Tobias,
> Just go into the Audit Log or Node Tab, select the device, set the State to registered and choose the desired role :) Reevaluate access or restart Switchport => You should get the specified rule.

I had tried this before and it was not working. Maybe because it was a VoIP device PacketFence did not assign the VLAN. When I tried it on another device that is not VoIP, it worked. Thanks for the help!

--
ANTON CASTELLI
Network Engineer IV
INFORMATION TECHNOLOGY
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901
[email protected]
P: 618/453-6424
OIT.SIU.EDU <http://oit.siu.edu/networkengineering>

________________________________
From: Tobias Friede <[email protected]>
Sent: Tuesday, December 11, 2018 12:39:20 AM
To: Anton Castelli
Cc: [email protected]
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

> Thanks for the information on the switch config. We are considering a support subscription, however we are still in the demo/testing/evaluation phase.

You are welcome :)

> Fabrice,
>
> Thanks for the patch. I think the critical part was the "getVoipVsa" function returning the "device-traffic-class=voice" RADIUS attribute. I had also been in contact with Dell support about the VoIP phone being assigned to the default (data) VLAN. They suggested sending this attribute. Apparently it is supported since the 6.5 version of DNOS. I was actually working on a pull request with this added to the Dell::N1500 object. Should I continue with that pull request or will the update be included in the next version of PacketFence?
>
> Also, see issue 3479 <https://github.com/inverse-inc/packetfence/issues/3479> on GitHub. I did not submit it, but it seems relevant.

I thought that this is already included in GitHub .... It's my post.....

> Although this solves the issue with VoIP devices, we still would like to be able to assign VLANs to other non-802.1x devices. There are many types of devices that do not support 802.1x, but we still want to be able to assign a VLAN to them, even if we have to set the role manually. For example, printers/scanners/copiers, network TVs, game consoles, etc. So, the question still remains: How do we assign a VLAN to a MAB device?

Just go into the Audit Log or Node Tab, select the device, set the State to registered and choose the desired role :) Reevaluate access or restart Switchport => You should get the specified rule.

Tobias

From: Tobias Friede via PacketFence-users <[email protected]>
Sent: Saturday, December 8, 2018 3:47:48 AM
To: [email protected]
Cc: Tobias Friede
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

I can say that the N2000 Series from DELL should work pretty well with PacketFence. We had tested exactly that switch model with PacketFence and solved some issues together with Inverse a few months ago (Support Subscription is pretty useful ;) )

The config written in the PacketFence documentation doesn't fit the actual Dell OS... especially the MAB Config.

Here is my well-tested DELL Config:

    aaa accounting dot1x default start-stop radius
    authentication enable
    dot1x system-auth-control
    aaa authentication dot1x default radius
    aaa authorization network default radius
    dot1x dynamic-vlan enable
    aaa server radius dynamic-author
    client <PF-IP> server-key 7 "XXX"
    exit
    radius server auth <PF-IP>
    name "PacketFence"
    usage 802.1x
    key 7 "XXX"
    exit
    radius server acct <PF-IP>
    name "Default-RADIUS-Server"
    key 7 "XXX"
    exit
    radius server vsa send authentication
    ip ssh server

AND ON ALL NAC INTERFACES

    switchport mode general
    dot1x port-control mac-based
    dot1x reauthentication
    dot1x timeout guest-vlan-period 10
    dot1x unauth-vlan 931
    mab
    default mab pap
    authentication order dot1x mab
    authentication priority dot1x
    lldp tlv-select system-description system-capabilities
    lldp notification
    lldp med confignotification
    switchport voice vlan 205

On Fri, Dec 7, 2018 at 16:50, Anton Castelli via PacketFence-users <[email protected]> wrote:

Fabrice,

I've attached the relevant part of the packetfence.log. Some of the information has been masked. The MAC "35:aa" is a laptop with the 802.1x supplicant configured with a username and password from our Active Directory. The MAC "39:46" is a VoIP phone with no 802.1x capability that is falling back to MAB authentication.

Ludovic,

In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when I added it to Packetfence. I also have a Cisco 2960 that I can test with.

Thanks,
--
ANTON CASTELLI

________________________________
From: Ludovic Zammit <[email protected]>
Sent: Friday, December 7, 2018 6:46:07 AM
To: Anton Castelli
Cc: [email protected]
Subject: Re: [PacketFence-users] VLAN Assignment for MAB clients

Hello Anton,

Which kind of switch / network equipment are you using for the authentication?

Thanks,

Ludovic Zammit
[email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users <[email protected]> wrote:

I'm pretty new to Packetfence. I have a demo server set up and working. It authenticates 802.1x clients against our Active Directory, can assign them a role based on their LDAP group, and can assign them a VLAN based on their role.

Non-802.1x devices that fall back to MAB can also authenticate once I've manually registered the device. I can also set a role manually for the device. However, the VLAN assignment for that role is not passed back to the switch. I've confirmed that the VLAN assignment for that role is working. I put an 802.1x client in that role and the VLAN assignment works. A MAB client in the same role on the same switch will not have a VLAN assignment passed back to the switch.

RADIUS response for 802.1x client:
<8021x.png>

RADIUS response for MAB client:
<mab.png>

Is there a way to configure Packetfence to assign a VLAN on the switch for a MAB client?

Thanks,
--
ANTON CASTELLI
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
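
Added example, not part of the original thread and not PacketFence code: a small Python parser that checks whether a RADIUS Access-Accept carries the three tunnel attributes a switch needs for dynamic VLAN assignment (RFC 3580), which is the difference between the 802.1x and MAB replies described in the thread. The packets are constructed samples, VLAN 100 is invented, and sending "device-traffic-class=voice" as a Cisco-AVPair VSA is an assumption; the thread names only the attribute string.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID, VENDOR_SPECIFIC = 64, 65, 81, 26
VLAN, IEEE_802 = 13, 6     # RFC 3580 values that make a tunnel group ID a VLAN
CISCO, AVPAIR = 9, 1       # assumption: the voice hint is sent as a Cisco-AVPair VSA
VOICE = b"device-traffic-class=voice"

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value
def accept(*attrs):        # constructed Access-Accept, zeroed authenticator (not a capture)
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, 1, 20 + len(body), bytes(16)) + body
def vlan_attrs(vlan_id):   # to_bytes(4) = tag byte 0x00 followed by the 24-bit value
    return [attr(TUNNEL_TYPE, VLAN.to_bytes(4, "big")),
            attr(TUNNEL_MEDIUM, IEEE_802.to_bytes(4, "big")), attr(TUNNEL_PGID, vlan_id.encode())]

def parse(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, attrs

def vlan_decision(packet):  # what the switch can act on: accept flag, VLAN or None, voice hint
    code, attrs = parse(packet)
    seen, voice = {}, False
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(val) == 4:
            seen[atype] = int.from_bytes(val[1:], "big")      # skip the tag byte
        elif atype == TUNNEL_PGID and val:
            seen[atype] = (val[1:] if val[0] <= 0x1F else val).decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and len(val) >= 6:
            if int.from_bytes(val[:4], "big") == CISCO and val[4] == AVPAIR:
                voice = voice or val[6:4 + val[5]] == VOICE
    ok = seen.get(TUNNEL_TYPE) == VLAN and seen.get(TUNNEL_MEDIUM) == IEEE_802
    return {"accept": code == ACCESS_ACCEPT, "voice": voice,
            "vlan": seen.get(TUNNEL_PGID) if ok else None}

# Constructed samples: VLAN 100 is invented; 205 is the voice VLAN in the switch config.
DOT1X_REPLY = accept(*vlan_attrs("100"))
MAB_REPLY = accept()   # accepted but no tunnel attributes, so no VLAN reaches the switch
VOIP_REPLY = accept(*vlan_attrs("205"), attr(
    VENDOR_SPECIFIC, CISCO.to_bytes(4, "big") + bytes([AVPAIR, len(VOICE) + 2]) + VOICE))
```

A reply that returns "vlan": None with "accept": True matches the symptom reported for the MAB client: authentication succeeds but the port stays in its default VLAN.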
