Hello Minh,

On 2015-03-16 05:20, Minh Trung wrote:
Hello Fabrice,

Thank you for your quick response,

My LAN Cisco 2960 switches are almost all using Version 12.2(44)SE6; is this
version enough for MAB to be configured?
And the core switches are 4500 model, Version 12.2(50)SG3.
2960 and 4500 support MAB, but I don't have in mind which IOS version exactly supports it (google it).
I did as you recommended, but after configuring RADIUS on the switch I
cannot log in to the switch again; it asks for a Username, which I don't know
:( .
you probably changed:
aaa authentication login default local
How do I use AD accounts to authenticate all users on Vlan123? (I own DNS, AD and
DHCP on Windows server.)
You have 2 options:

use MAC authentication and hit the portal to authenticate (create an AD authentication source in PacketFence)

use 802.1x authentication (you must join the Windows domain) and autoregister 802.1x users

In both cases create a portal profile and include the AD source you created.

I also want to create a Vlan for guests named Guest but cannot change the
type in the web UI. This Vlan is used only for guests when they come to work and
don't have an account in our AD. Which is the better method, and which conditions and rules
do I have to look at?
Registering by email or by SMS is the better choice, I think.

I hope you can explain RADIUS, and using AD to authenticate, to me in more
detail.
Have a look here, it explains how to configure FreeRADIUS to authenticate against AD:
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#option-2-authentication-against-active-directory-ad

Any help is appreciated,

Best regards,
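An added example, not taken from this thread or from the PacketFence project, of the Cisco IOS switch configuration Fabrice's advice implies: RADIUS (the PacketFence server 10.126.122.27) is used only for 802.1X/MAB on the access port and for the VLAN the server returns, while login authentication stays local so a RADIUS change cannot lock you out of the switch. It assumes the `authentication`/`mab` command set of IOS 12.2(50)SE and later (older 2960 images use `dot1x mac-auth-bypass` instead), a single test port GigabitEthernet0/1, and placeholder values for the RADIUS secret and SNMP communities.

```cisco
! Management access stays local: a RADIUS outage or a mistyped AAA line
! cannot lock you out (the "asked Username" symptom comes from changing this).
aaa new-model
aaa authentication login default local
!
! RADIUS is used only for port authentication (802.1X / MAB) and for the
! VLAN assignment PacketFence returns in its Access-Accept.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! PacketFence as RADIUS server; <RADIUS_SECRET> is a placeholder, use the
! secret entered in the PacketFence switch definition.
radius-server host 10.126.122.27 auth-port 1812 acct-port 1813 key <RADIUS_SECRET>
radius-server vsa send authentication
dot1x system-auth-control
!
! SNMP so PacketFence can read the CDP/LLDP MIB for IP phone detection
! (placeholder communities; match the read/write community set in PacketFence).
snmp-server community <RO_COMMUNITY> RO
snmp-server community <RW_COMMUNITY> RW
!
! The single test port: data VLAN 123 and voice VLAN 124 as on the page.
! MAB is tried first, 802.1X when the client speaks it; PacketFence may
! override the data VLAN with 210 (registration), 220 (isolation) or 123.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 123
 switchport voice vlan 124
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

After plugging the test device in, `show authentication sessions interface GigabitEthernet0/1` shows the method that succeeded and the VLAN assigned, which is the quickest way to confirm the RADIUS exchange with PacketFence worked.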

On 14 March 2015 at 20:49, Durand fabrice <[email protected]> wrote:

Hello Minh,

Your packetfence config looks ok; now the next step is to configure your Cisco
switch, so let's check the documentation:

https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#cisco

If your Cisco switch supports MAB then use it, and let's configure only one
port for the test.

On the packetfence side add a new switch, select VoIP enabled, configure
the roles (registration: 210, isolation: 220, voip: 124, default: 123),
radius secret, SNMP v2c, and set the read and write community. (btw enable
SNMP on the Cisco switch too).

So now if you plug a device into the test switch port, a radius request will
go to the packetfence server (radius server 10.126.122.27) and pf will answer
with the registration vlan (210).
You will hit the portal (you can create a portal profile based on a
filter like switch IP) and register on an authentication source, and pf will
return the vlan id based on the role that the authentication source set according to
its rules.

For an IP phone, if you plug it into the switch port then packetfence will try to
find out if it's an IP phone by doing an SNMP read on the CDP/LLDP MIB, and if
the flag is on then packetfence will answer with a specific radius attribute to
tell the switch to use the voice vlan configured on the switch port (switchport
voice vlan 124).

For printers you can create a violation based on the DHCP fingerprint, e.g.
if packetfence detects that it's a printer then register the device and set
the role to printer (of course add a new category and assign the correct
vlan id to the role in the switch config).

For the wifi it's the same workflow (it depends on your AP), but if it
supports MAC auth then follow the configuration and create a portal profile
with ssid filter = your ssid and add the sponsor source.

Btw you will probably have to add an Active Directory auth source and set a
rule that will set a role as default, an access duration of 1W, and add a
Mark as Sponsor (for wifi sponsor).


Regards
Fabrice


On 2015-03-14 05:23, Minh Trung wrote:

Hello experts,

I am a newbie.

My network is as in the attached file, and I suggest I should use PF for Vlan
enforcement.

My infrastructure already has:

Vlan122: Servers (including PF server, pf is vmware)
Vlan123: Office Users (PCs, Desktops, IP Phone, Printer)
Vlan124: Telephone
Vlan125: Firewall
Vlan126: Access Door
.........

I already own DNS and DHCP on Windows server.
Vlan123 will get DHCP via Windows Server 2008.
Now I want PF to apply only to Vlan123; how do I do that, and which method
should I use to authenticate all Users, IP phones and Printers (this Vlan is
wired)?
I also plan to use wifi in case visitors come to work; which authentication
method should I use in this case?

On the PF server I already created 2 Vlans, Registration and Isolation.

These are the config files that PF generated:

#pf.conf:

[interface eth0]
ip=10.126.122.27        --> my PF server's IP address
type=management
mask=255.255.255.0

[interface eth0.210]
enforcement=vlan
ip=10.126.210.1
type=internal
mask=255.255.255.0

[interface eth0.220]
enforcement=vlan
ip=10.126.220.1
type=internal
mask=255.255.255.0

And network.conf:

[10.126.210.0]
dns=10.126.210.1
dhcp_start=10.126.210.10
gateway=10.126.210.1
domain-name=vlan-registration.global
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.126.210.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[10.126.220.0]
dns=10.126.220.1
dhcp_start=10.126.220.10
gateway=10.126.220.1
domain-name=vlan-isolation.global
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=10.126.220.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

What are the next steps I should take to apply PF to Vlan123 while there are many
devices in this vlan?
What should the configuration of my Cisco switches look like?
I am still very confused here.
I hope someone can make it clear to me.
Any help is very much appreciated,

Best regards,




------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/



_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
