Gentlemen,
Please do not cc the packetfence-devel or packetfence-announce lists on user 
support questions.

Those lists are reserved for issues related to development and release 
announcements.

Regards,
--
Louis Munro
[email protected]  ::  www.inverse.ca 
+1.514.447.4918 *125  :: +1 (866) 353-6153 
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

On 2014-08-11, at 12:42 , Bryand Eduardo Sánchez Palacios <[email protected]> 
wrote:

> Hi Juan, 
> 
> Thank you for your quick reply, 
> 
> We have tried several deauthentication methods on the web config page 
> (RADIUS, SSH, SNMP), without getting any successful result. However, the port 
> authentication is successful, because the switch automatically allocates this 
> in the registration VLAN.
> 
> Here is one print screen, about that.
> 
>  <packetfence_deathetincation_method.jpg> 
> 
> 
> Best regards.
> 
> 
> 
> 
> Bryand Eduardo Sánchez Palacios. 
> MCP, CCNA, SCSA
>  Mobile: +57 300 666 37 33
> Bogotá, Colombia.
>  
> 
> 
> 
> Date: Fri, 8 Aug 2014 15:23:24 -0500
> From: [email protected]
> To: [email protected]
> CC: [email protected]; 
> [email protected]
> Subject: Re: [PacketFence-devel] ref. Problems with PF m Port is not flapping 
> automatically between VLANS.
> 
> Hi Bryand,
> 
> I think that the root cause of your problem is based on the way that you are 
> doing the deauthentication method. What I see is that you are using SNMP; 
> however, if I'm not wrong, the best method to do this is with RADIUS CoA. 
> You should see in the Network configuration Devices how to configure the 
> switch in order to send the authentication and deauth through RADIUS. I hope 
> that if I'm wrong the guys at Inverse can correct what I'm saying.
> 
> I hope that this can give you a starting point.
> 
> Best regards
> 
> 
> On Fri, Aug 8, 2014 at 11:24 AM, Bryand <[email protected]> wrote:
> 
> Hi, good morning everyone,
> 
> We have a requirement in the company for NAC access, to apply to users in 
> order to get control over the connections to the resources that they 
> currently have.
> We already set up our PacketFence server with Ubuntu Server 12.04 LTS, and 
> it is partially working with the authentication and 802.1 Protocol for VLAN 
> assignment on the switch. We also have the following infrastructure:
> - One server with all VLANs trunked to it, connected to a Dell Force10 S50 
>   switch.
> - One laptop (on the client side) connected to Gi 1/7.
> - DHCP service is running on the switch, per VLAN.
> - VLANs created on the switch are: 800 Production with Internet access, 
>   910 Registration, 911 Isolation and 913 MAC Detection.
> - The subnetworks for each VLAN are: 910 (192.168.210.0/24), 911 
>   (192.168.211.0/24), 913 (192.168.213.0/24).
> After all configuration, we are experiencing the following issue:
> When we connect the laptop to a port configured with 802.1X, the switch 
> allocates it to VLAN 910 (Registration), and the captive portal appears 
> in the browser, then we can authenticate the user. However, in the switch 
> log, the port doesn't flip to the production VLAN (800) automatically until 
> we reconnect the port to the switch or execute the shut / no shutdown port 
> command.
> Also, the laptop which is on the production VLAN can work without any 
> problem.
> 
> To try to solve this problem, we thought that it could be a sentence in the 
> vlan.pm, according to the PF logs, or the modules that are used for our 
> switches (these are some Dell Force10 S50), but we can't see the light at 
> the end of the tunnel right now. Jeje
> 
> We would greatly appreciate your comments or opinions about this issue in 
> order to try to solve the problem.
>  
> Thank you.
> Sincerely 
> 
> 
> PF Logs:
> 
> root@packetfence:~# tail -f /usr/local/pf/logs/packetfence.log
> Aug 06 09:57:41 pfsetvlan(18) INFO: reAssignVlan trap received on 
> 192.168.212.3 ifindex 1007 which is not ethernetCsmacd 
> (pf::vlan::doWeActOnThisTrap)
> Aug 06 09:57:41 pfsetvlan(18) INFO: doWeActOnThisTrap returns false. Stop 
> reAssignVlan handling (main::handleTrap)
> Aug 06 09:57:41 pfsetvlan(18) INFO: finished (main::cleanupAfterThread)
> Aug 06 10:16:57 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 
> 192.168.212.3 (main::parseTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: nb of items in queue: 1; nb of threads 
> running: 0 (main::startTrapHandlers)
> Aug 06 10:16:57 pfsetvlan(20) ERROR: Argument "noSuchInstance" isn't numeric 
> in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139.
>  (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: reAssignVlan trap received on 
> 192.168.212.3 ifindex 1007 which is not ethernetCsmacd 
> (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: doWeActOnThisTrap returns false. Stop 
> reAssignVlan handling (main::handleTrap)
> Aug 06 10:16:57 pfsetvlan(20) INFO: finished (main::cleanupAfterThread)
> Aug 06 10:17:45 httpd.portal(12119) INFO: mac : 00:0c:29:61:62:fe 
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Aug 06 10:17:45 httpd.portal(12119) INFO: Updating node 00:0c:29:61:62:fe 
> user_agent with useragent: 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0) 
> Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0' 
> (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> Aug 06 10:17:45 httpd.portal(12119) INFO: Static User-Agent lookup data 
> initialized (pf::useragent::_init)
> Aug 06 10:17:45 httpd.portal(12119) INFO: 00:0c:29:61:62:fe redirected to 
> default 
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Aug 06 10:17:45 httpd.portal(12119) INFO: 00:0c:29:61:62:fe redirected to 
> authentication page 
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Aug 06 10:18:56 httpd.portal(12128) INFO: mac : 00:0c:29:61:62:fe 
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Aug 06 10:18:56 httpd.portal(12128) INFO: Authentication successful for 
> bsanchez in source local (SQL) (pf::authentication::authenticate)
> Aug 06 10:18:56 httpd.portal(12128) INFO: person bsanchez modified to 
> bsanchez (pf::person::person_modify)
> Aug 06 10:18:56 httpd.portal(12128) INFO: re-evaluating access for node 
> 00:0c:29:61:62:fe (manage_register called) 
> (pf::enforcement::reevaluate_access)
> Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for 00:0c:29:61:62:fe 
> is 192.168.212.3 ifIndex 1007 connection type: Wired MAC Auth 
> (pf::enforcement::_vlan_reevaluation)
> Aug 06 10:18:59 pfsetvlan(22) INFO: local (127.0.0.1) trap for switch 
> 192.168.212.3 (main::parseTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads 
> running: 0 (main::startTrapHandlers)
> Aug 06 10:18:59 pfsetvlan(1) ERROR: Argument "noSuchInstance" isn't numeric 
> in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139.
>  (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: reAssignVlan trap received on 
> 192.168.212.3 ifindex 1007 which is not ethernetCsmacd 
> (pf::vlan::doWeActOnThisTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop 
> reAssignVlan handling (main::handleTrap)
> Aug 06 10:18:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
> 
> 
> 
> After user authentication the user was moved to the Production VLAN, when we 
> shut/no shut the port, it doesn't flip automatically 
> 
> Aug 06 10:22:48 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450. This 
> is a problem. (pf::Switch::_getMacAtIfIndex)
> Aug 06 10:22:49 pfsetvlan(5) WARN: couldn't get MAC at ifIndex 69256450. This 
> is a problem. (pf::Switch::_getMacAtIfIndex)
> 
> 
> Switch config:
> 
> SW_RD_07#show running-config snmp
> !
> snmp-server community 
> snmp-server community testing rw
> snmp-server enable traps bgp
> snmp-server enable traps snmp authentication coldstart linkdown linkup
> snmp-server enable traps vrrp
> snmp-server enable traps stp
> snmp-server enable traps ecfm
> snmp-server enable traps xstp
> snmp-server enable traps envmon fan supply temperature
> snmp-server enable traps eoam
> snmp-server host 192.168.212.1 traps version 2c testing udp-port 162
> 
> SW_RD_07#show running-config interface gigabitethernet 1/7
> !
> interface GigabitEthernet 1/7
>  no ip address
>  switchport
>  dot1x authentication
>  dot1x mac-auth-bypass
>  dot1x auth-type mab-only
>  no shutdown
> SW_RD_07#
> 
> SW_RD_07#show running-config radius
> !
> radius-server host 192.168.212.1 key 7 a56fd6b9b796eb74 auth-port 1812
> SW_RD_07#
> 
> 
> _______________________________________________
> PacketFence-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-devel
> 
> 
> 
> 
> -- 
> 
> “Choose a job you love, and you will never have to work a day in your life”
> 

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
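
Added example, not part of the original thread and not PacketFence code: a Python check over `packetfence.log` that pairs each portal re-evaluation ("switch port for ... ifIndex ...") with a later `reAssignVlan` trap that `doWeActOnThisTrap` discarded on the same switch port, which is the sequence visible in the quoted log. The regular expressions are assumptions based only on the line shapes shown above.

```python
import re

# The second "switch port for" line is constructed (a node whose trap is not
# dropped); the other lines come from the log quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Aug 06 09:57:41 pfsetvlan(18) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for 00:0c:29:61:62:fe is 192.168.212.3 ifIndex 1007 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 06 10:18:56 httpd.portal(12128) INFO: switch port for 00:00:5e:00:53:01 is 192.168.212.3 ifIndex 1008 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 06 10:18:59 pfsetvlan(1) ERROR: Argument "noSuchInstance" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 139. (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: reAssignVlan trap received on 192.168.212.3 ifindex 1007 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 06 10:18:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
"""

LINE = re.compile(r"^(\w{3} \d{2} [\d:]{8}) (\S+?)\((\d+)\) (\w+): (.*)$")
PORT = re.compile(r"switch port for ([0-9a-f:]{17}) is (\S+) ifIndex (\d+)")
DROP = re.compile(r"reAssignVlan trap received on (\S+) ifindex (\d+) "
                  r"which is not ethernetCsmacd")

def dropped_reassignments(log_text):
    """Return re-evaluated nodes whose reAssignVlan trap was discarded."""
    pending = {}         # (switch_ip, ifindex) -> MAC waiting for a VLAN change
    snmp_failed = set()  # pfsetvlan thread ids that logged noSuchInstance
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, daemon, tid, level, msg = m.groups()
        port = PORT.search(msg)
        if port:
            mac, ip, ifindex = port.groups()
            pending[(ip, ifindex)] = mac
        elif daemon == "pfsetvlan" and level == "ERROR" and "noSuchInstance" in msg:
            snmp_failed.add(tid)
        else:
            drop = DROP.search(msg)
            if drop:
                failed = tid in snmp_failed
                snmp_failed.discard(tid)
                mac = pending.pop(drop.groups(), None)
                if mac:  # ignore dropped traps with no re-evaluation before them
                    findings.append({"time": ts, "mac": mac,
                                     "switch": drop.group(1), "ifindex": drop.group(2),
                                     "iftype_lookup_failed": failed})
    return findings

if __name__ == "__main__":
    for f in dropped_reassignments(SAMPLE_LOG):
        print(f)
```

A finding with `iftype_lookup_failed` set means the node registered but the switch answered the interface-type query with `noSuchInstance`, so the port stayed in its previous VLAN until it was bounced.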
