Hi,

I am trying to get pf to work with a Catalyst 2960 and an Aironet 1242AG. I managed to get the wired configuration to work on the Catalyst, but with WiFi I cannot get it right. When I try to access the WiFi network, my Windows client opens a dialog asking me for a username and password, but after that it fails.

Does somebody have a working configuration of these two devices to share with me?

Or perhaps somebody can find the error in my configuration below:

Switch: 10.28.10.191
PacketFence machine: 10.28.10.192 (on switch port 13)
WiFi: 10.28.10.193 (on switch port 23)
Internet gateway: 10.28.10.254 (on switch port 22)

switches.conf

[default]
vlans=1,2,3,4,10
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
guestVlan=5
VoIPEnabled=no
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
cliTransport=Telnet
uplink=dynamic
SNMPVersion=2c
SNMPCommunityRead=public
SNMPCommunityWrite=private
SNMPVersionTrap=2c
SNMPCommunityTrap=public
wsTransport=http
[10.28.10.191]
type=Cisco::Catalyst_2960
uplink=10023,10024
mode=production
SNMPVersionTrap=2c
SNMPVersion=2c
[10.28.10.193]
type=Cisco::Aironet_1242
mode=production

pf.conf

[registration]
auth=local,radius


Catalyst

show run
Building configuration...

!
! Last configuration change at 18:24:38 UTC Tue Aug 28 2012
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
vtp domain MTN_VTP
vtp mode transparent
!
! REMOVED some QoS and crypto stuff
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name Registration
!
vlan 3
 name Isolation
!
vlan 4
 name MAC_Detection
!
vlan 5
 name Guest
!
vlan 10,100
!
vlan 160
 name DSI_MGMT
!
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0001
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0002
!
interface FastEthernet0/3
 switchport access vlan 4
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0003
 switchport port-security mac-address 0200.0101.0003
 spanning-tree portfast
!
interface FastEthernet0/4
!
!  -> Packetfence host here
interface FastEthernet0/13
 switchport trunk native vlan 10
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Internet gateway
interface FastEthernet0/22
 switchport access vlan 10
 switchport trunk allowed vlan 1,10
 switchport mode trunk
! Aironet 1242AG here
interface FastEthernet0/23
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-5,10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos voip trust
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 switchport access vlan 10
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.191 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 10.2.10.191 255.255.255.0
!
interface Vlan3
 ip address 10.3.10.191 255.255.255.0
!
interface Vlan10
 description Control VLAN
 ip address 10.28.10.191 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.28.10.254
ip http server
ip http secure-server
logging esm config
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 10.28.10.192 version 2c public  port-security
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 length 0
line vty 5 15
 password cisco
 login
!
end


1242AG configuration

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Wifi
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.28.10.192 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.28.10.192 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name guest vlan 5
dot11 vlan-name isolation vlan 3
dot11 vlan-name normal vlan 1
dot11 vlan-name registration vlan 2
!
dot11 ssid AT-Public
   vlan 2 backup guest
   authentication open mac-address mac_methods
   guest-mode
   mbssid guest-mode
!
dot11 ssid AT-Secure
   vlan 3
   authentication open eap eap_methods
!
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 5 mode ciphers aes-ccm
 !
 ssid AT-Public
 !
 ssid AT-Secure
 !
 mbssid
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!
interface BVI1
 ip address 10.28.10.193 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.28.10.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps aaa_server
snmp-server host 10.28.10.192 public  deauthenticate
radius-server host 10.28.10.192 auth-port 1812 acct-port 1813 key 7 0215015819031B0A4957
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Log files:

packetfence.log
Aug 28 21:12:57 pf::WebAPI(7252) INFO: handling radius autz request: from switch_ip => 10.28.10.193, connection_type => Wireless-802.11-NoEAP mac => 9c:b7:0d:af:7f:d6, port => 490, username => 9cb70daf7fd6 (pf::radius::authorize)
Aug 28 21:12:57 pf::WebAPI(7252) INFO: MAC: 9c:b7:0d:af:7f:d6, PID: 1, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Aug 28 21:12:57 pf::WebAPI(7252) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Aironet_1242. (pf::SNMP::supportsRoleBasedEnforcement)

radius.log
Tue Aug 28 21:12:57 2012 : Auth: rlm_perl: Returning vlan 1 to request from 9c:b7:0d:af:7f:d6 port 490

snmptrapd.log
2012-08-28|19:12:54|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 2|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6  END VARIABLEBINDINGS
2012-08-28|19:12:55|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 1|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6  END VARIABLEBINDINGS
2012-08-28|19:12:57|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 2|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6  END VARIABLEBINDINGS
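As an added example (not part of the original post and not PacketFence code), here is a small parser for the snmptrapd.log layout shown above that decodes each deauthenticate trap into a timestamped event and flags a station that keeps getting deauthenticated, which is what a client stuck in a credential prompt looks like from the AP side. It assumes the two OIDs are dot11DeauthenticateReason and dot11DeauthenticateStation from IEEE802dot11-MIB (consistent with the AP's "snmp-server enable traps deauthenticate"); the sample lines are the three traps from the post, re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample in the layout PacketFence's snmptrapd.log uses above,
# with the mail-wrapped lines re-joined so each trap is one line.
SAMPLE_TRAPS = """\
2012-08-28|19:12:54|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 2|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6  END VARIABLEBINDINGS
2012-08-28|19:12:55|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 1|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6  END VARIABLEBINDINGS
2012-08-28|19:12:57|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 2|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6  END VARIABLEBINDINGS
"""

# Assumed OID meanings (IEEE802dot11-MIB dot11StationConfigEntry columns 17/18).
OID_DEAUTH_REASON = ".1.2.840.10036.1.1.1.17"   # dot11DeauthenticateReason
OID_DEAUTH_STATION = ".1.2.840.10036.1.1.1.18"  # dot11DeauthenticateStation
REASON_NAMES = {1: "unspecified", 2: "previous authentication no longer valid"}

TRAP_RE = re.compile(r"BEGIN VARIABLEBINDINGS (.*) END VARIABLEBINDINGS")
VB_RE = re.compile(r"(\S+)\s*=\s*(\S+):\s*(.*?)\s*(?:\||$)")   # "oid = TYPE: value"

def parse_trap_line(line):
    # Split "date|time|transport|agent|payload"; the payload itself contains '|'.
    fields = line.split("|", 4)
    if len(fields) < 5:
        return None
    date, time_, _transport, agent, payload = fields
    m = TRAP_RE.search(payload)
    if not m:
        return None
    varbinds = {oid: (typ, val) for oid, typ, val in VB_RE.findall(m.group(1))}
    return {"time": f"{date} {time_}", "agent": agent, "varbinds": varbinds}

def deauth_event(trap):
    # Decode a deauthenticate trap into (time, agent, mac, reason); None if it is not one.
    reason = mac = None
    for oid, (_typ, val) in trap["varbinds"].items():
        if oid.startswith(OID_DEAUTH_REASON + "."):
            reason = int(val)
        elif oid.startswith(OID_DEAUTH_STATION + "."):
            mac = ":".join(val.lower().split())   # "9C B7 0D ..." -> "9c:b7:0d:..."
    if reason is None or mac is None:
        return None
    return {"time": trap["time"], "agent": trap["agent"], "mac": mac, "reason": reason, "reason_name": REASON_NAMES.get(reason, "other")}

def deauth_timeline(text):
    # Deauth events in log order; unparsable or unrelated lines are skipped.
    parsed = [parse_trap_line(l) for l in text.splitlines()]
    return [ev for ev in (deauth_event(t) for t in parsed if t) if ev]

def flapping_stations(events, threshold=3):
    # MACs deauthenticated at least `threshold` times: a client stuck in an auth loop.
    return {m: n for m, n in Counter(e["mac"] for e in events).items() if n >= threshold}
```

Lining these AP-side timestamps up with the radius.log and packetfence.log entries for the same MAC shows whether PacketFence's VLAN answer arrives before or after the AP has already dropped the station.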



_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users