Hello Namjil,

The network config looks to be OK, but I am not sure about the AP config.

Take care with the Cisco AP without a controller; there is a caution in
the doc about that
(https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_cisco_2).

On the other hand, did you create a remote registration network in
PacketFence for the registration?

Regards

Fabrice




On 2017-01-25 at 23:41, Namjil wrote:
>
> Hello Fabrice
>
>  
>
> Thank you for your response.
>
>  
>
> Radius Audit LOG is here:
>
> ===========================================
>
>  
>
> MAC Address     34:4d:f7:4a:dc:5f
>
> Auth Status         Accept
>
> Auth Type           Accept
>
> Auto Registration             no
>
> Calling Station ID              34:4d:f7:4a:dc:5f
>
> Computer name               N/A
>
> EAP Type            
>
> Event Type          Radius-Access-Request
>
> IP Address         
>
> Is a Phone           no
>
> Node status        unreg
>
> Domain
>
> Profile   N/A
>
> Realm   null
>
> Reason
>
> Role       registration
>
> Source  N/A
>
> Stripped User Name       344df74adc5f
>
> User Name         344df74adc5f
>
> Unique ID
>
>  
>
> ===========================================
>
>  
>
> Switch ID             10.0.0.2
>
> Switch MAC        00:3a:98:1e:c6:20
>
> Switch IP Address            10.0.0.2
>
> Called Station ID               00:3a:98:1e:c6:20
>
> Connection type               Wireless-802.11-NoEAP
>
> IfIndex 296
>
> NAS identifier   
>
> NAS IP Address 10.0.0.2
>
> NAS Port              296
>
> NAS Port ID         296
>
> NAS Port Type   Wireless-802.11
>
> RADIUS Source IP Address            10.0.0.2
>
> Wi-Fi Network SSID         PacketFence-Public
>
>  
>
> ===========================================
>
>  
>
> request_time    0
>
> RADIUS Request               User-Name = "344df74adc5f"
>
> User-Password =
> "\265\230\346\224\356\"\327\340\004\031\332\337l\241\361\324"
>
> NAS-IP-Address = 10.0.0.2
>
> NAS-Port = 296
>
> Service-Type = Login-User
>
> Called-Station-Id = "00:3a:98:1e:c6:20"
>
> Calling-Station-Id = "34:4d:f7:4a:dc:5f"
>
> NAS-Port-Type = Wireless-802.11
>
> Event-Timestamp = "Jan 24 2017 23:28:46 EST"
>
> NAS-Port-Id = "296"
>
> Cisco-AVPair = "ssid=PacketFence-Public"
>
> Cisco-NAS-Port = "296"
>
> Stripped-User-Name = "344df74adc5f"
>
> Realm = "null"
>
> FreeRADIUS-Client-IP-Address = 10.0.0.2
>
> Called-Station-SSID = "PacketFence-Public"
>
> SQL-User-Name = "344df74adc5f"
>
> RADIUS Reply    Tunnel-Type = VLAN
>
> Tunnel-Private-Group-Id = "130"
>
> Tunnel-Medium-Type = IEEE-802
>
> PacketFence-Authorization-Status = "allow"
>
>  
>
> ===========================================
>
>  
>
> What do you think about my topology?
>
>  
>
> | VMware |
>
> | PFence | <--trunk--> SW <--trunk--> RTR <--trunk--> SW <--trunk--> AIR-AP1242G-E-K9
>
>  
>
> Here are my Router, Switch and AP configurations. If you need PFence
> config, I will attach next time.
>
>  
>
> PFence--SWITCH--ROUTER--SWITCH--AP config:
>
> === VMware SWITCH ===
>
> !
>
> interface TenGigabitEthernet2/2
>
> description ConnecTO_wmwarE
>
> switchport
>
> switchport trunk allowed vlan 1,140-143
>
> switchport mode trunk
>
> !
>
> interface GigabitEthernet3/3
>
> description ConnecTO_routeR
>
> switchport
>
> switchport trunk allowed vlan 1,140-143
>
> switchport mode trunk
>
>  
>
> === ROUTER ===
>
> !
>
> interface GigabitEthernet1/1.140
>
> description Packetfence_Management
>
> encapsulation dot1Q 140
>
> ip address 192.168.140.2 255.255.255.0
>
> ip nat inside
>
> !
>
> interface GigabitEthernet1/1.141
>
> description Packetfence_Registration
>
> encapsulation dot1Q 141
>
> ip address 192.168.141.2 255.255.255.0
>
> !
>
> interface GigabitEthernet1/1.142
>
> description Packetfence_Isolation
>
> encapsulation dot1Q 142
>
> ip address 192.168.142.2 255.255.255.0
>
> !
>
> interface GigabitEthernet1/7
>
> description Manage_Aironet1142
>
> ip address 10.0.0.1 255.255.255.240
>
> !
>
> interface GigabitEthernet1/7.130
>
> description C3750_Registration
>
> encapsulation dot1Q 130
>
> ip address 192.168.130.1 255.255.255.0
>
> ip helper-address 192.168.141.1
>
> !
>
> interface GigabitEthernet1/7.131
>
> description C3750_Isolation
>
> encapsulation dot1Q 131
>
> ip address 192.168.131.1 255.255.255.0
>
> ip helper-address 192.168.142.1
>
>  
>
> === AP SWITCH ===
>
> !
>
> interface GigabitEthernet1/0/2
>
> description ConnecTO_routeR
>
> switchport trunk encapsulation dot1q
>
> switchport trunk allowed vlan 1,130-132
>
> switchport mode trunk
>
> !
>
> interface FastEthernet1/0/20
>
> description ConnectTO_Aironet1142
>
> switchport trunk encapsulation dot1q
>
> switchport trunk allowed vlan 1,130-132
>
> switchport mode trunk
>
> no cdp enable
>
>  
>
> === AIR-AP1242G-E-K9 ===
>
> !
>
> ap#sh run
>
> Building configuration...
>
>  
>
> Current configuration : 5801 bytes
>
> !
>
> version 12.4
>
> no service pad
>
> !
>
> aaa new-model
>
> !
>
> !
>
> aaa group server radius rad_eap
>
> server 192.168.140.1 auth-port 1812 acct-port 1813
>
> !
>
> aaa group server radius rad_mac
>
> server 192.168.140.1 auth-port 1812 acct-port 1813
>
> !
>
> aaa authentication login mac_methods group rad_mac
>
> aaa authentication login eap_methods group rad_eap
>
> !
>
> aaa session-id common
>
> ip name-server 192.168.120.51
>
> !
>
> !
>
> dot11 mbssid
>
> dot11 syslog
>
> dot11 vlan-name guest vlan 132
>
> dot11 vlan-name isolation vlan 131
>
> dot11 vlan-name normal vlan 1
>
> dot11 vlan-name registration vlan 130
>
> !
>
> dot11 ssid PacketFence-Public
>
>    vlan 131 backup guest
>
>    authentication open mac-address mac_methods
>
>    mbssid guest-mode
>
> !
>
> dot11 ssid PacketFence-Secure
>
>    vlan 130 backup normal
>
>    authentication open eap eap_methods
>
>    authentication key-management wpa
>
> !
>
> interface Dot11Radio0
>
> no ip address
>
> no ip route-cache
>
> !
>
> encryption vlan 1 mode ciphers aes-ccm
>
> !
>
> encryption vlan 130 mode ciphers aes-ccm
>
> !
>
> ssid PacketFence-Public
>
> !
>
> ssid PacketFence-Secure
>
> !
>
> station-role root
>
> !
>
> interface Dot11Radio0.1
>
> encapsulation dot1Q 1 native
>
> no ip route-cache
>
> bridge-group 1
>
> bridge-group 1 subscriber-loop-control
>
> bridge-group 1 block-unknown-source
>
> no bridge-group 1 source-learning
>
> no bridge-group 1 unicast-flooding
>
> bridge-group 1 spanning-disabled
>
> !
>
> interface Dot11Radio0.130
>
> encapsulation dot1Q 130
>
> no ip route-cache
>
> bridge-group 130
>
> bridge-group 130 subscriber-loop-control
>
> bridge-group 130 block-unknown-source
>
> no bridge-group 130 source-learning
>
> no bridge-group 130 unicast-flooding
>
> bridge-group 130 spanning-disabled
>
> !
>
> interface Dot11Radio0.131
>
> encapsulation dot1Q 131
>
> no ip route-cache
>
> bridge-group 131
>
> bridge-group 131 subscriber-loop-control
>
> bridge-group 131 block-unknown-source
>
> no bridge-group 131 source-learning
>
> no bridge-group 131 unicast-flooding
>
> bridge-group 131 spanning-disabled
>
> !
>
> interface Dot11Radio0.132
>
> encapsulation dot1Q 132
>
> no ip route-cache
>
> bridge-group 132
>
> bridge-group 132 subscriber-loop-control
>
> bridge-group 132 block-unknown-source
>
> no bridge-group 132 source-learning
>
> no bridge-group 132 unicast-flooding
>
> bridge-group 132 spanning-disabled
>
> !
>
> interface FastEthernet0
>
> no ip address
>
> no ip route-cache
>
> duplex auto
>
> speed auto
>
> !
>
> interface FastEthernet0.1
>
> encapsulation dot1Q 1 native
>
> no ip route-cache
>
> bridge-group 1
>
> no bridge-group 1 source-learning
>
> bridge-group 1 spanning-disabled
>
> !
>
> interface FastEthernet0.130
>
> encapsulation dot1Q 130
>
> no ip route-cache
>
> bridge-group 130
>
> no bridge-group 130 source-learning
>
> bridge-group 130 spanning-disabled
>
> !
>
> interface FastEthernet0.131
>
> encapsulation dot1Q 131
>
> no ip route-cache
>
> bridge-group 131
>
> no bridge-group 131 source-learning
>
> bridge-group 131 spanning-disabled
>
> !
>
> interface FastEthernet0.132
>
> encapsulation dot1Q 132
>
> no ip route-cache
>
> bridge-group 132
>
> no bridge-group 132 source-learning
>
> bridge-group 132 spanning-disabled
>
> !
>
> interface BVI1
>
> ip address 10.0.0.2 255.255.255.240
>
> no ip route-cache
>
> !
>
> ip default-gateway 10.0.0.1
>
> ip http server
>
> ip http authentication aaa
>
> ip http secure-server
>
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
>
> snmp-server community public RO
>
> snmp-server community private RW
>
> snmp-server trap link ietf
>
> snmp-server enable traps snmp authentication
>
> snmp-server enable traps disassociate
>
> snmp-server enable traps deauthenticate
>
> snmp-server enable traps authenticate-fail
>
> snmp-server enable traps dot11-qos
>
> snmp-server enable traps switch-over
>
> snmp-server enable traps rogue-ap
>
> snmp-server enable traps wlan-wep
>
> snmp-server enable traps config-copy
>
> snmp-server enable traps config
>
> snmp-server enable traps aaa_server
>
> snmp-server host 192.168.140.1 version 2c public
>
> radius-server host 192.168.140.1 auth-port 1812 acct-port 1813 key 7 10481B1C0005130F051139
>
> radius-server vsa send cisco-nas-port
>
> radius-server vsa send accounting
>
> radius-server vsa send authentication
>
> line con 0
>
> line vty 0 4
>
> !
>
> end
>
>  
>
> ap#
>
>  
>
> Best Regards,
>
>  
>
> Namjil
>
>  
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
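
An added example, not part of the original thread and not PacketFence code: a small cross-check of the VLAN in the quoted RADIUS reply against the quoted autonomous-AP configuration, reporting whether that VLAN is bridged on radio and Ethernet, which SSID owns it as its default VLAN, and whether a cipher is set for it. The function names `parse_ap` and `check_assignment` are hypothetical, and the config text is a constructed excerpt of the running-config above with indentation restored.

```python
import re

# Constructed excerpt of the running-config quoted above (indentation restored).
AP_CONFIG = """\
dot11 vlan-name registration vlan 130
dot11 ssid PacketFence-Public
   vlan 131 backup guest
dot11 ssid PacketFence-Secure
   vlan 130 backup normal
interface Dot11Radio0
 encryption vlan 130 mode ciphers aes-ccm
interface Dot11Radio0.130
 encapsulation dot1Q 130
interface FastEthernet0.130
 encapsulation dot1Q 130
"""
RADIUS_REPLY = 'Tunnel-Type = VLAN\nTunnel-Private-Group-Id = "130"\n'

def parse_ap(config):
    """Collect per-VLAN facts from an autonomous AP's IOS config."""
    ap = {"names": {}, "ssid_vlan": {}, "encrypted": set(), "radio": set(), "wired": set()}
    ssid = iface = None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"dot11 vlan-name (\S+) vlan (\d+)", s):
            ap["names"][int(m[2])] = m[1]
        elif m := re.match(r"dot11 ssid (\S+)", s):
            ssid = m[1]
        elif m := re.match(r"interface (\S+)", s):
            iface, ssid = m[1], None
        elif (m := re.match(r"vlan (\d+)", s)) and ssid:
            ap["ssid_vlan"][ssid] = int(m[1])  # default VLAN of this SSID
        elif m := re.match(r"encryption vlan (\d+) mode", s):
            ap["encrypted"].add(int(m[1]))
        elif (m := re.match(r"encapsulation dot1Q (\d+)", s)) and iface:
            ap["radio" if iface.startswith("Dot11Radio") else "wired"].add(int(m[1]))
    return ap

def check_assignment(ap, reply, ssid):
    """Compare the VLAN RADIUS returned with what the AP has configured."""
    vlan = int(re.search(r'Tunnel-Private-Group-Id = "(\d+)"', reply)[1])
    return {
        "vlan": vlan,
        "name": ap["names"].get(vlan),
        "bridged": vlan in ap["radio"] and vlan in ap["wired"],
        "ssid_default_vlan": ap["ssid_vlan"].get(ssid),
        "other_ssids_on_vlan": sorted(s for s, v in ap["ssid_vlan"].items() if v == vlan and s != ssid),
        "encrypted": vlan in ap["encrypted"],
    }
```

Calling `check_assignment(parse_ap(AP_CONFIG), RADIUS_REPLY, "PacketFence-Public")` returns the facts to compare against the caution in the linked guide; the example itself draws no conclusion from them.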
