On 2012-10-03 7:40 PM, Gavin Pyle wrote:
> Francois, (or anyone else willing to chime in)
>
> Thanks for the help.  My replies to your questions/statements are below...
>
> Francois> Hmm... can you "manually" check into the locationlog table to see 
> the data?  It sounds weird to me.  Is it possible that the switch didn't send 
> any traps to PF, and just authorized the node to the new port because it was 
> already authorized somewhere else on the switch?  Is your port configuration 
> aligned with what we have in the guide?
>
> I'm definitely receiving port-security traps.  In fact this is for a student 
> housing complex, so on some ports I'm hitting the trap limit because they've 
> connected a WAP or Router to our switch port.  For those ports does it make 
> sense (and is it okay) to increase the maximum secure addresses (ie - 
> switchport port-security maximum 10 vlan access)?  I want every device to be 
> authorized, however, and I have trapping.registration set to disabled.  I 
> think I've identified the port mapping issue as an issue with the ifIndex 
> values on the switch, and I thought reconfiguring the initial port security 
> "dummy" secure mac addresses on the switch with the proper corresponding 
> ifIndex values would solve the issue, but after implementing this I've found 
> that it helps only for the first MAC address detected on a port.  Any other 
> way to fix this???
>
> I've checked the locationlog table and it is definitely seeing traps... 
> here's an excerpt:
>
> '28:6a:ba:2c:30:b5', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', 
> '2012-09-28 16:20:43', '2012-09-28 16:20:46'
> '08:86:3b:19:cb:75', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', 
> '2012-09-28 16:20:46', '2012-09-28 16:20:50'
> '28:6a:ba:2c:30:b5', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', 
> '2012-09-28 16:20:50', '2012-09-28 16:20:54'
> '08:86:3b:19:cb:75', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', 
> '2012-09-28 16:20:54', '2012-09-28 16:20:58'
>
> So this is one of the interfaces that has several MAC addresses hanging off 
> it (such as a WAP, switch or SOHO Router).
In fact if you have allowed only 1 mac to connect, you will always get 
the latest seen, and it will always auth-deauth. So only one person will 
have access at the same time.

The only proper way to fix this problem is using 802.1X with Multiple 
Host on the port.  The first pc will authorize (or even the WAP itself), 
and all other macs will be allowed.  You *cannot* use port-security with 
maximum 10 for example with PF.


>
> Francois> Please let me know the IOS version, and switch model.
>
> One of the switch models having this issue is a WS-C3550-48-EMI, Cisco IOS 
> Software, C3550 Software (C3550-IPBASEK9-M), Version 12.2(50)SE, RELEASE 
> SOFTWARE (fc1).  I don't seem to be having the issue with the HP Procurve 
> 2510 model switch that is also in use.  We plan on replacing the Cisco 
> switches with the cheaper HP 2510's as budget allows (3yrs to completion).
Is this the latest firmware available?  You should try to update and retest.

>
> Francois> Ok so the rule has been triggered for an OUTSIDER IP (Tracker 
> response to a local client). We just validate outgoing traffic, not incoming.
>
> I want snort to validate the outgoing traffic, but it doesn't seem to be 
> catching that.  Something wrong with my snort config?  I haven't modified it 
> in any way from what was provided with PacketFence.  Do I need to?
Make sure your HOME_NET is properly set.  The template is in 
conf/snort.conf, and the generated file is var/conf/snort.conf.

>
> Francois> To trap the user, you need the "trap" actions, and you also need 
> the proper trapping.range configured in pf.conf.  trapping.range represents 
> the internal subnets in your network (ie. 10.0.0.0/8 will catch all 10 ips)
>
> I've not set the trap action yet because I'm not receiving any e-mail alerts, 
> nor seeing any violations in the violations.log yet.  I have the trapping 
> parameters defined as follows:
Fair enough :)

>
> [trapping]
> detection=enabled
> range=192.168.0.0/16,172.20.0.0/16,10.0.0.0/8,172.168.0.0/16
> registration=disabled
>
> We've got some Comcast modems that were incorrectly configured (by Comcast) 
> to hand out 172.168.x.x/24 addresses, so that is why I have the 
> 172.168.0.0/16 range defined.  I plan on reconfiguring all the modems soon 
> and then they'll all fall into the 172.20.x.x/16 range.
Do you see the alert coming from snort in packetfence.log?

Thanks!

-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
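The locationlog excerpt above shows the pattern Francois describes: two MACs on the same switch port, each session ending at the exact second the other one starts, with dwell times of a few seconds. The following script is an added example (not PacketFence code, and not from anyone in this thread) that parses rows in the format of that excerpt and flags ports showing this auth/deauth ping-pong, so an operator can find every port that needs the 802.1X Multiple Host treatment rather than reading the table by hand. The column order is assumed to be (mac, switch, port, vlan, connection_type, dot1x_username, ssid, start_time, end_time); the detector only groups on switch and port, so even if port and vlan are swapped in that assumption the rows for one physical interface still land in one group. The first four rows are Gavin's excerpt; the fifth is a constructed healthy port for contrast. Thresholds (`min_macs`, `max_dwell_s`) are my own choices.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Assumed locationlog column layout (not confirmed by the thread). Only mac,
# switch, port and the two timestamps are used below.
COLUMNS = ["mac", "switch", "port", "vlan", "connection_type",
           "dot1x_username", "ssid", "start_time", "end_time"]

# Rows 1-4: the excerpt from the mailing-list post.
# Row 5: constructed, one device on port 7 that stayed put for an hour.
LOCATIONLOG_DUMP = """\
'28:6a:ba:2c:30:b5', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:43', '2012-09-28 16:20:46'
'08:86:3b:19:cb:75', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:46', '2012-09-28 16:20:50'
'28:6a:ba:2c:30:b5', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:50', '2012-09-28 16:20:54'
'08:86:3b:19:cb:75', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:54', '2012-09-28 16:20:58'
'00:11:22:33:44:55', '10.101.12.181', '7', '108', 'SNMP-Traps', '', '', '2012-09-28 15:00:00', '2012-09-28 16:00:00'
"""


class Session(NamedTuple):
    mac: str
    switch: str
    port: str
    start: datetime
    end: datetime


class Finding(NamedTuple):
    switch: str
    port: str
    macs: Tuple[str, ...]   # distinct MACs seen on the port, sorted
    handoffs: int           # sessions that ended the instant another MAC's began
    max_dwell_s: float      # longest any single session lasted


def parse_locationlog(dump: str) -> List[Session]:
    """Parse single-quoted, comma-separated locationlog rows into Sessions."""
    sessions: List[Session] = []
    reader = csv.reader(io.StringIO(dump), quotechar="'", skipinitialspace=True)
    for row in reader:
        if not row:
            continue
        rec = dict(zip(COLUMNS, row))
        sessions.append(Session(
            mac=rec["mac"].lower(),
            switch=rec["switch"],
            port=rec["port"],
            start=datetime.strptime(rec["start_time"], "%Y-%m-%d %H:%M:%S"),
            end=datetime.strptime(rec["end_time"], "%Y-%m-%d %H:%M:%S"),
        ))
    return sessions


def find_flapping_ports(sessions: List[Session], min_macs: int = 2,
                        max_dwell_s: float = 60.0) -> List[Finding]:
    """Flag (switch, port) pairs where several MACs keep evicting each other.

    The signature of port-security 'maximum 1' with more than one device
    behind the port: every session is short, and each one ends at exactly
    the timestamp a different MAC's session starts.
    """
    by_port: Dict[Tuple[str, str], List[Session]] = defaultdict(list)
    for s in sessions:
        by_port[(s.switch, s.port)].append(s)

    findings: List[Finding] = []
    for (switch, port), sess in sorted(by_port.items()):
        sess.sort(key=lambda s: s.start)
        macs = tuple(sorted({s.mac for s in sess}))
        if len(macs) < min_macs:
            continue  # a single device on the port is never a flap
        dwell = [(s.end - s.start).total_seconds() for s in sess]
        handoffs = sum(1 for a, b in zip(sess, sess[1:])
                       if a.end == b.start and a.mac != b.mac)
        if handoffs > 0 and max(dwell) <= max_dwell_s:
            findings.append(Finding(switch, port, macs, handoffs, max(dwell)))
    return findings


if __name__ == "__main__":
    for f in find_flapping_ports(parse_locationlog(LOCATIONLOG_DUMP)):
        print(f"{f.switch} port {f.port}: {len(f.macs)} MACs, "
              f"{f.handoffs} back-to-back handoffs, max dwell {f.max_dwell_s:.0f}s")
```

Run against the excerpt, the script reports only port 13 on 10.101.12.181: two MACs, three back-to-back handoffs, and no session longer than four seconds, which is exactly the "latest seen wins, auth then deauth" behaviour Francois describes. The constructed port 7 row is ignored because one MAC alone can never hand off to itself. Feeding the script a full `SELECT ... FROM locationlog` dump in the same quoting style gives the list of ports that are carrying a WAP, switch or SOHO router behind a single-address port-security limit.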

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users