Thank you again Francois, much appreciated.
I have this setup now using RADIUS but the switch isn't liking it for
some reason. The port is on the guest VLAN by default and if the user
is registered, I want RADIUS to assign the port to VLAN 300. Looking
over tcpdump it is indeed sending the VLAN through RADIUS with this:
11:46:53.038731 IP (tos 0x0, ttl 64, id 23542, offset 0, flags
[none], proto: UDP (17), length: 65) 192.168.23.5.radius >
192.168.23.51.49154: [bad udp cksum 2253!] RADIUS, length: 37
Access Accept (2), id: 0x00, Authenticator:
eed2cc463b3777e222557870639f9b0a
Tunnel Type Attribute (64), length: 6, Value: Tag[Unused]#13
0x0000: 0000 000d
Tunnel Medium Attribute (65), length: 6, Value: Tag[Unused]802
0x0000: 0000 0006
Tunnel Private Group Attribute (81), length: 5, Value: 300
0x0000: 3330 30
but for some reason the switch is saying:
%SEC-W-SUPPLICANTUNAUTHORIZED: MAC 00:1e:37:8a:40:7C was rejected on
port 1:20 because Radius accept message does not contain VLAN ID
I have no clue what these D-Links want and there seems to be no way to
find out... any thoughts?
On Tue, Jul 12, 2011 at 7:11 PM, Francois Gaudreault
<[email protected]> wrote:
> John,
>
> Port-Security has never been tested using DGS 3100. This module is only
> intended to work using MAC authentication or 802.1X. No SNMP is
> involved in those technologies, only RADIUS.
>
> You should definitely look to implement 802.1X or MAC Auth, not
> port-security unless you want to get your hand in the module code or
> sponsor the development of such feature... ;)
>
>
> On 11-07-12 4:08 PM, John Corps wrote:
>> Hey Francois,
>>
>> Thanks for the help. I can use pfcmd_vlan and it will assign the VLAN
>> fine for me.... When I try to set it to the default one (#1), it says
>> this:
>> [user@pf-001 bin]$ ./pfcmd_vlan -setVlan -vlan 1 -ifIndex 2 -switch
>> 192.168.23.51 -verbose 3
>> DEBUG - instantiating new SwitchFactory object
>> DEBUG - reading config file /usr/local/pf/conf/switches.conf
>> DEBUG - creating new pf::SNMP::Dlink::DGS_3100 object
>> DEBUG - start handling 'setVlan' command
>> WARN - new VLAN 1 is not defined on switch 192.168.23.51 -> replacing
>> VLAN 1 with MAC detection VLAN 400
>> DEBUG - Database statements not prepared, preparing...
>> DEBUG - Preparing pf::locationlog database queries
>> DEBUG - function pf::db::get_db_handle is calling db_connect
>> DEBUG - checking handle
>> DEBUG - (Re)Connecting to MySQL (thread id: 0)
>> DEBUG - connected
>> DEBUG - latest locationlog entry is still accurate
>> DEBUG - Database statements not prepared, preparing...
>> DEBUG - Preparing pf::node database queries
>> new VLAN: 200
>> DEBUG - finished handling 'setVlan' command
>> [user@pf-001 bin]$
>>
>> From packetfence.log when a user logs in and registers:
>>
>> Jul 12 10:41:39 pfcmd(0) INFO: pfcmd calling node_modify for
>> 00:1e:37:8a:40:7C (main::command_param)
>> Jul 12 10:41:39 pfcmd(0) INFO: VLAN isolation is enabled and
>> node_modify is part of adjustswitchportvlanreasons
>> (main::vlan_reevaluation)
>> Jul 12 10:41:39 pfcmd(0) INFO: 00:1e:37:8a:40:7C is currentlog
>> connected at 192.168.23.51 ifIndex 2 in VLAN 400
>> (main::vlan_reevaluation)
>> Jul 12 10:41:39 pfcmd(0) INFO: MAC: 00:1e:37:8a:40:7C is of status
>> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
>> Jul 12 10:41:39 pfcmd(0) INFO: calling /usr/local/pf/bin/flip.pl for
>> node 00:1e:37:8a:40:7C (current VLAN = 400 but should be in VLAN 200)
>> (main::vlan_reevaluation)
>> Jul 12 10:41:39 flip.pl(0) INFO: flip.pl called with 00:1e:37:8a:40:7C
>> (main::)
>> Jul 12 10:41:39 flip.pl(0) INFO: switch port for 00:1e:37:8a:40:7C is
>> 192.168.23.51 ifIndex 2 connection type: Wired SNMP (main::)
>> Jul 12 10:41:41 pfsetvlan(23) INFO: local (127.0.0.1) trap for switch
>> 192.168.23.51 (main::parseTrap)
>> Jul 12 10:41:41 pfsetvlan(15) INFO: nb of items in queue: 1; nb of
>> threads running: 0 (main::startTrapHandlers)
>> Jul 12 10:41:41 pfsetvlan(15) INFO: reAssignVlan trap received on
>> 192.168.23.51 ifIndex 2 (main::handleTrap)
>> Jul 12 10:41:41 pfsetvlan(15) INFO: no security traps are configured
>> on 192.168.23.51 ifIndex 2. Flipping port admin status
>> (main::handleTrap)
>>
>> Weird how it says it's in VLAN 400 and should be in 200, but on the
>> switch it's showing it as in 200 and getting a DHCP IP from registration.
>>
>> On Tue, Jul 12, 2011 at 2:59 PM, Francois Gaudreault
>> <[email protected]> wrote:
>>> Hi John,
>>>
>>> Remember that with MAC Auth (or 802.1X) *all* the magic is done
>>> by RADIUS. So do not change the port to another VLAN using SNMP; let
>>> RADIUS decide the VLAN. However, we need SNMP to do a port bounce, so
>>> ensure that the write community string is properly set up and that the
>>> rights for that community on the switch are correct.
>>>
>>> Can you jump your log settings to DEBUG (conf/log.conf), restart
>>> packetfence, do your tests, and post your packetfence.log here?
>>>
>>> Thanks.
>>>
>>> On 11-07-12 2:46 PM, John Corps wrote:
>>>> Thank you Francois. I have got it working now beautifully. The only
>>>> issue I seem to be having is when in the registration VLAN, the user
>>>> registers etc. and they are not put into the normal VLAN... looking at
>>>> the packetfence.log file, it states that no security traps are
>>>> configured on the switch. Manually running pfcmd to put the port
>>>> into a different VLAN works fine, but if I tell it to put it in the
>>>> default VLAN #1 it says that this VLAN is not defined. Any ideas?
>>>>
>>>> Thanks
>>>>
>>>> On Mon, Jul 11, 2011 at 3:55 PM, Francois Gaudreault
>>>> <[email protected]> wrote:
>>>>> Hi John,
>>>>>
>>>>> The Dlink 3100 module only works (tested) using MAC Authentication or
>>>>> 802.1X running the latest available software. You need the latest to
>>>>> benefit from the dynamic VLAN assignments.
>>>>> You should look in the DLINK configuration guide for how to do it. In fact,
>>>>> the 3100 appears to be configured for MAC Auth using a variation of
>>>>> 802.1X. Something like MAC-based authentication instead of port-based.
>>>>>
>>>>>
>>>>> On 11-07-11 3:27 PM, John Corps wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Does anyone have examples on how to configure the 4 VLANs on a DLINK
>>>>>> 3100 switch? I am sure I am overthinking this but I can't seem to
>>>>>> wrap my head around what exactly needs to be done on the switch
>>>>>> itself. I have created the 4 VLANs I need: 2 - registration, 3 -
>>>>>> isolation, 4 - MAC detect and 5 - guest. I am not too sure what else
>>>>>> has to be done now on the switch..... if anyone has some insight, that
>>>>>> would be great.
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> All of the data generated in your IT infrastructure is seriously
>>>>>> valuable.
>>>>>> Why? It contains a definitive record of application performance, security
>>>>>> threats, fraudulent activity, and more. Splunk takes this data and makes
>>>>>> sense of it. IT sense. And common sense.
>>>>>> http://p.sf.net/sfu/splunk-d2d-c2
>>>>>> _______________________________________________
>>>>>> Packetfence-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>
>>>>> --
>>>>> Francois Gaudreault, ing. jr
>>>>> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
>>>>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
>>>>> (www.packetfence.org)
>>>>>
>>>> ------------------------------------------------------------------------------
>>>> AppSumo Presents a FREE Video for the SourceForge Community by Eric
>>>> Ries, the creator of the Lean Startup Methodology on "Lean Startup
>>>> Secrets Revealed." This video shows you how to validate your ideas,
>>>> optimize your ideas and identify your business strategy.
>>>> http://p.sf.net/sfu/appsumosfdev2dev
>>>> _______________________________________________
>>>> Packetfence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>
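The Access-Accept in the tcpdump output at the top of the thread carries the three RFC 2868 attributes that RFC 3580 uses for dynamic VLAN assignment: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = "300". The first two carry a leading tag byte (0x00 here, which tcpdump prints as Tag[Unused]), and the group ID is an ASCII string. What follows is an added example, not code from the thread or from PacketFence: a small Python decoder that parses a RADIUS Access-Accept, splits off the RFC 2868 tag byte where one is present, and reports whether the packet holds the VLAN triplet a switch looks for and whether the tags agree; alongside it is a builder that produces such an Accept with a valid RFC 2865 Response Authenticator so a known-good packet can be compared byte for byte with a captured one. SAMPLE_ACCEPT is reconstructed from the capture (code, identifier, length, authenticator and attributes exactly as tcpdump decoded them); the request authenticator and shared secret used with the builder are made-up test values. One caveat when reading the capture: a "[bad udp cksum]" flag on a packet captured on the host that sent it is commonly an artifact of checksum offload, not evidence of corruption on the wire.

```python
"""Decode a RADIUS Access-Accept and check it for the RFC 2868 / RFC 3580
dynamic-VLAN triplet (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID).
Example code; the sample packet is reconstructed from a tcpdump decode."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64                 # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # IANA tunnel type "VLAN"
TUNNEL_MEDIUM_IEEE802 = 6        # IANA tunnel medium "802"

# Constructed from the thread's tcpdump output: code 2, id 0x00, length 37,
# the authenticator shown there, then attributes 64/65/81 as decoded.
SAMPLE_ACCEPT = (
    bytes.fromhex("02 00 0025")
    + bytes.fromhex("eed2cc463b3777e222557870639f9b0a")
    + bytes.fromhex("40 06 0000000d")   # Tunnel-Type, tag 0, VLAN (13)
    + bytes.fromhex("41 06 00000006")   # Tunnel-Medium-Type, tag 0, 802 (6)
    + bytes.fromhex("51 05 333030")     # Tunnel-Private-Group-ID "300"
)


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"length field {length} inconsistent with {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:                  # bytes past `length` are ignored (RFC 2865)
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has bad length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def split_tag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag; a larger first byte means
    the attribute is untagged and that byte belongs to the value."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def check_vlan_assignment(packet):
    """Return (vlan, problems): the Tunnel-Private-Group-ID string (or None) and a
    list of reasons a switch could refuse to treat the Accept as a VLAN assignment."""
    code, _, _, attrs = parse_radius(packet)
    problems = []
    if code != ACCESS_ACCEPT:
        problems.append(f"code {code} is not Access-Accept (2)")
    tunnel = {}                          # first instance of each tunnel attribute
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tunnel.setdefault(atype, split_tag(value))
    tt = tunnel.get(TUNNEL_TYPE)
    if tt is None:
        problems.append("Tunnel-Type (64) missing")
    elif len(tt[1]) != 3 or int.from_bytes(tt[1], "big") != TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type is not VLAN (13): {tt[1].hex()}")
    tm = tunnel.get(TUNNEL_MEDIUM_TYPE)
    if tm is None:
        problems.append("Tunnel-Medium-Type (65) missing")
    elif len(tm[1]) != 3 or int.from_bytes(tm[1], "big") != TUNNEL_MEDIUM_IEEE802:
        problems.append(f"Tunnel-Medium-Type is not IEEE-802 (6): {tm[1].hex()}")
    pg = tunnel.get(TUNNEL_PRIVATE_GROUP_ID)
    vlan = None
    if pg is None:
        problems.append("Tunnel-Private-Group-ID (81) missing")
    else:
        vlan = pg[1].decode("ascii", "replace")
        if not vlan.isdigit():           # RFC 3580 carries the VLANID as a string;
            problems.append(             # VLAN names are a vendor extension
                f"Tunnel-Private-Group-ID {vlan!r} is not a numeric VLAN ID")
    # The three attributes only form one group when their tags agree
    # (absent tag and tag 0 both mean "untagged").
    tags = {tag or 0 for tag, _ in tunnel.values()}
    if len(tags) > 1:
        problems.append(f"tunnel attributes carry different tags {sorted(tags)}")
    return vlan, problems


def build_access_accept(vlan, ident, request_authenticator, secret, tag=0):
    """Build an Access-Accept carrying the VLAN triplet, with the RFC 2865 Response
    Authenticator MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    gid = (bytes([tag]) if tag else b"") + str(vlan).encode("ascii")
    attrs = (
        bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        + bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
        + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)]) + gid
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """The check a switch performs before trusting an Accept from the server."""
    _, _, auth, _ = parse_radius(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    print(check_vlan_assignment(SAMPLE_ACCEPT))
```

Run against SAMPLE_ACCEPT the checker reports VLAN "300" with no problems, which says the packet in the capture is a well-formed RFC 3580 assignment; a switch that still rejects it is applying a constraint of its own (for instance a tag, a VLAN name, or a vendor attribute), and the next step is to capture an Accept the switch does accept, from whatever server or firmware produced one, and diff its attribute bytes against the builder's output.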