Oops, I saw this message after ;-) Cool if it works

Regards

Fabrice



On 2017-03-10 at 03:44, Jes Kasper Klittum wrote:

I solved it myself! It seems that the fact that SNMP location was empty made packetfence barf.

I ran this on the HP 1920’s:

snmp-agent sys-info contact Jes Kasper Klittum

snmp-agent sys-info location Server room 1

Now deauth is working!

Br,

Jes
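As an added example (not code from the thread or from PacketFence): a small Python parser for tcpdump SNMP lines of the kind quoted below. It groups each get/set exchange on sysLocation by client port and tells the empty-sysLocation `wrongLength` rejection Jes hit apart from a clean write test or a write that got no reply. The sample lines are constructed for the example (the first two copied from the thread), and reading the get/set pair as the write-connection test is inferred from the capture, not from PacketFence source.

```python
import re
from collections import OrderedDict

# One SNMP response line as printed by tcpdump, e.g.
#   08:59:10.721720 IP 10.4.100.11.snmp > pf.51933: C=rwcommunity GetResponse(28) wrongLength@1 system.sysLocation.0=""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<agent>\S+)\.snmp > (?P<host>\S+?)\.(?P<port>\d+): '
    r'C=(?P<community>\S+) (?P<pdu>\w+)\(\d+\)'
    r'(?: (?P<err>\w+)@(?P<idx>\d+))? (?P<oid>\S+)=(?P<val>.*)$'
)

# Constructed sample capture: lines 1-2 are from the thread, the rest are made up
# to cover a populated sysLocation, a write with no reply, and a plain read flow.
SAMPLE = """\
08:59:10.715242 IP 10.4.100.11.snmp > pf.51933: C=rwcommunity GetResponse(28) system.sysLocation.0=""
08:59:10.721720 IP 10.4.100.11.snmp > pf.51933: C=rwcommunity GetResponse(28) wrongLength@1 system.sysLocation.0=""
09:02:01.100000 IP 10.4.100.11.snmp > pf.40001: C=rwcommunity GetResponse(40) system.sysLocation.0="Server room 1"
09:02:01.105000 IP 10.4.100.11.snmp > pf.40001: C=rwcommunity GetResponse(40) system.sysLocation.0="Server room 1"
09:05:30.200000 IP 10.4.100.11.snmp > pf.40002: C=rwcommunity GetResponse(28) system.sysLocation.0=""
09:07:00.000000 IP 10.4.100.11.snmp > pf.45173: C=readonlycommunity GetResponse(28) system.sysLocation.0=""
09:07:00.005000 IP 10.4.100.11.snmp > pf.45173: C=readonlycommunity GetResponse(32) 17.1.4.1.2.1=1
"""

def parse_capture(text):
    """Group tcpdump SNMP response lines by (agent, client port), in capture order."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an SNMP response line, ignore
        d = m.groupdict()
        d['val'] = d['val'].strip('"')
        flows.setdefault((d['agent'], d['port']), []).append(d)
    return flows

def diagnose_flow(responses):
    """Classify one exchange: a get of sysLocation that should be followed by a set of it."""
    if any('sysLocation' not in r['oid'] for r in responses):
        return 'not a sysLocation write test'
    if len(responses) == 1:
        return 'no reply to the write (community, ACL or timeout)'
    last = responses[-1]
    if last['err'] is None:
        return 'write test ok'
    if last['err'] == 'wrongLength' and last['val'] == '':
        return 'empty sysLocation rejected: set a non-empty sysLocation on the switch'
    return f"write rejected with {last['err']} at index {last['idx']}"

def diagnose(text):
    """Map each client port in the capture to a one-line verdict."""
    return {port: diagnose_flow(r) for (_agent, port), r in parse_capture(text).items()}
```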

*From:* Jes Kasper Klittum
*Sent:* 10 March 2017 09:10
*To:* 'packetfence-users@lists.sourceforge.net' <packetfence-users@lists.sourceforge.net> *Subject:* RE: [PacketFence-users] Wired VLAN switch from Registration LAN to Guest LAN not working?

Hi Fabrice,

Okay, I checked and this is what happens:

pfqueue.log:

Mar 10 08:59:10 pfqueue(18346) ERROR: [mac:d0:67:e5:36:6f:79] error creating SNMP v2c write connection to xx.xx.xx.xx: Received wrongLength(8) error-status at error-index 1 it looks like you specified a read-only community instead of a read-write one (pf::Switch::connectWriteTo)

Mar 10 08:59:14 pfqueue(18346) ERROR: [mac:d0:67:e5:36:6f:79] error creating SNMP v2c write connection to xx.xx.xx.xx: Received wrongLength(8) error-status at error-index 1 it looks like you specified a read-only community instead of a read-write one (pf::Switch::connectWriteTo)

Mar 10 08:59:15 pfqueue(18353) WARN: [mac:d0:67:e5:36:6f:79] Until CoA is implemented we will bounce the port on VLAN re-assignment traps for MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)

Mar 10 08:59:16 pfqueue(18353) ERROR: [mac:d0:67:e5:36:6f:79] error creating SNMP v2c write connection to xx.xx.xx.xx: Received wrongLength(8) error-status at error-index 1 it looks like you specified a read-only community instead of a read-write one (pf::Switch::connectWriteTo)

Mar 10 08:59:19 pfqueue(18360) WARN: [mac:d0:67:e5:36:6f:79] Until CoA is implemented we will bounce the port on VLAN re-assignment traps for MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)

Mar 10 08:59:19 pfqueue(18360) ERROR: [mac:d0:67:e5:36:6f:79] error creating SNMP v2c write connection to xx.xx.xx.xx: Received wrongLength(8) error-status at error-index 1 it looks like you specified a read-only community instead of a read-write one (pf::Switch::connectWriteTo)

Mar 10 08:59:20 pfqueue(18353) ERROR: [mac:d0:67:e5:36:6f:79] error creating SNMP v2c write connection to xx.xx.xx.xx: Received wrongLength(8) error-status at error-index 1 it looks like you specified a read-only community instead of a read-write one (pf::Switch::connectWriteTo)

Mar 10 08:59:23 pfqueue(18360) ERROR: [mac:d0:67:e5:36:6f:79] error creating SNMP v2c write connection to xx.xx.xx.xx: Received wrongLength(8) error-status at error-index 1 it looks like you specified a read-only community instead of a read-write one (pf::Switch::connectWriteTo)

And the SNMP capture shows:

08:55:59.522952 IP 10.4.100.11.snmp > pf.45173: C=readonlycommunity GetResponse(28) system.sysLocation.0=""

08:55:59.529316 IP 10.4.100.11.snmp > pf.45173: C=readonlycommunity GetResponse(32) 17.1.4.1.2.1=1

08:59:10.715242 IP 10.4.100.11.snmp > pf.51933: C=rwcommunity GetResponse(28) system.sysLocation.0=""

08:59:10.721720 IP 10.4.100.11.snmp > pf.51933: C=rwcommunity GetResponse(28) wrongLength@1 system.sysLocation.0=""

08:59:14.729103 IP 10.4.100.11.snmp > pf.35982: C=rwcommunity GetResponse(28) system.sysLocation.0=""

08:59:14.733464 IP 10.4.100.11.snmp > pf.35982: C=rwcommunity GetResponse(28) wrongLength@1 system.sysLocation.0=""

08:59:15.736802 IP 10.4.100.11.snmp > pf.58710: C=rwcommunity GetResponse(28) system.sysLocation.0=""

08:59:16.241273 IP 10.4.100.11.snmp > pf.58710: C=rwcommunity GetResponse(28) wrongLength@1 system.sysLocation.0=""

08:59:19.755135 IP 10.4.100.11.snmp > pf.37131: C=rwcommunity GetResponse(28) system.sysLocation.0=""

08:59:19.760231 IP 10.4.100.11.snmp > pf.37131: C=rwcommunity GetResponse(28) wrongLength@1 system.sysLocation.0=""

The switch setup:

[HP-1920]display snmp-agent community write

   Community name: rwcommunity

       Group name: rwcommunity

       Storage-type: nonVolatile

[HP-1920]display snmp-agent community read

   Community name: readonlycommunity

       Group name: readonlycommunity

       Storage-type: nonvolatile

Packetfence switch definition:

[xx.xx.xx.xx]

description=HP-1920-1

cliAccess=Y

group=HP-ProCurve-1920

cliEnablePwd=Jinhuna1920unauthorized

mode=production

[group HP-ProCurve-1920]

mode=registration

SNMPCommunityRead=readonlycommunity

description=HP ProCurve 1920

User-authVlan=10

cliPwd=MyTelnetPassword

cliTransport=Telnet

PrinterVlan=5

registrationVlan=102

SNMPCommunityWrite=rwcommunity

guestVlan=105

cliUser=admin

defaultVlan=102

deauthMethod=SNMP

type=H3C::S5120

Machine-authVlan=10

isolationVlan=103

radiusSecret= MYRADIUSSECRET

SNMPVersion=2c

cliEnablePwd=Jinhua1920unauthorized

ServerLANVlan=1

TidsregistreringVlan=7

ManagementVlan=100

machineVlan=10

So, as far as I can see, the switch definition is correct, the switch setup is correct, but something goes wrong anyway…

I can do an snmpwalk -v2c -c rwcommunity xx.xx.xx.xx from the pf server with no issues.

Any ideas?

Br,

Jes

*From:* Durand fabrice [mailto:fdur...@inverse.ca]
*Sent:* 10 March 2017 03:40
*To:* packetfence-users@lists.sourceforge.net <mailto:packetfence-users@lists.sourceforge.net> *Subject:* Re: [PacketFence-users] Wired VLAN switch from Registration LAN to Guest LAN not working?

Hello Jes,

What I can suggest is to use SNMP for deauth and, from the PF server, capture SNMP traffic to see what happens exactly (maybe a community write issue).

Also check the log in pfqueue.log; this is the place where you will see errors about the deauth.

Regards

Fabrice

On 2017-03-02 at 11:22, Jes Kasper Klittum wrote:

    Hey folks,

    So I am almost there with my PF setup. Lodovic helped me on the
    way to get machine and AD user auth/switching working. Thank you
    very much. :-)

    Now, the thing I am now struggling with is the switch from
    registration vlan to guest network not functioning correctly.

    The only source I have in the default captive portal is email, so
    when I plug an unregistered device into the network, I am led to
    the portal to register using email. I have set a 10-minute window
    for accepting the registration.

    I get to the portal fine, on VLAN 102, and enter my email address,
    at which point I am told that the network access is being enabled.
    After waiting a while, I am told that it did not work, and I
    should try to refresh or open a new tab. No matter what I do, I
    stay in the registration VLAN?

    Packetfence.log shows this:

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:unknown]
    Instantiate profile default
    (pf::Portal::ProfileFactory::_from_profile)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Instantiate profile default
    (pf::Portal::ProfileFactory::_from_profile)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Instantiate profile default
    (pf::Portal::ProfileFactory::_from_profile)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Releasing device
    (captiveportal::PacketFence::DynamicRouting::Module::Root::release)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    User default has authenticated on the portal.
    (Class::MOP::Class:::after)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Instantiate profile default
    (pf::Portal::ProfileFactory::_from_profile)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    re-evaluating access (manage_register called)
    (pf::enforcement::reevaluate_access)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    is currentlog connected at (10.4.100.11) ifIndex 23 registration
    (pf::enforcement::_should_we_reassign_vlan)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Instantiate profile default
    (pf::Portal::ProfileFactory::_from_profile)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Connection type is WIRED_MAC_AUTH. Getting role from node_info
    (pf::role::getRegisteredRole)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    Username was defined "d067e5366f79" - returning role 'guest'
    (pf::role::getRegisteredRole)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    PID: "j...@klittum.dk" <mailto:j...@klittum.dk>, Status: reg
    Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    VLAN reassignment required (current VLAN = 102 but should be in
    VLAN 105) (pf::enforcement::_should_we_reassign_vlan)

    Mar 02 17:13:03 httpd.portal(20242) INFO: [mac:d0:67:e5:36:6f:79]
    switch port is (10.4.100.11) ifIndex 23 connection type: Wired MAC
    Auth (pf::enforcement::_vlan_reevaluation)

    So packetfence knows it should switch to VLAN 105 – it just does
    not happen?

    The switch, an HP 1920, shows this in the console:

    %Apr 27 18:48:24:397 2000 GW-X1-1920-2 PORTSEC/5/PORTSEC_VIOLATION:
    -IfName=GigabitEthernet1/0/23-MACAddr=D0:67:E5:36:6F:79-VlanId=-102-IfStatus=Up;
    Intrusion detected.

    If I unplug the Ethernet cable, and plug it back in, then I get
    access, and VLAN is changed to 105.

    I have tried both RADIUS and SNMP as deauth method on the switch.

    By the way, I should note that VLAN switching on the switch works
    perfectly when using a domain-joined computer, and logging in/out
    with users with different roles, so it seems the switch is able to
    get the information from packetfence under those circumstances.

    Hope someone is able to help me with this issue…

    Jes

    _______________________________________________

    PacketFence-users mailing list

    PacketFence-users@lists.sourceforge.net
    <mailto:PacketFence-users@lists.sourceforge.net>

    https://lists.sourceforge.net/lists/listinfo/packetfence-users
