> When you get a chance, can you give me some idea on configuring MAB? No problem! First though, a disclaimer.
<DISCLAIMER> Any MAC based authorization is NOT an acceptable security mechanism when used alone. It is absolutely trivial to spoof one's MAC address. MAB will stop the casual wifi / network hopper, but it will be of little to no use against a user with some modicum of security knowledge. Make sure to use other security measures in conjunction with MAC based auth. schemes. </DISCLAIMER> Luckily for you, using a MAC auth vlan has already gotten you most of the way to implementing MAB. First I would remove all the static MACs from the ports you want to use MAB on. Then get your global config setup for MAB, the important bits are: -------------------------------------------------------- aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting dot1x default start-stop group radius aaa accounting system default start-stop group radius snmp-server community <SUPER SECRET> RW radius-server host <PFHostIP> auth-port 1812 acct-port 1813 key <SUPER SECRET> radius-server key <SUPER SECRET> radius-server vsa send authentication -------------------------------------------------------- Then make your port configs look something like this: -------------------------------------------------------- interface FastEthernet0/14 description NAC_Controlled switchport mode access switchport port-security maximum 2 switchport port-security maximum 1 vlan access switchport port-security authentication order mab authentication port-control auto mab mls qos trust cos spanning-tree portfast spanning-tree bpdufilter enable spanning-tree bpduguard enable spanning-tree guard loop -------------------------------------------------------- You can leave off the spanning tree bits if you want, and I have VoIP so I allow 1 device / vlan hence the max of 2 MACs instead of 1. Change the deauth setting in PF to SNMP and you may have to bounce the services. Also, you may want to add the following global config directives: -------------------------------------------------------- errdisable recovery cause udld errdisable recovery cause bpduguard errdisable recovery cause security-violation errdisable recovery cause pagp-flap errdisable recovery cause dtp-flap errdisable recovery cause link-flap errdisable recovery cause sfp-config-mismatch errdisable recovery cause gbic-invalid errdisable recovery cause psecure-violation errdisable recovery cause port-mode-failure errdisable recovery cause dhcp-rate-limit errdisable recovery cause mac-limit errdisable recovery cause vmps errdisable recovery cause storm-control errdisable recovery cause inline-power errdisable recovery cause arp-inspection errdisable recovery cause loopback errdisable recovery cause small-frame errdisable recovery interval 30 -------------------------------------------------------- Not necessary, but good for overall security. Give that a go, it is copied directly from one of my production 2960s. Hopefully it helps you out. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________ From: forbmsyn [[email protected]] Sent: Tuesday, October 29, 2013 4:13 PM To: [email protected] Subject: Re: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not the default vlan 1? Thank you Jake. Problem fixed after restarting the service and MySQL. For some reason PF failed to connect to MySQL so I restart the database as well. When you get a chance, can you give me some idea on configuring MAB? Thanks again. Regards, Jacky On Mon, Oct 28, 2013 at 2:32 PM, Sallee, Stephen (Jake) <[email protected]<mailto:[email protected]>> wrote: > But for the time being I would like to know why PF is not working as it > should be . Here is your error: > May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in > conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName) > May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, > Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode) > Argument "default" isn't numeric in numeric eq (==) at > /usr/local/pf/lib/pf/SNMP.pm line 614. > May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed VLAN -> > replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan) That says that the var defaultVlan couldn't be found in your switches.conf for that switch. I can see that you did add it but did you restart the services afterward? Did you add a role called default? Did you assign a vlan number to the role in the admin GUI? Check your switch's config in the web admin gui if your role does not show up correctly in there then there is a mistake in your config somewhere. With PF v4.0+ you really dont need to play around in the config files very much as almost everything can be done in the web gui. > Argument "default" isn't numeric in numeric eq (==) at > /usr/local/pf/lib/pf/SNMP.pm line 614. This is doubly important. somewhere you are passing the string "default" where you should be putting the vlan id. I suspect there is something missing in your role config and assignment. Also: Try to use SNMP as your de-auth mechanism. SSH is slow and should only be used as a last resort. You can use any version of SNMP you wish, I use v2c to great effect. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658<tel:254-295-4658> Phax: 254-295-4221<tel:254-295-4221> ________________________________ From: forbmsyn [[email protected]<mailto:[email protected]>] Sent: Monday, October 28, 2013 11:25 AM To: [email protected]<mailto:[email protected]> Subject: Re: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not the default vlan 1? Hi Jake, I have no idea about MAB yet. I will do some research on this and try it later on as you suggested. But for the time being I would like to know why PF is not working as it should be . Regards, Jacky On Mon, Oct 28, 2013 at 9:38 AM, Sallee, Stephen (Jake) <[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>> wrote: Is there a reason that you want to use a MAC detection vlan over RADIUS auth? In my experience using Mac Authentication Bypass is superior to using a MAC Detection vlan in every way. Obviously, if your requirements necessitate the use of a MAC detection vlan then you must, but if you have not considered MAB I would highly, HIGHLY suggest it over a MAC detection vlan. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658<tel:254-295-4658><tel:254-295-4658<tel:254-295-4658>> Phax: 254-295-4221<tel:254-295-4221><tel:254-295-4221<tel:254-295-4221>> ________________________________ From: forbmsyn [[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>] Sent: Friday, October 25, 2013 5:14 PM To: [email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>> Subject: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not the default vlan 1? Hello experts, On PF I followed the instruction and created the following network: VLAN ID VLAN Name Subnet Gateway PacketFence Address 1 Normal 192.168.1.0/24<http://192.168.1.0/24><http://192.168.1.0/24><http://192.168.1.0/24> 192.168.1.1 192.168.1.5 2 Registration 192.168.2.0/24<http://192.168.2.0/24><http://192.168.2.0/24><http://192.168.2.0/24> 192.168.2.1 192.168.2.1 3 Isolation 192.168.3.0/24<http://192.168.3.0/24><http://192.168.3.0/24><http://192.168.3.0/24> 192.168.3.1 192.168.3.1 4 Mac Detection 5 Inline 192.168.5.0/24<http://192.168.5.0/24><http://192.168.5.0/24><http://192.168.5.0/24> 192.168.5.1 192.168.5.1 I have a Cisco 2960 (IP 192.168.1.254), with the same vlans created as PacketFence. On Fa0/3 I have the following config: interface FastEthernet0/3 switchport access vlan 4 switchport mode access switchport port-security maximum 1 vlan access switchport port-security switchport port-security violation restrict switchport port-security mac-address 0200.0001.0003 Then I plugged a laptop onto the port, the config was changed to as below, which looks good because it is now on registrion vlan (vlan ID 2) and obtained an IP 192.168.2.10 interface FastEthernet0/3 switchport access vlan 2 switchport mode access switchport port-security maximum 1 vlan access switchport port-security switchport port-security violation restrict switchport port-security mac-address 0015.c5cf.0f12 On PF I changed its status from unregistered to registered from PF WebUI, on the switch I found that port was switch back to MAC detection VLAN 4. interface FastEthernet0/3 switchport access vlan 4 switchport mode access switchport port-security maximum 1 vlan access switchport port-security switchport port-security violation restrict switchport port-security mac-address 0015.c5cf.0f12 Below is part of the log from packetfence.log May 28 00:49:46 httpd.admin(0) INFO: re-evaluating access for node 00:15:c5:cf:0f:12 (node_modify called) (pf::enforcement::reevaluate_access) May 28 00:49:46 httpd.admin(0) INFO: 00:15:c5:cf:0f:12 is currentlog connected at 192.168.1.254 ifIndex 10003 in VLAN 2 (pf::enforcement::_should_we_reass ign_vlan) May 28 00:49:46 httpd.admin(0) INFO: Username was NOT defined or unable to match a role - returning node based role 'default' (pf::vlan::getNormalVlan) May 28 00:49:46 httpd.admin(0) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode) May 28 00:49:46 httpd.admin(0) INFO: VLAN reassignment required for 00:15:c5:cf:0f:12 (current VLAN = 2 but should be in VLAN 1) (pf::enforcement::_should _we_reassign_vlan) May 28 00:49:46 httpd.admin(0) INFO: switch port for 00:15:c5:cf:0f:12 is 192.168.1.254 ifIndex 