Jason,

> In order to get around this limitation I am toying with idea of using
> "Last DHCP" as the indicator for inactive clients.
>
> I had to remove the piece of code that will not let you delete the
> clients if there is an active location present. So far my testing
> has not shown any problems with doing this. Port-security and MAC
> de/auth is still working fine with the node deleted.
You are right, it will work 95% of the time, but you will someday delete
an inactive node, and the next day the device will try to plug into a
switchport on the same switch it was on before (the MAC still authorized on
the old switchport), and it won't work (some switches are picky about
that); the switch won't send any security traps since the MAC is already
authorized on another port. This is why we always tell people to avoid
deleting nodes when using port-security, even for the 5% edge cases.
If you were using MAC authentication or 802.1X on wired and/or on
wireless, deleting a node would have much less effect.

-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
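As an added illustration of the failure mode described above (example code, not from the thread and not PacketFence's own code): a constructed Python model of a switch port-security table showing why a MAC still secured on its old port produces no violation trap when it moves, plus a pre-deletion guard that requires no open location entry in addition to the "Last DHCP" age. The switch behaviour, the data classes and the 30-day inactivity threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class PortSecuritySwitch:
    """Constructed model: port -> set of MACs secured on that port."""
    name: str
    secured: dict = field(default_factory=dict)

    def authorize(self, port, mac):
        self.secured.setdefault(port, set()).add(mac)

    def deauthorize(self, port, mac):
        self.secured.get(port, set()).discard(mac)

    def link_up(self, port, mac):
        """What the modelled switch does when `mac` appears on `port`."""
        if mac in self.secured.get(port, set()):
            return "allowed"  # already secured here, nothing to report
        other = [p for p, macs in self.secured.items() if mac in macs and p != port]
        if other:
            # Still secured on another port: the MAC is a known address, so no
            # violation trap is raised and the NAC never learns the device moved.
            return f"dropped, no trap (still secured on port {other[0]})"
        return "violation trap"  # unknown MAC: the NAC hears about it

@dataclass
class Node:
    mac: str
    last_dhcp: datetime  # the "Last DHCP" timestamp used as inactivity indicator

@dataclass
class LocationEntry:
    mac: str
    switch: str
    port: int
    end_time: Optional[datetime] = None  # None: the location entry is still open

def safe_to_delete(node, locationlog, now, inactivity=timedelta(days=30)):
    """Refuse deletion while any location entry is open, even if DHCP says inactive."""
    open_entries = [e for e in locationlog if e.mac == node.mac and e.end_time is None]
    if open_entries:
        e = open_entries[0]
        return False, f"still authorized on {e.switch} port {e.port}"
    if now - node.last_dhcp < inactivity:
        return False, "seen via DHCP recently"
    return True, "no open location and inactive"
```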


_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
