Thanks a lot for your outstanding support!
From: Durand fabrice <[email protected]>
Reply-To: <[email protected]>
Date: Thursday, July 7, 2016 at 7:35 PM
To: <[email protected]>
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
yes
https://github.com/inverse-inc/packetfence/commit/7208c4a266de3812d8bc8b9d46149f810fce5f6c
Le 2016-07-07 16:47, Vianney Amador a écrit :
Are you guys including this fix on the next build?
To: [email protected]
From: [email protected]
Date: Thu, 7 Jul 2016 10:48:10 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
In fact just the name of the phone.
On the other switches did you plug the same sort phone ?
Le 2016-07-07 10:41, Vianney Amador a écrit :
That made the trick, now the Cisco SPA514G are registered successfully!!! ;-)
So what was the root cause of this issue with this particular model?
Please advise,
Vianney
To: [email protected]
From: [email protected]
Date: Thu, 7 Jul 2016 09:36:40 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
patch -p1 < CDP.diff
Le 2016-07-07 09:19, Vianney Amador a écrit :
I copied the CDP.diff on /usr/local/pf, then executed "patch -p1 CDP.diff" (it
didn't give any output regarding the operation status), then restarted the PF
Services.
It didn't seem to help, the issue is still reproducible.
To: [email protected]
From: [email protected]
Date: Thu, 7 Jul 2016 08:46:42 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Ok let's try that:
cd /usr/local/pf
patch -p1 CDP.diff
bin/pfcmd service pf restart
Regards
Le 2016-07-07 08:34, Vianney Amador a écrit :
Here you go:
[root@pfnac01 ~]# snmpwalk -v 2c -c SNMPRead 192.168.1.59
1.3.6.1.4.1.9.9.23.1.2.1.1.9
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10101.13 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10102.8 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10103.12 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10107.95 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10109.14 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10110.16 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10111.3 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10112.22 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10113.109 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10114.23 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10116.86 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10120.5 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10126.11 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10128.17 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10130.10 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10131.19 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10132.7 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10133.20 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10134.21 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10137.110 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10142.6 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10145.9 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10146.18 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10147.4 = Hex-STRING: 00 00 00 90
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.9.10148.1 = Hex-STRING: 00 00 00 29
To: [email protected]
From: [email protected]
Date: Thu, 7 Jul 2016 08:19:23 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Hello Vianney,
and what about 1.3.6.1.4.1.9.9.23.1.2.1.1.9 ?
Regards
Fabrice
Le 2016-07-07 08:08, Vianney Amador a écrit :
Good morning Fabrice,
Here is the output for the port 37 where the phone is hooked up:
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10137.110 = STRING: "SIPA4934CFFDED9"
The line 1376 on the Cisco.pm looks the same as the one below.
Thank you,
Vianney
To: [email protected]
From: [email protected]
Date: Wed, 6 Jul 2016 21:11:16 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Ok, also check in Cisco.pm line 1376 =~
/^SEP([0-9A-Z]{2})([0-9A-Z]{2})([0-9A-Z]{2})([0-9A-Z]{2})([0-9A-Z]{2})([0-9A-Z]{2})$/i
you can see that SEP =! SIP
Regards
Fabrice
Le 2016-07-06 21:07, Vianney Amador a écrit :
You are right, there's nothing on that port 37 right now.
I am out of the office at the moment, I will get back to you tomorrow first
thing in the morning.
Regard,
Vianney
To: [email protected]
From: [email protected]
Date: Wed, 6 Jul 2016 20:55:22 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Looks like there is nothing on the 10137 ?
So let's say you plug something on the port 10102 do the same snmpwalk request
and this one too 1.3.6.1.4.1.9.9.23.1.2.1.1.9
And paste me the result.
