Logs for Scenario #3:
When a registered PC is connected to another port on the switch:
Jun 29 16:55:15.889: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/38, changed state to up
Jun 29 16:55:16.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/38, changed state to up
Jun 29 16:55:24.084: %DOT1X-5-FAIL: Authentication failed for client (28d2.4408.2c68) on Interface Gi1/0/38 AuditSessionID C0A8A03B000001314410D5A5
packetfence.log:
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.59), connection_type => WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:26), mac => [28:d2:44:08:2c:68], port => 10138, username => "28d244082c68" (pf::radius::authorize)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Could not find any IP phones through discovery protocols for ifIndex 10138 (pf::Switch::getPhonesDPAtIfIndex)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Connection type is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Username was defined "28d244082c68" - returning role 'AD01' (pf::role::getRegisteredRole)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] PID: "testuser", Status: reg Returned VLAN: (undefined), Role: AD01 (pf::role::fetchRoleForNode)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.59) Added VLAN 162 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
To: [email protected]
From: [email protected]
Date: Wed, 29 Jun 2016 12:38:39 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0
Hello Vianney,
Do you have any trace on the pf side when you plug in the device?
Also, what is the output on the switch? (term mon).
Regards
Fabrice
On 2016-06-29 12:09, Vianney Amador wrote:
...also moving a registered PC to another port will not work either.
Thank you,
Vianney
From: [email protected]
To: [email protected]
Date: Wed, 29 Jun 2016 13:16:27 +0000
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0
Hi Fabrice,
It worked wonders by adding the suggested commands on my Cisco switch, I was able to register new computers on that phone switch port without issues (no more phone shutting down).
The new scenario I tested: connect another phone on the switch port where a phone was registered before. In this case the new Cisco SPA phone will not finish loading, it shows on its display: "Initializing Network"
I tried disabling and enabling the switch port without success, I noticed the switch port did not show any errors. Also I tried to pre-register the new phones' MAC addresses, but that did not help either.
Please advise.
Thank you,
Vianney
Date: Tue, 28 Jun 2016 23:41:43 +0000
From: [email protected]
To: [email protected]; [email protected]
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0
Will do, thank you!
_____________________________
From: Durand fabrice <[email protected]>
Sent: Tuesday, June 28, 2016 7:36 PM
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0
To: <[email protected]>
Hi Vianney,
I am sure it will work, also you can add "authentication mac-move permit" in global configuration.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/command_reference/b_sec_152ex_2960-x_cr/b_sec_152ex_2960-x_cr_chapter_010.html#wp1977723595
Regards
Fabrice
On 2016-06-28 18:48, Vianney Amador wrote:
Hi Fabrice,
Your suggestion makes sense, I will give it a shot tomorrow.
According to the Cisco documentation:
This example shows how to configure an 802.1x-enabled port to remove the current session and initiate authentication with a new device when it connects to the port:
Switch(config-if)# authentication violation replace
I will keep you posted.
Thank you,
Vianney
To: [email protected]
From: [email protected]
Date: Tue, 28 Jun 2016 18:30:34 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S - Packetfence 6.1.0
Hi Vianney,
The issue is on the switch side, not on the PacketFence side.
Add that to your switch port config:
authentication violation replace
Regards
Fabrice
On 2016-06-28 16:37, Vianney Amador wrote:
Hi guys,
I just added a Cisco Catalyst 2960-S (running latest IOS version) to my test environment using 802.1X with MAC Authentication bypass (MultiDomain) following the Packetfence official documentation.
I hooked up a Voice-IP phone (Cisco SPA514) on a switch port, the phone was successfully registered on my voice VLAN, then I hooked up a PC on the phone's switch port, went thru the registration process and got it successfully registered on my production VLAN.
Everything was working as expected, until I decided to connect another PC (never registered before) to the phone's switch port....the phone went completely off, then I checked the switch port status, here is the result:
GigabitEthernet1/0/37 is down, line protocol is down (err-disabled)

Port      Name  Status        Vlan  Duplex  Speed  Type
Gi1/0/37        err-disabled  162   auto    auto   10/100/1000BaseTX

I re-plugged the phone to the switch port, but it did not help at all, then I ran "shutdown" on the interface and then "no shutdown", then everything went back to normal and I was able to register this new PC.
I was able to reproduce this issue twice.
I tested with both de-auth methods: SNMP and RADIUS.
Anything showed up on the packetfence.log
Here is my switch config on the device and Packetfence:
[192.168.1.59]
description=SWITCH03
group=Cisco_Catalyst_2960
[group Cisco_Catalyst_2960]
RoleMap=N
mode=production
AD01Vlan=162
SNMPCommunityRead=SNMPpass
useCoA=Y
SNMPCommunityWrite=SNMPpass
VoIPCDPDetect=N
deauthMethod=RADIUS
VoIPDHCPDetect=Y
AccessListMap=N
description=Switch _01
type=Cisco::Catalyst_2960
VoIPLLDPDetect=N
VoIPEnabled=Y
isolationVlan=360
radiusSecret=StrongRadius
UrlMap=N
registrationVlan=260
voiceVlan=20
-----------------------------------------------------------------------------------------------------------------
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius server pfnac
 address ipv4 192.168.1.31 auth-port 1812 acct-port 1813
 automate-tester username dummy ignore-acct-port idle-time 3
 key 0 StrongRadius
radius-server vsa send authentication
aaa server radius dynamic-author
 client StrongRadius server-key StrongRadius
 port 3799
snmp-server community SNMPpass RO
snmp-server community SNMPpass RW
switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
Any thoughts?
Thank you.
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
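
Added example (not part of the original thread): a small Python correlator that joins the switch syslog and packetfence.log entries for Scenario #3 on the client MAC, so a switch-side failure can be read next to the decision PacketFence returned for the same device. The function names are hypothetical and the sample input is constructed by abridging the log lines quoted at the top of the thread.

```python
import re
from collections import defaultdict

# Constructed sample input, abridged from the log lines quoted in this thread.
SWITCH_LOG = """\
Jun 29 16:55:15.889: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/38, changed state to up
Jun 29 16:55:24.084: %DOT1X-5-FAIL: Authentication failed for client (28d2.4408.2c68) on Interface Gi1/0/38 AuditSessionID C0A8A03B000001314410D5A5
"""
PF_LOG = """\
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] handling radius autz request: from switch_ip => (192.168.1.59), connection_type => WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:26), mac => [28:d2:44:08:2c:68], port => 10138, username => "28d244082c68" (pf::radius::authorize)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.59) Added VLAN 162 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# Hypothetical patterns; they cover only the message formats shown in the thread.
SW_FAIL = re.compile(r"%DOT1X-5-FAIL: Authentication failed for client \(([0-9a-f.]+)\) on Interface (\S+)")
PF_REQ = re.compile(r"\[mac:([0-9a-f:]+)\] handling radius autz request:.*connection_type => (\w+)")
PF_VLAN = re.compile(r"\[mac:([0-9a-f:]+)\] \(([\d.]+)\) Added VLAN (\d+) to the returned RADIUS Access-Accept")

def norm_mac(raw):
    """Reduce Cisco dotted, colon-separated or bare-hex MACs to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def correlate(switch_log, pf_log):
    """Join switch-side failures with PacketFence decisions, keyed by normalized MAC."""
    # The two logs in the thread are about four hours apart (16:55 vs 12:54),
    # so the join key is the MAC address, not the timestamp.
    out = defaultdict(lambda: {"switch_fail": [], "pf_conn": [], "pf_vlan": []})
    for line in switch_log.splitlines():
        m = SW_FAIL.search(line)
        if m:
            out[norm_mac(m.group(1))]["switch_fail"].append(m.group(2))
    for line in pf_log.splitlines():
        m = PF_REQ.search(line)
        if m:
            out[norm_mac(m.group(1))]["pf_conn"].append(m.group(2))
        m = PF_VLAN.search(line)
        if m:
            out[norm_mac(m.group(1))]["pf_vlan"].append(int(m.group(3)))
    return dict(out)

def accepted_but_failed(report):
    """MACs for which the switch logged a failure although PacketFence sent an Access-Accept."""
    return sorted(mac for mac, r in report.items() if r["switch_fail"] and r["pf_vlan"])
```

On the sample above, the one client appears on both sides: a DOT1X failure on Gi1/0/38 at the switch and a WIRED_MAC_AUTH request answered with VLAN 162 by PacketFence.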