Dagnabbit! I didn't check the TO address ... oops. Here is a copy for the list archives.

Jake Sallee
Godfather of Bandwidth
System Engineer

University of Mary Hardin-Baylor
900 College St.
Belton, Texas 76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Sallee, Stephen (Jake)
Sent: Thursday, October 17, 2013 10:15 AM
To: Dell Thornhill
Subject: RE: [PacketFence-users] VLAN configuration for Enforcement

>>I've made some progress.

Glad to hear you are making progress! I found an email with the same info as the one I mentioned earlier, it may not be of much use to you now as it sounds like you have already done most of the correct config but I will link it here for your viewing pleasure.

http://sourceforge.net/mailarchive/forum.php?thread_name=3A9815D880FBAF41A523B3A35AF3C3DFCF7111D6%40AVATAR.umhb.edu&forum_name=packetfence-users

As for your SNMP and MAB issues you want to make sure you have:

    radius-server host <your RADIUS server IP> auth-port 1812 acct-port 1813 key <your RADIUS secret here>
    radius-server key 7 <your RADIUS secret here>
    radius-server vsa send authentication

in your global config. And the following in your port config:

    authentication order mab
    authentication port-control auto
    mab

All of this though depends crucially on how you configure the switch in PF. Here is the entry in my switches.conf for a typical switch that should work for just about any Cisco catalyst device.

    [10.XXX.XXX.XXX]
    type=Cisco::Catalyst_2960
    mode=production
    SNMPCommunityRead=[uber secret]
    guestVlan=112
    SNMPCommunityWrite=[uber secret]
    triggerInline=
    deauthMethod=SNMP
    SNMPVersionTrap=2c
    gamingRole=gaming
    UMHBVlan=111
    ForeignVlan=112
    isolationVlan=117
    ForeignRole=Foreign
    radiusSecret=[uber secret]
    SNMPVersion=2c
    guestRole=guest
    uplink=dynamic
    SNMPCommunityTrap=[uber secret]
    gamingVlan=112
    registrationVlan=113
    UMHBRole=UMHB
    voiceVlan=115

We make heavy utilization of ROLES. In the Web admin GUI you set roles and then assign vlans to that role on a per switch basis.
That is what tells PF what vlan you want to put the device in once it is registered. It is a very flexible way to assign vlans. When you create your authentication source you define RULES that then assign the device a ROLE ... confused yet : )

>> Perhaps default==normal?

Yes, but the role you define can override this.

As for your rules not saving, check to make sure that when you are setting up your rules that the password for your auth source is in the password field when you attempt to save, if it is not I believe it will throw an error and not save your changes.

________________________________
From: Dell Thornhill [[email protected]]
Sent: Wednesday, October 16, 2013 4:14 PM
To: Sallee, Stephen (Jake)
Subject: Re: [PacketFence-users] VLAN configuration for Enforcement

Shoot, I just realized this went straight to you, I thought I was replying to the mailing list. I'll update the mailing list tomorrow.

Thanks
-Dell

On Wed, Oct 16, 2013 at 5:13 PM, Dell Thornhill <[email protected]> wrote:

Thank you for the response, Jake.

I've made some progress. I've configured MAB and RADIUS on PF per the Admin guide and judging by the debug output on my 4506 my test laptop is reaching the server and everything seems to be talking.

Ok, so I need to get the following things working:

1) SNMP - I tried looking for the 2960 SNMP config but your name comes up with like 246 posts to the PacketFence-users mailing list :P I looked through some of them and I tried to narrow down the search using "2960" and "SNMP" but I didn't really find anything that looked like your 2960 config.
So this is my current SNMP config:

4506:

    snmp-server community public RO
    snmp-server community private RW
    snmp-server enable traps port-security
    snmp-server host 10.100.100.56 version 2c public port-security

Switches.conf

    [10.100.100.198]
    mode=production
    description=Cisco 4506 on top of table
    type=Cisco::Catalyst_4500
    VoIPEnabled=N
    uplink=82
    SNMPCommunityRead=public
    SNMPCommunityWrite=private
    macDetectionVlan=999
    isolationVlan=306
    registrationVlan=305
    inlineVlan=304
    cliUser=<username>
    deauthMethod=SNMP
    cliPwd=<password>
    macSearchesSleepInterval=1
    SNMPVersion=2c
    SNMPVersionTrap=2c
    radiusSecret=testing123

(I know my secret is weak - it is just for testing).

2) MAC Authentication (?) - Obviously I need PF to do something when a new computer connects. I think that this is defined in your auth Sources. But whenever I attempt to save a rule it doesn't stick. Like if I go out of the Source and then back in the rule is gone. I've tried it with both my AD and RADIUS sources and the result is the same. I've confirmed the firewall is disabled.

|The normal vlan is missing from the web configurator because that is defined on the managed switches individually in the Admin WebUI.

Can you provide some specifics on this? Because in my Switches > |switch| > Roles screen I only see the following: Registration, Isolation, macDetection, Inline, voice, default, guest, gaming, test role. Perhaps default==normal?

Thanks again!
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
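
Added example, not part of the thread and not PacketFence code: a small audit over text in the switches.conf layout quoted above. It flags the placeholder SNMP communities and RADIUS secret used in the test setup and lists each switch's role-to-VLAN mapping. The pairing of `<name>Role` with `<name>Vlan` is an assumption read off the entry shown in the thread; the `WEAK` list, `MIN_LEN`, the second sample entry and the `audit` function are hypothetical.

```python
import configparser

# Constructed sample in the switches.conf layout quoted in the thread; the
# second entry is invented for contrast and its values are placeholders.
SAMPLE = """
[10.100.100.198]
SNMPCommunityRead=public
SNMPCommunityWrite=private
radiusSecret=testing123

[192.0.2.10]
SNMPCommunityRead=PLACEHOLDER-long-random-read-string
radiusSecret=short1
guestRole=guest
guestVlan=112
UMHBRole=UMHB
UMHBVlan=111
"""

WEAK = {"public", "private", "testing123", "cisco", "secret", "password"}
SECRET_KEYS = ("SNMPCommunityRead", "SNMPCommunityWrite",
               "SNMPCommunityTrap", "radiusSecret")
MIN_LEN = 16  # assumed local policy, not a PacketFence requirement


def audit(text):
    """Return {switch: {"findings": [...], "role_vlans": {...}}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (SNMPCommunityRead, UMHBVlan, ...)
    cp.read_string(text)
    report = {}
    for switch in cp.sections():
        entry = cp[switch]
        findings = []
        for key in (k for k in SECRET_KEYS if k in entry):
            value = entry[key]
            if value.lower() in WEAK:
                findings.append(f"{key}: well-known default value")
            elif len(value) < MIN_LEN:
                findings.append(f"{key}: shorter than {MIN_LEN} characters")
        # Assumption: "<name>Role" pairs with "<name>Vlan" on the same switch.
        role_vlans = {entry[k]: entry.get(k[:-4] + "Vlan")
                      for k in entry if k.endswith("Role")}
        report[switch] = {"findings": findings, "role_vlans": role_vlans}
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A role that maps to `None` has a `Role` key without a matching `Vlan` key on that switch.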
