From: Dell T. <con...@gm...> - 2013-10-15 13:43:00
So I'm having a really hard time getting PacketFence set up for VLAN Enforcement in my test network.

PF Version: 4.0.6-2
Switch: Cisco 4506, IOS 12.2(54)SG1

I think I understand the concept; you assign your switchports to the MAC Detection VLAN (4) and when you plug in a computer it starts sending out DHCP requests which PF "hears" via ip-helper and configures the port to be in a "registration" VLAN (2) at which point the user opens a web-browser where they're met by a captive portal and they put in their username/password. If the u/p is accepted PF sets the port for the "Normal" VLAN (1? Default?) and if it's not accepted the port is put into the "Isolation" VLAN (3). Sounds great! Exactly what I want!

So I install PF and I select "VLAN enforcement" ("Inline" left unselected). I configure eth0 to be the management interface and then add the VLANs as described above and in the admin guide, but there's no "Normal" or "MAC Detection" VLAN options - only "Registration", "Isolation", "Inline" and "Other". So I configure "Isolation", "Inline", "Registration" and "Other" VLANs.

Later on, I configure Telnet for deauth and also configure SNMP on the switch/PF per page 19 in the admin guide. I configure the uplink via its ifIndex (how come that isn't in the admin guide??) and put it into "production" mode.

So here's what happens (I'm tailing packetfence.log):

- If the port is configured for the MAC Detect VLAN - nothing happens. PF doesn't "hear" the DHCP requests.
- If the port is configured for the Registration VLAN PF will hear the DHCP requests and give the client an IP but that's it - no captive portal.
- If the port is configured for the default VLAN it will get an IP from my test-DHCP server (Windows DC) and PF will add the computer to the "Nodes" section as unregistered, but still no captive portal.

I'm still pretty certain that SNMP isn't working properly despite reconfiguring SNMP per the guide multiple times and triple checking my settings. The only way I can get the switch to send traps to PF is if I remove "port-security" from the snmp-host line.

I feel like I have it almost working but I missed a crucial step or something and the absence of a "Normal" and "MAC Detect" VLANs still confuses me.

Ideas? Suggestions?