Hello Mehdi

Unfortunately those two features, the test mode and Mac detection, are old 
features so it will be normal that it's not working correctly on the previous 
versions.

Try to switch it to production mode and see if it changed.

As Fabrice said, you will need to enable the snmptrapd service and you should 
see activity in the packetfence.log

Thanks,


> On Nov 26, 2018, at 11:14 AM, Mehdi-Gabriel Mjahad via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hello again,
> 
> We enabled pfqueue workers and after putting the PF switch in testing mode, 
> it became more talkative in packetfence.log.
> 
> First we got:
> pfqueue: pfqueue(19814) ERROR: [mac:unknown] WARNING ! Unknown switch(es) 
> 10.0.98.254 (pf::SwitchFactory::instantiate)
> where 98 is the Mac detection vlan. So we changed the PF switch IP to 
> 10.0.98.254 (was 10.0.97.254).
> 
> Then, we got:
> pfqueue: pfqueue(21932) WARN: [mac:] Can't determine Uplinks for the switch 
> (10.0.98.254) -> do nothing (pf::role::doWeActOnThisTrap)
> pfqueue: pfqueue(21932) INFO: [mac:] doWeActOnThisTrap returns false. Stop 
> down handling (pf::task::pfsnmp::handleTrap)
> pfqueue: pfqueue(21932) WARN: [mac:] Warning: for switch 10.0.98.254, 'uplink 
> = Dynamic' in config file but this is not supported ! (pf::Switch::getUpLinks)
> So we disabled dynamic uplinks and manually entered the 9 first switch ports 
> (those are ones where test clients are often connected).
> 
> Then we got:
> pfqueue: pfqueue(21929) INFO: [mac:] up trap received on (10.0.98.254) 
> ifindex 1 which is uplink and we don't manage uplinks 
> (pf::role::doWeActOnThisTrap)
> pfqueue: pfqueue(21929) INFO: [mac:] doWeActOnThisTrap returns false. Stop up 
> handling (pf::task::pfsnmp::handleTrap)
> 
> Here's a log from snmptrapd.log:
> 2018-11-26|15:41:59|UDP: 
> [10.0.98.254]:51211->[10.0.98.252]:162|192.168.75.16|BEGIN TYPE 3 END TYPE 
> BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.2.2.1.1.1 = 
> INTEGER: 1|.1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1)|.1.3.6.1.2.1.2.2.1.8.1 = 
> INTEGER: up(1) END VARIABLEBINDINGS
> The up trap is on the correct port (#1).
> 
> And we're here, PF doesn't seem to react more. We can't figure if the switch 
> ports must be at first in Mac detection vlan (98) or not. We can manually 
> send SNMP queries and get responses from the switch with snmpwalk and 
> pfcmd_vlan.
> 
> Also, packetfence.log is flooded with this error:
> pfqueue: pfqueue(23658) ERROR: [mac:unknown] Error handling process_dhcpv6 : 
> length/code after end of string in unpack at 
> /usr/local/pf/lib/pf/util/dhcpv6.pm line 115. (pf::api::can_fork::notify)
> We can't determine if it's related with our troubles.
> 
> Regards,
> 
> Mehdi
> 
> On 15/11/2018 03:09, Durand fabrice via PacketFence-users wrote:
>> Hello Mehdi,
>> 
>> first you need to enable the service snmptrapd.
>> 
>> Next step is to enable the pfsnmp queue, to do that edit pfqueue.conf and 
>> add that:
>> 
>> #
>> # pfsnmp queue configuration
>> #
>> [queue pfsnmp]
>> #
>> # The weight of queue among shared workers
>> #
>> weight=4
>> #
>> # The number of dedicated workers for queue
>> #
>> workers=2
>> 
>> #
>> # pfsnmp_parsing queue configuration
>> #
>> [queue pfsnmp_parsing]
>> #
>> # The weight of queue among shared workers
>> #
>> weight=2
>> #
>> # The number of dedicated workers for queue
>> #
>> workers=2
>> 
>> 
>> 
>> Next do a pfcmd configreload hard then restart packetfence.
>> 
>> Regards
>> 
>> Fabrice
>> 
>> 
>> 
>> On 18-11-14 at 04:37, Mehdi-Gabriel Mjahad via PacketFence-users wrote:
>>> Hello again,
>>> 
>>> We've set up a test network (one server, two clients and a Netgear GS748T 
>>> switch), installed PF and imported some nodes. The switch is configured to 
>>> send traps to a PF interface. However, they are never processed by PF. We 
>>> can see them arrive at the server with tshark or tcpdump but nothing else 
>>> happens. snmptrapd.log and packetfence.log are silent about any 
>>> traps-related event. snmptrapd is running and iptables is allowing port 
>>> 162. PF is running on CentOS 7.
>>> 
>>> Maybe the PF network configuration is wrong:
>>> Interface  VLAN             Address           Type
>>> p4p1       switch VLAN99    10.0.99.100/24    Management -> where traps should be received
>>> p4p1.98    switch VLAN98    10.0.98.252/24    Mac Detection
>>> p4p1.97    switch VLAN97    10.0.97.252/24    Registration
>>> p4p1.96    switch VLAN96    10.0.96.252/24    Isolation
>>> p4p1.30    switch VLAN30    10.0.30.252/24    for authorized clients
>>> 
>>> Maybe trap configuration is wrong:
>>> public    read-write    10.0.99.100/24
>>> trap                    10.0.99.100/24   port 162
>>> 
>>> Maybe the switch is not properly supported by PF. We're planning to renew 
>>> our switches next year.
>>> 
>>> Or are we totally missing something in the PF config ?
>>> 
>>> Regards
>>> 
>>> 
>>> 
>>> On 08/11/2018 19:52, Ludovic Zammit wrote:
>>>> Hello Mehdi,
>>>> 
>>>> Import all your Mac using a CSV file under Node > Create.
>>>> 
>>>> It will register all the Mac address and during the import you will need 
>>>> to assign a role.
>>>> 
>>>> MAB, Mac authentication bypass, is a RADIUS method. I think you want to use 
>>>> SNMP, which is most commonly called Port-Security using a trap security event.
>>>> 
>>>> Thanks,
>>>> Ludovic Zammit
>>>> lzam...@inverse.ca <mailto:lzam...@inverse.ca> ::  +1.514.447.4918 (x145) 
>>>> ::  www.inverse.ca <http://www.inverse.ca/>
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
>>>> <http://www.sogo.nu/>) and PacketFence (http://packetfence.org 
>>>> <http://packetfence.org/>) 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On Nov 8, 2018, at 11:35 AM, mehdi.mjahad--- via PacketFence-users 
>>>>> <packetfence-users@lists.sourceforge.net 
>>>>> <mailto:packetfence-users@lists.sourceforge.net>> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> We're trying to setup a wired MAC-based authorization system to 
>>>>> dynamically assign VLANs. We don't want to use RADIUS (not suitable for 
>>>>> our needs), just MAB.
>>>>> We don't have any AD but already have a list of all MAC addresses, which may 
>>>>> be formatted to any format if needed.
>>>>> We thought PacketFence would be a great solution. The website (and the 
>>>>> documentation) describes a perfect suitable solution for our existing 
>>>>> infrastructure: Link Change SNMP Traps:
>>>>> https://packetfence.org/about.html#/vlan 
>>>>> <https://packetfence.org/about.html#/vlan>
>>>>> Our switches are Netgear GS748T (no Cisco in our infra) which only 
>>>>> support LinkUp/Down Traps. And since they're in the same family as the 
>>>>> documented GS110 switch, we thought they would be usable with PF.
>>>>> We installed PF in Bypass mode but we can't figure how to implement the 
>>>>> solution. The main trouble is we can't figure out where to fill our MAC 
>>>>> list into PF.
>>>>> Do we need to create a VLAN filter for each MAC ? We're a bit lost since 
>>>>> we're PF beginners and we would be thankful for some help.
>>>>> 
>>>>> Regards
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> PacketFence-users@lists.sourceforge.net 
>>>>> <mailto:PacketFence-users@lists.sourceforge.net>
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users 
>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
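
The two rejections reported in this thread (a trap whose source address matches no configured switch, and a trap whose ifIndex is in the switch's uplink list) can be checked offline against snmptrapd.log. This is an added example, not PacketFence code: `parse_trap`, `triage` and the `switches` mapping are hypothetical names, and the sample is the log line quoted in the thread, re-joined onto one line.

```python
import re

# Constructed from the snmptrapd.log line quoted in the thread (re-joined).
SAMPLE = ("2018-11-26|15:41:59|UDP: [10.0.98.254]:51211->[10.0.98.252]:162|"
          "192.168.75.16|BEGIN TYPE 3 END TYPE BEGIN SUBTYPE 0 END SUBTYPE "
          "BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1|"
          ".1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1)|"
          ".1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1) END VARIABLEBINDINGS")

IF_INDEX = ".1.3.6.1.2.1.2.2.1.1."   # IF-MIB ifIndex column
IF_OPER = ".1.3.6.1.2.1.2.2.1.8."    # IF-MIB ifOperStatus column
GENERIC = {"2": "down", "3": "up"}   # SNMPv1 generic traps linkDown / linkUp


def parse_trap(line):
    """Extract source switch, trap direction, ifIndex and ifOperStatus."""
    src = re.search(r"UDP: \[([0-9.]+)\]:\d+->", line)
    typ = re.search(r"BEGIN TYPE (\d+) END TYPE", line)
    body = re.search(r"BEGIN VARIABLEBINDINGS (.*?) END VARIABLEBINDINGS", line)
    if not (src and typ and body):
        raise ValueError("not a trap line in the expected format")
    binds = {}
    for vb in body.group(1).split("|"):
        oid, _, value = vb.partition(" = ")
        binds[oid.strip()] = value.split(": ", 1)[-1].strip()
    ifindex = next((int(v) for o, v in binds.items()
                    if o.startswith(IF_INDEX)), None)
    oper = next((v for o, v in binds.items() if o.startswith(IF_OPER)), None)
    return {"switch": src.group(1), "trap": GENERIC.get(typ.group(1), "other"),
            "ifindex": ifindex, "oper": oper}


def triage(line, switches):
    """switches maps switch IP -> set of uplink ifIndexes (stand-in for the
    switch configuration; not read from PacketFence itself)."""
    trap = parse_trap(line)
    if trap["switch"] not in switches:
        return "unknown-switch"      # source IP is not a configured switch
    if trap["ifindex"] is None:
        return "no-ifindex"
    if trap["ifindex"] in switches[trap["switch"]]:
        return "uplink-ignored"      # port is listed as an uplink
    return "candidate"               # passes both checks shown here


if __name__ == "__main__":
    print(triage(SAMPLE, {"10.0.98.254": set(range(1, 10))}))
```

With the switch declared as 10.0.97.254 the sample line yields `unknown-switch`; with ports 1 to 9 listed as uplinks it yields `uplink-ignored`, matching the two log messages in the thread.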
