On Sep 14, 2012 4:51 AM, "Francois Gaudreault" <[email protected]>
wrote:
>
> Hi,
>
> > Hello, I am trying to convert our inline packetfence setup into VLAN
> > mode.  I seem to be having trouble with SNMP traps being sent from our
> > Cisco 1131's to the PF server.  Although I have it configured to send
> > all SNMP traps to PF, the only ones that get sent are DISASSOCIATE
> > traps... check out this debug output from the switch:
> >
> > The trap is sent fine for the DISASSOC, but not for the ASSOC... any
> > ideas why?
> Don't put too much effort on that... PF is not consuming either trap.
> Even if you send them, we will drop them :)  PF talks only RADIUS or
> SSH/Telnet (to perform deauth) to those APs.  You may also need a read
> community string setup, but that's basically it.
>
> >
> > I also have some questions about this setup... can I do VLAN switching
> > just by using SNMP traps?  Or do I need 802.1x/MAC-auth set up to get
> > that going?  I don't believe that these switches support port-security.
> You need to use AAA (RADIUS).  This is the only way of doing dynamic
> vlan assignment on aironets.
>

Ahhh, OK, I will try to set that up.  Is it OK to have radius on PF doing
VLAN stuff, and a different radius on another server for registration?

> >
> > Another issue I am having is with assigning VLANs to be either
> > Registration or Normal VLANs... here's my desired VLAN breakdown:
> >
> > 96: Guest VLAN (this works)
> > 95: Registration VLAN - hosts associate with an SSID with this VLAN, and
> > after they register, they should be switched to VLAN 94
> > 94: Normal(?) VLAN - hosts will be in here after they pass registration
> > 93: this is my "native VLAN" for the switch, the switch has an IP
> > address in this VLAN and this is the management VLAN for PF
> > 92: MAC detect (?)
> >
> > So, using this scheme, I would put 96 as "Guest VLAN", and 92 as "Mac
> > Detect VLAN", but what about the others?  95 should be a "Registration
> > VLAN", obviously, but what about 94?  Is that another "Registration
> > VLAN", or is that a "Normal VLAN"?  And what would I set 93 to be?
> Your assumptions are right.  94 would be the normal (aka Production)
> VLAN, and you don't need to configure VLAN 93 on the PF side.  This is
> not a VLAN that you will return to the users.
>
> > Also, on the switch itself, I would like two SSIDs: Open (for vlan 96),
> > and Internal (for 95/94).  When I create the SSID on the switch, do I
> > just set Internal to VLAN 95?  How does it know to use VLAN 94 instead
> > after people register?
> Ok here is the thing.  Those APs will not allow you to use an encrypted
> VLAN on a open SSID.  So you need to a) avoid registration on the secure
> SSID or b) have multiple registration vlans.
>
> Now the way it works is simple.  If you refer to our network guide, you
> will see that you need to tell the SSID which VLANs will be used (see
> "vlan x backup y z" line).  So let's take your VLANs, I would do :
>
> OPEN
> - vlan 95 backup 96
>
> SECURE (802.1x w/ auto-reg for example)
> - vlan 94
>
> You do not need the MAC detect VLAN on the wireless.
>
> I hope it helps.  Feel free to ask more questions :)
>

Are you sure the vlans you listed are correct for my setup?  You put open
on 95 with 96 backup, but shouldn't OPEN just have 96, and Internal would
be maybe 95 with 94 backup?  It is a little unclear to me what the backup
vlan is doing in this situation.

Thanks for your help!

> --
> Francois Gaudreault, ing. jr
> [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users