Hi Bryand,

I think that the root cause of your problem is the way that you are doing
the deauthentication. What I see is that you are using SNMP; however, if
I'm not wrong, the best method to do this is with RADIUS CoA. You should
see in the Network configuration Devices how to configure the switch in
order to send the authentication and deauth through RADIUS. I hope that if
I'm wrong, the guys at Inverse can correct what I'm saying.

I hope that this can give you a starting point.

Best regards


On Fri, Aug 8, 2014 at 11:24 AM, Bryand <bsanc...@grupoasd.com.co> wrote:

>
> Hi, good morning everyone,
>
>
> We have a requirement in the company, about NAC access for applying to
> users to get control about the connections to the resources that they
> currently have.
>
> We already set up our packet fence server with Ubuntu Server 12.04 LTE,
> and it is partially working with the authentication and 802.1 Protocol for
> VLAN assignment on the Switch. We also have the following infrastructure:
>
> -      One server with all VLANs Trunking on it and it is connected to a
> Switch Dell Force10 S50.
>
> -      One Laptop (On Client side) connected to a Gi 1/7.
>
> -      DHCP service is running on switch, per VLAN.
>
> -      VLANS created on the switch are: 800 Production with Internet
> access, 910 Registration, 911 Isolation and 913 MAC Detection.
>
> -      The Subnetworks for each VLAN are: 910 (192.168.210.0/24), 911 (
> 192.168.211.0/24), 913 (192.168.213.0/24).
>
> After all configuration, we are experiencing the following issues:
>
> When we connect the laptop to a port configured with 801.1 X, the switch
> allocates this on the VLAN 910 (Registration), and the captive portal
> appears on the browser, then we can authenticate the user. However, in the
> Switch log, the port doesn’t flip to the production VLAN (800)
> automatically, until we reconnected the port to the Switch or we executed
> shut /no shut down port  command.
>       Also, the Laptop which is on VLAN production,  can work without any
> problem.
>
>
>
> To try to solve this problem, we thought that could be a sentence with the
> vlan.pm, according to PF logs, or the modules that are used for our
> switches, these are some S50 Dell Force 10, but we can't see the light at
> the end of the tunnel, right now.  Jeje
>
>
>
> We appreciate a lot, your comments or opinions about this issue in order
> to try to solve the problem.
>
>
>
> Thank you.
>
> Sincerely
>
>
>  --
>
>
>
>
> *PF Logs:*
>
> root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log
> Aug 06 09:57:41 pfsetvlan(18) INFO: reAssignVlan trap received on
> 192.168.212.3 ifindex 1007 which is not ethernetCsmacd
> (pf::vlan::doWeActOnThisTrap)
> Aug 06 09:57:41 pfsetvlan(18) INFO: doWeActOnThisTrap returns false. Stop
> reAssignVlan handling (main::handleTrap)
> Aug 06 09:57:41 pfsetvlan(18) INFO: finished (main::cleanupAfterThread)
> Aug 06 10:16:57 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
> 192.168.212.3 (main::parseTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: nb of items in queue: 1; nb of threads
> running: 0 (main::startTrapHandlers)
> Aug 06 10:16:57 pfsetvlan(20) ERROR: Argument "noSuchInstance" isn't
> numeric in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139.
>  (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: reAssignVlan trap received on
> 192.168.212.3 ifindex 1007 which is not ethernetCsmacd
> (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: doWeActOnThisTrap returns false. Stop
> reAssignVlan handling (main::handleTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: finished (main::cleanupAfterThread)
> Aug 06 10:17:45 httpd.portal(12119) INFO: mac : 00:0c:29:61:62:fe
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Aug 06 10:17:45 httpd.portal(12119) INFO: Updating node 00:0c:29:61:62:fe
> user_agent with useragent: 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0)
> Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0'
> (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> Aug 06 10:17:45 httpd.portal(12119) INFO: Static User-Agent lookup data
> initialized (pf::useragent::_init)
> Aug 06 10:17:45 httpd.portal(12119) INFO: 00:0c:29:61:62:fe redirected to
> default
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Aug 06 10:17:45 httpd.portal(12119) INFO: 00:0c:29:61:62:fe redirected to
> authentication page
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Aug 06 10:18:56 httpd.portal(12128) INFO: mac : 00:0c:29:61:62:fe
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Aug 06 10:18:56 httpd.portal(12128) INFO: Authentication successful for
> bsanchez in source local (SQL) (pf::authentication::authenticate)
> Aug 06 10:18:56 httpd.portal(12128) INFO: person bsanchez modified to
> bsanchez (pf::person::person_modify)
> Aug 06 10:18:56 httpd.portal(12128) INFO: re-evaluating access for node
> 00:0c:29:61:62:fe (manage_register called)
> (pf::enforcement::reevaluate_access)
> Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for
> 00:0c:29:61:62:fe is 192.168.212.3 ifIndex 1007 connection type: Wired MAC
> Auth (pf::enforcement::_vlan_reevaluation)
> Aug 06 10:18:59 pfsetvlan(22) INFO: local (127.0.0.1) trap for switch
> 192.168.212.3 (main::parseTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
> running: 0 (main::startTrapHandlers)
> Aug 06 10:18:59 pfsetvlan(1) ERROR: Argument "noSuchInstance" isn't
> numeric in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139.
>  (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: reAssignVlan trap received on
> 192.168.212.3 ifindex 1007 which is not ethernetCsmacd
> (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop
> reAssignVlan handling (main::handleTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
>
>
>
> *After user authentication the user was moved to Production VLAN, when we
> shut/no shut the port, it doesn't flip automatically*
>
> Aug 06 10:22:48 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450.
> This is a problem. (pf::Switch::_getMacAtIfIndex)
> Aug 06 10:22:49 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450.
> This is a problem. (pf::Switch::_getMacAtIfIndex)
>
>
> *Switch config:*
>
> SW_RD_07#show running-config snmp
> !
> snmp-server community
> snmp-server community testing rw
> snmp-server enable traps bgp
> snmp-server enable traps snmp authentication coldstart linkdown linkup
> snmp-server enable traps vrrp
> snmp-server enable traps stp
> snmp-server enable traps ecfm
> snmp-server enable traps xstp
> snmp-server enable traps envmon fan supply temperature
> snmp-server enable traps eoam
> snmp-server host 192.168.212.1 traps version 2c testing udp-port 162
>
> SW_RD_07#show running-config interface gigabitethernet 1/7
> !
> interface GigabitEthernet 1/7
>  no ip address
>  switchport
>  dot1x authentication
>  dot1x mac-auth-bypass
>  dot1x auth-type mab-only
>  no shutdown
> SW_RD_07#
>
> SW_RD_07#show running-config radius
> !
> radius-server host 192.168.212.1 key 7 a56fd6b9b796eb74 auth-port 1812
> SW_RD_07#
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> PacketFence-devel mailing list
> PacketFence-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-devel
>
>


-- 

*“Choose a job you love, and you will never have to work a day in your
life”*
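
As an added example (not part of either message and not PacketFence code), the following Python sketch correlates the two log events visible in the quoted excerpt: a portal-triggered re-evaluation for a switch port, followed by a reAssignVlan trap that pfsetvlan declines to act on. The function name, the 30-second window, the `year` default and the unwrapped sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: unwrapped lines modelled on the packetfence.log excerpt quoted above.
SAMPLE_LOG = """\
Aug 06 10:18:56 httpd.portal(12128) INFO: re-evaluating access for node 00:0c:29:61:62:fe (manage_register called) (pf::enforcement::reevaluate_access)
Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for 00:0c:29:61:62:fe is 192.168.212.3 ifIndex 1007 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 06 10:18:59 pfsetvlan(1) ERROR: Argument "noSuchInstance" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139. (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 06 10:22:48 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450. This is a problem. (pf::Switch::_getMacAtIfIndex)
"""

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+?)\((\d+)\) (\w+): (.*)$")
REEVAL = re.compile(r"switch port for (\S+) is (\S+) ifIndex (\d+)")
DROPPED = re.compile(r"reAssignVlan trap received on (\S+) ifindex (\d+) which is not ethernetCsmacd")

def find_dropped_reassignments(text, year=2014, window=timedelta(seconds=30)):
    """Return re-evaluations whose reAssignVlan trap pfsetvlan refused to act on."""
    pending, errored, findings = {}, set(), []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # The log carries no year; one is supplied so timestamps can be compared.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        worker, msg = (m.group(2), m.group(3)), m.group(5)
        if (r := REEVAL.search(msg)):
            # Portal asked for a VLAN re-evaluation on this (switch, ifIndex).
            pending[(r.group(2), r.group(3))] = (r.group(1), ts)
        elif "noSuchInstance" in msg:
            errored.add(worker)  # this worker logged the noSuchInstance error
        elif (d := DROPPED.search(msg)):
            port = (d.group(1), d.group(2))
            if port in pending and ts - pending[port][1] <= window:
                mac, _ = pending.pop(port)
                findings.append({"mac": mac, "switch": port[0], "ifindex": port[1],
                                 "time": m.group(1),
                                 "noSuchInstance_error": worker in errored})
            errored.discard(worker)
    return findings

if __name__ == "__main__":
    for finding in find_dropped_reassignments(SAMPLE_LOG):
        print(finding)
```

Each finding names a node that authenticated on the portal but whose port was left in its previous VLAN because the trap handler stopped.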