Will do, thank you!

_____________________________
From: Durand fabrice <[email protected]>
Sent: Tuesday, June 28, 2016 7:36 PM
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0
To: <[email protected]>


Hi Vianney,

I am sure it will work; you can also add "authentication mac-move permit" in global configuration.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/command_reference/b_sec_152ex_2960-x_cr/b_sec_152ex_2960-x_cr_chapter_010.html#wp1977723595

Regards
Fabrice
    
    
On 2016-06-28 18:48, Vianney Amador wrote:

Hi Fabrice,

Your suggestion makes sense, I will give it a shot tomorrow.

According to the Cisco documentation:

This example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:

Switch(config-if)# authentication violation replace

I will keep you posted.

Thank you,
Vianney

To: [email protected]
From: [email protected]
Date: Tue, 28 Jun 2016 18:30:34 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0

Hi Vianney,

The issue is on the switch side, not on the PacketFence side.

Add that to your switch port config: authentication violation replace

Regards
Fabrice
            
            
On 2016-06-28 16:37, Vianney Amador wrote:

Hi guys,

I just added a Cisco Catalyst 2960-S (running latest IOS version) to my test environment using 802.1X with MAC Authentication bypass (Multi-Domain) following the Packetfence official documentation.

I hooked up a Voice-IP phone (Cisco SPA514) on a switch port, the phone was successfully registered on my voice VLAN, then I hooked up a PC on the phone's switch port, went thru the registration process and got it successfully registered on my production VLAN.

Everything was working as expected, until I decided to connect another PC (never registered before) to the phone's switch port....the phone went completely off, then I checked the switch port status, here is the result:

GigabitEthernet1/0/37 is down, line protocol is down (err-disabled)

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/37                     err-disabled 162          auto   auto 10/100/1000BaseTX

I re-plugged the phone to the switch port, but it did not help at all, then I ran "shutdown" on the interface and then "no shutdown", then everything went back to normal and I was able to register this new PC.

I was able to reproduce this issue twice.

I tested with both de-auth methods: SNMP and RADIUS.

Anything showed up on the packetfence.log

Here is my switch config on the device and Packetfence:

[192.168.1.59]
description=SWITCH03
group=Cisco_Catalyst_2960

[group Cisco_Catalyst_2960]
RoleMap=N
mode=production
AD01Vlan=162
SNMPCommunityRead=SNMPpass
useCoA=Y
SNMPCommunityWrite=SNMPpass
VoIPCDPDetect=N
deauthMethod=RADIUS
VoIPDHCPDetect=Y
AccessListMap=N
description=Switch _01
type=Cisco::Catalyst_2960
VoIPLLDPDetect=N
VoIPEnabled=Y
isolationVlan=360
radiusSecret=StrongRadius
UrlMap=N
registrationVlan=260
voiceVlan=20

-----------------------------------------------------------------------------------------------------------------

dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence

radius server pfnac
 address ipv4 192.168.1.31 auth-port 1812 acct-port 1813
 automate-tester username dummy ignore-acct-port idle-time 3
 key 0 StrongRadius

radius-server vsa send authentication

aaa server radius dynamic-author
 client StrongRadius server-key StrongRadius
 port 3799

snmp-server community SNMPpass RO
snmp-server community SNMPpass RW

switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast

Any thoughts?
Thank you.
                                
                                
                                
                                
                                            
                            
              
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
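
A configuration check for the fix discussed in this thread, as an added example that is not part of the original messages or of PacketFence: it parses IOS-style interface blocks and reports the effective violation action on each authenticated port, so ports still on the default (shutdown, which err-disables the port) can be found before a second device is plugged in. The sample config is constructed from the port settings quoted above; the interface lines, Gi1/0/38 and Gi1/0/48 are hypothetical.

```python
import re

# Constructed sample: port settings from the thread (abridged) under an assumed
# interface name, plus two hypothetical ports for comparison.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/37
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/38
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation replace
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_violation_mode(config):
    """Map each 802.1X/MAB port to its effective violation action."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port does not authenticate clients
        modes = [c.split()[-1] for c in cmds if c.startswith("authentication violation ")]
        # With no explicit command IOS applies "shutdown" (the err-disable in the thread).
        report[name] = modes[-1] if modes else "shutdown"
    return report

if __name__ == "__main__":
    for port, mode in audit_violation_mode(SAMPLE_CONFIG).items():
        print(port, mode, "(err-disables on an extra device)" if mode == "shutdown" else "")
```
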
                        
            
            