When troubleshooting PacketFence's controlled VLANs (reg / isol) try to follow basic network troubleshooting recommendations:
- is VLAN 2 assigned by packetfence? if not, switch config or pf config is wrong
- did the station get an IP? if not, could be VLAN not reaching up to the server or pf config
- if no IP, hardcode an IP, can you ping 192.168.2.10? if not, VLAN not reaching pf
- if you have an IP through dhcp - can you ping 2.10? can you ping the VLAN interface IP in the switch (if there's one)?

Afterwards, look for http / https problems (telnet).

pfredirect isn't useful, it's mostly a leftover from the 1.6 and before era.

On 09/16/2012 06:27 AM, Ruben R wrote:
>
> Hello all,
>
> I have Cisco 2960 and my DHCP server linked in to Vlan 2 (registration) for
> giving some IPs for unregistered people, but when I link for Vlan2 I don't
> have access for the Packetfence unregistered page and I don't know why. The
> service pfredirect is stopped and maybe it's because that or some lack of
> configuration.
> These are my configs:
>
> ______pf.conf_______
>
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=packetfence
> #
> #
> # general.hostname
> #
> # Hostname of PacketFence system. This is concatenated with the domain in
> # Apache rewriting rules and therefore must be resolvable by clients.
> hostname=pf
> #
> # general.dnsservers
> #
> # Comma-delimited list of DNS servers. Passthroughs are created to allow
> # queries to these servers from even "trapped" nodes.
> dnsservers=4.2.2.1, 4.2.2.2
> #
> # general.dhcpservers
> #
> # Comma-delimited list of DHCP servers. Passthroughs are created to allow
> # DHCP transactions from even "trapped" nodes.
> dhcpservers=192.168.10.10,192.168.2.10,192.168.3.10,192.168.5.10,192.168.200.10,192.168.1.10
> locale=pt_BR
>
> [trapping]
> # trapping.range
> #
> # Comma-delimited list of address ranges/CIDR blocks that PacketFence will
> # monitor/detect/trap on. Gateway, network, and
> # broadcast addresses are ignored.
> range=192.168.2.0/24,192.168.3.0/24,192.168.5.0/24,192.168.10.0/24,192.168.200.0/24,192.168.1.0/24
> #
> #
> # trapping.registration
> #
> # If enabled, nodes will be required to register on first network access.
> # Further registration options are configured in the
> # registration section.
> registration=enabled
> redirecturl=https://www.pf.packetfence
> #
> # trapping.detection
> #
> # Enables snort-based worm detection. If you don't have a span interface
> # available, don't bother enabling it. If you do,
> # you'll most definitely want this on.
> detection=enabled
>
> [database]
> #
> # database.pass
> #
> # Password for the mysql database used by PacketFence.
> pass=root
>
> [servicewatch]
> #
> # servicewatch.restart
> #
> # Should pfcmd service pf watch restart PF if services are not running?
> # You must make sure to call the watch command. Installing it in the cron is the
> # recommended approach:
> # */5 * * * * /usr/local/pf/bin/pfcmd service pf watch
> restart=enabled
>
> [registration]
> #
> # registration.auth
> #
> # Method by which registering nodes will be authenticated. Templates for
> # LDAP, RADIUS, Kerberos, local and guests are
> # available at <conf_dir>/authentication. If you wish to use a different
> # authentication mechanism, simply create
> # a file called <conf_dir>/authentication/<authname>.pm, fill it with the
> # necessary data, and set
> # auth=<authname>. The default value, local, relies on a local access file
> # in <conf_dir>/user.conf.
> auth=radius
> default_auth=radius
>
> [interface eth0]
> ip=192.168.1.10
> mask=255.255.255.0
> type=management
> gateway=192.168.1.10
>
> #
> [interface eth0.200]
> ip=192.168.200.10
> mask=255.255.255.0
> type=internal,monitor
> enforcement=inline
> gateway=192.168.200.10
>
> [guests_self_registration]
> modes=email,sponsor
> category = guest
> email_activation_timeout = 10m
> allow_localdomain = enabled
> mandatory_fields = firstname, lastname, phone, email
> guest_pid = email
> sponsors_only_from_localdomain=yes
> sponsor_authentication = local
> preregistration = enabled
>
>
> # REMOVE COMMENTS TO ENABLE VLAN MODE
> [interface eth0.2]
> ip=192.168.2.10
> mask=255.255.255.0
> type=internal
> enforcement=vlan
> gateway=192.168.2.1
>
> [interface eth0.3]
> ip=192.168.3.10
> mask=255.255.255.0
> type=internal
> enforcement=vlan
> gateway=192.168.3.1
>
> [interface eth0.5]
> ip=192.168.5.10
> mask=255.255.255.0
> type=internal
> enforcement=vlan
> gateway=192.168.5.1
>
> [interface eth0.10]
> ip=192.168.10.10
> mask=255.255.255.0
> type=internal
> enforcement=vlan
> gateway=192.168.10.1
>
> [captive_portal]
> network_detection_ip=192.168.8.10
>
>
> [vlan]
> trap_limit = enabled
> trap_limit_threshold = 100
> trap_limit_action =
>
>
> [scan]
> engine=nessus
> host=127.0.0.1
> nessus_clientfile= basic-policy.nessus
> nessus_clientpolicy = basic-policy
> pass = nessusUserPassword
> registration = enabled
> user = nessusUsername
>
>
> _____networks.conf______
>
> [192.168.200.0]
> type=inline
> netmask=255.255.255.0
> gateway=192.168.200.10
> dns=192.168.200.1
> dhcp_start=192.168.200.10
> dhcp_end=192.168.200.254
> dhcp_default_lease_time=300
> dhcp_max_lease_time=600
> named=enabled
> dhcpd=enabled
> next_hop=
> domain-name=nac.zen.packetfence.org
>
> # REMOVE COMMENTS TO ENABLE DHCP IN VLAN MODE
> [192.168.2.0]
> type=vlan-registration
> netmask=255.255.255.0
> gateway=192.168.2.10
> next_hop=
> named=enabled
> domain-name=registration.packetfence.local
> dns=192.168.2.10
> dhcpd=enabled
> dhcp_start=192.168.2.10
> dhcp_end=192.168.2.254
> dhcp_default_lease_time=300
> dhcp_max_lease_time=300
>
> [192.168.3.0]
> type=vlan-idn
> netmask=255.255.255.0
> gateway=192.168.3.10
> next_hop=
> named=enabled
> domain-name=isolation.packetfence.local
> dns=192.168.3.10
> dhcpd=enabled
> dhcp_start=192.168.3.10
> dhcp_end=192.168.3.254
> dhcp_default_lease_time=300
> dhcp_max_lease_time=300
>
> [192.168.5.0]
> type=vlan-registration
> netmask=255.255.255.0
> gateway=192.168.5.10
> pf_gateway=
> named=disabled
> domain-name=guests.packetfence.local
> dns=192.168.5.10
> dhcpd=enabled
> dhcp_start=192.168.5.10
> dhcp_end=192.168.5.254
> dhcp_default_lease_time=300
> dhcp_max_lease_time=300
>
>
> # REMOVE COMMENTS TO ENABLE DHCP IN PROD NETWORK
> [192.168.10.0]
> type=vlan-registration
> netmask=255.255.255.0
> gateway=192.168.10.10
> pf_gateway=
> named=disabled
> domain-name=production.packetfence.local
> dns=192.168.10.10
> dhcpd=enabled
> dhcp_start=192.168.10.10
> dhcp_end=192.168.10.254
> dhcp_default_lease_time=300
> dhcp_max_lease_time=300
>
>
> _____switches.conf_____
>
> [default]
> vlans = 1,2,3,4,5,10,200
> managementVlan = 1
> registrationVlan = 2
> isolationVlan = 3
> macDetectionVlan = 4
> guestVlan = 5
> normalVlan = 10
> customVlan1 =
> customVlan2 =
> customVlan3 =
> customVlan4 =
> customVlan5 =
> VoIPEnabled = no
> voiceVlan =
>
> SNMPCommunityTrap=public
>
> mode = testing
> macSearchesMaxNb = 30
> macSearchesSleepInterval = 2
> uplink = dynamic
>
> #
> # Command Line Interface
> #
> # cliTransport could be: Telnet, SSH or Serial
> cliTransport = Telnet
> cliUser =
> cliPwd =
> cliEnablePwd =
>
> #
> # SNMP section
> #
>
> # PacketFence -> Switch
> SNMPVersion = 3
> SNMPCommunityRead = public
> SNMPCommunityWrite = private
> #SNMPEngineID = 0000000000000
> SNMPUserNameRead = readUser
> SNMPAuthProtocolRead = MD5
> SNMPAuthPasswordRead = authpwdread
> SNMPPrivProtocolRead = AES
> SNMPPrivPasswordRead = privpwdread
> SNMPUserNameWrite = writeUser
> SNMPAuthProtocolWrite = MD5
> SNMPAuthPasswordWrite = authpwdwrite
> SNMPPrivProtocolWrite = AES
> SNMPPrivPasswordWrite = privpwdwrite
>
> # Switch -> PacketFence
> SNMPVersionTrap = 3
> SNMPUserNameRead = readUser
> SNMPCommunityTrap = public
> SNMPAuthProtocolTrap = MD5
> SNMPAuthPasswordTrap = authpwdread
> SNMPPrivProtocolTrap = AES
> SNMPPrivPasswordTrap = privpwdread
>
> #
> # Web Services Interface
> #
> # wsTransport could be: http or https
> wsTransport = http
> wsUser = admin
> wsPwd = admin_pwd
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret= secretPassPhrase
> #
> # Roles support
> #
> # This controls the ability to assign roles along with VLANs when accepting
> # a node. This is experimental for now and the format is meant to change.
> # Format: <category_name1>=<controller_role1>;<category_name2>=<controller_role2>;...
> roles=
>
> [127.0.0.1]
> type = PacketFence
> mode = production
> uplink = dynamic
> # SNMP Traps v1 are used for internal messages
> SNMPVersionTrap=1
> SNMPCommunityTrap=public
>
> [192.168.0.1]
> type = Cisco::Catalyst_2900XL
> mode = production
> uplink = 23,24
> SNMPVersion = 3
> SNMPEngineID = 0000000000000
> SNMPUserNameRead = readUser
> SNMPAuthProtocolRead = MD5
> SNMPAuthPasswordRead = authpwdread
> SNMPPrivProtocolRead = DES
> SNMPPrivPasswordRead = privpwdread
> SNMPUserNameWrite = writeUser
> SNMPAuthProtocolWrite = MD5
> SNMPAuthPasswordWrite = authpwdwrite
> SNMPPrivProtocolWrite = DES
> SNMPPrivPasswordWrite = privpwdwrite
> SNMPVersionTrap = 3
> SNMPUserNameTrap = readUser
> SNMPAuthProtocolTrap = MD5
> SNMPAuthPasswordTrap = authpwdread
> SNMPPrivProtocolTrap = DES
> SNMPPrivPasswordTrap = privpwdread
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT
> managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
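The first item in the reply above ("switch config or pf config is wrong") is quicker to rule out when pf.conf and networks.conf are cross-checked mechanically. The script below is an added example, not PacketFence code: it embeds a constructed subset of the two files quoted in the question and flags an enforcement=vlan interface with no matching networks.conf network, and a DHCP pool that contains PacketFence's own interface address on that VLAN (as dhcp_start=192.168.2.10 does above). The two check rules are this example's own choice, not PacketFence's validation logic.

```python
import configparser
import ipaddress

# Constructed subset of the pf.conf quoted in the question.
PF_CONF = """
[interface eth0.2]
ip=192.168.2.10
mask=255.255.255.0
enforcement=vlan
[interface eth0.3]
ip=192.168.3.10
mask=255.255.255.0
enforcement=vlan
"""
# Constructed subset of the networks.conf quoted in the question (registration network only).
NETWORKS_CONF = """
[192.168.2.0]
type=vlan-registration
netmask=255.255.255.0
gateway=192.168.2.10
dhcpd=enabled
dhcp_start=192.168.2.10
dhcp_end=192.168.2.254
"""

def load(text):
    # PacketFence's files are INI-style; full-line "#" comments are accepted by configparser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check(pf_text, networks_text):
    """Return (interface, problem) pairs for every enforcement=vlan interface."""
    pf, nets = load(pf_text), load(networks_text)
    problems = []
    for section in pf.sections():
        if not section.startswith("interface ") or pf[section].get("enforcement") != "vlan":
            continue
        iface = section.split(" ", 1)[1]
        ip = ipaddress.ip_address(pf[section]["ip"])
        net = ipaddress.ip_network(f"{ip}/{pf[section]['mask']}", strict=False)
        key = str(net.network_address)  # networks.conf sections are named by network address
        if key not in nets:  # no DHCP/DNS definition for this VLAN at all
            problems.append((iface, f"no [{key}] section in networks.conf"))
            continue
        n = nets[key]
        if n.get("dhcpd") == "enabled":
            lo, hi = ipaddress.ip_address(n["dhcp_start"]), ipaddress.ip_address(n["dhcp_end"])
            if lo <= ip <= hi:  # the pool would hand out PacketFence's own address
                problems.append((iface, f"dhcp pool {lo}-{hi} includes PacketFence IP {ip}"))
    return problems
```

Point `load()` at the real files under /usr/local/pf/conf to run it against a live install; an empty list means the two files agree for every VLAN-enforced interface.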
