Hi, I forgot to mention, it is required that the default gateway for MSM is pointed to PacketFence via the "Internet" interface.
Best regards,
Simon Gottschlag

From: Simon Gottschlag
Sent: 27 September 2015 15:48
To: '[email protected]' <[email protected]>
Subject: RE: Inline accounting

Hi!

I was able to solve the issue by configuring the components like this:

MSM760:
· Normal IP addresses on Internet and LAN
· Created a new "dummy vlan" and assigned it to LAN with the IP 192.168.129.1/24
· Disabled NAT on Internet and the dummy vlan
· Disabled DNS interception
· Configured the Address allocation to use DHCP relay agent
  o Only on the client data tunnel, didn't check "Extend VSC egress subnet to VSC ingress subnet"
  o Added packetfence (which is on the same VLAN as the Internet interface) as the primary DHCP relay
· Created a NEW VSC (this was important, can't use the default one or else the DHCP relay configuration won't be available) - as I said, not the default one
  o Configured it for both authentication and access control
  o Checked "Always tunnel client traffic"
  o Configured MAC-based authentication with packetfence as the RADIUS authentication and accounting server
  o The important part:
    § Configured the DHCP relay agent on the VSC to "use the following server" and pointed it to packetfence (on the Internet subnet)
    § In subnet selection, I chose 192.168.129.0/24

PacketFence:
· Configured it for inline and disabled DHCP on eth2 (same subnet as the Internet interface on the HP MSM760)
  o eth2 = inline layer 2 interface
· Created a routed network
  o Network: 192.168.129.0
  o Netmask: 255.255.255.0
  o Network type: Inline Layer 3
  o Enabled NATting
  o Didn't enable fake MAC address
  o Starting IP: 192.168.129.50
  o Ending IP address: 192.168.129.99
  o Default Lease Time / Max Lease Time: 86400
  o DNS Server: 8.8.8.8 (important that it's not packetfence or the MSM)
  o Client Gateway: 192.168.129.1 (the MSM, dummy network)
  o Router IP: <the MSM's Internet interface IP>
· Added the MSM as a switch to get MAC-based authentication to work

Now violations on bandwidth work! :)

I haven't been able to get bandwidth reports to work, but it doesn't matter for me since the bandwidth violations work as expected. (Using: Accounting::TOT200MBD)

If anybody has any ideas regarding how to get top bandwidth consumers and bandwidth per operating system to work in this setup (if even possible while using inline), feel free to answer. :)

Best regards,
Simon Gottschlag

From: Simon Gottschlag
Sent: 27 September 2015 01:48
To: '[email protected]' <[email protected]>
Subject: Inline accounting

Hi everybody!

I've gotten packetfence to work together with the HP MSM760 in inline mode and most stuff works as expected. One issue with the setup is that the HP MSM760 won't send accounting correctly (input/output will always be zero) if I'm not tunneling all traffic to the controller.

I've tried to get the MSM to work without inline, but got stuck since I had to rewrite a lot with help from another thread in this mailing list. I was able to get deauthentication with SOAP to work, but never the authentication part. Now, when using inline (and not tunneling all traffic), both authentication and deauthentication (deregister node / manually apply bandwidth violation) work.

The "last" thing I need, since this is why I'm trying to use PacketFence, is to get bandwidth violations to work when in inline mode. From what I've understood, the graphs are made from RADIUS accounting and so is the Accounting:: trigger. Since I'm not able to get accounting to work when not tunneling all traffic to the controller, and if I tunnel all traffic I can't get inline mode to work, the only two alternatives (as far as I can see) are:

· Make a violation trigger that uses the data from the inline_accounting table. (Maybe it isn't possible? Haven't found anything about it.)
· Make a script that magically exports inline_accounting to radacct or something like that (see my "thoughts" below):

    SELECT * FROM inline_accounting GROUP BY ip ORDER BY lastmodified DESC;
    SELECT mac FROM iplog WHERE ip = '<ip>';
    SELECT * FROM radacct WHERE callingstationid = '<mac>' ORDER BY radacctid DESC LIMIT 1;
    UPDATE radacct SET acctinputoctets = <inbytes>, acctoutputoctets = <outbytes> WHERE radacctid = 18;

· Get inline to work together with the MSM when tunneling all traffic to the controller and then to PacketFence

Any ideas are really appreciated!

Best regards,
Simon Gottschlag
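The "export inline_accounting to radacct" idea from the first mail, worked through as an added example (this is not code from the thread or from the PacketFence project). It uses an in-memory SQLite database with constructed rows standing in for the three tables the mail names; the column sets, the NULL end_time convention for an open iplog lease, the mapping of inbytes/outbytes onto acctinputoctets/acctoutputoctets, and the 200 MB threshold arithmetic are all assumptions for the demo and must be checked against the real PacketFence (MySQL) schema and the Accounting::TOT200MBD definition before anything like this is run in production. The script picks the newest inline_accounting row per IP, resolves the IP to a MAC through the open iplog entry, and copies the counters into that MAC's most recent radacct session; IPs with no open lease or no RADIUS session are skipped instead of guessed.

```python
import sqlite3

# Constructed, simplified stand-ins for the tables referred to in the thread.
# Column names follow the queries in the mail; the rest is an assumption.
SCHEMA = """
CREATE TABLE inline_accounting (
    ip TEXT, inbytes INTEGER, outbytes INTEGER, lastmodified TEXT);
CREATE TABLE iplog (
    mac TEXT, ip TEXT, start_time TEXT, end_time TEXT);
CREATE TABLE radacct (
    radacctid INTEGER PRIMARY KEY, callingstationid TEXT,
    acctinputoctets INTEGER, acctoutputoctets INTEGER, acctstarttime TEXT);
"""

# Constructed sample data: two clients with leases, one IP without a lease,
# and an older stale RADIUS session (id 17) that must not be touched.
SAMPLE_ROWS = """
INSERT INTO inline_accounting VALUES
  ('192.168.129.50', 150000000, 80000000, '2015-09-27 01:00:00'),
  ('192.168.129.50', 210000000, 95000000, '2015-09-27 01:30:00'),
  ('192.168.129.51',   4000000,  1000000, '2015-09-27 01:10:00'),
  ('192.168.129.52',   9000000,  2000000, '2015-09-27 01:20:00');
INSERT INTO iplog VALUES
  ('aa:bb:cc:dd:ee:01', '192.168.129.50', '2015-09-27 00:50:00', NULL),
  ('aa:bb:cc:dd:ee:02', '192.168.129.51', '2015-09-27 01:05:00', NULL);
INSERT INTO radacct VALUES
  (17, 'aa:bb:cc:dd:ee:01', 0, 0, '2015-09-26 20:00:00'),
  (18, 'aa:bb:cc:dd:ee:01', 0, 0, '2015-09-27 00:50:00'),
  (19, 'aa:bb:cc:dd:ee:02', 0, 0, '2015-09-27 01:05:00');
"""


def open_demo_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def latest_inline_counters(conn):
    """Newest inline_accounting row per IP, i.e. the current byte counters.
    (ISO-formatted timestamps sort correctly as text, so MAX() is safe here.)"""
    return conn.execute("""
        SELECT ia.ip, ia.inbytes, ia.outbytes
        FROM inline_accounting ia
        JOIN (SELECT ip, MAX(lastmodified) AS lm
              FROM inline_accounting GROUP BY ip) newest
          ON newest.ip = ia.ip AND newest.lm = ia.lastmodified
        ORDER BY ia.ip
    """).fetchall()


def mac_for_ip(conn, ip):
    """MAC that currently holds the IP (assumption: open lease has end_time NULL)."""
    row = conn.execute(
        "SELECT mac FROM iplog WHERE ip = ? AND end_time IS NULL "
        "ORDER BY start_time DESC LIMIT 1", (ip,)).fetchone()
    return row[0] if row else None


def sync_inline_to_radacct(conn):
    """Copy the inline counters into the newest radacct session of the same MAC.
    Returns {ip: radacctid} for the rows actually updated."""
    updated = {}
    for ip, inbytes, outbytes in latest_inline_counters(conn):
        mac = mac_for_ip(conn, ip)
        if mac is None:          # no open lease: nothing to attribute the bytes to
            continue
        sess = conn.execute(
            "SELECT radacctid FROM radacct WHERE callingstationid = ? "
            "ORDER BY radacctid DESC LIMIT 1", (mac,)).fetchone()
        if sess is None:         # MAC never authenticated via RADIUS: skip
            continue
        conn.execute(
            "UPDATE radacct SET acctinputoctets = ?, acctoutputoctets = ? "
            "WHERE radacctid = ?", (inbytes, outbytes, sess[0]))
        updated[ip] = sess[0]
    conn.commit()
    return updated


def total_octets(conn, radacctid):
    """Sum of both directions for one session, as an accounting trigger would read it."""
    row = conn.execute(
        "SELECT acctinputoctets + acctoutputoctets FROM radacct "
        "WHERE radacctid = ?", (radacctid,)).fetchone()
    return row[0] if row else None


def over_threshold(conn, radacctid, limit_bytes=200 * 1024 * 1024):
    """Hypothetical stand-in for a 200 MB/day check (assumed 200 MiB; verify
    against the real Accounting::TOT200MBD definition)."""
    total = total_octets(conn, radacctid)
    return total is not None and total > limit_bytes


if __name__ == "__main__":
    db = open_demo_db()
    print(sync_inline_to_radacct(db))
    for sid in (17, 18, 19):
        print(sid, total_octets(db, sid), over_threshold(db, sid))
```

The two skip conditions are the part worth keeping even if the rest is adapted: writing counters for an IP without an open lease, or onto an older session of the same MAC, would silently attribute bandwidth to the wrong node, and a violation triggered from that would be very hard to debug.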
------------------------------------------------------------------------------
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
