Sorry, I mistyped while I was copying and pasting from the webgui to the email. The mac addresses are formatted correct in the "node" tab.
I suspect it has something to do with our existing NAC device from Mirage networks, so I'm not to concerened about them. Another question, how should my switch be configured, for ARP poisoning mode to work correctly? Right now I have a mirror port going to one NIC on my packetfence machine, and just a regular switch port going to the other NIC. ARP poisoning doesn't seem to be working correctly though, unregistered devices never seem to be denied network access. ___________________________________________ Brett -----Original Message----- From: Olivier Bilodeau [mailto:obilod...@inverse.ca] Sent: Friday, August 13, 2010 10:27 AM To: packetfence-users@lists.sourceforge.net Subject: Re: [Packetfence-users] unknown mac addresses Hi Brett, Brett A. Karns wrote: > Our network has about 200 endpoints on it. However, under the 'node' > tab, I'm showing well over 1000 mac addresses. Does anybody know what > these mac addresses are? Most of the unknown ones begin with > 00:9e:0a:e8:01:e8:/xx:xx/ > Are you sure the MAC is properly formatted? It already has six groups before the xx:xx. Taking only the 00:9e:0a portion, you can see that it was not assigned by IEEE.. MAC address spoofing maybe? Are the node registered? Is the OS detected? If it is, is it the same for all the thousands of nodes? PacketFence is very aggressive about recording MAC addresses but this comes at a cost of sometime having a lot of weird entries in the node table. For example, it could be a special VPN client that uses MAC addresses like these for some reason. If a trap is sent or RADIUS is called, the MAC will be recorded. Another way to track it down would be to monitor according to detect_date and try to find in what AP or switch-port it happened and check MAC activated around that time or simply go on site and see who / what's there. Sorry I can't help more than that. Cheers! -- Olivier Bilodeau obilod...@inverse.ca :: +1.514.447.4918 *115 :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) ---------------------------------------------------------------------------- -- This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev _______________________________________________ Packetfence-users mailing list Packetfence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ This SF.net email is sponsored by Make an app they can't live without Enter the BlackBerry Developer Challenge http://p.sf.net/sfu/RIM-dev2dev _______________________________________________ Packetfence-users mailing list Packetfence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
