Sorry, with being out for a week, things kind of pile up. Check your vlan settings under the switch you added.
Go to the switch and select the roles tab. Under "role mapping by vlan", make sure all the necessary roles have the correct vlan assigned. Also, under that you will see "role mapping by role"; make sure you have the correct roles assigned. Usually this just means having the text box beside the role say the same thing as the role name. EX: Registration -> Registration, etc.

Also check your roles configuration. With PF v4+ you assign roles to users, which then determine the vlans they are assigned.

Try that and let us know how it goes.

Sorry I have been so slow to respond, a spanning tree loop took down half my network this morning. It's been a long day.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: sampath jayashantha [[email protected]]
Sent: Monday, March 17, 2014 11:15 AM
To: [email protected]
Subject: Re: [PacketFence-users] Adding switch to packet fence,

Hi salee,

Any clue from the above error? I'm totally stuck. :(

On Fri, Mar 14, 2014 at 11:18 AM, sampath jayashantha <[email protected]> wrote:

Hi sallee,

I have pointed out the issue. I am so embarrassed to tell what it is. I forgot to configure my switch uplink port to packetfence in trunk mode. So damn. :(

Anyway, what I am facing now is another problem. The switch vlan is not getting activated. So confused. I can't see the VLAN information on my newly added switch. Is that normal?

Packetfence.log

=> 50004, username => 7845c4b5ac41 (pf::radius::authorize)
Mar 14 11:13:27 pf::WebAPI(11847) INFO: Connection type is WIRED_MAC_AUTH.
Getting role from node_info (pf::vlan::getNormalVlan)
Mar 14 11:13:27 pf::WebAPI(11847) INFO: Username was defined '7845c4b5ac41' - returning user based role 'default' (pf::vlan::getNormalVlan)
Mar 14 11:13:27 pf::WebAPI(11847) WARN: No parameter defaultVlan found in conf/switches.conf for the switch 192.168.13.45 (pf::SNMP::getVlanByName)
Mar 14 11:13:27 pf::WebAPI(11847) INFO: MAC: 78:45:c4:b5:ac:41, PID: [email protected], Status: unreg. Returned VLAN: default (pf::vlan::fetchVlanForNode)
Mar 14 11:13:27 pf::WebAPI(11847) WARN: new VLAN default is not a managed VLAN -> Returning FAIL. Is the target vlan in the vlans=... list? (pf::radius::authorize)
Mar 14 11:13:56 pfmon(0) INFO: running expire check (main::cleanup)
Mar 14 11:13:56 pfmon(0) INFO: checking registered nodes for expiration (main::cleanup)

switch.conf

[root@localhost ~]# cat /usr/local/pf/conf/switches.conf
#
# Copyright 2006-2008 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html

[default]
description=Switches Default Values
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
inlineTrigger=
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
VoIPEnabled=no
mode=testing
macSearchesMaxNb=30
macSearchesSleepInterval=2
uplink=dynamic
SNMPCommunityTrap= <<EOT
public public
EOT

#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport=Telnet
cliUser=
cliPwd=
cliEnablePwd=

#
# SNMP section
#

# PacketFence -> Switch
SNMPVersion=1
SNMPCommunityRead=public
SNMPCommunityWrite=private
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite

# Switch -> PacketFence
SNMPVersionTrap=1
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread

#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport=http
wsUser=
wsPwd=

#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=

[192.168.13.45]
mode=production
description=Test Switch
type=Cisco::Catalyst_2960
cliPwd=coolBuddy123
VoIPEnabled=N
radiusSecret=abc123
SNMPCommunityTrap=publicpublic
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread

On Wed, Mar 12, 2014 at 12:25 AM, Sallee, Jake <[email protected]> wrote:

I am actually out of the office this week, our campus is shut down for spring break and I'm getting some time off! WOOT!

However, I will try to take some time to surf the list a bit.

If your device is getting correctly placed into your registration vlan then that is a very good sign. If you are not getting a DHCP address, fixing that problem depends on how you are assigning the IPs.

If you are using PF as your DHCP server you need to make sure that the DHCP requests are making it to the server and that the DHCP service is started. Try disabling the firewall on your PF box to see if it is blocking the requests. Verify the DHCP traffic to/from your DHCP server with tshark or wireshark.

Also, it never hurts to reboot your PF box just to make sure all the necessary services get restarted when you make any configuration changes.

