Hello everybody,
I have encountered a little problem with the VLAN settings. I have
configured port-security and SNMP v2 (on a Cisco 3560G switch), following the
Network Device Configuration Guide and the Administration Guide. When I
connect a device to a switch port, an SNMP trap is sent to PacketFence, and
after authentication in the captive portal, a regular VLAN is set on the
switch port. Then, if I disconnect the device, the switch port remains in
the VLAN that was set, even if the bogus MAC is set, and doesn't
return to the Registration VLAN (or MAC Detection VLAN). I have configured
SNMP as the deauthentication method in the switch.conf file; this does not
seem to work. This is strange, because a computer can connect to the switch port,
set the bogus MAC address as its MAC address, be in a regular VLAN and
bypass the captive portal and authentication, thus bypassing PacketFence (I
have tested this in the lab).

The problem is that the VLAN on the switch port doesn't come back to the
registration VLAN (or MAC Detection VLAN) after a computer disconnects its
Ethernet cable.
In the

This is the output from packetfence.log:

Feb 26 18:20:36 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:20:36 pfsetvlan(1) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10108 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:20:37 pfsetvlan(1) INFO: node xx:xx:xx:xx:xx:xxdoes not yet exist
in PF database. Adding it now (main::node_update_PF)
Feb 26 18:20:37 pfsetvlan(1) INFO: [xx:xx:xx:xx:xx:xx] is of status unreg;
belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Feb 26 18:20:37 pfsetvlan(1) INFO: authorizing xx:xx:xx:xx:xx:xx(old entry
02:00:00:01:01:08) at new location 192.168.1.9 ifIndex 10108
(main::handleTrap)
Feb 26 18:20:37 pfsetvlan(1) INFO: setting VLAN at 192.168.1.9 ifIndex
10108 from 4 to 2 (pf::Switch::setVlan)
Feb 26 18:20:37 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Feb 26 18:20:37 pfsetvlan(8) INFO: secureMacAddrViolation trap already in
the queue for 192.168.1.9 ifIndex 10108. Won't add another one
(main::signalHandlerTrapListQueued)
Feb 26 18:20:37 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:20:37 pfsetvlan(3) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10108 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:20:38 pfsetvlan(3) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:20:38 pfsetvlan(3) INFO: MAC xx:xx:xx:xx:xx:xx is already
authorized on 192.168.1.9 ifIndex 10108. Stopping secureMacAddrViolation
trap handling here (main::handleTrap)
Feb 26 18:20:38 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Feb 26 18:20:41 httpd.webservices(6264) INFO: oldmac (00:00:00:00:00:00)
and newmac (xx:xx:xx:xx:xx:xx) are different for 192.168.2.18 - closing
iplog entry (pf::api::update_iplog)
Feb 26 18:20:58 httpd.portal(6490) INFO: [xx:xx:xx:xx:xx:xx] Updating node
user_agent with useragent: 'Mozilla/5.0 (Windows NT 6.3; WOW64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36'
(captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
Feb 26 18:20:59 httpd.portal(6490) INFO: Static User-Agent lookup data
initialized (pf::useragent::_init)
Feb 26 18:20:59 httpd.portal(6490) INFO: [xx:xx:xx:xx:xx:xx] redirected to
default
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Feb 26 18:20:59 httpd.portal(6490) INFO: [xx:xx:xx:xx:xx:xx] redirected to
authentication page
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Feb 26 18:21:13 httpd.portal(7472) INFO: Authentication successful for
fabius in source packetfence (RADIUS) (pf::authentication::authenticate)
Feb 26 18:21:13 httpd.portal(7472) INFO: Matched rule (Student) in source
packetfence, returning actions. (pf::Authentication::Source::match)
Feb 26 18:21:13 httpd.portal(7472) INFO: Matched rule (Student) in source
packetfence, returning actions. (pf::Authentication::Source::match)
Feb 26 18:21:14 httpd.portal(7472) INFO: person fabius modified to fabius
(pf::person::person_modify)
Feb 26 18:21:14 httpd.portal(7472) INFO: [xx:xx:xx:xx:xx:xx] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Feb 26 18:21:14 httpd.portal(7472) INFO: [xx:xx:xx:xx:xx:xx] switch port is
(192.168.1.9) ifIndex 10108 connection type: Wired SNMP
(pf::enforcement::_vlan_reevaluation)
Feb 26 18:21:15 httpd.webservices(6264) INFO: [xx:xx:xx:xx:xx:xx] security
traps are configured on (192.168.1.9) ifIndex 10108. Re-assigning VLAN
(pf::api::_reassignSNMPConnections)
Feb 26 18:21:15 httpd.webservices(6264) INFO: Can't find provisioner for
xx:xx:xx:xx:xx:xx(pf::vlan::getNormalVlan)
Feb 26 18:21:15 httpd.webservices(6264) INFO: [xx:xx:xx:xx:xx:xx]Username
was NOT defined or unable to match a role - returning node based role
'Student' (pf::vlan::getNormalVlan)
Feb 26 18:21:15 httpd.webservices(6264) INFO: [xx:xx:xx:xx:xx:xx]PID:
"fabius", Status: reg. Returned VLAN: 80 (pf::vlan::fetchVlanForNode)
Feb 26 18:21:15 httpd.webservices(6264) INFO: setting VLAN at 192.168.1.9
ifIndex 10108 from 2 to 80 (pf::Switch::setVlan)
Feb 26 18:21:15 httpd.webservices(6264) INFO: [xx:xx:xx:xx:xx:xx]Flipping
admin status on switch (192.168.1.9) ifIndex 10108.
 (pf::api::_reassignSNMPConnections)
Feb 26 18:22:34 httpd.webservices(6264) INFO: oldip (192.168.2.18) and
newip (192.168.80.11) are different for xx:xx:xx:xx:xx:xx- closing iplog
entry (pf::api::update_iplog)
Feb 26 18:24:33 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:24:34 pfsetvlan(5) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:24:34 pfsetvlan(5) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx(new
entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108
(main::do_port_security)
Feb 26 18:24:34 pfsetvlan(8) INFO: secureMacAddrViolation trap already in
the queue for 192.168.1.9 ifIndex 10113. Won't add another one
(main::signalHandlerTrapListQueued)
Feb 26 18:24:34 pfsetvlan(2) INFO: nb of items in queue: 1; nb of threads
running: 1 (main::startTrapHandlers)
Feb 26 18:24:35 pfsetvlan(5) INFO: authorizing xx:xx:xx:xx:xx:xx(old entry
xx:xx:xx:xx:xx:xx) at new location 192.168.1.9 ifIndex 10113
(main::handleTrap)
Feb 26 18:24:35 pfsetvlan(5) INFO: Can't find provisioner for
xx:xx:xx:xx:xx:xx(pf::vlan::getNormalVlan)
Feb 26 18:24:35 pfsetvlan(5) INFO: [xx:xx:xx:xx:xx:xx]Username was NOT
defined or unable to match a role - returning node based role 'Student'
(pf::vlan::getNormalVlan)
Feb 26 18:24:35 pfsetvlan(5) INFO: [xx:xx:xx:xx:xx:xx]PID: "fabius",
Status: reg. Returned VLAN: 80 (pf::vlan::fetchVlanForNode)
Feb 26 18:24:36 pfsetvlan(5) INFO: setting VLAN at 192.168.1.9 ifIndex
10113 from 2 to 80 (pf::Switch::setVlan)
Feb 26 18:24:36 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
Feb 26 18:24:36 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:24:36 pfsetvlan(1) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:24:36 pfsetvlan(1) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:24:36 pfsetvlan(1) INFO: MAC xx:xx:xx:xx:xx:xxis already
authorized on 192.168.1.9 ifIndex 10113. Stopping secureMacAddrViolation
trap handling here (main::handleTrap)
Feb 26 18:24:36 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Feb 26 18:24:37 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:24:37 pfsetvlan(3) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:24:37 pfsetvlan(3) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:24:37 pfsetvlan(3) INFO: MAC xx:xx:xx:xx:xx:xxis already
authorized on 192.168.1.9 ifIndex 10113. Stopping secureMacAddrViolation
trap handling here (main::handleTrap)
Feb 26 18:24:37 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Feb 26 18:24:39 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:24:39 pfsetvlan(5) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:24:39 pfsetvlan(5) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:24:39 pfsetvlan(5) INFO: MAC xx:xx:xx:xx:xx:xxis already
authorized on 192.168.1.9 ifIndex 10113. Stopping secureMacAddrViolation
trap handling here (main::handleTrap)
Feb 26 18:24:39 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
Feb 26 18:37:56 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:37:56 pfsetvlan(1) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:37:56 pfsetvlan(1) INFO: node xx:xx:xx:xx:xx:xxdoes not yet exist
in PF database. Adding it now (main::node_update_PF)
Feb 26 18:37:56 pfsetvlan(1) INFO: authorizing xx:xx:xx:xx:xx:xx(old entry
xx:xx:xx:xx:xx:xx) at new location 192.168.1.9 ifIndex 10113
(main::handleTrap)
Feb 26 18:37:56 pfsetvlan(1) INFO: [xx:xx:xx:xx:xx:xx]is of status unreg;
belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Feb 26 18:37:57 pfsetvlan(1) INFO: setting VLAN at 192.168.1.9 ifIndex
10113 from 80 to 2 (pf::Switch::setVlan)
Feb 26 18:37:57 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Feb 26 18:37:57 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:37:57 pfsetvlan(3) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:37:57 pfsetvlan(3) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:37:57 pfsetvlan(3) INFO: MAC xx:xx:xx:xx:xx:xxis already
authorized on 192.168.1.9 ifIndex 10113. Stopping secureMacAddrViolation
trap handling here (main::handleTrap)
Feb 26 18:37:57 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Feb 26 18:37:57 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Feb 26 18:37:57 pfsetvlan(4) INFO: nb of items in queue: 0; nb of threads
running: 1 (main::startTrapHandlers)
Feb 26 18:37:57 pfsetvlan(5) INFO: secureMacAddrViolation trap received on
192.168.1.9 ifIndex 10113 for xx:xx:xx:xx:xx:xx(main::handleTrap)
Feb 26 18:37:57 pfsetvlan(5) INFO: Will try to check on this node's
previous switch if secured entry needs to be removed. Old Switch IP:
192.168.1.9 (main::do_port_security)
Feb 26 18:37:57 pfsetvlan(5) INFO: MAC xx:xx:xx:xx:xx:xx is already autho

I see only this log entry related to this:

Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx (new
entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108
(main::do_port_security)

but no VLAN is set.

Thank you in advance for any help.

Kind Regards,
Rosario Ippolito
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
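A diagnostic script for the situation described in this post, added here as an example and not part of the post or of PacketFence itself: it re-joins the mail-wrapped packetfence.log records, tracks the VLAN that PacketFence sets per (switch, ifIndex) from the `pf::Switch::setVlan` lines, and reports every port whose `de-authorizing ... at old location` event was never followed by a VLAN change back into a registration or MAC-detection VLAN. The sample log is an excerpt of the lines quoted above (MACs redacted as in the post); the registration VLAN IDs 2 and 4 are read off the quoted `setting VLAN ... from 4 to 2` line and are an assumption for this lab, as is the record layout the regular expressions expect.

```python
"""Find switch ports that PacketFence de-authorized but never moved back
into a registration / MAC-detection VLAN, from a packetfence.log excerpt.

Example code written for this mailing-list thread; not PacketFence's own
tooling.  The log format matched below is the one visible in the post.
"""
import re
from datetime import datetime

# Syslog-style prefix used by packetfence.log ("Feb 26 18:24:34 ...").
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
# "setting VLAN at 192.168.1.9 ifIndex 10108 from 2 to 80 (pf::Switch::setVlan)"
SETVLAN_RE = re.compile(
    r"setting VLAN at (?P<ip>[\d.]+) ifIndex (?P<ifindex>\d+) "
    r"from (?P<old>\d+) to (?P<new>\d+)"
)
# "de-authorizing <mac>(new entry <bogus mac>) at old location <ip> ifIndex <n>"
DEAUTH_RE = re.compile(
    r"de-authorizing (?P<mac>[0-9a-fx:]+)\s*\(new entry (?P<newmac>[0-9a-f:]+)\) "
    r"at old location (?P<ip>[\d.]+) ifIndex (?P<ifindex>\d+)"
)

# Excerpt of the log quoted in the post, still wrapped by the mail client.
# The MACs are redacted ("xx:...") exactly as they were in the post.
SAMPLE_LOG = """\
Feb 26 18:20:37 pfsetvlan(1) INFO: setting VLAN at 192.168.1.9 ifIndex
10108 from 4 to 2 (pf::Switch::setVlan)
Feb 26 18:21:15 httpd.webservices(6264) INFO: setting VLAN at 192.168.1.9
ifIndex 10108 from 2 to 80 (pf::Switch::setVlan)
Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx(new
entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108
(main::do_port_security)
Feb 26 18:24:36 pfsetvlan(5) INFO: setting VLAN at 192.168.1.9 ifIndex
10113 from 2 to 80 (pf::Switch::setVlan)
Feb 26 18:37:57 pfsetvlan(1) INFO: setting VLAN at 192.168.1.9 ifIndex
10113 from 80 to 2 (pf::Switch::setVlan)
"""

# Assumption for this lab: VLAN 2 is the registration VLAN and VLAN 4 the
# MAC-detection VLAN, as suggested by the "from 4 to 2" transition above.
REGISTRATION_VLANS = (2, 4)


def unwrap(text):
    """Re-join log records that were wrapped across physical lines.

    A physical line that does not start with a timestamp is treated as a
    continuation of the previous record.
    """
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def _when(ts):
    # No year in the log; only differences between timestamps are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_stale_ports(text, registration_vlans=REGISTRATION_VLANS):
    """Return ports that were de-authorized but whose VLAN was never set
    back to a registration VLAN before the end of the log."""
    vlan = {}       # (ip, ifindex) -> VLAN last set by PacketFence
    pending = {}    # (ip, ifindex) -> (time of de-authorization, mac)
    last_seen = None
    for rec in unwrap(text):
        t = TS_RE.match(rec)
        if not t:
            continue
        last_seen = _when(t["ts"])
        m = SETVLAN_RE.search(rec)
        if m:
            port = (m["ip"], int(m["ifindex"]))
            vlan[port] = int(m["new"])
            if port in pending and vlan[port] in registration_vlans:
                del pending[port]   # the port was returned to isolation
            continue
        m = DEAUTH_RE.search(rec)
        if m:
            port = (m["ip"], int(m["ifindex"]))
            pending[port] = (last_seen, m["mac"])
    stale = []
    for (ip, ifindex), (deauth_at, mac) in sorted(pending.items()):
        stale.append({
            "ip": ip,
            "ifindex": ifindex,
            "mac": mac,
            "vlan": vlan.get((ip, ifindex)),
            "deauth_at": deauth_at.strftime("%H:%M:%S"),
            "stuck_for_seconds": int((last_seen - deauth_at).total_seconds()),
        })
    return stale


if __name__ == "__main__":
    for p in find_stale_ports(SAMPLE_LOG):
        print("{ip} ifIndex {ifindex}: de-authorized {mac} at {deauth_at}, "
              "still in VLAN {vlan} after {stuck_for_seconds}s".format(**p))
```

Run against the post's excerpt, the script reports ifIndex 10108 as still in VLAN 80 some 13 minutes after the de-authorization at 18:24:34, which is exactly the symptom described: the `de-authorizing` line is there, but no matching `setting VLAN ... to 2` ever follows for that port. Feeding it the full, unredacted log is a quick way to confirm whether the gap is systematic across ports or specific to one.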