Is there a reason that you want to use a MAC detection vlan over RADIUS auth?
In my experience using Mac Authentication Bypass is superior to using a MAC Detection vlan in every way. Obviously, if your requirements necessitate the use of a MAC detection vlan then you must, but if you have not considered MAB I would highly, HIGHLY suggest it over a MAC detection vlan. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________ From: forbmsyn [[email protected]] Sent: Friday, October 25, 2013 5:14 PM To: [email protected] Subject: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not the default vlan 1? Hello experts, On PF I followed the instruction and created the following network: VLAN ID VLAN Name Subnet Gateway PacketFence Address 1 Normal 192.168.1.0/24<http://192.168.1.0/24> 192.168.1.1 192.168.1.5 2 Registration 192.168.2.0/24<http://192.168.2.0/24> 192.168.2.1 192.168.2.1 3 Isolation 192.168.3.0/24<http://192.168.3.0/24> 192.168.3.1 192.168.3.1 4 Mac Detection 5 Inline 192.168.5.0/24<http://192.168.5.0/24> 192.168.5.1 192.168.5.1 I have a Cisco 2960 (IP 192.168.1.254), with the same vlans created as PacketFence. On Fa0/3 I have the following config: interface FastEthernet0/3 switchport access vlan 4 switchport mode access switchport port-security maximum 1 vlan access switchport port-security switchport port-security violation restrict switchport port-security mac-address 0200.0001.0003 Then I plugged a laptop onto the port, the config was changed to as below, which looks good because it is now on registrion vlan (vlan ID 2) and obtained an IP 192.168.2.10 interface FastEthernet0/3 switchport access vlan 2 switchport mode access switchport port-security maximum 1 vlan access switchport port-security switchport port-security violation restrict switchport port-security mac-address 0015.c5cf.0f12 On PF I changed its status from unregistered to registered from PF WebUI, on the switch I found that port was switch back to MAC detection VLAN 4. interface FastEthernet0/3 switchport access vlan 4 switchport mode access switchport port-security maximum 1 vlan access switchport port-security switchport port-security violation restrict switchport port-security mac-address 0015.c5cf.0f12 Below is part of the log from packetfence.log May 28 00:49:46 httpd.admin(0) INFO: re-evaluating access for node 00:15:c5:cf:0f:12 (node_modify called) (pf::enforcement::reevaluate_access) May 28 00:49:46 httpd.admin(0) INFO: 00:15:c5:cf:0f:12 is currentlog connected at 192.168.1.254 ifIndex 10003 in VLAN 2 (pf::enforcement::_should_we_reass ign_vlan) May 28 00:49:46 httpd.admin(0) INFO: Username was NOT defined or unable to match a role - returning node based role 'default' (pf::vlan::getNormalVlan) May 28 00:49:46 httpd.admin(0) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode) May 28 00:49:46 httpd.admin(0) INFO: VLAN reassignment required for 00:15:c5:cf:0f:12 (current VLAN = 2 but should be in VLAN 1) (pf::enforcement::_should _we_reassign_vlan) May 28 00:49:46 httpd.admin(0) INFO: switch port for 00:15:c5:cf:0f:12 is 192.168.1.254 ifIndex 10003 connection type: Wired SNMP (pf::enforcement::_vlan_ reevaluation) May 28 00:49:49 pfsetvlan(25) INFO: local (127.0.0.1) trap for switch 192.168.1.254 (main::parseTrap) May 28 00:49:49 pfsetvlan(8) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers) May 28 00:49:49 pfsetvlan(8) INFO: reAssignVlan trap received on 192.168.1.254 ifIndex 10003 (main::handleTrap) May 28 00:49:49 pfsetvlan(8) INFO: security traps are configured on 