Regards
Fabrice
Le 2016-07-06 20:48, Vianney Amador a écrit :
Hello,
Here is the output, I wonder this is what you asked for, otherwise let me know:
[root@pfnac01 ~]# snmpwalk -v 2c -c SNMPRead 192.168.1.59
1.3.6.1.4.1.9.9.23.1.2.1.1.6
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10102.8 = STRING: "SIP001646682EAC"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10103.12 = STRING: "SIPCCEF485D2305"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10107.95 = STRING: "SIPA4934CFFB83A"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10109.14 = STRING: "SIPCCEF485E75F3"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10110.16 = STRING: "SIP10BD18AE4A90"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10111.3 = STRING: "SIP000E08DC5488"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10112.22 = STRING: "SIPA4934CFFDE6B"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10113.104 = STRING: "SIP000E08DE04C2"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10114.23 = STRING: "SIP10BD18AE4AA5"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10116.86 = STRING: "SIP10BD18AEA7C0"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10120.5 = STRING: "SIP00112189D21D"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10126.11 = STRING: "SIPCCEF485D23A8"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10128.17 = STRING: "SIPA4934CFFDF96"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10130.10 = STRING: "SIPCCEF485D235F"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10131.19 = STRING: "SIP10BD18AE70AD"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10132.7 = STRING: "SIP001121F1207D"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10133.20 = STRING: "SIPA4934CFFB844"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10134.21 = STRING: "SIPA4934CFF61B3"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10142.6 = STRING: "SIP001646682E82"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10145.9 = STRING: "SIP0011219E5A52"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10146.18 = STRING: "SIP10BD18AE7031"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10147.4 = STRING: "SIP000E08D4BE4C"
SNMPv2-SMI::enterprises.9.9.23.1.2.1.1.6.10148.1 = STRING: "CORESW01"
Thank you,
Vianney
To: [email protected]
From: [email protected]
Date: Wed, 6 Jul 2016 19:51:05 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
It look like when we try to know if the device is a voip packetfence is too
quick.
Can you try a snmpwalk on 1.3.6.1.4.1.9.9.23.1.2.1.1.6 oid.
Regards
Fabrice
Le 2016-07-06 15:17, Vianney Amador a écrit :
I would appreciate any assistance with this issue please.
Anyone?
From: [email protected]
To: [email protected]
Subject: RE: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Date: Tue, 5 Jul 2016 17:58:33 +0000
Hi Fabrice,
After further research I found out there is something funny going on with the
way this particular Cisco SPA514G model is being categorized by PF, this is the
only model I was testing with when I sent this email out.
Cisco SPA942 (legacy model) : Mac Address: 00:0e:08:dc:54:8d ===> working
perfectly
Cisco SPA504G (legacy model) : Mac Address: cc:ef:48:5d:95:68 ===> working
perfectly
Cisco SPA514G (new model): Mac Address: a4:93:4c:ff:b8:3a ===> not working
You can verify this on the packetfence.log:
Jul 05 13:21:46 httpd.aaa(1856) INFO: [mac:00:0e:08:dc:54:8d] handling radius
autz request: from switch_ip => (192.168.1.59), connection_type =>
WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:25), mac => [00:0e:08:dc:54:8d],
port => 10137, username => "000e08dc548d" (pf::radius::authorize)
Jul 05 13:21:46 httpd.aaa(1856) INFO: [mac:00:0e:08:dc:54:8d] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 05 13:21:47 httpd.aaa(1856) INFO: [mac:00:0e:08:dc:54:8d] autoregister a
node that is already registered, do nothing. (pf::node::node_register)
Jul 05 13:22:25 httpd.aaa(1856) INFO: [mac:00:0e:08:dc:54:8d] handling radius
autz request: from switch_ip => (192.168.1.59), connection_type =>
WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:25), mac => [00:0e:08:dc:54:8d],
port => 10137, username => "000e08dc548d" (pf::radius::authorize)
Jul 05 13:22:25 httpd.aaa(1856) INFO: [mac:00:0e:08:dc:54:8d] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 05 13:22:25 httpd.aaa(1856) INFO: [mac:00:0e:08:dc:54:8d] autoregister a
node that is already registered, do nothing. (pf::node::node_register)
Jul 05 13:29:26 httpd.aaa(1856) INFO: [mac:cc:ef:48:5d:95:68] handling radius
autz request: from switch_ip => (192.168.1.59), connection_type =>
WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:25), mac =>
cc:ef:48:5d:95:68[cc:ef:48:5d:95:68], port => 10137, username => "ccef485d9568"
(pf::radius::authorize)
Jul 05 13:29:26 httpd.aaa(1856) INFO: [mac:cc:ef:48:5d:95:68] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 05 13:29:26 httpd.aaa(1856) INFO: [mac:cc:ef:48:5d:95:68] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 05 13:35:13 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] handling radius
autz request: from switch_ip => (192.168.1.59), connection_type =>
WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:25), mac => [a4:93:4c:ff:b8:3a],
port => 10137, username => "a4934cffb83a" (pf::radius::authorize)
Jul 05 13:35:13 httpd.aaa(1856) WARN: [mac:a4:93:4c:ff:b8:3a] SNMP get_request
for 1.3.6.1.4.1.9.9.23.1.2.1.1.6 (pf::Switch::Cisco::getPhonesCDPAtIfIndex)
Jul 05 13:35:13 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] Could not find
any IP phones through discovery protocols for ifIndex 10137
(pf::Switch::getPhonesDPAtIfIndex)
Jul 05 13:35:13 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 05 13:35:14 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] Connection type
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jul 05 13:35:14 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] Username was
defined "a4934cffb83a" - returning role 'voice' (pf::role::getRegisteredRole)
Jul 05 13:35:14 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] PID: "default",
Status: reg Returned VLAN: (undefined), Role: voice (pf::role::fetchRoleForNode)
Jul 05 13:35:14 httpd.aaa(1856) INFO: [mac:a4:93:4c:ff:b8:3a] (192.168.1.59)
Added VLAN 20 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
Also if you look into the Nodes section on the PF Webif, you will notice the
following for the SPA942 & SPA504G:
OS (DHCP): VoIP Phones/Adapters
Role: voice
But for the SPA514G: those fields are shown blank.
