Hello,
We managed to make PF process snmp links. However, the Netgear switch
doesn't support dynamic uplinks. We had to put the PF server port as an
uplink to make it work.
Registered machines are placed in their attributed VLAN and unregistered
ones in the registration VLAN. But when a machine (with an assigned
role) registers through the captive portal with a null source, this
shows up in the logs:
pfqueue(31167) INFO: [mac:] Username was NOT defined or unable to match a role - returning node based role 'guest' (pf::role::getRegisteredRole)
pfqueue(31167) INFO: [mac:] PID: "default", Status: reg Returned VLAN: (undefined), Role: guest (pf::role::fetchRoleForNode)
where "guest" is the role set in the null source action (but not in the
node params). We don't understand how to register a machine through the
captive portal with a role (VLAN) set on the 'Nodes' config panel and
not on the null source.
The next trouble is as we expected: our switches are not fully
supported. snmp traps are good but we always get this error when PF
modifies VLANs:
pfqueue(31167) WARN: [mac:] couldn't get MAC at ifIndex 27. This is a problem. (pf::Switch::_getMacAtIfIndex)
It happens with any ifIndex. The switch log says it struggles to modify
VLANs, even if it succeeds.
Also, when flipping VLANs, the switch randomly sets the concerned port as
tagged, which makes DHCP fail. To make it work properly, I have to
untag the PF port, untag the node port, and tag the PF port again. And
sometimes DHCP fails even with the node port untagged. I have to flip
the port to tagged and untagged to fix it. It is frustrating because we
can't figure out whether it's only caused by the switch or if PF is badly
configured somewhere.
Regards
On 27/11/2018 14:59, Ludovic Zammit wrote:
Hello Mehdi
Unfortunately those two features, the test mode and MAC detection, are
old features, so it is normal that they are not working correctly on
the previous versions.
Try to switch it to production mode and see if it changes.
As Fabrice said, you will need to enable the snmptrapd service and
you should see activity in the packetfence.log.
Thanks,
On Nov 26, 2018, at 11:14 AM, Mehdi-Gabriel Mjahad via PacketFence-users <[email protected]> wrote:
Hello again,
We enabled pfqueue workers and after putting the PF switch in testing
mode, it became more talkative in packetfence.log.
First we got:
pfqueue: pfqueue(19814) ERROR: [mac:unknown] WARNING ! Unknown switch(es) 10.0.98.254 (pf::SwitchFactory::instantiate)
where 98 is the MAC detection VLAN. So we changed the PF switch IP to
10.0.98.254 (was 10.0.97.254).
Then, we got:
pfqueue: pfqueue(21932) WARN: [mac:] Can't determine Uplinks for the switch (10.0.98.254) -> do nothing (pf::role::doWeActOnThisTrap)
pfqueue: pfqueue(21932) INFO: [mac:] doWeActOnThisTrap returns false. Stop down handling (pf::task::pfsnmp::handleTrap)
pfqueue: pfqueue(21932) WARN: [mac:] Warning: for switch 10.0.98.254, 'uplink = Dynamic' in config file but this is not supported ! (pf::Switch::getUpLinks)
So we disabled dynamic uplinks and manually entered the first 9
switch ports (those are the ones where test clients are often connected).
Then we got:
pfqueue: pfqueue(21929) INFO: [mac:] up trap received on (10.0.98.254) ifindex 1 which is uplink and we don't manage uplinks (pf::role::doWeActOnThisTrap)
pfqueue: pfqueue(21929) INFO: [mac:] doWeActOnThisTrap returns false. Stop up handling (pf::task::pfsnmp::handleTrap)
Here's a log from snmptrapd.log:
2018-11-26|15:41:59|UDP: [10.0.98.254]:51211->[10.0.98.252]:162|192.168.75.16|BEGIN TYPE 3 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS .1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1|.1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1)|.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1) END VARIABLEBINDINGS
The up trap is on the correct port (#1).
And here we are: PF doesn't seem to react any further. We can't figure
out whether the switch ports must initially be in the MAC detection VLAN
(98) or not. We can manually send SNMP queries and get responses from
the switch with snmpwalk and pfcmd_vlan.
Also, packetfence.log is flooded with this error:
pfqueue: pfqueue(23658) ERROR: [mac:unknown] Error handling process_dhcpv6 : length/code after end of string in unpack at /usr/local/pf/lib/pf/util/dhcpv6.pm line 115. (pf::api::can_fork::notify)
We can't determine if it's related to our troubles.
Regards,
Mehdi
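As an added illustration (not code from the thread or from PacketFence itself), here is a small Python parser for the snmptrapd.log record format quoted above, followed by the three checks the pfqueue log lines show being applied before a trap is acted on: unknown switch, dynamic uplinks, and a trap arriving on a declared uplink. The field layout, the decision strings and the constructed linkDown record are assumptions for this example; note that with ports 1-9 declared as uplinks, the linkUp on ifIndex 1 is ignored by design.

```python
import re

# SNMPv1 generic-trap codes (RFC 1157): 2 = linkDown, 3 = linkUp.
LINK_DOWN, LINK_UP = 2, 3
IF_INDEX_OID = ".1.3.6.1.2.1.2.2.1.1."  # IF-MIB ifIndex column

# Field layout of one snmptrapd.log record as quoted in the thread (assumed fixed).
LINE_RE = re.compile(
    r"^[^|]+\|[^|]+\|UDP: \[(?P<src>[^\]]+)\]:\d+->\[[^\]]+\]:\d+\|[^|]*"
    r"\|BEGIN TYPE (?P<type>\d+) END TYPE BEGIN SUBTYPE \d+ END SUBTYPE"
    r" BEGIN VARIABLEBINDINGS (?P<varbinds>.*) END VARIABLEBINDINGS$"
)

def parse_trap(line):
    """Return {"switch", "kind", "if_index"} for a linkUp/linkDown record, else None."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group("type")) not in (LINK_DOWN, LINK_UP):
        return None
    for binding in m.group("varbinds").split("|"):
        oid, _, value = binding.partition(" = ")  # value looks like "INTEGER: 1"
        if oid.startswith(IF_INDEX_OID):
            return {"switch": m.group("src"),
                    "kind": "up" if int(m.group("type")) == LINK_UP else "down",
                    "if_index": int(value.split(":", 1)[1])}
    return None  # a link trap without an ifIndex varbind cannot be mapped to a port

def decide(trap, switches):
    """Mirror the doWeActOnThisTrap checks visible in the thread's log lines.
    switches maps switch IP -> set of uplink ifIndexes, or the string "dynamic"."""
    if trap["switch"] not in switches:
        return "ignore: unknown switch"
    uplinks = switches[trap["switch"]]
    if uplinks == "dynamic":
        return "ignore: dynamic uplinks not supported"
    if trap["if_index"] in uplinks:
        return "ignore: uplink port, uplinks are not managed"
    return "handle link%s on ifIndex %d" % (trap["kind"], trap["if_index"])

# Switch as configured in the thread: dynamic uplinks off, ports 1-9 declared as uplinks.
SWITCHES = {"10.0.98.254": set(range(1, 10))}

# The record quoted in the thread (rejoined onto one line) and a constructed linkDown on port 12.
PAGE_RECORD = ("2018-11-26|15:41:59|UDP: [10.0.98.254]:51211->[10.0.98.252]:162|192.168.75.16"
               "|BEGIN TYPE 3 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS "
               ".1.3.6.1.2.1.2.2.1.1.1 = INTEGER: 1|.1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1)"
               "|.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1) END VARIABLEBINDINGS")
DOWN_RECORD = ("2018-11-26|15:42:10|UDP: [10.0.98.254]:51211->[10.0.98.252]:162|192.168.75.16"
               "|BEGIN TYPE 2 END TYPE BEGIN SUBTYPE 0 END SUBTYPE BEGIN VARIABLEBINDINGS "
               ".1.3.6.1.2.1.2.2.1.1.12 = INTEGER: 12|.1.3.6.1.2.1.2.2.1.7.12 = INTEGER: up(1)"
               "|.1.3.6.1.2.1.2.2.1.8.12 = INTEGER: down(2) END VARIABLEBINDINGS")
```

Running `decide(parse_trap(...), SWITCHES)` over a real snmptrapd.log shows which traps are skipped only because their port sits in the uplink list.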
On 15/11/2018 03:09, Durand fabrice via PacketFence-users wrote:
Hello Mehdi,
First you need to enable the service snmptrapd.
Next step is to enable the pfsnmp queue, to do that edit
pfqueue.conf and add that:
#
# pfsnmp queue configuration
#
[queue pfsnmp]
#
# The weight of queue among shared workers
#
weight=4
#
# The number of dedicated workers for queue
#
workers=2
#
# pfsnmp_parsing queue configuration
#
[queue pfsnmp_parsing]
#
# The weight of queue among shared workers
#
weight=2
#
# The number of dedicated workers for queue
#
workers=2
Next do a pfcmd configreload hard then restart packetfence.
Regards
Fabrice
On 14/11/2018 04:37, Mehdi-Gabriel Mjahad via PacketFence-users wrote:
Hello again,
We've set up a test network (one server, two clients and a Netgear
GS748T switch), installed PF and imported some nodes. The switch is
configured to send traps to a PF interface. However, they are never
processed by PF. We can see them arrive at the server with tshark
or tcpdump but nothing else happens. snmptrapd.log and
packetfence.log are silent about any trap-related event. snmptrapd
is running and iptables is allowing port 162. PF is running on
CentOS 7.
Maybe the PF network configuration is wrong:
Interface          VLAN    Address          Type
p4p1      switch   VLAN99  10.0.99.100/24   Management (where traps should be received)
p4p1.98   switch   VLAN98  10.0.98.252/24   Mac Detection
p4p1.97   switch   VLAN97  10.0.97.252/24   Registration
p4p1.96   switch   VLAN96  10.0.96.252/24   Isolation
p4p1.30   switch   VLAN30  10.0.30.252/24   for authorized clients
Maybe trap configuration is wrong:
public read-write 10.0.99.100/24
trap 10.0.99.100/24 port 162
Maybe the switch is not properly supported by PF. We're planning to
renew our switches next year.
Or are we totally missing something in the PF config?
Regards
On 08/11/2018 19:52, Ludovic Zammit wrote:
Hello Mehdi,
Import all your MAC addresses using a CSV file under Node > Create.
It will register all the MAC addresses and during the import you
will need to assign a role.
MAB, MAC authentication bypass, is a RADIUS method. I think you
want to use SNMP, which is most commonly called Port-Security, using a
trap security event.
Thanks,
Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
On Nov 8, 2018, at 11:35 AM, mehdi.mjahad--- via PacketFence-users <[email protected]> wrote:
Hi,
We're trying to setup a wired MAC-based authorization system to
dynamically assign VLANs. We don't want to use RADIUS (not
suitable for our needs), just MAB.
We don't have any AD but already have a list of all MAC addresses,
which may be formatted to any format if needed.
We thought PacketFence would be a great solution. The website
(and the documentation) describes a perfectly suitable solution for
our existing infrastructure: Link Change SNMP Traps:
https://packetfence.org/about.html#/vlan
Our switches are Netgear GS748T (no Cisco in our infra) which
only support LinkUp/Down Traps. And since they're the same family
as the documented GS110 switch, we thought they would be usable
with PF.
We installed PF in Bypass mode but we can't figure out how to
implement the solution. The main trouble is we can't figure out
where to fill our MAC list into PF.
Do we need to create a VLAN filter for each MAC? We're a bit
lost since we're PF beginners and we would be thankful for some help.
Regards
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users