On my PF 3.6 setup with wired Cisco switch ports, I do not believe
that PF puts the bogus MAC address back onto the port once a client
disconnects.  If the same client that was connected powers on again,
the port is already set.  If a new client is connected, the MAC
address doesn't match and it sends a trap to PF.  At least this is
the way it appears to be working for me?

We all know that MAC address security is not foolproof, so my $0.02
(rounded down to zero in Canada?) is that you shouldn't be using MAB
on your network if you are worried about someone booting up Slackware
and probing a port to find a MAC address to spoof...

-Arthur

-------------------------------------------------------------------------
Arthur Emerson III                 Email:      [email protected]
Network Administrator              InterNIC:   AE81
Mount Saint Mary College           MaBell:     (845) 561-0800 Ext. 3109
330 Powell Ave.                    Fax:        (845) 562-6762
Newburgh, NY  12550                SneakerNet: Aquinas Hall Room 11


From: Rosario Ippolito <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, March 3, 2015 at 3:56 AM
To: "[email protected]" <[email protected]>
Subject: [PacketFence-users] Port-Security and Violations Bug

Hello all,
I'm sorry to write again about this problem, but I think it is relevant.

I have configured PacketFence (ver 4.6) with Port-Security on a Cisco Catalyst
3560G switch, and when I plug in a device it works fine, that is, sending SNMP
traps and setting the correct VLAN after authentication. When I disconnect the
device, the switch port is set with the bogus MAC address, but the VLAN on the
switch port is not modified. It would be more accurate if the switch port were
set to the registration VLAN or the MAC address detection VLAN, isn't it?

Because with a Slackware OS, which is silent, if I connect the device to the
port and sniff traffic, I see the CDP packets and I discover the switch port
where I am connected. So, I know that PacketFence uses the bogus MAC, then I
look at the Guide, I read the bogus MAC and I set it on my Slackware device. The
MAC address is secure by configuration, so I'm in the VLAN that was set before,
receiving an IP address by DHCP, or simply sniffing traffic in that VLAN.

When I do this, I notice that in the "Location" section of the node in Nodes
(from the web interface) there is nothing! That is, PacketFence can't see that
there is a node connected that is doing traffic, so even if I try to configure a
violation by MAC address in violations.conf, and the violation is detected,
nothing is done!

Here is some output from the log files:

###########################

packetfence.log

(The moment at which I disconnected the device and the registration or MAC
address detection VLAN is not set)

Feb 26 18:24:34 pfsetvlan(5) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 192.168.1.9 (main::do_port_security)
Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx (new entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108 (main::do_port_security)
Feb 26 18:24:34 pfsetvlan(8) INFO: secureMacAddrViolation trap already in the queue for 192.168.1.9 ifIndex 10113. Won't add another one (main::signalHandlerTrapListQueued)


##############################

violation.log

2015-03-02 18:57:32: MAC bogus OUI (1100022) detected on node 02:00:00:01:01:07 (0)
2015-03-02 18:57:32: MAC bogus gi0/7 (1100023) detected on node 02:00:00:01:01:07 (0)

##############################

And this is my violations.conf

[1100022]
desc=MAC bogus OUI
template=banned_devices
trigger=VENDORMAC::131072
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
max_enable=0

[1100023]
desc=MAC bogus gi0/7
template=banned_devices
trigger=MAC::2199023321351
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student

I also attach a picture of the configuration of the switch port after the
device disconnects (gi0/11).


Sorry again for my poor English.

Can anyone help me with this issue?
Thanks in advance for any help.

Kind Regards,
Rosario Ippolito
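Added example, not from this thread or from the PacketFence project: a small Python script showing how the two trigger values in the violations.conf above relate to the bogus MAC addresses in the logs, and which of the two violations would match a given MAC. It assumes, purely from the values in the post, that a MAC:: trigger is the 48-bit MAC as a decimal integer (02:00:00:01:01:07 = 2199023321351) and a VENDORMAC:: trigger is the 24-bit OUI as a decimal integer (02:00:00 = 131072); the conf stanzas and the pfsetvlan log line are copied from the post, and the matching logic is the example's own, not PacketFence's internals.

```python
import re
from configparser import ConfigParser

# The two stanzas from the violations.conf quoted in the post.
VIOLATIONS_CONF = """\
[1100022]
desc=MAC bogus OUI
template=banned_devices
trigger=VENDORMAC::131072
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
max_enable=0

[1100023]
desc=MAC bogus gi0/7
template=banned_devices
trigger=MAC::2199023321351
actions=trap,log,role
enabled=Y
auto_enable=N
target_category=Student
"""

# The pfsetvlan de-authorization line from the post, re-joined onto one line
# (the "xx:" MAC is the poster's own masking of the real client MAC).
SAMPLE_LOG = [
    "Feb 26 18:24:34 pfsetvlan(5) INFO: de-authorizing xx:xx:xx:xx:xx:xx "
    "(new entry 02:00:00:01:01:08) at old location 192.168.1.9 ifIndex 10108 "
    "(main::do_port_security)",
]


def mac_to_int(mac):
    """Parse a MAC written with ':', '-' or '.' separators into its 48-bit integer."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return int(digits, 16)


def mac_trigger(mac):
    """Exact-MAC trigger. Assumption: the MAC:: value is the MAC as a decimal integer."""
    return "MAC::%d" % mac_to_int(mac)


def vendormac_trigger(mac):
    """OUI trigger. Assumption: the VENDORMAC:: value is the top 24 bits as a decimal integer."""
    return "VENDORMAC::%d" % (mac_to_int(mac) >> 24)


def parse_violations(conf_text):
    """Return {violation_id: {"desc", "enabled", "triggers": [(kind, int), ...]}}."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    out = {}
    for vid in cp.sections():
        triggers = []
        for item in cp.get(vid, "trigger", fallback="").split(","):
            kind, sep, value = item.strip().partition("::")
            if sep:
                triggers.append((kind.upper(), int(value)))
        out[vid] = {
            "desc": cp.get(vid, "desc", fallback=""),
            "enabled": cp.get(vid, "enabled", fallback="N").upper() == "Y",
            "triggers": triggers,
        }
    return out


def violations_for(mac, violations):
    """IDs of enabled violations whose MAC:: or VENDORMAC:: trigger matches `mac`."""
    value = mac_to_int(mac)
    hits = []
    for vid, v in violations.items():
        if not v["enabled"]:
            continue
        if any((kind == "MAC" and n == value) or (kind == "VENDORMAC" and n == value >> 24)
               for kind, n in v["triggers"]):
            hits.append(vid)
    return sorted(hits)


DEAUTH_RE = re.compile(
    r"de-authorizing \S+ \(new entry (?P<bogus>[0-9a-f:]{17})\) "
    r"at old location (?P<switch>\S+) ifIndex (?P<ifindex>\d+)")


def bogus_entries_from_log(lines):
    """(switch, ifIndex, bogus MAC) for every port-security de-authorization line."""
    found = []
    for line in lines:
        m = DEAUTH_RE.search(line)
        if m:
            found.append((m.group("switch"), int(m.group("ifindex")), m.group("bogus")))
    return found


if __name__ == "__main__":
    violations = parse_violations(VIOLATIONS_CONF)
    print(mac_trigger("02:00:00:01:01:07"), vendormac_trigger("02:00:00:01:01:07"))
    for switch, ifindex, bogus in bogus_entries_from_log(SAMPLE_LOG):
        # The bogus MAC left on ifIndex 10108 is not the gi0/7 one, so only the
        # OUI-wide violation 1100022 would match it.
        print(switch, ifindex, bogus, "->", violations_for(bogus, violations))
```

Running it shows why the post's per-port MAC:: trigger only covers one port's bogus address, while the VENDORMAC:: trigger on the 02:00:00 OUI matches every bogus entry PacketFence writes; it also confirms that the decimal trigger values in the post decode to exactly the addresses seen in violation.log.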
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users