Even more progress!

So I have SNMP working - the switch is configuring the port for the
registration VLAN and the computer is getting a DHCP address from PF.
Awesome!

However, PF doesn't appear to be intercepting DNS requests from the client
and redirecting them to the captive portal.  PF is setting the client's gateway
and DNS to the PF registration VLAN interface IP, which I think is correct.
But pings to google.com (or whatever) don't resolve and web requests to any
domain just time out.  Wireshark shows "Server failure" when making DNS
requests.

I've verified that the named service is running; however, I'm not sure how
to check whether it's listening on the correct interface.

I've noticed that there are options to specify IP ranges under Trapping and
Registration - do I need to put the registration DHCP IPs in those fields?

It turns out that the rules-saving thing is a bug in 4.0.6-2 (my version):
http://www.mail-archive.com/[email protected]/msg05405.html

I think once I get the captive portal working I'll have a firm grasp on
this whole thing :)




On Thu, Oct 17, 2013 at 11:15 AM, Sallee, Stephen (Jake) <
[email protected]> wrote:

> >>I've made some progress.
>
> Glad to hear you are making progress!
>
> I found an email with the same info as the one I mentioned earlier. It may
> not be of much use to you now, as it sounds like you have already done most
> of the correct config, but I will link it here for your viewing pleasure.
>
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=3A9815D880FBAF41A523B3A35AF3C3DFCF7111D6%40AVATAR.umhb.edu&forum_name=packetfence-users
>
> As for your SNMP and MAB issues you want to make sure you have:
>
> radius-server host <your RADIUS server IP> auth-port 1812 acct-port 1813
> key <your RADIUS secret here>
> radius-server key 7 <your RADIUS secret here>
> radius-server vsa send authentication
>
> in your global config.
>
> And the following in your port config:
>
> authentication order mab
> authentication port-control auto
> mab
>
> All of this though depends crucially on how you configure the switch in
> PF.  Here is the entry in my switches.conf for a typical switch that should
> work for just about any Cisco catalyst device.
>
> [10.XXX.XXX.XXX]
> type=Cisco::Catalyst_2960
> mode=production
> SNMPCommunityRead=[uber secret]
> guestVlan=112
> SNMPCommunityWrite=[uber secret]
> triggerInline=
> deauthMethod=SNMP
> SNMPVersionTrap=2c
> gamingRole=gaming
> UMHBVlan=111
> ForeignVlan=112
> isolationVlan=117
> ForeignRole=Foreign
> radiusSecret=[uber secret]
> SNMPVersion=2c
> guestRole=guest
> uplink=dynamic
> SNMPCommunityTrap=[uber secret]
> gamingVlan=112
> registrationVlan=113
> UMHBRole=UMHB
> voiceVlan=115
>
> We make heavy utilization of ROLES.  In the Web admin GUI you set roles
> and then assign vlans to that role on a per switch basis.  That is what
> tells PF what vlan you want to put the device in once it is registered. It
> is a very flexible way to assign vlans.  When you create your
> authentication source you define RULES that then assign the device a ROLE
> ... confused yet : )
>
> >> Perhaps default==normal?
>
> Yes, but the role you define can override this.
>
> As for your rules not saving, check to make sure that when you are setting
> up your rules the password for your auth source is in the password field
> when you attempt to save; if it is not, I believe it will throw an error
> and not save your changes.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Dell Thornhill [[email protected]]
> Sent: Wednesday, October 16, 2013 4:14 PM
> To: Sallee, Stephen (Jake)
> Subject: Re: [PacketFence-users] VLAN configuration for Enforcement
>
> Shoot, I just realized this went straight to you, I thought I was replying
> to the mailing list.
>
> I'll update the mailing list tomorrow.
>
> Thanks
> -Dell
>
>
> On Wed, Oct 16, 2013 at 5:13 PM, Dell Thornhill <[email protected]> wrote:
> Thank you for the response, Jake.
>
> I've made some progress.  I've configured MAB and RADIUS on PF per the
> Admin guide and judging by the debug output on my 4506 my test laptop is
> reaching the server and everything seems to be talking.
>
> Ok, so I need to get the following things working:
> 1) SNMP - I tried looking for the 2960 SNMP config but your name comes up
> with like 246 posts to the PacketFence-users mailing list :P I looked
> through some of them and I tried to narrow down the search using "2960" and
> "SNMP" but I didn't really find anything that looked like your 2960 config.
>
> So this is my current SNMP config:
> 4506:
> snmp-server community public RO
> snmp-server community private RW
> snmp-server enable traps port-security
> snmp-server host 10.100.100.56 version 2c public  port-security
>
> Switches.conf
> [10.100.100.198]
> mode=production
> description=Cisco 4506 on top of table
> type=Cisco::Catalyst_4500
> VoIPEnabled=N
> uplink=82
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
> macDetectionVlan=999
> isolationVlan=306
> registrationVlan=305
> inlineVlan=304
> cliUser=<username>
> deauthMethod=SNMP
> cliPwd=<password>
> macSearchesSleepInterval=1
> SNMPVersion=2c
> SNMPVersionTrap=2c
> radiusSecret=testing123
> (I know my secret is weak - it is just for testing).
>
> 2) MAC Authentication (?) - Obviously I need PF to do something when a new
> computer connects.  I think that this is defined in your auth Sources.  But
> whenever I attempt to save a rule it doesn't stick.  Like if I go out of
> the Source and then back in the rule is gone.  I've tried it with both my
> AD and RADIUS sources and the result is the same.
>
>
> I've confirmed the firewall is disabled.
>
> >> The normal vlan is missing from the web configurator because that is
> >> defined on the managed switches individually in the Admin WebUI.
>
> Can you provide some specifics on this?  Because in my Switches > |switch|
> > Roles screen I only see the following:  Registration, Isolation,
> macDetection, Inline, voice, default, guest, gaming, test role.
> Perhaps default==normal?
>
>
> Thanks again!
>
>
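Both switches.conf entries quoted in this thread use either vendor-default SNMP communities (public/private) or a test RADIUS secret, and the poster flags the weak secret himself. The following is an added example, not PacketFence code and not anything the posters wrote: it parses a switches.conf-style file with the key names seen in the thread and reports such weaknesses. The required-key set, the weak-secret list, the sample entries, and the assumption that deauthMethod=SNMP needs a write community are the example's own.

```python
"""Lint a PacketFence switches.conf for weak or incomplete switch entries.

Added example for this thread; it is not PacketFence code. Key names mirror
the switches.conf entries quoted in the discussion; the required-key set and
the weak-secret heuristics are this example's own assumptions.
"""
import configparser
import ipaddress

# Constructed sample: the first entry is modelled on the 4506 entry quoted in
# the thread, the second is a hardened counterpart (SNMPv3, RADIUS deauth,
# long shared secret). Neither is a real production config.
SAMPLE_SWITCHES_CONF = """\
[10.100.100.198]
mode=production
description=Cisco 4506 on top of table
type=Cisco::Catalyst_4500
uplink=82
SNMPCommunityRead=public
SNMPCommunityWrite=private
macDetectionVlan=999
isolationVlan=306
registrationVlan=305
deauthMethod=SNMP
SNMPVersion=2c
SNMPVersionTrap=2c
radiusSecret=testing123

[10.100.100.199]
mode=production
type=Cisco::Catalyst_2960
SNMPVersion=3
SNMPVersionTrap=3
registrationVlan=305
isolationVlan=306
deauthMethod=RADIUS
radiusSecret=Zt7!qP4wLm2#vR9sXc8kH3
"""

DEFAULT_COMMUNITIES = {"public", "private"}               # vendor defaults, widely probed
WEAK_RADIUS_SECRETS = {"testing123", "secret", "radius"}  # common test/default values
REQUIRED_KEYS = {"type", "mode", "registrationVlan"}      # assumption for this lint


def parse_switches_conf(text):
    """Return {section: {key: value}}, preserving key case (PF keys are camelCase)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep SNMPCommunityRead etc. exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def audit_switch(name, entry):
    """Return a list of findings for one switch entry; an empty list means clean."""
    findings = []
    try:
        ipaddress.ip_address(name)  # switches.conf sections are keyed by switch IP
    except ValueError:
        findings.append(f"{name}: section name is not an IP address")
    for key in sorted(REQUIRED_KEYS - set(entry)):
        findings.append(f"{name}: missing key {key}")
    for key in ("SNMPCommunityRead", "SNMPCommunityWrite", "SNMPCommunityTrap"):
        value = entry.get(key, "")
        if value.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{name}: {key} is the default community '{value}'")
    if entry.get("SNMPVersion") in ("1", "2c") and entry.get("SNMPCommunityWrite"):
        findings.append(f"{name}: SNMPv{entry['SNMPVersion']} write access is "
                        "unauthenticated cleartext; prefer SNMPv3")
    # Assumption: SNMP deauthentication sets the port state via SNMP, so it
    # needs a write community unless SNMPv3 credentials are used instead.
    if (entry.get("deauthMethod") == "SNMP" and not entry.get("SNMPCommunityWrite")
            and entry.get("SNMPVersion") != "3"):
        findings.append(f"{name}: deauthMethod=SNMP but no SNMPCommunityWrite")
    secret = entry.get("radiusSecret", "")
    if secret and (len(secret) < 16 or secret.lower() in WEAK_RADIUS_SECRETS):
        findings.append(f"{name}: radiusSecret is short or a known test value")
    return findings


def audit_all(text):
    """Audit every switch section in a switches.conf string."""
    conf = parse_switches_conf(text)
    return {name: audit_switch(name, entry) for name, entry in conf.items()}


if __name__ == "__main__":
    for switch, findings in audit_all(SAMPLE_SWITCHES_CONF).items():
        print(switch, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, the 4506-style entry yields four findings (two default communities, cleartext SNMPv2c write access, and the test RADIUS secret) while the hardened entry yields none; pointing `audit_all` at the real `/usr/local/pf/conf/switches.conf` is a quick pre-production check.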
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
