthernet 1/7
 no ip address
 switchport
 dot1x authentication
 dot1x mac-auth-bypass
 dot1x auth-type mab-only
 no shutdown
SW_RD_07#

SW_RD_07#show running-config radius
!
radius-server host 192.168.212.1 key 7 a56fd6b9b796eb74 auth-port 1812
SW_RD_07#











_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel
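
Added example, not part of the original post and not PacketFence code: a small Python triage script that pairs each portal "switch port for ..." re-evaluation with a later reAssignVlan trap on the same switch and ifIndex that pfsetvlan stopped handling, as in the log above. The function names are hypothetical, and the sample is constructed from entries in the posted log, with two entries left run together as they were pasted.

```python
import re

# Constructed sample from the posted log; its second line keeps two entries run together.
SAMPLE_LOG = (
    "Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for 00:0c:29:61:62:fe is "
    "192.168.212.3 ifIndex 1007 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)\n"
    "Aug 06 10:18:59 pfsetvlan(1) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 "
    "which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap) "
    "Aug 06 10:18:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. "
    "Stop reAssignVlan handling (main::handleTrap)\n"
    "Aug 06 10:18:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)\n"
)

STAMP = r"[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}"
HEAD = re.compile(rf"({STAMP}) ([\w.]+)\((\d+)\) (\w+): (.*)", re.S)
PORT = re.compile(r"switch port for ([0-9a-f:]{17}) is (\S+) ifIndex (\d+)")
TRAP = re.compile(r"reAssignVlan trap received on (\S+) ifindex (\d+)")


def split_entries(text):
    """Split on each timestamp+process header, so run-together entries separate."""
    return [c.strip() for c in re.split(rf"(?={STAMP} [\w.]+\(\d+\) )", text) if c.strip()]


def dropped_reassignments(text):
    """Return portal re-evaluations whose reAssignVlan trap pfsetvlan stopped handling."""
    pending, in_thread, findings = {}, {}, []
    for chunk in split_entries(text):
        m = HEAD.match(chunk)
        if not m:
            continue
        ts, proc, tid, _level, msg = m.groups()
        if p := PORT.search(msg):
            pending[(p[2], p[3])] = (p[1], ts)          # (switch, ifIndex) -> (mac, time)
        elif proc == "pfsetvlan" and (t := TRAP.search(msg)):
            in_thread[tid] = (t[1], t[2])               # trap this thread is handling
        elif "doWeActOnThisTrap returns false" in msg and tid in in_thread:
            port = in_thread.pop(tid)
            if port in pending:
                mac, asked = pending.pop(port)
                findings.append({"mac": mac, "switch": port[0], "ifindex": port[1],
                                 "requested": asked, "dropped": ts})
    return findings


if __name__ == "__main__":
    for f in dropped_reassignments(SAMPLE_LOG):
        print(f)
```

Each finding is a node that authenticated on the portal but whose VLAN reassignment was never acted on, which is the condition that leaves the port in the registration VLAN until it is bounced.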
