Hello Amanda,
with a 3750 switch you can use port-security or MAB.
Don't try linkup/linkdown; you will waste your time.
With port security you must follow the instruction in the network device
configuration, like:
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
switchport access vlan 4
switchport port-security
switchport port-security maximum 1 vlan access
switchport port-security violation restrict
switchport port-security mac-address 0200.000x.xxxx
After that, you have to verify that you receive SNMP traps from the switch;
look at /usr/local/pf/logs/snmptrapd.log
Your problem is that PacketFence doesn't know where your node is, so it
can't take actions to change the VLAN.
Regards
Fabrice
On 2013-03-19 08:48, Berlin, Amanda - Information Systems wrote:
Hey all,
Any help would be appreciated. I'm currently setting up Packetfence
for the first time, and I've never set up a NAC before. I've used the
ZEN installation and I'm stuck. I have a VM with 2 NICs. One is on a
management VLAN (eth1) and the other is the trunk port for the other 5
packetfence VLANs I've created (eth0.310 -- eth0.314). I can
successfully put a PC on my registration VLAN (311) and login locally
with the demo user account. After that I get "Unable to detect network
connectivity" and then "Sorry! Your network should be enabled within a
minute or two". I think the problem might be with the snmp between the
switch and packetfence, but I'm not positive. I've tried setting
port-security snmp traps and up/down link traps and neither seems to
work. I've also tried SNMP 1, 2c, and 3. I can do an snmpwalk from the
packetfence server to the switch.
The only thing of use that I get in my packetfence.log is:
Mar 19 08:37:47 redir.cgi(0) INFO: Static User-Agent lookup data
initialized (pf::useragent::_init)
Mar 19 08:37:47 redir.cgi(0) INFO: MAC 18:a9:05:xx:xx:xx shouldn't
reach here. Calling access re-evaluation. Make sure your network
device configuration is correct.
(ModPerl::ROOT::ModPerl::PerlRun::usr_loc$
Mar 19 08:37:47 redir.cgi(0) INFO: re-evaluating access for node
18:a9:05:cd:05:1c (redir.cgi called) (pf::enforcement::reevaluate_access)
Mar 19 08:37:47 redir.cgi(0) WARN: Can't re-evaluate access for mac
18:a9:05:xx:xx:xx because no open locationlog entry was found
(pf::enforcement::reevaluate_access)
Here is a portion of switches.conf:
[172.16.25.41]
type=Cisco::Catalyst_3750
vlans=310,311,312,313,314
normalVlan=310
registrationVlan=311
isolationVlan=312
macDetectionVlan=313
guestVlan=314
uplink=1
deauthMethod=SSH
SNMPVersionTrap=3
SNMPUserNameTrap=PACKETFENCE_READ_USER
SNMPAuthProtocolTrap=MD5
SNMPAuthPasswordTrap=READPASSWORD
SNMPPrivProtocolTrap=AES
SNMPPrivPasswordTrap=READPASSWORD2
SNMPCommunityWrite=PACKETFENCE
SNMPEngineID=1234000000000000
SNMPUserNameRead=PACKETFENCE_READ_USER
SNMPAuthProtocolRead=MD5
SNMPAuthPasswordRead= READPASSWORD
SNMPPrivProtocolRead=AES
SNMPPrivPasswordRead= READPASSWORD2
SNMPUserNameWrite=PACKETFENCE_WRITE_USER
SNMPAuthProtocolWrite=MD5
SNMPAuthPasswordWrite=WRITEPASSWORD
SNMPPrivProtocolWrite=AES
SNMPPrivPasswordWrite= WRITEPASSWORD 2
controllerIp=
cliTransport=SSH
cliUser=packetfence
cliPwd=CLIPASSWORD
cliEnablePwd=CLIENABLE
mode=production
SNMPVersion=3
SNMPCommunityTrap=PACKETFENCESNMPTRAP
SNMPCommunityRead= PACKETFENCESNMPTRAP2
Switch config (the one setup for link up/down):
snmp trap mac-notification change added
snmp-server engineID local 123450000000000000000000
snmp-server group PFREADGROUP v3 priv notify *tv.00000001.00000000.00000020.000000000F
snmp-server group PFWRITEGROUP v3 priv read PFREADVIEW write PFWRITEVIEW
snmp-server community PACKETFENCESNMPTRAP RW
snmp-server community PACKETFENCESNMPTRAP2 RO
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 172.16.250.16 version 3 priv PFREADUSER
mac-notification snmp
Thanks again!
Amanda Berlin, MCSA, MCDST, A+
Network Analyst
Information Systems
Firelands Regional Medical Center
419-557-6772
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
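
Added example, not part of the original thread and not PacketFence's own code: a Python check that a switch configuration contains the port-security lines listed in the reply, plus a helper that pulls the MACs from the "no open locationlog entry" warning out of packetfence.log. The interface name and the sample strings are assumptions, constructed from the excerpts quoted in this thread.

```python
import re

# Checklist built from the port-security lines in the reply above:
# label -> pattern that must match one whole configuration line.
REQUIRED = {
    "port-security traps enabled": r"snmp-server enable traps port-security",
    "trap rate set": r"snmp-server enable traps port-security trap-rate \d+",
    "trap host gets port-security": r"snmp-server host \S+ .*\bport-security",
    "port security on access port": r"switchport port-security",
    "one MAC per access VLAN": r"switchport port-security maximum 1 vlan access",
    "violation mode restrict": r"switchport port-security violation restrict",
    "static MAC placeholder": r"switchport port-security mac-address \S+",
}
WARN_RE = re.compile(
    r"WARN: Can't re-evaluate access for mac (\S+) "
    r"because no open locationlog entry was found")

def missing_port_security(config):
    """Return the checklist labels that no configuration line satisfies."""
    lines = [ln.strip() for ln in config.splitlines()]
    return [label for label, pat in REQUIRED.items()
            if not any(re.fullmatch(pat, ln) for ln in lines)]

def unlocated_macs(log):
    """Return MACs that PacketFence could not place on a switch port."""
    return sorted(set(WARN_RE.findall(log)))

# Constructed samples (lines copied from the two configurations in the thread;
# the interface name is hypothetical, the log line is unwrapped).
LINKUP_CONFIG = """\
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move threshold
snmp-server host 172.16.250.16 version 3 priv PFREADUSER
"""
PORTSEC_CONFIG = """\
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.1.5 version 2c public port-security
interface GigabitEthernet1/0/1
 switchport access vlan 4
 switchport port-security
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
 switchport port-security mac-address 0200.000x.xxxx
"""
SAMPLE_LOG = """\
Mar 19 08:37:47 redir.cgi(0) WARN: Can't re-evaluate access for mac 18:a9:05:xx:xx:xx because no open locationlog entry was found (pf::enforcement::reevaluate_access)
"""

if __name__ == "__main__":
    print(missing_port_security(LINKUP_CONFIG), unlocated_macs(SAMPLE_LOG))
```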