Hi Laurent, it looks like a cache issue, let's do a pfcmd configreload hard and retry.
For the registration you will be able to use the device registration portal (Configuration -> captive portal -> device registration), enable it and restart packetfence and you should be able to reach this portal on https://ip_mgmt/device-registration

Regards
Fabrice

On 2015-03-26 12:43, Laurent Bourqui wrote:
> Dear Fabrice,
>
> Many thanks for your very quick answer. Seems to be easy... I have tried the configuration but I'm facing the following problems (or challenges):
>
> 1. The switch keeps replying in the radius answer that the switch is not in production, even if the switch is configured as "Production", below the information got from the configuration file switch.conf and a dump of the radius request:
>
> [10.52.15.28]
> RoleMap=N
> AccessListMap=N
> description=ICH-E-A-SW-028
> type=Brocade
> VoIPEnabled=N
> radiusSecret=radius1234
> defaultVlan=-1
> labor-devicesVlan=110
> macDetectionVlan=-1
> isolationVlan=-1
> registrationVlan=-1
> voiceVlan=-1
> inlineVlan=-1
> mode=production
> #SNMPVersion = 3
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> #SNMPVersionTrap = 3
> #SNMPUserNameTrap = readUser
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
>
> 17:31:57.267890 IP (tos 0x0, ttl 61, id 7465, offset 0, flags [none], proto UDP (17), length 145)
>     10.52.15.28.cplscrambler-in > 172.22.20.24.radius: [udp sum ok] RADIUS, length: 117
>         Access Request (1), id: 0x6c, Authenticator: 1408c56424ed432d223e36e83b439168
>           Username Attribute (1), length: 14, Value: 001ae8598517
>             0x0000:  3030 3161 6538 3539 3835 3137
>           Password Attribute (2), length: 18, Value:
>             0x0000:  0ee2 0327 a85b acda 0ed3 622a f568 2974
>           Service Type Attribute (6), length: 6, Value: Framed
>             0x0000:  0000 0002
>           Framed MTU Attribute (12), length: 6, Value: 1500
>             0x0000:  0000 05dc
>           NAS IP Address Attribute (4), length: 6, Value: 10.52.15.28
>             0x0000:  0a34 0f1c
>           NAS Port Type Attribute (61), length: 6, Value: Ethernet
>             0x0000:  0000 000f
>           NAS Port Attribute (5), length: 6, Value: 5
>             0x0000:  0000 0005
>           NAS ID Attribute (32), length: 16, Value: ICH-E-A-SW-028
>             0x0000:  4943 482d 452d 412d 5357 2d30 3238
>           Calling Station Attribute (31), length: 19, Value: 00-1A-E8-59-85-17
>             0x0000:  3030 2d31 412d 4538 2d35 392d 3835 2d31
>             0x0010:  37
> 17:31:59.267162 IP (tos 0x0, ttl 64, id 1543, offset 0, flags [none], proto UDP (17), length 103)
>     172.22.20.24.radius > 10.52.15.28.cplscrambler-in: [bad udp cksum 68d8!] RADIUS, length: 75
>         Access Accept (2), id: 0x6c, Authenticator: 359e6c58bb50e6115642443615ad70f2
>           Reply Attribute (18), length: 55, Value: Switch is not in production, so we allow this request
>             0x0000:  5377 6974 6368 2069 7320 6e6f 7420 696e
>             0x0010:  2070 726f 6475 6374 696f 6e2c 2073 6f20
>             0x0020:  7765 2061 6c6c 6f77 2074 6869 7320 7265
>             0x0030:  7175 6573 74
>
> 2. For the "registration" of the MAC addresses. Does this need to be over the admin interface or would it be possible to do it via a self service portal (I would suppose the registration interface). If yes, I'm facing the problem that because the registration VLAN is kind of a dummy VLAN which is not reachable, I cannot reach the registration interface over the management VLAN. Is there a solution to that?
>
> Many thanks for your help.
>
> Best regards
> Laurent
>
>
>> Date: Thu, 26 Mar 2015 09:15:33 -0400
>> From: Durand fabrice <[email protected]>
>> Subject: Re: [PacketFence-users] Functionality question regarding MAC authentication and VLAN assignment
>> To: [email protected]
>> Message-ID: <[email protected]>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> Hello Laurent,
>>
>> yes it's possible to have this setup in packetfence.
>> But when you configure packetfence by the configurator you must create a reg and isol interface (these will never be used)
>>
>> So the next steps are:
>> - create all the roles you need (Staff, Student, VIP ...)
>> - add the switch in packetfence (ip, radius secret, ...) and assign the correct vlan id to each role (role by vlan id only) and assign -1 for reg and isol role (it will reject connection for unknown devices).
>>
>> Then create all the nodes (mac address) in packetfence and assign them a role, and reg them.
>>
>> That's all.
>>
>> Regards
>> Fabrice
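
Added example, not part of the original thread and not PacketFence code: the Access-Accept in the capture quoted above carries a Reply-Message saying the switch is not in production and the request is allowed, so unknown MACs are accepted instead of rejected. The sketch below parses a RADIUS datagram (RFC 2865 layout) and flags that reply; the function names are this example's own, and the sample packet is rebuilt from the values shown in the tcpdump output.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS code for Access-Accept
REPLY_MESSAGE = 18     # attribute type shown as "Reply Attribute (18)" in the capture
FAIL_OPEN_MARKER = b"Switch is not in production"

def parse_radius(data: bytes):
    """Return (code, identifier, [(attr_type, value), ...]) for one datagram."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20            # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute overruns the packet")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, attrs

def is_fail_open_accept(data: bytes) -> bool:
    """True when an Access-Accept carries the 'not in production' reply text."""
    code, _, attrs = parse_radius(data)
    return code == ACCESS_ACCEPT and any(
        t == REPLY_MESSAGE and FAIL_OPEN_MARKER in v for t, v in attrs)

def build_sample_accept() -> bytes:
    """Rebuild the Access-Accept (id 0x6c, length 75) from the thread's capture."""
    msg = b"Switch is not in production, so we allow this request"
    attr = bytes([REPLY_MESSAGE, len(msg) + 2]) + msg
    auth = bytes.fromhex("359e6c58bb50e6115642443615ad70f2")
    return struct.pack("!BBH", ACCESS_ACCEPT, 0x6C, 20 + len(attr)) + auth + attr

if __name__ == "__main__":
    pkt = build_sample_accept()
    print(len(pkt), is_fail_open_accept(pkt))
```

The response authenticator is not verified here, since that needs the shared secret; the check only inspects the cleartext attributes.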
