HI folks,

I have been playing with setting up wired MAB in PF and have set up the 
following switches and switch groups:-


[default]
type=Cisco::Catalyst_2960
registrationVlan=820
isolationVlan=999
voiceVlan=22
cliTransport=SSH
cliUser=XXX
cliPwd=XXX
cliEnablePwd=XXX
SNMPVersion=2c
SNMPCommunityRead=XXX
SNMPCommunityWrite=XXX
SNMPVersionTrap=2c
SNMPCommunityTrap=XXX
radiusSecret=XXX
StudentVlan=2
StaffVlan=2
Falmouth_GuestVlan=2
IT_StaffVlan=5
guestVlan=2
UoE_GuestVlan=2
always_trigger=1
Eduroam-userVlan=2
UOE-UserVlan=2
coaPort=1700
deauthMethod=RADIUS
VoIPEnabled=Y

[group OldHouse-Annex]
description=Switches located in Old House and Annex
StudentVlan=160
gamingVlan=2
IT_StaffVlan=70

[10.252.252.10]
description=OldHouse-CAB-C
group=OldHouse-Annex

To cover all general requirements across the campus we have default settings 
from the ‘default’ switch group and a more specific group for a set of switches
in a specific location ‘OldHouse-Annex’ and finally a member switch specific 
to that group (10.252.252.10).

When a user authenticates on the specific switch (10.252.252.10) in a 
particular role he is not getting the VLAN assigned from
the ‘parent’ group (aka OldHouse-Annex) but from the ‘default’ which is 
incorrect since the specific VLAN that is assigned to that role
does not, in fact, exist on that particular switch.

Everything looks right in the GUI in that the screen shows the correct VLANs 
being assigned to the correct roles but in reality the logs and the
end device are seeing something completely different:-

If I manually assign VLAN 70 to the role in the switch config (10.252.252.10) 
then I get this:-

Aug 13 13:15:06 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted 
user:  and returned VLAN 70
Aug 13 13:15:06 PacketFence-ZEN auth[6845]: (27) Login OK: [107d1a187133] (from 
client 10.252.252.10 port 50347 cli 10:7d:1a:18:71:33)

But if I allow the switch to obtain its VLANs from the parent group 
‘OldHouse-Annex’ I get:-

Aug 13 13:15:31 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted 
user:  and returned VLAN 5
Aug 13 13:15:31 PacketFence-ZEN auth[6845]: (30) Login OK: [107d1a187133] (from 
client 10.252.252.10 port 50347 cli 10:7d:1a:18:71:33)

Which is not correct since VLAN 5 does not exist on switches in the group.

Also I noticed that the COA port override (1700) from the default group is not 
being inherited and has to be manually entered in the switch settings or
else it uses the default value of 3799.

Am I making too many assumptions about the hierarchical nature of switch groups 
and indeed cannot use the ‘default’ like this?

Any ideas – hopefully you can reproduce this.

Andrew

Andrew Torry

Senior Infrastructure Engineer



Tel: 01326 370760

Email: andrew.to...@fxplus.ac.uk
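Added example, not part of Andrew's post and not PacketFence's own code: a small Python model of the precedence the post expects from switches.conf (switch section, then its group, then [default]), plus a check that the resolved VLAN actually exists on the switch and an audit that compares the VLAN in the quoted auth log lines with the resolved one. The config and log lines are constructed from the post (credentials and unrelated roles dropped); the resolution order, the VLAN list for the switch and the 3799 fallback are assumptions taken from the post, not verified PacketFence behaviour.

```python
import configparser
import re

# Constructed switches.conf excerpt, trimmed from the one quoted in the post.
SWITCHES_CONF = """\
[default]
type=Cisco::Catalyst_2960
coaPort=1700
StudentVlan=2
IT_StaffVlan=5
guestVlan=2

[group OldHouse-Annex]
description=Switches located in Old House and Annex
StudentVlan=160
gamingVlan=2
IT_StaffVlan=70

[10.252.252.10]
description=OldHouse-CAB-C
group=OldHouse-Annex
"""

# Constructed copies of the two auth log lines quoted in the post (unwrapped).
SAMPLE_LOG = [
    "Aug 13 13:15:06 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted user:  and returned VLAN 70",
    "Aug 13 13:15:31 PacketFence-ZEN auth[6845]: [mac:10:7d:1a:18:71:33] Accepted user:  and returned VLAN 5",
]

BUILTIN_COA_PORT = 3799  # fallback the post reports when coaPort is not inherited (assumption)

# Matches the "Accepted user: ... returned VLAN N" line format shown in the post.
ACCEPT_RE = re.compile(
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] Accepted user:.*?returned VLAN (?P<vlan>\d+)"
)


def load_conf(text):
    # default_section renamed so that a literal [default] section is treated as an ordinary section;
    # optionxform=str keeps key case (IT_StaffVlan, guestVlan) exactly as written.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _group_section(cp, switch_id):
    """Section name of the group a switch belongs to, or None."""
    if cp.has_option(switch_id, "group"):
        return "group " + cp.get(switch_id, "group")
    return None


def lookup(cp, switch_id, key):
    """Assumed precedence: switch section, then its group, then [default]. Returns (value, source)."""
    for section in (switch_id, _group_section(cp, switch_id), "default"):
        if section and cp.has_option(section, key):
            return cp.get(section, key), section
    return None, None


def role_vlan(cp, switch_id, role):
    value, source = lookup(cp, switch_id, role + "Vlan")
    return (int(value) if value is not None else None), source


def coa_port(cp, switch_id):
    value, _ = lookup(cp, switch_id, "coaPort")
    return int(value) if value is not None else BUILTIN_COA_PORT


def check_vlans(cp, switch_id, roles, vlans_on_switch):
    """Roles whose resolved VLAN is not configured on the switch: list of (role, vlan, source)."""
    problems = []
    for role in roles:
        vlan, source = role_vlan(cp, switch_id, role)
        if vlan is not None and vlan not in vlans_on_switch:
            problems.append((role, vlan, source))
    return problems


def audit_log(cp, switch_id, role, lines):
    """Accept lines whose returned VLAN differs from the resolved one: (mac, returned, expected, source)."""
    expected, source = role_vlan(cp, switch_id, role)
    mismatches = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m and int(m.group("vlan")) != expected:
            mismatches.append((m.group("mac"), int(m.group("vlan")), expected, source))
    return mismatches


if __name__ == "__main__":
    cp = load_conf(SWITCHES_CONF)
    sw = "10.252.252.10"
    for role in ("IT_Staff", "Student", "guest"):
        print(role, role_vlan(cp, sw, role))
    print("coaPort", coa_port(cp, sw))
    # Constructed VLAN list for the switch: the group's VLANs are present, VLAN 5 is not.
    print("missing", check_vlans(cp, sw, ["IT_Staff", "Student"], {2, 70, 160, 999}))
    print("mismatches", audit_log(cp, sw, "IT_Staff", SAMPLE_LOG))
```

Run against the constructed config, `role_vlan` resolves IT_Staff to 70 from the group and `audit_log` flags only the second log line (VLAN 5 returned where 70 was expected), which is the symptom the post describes; the same audit over the real switches.conf and the auth log is a quick way to confirm whether a given PacketFence build applies the group value or falls through to [default].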
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users