192.168.1.254 ifIndex 10003. Re-assigning VLAN for 00:15:c5:cf:0f:12 (main::handleTrap ) May 28 00:49:49 pfsetvlan(8) INFO: Username was NOT defined or unable to match a role - returning node based role 'default' (pf::vlan::getNormalVlan) May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName) May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode) Argument "default" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/SNMP.pm line 614. May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed VLAN -> replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan) May 28 00:49:49 pfsetvlan(8) INFO: no VoIP phone is currently connected at 192.168.1.254 ifIndex 10003. Flipping port admin status (main::handleTrap) May 28 00:49:53 pfsetvlan(8) INFO: finished (main::cleanupAfterThread) May 28 00:50:25 pfmon(0) INFO: running expire check (main::cleanup) I do have default vlan configure on switches.conf. Why the port was not set to vlan 1 but back to 4? Below is the config of switches.conf [root@packetfence conf]# more switches.conf # # Copyright 2006-2008 Inverse inc. # # See the enclosed file COPYING for license information (GPL). # If you did not receive this file, see # http://www.fsf.org/licensing/licenses/gpl.html [default] description=Switches Default Values vlans=1,2,3,4,5 normalVlan=1 registrationVlan=2 isolationVlan=3 macDetectionVlan=4 voiceVlan=5 inlineVlan=6 inlineTrigger= normalRole=normal registrationRole=registration isolationRole=isolation macDetectionRole=macDetection voiceRole=voice inlineRole=inline VoIPEnabled=no mode=testing macSearchesMaxNb=30 macSearchesSleepInterval=2 uplink=dynamic # # Command Line Interface # # cliTransport could be: Telnet, SSH or Serial cliTransport=Telnet cliUser= cliPwd= cliEnablePwd= # # SNMP section # # PacketFence -> Switch SNMPVersion=1 SNMPCommunityRead=public SNMPCommunityWrite=private #SNMPEngineID = 0000000000000 #SNMPUserNameRead = readUser #SNMPAuthProtocolRead = MD5 #SNMPAuthPasswordRead = authpwdread #SNMPPrivProtocolRead = DES #SNMPPrivPasswordRead = privpwdread #SNMPUserNameWrite = writeUser #SNMPAuthProtocolWrite = MD5 #SNMPAuthPasswordWrite = authpwdwrite #SNMPPrivProtocolWrite = DES #SNMPPrivPasswordWrite = privpwdwrite # Switch -> PacketFence SNMPVersionTrap=1 SNMPCommunityTrap=public #SNMPAuthProtocolTrap = MD5 #SNMPAuthPasswordTrap = authpwdread #SNMPPrivProtocolTrap = DES #SNMPPrivPasswordTrap = privpwdread # # Web Services Interface # # wsTransport could be: http or https wsTransport=http wsUser= wsPwd= # # RADIUS NAS Client config # # RADIUS shared secret with switch radiusSecret= [192.168.0.1] description=Test Switch type=Cisco::Catalyst_2900XL mode=production uplink=23,24 [192.168.1.254] mode=production deauthMethod=SSH description=C2960 type=Cisco::Catalyst_2960 VoIPEnabled=N radiusSecret=useStrongerSecret uplink=24 cliTransport=SSH SNMPVersion=2c defaultRole=default defaultVlan=1 #SNMPVersion = 3 #SNMPEngineID = 0000000000000 #SNMPUserNameRead = readUser #SNMPAuthProtocolRead = MD5 #SNMPAuthPasswordRead = authpwdread #SNMPPrivProtocolRead = DES #SNMPPrivPasswordRead = privpwdread #SNMPUserNameWrite = writeUser #SNMPAuthProtocolWrite = MD5 #SNMPAuthPasswordWrite = authpwdwrite #SNMPPrivProtocolWrite = DES #SNMPPrivPasswordWrite = privpwdwrite #SNMPVersionTrap = 3 #SNMPUserNameTrap = readUser #SNMPAuthProtocolTrap = MD5 #SNMPAuthPasswordTrap = authpwdread #SNMPPrivProtocolTrap = DES #SNMPPrivPasswordTrap = privpwdread Thank you! Regards, Jacky ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