A good rule of thumb is to put your PF server into debugging or trace level logging mode and follow log files like packetfence.log, radiusd.log, etc. Be warned! Trace level logging can give you too much info and most of it will not be helpful to anyone but a programmer.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: sampath jayashantha [[email protected]]
Sent: Monday, March 10, 2014 10:40 PM
To: [email protected]
Subject: Re: [PacketFence-users] Adding switch to packet fence,

Hi sallee,

Any updates, if you don't mind.
:)

Regards,
Sampath Jayashantha

On Sat, Mar 8, 2014 at 5:35 PM, sampath jayashantha <[email protected]> wrote:

Hi sallee,

First, thank you very much for your reply. I did the configuration according to your template. When I plug in a new device, the switch goes to vlan 2. But the device doesn't get an IP address from the registration vlan. Wondering where I should do the troubleshooting.

Before I go deeper into configuration stuff, could you please help me to understand the basic behavior of the pf. I have the few concerns below.

1) When I plug a new device into a wired port, what is the process it actually goes through? I just need to identify the steps which are involved in device registration. I know there is a radius authentication with MAB. And then the switch should go to the registration vlan according to snmp traps. A registration vlan IP should be assigned to the device and we should be able to get the registration portal through the web. If registration is a success, the switch should go to the production vlan; otherwise it should go to the isolation vlan.

2) Am I correct? Other than pf switch configuration, do I need to do any additional configuration on packet fence for the device?

3) And let's assume I need to put my new device into vlan 10 if the authentication succeeds. Where should I configure that information on the packet fence web portal?

I know this is kind of a nerd question, seriously. But I know I'm missing something and I don't know what it is. Hope understanding the basics will guide me to the exact problem. :)

Thank you very much for your valuable time.

On Wed, Mar 5, 2014 at 11:03 PM, Sallee, Jake <[email protected]> wrote:

I'm sorry, one of my users decided to start sending thousands of spam messages and I got very busy cleaning up the mess :)

Could you tell me again exactly what your question was?
You were wanting to add a switch to PF and were asking the best method, right?

If you are adding switches to PF, in my opinion the best way is to use VLAN enforcement with MAB or 802.1x. MAB is simpler by far to set up but is less secure than 802.1x.

I just re-posted the necessary config bits for a cisco switch using MAB, and the Admin guide explains how to add the switch into PF.

I hope that helps, if you need more assistance just post your questions to the list. I will do what I can.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: sampath jayashantha [[email protected]]
Sent: Wednesday, March 05, 2014 10:29 AM
To: [email protected]
Subject: Re: [PacketFence-users] Adding switch to packet fence,

Dear Users,

Any updates :(

On Mon, Mar 3, 2014 at 10:13 PM, sampath jayashantha <[email protected]> wrote:

Hi sallee,

This one?

Help with Cisco 2960 and 1242 <http://sourceforge.net/p/packetfence/mailman/message/29744760>

Regards,
Sampath

On Mon, Mar 3, 2014 at 9:46 PM, Sallee, Jake <[email protected]> wrote:

Search for my name and 2960 in the archives, I posted the necessary config bits to make PF work with MAB on just about any cisco switch.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: sampath jayashantha [[email protected]]
Sent: Monday, March 03, 2014 9:24 AM
To: [email protected]
Subject: Re: [PacketFence-users] Adding switch to packet fence,

Dear Jason,

I just followed the packet fence device configuration guide to configure the switch. I can see there are a lot of methods like telnet, ssh, snmp, radius etc. on the packet fence switch add GUI. But I'm a little bit confused with those options and how they relate to each other. :(

To make packet fence up and running with a very basic configuration, could you please tell me which configuration I need to do on the switch side and the packet fence side.

At the same time, what is the difference between the port-security method and full 802.1x with RADIUS de-auth? A little bit confused with those terminologies. And what will be the role for SNMP traps? What does it actually do?

Note: No need to explain in a very detailed manner. Just a briefing will be enough to find the right path for me.
Regards,
Sampath

On Mon, Mar 3, 2014 at 8:40 PM, Jason Frisvold <[email protected]> wrote:

sampath jayashantha wrote:
> Hi fellow people,
>
> After getting tired with old cisco 2950 old switch I found a new switch
> 2960 as my new packet fence switch. I have completed the switch
> configuration according to the support document. But the problem is when
> I plug in a device to switch port 4 nothing happens. I can't see any event
> on switch and packet fence side logs.

Any particular reason you're using the port-security method? The 2960 is fully capable of full 802.1x with RADIUS de-auth.

For your current configuration, you need to make sure that traps from the switch are making it to the server. Is iptables on the packetfence server open for incoming 162/udp connections? Did you restart radiusd after adding the new switch config?

> Am I missing anything?

--
---------------------------
Jason 'XenoPhage' Frisvold
[email protected]
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
..........................................................................................
There is always some one who know more Than us out there.
Wê Lïvê †ð §hårê : Wê Lðvê †ð §hårê
SAM
