FG: Another thing, can you do a walk of the dot1xPaeState OIDs for your
ifIndex? (1.0.8802.1.1.1.1.2.1.1.1.[ifIndex])
FG: Give me the output.
snmpwalk -v 2c -c xxxx my_switch .1.0.8802.1.1.1.1.2.1.1.1.154
iso.0.8802.1.1.1.1.2.1.1.1.154 = INTEGER: 2
Ok... I figured out what was failing here, but it did not get me all that much
further. Since I am only using MAB, I did not have "dot1x pae authenticator"
set on the port. Once I added that, the errors went away, but it does not
actually seem to deauthenticate anything. Here is what I see:
sh authentication sessions int gi5/44
Interface: GigabitEthernet5/44
MAC Address: xxxx.xxxx.xxxx
IP Address: Unknown
User-Name: xxxxxxxxxxxx
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 40
Session timeout: 10800s (local), Remaining: 10742s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0ADB05290000034019113298
Acct Session ID: 0x00000362
Handle: 0x3F000341
Runnable methods list:
Method State
mab Authc Success
----------------------------------------
Interface: GigabitEthernet5/44
MAC Address: xxxx.xxxx.xxxx
IP Address: Unknown
User-Name: xxxxxxxxxxxx
Status: Authz Success
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Session timeout: 10800s (local), Remaining: 10737s
Timeout action: Reauthenticate
Idle timeout: N/A
Common Session ID: 0ADB05290000034319114AB8
Acct Session ID: 0x00000365
Handle: 0xE7000344
Runnable methods list:
Method State
mab Authc Success
I then run the command:
#/usr/local/pf/bin/pfcmd_vlan -deauthenticateDot1x -switch my_switch -ifIndex 154 -verbose 4
DEBUG - instantiating new SwitchFactory object
DEBUG - reading config file /usr/local/pf/conf/switches.conf
DEBUG - creating new pf::SNMP::Cisco::Catalyst_4500 object
DEBUG - start handling 'deauthenticateDot1x' command
INFO - wired deauthentication of a 802.1x MAC
DEBUG - finished handling 'deauthenticateDot1x' command
Here it is in the log:
Mar 23 10:36:35 pfcmd_vlan(0) INFO: verbosity flag passed. Messages now logged
to stdout and logs but logged message priority will change for this pfcmd_vlan
run. (main::)
Mar 23 10:36:35 pfcmd_vlan(0) INFO: New loglevel: TRACE (main::)
Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: instantiating new SwitchFactory object
(pf::SwitchFactory::new)
Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: reading config file
/usr/local/pf/conf/switches.conf (pf::SwitchFactory::readConfig)
Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: creating new
pf::SNMP::Cisco::Catalyst_4500 object (pf::SwitchFactory::instantiate)
Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: start handling 'deauthenticateDot1x'
command (main::)
Mar 23 10:36:35 pfcmd_vlan(0) INFO: wired deauthentication of a 802.1x MAC
(main::)
Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: finished handling 'deauthenticateDot1x'
command (main::)
But the port is not deauthenticated:
#sh authentication sessions int gi5/44
Interface: GigabitEthernet5/44
MAC Address: xxxx.xxxx.xxxx
IP Address: Unknown
User-Name: xxxxxxxxxxx
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 40
Session timeout: 10800s (local), Remaining: 10548s
...
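As an added diagnostic in Python (not PacketFence or Cisco code): it parses the two outputs shown above, decodes the walked value with the dot1xAuthPaeState names from IEEE8021-PAE-MIB (1.0.8802.1.1.1.1.2.1.1.1 is that column, so INTEGER 2 reads as "disconnected"), and lists the sessions a MAB-only port keeps in "Authz Success" while the 802.1X authenticator is not in the "authenticated" state. The sample text is constructed from the thread's output with its placeholders kept.

```python
import re
from typing import Dict, List

# dot1xAuthPaeState values from IEEE8021-PAE-MIB (column 1.0.8802.1.1.1.1.2.1.1.1, walked above).
PAE_STATE = {1: "initialize", 2: "disconnected", 3: "connecting", 4: "authenticating", 5: "authenticated",
             6: "aborting", 7: "held", 8: "forceAuth", 9: "forceUnauth", 10: "restart"}
# Accepts both the numeric prefix and the "iso." prefix net-snmp prints when the MIB is not loaded.
WALK_LINE = re.compile(r"(?:iso|\.?1)\.0\.8802\.1\.1\.1\.1\.2\.1\.1\.1\.(\d+)\s*=\s*INTEGER:\s*(\d+)")

def parse_pae_walk(text: str) -> Dict[int, str]:
    """Map ifIndex -> authenticator PAE state name from snmpwalk output."""
    return {int(m[1]): PAE_STATE.get(int(m[2]), "unknown") for m in WALK_LINE.finditer(text)}

def parse_auth_sessions(text: str) -> List[dict]:
    """Split 'show authentication sessions interface ...' output into one dict per session."""
    sessions, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:") and cur:       # a new session block begins
            sessions.append(cur); cur = {}
        if ":" in line:                                 # "Key: value" rows
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
        elif line.split(" ")[0] in ("mab", "dot1x"):    # rows of the runnable-methods table
            method, _, state = line.partition(" ")
            cur.setdefault("methods", {})[method] = state.strip()
    if cur: sessions.append(cur)
    return sessions

def mab_authorized_while_dot1x_down(sessions: List[dict], pae_state: str) -> List[str]:
    """Domains still 'Authz Success' via MAB while the 802.1X PAE is not 'authenticated':
    a dot1x-only reinitialization has nothing to tear down for these sessions."""
    if pae_state == "authenticated":
        return []
    return [s.get("Domain", "?") for s in sessions
            if s.get("Status") == "Authz Success" and "mab" in s.get("methods", {})]

# Constructed sample, copied from the thread's output with its placeholders kept.
WALK = "iso.0.8802.1.1.1.1.2.1.1.1.154 = INTEGER: 2\n"
SESSIONS = ("Interface: GigabitEthernet5/44\nMAC Address: xxxx.xxxx.xxxx\nStatus: Authz Success\n"
            "Domain: DATA\nMethod State\nmab Authc Success\n" + "-" * 40 + "\n"
            "Interface: GigabitEthernet5/44\nStatus: Authz Success\nDomain: VOICE\n"
            "Method State\nmab Authc Success\n")

if __name__ == "__main__":
    state = parse_pae_walk(WALK)[154]
    print(state, mab_authorized_while_dot1x_down(parse_auth_sessions(SESSIONS), state))
```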
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users