Hi,

How do I use this command?

"snmpwalk -v -c 2c público 192.168.137.154 0,1"

I'm using port-security, the problem is to authenticate the client... I changed the client state to unregistered, PF changes the vlan

snmptrapd.log

2015-11-06|04:23:36|UDP: [192.168.137.254]:49634->[192.168.137.5]|192.168.137.254|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .1 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.2.2.1.1.20 = Wrong Type (should be INTEGER): Gauge32: 20|.1.3.6.1.2.1.2.2.1.2.20 = STRING: FastEthernet0/20|.1.3.6.1.4.1.9.9.315.1.2.1.1.10.20 = Hex-STRING: 50 B7 C3 8D 8E 1E END VARIABLEBINDINGS

packetfence.log

Nov 06 04:23:39 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Nov 06 04:23:39 pfsetvlan(1) INFO: secureMacAddrViolation trap received on 192.168.137.254 ifIndex 20 for 50:b7:c3:8d:8e:1e (main::handleTrap)
Nov 06 04:23:39 pfsetvlan(1) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:23:40 pfsetvlan(1) INFO: [50:b7:c3:8d:8e:1e] Username was NOT defined or unable to match a role - returning node based role '' (pf::vlan::getNormalVlan)
Nov 06 04:23:40 pfsetvlan(1) WARN: No parameter Vlan found in conf/switches.conf for the switch 192.168.137.254 (pf::Switch::getVlanByName)
Nov 06 04:23:40 pfsetvlan(1) WARN: [50:b7:c3:8d:8e:1e] Resolved VLAN for node is not properly defined: Replacing with macDetectionVlan (pf::vlan::fetchVlanForNode)
Nov 06 04:23:40 pfsetvlan(1) INFO: [50:b7:c3:8d:8e:1e] PID: "ismael", Status: reg Returned VLAN: 4, Role: (pf::vlan::fetchVlanForNode)
Nov 06 04:23:40 pfsetvlan(1) INFO: authorizing 50:b7:c3:8d:8e:1e (old entry 00:0b:6a:78:5c:12) at new location 192.168.137.254 ifIndex 20 (main::handleTrap)
Nov 06 04:23:40 pfsetvlan(1) INFO: Should set 192.168.137.254 ifIndex 20 to VLAN 4 but it is already in this VLAN -> Do nothing (pf::Switch::setVlan)
Nov 06 04:23:40 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Nov 06 04:23:42 httpd.webservices(5807) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:23:57 httpd.webservices(5807) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:24:12 httpd.webservices(5807) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:24:27 httpd.webservices(5807) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:24:42 httpd.webservices(5807) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:24:57 httpd.webservices(5807) INFO: Instantiate profile default (pf::Portal::ProfileFactory::instantiate)
Nov 06 04:27:34 httpd.webservices(5807) INFO: [50:b7:c3:8d:8e:1e] security traps are configured on (192.168.137.254) ifIndex 20. Re-assigning VLAN (pf::api::_reassignSNMPConnections)
Nov 06 04:27:36 httpd.webservices(5807) INFO: [50:b7:c3:8d:8e:1e] is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Nov 06 04:27:36 httpd.webservices(5807) INFO: setting VLAN at 192.168.137.254 ifIndex 20 from 4 to 2 (pf::Switch::setVlan)
Nov 06 04:27:36 httpd.webservices(5807) INFO: [50:b7:c3:8d:8e:1e] Flipping admin status on switch (192.168.137.254) ifIndex 20. (pf::api::_reassignSNMPConnections)

Thanks

To: [email protected]
From: [email protected]
Date: Thu, 5 Nov 2015 19:46:10 -0500
Subject: Re: [PacketFence-users] Doubt about radius

There is no configuration about snmp on the pf side !
Are you able to do a snmpwalk -v 2c -c public 192.168.137.154 .1 ?

Fabrice

On 2015-11-05 19:13, ismael flavio silva wrote:

Hi,

Yes. I think the configuration is correct. Will I have any problem in the configuration GUI?

attached images
Configuration 2950 and configuration PF switch

Configuration

[192.168.137.254]
mode=production
cliUser=ismael
AccessListMap=N
description=cisco 2950
type=Cisco::Catalyst_2950
cliPwd=cisco
VoIPEnabled=N
uplink_dynamic=0
cliEnablePwd=cisco
uplink=23,24
radiusSecret=testing

Configuration Cisco 2950

Switch#show running-config
Building configuration...

Current configuration : 3261 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa group server radius packetfence
 server 192.168.137.5 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
enable password cisco
!
username ismael password 0 cisco
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
 switchport trunk allowed vlan 1-4,50,70,200
 switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 switchport access vlan 4
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 spanning-tree portfast
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
 switchport access vlan 4
 switchport mode access
 snmp trap mac-notification added
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 4
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0020
 snmp trap mac-notification added
 no snmp trap link-status
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport access vlan 2
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0021
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
 ip address 192.168.137.254 255.255.255.0
 no ip route-cache
!
interface Vlan2
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan3
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan4
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan50
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan70
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan200
 no ip address
 no ip route-cache
 shutdown
!
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.137.5 public port-security
radius-server host 192.168.137.5 auth-port 1812 acct-port 1813 timeout 2 key testing
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
 password cisco
line vty 5 15
 password cisco
!
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
!
end

Thanks

To: [email protected]
From: [email protected]
Date: Thu, 5 Nov 2015 18:00:44 -0500
Subject: Re: [PacketFence-users] Doubt about radius

Hi Ismael,

did you configure snmp on the switch and in the packetfence's switch config ?

Regards
Fabrice

On 2015-11-05 15:02, ismael flavio silva wrote:

Hello

I have a doubt

I'm setting up the PF 5.4.0 with the service radius (dlink 2000 AP +) the manual says the process has to be done with the port-security.

- It is necessary to add the AP in floating device.
- The PF 5.4.0 knows that is the floating device and automatically configures for port-security.

but I have a problem, Cisco does not accept my devices due to the violation. As PF automatic configure what can I do to solve the problem?

PF LOG

Nov 05 18:49:59 pfsetvlan(2) WARN: couldn't get MAC at ifIndex 1. This is a problem. (pf::Switch::_getMacAtIfIndex)
Nov 05 18:49:59 pfsetvlan(2) WARN: Tried to grab MAC address at ifIndex 1 on switch 192.168.137.254 for 2 minutes and failed (main::handleTrap)
Nov 05 18:49:59 pfsetvlan(2) INFO: cannot find MAC (maybe we found a VoIP, but they don't count here). Do nothing (main::handleTrap)
Nov 05 18:49:59 pfsetvlan(2) INFO: finished (main::cleanupAfterThread)
Nov 05 18:50:09 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Nov 05 18:50:09 pfsetvlan(1) INFO: up trap received on 192.168.137.254 ifIndex 20 (main::handleTrap)
Nov 05 18:50:09 pfsetvlan(1) INFO: The logs shows that the last device pluged was a floating network device. We may have missed the LinkDown trap. Disabling floating network device configuration on the port. (main::handleTrap)
Nov 05 18:50:09 pfsetvlan(1) INFO: Disabling LinkDown traps on port 20 (pf::floatingdevice::disablePortConfig)
Nov 05 18:50:09 pfsetvlan(1) INFO: Setting port 20 to MAC detection Vlan. (pf::floatingdevice::disablePortConfig)
Nov 05 18:50:09 pfsetvlan(1) INFO: There is a floating device on 192.168.137.254 port 20 (pf::floatingdevice::portHasFloatingDevice)
Nov 05 18:50:09 pfsetvlan(1) ERROR: Use of uninitialized value $mac in concatenation (.) or string at /usr/local/pf/lib/pf/locationlog.pm line 502. (pf::locationlog::locationlog_synchronize)
Nov 05 18:50:09 pfsetvlan(1) INFO: Not adding locationlog entry for mac because it's plugged in a floating device enabled port (pf::locationlog::locationlog_synchronize)
Nov 05 18:50:09 pfsetvlan(1) INFO: Should set 192.168.137.254 ifIndex 20 to VLAN 4 but it is already in this VLAN -> Do nothing (pf::Switch::setVlan)
Nov 05 18:50:09 pfsetvlan(1) INFO: Enabling access control on port 20 (pf::floatingdevice::disablePortConfig)
Nov 05 18:50:10 pfsetvlan(1) WARN: couldn't get MAC at ifIndex 20. This is a problem. (pf::Switch::_getMacAtIfIndex)
Nov 05 18:50:10 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Nov 05 18:50:15 pfsetvlan(4) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Nov 05 18:50:15 pfsetvlan(4) INFO: MAC 02:00:00:00:00:20 is a fake MAC. Stop mac handling (main::handleTrap)
Nov 05 18:50:15 pfsetvlan(4) INFO: finished (main::cleanupAfterThread)

CISCO LOG

Switch#
00:05:29: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c8f7.335f.975e on port FastEthernet0/20.

Thanks

------------------------------------------------------------------------------
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
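
Added example, not part of the original thread and not PacketFence code: a Python parser for the snmptrapd.log line quoted above that recovers the switch, port, ifIndex and MAC address which pfsetvlan reports for the secureMacAddrViolation trap. The function names and the placeholder-MAC pattern (02:00:00:00:00:NN, taken from the switch configuration and the "fake MAC" log line above) are assumptions made for this example.

```python
import re

# OID prefixes taken from the trap quoted in the thread; the last arc is the ifIndex.
IF_DESCR = ".1.3.6.1.2.1.2.2.1.2."              # ifDescr
LAST_MAC = ".1.3.6.1.4.1.9.9.315.1.2.1.1.10."   # cpsIfSecureLastMacAddress
# Assumption: placeholder secure MACs follow the 0200.0000.00NN form seen on this page.
PLACEHOLDER = re.compile(r"^02:00:00:00:00:[0-9a-f]{2}$")

# The snmptrapd.log line from the thread, verbatim.
SAMPLE = (
    "2015-11-06|04:23:36|UDP: [192.168.137.254]:49634->[192.168.137.5]|"
    "192.168.137.254|BEGIN TYPE 6 END TYPE BEGIN SUBTYPE .1 END SUBTYPE "
    "BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.2.2.1.1.20 = Wrong Type (should be "
    "INTEGER): Gauge32: 20|.1.3.6.1.2.1.2.2.1.2.20 = STRING: FastEthernet0/20|"
    ".1.3.6.1.4.1.9.9.315.1.2.1.1.10.20 = Hex-STRING: 50 B7 C3 8D 8E 1E "
    "END VARIABLEBINDINGS"
)

def normalize_mac(text):
    """Accept '50 B7 C3 8D 8E 1E', '0200.0000.0020' or colon form."""
    digits = re.sub(r"[^0-9a-f]", "", text.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_placeholder(mac):
    """True for the per-port placeholder entries, which identify no real client."""
    return bool(PLACEHOLDER.match(normalize_mac(mac)))

def parse_trap(line):
    """Return switch, port, ifIndex and MAC from one snmptrapd.log line."""
    fields = line.strip().split("|", 4)  # date, time, transport, agent, payload
    if len(fields) != 5:
        raise ValueError("not a snmptrapd.log line in the format shown above")
    m = re.search(r"BEGIN VARIABLEBINDINGS (.*) END VARIABLEBINDINGS", fields[4])
    if not m:
        raise ValueError("no variable bindings in trap")
    out = {"switch": fields[3], "ifIndex": None, "port": None, "mac": None}
    for binding in m.group(1).split("|"):
        oid, _, value = binding.partition(" = ")
        raw = value.rpartition(": ")[2].strip()  # drop the 'TYPE: ' prefix
        if oid.startswith(IF_DESCR):
            out["port"] = raw
        elif oid.startswith(LAST_MAC):
            out["ifIndex"] = int(oid[len(LAST_MAC):])
            out["mac"] = normalize_mac(raw)
    if out["mac"] is None:
        raise ValueError("trap carries no secure-MAC binding")
    out["placeholder"] = is_placeholder(out["mac"])
    return out
```

The parsed result for the sample line matches the "secureMacAddrViolation trap received on 192.168.137.254 ifIndex 20 for 50:b7:c3:8d:8e:1e" entry in packetfence.log.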
