I'm configuring PF for VLAN enforcement, but I'm having a problem where
the VLANs with their respective IPs are not being assigned. In the logs it
returns the correct VLANs, but they are not applied to the station.


Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO: [mac:64:1c:67:82:7d:f2] handling radius autz request: from switch_ip => (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac => [64:1c:67:82:7d:f2], port => 41, username => "641C67827DF2" (pf::radius::authorize)
Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO: [mac:64:1c:67:82:7d:f2] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)
Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO: [mac:64:1c:67:82:7d:f2] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO: [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 300 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)


Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to reach min connections (3)
Dec 29 11:36:54 packtfence auth[7662]: rlm_rest (rest): Opening additional connection (23), 1 of 62 pending slots used
Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to reach min connections (3)
Dec 29 11:36:54 packtfence auth[7662]: rlm_sql (sql): Opening additional connection (25), 1 of 62 pending slots used
Dec 29 11:36:54 packtfence auth[7662]: [mac:64:1c:67:82:7d:f2] Accepted user:  and returned VLAN 300
Dec 29 11:36:54 packtfence auth[7662]: (44) Login OK: [641C67827DF2] (from client 172.16.0.50 port 41 cli 64:1c:67:82:7d:f2)


In the logs it returns the correct VLAN, but does not assign it to the
computer; it stubbornly keeps assigning the network 172.16.0.0/24.

I did not configure DHCP in PacketFence; when PacketFence returns a VLAN, the
station is supposed to get DHCP from my infrastructure. (So I imagine.)

Some of my settings follow; it's okay to expose the information since it's a
lab.


[root@packtfence ~]# ifconfig
SCRIVENER-b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 169.254.0.2  netmask 255.255.255.252  broadcast 169.254.0.3
        inet6 fe80::c8b5:5bff:febe:b1cc  prefixlen 64  scopeid 0x20<link>
        ether ca:b5:5b:be:b1:cc  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 648 (648.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 648 (648.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 08:00:27:a3:36:2a  txqueuelen 1000  (Ethernet)
        RX packets 5668  bytes 8119227 (7.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1260  bytes 80253 (78.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
        RX packets 20960  bytes 4119093 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12227  bytes 21064744 (20.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8.300: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.255.0  broadcast 172.17.0.255
        inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
        RX packets 10  bytes 628 (628.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 900 (900.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8.301: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.19.0.2  netmask 255.255.255.0  broadcast 172.19.0.255
        inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
        RX packets 10  bytes 628 (628.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 900 (900.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s8.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.2  netmask 255.255.255.0  broadcast 172.18.0.255
        inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
        RX packets 10  bytes 628 (628.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14  bytes 900 (900.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Loopback Local)
        RX packets 1567747  bytes 224694729 (214.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1567747  bytes 224694729 (214.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0




[root@packtfence ~]# cat /usr/local/pf/conf/networks.conf
[172.17.0.0]
dns=172.17.0.2
dhcp_start=172.17.0.10
gateway=172.17.0.2
domain-name=vlan-registration.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=172.17.0.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30

[172.18.0.0]
dns=172.18.0.2
dhcp_start=172.18.0.10
gateway=172.18.0.2
domain-name=vlan-isolation.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=172.18.0.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30





[root@packtfence ~]# cat /usr/local/pf/conf/switches.conf
#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Dell::N1500
registrationVlan=300
isolationVlan=600
uplink=5
cliUser=[secret]
cliPwd=[secret]
cliEnablePwd=[secret]
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion=2c
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=teste123
CORPORATIVOVlan=301
uplink_dynamic=0

[172.16.0.50]
mode=production
description=172.16.0.50
ExternalPortalEnforcement=Y
deauthMethod=Telnet
cliAccess=Y
defaultVlan=301



Can anyone help? Please! My Christmas and New Year's Eve present.




Regards,
Andre Scrivener