> And you have PacketFence working with this port config?

Yip yip!

> It is different from the guidance in the Admin Guide.

This is more fitting than you may know : )

https://www.youtube.com/watch?v=6GMkuPiIZ2k

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: Rhoads, Robert W. [[email protected]]
Sent: Thursday, July 02, 2015 9:34 AM
To: [email protected]
Subject: Re: [PacketFence-users] Rogue switches

And you have PacketFence working with this port config? It is different from the guidance in the Admin Guide.

Thank you very much, I have some experimentation to do.

Respectfully,
Robert Rhoads
[email protected]

-----Original Message-----
From: Sallee, Jake [mailto:[email protected]]
Sent: Thursday, July 02, 2015 10:25 AM
To: [email protected]
Subject: Re: [PacketFence-users] Rogue switches

Here is a port config that works for us:

    interface FastEthernet0/24
     description NAC_Controlled
     switchport mode access
     switchport port-security maximum 2
     switchport port-security maximum 1 vlan access
     switchport port-security
     authentication order mab
     authentication port-control auto
     mab
     mls qos trust cos
     macro description NAC
     spanning-tree portfast
     spanning-tree bpdufilter enable
     spanning-tree bpduguard enable
     spanning-tree guard loop
    !

Some global config stuffs:

    spanning-tree mode rapid-pvst
    spanning-tree loopguard default
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause psecure-violation
    errdisable recovery interval 30

Jake Sallee

________________________________________
From: Rhoads, Robert W. [[email protected]]
Sent: Thursday, July 02, 2015 9:09 AM
To: [email protected]
Subject: Re: [PacketFence-users] Rogue switches

Well, it is interesting because I have set BPDU Guard in my test lab where I am testing PacketFence and have 802.1x and MAB going, and on a protected port I connect a cheap Dlink 10/100 switch and while it didn't appear active, when I connected a PC to the Dlink, it all seemed to work just fine, authenticated and everything. I should have mentioned that I do have autoregistration active, but I would think I can stop a rogue switch even with that on...

I would appreciate taking a look at your port config as there might be something there I'm not aware of that I am missing, you never know.

Thank you.
Robert Rhoads
[email protected]

-----Original Message-----
From: Sallee, Jake [mailto:[email protected]]
Sent: Thursday, July 02, 2015 9:47 AM
To: [email protected]
Subject: Re: [PacketFence-users] Rogue switches

BPDU guard will work with any end point, not just the ones that use STP. The way BPDU guard works is that it will shut down (errdisable) a port that is in portfast mode when a BPDU packet is seen on that port. All switches generate BPDU packets, even the cheap 5 port unmanaged off-brand types. Hubs may not generate BPDUs but switches do, all of 'em.

We make liberal use of BPDU Guard to stop students from using switches they bought at the local electronics stores and it works quite well.

I can send you a copy of our port config if you like.

Jake Sallee

________________________________
From: Rhoads, Robert W. [[email protected]]
Sent: Thursday, July 02, 2015 8:33 AM
To: [email protected]
Subject: [PacketFence-users] Rogue switches

PacketFence experts,

Is there a means or mechanism within PacketFence, when 802.1x/MAB is in use, that will prevent an access port under PF control from allowing another switch to work when connected to that port? I am aware I can use BPDU Guard on access ports to stop a switch by killing the port if it is talking Spanning-Tree, but I am more interested in stopping small, unmanaged switches that don't talk Spanning-Tree that people have a tendency to plug in without asking or getting permission. An earlier thread on this topic did not really shed that much light for me...

I appreciate any help and guidance.

Respectfully,
Robert Rhoads
[email protected]

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
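The thread's answer to rogue unmanaged switches is a combination of BPDU guard (catches anything that speaks STP) and port-security MAC limits on the access VLAN (catches a non-STP switch the moment a second device appears behind it). The audit script below is an added example, not code from the thread or from PacketFence: it parses a Cisco IOS running-config and reports, for every port tagged with the `NAC_Controlled` description used in the posted config, which of those hardening lines are missing. The sample config is constructed for the example, and the required-line set is this example's own choice.

```python
import re

# Constructed sample running-config (not from the thread): one port set up like
# the posted example, one NAC-tagged port that is missing most of the hardening.
SAMPLE_CONFIG = """\
interface FastEthernet0/24
 description NAC_Controlled
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 authentication port-control auto
 mab
 spanning-tree bpduguard enable
!
interface FastEthernet0/25
 description NAC_Controlled
 authentication port-control auto
!
"""
# Interface lines a NAC-controlled access port should carry, keyed by the
# finding reported when the line is absent.
REQUIRED = {
    "no port-security": re.compile(r"^switchport port-security$"),
    "no access-VLAN MAC limit": re.compile(r"^switchport port-security maximum \d+ vlan access$"),
    "no 802.1X/MAB port control": re.compile(r"^authentication port-control auto$"),
    "no BPDU guard": re.compile(r"^spanning-tree bpduguard enable$"),
}

def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return interfaces

def audit(config, nac_tag="NAC_Controlled"):
    """Map each port whose description carries nac_tag to its missing lines."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if f"description {nac_tag}" not in lines:
            continue
        findings[name] = [f for f, pat in REQUIRED.items()
                          if not any(pat.match(l) for l in lines)]
    return findings
```

Run it against the output of `show running-config` to get a per-port list; an empty list means the port carries every line the script looks for, and a non-empty one names what to add before relying on the port to contain a plugged-in switch.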
