Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-12 Thread Thapeli Matsabu via PacketFence-users
Hi Nicolas,

I will install a new certificate. I thought that when you install PF, it installs 
with a certificate.

Kind regards,

Thapeli

From: Quiniou-Briand, Nicolas  
Sent: 12 July 2021 11:22 AM
To: Thapeli Matsabu ; 
packetfence-users@lists.sourceforge.net; 'Fabrice Durand' 
Subject: RE: [PacketFence-users] VLAN Enforcement with MAC address 
authentication

 

Hello Thapeli,

According to radius.log, it looks like you have an SSL issue.

Your node needs to have the CA certificate that signed the PacketFence RADIUS 
certificate in its certificate store, or the PacketFence RADIUS certificate directly.

Nicolas Quiniou-Briand
Product Support Engineer

Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-12 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello Thapeli,

According to radius.log, it looks like you have an SSL issue.
Your node needs to have the CA certificate that signed the PacketFence RADIUS 
certificate in its certificate store, or the PacketFence RADIUS certificate directly.

Nicolas Quiniou-Briand
Product Support Engineer


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142




Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-09 Thread Quiniou-Briand, Nicolas via PacketFence-users
Hello,

In the packetfence.log you provided, I didn't see any RADIUS request processed.
Are you sure your PacketFence server received traffic from your switch?

Nicolas Quiniou-Briand
Product Support Engineer


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142




Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Fabrice Durand via PacketFence-users
Hello Thapeli,

I can see that you have multiple issues in your config.

First, the switch config doesn't look to be correct.

If the PacketFence server is plugged into port Fa/01, only VLAN 1 is
allowed.
Next, you don't have to enable 802.1x on this port.

interface FastEthernet0/1
 switchport trunk allowed vlan 1
 switchport mode trunk
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 dot1x reauthentication


The port where you plug in your testing device should look like this:


switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication



Also, on the PF side it looks like you have an interface eno1636.1, which is
useless since the native VLAN looks to be 1, so eno1636 is already in VLAN 1.

Another thing: you can't return VLAN ID 1 if the native VLAN on the
switchport is already 1; you should return nothing.


[172.16.251.2]
description=Test Switch
guestVlan=
defaultVlan=
type=Cisco::Catalyst_2950
VoIPLLDPDetect=N
uplink=23,24
radiusSecret=useStrongerSecret
MachineVlan=
UserVlan=


And verify that you are able to ping the switch IP from PacketFence:
172.16.251.2


Regards

Fabrice



On Thu, 8 Jul 2021 at 17:16, Thapeli Matsabu via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> Find the attached. I only have one server. It is also working as radius.
>
>
>
>
>
> Kind regards,
>
>
>
>
>
> *From:* Zammit, Ludovic 
> *Sent:* 08 July 2021 09:28 PM
> *To:* Thapeli Matsabu 
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] VLAN Enforcement with MAC address
> authentication
>
>
>
> Hello there,
>
>
>
> If your Radius audit log is empty it probably means that the radius
> authentication did not work properly or you are still cached from a
> previous authentication.
>
>
>
> Can you provide the /usr/local/pf/logs/packetfence.log and the
> /usr/local/pf/logs/radius.log of the server that does the authentication ?
>
>
>
> Thanks,
>
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>
>
> On Jul 8, 2021, at 3:25 PM, Thapeli Matsabu 
> wrote:
>
>
>
> Hi Ludovic,
>
> Apologies for delayed response. Due to covid restrictions I am working
> from home and my lab was still at the office. Today I went and got the
> equipment.
>
>
>
> 1. My radius audit log is empty. What does that mean?
> 2. Radius CoA. Is this on the switch configuration?
>
>
>
>
>
>
>
> *From:* Zammit, Ludovic 
> *Sent:* 06 July 2021 02:41 PM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Thapeli Matsabu 
> *Subject:* Re: [PacketFence-users] VLAN Enforcement with MAC address
> authentication
>
>
>
> Hello there,
>
>
>
> Multiple things that you can verify.
>
>
>
> 1. Make sure in Auditing that the radius reply for that Mac address
> contains the Tunnel-Private-Group-Id = "1"
>
>
>
> 2. Re-check if the radius CoA is correctly configured to disconnect user
> (radius dynamic authorization)
>
>
>
> 3. Show us your configuration / logs related to that authentication.
>
>
>
> Thanks,
>
>
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
>
> *Cell:* +1.613.670.8432
>
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
>

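A small lint for the points raised in the reply above, as an added example that is not part of the original thread and is not PacketFence code: it flags 802.1X on a trunk port, access ports that are not under 802.1X control, and a VLAN value equal to the port's native VLAN. Both sample configurations are constructed from the ones quoted above, and a native VLAN of 1 is an assumption.

```python
import configparser
import re

# Constructed sample, modelled on the switch configuration quoted above.
SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport trunk allowed vlan 1
 switchport mode trunk
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface FastEthernet0/16
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
!
interface FastEthernet0/17
 switchport mode access
"""

# Constructed sample: the switch entry from above with defaultVlan set to 1,
# the value the reply says must not be returned when the native VLAN is 1.
PF_SWITCH_ENTRY = """\
[172.16.251.2]
description=Test Switch
type=Cisco::Catalyst_2950
uplink=23,24
guestVlan=
defaultVlan=1
MachineVlan=
UserVlan=
"""


def parse_interfaces(text):
    """Return {interface name: [stripped sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line closes the block
    return interfaces


def lint_switch(text):
    """Flag trunk ports running 802.1X and access ports that skip it."""
    findings = []
    for name, lines in parse_interfaces(text).items():
        trunk = "switchport mode trunk" in lines
        access = "switchport mode access" in lines
        dot1x = "dot1x port-control auto" in lines
        if trunk and dot1x:
            findings.append((name, "802.1X enabled on trunk port"))
        if access and not dot1x:
            # Such a port places any device in its static VLAN, registered or not.
            findings.append((name, "access port not under 802.1X control"))
    return findings


def lint_vlan_roles(entry_text, native_vlan="1"):
    """Flag *Vlan keys whose value equals the assumed native VLAN."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the keys' original case
    parser.read_string(entry_text)
    findings = []
    for switch in parser.sections():
        for key, value in parser[switch].items():
            if key.lower().endswith("vlan") and value.strip() == native_vlan:
                findings.append((switch, f"{key} returns native VLAN {native_vlan}"))
    return findings


if __name__ == "__main__":
    for finding in lint_switch(SWITCH_CONFIG) + lint_vlan_roles(PF_SWITCH_ENTRY):
        print(*finding, sep=": ")
```
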
Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Thapeli Matsabu via PacketFence-users
Hi Ludovic,

Apologies for delayed response. Due to covid restrictions I am working from 
home and my lab was still at the office. Today I went and got the equipment.

 

1.  My radius audit log is empty. What does that mean?
2.  Radius CoA. Is this on the switch configuration? 

 

 

 

From: Zammit, Ludovic  
Sent: 06 July 2021 02:41 PM
To: packetfence-users@lists.sourceforge.net
Cc: Thapeli Matsabu 
Subject: Re: [PacketFence-users] VLAN Enforcement with MAC address 
authentication

 

Hello there,

 

Multiple things that you can verify.

 

1. Make sure in Auditing that the radius reply for that Mac address contains the 
Tunnel-Private-Group-Id = "1"

 

2. Re-check if the radius CoA is correctly configured to disconnect user 
(radius dynamic authorization)

 

3. Show us your configuration / logs related to that authentication.

 

Thanks,

 


Ludovic Zammit
Product Support Engineer Principal






Cell: +1.613.670.8432

Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142




On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

 

Hi all,

I have been through this mailing trying to find if someone had this problem 
before, but I could not find anything similar.

 

I am trying to configure VLAN Enforcement with MAC address authentication:

*   I am using Cisco 2950 with PF 10 on Centos 7
*   I have configured 4 networks: see network.conf attached

*   Management and Normal– default VLAN (1)
*   Registration – VLAN 2
*   Isolation – VLAN 3
*   MAC detection – VLAN 4 (not configured on PF, only on the router)

*   I have configured my router and PF can see and manage the VLANs. See 
my router config attached
*   I have manually registered a device on PF
*   I want to manually register devices and all registered devices should 
go to VLAN 1 (Normal and management) and unregistered devices to just sit in 
registration VLAN, and in future registered devices that do not meet the 
requirements to go to ISOLATION VLAN.

My problem is that when I connect a device to port 16, it gets stuck in VLAN 2 
and it never gets moved to VLAN 1, which is my default VLAN, even though on PF 
the device is already registered. If I connect to any other port, it gets moved 
to VLAN 1 even if it's not registered.

 

 

 

Regards,

 



 

 

 

 


Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-08 Thread Zammit, Ludovic via PacketFence-users
Hello there,

If your Radius audit log is empty it probably means that the radius 
authentication did not work properly or you are still cached from a previous 
authentication.

Can you provide the /usr/local/pf/logs/packetfence.log and the 
/usr/local/pf/logs/radius.log of the server that does the authentication?

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jul 8, 2021, at 3:25 PM, Thapeli Matsabu  wrote:
> 
> Hi Ludovic,
> Apologies for delayed response. Due to covid restrictions I am working from 
> home and my lab was still at the office. Today I went and got the equipment.
>  
> My radius audit log is empty. What does that mean?
> Radius CoA. Is this on the switch configuration? 
>  
>  
>  
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: 06 July 2021 02:41 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Thapeli Matsabu <thap...@dataproof.co.za>
> Subject: Re: [PacketFence-users] VLAN Enforcement with MAC address 
> authentication
>  
> Hello there,
>  
> Multiple things that you can verify.
>  
> 1. Make sure in Auditing that the radius reply for that Mac address contains 
> the Tunnel-Private-Group-Id = "1"
>  
> 2. Re-check if the radius CoA is correctly configured to disconnect user 
> (radius dynamic authorization)
>  
> 3. Show us your configuration / logs related to that authentication.
>  
> Thanks,
>  
> Ludovic Zammit
> Product Support Engineer Principal
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> 
> 
>> On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net> wrote:
>>  
>> Hi all,
>> I have been through this mailing trying to find if someone had this problem 
>> before, but I could not find anything similar.
>>  
>> I am trying to configure VLAN Enforcement with MAC address authentication:
>> * I am using Cisco 2950 with PF 10 on Centos 7
>> * I have configured 4 networks: see network.conf attached
>>   * Management and Normal – default VLAN (1)
>>   * Registration – VLAN 2
>>   * Isolation – VLAN 3
>>   * MAC detection – VLAN 4 (not configured on PF, only on the router)
>> * I have configured my router and PF can see and manage the VLANs. See my 
>>   router config attached
>> * I have manually registered a device on PF
>> * I want to manually register devices and all registered devices should go to 
>>   VLAN 1 (Normal and management) and unregistered devices to just sit in 
>>   registration VLAN, and in future registered devices that do not meet the 
>>   requirements to go to ISOLATION VLAN.
>>  
>> My problem is that when I connect a device to port 16, it gets stuck in VLAN 
>> 2 and it never gets moved to VLAN 1, which is my default VLAN, even though 
>> on PF the device is already registered. If I connect to any other port, it 
>> gets moved to VLAN 1 even if it's not registered.
>>  
>>  
>>  
>> Regards,




Re: [PacketFence-users] VLAN Enforcement with MAC address authentication

2021-07-06 Thread Zammit, Ludovic via PacketFence-users
Hello there,

Multiple things that you can verify.

1. Make sure in Auditing that the radius reply for that Mac address contains the 
Tunnel-Private-Group-Id = "1"

2. Re-check if the radius CoA is correctly configured to disconnect user 
(radius dynamic authorization)

3. Show us your configuration / logs related to that authentication.

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jul 6, 2021, at 3:51 AM, Thapeli Matsabu via PacketFence-users wrote:
> 
> Hi all,
> I have been through this mailing trying to find if someone had this problem 
> before, but I could not find anything similar.
>  
> I am trying to configure VLAN Enforcement with MAC address authentication:
> * I am using Cisco 2950 with PF 10 on Centos 7
> * I have configured 4 networks: see network.conf attached
>   * Management and Normal – default VLAN (1)
>   * Registration – VLAN 2
>   * Isolation – VLAN 3
>   * MAC detection – VLAN 4 (not configured on PF, only on the router)
> * I have configured my router and PF can see and manage the VLANs. See my 
>   router config attached
> * I have manually registered a device on PF
> * I want to manually register devices and all registered devices should go to 
>   VLAN 1 (Normal and management) and unregistered devices to just sit in 
>   registration VLAN, and in future registered devices that do not meet the 
>   requirements to go to ISOLATION VLAN.
>  
> My problem is that when I connect a device to port 16, it gets stuck in VLAN 2 
> and it never gets moved to VLAN 1, which is my default VLAN, even though on 
> PF the device is already registered. If I connect to any other port, it gets 
> moved to VLAN 1 even if it's not registered.
>  
>  
>  
> Regards,


Re: [PacketFence-users] VLAN Enforcement

2017-06-14 Thread Fabrice Durand via PacketFence-users
Hello Rafael,

VLAN 10 is for registration, so it's normal that you don't have internet
access.

Regards

Fabrice



On 2017-06-12 at 16:14, Diogo Rafael via PacketFence-users wrote:
>
> Hi,
>
> I'm trying to implement VLAN Enforcement on my environment but I'm
> having some troubles.
>
> I have two interfaces: eth0, which connects to the internet, and eth1.
>
> On the interface eth1 I have 3 VLANs: VLAN 10 for registration, VLAN
> 20 for Isolation, and VLAN 30 is none.
>
> When a user tries to register on VLAN 10 he can't go through the
> internet. Please help me.
>
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Vlan enforcement mode deployment

2016-07-30 Thread Eloge Bapfunya
Dear Damiano,
thank you for your reaction. I think so there is no possibility to deploy a
VLAN Enforcement with such topology.
Best Regards,

Eloge B

-Original Message-
From: Damiano Verzulli [mailto:dami...@verzulli.it] 
Sent: Friday, 29 July 2016 12:51
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Vlan enforcement mode deployment

On 29/07/2016 03:14, Sallee, Jake wrote:
> Eloge:
> 
> I have been running PF in production for years with a very similar
> setup to the one you have described.


Hi Jake,

I was tempted to answer myself with a "yes, it's possible.
Definitely"
but then I re-read this sentence, in the original POST from Eloge:

- -
> [...] We have an hybrid network with WIFI and Wired connection with at
> some points CASCADED SWITCHES WITH MANAGED AND UNMANAGED EQUIPMENTS. 
> [...]
- -
(caps added by me)

As in my network environment there are "unmanaged" switches as well
(...unfortunately!), I believed that this is a definitely NO-NO for a
VLAN deployment of PF.

Am I wrong?

Thanks,
DV

- -- 
Damiano Verzulli
e-mail: dami...@verzulli.it
- ---
possible?ok:while(!possible){open_mindedness++}
- ---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html


Re: [PacketFence-users] Vlan enforcement mode deployment

2016-07-30 Thread Eloge Bapfunya
Dear Alex and Jake,

thank you for your contributions. I think I have similar topology as yours and 
it seems vlan enforcement should be very difficult to deploy unless I mix with 
inline mode as I have Edge Switches which have been cascaded with unmanaged 
switch as mentioned in the attached topology.

Thank you Alex for connecting to someone at UCU, it should be very interesting 
to talk to him as he's already using it.

I have already setup my Packetfence in a test environment and I added my ldap 
directory as source of authentication and when I try to get connected to 
Internet, I type my login and password and it shows that I have been registered 
and after get this message "Your network should be enabled within a minute or 
two. If it is not reboot your computer."  and get stuck.

I tried to reboot the server, unregister my node and try again to login with 
same message.

 

Best Regards,

 

Eloge Bapfunya

Network and Systems Administrator

University of Burundi

 

 

From: Kisakye Alex [mailto:kisa...@gmail.com] 
Sent: Friday, 29 July 2016 03:34
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Vlan enforcement mode deployment

 

Greetings Eloge,

I installed Packetfence at Uganda Christian University (UCU) around 2012 and is 
actually made of similar components PF, Ubiquiti Equipment at the time we used 
inline which worked beautifully. Similar to Jake's setup we were managing about 
8,000 devices.

That setup has since been improved to vlan enforcement. If you like I can point 
you to someone at UCU for assistance.

 

thanks

Alex

 

On Fri, Jul 29, 2016 at 11:14 AM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

Eloge:


I have been running PF in production for years with a very similar setup to the 
one you have described.


Yes; PF can do what you are trying to do, if you have the correct equipment.


Check PF's compatibility list for your equipment to make sure it is supported.  
But just about any equipment that supports SNMP can be used by PF.


VLan enforcement is the best way to deploy PF in any environment with over a 
handful of users.  In InLine mode all the traffic from the users is sent 
through the PF box, even after the user is authenticated.


This can cause a bottleneck if you have users that are bandwidth hungry or you 
have more than a few users simultaneously.


With VLan enforcement the PF box is completely out of band and is able to 
service many times the number of users without any problems.


My box is not super impressive and I do not have any problems with 8,000+ 
simultaneous users.


If you could drop off a simple network diagram as well as exactly what you are 
trying to accomplish it would be very helpful.


You might be surprised at how versatile PF can be.



Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Eloge Bapfunya <eloge.bapfu...@ub.edu.bi>
Sent: Thursday, July 28, 2016 2:57 AM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Vlan enforcement mode deployment


Hi All,
I come to you for clarification about my project. We had started a project to 
deploy packetfence 3 years ago but I gave up as we found we were not ready for 
the big project.
This time we are about to revive the project for our institution which is a 
university.
We have an hybrid network with WIFI and Wired connection with at some points 
cascaded switches with managed and unmanaged equipments.
My worries is about to deploy the VLAN Enforcement mode with such network. Is 
there anyway a WIFI client can be switched from registration or isolation to 
data access within WIFI network controller which is connected to Ubiquiti Unifi 
AP. I think I miss some tips about how to manage such stuffs.
My understanding is that with my actual topology, there is no way I can deploy 
such Enforcement VLAN mode with my current network (WIFI and Wired).
If someone can give me clarification about how I can proceed to achieve my 
goal. I am aware about how inline mode works but I would like my Packetfence to 
controll access without being a gateway.
Thank you in advance,

Eloge B.
University of Burundi


Re: [PacketFence-users] Vlan enforcement mode deployment

2016-07-29 Thread Damiano Verzulli
On 29/07/2016 03:14, Sallee, Jake wrote:
> Eloge:
> 
> I have been running PF in production for years with a very similar
> setup to the one you have described.


Hi Jake,

I was tempted to answer myself with a "yes, it's possible. Definitely"
but then I re-read this sentence, in the original POST from Eloge:

- -
> [...] We have an hybrid network with WIFI and Wired connection with at
> some points CASCADED SWITCHES WITH MANAGED AND UNMANAGED EQUIPMENTS. 
> [...]
- -
(caps added by me)

As in my network environment there are "unmanaged" switches as well
(...unfortunately!), I believed that this is a definitely NO-NO for a
VLAN deployment of PF.

Am I wrong?

Thanks,
DV

- -- 
Damiano Verzulli
e-mail: dami...@verzulli.it
- ---
possible?ok:while(!possible){open_mindedness++}
- ---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html


Re: [PacketFence-users] Vlan enforcement mode deployment

2016-07-28 Thread Kisakye Alex
Greetings Eloge,
I installed Packetfence at Uganda Christian University (UCU) around 2012
and is actually made of similar components PF, Ubiquiti Equipment at the
time we used inline which worked beautifully. Similar to Jake's setup we
were managing about 8,000 devices.
That setup has since been improved to vlan enforcement. If you like I can
point you to someone at UCU for assistance.

thanks
Alex

On Fri, Jul 29, 2016 at 11:14 AM, Sallee, Jake  wrote:

> Eloge:
>
>
> I have been running PF in production for years with a very similar setup
> to the one you have described.
>
>
> Yes; PF can do what you are trying to do, if you have the correct
> equipment.
>
>
> Check PF's compatibility list for your equipment to make sure it is
> supported.  But just about any equipment that supports SNMP can be used by
> PF.
>
>
> VLan enforcement is the best way to deploy PF in any environment with over
> a handful of users.  In InLine mode all the traffic from the users is sent
> through the PF box, even after the user is authenticated.
>
>
> This can cause a bottleneck if you have users that are bandwidth hungry or
> you have more than a few users simultaneously.
>
>
> With VLan enforcement the PF box is completely out of band and is able to
> service many times the number of users without any problems.
>
>
> My box is not super impressive and I do not have any problems with 8,000+
> simultaneous users.
>
>
> If you could drop off a simple network diagram as well as exactly what you
> are trying to accomplish it would be very helpful.
>
>
> You might be surprised at how versatile PF can be.
>
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> From: Eloge Bapfunya 
> Sent: Thursday, July 28, 2016 2:57 AM
> To: packetfence-users@lists.sourceforge.net
> Subject: [PacketFence-users] Vlan enforcement mode deployment
>
> Hi All,
> I come to you for clarification about my project. We had started a project
> to deploy packetfence 3 years ago but I gave up as we found we were not
> ready for the big project.
> This time we are about to revive the project for our institution which is
> a university.
> We have an hybrid network with WIFI and Wired connection with at some
> points cascaded switches with managed and unmanaged equipments.
> My worries is about to deploy the VLAN Enforcement mode with such network.
> Is there anyway a WIFI client can be switched from registration or
> isolation to data access within WIFI network controller which is connected
> to Ubiquiti Unifi AP. I think I miss some tips about how to manage such
> stuffs.
> My understanding is that with my actual topology, there is no way I can
> deploy such Enforcement VLAN mode with my current network (WIFI and Wired).
> If someone can give me clarification about how I can proceed to achieve my
> goal. I am aware about how inline mode works but I would like my
> Packetfence to controll access without being a gateway.
> Thank you in advance,
>
> Eloge B.
> University of Burundi
>
>


Re: [PacketFence-users] Vlan enforcement mode deployment

2016-07-28 Thread Sallee, Jake
Eloge:


I have been running PF in production for years with a very similar setup to the 
one you have described.


Yes; PF can do what you are trying to do, if you have the correct equipment.


Check PF's compatibility list for your equipment to make sure it is supported.  
But just about any equipment that supports SNMP can be used by PF.


VLan enforcement is the best way to deploy PF in any environment with over a 
handful of users.  In InLine mode all the traffic from the users is sent 
through the PF box, even after the user is authenticated.


This can cause a bottleneck if you have users that are bandwidth hungry or you 
have more than a few users simultaneously.


With VLan enforcement the PF box is completely out of band and is able to 
service many times the number of users without any problems.


My box is not super impressive and I do not have any problems with 8,000+ 
simultaneous users.


If you could drop off a simple network diagram as well as exactly what you are 
trying to accomplish it would be very helpful.


You might be surprised at how versatile PF can be.



Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Eloge Bapfunya 
Sent: Thursday, July 28, 2016 2:57 AM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Vlan enforcement mode deployment

Hi All,
I come to you for clarification about my project. We had started a project to 
deploy PacketFence 3 years ago but I gave up as we found we were not ready for 
the big project.
This time we are about to revive the project for our institution which is a 
university.
We have a hybrid network with WIFI and Wired connection with at some points 
cascaded switches with managed and unmanaged equipment.
My worry is about deploying the VLAN Enforcement mode with such a network. Is 
there any way a WIFI client can be switched from registration or isolation to 
data access within the WIFI network controller which is connected to Ubiquiti Unifi 
AP? I think I am missing some tips about how to manage such things.
My understanding is that with my actual topology, there is no way I can deploy 
such Enforcement VLAN mode with my current network (WIFI and Wired).
If someone can give me clarification about how I can proceed to achieve my 
goal. I am aware of how inline mode works but I would like my PacketFence to 
control access without being a gateway.
Thank you in advance,

Eloge B.
University of Burundi



Re: [PacketFence-users] VLAN-Enforcement-Mode - works as designed?

2013-11-15 Thread Fabrice DURAND

Hello Mark,

Where is the registration interface connected?

Is the PacketFence network interface card directly connected to the 
switch (like eth1 on a port access 302)?


Regards
Fabrice

On 2013-11-13 04:54, Mark Gmeiner wrote:

So, I've got PacketFence up and running now - partly ...
My gear:
PF 4.0.6-2 on a Centos 6.4 x64 Server
Extreme Networks Summit X460-48t, XOS 15.3.1.4-patch19, all ports 
configured into macregistration-vlan (tag 302)
PacketFence properly learns all the nodes on my network, I can 
manually pre-register these nodes and they got dropped into the 
correct role/vlan. So far so good ...

But ...
A directly attached, unregistered node (that stays in 
macregistration-vlan) gets blackholed in the fdb and - ergo - can't 
connect to the captive-portal for user-self-registration:

switch1 # show netlogin port 11
Port  : 11
Port Restart  : Disabled
Allow Egress  : None
Vlan  : macregistration
Authentication: mac-based
Port State: Enabled
Guest Vlan: Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
MAC                IP address   Authenticated Type   ReAuth-Timer   User
00:1b:78:3c:8f:99  0.0.0.0      Yes(B), RadiusMAC    7106           001B783C8F99

---
(B) - Client entry Blackholed in FDB

while a virtual machine on a registered node or a node on a miniswitch 
with some other registered node can properly connect to the 
captive-portal, register and connect to its target vlan!

PF-Radius says:
Wed Nov 13 10:45:18 2013 : Auth: Login OK: [001B783C8F99] (from client 
10.4.201.18 port 1011 cli 00-1B-78-3C-8F-99)
Wed Nov 13 10:45:18 2013 : Auth: rlm_perl: Returning vlan 302 to 
request from 00:1b:78:3c:8f:99 port 1011
So, as far as I can see, the unregistered node is authenticated 
correctly to the macregistration-vlan (302) and SHOULD get an 
ipaddress for further proceeding. But instead I got no network 
connectivity at all.
Am I missing something? Because configuration actually was pretty 
straightforward (switch- and PF-side) ...
FYI: When I deselect the force-registration-checkbox in PF, the 
unregistered nodes get a correct macregistration-ipaddress, but then 
there is no captive-portal to register (works as designed, I guess).

Thanks in advance!
regards
Mark





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Vlan enforcement

2013-05-23 Thread luis torres

Hi Francis,

   thank you for your support.

   I'm afraid it still doesn't work as expected..., same behavior. Here's
the packetfence.log.

   For a Reg or Unreg  Status:
   

May 23 09:40:21 httpd.admin(0) INFO: loading Net::MAC::Vendor cache from
/usr/local/pf/conf/oui.txt (pf::util::load_oui)
May 23 09:42:43 httpd.admin(0) INFO: loading Net::MAC::Vendor cache from
/usr/local/pf/conf/oui.txt (pf::util::load_oui)
May 23 09:42:50 httpd.admin(0) INFO: re-evaluating access for node
00:0b:5d:23:02:4d (manage_deregister called)
(pf::enforcement::reevaluate_access)
May 23 09:42:50 httpd.admin(0) INFO: 00:0b:5d:23:02:4d is currentlog
connected at 10.2.253.2 ifIndex 10115 in VLAN 223
(pf::enforcement::_should_we_reassign_vlan)
May 23 09:42:51 httpd.admin(0) INFO: MAC: 00:0b:5d:23:02:4d is of status
unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
May 23 09:42:51 httpd.admin(0) INFO: VLAN reassignment required for
00:0b:5d:23:02:4d (current VLAN = 223 but should be in VLAN 333)
(pf::enforcement::_should_we_reassign_vlan)
May 23 09:42:51 httpd.admin(0) INFO: switch port for 00:0b:5d:23:02:4d is
10.2.253.2 ifIndex 10115 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
May 23 09:42:54 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
10.2.253.2 (main::parseTrap)
May 23 09:42:54 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
May 23 09:42:54 pfsetvlan(1) INFO: reAssignVlan trap received on
10.2.253.2 ifIndex 10115 (main::handleTrap)
May 23 09:42:54 pfsetvlan(1) WARN: Until CoA is implemented we will bounce
the port on VLAN re-assignment traps for MAC-Auth
(pf::SNMP::handleReAssignVlanTrapForWiredMacAuth) 
May 23 09:42:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
May 23 09:43:16 pf::WebAPI(2466) INFO: handling radius autz request: from
switch_ip = 10.2.253.2, connection_type = Ethernet-NoEAP mac =
00:0b:5d:23:02:4d, port = 50015, username = 000b5d23024d
(pf::radius::authorize)
May 23 09:43:16 pf::WebAPI(2466) INFO: MAC: 00:0b:5d:23:02:4d is of status
unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
May 23 09:43:16 pf::WebAPI(2466) WARN: Role-based Network Access Control
is not supported on network device type pf::SNMP::Cisco::Catalyst_3560G.
 (pf::SNMP::supportsRoleBasedEnforcement) 
 
For Pending or Grace status:

Only this

 May 23 09:44:17 httpd.admin(0) INFO: loading Net::MAC::Vendor cache from
/usr/local/pf/conf/oui.txt (pf::util::load_oui) 

Cheers,
LT

Quoting Francis Lachapelle flachape...@inverse.ca:

Hi Luis


  On 2013-05-20, at 7:03 AM, luis torres luistor...@netc.pt wrote:

Through the browser, in the nodes section, I can only enforce VLANs on
a specific node, between Register or Unregister, Grace and Pending
don't do anything..., however if I give the cmd
(/usr/local/pf/bin/pfcmd node edit 00:0b:5d:23:02:4d
pid=admin,status=grace)  on the Linux with root user, it works
perfectly.

  I committed a fix yesterday :

https://github.com/inverse-inc/packetfence/commit/27ca8615999265099dc5e00b4fe5cd4c33991ddd

  It will be integrated to 4.0.2.

  Thanks,

  Francis

  --
flachape...@inverse.ca :: +1.514.755.3640 :: http://www.inverse.ca
  Inverse :: Leaders behind SOGo (http://sogo.nu) and PacketFence
(http://packetfence.org)





Re: [PacketFence-users] Vlan enforcement

2013-05-23 Thread luis torres

Hi Francis,

   this is also what happens when I change the Node Status from Grace to
Registered

May 23 11:56:57 httpd.admin(0) INFO: loading Net::MAC::Vendor cache from
/usr/local/pf/conf/oui.txt (pf::util::load_oui)
May 23 11:57:13 httpd.admin(0) INFO: grace expired on violation 121
for node 00:0b:5d:23:02:4d (pf::violation::violation_add)
May 23 11:57:13 httpd.admin(0) WARN: database query failed with: Cannot
add or update a child row: a foreign key constraint fails
(`pf`.`violation`, CONSTRAINT `0_61` FOREIGN KEY (`vid`) REFERENCES
`class` (`vid`) ON DELETE CASCADE ON UPDATE CASCADE). (errno: 1452), will
try again (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) WARN: database query failed with: Cannot
add or update a child row: a foreign key constraint fails
(`pf`.`violation`, CONSTRAINT `0_61` FOREIGN KEY (`vid`) REFERENCES
`class` (`vid`) ON DELETE CASCADE ON UPDATE CASCADE). (errno: 1452), will
try again (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) WARN: database query failed with: Cannot
add or update a child row: a foreign key constraint fails
(`pf`.`violation`, CONSTRAINT `0_61` FOREIGN KEY (`vid`) REFERENCES
`class` (`vid`) ON DELETE CASCADE ON UPDATE CASCADE). (errno: 1452), will
try again (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) ERROR: Database issue: We tried 3 times to
serve query violation_add_sql called from pf::violation::violation_add and
we failed. Is the database running? (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) INFO: re-evaluating access for node
00:0b:5d:23:02:4d (manage_register called)
(pf::enforcement::reevaluate_access)
May 23 11:57:13 httpd.admin(0) INFO: 00:0b:5d:23:02:4d is currentlog
connected at 10.2.253.2 ifIndex 10115 in VLAN 333
(pf::enforcement::_should_we_reassign_vlan)
May 23 11:57:13 httpd.admin(0) INFO: MAC: 00:0b:5d:23:02:4d, PID: admin,
Status: reg. Returned VLAN: 223 (pf::vlan::fetchVlanForNode)
May 23 11:57:13 httpd.admin(0) INFO: VLAN reassignment required for
00:0b:5d:23:02:4d (current VLAN = 333 but should be in VLAN 223)
(pf::enforcement::_should_we_reassign_vlan)
May 23 11:57:13 httpd.admin(0) INFO: switch port for 00:0b:5d:23:02:4d is
10.2.253.2 ifIndex 10115 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
May 23 11:57:17 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
10.2.253.2 (main::parseTrap)
May 23 11:57:17 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
May 23 11:57:17 pfsetvlan(1) INFO: reAssignVlan trap received on
10.2.253.2 ifIndex 10115 (main::handleTrap)
May 23 11:57:17 pfsetvlan(1) WARN: Until CoA is implemented we will bounce
the port on VLAN re-assignment traps for MAC-Auth
(pf::SNMP::handleReAssignVlanTrapForWiredMacAuth)
May 23 11:57:21 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
May 23 11:57:39 pf::WebAPI(3916) INFO: handling radius autz request: from
switch_ip = 10.2.253.2, connection_type = Ethernet-NoEAP mac =
00:0b:5d:23:02:4d, port = 50015, username = 000b5d23024d
(pf::radius::authorize)
May 23 11:57:39 pf::WebAPI(3916) INFO: MAC: 00:0b:5d:23:02:4d, PID: admin,
Status: reg. Returned VLAN: 223 (pf::vlan::fetchVlanForNode)
May 23 11:57:39 pf::WebAPI(3916) WARN: Role-based Network Access Control
is not supported on network device type pf::SNMP::Cisco::Catalyst_3560G.
 (pf::SNMP::supportsRoleBasedEnforcement)

   Cheers
   LT

Quoting Francis Lachapelle flachape...@inverse.ca:

Hi Luis


  On 2013-05-20, at 7:03 AM, luis torres luistor...@netc.pt wrote:

Through the browser, in the nodes section, I can only enforce VLANs on
a specific node, between Register or Unregister, Grace and Pending
don't do anything..., however if I give the cmd
(/usr/local/pf/bin/pfcmd node edit 00:0b:5d:23:02:4d
pid=admin,status=grace)  on the Linux with root user, it works
perfectly.

  I committed a fix yesterday :

https://github.com/inverse-inc/packetfence/commit/27ca8615999265099dc5e00b4fe5cd4c33991ddd

  It will be integrated to 4.0.2.

  Thanks,

  Francis

  --
flachape...@inverse.ca :: +1.514.755.3640 :: http://www.inverse.ca
  Inverse :: Leaders behind SOGo (http://sogo.nu) and PacketFence
(http://packetfence.org)
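
The two packetfence.log excerpts posted above follow one sequence: an admin-side VLAN decision, a port bounce by pfsetvlan, then a fresh RADIUS authorization. The following is an added example, not part of any post in this thread and not PacketFence code, that pairs each reassignment with the RADIUS answer that follows it; the sample lines are constructed by unwrapping lines quoted in the thread, and the function names, record fields and the "registration" label are assumptions.

```python
import re

# Constructed sample: packetfence.log lines quoted in the thread, unwrapped.
SAMPLE = """\
May 23 09:42:50 httpd.admin(0) INFO: re-evaluating access for node 00:0b:5d:23:02:4d (manage_deregister called) (pf::enforcement::reevaluate_access)
May 23 09:42:51 httpd.admin(0) INFO: MAC: 00:0b:5d:23:02:4d is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
May 23 09:42:51 httpd.admin(0) INFO: VLAN reassignment required for 00:0b:5d:23:02:4d (current VLAN = 223 but should be in VLAN 333) (pf::enforcement::_should_we_reassign_vlan)
May 23 09:42:54 pfsetvlan(1) INFO: reAssignVlan trap received on 10.2.253.2 ifIndex 10115 (main::handleTrap)
May 23 09:43:16 pf::WebAPI(2466) INFO: handling radius autz request: from switch_ip = 10.2.253.2, connection_type = Ethernet-NoEAP mac = 00:0b:5d:23:02:4d, port = 50015, username = 000b5d23024d (pf::radius::authorize)
May 23 09:43:16 pf::WebAPI(2466) INFO: MAC: 00:0b:5d:23:02:4d is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
May 23 09:44:17 httpd.admin(0) INFO: loading Net::MAC::Vendor cache from /usr/local/pf/conf/oui.txt (pf::util::load_oui)
May 23 11:57:13 httpd.admin(0) INFO: MAC: 00:0b:5d:23:02:4d, PID: admin, Status: reg. Returned VLAN: 223 (pf::vlan::fetchVlanForNode)
May 23 11:57:13 httpd.admin(0) INFO: VLAN reassignment required for 00:0b:5d:23:02:4d (current VLAN = 333 but should be in VLAN 223) (pf::enforcement::_should_we_reassign_vlan)
May 23 11:57:39 pf::WebAPI(3916) INFO: handling radius autz request: from switch_ip = 10.2.253.2, connection_type = Ethernet-NoEAP mac = 00:0b:5d:23:02:4d, port = 50015, username = 000b5d23024d (pf::radius::authorize)
May 23 11:57:39 pf::WebAPI(3916) INFO: MAC: 00:0b:5d:23:02:4d, PID: admin, Status: reg. Returned VLAN: 223 (pf::vlan::fetchVlanForNode)
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} (?P<proc>\S+?)\(\d+\) [A-Z]+: (?P<msg>.*)$")
REASSIGN = re.compile(r"VLAN reassignment required for " + MAC +
                      r" \(current VLAN = (?P<cur>\d+) but should be in VLAN (?P<want>\d+)\)")
AUTZ = re.compile(r"handling radius autz request: .*mac = " + MAC)
RETURNED = re.compile(r"MAC: " + MAC + r", .*Returned VLAN: (?P<vlan>\d+)")
UNREG = re.compile(r"MAC: " + MAC + r" is of status unreg; belongs into registration VLAN")


def vlan_decision(msg):
    """Return (mac, answer) when a line states which VLAN a node belongs in."""
    m = RETURNED.search(msg)
    if m:
        return m["mac"], int(m["vlan"])
    m = UNREG.search(msg)
    if m:
        return m["mac"], "registration"  # the log names the role, not the tag
    return None


def trace_reassignments(log_text):
    """Pair each reassignment decision with the RADIUS answer after the port bounce."""
    results, open_by_mac, last_decision = [], {}, {}
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        proc, msg = line["proc"], line["msg"]
        decided = vlan_decision(msg)
        if decided:
            mac, answer = decided
            rec = open_by_mac.get(mac)
            if proc != "pf::WebAPI":
                last_decision[mac] = answer      # decision logged outside the RADIUS path
            elif rec and rec["reauth_seen"]:
                rec["radius_answer"] = answer    # what the re-authenticating port was given
                rec["consistent"] = answer == rec["decision"]
                del open_by_mac[mac]
            continue
        m = REASSIGN.search(msg)
        if m:
            rec = {"mac": m["mac"], "current": int(m["cur"]), "wanted": int(m["want"]),
                   "decision": last_decision.get(m["mac"]), "reauth_seen": False,
                   "radius_answer": None, "consistent": None}
            results.append(rec)
            open_by_mac[m["mac"]] = rec
            continue
        m = AUTZ.search(msg)
        if m and proc == "pf::WebAPI" and m["mac"] in open_by_mac:
            open_by_mac[m["mac"]]["reauth_seen"] = True
    return results


if __name__ == "__main__":
    for rec in trace_reassignments(SAMPLE):
        print(rec)
```

A status change that triggers no re-evaluation, like the Pending or Grace case in the first excerpt where only the `load_oui` line is logged, produces no record at all, and a record whose `reauth_seen` stays `False` means the port bounce was not followed by a new RADIUS request.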




Re: [PacketFence-users] Vlan enforcement

2013-05-23 Thread luis torres

Francis,

   Ignore my last two messages..., it's working now. I forgot to
remove the NodeBak.pm from the dir. 

   Cheers
   LT

   Quoting luis torres luistor...@netc.pt:


Hi Francis,

   this is also what happens when I change the Node Status from Grace
to Registered


    
May 23 11:56:57 httpd.admin(0) INFO: loading Net::MAC::Vendor cache
from /usr/local/pf/conf/oui.txt (pf::util::load_oui)
May 23 11:57:13 httpd.admin(0) INFO: grace expired on violation
121 for node 00:0b:5d:23:02:4d (pf::violation::violation_add)
May 23 11:57:13 httpd.admin(0) WARN: database query failed with:
Cannot add or update a child row: a foreign key constraint fails
(`pf`.`violation`, CONSTRAINT `0_61` FOREIGN KEY (`vid`) REFERENCES
`class` (`vid`) ON DELETE CASCADE ON UPDATE CASCADE). (errno: 1452),
will try again (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) WARN: database query failed with:
Cannot add or update a child row: a foreign key constraint fails
(`pf`.`violation`, CONSTRAINT `0_61` FOREIGN KEY (`vid`) REFERENCES
`class` (`vid`) ON DELETE CASCADE ON UPDATE CASCADE). (errno: 1452),
will try again (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) WARN: database query failed with:
Cannot add or update a child row: a foreign key constraint fails
(`pf`.`violation`, CONSTRAINT `0_61` FOREIGN KEY (`vid`) REFERENCES
`class` (`vid`) ON DELETE CASCADE ON UPDATE CASCADE). (errno: 1452),
will try again (pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) ERROR: Database issue: We tried 3
times to serve query violation_add_sql called from
pf::violation::violation_add and we failed. Is the database running?
(pf::db::db_query_execute)
May 23 11:57:13 httpd.admin(0) INFO: re-evaluating access for node
00:0b:5d:23:02:4d (manage_register called)
(pf::enforcement::reevaluate_access)
May 23 11:57:13 httpd.admin(0) INFO: 00:0b:5d:23:02:4d is currentlog
connected at 10.2.253.2 ifIndex 10115 in VLAN 333
(pf::enforcement::_should_we_reassign_vlan)
May 23 11:57:13 httpd.admin(0) INFO: MAC: 00:0b:5d:23:02:4d, PID:
admin, Status: reg. Returned VLAN: 223 (pf::vlan::fetchVlanForNode)
May 23 11:57:13 httpd.admin(0) INFO: VLAN reassignment required for
00:0b:5d:23:02:4d (current VLAN = 333 but should be in VLAN 223)
(pf::enforcement::_should_we_reassign_vlan)
May 23 11:57:13 httpd.admin(0) INFO: switch port for
00:0b:5d:23:02:4d is 10.2.253.2 ifIndex 10115 connection type: Wired
MAC Auth (pf::enforcement::_vlan_reevaluation)
May 23 11:57:17 pfsetvlan(21) INFO: local (127.0.0.1) trap for
switch 10.2.253.2 (main::parseTrap)
May 23 11:57:17 pfsetvlan(1) INFO: nb of items in queue: 1; nb of
threads running: 0 (main::startTrapHandlers)
May 23 11:57:17 pfsetvlan(1) INFO: reAssignVlan trap received on
10.2.253.2 ifIndex 10115 (main::handleTrap)
May 23 11:57:17 pfsetvlan(1) WARN: Until CoA is implemented we will
bounce the port on VLAN re-assignment traps for MAC-Auth
(pf::SNMP::handleReAssignVlanTrapForWiredMacAuth)
May 23 11:57:21 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
May 23 11:57:39 pf::WebAPI(3916) INFO: handling radius autz request:
from switch_ip = 10.2.253.2, connection_type = Ethernet-NoEAP mac
= 00:0b:5d:23:02:4d, port = 50015, username = 000b5d23024d
(pf::radius::authorize)
May 23 11:57:39 pf::WebAPI(3916) INFO: MAC: 00:0b:5d:23:02:4d, PID:
admin, Status: reg. Returned VLAN: 223 (pf::vlan::fetchVlanForNode)
May 23 11:57:39 pf::WebAPI(3916) WARN: Role-based Network Access
Control is not supported on network device type
pf::SNMP::Cisco::Catalyst_3560G.
 (pf::SNMP::supportsRoleBasedEnforcement)


   Cheers
   LT



   Quoting Francis Lachapelle flachape...@inverse.ca:


Hi Luis

On 2013-05-20, at 7:03 AM, luis torres luistor...@netc.pt wrote:


Through the browser, in the nodes section, I can only enforce VLANs
on a specific node, between Register or Unregister, Grace and
Pending don't do anything..., however if I give the cmd
(/usr/local/pf/bin/pfcmd node edit 00:0b:5d:23:02:4d
pid=admin,status=grace)  on the Linux with root user, it works
perfectly.


   I committed a fix yesterday :

https://github.com/inverse-inc/packetfence/commit/27ca8615999265099dc5e00b4fe5cd4c33991ddd

   It will be integrated to 4.0.2.

   Thanks,

   Francis

   --
flachape...@inverse.ca :: +1.514.755.3640 :: http://www.inverse.ca
   Inverse :: Leaders behind SOGo (http://sogo.nu) and PacketFence
(http://packetfence.org)




Re: [PacketFence-users] Vlan enforcement

2013-05-22 Thread Francis Lachapelle
Hi Luis

On 2013-05-20, at 7:03 AM, luis torres luistor...@netc.pt wrote:

 Through the browser, in the nodes section, I can only enforce VLANs on a 
 specific node, between Register or Unregister, Grace and Pending don't do 
 anything..., however if I give the cmd (/usr/local/pf/bin/pfcmd node edit 
 00:0b:5d:23:02:4d pid=admin,status=grace)  on the Linux with root user, it 
 works perfectly. 

I committed a fix yesterday :

https://github.com/inverse-inc/packetfence/commit/27ca8615999265099dc5e00b4fe5cd4c33991ddd

It will be integrated to 4.0.2.

Thanks,

Francis

--
flachape...@inverse.ca :: +1.514.755.3640 :: http://www.inverse.ca
Inverse :: Leaders behind SOGo (http://sogo.nu) and PacketFence 
(http://packetfence.org)




Re: [PacketFence-users] Vlan Enforcement setup via Web Config

2012-10-05 Thread Brian Candler
On Tue, Oct 02, 2012 at 10:46:46AM -0400, Carl Thomas Guething wrote:
> Can someone point me in the direction of where to go for information
> related to troubleshooting the Web Configurator
>
> No matter what I do it seems to want to setup inline mode. If I click
> vlan enforcement and click next it never gives me any options for vlan
> enforcement only inline enforcement. I was having this problem trying
> to change the setup on my working inline setup, so I decided to format,
> start fresh, still having the same issue.

I found the same problem with Chrome and Safari, but it worked when I
changed to Firefox. Having said that, after building a new system I was
unable to replicate the problem with Chrome or Safari.

http://www.packetfence.org/bugs/view.php?id=1529
