>> Ideas? Suggestions?
Yes.
A word of caution. Like many complex things, PacketFence can become bewildering
and extremely confusing if you do not take care.
First, you will want to NOT use a MAC detection vlan. It is clunky, and it
doesn’t scale well. Since you are on a Cisco 4506 you should be able to use
RADIUS with MAC Authentication Bypass (MAB). This has the same net effect as a
MAC vlan but it is MUCH easier to implement and maintain and much less prone to
failure.
Also, since all of your vlan switching will be done on such a nice switch you
will want to use SNMP NOT ssh or http. Generate a good long cryptic SNMP
string and go to town. You can use SNMPv3 if you want but we are using v2c
with great success.
Search the list archives for my name and you will find a post that gives you
the exact config I am using on my Cisco 2960s; it should translate to your 4506
nicely.
Also, check your firewall on the PF box! For some reason mine was not allowing
traffic when it should have been. Make sure you can get to your PF box on TCP
22, 80, and 443. The switch will need ports 1812 and 1813 for RADIUS too.
The normal vlan is missing from the web configurator because that is defined on
the managed switches individually in the Admin WebUI. And the MAC detection
vlan is strictly on the switch and communicates with the PF box via the same
interface as the registration interface. But that shouldn’t matter because you
really shouldn’t use it unless you HAVE to.
Give that a go and let us know how it went!
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
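As an added example (not part of the reply above or of PacketFence itself), this checks an `iptables-save` dump of the PF box's INPUT chain for the ports the reply lists (TCP 22, 80, 443 and UDP 1812, 1813), applying iptables' first-match semantics and the chain policy; the dump is constructed, as is the switch address 10.0.0.2.

```python
# Ports the reply says the PF box must accept: TCP for admin/portal, UDP for RADIUS.
REQUIRED = [("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 1812), ("udp", 1813)]

# Constructed `iptables-save` output standing in for a misconfigured PF box.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.2/32 -p udp -m udp --dport 1812 -j ACCEPT
COMMIT
"""

def expand_ports(spec):
    """Expand '22,80' and '1812:1813' style specs into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_input_chain(dump):
    """Return (policy, rules) for INPUT; a rule is (proto, ports, target).
    Rules without -p and --dport(s) are skipped: their other criteria
    (interface, conntrack state) are not modelled here."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        tok = line.split()
        if line.startswith(":INPUT "):
            policy = tok[1]
        elif line.startswith("-A INPUT ") and "-p" in tok:
            flag = next((f for f in ("--dport", "--dports") if f in tok), None)
            if flag:
                rules.append((tok[tok.index("-p") + 1],
                              expand_ports(tok[tok.index(flag) + 1]),
                              tok[tok.index("-j") + 1]))
    return policy, rules

def check_required(dump, required=REQUIRED):
    """Verdict per port: first matching rule wins, else the chain policy."""
    policy, rules = parse_input_chain(dump)
    return {(proto, port): next((t for p, ports, t in rules
                                 if p == proto and port in ports), policy)
            for proto, port in required}

def blocked_ports(dump, required=REQUIRED):
    """Required ports whose verdict is anything other than ACCEPT."""
    return sorted(k for k, v in check_required(dump, required).items() if v != "ACCEPT")
```

Run `blocked_ports(SAMPLE_DUMP)` against the constructed dump and it reports TCP 443 (the DROP rule precedes the ACCEPT) and UDP 1813 (no rule, so the DROP policy applies).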
From: Dell Thornhill [mailto:[email protected]]
Sent: Tuesday, October 15, 2013 8:43 AM
To: [email protected]
Subject: [PacketFence-users] VLAN configuration for Enforcement
So I'm having a really hard time getting PacketFence setup for VLAN Enforcement
in my test network.
PF Version: 4.0.6-2
Switch: Cisco 4506, IOS 12.2(54)SG1
I think I understand the concept; you assign your switchports to the MAC
Detection VLAN (4) and when you plug in a computer it starts sending out DHCP
requests which PF "hears" via ip-helper and configures the port to be in a
"registration" VLAN (2) at which point the user opens a web-browser where
they're met by a captive portal and they put in their username/password. If
the u/p is accepted PF sets the port for the "Normal" VLAN (1? Default?) and if
it's not accepted the port is put into the "Isolation" VLAN (3).
Sounds great! Exactly what I want!
So I install PF and I select "VLAN enforcement" ("Inline" left unselected). I
configure eth0 to be the management interface and then add the VLANs as
described above and in the admin guide, but there's no "Normal" or "MAC
Detection" VLAN options - only "Registration", "Isolation", "Inline" and
"Other".
So I configure "Isolation", "Inline", "Registration" and "Other" VLANs.
Later on, I configure Telnet for deauth and also configure SNMP on the
switch/PF per page 19 in the admin guide. I configure the uplink via its
ifIndex (how come that isn't in the admin guide??) and put it into "production"
mode.
So here's what happens (I'm tailing packetfence.log):
- If the port is configured for the MAC Detect VLAN - nothing happens. PF
doesn't "hear" the DHCP requests.
- If the port is configured for the Registration VLAN PF will hear the DHCP
requests and give the client an IP but that's it - no captive portal.
- If the port is configured for the default VLAN it will get an IP from my
test-DHCP server (Windows DC) and PF will add the computer to the "Nodes"
section as unregistered, but still no captive portal.
I'm still pretty certain that SNMP isn't working properly despite reconfiguring
SNMP per the guide multiple times and triple checking my settings. The only
way I can get the switch to send traps to PF is if I remove "port-security"
from the snmp-host line.
I feel like I have it almost working but I missed a crucial step or something
and the absence of "Normal" and "MAC Detect" VLANs still confuses me.
Ideas? Suggestions?
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users