Please advise,
Vianney
From: [email protected]
To: [email protected]
Subject: RE: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Date: Fri, 1 Jul 2016 14:19:45 +0000
Hi again Fabrice,
I was able to resolve the issues with the PCs, at this point I am able to
register PCs by using Active Directory as a source, then I can connect any
registered PC one any port without issues, everything works as expected.
For some reason the MAB does not work with my Cisco Phones, which ironically
worked with the first phone I was testing with when I sent this email out
reporting some other issues. I have done my research and tried many different
things without success.
==> Extract form packetfence.log when a Cisco phone is connected on a port
setup for MAB w/ Multi-domain:
Jul 01 09:28:27 httpd.aaa(4139) INFO: [mac:10:bd:18:ae:a7:c0] handling radius
autz request: from switch_ip => (192.168.1.59), connection_type =>
WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:25), mac => [10:bd:18:ae:a7:c0],
port => 10137, username => "10bd18aea7c0" (pf::radius::authorize)
Jul 01 09:28:27 httpd.aaa(4139) WARN: [mac:10:bd:18:ae:a7:c0] SNMP get_request
for 1.3.6.1.4.1.9.9.23.1.2.1.1.6 (pf::Switch::Cisco::getPhonesCDPAtIfIndex)
Jul 01 09:28:27 httpd.aaa(4139) INFO: [mac:10:bd:18:ae:a7:c0] Could not find
any IP phones through discovery protocols for ifIndex 10137
(pf::Switch::getPhonesDPAtIfIndex)
Jul 01 09:28:27 httpd.aaa(4139) INFO: [mac:10:bd:18:ae:a7:c0] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jul 01 09:28:27 httpd.aaa(4139) INFO: [mac:10:bd:18:ae:a7:c0] Connection type
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jul 01 09:28:27 httpd.aaa(4139) INFO: [mac:10:bd:18:ae:a7:c0] Username was NOT
defined or unable to match a role - returning node based role ''
(pf::role::getRegisteredRole)
Jul 01 09:28:27 httpd.aaa(4139) INFO: [mac:10:bd:18:ae:a7:c0] PID: "default",
Status: reg Returned VLAN: (undefined), Role: (pf::role::fetchRoleForNode)
Jul 01 09:28:27 httpd.aaa(4139) WARN: [mac:10:bd:18:ae:a7:c0] No parameter Vlan
found in conf/switches.conf for the switch 192.168.1.59
(pf::Switch::getVlanByName)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SWITCH03#show authentication sessions ====> Only the Cisco Phone on the
Cisco Switch port
Interface MAC Address Method Domain Status Session ID
Gi1/0/37 10bd.18ae.a7c0 mab DATA Authz Success
C0A8A03B000000790265381D
SWITCH03#show authentication sessions ===> The Cisco Phone connected to the
Cisco switch port and a PC connected to the phone's switch port.
