Hi,

> Hello, I am trying to convert our inline packetfence setup into VLAN
> mode.  I seem to be having trouble with SNMP traps being sent from our
> Cisco 1131s to the PF server.  Although I have it configured to send
> all SNMP traps to PF, the only one that gets sent is the DISASSOCIATE
> trap... check out this debug output from the switch:
>
> The trap is sent fine for the DISASSOC, but not for the ASSOC... any
> ideas why?
Don't put too much effort into that... PF is not consuming either trap.
Even if you send them, we will drop them :)  PF talks only RADIUS or
SSH/Telnet (to perform deauth) to those APs.  You may also need a read
community string set up, but that's basically it.

>
> I also have some questions about this setup... can I do VLAN switching
> just by using SNMP traps?  Or do I need 802.1x/MAC-auth set up to get
> that going?  I don't believe that these switches support port-security.
You need to use AAA (RADIUS).  This is the only way of doing dynamic
VLAN assignment on Aironets.

>
> Another issue I am having is with assigning VLANs to be either
> Registration or Normal VLANs... here's my desired VLAN breakdown:
>
> 96: Guest VLAN (this works)
> 95: Registration VLAN - hosts associate with an SSID with this VLAN, and
> after they register, they should be switched to VLAN 94
> 94: Normal(?) VLAN - hosts will be in here after they pass registration
> 93: this is my "native VLAN" for the switch, the switch has an IP
> address in this VLAN and this is the management VLAN for PF
> 92: MAC detect (?)
>
> So, using this scheme, I would put 96 as "Guest VLAN", and 92 as "Mac
> Detect VLAN", but what about the others?  95 should be a "Registration
> VLAN", obviously, but what about 94?  Is that another "Registration
> VLAN", or is that a "Normal VLAN"?  And what would I set 93 to be?
Your assumptions are right.  94 would be the normal (aka Production)
VLAN, and you don't need to configure VLAN 93 on the PF side.  This is
not a VLAN that you will return to the users.

> Also, on the switch itself, I would like two SSIDs: Open (for VLAN 96),
> and Internal (for 95/94).  When I create the SSID on the switch, do I
> just set Internal to VLAN 95?  How does it know to use VLAN 94 instead
> after people register?
Ok, here is the thing.  Those APs will not allow you to use an encrypted
VLAN on an open SSID.  So you need to either a) avoid registration on the
secure SSID or b) have multiple registration VLANs.

Now the way it works is simple.  If you refer to our network guide, you
will see that you need to tell the SSID which VLANs will be used (see the
"vlan x backup y z" line).  So let's take your VLANs; I would do:

OPEN
- vlan 95 backup 96

SECURE (802.1x w/ auto-reg for example)
- vlan 94

You do not need the MAC detect VLAN on the wireless.

I hope it helps.  Feel free to ask more questions :)

-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
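Editor's note: the fragment below is an added example, not part of the thread above and not taken from the PacketFence network devices guide. It spells out, in Cisco Aironet autonomous IOS, the two-SSID layout Francois suggests: OPEN lists VLAN 95 with 96 as backup so PacketFence can return either via RADIUS MAC authentication, SECURE lists only VLAN 94 and relies on 802.1X auto-registration, WPA2 encryption is bound to VLAN 94 only (the AP rejects an encrypted VLAN on an open SSID), VLAN 93 stays a wired native/management VLAN that PacketFence never returns, and the AP exposes only a read community and SSH to PacketFence, no traps. The PacketFence IP 10.1.93.10, AP IP 10.1.93.20, RADIUS secret, community string, username and the `rad_pf`/`mac_methods`/`eap_methods` list names are assumptions chosen for illustration.

```cisco
! Added example (not from the thread or the PacketFence guide).
! Assumed values: PF at 10.1.93.10 on management VLAN 93, AP BVI at
! 10.1.93.20, RADIUS secret "secret", SNMP RO community "public".
aaa new-model
aaa group server radius rad_pf
 server 10.1.93.10 auth-port 1812 acct-port 1813
! MAC auth (OPEN SSID) and EAP (SECURE SSID) are both sent to PacketFence
aaa authentication login mac_methods group rad_pf
aaa authentication login eap_methods group rad_pf
! Needed so the AP honours the VLAN returned in the RADIUS Access-Accept
aaa authorization network default group rad_pf
radius-server host 10.1.93.10 auth-port 1812 acct-port 1813 key secret
!
! OPEN: clients land in registration VLAN 95; PF may move them to 96.
! Both VLANs must be listed here, and neither may be encrypted, since the
! AP refuses an encrypted VLAN on an open SSID.
dot11 ssid OPEN
 vlan 95 backup 96
 authentication open mac-address mac_methods
 mbssid guest-mode
!
! SECURE: 802.1X with auto-registration in PF, so only production VLAN 94
! is ever returned. No registration VLAN is listed here on purpose.
dot11 ssid SECURE
 vlan 94
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 mbssid guest-mode
!
interface Dot11Radio0
 ! WPA2/AES is bound to VLAN 94 only; 95 and 96 stay open.
 encryption vlan 94 mode ciphers aes-ccm
 ssid OPEN
 ssid SECURE
 mbssid
 station-role root
!
! One dot1Q subinterface per client VLAN on the radio and wired side,
! bridged pairwise. VLAN 93 is native on the trunk and carries the BVI
! only; it has no radio subinterface because no SSID uses it.
interface Dot11Radio0.94
 encapsulation dot1Q 94
 bridge-group 94
interface Dot11Radio0.95
 encapsulation dot1Q 95
 bridge-group 95
interface Dot11Radio0.96
 encapsulation dot1Q 96
 bridge-group 96
interface FastEthernet0.93
 encapsulation dot1Q 93 native
 bridge-group 1
interface FastEthernet0.94
 encapsulation dot1Q 94
 bridge-group 94
interface FastEthernet0.95
 encapsulation dot1Q 95
 bridge-group 95
interface FastEthernet0.96
 encapsulation dot1Q 96
 bridge-group 96
interface BVI1
 ip address 10.1.93.20 255.255.255.0
!
! PacketFence needs read-only SNMP and an SSH login (used to deauth a
! client after its VLAN changes); no snmp-server host / trap lines.
snmp-server community public RO
username pfadmin privilege 15 secret pfadmin-password
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
```

Two checks worth doing against this layout: the PacketFence switch entry for the AP should list 95 as the registration VLAN, 96 as guest and 94 as normal, with nothing for 93 or a MAC-detect VLAN; and if PacketFence ever returns a VLAN that is not in the SSID's `vlan ... backup ...` list (for example 95 on SECURE), the AP will not honour it, which is exactly why SECURE here carries auto-registration rather than a registration VLAN.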

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users