Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-17 Thread André Scrivener via PacketFence-users
Hello Timothy,

I will do that today and give you the answer.

Regards,
André

2018-01-11 17:47 GMT-03:00 Timothy Mullican :

> André,
> Try applying this patch. On the PacketFence box, do:
>
> # cd /usr/local/pf
> # wget https://patch-diff.githubusercontent.com/raw/inverse-inc/packetfence/pull/2872.diff
> # patch -p1 < 2872.diff
>
> Then try restarting and see if the RADIUS deauthentication works. If it
> doesn’t, please send the PacketFence log files.
>
> Thanks,
> Tim
>
> Sent from mobile phone
>
> On Jan 11, 2018, at 13:42, André Scrivener wrote:
>
> Hi Timothy,
>
> Thanks for the feedback, but I noticed that if it is in RADIUS mode the
> deauthentication does not work; if I put HTTP, for example, it works.
>
> Regards,
> André
>
>
> 2018-01-10 22:12 GMT-03:00 Timothy Mullican :
>
>> André,
>> You can ignore that error. It is caused by a missing parameter in the
>> configuration code for the N1500 switch in PacketFence.
>>
>> I submitted an issue and pull request at https://github.com/inverse-inc/packetfence/issues/2871
>>
>> Thanks,
>> Tim
>> On Friday, January 5, 2018, 12:48:00 PM EST, Timothy Mullican via PacketFence-users wrote:
>>
>>
>> Fabrice,
>> I’m not sure, but is his error due to the following?
>>
>> The function deauth_source_ip (lib/pf/Switch.pm) is expecting the IP
>> address to deauth, so it can determine the source interface to use in
>> PacketFence. It is present in the default radiusDisconnect function, but
>> lib/pf/Switch/Dell/N1500.pm overrides and leaves it out on the LocalAddr
>> line (286).
>>
>> Should “LocalAddr => $self->deauth_source_ip(),” in N1500.pm be changed
>> to “LocalAddr => $self->deauth_source_ip($send_disconnect_to),” ?
>>
>> Thanks,
>> Tim
>>
>> Sent from mobile phone
>>
>> On Jan 5, 2018, at 09:38, André Scrivener wrote:
>>
>> Hey Timothy and Fabrice!
>>
>> Finally functioning! The problem was in the firmware; after the update, it
>> is changing the VLANs successfully.
>>
>> Thank you so much for help!
>>
>> Now I will move forward.
>>
>>
>> One question: this log below, it's because I don't implement a RADIUS server.
>> Correct? I only joined PacketFence to Active Directory.
>>
>> Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) INFO:
>> [mac:84:7b:eb:e3:84:42] deauthenticating (pf::Switch::Dell::N1500::radiusDisconnect)
>> Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) ERROR:
>> [mac:84:7b:eb:e3:84:42] must specify key and code at
>> /usr/local/pf/lib/pf/Switch.pm line 3126.
>>  (pf::api::can_fork::notify)
>>
>>
>> --
>> Regards,
>> *André*
>>
>> 
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
>


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-11 Thread André Scrivener via PacketFence-users
Hi Timothy,

Thanks for the feedback, but I noticed that if it is in RADIUS mode the
deauthentication does not work; if I put HTTP, for example, it works.

Regards,
André


2018-01-10 22:12 GMT-03:00 Timothy Mullican :

> André,
> You can ignore that error. It is caused by a missing parameter in the
> configuration code for the N1500 switch in PacketFence.
>
> I submitted an issue and pull request at https://github.com/inverse-inc/packetfence/issues/2871
>
> Thanks,
> Tim
> On Friday, January 5, 2018, 12:48:00 PM EST, Timothy Mullican via PacketFence-users wrote:
>
>
> Fabrice,
> I’m not sure, but is his error due to the following?
>
> The function deauth_source_ip (lib/pf/Switch.pm) is expecting the IP
> address to deauth, so it can determine the source interface to use in
> PacketFence. It is present in the default radiusDisconnect function, but
> lib/pf/Switch/Dell/N1500.pm overrides and leaves it out on the LocalAddr
> line (286).
>
> Should “LocalAddr => $self->deauth_source_ip(),” in N1500.pm be changed
> to “LocalAddr => $self->deauth_source_ip($send_disconnect_to),” ?
>
> Thanks,
> Tim
>
> Sent from mobile phone
>
> On Jan 5, 2018, at 09:38, André Scrivener wrote:
>
> Hey Timothy and Fabrice!
>
> Finally functioning! The problem was in the firmware; after the update, it is
> changing the VLANs successfully.
>
> Thank you so much for help!
>
> Now I will move forward.
>
>
> One question: this log below, it's because I don't implement a RADIUS server.
> Correct? I only joined PacketFence to Active Directory.
>
> Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) INFO:
> [mac:84:7b:eb:e3:84:42] deauthenticating (pf::Switch::Dell::N1500::radiusDisconnect)
> Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) ERROR:
> [mac:84:7b:eb:e3:84:42] must specify key and code at
> /usr/local/pf/lib/pf/Switch.pm line 3126.
>  (pf::api::can_fork::notify)
>
>
> --
> Regards,
> *André*
>
> 


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-05 Thread Timothy Mullican via PacketFence-users
Fabrice,
I’m not sure, but is his error due to the following?

The function deauth_source_ip (lib/pf/Switch.pm) is expecting the IP address to 
deauth, so it can determine the source interface to use in PacketFence. It is 
present in the default radiusDisconnect function, but 
lib/pf/Switch/Dell/N1500.pm overrides and leaves it out on the LocalAddr line 
(286). 

Should “LocalAddr => $self->deauth_source_ip(),” in N1500.pm be changed to 
“LocalAddr => $self->deauth_source_ip($send_disconnect_to),” ?

Thanks,
Tim

Sent from mobile phone

> On Jan 5, 2018, at 09:38, André Scrivener  wrote:
> 
> Hey Timothy and Fabrice!
> 
> Finally functioning! The problem was in the firmware; after the update, it is
> changing the VLANs successfully.
> 
> Thank you so much for help!
> 
> Now I will move forward.
> 
> 
> One question: this log below, it's because I don't implement a RADIUS server. Correct?
> I only joined PacketFence to Active Directory.
> 
> Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) INFO: 
> [mac:84:7b:eb:e3:84:42] deauthenticating 
> (pf::Switch::Dell::N1500::radiusDisconnect)
> Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) ERROR: 
> [mac:84:7b:eb:e3:84:42] must specify key and code at 
> /usr/local/pf/lib/pf/Switch.pm line 3126.
>  (pf::api::can_fork::notify)
> 
> 
> -- 
> Regards,
> André
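The LocalAddr question in Tim's message is about which source address PacketFence's Disconnect-Request leaves from and which shared key signs it. The following is an added example, my own Python and not PacketFence code or anything from this thread: it builds and checks RFC 5176 Disconnect-Request and Disconnect-ACK packets so both requirements are visible. The Request Authenticator is an MD5 over the packet plus the shared secret, and a switch recomputes it with the `server-key` it holds for the sender's address, so the key and the source address both have to match its dynamic-author client entry. The MAC is the one from this thread; the NAS address `192.168.1.10`, the identifier `7` and the key are constructed sample values.

```python
"""Build and verify RADIUS Disconnect-Request / Disconnect-ACK packets
(RFC 5176).  Added example, not PacketFence code: it makes visible why a
RADIUS deauthentication needs both a shared key and a fixed source address."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_NAS_IP_ADDRESS, ATTR_CALLING_STATION_ID = 4, 31
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attr(attr_type, value):
    """One Type-Length-Value attribute; the length octet counts its own 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, mac, nas_ip, identifier):
    """Disconnect-Request asking the NAS to drop the session of `mac`.

    Request Authenticator (RFC 5176 section 2.3):
        MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    The NAS recomputes this with the server-key it has stored for the
    *source address* of the datagram, so both the key and the address the
    request leaves from must match the switch's dynamic-author client entry.
    """
    if not secret:
        raise ValueError("a shared secret is required to authenticate the request")
    attrs = encode_attr(ATTR_CALLING_STATION_ID, mac.encode("ascii"))
    attrs += encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(request, secret):
    """What the NAS does on receipt: recompute the Request Authenticator with its
    configured key.  A mismatch means a wrong key, or a sender it has no key for."""
    if len(request) < HEADER_LEN or request[0] != DISCONNECT_REQUEST:
        return False
    expected = hashlib.md5(request[:4] + bytes(16) + request[20:] + secret).digest()
    return hmac.compare_digest(expected, request[4:20])


def build_response(code, request, secret, attrs=b""):
    """Disconnect-ACK/NAK as the NAS would send it.  Response Authenticator:
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request, secret):
    """Accept a reply only if it is well-formed, answers our identifier and is
    signed with our key; spoofed, truncated or wrong-key replies are rejected."""
    if len(response) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet):
    """Return [(type, value), ...]; rejects attributes that overrun the packet."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed sample: the MAC from this thread, a made-up NAS address and key.
    req = build_disconnect_request(b"s3cr3t", "84:7b:eb:e3:84:42", "192.168.1.10", 7)
    ack = build_response(DISCONNECT_ACK, req, b"s3cr3t")
    print(len(req), parse_attrs(req), verify_request(req, b"s3cr3t"),
          verify_response(ack, req, b"s3cr3t"))
```

To actually send such a request you would `bind()` the UDP socket to the address the switch lists as its dynamic-author client before `sendto()` on port 3799 (the RFC 5176 default); that bind is what PacketFence's `LocalAddr` selects, which is why a missing deauth source IP is enough to make the switch silently ignore the request.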


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-05 Thread André Scrivener via PacketFence-users
Hey Timothy and Fabrice!

Finally functioning! The problem was in the firmware; after the update, it is
changing the VLANs successfully.

Thank you so much for help!

Now I will move forward.


One question: this log below, it's because I don't implement a RADIUS server.
Correct? I only joined PacketFence to Active Directory.

Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) INFO:
[mac:84:7b:eb:e3:84:42] deauthenticating
(pf::Switch::Dell::N1500::radiusDisconnect)
Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) ERROR:
[mac:84:7b:eb:e3:84:42] must specify key and code at
/usr/local/pf/lib/pf/Switch.pm line 3126.
 (pf::api::can_fork::notify)


-- 
Regards,
*André*
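The pfqueue lines André pasted (INFO "deauthenticating", then ERROR "must specify key and code" from the same worker) are the evidence that a RADIUS deauthentication was attempted and failed. As an added example that is not part of the thread and not PacketFence code, the Python below parses pfqueue syslog lines of that shape, including the two-line form where the function name wraps onto an indented continuation line, and summarises per MAC whether a deauth was attempted, whether an error followed it in the same worker process, and any ip4log IP change (the sign that the client really moved VLAN). The sample lines are reassembled from the ones quoted in this thread; the `parse` and `audit` functions are my own.

```python
"""Parse pfqueue syslog lines and summarise deauthentication outcomes per MAC
(added example; my own parser, not PacketFence code)."""
import re
from collections import defaultdict

# Constructed sample, reassembled from the lines quoted in this thread; the
# ERROR record is the two-line form pfqueue writes when the function name wraps.
SAMPLE_LOG = [
    "Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN: [mac:84:7b:eb:e3:84:42] "
    "Until CoA is implemented we will bounce the port on VLAN re-assignment traps for "
    "MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)",
    "Jan  5 10:58:10 packetfence pfqueue: pfqueue(32349) INFO: [mac:84:7b:eb:e3:84:42] "
    "oldip (172.16.0.10) and newip (192.168.2.10) are different for 84:7b:eb:e3:84:42 "
    "- closing ip4log entry (pf::api::update_ip4log)",
    "Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) INFO: [mac:84:7b:eb:e3:84:42] "
    "deauthenticating (pf::Switch::Dell::N1500::radiusDisconnect)",
    "Jan  5 13:24:56 packetfence pfqueue: pfqueue(1063) ERROR: [mac:84:7b:eb:e3:84:42] "
    "must specify key and code at /usr/local/pf/lib/pf/Switch.pm line 3126.",
    " (pf::api::can_fork::notify)",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"pfqueue: pfqueue\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] (?P<msg>.*)$"
)
FUNC_RE = re.compile(r"\((?P<func>pf::[\w:]+)\)\s*$")
IPCHANGE_RE = re.compile(r"oldip \((?P<old>[\d.]+)\) and newip \((?P<new>[\d.]+)\)")


def join_continuations(lines):
    """Fold indented continuation lines into the preceding record."""
    records = []
    for line in lines:
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        elif line.strip():
            records.append(line.rstrip())
    return records


def parse(lines):
    """Return one dict per pfqueue record: ts, host, pid, level, mac, msg, func."""
    events = []
    for record in join_continuations(lines):
        m = LINE_RE.match(record)
        if not m:
            continue  # not a pfqueue line in the expected shape
        ev = m.groupdict()
        f = FUNC_RE.search(ev["msg"])
        ev["func"] = f.group("func") if f else None
        events.append(ev)
    return events


def audit(events):
    """Per MAC: deauth attempts, errors logged by the same worker right after one,
    and ip4log IP changes."""
    report = defaultdict(lambda: {"deauth_attempts": 0, "deauth_errors": [], "ip_changes": []})
    in_flight = set()  # (pid, mac) pairs with a deauth started and no error seen yet
    for ev in events:
        entry, key = report[ev["mac"]], (ev["pid"], ev["mac"])
        if ev["func"] and ev["func"].endswith("::radiusDisconnect"):
            entry["deauth_attempts"] += 1
            in_flight.add(key)
        elif ev["level"] == "ERROR" and key in in_flight:
            entry["deauth_errors"].append(ev["msg"])
            in_flight.discard(key)
        ip = IPCHANGE_RE.search(ev["msg"])
        if ip:
            entry["ip_changes"].append((ip.group("old"), ip.group("new")))
    return dict(report)


if __name__ == "__main__":
    for mac, summary in audit(parse(SAMPLE_LOG)).items():
        print(mac, summary)
```

An ERROR that is not preceded by a deauth from the same worker is deliberately not counted as a deauth failure; correlating on the worker pid is what keeps unrelated pfqueue errors out of the per-MAC verdict.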


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-05 Thread André Scrivener via PacketFence-users
Hey Timothy,

Following is my networks.conf:

[root@packetfence ~]# cat /usr/local/pf/conf/networks.conf
[192.168.3.0]
dns=192.168.3.2
dhcp_start=192.168.3.10
gateway=192.168.3.2
domain-name=vlan-isolation.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.2.0]
dns=192.168.2.2
dhcp_start=192.168.2.10
gateway=192.168.2.2
domain-name=vlan-registration.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
[root@packetfence ~]#


I applied the setting that you know, but it does not work.

I do not understand why the switch indicates that the MAC address is in
VLAN 2 but does not assign an address from VLAN 2.


console#show mac address-table

Aging time is 300 Sec

Vlan  Mac Address      Type        Port
----  ---------------  ----------  --------
1     0800.2700.58E2   Dynamic     Gi1/0/11
1     0800.2735.FCC4   Dynamic     Gi1/0/11
1     1418.77EA.F0A3   Management  Vl1
1     641C.675E.738F   Dynamic     Gi1/0/11
2     847B.EBE3.8442   Dynamic     Gi1/0/13


If I set up an interface manually in VLAN 2, it assigns the VLAN 2 address
correctly.

interface Gi1/0/15
switchport mode general
switchport general pvid 2
switchport general allowed vlan add 2-5,10,100
dot1x port-control mac-based
dot1x reauthentication
dot1x mac-auth-bypass
authentication order mab
authentication priority mab
exit
!


console#show mac address-table

Aging time is 300 Sec

Vlan  Mac Address      Type        Port
----  ---------------  ----------  --------
1     0800.2700.58E2   Dynamic     Gi1/0/11
1     0800.2735.FCC4   Dynamic     Gi1/0/11
1     1418.77EA.F0A3   Management  Vl1
1     641C.675E.738F   Dynamic     Gi1/0/11
2     0800.2735.FCC4   Dynamic     Gi1/0/11
2     847B.EBE3.8442   Dynamic     Gi1/0/15



Look, a new IP address is assigned to the client:

Jan  5 10:58:10 packetfence pfqueue: pfqueue(32349) INFO:
[mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are
different for 84:7b:eb:e3:84:42 - closing ip4log entry
(pf::api::update_ip4log)


To complete, here is the config of the switch interface facing PacketFence:

interface Gi1/0/11
switchport mode trunk
switchport trunk allowed vlan 1-5,10,100
dot1x port-control force-authorized
exit


Greetings!!


-- 
Regards,
*André*
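André's networks.conf above defines the registration and isolation networks that PacketFence serves DHCP for. As an added example (my own Python, not a PacketFence tool), the validator below parses a networks.conf in that format and checks the consistency a practitioner would want before trusting the VLAN enforcement: that each section name really is the network address for its netmask, that gateway, dns and the DHCP range lie inside it, that the DHCP pool does not swallow the gateway, that lease times are ordered, and that no two networks overlap. `SAMPLE_NETWORKS_CONF` is the configuration from this message; `BROKEN_NETWORKS_CONF` is a constructed, deliberately faulty one used to show the checks firing; `validate_networks` is my own function.

```python
"""Consistency checks for a PacketFence-style networks.conf
(added example; my own code, not a PacketFence tool)."""
import configparser
import ipaddress

# The configuration pasted in this thread.
SAMPLE_NETWORKS_CONF = """\
[192.168.3.0]
dns=192.168.3.2
dhcp_start=192.168.3.10
gateway=192.168.3.2
domain-name=vlan-isolation.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.2.0]
dns=192.168.2.2
dhcp_start=192.168.2.10
gateway=192.168.2.2
domain-name=vlan-registration.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
"""

# Constructed, deliberately broken configuration: gateway in another subnet,
# inverted DHCP range, default lease longer than the maximum, and a section
# name that is a host address rather than the network address.
BROKEN_NETWORKS_CONF = """\
[192.168.4.0]
netmask=255.255.255.0
type=vlan-registration
gateway=192.168.5.1
dhcpd=enabled
dhcp_start=192.168.4.100
dhcp_end=192.168.4.10
dhcp_default_lease_time=3600
dhcp_max_lease_time=30

[192.168.4.128]
netmask=255.255.255.0
type=vlan-isolation
"""


def validate_networks(text):
    """Return {section: [problem, ...]} for every faulty section; {} when clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems, nets = {}, {}
    for name in cp.sections():
        sec, errs = cp[name], []
        try:
            # strict=True rejects a section name that is not the network address
            net = ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=True)
        except (KeyError, ValueError) as exc:
            problems[name] = [f"bad network/netmask: {exc}"]
            continue
        nets[name] = net
        for key in ("gateway", "dns", "dhcp_start", "dhcp_end"):
            if key in sec and ipaddress.ip_address(sec[key]) not in net:
                errs.append(f"{key}={sec[key]} is outside {net}")
        if sec.get("dhcpd") == "enabled":
            if "dhcp_start" not in sec or "dhcp_end" not in sec:
                errs.append("dhcpd enabled but dhcp_start/dhcp_end missing")
            else:
                start = ipaddress.ip_address(sec["dhcp_start"])
                end = ipaddress.ip_address(sec["dhcp_end"])
                if start > end:
                    errs.append(f"dhcp_start {start} is after dhcp_end {end}")
                elif "gateway" in sec and start <= ipaddress.ip_address(sec["gateway"]) <= end:
                    errs.append("gateway lies inside the DHCP pool")
        default_lease = int(sec.get("dhcp_default_lease_time", 0))
        max_lease = int(sec.get("dhcp_max_lease_time", default_lease))
        if default_lease > max_lease:
            errs.append(f"dhcp_default_lease_time {default_lease} exceeds "
                        f"dhcp_max_lease_time {max_lease}")
        if errs:
            problems[name] = errs
    names = list(nets)  # overlapping networks would make VLAN assignment ambiguous
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.setdefault(a, []).append(f"overlaps with [{b}]")
    return problems


if __name__ == "__main__":
    print("thread config:", validate_networks(SAMPLE_NETWORKS_CONF))
    print("broken config:", validate_networks(BROKEN_NETWORKS_CONF))
```

The thread's configuration passes every check, which is consistent with the later finding that the fault was in the switch firmware rather than in PacketFence's network definitions.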


Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-04 Thread André Scrivener via PacketFence-users
Timothy,

After I changed to RADIUS, I no longer see these error logs. Thank you!


But... the problem of assigning an IP address in the registration VLAN... to be continued!

I'm thinking it's some problem between the switch and PacketFence.   :(

I am very excited about this solution, but I am stuck at this problem.

I will still update the firmware of the switch!!




2018-01-03 19:24 GMT-03:00 Timothy Mullican :

> André,
>
> The message “Until CoA is implemented we will bounce the port on VLAN
> re-assignment traps for MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)”
> is thrown because your deauthentication method for the Switch (in PacketFence)
> is set to SNMP (see handleReAssignVlanTrapForWiredMacAuth in
> /usr/local/pf/lib/pf/Switch.pm and /usr/local/pf/lib/pf/Switch/Dell/N1500.pm).
>
> Try changing your de-authentication method on the switch (under
> Configuration) in PacketFence to RADIUS and specify the secret key. Please
> let me know if this doesn’t work.
>
> Thanks,
> Tim
>
> Sent from mobile phone
>
> On Jan 3, 2018, at 14:59, André Scrivener via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Fabrice,
>
> I used the configuration you sent; it still gave an error.
>
> I saw some new logs:
>
> Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN:
> [mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on
> VLAN re-assignment traps for MAC-Auth (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
>
> Do you know? Can you explain what it would be?
>
> Soon I will update the firmware of the switch, to see if it resolves.
>
> Is it also not a bug in the packetfence version? Did you hear from anyone
> else with this problem?
>
> Greetings!
>
>
>
> 2018-01-03 17:24 GMT-03:00 Fabrice Durand :
>
>> Hello André,
>>
>> Yes, I did that a long time ago:
>>
>> https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238
>>
>> Also the notes I took:
>>
>> 1 Enter global configuration mode and define the RADIUS server.
>>
>> console#configure
>> console(config)#radius-server host auth 10.34.200.30
>> console(Config-auth-radius)#name PacketFence
>> console(Config-auth-radius)#usage 802.1x
>> console(Config-auth-radius)#key s3cr3t
>> console(Config-auth-radius)#exit
>> console(Config)#aaa server radius dynamic-author
>> console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
>> console(config-radius-da)#auth-type all
>> console(config-radius-da)#exit
>>
>>
>>
>>
>> 2 Enable authentication and globally enable 802.1x client authentication
>> via RADIUS:
>>
>> console(config)#authentication enable
>> console(config)#aaa authentication dot1x default radius
>> console(config)#aaa authorization network default radius
>> console(config)#dot1x system-auth-control
>>
>> (Optional)
>> console(Config)#dot1x dynamic-vlan enable
>>
>> 3 On the interface, enable MAC based authentication mode, enable MAB, and
>> set the order of authentication to 802.1X followed by MAC authentication.
>> Also enable periodic re-authentication.
>>
>> console(config)#interface te1/0/4
>> console(config-if-Te1/0/4)#dot1x port-control mac-based
>> console(config-if-Te1/0/4)#dot1x mac-auth-bypass
>> console(config-if-Te1/0/4)#authentication order dot1x mab
>> console(config-if-Te1/0/4)#dot1x reauthentication
>> console(config-if-Te1/0/4)#exit
>>
>> authentication order mab
>> authentication priority mab
>>
>>
>>
>> On 2018-01-03 at 09:18, André Scrivener wrote:
>>
>> Hey,
>>
>> I configured interface 15 manually to use only VLAN 2 (registration), and I
>> was assigned a registration address (192.168.2.0/24).
>>
>> Following is the switch config:
>>
>> interface Gi1/0/15
>> switchport access vlan 2
>> dot1x port-control force-authorized
>> exit
>>
>>
>> Following are the PacketFence logs:
>>
>> Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO:
>> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are
>> different for 84:7b:eb:e3:84:42 - closing ip4log entry
>> (pf::api::update_ip4log)
>>
>>
>>
>> console#show mac address-table  vlan 2
>>
>> Aging time is 300 Sec
>>
>> Vlan  Mac Address      Type        Port
>> ----  ---------------  ----------  --------
>> 2     0800.2735.FCC4   Dynamic     Gi1/0/11 - Packetfence
>> 2     847B.EBE3.8442   Dynamic     Gi1/0/15 - Test machine
>>
>>
>> You may notice that now the mac address of packetfence is in vlan 2.
>>
>> Have you already configured Dell switches?
>>
>> Any idea??
>>
>>
>> 2018-01-03 10:59 GMT-03:00 Fabrice Durand :
>>
>>> Hum strange.
>>>
>>> What you can try is to define an interface in VLAN 2 (manually on a
>>> switch port) and plug your test machine into it. (You must receive an IP from
>>> PacketFence.)
>>>
>>> If you receive an IP from 172.16.0.0/24 then it means that you have
>>> a switch configuration issue. (any layer 3 interfaces defined in 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-04 Thread Timothy Mullican via PacketFence-users
Can you post your entire switch config (scrubbed of sensitive info) and your 
/usr/local/pf/conf/switches.conf file?

Thanks,
Tim

Sent from mobile phone

> On Jan 4, 2018, at 07:19, André Scrivener wrote:
> 
> Timothy,
> 
> After I changed to RADIUS, I no longer see these error logs. Thank you!
> 
> 
> But... the problem of assigning an IP address in the registration VLAN... to be continued!
> 
> I'm thinking it's some problem between the switch and PacketFence.   :(
> 
> I am very excited about this solution, but I am stuck at this problem.
> 
> I will still update the firmware of the switch!!
> 
> 
>  
> 
> 2018-01-03 19:24 GMT-03:00 Timothy Mullican :
>> André,
>> 
>> The message “Until CoA is implemented we will bounce the port on VLAN 
>> re-assignment traps for MAC-Auth 
>> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)” is thrown because your 
>> deauthentication method for the Switch (in PacketFence) is set to SNMP (see 
>> handleReAssignVlanTrapForWiredMacAuth in /usr/local/pf/lib/pf/Switch.pm and 
>> /usr/local/pf/lib/pf/Switch/Dell/N1500.pm).
>> 
>> Try changing your de-authentication method on the switch (under 
>> Configuration) in PacketFence to RADIUS and specify the secret key. Please 
>> let me know if this doesn’t work. 
>> 
>> Thanks,
>> Tim 
>> 
>> Sent from mobile phone
>> 
>>> On Jan 3, 2018, at 14:59, André Scrivener via PacketFence-users wrote:
>>> 
>>> Fabrice,
>>> 
>>> I used the configuration you sent; it still gave an error.
>>> 
>>> I saw some new logs:
>>> 
>>> Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN: 
>>> [mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on 
>>> VLAN re-assignment traps for MAC-Auth 
>>> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
>>> 
>>> Do you know? Can you explain what it would be?
>>> 
>>> Soon I will update the firmware of the switch, to see if it resolves.
>>> 
>>> Is it also not a bug in the packetfence version? Did you hear from anyone 
>>> else with this problem?
>>> 
>>> Greetings!
>>> 
>>> 
>>> 
>>> 2018-01-03 17:24 GMT-03:00 Fabrice Durand :
>>>> Hello André,
>>>> 
>>>> Yes, I did that a long time ago:
>>>> 
>>>> https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238
>>>> 
>>>> Also the notes I took:
>>>> 
>>>> 1 Enter global configuration mode and define the RADIUS server.
>>>> 
>>>> console#configure
>>>> console(config)#radius-server host auth 10.34.200.30
>>>> console(Config-auth-radius)#name PacketFence
>>>> console(Config-auth-radius)#usage 802.1x
>>>> console(Config-auth-radius)#key s3cr3t
>>>> console(Config-auth-radius)#exit
>>>> console(Config)#aaa server radius dynamic-author
>>>> console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
>>>> console(config-radius-da)#auth-type all
>>>> console(config-radius-da)#exit
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 2 Enable authentication and globally enable 802.1x client authentication 
>>>> via RADIUS:
>>>> 
>>>> console(config)#authentication enable
>>>> console(config)#aaa authentication dot1x default radius
>>>> console(config)#aaa authorization network default radius
>>>> console(config)#dot1x system-auth-control
>>>> 
>>>> (Optional)
>>>> console(Config)#dot1x dynamic-vlan enable
>>>> 
>>>> 3 On the interface, enable MAC based authentication mode, enable MAB, and 
>>>> set the order of authentication to 802.1X followed by MAC authentication. 
>>>> Also enable periodic re-authentication.
>>>> 
>>>> console(config)#interface te1/0/4
>>>> console(config-if-Te1/0/4)#dot1x port-control mac-based
>>>> console(config-if-Te1/0/4)#dot1x mac-auth-bypass
>>>> console(config-if-Te1/0/4)#authentication order dot1x mab
>>>> console(config-if-Te1/0/4)#dot1x reauthentication
>>>> console(config-if-Te1/0/4)#exit
>>>> 
>>>> authentication order mab
>>>> authentication priority mab
>>>> 
>>>> 
>>>> 
>>>>> On 2018-01-03 at 09:18, André Scrivener wrote:
>>>>> Hey,
>>>>> 
>>>>> I configured interface 15 manually to use only VLAN 2 (registration), and I 
>>>>> was assigned a registration address (192.168.2.0/24).
>>>>> 
>>>>> Following is the switch config:
>>>>> 
>>>>> interface Gi1/0/15
>>>>> switchport access vlan 2
>>>>> dot1x port-control force-authorized
>>>>> exit
>>>>> 
>>>>> 
>>>>> Following are the PacketFence logs:
>>>>> 
>>>>> Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO: 
>>>>> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are 
>>>>> different for 84:7b:eb:e3:84:42 - closing ip4log entry 
>>>>> (pf::api::update_ip4log)
>>>>> 
>>>>> 
>>>>> 
>>>>> console#show mac address-table  vlan 2
>>>>> 
>>>>> Aging time is 300 Sec
>>>>> 
>>>>> Vlan  Mac Address      Type        Port
>>>>> ----  ---------------  ----------  --------
>>>>> 2     0800.2735.FCC4   Dynamic     Gi1/0/11 - Packetfence
>>>>> 2     847B.EBE3.8442   Dynamic 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Timothy Mullican via PacketFence-users
André,

The message “Until CoA is implemented we will bounce the port on VLAN 
re-assignment traps for MAC-Auth 
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)” is thrown because your 
deauthentication method for the Switch (in PacketFence) is set to SNMP (see 
handleReAssignVlanTrapForWiredMacAuth in /usr/local/pf/lib/pf/Switch.pm and 
/usr/local/pf/lib/pf/Switch/Dell/N1500.pm).

Try changing your de-authentication method on the switch (under Configuration) 
in PacketFence to RADIUS and specify the secret key. Please let me know if this 
doesn’t work. 

Thanks,
Tim 

Sent from mobile phone

> On Jan 3, 2018, at 14:59, André Scrivener via PacketFence-users wrote:
> 
> Fabrice,
> 
> I used the configuration you sent; it still gave an error.
> 
> I saw some new logs:
> 
> Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN: 
> [mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on 
> VLAN re-assignment traps for MAC-Auth 
> (pf::Switch::handleReAssignVlanTrapForWiredMacAuth)
> 
> Do you know? Can you explain what it would be?
> 
> Soon I will update the firmware of the switch, to see if it resolves.
> 
> Is it also not a bug in the packetfence version? Did you hear from anyone 
> else with this problem?
> 
> Greetings!
> 
> 
> 
> 2018-01-03 17:24 GMT-03:00 Fabrice Durand :
>> Hello André,
>> 
>> Yes, I did that a long time ago:
>> 
>> https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238
>> 
>> Also the notes I took:
>> 
>> 1 Enter global configuration mode and define the RADIUS server.
>> 
>> console#configure
>> console(config)#radius-server host auth 10.34.200.30
>> console(Config-auth-radius)#name PacketFence
>> console(Config-auth-radius)#usage 802.1x
>> console(Config-auth-radius)#key s3cr3t
>> console(Config-auth-radius)#exit
>> console(Config)#aaa server radius dynamic-author
>> console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
>> console(config-radius-da)#auth-type all
>> console(config-radius-da)#exit
>> 
>> 
>> 
>> 
>> 2 Enable authentication and globally enable 802.1x client authentication via 
>> RADIUS:
>> 
>> console(config)#authentication enable
>> console(config)#aaa authentication dot1x default radius
>> console(config)#aaa authorization network default radius
>> console(config)#dot1x system-auth-control
>> 
>> (Optional)
>> console(Config)#dot1x dynamic-vlan enable
>> 
>> 3 On the interface, enable MAC based authentication mode, enable MAB, and 
>> set the order of authentication to 802.1X followed by MAC authentication. 
>> Also enable periodic re-authentication.
>> 
>> console(config)#interface te1/0/4
>> console(config-if-Te1/0/4)#dot1x port-control mac-based
>> console(config-if-Te1/0/4)#dot1x mac-auth-bypass
>> console(config-if-Te1/0/4)#authentication order dot1x mab
>> console(config-if-Te1/0/4)#dot1x reauthentication
>> console(config-if-Te1/0/4)#exit
>> 
>> authentication order mab
>> authentication priority mab
>> 
>> 
>> 
>>> On 2018-01-03 at 09:18, André Scrivener wrote:
>>> Hey,
>>> 
>>> I configured interface 15 manually to use only VLAN 2 (registration), and I was 
>>> assigned a registration address (192.168.2.0/24).
>>> 
>>> Following is the switch config:
>>> 
>>> interface Gi1/0/15
>>> switchport access vlan 2
>>> dot1x port-control force-authorized
>>> exit   
>>> 
>>> 
>>> Following are the PacketFence logs:
>>> 
>>> Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO: 
>>> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are 
>>> different for 84:7b:eb:e3:84:42 - closing ip4log entry 
>>> (pf::api::update_ip4log)
>>> 
>>> 
>>> 
>>> console#show mac address-table  vlan 2
>>> 
>>> Aging time is 300 Sec
>>> 
>>> Vlan  Mac Address      Type        Port
>>> ----  ---------------  ----------  --------
>>> 2     0800.2735.FCC4   Dynamic     Gi1/0/11 - Packetfence
>>> 2     847B.EBE3.8442   Dynamic     Gi1/0/15 - Test machine
>>> 
>>> 
>>> You may notice that now the mac address of packetfence is in vlan 2.
>>> 
>>> Have you already configured Dell switches?
>>> 
>>> Any idea??
>>> 
>>> 
>>> 2018-01-03 10:59 GMT-03:00 Fabrice Durand :
>>>> Hum strange.
>>>> 
>>>> What you can try is to define an interface in VLAN 2 (manually on a 
>>>> switch port) and plug your test machine into it. (You must receive an IP 
>>>> from PacketFence.)
>>>> If you receive an IP from 172.16.0.0/24 then it means that you have a 
>>>> switch configuration issue. (Any layer 3 interfaces defined in VLAN 2?)
>>>> 
>>>> Also what I can see is that there is no MAC in VLAN 2 and VLAN 3 
>>>> for interface 11.
>>>> 
>>>> You should have something like that too:
>>>> 
>>>> 2 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Reg
>>>> 
>>>> 3 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Isol
>>>> 
>>>> Regards
>>>> 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread André Scrivener via PacketFence-users
Fabrice,

I used the configuration sent, still gave an error.

I saw some new logs:

Jan  3 18:41:44 packetfence pfqueue: pfqueue(25669) WARN:
[mac:84:7b:eb:e3:84:42] Until CoA is implemented we will bounce the port on
VLAN re-assignment traps for MAC-Auth
(pf::Switch::handleReAssignVlanTrapForWiredMacAuth)

Do you know? Can you explain what it would be?

Soon I will update the firmware of the switch, to see if it resolves.

Is it also not a bug in the packetfence version? Did you hear from anyone
else with this problem?

Greetings!



2018-01-03 17:24 GMT-03:00 Fabrice Durand :

> Hello André,
>
> Yes, I did that a long time ago:
>
> https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238
>
> Also the notes I took:
>
> 1 Enter global configuration mode and define the RADIUS server.
>
> console#configure
> console(config)#radius-server host auth 10.34.200.30
> console(Config-auth-radius)#name PacketFence
> console(Config-auth-radius)#usage 802.1x
> console(Config-auth-radius)#key s3cr3t
> console(Config-auth-radius)#exit
> console(Config)#aaa server radius dynamic-author
> console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
> console(config-radius-da)#auth-type all
> console(config-radius-da)#exit
>
>
>
>
> 2 Enable authentication and globally enable 802.1x client authentication
> via RADIUS:
>
> console(config)#authentication enable
> console(config)#aaa authentication dot1x default radius
> console(config)#aaa authorization network default radius
> console(config)#dot1x system-auth-control
>
> (Optional)
> console(Config)#dot1x dynamic-vlan enable
>
> 3 On the interface, enable MAC based authentication mode, enable MAB, and
> set the order of authentication to 802.1X followed by MAC authentication.
> Also enable periodic re-authentication.
>
> console(config)#interface te1/0/4
> console(config-if-Te1/0/4)#dot1x port-control mac-based
> console(config-if-Te1/0/4)#dot1x mac-auth-bypass
> console(config-if-Te1/0/4)#authentication order dot1x mab
> console(config-if-Te1/0/4)#dot1x reauthentication
> console(config-if-Te1/0/4)#exit
>
> authentication order mab
> authentication priority mab
>
>
>
> On 2018-01-03 at 09:18, André Scrivener wrote:
>
> Hey,
>
> I configured interface 15 manually to use only VLAN 2 (registration), and I
> was assigned a registration address (192.168.2.0/24).
>
> Following is the switch config:
>
> interface Gi1/0/15
> switchport access vlan 2
> dot1x port-control force-authorized
> exit
>
>
> Following are the PacketFence logs:
>
> Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO:
> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are
> different for 84:7b:eb:e3:84:42 - closing ip4log entry
> (pf::api::update_ip4log)
>
>
>
> console#show mac address-table  vlan 2
>
> Aging time is 300 Sec
>
> Vlan  Mac Address      Type        Port
> ----  ---------------  ----------  --------
> 2     0800.2735.FCC4   Dynamic     Gi1/0/11 - Packetfence
> 2     847B.EBE3.8442   Dynamic     Gi1/0/15 - Test machine
>
>
> You may notice that now the mac address of packetfence is in vlan 2.
>
> Have you already configured Dell switches?
>
> Any idea??
>
>
> 2018-01-03 10:59 GMT-03:00 Fabrice Durand :
>
>> Hum strange.
>>
>> What you can try is to define an interface in VLAN 2 (manually on a
>> switch port) and plug your test machine into it. (You must receive an IP from
>> PacketFence.)
>>
>> If you receive an IP from 172.16.0.0/24 then it means that you have a
>> switch configuration issue. (Any layer 3 interfaces defined in VLAN 2?)
>>
>> Also what I can see is that there is no MAC in VLAN 2 and VLAN 3
>> for interface 11.
>>
>> You should have something like that too:
>>
>> 2 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Reg
>> 3 08:00:27:35:fc:c4 Dynamic Gi1/0/11 - PacketFence Isol
>>
>> Regards
>> Fabrice
>>
>>
>> On 2018-01-02 at 13:55, André Scrivener wrote:
>>
>> Oops, Fabrice!
>>
>> I forgot one piece of information: the MAC addresses on the switch.
>>
>> By the logs, it is in VLAN 2, the correct VLAN.
>>
>> Right now I do not understand why it does not assign the correct
>> address.
>>
>>
>> console#show mac address-table
>>
>> Aging time is 300 Sec
>>
>> Vlan  Mac Address      Type        Port
>> ----  ---------------  ----------  --------
>> 1     0800.2700.58E2   Dynamic     Gi1/0/11  - Windows Server 2008
>> 1     0800.2735.FCC4   Dynamic     Gi1/0/11  - PacketFence
>> 1     1418.77EA.F0A3   Management  Vl1       - Switch Dell
>> 1     641C.X           Dynamic     Gi1/0/11  - My physical pc
>> 2     847B.EBE3.8442   Dynamic     Gi1/0/13  - My test machine
>>
>> Total MAC Addresses in use: 5
>>
>> console#show mac address-table interface Gi1/0/13
>>
>> Aging time is 300 Sec
>>
>> 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hello André,

Yes, I did that a long time ago:

https://github.com/inverse-inc/packetfence/commit/9d47649dd8d133b233d313d2c80e94421c38caaa#diff-53248f7bb6c533be6a5b55ec361b3238

Also the notes I took:

1 Enter global configuration mode and define the RADIUS server.

console#configure
console(config)#radius-server host auth 10.34.200.30
console(Config-auth-radius)#name PacketFence
console(Config-auth-radius)#usage 802.1x
console(Config-auth-radius)#key s3cr3t
console(Config-auth-radius)#exit
console(Config)#aaa server radius dynamic-author
console(config-radius-da)#client 10.34.200.30 server-key s3cr3t
console(config-radius-da)#auth-type all
console(config-radius-da)#exit




2 Enable authentication and globally enable 802.1x client authentication
via RADIUS:

console(config)#authentication enable
console(config)#aaa authentication dot1x default radius
console(config)#aaa authorization network default radius
console(config)#dot1x system-auth-control

(Optional)
console(Config)#dot1x dynamic-vlan enable

3 On the interface, enable MAC based authentication mode, enable MAB,
and set the order of authentication to 802.1X followed by MAC
authentication. Also enable periodic re-authentication.

console(config)#interface te1/0/4
console(config-if-Te1/0/4)#dot1x port-control mac-based
console(config-if-Te1/0/4)#dot1x mac-auth-bypass
console(config-if-Te1/0/4)#authentication order dot1x mab
console(config-if-Te1/0/4)#dot1x reauthentication
console(config-if-Te1/0/4)#exit

authentication order mab
authentication priority mab



On 2018-01-03 at 09:18, André Scrivener wrote:
> Hey,
>
> I configured interface 15 manually to use only vlan 2 (registry), and
> I was assigned a registry address (192.168.2.0/24)
>
> Following config switch:
>
> interface Gi1/0/15
> switchport access vlan 2
> dot1x port-control force-authorized
> exit   
>
>
> Following logs packetfence:
>
> Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO:
> [mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10)
> are different for 84:7b:eb:e3:84:42 - closing ip4log entry
> (pf::api::update_ip4log)
>
>
>
> console#show mac address-table  vlan 2
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> -------- --------------------- ----------- ----------
> 2        0800.2735.FCC4        Dynamic     Gi1/0/11   - Packetfence
> 2        847B.EBE3.8442        Dynamic     Gi1/0/15   - Test machine
>
>
> You may notice that now the mac address of packetfence is in vlan 2.
>
> Have you already configured dell switch switches?
>
> Any idea??
>
>
> 2018-01-03 10:59 GMT-03:00 Fabrice Durand:
>
> Hum strange.
>
> What you can try is to define an interface in the vlan 2 (manually
> on an switch port) and plug your test machine in it. (you must
> receive an ip from PacketFence).
>
> If you receive an ip from the 172.16.0.0/24
> then it means that you have a switch configuration issue (any
> layer 3 interfaces defined in the vlan 2?).
>
> Also what i can see is that there is no mac in the vlan 2 and the
> vlan 3 for the interface 11.
>
> You should have something like that too:
>
> 2        08:00:27:35:fc:c4     Dynamic     Gi1/0/11   - PacketFence Reg
> 3        08:00:27:35:fc:c4     Dynamic     Gi1/0/11   - PacketFence Isol
>
> Regards
> Fabrice
>
>
> On 2018-01-02 at 13:55, André Scrivener wrote:
>> Opss, Fabrice!
>>
>> I forgot an information, the MAC addresses on the switch.
>>
>> By the logs, it is in VLAN 2, the correct vlan.
>>
>> Right now I do not understand, because it does not assign the
>> correct address
>>
>>
>> console#show mac address-table           
>>
>> Aging time is 300 Sec
>>
>> Vlan     Mac Address           Type        Port
>> -------- --------------------- ----------- ----------
>> 1        0800.2700.58E2        Dynamic     Gi1/0/11   - Windows Server 2008
>> 1        0800.2735.FCC4        Dynamic     Gi1/0/11   - PacketFence
>> 1        1418.77EA.F0A3        Management  Vl1        - Switch Dell
>> 1        641C.X                Dynamic     Gi1/0/11   - My physical pc
>> 2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine
>>
>> Total MAC Addresses in use: 5
>>
>> console#show mac address-table interface Gi1/0/13
>>
>> Aging time is 300 Sec
>>
>> Vlan     Mac Address           Type        Port
>> -------- --------------------- ----------- ----------
>> 2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine
>>
>>
>> console#
>>
>>
>> 2018-01-02 15:22 GMT-03:00 André Scrivener:
>>
>> Hello Fabrice, 
>>
>> I simplified the environment, I'm using only 1 interface!
>>
>>
>> enp0s3:   

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread André Scrivener via PacketFence-users
Hey,

I configured interface 15 manually to use only vlan 2 (registry), and I was
assigned a registry address (192.168.2.0/24)

Switch config follows:

interface Gi1/0/15
switchport access vlan 2
dot1x port-control force-authorized
exit


PacketFence logs follow:

Jan  3 12:14:41 packetfence pfqueue: pfqueue(24777) INFO:
[mac:84:7b:eb:e3:84:42] oldip (172.16.0.10) and newip (192.168.2.10) are
different for 84:7b:eb:e3:84:42 - closing ip4log entry
(pf::api::update_ip4log)



console#show mac address-table  vlan 2

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
-------- --------------------- ----------- ----------
2        0800.2735.FCC4        Dynamic     Gi1/0/11   - Packetfence
2        847B.EBE3.8442        Dynamic     Gi1/0/15   - Test machine


You may notice that now the mac address of packetfence is in vlan 2.

Have you already configured Dell switches?

Any idea??


2018-01-03 10:59 GMT-03:00 Fabrice Durand :

> Hum strange.
>
> What you can try is to define an interface in the vlan 2 (manually on an
> switch port) and plug your test machine in it. (you must receive an ip from
> PacketFence).
>
> If you receive an ip from the 172.16.0.0/24 then it means that you have a
> switch configuration issue (any layer 3 interfaces defined in the vlan
> 2?).
>
> Also what i can see is that there is no mac in the vlan 2 and the vlan 3
> for the interface 11.
>
> You should have something like that too:
>
> 2        08:00:27:35:fc:c4     Dynamic     Gi1/0/11   - PacketFence Reg
> 3        08:00:27:35:fc:c4     Dynamic     Gi1/0/11   - PacketFence Isol
>
> Regards
> Fabrice
>
>
> On 2018-01-02 at 13:55, André Scrivener wrote:
>
> Opss, Fabrice!
>
> I forgot an information, the MAC addresses on the switch.
>
> By the logs, it is in VLAN 2, the correct vlan.
>
> Right now I do not understand, because it does not assign the correct
> address
>
>
> console#show mac address-table
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> -------- --------------------- ----------- ----------
> 1        0800.2700.58E2        Dynamic     Gi1/0/11   - Windows Server 2008
> 1        0800.2735.FCC4        Dynamic     Gi1/0/11   - PacketFence
> 1        1418.77EA.F0A3        Management  Vl1        - Switch Dell
> 1        641C.X                Dynamic     Gi1/0/11   - My physical pc
> 2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine
>
> Total MAC Addresses in use: 5
>
> console#show mac address-table interface Gi1/0/13
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> -------- --------------------- ----------- ----------
> 2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine
>
>
> console#
>
>
> 2018-01-02 15:22 GMT-03:00 André Scrivener :
>
>> Hello Fabrice,
>>
>> I simplified the environment, I'm using only 1 interface!
>>
>>
>> enp0s3: Management - DHCP FROM WINDOWS SERVER
>> enp0s3 VLAN 2: Registration  - DHCP ENABLE
>> enp0s3 VLAN 3: Isolation   - DHCP ENABLE
>> enp0s3 VLAN 10: Normal   - NO DHCP
>>
>> IP Address Switch Managed: 172.16.0.50
>> Interface 11: My physical machine, and virtual machine (virtualbox) where
>> is the PacketFence  (interface mode bridge)
>> Interface 23: My client test Windows 8 (interface mode bridge)
>>
>>
>> Problem continue, in the logs it returns to vlan correct, but does not
>> assign to the computer, it stubborn in assigning the network
>> 172.16.0.0/24 (Management Network).
>>
>>
>> root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
>> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
>> (14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
>> "847BEBE38442" (pf::radius::authorize)
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] Instantiate profile default
>> (pf::Connection::ProfileFactory::_from_profile)
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
>> (pf::role::getRegistrationRole)
>> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
>> [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
>> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>>
>>
>>
>> [root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log
>> Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
>> min connections (3)
>> Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
>> additional connection (15), 1 of 62 pending slots used
>> Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
>> 10 spares
>> Jan  2 14:03:10 packetfence 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread André Scrivener via PacketFence-users
Oops, Fabrice!

I forgot some information: the MAC addresses on the switch.

By the logs, it is in VLAN 2, the correct vlan.

Right now I do not understand, because it does not assign the correct
address.


console#show mac address-table

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
-------- --------------------- ----------- ----------
1        0800.2700.58E2        Dynamic     Gi1/0/11   - Windows Server 2008
1        0800.2735.FCC4        Dynamic     Gi1/0/11   - PacketFence
1        1418.77EA.F0A3        Management  Vl1        - Switch Dell
1        641C.X                Dynamic     Gi1/0/11   - My physical pc
2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine

Total MAC Addresses in use: 5

console#show mac address-table interface Gi1/0/13

Aging time is 300 Sec

Vlan     Mac Address           Type        Port
-------- --------------------- ----------- ----------
2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine


console#


2018-01-02 15:22 GMT-03:00 André Scrivener :

> Hello Fabrice,
>
> I simplified the environment, I'm using only 1 interface!
>
>
> enp0s3: Management - DHCP FROM WINDOWS SERVER
> enp0s3 VLAN 2: Registration  - DHCP ENABLE
> enp0s3 VLAN 3: Isolation   - DHCP ENABLE
> enp0s3 VLAN 10: Normal   - NO DHCP
>
> IP Address Switch Managed: 172.16.0.50
> Interface 11: My physical machine, and virtual machine (virtualbox) where
> is the PacketFence  (interface mode bridge)
> Interface 23: My client test Windows 8 (interface mode bridge)
>
>
> Problem continue, in the logs it returns to vlan correct, but does not
> assign to the computer, it stubborn in assigning the network 172.16.0.0/24
> (Management Network).
>
>
> root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
> "847BEBE38442" (pf::radius::authorize)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] Instantiate profile default (pf::Connection::
> ProfileFactory::_from_profile)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
> [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
>
> [root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log
> Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
> min connections (3)
> Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
> additional connection (15), 1 of 62 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
> 10 spares
> Jan  2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening additional
> connection (18), 1 of 61 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42] Accepted
> user:  and returned VLAN 2
> Jan  2 14:03:10 packetfence auth[31813]: (32) Login OK: [847BEBE38442]
> (from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)
>
>
>
>
> Follow network settings:
>
> [root@packetfence ~]# ifconfig
> enp0s3: flags=4163  mtu 1500
> inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
> inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
> ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
> RX packets 560936  bytes 711890423 (678.9 MiB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 153523  bytes 23163746 (22.0 MiB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3.2: flags=4163  mtu 1500
> inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
> inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
> ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 10  bytes 732 (732.0 B)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3.3: flags=4163  mtu 1500
> inet 192.168.3.2  netmask 255.255.255.0  broadcast 192.168.3.255
> inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
> ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
> RX packets 0  bytes 0 (0.0 B)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 10  bytes 732 (732.0 B)
> TX errors 0  dropped 

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-03 Thread Fabrice Durand via PacketFence-users
Hum, strange.

What you can try is to define an interface in the vlan 2 (manually on a
switch port) and plug your test machine into it (you must receive an ip
from PacketFence).

If you receive an ip from the 172.16.0.0/24 then it means that you have a
switch configuration issue (any layer 3 interfaces defined in the vlan
2?).

Also what I can see is that there is no mac in the vlan 2 and the vlan 3
for the interface 11.

You should have something like that too:

2        08:00:27:35:fc:c4     Dynamic     Gi1/0/11   - PacketFence Reg
3        08:00:27:35:fc:c4     Dynamic     Gi1/0/11   - PacketFence Isol

Regards
Fabrice

On 2018-01-02 at 13:55, André Scrivener wrote:
> Opss, Fabrice!
>
> I forgot an information, the MAC addresses on the switch.
>
> By the logs, it is in VLAN 2, the correct vlan.
>
> Right now I do not understand, because it does not assign the correct
> address
>
>
> console#show mac address-table           
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> -------- --------------------- ----------- ----------
> 1        0800.2700.58E2        Dynamic     Gi1/0/11   - Windows Server 2008
> 1        0800.2735.FCC4        Dynamic     Gi1/0/11   - PacketFence
> 1        1418.77EA.F0A3        Management  Vl1        - Switch Dell
> 1        641C.X                Dynamic     Gi1/0/11   - My physical pc
> 2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine
>
> Total MAC Addresses in use: 5
>
> console#show mac address-table interface Gi1/0/13
>
> Aging time is 300 Sec
>
> Vlan     Mac Address           Type        Port
> -------- --------------------- ----------- ----------
> 2        847B.EBE3.8442        Dynamic     Gi1/0/13   - My test machine
>
>
> console#
>
>
> 2018-01-02 15:22 GMT-03:00 André Scrivener:
>
> Hello Fabrice, 
>
> I simplified the environment, I'm using only 1 interface!
>
>
> enp0s3:             Management - DHCP FROM WINDOWS SERVER
> enp0s3 VLAN 2: Registration  - DHCP ENABLE
> enp0s3 VLAN 3: Isolation       - DHCP ENABLE
> enp0s3 VLAN 10: Normal       - NO DHCP
>
> IP Address Switch Managed: 172.16.0.50
> Interface 11: My physical machine, and virtual machine
> (virtualbox) where is the PacketFence  (interface mode bridge)
> Interface 23: My client test Windows 8 (interface mode bridge)
>
>
> Problem continue, in the logs it returns to vlan correct, but does
> not assign to the computer, it stubborn in assigning the network
> 172.16.0.0/24  (Management Network).
>
>
> root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] handling radius
> autz request: from switch_ip => (172.16.0.50), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac =>
> [84:7b:eb:e3:84:42], port => 13, username => "847BEBE38442"
> (pf::radius::authorize)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] Instantiate profile
> default (pf::Connection::ProfileFactory::_from_profile)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] is of status unreg;
> belongs into registration VLAN (pf::role::getRegistrationRole)
> Jan  2 14:03:10 packetfence packetfence_httpd.aaa:
> httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added
> VLAN 2 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
>
>
> [root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log 
> Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections
> to reach min connections (3)
> Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
> additional connection (15), 1 of 62 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections
> to reach 10 spares
> Jan  2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening
> additional connection (18), 1 of 61 pending slots used
> Jan  2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42]
> Accepted user:  and returned VLAN 2
> Jan  2 14:03:10 packetfence auth[31813]: (32) Login OK:
> [847BEBE38442] (from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)
>
>
>
>
> Follow network settings:
>
> [root@packetfence ~]# ifconfig 
> enp0s3: flags=4163  mtu 1500
>         inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
>         inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid
> 0x20
>         ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
>         RX packets 560936  bytes 711890423 (678.9 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 153523  bytes 
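
The two checks Fabrice describes above (is the client MAC learned in the VLAN PacketFence returned, and is the PacketFence MAC learned on the trunk port in the registration and isolation VLANs) can be scripted. The Python below is an added example, not from the thread or from PacketFence: it parses a constructed copy of the packetfence.log "Added VLAN" lines and a constructed Dell "show mac address-table" dump in the format shown in this thread. The MAC addresses and ports are the thread's; the log line and table row for 64:1c:67:82:7d:f2 are added to show the mismatch case.

```python
"""Cross-check a Dell 'show mac address-table' dump against the VLAN that
PacketFence wrote into its RADIUS Access-Accept, plus the trunk check from
this thread. Added example, not PacketFence code; sample data is constructed."""
import re
from collections import defaultdict

# Constructed packetfence.log excerpt in the thread's format (third line added).
PF_LOG = """\
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan  2 14:03:12 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

# Constructed 'show mac address-table'. Gi1/0/11 is the trunk to the PacketFence
# VM; its MAC (0800.2735.FCC4) is learned in VLAN 1 only, as in the thread.
MAC_TABLE = """\
Aging time is 300 Sec
Vlan     Mac Address           Type        Port
-------- --------------------- ----------- ----------
1        0800.2700.58E2        Dynamic     Gi1/0/11
1        0800.2735.FCC4        Dynamic     Gi1/0/11
1        1418.77EA.F0A3        Management  Vl1
1        641C.6782.7DF2        Dynamic     Gi1/0/11
2        847B.EBE3.8442        Dynamic     Gi1/0/13
Total MAC Addresses in use: 5
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f:]{17})\]", re.I)
VLAN_RE = re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept")
ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+(\S+)\s+(\S+)")

def norm_mac(mac):
    """Normalise '0800.2735.FCC4' or '08:00:27:35:FC:C4' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def returned_vlans(log_text):
    """Map MAC -> VLAN id PacketFence put in the Access-Accept (last entry wins)."""
    out = {}
    for line in log_text.splitlines():
        m_mac, m_vlan = MAC_RE.search(line), VLAN_RE.search(line)
        if m_mac and m_vlan:
            out[norm_mac(m_mac.group(1))] = int(m_vlan.group(1))
    return out

def parse_mac_table(text):
    """Map MAC -> set of (vlan, port) pairs the switch has learned it on."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header, dashes, 'Aging time' and 'Total' lines do not match
            vlan, mac, _kind, port = m.groups()
            seen[norm_mac(mac)].add((int(vlan), port))
    return seen

def check_clients(log_text, table_text):
    """Per authorised MAC: did the switch learn it in the VLAN PacketFence returned?"""
    table = parse_mac_table(table_text)
    report = {}
    for mac, vlan in returned_vlans(log_text).items():
        on_switch = sorted({v for v, _ in table.get(mac, set())})
        if not on_switch:
            report[mac] = "not learned on this switch"
        elif vlan in on_switch:
            report[mac] = f"ok: in VLAN {vlan}"
        else:
            report[mac] = f"MISMATCH: PF returned VLAN {vlan}, switch has {on_switch}"
    return report

def missing_trunk_vlans(table_text, pf_mac, trunk_port, managed_vlans):
    """Fabrice's check: PacketFence's own MAC must be learned on the trunk port in
    every VLAN it serves. Returns the VLANs where it is absent (empty = fine)."""
    entries = parse_mac_table(table_text).get(norm_mac(pf_mac), set())
    present = {v for v, p in entries if p == trunk_port}
    return set(managed_vlans) - present

if __name__ == "__main__":
    for mac, verdict in sorted(check_clients(PF_LOG, MAC_TABLE).items()):
        print(mac, verdict)
    missing = missing_trunk_vlans(MAC_TABLE, "08:00:27:35:fc:c4", "Gi1/0/11", (2, 3))
    print("trunk Gi1/0/11 missing VLANs:", sorted(missing) or "none")
```

On the sample data the test client is reported as fine in VLAN 2, the added MAC is flagged as a mismatch, and the trunk check reports VLANs 2 and 3 missing for the PacketFence MAC, which is the symptom this thread is chasing.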

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2018-01-02 Thread André Scrivener via PacketFence-users
Hello Fabrice,

I simplified the environment, I'm using only 1 interface!


enp0s3: Management - DHCP FROM WINDOWS SERVER
enp0s3 VLAN 2: Registration  - DHCP ENABLE
enp0s3 VLAN 3: Isolation   - DHCP ENABLE
enp0s3 VLAN 10: Normal   - NO DHCP

IP Address Switch Managed: 172.16.0.50
Interface 11: My physical machine, and virtual machine (virtualbox) where
is the PacketFence  (interface mode bridge)
Interface 23: My client test Windows 8 (interface mode bridge)


The problem continues: in the logs it returns the correct vlan, but it does not
assign it to the computer; it stubbornly assigns the network 172.16.0.0/24
(Management Network).


[root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
(172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
(14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
"847BEBE38442" (pf::radius::authorize)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)



[root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log
Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
min connections (3)
Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
additional connection (15), 1 of 62 pending slots used
Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
10 spares
Jan  2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening additional
connection (18), 1 of 61 pending slots used
Jan  2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42] Accepted
user:  and returned VLAN 2
Jan  2 14:03:10 packetfence auth[31813]: (32) Login OK: [847BEBE38442]
(from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)




Follow network settings:

[root@packetfence ~]# ifconfig
enp0s3: flags=4163  mtu 1500
inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
RX packets 560936  bytes 711890423 (678.9 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 153523  bytes 23163746 (22.0 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3.2: flags=4163  mtu 1500
inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 10  bytes 732 (732.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3.3: flags=4163  mtu 1500
inet 192.168.3.2  netmask 255.255.255.0  broadcast 192.168.3.255
inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 10  bytes 732 (732.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3.10: flags=4163  mtu 1500
inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20
ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 10  bytes 732 (732.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10
loop  txqueuelen 1  (Loopback Local)
RX packets 1162494  bytes 167041449 (159.3 MiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 1162494  bytes 167041449 (159.3 MiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@packetfence ~]#



[root@packetfence ~]# cat /usr/local/pf/conf/networks.conf
[192.168.3.0]
dns=192.168.3.2
dhcp_start=192.168.3.10
gateway=192.168.3.2
domain-name=vlan-isolation.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246

Re: [PacketFence-users] Need help solving a problem with vlan enforcement

2017-12-29 Thread Fabrice Durand via PacketFence-users
Hello André,

First you need to check on the switch side if the mac address of the
device is in the vlan 300.

Next, a registration vlan is a vlan managed by PacketFence, so you need
to enable dhcp on the vlan 300 and 600.

Another thing I can see is that the interface enp0s8.300 (vlan 300) uses
the network 172.17.0.0/24 and it should be 172.16.0.0/24 ?! (but enp0s8
uses this network).

So in my opinion, you probably messed up the vlan/interface config.

If the enp0s8 interface is really on the vlan 300 then enp0s8.300 is useless
and you probably have to use the vlan 301 as the registration network.

Last thing, be sure that enp0s8 is plugged into a trunk port and be sure
that you define all the vlans in your switch configuration.

Regards
Fabrice



On 2017-12-29 at 08:50, André Scrivener via PacketFence-users wrote:
> I'm configuring pf as vlan enforcement, but I'm having a problem,
> where vlans with their respective IPs are not being assigned. In the
> logs it returns the correct vlans, but does not apply to the station.
>
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] handling radius autz request: from
> switch_ip => (172.16.0.50), connection_type =>
> WIRED_MAC_AUTH,switch_mac => (14:18:77:ea:f0:a2), mac =>
> [64:1c:67:82:7d:f2], port => 41, username => "641C67827DF2"
> (pf::radius::authorize)
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] is of status unreg; belongs into
> registration VLAN (pf::role::getRegistrationRole)
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185)
> INFO: [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 300 to the
> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to
> reach min connections (3)
> Dec 29 11:36:54 packtfence auth[7662]: rlm_rest (rest): Opening
> additional connection (23), 1 of 62 pending slots used
> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to
> reach min connections (3)
> Dec 29 11:36:54 packtfence auth[7662]: rlm_sql (sql): Opening
> additional connection (25), 1 of 62 pending slots used
> Dec 29 11:36:54 packtfence auth[7662]: [mac:64:1c:67:82:7d:f2]
> Accepted user:  and returned VLAN 300
> Dec 29 11:36:54 packtfence auth[7662]: (44) Login OK: [641C67827DF2]
> (from client 172.16.0.50 port 41 cli 64:1c:67:82:7d:f2)
>
>
> In the logs it returns the correct vlan, but does not assign it to the
> computer; it stubbornly assigns the network 172.16.0.0/24.
>
> I did not configure DHCP in packetfence, when packetfence returns a
> vlan it is for it to get dhcp from my infrastructure. (So I imagine.)
>
> Follows some of my settings, it's okay to expose information since
> it's a lab.
>
>
> [root@packtfence ~]# ifconfig 
> SCRIVENER-b: flags=4163  mtu 1500
>         inet 169.254.0.2  netmask 255.255.255.252  broadcast 169.254.0.3
>         inet6 fe80::c8b5:5bff:febe:b1cc  prefixlen 64  scopeid 0x20
>         ether ca:b5:5b:be:b1:cc  txqueuelen 1000  (Ethernet)
>         RX packets 8  bytes 648 (648.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 8  bytes 648 (648.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3: flags=4099  mtu 1500
>         ether 08:00:27:a3:36:2a  txqueuelen 1000  (Ethernet)
>         RX packets 5668  bytes 8119227 (7.7 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1260  bytes 80253 (78.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8: flags=4163  mtu 1500
>         inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 20960  bytes 4119093 (3.9 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 12227  bytes 21064744 (20.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.300: flags=4163  mtu 1500
>         inet 172.17.0.2  netmask 255.255.255.0  broadcast 172.17.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 10  bytes 628 (628.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 14  bytes 900 (900.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.301: flags=4163  mtu 1500
>         inet 172.19.0.2  netmask