Hello Fabrice,

Here is the ifconfig:

[root@vmvnnetsec01 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:AC:04:02
          inet addr:10.126.122.27  Bcast:10.126.122.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feac:402/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1864289 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129495 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:430291834 (410.3 MiB)  TX bytes:37555587 (35.8 MiB)

eth0.210  Link encap:Ethernet  HWaddr 00:50:56:AC:04:02
          inet addr:10.126.210.1  Bcast:10.126.210.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feac:402/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:816 (816.0 b)

eth0.220  Link encap:Ethernet  HWaddr 00:50:56:AC:04:02
          inet addr:10.126.220.1  Bcast:10.126.220.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feac:402/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:746 (746.0 b)

eth0.230  Link encap:Ethernet  HWaddr 00:50:56:AC:04:02
          inet addr:10.126.230.1  Bcast:10.126.230.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feac:402/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:746 (746.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:93562 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93562 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:57933638 (55.2 MiB)  TX bytes:57933638 (55.2 MiB)

Best regards,

On 28 March 2015 at 17:32, Fabrice Durand <[email protected]> wrote:

> Hi Minh,
> Can you paste the result of:
> ifconfig
>
> Regards
> Fabrice
>
> On 28 March 2015 05:51:52 GMT-04:00, Minh Trung <[email protected]> wrote:
>
>> Hello Fabrice,
>>
>> I already created Vlan210 and 220 manually on both the L2 and L3 switches but I
>> am not able to get an IP address from PF's DHCP.
>>
>> Here are the logs:
>>
>> Radius.log:
>>
>> Sat Mar 28 16:25:22 2015 : Auth: Login OK: [2c27d7c3c008] (from client 10.126.123.10 port 50001 cli 2C-27-D7-C3-C0-08)
>> Sat Mar 28 16:25:22 2015 : Auth: rlm_perl: Returning vlan 210 to request from 2c:27:d7:c3:c0:08 port 50001
>> Sat Mar 28 16:25:23 2015 : Error: [sql] Couldn't insert SQL accounting START record - PROCEDURE pf.acct_start does not exist
>>
>> Packetfence log:
>>
>> Mar 28 16:25:22 httpd.aaa(2132) INFO: [2c:27:d7:c3:c0:08] handling radius autz request: from switch_ip => (10.126.123.10), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [2c:27:d7:c3:c0:08], port => 10001, username => "2c27d7c3c008" (pf::radius::authorize)
>> Mar 28 16:25:22 httpd.aaa(2132) INFO: Could not find any IP phones through discovery protocols for ifIndex 10001 (pf::Switch::getPhonesDPAtIfIndex)
>> Mar 28 16:25:22 httpd.aaa(2132) INFO: [2c:27:d7:c3:c0:08] is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
>> Mar 28 16:25:22 httpd.aaa(2132) INFO: [2c:27:d7:c3:c0:08] (10.126.123.10) Returning ACCEPT with VLAN 210 and role (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
>> Mar 28 16:25:23 httpd.aaa(2132) INFO: Update of the locationlog based on accounting data is not supported on network device type pf::Switch::Cisco::Catalyst_2960. (pf::Switch::supportsRoamingAccounting)
>>
>> DHCP log:
>>
>> [root@vmvnnetsec01 logs]# ps -edf|grep dhcp
>> root      1975  1562  0 16:33 pts/0    00:00:00 grep dhcp
>> root      2128     1  0 Mar21 ?        00:00:00 /usr/sbin/dhcpd -lf /usr/local/pf/var/dhcpd/dhcpd.leases -cf /usr/local/pf/var/conf/dhcpd.conf -pf /usr/local/pf/var/run/dhcpd.pid eth0.210 eth0.220
>> root      2220     1  0 Mar21 ?        00:00:00 pfdhcplistener_eth0.210
>> root      2226     1  0 Mar21 ?        00:00:00 pfdhcplistener_eth0.220
>> root      2232     1  0 Mar21 ?        00:00:00 pfdhcplistener_eth0
>>
>> I also attached the L2 switch config.
>>
>> Any help is very very appreciated,
>>
>> Best regards,
>>
>>
>> On 27 March 2015 at 23:25, Durand fabrice <[email protected]> wrote:
>>
>>>  Hi Minh,
>>>
>>> Keep things simple for now and keep the reg and isol VLANs at layer 2 so you
>>> don't need an IP helper.
>>> You already created a reg (210) and isol (220) vlan, so these 2 vlans must
>>> be available on the LAN switches and core switches.
>>>
>>> Your goal now is to be able to get an ip address when your device is on
>>> the reg vlan, so let's configure a static switch port on vlan 210,
>>> plug in the device and check if you get an ip (provided by the packetfence dhcp
>>> server).
>>>
>>> On the pf side let's do a:
>>> ps -edf|grep dhcp
>>>
>>> You will see the dhcpd process running on the reg and isol interfaces, so
>>> it means that the dhcp server is running.
>>> Don't forget to check packetfence.log and pfdhcplistener.log and check
>>> if the mac address of the device appears.
>>>
>>> Then if you are able to hit the portal the next step is to add the switches
>>> in the pf config and configure the switches to be managed by pf.
>>>
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>>
>>>
>>>
>>> On 2015-03-27 11:34, Trung minh wrote:
>>>
>>> Hello Fabrice,
>>>
>>> With the network diagram in my first post, do I need to create the reg and
>>> iso VLANs or other VLANs on the LAN switches and core switches?
>>> In which case should I use an IP helper to point to pf?
>>>
>>> Best regards,
>>>
>>> -----Original Message-----
>>> From: "Durand fabrice" <[email protected]>
>>>
>>> Sent: 3/26/2015 10:37 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: [PacketFence-users] Apply to Vlan
>>>
>>> Hi Minh,
>>>
>>> If you already created reg and isol interfaces then the dhcp will be
>>> enabled by default.
>>> Just plug a device on vlan 210 to see if you get an ip address from pf
>>> and if you are able to hit the portal.
>>>
>>> FYI, new versions of OpenVAS are not supported yet in pf (we are currently
>>> working on it).
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>>
>>> On 2015-03-26 10:46, Minh Trung wrote:
>>>
>>> Hello Fabrice,
>>>
>>> It seems to be working fine after I used (mysql -u root -p pf -v <
>>> /usr/local/pf/db/upgrade-4.6.0-4.7.0.sql). But I think I installed PF from
>>> fresh so it included the package.
>>> So, what are the next steps I have to do to supply DHCP to users on Vlan
>>> 210 and 220?
>>> How do I scan clients with OpenVAS (I installed OpenVAS already)?
>>> Any guide on the steps to make a network perfect with PF support is very much
>>> appreciated,
>>>
>>> Best regards,
>>>
>>> On 23 March 2015 at 09:17, Durand fabrice <[email protected]> wrote:
>>>
>>>  Hi Minh,
>>>
>>> you have to update the schema because you have already updated packetfence,
>>> so follow:
>>> https://github.com/inverse-inc/packetfence/blob/stable/UPGRADE.asciidoc#upgrading-from-a-version-prior-to-470
>>> (mysql -u root -p pf -v < /usr/local/pf/db/upgrade-4.6.0-4.7.0.sql)
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> On 2015-03-22 21:34, Minh Trung wrote:
>>>
>>> Hello Fabrice,
>>>
>>> Here is the log from when I tried to upgrade:
>>>
>>> [root@vmvnnetsec01 ~]# yum update packetfence --enablerepo=packetfence
>>> Loaded plugins: fastestmirror, security
>>> Setting up Update Process
>>> Loading mirror speeds from cached hostfile
>>>  * atomic: mir01.syntis.net
>>>  * base: mirrors.fibo.vn
>>>  * epel: ftp.cuhk.edu.hk
>>>  * extras: mirrors.fibo.vn
>>>  * rpmforge: mirrors.neterra.net
>>>  * updates: mirrors.fibo.vn
>>> No Packages marked for Update
>>>
>>> Any recommendation is appreciated,
>>>
>>> Regards,
>>>
>>>
>>> On 22 March 2015 at 02:12, Durand fabrice <[email protected]> wrote:
>>>
>>>
>>>   Hi Minh,
>>>
>>> you are not trying to update the schema but to create a new one.
>>>
>>> Just follow these steps:
>>> https://github.com/inverse-inc/packetfence/blob/stable/UPGRADE.asciidoc
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> On 2015-03-20 21:59, Minh Trung wrote:
>>>
>>> Hello Fabrice,
>>>
>>> I tried but still the same error.
>>> Here is the log from upgrading the mysql schema:
>>>
>>> [root@vmvnnetsec01 pf]# mysql -u root -p pf -v < db/pf-schema-4.7.0.sql
>>> Enter password:
>>> --------------
>>> CREATE TABLE class (
>>>   vid int(11) NOT NULL,
>>>   description varchar(255) NOT NULL default "none",
>>>   auto_enable char(1) NOT NULL default "Y",
>>>   max_enables int(11) NOT NULL default 0,
>>>   grace_period int(11) NOT NULL,
>>>   window varchar(255) NOT NULL default 0,
>>>   vclose int(11),
>>>   priority int(11) NOT NULL,
>>>   template varchar(255),
>>>   max_enable_url varchar(255),
>>>   redirect_url varchar(255),
>>>   button_text varchar(255),
>>>   enabled char(1) NOT NULL default "N",
>>>   vlan varchar(255),
>>>   target_category varchar(255),
>>>   delay_by int(11) NOT NULL default 0,
>>>   PRIMARY KEY (vid)
>>> ) ENGINE=InnoDB
>>> --------------
>>>
>>> ERROR 1050 (42S01) at line 5: Table 'class' already exists
>>>
>>> - My PF is a fresh install of version 4.7.0 on CentOS 6.6.
>>>
>>> Please take a look at the switch config that I attached; did I misconfigure
>>> something there?
>>>
>>> Any help is appreciated,
>>>
>>> Regards,
>>>
>>>
>>>
>>> On 20 March 2015 at 17:17, Fabrice Durand <[email protected]> wrote:
>>>
>>>
>>>  Hello Minh,
>>> You have to update the mysql schema.
>>> Take a look at the upgrade file.
>>>
>>> Regards
>>> Fabrice
>>>
>>> On 20 March 2015 05:21:00 GMT-04:00, Minh Trung <[email protected]> wrote:
>>>
>>>  Hello Fabrice,
>>>
>>> I did as you recommended, but an error appeared and I don't know how to
>>> resolve it.
>>> These are some related errors that I see in radius.log and
>>> packetfence.log.
>>>
>>> #packetfence.log:
>>>
>>> Mar 20 15:53:45 httpd.aaa(6337) INFO: [2c:27:d7:c3:c0:08] handling radius autz request: from switch_ip => (10.126.123.10), connection_type => WIRED_MAC_AUTH,switch_mac => (Unknown), mac => [2c:27:d7:c3:c0:08], port => 10001, username => "2c27d7c3c008" (pf::radius::authorize)
>>> Mar 20 15:53:45 httpd.aaa(6337) WARN: database query failed with: Unknown column 'machine_account' in 'field list' (errno: 1054), will try again (pf::db::db_query_execute)
>>> Mar 20 15:53:45 httpd.aaa(6337) WARN: database query failed with: Unknown column 'machine_account' in 'field list' (errno: 1054), will try again (pf::db::db_query_execute)
>>> Mar 20 15:53:45 httpd.aaa(6337) WARN: database query failed with: Unknown column 'machine_account' in 'field list' (errno: 1054), will try again (pf::db::db_query_execute)
>>> Mar 20 15:53:45 httpd.aaa(6337) ERROR: Database issue: We tried 3 times to serve query node_attributes_with_fingerprint_sql called from pf::node::node_attributes_with_fingerprint and we failed. Is the database running? (pf::db::db_query_execute)
>>> Mar 20 15:53:45 httpd.aaa(6337) ERROR: radius authorize failed with error: Can't use string ("0") as a HASH ref while "strict refs" in use at /usr/local/pf/lib/pf/Switch.pm line 1562. (pf::api::radius_authorize)
>>>
>>> #radius.log:
>>>
>>> Fri Mar 20 15:53:45 2015 : Auth: Login OK: [2c27d7c3c008] (from client 10.126.123.10 port 50001 cli 2C-27-D7-C3-C0-08)
>>> Fri Mar 20 15:53:45 2015 : Error: rlm_perl: No or invalid reply in RPC communication with server. Check server side logs for details.
>>>
>>> Here is the switch.conf:
>>>
>>> #
>>> # Copyright (C) 2005-2015 Inverse inc.
>>> #
>>> # See the enclosed file COPYING for license information (GPL).
>>> # If you did not receive this file, see
>>> # http://www.fsf.org/licensing/licenses/gpl.html
>>>
>>> [default]
>>> description=Switches Default Values
>>> vlans=1,2,3,4,5
>>> normalVlan=1
>>> registrationVlan=2
>>> isolationVlan=3
>>> macDetectionVlan=4
>>> voiceVlan=5
>>> inlineVlan=6
>>> inlineTrigger=
>>> normalRole=normal
>>> registrationRole=registration
>>> isolationRole=isolation
>>> macDetectionRole=macDetection
>>> voiceRole=voice
>>> inlineRole=inline
>>> VoIPEnabled=no
>>> VlanMap=Y
>>> RoleMap=Y
>>> mode=testing
>>> macSearchesMaxNb=30
>>> macSearchesSleepInterval=2
>>> uplink=dynamic
>>>
>>> ## Command Line Interface
>>> ## cliTransport could be: Telnet, SSH or Serial
>>> cliTransport=Telnet
>>> cliUser=
>>> cliPwd=
>>> cliEnablePwd=
>>>
>>> ## SNMP section
>>> ## PacketFence -> Switch
>>> SNMPVersion=1
>>> SNMPCommunityRead=public
>>> SNMPCommunityWrite=private
>>> #SNMPEngineID = 0000000000000
>>> #SNMPUserNameRead = readUser
>>> #SNMPAuthProtocolRead = MD5
>>> #SNMPAuthPasswordRead = authpwdread
>>> #SNMPPrivProtocolRead = DES
>>> #SNMPPrivPasswordRead = privpwdread
>>> #SNMPUserNameWrite = writeUser
>>> #SNMPAuthProtocolWrite = MD5
>>> #SNMPAuthPasswordWrite = authpwdwrite
>>> #SNMPPrivProtocolWrite = DES
>>> #SNMPPrivPasswordWrite = privpwdwrite
>>> # Switch -> PacketFence
>>> SNMPVersionTrap=1
>>> SNMPCommunityTrap=public
>>> #SNMPAuthProtocolTrap = MD5
>>> #SNMPAuthPasswordTrap = authpwdread
>>> #SNMPPrivProtocolTrap = DES
>>> #SNMPPrivPasswordTrap = privpwdread
>>>
>>> ## Web Services Interface
>>> ## wsTransport could be: http or https
>>> wsTransport=http
>>> wsUser=
>>> wsPwd=
>>>
>>> ## RADIUS NAS Client config
>>> ## RADIUS shared secret with switch
>>> radiusSecret=
>>>
>>> [10.126.123.10]
>>> RoleMap=N
>>> mode=production
>>> SNMPCommunityRead=kvp
>>> guestVlan=230
>>> SNMPCommunityWrite=kvpa
>>> cliUser=minh
>>> defaultVlan=123
>>> AccessListMap=N
>>> description=KVP_R4_OA2
>>> type=Cisco::Catalyst_2960
>>> cliPwd=xxxxx
>>> VoIPEnabled=Y
>>> isolationVlan=220
>>> radiusSecret=xxxxxx
>>> uplink_dynamic=0
>>> SNMPVersion=2c
>>> cliEnablePwd=xxxxx
>>> uplink=1001
>>> registrationVlan=210
>>> voiceVlan=124
>>>
>>> #pf.conf
>>>
>>> [general]
>>> #
>>> # general.domain
>>> #
>>> # Domain name of PacketFence system.
>>> domain=KVP.global
>>> #
>>> # general.hostname
>>> #
>>> # Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and
>>> # therefore must be resolvable by clients.
>>> hostname=vmvnnetsec01
>>> #
>>> # general.dhcpservers
>>> #
>>> # Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
>>> dhcpservers=127.0.0.1,10.126.122.11,10.126.122.12
>>> #
>>> # general.timezone
>>> #
>>> # System's timezone in string format. Supported list:
>>> # http://www.php.net/manual/en/timezones.php
>>> timezone=Asia/Ho_Chi_Minh
>>>
>>> [alerting]
>>> #
>>> # alerting.emailaddr
>>> #
>>> # Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
>>> # PacketFence-related message goes to.
>>> emailaddr=[email protected]
>>>
>>> [scan]
>>> #
>>> # scan.engine
>>> #
>>> # Which scan engine to use to perform client-side policy compliance.
>>> engine=openvas
>>>
>>> [database]
>>> #
>>> # database.pass
>>> #
>>> # Password for the mysql database used by PacketFence.
>>> pass=xxxxx
>>>
>>> [interface eth0]
>>> ip=10.126.122.27
>>> type=management
>>> mask=255.255.255.0
>>>
>>> [interface eth0.210]
>>> enforcement=vlan
>>> ip=10.126.210.1
>>> type=internal
>>> mask=255.255.255.0
>>>
>>> [interface eth0.220]
>>> enforcement=vlan
>>> ip=10.126.220.1
>>> type=internal
>>> mask=255.255.255.0
>>>
>>> If I can provide you more information to solve this issue, please let me
>>> know.
>>>
>>> Thank you and best regards,
>>>
>>> On 17 March 2015 at 08:59, Durand fabrice <[email protected]> wrote:
>>>
>>>
>>>   Hello Minh,
>>>
>>>
>>> On 2015-03-16 05:20, Minh Trung wrote:
>>>
>>> Hello Fabrice,
>>>
>>> Thank you for your quick response,
>>>
>>> My LAN Cisco 2960 switches are mostly running Version 12.2(44)SE6; is this
>>> version enough for MAB to be configured?
>>> And the core switches are 4500 models, Version 12.2(50)SG3.
>>>
>>>  2960 and 4500 support MAB but I don't have in mind which IOS version
>>> exactly supports it (google it).
>>>
>>> I did as you recommended, but after configuring RADIUS on the switch I
>>> can not log in to the switch again; it asks for a Username, which I don't know
>>> :( .
>>>
>>>  You probably changed:
>>> aaa authentication login default local
>>>
>>> How do I use AD accounts to authenticate all users on Vlan123? (I own DNS, AD,
>>> DHCP on Windows Server.)
>>>
>>>  You have 2 options:
>>>
>>> use mac-authentication and hit the portal to authenticate (create an AD
>>> authentication source in packetfence)
>>>
>>> use 802.1x authentication (you must join the windows domain) and
>>> autoregister 802.1x users
>>>
>>> In both cases create a portal profile and include the AD source you
>>> created.
>>>
>>> I also want to create a Vlan for guests with the name Guest but I can not change
>>> the type in the web UI. This Vlan is used only for guests when they come to work and
>>> don't have an account in our AD. Which method, conditions and rules are better,
>>> and which do I have to look at?
>>>
>>>  Register by email or by SMS is the better choice I think.
>>>
>>> I hope you can explain Radius, using AD to authenticate, to me in more detail.
>>>
>>>  Have a look here, it explains how to configure freeradius to
>>> authenticate against AD:
>>> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Administration_Guide.asciidoc#option-2-authentication-against-active-directory-ad
>>>
>>>
>>>  Any help is appreciated,
>>>
>>> Best regard,
>>>
>>> On 14 March 2015 at 20:49, Durand fabrice <[email protected]> wrote:
>>>
>>>
>>>   Hello Minh,
>>>
>>> your packetfence config looks ok, now the next step is to configure your cisco
>>> switch, so let's check the documentation:
>>> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#cisco
>>>
>>> If your cisco switch supports MAB then use it and let's configure only one
>>> port for the test.
>>>
>>> On the packetfence side add a new switch, select Voip enabled, configure
>>> the roles (registration: 210, isolation: 220, voip: 124, default: 123),
>>> radius secret, snmp v2c and set the community read and write. (btw enable
>>> snmp on the cisco switch too).
>>>
>>> So now if you plug a device in the test switch port a radius request will
>>> go to the packetfence server (radius server 10.126.122.27) and pf will answer
>>> with the registration vlan (210).
>>> You will hit the portal (you can create a portal profile based on a
>>> filter like switch ip) and register on an authentication source, and pf will
>>> return the vlan id based on the role the authentication source sets based on
>>> the rules.
>>>
>>> For the ip phone, if you plug it in the switch port then packetfence will try to
>>> know if it's an ip phone by doing an snmp read on the cdp/lldp mib and if
>>> the flag is on then packetfence will answer with a specific radius attribute to
>>> tell the switch to use the voip vlan configured on the switch port (switch
>>> port voice vlan 124).
>>>
>>> For printers you can create a violation based on the dhcp fingerprint, like
>>> if packetfence detects that it's a printer then register the device and set
>>> the role to printer (of course add a new category and assign the correct
>>> vlan id to the role in the switch config).
>>>
>>> For the wifi it's the same workflow (it depends on your AP) but if it
>>> supports Mac auth then follow the configuration and create a portal profile
>>> with ssid filter = your ssid and add the sponsor source.
>>>
>>> Btw you will probably have to add an Active Directory auth source and set a
>>> rule that will set a role as default, an access duration of 1W and add a
>>> Mark as Sponsor (for wifi sponsor).
>>>
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> On 2015-03-14 05:23, Minh Trung wrote:
>>>
>>> Hello experts,
>>>
>>> I am a newbie.
>>>
>>> My network is as in the attached file and I think I should use PF as Vlan
>>> enforcement.
>>>
>>> My infrastructure already has:
>>>
>>> Vlan122: Servers (including PF server, pf is vmware)
>>> Vlan123: Office Users (PCs, Desktops, IP Phone, Printer)
>>> Vlan124: Telephone
>>> Vlan125: Firewall
>>> Vlan126: Access Door
>>> .........
>>>
>>> I already own DNS, DHCP on Windows Server
>>> Vlan123 will get DHCP via Windows Server 2008
>>> Now I want PF to apply only to Vlan123; how do I do that, and which method should
>>> I use to authenticate all Users, IP phones, Printers (this Vlan is used
>>> wired)?
>>> I also plan to use wifi in case visitors come to work; which authentication
>>> method should I use in this case?
>>>
>>> On the PF server I already created 2 Vlans, Registration and Isolation.
>>>
>>> These are the config files that PF generated:
>>>
>>> #pf.conf:
>>> [interface eth0]
>>> ip=10.126.122.27 --> my PF server's IP address
>>> type=management
>>> mask=255.255.255.0
>>> [interface eth0.210]
>>> enforcement=vlan
>>> ip=10.126.210.1
>>> type=internal
>>> mask=255.255.255.0
>>> [interface eth0.220]
>>> enforcement=vlan
>>> ip=10.126.220.1
>>> type=internal
>>> mask=255.255
>>>
>>> [The entire original message is not included.]
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
>>> by Intel and developed in partnership with Slashdot Media, is your hub for all
>>> things parallel software development, from weekly thought leadership blogs to
>>> news, videos, case studies, tutorials and more. Take a look and join the
>>> conversation now. http://goparallel.sourceforge.net/
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>>
>>>
>>>
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
>
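Two things drive most of the back-and-forth in this thread: whether the reg/isol VLAN numbers a switch hands out in switches.conf actually have matching internal interfaces in pf.conf (no interface means no DHCP lease from PacketFence's dhcpd and no portal), and whether the database errors in packetfence.log, radius.log and the mysql output are symptoms of a schema that was not upgraded. The script below is an added example, not PacketFence's own code and not anything posted by the participants; the INI excerpts and log lines are constructed to mirror the values quoted in the thread, and every function name is this example's own.

```python
"""Added example, not PacketFence code: two checks for the symptoms in this thread."""
import configparser
import re

# Constructed pf.conf excerpt: management interface plus the reg/isol VLAN interfaces.
PF_CONF = """\
[interface eth0]
ip=10.126.122.27
type=management
[interface eth0.210]
enforcement=vlan
ip=10.126.210.1
type=internal
[interface eth0.220]
enforcement=vlan
ip=10.126.220.1
type=internal
"""

# Constructed switches.conf excerpt: [default] supplies fallbacks for each switch section.
SWITCHES_CONF = """\
[default]
registrationVlan=2
isolationVlan=3
[10.126.123.10]
type=Cisco::Catalyst_2960
registrationVlan=210
isolationVlan=220
"""

# Constructed log lines in the formats quoted in the thread (packetfence.log, radius.log, mysql).
SAMPLE_LOG = [
    "Mar 20 15:53:45 httpd.aaa(6337) WARN: database query failed with: Unknown column "
    "'machine_account' in 'field list' (errno: 1054), will try again (pf::db::db_query_execute)",
    "Sat Mar 28 16:25:23 2015 : Error: [sql] Couldn't insert SQL accounting START record "
    "- PROCEDURE pf.acct_start does not exist",
    "ERROR 1050 (42S01) at line 5: Table 'class' already exists",
]

def parse_ini(text):
    """Parse PacketFence-style INI text, preserving key case (keys are camelCase)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def internal_vlan_interfaces(pf_conf):
    """Return {vlan_id: interface} for every internal interface doing VLAN enforcement."""
    found = {}
    for section in pf_conf.sections():
        m = re.fullmatch(r"interface (\S+?)\.(\d+)", section)
        if not m:
            continue  # management interface or some other section
        opts = pf_conf[section]
        if opts.get("type") == "internal" and opts.get("enforcement") == "vlan":
            found[int(m.group(2))] = f"{m.group(1)}.{m.group(2)}"
    return found

def switch_role_vlans(switches_conf, switch_id):
    """Resolve a switch's registration/isolation VLANs, falling back to [default]."""
    defaults = switches_conf["default"] if switches_conf.has_section("default") else {}
    opts = switches_conf[switch_id]
    vlans = {}
    for role in ("registrationVlan", "isolationVlan"):
        value = opts.get(role, defaults.get(role))
        vlans[role] = int(value) if value is not None else None
    return vlans

def check_switch_vlans(pf_conf, switches_conf, switch_id):
    """List VLANs the switch may park a node in that PacketFence has no interface on;
    such a node gets no lease from PacketFence's dhcpd and never reaches the portal."""
    interfaces = internal_vlan_interfaces(pf_conf)
    problems = []
    for role, vlan in switch_role_vlans(switches_conf, switch_id).items():
        if vlan is None:
            problems.append(f"{switch_id}: {role} is not set")
        elif vlan not in interfaces:
            problems.append(f"{switch_id}: {role}={vlan} has no internal VLAN interface in pf.conf")
    return problems

# Database error signatures and the schema problem each one indicates.
SCHEMA_PATTERNS = [
    (re.compile(r"Unknown column '([^']+)'"),
     "column {0} missing: schema is older than the installed code, run the upgrade SQL"),
    (re.compile(r"PROCEDURE (\S+) does not exist"),
     "stored procedure {0} missing: schema is older than the installed code, run the upgrade SQL"),
    (re.compile(r"Table '([^']+)' already exists"),
     "table {0} exists: the full schema was applied to a populated database, use the upgrade script"),
]

def schema_hints(lines):
    """Return one diagnostic per log line that shows a schema/code mismatch."""
    hints = []
    for line in lines:
        for pattern, message in SCHEMA_PATTERNS:
            if m := pattern.search(line):
                hints.append(message.format(m.group(1)))
                break
    return hints
```

To run it against a live server, feed `parse_ini()` the contents of the real pf.conf and switches.conf (under /usr/local/pf/conf/ on a standard install; treat that path as an assumption for your own layout) and `schema_hints()` a `tail` of packetfence.log and radius.log. The VLAN check deliberately resolves the per-switch section through `[default]`, because a switch section that omits registrationVlan silently inherits the default value of 2, which is exactly the kind of mismatch that leaves a client without a lease while every daemon still looks healthy in `ps`.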
