This is all in my house... very simple network... all clients are plugged into a Cisco 3550 (which is fully supported). I don't have a VPN hub. I've got DHCP and SNORT on span ports so they can see all traffic (including all DHCP requests etc). In my logs I'm seeing all the DHCP requests, I see the SNMP traps coming in, I've tested the switch and packetfence is successfully talking with the switch, but again the error I get is:

Mar 09 10:01:07 pfcmd(0) INFO: pfcmd calling node_modify for 00:e0:4c:07:51:a8 (main::command_param)
Mar 09 10:01:08 pfcmd(0) INFO: VLAN isolation is enabled and node_modify is part of adjustswitchportvlanreasons (main::vlan_reevaluation)
Mar 09 10:01:08 pfcmd(0) WARN: Can't change VLAN for mac 00:e0:4c:07:51:a8 because no open locationlog entry was found (main::vlan_reevaluation)

Hence the ONLY thing that's stopping it from changing VLANs is this "no open locationlog entry" being found. So how do I get packetfence to put in a locationlog entry? Or better yet, why isn't it putting in an entry in the first place? I see the nodes inside of packetfence...

-Dan

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: Wednesday, March 09, 2011 10:05 AM
To: [email protected]
Subject: Re: [Packetfence-users] Fwd: PF on vmware for site to site NAC (WAS: No subject)

Hi,

Are your clients plugged into local manageable switches? Are they supported in PF? I don't know what will be the behavior of the VPN hub, but I'll give you some hints about what we usually do in routed networks.

Are you using VLANs at your locations? Basically, you'll need to have your PF servers in your central location. In each remote site, you'll need to create a registration/isolation VLAN with proper subnetting. In those subnets, PacketFence will act as the DHCP and DNS server. The DHCP traffic for the registration and isolation will be forwarded to PacketFence using ip helper-address on the first level 3 interface that the traffic hits. Furthermore, if you want to have isolation capabilities, you must forward a copy of the production DHCP as well.

For SNORT and Nessus, I don't see issues there. As long as your internet traffic goes out at your central location, you'll only need one probe.

We did a lot of routed network deployments, so I don't see why it couldn't work. Let me know if you need more information.

> Hi,
>
> New to this forum - looking at PF as a possible solution to my NAC
> needs for a number of remote offices. I have several remote offices
> that do not have IT staff and the computers are essentially unmanaged.
> These computers connect through site-to-site VPN tunnels
> to a central hub that has resources used by the remote offices (email,
> web proxy, etc). In some cases there are also resources behind the VPN
> routers at the remote offices that other remote offices have access to
> (PBX, file servers, etc).
>
> DHCP for the office computers is handled locally at each office by the
> router. Another possible complication is that the central server
> system is actually a VMware ESXi 4.x hypervisor-based system
> (one vm is the VPN hub, one is the web proxy, etc).
>
> What I would like to happen is if a computer from a remote office
> (call it site A) connects through the VPN tunnel to the central system
> (i.e. site B) the connection is intercepted by PF and a registration
> is required. I would also like the Nessus and Snort-type capabilities
> to be utilized and the registration/isolation VLANs to be on the
> central system so that any unregistered, unpatched, or mis-behaving
> systems don't get any farther than the VPN hub.
>
> Is this doable and does anyone have any examples on how they have done
> it?
>
> Thanks a bunch...
>

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
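A small triage helper for the pfcmd log lines quoted above, added here as an example; it is not part of the thread or of PacketFence. It assumes the line layout shown in Dan's message (timestamp, process(pid), level, message, Perl sub in parentheses) and pairs each node_modify re-evaluation with any later "Can't change VLAN" warning for the same MAC, so a defender can see at a glance which nodes never got their VLAN changed and why; one extra node_modify line for a second MAC is constructed for contrast.

```python
import re
from collections import OrderedDict

# Assumed format of the pfcmd lines quoted in the thread:
#   "<Mon> <DD> <HH:MM:SS> <process>(<pid>) <LEVEL>: <message> (<perl sub>)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\w+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"(?P<msg>.*?) \((?P<func>[\w:]+)\)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
FAIL_RE = re.compile(r"^Can't change VLAN for mac (?P<mac>\S+) because (?P<reason>.*)$")


def parse_line(line):
    """Split one pfcmd log line into its fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def vlan_change_failures(lines):
    """Map every MAC that pfcmd re-evaluated via node_modify to the reason
    its VLAN change failed, or None when no failure was logged for it."""
    result = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a pfcmd line in the expected layout; skip it
        if rec["func"] == "main::command_param" and "node_modify" in rec["msg"]:
            mac = MAC_RE.search(rec["msg"])
            if mac:
                result.setdefault(mac.group(1).lower(), None)
        elif rec["level"] == "WARN":
            fail = FAIL_RE.match(rec["msg"])
            if fail:
                result[fail.group("mac").lower()] = fail.group("reason")
    return result


# Sample input: the three lines quoted in the thread, plus one constructed
# node_modify line for a second MAC that never gets a WARN.
SAMPLE_LOG = """\
Mar 09 10:01:07 pfcmd(0) INFO: pfcmd calling node_modify for 00:e0:4c:07:51:a8 (main::command_param)
Mar 09 10:01:08 pfcmd(0) INFO: VLAN isolation is enabled and node_modify is part of adjustswitchportvlanreasons (main::vlan_reevaluation)
Mar 09 10:01:08 pfcmd(0) WARN: Can't change VLAN for mac 00:e0:4c:07:51:a8 because no open locationlog entry was found (main::vlan_reevaluation)
Mar 09 10:02:30 pfcmd(0) INFO: pfcmd calling node_modify for 00:11:22:33:44:55 (main::command_param)
"""

if __name__ == "__main__":
    for mac, reason in vlan_change_failures(SAMPLE_LOG.splitlines()).items():
        print(mac, "->", reason or "no VLAN-change failure logged")
```

Run it over a real pfcmd log (for example by piping the file's lines into `vlan_change_failures`) to list every node stuck without an open locationlog entry before digging into the switch's SNMP trap configuration.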