10003 connection type: Wired SNMP (pf::enforcement::_vlan_ reevaluation) May 28 00:49:49 pfsetvlan(25) INFO: local (127.0.0.1) trap for switch 192.168.1.254 (main::parseTrap) May 28 00:49:49 pfsetvlan(8) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers) May 28 00:49:49 pfsetvlan(8) INFO: reAssignVlan trap received on 192.168.1.254 ifIndex 10003 (main::handleTrap) May 28 00:49:49 pfsetvlan(8) INFO: security traps are configured on 192.168.1.254 ifIndex 10003. Re-assigning VLAN for 00:15:c5:cf:0f:12 (main::handleTrap ) May 28 00:49:49 pfsetvlan(8) INFO: Username was NOT defined or unable to match a role - returning node based role 'default' (pf::vlan::getNormalVlan) May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName) May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode) Argument "default" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/SNMP.pm line 614. May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed VLAN -> replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan) May 28 00:49:49 pfsetvlan(8) INFO: no VoIP phone is currently connected at 192.168.1.254 ifIndex 10003. Flipping port admin status (main::handleTrap) May 28 00:49:53 pfsetvlan(8) INFO: finished (main::cleanupAfterThread) May 28 00:50:25 pfmon(0) INFO: running expire check (main::cleanup) I do have default vlan configure on switches.conf. Why the port was not set to vlan 1 but back to 4? Below is the config of switches.conf [root@packetfence conf]# more switches.conf # # Copyright 2006-2008 Inverse inc. # # See the enclosed file COPYING for license information (GPL). # If you did not receive this file, see # http://www.fsf.org/licensing/licenses/gpl.html [default] description=Switches Default Values vlans=1,2,3,4,5 normalVlan=1 registrationVlan=2 isolationVlan=3 macDetectionVlan=4 voiceVlan=5 inlineVlan=6 inlineTrigger= normalRole=normal registrationRole=registration isolationRole=isolation macDetectionRole=macDetection voiceRole=voice inlineRole=inline VoIPEnabled=no mode=testing macSearchesMaxNb=30 macSearchesSleepInterval=2 uplink=dynamic # # Command Line Interface # # cliTransport could be: Telnet, SSH or Serial cliTransport=Telnet cliUser= cliPwd= cliEnablePwd= # # SNMP section # # PacketFence -> Switch SNMPVersion=1 SNMPCommunityRead=public SNMPCommunityWrite=private #SNMPEngineID = 0000000000000 #SNMPUserNameRead = readUser #SNMPAuthProtocolRead = MD5 #SNMPAuthPasswordRead = authpwdread #SNMPPrivProtocolRead = DES #SNMPPrivPasswordRead = privpwdread #SNMPUserNameWrite = writeUser #SNMPAuthProtocolWrite = MD5 #SNMPAuthPasswordWrite = authpwdwrite #SNMPPrivProtocolWrite = DES #SNMPPrivPasswordWrite = privpwdwrite # Switch -> PacketFence SNMPVersionTrap=1 SNMPCommunityTrap=public #SNMPAuthProtocolTrap = MD5 #SNMPAuthPasswordTrap = authpwdread #SNMPPrivProtocolTrap = DES #SNMPPrivPasswordTrap = privpwdread # # Web Services Interface # # wsTransport could be: http or https wsTransport=http wsUser= wsPwd= # # RADIUS NAS Client config # # RADIUS shared secret with switch radiusSecret= [192.168.0.1] description=Test Switch type=Cisco::Catalyst_2900XL mode=production uplink=23,24 [192.168.1.254] mode=production deauthMethod=SSH description=C2960 type=Cisco::Catalyst_2960 VoIPEnabled=N radiusSecret=useStrongerSecret uplink=24 cliTransport=SSH SNMPVersion=2c defaultRole=default defaultVlan=1 #SNMPVersion = 3 #SNMPEngineID = 0000000000000 #SNMPUserNameRead = readUser #SNMPAuthProtocolRead = MD5 #SNMPAuthPasswordRead = authpwdread #SNMPPrivProtocolRead = DES #SNMPPrivPasswordRead = privpwdread #SNMPUserNameWrite = writeUser #SNMPAuthProtocolWrite = MD5 #SNMPAuthPasswordWrite = authpwdwrite #SNMPPrivProtocolWrite = DES #SNMPPrivPasswordWrite = privpwdwrite #SNMPVersionTrap = 3 #SNMPUserNameTrap = readUser #SNMPAuthProtocolTrap = MD5 #SNMPAuthPasswordTrap = authpwdread #SNMPPrivProtocolTrap = DES #SNMPPrivPasswordTrap = privpwdread Thank you! Regards, Jacky ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk _______________________________________________ PacketFence-users mailing list [email protected]<mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>> https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk _______________________________________________ PacketFence-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/packetfence-users ------------------------------------------------------------------------------ Android is increasing in popularity, but the open development platform that developers love is also attractive to malware creators. Download this white paper to learn more about secure code signing practices that can help keep Android apps secure. http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
