Hi Brent,

I am attempting to set up a proof-of-concept of Packetfence using MAC Authentication only with a multi-domain setup (data VLAN and voice VLAN on same port, authenticating separately). Initial authentication itself is working, as both voice and data are initially assigned to the correct VLANs (I have set the phones up to auto-register according to their Vendor MAC prefix, and the computers end up in the registration VLAN). Once I mark the node as registered, it attempts to set the VLAN but this process fails to move the workstation into the proper VLAN. I have tested this with pfcmd_vlan. The SNMP request itself succeeds, and while the configuration of the port changes, it does not affect the assignment of the existing MAC on the port.

Keep in mind that with MAB, VLANs are dynamically assigned by RADIUS, so the VLAN change is a bit different. In fact, the port VLAN is not set using the standard "switchport access vlan" line. So my question is, what do your AAA profiles look like? Do you see new RADIUS requests when you do the registration? Can you grab some logs from the packetfence.log for the registration part?

Also, can you provide a status of the dot1x on the port when the devices are plugged in?

My bet is that the re-authentication command sent to the switch by SNMP is not working. In order to validate that assumption, please do the following:
- unreg the devices
- plug the device into the switchport; you should have the registration VLAN assigned
- register your device
- bounce the port (either sh/no sh or unplug/plug the wire)
- at this point you should be in the production network.

IOS version on the 4500 is 12.2(53)SG4. It is the (n-1) version. Latest and greatest (54) has a bug with multi-domain authentication, and version must be >= 12.2(50) for required features (hoping this tidbit will help others).

Thanks for the input here. Do you know if Cisco is aware of this bug, or if a new version is now available?


Thanks.

--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
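The dynamic VLAN assignment Francois refers to travels in the RADIUS Access-Accept as the RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which is why the VLAN only changes once the switch sends a new MAB request for the MAC. The following Python is an added illustration, not code from this thread or from PacketFence: it encodes that attribute trio as a RADIUS server would and parses it back as a switch would, returning None when the set is incomplete or the tags disagree. The attribute numbers and tag rules come from RFC 2868/3580; the sample VLAN ids are constructed.

```python
import struct
# RFC 2868 tunnel attributes that RFC 3580 reuses for dynamic VLAN assignment
TUNNEL_TYPE = 64              # integer, 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # integer, 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # string, the VLAN id (or VLAN name)

def _tagged_int(attr_type, tag, value):
    # Tagged integer: Type, Length=6, Tag, then a 3-octet big-endian value
    return struct.pack("!BBB", attr_type, 6, tag) + struct.pack("!I", value)[1:]

def _tagged_string(attr_type, tag, value):
    # Tagged string: Type, Length, Tag, then the raw octets
    return struct.pack("!BBB", attr_type, 3 + len(value), tag) + value

def vlan_attributes(vlan, tag=1):
    """Attributes the RADIUS server adds to Access-Accept to put the session
    (the MAC, under MAB) into VLAN `vlan`; all three must carry the same tag."""
    return (_tagged_int(TUNNEL_TYPE, tag, 13)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, 6)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode()))

def parse_tunnel_attributes(data):
    """Walk a RADIUS attribute TLV list; return {(type, tag): value} for the
    three tunnel attributes and ignore everything else."""
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], (data[i + 1] if i + 1 < len(data) else 0)
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        body = data[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(body) == 4:
            out[(t, body[0])] = int.from_bytes(body[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and body:
            # A first octet above 0x1F is not a tag but the start of the string
            tag = body[0] if body[0] <= 0x1F else 0
            out[(t, tag)] = (body[1:] if tag else body).decode("ascii", "replace")
        i += length
    return out

def assigned_vlan(data):
    """VLAN a switch would apply from these Access-Accept attributes, or None
    when the Tunnel-Type / Medium-Type / Group-ID trio is incomplete."""
    attrs = parse_tunnel_attributes(data)
    for (t, tag), group in attrs.items():
        if (t == TUNNEL_PRIVATE_GROUP_ID
                and attrs.get((TUNNEL_TYPE, tag)) == 13
                and attrs.get((TUNNEL_MEDIUM_TYPE, tag)) == 6):
            return group
    return None
```

Comparing `assigned_vlan` over the attributes in your RADIUS server's reply with the VLAN PacketFence intended is a quick way to tell whether the problem is the Access-Accept content or the missing re-authentication.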

Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
