Re: [PacketFence-users] packetfence and cisco switches
Use RADIUS. Way better!

Sent from my iPhone

On Dec 14, 2016, at 4:03 PM, Tobias Friede wrote:

> Hi,
>
> I think that's not possible because Port Security creates a static entry in the MAC table of the switch. That's how port security is working ;)
>
> You could enable aging. That means if the client is inactive, the MAC address is removed from the switch port (after a specific time) => http://packetlife.net/blog/2010/may/3/port-security/
>
> Greetings
> Tobias
>
> 2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>:
>
> > Packetfence users,
> >
> > We are using PF 5.0.2 and have a variety of Cisco switches in place.
> >
> > We have the access ports (vs trunk ports) configured with “sticky mac” addresses, and find (we per documentation) that when we make any changes to the switch config and save those changes “write memory” that the dynamic addresses of the end point devices get written into the switch boot config file.
> >
> > Typical changes we’d want to save are things like adding vlans to the trunk, adding a port description for a special end point device, adding a new vlan to the switch, etc.
> >
> > The problem we are seeing is that if a device (typical PC or printer) is moved to another port on the switch, then the MAC address of the device which is “dynamic” on the port, conflicts with the now static address on the old port.
> >
> > I am going to see if configuring a test switch with “dynamic secure” rather than “sticky secure”, I think just a matter of unsetting “sticky” for the interface.
> >
> > Does anyone have any experience with this?
> >
> > How do you prevent the learned MAC addresses from getting written into the config file?
> >
> > Thank you,
> >
> > Brian

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] packetfence and cisco switches
Hi,

I think that's not possible because Port Security creates a static entry in the MAC table of the switch. That's how port security is working ;)

You could enable aging. That means if the client is inactive, the MAC address is removed from the switch port (after a specific time) => http://packetlife.net/blog/2010/may/3/port-security/

Greetings
Tobias

2016-12-14 19:57 GMT+01:00 Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>:

> Packetfence users,
>
> We are using PF 5.0.2 and have a variety of Cisco switches in place.
>
> We have the access ports (vs trunk ports) configured with “sticky mac” addresses, and find (we per documentation) that when we make any changes to the switch config and save those changes “write memory” that the dynamic addresses of the end point devices get written into the switch boot config file.
>
> Typical changes we’d want to save are things like adding vlans to the trunk, adding a port description for a special end point device, adding a new vlan to the switch, etc.
>
> The problem we are seeing is that if a device (typical PC or printer) is moved to another port on the switch, then the MAC address of the device which is “dynamic” on the port, conflicts with the now static address on the old port.
>
> I am going to see if configuring a test switch with “dynamic secure” rather than “sticky secure”, I think just a matter of unsetting “sticky” for the interface.
>
> Does anyone have any experience with this?
>
> How do you prevent the learned MAC addresses from getting written into the config file?
>
> Thank you,
>
> Brian
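
One way to spot the condition discussed in this thread, as an added example that is not part of the original messages: a sketch that scans a saved switch configuration for sticky-learned MAC entries and reports which port still holds a given address. The sample configuration, interface names and MAC addresses are constructed, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a saved config: Gi0/1 has a sticky MAC that was
# written out by "write memory"; Gi0/3 uses dynamic secure with aging.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
"""

# Matches only sticky lines that carry a learned address, not the bare keyword.
STICKY = re.compile(r"^\s*switchport port-security mac-address sticky\s+([0-9a-fA-F.]+)")

def norm(mac):
    """Reduce any MAC notation (aa:bb.., aabb.ccdd.., aa-bb..) to 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def sticky_entries(config):
    """Map interface name -> sticky MACs persisted in the saved config."""
    saved = defaultdict(list)
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            iface = None
        elif iface:
            m = STICKY.match(line)
            if m:
                saved[iface].append(norm(m.group(1)))
    return dict(saved)

def ports_holding(config, mac):
    """Ports whose saved config pins this MAC (candidates for a conflict after a move)."""
    target = norm(mac)
    return sorted(p for p, macs in sticky_entries(config).items() if target in macs)
```
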
Re: [PacketFence-users] Please verify the provided MAC address
Hello Morgan,

The way this works is that you usually provide the MAC vendor in the OUI file. For instance, if you want to allow Xbox to register, add the following list inside conf/allowed_device_oui.txt:

00:12:5A # Microsoft-Xbox
00:0D:3A # Microsoft-Xbox
00:50:F2 # Microsoft-Xbox
00:17:FA # Microsoft-Xbox
00:1D:D8 # Microsoft-Xbox
00:22:48 # Microsoft-Xbox

Examples are available from conf/allowed_device_oui.txt.example

As long as the first 6 digits of the MAC you are trying to register are in the file, then the device will be able to register via the device-registration page.

Let us know if that helps.

Thanks

On 12/08/2016 12:08 PM, Morgan, Joel P. wrote:
> It looks like blanking the file /usr/local/pf/conf/allowed_device_oui.txt doesn't allow any MAC to register. Renaming the file allows any MAC to register.
>
> -Original Message-
> From: Morgan, Joel P.
> Sent: Thursday, December 8, 2016 10:01 AM
> To: 'packetfence-users@lists.sourceforge.net'
> Subject: Please verify the provided MAC address
>
> I'm using PF version 6.2.1 on CentOS 6.8.
>
> When manually registering a device using the device-registration URL I get an error when I submit the MAC address.
>
> "Please verify the provided MAC address."
>
> A tail of packetfence.log gives the following output.
>
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Dec 08 09:23:44 httpd.portal(2555) WARN: [mac:0] Unable to match MAC address to IP '192.168.1.10' (pf::iplog::ip2mac)
> Dec 08 09:23:44 httpd.portal(2555) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
>
> The file /usr/local/pf/conf/allowed_device_oui.txt is empty.
>
> Does anyone have any suggestions for fixing this?

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
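
The allowlist rule described in this thread, as an added example that is not part of the original messages and is not PacketFence's own code: a sketch that parses the `allowed_device_oui.txt` format shown above and checks whether the first six hex digits of a MAC are listed. The empty-file and missing-file outcomes are modelled on what Joel reports; the function names, the sample MAC addresses and the rejection of malformed MACs are assumptions.

```python
import re
from typing import Optional, Set

# The six entries quoted in the reply above, in the file's own format.
SAMPLE_OUI_FILE = """\
00:12:5A # Microsoft-Xbox
00:0D:3A # Microsoft-Xbox
00:50:F2 # Microsoft-Xbox
00:17:FA # Microsoft-Xbox
00:1D:D8 # Microsoft-Xbox
00:22:48 # Microsoft-Xbox
"""

def hex_digits(value: str) -> Optional[str]:
    """Strip ':', '-', '.' and spaces; return uppercase hex digits or None."""
    digits = re.sub(r"[:.\-\s]", "", value).upper()
    return digits if re.fullmatch(r"[0-9A-F]+", digits) else None

def parse_oui_file(text: str) -> Set[str]:
    """Parse 'XX:XX:XX # comment' lines into a set of 6-digit prefixes."""
    ouis = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()   # drop the trailing comment
        if not entry:
            continue                            # blank or comment-only line
        digits = hex_digits(entry)
        if digits is None or len(digits) != 6:
            raise ValueError(f"line {lineno}: not a 3-byte OUI: {entry!r}")
        ouis.add(digits)
    return ouis

def may_register(mac: str, oui_file_text: Optional[str]) -> bool:
    """Decide registration for one MAC.

    oui_file_text is None when the file does not exist (renamed away).
    """
    digits = hex_digits(mac)
    if digits is None or len(digits) != 12:
        return False            # assumption: a malformed MAC is always refused
    if oui_file_text is None:
        return True             # as reported: no file, any MAC registers
    # An empty file yields an empty set, so nothing matches (as reported).
    return digits[:6] in parse_oui_file(oui_file_text)
```
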
[PacketFence-users] packetfence and cisco switches
Packetfence users,

We are using PF 5.0.2 and have a variety of Cisco switches in place.

We have the access ports (vs trunk ports) configured with "sticky mac" addresses, and find (we per documentation) that when we make any changes to the switch config and save those changes "write memory" that the dynamic addresses of the end point devices get written into the switch boot config file.

Typical changes we'd want to save are things like adding vlans to the trunk, adding a port description for a special end point device, adding a new vlan to the switch, etc.

The problem we are seeing is that if a device (typical PC or printer) is moved to another port on the switch, then the MAC address of the device which is "dynamic" on the port, conflicts with the now static address on the old port.

I am going to see if configuring a test switch with "dynamic secure" rather than "sticky secure", I think just a matter of unsetting "sticky" for the interface.

Does anyone have any experience with this?

How do you prevent the learned MAC addresses from getting written into the config file?

Thank you,

Brian
Re: [PacketFence-users] Adding roles from CLI
Hello Bob,

The roles are not stored in a config file, they are stored in the DB in the table "node_category". So you would need to add some SQL queries to add a new role.

Thanks

On 12/13/2016 11:29 AM, B McLellan wrote:
> Hi,
>
> I've been looking at creating a script to deploy multiple PacketFence instances. I have pretty much everything in place now, there's just one thing that is still puzzling me.
>
> Is there a way to create 'roles' from the CLI using pfcmd? In which config files are the roles stored? I can only see references to the roles which have associated rules in the authentication.conf file.
>
> Any hints gratefully received. ;)

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Re: [PacketFence-users] How to create own billing source?
Hello Rolando,

Documentation about the billing source is available here: https://packetfence.org/doc/PacketFence_Administration_Guide.html#_billing_engine

There are examples on how to configure a PayPal, Stripe and Authorize.net source.

Thanks

On 12/14/2016 01:50 AM, Rolando Palencia wrote:
> Hi,
>
> How to create own billing source?
>
> Regards,
>
> Rolando

--
Antoine Amacher
aamac...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
[PacketFence-users] packetfence dhcp violations
Packetfence users,

We are running PF 5.0.2 and use the ISC dhcp server on a linux platform.

We are seeing that some of our (really really old) Jetdirect printers, while being identified as jetdirect printers, are also tripping our violation rule for "non-compliant OS" and being put into our non-compliant vlan rather than dropping into the default_vlan as the rest of our printers do, as we want them to do.

Is there a way to put the MAC on a white list or have its MAC identified so that it is assigned the correct vlan rather than falling into the trap and being assigned to the other vlan?

Thanks in advance,

Brian
[PacketFence-users] How to create own billing source?
Hi,

How to create own billing source?

Regards,

Rolando
[PacketFence-users] PF and Juniper SRX SSO
Hi,

Do you know how to integrate Juniper SRX with Packetfence in SSO? Has anyone tried to do this?

BR
Tomasz Karczewski