Hello all,

I am new to PF and also new to NAC in general. I have been trying to get a test 
environment fully functional but I have encountered several obstacles. My test 
environment is fairly straightforward:

Client (laptop) <-> Cisco 3550 <-> PF (laptop)

My goal is to have PF set up in routed mode and, for now, just to have the 
client authenticate via the captive portal and then have PF modify the 
switchport from the registration vlan to the normal vlan. So far I am able to 
authenticate the client via the captive portal by using radius but it does not 
appear that PF does anything after authenticating the client. Here are my 
networks:

Internal Vlan 490 with 192.168.1.0/24 (Network between Cisco 3550 and PF)
Registration = Vlan 410 with 192.168.20.0/24 (Network defined in PF)

Normal = Vlan 400

The client switchport is configured for the Registration Vlan and the client is 
given an IP from the 192.168.20.0/24 network via DHCP from PF:

interface FastEthernet0/46
 switchport access vlan 410
 switchport mode access
 spanning-tree portfast
end

I then open a browser and the client is redirected to the PF captive portal 
where I am able to authenticate myself with the username/password defined in 
the file /etc/raddb/users. It appears that no radius traffic is passed from the 
PF server to the switch after this though. Here is my Cisco 3550 switch radius 
configuration:

aaa new-model
aaa group server radius packetfence
 server 192.168.1.50 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfenc

!
radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 timeout 2 key testing123
radius-server source-ports 1645-1646
radius-server vsa send authentication


Here is my switches.conf config:

[192.168.1.1]
type=Cisco::Catalyst_3550
mode=production
uplink=23,24
vlans=400,410,420,430,490
normalVlan=400
registrationVlan=410
isolationVlan=420
macDetectionVlan=430
radiusSecret=testing123


Here is my networks.conf config:

[192.168.20.0]
type=vlan-registration
netmask=255.255.255.0
gateway=192.168.20.1
next_hop=192.168.1.1
named=enabled
dns=192.168.1.50
domain-name=registration.
dhcpd=enabled
dhcp_start=192.168.20.200
dhcp_end=192.168.20.220
dhcp_default_lease_time=20
dhcp_max_lease_time=20

Here is my pf.conf config:

[trapping]
range=192.168.1.0/24
registration=enabled
[registration]
auth=radius
range=192.168.20.0/24

[interface eth0]
ip=192.168.1.50
mask=255.255.255.0
gateway=192.168.1.1
type=internal,management
enforcement=vlan


My assumption is that, with the captive portal, after the client successfully 
authenticates then PF would pass radius packets back to the switch to have the 
switchport vlan changed from the Registration vlan to the Normal vlan. My 
apologies for the long post but I wanted to provide as much info as possible. 
Any assistance is greatly appreciated.

Thanks,
Gary
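Added example, not from the post or from PacketFence itself: a small Python consistency check run over constructed excerpts shaped like the switch AAA config and the switches.conf above. It flags a RADIUS server group that is referenced but never defined, a role VLAN missing from vlans=, and a shared secret that differs between the switch and switches.conf.

```python
import configparser
import re

# Constructed excerpt shaped like the IOS AAA/RADIUS lines in the post above.
IOS_CONFIG = """\
aaa new-model
aaa group server radius packetfence
 server 192.168.1.50 auth-port 1812 acct-port 1813
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfenc
radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 timeout 2 key testing123
"""

# Constructed switches.conf excerpt shaped like the one in the post.
SWITCHES_CONF = """\
[192.168.1.1]
vlans=400,410,420,430,490
normalVlan=400
registrationVlan=410
isolationVlan=420
radiusSecret=testing123
"""

def parse_ios(text):
    """Return (defined server groups, referenced server groups, {host: key})."""
    groups = set(re.findall(r"^aaa group server radius (\S+)", text, re.M))
    refs = set(re.findall(r"^aaa (?:authentication|authorization) .*? group (\S+)", text, re.M))
    keys = dict(re.findall(r"^radius-server host (\S+) .*?\bkey (\S+)", text, re.M))
    return groups, refs, keys

def check(ios_text, switches_text, pf_ip):
    """Cross-check a switch's AAA config against PacketFence's switches.conf."""
    groups, refs, keys = parse_ios(ios_text)
    findings = [f"aaa references undefined server group '{r}'" for r in sorted(refs - groups)]
    cp = configparser.ConfigParser()
    cp.read_string(switches_text)
    for switch in cp.sections():
        s = cp[switch]
        vlans = {v.strip() for v in s.get("vlans", "").split(",")}
        for role in ("normalVlan", "registrationVlan", "isolationVlan"):
            if s.get(role) and s[role] not in vlans:
                findings.append(f"{switch}: {role}={s[role]} is not listed in vlans=")
        if keys.get(pf_ip) != s.get("radiusSecret"):
            findings.append(f"{switch}: radiusSecret differs from the switch key for {pf_ip}")
    return findings

if __name__ == "__main__":
    for finding in check(IOS_CONFIG, SWITCHES_CONF, "192.168.1.50"):
        print(finding)
```

Point it at a dump of `show running-config | section aaa|radius-server` and the real switches.conf to run the same checks on a live setup.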
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users