Hello Vianney,
Do you have any trace on the pf side when you plug in the device?
Also, what is the output on the switch? (term mon).
Regards
Fabrice
On 2016-06-29 12:09, Vianney Amador wrote:
...also moving a registered PC to another port will not work either.
Thank you,
Vianney
------------------------------------------------------------------------
From: [email protected]
To: [email protected]
Date: Wed, 29 Jun 2016 13:16:27 +0000
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S
- Packetfence 6.1.0
Hi Fabrice,
It worked wonders by adding the suggested commands on my Cisco switch,
I was able to register new computers on that phone switch port without
issues (no more phone shutting down).
_The new scenario I tested_: connect another phone on the switch port
where a phone was registered before. In this case the new Cisco SPA
phone will not finish loading, it shows on its display: "Initializing
Network"
I tried disabling and enabling the switch port without success, I
noticed the switch port did not show any errors. Also I tried to
pre-register the new phones' mac addresses, but that did not help either.
Please advise.
Thank you,
Vianney
------------------------------------------------------------------------
Date: Tue, 28 Jun 2016 23:41:43 +0000
From: [email protected]
To: [email protected];
[email protected]
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S
- Packetfence 6.1.0
Will do, thank you!
_____________________________
From: Durand fabrice <[email protected] <mailto:[email protected]>>
Sent: Tuesday, June 28, 2016 7:36 PM
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S
- Packetfence 6.1.0
To: <[email protected]
<mailto:[email protected]>>
Hi Vianney,
I am sure it will work; also, you can add "authentication mac-move
permit" in global configuration.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/command_reference/b_sec_152ex_2960-x_cr/b_sec_152ex_2960-x_cr_chapter_010.html#wp1977723595
Regards
Fabrice
On 2016-06-28 18:48, Vianney Amador wrote:
Hi Fabrice,
Your suggestion makes sense, I will give it a shot tomorrow.
According to the Cisco documentation:
This example shows how to configure an 802.1x-enabled port to
remove the current session and initiate authentication with a new
device when it connects to the port:
Switch(config-if)# authentication violation replace
I will keep you posted.
Thank you,
Vianney
------------------------------------------------------------------------
To: [email protected]
<mailto:[email protected]>
From: [email protected] <mailto:[email protected]>
Date: Tue, 28 Jun 2016 18:30:34 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst
2960-S - Packetfence 6.1.0
Hi Vianney,
The issue is on the switch side, not on the PacketFence side.
Add that to your switch port config: authentication violation replace
Regards
Fabrice
On 2016-06-28 16:37, Vianney Amador wrote:
Hi guys,
I just added a Cisco Catalyst 2960-S (running latest IOS
version) to my test environment using 802.1X with MAC
Authentication bypass (MultiDomain) following the Packetfence
official documentation.
I hooked up a Voice-IP phone (Cisco SPA514) on a switch
port, the phone was successfully registered on my voice VLAN,
then I hooked up a PC on the phone's switch port, went thru
the registration process and got it successfully registered on
my production VLAN.
Everything was working as expected, until I decided to connect
another PC (never registered before) to the phone's switch
port....the phone went completely off, then I checked the
switch port status, here is the result:
GigabitEthernet1/0/37 is down, line protocol is down (err-disabled)

Port      Name  Status        Vlan  Duplex  Speed  Type
Gi1/0/37        err-disabled  162   auto    auto   10/100/1000BaseTX
I re-plugged the phone to the switch port, but it did not help
at all, then I ran "shutdown" on the interface and then "no
shutdown", then everything went back to normal and I was able
to register this new PC.
I was able to reproduce this issue twice.
I tested with both de-auth methods: SNMP and RADIUS.
Anything showed up on the packetfence.log
Here is my switch config on the device and Packetfence:
[192.168.1.59]
description=SWITCH03
group=Cisco_Catalyst_2960
[group Cisco_Catalyst_2960]
RoleMap=N
mode=production
AD01Vlan=162
SNMPCommunityRead=SNMPpass
useCoA=Y
SNMPCommunityWrite=SNMPpass
VoIPCDPDetect=N
deauthMethod=RADIUS
VoIPDHCPDetect=Y
AccessListMap=N
description=Switch _01
type=Cisco::Catalyst_2960
VoIPLLDPDetect=N
VoIPEnabled=Y
isolationVlan=360
radiusSecret=StrongRadius
UrlMap=N
registrationVlan=260
voiceVlan=20
-----------------------------------------------------------------------------------------------------------------
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius server pfnac
 address ipv4 192.168.1.31 auth-port 1812 acct-port 1813
 automate-tester username dummy ignore-acct-port idle-time 3
 key 0 StrongRadius
radius-server vsa send authentication
aaa server radius dynamic-author
 client StrongRadius server-key StrongRadius
 port 3799
snmp-server community SNMPpass RO
snmp-server community SNMPpass RW
switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
Any thoughts?
Thank you.
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
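
A small config check for the two switch-side settings suggested in this thread, as an added example that is not part of the original messages or of PacketFence's code. The sample config is constructed, `parse_config` and `audit` are hypothetical helper names, and the check assumes the IOS default violation action (shutdown) applies when a port has no `authentication violation` line.

```python
import re

# Constructed sample modelled on the port config quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/37
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication port-control auto
 mab
!
interface GigabitEthernet1/0/38
 authentication host-mode multi-domain
 authentication port-control auto
 authentication violation replace
!
"""

def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None and line:
            current.append(line)          # indented line belongs to the interface
        else:
            current = None                # "!" or a global command ends the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Flag 802.1X/MAB ports not set to 'replace' and a missing global mac-move."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        if "authentication port-control auto" not in lines:
            continue  # port is not under 802.1X/MAB control
        # Assumption: with no explicit line, IOS uses its default action, shutdown.
        mode = next((l.split()[-1] for l in lines
                     if l.startswith("authentication violation ")), "shutdown")
        if mode != "replace":
            findings.append(f"{name}: violation action is '{mode}'")
    if "authentication mac-move permit" not in global_lines:
        findings.append("global: authentication mac-move permit is missing")
    return findings
```

Run `audit()` over a saved `show running-config` before rolling the port template out to more switches.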