Hello Fabrice!

=> The port where I'm connecting my PF:
Fa0/1 : switchport trunk native vlan 1

=> my ifconfig output!:
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:D5:45
          inet adr:192.168.0.1  Bcast:192.168.0.255  Masque:255.255.255.0
          adr inet6: fe80::20c:29ff:fe3a:d545/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:658 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          RX bytes:33344466 (31.7 MiB)  TX bytes:36889 (36.0 KiB)

eth0.2    Link encap:Ethernet  HWaddr 00:0C:29:3A:D5:45
          inet adr:192.168.2.1  Bcast:192.168.2.255  Masque:255.255.255.0
          adr inet6: fe80::20c:29ff:fe3a:d545/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 b)  TX bytes:636 (636.0 b)

eth0.3    Link encap:Ethernet  HWaddr 00:0C:29:3A:D5:45
          inet adr:192.168.3.1  Bcast:192.168.3.255  Masque:255.255.255.0
          adr inet6: fe80::20c:29ff:fe3a:d545/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:0 (0.0 b)  TX bytes:636 (636.0 b)

=> and tcpdump doesn't show anything.... and I can't ping from my switch
to eth0.2
(using VMware (bridged mode) and tried in VirtualBox too)!


Regards!

On Tue, Jun 16, 2015 at 4:16 PM, Abdelghafour Rakhma <
[email protected]> wrote:

> Hello Again!
> in PF 5.1.0 when I plug a device in the switch where I've configured MAB
> and 802.1X MAC auth! the port is set on VLAN 2 (registration) but nothing
> happens after!
> like if the eth0.2 isn't listening or I don't know! no DHCP request is
> answered
>
> I've tried to set the port to VLAN 2 manually and set a static IP address
> to the device in the, but it's stuck there, no captive portal no nothing...
>
> I'll attach the log files and the switch port config! hoping for a quick
> answer!
> And thanks in advance.
> Best regards
>
> pfdhcplistener.log:
>
> Jun 16 09:32:26 pfdhcplistener(3553) INFO: pfdhcplistener_eth0.2 starting
> and writing 3556 to /usr/local/pf/var/run/pfdhcplistener_eth0.2.pid
> (pf::services::util::createpid)
> Jun 16 09:32:26 pfdhcplistener(3553) INFO: DHCP detector on eth0.2 enabled
> (main::)
> Jun 16 09:32:27 pfdhcplistener(3560) INFO: pfdhcplistener_eth0.3 starting
> and writing 3563 to /usr/local/pf/var/run/pfdhcplistener_eth0.3.pid
> (pf::services::util::createpid)
> Jun 16 09:32:27 pfdhcplistener(3560) INFO: DHCP detector on eth0.3 enabled
> (main::)
> Jun 16 09:32:29 pfdhcplistener(3566) INFO: pfdhcplistener_eth0 starting
> and writing 3569 to /usr/local/pf/var/run/pfdhcplistener_eth0.pid
> (pf::services::util::createpid)
> Jun 16 09:32:29 pfdhcplistener(3566) WARN: Unable to open VLAN proc
> description for eth0: Aucun fichier ou dossier de ce type
> (pf::util::get_vlan_from_int)
> Jun 16 09:32:29 pfdhcplistener(3566) INFO: DHCP detector on eth0 enabled
> (main::)
> ===========================================================================
> packetfence.log:
> Jun 16 09:38:15 httpd.aaa(3479) INFO: [00:25:64:ab:a0:ac] handling radius
> autz request: from switch_ip => (192.168.0.254), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (f4:7f:35:2d:55:0e), mac =>
> [00:25:64:ab:a0:ac], port => 10014, username => "002564aba0ac"
> (pf::radius::authorize)
> Jun 16 09:38:15 httpd.aaa(3479) INFO: [00:25:64:ab:a0:ac] is of status
> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Jun 16 09:38:15 httpd.aaa(3479) WARN: Role-based Network Access Control is
> not supported on network device type pf::Switch::Cisco::Catalyst_2960.
>  (pf::Switch::supportsRoleBasedEnforcement)
> Jun 16 09:38:15 httpd.aaa(3479) INFO: [00:25:64:ab:a0:ac] (192.168.0.254)
> Returning ACCEPT with VLAN 2 and role
>  (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
> Jun 16 09:41:23 httpd.aaa(3479) INFO: [00:25:64:ab:a0:ac] handling radius
> autz request: from switch_ip => (192.168.0.254), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (f4:7f:35:2d:55:0e), mac =>
> [00:25:64:ab:a0:ac], port => 10014, username => "002564aba0ac"
> (pf::radius::authorize)
> Jun 16 09:41:23 httpd.aaa(3479) INFO: [00:25:64:ab:a0:ac] is of status
> unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Jun 16 09:41:23 httpd.aaa(3479) WARN: Role-based Network Access Control is
> not supported on network device type pf::Switch::Cisco::Catalyst_2960.
>  (pf::Switch::supportsRoleBasedEnforcement)
> @
>
> ============================================================================
> /pf/var/conf/dhcpd.conf :
>
> omapi-port 7911;
> key pf_omapi_key {
>         algorithm HMAC-MD5;
>         secret "Zop2OvYAwVao7hTz+kBx/w==";
> };
> omapi-key pf_omapi_key;
>
>
>
>
> subnet 192.168.3.0 netmask 255.255.255.0 {
>   option routers 192.168.3.1;
>   option subnet-mask 255.255.255.0;
>   option domain-name "vlan-isolation.fssm.local";
>   option domain-name-servers 192.168.3.1;
>   range 192.168.3.100 192.168.3.200;
>   default-lease-time 30;
>   max-lease-time 30;
> }
> subnet 192.168.2.0 netmask 255.255.255.0 {
>   option routers 192.168.2.1;
>   option subnet-mask 255.255.255.0;
>   option domain-name "vlan-registration.fssm.local";
>   option domain-name-servers 192.168.2.1;
>   range 192.168.2.100 192.168.2.200;
>   default-lease-time 30;
>   max-lease-time 30;
> }
>
> ============================================================================
> networks.conf:
>
> [192.168.2.0]
> dns=192.168.2.1
> dhcp_start=192.168.2.100
> gateway=192.168.2.1
> domain-name=vlan-registration.fssm.local
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.2.200
> type=vlan-registration
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [192.168.3.0]
> dns=192.168.3.1
> dhcp_start=192.168.3.100
> gateway=192.168.3.1
> domain-name=vlan-isolation.fssm.local
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.3.200
> type=vlan-isolation
> netmask=255.255.255.0
> dhcp_default_lease_time=30
> ========================================================================
> My Cisco 2960 configuration:
>
> interface FastEthernet0/1
>  switchport mode trunk
>
> !
> !
> interface FastEthernet0/12
> !
> interface FastEthernet0/13
>  description NAC_controlled
>  switchport mode access
>  switchport port-security maximum 2
>  switchport port-security maximum 1 vlan access
>  switchport port-security
>  authentication order mab dot1x
>  authentication priority mab dot1x
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 10800
>  mab
>  mls qos trust cos
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>  spanning-tree portfast
>  spanning-tree bpdufilter enable
>  spanning-tree bpduguard enable
>  spanning-tree guard loop
> !
>
>
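The symptom in this thread is visible in the counters quoted above: eth0 has received 41164 frames, while the 802.1Q sub-interfaces eth0.2 and eth0.3 have received 0, so no frame tagged VLAN 2 or VLAN 3 has reached the host at all (the pfdhcplistener on eth0.2 has nothing to answer). The script below is an added example, not part of the thread or of PacketFence: it parses an ifconfig dump and a networks.conf, then reports sub-interfaces that see zero RX while their parent sees traffic, and network sections whose gateway is not bound to any interface. The sample inputs are constructed from the output quoted in the thread, abridged, plus a made-up [192.168.4.0] section to exercise the gateway check.

```python
import re
from typing import Dict, List

# Constructed sample: the poster's French-locale ifconfig output, abridged.
IFCONFIG_SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:D5:45
          inet adr:192.168.0.1  Bcast:192.168.0.255  Masque:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:658 errors:0 dropped:0 overruns:0 carrier:0

eth0.2    Link encap:Ethernet  HWaddr 00:0C:29:3A:D5:45
          inet adr:192.168.2.1  Bcast:192.168.2.255  Masque:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0

eth0.3    Link encap:Ethernet  HWaddr 00:0C:29:3A:D5:45
          inet adr:192.168.3.1  Bcast:192.168.3.255  Masque:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
"""

# Constructed sample: the two sections from the thread plus an invented
# [192.168.4.0] section whose gateway is bound to no interface.
NETWORKS_SAMPLE = """\
[192.168.2.0]
gateway=192.168.2.1
type=vlan-registration
netmask=255.255.255.0

[192.168.3.0]
gateway=192.168.3.1
type=vlan-isolation
netmask=255.255.255.0

[192.168.4.0]
gateway=192.168.4.1
type=vlan-registration
netmask=255.255.255.0
"""


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Return {iface: {"ip", "rx", "tx"}} from old-style ifconfig output.
    Accepts both the English 'inet addr:' and the French 'inet adr:' label."""
    ifaces: Dict[str, dict] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        head = re.match(r"(\S+)\s+Link encap", block)
        if not head:
            continue
        ip = re.search(r"inet (?:addr|adr):(\d+\.\d+\.\d+\.\d+)", block)
        rx = re.search(r"RX packets:(\d+)", block)
        tx = re.search(r"TX packets:(\d+)", block)
        ifaces[head.group(1)] = {
            "ip": ip.group(1) if ip else None,
            "rx": int(rx.group(1)) if rx else 0,
            "tx": int(tx.group(1)) if tx else 0,
        }
    return ifaces


def parse_networks_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser for PacketFence's networks.conf: {section: {key: value}}."""
    nets: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            nets[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            nets[current][key.strip()] = value.strip()
    return nets


def diagnose(ifaces: Dict[str, dict], nets: Dict[str, Dict[str, str]]) -> List[str]:
    """Cross-check interfaces against networks.conf and flag silent VLAN sub-interfaces."""
    findings: List[str] = []
    addr_to_iface = {st["ip"]: name for name, st in ifaces.items() if st["ip"]}
    # Every network's gateway must be an address the host actually holds,
    # otherwise dhcpd/named for that network have nothing to bind to.
    for net, cfg in nets.items():
        gw = cfg.get("gateway")
        if gw not in addr_to_iface:
            findings.append(f"{net}: gateway {gw} is not configured on any interface")
    # A VLAN sub-interface with zero RX while its parent receives traffic means
    # no frame tagged with that VLAN id has been delivered to the host.
    for name, st in ifaces.items():
        if "." not in name:
            continue
        parent, vid = name.rsplit(".", 1)
        pst = ifaces.get(parent)
        if pst and pst["rx"] > 0 and st["rx"] == 0:
            findings.append(
                f"{name}: 0 frames received while {parent} received {pst['rx']}; "
                f"no 802.1Q frame tagged VLAN {vid} has reached the host"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ifconfig(IFCONFIG_SAMPLE), parse_networks_conf(NETWORKS_SAMPLE)):
        print(finding)
```

Run against a live box with `ifconfig -a` and the real networks.conf; a sub-interface flagged here narrows the fault to the path between the switch trunk and the kernel's 802.1Q module (trunk allowed-VLAN list, or a hypervisor bridge that strips tags), not to PacketFence itself.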
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users