Interface MAC Address Method Domain Status Session ID
Gi1/0/37 10bd.18ae.a7c0 dot1x UNKNOWN Running
C0A8A03B0000008002721F7F
Gi1/0/37 00e0.4c68.58d4 mab DATA Authz Success
C0A8A03B0000007F0271CAA6
Also here goes the Terminal Monitor output from the switch, uploaded here since
it's a lot info:
https://app.box.com/s/thkb4qac4o3tb0jl8eb1c1rxg99esn9p
Switch configuration:
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius server pfnac
address ipv4 192.168.1.31 auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port idle-time 3
key 0 StrongRadius
radius-server vsa send authentication
authentication mac-move permit
aaa server radius dynamic-author
client 192.168.1.31 server-key StrongRadius
port 3799
snmp-server community SNMPRead RO
snmp-server community SNMPWrite RW
interface GigabitEthernet1/0/37
switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
switches.conf:
[192.168.1.59]
description=SWITCH03
group=Cisco_Catalyst_2960
VoIPCDPDetect=Y
[group Cisco_Catalyst_2960]
RoleMap=N
mode=production
NL-AD01Vlan=162
SNMPCommunityRead=SNMPRead
useCoA=Y
SNMPCommunityWrite=SNMPWrite
VoIPCDPDetect=N
deauthMethod=RADIUS
VoIPDHCPDetect=Y
AccessListMap=N
description=HQ Office
type=Cisco::Catalyst_2960
VoIPLLDPDetect=N
VoIPEnabled=Y
isolationVlan=360
radiusSecret=StrongRadius
UrlMap=N
registrationVlan=260
voiceVlan=20
What am I doing wrong?
Thank you,
Vianney
To: [email protected]
From: [email protected]
Date: Thu, 30 Jun 2016 08:03:17 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Hello Vianney,
the issue seems to be on the switch side, not on PacketFence side.
So check on the switch with debug aaa ... command.
Regards
Fabrice
Le 2016-06-30 07:09, Vianney Amador a écrit :
Hi Fabrice,
Any update on this?
Thank so much,
Vianney
From: Vianney Amador <[email protected]>
Reply-To: <[email protected]>
Date: Wednesday, June 29, 2016 at 1:04 PM
To: "[email protected]"
<[email protected]>
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Logs for Scenario #3:
When a registered PC is connected to another port on the switch:
Jun 29 16:55:15.889: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/38, changed
st
ate to up
Jun 29 16:55:16.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthe
rnet1/0/38, changed state to up
Jun 29 16:55:24.084: %DOT1X-5-FAIL: Authentication failed for client
(28d2.4408.
2c68) on Interface Gi1/0/38 AuditSessionID C0A8A03B000001314410D5A5
packetfence.log:
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] handling radius
autz request: from switch_ip => (192.168.1.59), connection_type =>
WIRED_MAC_AUTH,switch_mac => (7c:95:f3:4d:6a:26), mac => [28:d2:44:08:2c:68],
port => 10138, username => "28d244082c68" (pf::radius::authorize)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Could not find
any IP phones through discovery protocols for ifIndex 10138
(pf::Switch::getPhonesDPAtIfIndex)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Instantiate
profile default (pf::Portal::ProfileFactory::_from_profile)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Connection type
is WIRED_MAC_AUTH. Getting role from node_info (pf::role::getRegisteredRole)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] Username was
defined "28d244082c68" - returning role 'AD01' (pf::role::getRegisteredRole)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] PID: "testuser",
Status: reg Returned VLAN: (undefined), Role: AD01 (pf::role::fetchRoleForNode)
Jun 29 12:54:45 httpd.aaa(6905) INFO: [mac:28:d2:44:08:2c:68] (192.168.1.59)
Added VLAN 162 to the returned RADIUS Access-Accept
(pf::Switch::returnRadiusAccessAccept)
To: [email protected]
From: [email protected]
Date: Wed, 29 Jun 2016 12:38:39 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Hello Vianney,
do you have any trace on pf side when you plug the device ?
Also what is the output on the switch ? (term mon).
Regards
Fabrice
Le 2016-06-29 12:09, Vianney Amador a écrit :
...also moving a registered PC to another port will not work either.
Thank you,
Vianney
From: [email protected]
To: [email protected]
Date: Wed, 29 Jun 2016 13:16:27 +0000
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Hi Fabrice,
It worked wonders by adding the suggested commands on my Cisco switch, I was
able to register new computers on that phone switch port without issues (no
more phone shutting down).
The new scenario I tested: connect another phone on the switch port where a
phone was registered before. In this case the new Cisco SPA phone will not
fishing loading, it shows on its display: "Initializing Network"
I tried disabling and enabling the switch port without success, I noticed the
switch port did not show any errors. Also I tried to pre-register the new
phones' mac addresses, but that did not help either.
Please advise.
Thank you,
Vianney
Date: Tue, 28 Jun 2016 23:41:43 +0000
From: [email protected]
To: [email protected];
[email protected]
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Will do, thank you!
