Hi experts,

My PacketFence VLAN design is as below:

vlan 2: registration vlan
vlan 3: isolation vlan
vlan 9: employee vlan

When a new device was plugged into the switch port, the port was assigned to
vlan 2 (registration vlan), which is good. After entering
username/password, the new device was scanned by Nessus, then a violation
was triggered, and the device was put into vlan 3 (isolation vlan). There
was also a pop-up window on the client device saying "Quarantine
Established! Windows Patches Are Not Up-to-date....". Everything was working
fine as I expected, so far.

However, after about 10 minutes, the switch port into which the device was
plugged was changed to vlan 9 automatically. I did not make any changes on
PacketFence, and did not get a chance to update the client device yet. I
think the device should still stay in vlan 3 until the problem is fixed.
How come the VLAN of the switch port was changed?

Below is part of packetfence.log. Can anyone please shed some light
on this? Thank you in advance for the help.

Mar 04 14:53:45 pfdhcplistener(1894) INFO: DHCPACK from 192.168.23.1
(00:0c:29:04:c5:74) to host dc:0e:a1:8a:d4:8f (192.168.23.10) for 30
seconds (main::parse_dhcp_ack)
Mar 04 14:53:46 pfmon(0) INFO: running expire check (main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: checking registered nodes for expiration
(main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: checking violations for expiration
(main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: violation 1100001 force-closed for
dc:0e:a1:8a:d4:8f (pf::violation::violation_force_close)
Mar 04 14:53:46 pfmon(0) INFO: re-evaluating access for node
dc:0e:a1:8a:d4:8f (manage_vclose called)
(pf::enforcement::reevaluate_access)
Mar 04 14:53:46 pfmon(0) INFO: dc:0e:a1:8a:d4:8f is currentlog connected at
172.16.123.22 ifIndex 10101 in VLAN 3
(pf::enforcement::_should_we_reassign_vlan)
Mar 04 14:53:56 pfmon(0) INFO: Connection type is WIRED_MAC_AUTH. Getting
role from node_info (pf::vlan::getNormalVlan)
Mar 04 14:53:56 pfmon(0) INFO: Username was defined 'dc0ea18ad48f' -
returning user based role 'Inf_employee_role' (pf::vlan::getNormalVlan)
Mar 04 14:53:56 pfmon(0) INFO: MAC: dc:0e:a1:8a:d4:8f, PID: inf_user1,
Status: reg. Returned VLAN: 9 (pf::vlan::fetchVlanForNode)
Mar 04 14:53:56 pfmon(0) INFO: VLAN reassignment required for
dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 9)
(pf::enforcement::_should_we_reassign_vlan)
Mar 04 14:53:56 pfmon(0) INFO: switch port for dc:0e:a1:8a:d4:8f is
172.16.123.22 ifIndex 10101 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
Mar 04 14:53:56 pfmon(0) INFO: checking accounting data for potential
bandwidth abuse (main::cleanup)
Mar 04 14:53:56 pfmon(0) INFO: getting violations triggers for accounting
cleanup (pf::accounting::acct_maintenance)
Mar 04 14:53:56 pfmon(0) INFO: Calling node acct maintenance total with
monthly and 1 for 21474836480 (pf::accounting::acct_maintenance)
Mar 04 14:54:00 pfsetvlan(24) INFO: local (127.0.0.1) trap for switch
172.16.123.22 (main::parseTrap)
Mar 04 14:54:00 pfsetvlan(7) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Mar 04 14:54:00 pfsetvlan(7) INFO: reAssignVlan trap received on
172.16.123.22 ifIndex 10101 (main::handleTrap)
Mar 04 14:54:00 pfsetvlan(7) WARN: Until CoA is implemented we will bounce
the port on VLAN re-assignment traps for MAC-Auth
(pf::SNMP::handleReAssignVlanTrapForWiredMacAuth)
Mar 04 14:54:04 pfsetvlan(7) INFO: finished (main::cleanupAfterThread)
Mar 04 14:54:09 pf::WebAPI(1772) INFO: handling radius autz request: from
switch_ip => 172.16.123.22, connection_type => WIRED_MAC_AUTH mac =>
dc:0e:a1:8a:d4:8f, port => 50001, username => dc0ea18ad48f
(pf::radius::authorize)
Mar 04 14:54:09 pf::WebAPI(1772) INFO: Connection type is WIRED_MAC_AUTH.
Getting role from node_info (pf::vlan::getNormalVlan)
Mar 04 14:54:09 pf::WebAPI(1772) INFO: Username was defined 'dc0ea18ad48f'
- returning user based role 'Inf_employee_role' (pf::vlan::getNormalVlan)
Mar 04 14:54:09 pf::WebAPI(1772) INFO: MAC: dc:0e:a1:8a:d4:8f, PID:
inf_user1, Status: reg. Returned VLAN: 9 (pf::vlan::fetchVlanForNode)
Mar 04 14:54:09 pf::WebAPI(1772) WARN: Role-based Network Access Control is
not supported on network device type pf::SNMP::Cisco::Catalyst_3560G.
 (pf::SNMP::supportsRoleBasedEnforcement)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
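The log excerpt above shows the sequence that moved the node: pfmon's "checking violations for expiration" pass force-closes violation 1100001, ten seconds later pfmon decides "current VLAN = 3 but should be in VLAN 9", and pfsetvlan bounces the MAC-Auth port so the switch re-authorizes the node into VLAN 9. When auditing a NAC deployment it is useful to pull exactly this pattern out of packetfence.log automatically: any move out of an isolation VLAN that was preceded by an automatic force-close rather than an operator release. The script below is an added example (not PacketFence code) that parses log lines in the format quoted in the post, rejoins the wrapped continuation lines the mail archive produced, and correlates force-close events with VLAN reassignments per MAC. The sample log is a constructed subset of the lines above; the isolation VLAN set ({3}) comes from the post, while the five-minute correlation window and the lack of a year in the timestamps are assumptions.

```python
"""Correlate PacketFence log events that move a node out of an isolation VLAN.

Added example, not PacketFence's own code. Parses packetfence.log lines of the
form "Mar 04 14:53:46 pfmon(0) INFO: message (pf::module::function)", joins
wrapped continuation lines, and flags VLAN reassignments out of an isolation
VLAN that follow a pfmon violation force-close within a short window.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample: a subset of the lines quoted in the post, kept in the
# wrapped form they have in the mail archive (continuation lines carry no timestamp).
SAMPLE_LOG = """\
Mar 04 14:53:46 pfmon(0) INFO: checking violations for expiration
(main::cleanup)
Mar 04 14:53:46 pfmon(0) INFO: violation 1100001 force-closed for
dc:0e:a1:8a:d4:8f (pf::violation::violation_force_close)
Mar 04 14:53:56 pfmon(0) INFO: VLAN reassignment required for
dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 9)
(pf::enforcement::_should_we_reassign_vlan)
Mar 04 14:54:00 pfsetvlan(7) WARN: Until CoA is implemented we will bounce
the port on VLAN re-assignment traps for MAC-Auth
(pf::SNMP::handleReAssignVlanTrapForWiredMacAuth)
Mar 04 14:54:09 pf::WebAPI(1772) INFO: MAC: dc:0e:a1:8a:d4:8f, PID:
inf_user1, Status: reg. Returned VLAN: 9 (pf::vlan::fetchVlanForNode)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w:]+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): (?P<msg>.*)$"
)
FORCE_CLOSE_RE = re.compile(rf"violation (?P<vid>\d+) force-closed for (?P<mac>{MAC})")
REASSIGN_RE = re.compile(
    rf"VLAN reassignment required for (?P<mac>{MAC}) "
    r"\(current VLAN = (?P<cur>\d+) but should be in VLAN (?P<new>\d+)\)"
)


@dataclass
class Record:
    ts: datetime  # the log carries no year; strptime defaults it to 1900 (assumption)
    proc: str
    level: str
    msg: str


def parse_records(text: str) -> List[Record]:
    """Parse log text; lines without a timestamp header are appended to the previous record."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            records.append(Record(ts, m["proc"], m["level"], m["msg"]))
        elif records:
            # Wrapped continuation line: rejoin it so regexes see the whole message.
            records[-1].msg += " " + line
    return records


@dataclass
class IsolationEscape:
    mac: str
    from_vlan: int
    to_vlan: int
    violation_id: Optional[str]  # set when a pfmon force-close preceded the move
    seconds_after_close: Optional[float]


def find_isolation_escapes(
    records: List[Record],
    isolation_vlans: FrozenSet[int] = frozenset({3}),
    window_s: float = 300.0,  # assumed correlation window
) -> List[IsolationEscape]:
    """Report every reassignment out of an isolation VLAN, attributing it to a
    force-close by pfmon when one happened for the same MAC within window_s."""
    escapes: List[IsolationEscape] = []
    last_close: Dict[str, Tuple[datetime, str]] = {}
    for r in records:
        fc = FORCE_CLOSE_RE.search(r.msg)
        if fc and r.proc == "pfmon":
            last_close[fc["mac"]] = (r.ts, fc["vid"])
            continue
        ra = REASSIGN_RE.search(r.msg)
        if not ra:
            continue
        cur, new = int(ra["cur"]), int(ra["new"])
        if cur not in isolation_vlans or new in isolation_vlans:
            continue
        close = last_close.get(ra["mac"])
        delta = (r.ts - close[0]).total_seconds() if close else None
        if close is not None and delta is not None and 0 <= delta <= window_s:
            escapes.append(IsolationEscape(ra["mac"], cur, new, close[1], delta))
        else:
            escapes.append(IsolationEscape(ra["mac"], cur, new, None, None))
    return escapes


if __name__ == "__main__":
    for e in find_isolation_escapes(parse_records(SAMPLE_LOG)):
        cause = (f"violation {e.violation_id} force-closed {e.seconds_after_close:.0f}s earlier"
                 if e.violation_id else "no preceding force-close found")
        print(f"{e.mac}: VLAN {e.from_vlan} -> {e.to_vlan}; {cause}")
```

Run against a real packetfence.log the script reports each node that left an isolation VLAN and whether an automatic force-close by pfmon's expiration pass was the trigger, which is the first thing to check before looking at the violation's expiry and grace settings.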
