Hi Guys, I think there is a misunderstanding about how pf works.

There is no need for a mac-detection VLAN for port-sec, mac-auth and 802.1x. You can try first only port-security; this technique uses only SNMP to talk to the switch (so configure the SNMP communities public/private and snmptrap to pf, and also configure SNMP in the pf switch config). If a device plugs into a port-security enabled port, then PacketFence will receive an SNMP trap and check if the device is reg or not (answering a role-based VLAN id or the registration VLAN). In the case of an unreg device, your device will be in the reg VLAN, pf will give you IP configuration and your device will hit the portal. Once registered in the portal, pf will send an SNMP write to the switch to change the VLAN of the port where the device is.

In the case of mac-auth, pf will receive a RADIUS request and check if the device is reg or not and follow the same workflow as before (SNMP + RADIUS config to do on each side). In the case of 802.1x, RADIUS will check your username and password and if it is ok then ask PacketFence for the VLAN to return and follow the same workflow as before (SNMP + RADIUS config to do on each side).

So try first port-sec (it's really simple) and try the other methods after, and you will be able to understand how it works and you will be able to mix different methods.

regards
Fabrice

On 2014-06-09 20:19, Ali Tekeoglu wrote:
> Hello Matteo,
>
> Thanks for your reply,
>
>> Anyway:
>> I saw that you specify the access vlan for this port. This is not needed I
>> think. dot1x will make this work for you.
>> Just configure the "Normal" vlan in the packetfence switch configuration, in
>> order to forward the correct information to the switch.
>> Try to do this...
> As far as I understand, by stating the following in the switch
> configuration for each port;
>
> interface FastEthernet0/33
> switchport access vlan 4
> switchport mode access
>
> we are using the "Mac Detection Vlan", as stated in conf/switches.conf.
> In the [default] section of conf/switches.conf, we define;
> macDetectionVlan=4
>
> This is an empty vlan; when a new user plugs in to the switch it's in the
> Mac Detection Vlan,
> if it authenticates through 802.1X it goes to the access VLAN, or if
> 802.1X fails then it authenticates with Mac Access Bypass (MAB) and
> gets into the Registration VLAN.
> After MAB succeeds, it's supposed to access the Captive Portal and
> register itself to be able to get into the Access/Normal/Default VLAN.
>
>> Anyway, some other questions that maybe will help me too:
>> 1) I also have a cisco 3560, but no possibility to perform commands that
>> start with "authentication xxx" ... In which way were you able to do this?
> If you mean the "authentication" command for each switchport on Cisco
> 3560, it worked in my case. I did the following;
>
> Switch> enable
> Switch# configure terminal
> Switch(config)# interface FastEthernet 0/33
> Switch(config-if)# authentication order dot1x mab
>
> If you can't get authentication when you are at the (config-if) command
> prompt in the switch, my guess is that you might have to configure the
> global config commands for Authentication first.
>
> Commands like the following might have to be issued in global config;
>
> aaa authentication login default local
> aaa authentication dot1x default group packetfence
> aaa authorization network default group packetfence
>
>> 2) Why do you want MAB? Isn't dot1x + SNMP enough in order to send and
>> change port configuration?
>> ok... in my case it is not working at all... I am able to see the portal...
>> make the self registration... but the last and "dream" switch vlan is not
>> working! :-S :-<
> I decided to use 802.1x/MAB without PortSecurity (Static MAC addresses)
>
>> NOTE:
>> If our configuration is similar.... what do you think about sharing the
>> information and configuration files between us?
> Definitely, we can exchange the configs,
>
> Regards...
>
> --ali

_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
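The three triggers Fabrice describes (port-security SNMP trap, mac-auth RADIUS request, 802.1x RADIUS request) all end in the same registration check, and it is the SNMP write after portal registration that moves the port to its final VLAN, which is the step Matteo reports as not working. The model below is an added example, not PacketFence's own code: an in-memory switch and a minimal decision engine with constructed VLAN ids, roles, MACs and credentials. The assumption that a successful 802.1x login registers the node with the user's role (so it lands in the access VLAN, as Ali describes) is marked in the code.

```python
"""Model of the pf workflow described in the reply above.

Added example, not PacketFence code: a tiny in-memory switch plus the three
triggers the reply names (port-security SNMP trap, mac-auth RADIUS request,
802.1x RADIUS request), all ending in the same "is this device registered?"
check.  VLAN ids, roles, MACs and credentials below are constructed.
"""
from dataclasses import dataclass, field

REGISTRATION_VLAN = 2                         # assumed registration vlan id
ROLE_VLANS = {"default": 10, "staff": 20}     # assumed role -> access vlan id


@dataclass
class Switch:
    """Minimal switch: port -> current access VLAN, plus a log of SNMP writes."""
    ports: dict = field(default_factory=dict)
    snmp_writes: list = field(default_factory=list)

    def snmp_set_vlan(self, port, vlan):
        """What "pf will send an SNMP write" amounts to on the switch side."""
        self.ports[port] = vlan
        self.snmp_writes.append((port, vlan))


@dataclass
class PacketFence:
    """The decision side: registered nodes, 802.1x users, and where each MAC was seen."""
    switch: Switch
    nodes: dict = field(default_factory=dict)     # mac -> role (registered nodes only)
    users: dict = field(default_factory=dict)     # username -> (password, role); constructed
    location: dict = field(default_factory=dict)  # mac -> port, learned from the trigger

    def vlan_for(self, mac):
        """The common check: registered -> role VLAN, unregistered -> registration VLAN."""
        role = self.nodes.get(mac)
        return ROLE_VLANS[role] if role else REGISTRATION_VLAN

    def on_port_security_trap(self, port, mac):
        """Port-security mode: the trap carries port + MAC; pf pushes the VLAN over SNMP."""
        self.location[mac] = port
        vlan = self.vlan_for(mac)
        self.switch.snmp_set_vlan(port, vlan)
        return vlan

    def on_mac_auth_request(self, port, mac):
        """Mac-auth mode: same lookup, but the VLAN goes back in the RADIUS reply."""
        self.location[mac] = port
        vlan = self.vlan_for(mac)
        self.switch.ports[port] = vlan   # the switch applies the RADIUS-returned VLAN itself
        return vlan

    def on_dot1x_request(self, port, mac, username, password):
        """802.1x mode: credentials are checked first; None models an Access-Reject."""
        entry = self.users.get(username)
        if entry is None or entry[0] != password:
            return None
        # Assumption: a successful 802.1x login registers the node with the user's role,
        # so the common check below returns the role VLAN rather than the registration VLAN.
        self.nodes[mac] = entry[1]
        return self.on_mac_auth_request(port, mac)

    def register_via_portal(self, mac, role="default"):
        """Captive-portal registration, then the SNMP write that moves the device's port."""
        self.nodes[mac] = role
        vlan = self.vlan_for(mac)
        self.switch.snmp_set_vlan(self.location[mac], vlan)
        return vlan


def walk_through():
    """Port-security flow end to end: VLAN before and after registration, plus the SNMP writes."""
    sw = Switch()
    pf = PacketFence(sw, users={"alice": ("s3cret", "staff")})
    mac = "00:11:22:33:44:55"                          # constructed MAC
    before = pf.on_port_security_trap("Fa0/33", mac)   # unregistered -> registration VLAN
    after = pf.register_via_portal(mac, "default")     # portal registration -> role VLAN
    return before, after, sw.snmp_writes


if __name__ == "__main__":
    print(walk_through())
```

Running `walk_through()` shows the two SNMP writes on the same port (registration VLAN, then the role VLAN); if the second write never reaches the switch, the device stays in the registration VLAN after registering, which is the symptom to look for in the SNMP write community and the pf switch configuration.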
