Hi Francois,
In all 3 VLAN switching scenarios below the Node (00:24:81:56:15:ea) is the
same, it's registered on PF, and it's Port-secured to the Cisco 3750X
interface. The only thing(s) changing between scenarios is what VLAN the
interface starts on and what VLAN it should switch to according to the
'Category' defined in PF for 00:24:81:56:15:ea.
The custom code is from PF 3.2's custom.pm exactly; I've only used and
uncommented the relevant lines for the 'category' definition:
sub getNormalVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type,
        $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger();
    # Nodes in the 'net-admin' category (matched case-insensitively) get
    # customVlan5 as defined in switches.conf; everything else gets normalVlan.
    if (defined($node_info->{'category'}) && lc($node_info->{'category'}) eq
        "net-admin") {
        return $switch->getVlanByName('customVlan5');
    }
    return $switch->getVlanByName('normalVlan');
}
=======================================
Here's what the switch port looks like:
interface GigabitEthernet1/0/46
switchport access vlan 425
switchport mode access
switchport port-security maximum 1 vlan access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0024.8156.15ea vlan access
end
=======================================
Here are my pf.conf and switches.conf (all defined values shown); please let me
know if you need something else:
[general]
domain=mines.edu
hostname=nac
dhcpservers=138.67.X.X,138.67.X.X,138.67.X.X
[trapping]
range=138.67.X.X/18,192.168.52.0/24,192.168.53.0/24
registration=enabled
redirecturl=http://inside.mines.edu
[captive_portal]
network_detection_ip=138.67.X.X
[registration]
auth=local,ldap
[alerting]
[email protected]
[services]
radiusd=disabled
[servicewatch]
restart=enabled
[interface eth0]
ip=138.67.X.X
mask=255.255.252.0
gateway=138.67.X.X
type=management
[interface eth0.10]
ip=138.67.X.X
mask=255.255.192.0
gateway=138.67.X.X
type=internal
enforcement=vlan
[interface eth0.52]
ip=192.168.52.1
mask=255.255.255.0
gateway=192.168.52.1
type=internal
enforcement=vlan
[interface eth0.53]
ip=192.168.53.1
mask=255.255.255.0
gateway=192.168.53.1
type=internal
enforcement=vlan
[interface eth0.425]
ip=192.168.X.X
mask=255.255.255.192
gateway=192.168.X.X
type=internal
enforcement=vlan
========================================
[default]
vlans = 10,52,53,54,425
normalVlan = 10
registrationVlan = 52
isolationVlan = 53
macDetectionVlan = 54
customVlan5 = 425
mode = production
macSearchesMaxNb = 30
macSearchesSleepInterval = 2
uplink = dynamic
cliTransport = Telnet
cliUser = xxx
cliPwd = xxx
cliEnablePwd =
# PacketFence -> Switch
SNMPVersion = 2c
SNMPCommunityRead = xxxxxx
SNMPCommunityWrite = xxxxxx
# Switch -> PacketFence
SNMPVersionTrap = 2c
SNMPCommunityTrap = xxx
wsTransport = http
radiusSecret=xxx
[127.0.0.1]
type = PacketFence
mode = production
uplink = dynamic
# SNMP Traps v1 are used for internal messages
SNMPVersionTrap=1
SNMPCommunityTrap=public
[138.67.X.X]
type = Cisco::Catalyst_3750
mode = production
uplink = 48
========================================================================
Scenario 1
Interface VLAN change from Registration to CustomVLAN5, port secured MAC
0024.8156.15ea
OBSERVATION: REQUIRES BROWSER OPEN BEFORE VLAN IS SWITCHED
packetfence.log:
[root@nac logs]# tail -f packetfence.log | grep -i 00:24:81:56:15:ea
Mar 14 14:24:11 pfdhcplistener(2097) INFO: DHCPOFFER from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3)
(main::parse_dhcp_offer)
Mar 14 14:24:11 pfdhcplistener(2099) INFO: DHCPOFFER from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3)
(main::parse_dhcp_offer)
Mar 14 14:24:11 pfdhcplistener(2097) INFO: DHCPREQUEST from 00:24:81:56:15:ea
(192.168.52.3) (main::parse_dhcp_request)
Mar 14 14:24:11 pfdhcplistener(2099) INFO: DHCPREQUEST from 00:24:81:56:15:ea
(192.168.52.3) (main::parse_dhcp_request)
Mar 14 14:24:13 pfdhcplistener(2097) INFO: resolved 192.168.52.3 to mac
(00:24:81:56:15:ea) in ARP table (pf::iplog::ip2macinarp)
Mar 14 14:24:13 pfdhcplistener(2099) INFO: resolved 192.168.52.3 to mac
(00:24:81:56:15:ea) in ARP table (pf::iplog::ip2macinarp)
Mar 14 14:24:13 pfdhcplistener(2099) INFO: 00:24:81:56:15:ea requested an IP.
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified
node with last_dhcp = 2012-03-14 14:24:13,computername =
Steve-MiniHP,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43
(main::listen_dhcp)
Mar 14 14:24:13 pfdhcplistener(2097) INFO: 00:24:81:56:15:ea requested an IP.
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified
node with last_dhcp = 2012-03-14 14:24:13,computername =
Steve-MiniHP,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43
(main::listen_dhcp)
Mar 14 14:24:13 pfdhcplistener(2099) INFO: DHCPACK from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3) for 300 seconds
(main::parse_dhcp_ack)
Mar 14 14:24:13 pfdhcplistener(2097) INFO: DHCPACK from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3) for 300 seconds
(main::parse_dhcp_ack)
Mar 14 14:24:15 pfdhcplistener(2099) INFO: DHCPACK CIADDR from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3)
(main::parse_dhcp_ack)
Mar 14 14:24:15 pfdhcplistener(2097) INFO: DHCPACK CIADDR from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3)
(main::parse_dhcp_ack)
Mar 14 14:26:41 pfdhcplistener(2097) INFO: 00:24:81:56:15:ea requested an IP.
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified
node with last_dhcp = 2012-03-14 14:26:41,computername =
Steve-MiniHP,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43
(main::listen_dhcp)
Mar 14 14:26:41 pfdhcplistener(2099) INFO: 00:24:81:56:15:ea requested an IP.
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified
node with last_dhcp = 2012-03-14 14:26:41,computername =
Steve-MiniHP,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43
(main::listen_dhcp)
Mar 14 14:26:41 pfdhcplistener(2097) INFO: DHCPACK from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3) for 300 seconds
(main::parse_dhcp_ack)
Mar 14 14:26:41 pfdhcplistener(2099) INFO: DHCPACK from 192.168.52.1
(00:0e:0c:09:31:7a) to host 00:24:81:56:15:ea (192.168.52.3) for 300 seconds
(main::parse_dhcp_ack)
(BROWSER WAS OPENED HERE WHICH SWITCHES VLAN)
Mar 14 14:28:06 redir.cgi(0) INFO: 00:24:81:56:15:ea being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Mar 14 14:28:06 redir.cgi(0) INFO: Updating node 00:24:81:56:15:ea user_agent
with useragent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like
Gecko) Chrome/17.0.963.79 Safari/535.11' (pf::web::web_node_record_user_agent)
Mar 14 14:28:07 redir.cgi(0) INFO: MAC 00:24:81:56:15:ea shouldn't reach here.
Calling access re-evaluation. Make sure your network device configuration is
correct.
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Mar 14 14:28:07 redir.cgi(0) INFO: re-evaluating access for node
00:24:81:56:15:ea (redir.cgi called) (pf::enforcement::reevaluate_access)
Mar 14 14:28:07 redir.cgi(0) INFO: 00:24:81:56:15:ea VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Mar 14 14:28:07 redir.cgi(0) INFO: switch port for 00:24:81:56:15:ea is
138.67.X.X ifIndex 10146 connection type: Wired SNMP
(pf::enforcement::_vlan_reevaluation)
Mar 14 14:28:10 pfsetvlan(1) INFO: security traps are configured on 138.67.X.X
ifIndex 10146. Re-assigning VLAN for 00:24:81:56:15:ea (main::handleTrap)
Mar 14 14:28:10 pfsetvlan(1) INFO: MAC: 00:24:81:56:15:ea, PID: swittstr,
Status: reg. Returned VLAN: 425 (pf::vlan::fetchVlanForNode)
========================================================================
Scenario 2
Interface VLAN change from CustomVLAN5 to Normal, port secured MAC
0024.8156.15ea
OBSERVATION: I OWE AN APOLOGY FROM MY FIRST POSTING (BELOW), IN THIS SCENARIO
THE VLAN DOES NOT SWITCH, NOR ARE THERE ANY PACKETFENCE LOGS. I HAVE TO GUESS
MY EARLIER VLAN SWITCHING OBSERVATION WAS A RESULT OF CHANGING THE NODE'S
CATEGORY, I.E. PF WILL AUTOMATICALLY UPDATE THE CONNECTED NODE'S INTERFACE
VLAN. HOWEVER, THIS BEHAVIOR SEEMS INCONSISTENT WITH THE BEHAVIOR OF SCENARIO 1
ABOVE. IN BOTH SCENARIOS, THE CONNECTING NODE'S MAC IS ALREADY PORT-SECURED TO
THE INTERFACE, SO THERE IS NO PORT-SECURITY TRAP IN EITHER CASE, BUT SCENARIO 1
STILL RESULTS IN A CATEGORY DEFINED VLAN CHANGE AFTER A BROWSER IS OPENED.
========================================================================
Scenario 3
Interface VLAN change from Normal to CustomVLAN, port secured MAC 0024.8156.15ea
OBSERVATION: THE VLAN DOES NOT SWITCH. THERE ARE A FEW PACKETFENCE LOGS
RELATED TO NORMAL VLAN DHCP.
packetfence.log:
[root@nac logs]# tail -f packetfence.log | grep -i 00:24:81:56:15:ea
Mar 15 12:50:19 pfdhcplistener(2064) INFO: DHCPREQUEST from 00:24:81:56:15:ea
(138.67.11.112) (main::parse_dhcp_request)
Mar 15 12:50:19 pfdhcplistener(2059) INFO: DHCPREQUEST from 00:24:81:56:15:ea
(138.67.11.112) (main::parse_dhcp_request)
Mar 15 12:50:19 pfdhcplistener(2064) INFO: 00:24:81:56:15:ea requested an IP.
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified
node with last_dhcp = 2012-03-15 12:50:19,computername =
Steve-MiniHP,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43
(main::listen_dhcp)
Mar 15 12:50:19 pfdhcplistener(2059) INFO: 00:24:81:56:15:ea requested an IP.
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified
node with last_dhcp = 2012-03-15 12:50:19,computername =
Steve-MiniHP,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43
(main::listen_dhcp)
========================================================================
In summary, I'm guessing the already registered and port-secured MAC is
interfering with the switch interface changing VLANs except in the case where
the initial VLAN is the Registration VLAN. To me it shouldn't matter what the
initial VLAN is, i.e. if the Category VLAN is different, then the interface
VLAN should always change. Perhaps the port-secured MAC needs to be changed to
a generic MAC (0002.0001.0046) at disconnect to have this work as I'm
envisioning, but it does VLAN switch somewhat (with the browser's activation)
with a Registration initial VLAN.
Please let me know if you need something I've left out, if there's something I've
done wrong, or if I do not understand something correctly.
Thank you!
Steve
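The getNormalVlan hook quoted above, exercised offline as an added example (not PacketFence's own code and not from the original post): the MockSwitch class and the sample node records are assumptions made for illustration, while the VLAN numbers are the ones from the posted switches.conf [default] section.

```perl
# Added example, not PacketFence code: drives a getNormalVlan hook like the one
# quoted above against the VLAN names from the [default] section of
# switches.conf, using a small stand-in for the switch object.
# MockSwitch is an assumed name used here for illustration only.
use strict;
use warnings;

package MockSwitch;
# Stand-in for the real switch object: getVlanByName() resolves a VLAN name
# such as 'customVlan5' to the number configured in switches.conf.
sub new {
    my ($class, %vlans) = @_;
    return bless { vlans => {%vlans} }, $class;
}

sub getVlanByName {
    my ($self, $name) = @_;
    die "VLAN name '$name' is not defined for this switch\n"
        unless exists $self->{vlans}{$name};
    return $self->{vlans}{$name};
}

package main;
# Same decision as the custom.pm hook in the thread: a node whose category is
# 'net-admin' (compared case-insensitively) gets customVlan5, all others
# get normalVlan. An undefined category never matches.
sub getNormalVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type,
        $user_name, $ssid) = @_;
    if (defined($node_info->{'category'})
        && lc($node_info->{'category'}) eq 'net-admin') {
        return $switch->getVlanByName('customVlan5');
    }
    return $switch->getVlanByName('normalVlan');
}

# VLAN numbers copied from the [default] section of the posted switches.conf.
my $switch = MockSwitch->new(
    normalVlan => 10, registrationVlan => 52, isolationVlan => 53,
    macDetectionVlan => 54, customVlan5 => 425,
);

# Constructed node records for the MAC from the thread, one per category case.
my $mac = '00:24:81:56:15:ea';
for my $category ('net-admin', 'Net-Admin', 'staff', undef) {
    my $node_info = { mac => $mac, status => 'reg', category => $category };
    my $vlan = getNormalVlan(undef, $switch, 10146, $mac, $node_info,
                             'Wired SNMP', 'swittstr', undef);
    printf "category=%-9s -> VLAN %d\n", $category // '(none)', $vlan;
}
```

Running it shows that only the 'net-admin' category (in any letter case) resolves to VLAN 425; a node with no category or any other category gets VLAN 10.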
________________________________________
From: Francois Gaudreault [[email protected]]
Sent: Wednesday, March 14, 2012 10:38 AM
To: [email protected]
Subject: Re: [Packetfence-users] PF 3.2 Custom VLAN Category behavior
Hi,
> In each of the following scenarios my Cisco 3750X interface already has
> the PC's MAC secured (port security.)
>
> 1) Node is configured to use CustomVLAN5 and switch interface starts on
> the Registration VLAN: node successfully gets a Registration VLAN IP,
> but interface doesn't switch to Custom VLAN until a browser is opened.
> 2) Node is configured to use Normal VLAN ("no category") and switch
> interface starts on the CustomVLAN5: interface is immediately switched
> to Normal VLAN (no need to open browser as in above case.)
> 3) Node is configured to use CustomVLAN5 and switch interface starts on
> Normal VLAN: interface doesn't change to CustomVLAN5.
I can't help with just those. I don't know your config, I don't know
your custom code, I don't know if you got any errors in the logs, and I
don't know if the "node" is the same for all your tests. Get us more
info, and we will be able to help.
Thanks.
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users