I am attempting to set up a proof-of-concept of Packetfence using MAC 
Authentication only with a multi-domain setup (data VLAN and voice VLAN on the 
same port, authenticating separately). Initial authentication itself is working, 
as both voice and data are initially assigned to the correct VLANs (I have set 
the phones up to auto-register according to their vendor MAC prefix, and the 
computers end up in the registration VLAN). Once I mark the node as registered, 
it attempts to set the VLAN, but this process fails to move the workstation into 
the proper VLAN. I have tested this with pfcmd_vlan. The SNMP request itself 
succeeds, and while the configuration of the port changes, it does not affect 
the assignment of the existing MAC on the port.

The switch is a Catalyst 4500, and I had to hack together a customized module 
for it to work properly, but it is now associating the proper IfIndex to the 
NasPort.

This is my starting point:

The port is at this point in VLAN 40, the normal VLAN for this workstation.

interface GigabitEthernet5/44
switchport access vlan 40
switchport mode access
switchport voice vlan 140
authentication host-mode multi-domain
authentication order mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
authentication violation restrict
mab
no snmp trap link-status
spanning-tree portfast
end

This is what I see in the MAC table:

Unicast Entries
vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
  40    xxxx.xxxx.xxxx   dynamic ip,ipx,assigned,other GigabitEthernet5/44
140   xxxx.xxxx.xxxx   dynamic ip,ipx,assigned,other GigabitEthernet5/44

I run this command (800 is the registration VLAN):
/usr/local/pf/bin/pfcmd_vlan -verbose 4 -setvlan -switch x.x.x.x -ifIndex 154 
-vlan 800

DEBUG - instantiating new SwitchFactory object
DEBUG - reading config file /usr/local/pf/conf/switches.conf
DEBUG - creating new pf::SNMP::Cisco::Catalyst_4500 object
DEBUG - start handling 'setVlan' command
TRACE - locationlog_synchronize called
TRACE - attempt #0 to run query locationlog_view_open_mac_sql from module 
locationlog
DEBUG - Database statements not prepared, preparing...
DEBUG - Preparing pf::locationlog database queries
DEBUG - function pf::db::get_db_handle is calling db_connect
DEBUG - checking handle
DEBUG - (Re)Connecting to MySQL (thread id: 0)
DEBUG - connected
TRACE - existing open locationlog entry
TRACE - verifying if locationlog is accurate called
TRACE - latest locationlog entry is not accurate
DEBUG - closing old locationlog entry because something about this node changed
TRACE - attempt #0 to run query locationlog_update_end_mac_sql from module 
locationlog
TRACE - attempt #0 to run query node_exist_sql from module node
DEBUG - Database statements not prepared, preparing...
DEBUG - Preparing pf::node database queries
TRACE - attempt #0 to run query locationlog_view_open_switchport_sql from 
module locationlog
TRACE - attempt #0 to run query locationlog_insert_start_with_mac_sql from 
module locationlog
new VLAN: 800

This does work in a sense, for here is the port config:

interface GigabitEthernet5/44
switchport access vlan 800
switchport mode access
switchport voice vlan 140
authentication host-mode multi-domain
authentication order mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
authentication violation restrict
mab
no snmp trap link-status
spanning-tree portfast
end

The VLAN has changed, but not actually:

sh mac address-table int gi5/44
Unicast Entries
vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+--------------------
  40    xxxx.xxxx.xxxx   dynamic ip,ipx,assigned,other GigabitEthernet5/44
140   xxxx.xxxx.xxxx   dynamic ip,ipx,assigned,other GigabitEthernet5/44

The first entry, which is the workstation, is still in the old VLAN.  So, is 
there something that needs to be configured to cause this to properly change 
the existing instances in this multi-domain setup?

Here is what I have in my hacked together module:

package pf::SNMP::Cisco::Catalyst_4500;

=head1 NAME

pf::SNMP::Cisco::Catalyst_4500 - Object oriented module to access and configure 
Cisco Catalyst 4500 switches

=head1 STATUS

This module is currently only a placeholder, see pf::SNMP::Cisco::Catalyst_2960.

We do not know the minimum required firmware version.

=head1 CONFIGURATION AND ENVIRONMENT

F<conf/switches.conf>

=cut

use strict;
use warnings;
use diagnostics;
use Log::Log4perl;
use Net::SNMP;

use base ('pf::SNMP::Cisco::Catalyst_2960');

sub NasPortToIfIndex {
    my ($this, $NAS_port) = @_;
    my $logger = Log::Log4perl::get_logger(ref($this));

    if ($NAS_port =~ /^(\d{3})\d{2}$/) {

        # Translation is tricky for this router because ifIndex are
        # automatically incremented based on the slot configuration.
        # Here's an example:
        #   NAS port is 50223 for Gi2/1.
        #   Remove 50200: 23
        #   Then add 48 multiplied by slot # (502 being slot 0): so 23 + (48 * 0) = 23
        #   Then add 21 (number of ports in the supervisor slot #1): 23 + 21 = 44
        #   NAS port 50223 is ifIndex 44
        # Customized for 2 SUPs

        # Remove 50x00.
        my $ifIndex = $NAS_port - ($1."00");
        # Add 48 multiplied by slot # (503 being slot 0)
        $ifIndex = $ifIndex + (48 * ($1-503));
        # Add number of supervisor ports
        $ifIndex = $ifIndex + 14;
        return $ifIndex;
    } else {
        $logger->warn("Unknown NAS-Port format. ifIndex translation could have failed. "
            ."VLAN re-assignment and switch/port accounting will be affected.");
    }
    return $NAS_port;
}

# Customized for 2 * SUP 6-E 10GE and 4 48-port modules
sub getSlotNumber {
    my ($this, $ifIndex, $connection_type) = @_;
    # ifIndex ranges: slot 1 = 1..8, slot 2 = 9..14, then 48 per line-card slot
    # (slot 3 = 15..62, slot 4 = 63..110, slot 5 = 111..158, slot 6 = 159..)
    if ($ifIndex > 158) {
        return 6;
    } elsif ($ifIndex > 110) {
        return 5;
    } elsif ($ifIndex > 62) {
        return 4;
    } elsif ($ifIndex > 14) {
        return 3;
    } elsif ($ifIndex > 8) {
        return 2;
    } else {
        return 1;
    }
}


=head1 AUTHOR

Regis Balzard <[email protected]>

=head1 COPYRIGHT

Copyright (C) 2010,2011 Inverse inc.

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
USA.

=cut

1;

# vim: set shiftwidth=4:
# vim: set expandtab:
# vim: set backspace=indent,eol,start:

IOS version on the 4500 is 12.2(53)SG4.  It is the (n-1) version.  Latest and 
greatest (54) has a bug with multi-domain authentication, and version must be 
>= 12.2(50) for required features (hoping this tidbit will help others).

Is anyone using packetfence with multi-domain 802.1x/MAB?

Thanks for your time.

Brent
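The following is an added example, not part of Brent's message and not PacketFence code. It shows the NAS-Port to ifIndex translation that the module above hard-codes as arithmetic, rewritten as a table-driven mapping over a chassis layout, together with the inverse (ifIndex to slot/port) and a round-trip check that the two agree. The layout (slot 1 = 8 ports, slot 2 = 6 ports, slots 3 to 6 = 48 ports each) is an assumption reconstructed from the thresholds in the module's getSlotNumber, and the 5SSPP NAS-Port encoding (50000 + 100 * slot + port) is also an assumption; it reproduces the post's mapping of Gi5/44 to ifIndex 154. The security-relevant difference from the module's else branch is that an unparseable or out-of-range NAS-Port raises instead of returning the raw value, so a mis-translation cannot silently push a VLAN change onto some other interface.

```python
"""NAS-Port <-> ifIndex translation for a modular chassis (added example).

Assumptions (not from the post or from PacketFence):
  * chassis layout below, reconstructed from the post's getSlotNumber thresholds
  * NAS-Port is encoded as 5SSPP: 50000 + 100 * slot + port
"""

from typing import Dict, Tuple

# Assumed chassis layout: slot number -> number of ports in that slot.
CHASSIS_LAYOUT: Dict[int, int] = {1: 8, 2: 6, 3: 48, 4: 48, 5: 48, 6: 48}


def parse_nas_port(nas_port: int) -> Tuple[int, int]:
    """Split a 5SSPP NAS-Port into (slot, port); reject anything else."""
    if not 50000 <= nas_port <= 59999:
        raise ValueError(f"NAS-Port {nas_port} is not in the 5SSPP form")
    slot = (nas_port - 50000) // 100
    port = nas_port % 100
    return slot, port


def ifindex_base(slot: int, layout: Dict[int, int] = CHASSIS_LAYOUT) -> int:
    """Number of ports in all slots before `slot` (0 for slot 1)."""
    return sum(n for s, n in layout.items() if s < slot)


def nas_port_to_ifindex(nas_port: int, layout: Dict[int, int] = CHASSIS_LAYOUT) -> int:
    """Translate a NAS-Port to the SNMP ifIndex the VLAN change will be written to.

    Fails closed: an unknown slot or an out-of-range port raises instead of
    handing back a number that would address some other interface.
    """
    slot, port = parse_nas_port(nas_port)
    if slot not in layout:
        raise ValueError(f"NAS-Port {nas_port}: slot {slot} is not in the chassis layout")
    if not 1 <= port <= layout[slot]:
        raise ValueError(f"NAS-Port {nas_port}: port {port} exceeds slot {slot} "
                         f"({layout[slot]} ports)")
    return ifindex_base(slot, layout) + port


def ifindex_to_slot_port(ifindex: int, layout: Dict[int, int] = CHASSIS_LAYOUT) -> Tuple[int, int]:
    """Inverse mapping: ifIndex -> (slot, port), as used for locationlog/accounting."""
    remaining = ifindex
    for slot in sorted(layout):
        if 1 <= remaining <= layout[slot]:
            return slot, remaining
        remaining -= layout[slot]
    raise ValueError(f"ifIndex {ifindex} is outside the chassis layout")


def layout_is_consistent(layout: Dict[int, int] = CHASSIS_LAYOUT) -> bool:
    """Round-trip every (slot, port) of the layout through both translations."""
    for slot, nports in layout.items():
        for port in range(1, nports + 1):
            nas_port = 50000 + 100 * slot + port
            if ifindex_to_slot_port(nas_port_to_ifindex(nas_port, layout), layout) != (slot, port):
                return False
    return True


if __name__ == "__main__":
    # Gi5/44 from the post: NAS-Port 50544 -> ifIndex 154, and back again.
    print(nas_port_to_ifindex(50544))
    print(ifindex_to_slot_port(154))
    print(layout_is_consistent())
```

Running the module prints 154, (5, 44) and True. Swapping in a different layout dictionary is all that is needed for another chassis, and layout_is_consistent() is the check worth running once per switch model before trusting the translation in VLAN assignment.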







