Bob,

Read about deploying PF in a routed network. We have many VLANs on our campus and have deployed PF on our wireless VLANs. In switches.conf you specify your PF VLANs and the "normal" VLAN. Set up IP helpers on your router to forward to PF.
Thomas

----- Original Message -----
From: [email protected]
To: [email protected]
Sent: Wednesday, December 7, 2011 6:20:48 PM
Subject: Packetfence-users Digest, Vol 44, Issue 23

Send Packetfence-users mailing list submissions to [email protected]. To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/packetfence-users or, via email, send a message with subject or body 'help' to [email protected]. You can reach the person managing the list at [email protected]. When replying, please edit your Subject line so it is more specific than "Re: Contents of Packetfence-users digest..."

Today's Topics:
 1. Re: 32 Internal Normal VLan (Bob L. Soderlund)
 2. Re: PacketFence with Cisco Wireless Controller (Jordan Hinman)
 3. Re: 32 Internal Normal VLan (Mark Holmes)

----------------------------------------------------------------------

Message: 1
Date: Wed, 7 Dec 2011 18:01:41 -0500
From: "Bob L. Soderlund" <[email protected]>
Subject: Re: [Packetfence-users] 32 Internal Normal VLan
To: <[email protected]>
Message-ID: <93AFD1D253B4CE41AA35D0102CDC58F603318C3C@vm-exchange.personcounty.local>
Content-Type: text/plain; charset="us-ascii"

Mark,

Thank you! I really appreciate your help. First I have to get to the interface. When I mount my VM and watch it boot, I get a failure when determining the eth0 IP config. I'm using a trunk to feed the PF VM. Admittedly I'm not a Linux or Perl pro, but I feel the benefits of this are well worth the learning curve. Currently I'm using some of the VLAN IDs already, so I'll have to transpose those first. VLAN 1 is my management VLAN; I was hoping to get access to PF on VLAN 1 and then build out from there.

Bob Soderlund
Network Engineer, MCP, MCSE
[email protected]
Person County Government
Information Technology
329 S. Morgan St.
Roxboro NC, 27573
Office 336-597-7810
Fax 336-597-7455

-----Original Message-----
From: Mark Holmes [mailto:[email protected]]
Sent: Wednesday, December 07, 2011 4:44 PM
To: [email protected]
Subject: Re: [Packetfence-users] 32 Internal Normal VLan

Bob,

Have a look in /usr/local/pf/lib/pf/vlan/custom.pm around line 63: you have to change the code slightly to have PF pass the 'Bypass' VLAN attribute.

    # custom example: enforce a node's bypass VLAN
    # If node record has a bypass_vlan prefer it over normalVlan
    # Note: It might be made the default behavior one day
    if (defined($node_info->{'bypass_vlan'}) && $node_info->{'bypass_vlan'} ne '') {
        return $node_info->{'bypass_vlan'};
    }

You will see in the code you can also assign devices to VLANs via other methods than using the Bypass attribute, e.g. by category, which would probably work better for you as you have quite a few VLANs in your setup.

In my network I have a 'trusted' VLAN (VLAN 1) and an 'untrusted' VLAN (VLAN 3, set as the 'normal' VLAN in PF). When someone completes registration they get put in VLAN 3; we can then put them in VLAN 1 using the bypass VLAN attribute I described.

My PF box has interfaces in the Trusted VLAN (1), set as management,dhcplistener,monitor,internal in PF; Untrusted (3), set as dhcplistener,internal,monitor in PF; Registration (50), set as registration in PF; and finally Isolation (60). You could use fewer interfaces by configuring 802.1Q on them I think, although as you're running a VM (as am I) you probably won't mind having 4 NICs.

I believe the PF box needs to be able to see DHCP traffic on all your VLANs. In my method I set a dhcplistener on the two interfaces, but as you have 32 that won't be practical (you won't want 32 interfaces!). See the admin guide (page 26) section on DHCP listeners; you'll want to use ip-helpers I would think.

HTH, give me a shout if you need more help.

Mark

-----Original Message-----
From: Bob L. Soderlund [mailto:[email protected]]
Sent: 07 December 2011 18:27
To: [email protected]
Subject: [Packetfence-users] 32 Internal Normal VLan

Hey everyone,

Newbie here. I have a large network with 32 VLANs. Each VLAN is its own subnet, and DNS and DHCP are all handled by our SonicWall NSA. I would like to use PacketFence for NAC. The documentation refers to several VLANs: management, Registration, Isolation, MAC Detection, Guest, and Normal. I already have a management VLAN, and have no problem creating the other 4. My question is the 'Normal' VLAN. I would have 32 of these, correct? I'm sure someone has done this and documented it here; I just need someone to point me in the right direction. I'm using the newest version of PF in a VM. I have 3Com 5500 switches. Thanks for your help.

Bob Soderlund
Network Engineer, MCP, MCSE
[email protected]
Person County Government
Information Technology
329 S. Morgan St.
Roxboro NC, 27573
Office 336-597-7810
Fax 336-597-7455

Nuffield College is a Registered Charity No. 1137506. Registered Office: Nuffield College, New Road, Oxford, OX1 1NF

------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of discussion for anyone considering optimizing the pricing and packaging model of a cloud services business. Read Now!
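The custom.pm hook Mark points at is where the VLAN decision is made, and it is also where Bob's "32 normal VLANs" question gets answered: the switch's normalVlan is only a default, and the override can return any managed VLAN. The following is an added example, not PacketFence's own code and not code from Mark or Bob. It is a getNormalVlan override of the kind that goes in /usr/local/pf/lib/pf/vlan/custom.pm: it prefers the node's bypass_vlan, then maps the node's category to a VLAN, then falls back to the switch's normalVlan from switches.conf, and it refuses a bypass_vlan that is not a plausible VLAN ID, since that field is free text in the node record. Assumptions: the argument list is the PacketFence 3.x one and the switch object exposes its switches.conf normalVlan as $switch->{_normalVlan}; both should be checked against the installed lib/pf/vlan.pm, as they changed in later releases. The category names, VLAN IDs and the node records in the smoke test are invented.

```perl
#!/usr/bin/perl
# Added example, not PacketFence's own code: a getNormalVlan override of the
# kind used in /usr/local/pf/lib/pf/vlan/custom.pm.  Precedence: node
# bypass_vlan, then node category, then the switch's normalVlan.
#
# ASSUMPTIONS (check against the installed lib/pf/vlan.pm): the argument
# list below is the PacketFence 3.x one, and the switch object exposes its
# switches.conf normalVlan as $switch->{_normalVlan}.  In the real custom.pm
# this lives in package pf::vlan::custom with use base ('pf::vlan').
# Category names and VLAN IDs are invented.
package pf::vlan::custom_example;
use strict;
use warnings;

# Invented category -> VLAN map.  Each VLAN here must also appear in the
# 'vlans' line of the relevant switch in switches.conf; in 3.x the switch
# module (pf::SNMP::setVlan, as I recall) refuses to set an unmanaged VLAN.
my %VLAN_BY_CATEGORY = (
    staff    => 110,
    faculty  => 120,
    printers => 130,
);

# bypass_vlan is free text in the node record; only accept a sane VLAN ID so
# a typo or junk value never ends up in a RADIUS reply or an SNMP set.
sub _is_vlan_id {
    my ($v) = @_;
    return defined $v && $v =~ /^\d+$/ && $v >= 1 && $v <= 4094;
}

sub getNormalVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;

    # 1. explicit per-node override wins
    my $bypass = $node_info->{bypass_vlan};
    if (defined $bypass && $bypass ne '') {
        return $bypass if _is_vlan_id($bypass);
        warn "ignoring non-numeric bypass_vlan '$bypass' for $mac\n";
    }

    # 2. VLAN by node category (case-insensitive)
    my $category = $node_info->{category};
    if (defined $category && exists $VLAN_BY_CATEGORY{ lc $category }) {
        return $VLAN_BY_CATEGORY{ lc $category };
    }

    # 3. the switch's own normalVlan from switches.conf
    return $switch->{_normalVlan};
}

# Stand-alone smoke test with a fake switch object and constructed node
# records; only runs when this file is executed directly, not when required.
unless (caller) {
    my $switch = bless { _normalVlan => 3 }, 'FakeSwitch';
    my @cases = (
        [ { bypass_vlan => 1,  category => 'staff' }, 1,   'bypass_vlan beats category'     ],
        [ { bypass_vlan => '', category => 'Staff' }, 110, 'category map, case-insensitive' ],
        [ { category => 'visitor' },                  3,   'falls back to normalVlan'       ],
        [ { bypass_vlan => '1; drop' },               3,   'junk bypass_vlan ignored'       ],
    );
    for my $c (@cases) {
        my ($node, $want, $name) = @$c;
        my $got = __PACKAGE__->getNormalVlan($switch, 1, '00:11:22:33:44:55',
                                             $node, 'Ethernet-NoEAP', undef, undef);
        printf "%-32s %s (got %s)\n", $name, ($got == $want ? 'ok' : 'FAIL'), $got;
    }
}

1;
```

Run it directly (perl custom_example.pl) to see the four constructed cases decided; to use the logic for real, move the two subs and the map into the getNormalVlan of pf::vlan::custom and keep the base-class fallback. The numeric check is the part worth keeping even if you drop the category map: anything an admin can type into the bypass field is otherwise handed straight to the switch.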
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

------------------------------

Message: 2
Date: Wed, 7 Dec 2011 16:06:24 -0700
From: Jordan Hinman <[email protected]>
Subject: Re: [Packetfence-users] PacketFence with Cisco Wireless Controller
To: [email protected]
Message-ID: <canj-yfr5tb3dbkiieopro9zfaqqjq8syzyjq_thcnnycl1n...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hey, thanks for pointing me to radiusd -X. After more playing I was able to get the wireless controller to talk to PacketFence. My problem now is the controller seems to be caching the client's VLAN. When I connect a new client to the SSID I get placed on the appropriate registration VLAN, and I can then register in PacketFence. But after I reboot the computer I am then placed back onto the registration VLAN, not onto the regular VLAN. When watching radiusd -X I see the controller perform an authentication request the first time I connect but not after. I have to "remove" the client from the controller, then rejoin the appropriate SSID; then the controller will do another RADIUS authentication request and put me on the correct VLAN. Is there any way to force my Cisco wireless controller to do a RADIUS authentication request every time a client connects to the SSID? Should I be looking somewhere else? Thanks for the help!

Jordan

On Tue, Dec 6, 2011 at 8:32 AM, Francois Gaudreault <[email protected]> wrote:
> Hi,
>
> How does the RADIUS debug look (radiusd -X)?
>
> On 11-12-05 5:11 PM, Jordan Hinman wrote:
> Hi there,
>
> I am trying to get my Cisco WLC 2112 controller working with my new 3.0.3 PacketFence ZEN installation but I can't seem to get a response from PacketFence. Whenever I try and join the appropriate SSID I get the following error on my controller.
>
> RADIUS server x.x.x.x:1812 failed to respond to request (ID 29) for client xx:xx:xx:xx:xx:xx / user 'unknown'
>
> When I look in the PacketFence logs I get the following, which looks like things are working.
>
> INFO: handling radius autz request: from switch_ip => x.x.x.x, connection_type => Wireless-802.11-NoEAP mac => xx:xx:xx:xx:xx:xx, port => 7, username => xxxxxxxxxxxx (pf::radius::authorize)
> Dec 05 14:08:05 pf::WebAPI(3249) INFO: MAC: xx:xx:xx:xx:xx:xx, PID: demouser, Status: reg. Returned VLAN: 15 (pf::vlan::fetchVlanForNode)
> Dec 05 14:08:05 pf::WebAPI(3249) INFO: Returning ACCEPT with VLAN: 15 (pf::radius::authorize)
>
> When I do a tcpdump of the whole transaction I see the controller perform the RADIUS authorization request but I don't see the authorization response from PacketFence. I have turned off iptables to see if that would help, but no such luck. Anyone else have any ideas? Thanks for any guidance!
>
> --
> Jordan Hinman
> Network Analyst | Technology Services | Elk Island Catholic Schools
> T: (780) 449-6484 ext. 222 | E: [email protected]
>
> --
> Francois Gaudreault, ing. [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc.
> :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

--
Jordan Hinman
Network Analyst | Technology Services | Elk Island Catholic Schools
T: (780) 449-6484 ext. 222 | E: [email protected]

------------------------------

Message: 3
Date: Wed, 7 Dec 2011 23:44:58 +0000
From: Mark Holmes <[email protected]>
Subject: Re: [Packetfence-users] 32 Internal Normal VLan
To: "[email protected]" <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Are you using ZEN (the Zero Effort NAC) pre-built VM, or your own? What is the exact error you get with eth0? What does running this command:

    cat /etc/sysconfig/network-scripts/ifcfg-eth0

show you?

Regards,
Mark

> VLAN 1 is my management VLAN, I was hoping to get access to PF on VLAN 1 and then build out from there.

Yes, that will be fine. So you'll want to have eth0 on VLAN 1 and set it as management in PF.

------------------------------

End of Packetfence-users Digest, Vol 44, Issue 23
*************************************************
