Thank you Jake for the tips.

May I ask you one more question? Did you use Web UI or edit the PF config
file directly when changing the configuration?

Regards,
Jacky



On Tue, Jul 9, 2013 at 11:53 AM, Sallee, Stephen (Jake) <
[email protected]> wrote:

> I don’t think my pf.conf would help very much as it is almost default :).
>
> For PF issues I have found that tackling them one at a time is the best
> route. Follow the admin guide for the vlan deployment and post to this
> list when you have a problem. Inverse (the people who make PF) are very
> active on this list and users like myself will also chime in if we think we
> can help.
>
> My switch config is set to deny access to the network if the RADIUS (aka
> PF) server is down, but depending on your needs you can configure a
> failover vlan to drop the users into should MAB fail. Also, should you get
> brave and in the future wish to tackle 802.1x, this config works well for
> that too, just enable 802.1x on the ports. You can even configure a 3 tier
> auth system where clients try 802.1x first, then fall back to MAB, and
> finally get put into a specific vlan as a last resort.
>
> Good luck! Please don’t hesitate to post to this list for help, but you
> may be able to save yourself some trouble if you search the archives before
> you post, many times someone else has had the same problem and you can find
> the solution immediately.
>
> http://sourceforge.net/mailarchive/forum.php?forum_name=packetfence-users
>
> Here are the important bits of the switch config:
>
> Global config:
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa accounting dot1x default start-stop group radius
> aaa accounting system default start-stop group radius
>
> snmp-server community <your SNMP string here> RW
> radius-server host <your RADIUS server IP> auth-port 1812 acct-port 1813 key <your RADIUS secret here>
> radius-server key 7 <your RADIUS secret here>
> radius-server vsa send authentication
>
> Port config:
> description NAC_Controlled
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> authentication order mab
> authentication port-control auto
> mab
> mls qos trust cos
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard loop
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
> HTTP://WWW.UMHB.EDU
>
> *From:* forbmsyn [mailto:[email protected]]
> *Sent:* Tuesday, July 09, 2013 9:53 AM
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] Swtich Port Security Violation issue
>
> Hi Jake,
>
> This is my first time configuring PacketFence so I just followed the
> instructions to do the configuration. No specific reason for using SNMP
> traps.
>
> Yes, please send the config of your switch to me if it is convenient for
> you. Can you also send me the config file of the packet fence? I am
> struggling with PF to get it to work. Much appreciated.
>
> Regards,
> Jacky
>
> On Tue, Jul 9, 2013 at 10:23 AM, Sallee, Stephen (Jake) <
> [email protected]> wrote:
>
> May I respectfully ask why you are using SNMP traps?
>
> I ask only because I have about 100 of those switches and they work
> wonderfully with MAB which has been much more scalable and reliable in my
> experience.
>
> MAB gives you the same results as SNMP traps with much finer grained
> control and more graceful error handling.
>
> I can send you the relevant config snippets from one of my switches if you
> would like.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
> HTTP://WWW.UMHB.EDU
>
> *From:* Fabrice DURAND [mailto:[email protected]]
> *Sent:* Tuesday, July 09, 2013 9:09 AM
> *To:* [email protected]
> *Subject:* Re: [PacketFence-users] Swtich Port Security Violation issue
>
> Hello,
> add:
> snmp-server community public RO
> snmp-server community private RW
>
> in your switch config.
>
> Regards
> Fabrice
>
> On 2013-07-08 18:08, forbmsyn wrote:
>
> Hi,
>
> I have a Cisco 2960 switch. On port #3 I have a laptop plugged in. Then I
> have the following error message on the Packet fence server and the switch.
>
> Error message from the packet fence server:
>
> Jul 08 14:00:05 pfsetvlan(24) INFO: secureMacAddrViolation trap on 192.168.1.12 ifIndex 10003. Port Security is no longer configured on the port. Flush the trap (main::signalHandlerTrapListQueued)
>
> And the error message from the switch:
>
> *Mar  4 01:21:08.599: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address dc0e.a18a.d48f on port FastEthernet0/3.
>
> Below is the config of the switch:
>
> pfsw2960#show running-config
> Building configuration...
>
> Current configuration : 3992 bytes
> !
> ! Last configuration change at 23:26:42 UTC Wed Mar 3 1993
> !
> version 12.2
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname pfsw2960
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 $1$v6AY$CHpQRFjE5It5ggqY80s9Y0
> !
> username admin password 0 admin
> no aaa new-model
> system mtu routing 1500
> !
> !
> !
> !
> crypto pki trustpoint TP-self-signed-3219086464
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-3219086464
>  revocation-check none
>  rsakeypair TP-self-signed-3219086464
> !
> !
> crypto pki certificate chain TP-self-signed-3219086464
>  certificate self-signed 01
>         quit
> !
> !
> !
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> vlan internal allocation policy ascending
> !
> !
> !
> !
> !
> !
> interface FastEthernet0/1
>  switchport access vlan 4
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0001
> !
> interface FastEthernet0/2
>  switchport access vlan 4
>  switchport mode access
>  switchport port-security maximum 2
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0002
> !
> interface FastEthernet0/3
>  switchport access vlan 4
>  switchport mode access
>  switchport port-security maximum 2
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0000.0003
> !
> interface FastEthernet0/4
> !
> interface FastEthernet0/5
> !
> interface FastEthernet0/6
> !
> interface FastEthernet0/7
> !
> interface FastEthernet0/8
> !
> interface FastEthernet0/9
> !
> interface FastEthernet0/10
> !
> interface FastEthernet0/11
> !
> interface FastEthernet0/12
> !
> interface FastEthernet0/13
> !
> interface FastEthernet0/14
> !
> interface FastEthernet0/15
> !
> interface FastEthernet0/16
> !
> interface FastEthernet0/17
> !
> interface FastEthernet0/18
> !
> interface FastEthernet0/19
> !
> interface FastEthernet0/20
> !
> interface FastEthernet0/21
> !
> interface FastEthernet0/22
> !
> interface FastEthernet0/23
> !
> interface FastEthernet0/24
>  switchport mode trunk
> !
> interface GigabitEthernet0/1
> !
> interface GigabitEthernet0/2
> !
> interface Vlan1
>  ip address 192.168.1.12 255.255.255.0
> !
> ip http server
> ip http secure-server
> logging esm config
> snmp-server enable traps snmp linkdown linkup
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server enable traps mac-notification change move threshold
> snmp-server host 192.168.1.5 version 2c public  port-security
> !
> line con 0
> line vty 0 4
>  login
> line vty 5 15
>  login
> !
> end
>
> pfsw2960#
>
> What's wrong with my configuration?
>
> Thank you!
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
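
An offline check for two conditions visible in the running-config quoted in this thread, added here as an example and not part of any poster's message or of PacketFence: port-security traps enabled with no snmp-server community defined (the lines Fabrice says to add), and an interface such as FastEthernet0/1 that carries port-security options without the enabling "switchport port-security" line. The names parse and audit are hypothetical, and the sample is trimmed from the posted config.

```python
# Constructed sample: a trimmed excerpt of the running-config quoted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 4
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0001
!
interface FastEthernet0/3
 switchport access vlan 4
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0003
!
snmp-server enable traps port-security
snmp-server host 192.168.1.5 version 2c public  port-security
"""

def parse(config):
    """Split a running-config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], [])
        elif raw.startswith(" ") and current is not None and line != "!":
            current.append(line)
        else:
            current = None  # "!" or a global command ends the interface block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit(config):
    """Flag the two conditions described in the lead-in (hypothetical helper)."""
    global_lines, interfaces = parse(config)
    findings = []
    traps = any(l.startswith("snmp-server enable traps port-security") for l in global_lines)
    community = any(l.startswith("snmp-server community ") for l in global_lines)
    if traps and not community:
        findings.append("port-security traps enabled but no snmp-server community defined")
    for name, cmds in interfaces.items():
        has_options = any(c.startswith("switchport port-security ") for c in cmds)
        if has_options and "switchport port-security" not in cmds:
            findings.append(f"{name}: port-security options set but feature not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```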