I figured it out... 12.2(44)SE6 version of IOS on the 2960 has bugs in port-security. I upgraded the switch to 12.2(55)SE1 and the problem went away completely. When collecting debug information as per your request, I did a capture and found the switch was not emitting port-security traps when it should... PacketFence can't react when the switch doesn't send the traps ;)
With that said... I continued testing and found two more problems:

1) Node registration change from reg to unreg in the PF WebUI does not cause the station to be treated as unreg if the category is not also changed back to "no category". If I mark a station as unreg, but leave the category as something a registered device would use, the device is still allowed to use the port.

2) Custom VLAN settings via custom.pm on a per-category basis didn't work. The error was:

   Apr 21 13:37:09 pfsetvlan(11) WARN: new VLAN is not a managed VLAN -> replacing VLAN with MAC detection VLAN 321 (pf::SNMP::setVlan)
   Apr 21 13:37:09 pfsetvlan(11) INFO: finished (main::cleanupAfterThread)

The VLAN specified in custom.pm is specified in the "Vlans" field of the switch in the WebUI. Do I need to add VLAN ids somewhere else in addition so that PacketFence considers it a managed VLAN? In switches.conf I have the VLANs specified in two places: "vlans=" and the customVlan entries. I noticed that the switch I am testing does not have these entries, but I assumed it was because the settings were taken from the default entry when they were missing.
Here is a snippet of the switches.conf file (10.9.0.16 is the 2960 switch I am testing with):

[default]
vlans=1,3,24,32,321
normalVlan=1
registrationVlan=321
isolationVlan=321
macDetectionVlan=321
guestVlan=321
customVlan1=24
customVlan2=2
customVlan3=3
customVlan4=
customVlan5=
VoIPEnabled=no
voiceVlan=32
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
cliTransport=Telnet
cliUser=<censored>
cliPwd=<censored>
cliEnablePwd=<censored>
SNMPVersion=2c
SNMPCommunityRead=<censored>
SNMPCommunityWrite=<censored>
SNMPVersionTrap=2c
SNMPCommunityTrap=<censored>
wsTransport=https
wsUser=<censored>
wsPwd=<censored>

[10.9.0.16]
type=Cisco::Catalyst_2960
mode=production
cliTransport=SSH
uplink=10101,10501

BTW - just one other note: although it does not appear to be causing a problem, I see this error in the packetfence.log:

   Apr 21 13:37:09 pfsetvlan(11) WARN: SNMP error tyring to add or remove secure rows in port-security table. This could be normal. Error message: Received noCreation(11) error-status at error-index 2 (pf::SNMP::Cisco::Catalyst_2960::authorizeMAC)

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, April 20, 2011 7:15 PM
To: [email protected]
Subject: Re: [Packetfence-users] Cisco 2960 port-security problem

Can you give us some more lines in your packetfence.log? One line won't help. Maybe you should turn on debug logging as well. Otherwise, it will be hard to help.

> I am testing a Cisco 2960 with port-security and PF 2.1, and something is happening that I think is not correct, so I will describe it below:
>
> 1) Cisco 2960 switch, running C2960-LANBASEK9-M 12.2(44)SE6
>    a. Configured with port-security per port
>       i. Global port-security settings:
>          1. snmp-server enable traps port-security
>          2. snmp-server enable traps port-security trap-rate 1
>          3. mac address-table aging-time 3600
>       ii. Interface level port-security settings:
>          1. switchport access vlan 321
>          2. switchport mode access
>          3. switchport port-security maximum 1 vlan access
>          4. switchport port-security violation restrict
>          5. switchport port-security mac-address 0200.0001.0003
>          6. spanning-tree portfast
>    b. Vlan 321 is the isolation and mac-detection vlan.
>
> 2) When I connected an unregistered device to the port, the packetfence log shows a port-security trap from the switch, and packetfence added the MAC address to the database as an unregistered device.
>
> 3) I edited the entry for the MAC address via the packetfence webUI and set the entry to registered.
>
> 4) This entry then shows up in the packetfence log:
>    a. pfcmd(0) WARN: Can't change VLAN for mac 34:15:9e:10:72:06 because no open locationlog entry was found (main::vlan_reevaluation)
>
> 5) I disconnected the device, and reconnected it to the same port.
>
> 6) The packetfence log shows no port-security trap when the port link comes up, but does show the dhcp requests that the device is making.
>
> 7) The switchport the device is connected to is not changed to the VLAN specified in packetfence.
>
> 8) A "show run" on the switch shows the interface level settings have not changed at all.
>
> 9) A "show port-security interface" on the switch for the port shows:
>    a. Port Security : Disabled
>    b. Port Status : Secure-down
>    c. Violation Mode : Restrict
>    d. Aging Time : 0 mins
>    e. Aging Type : Absolute
>    f. SecureStatic Address Aging : Disabled
>    g. Maximum MAC Addresses : 1
>    h. Total MAC Addresses : 1
>    i. Configured MAC Addresses : 1
>    j. Sticky MAC Addresses : 0
>    k. Last Source Address:Vlan : 0000.0000.0000:0
>    l. Security Violation Count : 0
>
> So I have several questions:
>
> 1) After connecting the device the first time, packetfence did as it should: learn the MAC address, set it to unreg, leave the port in the unreg vlan. But why did it not go to the switch and set the vlan to the registered devices vlan after I registered the device?
>
> 2) Why are subsequent clean connections by the same device to the same port on the switch not generating any traps at all?
>
> I had expected to see a flow of operation such that when the device connected, it would remain isolated, PF would learn the MAC, an admin user in PF would set the device to registered, PF would then reconfigure the switch port to reflect the registered state.
>
> What am I doing and/or understanding incorrectly? I am not using captive portal, just PF admin manual reg state changes in the PF WebUI.
>
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
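The "new VLAN is not a managed VLAN" question above comes down to whether the VLAN id that custom.pm returns appears in the vlans= list that is in effect for that switch section. As an added illustration (not PacketFence's own code), the following Python reads a switches.conf-style file, merges a switch's section over [default] (the fallback the poster assumes; treated here as an assumption about PacketFence's behaviour rather than something verified against its source), and reports every VLAN-bearing key whose id is missing from vlans=. The sample file is constructed from the snippet in the thread with the credential lines left out.

```python
import configparser

# Constructed sample modelled on the switches.conf snippet posted in the thread;
# the credential keys (cliUser, cliPwd, SNMPCommunity*, ws*) are omitted.
SAMPLE_SWITCHES_CONF = """\
[default]
vlans=1,3,24,32,321
normalVlan=1
registrationVlan=321
isolationVlan=321
macDetectionVlan=321
guestVlan=321
customVlan1=24
customVlan2=2
customVlan3=3
customVlan4=
customVlan5=
VoIPEnabled=no
voiceVlan=32
mode=testing
uplink=dynamic
cliTransport=Telnet

[10.9.0.16]
type=Cisco::Catalyst_2960
mode=production
cliTransport=SSH
uplink=10101,10501
"""


def load_switches(text):
    """Parse switches.conf-style INI text, preserving key case (customVlan1, macDetectionVlan, ...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # configparser lower-cases keys by default; keep them as written
    cp.read_string(text)
    return cp


def effective_config(cp, switch):
    """Settings that apply to one switch: its own section layered over [default].

    Assumption: keys missing from the per-switch section fall back to [default],
    which is what the poster expects; not checked against PacketFence itself.
    """
    merged = dict(cp["default"]) if cp.has_section("default") else {}
    if cp.has_section(switch):
        merged.update(cp[switch])
    return merged


def managed_vlans(cfg):
    """The VLAN ids the switch section declares as manageable, from its vlans= key."""
    return {v.strip() for v in cfg.get("vlans", "").split(",") if v.strip()}


def vlan_report(cfg):
    """Map every VLAN-bearing key (customVlanN, *Vlan) to (vlan_id, is_managed); empty values are skipped."""
    managed = managed_vlans(cfg)
    vlan_keys = [k for k in cfg if k.startswith("customVlan") or k.endswith("Vlan")]
    return {k: (cfg[k].strip(), cfg[k].strip() in managed) for k in vlan_keys if cfg[k].strip()}


def unmanaged_vlan_keys(cfg):
    """Keys whose VLAN id is absent from vlans=, sorted for stable output."""
    return sorted(k for k, (_, ok) in vlan_report(cfg).items() if not ok)


if __name__ == "__main__":
    cp = load_switches(SAMPLE_SWITCHES_CONF)
    for switch in cp.sections():
        if switch == "default":
            continue
        cfg = effective_config(cp, switch)
        print(f"[{switch}] mode={cfg.get('mode')} managed={sorted(managed_vlans(cfg), key=int)}")
        for key in unmanaged_vlan_keys(cfg):
            print(f"  {key}={cfg[key]} is not in vlans= and would fall back to "
                  f"macDetectionVlan {cfg.get('macDetectionVlan')}")
```

Run against the posted snippet, the check flags customVlan2=2, whose id is not in vlans=1,3,24,32,321. The thread does not say which VLAN custom.pm actually returned, so this is not a diagnosis of the poster's case, but it is exactly the kind of mismatch that produces the warning quoted above, and it is a cheap thing to verify before touching the WebUI "Vlans" field.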
