Brent,

Just looking back at your result, you should see 5 in the PAE state which is authenticated. Please walk the entire OID tree and look for which ifIndex you see 5.

On 11-03-23 1:41 PM, Brent Knotts wrote:
> FG: Another thing, can you do a walk of the dot1xPaeState OIDs for your
> ifIndex? (1.0.8802.1.1.1.1.2.1.1.1.[ifIndex])
>
> FG: Give me the output.
> snmpwalk -v 2c -c xxxx my_switch .1.0.8802.1.1.1.1.2.1.1.1.154
> iso.0.8802.1.1.1.1.2.1.1.1.154 = INTEGER: 2
>
>
> Ok...I figured out what was failing here, but it did not get me all that much
> further. Since I am only using MAB, I did not have "dot1x pae authenticator"
> set on the port. Once I added that, the errors went away, but it does not
> actually seem to deauthenticate anything. Here is what I see:
>
> sh authentication sessions int gi5/44
>             Interface:  GigabitEthernet5/44
>           MAC Address:  xxxx.xxxx.xxxx
>            IP Address:  Unknown
>             User-Name:  xxxxxxxxxxxx
>                Status:  Authz Success
>                Domain:  DATA
>        Oper host mode:  multi-domain
>      Oper control dir:  both
>         Authorized By:  Authentication Server
>           Vlan Policy:  40
>       Session timeout:  10800s (local), Remaining: 10742s
>        Timeout action:  Reauthenticate
>          Idle timeout:  N/A
>     Common Session ID:  0ADB05290000034019113298
>       Acct Session ID:  0x00000362
>                Handle:  0x3F000341
>
> Runnable methods list:
>        Method   State
>        mab      Authc Success
>
> ----------------------------------------
>             Interface:  GigabitEthernet5/44
>
>           MAC Address:  xxxx.xxxx.xxxx
>            IP Address:  Unknown
>             User-Name:  xxxxxxxxxxxx
>                Status:  Authz Success
>                Domain:  VOICE
>        Oper host mode:  multi-domain
>      Oper control dir:  both
>         Authorized By:  Authentication Server
>       Session timeout:  10800s (local), Remaining: 10737s
>        Timeout action:  Reauthenticate
>          Idle timeout:  N/A
>     Common Session ID:  0ADB05290000034319114AB8
>       Acct Session ID:  0x00000365
>                Handle:  0xE7000344
>
> Runnable methods list:
>        Method   State
>        mab      Authc Success
>
> I then run the command:
> #/usr/local/pf/bin/pfcmd_vlan -deauthenticateDot1x -switch my_switch -ifIndex 154 -verbose 4
> DEBUG - instantiating new SwitchFactory object
> DEBUG - reading config file /usr/local/pf/conf/switches.conf
> DEBUG - creating new pf::SNMP::Cisco::Catalyst_4500 object
> DEBUG - start handling 'deauthenticateDot1x' command
> INFO - wired deauthentication of a 802.1x MAC
> DEBUG - finished handling 'deauthenticateDot1x' command
>
> Here it is in the log:
>
> Mar 23 10:36:35 pfcmd_vlan(0) INFO: verbosity flag passed. Messages now
> logged to stdout and logs but logged message priority will change for this
> pfcmd_vlan run. (main::)
> Mar 23 10:36:35 pfcmd_vlan(0) INFO: New loglevel: TRACE (main::)
> Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: instantiating new SwitchFactory object
> (pf::SwitchFactory::new)
> Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: reading config file
> /usr/local/pf/conf/switches.conf (pf::SwitchFactory::readConfig)
> Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: creating new
> pf::SNMP::Cisco::Catalyst_4500 object (pf::SwitchFactory::instantiate)
> Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: start handling 'deauthenticateDot1x'
> command (main::)
> Mar 23 10:36:35 pfcmd_vlan(0) INFO: wired deauthentication of a 802.1x MAC
> (main::)
> Mar 23 10:36:35 pfcmd_vlan(0) DEBUG: finished handling 'deauthenticateDot1x'
> command (main::)
>
> But the port is not deauthenticated:
>
> #sh authentication sessions int gi5/44
>             Interface:  GigabitEthernet5/44
>           MAC Address:  xxxx.xxxx.xxxx
>            IP Address:  Unknown
>             User-Name:  xxxxxxxxxxx
>                Status:  Authz Success
>                Domain:  DATA
>        Oper host mode:  multi-domain
>      Oper control dir:  both
>         Authorized By:  Authentication Server
>           Vlan Policy:  40
>       Session timeout:  10800s (local), Remaining: 10548s
> ...
>
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
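
The full-column walk requested above can be filtered mechanically. The following is an added example, not part of the original message or of PacketFence: it decodes each row of the dot1xAuthPaeState column using the state names from IEEE8021-PAE-MIB and lists the ifIndexes that read 5 (authenticated). The function names and every sample row except the ifIndex 154 line are constructed for illustration.

```shell
#!/bin/sh
# dot1xAuthPaeState column (IEEE8021-PAE-MIB); the last sub-identifier is the port's ifIndex.
PAE_STATE_OID=".1.0.8802.1.1.1.1.2.1.1.1"

# Read snmpwalk output on stdin; print "<ifIndex> <value> <state name>" for each row.
pae_states() {
    awk '
    BEGIN {
        split("initialize disconnected connecting authenticating authenticated aborting held forceAuth forceUnauth restart", name, " ")
    }
    / = INTEGER: / {
        oid = $1; sub(/.*\./, "", oid)      # keep only the trailing ifIndex
        val = $NF
        # With the MIB loaded, net-snmp prints the value as "authenticated(5)"
        if (val ~ /\(/) { sub(/.*\(/, "", val); sub(/\).*/, "", val) }
        val += 0
        print oid, val, ((val in name) ? name[val] : "unknown")
    }'
}

# Print only the ifIndexes whose PAE state is 5 (authenticated).
authenticated_ifindexes() {
    pae_states | awk '$2 == 5 { print $1 }'
}

# Constructed sample walk; only the ifIndex 154 row is taken from the thread.
sample_walk() {
cat <<'EOF'
iso.0.8802.1.1.1.1.2.1.1.1.153 = INTEGER: 1
iso.0.8802.1.1.1.1.2.1.1.1.154 = INTEGER: 2
iso.0.8802.1.1.1.1.2.1.1.1.155 = INTEGER: 5
IEEE8021-PAE-MIB::dot1xAuthPaeState.156 = INTEGER: authenticated(5)
EOF
}

# Live use (community string and switch name are placeholders):
#   snmpwalk -v 2c -c <community> <switch> "$PAE_STATE_OID" | authenticated_ifindexes
sample_walk | pae_states
```

In this decoding, the value 2 returned for ifIndex 154 in the quoted walk is the MIB's "disconnected" state.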
