Hi folks, I have been playing with setting up wired MAB in PF and have set up the following switches and switch groups:-
[default]
type=Cisco::Catalyst_2960
registrationVlan=820
isolationVlan=999
voiceVlan=22
cliTransport=SSH
cliUser=XXX
cliPwd=XXX
cliEnablePwd=XXX
SNMPVersion=2c
SNMPCommunityRead=XXX
SNMPCommunityWrite=XXX
SNMPVersionTrap=2c
SNMPCommunityTrap=XXX
radiusSecret=XXX
StudentVlan=2
StaffVlan=2
Falmouth_GuestVlan=2
IT_StaffVlan=5
guestVlan=2
UoE_GuestVlan=2
always_trigger=1
Eduroam-userVlan=2
UOE-UserVlan=2
coaPort=1700
deauthMethod=RADIUS
VoIPEnabled=Y

[group OldHouse-Annex]
description=Switches located in Old House and Annex
StudentVlan=160
gamingVlan=2
IT_StaffVlan=70

[10.252.252.10]
description=OldHouse-CAB-C
group=OldHouse-Annex

To cover all general requirements across the campus we have default settings from the 'default' switch group, a more specific group for a set of switches in a specific location ('OldHouse-Annex'), and finally a member switch specific to that group (10.252.252.10). When a user authenticates on the specific switch (10.252.252.10) in a particular role, he is not getting the VLAN assigned from the 'parent' group (aka OldHouse-Annex) but from the 'default', which is incorrect since the specific VLAN that is assigned to that role does not, in fact, exist on that particular switch.
Everything looks right in the GUI, in that the screen shows the correct VLANs being assigned to the correct roles, but in reality the logs and the end device are seeing something completely different:-

If I manually assign VLAN 70 to the role in the switch config (10.252.252.10) then I get this:-

Aug 13 13:15:06 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted user: and returned VLAN 70
Aug 13 13:15:06 PacketFence-ZEN auth[6845]: (27) Login OK: [107d1a187133] (from client 10.252.252.10 port 50347 cli 10:7d:1a:18:71:33)

But if I allow the switch to obtain its VLANs from the parent group 'OldHouse-Annex' I get:-

Aug 13 13:15:31 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted user: and returned VLAN 5
Aug 13 13:15:31 PacketFence-ZEN auth[6845]: (30) Login OK: [107d1a187133] (from client 10.252.252.10 port 50347 cli 10:7d:1a:18:71:33)

This is not correct, since VLAN 5 does not exist on switches in the group.

Also, I noticed that the CoA port override (1700) from the default group is not being inherited and has to be manually entered in the switch settings, or else it uses the default value of 3799.

Am I making too many assumptions about the hierarchical nature of switch groups, and can I indeed not use the 'default' like this? Any ideas – hopefully you can reproduce this.

Andrew

Andrew Torry
Senior Infrastructure Engineer, Falmouth Exeter Plus
Tel: 01326 370760
Email: andrew.to...@fxplus.ac.uk
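The following is an added example, not code from the original post or from PacketFence itself. It reads a switches.conf-style file and resolves each setting for a given switch in the order the post expects (the switch's own section, then its group, then [default]), so the value the hierarchy should have produced can be compared with the VLAN that the RADIUS log actually shows. Assumptions: the role-to-key mapping is `<role>Vlan` as in the posted config; the sample config is the poster's with secrets and unused keys dropped; the log lines are constructed in the same format as the ones quoted above; `load_conf`, `resolve`, `expected_vlan`, `parse_log` and `audit` are names chosen for this example. If PacketFence resolves group values differently in practice, the "expected" column is still what the config author intended, which is exactly the discrepancy worth putting in a bug report.

```python
"""Resolve effective per-switch settings from a PacketFence-style switches.conf
and audit RADIUS log lines against them.

Added example (not PacketFence code). Lookup order assumed:
switch section -> [group <name>] named by its group= key -> [default].
"""
import configparser
import re

# Constructed sample: the poster's switches.conf, secrets and unused keys dropped.
SWITCHES_CONF = """
[default]
type=Cisco::Catalyst_2960
registrationVlan=820
isolationVlan=999
StudentVlan=2
IT_StaffVlan=5
coaPort=1700
deauthMethod=RADIUS

[group OldHouse-Annex]
description=Switches located in Old House and Annex
StudentVlan=160
gamingVlan=2
IT_StaffVlan=70

[10.252.252.10]
description=OldHouse-CAB-C
group=OldHouse-Annex
"""

# Constructed log lines in the format quoted in the post.
LOG = """\
Aug 13 13:15:31 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted user: and returned VLAN 5
Aug 13 13:15:31 PacketFence-ZEN auth[6845]: (30) Login OK: [107d1a187133] (from client 10.252.252.10 port 50347 cli 10:7d:1a:18:71:33)
"""

VLAN_RE = re.compile(r"\[mac:([0-9a-f:]+)\] Accepted user: .*returned VLAN (\d+)")
CLIENT_RE = re.compile(r"\(from client (\d+\.\d+\.\d+\.\d+) port \d+ cli ([0-9a-f:]+)\)")


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: IT_StaffVlan is not it_staffvlan
    cp.read_string(text)
    return cp


def resolve(cp, switch_id, key):
    """Return (value, section_it_came_from) for key on switch_id,
    walking switch -> group -> default. KeyError if nothing defines it."""
    chain = [switch_id]
    if cp.has_section(switch_id) and cp.has_option(switch_id, "group"):
        chain.append("group " + cp.get(switch_id, "group"))
    chain.append("default")
    for section in chain:
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key), section
    raise KeyError(f"{key} is not defined anywhere for {switch_id}")


def expected_vlan(cp, switch_id, role):
    """Assumed mapping: role 'IT_Staff' is stored under key 'IT_StaffVlan'."""
    return resolve(cp, switch_id, role + "Vlan")


def parse_log(text):
    """Pair each 'returned VLAN' line with the 'Login OK' line for the same
    MAC, yielding (client_ip, mac, vlan) tuples."""
    pending, out = {}, []
    for line in text.splitlines():
        m = VLAN_RE.search(line)
        if m:
            pending[m.group(1)] = int(m.group(2))
            continue
        m = CLIENT_RE.search(line)
        if m and m.group(2) in pending:
            out.append((m.group(1), m.group(2), pending.pop(m.group(2))))
    return out


def audit(cp, log_text, role):
    """Compare each logged assignment with what the hierarchy says it should be."""
    findings = []
    for ip, mac, got in parse_log(log_text):
        want, src = expected_vlan(cp, ip, role)
        findings.append({"switch": ip, "mac": mac, "returned": got,
                         "expected": int(want), "from": src,
                         "ok": got == int(want)})
    return findings


if __name__ == "__main__":
    conf = load_conf(SWITCHES_CONF)
    for finding in audit(conf, LOG, "IT_Staff"):
        print(finding)
    print("coaPort for 10.252.252.10:", resolve(conf, "10.252.252.10", "coaPort"))
```

Running it against the constructed log reports the IT_Staff assignment on 10.252.252.10 as returned 5, expected 70 from `group OldHouse-Annex`, which is the mismatch described in the post; the `coaPort` lookup shows 1700 coming from `[default]`, the second value the post says was not inherited.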
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users