Thank you Jake. I got stuck with something else in the past two days and
did not get a chance to try it yet. I will test the setting later on and
let you know.
Regards,
Jacky
On Wed, Oct 30, 2013 at 11:28 AM, Sallee, Stephen (Jake) <
[email protected]> wrote:
> > When you get a chance, can you give me some idea on configuring MAB?
>
> No problem! First though, a disclaimer.
>
> <DISCLAIMER>
>
> Any MAC based authorization is NOT an acceptable security mechanism when
> used alone. It is absolutely trivial to spoof one's MAC address. MAB will
> stop the casual wifi / network hopper, but it will be of little to no use
> against a user with some modicum of security knowledge.
>
> Make sure to use other security measures in conjunction with MAC based
> auth. schemes.
>
> </DISCLAIMER>
>
> Luckily for you, using a MAC auth vlan has already gotten you most of the
> way to implementing MAB.
>
> First I would remove all the static MACs from the ports you want to use
> MAB on.
>
> Then get your global config setup for MAB, the important bits are:
>
> --------------------------------------------------------
> aaa new-model
> aaa authentication dot1x default group radius
> aaa authorization network default group radius
> aaa accounting dot1x default start-stop group radius
> aaa accounting system default start-stop group radius
> snmp-server community <SUPER SECRET> RW
> radius-server host <PFHostIP> auth-port 1812 acct-port 1813 key <SUPER SECRET>
> radius-server key <SUPER SECRET>
> radius-server vsa send authentication
> --------------------------------------------------------
>
> Then make your port configs look something like this:
>
> --------------------------------------------------------
> interface FastEthernet0/14
> description NAC_Controlled
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> authentication order mab
> authentication port-control auto
> mab
> mls qos trust cos
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard loop
> --------------------------------------------------------
>
> You can leave off the spanning tree bits if you want, and I have VoIP so I
> allow 1 device / vlan hence the max of 2 MACs instead of 1.
>
> Change the deauth setting in PF to SNMP and you may have to bounce the
> services.
>
> Also, you may want to add the following global config directives:
>
> --------------------------------------------------------
> errdisable recovery cause udld
> errdisable recovery cause bpduguard
> errdisable recovery cause security-violation
> errdisable recovery cause pagp-flap
> errdisable recovery cause dtp-flap
> errdisable recovery cause link-flap
> errdisable recovery cause sfp-config-mismatch
> errdisable recovery cause gbic-invalid
> errdisable recovery cause psecure-violation
> errdisable recovery cause port-mode-failure
> errdisable recovery cause dhcp-rate-limit
> errdisable recovery cause mac-limit
> errdisable recovery cause vmps
> errdisable recovery cause storm-control
> errdisable recovery cause inline-power
> errdisable recovery cause arp-inspection
> errdisable recovery cause loopback
> errdisable recovery cause small-frame
> errdisable recovery interval 30
> --------------------------------------------------------
>
> Not necessary, but good for overall security.
>
> Give that a go, it is copied directly from one of my production 2960s.
> Hopefully it helps you out.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: forbmsyn [[email protected]]
> Sent: Tuesday, October 29, 2013 4:13 PM
> To: [email protected]
> Subject: Re: [PacketFence-users] Why goes to "MAC detection VLAN 4" but
> not the default vlan 1?
>
> Thank you Jake. Problem fixed after restarting the service and MySQL. For
> some reason PF failed to connect to MySQL, so I restarted the database as well.
>
> When you get a chance, can you give me some idea on configuring MAB?
> Thanks again.
>
> Regards,
> Jacky
>
>
>
>
> On Mon, Oct 28, 2013 at 2:32 PM, Sallee, Stephen (Jake) <
> [email protected]> wrote:
> > But for the time being I would like to know why PF is not working as it
> should be.
>
> Here is your error:
>
> > May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in
> conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName)
> > May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin,
> Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode)
> > Argument "default" isn't numeric in numeric eq (==) at
> /usr/local/pf/lib/pf/SNMP.pm line 614.
> > May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed
> VLAN -> replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan)
>
> That says that the var defaultVlan couldn't be found in your switches.conf
> for that switch. I can see that you did add it but did you restart the
> services afterward?
> Did you add a role called default?
> Did you assign a vlan number to the role in the admin GUI?
>
> Check your switch's config in the web admin GUI; if your role does not show
> up correctly in there, then there is a mistake in your config somewhere.
>
> With PF v4.0+ you really don't need to play around in the config files very
> much, as almost everything can be done in the web GUI.
>
> > Argument "default" isn't numeric in numeric eq (==) at
> /usr/local/pf/lib/pf/SNMP.pm line 614.
> This is doubly important. Somewhere you are passing the string "default"
> where you should be putting the VLAN id. I suspect there is something
> missing in your role config and assignment.
>
> Also:
>
> Try to use SNMP as your de-auth mechanism. SSH is slow and should only be
> used as a last resort. You can use any version of SNMP you wish, I use v2c
> to great effect.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: forbmsyn [[email protected]]
> Sent: Monday, October 28, 2013 11:25 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Why goes to "MAC detection VLAN 4" but
> not the default vlan 1?
>
> Hi Jake,
>
> I have no idea about MAB yet. I will do some research on this and try it
> later on as you suggested. But for the time being I would like to know why
> PF is not working as it should be.
>
> Regards,
> Jacky
>
>
>
> On Mon, Oct 28, 2013 at 9:38 AM, Sallee, Stephen (Jake) <
> [email protected]> wrote:
> Is there a reason that you want to use a MAC detection vlan over RADIUS
> auth?
>
> In my experience using Mac Authentication Bypass is superior to using a
> MAC Detection vlan in every way.
>
> Obviously, if your requirements necessitate the use of a MAC detection
> vlan then you must, but if you have not considered MAB I would highly,
> HIGHLY suggest it over a MAC detection vlan.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: forbmsyn [[email protected]]
> Sent: Friday, October 25, 2013 5:14 PM
> To: [email protected]
> Subject: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not
> the default vlan 1?
>
> Hello experts,
>
> On PF I followed the instruction and created the following network:
>
> VLAN ID  VLAN Name      Subnet          Gateway      PacketFence Address
> 1        Normal         192.168.1.0/24  192.168.1.1  192.168.1.5
> 2        Registration   192.168.2.0/24  192.168.2.1  192.168.2.1
> 3        Isolation      192.168.3.0/24  192.168.3.1  192.168.3.1
> 4        Mac Detection
> 5        Inline         192.168.5.0/24  192.168.5.1  192.168.5.1
>
>
> I have a Cisco 2960 (IP 192.168.1.254), with the same vlans created as
> PacketFence. On Fa0/3 I have the following config:
>
> interface FastEthernet0/3
> switchport access vlan 4
> switchport mode access
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0200.0001.0003
>
>
> Then I plugged a laptop into the port, and the config was changed as below,
> which looks good because it is now on the registration VLAN (VLAN ID 2) and
> obtained the IP 192.168.2.10.
>
> interface FastEthernet0/3
> switchport access vlan 2
> switchport mode access
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0015.c5cf.0f12
>
>
> On PF I changed its status from unregistered to registered in the PF WebUI;
> on the switch I found that the port was switched back to MAC detection VLAN 4.
>
> interface FastEthernet0/3
> switchport access vlan 4
> switchport mode access
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0015.c5cf.0f12
>
>
>
> Below is part of the log from packetfence.log
>
> May 28 00:49:46 httpd.admin(0) INFO: re-evaluating access for node
> 00:15:c5:cf:0f:12 (node_modify called) (pf::enforcement::reevaluate_access)
> May 28 00:49:46 httpd.admin(0) INFO: 00:15:c5:cf:0f:12 is currentlog
> connected at 192.168.1.254 ifIndex 10003 in VLAN 2
> (pf::enforcement::_should_we_reassign_vlan)
> May 28 00:49:46 httpd.admin(0) INFO: Username was NOT defined or unable to
> match a role - returning node based role 'default' (pf::vlan::getNormalVlan)
> May 28 00:49:46 httpd.admin(0) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin,
> Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
> May 28 00:49:46 httpd.admin(0) INFO: VLAN reassignment required for
> 00:15:c5:cf:0f:12 (current VLAN = 2 but should be in VLAN 1)
> (pf::enforcement::_should_we_reassign_vlan)
> May 28 00:49:46 httpd.admin(0) INFO: switch port for 00:15:c5:cf:0f:12 is
> 192.168.1.254 ifIndex 10003 connection type: Wired SNMP
> (pf::enforcement::_vlan_reevaluation)
> May 28 00:49:49 pfsetvlan(25) INFO: local (127.0.0.1) trap for switch
> 192.168.1.254 (main::parseTrap)
> May 28 00:49:49 pfsetvlan(8) INFO: nb of items in queue: 1; nb of threads
> running: 0 (main::startTrapHandlers)
> May 28 00:49:49 pfsetvlan(8) INFO: reAssignVlan trap received on
> 192.168.1.254 ifIndex 10003 (main::handleTrap)
> May 28 00:49:49 pfsetvlan(8) INFO: security traps are configured on
> 192.168.1.254 ifIndex 10003. Re-assigning VLAN for 00:15:c5:cf:0f:12
> (main::handleTrap)
> May 28 00:49:49 pfsetvlan(8) INFO: Username was NOT defined or unable to
> match a role - returning node based role 'default' (pf::vlan::getNormalVlan)
> May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in
> conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName)
> May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin,
> Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode)
> Argument "default" isn't numeric in numeric eq (==) at
> /usr/local/pf/lib/pf/SNMP.pm line 614.
> May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed VLAN
> -> replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan)
> May 28 00:49:49 pfsetvlan(8) INFO: no VoIP phone is currently connected at
> 192.168.1.254 ifIndex 10003. Flipping port admin status (main::handleTrap)
> May 28 00:49:53 pfsetvlan(8) INFO: finished (main::cleanupAfterThread)
> May 28 00:50:25 pfmon(0) INFO: running expire check (main::cleanup)
>
>
>
> I do have the default VLAN configured in switches.conf. Why was the port not
> set to VLAN 1 but back to 4?
> Below is the config of switches.conf:
>
> [root@packetfence conf]# more switches.conf
> #
> # Copyright 2006-2008 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> description=Switches Default Values
> vlans=1,2,3,4,5
> normalVlan=1
> registrationVlan=2
> isolationVlan=3
> macDetectionVlan=4
> voiceVlan=5
> inlineVlan=6
> inlineTrigger=
> normalRole=normal
> registrationRole=registration
> isolationRole=isolation
> macDetectionRole=macDetection
> voiceRole=voice
> inlineRole=inline
> VoIPEnabled=no
> mode=testing
> macSearchesMaxNb=30
> macSearchesSleepInterval=2
> uplink=dynamic
> #
> # Command Line Interface
> #
> # cliTransport could be: Telnet, SSH or Serial
> cliTransport=Telnet
> cliUser=
> cliPwd=
> cliEnablePwd=
> #
> # SNMP section
> #
> # PacketFence -> Switch
> SNMPVersion=1
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> # Switch -> PacketFence
> SNMPVersionTrap=1
> SNMPCommunityTrap=public
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
> #
> # Web Services Interface
> #
> # wsTransport could be: http or https
> wsTransport=http
> wsUser=
> wsPwd=
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret=
>
> [192.168.0.1]
> description=Test Switch
> type=Cisco::Catalyst_2900XL
> mode=production
> uplink=23,24
>
> [192.168.1.254]
> mode=production
> deauthMethod=SSH
> description=C2960
> type=Cisco::Catalyst_2960
> VoIPEnabled=N
> radiusSecret=useStrongerSecret
> uplink=24
> cliTransport=SSH
> SNMPVersion=2c
> defaultRole=default
> defaultVlan=1
> #SNMPVersion = 3
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> #SNMPVersionTrap = 3
> #SNMPUserNameTrap = readUser
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
>
>
> Thank you!
>
> Regards,
> Jacky
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
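The fault Jake diagnoses in the thread is a lookup chain: a node's role name ("default") is resolved through a `<role>Vlan` parameter in switches.conf, and when that parameter is not found the literal role name reaches a numeric comparison and PacketFence falls back to the MAC detection VLAN. That chain can be checked before a node is moved. The following Python is an added example, not PacketFence's own code; it assumes a switch section inherits from `[default]`, that a role named R resolves through the key `RVlan`, that the `vlans=` line is the list of VLANs the switch manages, and that an unusable VLAN falls back to `macDetectionVlan`, which is what the posted log shows. The embedded switches.conf is a constructed reduction of the one Jacky posted.

```python
"""Validate the role -> VLAN mapping in a PacketFence switches.conf.

Added example, not PacketFence code.  It approximates the lookup chain in the
thread's log (getVlanByName -> fetchVlanForNode -> setVlan) so a missing or
non-numeric '<role>Vlan' key is caught before a node is moved.  Assumptions:
a switch section inherits from [default]; role R resolves via key 'RVlan';
'vlans=' is the managed list; unusable VLANs fall back to macDetectionVlan.
"""
import configparser

# Constructed sample: the [default] and [192.168.1.254] sections from the
# switches.conf posted in the thread, reduced to the keys used here.
SWITCHES_CONF = """\
[default]
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline

[192.168.1.254]
type=Cisco::Catalyst_2960
deauthMethod=SSH
defaultRole=default
defaultVlan=1
"""

def load_switches(text):
    """Parse switches.conf text; keep key case so 'defaultVlan' survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lookup(cp, switch, key):
    """Per-switch value, falling back to the [default] section (assumption)."""
    for section in (switch, "default"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key)
    return None

def managed_vlans(cp, switch):
    """VLAN ids the switch is declared to manage, from its 'vlans=' line."""
    raw = lookup(cp, switch, "vlans") or ""
    return {v.strip() for v in raw.split(",") if v.strip()}

def resolve_role_vlan(cp, switch, role):
    """Return (vlan, problems).  When '<role>Vlan' is absent the role name
    itself falls through, which is exactly what the thread's log recorded."""
    problems = []
    vlan = lookup(cp, switch, role + "Vlan")
    if vlan is None:
        problems.append(f"No parameter {role}Vlan found for switch {switch}")
        vlan = role
    if not vlan.isdigit():
        problems.append(f"VLAN value {vlan!r} for role {role!r} is not numeric")
    elif vlan not in managed_vlans(cp, switch):
        problems.append(f"VLAN {vlan} is not in vlans={sorted(managed_vlans(cp, switch))}")
    return vlan, problems

def effective_vlan(cp, switch, role):
    """VLAN the port would really get: the resolved one, or macDetectionVlan
    plus the reason when the resolved value is unusable (modelled on setVlan)."""
    vlan, problems = resolve_role_vlan(cp, switch, role)
    if not problems:
        return vlan, None
    return lookup(cp, switch, "macDetectionVlan"), "; ".join(problems)

def audit(cp, switch):
    """Check every role the switch can hand out (each '*Role' key) and the
    deauth method; returns {item: [problems]} holding only failing items."""
    keys = set(cp.options("default")) | set(cp.options(switch))
    findings = {}
    for key in sorted(k for k in keys if k.endswith("Role")):
        role = lookup(cp, switch, key)
        _, problems = resolve_role_vlan(cp, switch, role)
        if problems:
            findings[role] = problems
    if lookup(cp, switch, "deauthMethod") == "SSH":
        findings["deauthMethod"] = ["SSH deauth is slow; SNMP is preferred"]
    return findings

if __name__ == "__main__":
    switch = "192.168.1.254"
    cp = load_switches(SWITCHES_CONF)
    for item, problems in audit(cp, switch).items():
        print(f"{item}: {problems}")
    # Reproduce the thread's failure: drop defaultVlan and watch role
    # 'default' collapse to the MAC detection VLAN.
    broken = load_switches(SWITCHES_CONF.replace("defaultVlan=1\n", ""))
    print(effective_vlan(broken, switch, "default"))
```

Run against the posted config, the audit passes for role `default` (defaultVlan=1 is present and managed) and flags two other things visible in the same file: `inlineVlan=6` is not in `vlans=1,2,3,4,5`, and `deauthMethod=SSH`, which Jake advises replacing with SNMP. Removing `defaultVlan` reproduces the log's outcome, the port landing on VLAN 4, together with the reason, which is the check worth running after editing switches.conf and before restarting the services.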