Hi Sallee,
Any clue from the above error? I'm totally stuck. :(
On Fri, Mar 14, 2014 at 11:18 AM, sampath jayashantha
<[email protected]> wrote:
> Hi Sallee,
>
> I have pointed out the issue. I am so embarrassed to tell what it is. I
> forgot to configure my switch uplink port to PacketFence in trunk mode. So
> dam. :(
> Anyway, now what I am facing is another problem. The switch VLAN is not
> getting activated. So confused. I can't see the VLAN information on my
> newly added switch. Is that normal?
>
> Packetfence.log
>
> => 50004, username => 7845c4b5ac41 (pf::radius::authorize)
> Mar 14 11:13:27 pf::WebAPI(11847) INFO: Connection type is WIRED_MAC_AUTH.
> Getting role from node_info (pf::vlan::getNormalVlan)
> Mar 14 11:13:27 pf::WebAPI(11847) INFO: Username was defined
> '7845c4b5ac41' - returning user based role 'default'
> (pf::vlan::getNormalVlan)
> Mar 14 11:13:27 pf::WebAPI(11847) WARN: No parameter defaultVlan found in
> conf/switches.conf for the switch 192.168.13.45 (pf::SNMP::getVlanByName)
> Mar 14 11:13:27 pf::WebAPI(11847) INFO: MAC: 78:45:c4:b5:ac:41, PID:
> [email protected], Status: unreg. Returned VLAN: default
> (pf::vlan::fetchVlanForNode)
> Mar 14 11:13:27 pf::WebAPI(11847) WARN: new VLAN default is not a managed
> VLAN -> Returning FAIL. Is the target vlan in the vlans=... list?
> (pf::radius::authorize)
> Mar 14 11:13:56 pfmon(0) INFO: running expire check (main::cleanup)
> Mar 14 11:13:56 pfmon(0) INFO: checking registered nodes for expiration
> (main::cleanup)
>
>
> switch.conf
>
> [root@localhost ~]# cat /usr/local/pf/conf/switches.conf
> #
> # Copyright 2006-2008 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> description=Switches Default Values
> vlans=1,2,3,4,5
> normalVlan=1
> registrationVlan=2
> isolationVlan=3
> macDetectionVlan=4
> voiceVlan=5
> inlineVlan=6
> inlineTrigger=
> normalRole=normal
> registrationRole=registration
> isolationRole=isolation
> macDetectionRole=macDetection
> voiceRole=voice
> inlineRole=inline
> VoIPEnabled=no
> mode=testing
> macSearchesMaxNb=30
> macSearchesSleepInterval=2
> uplink=dynamic
> SNMPCommunityTrap= <<EOT
> public
> public
> EOT
> #
> # Command Line Interface
> #
> # cliTransport could be: Telnet, SSH or Serial
> cliTransport=Telnet
> cliUser=
> cliPwd=
> cliEnablePwd=
> #
> # SNMP section
> #
> # PacketFence -> Switch
> SNMPVersion=1
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> # Switch -> PacketFence
> SNMPVersionTrap=1
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
> #
> # Web Services Interface
> #
> # wsTransport could be: http or https
> wsTransport=http
> wsUser=
> wsPwd=
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret=
>
> [192.168.13.45]
> mode=production
> description=Test Switch
> type=Cisco::Catalyst_2960
> cliPwd=coolBuddy123
> VoIPEnabled=N
> radiusSecret=abc123
> SNMPCommunityTrap=publicpublic
> #SNMPVersion = 3
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> #SNMPVersionTrap = 3
> #SNMPUserNameTrap = readUser
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
>
>
>
> On Wed, Mar 12, 2014 at 12:25 AM, Sallee, Jake <[email protected]> wrote:
>
>> I am actually out of the office this week, our campus is shut down for
>> spring break and I'm getting some time off! WOOT! However, I will try to
>> take some time to surf the list a bit.
>>
>> If your device is getting correctly placed into your registration vlan
>> then that is a very good sign. If you are not getting a DHCP address
>> fixing that problem depends on how you are assigning the IPs.
>>
>> If you are using PF as your DHCP server you need to make sure that the
>> DHCP requests are making it to the server as well as the DHCP service is
>> started.
>>
>> Try disabling the firewall on your PF box to see if it is blocking the
>> requests.
>>
>> Verify the DHCP traffic to/from your DHCP server with tshark or wireshark.
>>
>> Also, it never hurts to reboot your PF box just to make sure all the
>> necessary services get restarted when you make any configuration changes.
>>
>> A good rule of thumb is to put your PF server into debugging or trace
>> level logging mode and follow log files like packetfence.log, radiusd.log,
>> etc.
>>
>> Be warned! Trace level logging can give you too much info and most of it
>> will not be helpful to anyone but a programmer.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>> ________________________________
>> From: sampath jayashantha [[email protected]]
>> Sent: Monday, March 10, 2014 10:40 PM
>> To: [email protected]
>> Subject: Re: [PacketFence-users] Adding switch to packet fence,
>>
>> Hi Sallee,
>>
>> Any updates, if you don't mind? :)
>>
>> Regards,
>> Sampath Jayashantha
>>
>>
>> On Sat, Mar 8, 2014 at 5:35 PM, sampath jayashantha <[email protected]> wrote:
>> Hi Sallee,
>>
>> First, thank you very much for your reply. I did the configuration
>> according to your template. When I plug in a new device, the switch goes to VLAN 2.
>> But the device doesn't get an IP address from the registration VLAN. Wondering where
>> I should do the troubleshooting.
>>
>> Before I go deeper into configuration stuff, could you please help me
>> to understand the basic behavior of PF? I have the few concerns below.
>>
>> 1) When I plug a new device into a wired port, what process does it actually
>> go through? I just need to identify the steps involved in device
>> registration. I know there is a RADIUS authentication with MAB. And then
>> the switch should go to the registration VLAN according to SNMP traps. A registration
>> VLAN IP should be assigned to the device and we should be able to get the
>> registration portal through the web. If registration is a success, the switch should
>> go to the production VLAN. Otherwise it should go to the isolation VLAN.
>> 2) Am I correct? Other than the PF switch configuration, do I need to do any
>> additional configuration on PacketFence for the device?
>> 3) And let's assume I need to put my new device in VLAN 10 if the
>> authentication succeeds. Where should I configure that information on the
>> PacketFence web portal?
>>
>> I know this is kind of a nerd question, seriously. But I know I'm missing
>> something and I don't know what it is. Hope understanding the basics will guide
>> me to the exact problem. :)
>>
>> Thank you very much for your valuable time.
>>
>>
>>
>> On Wed, Mar 5, 2014 at 11:03 PM, Sallee, Jake <[email protected]> wrote:
>> I'm sorry, one of my users decided to start sending thousands of spam
>> messages and I got very busy cleaning up the mess :)
>>
>> Could you tell me again exactly what your question was? You were wanting
>> to add a switch to PF and were asking the best method, right?
>>
>> If you are adding switches to PF in my opinion the best way is to use
>> VLan enforcement with MAB or 802.1x. MAB is simpler by far to setup but is
>> less secure than 802.1x.
>>
>> I just re-posted the necessary config bits for a cisco switch using MAB
>> and the Admin guide explains how to add the switch into PF.
>>
>> I hope that helps, if you need more assistance just post your questions
>> to the list. I will do what I can.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>> ________________________________
>> From: sampath jayashantha [[email protected]]
>> Sent: Wednesday, March 05, 2014 10:29 AM
>> To: [email protected]
>> Subject: Re: [PacketFence-users] Adding switch to packet fence,
>>
>> Dear Users,
>>
>> Any updates :(
>>
>>
>> On Mon, Mar 3, 2014 at 10:13 PM, sampath jayashantha <[email protected]> wrote:
>> Hi Sallee,
>>
>> This one? Help with Cisco 2960 and 1242
>> <http://sourceforge.net/p/packetfence/mailman/message/29744760>
>>
>> Regards,
>> Sampath
>>
>>
>> On Mon, Mar 3, 2014 at 9:46 PM, Sallee, Jake <[email protected]> wrote:
>> Search for my name and 2960 in the archives, I posted the necessary
>> config bits to make PF work with MAB on just about any cisco switch.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>> ________________________________
>> From: sampath jayashantha [[email protected]]
>> Sent: Monday, March 03, 2014 9:24 AM
>> To: [email protected]
>> Subject: Re: [PacketFence-users] Adding switch to packet fence,
>>
>> Dear Jason,
>>
>> I just followed the PacketFence device configuration guide to
>> configure the switch. I can see there are a lot of methods like telnet, ssh,
>> snmp, radius etc. on the PacketFence switch add GUI. But I'm a little bit confused
>> about how those options relate to each other. :(
>> To make PacketFence up and running with a very basic configuration,
>> could you please tell me which configuration I need to do on the switch side
>> and the PacketFence side?
>> At the same time, what is the difference between the port-security method and
>> full 802.1x with RADIUS de-auth? A little bit confused with those
>> terminologies.
>> And what will be the role of SNMP traps? What do they actually do?
>>
>> Note:
>> No need to explain in a very detailed manner. Just a briefing will be enough
>> to find the right path for me.
>>
>> Regards,
>> Sampath
>>
>>
>> On Mon, Mar 3, 2014 at 8:40 PM, Jason Frisvold <[email protected]> wrote:
>> sampath jayashantha wrote:
>> > Hi fellow people,
>> >
>> > After getting tired of my old Cisco 2950 switch, I found a new switch,
>> > a 2960, as my new PacketFence switch. I have completed the switch
>> > configuration according to the support document. But the problem is when
>> > I plug a device into switch port 4, nothing happens. I can't see any event
>> > in the switch and PacketFence side logs.
>>
>> Any particular reason you're using the port-security method? The 2960
>> is fully capable of full 802.1x with RADIUS de-auth.
>>
>> For your current configuration, you need to make sure that traps from
>> the switch are making it to the server. Is iptables on the packetfence
>> server open for incoming 162/udp connections? Did you restart radiusd
>> after adding the new switch config?
>>
>> > Am I missing anything?
>>
>> --
>> ---------------------------
>> Jason 'XenoPhage' Frisvold
>> [email protected]
>> ---------------------------
>>
>> "Any sufficiently advanced magic is indistinguishable from technology."
>> - Niven's Inverse of Clarke's Third Law
>>
>>
>> ------------------------------------------------------------------------------
>> Subversion Kills Productivity. Get off Subversion & Make the Move to
>> Perforce.
>> With Perforce, you get hassle-free workflows. Merge that actually works.
>> Faster operations. Version large binaries. Built-in WAN optimization and
>> the
>> freedom to use Git, Perforce or both. Make the move to Perforce.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>>
>> --
>>
>> ..........................................................................................
>>
>> There is always some one who know more Than us out there.
>>
>> Wê Lïvê †ð §hårê : Wê Lðvê †ð §hårê
>>
>>
>>
>> SAM
>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/13534_NeoTech
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
--
..........................................................................................
There is always some one who know more Than us out there.
Wê Lïvê †ð §hårê : Wê Lðvê †ð §hårê
SAM
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
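
Added example, not part of the thread and not PacketFence's own code: a small check that reproduces the two WARN lines in the quoted packetfence.log from the quoted switches.conf. It assumes, from the log wording only, that a role resolves through a "<role>Vlan" key and that a switch section falls back to [default]; the function names are hypothetical.

```python
import configparser

# Constructed sample: trimmed from the switches.conf quoted in the thread
# (credentials and SNMP settings left out).
SAMPLE_CONF = """\
[default]
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
voiceVlan=5
inlineVlan=6

[192.168.13.45]
mode=production
type=Cisco::Catalyst_2960
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: normalVlan, not normalvlan
    cp.read_string(text)
    return cp

def lookup(cp, switch, key):
    """Assumption: a switch section falls back to [default] for missing keys."""
    for section in (switch, "default"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None

def check_role(cp, switch, role):
    """Return (ok, reason) for the VLAN a role resolves to on a switch."""
    key = role + "Vlan"  # role 'default' -> 'defaultVlan', as named in the log
    vlan = lookup(cp, switch, key)
    if not vlan:
        return False, f"no parameter {key} for switch {switch}"
    managed = [v.strip() for v in (lookup(cp, switch, "vlans") or "").split(",")]
    if vlan not in managed:
        return False, f"{key}={vlan} is not in vlans={','.join(managed)}"
    return True, f"{key}={vlan}"

def audit(cp, switch, roles):
    """Check every role name against one switch section."""
    return {role: check_role(cp, switch, role) for role in roles}

if __name__ == "__main__":
    cp = load(SAMPLE_CONF)
    roles = ["default", "normal", "registration", "inline"]
    for role, (ok, why) in audit(cp, "192.168.13.45", roles).items():
        print(f"{'OK  ' if ok else 'FAIL'} {role}: {why}")
```

On the quoted configuration the node's role 'default' has no defaultVlan key, which matches the log, and inlineVlan=6 falls outside vlans=1,2,3,4,5.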