_____________________________
From: Durand fabrice <[email protected]>
Sent: Tuesday, June 28, 2016 7:36 PM
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
To: <[email protected]>
Hi Vianney,
i am sure it will work, also you can add " authentication mac-move permit" in
global configuration.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/command_reference/b_sec_152ex_2960-x_cr/b_sec_152ex_2960-x_cr_chapter_010.html#wp1977723595
Regards
Fabrice
Le 2016-06-28 18:48, Vianney Amador a écrit :
Hi Fabrice,
Your suggestion makes sense, I will give it a shot tomorrow.
According to the Cisco documentation:
This example shows how to configure an 802.1x-enabled port to remove the
current session and initiate authentication with a new device when it connects
to the port:
Switch(config-if)# authentication violation replace
I will keep you posted.
Thank you,
Vianney
To: [email protected]
From: [email protected]
Date: Tue, 28 Jun 2016 18:30:34 -0400
Subject: Re: [PacketFence-users] Odd behavior - Cisco Catalyst 2960-S -
Packetfence 6.1.0
Hi Vianney,
the issue is on the switch side, not in packetfence side.
Add that to your switch port config: authentication violation replace
Regards
Fabrice
Le 2016-06-28 16:37, Vianney Amador a écrit :
Hi guys,
I just added a Cisco Catalyst 2960-S (running latest IOS version) to my test
environment using 802.1X with MAC Authentication bypass (MultiDomain)
following the Packetfence official documentation.
I hooked up a Voice-IP phone (Cisco SPA514) on one a switch port, the phone was
successfully registered on my voice VLAN, then I hooked up a PC on the phone's
switch port, went thru the registration process and got it successfully
registered on my production VLAN.
Everything was working as expected, until I decided to connect another PC
(never registered before) to the phone's switch port....the phone went
completely off, then I checked the switch port status, here is the result:
GigabitEthernet1/0/37 is down, line protocol is down (err-disabled)
Port Name Status Vlan Duplex Speed Type
Gi1/0/37 err-disabled 162 auto auto
10/100/1000BaseTX
I re-plugged the phone to the switch port, but it did not help at all, then I
ran "shutdown" on the interface and then "no shutdown", then everything when
back to normal and I was able to register this new PC.
I was able to reproduce this issue twice.
I tested with both de-auth methods: SNMP and RADIUS.
Anything showed up on the packetfence.log
Here is my switch config on the device and Packetfence:
[192.168.1.59]
description=SWITCH03
group=Cisco_Catalyst_2960
[group Cisco_Catalyst_2960]
RoleMap=N
mode=production
AD01Vlan=162
SNMPCommunityRead=SNMPpass
useCoA=Y
SNMPCommunityWrite=SNMPpass
VoIPCDPDetect=N
deauthMethod=RADIUS
VoIPDHCPDetect=Y
AccessListMap=N
description=Switch _01
type=Cisco::Catalyst_2960
VoIPLLDPDetect=N
VoIPEnabled=Y
isolationVlan=360
radiusSecret=StrongRadius
UrlMap=N
registrationVlan=260
voiceVlan=20
-----------------------------------------------------------------------------------------------------------------
dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
server name pfnac
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
radius server pfnac
address ipv4 192.168.1.31 auth-port 1812 acct-port 1813
automate-tester username dummy ignore-acct-port idle-time 3
key 0 StrongRadius
radius-server vsa send authentication
aaa server radius dynamic-author
client StrongRadius server-key StrongRadius
port 3799
snmp-server community SNMPpass RO
snmp-server community SNMPpass RW
switchport mode access
switchport voice vlan 20
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
Any thoughts?
Thank you.
------------------------------------------------------------------------------Attend
Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in SanFrancisco, CA
to explore cutting-edge tech and listen to tech luminariespresent their vision
of the future. This family event has something foreveryone, including kids. Get
more information and register today.http://sdm.link/attshape
_______________________________________________PacketFence-users mailing
[email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------Attend
Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA
to explore cutting-edge tech and listen to tech luminaries present their vision
of the future. This family event has something for everyone, including kids.
Get more information and register today. http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------Attend
Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in SanFrancisco, CA
to explore cutting-edge tech and listen to tech luminariespresent their vision
of the future. This family event has something foreveryone, including kids. Get
more information and register today.http://sdm.link/attshape
_______________________________________________PacketFence-users mailing
[email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape_______________________________________________
PacketFence-users mailing list [email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________ PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape_______________________________________________
PacketFence-users mailing list [email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
