I would disagree with the statement that bpduguard will detect unmanaged
switches. I run it on all my access ports, and the only time I get a hit in
the log is when someone loops the switch, or plugs in a switch/device that
supports spanning tree.
If you want a single device connected, use either multi-domain (if you have
ip phones that use voice vlan), or single-host. Multi-auth can be useful if
you have to allow those unmanaged switches, but things get interesting when
you mix mab/dot1x, and when you mix authenticated states.
On the interface: authentication host-mode [multi-auth | multi-domain |
multi-host | single-host]
On Thursday, July 2, 2015, Sallee, Jake <[email protected]> wrote:
> > And you have PacketFence working with this port config?
> Yip yip!
>
> > It is different from the guidance in the Admin Guide.
> This is more fitting than you may know : )
>
> The Code is more what you call guidelines, than actual rules
> <https://www.youtube.com/watch?v=6GMkuPiIZ2k>
>
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Rhoads, Robert W. [[email protected]]
> Sent: Thursday, July 02, 2015 9:34 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Rogue switches
>
> And you have PacketFence working with this port config? It is different
> from the guidance in the Admin Guide. Thank you very much, I have some
> experimentation to do.
>
>
> Respectfully,
>
> Robert Rhoads
> [email protected]
>
>
>
>
> -----Original Message-----
> From: Sallee, Jake [mailto:[email protected]]
> Sent: Thursday, July 02, 2015 10:25 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Rogue switches
>
> Here is a port config that works for us:
>
> interface FastEthernet0/24
> description NAC_Controlled
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> authentication order mab
> authentication port-control auto
> mab
> mls qos trust cos
> macro description NAC
> spanning-tree portfast
> spanning-tree bpdufilter enable
> spanning-tree bpduguard enable
> spanning-tree guard loop
> !
>
> Some global config stuffs:
>
> spanning-tree mode rapid-pvst
> spanning-tree loopguard default
> no spanning-tree optimize bpdu transmission
> spanning-tree extend system-id
>
> errdisable recovery cause bpduguard
> errdisable recovery cause security-violation
> errdisable recovery cause psecure-violation
> errdisable recovery interval 30
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Rhoads, Robert W. [[email protected]]
> Sent: Thursday, July 02, 2015 9:09 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Rogue switches
>
> Well, it is interesting because I have set BPDU Guard in my test lab where
> I am testing PacketFence and have 802.1x and MAB going, and on a protected
> port I connect a cheap Dlink 10/100 switch and while it didn't appear
> active, when I connected a PC to the Dlink, it all seemed to work just fine,
> authenticated and everything. I should have mentioned that I do have
> autoregistration active, but I would think I can stop a rogue switch even
> with that on... I would appreciate taking a look at your port config as
> there might be something there I'm not aware of that I am missing, you
> never know. Thank you.
>
>
> Robert Rhoads
> [email protected]
>
>
>
>
> -----Original Message-----
> From: Sallee, Jake [mailto:[email protected]]
> Sent: Thursday, July 02, 2015 9:47 AM
> To: [email protected]
> Subject: Re: [PacketFence-users] Rogue switches
>
> BPDU guard will work with any end point, not just the ones that use STP.
>
> The way BPDU works is that it will shut down (errdisable) a port that is in
> portfast mode when a BPDU packet is seen on that port.
>
> All switches generate BPDU packets, even the cheap 5 port unmanaged off
> brand types.
>
> Hubs may not generate BPDUs but switches do, all of 'em.
>
> We make liberal use of BPDU Guard to stop students from using switches
> they bought at the local electronics stores and it works quite well.
>
> I can send you a copy of our port config if you like.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> ________________________________
> From: Rhoads, Robert W. [[email protected]]
> Sent: Thursday, July 02, 2015 8:33 AM
> To: [email protected]
> Subject: [PacketFence-users] Rogue switches
>
> PacketFence experts,
>
>
> Is there a means or mechanism within PacketFence, when 802.1x/MAB is
> in use, that will prevent an access port under PF control from allowing
> another switch to work when connected to that port? I am aware I can
> use BPDU Guard on access ports to stop a switch by killing the port if it
> is talking Spanning-Tree, but I am more interested in stopping small,
> unmanaged switches that don't talk Spanning-Tree that people have a
> tendency to plug in without asking or getting permission. An earlier
> thread on this topic did not really shed that much light for me... I
> appreciate any help and guidance.
>
> Respectfully,
>
> Robert Rhoads
> [email protected] <mailto:[email protected]>
>
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that you
> need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
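The host-mode point made at the top of this thread lends itself to a check that BPDU guard cannot provide: an unmanaged switch that never sends a BPDU still shows up as several MAC addresses learned on one access port, so counting learned MACs per port and comparing against what its `authentication host-mode` permits (one MAC for single-host, one data plus one voice MAC for multi-domain, any number for multi-host and multi-auth) is the detection that actually fires. The script below is an added example, not PacketFence code or any poster's configuration; the `show mac address-table` excerpt, the port-to-host-mode mapping and the voice VLAN number (100) are constructed sample data.

```python
"""Flag NAC-controlled access ports that have learned more MAC addresses
than their 802.1X host-mode allows.

Added example (not PacketFence's or the thread's own code). The MAC-table
text, the per-port host-mode map and the voice VLAN id are constructed.
"""
import re
from collections import defaultdict

# Constructed: excerpt in the shape of Cisco IOS `show mac address-table dynamic`.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/2
  10    0011.2233.4488    DYNAMIC     Fa0/2
  10    0011.2233.4499    DYNAMIC     Fa0/3
 100    00aa.bbcc.dd01    DYNAMIC     Fa0/3
  10    0011.2233.5500    DYNAMIC     Fa0/4
  10    0011.2233.5511    DYNAMIC     Fa0/4
   1    0011.2233.5522    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 9
"""

# Constructed: `authentication host-mode` per port as read from the running
# config. Gi0/1 is deliberately absent (an uplink, not under NAC control).
PORT_HOST_MODE = {
    "Fa0/1": "single-host",
    "Fa0/2": "single-host",
    "Fa0/3": "multi-domain",
    "Fa0/4": "multi-auth",
}
VOICE_VLAN = 100  # assumption: the voice VLAN used for the multi-domain check

# One data row: vlan, dotted MAC, type, port.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return {port: [(vlan, mac), ...]} from `show mac address-table` output.
    Header, separator and summary lines do not match the row pattern."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, port = int(m.group(1)), m.group(2).lower(), m.group(3)
            by_port[port].append((vlan, mac))
    return dict(by_port)


def exceeds_host_mode(host_mode, entries, voice_vlan):
    """True when the learned MACs exceed what the host-mode permits."""
    voice = [mac for vlan, mac in entries if vlan == voice_vlan]
    data = [mac for vlan, mac in entries if vlan != voice_vlan]
    if host_mode == "single-host":
        return len(entries) > 1          # exactly one MAC, any VLAN
    if host_mode == "multi-domain":
        return len(data) > 1 or len(voice) > 1   # one data + one voice MAC
    return False  # multi-host / multi-auth: several MACs are expected


def find_suspect_ports(mac_table_text, host_modes, voice_vlan=VOICE_VLAN):
    """Return {port: [macs]} for ports whose learned MACs exceed the host-mode
    limit; ports without a host-mode entry (uplinks) are skipped."""
    findings = {}
    for port, entries in parse_mac_table(mac_table_text).items():
        mode = host_modes.get(port)
        if mode is None:
            continue
        if exceeds_host_mode(mode, entries, voice_vlan):
            findings[port] = sorted(mac for _, mac in entries)
    return findings


if __name__ == "__main__":
    for port, macs in find_suspect_ports(SAMPLE_MAC_TABLE, PORT_HOST_MODE).items():
        print(f"{port}: {len(macs)} MACs behind a {PORT_HOST_MODE[port]} port "
              f"-> {', '.join(macs)}")
```

On the sample data only Fa0/2 is reported: three data-VLAN MACs behind a single-host port, the signature of an unmanaged switch with PCs behind it. Fa0/3 passes because its second MAC is on the voice VLAN, which multi-domain allows, and Fa0/4 passes because multi-auth permits multiple hosts by design; that last case is the trade-off the top reply describes when multi-auth is used to tolerate unmanaged switches.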