Hello Ludovic,
Now I have changed the switches config, but it still cannot immediately respond from 
pf:
[192.168.1.4]
description=sg300-2f
isolationVlan=60
registrationVlan=50
SNMPVersionTrap=3
SNMPUserNameTrap=private
SNMPAuthProtocolWrite=MD5
SNMPUserNameWrite=private
SNMPUserNameRead=private
SNMPAuthPasswordWrite=password
SNMPAuthPasswordRead=password
SNMPAuthProtocolTrap=MD5
SNMPEngineID=800000090300af1f6efe59
SNMPPrivProtocolWrite=DES
SNMPPrivPasswordWrite=password
SNMPAuthPasswordTrap=password
SNMPPrivProtocolTrap=DES
SNMPPrivPasswordTrap=password
SNMPAuthProtocolRead=MD5
guestVlan=3
deauthMethod=SNMP
cliAccess=Y
ExternalPortalEnforcement=Y
qkm-si-labVlan=13
qkm-engVlan=11
qkm-siVlan=11
qkm-swVlan=12
qkm-finVlan=14
QKM-itVlan=16
qkm-2fVlan=15
radiusSecret=useStrongerSecret
mode=production
type=Cisco::SG300
cliPwd=admin123456@
cliUser=admin
cliEnablePwd=admin123456@
useCoA=N



------------------ Original Message ------------------
From: "Ludovic Zammit" <lzam...@inverse.ca>
Sent: July 7, 2017 (Friday) 8:59
To: "packetfence-users" <packetfence-users@lists.sourceforge.net>
Cc: "????????" <lnh...@qq.com>
Subject: Re: [PacketFence-users] The switch(sg300) does not immediately respond to 
a pf client state change



Hello,

You have to put the deauth method to SNMP, you have set it to radius:


deauthMethod=RADIUS


The CoA is not supported on that switch model. The PF will try to bounce the 
port with an SNMP request (shut / no shut).
 
Thanks,
Ludovic Zammit lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



 
 
On Jul 7, 2017, at 3:40 AM, ???????? via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

Hello,
I configured sg300 switches and pf, but I found it is not immediately possible 
to update the client status change of pf, for example:
I never registered the status of computer A as registered, and computer A needs 
to wait half an hour before the status is changed to register. This half hour is 
the time when the switch is revalidated, "dot1x timeout reauth-period 
1800". How do you make pf's client status change effective immediately?
I have connected the computer to the gi20 port.
The sg300 config is as below:


switch6efe59#sh run
config-file-header
switch6efe59
v1.3.7.18 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch


file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 3-4,11,14-16,50,60
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
dot1x system-auth-control
hostname switch6efe59
encrypted radius-server key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQ
aRjE9EKiEa+3
encrypted radius-server host 192.168.1.30 key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElM
EFpkCXTsT1iuchvICQaRjE9EKiEa+3 priority 3
aaa authentication login telnet local
aaa authentication login Console local radius
aaa authentication enable Console enable radius
aaa authentication dot1x default radius none
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
line console
login authentication Console
enable authentication Console
password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
exit
username admin password encrypted 79a12a55b5d56faaef1a5a9ebccdf82fb637ae30 privi
lege 15
snmp-server engineID local 800000090300af1f6efe59
snmp-server community useStrongerSecret rw 192.168.1.30 view Default
snmp-server host 192.168.1.30 traps version 2c useStrongerSecret
snmp-server host 192.168.1.30 version 3 auth private
snmp-server group readgroup v3 auth notify Default read Default
snmp-server group readgroup v3 priv notify Default read Default
snmp-server group writegroup v3 auth notify Default read Default write Default
snmp-server group writegroup v3 priv notify Default read Default write Default
encrypted snmp-server user public readgroup v3 auth md5 RTfVftohWzkj+bRMkALik3t+
Q4iVSEEJ1VUolT4eOXk=
encrypted snmp-server user private writegroup v3 auth md5 RTfVftohWzkj+bRMkALik3
t+Q4iVSEEJ1VUolT4eOXk= priv RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk=
clock timezone " " 8
sntp unicast client enable
sntp unicast client poll
sntp server 192.168.2.242
ip telnet server
!
interface vlan 1
 ip address 192.168.1.4 255.255.255.0
!
interface vlan 3
 name Guest
 dot1x guest-vlan
!
interface vlan 4
 name kaoqin
!
interface vlan 11
 name si
!
interface vlan 16
 name IT
!
interface vlan 50
 name Registration
!
interface vlan 60
 name Isolation
!
interface gigabitethernet1
 dot1x host-mode multi-sessions
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x timeout server-timeout 5
 dot1x timeout supp-timeout 3
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x port-control auto
 spanning-tree portfast
 switchport mode general
 switchport general allowed vlan add 14,50,60 untagged
!
interface gigabitethernet2
 dot1x host-mode multi-sessions
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x timeout server-timeout 5
 dot1x timeout supp-timeout 3
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x port-control auto
 spanning-tree portfast
 switchport mode general
 switchport general allowed vlan add 14,50,60 untagged
!
interface gigabitethernet3
 dot1x host-mode multi-sessions
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x timeout server-timeout 5
 dot1x timeout supp-timeout 3
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x port-control auto
 spanning-tree portfast
 switchport mode general
 switchport general allowed vlan add 14,50,60 untagged
 switchport general pvid 14
!
!
interface gigabitethernet18
 dot1x host-mode multi-sessions
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x timeout reauth-period 300
 dot1x timeout server-timeout 5
 dot1x timeout supp-timeout 3
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x port-control auto
 spanning-tree portfast
 switchport mode access
!
interface gigabitethernet20
 dot1x host-mode multi-sessions
 dot1x reauthentication
 dot1x timeout quiet-period 10
 dot1x timeout reauth-period 1800
 dot1x timeout server-timeout 5
 dot1x timeout supp-timeout 3
 dot1x authentication 802.1x mac
 dot1x radius-attributes vlan
 dot1x port-control auto
 spanning-tree portfast
 switchport mode general
 switchport general allowed vlan add 3,60 tagged
 switchport general allowed vlan add 14-16,50 untagged
!
!
interface gigabitethernet27
 switchport trunk allowed vlan add 3-4,11,14-16,50,60
!
interface gigabitethernet28
 switchport trunk allowed vlan add 3-4,11,14-16,50,60
!
exit
ip default-gateway 192.168.1.1
switch6efe59#
and pf switches config:
[192.168.1.4]
description=sg300-2f
isolationVlan=60
registrationVlan=50
SNMPVersionTrap=3
SNMPUserNameTrap=private
SNMPAuthProtocolWrite=MD5
SNMPUserNameWrite=private
SNMPUserNameRead=private
SNMPAuthPasswordWrite=password
SNMPAuthPasswordRead=password
SNMPAuthProtocolTrap=MD5
SNMPEngineID=800000090300af1f6efe59
SNMPPrivProtocolWrite=DES
SNMPPrivPasswordWrite=password
SNMPAuthPasswordTrap=password
SNMPPrivProtocolTrap=DES
SNMPPrivPasswordTrap=password
SNMPAuthProtocolRead=MD5
guestVlan=3
deauthMethod=RADIUS
cliAccess=Y
ExternalPortalEnforcement=Y
q-si-labVlan=13
q-engVlan=11
q-siVlan=11
q-swVlan=12
q-finVlan=14
Q-itVlan=16
q-2fVlan=15
radiusSecret=useStrongerSecret
mode=production
type=Cisco::SG300
cliPwd=admin1212@
cliUser=admin
cliEnablePwd=admin1212@




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! 
http://sdm.link/slashdot_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
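
An added example (not from the thread or from the PacketFence project): a Python check that cross-references the PacketFence switch entry with the switch's running config for the settings an SNMP port bounce relies on. The excerpts are constructed by trimming the configs quoted above, with secrets replaced by REDACTED; `parse_switch` and `audit` are hypothetical helper names, the SG300 rule comes from the reply in this thread, and the engine ID and write-view checks are assumptions about what the SNMPv3 write needs.

```python
import configparser
import re

# Constructed excerpts, trimmed from the two configurations quoted in the thread.
PF_CONF = """\
[192.168.1.4]
type=Cisco::SG300
deauthMethod=RADIUS
SNMPEngineID=800000090300af1f6efe59
SNMPUserNameWrite=private
SNMPPrivProtocolWrite=DES
"""
SWITCH_CONF = """\
snmp-server engineID local 800000090300af1f6efe59
snmp-server group readgroup v3 priv notify Default read Default
snmp-server group writegroup v3 priv notify Default read Default write Default
encrypted snmp-server user private writegroup v3 auth md5 REDACTED priv REDACTED
"""

def parse_switch(text):
    """Return (local engine ID, groups that have a write view, SNMPv3 users)."""
    engine = re.search(r"^snmp-server engineID local (\S+)", text, re.M)
    write_groups = set(re.findall(r"^snmp-server group (\S+) v3 \S+ .*\bwrite \S+", text, re.M))
    users = {}
    for name, group, rest in re.findall(
            r"^(?:encrypted )?snmp-server user (\S+) (\S+) v3 (.*)$", text, re.M):
        users[name] = {"group": group, "priv": "priv" in rest.split()}
    return (engine.group(1) if engine else ""), write_groups, users

def audit(pf_conf, switch_conf):
    """List mismatches (assumed prerequisites for an SNMP port bounce)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # PacketFence keys are case-sensitive
    cfg.read_string(pf_conf)
    engine, write_groups, users = parse_switch(switch_conf)
    findings = []
    for ip in cfg.sections():
        sw = cfg[ip]
        # From the reply in this thread: no CoA on this model, deauth must be SNMP.
        if sw.get("type") == "Cisco::SG300" and sw.get("deauthMethod", "").upper() != "SNMP":
            findings.append(f"{ip}: deauthMethod must be SNMP for Cisco::SG300")
        if sw.get("SNMPEngineID", "").lower() != engine.lower():
            findings.append(f"{ip}: SNMPEngineID differs from the switch engineID")
        user = users.get(sw.get("SNMPUserNameWrite", ""))
        if user is None or user["group"] not in write_groups:
            findings.append(f"{ip}: SNMP write user lacks a write view on the switch")
        elif sw.get("SNMPPrivProtocolWrite") and not user["priv"]:
            findings.append(f"{ip}: privacy set in PacketFence but switch user is auth-only")
    return findings
```

Calling `audit(PF_CONF, SWITCH_CONF)` on the original entry reports only the `deauthMethod` mismatch; with `deauthMethod=SNMP` it returns an empty list.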