#1) PLEASE make sure to sanitize your emails before posting them ... decrypting a default password hash in Cisco equipment is trivial these days. Hopefully the key you have chosen is not REALLY the "secret" you are using in production ; )
It looks from your config and log that you are returning VLAN 1 as the normal VLAN. However, in your switch VLAN 1 is shut down and it is not included in the allowed VLANs for the trunk port that the AP is plugged into. You also have VLAN 10 as the native VLAN for the AP, but you do not have a VLAN 10 defined on the AP... not a huge problem since the BVI1 interface is in the correct subnet. You may also want to remove the "spanning-tree bpduguard enable" directive from the port as well, but that is your call.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

-----Original Message-----
From: Marko Mrvelj [mailto:[email protected]]
Sent: Tuesday, August 28, 2012 2:24 PM
To: [email protected]
Subject: [PacketFence-users] Help with Cisco 2960 and 1242

Hi,

I am trying to get pf to work with a Catalyst 2960 and an Aironet 1242AG. I managed to get the wired configuration to work on the Catalyst, but with WiFi I cannot get it right. When I try to access the WiFi network, my Windows client opens a dialog asking me for a username and password, but after that it fails. Does somebody have a working configuration of these two devices to share with me?
Or perhaps somebody can find the error in my configuration below:

Switch: 10.28.10.191
PacketFence machine: 10.28.10.192 (on switch port 13)
WiFi: 10.28.10.193 (on switch port 23)
Internet gateway: 10.28.10.254 (on switch port 22)

switches.conf

[default]
vlans=1,2,3,4,10
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
guestVlan=5
VoIPEnabled=no
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
cliTransport=Telnet
uplink=dynamic
SNMPVersion=2c
SNMPCommunityRead=public
SNMPCommunityWrite=private
SNMPVersionTrap=2c
SNMPCommunityTrap=public
wsTransport=http

[10.28.10.191]
type=Cisco::Catalyst_2960
uplink=10023,10024
mode=production
SNMPVersionTrap=2c
SNMPVersion=2c

[10.28.10.193]
type=Cisco::Aironet_1242
mode=production

pf.conf

[registration]
auth=local,radius

Catalyst show run

Building configuration...
!
! Last configuration change at 18:24:38 UTC Tue Aug 28 2012
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
system mtu routing 1500
vtp domain MTN_VTP
vtp mode transparent
!
! REMOVED some QoS and crypto stuff
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 2
 name Registration
!
vlan 3
 name Isolation
!
vlan 4
 name MAC_Detection
!
vlan 5
 name Guest
!
vlan 10,100
!
vlan 160
 name DSI_MGMT
!
interface FastEthernet0/1
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0001
!
interface FastEthernet0/2
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0002
!
interface FastEthernet0/3
 switchport access vlan 4
 switchport voice vlan 100
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0003
 switchport port-security mac-address 0200.0101.0003
 spanning-tree portfast
!
interface FastEthernet0/4
!
! -> Packetfence host here
interface FastEthernet0/13
 switchport trunk native vlan 10
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust dscp
 macro description cisco-router
 auto qos voip trust
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
!
! Internet gateway
interface FastEthernet0/22
 switchport access vlan 10
 switchport trunk allowed vlan 1,10
 switchport mode trunk
!
! Aironet 1242AG here
interface FastEthernet0/23
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-5,10
 switchport mode trunk
 switchport nonegotiate
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 mls qos trust cos
 macro description cisco-wireless
 auto qos voip trust
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 switchport access vlan 10
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 192.168.1.191 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan2
 ip address 10.2.10.191 255.255.255.0
!
interface Vlan3
 ip address 10.3.10.191 255.255.255.0
!
interface Vlan10
 description Control VLAN
 ip address 10.28.10.191 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.28.10.254
ip http server
ip http secure-server
logging esm config
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 10.28.10.192 version 2c public port-security
!
line con 0
 exec-timeout 0 0
line vty 0 4
 password cisco
 login
 length 0
line vty 5 15
 password cisco
 login
!
end

1242AG configuration

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Wifi
!
aaa new-model
!
aaa group server radius rad_eap
 server 10.28.10.192 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 10.28.10.192 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
!
aaa session-id common
!
dot11 syslog
dot11 vlan-name guest vlan 5
dot11 vlan-name isolation vlan 3
dot11 vlan-name normal vlan 1
dot11 vlan-name registration vlan 2
!
dot11 ssid AT-Public
 vlan 2 backup guest
 authentication open mac-address mac_methods
 guest-mode
 mbssid guest-mode
!
dot11 ssid AT-Secure
 vlan 3
 authentication open eap eap_methods
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 5 mode ciphers aes-ccm
 !
 ssid AT-Public
 !
 ssid AT-Secure
 !
 mbssid
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.5
 encapsulation dot1Q 5
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!
interface BVI1
 ip address 10.28.10.193 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.28.10.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps aaa_server
snmp-server host 10.28.10.192 public deauthenticate
radius-server host 10.28.10.192 auth-port 1812 acct-port 1813 key 7 0215015819031B0A4957
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
line con 0
line vty 0 4
!
end

Log files:

packetfence.log

Aug 28 21:12:57 pf::WebAPI(7252) INFO: handling radius autz request: from switch_ip => 10.28.10.193, connection_type => Wireless-802.11-NoEAP mac => 9c:b7:0d:af:7f:d6, port => 490, username => 9cb70daf7fd6 (pf::radius::authorize)
Aug 28 21:12:57 pf::WebAPI(7252) INFO: MAC: 9c:b7:0d:af:7f:d6, PID: 1, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
Aug 28 21:12:57 pf::WebAPI(7252) WARN: Role-based Network Access Control is not supported on network device type pf::SNMP::Cisco::Aironet_1242. (pf::SNMP::supportsRoleBasedEnforcement)

radius.log

Tue Aug 28 21:12:57 2012 : Auth: rlm_perl: Returning vlan 1 to request from 9c:b7:0d:af:7f:d6 port 490

snmptrapd.log

2012-08-28|19:12:54|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 2|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6 END VARIABLEBINDINGS
2012-08-28|19:12:55|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 1|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6 END VARIABLEBINDINGS
2012-08-28|19:12:57|UDP: [10.28.10.193]:49836->[10.28.10.192]|10.28.10.193|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .2 END SUBTYPE BEGIN VARIABLEBINDINGS .1.2.840.10036.1.1.1.17.1 = INTEGER: 2|.1.2.840.10036.1.1.1.18.1 = Hex-STRING: 9C B7 0D AF 7F D6 END VARIABLEBINDINGS

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
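The VLAN mismatch diagnosed in the reply above (PacketFence returns VLAN 1, but Fa0/23 only trunks 2-5,10 and the Vlan1 SVI is shut down) can be checked mechanically. The script below is an added example, not PacketFence or Cisco code; it parses a running-config excerpt copied from the posted Catalyst 2960 config and the "Returned VLAN" line from the posted packetfence.log, and reports every reason the client could not land in that VLAN. Function names are this example's own.

```python
"""Audit a NAC VLAN assignment against the switch port the AP hangs off."""
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of the posted Catalyst running-config: Fa0/23 is the
# Aironet uplink, Fa0/24 is another trunk, Vlan1 is the SVI that is shut down.
CATALYST_EXCERPT = """\
interface FastEthernet0/23
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-5,10
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/24
 switchport access vlan 10
 switchport trunk allowed vlan 10
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.1.191 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan10
 description Control VLAN
 ip address 10.28.10.191 255.255.255.0
!
"""

# The "Returned VLAN" line from the posted packetfence.log.
PF_LOG_LINE = ("Aug 28 21:12:57 pf::WebAPI(7252) INFO: MAC: 9c:b7:0d:af:7f:d6, "
               "PID: 1, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)")


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2-5,10' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return stanzas


def trunk_profile(sub: List[str]) -> dict:
    """Trunk mode, native VLAN and allowed set (None = IOS default, all VLANs).

    Only the plain 'allowed vlan <list>' form is handled; the add/remove/
    except/none variants are left for the reader.
    """
    profile: dict = {"mode": "access", "native": 1, "allowed": None}
    for cmd in sub:
        if cmd == "switchport mode trunk":
            profile["mode"] = "trunk"
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
        if m:
            profile["native"] = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", cmd)
        if m:
            profile["allowed"] = expand_vlan_list(m.group(1))
    return profile


def returned_vlan(log_line: str) -> int:
    """Pull the VLAN PacketFence decided on out of a packetfence.log line."""
    m = re.search(r"Returned VLAN: (\d+)", log_line)
    if not m:
        raise ValueError("no 'Returned VLAN' in log line")
    return int(m.group(1))


def audit_returned_vlan(config: str, log_line: str, ap_port: str) -> List[str]:
    """List every reason the client could not land in the returned VLAN.

    An empty list means the VLAN is carried on the AP's trunk and its SVI,
    if it has one, is not administratively down.
    """
    stanzas = parse_interfaces(config)
    vlan = returned_vlan(log_line)
    port = trunk_profile(stanzas.get(ap_port, []))
    problems: List[str] = []
    if port["mode"] != "trunk":
        problems.append(f"{ap_port} is not a trunk, so tagged VLAN {vlan} cannot cross it")
    elif port["allowed"] is not None and vlan not in port["allowed"]:
        problems.append(f"VLAN {vlan} is not in the allowed list "
                        f"{sorted(port['allowed'])} on {ap_port}")
    if "shutdown" in stanzas.get(f"Vlan{vlan}", []):
        problems.append(f"interface Vlan{vlan} is administratively shut down")
    return problems


if __name__ == "__main__":
    for problem in audit_returned_vlan(CATALYST_EXCERPT, PF_LOG_LINE, "FastEthernet0/23"):
        print("PROBLEM:", problem)
```

Run against the posted excerpt it flags both points from the reply: VLAN 1 is missing from the allowed list on FastEthernet0/23, and interface Vlan1 is shut down. Swapping the log line to "Returned VLAN: 2" yields no findings, which is what a registered client on this setup needs before the usual NAC trap and re-authentication flow can work.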
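The first point in the reply above, that a Cisco "key 7" string is trivially reversible, comes from the way type 7 works: it is not encryption but a fixed-key XOR with a two-digit starting offset, and the whole key string is public. The encoder and decoder below are an added example, not PacketFence or Cisco code; the secrets fed through them are constructed (plus the widely published "cisco" test vector), and the key string from the posted Aironet config is deliberately not used.

```python
"""Cisco IOS type 7 password obfuscation: encode and decode."""

# The fixed XOR key string used by IOS type 7 (public knowledge for decades).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(blob: str) -> str:
    """Recover the cleartext from a type 7 string such as '094F471A1A0A'.

    Layout: two decimal digits giving the starting offset into XLAT, then one
    hex byte per cleartext character, each XORed with the next XLAT character.
    """
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("type 7 string = 2-digit seed + even-length hex")
    seed = int(blob[:2])
    out = []
    for i in range(2, len(blob), 2):
        byte = int(blob[i:i + 2], 16)
        out.append(chr(byte ^ ord(XLAT[seed % len(XLAT)])))
        seed += 1
    return "".join(out)


def type7_encode(secret: str, seed: int = 0) -> str:
    """Produce the type 7 string IOS would store for `secret` with this seed.

    IOS picks a seed in 0..15; any value works for the decoder, but staying in
    that range keeps the output indistinguishable from a real config line.
    """
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 0..15")
    out = [f"{seed:02d}"]
    for ch in secret:
        out.append(f"{ord(ch) ^ ord(XLAT[seed % len(XLAT)]):02X}")
        seed += 1
    return "".join(out)


def roundtrip_ok(secret: str, seed: int) -> bool:
    """True when encode followed by decode returns the original secret."""
    return type7_decode(type7_encode(secret, seed)) == secret


if __name__ == "__main__":
    # Constructed RADIUS shared secret, never a real one.
    demo = type7_encode("R4dius!Shared", seed=7)
    print("radius-server host 192.0.2.10 key 7", demo)
    print("decodes to:", type7_decode(demo))
```

Two practical consequences for the thread: `service password-encryption` only triggers this obfuscation, so a config pasted with a `key 7` line has effectively disclosed the RADIUS shared secret and the secret should be rotated on both the AP and the PacketFence server; and on IOS releases that support it, `key config-key password-encrypt` plus `password encryption aes` stores such keys as type 6 (AES) instead, which is what to use before the next config is shared.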
