Oops, Fabrice!
I forgot some information: the MAC addresses on the switch.
According to the logs, it is in VLAN 2, the correct VLAN.
Right now I do not understand, because it does not assign the correct
address.
console#show mac address-table
Aging time is 300 Sec
Vlan Mac Address Type Port
-------- --------------------- ----------- ---------------------
1 0800.2700.58E2 Dynamic Gi1/0/11   <- Windows Server 2008
1 0800.2735.FCC4 Dynamic Gi1/0/11   <- PacketFence
1 1418.77EA.F0A3 Management Vl1     <- Switch Dell
1 641C.XXXXXXXXX Dynamic Gi1/0/11   <- My physical pc
2 847B.EBE3.8442 Dynamic Gi1/0/13   <- My test machine
Total MAC Addresses in use: 5
console#show mac address-table interface Gi1/0/13
Aging time is 300 Sec
Vlan Mac Address Type Port
-------- --------------------- ----------- ---------------------
2 847B.EBE3.8442 Dynamic Gi1/0/13   <- My test machine
console#
2018-01-02 15:22 GMT-03:00 André Scrivener <[email protected]>:
> Hello Fabrice,
>
> I simplified the environment, I'm using only 1 interface!
>
>
> enp0s3: Management - DHCP FROM WINDOWS SERVER
> enp0s3 VLAN 2: Registration - DHCP ENABLE
> enp0s3 VLAN 3: Isolation - DHCP ENABLE
> enp0s3 VLAN 10: Normal - NO DHCP
>
> IP Address Switch Managed: 172.16.0.50
> Interface 11: My physical machine, and virtual machine (virtualbox) where
> is the PacketFence (interface mode bridge)
> Interface 23: My client test Windows 8 (interface mode bridge)
>
>
> The problem continues: in the logs it returns the correct VLAN, but it does not
> get assigned to the computer; it stubbornly keeps assigning the 172.16.0.0/24
> network (Management Network).
>
>
> [root@packetfence ~]# tailf /usr/local/pf/logs/packetfence.log
> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
> "847BEBE38442" (pf::radius::authorize)
> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
>
> [root@packetfence ~]# tailf /usr/local/pf/logs/radius.log
> Jan 2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
> min connections (3)
> Jan 2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
> additional connection (15), 1 of 62 pending slots used
> Jan 2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
> 10 spares
> Jan 2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening additional
> connection (18), 1 of 61 pending slots used
> Jan 2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42] Accepted
> user: and returned VLAN 2
> Jan 2 14:03:10 packetfence auth[31813]: (32) Login OK: [847BEBE38442]
> (from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)
>
>
>
>
> Network settings follow:
>
> [root@packetfence ~]# ifconfig
> enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 172.16.0.2 netmask 255.255.255.0 broadcast 172.16.0.255
> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid 0x20<link>
> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
> RX packets 560936 bytes 711890423 (678.9 MiB)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 153523 bytes 23163746 (22.0 MiB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> enp0s3.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.2.2 netmask 255.255.255.0 broadcast 192.168.2.255
> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid 0x20<link>
> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 10 bytes 732 (732.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> enp0s3.3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.3.2 netmask 255.255.255.0 broadcast 192.168.3.255
> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid 0x20<link>
> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 10 bytes 732 (732.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> enp0s3.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid 0x20<link>
> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 10 bytes 732 (732.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> inet 127.0.0.1 netmask 255.0.0.0
> inet6 ::1 prefixlen 128 scopeid 0x10<host>
> loop txqueuelen 1 (Loopback Local)
> RX packets 1162494 bytes 167041449 (159.3 MiB)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 1162494 bytes 167041449 (159.3 MiB)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> [root@packetfence ~]#
>
>
>
> [root@packetfence ~]# cat /usr/local/pf/conf/networks.conf
> [192.168.3.0]
> dns=192.168.3.2
> dhcp_start=192.168.3.10
> gateway=192.168.3.2
> domain-name=vlan-isolation.scrivener.com.br
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.3.246
> type=vlan-isolation
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [192.168.2.0]
> dns=192.168.2.2
> dhcp_start=192.168.2.10
> gateway=192.168.2.2
> domain-name=vlan-registration.scrivener.com.br
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=enabled
> dhcp_end=192.168.2.246
> type=vlan-registration
> netmask=255.255.255.0
> dhcp_default_lease_time=30
> [root@packetfence ~]#
>
>
>
> [root@packetfence ~]# cat /usr/local/pf/conf/switches.conf
> [172.16.0.50]
> mode=production
> defaultVlan=10
> deauthMethod=RADIUS
> description=SWITCH DELL - 172.16.0.50
> type=Dell::N1500
> radiusSecret=useStrongerSecret
> SNMPVersion=2c
>
> #
> # Copyright (C) 2005-2017 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [192.168.0.1]
> description=Test Switch
> type=Cisco::Catalyst_2900XL
> mode=production
> uplink=23,24
>
> #SNMPVersion = 3
> #SNMPEngineID = 0000000000000
> #SNMPUserNameRead = readUser
> #SNMPAuthProtocolRead = MD5
> #SNMPAuthPasswordRead = authpwdread
> #SNMPPrivProtocolRead = DES
> #SNMPPrivPasswordRead = privpwdread
> #SNMPUserNameWrite = writeUser
> #SNMPAuthProtocolWrite = MD5
> #SNMPAuthPasswordWrite = authpwdwrite
> #SNMPPrivProtocolWrite = DES
> #SNMPPrivPasswordWrite = privpwdwrite
> #SNMPVersionTrap = 3
> #SNMPUserNameTrap = readUser
> #SNMPAuthProtocolTrap = MD5
> #SNMPAuthPasswordTrap = authpwdread
> #SNMPPrivProtocolTrap = DES
> #SNMPPrivPasswordTrap = privpwdread
> [192.168.1.0/24]
> description=Test Range Switch
> type=Cisco::Catalyst_2900XL
> mode=production
> uplink=23,24
> [root@packetfence ~]#
>
>
> Switch configuration follows:
>
> I followed the configuration in the manual; my switch model is Dell
> N1548. (https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_dell)
>
>
> console#show running-config
>
> !Current Configuration:
> !System Description "Dell Networking N1548, 6.2.6.6, Linux 3.6.5"
> !System Software Version 6.2.6.6
> !
> configure
> vlan 2-5,10,100
> exit
> vlan 2
> name "Registration"
> exit
> vlan 3
> name "Isolation"
> exit
> vlan 4
> name "Mac detection"
> exit
> vlan 5
> name "Guest"
> exit
> vlan 100
> name "VoIP"
> exit
> stack
> member 1 3 ! N1548
> exit
> interface vlan 1
> ip address 172.16.0.50 255.255.255.0
> exit
> authentication enable
> dot1x system-auth-control
> aaa authentication dot1x default radius
> aaa authorization network default radius
> dot1x dynamic-vlan enable
> voice vlan
> aaa server radius dynamic-author
> client 172.16.0.2 server-key "useStrongerSecret"
> exit
> radius-server host auth 172.16.0.2
> name "PacketFence"
> usage 802.1x
> key "useStrongerSecret"
> exit
> !
> interface Gi1/0/11
> switchport mode trunk
> switchport trunk allowed vlan 1-5,100
> dot1x port-control force-authorized
> exit
> !
> interface Gi1/0/13
> switchport voice detect auto
> switchport mode general
> switchport access vlan 10
> dot1x port-control mac-based
> dot1x reauthentication
> dot1x mac-auth-bypass
> authentication order mab
> authentication priority mab
> lldp transmit-tlv sys-desc sys-cap
> lldp transmit-mgmt
> lldp notification
> lldp med confignotification
> voice vlan 100
> exit
> snmp-server engineid local 800002a203141877eaf0a0
> snmp-server community "private" rw
> snmp-server community "public" ro
> exit
>
> console#
>
>
>
>
> I still do not understand where the error is. Any idea?
>
>
> 2017-12-29 11:15 GMT-03:00 Fabrice Durand via PacketFence-users <[email protected]>:
>
>> Hello André,
>>
>> First you need to check on the switch side if the MAC address of the
>> device is in VLAN 300.
>>
>> Next, a registration VLAN is a VLAN managed by PacketFence, so you need to
>> enable DHCP on VLANs 300 and 600.
>> Another thing I can see is that the interface enp0s8.300 (VLAN 300) uses
>> the network 172.17.0.0/24 and it should be 172.16.0.0/24?! (but enp0s8
>> uses this network).
>>
>> So in my opinion, you probably messed up the VLAN/interface config.
>>
>> If the enp0s8 interface is really on VLAN 300 then enp0s8.300 is useless
>> and you probably have to use VLAN 301 as the registration network.
>>
>> Last thing, be sure that enp0s8 is plugged into a trunk port and be sure
>> that you define all the VLANs in your switch configuration.
>>
>> Regards
>> Fabrice
>>
>>
>>
>>
>> On 2017-12-29 at 08:50, André Scrivener via PacketFence-users wrote:
>>
>> I'm configuring PF with VLAN enforcement, but I'm having a problem where
>> VLANs with their respective IPs are not being assigned. In the logs it
>> returns the correct VLANs, but they are not applied to the station.
>>
>>
>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
>> [mac:64:1c:67:82:7d:f2] handling radius autz request: from switch_ip =>
>> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
>> (14:18:77:ea:f0:a2), mac => [64:1c:67:82:7d:f2], port => 41, username =>
>> "641C67827DF2" (pf::radius::authorize)
>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
>> [mac:64:1c:67:82:7d:f2] Instantiate profile default
>> (pf::Connection::ProfileFactory::_from_profile)
>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
>> [mac:64:1c:67:82:7d:f2] is of status unreg; belongs into registration VLAN
>> (pf::role::getRegistrationRole)
>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
>> [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 300 to the returned RADIUS
>> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>
>>
>> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to reach
>> min connections (3)
>> Dec 29 11:36:54 packtfence auth[7662]: rlm_rest (rest): Opening
>> additional connection (23), 1 of 62 pending slots used
>> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to reach
>> min connections (3)
>> Dec 29 11:36:54 packtfence auth[7662]: rlm_sql (sql): Opening additional
>> connection (25), 1 of 62 pending slots used
>> Dec 29 11:36:54 packtfence auth[7662]: [mac:64:1c:67:82:7d:f2] Accepted
>> user: and returned VLAN 300
>> Dec 29 11:36:54 packtfence auth[7662]: (44) Login OK: [641C67827DF2]
>> (from client 172.16.0.50 port 41 cli 64:1c:67:82:7d:f2)
>>
>>
>> In the logs it returns the correct VLAN, but it does not get assigned to the
>> computer; it stubbornly keeps assigning the 172.16.0.0/24 network.
>>
>> I did not configure DHCP in PacketFence; when PacketFence returns a VLAN,
>> it is meant to get DHCP from my infrastructure. (So I imagine.)
>>
>> Some of my settings follow; it's okay to expose this information since it's a
>> lab.
>>
>>
>> [root@packtfence ~]# ifconfig
>> SCRIVENER-b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 169.254.0.2 netmask 255.255.255.252 broadcast 169.254.0.3
>> inet6 fe80::c8b5:5bff:febe:b1cc prefixlen 64 scopeid 0x20<link>
>> ether ca:b5:5b:be:b1:cc txqueuelen 1000 (Ethernet)
>> RX packets 8 bytes 648 (648.0 B)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 8 bytes 648 (648.0 B)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> enp0s3: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
>> ether 08:00:27:a3:36:2a txqueuelen 1000 (Ethernet)
>> RX packets 5668 bytes 8119227 (7.7 MiB)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 1260 bytes 80253 (78.3 KiB)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 172.16.0.2 netmask 255.255.255.0 broadcast 172.16.0.255
>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid 0x20<link>
>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>> RX packets 20960 bytes 4119093 (3.9 MiB)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 12227 bytes 21064744 (20.0 MiB)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> enp0s8.300: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 172.17.0.2 netmask 255.255.255.0 broadcast 172.17.0.255
>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid 0x20<link>
>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>> RX packets 10 bytes 628 (628.0 B)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 14 bytes 900 (900.0 B)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> enp0s8.301: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 172.19.0.2 netmask 255.255.255.0 broadcast 172.19.0.255
>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid 0x20<link>
>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>> RX packets 10 bytes 628 (628.0 B)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 14 bytes 900 (900.0 B)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> enp0s8.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 172.18.0.2 netmask 255.255.255.0 broadcast 172.18.0.255
>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid 0x20<link>
>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>> RX packets 10 bytes 628 (628.0 B)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 14 bytes 900 (900.0 B)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>> inet 127.0.0.1 netmask 255.0.0.0
>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
>> loop txqueuelen 1 (Loopback Local)
>> RX packets 1567747 bytes 224694729 (214.2 MiB)
>> RX errors 0 dropped 0 overruns 0 frame 0
>> TX packets 1567747 bytes 224694729 (214.2 MiB)
>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>
>>
>>
>>
>> [root@packtfence ~]# cat /usr/local/pf/conf/networks.conf
>> [172.17.0.0]
>> dns=172.17.0.2
>> dhcp_start=172.17.0.10
>> gateway=172.17.0.2
>> domain-name=vlan-registration.scrivener.com.br
>> nat_enabled=disabled
>> named=enabled
>> dhcp_max_lease_time=30
>> fake_mac_enabled=disabled
>> dhcpd=disabled
>> dhcp_end=172.17.0.246
>> type=vlan-registration
>> netmask=255.255.255.0
>> dhcp_default_lease_time=30
>>
>> [172.18.0.0]
>> dns=172.18.0.2
>> dhcp_start=172.18.0.10
>> gateway=172.18.0.2
>> domain-name=vlan-isolation.scrivener.com.br
>> nat_enabled=disabled
>> named=enabled
>> dhcp_max_lease_time=30
>> fake_mac_enabled=disabled
>> dhcpd=disabled
>> dhcp_end=172.18.0.246
>> type=vlan-isolation
>> netmask=255.255.255.0
>> dhcp_default_lease_time=30
>>
>>
>>
>>
>>
>> [root@packtfence ~]# cat /usr/local/pf/conf/switches.conf
>> #
>> # Copyright (C) 2005-2017 Inverse inc.
>> #
>> # See the enclosed file COPYING for license information (GPL).
>> # If you did not receive this file, see
>> # http://www.fsf.org/licensing/licenses/gpl.html
>> [default]
>> type=Dell::N1500
>> registrationVlan=300
>> isolationVlan=600
>> uplink=5
>> cliUser=[secret]
>> cliPwd=[secret]
>> cliEnablePwd=[secret]
>> #
>> # SNMP section
>> #
>> # PacketFence -> Switch
>> SNMPVersion=2c
>> #
>> # RADIUS NAS Client config
>> #
>> # RADIUS shared secret with switch
>> radiusSecret=teste123
>> CORPORATIVOVlan=301
>> uplink_dynamic=0
>>
>> [172.16.0.50]
>> mode=production
>> description=172.16.0.50
>> ExternalPortalEnforcement=Y
>> deauthMethod=Telnet
>> cliAccess=Y
>> defaultVlan=301
>>
>>
>>
>> Can anyone help? Please! My Christmas present and New Year's Eve.
>>
>>
>>
>>
>> Att,
>> Andre Scrivener
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>> --
>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>> www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>>
>
>
> --
> Att
> Andre
>
--
Att
Andre
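The thread above compares three things by hand: the VLAN PacketFence wrote into the RADIUS Access-Accept (packetfence.log), the VLAN the switch actually learned the client's MAC in (`show mac address-table`), and whether the matching VLAN sub-interface on the PacketFence host sees any traffic at all (`ifconfig`). As an added example, not part of the thread and not PacketFence's own code, the following Python script automates that three-way check. It parses the three text artefacts in the formats pasted in the thread and reports, per client MAC, a switch VLAN that differs from the returned VLAN, a MAC missing from the switch table, or a registration sub-interface that has received zero frames. The sample inputs are constructed from values that appear in the thread; the function names and the `parent_iface` parameter are my own.

```python
"""Cross-check a PacketFence RADIUS VLAN assignment against what the switch
and the PacketFence host actually observe (added example, not from the thread)."""
import re


def norm_mac(mac: str) -> str:
    """Normalise '84:7b:eb:e3:84:42', '847B.EBE3.8442' or '847BEBE38442'
    to lower-case colon form so the three sources can be joined on MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# packetfence.log: "[mac:xx:..] (switch) Added VLAN N to the returned RADIUS Access-Accept"
ASSIGN_RE = re.compile(
    r"\[mac:(?P<mac>[0-9a-f:]{17})\].*Added VLAN (?P<vlan>\d+) to the returned RADIUS")


def parse_pf_assignments(log: str) -> dict:
    """Map client MAC -> VLAN that PacketFence put in the Access-Accept."""
    out = {}
    for line in log.splitlines():
        m = ASSIGN_RE.search(line)
        if m:
            out[norm_mac(m.group("mac"))] = int(m.group("vlan"))
    return out


# Dell N-series `show mac address-table` rows: "<vlan> <xxxx.xxxx.xxxx> <type> <port>"
MACTABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)")


def parse_mac_table(text: str) -> dict:
    """Map MAC -> (vlan, port) from switch MAC table output; header rows are skipped."""
    out = {}
    for line in text.splitlines():
        m = MACTABLE_RE.match(line)
        if m:
            out[norm_mac(m.group("mac"))] = (int(m.group("vlan")), m.group("port"))
    return out


IFACE_RE = re.compile(r"^(?P<name>\S+): flags=")
RX_RE = re.compile(r"^\s*RX packets (?P<pkts>\d+)")


def parse_ifconfig_rx(text: str) -> dict:
    """Map interface name -> RX packet count from `ifconfig` output."""
    out, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = RX_RE.match(line)
        if m and current:
            out[current] = int(m.group("pkts"))
    return out


def check_vlan_assignments(pf_log: str, mac_table_text: str,
                           ifconfig_text: str, parent_iface: str) -> list:
    """Return (mac, finding) tuples; an empty list means every assignment is
    consistent from RADIUS reply to switch table to PacketFence sub-interface."""
    assigned = parse_pf_assignments(pf_log)
    on_switch = parse_mac_table(mac_table_text)
    rx = parse_ifconfig_rx(ifconfig_text)
    findings = []
    for mac, vlan in assigned.items():
        if mac not in on_switch:
            findings.append((mac, "not present in switch MAC table"))
            continue
        sw_vlan, port = on_switch[mac]
        if sw_vlan != vlan:
            findings.append((mac, f"switch has VLAN {sw_vlan} on {port}, "
                                  f"PacketFence returned VLAN {vlan}"))
        sub = f"{parent_iface}.{vlan}"  # assumed naming of the 802.1Q sub-interface
        if rx.get(sub, 0) == 0:
            findings.append((mac, f"{sub} has received no frames; traffic from "
                                  f"VLAN {vlan} is not reaching this host"))
    return findings


# Constructed sample input, modelled on the outputs pasted in the thread.
SAMPLE_PF_LOG = (
    "Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: "
    "[mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS "
    "Access-Accept (pf::Switch::returnRadiusAccessAccept)\n")
SAMPLE_MAC_TABLE = (
    "Vlan Mac Address Type Port\n"
    "-------- --------------------- ----------- ---------------------\n"
    "1 0800.2735.FCC4 Dynamic Gi1/0/11\n"
    "2 847B.EBE3.8442 Dynamic Gi1/0/13\n")
SAMPLE_IFCONFIG = (
    "enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500\n"
    "        RX packets 560936 bytes 711890423 (678.9 MiB)\n"
    "enp0s3.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500\n"
    "        RX packets 0 bytes 0 (0.0 B)\n")

if __name__ == "__main__":
    for mac, finding in check_vlan_assignments(
            SAMPLE_PF_LOG, SAMPLE_MAC_TABLE, SAMPLE_IFCONFIG, "enp0s3"):
        print(f"{mac}: {finding}")
```

On the constructed sample the switch agrees with PacketFence (VLAN 2 on Gi1/0/13), so the only finding is that enp0s3.2 has received no frames: a client that is in the registration VLAN on the switch but whose DHCP discover never arrives on the PacketFence sub-interface for that VLAN cannot be served by PacketFence's dhcpd, which narrows the problem to the path between the access port and the trunk into the PacketFence host.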