Ok...I am currently testing the 2.2.1 update process on my network. Thanks Olivier.
-----Original Message----- From: Olivier Bilodeau [mailto:[email protected]] Sent: Tuesday, June 21, 2011 11:13 AM To: [email protected] Subject: Re: [Packetfence-users] Cisco 2960 8 port and PF error Hi Nicholas, > Running PacketFence 2.2.0 on CentOS 5.5 Switch is a Cisco 2960, > specifically a WS-C2960-8TC-L running > c2960-lanbasek9-mz.122-55.SE1 - 55.SE1 with VoIP was problematic with PacketFence before 2.2.1 - 55.SE1 without VoIP should work fine AFAIK > > The only problem I am having is that the port is authorized for a MAC > address attached to it, but not completely. The correct VLAN is > configured, but the MAC address is not put on the interface, but the > computer attached seems to be working. > snip > > The resulting config on the switch port is: > > interface FastEthernet0/1 > switchport access vlan 3 > switchport mode access > switchport port-security maximum 1 vlan access switchport > port-security switchport port-security violation restrict > spanning-tree portfast > > The switchport port-security mac-address <mac address> vlan access > command is missing. When I do a "sh port-security interface > FastEthernet0/1" command, the port shows as up and not restricted, and > authorized for the correct mac address. Without the mac-address ... statement you are allowing MACs to be learned dynamically before port-security traps are being sent to PacketFence. So, it seems like it works for the user but as a NAC it doesn't because an untrusted - unauthorized user would get network access on that port. With PacketFence MACs should be pinned to ports all the time. It seems that there is a problem with that IOS or with the configuration. > > I mention all of this just to make you aware of the behavior. I know > from earlier traffic on the list that this IOS version may be buggy, > but I was not sure if anyone knew exactly what it was doing. > The 55.SE is identified as being buggy for port-security but 55.SE1 is not. Are you 100% sure this problem is reproducible? Also, can you try to reproduce with 55.SE3 and let us know how it goes? If you can't reproduce with 55.SE3 (it works fine in our lab we haven't tested SE1) then we will mark 55.SE1 as buggy in the documentation. Thanks, -- Olivier Bilodeau [email protected] :: +1.514.447.4918 *115 :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) ------------------------------------------------------------------------ ------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking. http://p.sf.net/sfu/ephox-dev2dev _______________________________________________ Packetfence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
