Can you post your entire switch config (scrubbed of sensitive info) and your
/usr/local/pf/conf/switches.conf file?
Thanks,
Tim
Sent from mobile phone
> On Jan 4, 2018, at 07:19, André Scrivener <[email protected]> wrote:
>
> Timothy,
>
> After I changed to RADIUS, I no longer see these error logs. Thank you!
>
>
> But... the problem with assigning an IP address in the registration VLAN... to be continued!
>
> I'm thinking it's some problem between the switch and packetfence. :(
>
> I am very excited for this solution, but I stop at this problem.
>
> I will still update the firmware of the switch!!
>
>
>
>
> 2018-01-03 19:24 GMT-03:00 Timothy Mullican <[email protected]>:
>> André,
>>
>> The message “Until CoA is implemented we will bounce the port on VLAN
>> re-assignment traps for MAC-Auth
>> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)” is thrown because your
>> deauthentication method for the Switch (in PacketFence) is set to SNMP (see
>> handleReAssignVlanTrapForWiredMacAuth in /usr/local/pf/lib/pf/Switch.pm and
>> /usr/local/pf/lib/pf/Switch/Dell/N1500.pm).
>>
>> Try changing your de-authentication method on the switch (under
>> Configuration) in PacketFence to RADIUS and specify the secret key. Please
>> let me know if this doesn’t work.
>>
>> Thanks,
>> Tim
>>
>> Sent from mobile phone
>>
>>> On Jan 3, 2018, at 14:59, André Scrivener via PacketFence-users
>>> <[email protected]> wrote:
>>>
>>> Fabrice,
>>>
>>> I used the configuration sent, still gave an error.
>>>
>>> I saw some new logs:
>>>
>>> Jan 3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN:
>>> [mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on
>>> VLAN re-assignment traps for MAC-Auth
>>> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
>>>
>>> Do you know, can you explain what it would be?
>>>
>>> Soon I will update the firmware of the switch, to see if it resolves.
>>>
>>> Is it also not a bug in the packetfence version? Did you hear from anyone
>>> else with this problem?
>>>
>>> Greetings!
>>>
>>>
>>>
>>> 2018-01-03 17:24 GMT-03:00 Fabrice Durand <[email protected]>:
>>>> Hello André,
>>>>
>>>> Yes, I did that a long time ago:
>>>>
>>>> https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238
>>>>
>>>> Also the note I took:
>>>>
>>>> 1 Enter global configuration mode and define the RADIUS server.
>>>>
>>>> console#configure
>>>> console(config)#radius-server host auth 10.34.200.30
>>>> console(Config-auth-radius)#name PacketFence
>>>> console(Config-auth-radius)#usage 802.1x
>>>> console(Config-auth-radius)#key s3cr3t
>>>> console(Config-auth-radius)#exit
>>>> console(Config)#aaa server radius dynamic-author
>>>> console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
>>>> console(config-radius-da)#auth-type all
>>>> console(config-radius-da)#exit
>>>>
>>>>
>>>>
>>>>
>>>> 2 Enable authentication and globally enable 802.1x client authentication
>>>> via RADIUS:
>>>>
>>>> console(config)#authentication enable
>>>> console(config)#aaa authentication dot1x default radius
>>>> console(config)#aaa authorization network default radius
>>>> console(config)#dot1x system-auth-control
>>>>
>>>> (Optional)
>>>> console(Config)#dot1x dynamic-vlan enable
>>>>
>>>> 3 On the interface, enable MAC based authentication mode, enable MAB, and
>>>> set the order of authentication to 802.1X followed by MAC authentication.
>>>> Also enable periodic re-authentication.
>>>>
>>>> console(config)#interface te1/0/4
>>>> console(config-if-Te1/0/4)#dot1x port-control mac-based
>>>> console(config-if-Te1/0/4)#dot1x mac-auth-bypass
>>>> console(config-if-Te1/0/4)#authentication order dot1x mab
>>>> console(config-if-Te1/0/4)#dot1x reauthentication
>>>> console(config-if-Te1/0/4)#exit
>>>>
>>>> authentication order mab
>>>> authentication priority mab
>>>>
>>>>
>>>>
>>>>> Le 2018-01-03 à 09:18, André Scrivener a écrit :
>>>>> Hey,
>>>>>
>>>>> I configured interface 15 manually to use only VLAN 2 (registry), and I
>>>>> was assigned an address in the registry range (192.168.2.0/24).
>>>>>
>>>>> Switch config follows:
>>>>>
>>>>> interface Gi1/0/15
>>>>> switchport access vlan 2
>>>>> dot1x port-control force-authorized
>>>>> exit
>>>>>
>>>>>
>>>>> PacketFence logs follow:
>>>>>
>>>>> Jan 3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO:
>>>>> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are
>>>>> different for 84:7b:eb:e3:84:42 - closing ip4log entry
>>>>> (pf::api::update_ip4log)
>>>>>
>>>>>
>>>>>
>>>>> console#show mac address-table vlan 2
>>>>>
>>>>> Aging time is 300 Sec
>>>>>
>>>>> Vlan Mac Address Type Port
>>>>> -------- --------------------- ----------- ---------------------
>>>>> 2 0800.2735.FCC4 Dynamic Gi1/0/11 - Packetfence
>>>>> 2 847B.EBE3.8442 Dynamic Gi1/0/15 - Test machine
>>>>>
>>>>>
>>>>> You may notice that the MAC address of PacketFence is now in VLAN 2.
>>>>>
>>>>> Have you already configured Dell switches?
>>>>>
>>>>> Any idea?
>>>>>
>>>>>
>>>>> 2018-01-03 10:59 GMT-03:00 Fabrice Durand <[email protected]>:
>>>>>> Hum strange.
>>>>>>
>>>>>> What you can try is to define an interface in VLAN 2 (manually on a
>>>>>> switch port) and plug your test machine into it. (You must receive an IP
>>>>>> from PacketFence.)
>>>>>> If you receive an IP from 172.16.0.0/24, then it means that you have a
>>>>>> switch configuration issue. (Any layer 3 interfaces defined in VLAN
>>>>>> 2?)
>>>>>>
>>>>>> Also, what I can see is that there is no MAC in VLAN 2 and VLAN 3
>>>>>> for interface 11.
>>>>>>
>>>>>> You should have something like that too:
>>>>>>
>>>>>> 2 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Reg
>>>>>>
>>>>>> 3 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Isol
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>>
>>>>>>> Le 2018-01-02 à 13:55, André Scrivener a écrit :
>>>>>>> Oops, Fabrice!
>>>>>>>
>>>>>>> I forgot a piece of information, the MAC addresses on the switch.
>>>>>>>
>>>>>>> By the logs, it is in VLAN 2, the correct VLAN.
>>>>>>>
>>>>>>> Right now I do not understand, because it does not assign the correct
>>>>>>> address.
>>>>>>>
>>>>>>>
>>>>>>> console#show mac address-table
>>>>>>>
>>>>>>> Aging time is 300 Sec
>>>>>>>
>>>>>>> Vlan Mac Address Type Port
>>>>>>> -------- --------------------- ----------- ---------------------
>>>>>>> 1 0800.2700.58E2 Dynamic Gi1/0/11 - Windows Server 2008
>>>>>>> 1 0800.2735.FCC4 Dynamic Gi1/0/11 - PacketFence
>>>>>>> 1 1418.77EA.F0A3 Management Vl1 - Switch Dell
>>>>>>> 1 641C.XXXXXXXXX Dynamic Gi1/0/11 - My physical pc
>>>>>>> 2 847B.EBE3.8442 Dynamic Gi1/0/13 - My test machine
>>>>>>>
>>>>>>> Total MAC Addresses in use: 5
>>>>>>>
>>>>>>> console#show mac address-table interface Gi1/0/13
>>>>>>>
>>>>>>> Aging time is 300 Sec
>>>>>>>
>>>>>>> Vlan Mac Address Type Port
>>>>>>> -------- --------------------- ----------- ---------------------
>>>>>>> 2 847B.EBE3.8442 Dynamic Gi1/0/13 - My test machine
>>>>>>>
>>>>>>>
>>>>>>> console#
>>>>>>>
>>>>>>>
>>>>>>> 2018-01-02 15:22 GMT-03:00 André Scrivener <[email protected]>:
>>>>>>>> Hello Fabrice,
>>>>>>>>
>>>>>>>> I simplified the environment, I'm using only 1 interface!
>>>>>>>>
>>>>>>>>
>>>>>>>> enp0s3: Management - DHCP FROM WINDOWS SERVER
>>>>>>>> enp0s3 VLAN 2: Registration - DHCP ENABLE
>>>>>>>> enp0s3 VLAN 3: Isolation - DHCP ENABLE
>>>>>>>> enp0s3 VLAN 10: Normal - NO DHCP
>>>>>>>>
>>>>>>>> IP Address Switch Managed: 172.16.0.50
>>>>>>>> Interface 11: My physical machine, and virtual machine (virtualbox)
>>>>>>>> where is the PacketFence (interface mode bridge)
>>>>>>>> Interface 23: My client test Windows 8 (interface mode bridge)
>>>>>>>>
>>>>>>>>
>>>>>>>> The problem continues: in the logs it returns the correct VLAN, but does
>>>>>>>> not assign it to the computer; it stubbornly assigns the network
>>>>>>>> 172.16.0.0/24 (Management Network).
>>>>>>>>
>>>>>>>>
>>>>>>>> [root@packetfence ~]# tailf /usr/local/pf/logs/packetfence.log
>>>>>>>> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935)
>>>>>>>> INFO: [mac:84:7b:eb:e3:84:42] handling radius autz request: from
>>>>>>>> switch_ip => (172.16.0.50), connection_type =>
>>>>>>>> WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac =>
>>>>>>>> [84:7b:eb:e3:84:42], port => 13, username => "847BEBE38442"
>>>>>>>> (pf::radius::authorize)
>>>>>>>> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935)
>>>>>>>> INFO: [mac:84:7b:eb:e3:84:42] Instantiate
>>>>>>>> profile default (pf::Connection::ProfileFactory::_from_profile)
>>>>>>>> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935)
>>>>>>>> INFO: [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into
>>>>>>>> registration VLAN (pf::role::getRegistrationRole)
>>>>>>>> Jan 2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935)
>>>>>>>> INFO: [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the
>>>>>>>> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> [root@packetfence ~]# tailf /usr/local/pf/logs/radius.log
>>>>>>>> Jan 2 14:03:10 packetfence auth[31813]: Need 1 more connections to
>>>>>>>> reach min connections (3)
>>>>>>>> Jan 2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
>>>>>>>> additional connection (15), 1 of 62 pending slots used
>>>>>>>> Jan 2 14:03:10 packetfence auth[31813]: Need 7 more connections to
>>>>>>>> reach 10 spares
>>>>>>>> Jan 2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening
>>>>>>>> additional connection (18), 1 of 61 pending slots used
>>>>>>>> Jan 2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42]
>>>>>>>> Accepted user: and returned VLAN 2
>>>>>>>> Jan 2 14:03:10 packetfence auth[31813]: (32) Login OK: [847BEBE38442]
>>>>>>>> (from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Network settings follow:
>>>>>>>>
>>>>>>>> [root@packetfence ~]# ifconfig
>>>>>>>> enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>> inet 172.16.0.2 netmask 255.255.255.0 broadcast 172.16.0.255
>>>>>>>> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid
>>>>>>>> 0x20<link>
>>>>>>>> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
>>>>>>>> RX packets 560936 bytes 711890423 (678.9 MiB)
>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>> TX packets 153523 bytes 23163746 (22.0 MiB)
>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>
>>>>>>>> enp0s3.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>> inet 192.168.2.2 netmask 255.255.255.0 broadcast
>>>>>>>> 192.168.2.255
>>>>>>>> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid
>>>>>>>> 0x20<link>
>>>>>>>> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
>>>>>>>> RX packets 0 bytes 0 (0.0 B)
>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>> TX packets 10 bytes 732 (732.0 B)
>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>
>>>>>>>> enp0s3.3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>> inet 192.168.3.2 netmask 255.255.255.0 broadcast
>>>>>>>> 192.168.3.255
>>>>>>>> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid
>>>>>>>> 0x20<link>
>>>>>>>> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
>>>>>>>> RX packets 0 bytes 0 (0.0 B)
>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>> TX packets 10 bytes 732 (732.0 B)
>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>
>>>>>>>> enp0s3.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>> inet 192.168.1.1 netmask 255.255.255.0 broadcast
>>>>>>>> 192.168.1.255
>>>>>>>> inet6 fe80::a00:27ff:fe35:fcc4 prefixlen 64 scopeid
>>>>>>>> 0x20<link>
>>>>>>>> ether 08:00:27:35:fc:c4 txqueuelen 1000 (Ethernet)
>>>>>>>> RX packets 0 bytes 0 (0.0 B)
>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>> TX packets 10 bytes 732 (732.0 B)
>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>
>>>>>>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>>>>>>>> inet 127.0.0.1 netmask 255.0.0.0
>>>>>>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
>>>>>>>> loop txqueuelen 1 (Loopback Local)
>>>>>>>> RX packets 1162494 bytes 167041449 (159.3 MiB)
>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>> TX packets 1162494 bytes 167041449 (159.3 MiB)
>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>
>>>>>>>> [root@packetfence ~]#
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> [root@packetfence ~]# cat /usr/local/pf/conf/networks.conf
>>>>>>>> [192.168.3.0]
>>>>>>>> dns=192.168.3.2
>>>>>>>> dhcp_start=192.168.3.10
>>>>>>>> gateway=192.168.3.2
>>>>>>>> domain-name=vlan-isolation.scrivener.com.br
>>>>>>>> nat_enabled=disabled
>>>>>>>> named=enabled
>>>>>>>> dhcp_max_lease_time=30
>>>>>>>> fake_mac_enabled=disabled
>>>>>>>> dhcpd=enabled
>>>>>>>> dhcp_end=192.168.3.246
>>>>>>>> type=vlan-isolation
>>>>>>>> netmask=255.255.255.0
>>>>>>>> dhcp_default_lease_time=30
>>>>>>>>
>>>>>>>> [192.168.2.0]
>>>>>>>> dns=192.168.2.2
>>>>>>>> dhcp_start=192.168.2.10
>>>>>>>> gateway=192.168.2.2
>>>>>>>> domain-name=vlan-registration.scrivener.com.br
>>>>>>>> nat_enabled=disabled
>>>>>>>> named=enabled
>>>>>>>> dhcp_max_lease_time=30
>>>>>>>> fake_mac_enabled=disabled
>>>>>>>> dhcpd=enabled
>>>>>>>> dhcp_end=192.168.2.246
>>>>>>>> type=vlan-registration
>>>>>>>> netmask=255.255.255.0
>>>>>>>> dhcp_default_lease_time=30
>>>>>>>> [root@packetfence ~]#
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> [root@packetfence ~]# cat /usr/local/pf/conf/switches.conf
>>>>>>>> [172.16.0.50]
>>>>>>>> mode=production
>>>>>>>> defaultVlan=10
>>>>>>>> deauthMethod=RADIUS
>>>>>>>> description=SWITCH DELL - 172.16.0.50
>>>>>>>> type=Dell::N1500
>>>>>>>> radiusSecret=useStrongerSecret
>>>>>>>> SNMPVersion=2c
>>>>>>>>
>>>>>>>> #
>>>>>>>> # Copyright (C) 2005-2017 Inverse inc.
>>>>>>>> #
>>>>>>>> # See the enclosed file COPYING for license information (GPL).
>>>>>>>> # If you did not receive this file, see
>>>>>>>> # http://www.fsf.org/licensing/licenses/gpl.html
>>>>>>>> [192.168.0.1]
>>>>>>>> description=Test Switch
>>>>>>>> type=Cisco::Catalyst_2900XL
>>>>>>>> mode=production
>>>>>>>> uplink=23,24
>>>>>>>>
>>>>>>>> #SNMPVersion = 3
>>>>>>>> #SNMPEngineID = 0000000000000
>>>>>>>> #SNMPUserNameRead = readUser
>>>>>>>> #SNMPAuthProtocolRead = MD5
>>>>>>>> #SNMPAuthPasswordRead = authpwdread
>>>>>>>> #SNMPPrivProtocolRead = DES
>>>>>>>> #SNMPPrivPasswordRead = privpwdread
>>>>>>>> #SNMPUserNameWrite = writeUser
>>>>>>>> #SNMPAuthProtocolWrite = MD5
>>>>>>>> #SNMPAuthPasswordWrite = authpwdwrite
>>>>>>>> #SNMPPrivProtocolWrite = DES
>>>>>>>> #SNMPPrivPasswordWrite = privpwdwrite
>>>>>>>> #SNMPVersionTrap = 3
>>>>>>>> #SNMPUserNameTrap = readUser
>>>>>>>> #SNMPAuthProtocolTrap = MD5
>>>>>>>> #SNMPAuthPasswordTrap = authpwdread
>>>>>>>> #SNMPPrivProtocolTrap = DES
>>>>>>>> #SNMPPrivPasswordTrap = privpwdread
>>>>>>>> [192.168.1.0/24]
>>>>>>>> description=Test Range Switch
>>>>>>>> type=Cisco::Catalyst_2900XL
>>>>>>>> mode=production
>>>>>>>> uplink=23,24
>>>>>>>> [root@packetfence ~]#
>>>>>>>>
>>>>>>>>
>>>>>>>> Switch configuration follows:
>>>>>>>>
>>>>>>>> I followed the configuration in the manual; the model of my switch is
>>>>>>>> Dell N1548.
>>>>>>>> (https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_dell)
>>>>>>>>
>>>>>>>>
>>>>>>>> console#show running-config
>>>>>>>>
>>>>>>>> !Current Configuration:
>>>>>>>> !System Description "Dell Networking N1548, 6.2.6.6, Linux 3.6.5"
>>>>>>>> !System Software Version 6.2.6.6
>>>>>>>> !
>>>>>>>> configure
>>>>>>>> vlan 2-5,10,100
>>>>>>>> exit
>>>>>>>> vlan 2
>>>>>>>> name "Registration"
>>>>>>>> exit
>>>>>>>> vlan 3
>>>>>>>> name "Isolation"
>>>>>>>> exit
>>>>>>>> vlan 4
>>>>>>>> name "Mac detection"
>>>>>>>> exit
>>>>>>>> vlan 5
>>>>>>>> name "Guest"
>>>>>>>> exit
>>>>>>>> vlan 100
>>>>>>>> name "VoIP"
>>>>>>>> exit
>>>>>>>> stack
>>>>>>>> member 1 3 ! N1548
>>>>>>>> exit
>>>>>>>> interface vlan 1
>>>>>>>> ip address 172.16.0.50 255.255.255.0
>>>>>>>> exit
>>>>>>>> authentication enable
>>>>>>>> dot1x system-auth-control
>>>>>>>> aaa authentication dot1x default radius
>>>>>>>> aaa authorization network default radius
>>>>>>>> dot1x dynamic-vlan enable
>>>>>>>> voice vlan
>>>>>>>> aaa server radius dynamic-author
>>>>>>>> client 172.16.0.2 server-key "useStrongerSecret"
>>>>>>>> exit
>>>>>>>> radius-server host auth 172.16.0.2
>>>>>>>> name "PacketFence"
>>>>>>>> usage 802.1x
>>>>>>>> key "useStrongerSecret"
>>>>>>>> exit
>>>>>>>> !
>>>>>>>> interface Gi1/0/11
>>>>>>>> switchport mode trunk
>>>>>>>> switchport trunk allowed vlan 1-5,100
>>>>>>>> dot1x port-control force-authorized
>>>>>>>> exit
>>>>>>>> !
>>>>>>>> interface Gi1/0/13
>>>>>>>> switchport voice detect auto
>>>>>>>> switchport mode general
>>>>>>>> switchport access vlan 10
>>>>>>>> dot1x port-control mac-based
>>>>>>>> dot1x reauthentication
>>>>>>>> dot1x mac-auth-bypass
>>>>>>>> authentication order mab
>>>>>>>> authentication priority mab
>>>>>>>> lldp transmit-tlv sys-desc sys-cap
>>>>>>>> lldp transmit-mgmt
>>>>>>>> lldp notification
>>>>>>>> lldp med confignotification
>>>>>>>> voice vlan 100
>>>>>>>> exit
>>>>>>>> snmp-server engineid local 800002a203141877eaf0a0
>>>>>>>> snmp-server community "private" rw
>>>>>>>> snmp-server community "public" ro
>>>>>>>> exit
>>>>>>>>
>>>>>>>> console#
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I still do not understand where the error is. Any idea?
>>>>>>>>
>>>>>>>>
>>>>>>>> 2017-12-29 11:15 GMT-03:00 Fabrice Durand via PacketFence-users
>>>>>>>> <[email protected]>:
>>>>>>>>> Hello André,
>>>>>>>>>
>>>>>>>>> First you need to check on the switch side whether the MAC address of the
>>>>>>>>> device is in VLAN 300.
>>>>>>>>>
>>>>>>>>> Next, a registration VLAN is a VLAN managed by PacketFence, so you
>>>>>>>>> need to enable DHCP on VLAN 300 and 600.
>>>>>>>>> Another thing I can see is that the interface enp0s8.300 (VLAN 300)
>>>>>>>>> uses the network 172.17.0.0/24 and it should be 172.16.0.0/24 ?! (but
>>>>>>>>> enp0s8 uses this network).
>>>>>>>>>
>>>>>>>>> So in my opinion, you probably messed up the VLAN/interface config.
>>>>>>>>>
>>>>>>>>> If the enp0s8 interface is really on VLAN 300, then enp0s8.300 is
>>>>>>>>> useless and you probably have to use VLAN 301 as the registration
>>>>>>>>> network.
>>>>>>>>>
>>>>>>>>> Last thing, be sure that enp0s8 is plugged into a trunk port and be
>>>>>>>>> sure that you define all the VLANs in your switch configuration.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Le 2017-12-29 à 08:50, André Scrivener via PacketFence-users a écrit :
>>>>>>>>>> I'm configuring PF for VLAN enforcement, but I'm having a problem
>>>>>>>>>> where VLANs with their respective IPs are not being assigned. In the
>>>>>>>>>> logs it returns the correct VLANs, but does not apply them to the station.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
>>>>>>>>>> INFO: [mac:64:1c:67:82:7d:f2] handling radius autz request: from
>>>>>>>>>> switch_ip => (172.16.0.50), connection_type =>
>>>>>>>>>> WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac =>
>>>>>>>>>> [64:1c:67:82:7d:f2], port => 41, username => "641C67827DF2"
>>>>>>>>>> (pf::radius::authorize)
>>>>>>>>>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
>>>>>>>>>> INFO: [mac:64:1c:67:82:7d:f2] Instantiate profile default
>>>>>>>>>> (pf::Connection::ProfileFactory::_from_profile)
>>>>>>>>>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
>>>>>>>>>> INFO: [mac:64:1c:67:82:7d:f2] is of status unreg; belongs into
>>>>>>>>>> registration VLAN (pf::role::getRegistrationRole)
>>>>>>>>>> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
>>>>>>>>>> INFO: [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 300 to the
>>>>>>>>>> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to
>>>>>>>>>> reach min connections (3)
>>>>>>>>>> Dec 29 11:36:54 packtfence auth[7662]: rlm_rest (rest): Opening
>>>>>>>>>> additional connection (23), 1 of 62 pending slots used
>>>>>>>>>> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to
>>>>>>>>>> reach min connections (3)
>>>>>>>>>> Dec 29 11:36:54 packtfence auth[7662]: rlm_sql (sql): Opening
>>>>>>>>>> additional connection (25), 1 of 62 pending slots used
>>>>>>>>>> Dec 29 11:36:54 packtfence auth[7662]: [mac:64:1c:67:82:7d:f2]
>>>>>>>>>> Accepted user: and returned VLAN 300
>>>>>>>>>> Dec 29 11:36:54 packtfence auth[7662]: (44) Login OK: [641C67827DF2]
>>>>>>>>>> (from client 172.16.0.50 port 41 cli 64:1c:67:82:7d:f2)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> In the logs it returns the correct VLAN, but does not assign it to the
>>>>>>>>>> computer; it stubbornly assigns the network 172.16.0.0/24.
>>>>>>>>>>
>>>>>>>>>> I did not configure DHCP in PacketFence; when PacketFence returns a
>>>>>>>>>> VLAN, it is for it to get DHCP from my infrastructure. (So I imagine.)
>>>>>>>>>>
>>>>>>>>>> Some of my settings follow; it's okay to expose information since
>>>>>>>>>> it's a lab.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [root@packtfence ~]# ifconfig
>>>>>>>>>> SCRIVENER-b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>>>> inet 169.254.0.2 netmask 255.255.255.252 broadcast
>>>>>>>>>> 169.254.0.3
>>>>>>>>>> inet6 fe80::c8b5:5bff:febe:b1cc prefixlen 64 scopeid
>>>>>>>>>> 0x20<link>
>>>>>>>>>> ether ca:b5:5b:be:b1:cc txqueuelen 1000 (Ethernet)
>>>>>>>>>> RX packets 8 bytes 648 (648.0 B)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 8 bytes 648 (648.0 B)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>> enp0s3: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
>>>>>>>>>> ether 08:00:27:a3:36:2a txqueuelen 1000 (Ethernet)
>>>>>>>>>> RX packets 5668 bytes 8119227 (7.7 MiB)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 1260 bytes 80253 (78.3 KiB)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>> enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>>>> inet 172.16.0.2 netmask 255.255.255.0 broadcast
>>>>>>>>>> 172.16.0.255
>>>>>>>>>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid
>>>>>>>>>> 0x20<link>
>>>>>>>>>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>>>>>>>>>> RX packets 20960 bytes 4119093 (3.9 MiB)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 12227 bytes 21064744 (20.0 MiB)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>> enp0s8.300: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>>>> inet 172.17.0.2 netmask 255.255.255.0 broadcast
>>>>>>>>>> 172.17.0.255
>>>>>>>>>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid
>>>>>>>>>> 0x20<link>
>>>>>>>>>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>>>>>>>>>> RX packets 10 bytes 628 (628.0 B)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 14 bytes 900 (900.0 B)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>> enp0s8.301: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>>>> inet 172.19.0.2 netmask 255.255.255.0 broadcast
>>>>>>>>>> 172.19.0.255
>>>>>>>>>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid
>>>>>>>>>> 0x20<link>
>>>>>>>>>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>>>>>>>>>> RX packets 10 bytes 628 (628.0 B)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 14 bytes 900 (900.0 B)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>> enp0s8.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>>>>>>>> inet 172.18.0.2 netmask 255.255.255.0 broadcast
>>>>>>>>>> 172.18.0.255
>>>>>>>>>> inet6 fe80::a00:27ff:fef4:37f8 prefixlen 64 scopeid
>>>>>>>>>> 0x20<link>
>>>>>>>>>> ether 08:00:27:f4:37:f8 txqueuelen 1000 (Ethernet)
>>>>>>>>>> RX packets 10 bytes 628 (628.0 B)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 14 bytes 900 (900.0 B)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>>>>>>>>>> inet 127.0.0.1 netmask 255.0.0.0
>>>>>>>>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
>>>>>>>>>> loop txqueuelen 1 (Loopback Local)
>>>>>>>>>> RX packets 1567747 bytes 224694729 (214.2 MiB)
>>>>>>>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>>>>>>>> TX packets 1567747 bytes 224694729 (214.2 MiB)
>>>>>>>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [root@packtfence ~]# cat /usr/local/pf/conf/networks.conf
>>>>>>>>>> [172.17.0.0]
>>>>>>>>>> dns=172.17.0.2
>>>>>>>>>> dhcp_start=172.17.0.10
>>>>>>>>>> gateway=172.17.0.2
>>>>>>>>>> domain-name=vlan-registration.scrivener.com.br
>>>>>>>>>> nat_enabled=disabled
>>>>>>>>>> named=enabled
>>>>>>>>>> dhcp_max_lease_time=30
>>>>>>>>>> fake_mac_enabled=disabled
>>>>>>>>>> dhcpd=disabled
>>>>>>>>>> dhcp_end=172.17.0.246
>>>>>>>>>> type=vlan-registration
>>>>>>>>>> netmask=255.255.255.0
>>>>>>>>>> dhcp_default_lease_time=30
>>>>>>>>>>
>>>>>>>>>> [172.18.0.0]
>>>>>>>>>> dns=172.18.0.2
>>>>>>>>>> dhcp_start=172.18.0.10
>>>>>>>>>> gateway=172.18.0.2
>>>>>>>>>> domain-name=vlan-isolation.scrivener.com.br
>>>>>>>>>> nat_enabled=disabled
>>>>>>>>>> named=enabled
>>>>>>>>>> dhcp_max_lease_time=30
>>>>>>>>>> fake_mac_enabled=disabled
>>>>>>>>>> dhcpd=disabled
>>>>>>>>>> dhcp_end=172.18.0.246
>>>>>>>>>> type=vlan-isolation
>>>>>>>>>> netmask=255.255.255.0
>>>>>>>>>> dhcp_default_lease_time=30
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [root@packtfence ~]# cat /usr/local/pf/conf/switches.conf
>>>>>>>>>> #
>>>>>>>>>> # Copyright (C) 2005-2017 Inverse inc.
>>>>>>>>>> #
>>>>>>>>>> # See the enclosed file COPYING for license information (GPL).
>>>>>>>>>> # If you did not receive this file, see
>>>>>>>>>> # http://www.fsf.org/licensing/licenses/gpl.html
>>>>>>>>>> [default]
>>>>>>>>>> type=Dell::N1500
>>>>>>>>>> registrationVlan=300
>>>>>>>>>> isolationVlan=600
>>>>>>>>>> uplink=5
>>>>>>>>>> cliUser=[secret]
>>>>>>>>>> cliPwd=[secret]
>>>>>>>>>> cliEnablePwd=[secret]
>>>>>>>>>> #
>>>>>>>>>> # SNMP section
>>>>>>>>>> #
>>>>>>>>>> # PacketFence -> Switch
>>>>>>>>>> SNMPVersion=2c
>>>>>>>>>> #
>>>>>>>>>> # RADIUS NAS Client config
>>>>>>>>>> #
>>>>>>>>>> # RADIUS shared secret with switch
>>>>>>>>>> radiusSecret=teste123
>>>>>>>>>> CORPORATIVOVlan=301
>>>>>>>>>> uplink_dynamic=0
>>>>>>>>>>
>>>>>>>>>> [172.16.0.50]
>>>>>>>>>> mode=production
>>>>>>>>>> description=172.16.0.50
>>>>>>>>>> ExternalPortalEnforcement=Y
>>>>>>>>>> deauthMethod=Telnet
>>>>>>>>>> cliAccess=Y
>>>>>>>>>> defaultVlan=301
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Can anyone help? Please! My Christmas and New Year's Eve present.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Att,
>>>>>>>>>> Andre Scrivener
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Fabrice Durand
>>>>>>>>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>>>>>> PacketFence (http://packetfence.org)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Att
>>>>>>>> Andre
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Att
>>>>>>> Andre
>>>>>>
>>>>>> --
>>>>>> Fabrice Durand
>>>>>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>>>> (http://packetfence.org)
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Att
>>>>> Andre Scrivener
>>>>
>>>> --
>>>> Fabrice Durand
>>>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>> (http://packetfence.org)
>>>
>>>
>>>
>>> --
>>> Att,
>>> Andre Scrivener
>
>
>
> --
> Att
> Andre
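
Added example (not part of the original thread and not PacketFence code): a cross-check of the two things requested at the top of this message, the switch running-config and /usr/local/pf/conf/switches.conf, covering the deauthentication method and the RADIUS secrets discussed above. The file contents and secrets below are constructed samples, and treating [default] as the fallback for per-switch sections is an assumption.

```python
import configparser
import re

# Constructed sample inputs, modelled on the kinds of files quoted in this thread.
SWITCHES_CONF = """\
[default]
type=Dell::N1500
radiusSecret=labSecretA
SNMPVersion=2c

[172.16.0.50]
mode=production
description=SWITCH DELL - 172.16.0.50
deauthMethod=SNMP
"""

RUNNING_CONFIG = """\
configure
aaa server radius dynamic-author
client 172.16.0.2 server-key "labSecretB"
exit
radius-server host auth 172.16.0.2
name "PacketFence"
usage 802.1x
key "labSecretA"
exit
"""


def effective_switch(conf_text, switch_ip):
    """Return the switch's settings with [default] values underneath (assumed fallback)."""
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.optionxform = str  # keep key case (deauthMethod, radiusSecret)
    cp.read_string(conf_text)
    if not cp.has_section(switch_ip):
        return None
    merged = dict(cp["default"]) if cp.has_section("default") else {}
    merged.update(cp[switch_ip])
    return merged


def parse_dell_radius(running_config):
    """Extract RADIUS auth servers and dynamic-author clients as {ip: key} maps."""
    servers, coa_clients, block = {}, {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"radius-server host auth (\S+)", line)
        if m:
            block = ("server", m.group(1))
            servers[m.group(1)] = None
        elif line == "aaa server radius dynamic-author":
            block = ("coa", None)
        elif line == "exit":
            block = None
        elif block and block[0] == "server":
            m = re.match(r'key "?([^"]+)"?$', line)
            if m:
                servers[block[1]] = m.group(1)
        elif block and block[0] == "coa":
            m = re.match(r'client (\S+) server-key "?([^"]+)"?$', line)
            if m:
                coa_clients[m.group(1)] = m.group(2)
    return servers, coa_clients


def audit(conf_text, running_config, switch_ip, pf_ip):
    """Compare both sides; findings never echo the secrets themselves."""
    sw = effective_switch(conf_text, switch_ip)
    if sw is None:
        return [f"no [{switch_ip}] section in switches.conf"]
    servers, coa = parse_dell_radius(running_config)
    findings = []
    method = sw.get("deauthMethod", "(unset)")
    if method.upper() != "RADIUS":
        findings.append(f"deauthMethod is {method}, not RADIUS")
    secret = sw.get("radiusSecret")
    if pf_ip not in servers:
        findings.append(f"switch has no radius-server host auth {pf_ip}")
    elif servers[pf_ip] != secret:
        findings.append("radius-server key differs from radiusSecret")
    if pf_ip not in coa:
        findings.append(f"switch has no dynamic-author client {pf_ip}")
    elif coa[pf_ip] != secret:
        findings.append("dynamic-author server-key differs from radiusSecret")
    return findings


if __name__ == "__main__":
    for finding in audit(SWITCHES_CONF, RUNNING_CONFIG, "172.16.0.50", "172.16.0.2"):
        print("FINDING:", finding)
```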