Vianney,
Did you configure your IP helpers?
Try looking at the following section:
https://packetfence.org/doc/PacketFence_Administration_Guide.html#_production_dhcp_access
(12.9.1 particularly); that should do the trick for your issue.
Thanks
On 06/17/2016 11:31 AM, Vianney Amador wrote:
Hi Antoine,
Thanks for your prompt response.
VLAN 260 is my Registration VLAN, and the VLAN 162 is my production
VLAN (DHCP provided by my DC).
Removing "role mapping by switch role" from the Switch configuration
on PF did the trick: the PC is assigned an IP from the registration
VLAN DHCP and opens the browser for authentication.
Once my AD credentials are entered, the PF shows this on the browser:
Enabling network access.
Then it shows: Unable to detect network connectivity. Try restarting
your browser or opening a new tab to see if your access has been
successfully granted.
Here is the packetfence.log for this matter:
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:unknown] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] is
currentlog connected at (192.168.1.14) ifIndex 12 registration
(pf::enforcement::_should_we_reassign_vlan)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Connection type is WIRED_MAC_AUTH. Getting role from node_info
(pf::role::getRegisteredRole)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Username was defined "28d244082c68" - returning role 'NL_Employees'
(pf::role::getRegisteredRole)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] PID:
"testuser1", Status: reg Returned VLAN: (undefined), Role:
NL_Employees (pf::role::fetchRoleForNode)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] VLAN
reassignment required (current VLAN = 260 but should be in VLAN 162)
(pf::enforcement::_should_we_reassign_vlan)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
switch port is (192.168.1.14) ifIndex 12 connection type: Wired MAC
Auth (pf::enforcement::_vlan_reevaluation)
Jun 17 11:21:27 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:28 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:29 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:29 httpd.portal(3326) INFO: [mac:28:d2:44:08:2c:68]
Dealing with a endpoint / browser with captive-portal detection
capabilities while having a self-signed SSL certificate. Using HTTP
instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:21:29 httpd.portal(3326) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:30 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68]
Dealing with a endpoint / browser with captive-portal detection
capabilities while having a self-signed SSL certificate. Using HTTP
instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:21:30 httpd.portal(3268) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:38 httpd.portal(3326) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:48 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:58 httpd.portal(3140) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:21:59 httpd.portal(3144) INFO: [mac:28:d2:44:08:2c:68]
Dealing with a endpoint / browser with captive-portal detection
capabilities while having a self-signed SSL certificate. Using HTTP
instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:21:59 httpd.portal(3144) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique)
Jun 17 11:22:00 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68]
Dealing with a endpoint / browser with captive-portal detection
capabilities while having a self-signed SSL certificate. Using HTTP
instead of HTTPS (pf::web::dispatcher::handler)
Jun 17 11:22:00 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68]
Instantiate a new iptables modification method. pf::ipset
(pf::inline::get_technique).
If the Ethernet cable from the PC is unplugged and then plugged back in,
or if its NIC is disabled/enabled in Windows, then the PC is granted
access to my production VLAN (162).
Is this the expected behavior? If not, could you please help me out
with this?
Thank you!
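A small triage script, added here and not part of the thread or of PacketFence's own tooling, that pairs each "VLAN reassignment required" decision in packetfence.log with a later RADIUS Access-Accept carrying the target VLAN for the same MAC; a decision with no matching Access-Accept inside a grace window is the pattern above (PacketFence decided on VLAN 162, but the switch never re-authenticated the port, so the client stayed on VLAN 260 until the cable was bounced). The sample entries are condensed from the thread's log excerpts onto single lines; the "healthy" follow-up entry and the 30-second grace window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: entries from the thread's packetfence.log, each condensed onto one line.
STUCK_LOG = """\
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 11:21:25 httpd.portal(3147) INFO: [mac:28:d2:44:08:2c:68] VLAN reassignment required (current VLAN = 260 but should be in VLAN 162) (pf::enforcement::_should_we_reassign_vlan)
Jun 17 11:22:00 httpd.portal(3142) INFO: [mac:28:d2:44:08:2c:68] Instantiate a new iptables modification method. pf::ipset (pf::inline::get_technique)
"""
# Constructed (hypothetical) follow-up: a re-authentication that returns the target VLAN.
HEALTHY_LOG = STUCK_LOG + (
    "Jun 17 11:21:31 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.14) "
    "Added VLAN 162 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ INFO: "
    r"\[mac:(?P<mac>[0-9a-f:]{17}|unknown)\] (?P<msg>.*)$"
)
REASSIGN_RE = re.compile(r"VLAN reassignment required \(current VLAN = (\d+) but should be in VLAN (\d+)\)")
ACCEPT_RE = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")


def find_stuck_reassignments(log_text, grace_seconds=30):
    """Return (mac, current_vlan, target_vlan) for every reassignment decision that
    is not followed, within grace_seconds, by a RADIUS Access-Accept carrying the
    target VLAN for the same MAC. grace_seconds=30 is an assumed value."""
    decisions = []               # (timestamp, mac, current_vlan, target_vlan)
    accepts = defaultdict(list)  # mac -> [(timestamp, vlan returned to the switch)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pf log entry in the shape we care about
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        if r := REASSIGN_RE.search(m["msg"]):
            decisions.append((ts, m["mac"], int(r[1]), int(r[2])))
        elif a := ACCEPT_RE.search(m["msg"]):
            accepts[m["mac"]].append((ts, int(a[1])))
    stuck = []
    for ts, mac, current, target in decisions:
        applied = any(vlan == target and 0 <= (t - ts).total_seconds() <= grace_seconds
                      for t, vlan in accepts[mac])
        if not applied:
            stuck.append((mac, current, target))
    return stuck

if __name__ == "__main__":
    print(find_stuck_reassignments(STUCK_LOG))    # [('28:d2:44:08:2c:68', 260, 162)]
    print(find_stuck_reassignments(HEALTHY_LOG))  # []
```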
------------------------------------------------------------------------
To: [email protected]
From: [email protected]
Date: Fri, 17 Jun 2016 10:20:23 -0400
Subject: Re: [PacketFence-users] Cisco Catalyst 3550 - Registration VLAN
Hello Vianney,
First check your switch configuration (Roles tab): at the moment you
have both switch by role and switch by VLAN selected; you should remove
"role mapping by switch role".
PacketFence seems to answer to the switch RADIUS request properly.
Is VLAN 260 your production VLAN? If yes, is it spanned to this port?
Remember that PacketFence IS NOT a DHCP server on your production
VLAN, we assume that you have your own server for that.
Thank you
On 06/17/2016 09:38 AM, Vianney Amador wrote:
Hi guys,
I am pretty new to the world of PacketFence; I am testing it using
a Cisco Catalyst 3550 with the latest IOS available.
I created my registration, isolation and normal VLANs on both the
PF server interface and Switch.
I added this switch on PF using the parameters specified on the
official documentation, also set up the switch using the 3550
(802.1x with MAB) configuration.
Created a source for Active Directory authentication.
I set up one of the ports on the switch with the parameters for the
registration VLAN; the PC (Windows 10) automatically acquired an
IP address from this subnet, so when I opened the browser it forced
me to authenticate. I put in my AD credentials and got
authenticated.
When I connect the same PC to a port set up as specified in the
official documentation, the PC WILL NOT get an IP address:
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode protect
dot1x timeout quiet-period 2
dot1x timeout reauth-period 7200
dot1x timeout tx-period 3
dot1x reauthentication
Here is the log from packetfence.log:
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
handling radius autz request: from switch_ip => (192.168.1.14),
connection_type => WIRED_MAC_AUTH,switch_mac =>
(00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6,
username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is
of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:05 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added role registration to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
handling radius autz request: from switch_ip => (192.168.1.14),
connection_type => WIRED_MAC_AUTH,switch_mac =>
(00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6,
username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is
of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:20 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added role registration to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
handling radius autz request: from switch_ip => (192.168.1.14),
connection_type => WIRED_MAC_AUTH,switch_mac =>
(00:11:92:b1:81:86), mac => [28:d2:44:08:2c:68], port => 6,
username => "28d244082c68" (pf::radius::authorize)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68] is
of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added VLAN 260 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Jun 17 09:50:29 httpd.aaa(2249) INFO: [mac:28:d2:44:08:2c:68]
(192.168.1.14) Added role registration to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)
Any thoughts?
Please advise,
Vianney
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning
reports.http://sdm.link/zohomanageengine
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] <mailto:[email protected]> :: +1.514.447.4918 *130
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu>) and
PacketFence (www.packetfence.org <http://www.packetfence.org>)