As someone who initially tried the MAC detection VLAN route and then
switched to MAB, I can only agree with Jake. It is far easier to set up and
maintain. The Cisco 2960 should support MAB. If you are able to go that
route and need help configuring it, I'm happy to help.


On Mon, Oct 28, 2013 at 6:38 AM, Sallee, Stephen (Jake) <
[email protected]> wrote:

> Is there a reason that you want to use a MAC detection vlan over RADIUS
> auth?
>
> In my experience using MAC Authentication Bypass is superior to using a
> MAC Detection vlan in every way.
>
> Obviously, if your requirements necessitate the use of a MAC detection
> vlan then you must, but if you have not considered MAB I would highly,
> HIGHLY suggest it over a MAC detection vlan.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: forbmsyn [[email protected]]
> Sent: Friday, October 25, 2013 5:14 PM
> To: [email protected]
> Subject: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not
> the default vlan 1?
>
> Hello experts,
>
> On PF I followed the instruction and created the following network:
>
> VLAN ID  VLAN Name      Subnet          Gateway      PacketFence Address
> 1        Normal         192.168.1.0/24  192.168.1.1  192.168.1.5
> 2        Registration   192.168.2.0/24  192.168.2.1  192.168.2.1
> 3        Isolation      192.168.3.0/24  192.168.3.1  192.168.3.1
> 4        Mac Detection
> 5        Inline         192.168.5.0/24  192.168.5.1  192.168.5.1
>
>
> I have a Cisco 2960 (IP 192.168.1.254), with the same vlans created as
> PacketFence. On Fa0/3 I have the following config:
>
> interface FastEthernet0/3
>  switchport access vlan 4
>  switchport mode access
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0200.0001.0003
>
>
> Then I plugged a laptop into the port and the config changed to the one below,
> which looks good because it is now on the registration VLAN (VLAN ID 2) and
> obtained the IP 192.168.2.10
>
> interface FastEthernet0/3
>  switchport access vlan 2
>  switchport mode access
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0015.c5cf.0f12
>
>
> On PF I changed its status from unregistered to registered in the PF WebUI;
> on the switch I found that the port was switched back to MAC detection VLAN 4.
>
> interface FastEthernet0/3
>  switchport access vlan 4
>  switchport mode access
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  switchport port-security violation restrict
>  switchport port-security mac-address 0015.c5cf.0f12
>
>
>
> Below is part of the log from packetfence.log
>
> May 28 00:49:46 httpd.admin(0) INFO: re-evaluating access for node
> 00:15:c5:cf:0f:12 (node_modify called) (pf::enforcement::reevaluate_access)
> May 28 00:49:46 httpd.admin(0) INFO: 00:15:c5:cf:0f:12 is currently
> connected at 192.168.1.254 ifIndex 10003 in VLAN 2
> (pf::enforcement::_should_we_reassign_vlan)
> May 28 00:49:46 httpd.admin(0) INFO: Username was NOT defined or unable to
> match a role - returning node based role 'default' (pf::vlan::getNormalVlan)
> May 28 00:49:46 httpd.admin(0) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin,
> Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
> May 28 00:49:46 httpd.admin(0) INFO: VLAN reassignment required for
> 00:15:c5:cf:0f:12 (current VLAN = 2 but should be in VLAN 1)
> (pf::enforcement::_should_we_reassign_vlan)
> May 28 00:49:46 httpd.admin(0) INFO: switch port for 00:15:c5:cf:0f:12 is
> 192.168.1.254 ifIndex 10003 connection type: Wired SNMP
> (pf::enforcement::_vlan_reevaluation)
> May 28 00:49:49 pfsetvlan(25) INFO: local (127.0.0.1) trap for switch
> 192.168.1.254 (main::parseTrap)
> May 28 00:49:49 pfsetvlan(8) INFO: nb of items in queue: 1; nb of threads
> running: 0 (main::startTrapHandlers)
> May 28 00:49:49 pfsetvlan(8) INFO: reAssignVlan trap received on
> 192.168.1.254 ifIndex 10003 (main::handleTrap)
> May 28 00:49:49 pfsetvlan(8) INFO: security traps are configured on
> 192.168.1.254 ifIndex 10003. Re-assigning VLAN for 00:15:c5:cf:0f:12
> (main::handleTrap)
> May 28 00:49:49 pfsetvlan(8) INFO: Username was NOT defined or unable to
> match a role - returning node based role 'default' (pf::vlan::getNormalVlan)
> May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in
> conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName)
> May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin,
> Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode)
> Argument "default" isn't numeric in numeric eq (==) at
> /usr/local/pf/lib/pf/SNMP.pm line 614.
> May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed VLAN
> -> replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan)
> May 28 00:49:49 pfsetvlan(8) INFO: no VoIP phone is currently connected at
> 192.168.1.254 ifIndex 10003. Flipping port admin status (main::handleTrap)
> May 28 00:49:53 pfsetvlan(8) INFO: finished (main::cleanupAfterThread)
> May 28 00:50:25 pfmon(0) INFO: running expire check (main::cleanup)
>
>
>
> I do have defaultVlan configured in switches.conf. Why was the port not
> set to VLAN 1 but back to 4?
> Below is the config of switches.conf
>
> [root@packetfence conf]# more switches.conf
> #
> # Copyright 2006-2008 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> description=Switches Default Values
> vlans=1,2,3,4,5
> normalVlan=1
> registrationVlan=2
> isolationVlan=3
> macDetectionVlan=4
> voiceVlan=5
> inlineVlan=6
> inlineTrigger=
> normalRole=normal
> registrationRole=registration
> isolationRole=isolation
> macDetectionRole=macDetection
> voiceRole=voice
> inlineRole=inline
> VoIPEnabled=no
> mode=testing
> macSearchesMaxNb=30
> macSearchesSleepInterval=2
> uplink=dynamic
> #
> # Command Line Interface
> #
> # cliTransport could be: Telnet, SSH or Serial
> cliTransport=Telnet
> cliUser=
> cliPwd=
> cliEnablePwd=
> #
> # SNMP section
> #
> # PacketFence -> Switch
> SNMPVersion=1
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> # Switch -> PacketFence
> SNMPVersionTrap=1
> SNMPCommunityTrap=public
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
> #
> # Web Services Interface
> #
> # wsTransport could be: http or https
> wsTransport=http
> wsUser=
> wsPwd=
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret=
>
> [192.168.0.1]
> description=Test Switch
> type=Cisco::Catalyst_2900XL
> mode=production
> uplink=23,24
>
> [192.168.1.254]
> mode=production
> deauthMethod=SSH
> description=C2960
> type=Cisco::Catalyst_2960
> VoIPEnabled=N
> radiusSecret=useStrongerSecret
> uplink=24
> cliTransport=SSH
> SNMPVersion=2c
> defaultRole=default
> defaultVlan=1
> #SNMPVersion = 3
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> #SNMPVersionTrap = 3
> #SNMPUserNameTrap = readUser
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
>
>
> Thank you!
>
> Regards,
> Jacky
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>



-- 
Fletcher Haynes <[email protected]>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
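The quoted log shows the chain that ends in the port landing in VLAN 4: the node's role is 'default', PacketFence looks for a `defaultVlan` key for the switch, does not find it, hands the bare string "default" to setVlan, and setVlan treats anything that is not a managed VLAN number as a reason to fall back to macDetectionVlan. The script below is an added example written for this thread, not PacketFence's own code: it reads a switches.conf-style file with Python's configparser, resolves a role to a VLAN the way the log describes (my reading of the log, not a copy of pf::vlan or pf::SNMP), and audits every switch section for role/VLAN pairs that would silently fall back. The sample configuration is constructed from the thread and deliberately gives one switch a `defaultRole` without a `defaultVlan`; the `inlineVlan=6` versus `vlans=1,2,3,4,5` mismatch it also flags is taken from the posted [default] section.

```python
"""Audit a PacketFence-style switches.conf for roles whose VLAN lookup would
fall back to the MAC detection VLAN (added example, not PacketFence code).

Assumptions, taken from the log lines in the thread rather than from
PacketFence source: role R maps to key "<R>Vlan"; a switch section inherits
missing keys from [default]; a value that is not a numeric VLAN id, or not
listed in `vlans=`, is replaced by macDetectionVlan.
"""
import configparser
import textwrap

# Constructed sample modelled on the thread. 192.168.0.1 has defaultRole but
# no defaultVlan (the failure the log shows); 192.168.1.254 defines both.
SWITCHES_CONF = textwrap.dedent("""\
    [default]
    vlans=1,2,3,4,5
    normalVlan=1
    registrationVlan=2
    isolationVlan=3
    macDetectionVlan=4
    voiceVlan=5
    inlineVlan=6
    normalRole=normal
    registrationRole=registration
    isolationRole=isolation
    macDetectionRole=macDetection
    voiceRole=voice
    inlineRole=inline

    [192.168.0.1]
    description=Test Switch
    type=Cisco::Catalyst_2900XL
    defaultRole=default

    [192.168.1.254]
    description=C2960
    type=Cisco::Catalyst_2960
    defaultRole=default
    defaultVlan=1
    """)


def load_switches(text):
    """Parse switches.conf text; [default] supplies fallbacks for every switch."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.optionxform = str  # keep camelCase keys such as macDetectionVlan as written
    cp.read_string(text)
    return cp


def managed_vlans(cp, switch):
    """The set of VLAN ids PacketFence is allowed to assign on this switch."""
    return {v.strip() for v in cp.get(switch, "vlans").split(",") if v.strip()}


def resolve_vlan(cp, switch, role):
    """Return (vlan_id, reason); reason is 'ok' or why the fallback was taken."""
    mac_detect = cp.get(switch, "macDetectionVlan")
    key = f"{role}Vlan"
    if not cp.has_option(switch, key):  # checks the section, then [default]
        return mac_detect, f"no parameter {key} for switch {switch}; using MAC detection VLAN"
    raw = cp.get(switch, key).strip()
    if not raw.isdigit():  # mirrors the "isn't numeric" warning in the log
        return mac_detect, f"{key}={raw!r} is not numeric; using MAC detection VLAN"
    if raw not in managed_vlans(cp, switch):
        return mac_detect, f"VLAN {raw} is not in vlans= for {switch}; using MAC detection VLAN"
    return raw, "ok"


def roles_in_use(cp, switch):
    """Role names named by any *Role key visible to this switch (own or inherited)."""
    return {value.strip() for key, value in cp.items(switch)
            if key.endswith("Role") and value.strip()}


def audit(cp):
    """One (switch, role, vlan, reason) per lookup that would not give the intended VLAN."""
    findings = []
    for switch in cp.sections():  # [default] itself is not listed
        for role in sorted(roles_in_use(cp, switch)):
            vlan, reason = resolve_vlan(cp, switch, role)
            if reason != "ok":
                findings.append((switch, role, vlan, reason))
    return findings


if __name__ == "__main__":
    conf = load_switches(SWITCHES_CONF)
    for switch, role, vlan, reason in audit(conf):
        print(f"{switch}: role {role!r} -> VLAN {vlan} ({reason})")
```

Running it against the sample prints the two reasons a registered node can end up in VLAN 4 without any error being raised: a role whose `<role>Vlan` key is missing for that switch, and a VLAN id that is configured but absent from `vlans=`. Run the same audit after each edit to switches.conf and after restarting the daemons, since a running pfsetvlan only sees the file it loaded.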