Hi Antoine,
Thanks for your prompt response.
VLAN 260 is my registration VLAN, and VLAN 162 is my production VLAN (DHCP
provided by my DC).
Removing "role mapping by switch role" from the switch configuration on PF did
the trick: the PC is assigned an IP from the registration VLAN DHCP and opens
the browser for authentication.
Once my AD credentials are entered, PF shows this in the browser:
"Enabling network access."
Then it shows: "Unable to detect network connectivity. Try restarting your browser
or opening a new tab to see if your access has been successfully granted."
Here is the packetfence.log for this matter:
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Releasing device (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] is currentlog connected at (192.168.1.14) ifIndex 12 registration (pf::enforcement::_should_we_reassign_vlan)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Username was defined "28d244082c68" - returning role 'NL_Employees' (pf::role::getRegisteredRole)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] PID: "testuser1", Status: reg Returned VLAN: (undefined), Role: NL_Employees (pf::role::fetchRoleForNode)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] VLAN reassignment required (current VLAN = 260 but should be in VLAN 162) (pf::enforcement::_should_we_reassign_vlan)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] switch port is (192.168.1.14) ifIndex 12 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Jun 17 11:21:27 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:28 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:29 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:29 httpd.portal(3326) INFO: [mac:28:d2:44:08:2c:68] Dealing with a endpoint / browser with captive-portal detection capabilities while having a self-signed SSL certificate. Using HTTP instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:21:29 httpd.portal(3326) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:30 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68] Dealing with a endpoint / browser with captive-portal detection capabilities while having a self-signed SSL certificate. Using HTTP instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:21:30 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:38 httpd.portal(3326) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:48 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:58 httpd.portal(3140) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:21:59 httpd.portal(3144) INFO: [mac:28:d2:44:08:2c:68] Dealing with a endpoint / browser with captive-portal detection capabilities while having a self-signed SSL certificate. Using HTTP instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:21:59 httpd.portal(3144) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
Jun 17 11:22:00 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68] Dealing with a endpoint / browser with captive-portal detection capabilities while having a self-signed SSL certificate. Using HTTP instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:22:00 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
If the Ethernet cable from the PC is unplugged and then plugged back in, or if its
NIC is disabled/enabled in Windows, then the PC is granted access to my
production VLAN (162).
Is this the expected behavior? If not, could you please help me out with this?
Thank you!
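The packetfence.log excerpts in this thread are easier to reason about once the run-together entries are split and correlated per MAC. The following is an added example, not code from PacketFence or from anyone in this thread. It parses entries in the format shown above, re-splits entries that a mail client has glued together (the "...)Jun 17 11:21:25 httpd.portal..." pattern), and reports, for each "VLAN reassignment required" decision, whether a later RADIUS Access-Accept for that MAC actually carried the wanted VLAN, and how long that took. The sample log is constructed from the thread's own entries; the 11:30:02 re-authorization for 28:d2:44:08:2c:68 (standing in for the cable re-plug), the second MAC aa:bb:cc:00:00:01 with its timestamps, and the 30-second threshold are assumptions made for the example.

```python
"""Correlate packetfence.log RADIUS and enforcement entries per MAC and flag
VLAN reassignments the switch never applied. Added example, not PacketFence
code; the sample log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's packetfence.log entries. The MAC,
# switch, VLANs and the 09:50/11:21 entries come from the thread; the 11:30:02
# re-authorization (standing in for the cable re-plug), the second MAC and its
# timestamps are assumptions. The fourth line is deliberately two entries glued
# together, as they appear when pasted from a mail client.
SAMPLE_LOG = """\
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] VLAN reassignment required (current VLAN = 260 but should be in VLAN 162) (pf::enforcement::_should_we_reassign_vlan)Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] switch port is (192.168.1.14) ifIndex 12 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Jun 17 11:30:02 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 11:30:02 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 162 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 11:40:00 httpd.portal(3150) INFO: [mac:aa:bb:cc:00:00:01] VLAN reassignment required (current VLAN = 260 but should be in VLAN 162) (pf::enforcement::_should_we_reassign_vlan)
Jun 17 11:40:03 httpd.aaa(2249) INFO: [mac:aa:bb:cc:00:00:01] (192.168.1.14) Added VLAN 162 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# One entry: "Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:..] message (pkg::sub)"
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proc>[\w.]+)\((?P<pid>\d+)\) (?P<level>\w+): "
    r"\[mac:(?P<mac>[^\]]+)\] (?P<msg>.*)$"
)
# Boundary between two entries that lost their newline: a closing ")" directly
# followed by the next entry's timestamp and process name.
GLUED_RE = re.compile(
    r"(?<=\))(?=[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d [\w.]+\(\d+\) )"
)
AUTHZ_RE = re.compile(
    r"handling radius autz request: from switch_ip => \((?P<switch>[^)]+)\)"
    r".*?port => (?P<port>\d+)"
)
ACCEPT_VLAN_RE = re.compile(r"Added VLAN (?P<vlan>\d+) to the returned RADIUS Access-Accept")
REASSIGN_RE = re.compile(
    r"VLAN reassignment required \(current VLAN = (?P<cur>\d+) but should be in VLAN (?P<want>\d+)\)"
)


def split_entries(text):
    """Yield individual log entries, re-splitting run-together lines."""
    for line in text.splitlines():
        for piece in GLUED_RE.split(line):
            piece = piece.strip().rstrip(".")  # a trailing "." is mail-paste debris
            if piece:
                yield piece


def parse(text):
    """Return the interesting events (authorize, accept_vlan, reassign_required)
    as dicts in log order; other entries are ignored."""
    events = []
    for entry in split_entries(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine for deltas within one day (a midnight wrap is not handled here).
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        mac, msg = m["mac"], m["msg"]
        if a := AUTHZ_RE.search(msg):
            events.append(dict(ts=ts, mac=mac, kind="authorize", switch=a["switch"], port=int(a["port"])))
        elif v := ACCEPT_VLAN_RE.search(msg):
            events.append(dict(ts=ts, mac=mac, kind="accept_vlan", vlan=int(v["vlan"])))
        elif r := REASSIGN_RE.search(msg):
            events.append(dict(ts=ts, mac=mac, kind="reassign_required",
                               current=int(r["cur"]), wanted=int(r["want"])))
    return events


def unenforced_reassignments(events, max_delay_s=30):
    """For every 'VLAN reassignment required' decision, find the first later
    Access-Accept for the same MAC that carries the wanted VLAN. A finding is
    'enforced' only if that happened within max_delay_s (an assumed threshold);
    a long delay means the switch only re-authenticated after a manual link
    bounce, and None means it never did within the log window."""
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e)
    findings = []
    for mac, evs in by_mac.items():
        for i, e in enumerate(evs):
            if e["kind"] != "reassign_required":
                continue
            applied = next((x for x in evs[i + 1:]
                            if x["kind"] == "accept_vlan" and x["vlan"] == e["wanted"]), None)
            delay = (applied["ts"] - e["ts"]).total_seconds() if applied else None
            findings.append(dict(mac=mac, decided_at=e["ts"].strftime("%H:%M:%S"),
                                 from_vlan=e["current"], to_vlan=e["wanted"], delay_s=delay,
                                 enforced=delay is not None and delay <= max_delay_s))
    return findings


if __name__ == "__main__":
    for f in unenforced_reassignments(parse(SAMPLE_LOG)):
        state = "never applied" if f["delay_s"] is None else "applied after %.0fs" % f["delay_s"]
        flag = "" if f["enforced"] else "  <-- switch was not moved automatically"
        print(f"{f['mac']}: VLAN {f['from_vlan']} -> {f['to_vlan']} decided {f['decided_at']}: {state}{flag}")
```

Run against a real packetfence.log (for example, `parse(open("/usr/local/pf/logs/packetfence.log").read())`), a finding whose delay is far above the threshold, or None, for a wired MAC-auth port is the same symptom described above: PacketFence decided on the new VLAN but the switch only re-authenticated the port after the cable was re-plugged.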
To: [email protected]
From: [email protected]
Date: Fri, 17 Jun 2016 10:20:23 -0400
Subject: Re: [PacketFence-users] Cisco Catalyst 3550 - Registration VLAN
Hello Vianney,
First, check your switch configuration (Roles tab): at the moment
you have switch by role and switch by VLAN selected; you should
remove "role mapping by switch role".
PacketFence seems to answer to the switch RADIUS request properly.
Is VLAN 260 your production VLAN? If yes, is it spanned to this port?
Remember that PacketFence IS NOT a DHCP server on your production
VLAN, we assume that you have your own server for that.
Thank you
On 06/17/2016 09:38 AM, Vianney Amador wrote:
Hi guys,
I am pretty much new to this world of PacketFence. I am
testing this using a Cisco Catalyst 3550 with the latest IOS
available.
I created my registration, isolation and normal VLANs on
both the PF server interface and Switch.
I added this switch on PF using the parameters specified
in the official documentation, and also set up the switch using
the 3550 (802.1X with MAB) configuration.
Created a source for Active Directory authentication.
I set up one of the ports on the switch with the
parameters for the registration VLAN; the PC (Windows 10)
automatically acquired an IP address from this subnet, so
when I opened the browser it forced me to authenticate, so I
put in my AD credentials and got authenticated.
When I connect the same PC to a port set up as specified
in the official documentation, the PC WILL NOT get an IP
address:
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 2
dot1x timeout reauth-period 7200
dot1x timeout tx-period 3
dot1x reauthentication
Here is the log from packetfence.log:
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.14), connection_type => WIRED_MAC_AUTH,switch_mac => (00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6, username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added role registration to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Any thoughts?
Please advise,
Vianney
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://sdm.link/zohomanageengine
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: +1.514.447.4918 *130 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)