> Apr 13 11:39:14 httpd.portal(13461) WARN: [00:24:e8:df:b5:84] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)

Most likely PF did not see the DHCP conversation between your client and the DHCP server. It is critical that PF see the DHCP request from the client. If you are in VLAN mode and you are running Cisco gear, you need to add your PF server as an IP-helper to the VLAN.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Nicolas Gailly [[email protected]]
Sent: Monday, April 13, 2015 6:01 AM
To: [email protected]
Subject: [PacketFence-users] VLAN enforcment : nothing after registration ...

Hello,

I've been trying to install PacketFence in a lab to see its functionalities (so no external authentication, only local for now). I use a Catalyst3750G switch connected to the network (& internet) on port 1 (GigabitEthernet1/0/1), and PacketFence is connected on port 24 (configured as trunk).

The thing is, when a new user connects to the switch, it is automatically redirected to the PacketFence registration page. That is good. BUT once registered, there is absolutely no change of configuration happening (the page says Sorry, your network should be enabled bla bla bla). It stays on the same VLAN (registration). It seems that PacketFence is unable to tell the switch to change the VLAN of the connected port. But the SNMP configuration seems to work, since I can see the device on the management web interface and I received the traps and everything (tcpdump told me).

One thing to note though is that the uplink network has no DHCP; addresses must be set manually. Does that change anything? I tried setting the IP configuration on the client after it had been registered; it was still unable to ping, for example (and the VLAN configuration stayed the same on the switch).

I dunno what is wrong ...

Thank you in advance

PS: I have checked all the other mails that had the same problem.
Only one said it has been resolved, but the solution doesn't work for me. The other problems were with inline configuration (vs. VLAN enforcement).

Here is my pf.conf:

[interface eth0]
ip=10.31.32.124
type=management
mask=255.255.224.0

[interface eth0.20]
enforcement=vlan
ip=10.0.2.1
type=internal
mask=255.255.255.0

[interface eth0.30]
enforcement=vlan
ip=10.0.3.1
type=internal
mask=255.255.255.0

Here is my switches.conf:

[10.31.32.122]
RoleMap=N
SNMPCommunityRead=readme
SNMPCommunityWrite=writeme
AccessListMap=N
description=Test Switch Lab
SNMPVersionTrap=2c
type=Cisco::Catalyst_3750G
VoIPEnabled=N
isolationVlan=30
SNMPVersion=2c
registrationVlan=20
mode=production
cliUser=test
deauthMethod=SNMP
cliPwd=test
cliTransport=SSH
cliEnablePwd=test
uplink_dynamic=0
uplink=1

Here is my packetfence.log (portion):

Apr 13 11:39:14 httpd.portal(13461) INFO: [00:24:e8:df:b5:84] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
Apr 13 11:39:14 httpd.portal(13461) INFO: [00:24:e8:df:b5:84] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
Apr 13 11:39:14 httpd.portal(13461) WARN: [00:24:e8:df:b5:84] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)

Here is my running config:

!
vlan internal allocation policy ascending
!
vlan 20
 name registration
!
vlan 30
 name isolation
...
interface GigabitEthernet1/0/15
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0115
!
interface GigabitEthernet1/0/16
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/17
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/18
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/19
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/20
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/21
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/22
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/23
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.31.32.122 255.255.224.0
!
interface Vlan10
 no ip address
!
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.3.1 255.255.255.0
!
ip default-gateway 10.31.32.1
ip http server
ip http secure-server
!
!
snmp-server community readme RO
snmp-server community writeme RW
snmp-server community test RW
snmp-server location testlab
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
...
snmp-server enable traps port-security
...
...
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.31.32.124 version 2c public port-security

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
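
A consistency check over the two configurations quoted in this thread, as an added example that is not part of the original messages or of PacketFence itself: for each addressed VLAN interface on the switch it reports whether PacketFence can see DHCP there (directly on-link, or through an `ip helper-address` as the reply suggests) and whether the switch and PacketFence hold the same address. The function names are hypothetical, the excerpts are abbreviated from the post, and Vlan40 is a constructed entry.

```python
import configparser
import ipaddress
import re

# Abbreviated from the thread's pf.conf / running-config; Vlan40 is constructed.
PF_CONF = """
[interface eth0]
ip=10.31.32.124
[interface eth0.20]
ip=10.0.2.1
"""
RUNNING_CONFIG = """
interface Vlan1
 ip address 10.31.32.122 255.255.224.0
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
interface Vlan40
 ip address 10.0.4.1 255.255.255.0
"""

def pf_ips(text):
    """Return the IP of every [interface X] section in pf.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [ipaddress.ip_address(cp[s]["ip"]) for s in cp.sections() if s.startswith("interface ")]

def switch_svis(text):
    """Return {name: (IPv4Interface, [helper addresses])} for addressed SVIs."""
    svis = {}
    for name, body in re.findall(r"^interface (Vlan\d+)\n((?:[ \t].*\n?)*)", text, re.M):
        if (addr := re.search(r"^\s+ip address (\S+) (\S+)", body, re.M)):
            helpers = re.findall(r"^\s+ip helper-address (\S+)", body, re.M)
            svis[name] = (ipaddress.ip_interface("/".join(addr.groups())), helpers)
    return svis

def dhcp_visibility(pf_text, ios_text):
    """Classify each SVI by how (or whether) PacketFence can see its DHCP traffic."""
    pf = pf_ips(pf_text)
    result = {}
    for name, (svi, helpers) in switch_svis(ios_text).items():
        if svi.ip in pf:
            result[name] = "duplicate-ip"        # same address on switch and PF
        elif any(ip in svi.network for ip in pf):
            result[name] = "on-link"             # PF has an address in this subnet
        elif any(ipaddress.ip_address(h) in pf for h in helpers):
            result[name] = "relayed"             # ip helper-address points at PF
        else:
            result[name] = "no-dhcp-visibility"  # routed VLAN, no relay to PF
    return result
```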
