Did you enable 802.1x auto register? Also some info about the WLC platform with PF:
SNMP with WLCs is borked after version 7.0 (I think), we switched over to using RADIUS-COA and it worked much better for client de-auth.

Also, currently there is a "feature" in the WLCs that caches the user's session for 72 hours and will allow a user to re-establish that session without honoring the new RADIUS attributes that the WLC gets from PF. TAC has gone on record telling me that this is a hard-coded feature and cannot be changed. I am working with my Cisco rep to see what we can do, but for now we are forced to manually kick users off through the GUI on the WLC, and that seems to close the session so when the user re-associates they are correctly assigned the new vlan. It is really only a huge problem when the user registers through the captive portal.

I don't know if this is the same problem you are having, but you can test by taking an unregistered host and doing the following:

1. Associate to the AP on the WLC
2. Go through the registration process
3. Wait for the user to reconnect after getting kicked
4. Check their vlan in the WLC, it is most likely still the registration vlan even though PF sent the correct vlan ID to the WLC, which you can verify in the logs on PF.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Tim Tyndall [[email protected]]
Sent: Thursday, March 06, 2014 11:22 AM
To: [email protected]
Subject: [PacketFence-users] VLAN registration

Hello,

I'm a newbie to PacketFence and I'm setting up a test environment with a single Cisco 2960 switch and a test WLAN on a Cisco 2504 WLC. I'm working on the wired 802.1x authentication. The 802.1x authentication is working, but I'm not getting the correct VLAN assignment based on the rule I created. I've got PacketFence set to query our AD servers and test reveals that is working.
I've defined a default vlan and engineering vlan on the switch configuration. The port gets authenticated but is getting put in the registration vlan. I look under nodes and my test computer shows up and under 802.1x it has my AD username. If I select register and then assign it to either default or engineering for role, then PacketFence will send the SNMP trap to the switch to modify the VLAN, but I'm not getting that same behavior based on the rule I've created under Configuration\Sources\Rule. For now I just have a rule with connection type Ethernet-EAP and place in the default vlan.

Is there something I'm missing here?

Tim Tyndall

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
