Hi users,
Our PF is deployed in office A and we have successfully used it to authenticate and
control devices in office B via the routed network feature. It works well with
normal VLAN assignment, registration VLAN assignment and IP distribution.
But last night, when we began to use PF in office A, the local PF network, a
strange issue came up. For safe devices PF can assign the correct employee
role to the Aruba AC and the device can then get a normal IP from our online DHCP
server. For dangerous devices we let PF assign the registration role, with some fix
steps in the redirecting URL. All this works well in office B. But in office A,
where PF is located, we found the user can't get a correct registration IP from PF.
We are sure the AC received PF's RADIUS Accept packet and changed the device role to
registration, and we find PF first gives a DHCPOFFER and DHCPACK to the registration
device but then suddenly gives a DHCPNAK to take the IP back. This means a
device in the registration role can't get a correct registration IP.
Has anyone met this issue during registration VLAN? Really need your help.
Some of our key config files are as below:
pf.conf:
[interface eth0]
ip=172.21.3.120
type=management,portal,high-availability
mask=255.255.255.0
[interface eth1.133]
enforcement=vlan
ip=172.21.132.1
type=internal
mask=255.255.255.0
[interface eth1.134]
enforcement=vlan
ip=172.21.136.1
type=internal
mask=255.255.255.0
networks.conf:
#office A local network
[172.21.132.0]
dns=172.21.132.1
dhcp_start=172.21.132.10
gateway=172.21.135.254    # registration gateway on the switch
domain-name=vlan-registration.cap.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=1800
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.21.135.246
type=vlan-registration
netmask=255.255.252.0
dhcp_default_lease_time=1500
[172.21.136.0]
dns=172.21.136.1
dhcp_start=172.21.136.10
gateway=172.21.136.254    # isolation gateway on the switch
domain-name=vlan-isolation.cpa.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=1800
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.21.136.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=1500
#office B routed network
[172.23.10.0]
dns=172.21.132.1
next_hop=172.21.135.254   # registration gateway on the switch in office A
gateway=172.23.10.254     # registration gateway on the switch in office B
dhcp_start=172.23.10.10
domain-name=vlan-registration.cpa.com
nat_enabled=0
named=enabled
dhcp_max_lease_time=1800
dhcpd=enabled
fake_mac_enabled=0
netmask=255.255.255.0
type=vlan-registration
dhcp_end=172.23.10.246
dhcp_default_lease_time=1500
[172.23.11.0]
dns=172.21.136.1
next_hop=172.21.136.254   # isolation gateway on the switch in office A
gateway=172.23.11.254     # isolation gateway on the switch in office B
dhcp_start=172.23.11.10
domain-name=vlan-isolation.cpa.com
nat_enabled=0
named=enabled
dhcp_max_lease_time=1800
dhcpd=enabled
fake_mac_enabled=0
netmask=255.255.255.0
type=vlan-isolation
dhcp_end=172.23.11.246
dhcp_default_lease_time=1500
Routing table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.21.3.254    0.0.0.0         UG    0      0        0 eth0
172.23.10.0     172.21.135.254  255.255.255.0   UG    0      0        0 eth1.133
172.23.11.0     172.21.136.254  255.255.255.0   UG    0      0        0 eth1.134
169.254.0.0     0.0.0.0         255.255.255.252 U     0      0        0 didi-b
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1066   0        0 eth1.133
169.254.0.0     0.0.0.0         255.255.0.0     U     1067   0        0 eth1.134
172.21.3.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.21.132.0    0.0.0.0         255.255.252.0   U     0      0        0 eth1.133
172.21.136.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1.134
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
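One thing worth checking mechanically before chasing the DHCPNAK on the wire: in the posted files the registration interface eth1.133 is declared with mask 255.255.255.0 in pf.conf, while the [172.21.132.0] network it serves uses netmask 255.255.252.0 in networks.conf and the routing table shows 172.21.132.0/22 on eth1.133, and the office B network's next_hop 172.21.135.254 only falls inside eth1.133's subnet if the /22 is used. The script below is an added example for this thread, not PacketFence's own code; it cross-checks a pf.conf / networks.conf pair with Python's ipaddress module. The two config strings are constructed copies of the posted ones trimmed to the keys the checks read, and the check that a local (non-routed) network's pf.conf interface mask must equal its networks.conf netmask is an assumption about how the two files are meant to agree, not a documented PacketFence rule.

```python
"""Consistency check for a PacketFence pf.conf / networks.conf pair.
Added example for this thread, not PacketFence's own code.  The configs are
constructed copies of the posted ones, trimmed to the keys the checks read."""
import configparser
import ipaddress


def pf_conf(reg_mask="255.255.255.0"):
    """Constructed pf.conf; reg_mask is eth1.133's mask (posted value: /24)."""
    return f"""
[interface eth0]
ip=172.21.3.120
mask=255.255.255.0
[interface eth1.133]
ip=172.21.132.1
mask={reg_mask}
[interface eth1.134]
ip=172.21.136.1
mask=255.255.255.0
"""


# Constructed networks.conf with the same addresses as the posted one.
NETWORKS_CONF = """
[172.21.132.0]
dns=172.21.132.1
dhcp_start=172.21.132.10
dhcp_end=172.21.135.246
gateway=172.21.135.254
netmask=255.255.252.0
[172.21.136.0]
dns=172.21.136.1
dhcp_start=172.21.136.10
dhcp_end=172.21.136.246
gateway=172.21.136.254
netmask=255.255.255.0
[172.23.10.0]
dns=172.21.132.1
next_hop=172.21.135.254
gateway=172.23.10.254
dhcp_start=172.23.10.10
dhcp_end=172.23.10.246
netmask=255.255.255.0
[172.23.11.0]
dns=172.21.136.1
next_hop=172.21.136.254
gateway=172.23.11.254
dhcp_start=172.23.11.10
dhcp_end=172.23.11.246
netmask=255.255.255.0
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def interfaces(pf_text):
    """Map interface name -> IPv4Interface built from pf.conf's ip/mask."""
    cp = _parse(pf_text)
    return {sec.split(" ", 1)[1]: ipaddress.ip_interface(f"{cp[sec]['ip']}/{cp[sec]['mask']}")
            for sec in cp.sections() if sec.startswith("interface ")}


def check_networks(pf_text, networks_text):
    """Return (section, message) findings; an empty list means every check passed."""
    ifaces = interfaces(pf_text)
    findings = []
    cp = _parse(networks_text)
    for sec in cp.sections():
        n = cp[sec]
        net = ipaddress.ip_network(f"{sec}/{n['netmask']}", strict=False)
        start, end = ipaddress.ip_address(n["dhcp_start"]), ipaddress.ip_address(n["dhcp_end"])
        if not (start in net and end in net and start <= end):
            findings.append((sec, f"DHCP range {start}-{end} is not inside {net}"))
        gw = ipaddress.ip_address(n["gateway"])
        if gw not in net:
            findings.append((sec, f"gateway {gw} is not inside {net}"))
        if "next_hop" in n:
            # Routed network: the static route to it needs next_hop on a directly
            # connected PF interface, so it must fall inside one interface subnet.
            hop = ipaddress.ip_address(n["next_hop"])
            if not any(hop in i.network for i in ifaces.values()):
                findings.append((sec, f"next_hop {hop} is not on any pf.conf interface subnet"))
        else:
            # Local network (assumption): the interface owning it should carry the
            # same mask that dhcpd will hand out from networks.conf.
            owners = [(name, i) for name, i in ifaces.items() if i.ip in net]
            if not owners:
                findings.append((sec, f"no pf.conf interface has an address in {net}"))
            for name, i in owners:
                if i.network != net:
                    findings.append((sec, f"{name} is /{i.network.prefixlen} in pf.conf "
                                          f"but networks.conf says /{net.prefixlen}"))
        dns = ipaddress.ip_address(n["dns"])
        if dns not in {i.ip for i in ifaces.values()}:
            findings.append((sec, f"dns {dns} is not a PacketFence interface address"))
    return findings
```

Running check_networks(pf_conf(), NETWORKS_CONF) against the posted values reports two findings, both tied to eth1.133: the /24 versus /22 mismatch on [172.21.132.0] and, as a consequence, next_hop 172.21.135.254 of [172.23.10.0] lying outside every pf.conf interface subnet. With pf_conf("255.255.252.0"), i.e. the mask the routing table actually shows, the list is empty. Whether that mismatch is what triggers the DHCPNAK is not something the script can tell; it only shows which of the posted numbers disagree with each other.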