From: forbmsyn <for...@gm...> - 2013-10-28 18:05:59
Hi Fletcher,

Great to hear that. Can you please shed some light on this for me? Thank you very much in advance.

Regards,
Jacky

On Mon, Oct 28, 2013 at 11:04 AM, Fletcher Haynes <fh...@wi...> wrote:

> As someone who initially tried the MAC detection vlan route and then
> switched to MAB, I can only agree with Jake. It is far easier to set up and
> maintain. The Cisco 2960 should support MAB. If you are able to go that
> route and need help configuring it, I'm happy to help.
>
>
> On Mon, Oct 28, 2013 at 6:38 AM, Sallee, Stephen (Jake) <Jak...@um...> wrote:
>
>> Is there a reason that you want to use a MAC detection vlan over RADIUS
>> auth?
>>
>> In my experience using MAC Authentication Bypass is superior to using a
>> MAC Detection vlan in every way.
>>
>> Obviously, if your requirements necessitate the use of a MAC detection
>> vlan then you must, but if you have not considered MAB I would highly,
>> HIGHLY suggest it over a MAC detection vlan.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>> ________________________________
>> From: forbmsyn [for...@gm...]
>> Sent: Friday, October 25, 2013 5:14 PM
>> To: pac...@li...
>> Subject: [PacketFence-users] Why goes to "MAC detection VLAN 4" but not
>> the default vlan 1?
>>
>> Hello experts,
>>
>> On PF I followed the instructions and created the following network:
>>
>> VLAN ID  VLAN Name      Subnet          Gateway      PacketFence Address
>> 1        Normal         192.168.1.0/24  192.168.1.1  192.168.1.5
>> 2        Registration   192.168.2.0/24  192.168.2.1  192.168.2.1
>> 3        Isolation      192.168.3.0/24  192.168.3.1  192.168.3.1
>> 4        Mac Detection
>> 5        Inline         192.168.5.0/24  192.168.5.1  192.168.5.1
>>
>> I have a Cisco 2960 (IP 192.168.1.254), with the same vlans created as
>> in PacketFence. On Fa0/3 I have the following config:
>>
>> interface FastEthernet0/3
>>  switchport access vlan 4
>>  switchport mode access
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0200.0001.0003
>>
>> Then I plugged a laptop into the port, and the config changed to the one
>> below, which looks good because it is now on the registration vlan (vlan ID 2)
>> and obtained an IP 192.168.2.10
>>
>> interface FastEthernet0/3
>>  switchport access vlan 2
>>  switchport mode access
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0015.c5cf.0f12
>>
>> On PF I changed its status from unregistered to registered from the PF WebUI;
>> on the switch I found that the port was switched back to MAC detection VLAN 4.
>>
>> interface FastEthernet0/3
>>  switchport access vlan 4
>>  switchport mode access
>>  switchport port-security maximum 1 vlan access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  switchport port-security mac-address 0015.c5cf.0f12
>>
>> Below is part of the log from packetfence.log
>>
>> May 28 00:49:46 httpd.admin(0) INFO: re-evaluating access for node 00:15:c5:cf:0f:12 (node_modify called) (pf::enforcement::reevaluate_access)
>> May 28 00:49:46 httpd.admin(0) INFO: 00:15:c5:cf:0f:12 is currently connected at 192.168.1.254 ifIndex 10003 in VLAN 2 (pf::enforcement::_should_we_reassign_vlan)
>> May 28 00:49:46 httpd.admin(0) INFO: Username was NOT defined or unable to match a role - returning node based role 'default' (pf::vlan::getNormalVlan)
>> May 28 00:49:46 httpd.admin(0) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, Status: reg. Returned VLAN: 1 (pf::vlan::fetchVlanForNode)
>> May 28 00:49:46 httpd.admin(0) INFO: VLAN reassignment required for 00:15:c5:cf:0f:12 (current VLAN = 2 but should be in VLAN 1) (pf::enforcement::_should_we_reassign_vlan)
>> May 28 00:49:46 httpd.admin(0) INFO: switch port for 00:15:c5:cf:0f:12 is 192.168.1.254 ifIndex 10003 connection type: Wired SNMP (pf::enforcement::_vlan_reevaluation)
>> May 28 00:49:49 pfsetvlan(25) INFO: local (127.0.0.1) trap for switch 192.168.1.254 (main::parseTrap)
>> May 28 00:49:49 pfsetvlan(8) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
>> May 28 00:49:49 pfsetvlan(8) INFO: reAssignVlan trap received on 192.168.1.254 ifIndex 10003 (main::handleTrap)
>> May 28 00:49:49 pfsetvlan(8) INFO: security traps are configured on 192.168.1.254 ifIndex 10003. Re-assigning VLAN for 00:15:c5:cf:0f:12 (main::handleTrap)
>> May 28 00:49:49 pfsetvlan(8) INFO: Username was NOT defined or unable to match a role - returning node based role 'default' (pf::vlan::getNormalVlan)
>> May 28 00:49:49 pfsetvlan(8) WARN: No parameter defaultVlan found in conf/switches.conf for the switch 192.168.1.254 (pf::SNMP::getVlanByName)
>> May 28 00:49:49 pfsetvlan(8) INFO: MAC: 00:15:c5:cf:0f:12, PID: admin, Status: reg. Returned VLAN: default (pf::vlan::fetchVlanForNode)
>> Argument "default" isn't numeric in numeric eq (==) at /usr/local/pf/lib/pf/SNMP.pm line 614.
>> May 28 00:49:49 pfsetvlan(8) WARN: new VLAN default is not a managed VLAN -> replacing VLAN default with MAC detection VLAN 4 (pf::SNMP::setVlan)
>> May 28 00:49:49 pfsetvlan(8) INFO: no VoIP phone is currently connected at 192.168.1.254 ifIndex 10003. Flipping port admin status (main::handleTrap)
>> May 28 00:49:53 pfsetvlan(8) INFO: finished (main::cleanupAfterThread)
>> May 28 00:50:25 pfmon(0) INFO: running expire check (main::cleanup)
>>
>> I do have the default vlan configured in switches.conf. Why was the port not
>> set to vlan 1 but back to 4?
>> Below is the config of switches.conf
>>
>> [root@packetfence conf]# more switches.conf
>> #
>> # Copyright 2006-2008 Inverse inc.
>> #
>> # See the enclosed file COPYING for license information (GPL).
>> # If you did not receive this file, see
>> # http://www.fsf.org/licensing/licenses/gpl.html
>> [default]
>> description=Switches Default Values
>> vlans=1,2,3,4,5
>> normalVlan=1
>> registrationVlan=2
>> isolationVlan=3
>> macDetectionVlan=4
>> voiceVlan=5
>> inlineVlan=6
>> inlineTrigger=
>> normalRole=normal
>> registrationRole=registration
>> isolationRole=isolation
>> macDetectionRole=macDetection
>> voiceRole=voice
>> inlineRole=inline
>> VoIPEnabled=no
>> mode=testing
>> macSearchesMaxNb=30
>> macSearchesSleepInterval=2
>> uplink=dynamic
>> #
>> # Command Line Interface
>> #
>> # cliTransport could be: Telnet, SSH or Serial
>> cliTransport=Telnet
>> cliUser=
>> cliPwd=
>> cliEnablePwd=
>> #
>> # SNMP section
>> #
>> # PacketFence -> Switch
>> SNMPVersion=1
>> SNMPCommunityRead=public
>> SNMPCommunityWrite=private
>> #SNMPEngineID = 0000000000000
>> #SNMPUserNameRead = readUser
>> #SNMPAuthProtocolRead = MD5
>> #SNMPAuthPasswordRead = authpwdread
>> #SNMPPrivProtocolRead = DES
>> #SNMPPrivPasswordRead = privpwdread
>> #SNMPUserNameWrite = writeUser
>> #SNMPAuthProtocolWrite = MD5
>> #SNMPAuthPasswordWrite = authpwdwrite
>> #SNMPPrivProtocolWrite = DES
>> #SNMPPrivPasswordWrite = privpwdwrite
>> # Switch -> PacketFence
>> SNMPVersionTrap=1
>> SNMPCommunityTrap=public
>> #SNMPAuthProtocolTrap = MD5
>> #SNMPAuthPasswordTrap = authpwdread
>> #SNMPPrivProtocolTrap = DES
>> #SNMPPrivPasswordTrap = privpwdread
>> #
>> # Web Services Interface
>> #
>> # wsTransport could be: http or https
>> wsTransport=http
>> wsUser=
>> wsPwd=
>> #
>> # RADIUS NAS Client config
>> #
>> # RADIUS shared secret with switch
>> radiusSecret=
>>
>> [192.168.0.1]
>> description=Test Switch
>> type=Cisco::Catalyst_2900XL
>> mode=production
>> uplink=23,24
>>
>> [192.168.1.254]
>> mode=production
>> deauthMethod=SSH
>> description=C2960
>> type=Cisco::Catalyst_2960
>> VoIPEnabled=N
>> radiusSecret=useStrongerSecret
>> uplink=24
>> cliTransport=SSH
>> SNMPVersion=2c
>> defaultRole=default
>> defaultVlan=1
>> #SNMPVersion = 3
>> #SNMPEngineID = 0000000000000
>> #SNMPUserNameRead = readUser
>> #SNMPAuthProtocolRead = MD5
>> #SNMPAuthPasswordRead = authpwdread
>> #SNMPPrivProtocolRead = DES
>> #SNMPPrivPasswordRead = privpwdread
>> #SNMPUserNameWrite = writeUser
>> #SNMPAuthProtocolWrite = MD5
>> #SNMPAuthPasswordWrite = authpwdwrite
>> #SNMPPrivProtocolWrite = DES
>> #SNMPPrivPasswordWrite = privpwdwrite
>> #SNMPVersionTrap = 3
>> #SNMPUserNameTrap = readUser
>> #SNMPAuthProtocolTrap = MD5
>> #SNMPAuthPasswordTrap = authpwdread
>> #SNMPPrivProtocolTrap = DES
>> #SNMPPrivPasswordTrap = privpwdread
>>
>>
>> Thank you!
>>
>> Regards,
>> Jacky
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> Pac...@li...
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
>
> --
> Fletcher Haynes <fh...@wi...>
> Systems Administrator/Network Services Consultant
> Willamette Integrated Technology Services
> Willamette University, Salem, OR
> Phone: 503.370.6016
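The quoted packetfence.log lines spell out the lookup chain that ended in VLAN 4: fetchVlanForNode returned the role name "default", getVlanByName found no defaultVlan parameter for switch 192.168.1.254, the non-numeric value "default" was carried forward, and setVlan replaced it with macDetectionVlan because it was not in the managed vlans list. The lint below is an added example, not PacketFence's own code, and it models only those three steps as the log states them; it does not explain why the running daemon saw a config without defaultVlan. It parses a constructed switches.conf (trimmed from the posted one, with the per-switch section written without defaultVlan to reproduce the logged state), reports every *Role mapping that would fall back to the MAC detection VLAN, and also flags cleartext CLI transport and community-string SNMP, since those credentials are what PacketFence uses to move ports between VLANs. The [default] fallback is modelled with configparser's default-section mechanism; the transport and community checks are general hygiene rules, not PacketFence behaviour.

```python
"""Lint a PacketFence-style switches.conf for the role -> VLAN lookup the
posted log describes. Added example, not PacketFence code.

Modelled steps (from the quoted packetfence.log lines):
  1. fetchVlanForNode returns a role name for the node (here 'default').
  2. getVlanByName looks up '<role>Vlan' in the switch's section, with the
     [default] section as fallback, and warns if the key is absent.
  3. setVlan refuses any VLAN not listed in 'vlans=' and substitutes
     macDetectionVlan instead.
"""
import configparser
from dataclasses import dataclass, field

# Constructed sample trimmed from the posted file. The per-switch section is
# deliberately written WITHOUT defaultVlan, the state the posted log reports.
SAMPLE_CONF = """\
[default]
description=Switches Default Values
vlans=1,2,3,4,5
normalVlan=1
registrationVlan=2
isolationVlan=3
macDetectionVlan=4
voiceVlan=5
inlineVlan=6
normalRole=normal
registrationRole=registration
isolationRole=isolation
macDetectionRole=macDetection
voiceRole=voice
inlineRole=inline
cliTransport=Telnet
SNMPVersion=1
SNMPCommunityRead=public
SNMPCommunityWrite=private

[192.168.1.254]
mode=production
description=C2960
type=Cisco::Catalyst_2960
cliTransport=SSH
SNMPVersion=2c
defaultRole=default
"""


def load(text: str) -> configparser.ConfigParser:
    """Parse switches.conf; '[default]' acts as the fallback for every switch."""
    cfg = configparser.ConfigParser(default_section="default", interpolation=None)
    cfg.optionxform = str  # keys are case-sensitive: defaultVlan, not defaultvlan
    cfg.read_string(text)
    return cfg


@dataclass
class Resolution:
    switch: str
    role: str
    vlan: str          # VLAN the switch would actually be set to
    fallback: bool     # True if macDetectionVlan was substituted
    notes: list = field(default_factory=list)


def resolve_vlan(cfg, switch: str, role: str) -> Resolution:
    """Walk the lookup chain for one role on one switch."""
    sec = cfg[switch]
    managed = {v.strip() for v in sec.get("vlans", "").split(",") if v.strip()}
    mac_det = sec.get("macDetectionVlan", "")
    key = f"{role}Vlan"
    notes = []
    vlan = sec.get(key)
    if vlan is None:
        # Mirrors the WARN in the log: the role name itself is carried forward.
        notes.append(f"No parameter {key} found for switch {switch}")
        vlan = role
    if not vlan.isdigit():
        notes.append(f"VLAN value {vlan!r} is not numeric")
    if vlan not in managed:
        notes.append(f"VLAN {vlan} is not a managed VLAN (vlans={','.join(sorted(managed))}); "
                     f"replaced with macDetectionVlan {mac_det}")
        return Resolution(switch, role, mac_det, True, notes)
    return Resolution(switch, role, vlan, False, notes)


def lint_switch(cfg, switch: str) -> list:
    """Every *Role mapping on the switch must land on a managed VLAN; also flag
    cleartext CLI transport and community-string SNMP (general hygiene checks)."""
    sec = cfg[switch]
    findings = []
    for key in sorted(k for k in sec if k.endswith("Role")):
        res = resolve_vlan(cfg, switch, sec[key])
        if res.fallback:
            findings.append(f"{key}={sec[key]}: " + "; ".join(res.notes))
    if sec.get("cliTransport", "").lower() == "telnet":
        findings.append("cliTransport=Telnet sends switch credentials in cleartext; use SSH")
    if sec.get("SNMPVersion") in ("1", "2c"):
        findings.append(f"SNMPVersion={sec['SNMPVersion']} is unauthenticated; "
                        "the write community controls port VLANs, prefer SNMPv3 authPriv")
    if sec.get("SNMPCommunityWrite") in ("private", "public"):
        findings.append("SNMPCommunityWrite is a well-known default community string")
    return findings


if __name__ == "__main__":
    conf = load(SAMPLE_CONF)
    for line in lint_switch(conf, "192.168.1.254"):
        print(line)
```

Run against the sample, the lint reports the defaultRole mapping falling back to VLAN 4 exactly as the log did, and also catches inlineRole, whose inlineVlan=6 is absent from vlans=1,2,3,4,5 in the posted file. Appending defaultVlan=1 to the switch section makes the default role resolve to VLAN 1, which is the outcome the original poster expected.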