Hi Dan,

...

> We are running in registration mode on PacketFence and on
> the Cisco side we are using port-security.
>
> I am just in the early stages of deployment right now. I have 2
> production switches with port-security completed and pointing to my
> PacketFence. My switches.conf is set up in registration mode and appears
> correct.

...

> I am expecting the server to auto-register the PCs that get plugged in,
> but it doesn't. I can get it to register if I throw them in the
> registration VLAN and go through the captive portal; I have been successful
> with this in testing in my lab, but in production I would like to do all
> the registration behind the scenes so the user never knows.

When a switch is in mode=registration, PacketFence will automatically register MAC addresses that it sees via SNMP. However, in this mode it will not manage the security of the ports or change VLANs (as it is not in production). This mode is to be used as a means to do a smooth transition to NAC.

1. Auto-register your users
   -- Enable mode=registration for a given switch
   -- Restart PacketFence
   -- Configure the switch to send link traps to PacketFence
   -- Leave your users' access ports in their normal VLAN

2. Wait while your users are being automatically registered by the system

3. Move to production
   -- Put the switch into mode=production
   -- Restart PacketFence
   -- Configure the switch to use port-security and deactivate link SNMP traps

You can perform these steps on a per-switch basis or more if required.

Other approaches:
- disable registration entirely
- use pf::vlan::custom to automatically register every user (see pf::vlan's shouldAutoRegister())

Be aware that allowing everyone in defeats the purpose of access control a bit.

> On the switch I have set up the port-security mac-address line with
> the PC's MAC address.

No, it will not have the desired effect. Port-security is used as a way to notify the switch of the presence of a given MAC. If you put the MAC in the entry, then PacketFence will never be notified until another device connects there.

I hope I clarified how things work.

Have a nice day!

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
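During a per-switch transition like the one described above, it helps to know which switches are still in mode=registration and which have moved to mode=production. The following script is an added example, not from this thread or from the PacketFence code base; it assumes the INI layout of switches.conf (a [default] section whose keys are inherited by each per-switch section named by the switch IP), and the sample file it parses is constructed.

```python
"""Report the effective per-switch mode in a PacketFence switches.conf.

Added example, not from the mailing-list thread or the PacketFence code base.
Assumes the INI layout of switches.conf: a [default] section whose keys are
inherited by every per-switch section (named by the switch IP), each of which
may override 'mode'. The sample file below is constructed.
"""
import configparser
from typing import Dict, List

# Constructed sample: two switches still in registration mode, one already in production.
SAMPLE_SWITCHES_CONF = """
[default]
type = Cisco::Catalyst_2960
mode = production
SNMPVersion = 2c
SNMPCommunityRead = public

[192.168.1.10]
mode = registration

[192.168.1.11]
mode = registration
type = Cisco::Catalyst_3750

[192.168.1.12]
"""

# Switch modes PacketFence recognises; anything else is a configuration typo.
VALID_MODES = {"testing", "ignore", "registration", "production", "discovery"}


def effective_modes(conf_text: str) -> Dict[str, str]:
    """Return {switch_ip: mode}, applying [default] inheritance when a section omits 'mode'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    default_mode = parser.get("default", "mode", fallback=None)
    modes: Dict[str, str] = {}
    for section in parser.sections():
        if section == "default":
            continue
        mode = parser.get(section, "mode", fallback=default_mode)
        if mode not in VALID_MODES:
            raise ValueError(f"{section}: unknown mode {mode!r}")
        modes[section] = mode
    return modes


def switches_in_mode(conf_text: str, mode: str) -> List[str]:
    """Sorted switch IPs whose effective mode equals 'mode' (e.g. those still auto-registering)."""
    return sorted(ip for ip, m in effective_modes(conf_text).items() if m == mode)


if __name__ == "__main__":
    for ip, mode in effective_modes(SAMPLE_SWITCHES_CONF).items():
        print(f"{ip}: {mode}")
```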
