OB: In MAB, the client doesn't speak EAPoL so there's no way to flip the VLAN in a dialog between the switch and the client.
OB: When a port is in MAB, PacketFence will bounce the port (shut, wait, no-shut) instead of doing the PAE-Reauth you guys were talking about.

Ahh...that makes the world make a bit more sense.

OB: May I stress on the fact that you must *make sure* that your homemade NAS-Port to ifIndex works appropriately (by walking the IF-MIB and comparing with what's in pf's locationlog table).

The translation is correct. Below the IfIndex is shown as 154. That is the port in question (Gi 5/44).

OB: What do you have in the packetfence logs when PacketFence wants to change the user's VLAN? Sorry if you already sent it before..

I unregistered the node and re-registered:

Mar 25 12:17:02 pfcmd(0) INFO: pfcmd calling node_modify for mac (main::command_param)
Mar 25 12:17:02 pfcmd(0) INFO: VLAN isolation is enabled and node_modify is part of adjustswitchportvlanreasons (main::vlan_reevaluation)
Mar 25 12:17:02 pfcmd(0) INFO: mac is currentlog connected at switchip ifIndex 154 in VLAN 40 (main::vlan_reevaluation)
Mar 25 12:17:02 pfcmd(0) INFO: MAC: mac is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Mar 25 12:17:02 pfcmd(0) INFO: calling /usr/local/pf/bin/flip.pl for node mac (current VLAN = 40 but should be in VLAN 800) (main::vlan_reevaluation)
Mar 25 12:17:03 flip.pl(0) INFO: flip.pl called with mac (main::)
Mar 25 12:17:03 flip.pl(0) INFO: switch port for mac is switchip ifIndex 154 connection type: Wired MAC Auth (main::)
Mar 25 12:17:06 pfsetvlan(23) INFO: local (127.0.0.1) trap for switch switchip (main::parseTrap)
Mar 25 12:17:07 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Mar 25 12:17:08 pfsetvlan(5) INFO: reAssignVlan trap received on switchip ifIndex 154 (main::handleTrap)
Mar 25 12:17:08 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
Mar 25 12:17:27 pfcmd(0) INFO: pfcmd calling node_modify for mac (main::command_param)
Mar 25 12:17:27 pfcmd(0) INFO: VLAN isolation is enabled and node_modify is part of adjustswitchportvlanreasons (main::vlan_reevaluation)
Mar 25 12:17:27 pfcmd(0) INFO: mac is currentlog connected at switchip ifIndex 154 in VLAN 40 (main::vlan_reevaluation)
Mar 25 12:17:27 pfcmd(0) INFO: MAC:mac, PID: 1, Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)

Nothing changes on the switch...the ports are not affected, and there is nothing in the switch's log.. A tcpdump shows SNMP gets to the switch port when I unregistered, but nothing read/write. There were no packets sent out to the switch whatsoever when I re-registered.

Thanks,
Brent
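
One way to correlate the pfcmd, flip.pl and pfsetvlan lines of a log like the one quoted in the message above, as an added example that is not part of the original message and is not PacketFence code. The sample lines are constructed from the format shown in the message, and the function names and verdict labels are hypothetical.

```python
import re

# Constructed sample in the quoted log format ("mac"/"switchip" are its placeholders).
SAMPLE = """\
Mar 25 12:17:02 pfcmd(0) INFO: pfcmd calling node_modify for mac (main::command_param)
Mar 25 12:17:02 pfcmd(0) INFO: mac is currentlog connected at switchip ifIndex 154 in VLAN 40 (main::vlan_reevaluation)
Mar 25 12:17:02 pfcmd(0) INFO: calling /usr/local/pf/bin/flip.pl for node mac (current VLAN = 40 but should be in VLAN 800) (main::vlan_reevaluation)
Mar 25 12:17:08 pfsetvlan(5) INFO: reAssignVlan trap received on switchip ifIndex 154 (main::handleTrap)
Mar 25 12:17:27 pfcmd(0) INFO: pfcmd calling node_modify for mac (main::command_param)
Mar 25 12:17:27 pfcmd(0) INFO: mac is currentlog connected at switchip ifIndex 154 in VLAN 40 (main::vlan_reevaluation)
Mar 25 12:17:27 pfcmd(0) INFO: MAC:mac, PID: 1, Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
"""

START = re.compile(r"^(\w+ +\d+ [\d:]+) pfcmd\(\d+\) INFO: pfcmd calling node_modify for (\S+)")
LOCATED = re.compile(r"connected at (\S+) ifIndex (\d+) in VLAN (\d+)")
FLIP = re.compile(r"calling \S*flip\.pl for node \S+ \(current VLAN = (\d+) but should be in VLAN (\d+)\)")
RETURNED = re.compile(r"Returned VLAN: (\d+)")
TRAP = re.compile(r"reAssignVlan trap received on (\S+) ifIndex (\d+)")

def reevaluations(log_text):
    """Group lines into one record per node_modify call and note what followed."""
    events = []
    for line in log_text.splitlines():
        if m := START.search(line):
            events.append({"time": m[1], "mac": m[2], "switch": None, "ifindex": None,
                           "current": None, "target": None, "flip": False, "trap": False})
        if not events:
            continue
        ev = events[-1]
        if m := LOCATED.search(line):
            ev["switch"], ev["ifindex"], ev["current"] = m[1], int(m[2]), int(m[3])
        elif m := FLIP.search(line):
            ev["target"], ev["flip"] = int(m[2]), True
        elif m := RETURNED.search(line):
            ev["target"] = int(m[1])
        elif (m := TRAP.search(line)) and (m[1], int(m[2])) == (ev["switch"], ev["ifindex"]):
            ev["trap"] = True  # trap logged for the same switch port; says nothing about the switch itself
    return events

def verdict(ev):
    """Classify a record: was a VLAN change needed, requested, and was a trap logged?"""
    if ev["target"] is None or ev["target"] == ev["current"]:
        return "no-change-needed"
    if not ev["flip"]:
        return "change-needed-but-flip-not-called"
    return "flip-called-trap-seen" if ev["trap"] else "flip-called-no-trap"

if __name__ == "__main__":
    for ev in reevaluations(SAMPLE):
        print(ev["time"], ev["mac"], ev["current"], "->", ev["target"], verdict(ev))
```

A "flip-called-trap-seen" record only shows that PacketFence queued the port action; whether the switch acted on it still has to be checked on the switch or on the wire.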
