Hello Vianney,

First, check out your switch configuration (tab roles). At the moment you have switch by role and switch by VLAN selected; you should remove "role mapping by switch role".

PacketFence seems to answer to the switch RADIUS request properly.

Is VLAN 260 your production VLAN? If yes, is it spanned to this port?

Remember that PacketFence IS NOT a DHCP server on your production VLAN; we assume that you have your own server for that.

Thank you

On 06/17/2016 09:38 AM, Vianney Amador wrote:
Hi guys,

I am pretty much new to this world of PacketFence. I am testing this using a Cisco Catalyst 3550 with the latest IOS available.

I created my registration, isolation and normal VLANs on both the PF server interface and Switch.

I added this switch on PF using the parameters specified in the official documentation, and also set up the switch using the 3550 (802.1x with MAB) configuration.

Created a source for Active Directory authentication.

I set up one of the ports on the switch with the parameters for the registration VLAN. The PC (Windows 10) automatically acquired an IP address from this subnet, and when I opened the browser it forced me to authenticate, so I put in my AD credentials and got authenticated.

When I connect the same PC on a port set up as specified in the official documentation, the PC WILL NOT get an IP address:

switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 2
dot1x timeout reauth-period 7200
dot1x timeout tx-period 3
dot1x reauthentication


Here is the log from packetfence.log:

Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)




Any thoughts?


Please advise,
Vianney








_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Antoine Amacher
[email protected]  ::  +1.514.447.4918 *130  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
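
Added example (not part of the original messages and not PacketFence code): a small parser for packetfence.log entries in the format quoted in this thread, which groups RADIUS authorizations per MAC and flags a device that is re-authorized repeatedly with the same VLAN answer. The function names, the year default, the 60-second gap and the three-request minimum are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: entries taken from the log quoted in the thread, one per line.
SAMPLE_LOG = """\
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ INFO: \[mac:([0-9a-f:]{17})\] (.*)$")
REQUEST = re.compile(r"switch_ip => \(([\d.]+)\), connection_type => (\w+).*port => (\d+)")
VLAN = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")
ROLE = re.compile(r"Added role (\S+) to the returned RADIUS Access-Accept")

def summarize(log_text, year=2016):
    """Per MAC: request times, switch/port, connection type, returned VLANs and roles."""
    stats = defaultdict(lambda: {"requests": [], "vlans": set(), "roles": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an httpd.aaa INFO entry in the quoted format
        stamp, mac, msg = m.groups()
        entry = stats[mac]
        if req := REQUEST.search(msg):
            # The log carries no year, so one is supplied by the caller.
            entry["requests"].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
            entry["switch"], entry["conn"], entry["port"] = req.group(1), req.group(2), int(req.group(3))
        elif v := VLAN.search(msg):
            entry["vlans"].add(int(v.group(1)))
        elif r := ROLE.search(msg):
            entry["roles"].add(r.group(1))
    return stats

def reauth_loops(stats, max_gap=60, min_requests=3):
    """MACs authorized repeatedly at short intervals with one unchanging VLAN answer."""
    flagged = {}
    for mac, e in stats.items():
        times = sorted(e["requests"])
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if len(times) >= min_requests and all(g <= max_gap for g in gaps) and len(e["vlans"]) == 1:
            flagged[mac] = gaps  # seconds between successive authorization requests
    return flagged
```

A flagged MAC with a single, stable VLAN means the RADIUS answers are consistent, which points the troubleshooting at the switch port, the VLAN trunking and the DHCP path rather than at the authorization decision.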
