Hello Fabrice,
The registration interface is not directly connected to the switch, but
in VLAN 302 (=macregistration, which spreads across the whole building).
The management interface of the switch is in another VLAN and is allowed
to communicate with the packetfence-management-interface (and vice
versa).

networks.conf:

[10.4.202.0]
dns=10.4.202.250
dhcp_start=10.4.202.10
gateway=10.4.202.250
domain-name=vlan-registration.lan
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
type=vlan-registration
netmask=255.255.255.0
dhcp_end=10.4.202.246
dhcp_default_lease_time=30

[10.4.203.0]
dns=10.4.203.254
dhcp_start=10.4.203.10
gateway=10.4.203.254
domain-name=vlan-isolation.lan
named=enabled
dhcp_max_lease_time=30
dhcpd=enabled
type=vlan-isolation
netmask=255.255.255.0
dhcp_end=10.4.203.246
dhcp_default_lease_time=30

pf.conf (part of ...):

network_detection_ip=10.4.10.5

[interface bond0.52]
ip=10.4.10.5
type=management
mask=255.255.255.0

[interface bond0.302]
enforcement=vlan
ip=10.4.202.250
type=internal
mask=255.255.255.0

[interface bond0.300]
enforcement=vlan
ip=10.4.203.254
type=internal
mask=255.255.255.0

thank you
Mark
>>> Fabrice DURAND <[email protected]> 15.11.2013 21:31 >>>
>
Hello Mark,
Where is the registration interface connected?
Is the PacketFence network interface card directly connected to the
switch (like eth1 on a port access 302)?
Regards
Fabrice
On 2013-11-13 04:54, Mark Gmeiner wrote:
So, I've got PacketFence up and running now - partly ...
My gear:
PF 4.0.6-2 on a CentOS 6.4 x64 server
Extreme Networks Summit X460-48t, XOS 15.3.1.4-patch19, all ports
configured into macregistration-vlan (tag 302)
PacketFence properly learns all the nodes on my network, I can manually
pre-register these nodes and they got dropped into the correct
role/vlan. So far so good ...
But ...
A directly attached, unregistered node (that stays in
macregistration-vlan) gets blackholed in the fdb and - ergo - can't
connect to the captive-portal for user-self-registration:
switch1 # show netlogin port 11
Port : 11
Port Restart : Disabled
Allow Egress : None
Vlan : macregistration
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC                IP address  Authenticated   Type  ReAuth-Timer  User
00:1b:78:3c:8f:99  0.0.0.0     Yes(B), Radius  MAC   7106          001B783C8F99
-----------------------------------------------
(B) - Client entry Blackholed in FDB
while a virtual machine on a registered node or a node on a miniswitch
with some other registered node can properly connect to the
captive-portal, register and connect to its target vlan!
PF-Radius says:
Wed Nov 13 10:45:18 2013 : Auth: Login OK: [001B783C8F99] (from client 10.4.201.18 port 1011 cli 00-1B-78-3C-8F-99)
Wed Nov 13 10:45:18 2013 : Auth: rlm_perl: Returning vlan 302 to request from 00:1b:78:3c:8f:99 port 1011
So, as far as I can see, the unregistered node is authenticated
correctly to the macregistration-vlan (302) and SHOULD get an ipaddress
for further proceeding. But instead I got no network connectivity at
all.
Am I missing something? Because configuration actually was pretty
straightforward (switch- and PF-side) ...
FYI: When I deselect the "force-registration"-checkbox in PF, the
unregistered nodes get a correct macregistration-ipaddress, but then
there is no captive-portal to register (works as designed, I guess).
Thanks in advance!
regards
Mark
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)