Hi,

>
> *Just go into the Audit Log or Node Tab, select the device, set the State
> to registered and choose the desired role :)*
> *Reevaluate access or restart Switchport => You should get the specified
> rule.*
>
> I had tried this before and it was not working. Maybe because it was a
> VoIP device PacketFence did not assign the VLAN. When I tried it on another
> device that is not VoIP, it worked.
>

Correct, if a device is detected as a voice device, PacketFence only sends the VSA and the switch puts the device in the configured voice VLAN.

> Thanks for the help!
>

You are welcome :)

------------------------------
> *From:* Tobias Friede <[email protected]>
> *Sent:* Tuesday, December 11, 2018 12:39:20 AM
> *To:* Anton Castelli
> *Cc:* [email protected]
> *Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
>
> Thanks for the information on the switch config. We are considering a
> support subscription, however we are still in the demo/testing/evaluation
> phase.
>
> You are welcome :)
>
> Fabrice,
>
> Thanks for the patch.
>
> I think the critical part was the "getVoipVsa" function returning the
> "device-traffic-class=voice" RADIUS attribute. I had also been in contact
> with Dell support about the VoIP phone being assigned to the default (data)
> VLAN. They suggested sending this attribute. Apparently it is supported
> since the 6.5 version of DNOS. I was actually working on a pull request
> with this added to the Dell::N1500 object. Should I continue with that pull
> request or will the update be included in the next version of PacketFence?
> Also, see issue 3479
> <https://github.com/inverse-inc/packetfence/issues/3479>
> on GitHub. I did not submit it, but it seems relevant.
>
> I thought that this is already included in GitHub ....
> It's my post.....
>
> Although this solves the issue with VoIP devices, we still would like to
> be able to assign VLANs to other non-802.1x devices. There are many types
> of devices that do not support 802.1x, but we still want to be able to
> assign a VLAN to them, even if we have to set the role manually. For
> example, printers/scanners/copiers, network TVs, game consoles, etc.
>
> So, the question still remains: How do we assign a VLAN to a MAB device?
>
> Just go into the Audit Log or Node Tab, select the device, set the State
> to registered and choose the desired role :)
> Reevaluate access or restart Switchport => You should get the specified
> rule.
>
> Tobias
>
> *From:* Tobias Friede via PacketFence-users <[email protected]>
> *Sent:* Saturday, December 8, 2018 3:47:48 AM
> *To:* [email protected]
> *Cc:* Tobias Friede
> *Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
>
> I can say that the N2000 Series from DELL should work pretty well with
> PacketFence.
> We had tested exactly that switch model with PacketFence and solved some
> issues together with Inverse a few months ago (Support Subscription is
> pretty useful ;) )
>
> The config written in the PacketFence documentation doesn't fit the
> actual Dell OS... especially the MAB Config.
>
> *Here is my well tested DELL Config:*
> aaa accounting dot1x default start-stop radius
> authentication enable
> dot1x system-auth-control
> aaa authentication dot1x default radius
> aaa authorization network default radius
> dot1x dynamic-vlan enable
>
> aaa server radius dynamic-author
> client <PF-IP> server-key 7 "XXX"
> exit
>
> radius server auth <PF-IP>
> name "PacketFence"
> usage 802.1x
> key 7 "XXX"
> exit
>
> radius server acct <PF-IP>
> name "Default-RADIUS-Server"
> key 7 "XXX"
> exit
>
> radius server vsa send authentication
> ip ssh server
>
> *AND ON ALL NAC INTERFACES*
>
> switchport mode general
> dot1x port-control mac-based
> dot1x reauthentication
> dot1x timeout guest-vlan-period 10
> dot1x unauth-vlan 931
> mab
> default mab pap
> authentication order dot1x mab
> authentication priority dot1x
> lldp tlv-select system-description system-capabilities
> lldp notification
> lldp med confignotification
> switchport voice vlan 205
>
> On Fri, Dec 7, 2018 at 16:50, Anton Castelli via
> PacketFence-users <[email protected]> wrote:
>
> Fabrice,
>
> I've attached the relevant part of the packetfence.log. Some of the
> information has been masked. The MAC "35:aa" is a laptop with the 802.1x
> supplicant configured with a username and password from our Active
> Directory. The MAC "39:46" is a VoIP phone with no 802.1x capability that
> is falling back to MAB authentication.
>
> Ludovic,
>
> In this case it is a Dell N2024P and I'm using the "Dell::N1500" type when
> I added it to PacketFence. I also have a Cisco 2960 that I can test with.
>
> Thanks,
>
> --
> ANTON CASTELLI
> Network Engineer IV
>
> INFORMATION TECHNOLOGY
> MAIL CODE 4622
> SOUTHERN ILLINOIS UNIVERSITY
> 625 WHAM DRIVE
> CARBONDALE, ILLINOIS 62901
>
> [email protected]
> P: 618/453-6424
> OIT.SIU.EDU <http://oit.siu.edu/networkengineering>
> ------------------------------
> *From:* Ludovic Zammit <[email protected]>
> *Sent:* Friday, December 7, 2018 6:46:07 AM
> *To:* Anton Castelli
> *Cc:* [email protected]
> *Subject:* Re: [PacketFence-users] VLAN Assignment for MAB clients
>
> Hello Anton,
>
> Which kind of switch / network equipment are you using for the
> authentication?
>
> Thanks,
>
> Ludovic [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu)
> and PacketFence (http://packetfence.org)
>
> On Dec 6, 2018, at 3:03 PM, Anton Castelli via PacketFence-users <
> [email protected]> wrote:
>
> I'm pretty new to PacketFence. I have a demo server set up and working. It
> authenticates 802.1x clients against our Active Directory, can assign them
> a role based on their LDAP group, and can assign them a VLAN based on their
> role.
>
> Non-802.1x devices that fall back to MAB can also authenticate once I've
> manually registered the device. I can also set a role manually for the
> device. However, the VLAN assignment for that role is not passed back to
> the switch.
>
> I've confirmed that the VLAN assignment for that role is working. I put a
> 802.1x client in that role and the VLAN assignment works. A MAB client in
> the same role on the same switch will not have a VLAN assignment passed
> back to the switch.
>
> RADIUS response for 802.1x client:
>
> <8021x.png>
>
> RADIUS response for MAB client:
>
> <mab.png>
>
> Is there a way to configure PacketFence to assign a VLAN on the switch for
> a MAB client?
>
> Thanks,
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
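
Added example, not part of the original thread and not PacketFence code: a small Python check that takes the reply attributes of a RADIUS Access-Accept as "Attribute = value" lines and reports whether the switch received a complete dynamic VLAN assignment, only the voice VSA discussed above, or nothing to act on. The sample replies are constructed, and the attribute name Cisco-AVPair for the VSA is an assumption; the thread only gives its value.

```python
import re

VOICE_VSA = "device-traffic-class=voice"   # value quoted in the thread
LINE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::\d+)?\s*:?=\s*"?(.*?)"?\s*$')


def parse_reply(text):
    """Parse 'Attribute = value' lines into {lowercased name: [values]}."""
    attrs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
    return attrs


def classify_reply(text):
    """Return (outcome, detail): what the Access-Accept gives the switch."""
    attrs = parse_reply(text)
    # Voice device: only the VSA is sent, so the VLAN comes from the
    # port's own 'switchport voice vlan' setting, not from the role.
    if any(VOICE_VSA in v for vals in attrs.values() for v in vals):
        return ("voice-vsa", "switch uses its configured voice VLAN")
    # RFC 3580 dynamic VLAN assignment needs all three tunnel attributes.
    missing = []
    if not {"VLAN", "13"} & set(attrs.get("tunnel-type", [])):
        missing.append("Tunnel-Type")
    if not {"IEEE-802", "6"} & set(attrs.get("tunnel-medium-type", [])):
        missing.append("Tunnel-Medium-Type")
    vlan = attrs.get("tunnel-private-group-id", [])
    if not vlan:
        missing.append("Tunnel-Private-Group-Id")
    if not missing:
        return ("dynamic-vlan", vlan[0])
    if len(missing) == 3:
        return ("no-vlan", "reply carries no VLAN attributes")
    return ("incomplete-vlan", "missing " + ", ".join(missing))


# Constructed sample replies; 'Cisco-AVPair' as the VSA name is an assumption.
DOT1X_REPLY = 'Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\nTunnel-Private-Group-Id = "20"'
MAB_NO_VLAN_REPLY = 'Session-Timeout = 3600'
MAB_PHONE_REPLY = 'Cisco-AVPair = "device-traffic-class=voice"'
PARTIAL_REPLY = 'Tunnel-Private-Group-Id = "20"'

if __name__ == "__main__":
    for name in ("DOT1X_REPLY", "MAB_NO_VLAN_REPLY", "MAB_PHONE_REPLY", "PARTIAL_REPLY"):
        print(name, classify_reply(globals()[name]))
```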
