FG: What do your AAA profiles look like?
aaa group server radius pf
aaa authentication dot1x default group pf
aaa authorization network default group pf
snmp-server user x x v1 access pf_snmp
snmp-server user x x v2c access pf_snmp
snmp-server community x RW pf_snmp
snmp-server community y RO
Left out some obvious stuff here, but again, authentication is working
perfectly.
FG: do you see new RADIUS requests when you do the registration?
Not until I force re-authentication or the periodic re-authentication occurs
FG: Can you grab some logs from the packetfence.log for the registration part?
Yes.
Mar 22 11:47:33 pfcmd(0) INFO: pfcmd calling node_modify for
xx:xx:xx:xx:xx:xx(main::command_param)
Mar 22 11:47:33 pfcmd(0) INFO: VLAN isolation is enabled and node_modify is
part of adjustswitchportvlanreasons (main::vlan_reevaluation)
Mar 22 11:47:33 pfcmd(0) INFO: xx:xx:xx:xx:xx:xxis currentlog connected at
y.y.y.y ifIndex 154 in VLAN 800 (main::vlan_reevaluation)
Mar 22 11:47:33 pfcmd(0) INFO: MAC: 00:14:22:2b:44:5c, PID: 1, Status: reg.
Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
Mar 22 11:47:33 pfcmd(0) INFO: calling /usr/local/pf/bin/flip.pl for node
xx:xx:xx:xx:xx:xx(current VLAN = 800 but should be in VLAN 40)
(main::vlan_reevaluation)
Mar 22 11:47:33 flip.pl(0) INFO: flip.pl called with xx:xx:xx:xx:xx:xx(main::)
Mar 22 11:47:33 flip.pl(0) INFO: switch port for xx:xx:xx:xx:xx:xxis y.y.y.y
ifIndex 154 connection type: Wired MAC Auth (main::)
Mar 22 11:47:37 pfsetvlan(25) INFO: local (127.0.0.1) trap for switch y.y.y.y
(main::parseTrap)
Mar 22 11:47:37 pfsetvlan(9) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Mar 22 11:47:37 pfsetvlan(9) INFO: reAssignVlan trap received on y.y.y.y
ifIndex 154 (main::handleTrap)
Mar 22 11:47:38 pfsetvlan(9) INFO: finished (main::cleanupAfterThread)
FG: Also, can you provide a status of the dot1x on the port when the devices
are plugged in?
#sh authentication int gi5/44
Client list:
Interface MAC Address Method Domain Status Session ID
Gi5/44 xxxx.xxxx.xxxx mab VOICE Authz Success
0ADB05290000017C0F3FE638
Gi5/44 xxxx.xxxx.xxxx mab DATA Authz Success
0ADB05290000017E141DC7F0
Available methods list:
Handle Priority Name
2 1 mab
Runnable methods list:
Handle Priority Name
2 0 mab
FG: My bet is that the re-authentication command sent to the switch by SNMP is
not working. In order to validate that assumption, please do the following:
FG: - unreg the devices
FG: - plug the device into the switchport; you should have the registration
VLAN assigned
FG: - register your device
FG: - bounce the port (either sh/no sh or unplug/plug the wire)
FG: - At this point you should be in the production network.
You are completely correct. This is the case. In fact all I have to do is
issue the command:
clear authentication sessions mac xxxx.xxxx.xxxx
Dumps confirm that PacketFence is trying to do something via SNMP at this
juncture, but none of the SNMP requests were using the RW SNMP community
string.
Thanks so much,
Brent
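The diagnosis above rests on reading the SNMP dumps: which community string each request carried, and whether any of the writes (SetRequest PDUs, which a switch only honours for its RW community) actually used the RW string. The script below is an added example, not code from this thread or from PacketFence; it decodes the SNMPv1/v2c message header and PDU type from raw UDP payloads and flags any SetRequest that did not use the expected RW community. The capture, the OID (ifAdminStatus.154, mirroring the ifIndex in the logs) and the community strings "x"/"y" from the switch config are constructed sample data; a real run would feed it the SNMP payloads extracted from the dump.

```python
"""Audit an SNMP v1/v2c capture: which community each PDU used, and whether
any write (SetRequest) was sent with the expected read-write community.
Added example for this thread; assumes raw SNMP payloads already split out
of the packet dump (one bytes object per UDP datagram)."""

# PDU tags are context-specific constructed types (RFC 1157 / RFC 3416).
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "GetResponse",
    0xA3: "SetRequest",
    0xA4: "Trap",  # SNMPv1 trap (different body layout, header is the same)
    0xA5: "GetBulkRequest",
    0xA6: "InformRequest",
    0xA7: "SNMPv2-Trap",
}


def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp(packet):
    """Return (version, community, pdu_type) for one raw SNMPv1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("malformed message: version INTEGER missing")
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big"), "unknown")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("malformed message: community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)
    pdu_type = PDU_TYPES.get(pdu_tag, "unknown(0x%02x)" % pdu_tag)
    return version, community.decode("ascii", "replace"), pdu_type


def audit_capture(packets, rw_community):
    """Summarise PDU types/communities and flag SetRequests lacking the RW community."""
    pdus = [parse_snmp(p) for p in packets]
    wrong = [c for _, c, t in pdus if t == "SetRequest" and c != rw_community]
    return {
        "pdus": pdus,
        "set_requests": sum(1 for _, _, t in pdus if t == "SetRequest"),
        "rw_used": any(c == rw_community for _, c, _ in pdus),
        "set_with_wrong_community": wrong,
    }


# --- Minimal BER encoder used only to build the constructed sample capture ---

def _tlv(tag, value):
    assert len(value) < 128, "short-form length is enough for these samples"
    return bytes([tag, len(value)]) + value


def _oid(dotted):
    """Encode a dotted OID as a BER OBJECT IDENTIFIER (base-128 sub-identifiers)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += enc
    return _tlv(0x06, bytes(out))


def build_snmp(version, community, pdu_tag, varbinds=b""):
    """Build a v1/v2c message with a standard PDU (request-id 1, no error)."""
    pdu = _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, varbinds)
    msg = _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu)
    return _tlv(0x30, msg)


IF_ADMIN_STATUS_154 = "1.3.6.1.2.1.2.2.1.7.154"  # ifAdminStatus for ifIndex 154
GET_VB = _tlv(0x30, _oid(IF_ADMIN_STATUS_154) + _tlv(0x05, b""))       # value NULL
SET_VB = _tlv(0x30, _oid(IF_ADMIN_STATUS_154) + _tlv(0x02, b"\x02"))   # down(2)

# Constructed sample capture (not the thread's real dumps): every request from
# the NAC carries the RO community "y", including the write, which the switch
# will refuse; the RW community "x" never appears on the wire.
SAMPLE_CAPTURE = [
    build_snmp(1, "y", 0xA0, GET_VB),   # GetRequest with RO community: fine
    build_snmp(1, "y", 0xA1, GET_VB),   # GetNextRequest with RO community: fine
    build_snmp(1, "y", 0xA3, SET_VB),   # SetRequest with RO community: rejected
    build_snmp(1, "traps", 0xA7, GET_VB),  # v2c trap from the switch
]

if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE, rw_community="x")
    for version, community, pdu_type in report["pdus"]:
        print("%-4s community=%-6s %s" % (version, community, pdu_type))
    print("SetRequests:", report["set_requests"], "| RW community seen:", report["rw_used"])
    print("SetRequests with wrong community:", report["set_with_wrong_community"])
```

Run against the sample, the report shows one SetRequest, no use of the RW community, and that SetRequest flagged as sent with "y": exactly the pattern described above, where the switch never reassigns the port because the write is authorised against the wrong community. A capture where the write uses "x" produces no flags.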
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users