Hi Simon,

the top bandwidth consumers and bandwidth per operating system are based on the radius accounting. pfbandwidthd is used for inline accounting.

Regards
Fabrice

On 2015-09-27 09:47, Simon Gottschlag wrote:
> Hi!
>
> I was able to solve the issue by configuring the components like this:
>
> MSM760:
>
> - Normal IP-addresses on Internet and LAN
> - Created new “dummy vlan” and assigned it to LAN with the IP 192.168.129.1/24
> - Disabled NAT on internet and the dummy vlan
> - Disabled DNS interception
> - Configured the Address allocation to use DHCP relay agent
>   - Only on the client data tunnel, didn’t check “Extend VSC egress subnet to VSC ingress subnet”
>   - Added packetfence (which is on the same VLAN as the internet interface) as the primary DHCP relay
> - Created a NEW (this was important, can’t use the default one or else dhcp relay configuration won’t be available) VSC – as I said not the default one
>   - Configured it for both authentication and access control
>   - Checked “Always tunnel client traffic”
>   - Configured MAC-based authentication with packetfence as the radius authentication and accounting server
>   - The important part:
>     - Configured DHCP Relay agent on the VSC to “use the following server” and pointed it to packetfence (on the internet subnet)
>     - In subnet selection, I chose 192.168.129.0/24
>
> PacketFence:
>
> - Configured it for inline and disabled DHCP on eth2 (same subnet as the internet interface on HP MSM760)
>   - Eth2 = inline layer 2 interface
> - Created a routed network
>   - Network: 192.168.129.0
>   - Netmask: 255.255.255.0
>   - Network type: Inline Layer 3
>   - Enabled NATting
>   - Didn’t enable fake mac address
>   - Starting IP: 192.168.129.50
>   - Ending IP address: 192.168.129.99
>   - Default Lease Time / Max Lease Time: 86400
>   - DNS Server: 8.8.8.8 (important that it’s not packetfence or MSM)
>   - Client Gateway: 192.168.129.1 (the MSM, dummy network)
>   - Router IP: <MSM’s internet interface’s IP>
> - Added the MSM as switch to get MAC based authentication to work
>
> Now violations on bandwidth work! :)
>
> I haven’t been able to get bandwidth reports to work, but doesn’t matter for me since the bandwidth violations work as expected. (Using: Accounting::TOT200MBD)
>
> If anybody has any ideas regarding how to get top bandwidth consumers and bandwidth per operating system to work in the setup (if even possible while using inline), feel free to answer. :)
>
> Best regards,
> Simon Gottschlag
>
> *From:* Simon Gottschlag
> *Sent:* 27 September 2015 01:48
> *To:* '[email protected]' <[email protected]>
> *Subject:* Inline accounting
>
> Hi everybody!
>
> I’ve gotten packetfence to work together with HP MSM760 in inline mode and most stuff works as expected.
>
> One issue with the setup is that HP MSM760 won’t send accounting correctly (input/output will always be zero) if I’m not tunneling all traffic to the controller.
>
> I’ve tried to get MSM to work without inline, but got stuck since I had to rewrite a lot with help from another thread in this mailing list. I was able to get deauthentication with SOAP to work, but never the authentication part.
>
> Now when using inline (and not tunneling all traffic) both authentication and deauthentication (deregister node / manually apply bandwidth violation) works. The “last” thing I need, since this is why I’m trying to use PacketFence, is to get bandwidth violations to work when on inline mode.
>
> From what I’ve understood, the graphs are made from radius accounting and so is the Accounting:: trigger.
>
> Since I’m not able to get accounting to work when not tunneling all traffic to controller, and if I tunnel all traffic I can’t get inline mode to work, the only two alternatives (as far as I can see it) are:
>
> - Make a violation trigger that uses the data from the inline_accounting table. (maybe isn’t possible? Haven’t found anything about it)
> - Make a script that magically exports inline_accounting to radacct or something like that (see my “thoughts” below)
>
>     SELECT * FROM inline_accounting GROUP BY ip ORDER BY lastmodified DESC;
>
>     select mac from iplog WHERE ip LIKE "<ip>";
>
>     SELECT * FROM radacct WHERE callingstationid LIKE "<mac>" ORDER BY radacctid DESC LIMIT 1;
>
>     UPDATE radacct SET acctinputoctets=<inbytes>,acctoutputoctets=<outbytes> WHERE radacctid LIKE 18;
>
> - Get inline to work together with MSM when tunneling all traffic to controller and then to PacketFence
>
> Any ideas are really appreciated!
>
> Best regards,
> Simon Gottschlag
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
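
The second alternative in the quoted message (copying inline_accounting counters into radacct), written out as an added example that is not part of the thread and not PacketFence code. It runs against an in-memory SQLite database with a constructed schema limited to the columns named above; it assumes the counter columns are called inbytes/outbytes, that per-IP totals are the sum of rows, and that iplog.mac and radacct.callingstationid use the same MAC format. `sync_inline_to_radacct` and `demo` are hypothetical names.

```python
import sqlite3

# Constructed schema: only the columns named in the thread. inbytes/outbytes
# are assumed names for the counters written as <inbytes>/<outbytes> above.
SCHEMA = """
CREATE TABLE inline_accounting (ip TEXT, inbytes INTEGER, outbytes INTEGER, lastmodified TEXT);
CREATE TABLE iplog (mac TEXT, ip TEXT);
CREATE TABLE radacct (radacctid INTEGER PRIMARY KEY, callingstationid TEXT,
                      acctinputoctets INTEGER, acctoutputoctets INTEGER);
"""

def sync_inline_to_radacct(conn):
    """Copy per-IP inline totals into the newest radacct row of the matching MAC."""
    updated = []
    totals = conn.execute(
        "SELECT ip, SUM(inbytes), SUM(outbytes) FROM inline_accounting GROUP BY ip"
    ).fetchall()
    for ip, inbytes, outbytes in totals:
        # Exact match with bound parameters instead of LIKE "<ip>".
        row = conn.execute("SELECT mac FROM iplog WHERE ip = ?", (ip,)).fetchone()
        if row is None:
            continue  # no IP-to-MAC mapping: leave radacct untouched
        acct = conn.execute(
            "SELECT radacctid FROM radacct WHERE callingstationid = ? "
            "ORDER BY radacctid DESC LIMIT 1", (row[0],)).fetchone()
        if acct is None:
            continue  # no RADIUS session to attach the counters to
        conn.execute(
            "UPDATE radacct SET acctinputoctets = ?, acctoutputoctets = ? "
            "WHERE radacctid = ?", (inbytes, outbytes, acct[0]))
        updated.append(acct[0])
    conn.commit()
    return updated

def demo():
    """Run the sync on constructed sample rows; return (updated ids, radacct rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO inline_accounting VALUES (?,?,?,?)", [
        ("192.168.129.50", 1000, 200, "2015-09-27 09:00:00"),
        ("192.168.129.50", 500, 100, "2015-09-27 09:05:00"),
        ("192.168.129.51", 42, 7, "2015-09-27 09:06:00"),  # no iplog entry
    ])
    conn.execute("INSERT INTO iplog VALUES ('00:11:22:33:44:55', '192.168.129.50')")
    conn.executemany("INSERT INTO radacct VALUES (?,?,0,0)",
                     [(17, "00:11:22:33:44:55"), (18, "00:11:22:33:44:55")])
    ids = sync_inline_to_radacct(conn)
    rows = conn.execute("SELECT radacctid, acctinputoctets, acctoutputoctets "
                        "FROM radacct ORDER BY radacctid").fetchall()
    return ids, rows
```

Only the newest session row per MAC is written, so older radacct rows keep their original counters.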
