The same problem occurs with SNMP v2c; it does not add the MAC address unless the port is down during the MAC authorization/modification.
Here's the Cisco configuration and the trace log with SNMP v3.

interface FastEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface FastEthernet1/0/31
 switchport access vlan 4
 switchport mode access
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0000.0031 vlan access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 7200
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
end

dot1x system-auth-control
aaa new-model
aaa group server radius packetfence
 server 10.0.10.1 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authorization exec default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence

interface Vlan1
 description Management
 ip address 10.0.10.10 255.255.255.0
interface Vlan2
 description Registration
 ip address 192.168.2.254 255.255.255.0
interface Vlan3
 description Isolation
 ip address 192.168.3.254 255.255.255.0
interface Vlan4
 description Mac detection
 no ip address
interface Vlan5
 description Guest
 ip address 192.168.5.254 255.255.255.0
interface Vlan10
 description Normal
 ip address 192.168.1.254 255.255.255.0
interface Vlan200
 description Inline
 ip address 192.168.200.254 255.255.255.0

ip sla enable reaction-alerts
snmp-server engineID local someid
snmp-server group readGroup v3 priv
snmp-server group writeGroup v3 priv read v1default write v1default
snmp-server user readUser readGroup v3 auth md5 authpwdread priv des56 privpwdread
snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv des56 privpwdwrite
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 10.0.10.1 version 3 priv readUser port-security
radius-server host 10.0.10.1 auth-port 1812 acct-port 1813 timeout 2 key mykey
radius-server vsa send authentication
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending

pfsetvlan(21) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
Oct 14 10:37:20 pfsetvlan(21) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
Oct 14 10:37:20 pfsetvlan(21) TRACE: SNMP get_request for cpsIfPortSecurityEnable: 1.3.6.1.4.1.9.9.315.1.2.1.1.1.10031 (pf::SNMP::Cisco::isPortSecurityEnabled)
Oct 14 10:37:20 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Oct 14 10:37:20 pfsetvlan(1) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_request for ifType: 1.3.6.1.2.1.2.2.1.3.10031 (pf::SNMP::getIfType)
Oct 14 10:37:20 pfsetvlan(1) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
Oct 14 10:37:20 pfsetvlan(1) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 10.0.10.10 (main::do_port_security)
Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:20 pfsetvlan(1) INFO: MAC not found on node's previous switch secure table or switch inaccessible. (main::do_port_security)
Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getAllSecureMacAddresses)
Oct 14 10:37:21 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:21 pfsetvlan(1) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
Oct 14 10:37:22 pfsetvlan(1) INFO: MAC: 00:21:70:c2:b0:d9 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Oct 14 10:37:22 pfsetvlan(1) INFO: authorizing 00:21:70:c2:b0:d9 (old entry 02:00:00:00:00:31) at new location 10.0.10.10 ifIndex 10031 (main::handleTrap)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: opening SNMP v3 write connection to 10.0.10.10 (pf::SNMP::connectWriteTo)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectWriteTo)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for sysLocation: 1.3.6.1.2.1.1.6.0 to (pf::SNMP::connectWriteTo)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: Bouncing port: 10031 (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vtpVlanName: 1.3.6.1.4.1.9.9.46.1.3.1.1.4.1.2 (pf::SNMP::Cisco::isDefinedVlan)
Oct 14 10:37:22 pfsetvlan(1) INFO: setting VLAN at 10.0.10.10 ifIndex 10031 from 4 to 2 (pf::SNMP::setVlan)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: SNMP get_request for cmnMacAddrRemovedEnable: 1.3.6.1.4.1.9.9.215.1.2.1.1.2 (pf::SNMP::Cisco::isRemovedTrapsEnabled)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vlanTrunkPortDynamicState: 1.3.6.1.4.1.9.9.46.1.6.1.1.13 (pf::SNMP::Cisco::isTrunkPort)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2 (pf::SNMP::Cisco::_setVlan)
Oct 14 10:37:22 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: closing SNMP v3 read connection to 10.0.10.10 (pf::SNMP::disconnectRead)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: closing SNMP v3 write connection to 10.0.10.10 (pf::SNMP::disconnectWriteTo)
Oct 14 10:37:42 pfsetvlan(22) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:42 pfsetvlan(22) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for cpsIfPortSecurityEnable: 1.3.6.1.4.1.9.9.315.1.2.1.1.1.10031 (pf::SNMP::Cisco::isPortSecurityEnabled)
Oct 14 10:37:42 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Oct 14 10:37:42 pfsetvlan(3) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_request for ifType: 1.3.6.1.2.1.2.2.1.3.10031 (pf::SNMP::getIfType)
Oct 14 10:37:42 pfsetvlan(3) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
Oct 14 10:37:42 pfsetvlan(3) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 10.0.10.10 (main::do_port_security)
Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:42 pfsetvlan(3) INFO: MAC not found on node's previous switch secure table or switch inaccessible. (main::do_port_security)
Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getAllSecureMacAddresses)
Oct 14 10:37:43 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:43 pfsetvlan(3) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
Oct 14 10:37:44 pfsetvlan(3) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
Oct 14 10:37:44 pfsetvlan(3) INFO: MAC: 00:21:70:c2:b0:d9 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Oct 14 10:37:44 pfsetvlan(3) INFO: authorizing 00:21:70:c2:b0:d9 (old entry 02:00:00:00:00:31) at new location 10.0.10.10 ifIndex 10031 (main::handleTrap)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:44 pfsetvlan(3) DEBUG: opening SNMP v3 write connection to 10.0.10.10 (pf::SNMP::connectWriteTo)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectWriteTo)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP set_request for sysLocation: 1.3.6.1.2.1.1.6.0 to (pf::SNMP::connectWriteTo)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vtpVlanName: 1.3.6.1.4.1.9.9.46.1.3.1.1.4.1.2 (pf::SNMP::Cisco::isDefinedVlan)
Oct 14 10:37:44 pfsetvlan(3) INFO: Should set 10.0.10.10 ifIndex 10031 to VLAN 2 but it is already in this VLAN -> Do nothing (pf::SNMP::setVlan)
Oct 14 10:37:44 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Oct 14 10:37:44 pfsetvlan(3) DEBUG: closing SNMP v3 read connection to 10.0.10.10 (pf::SNMP::disconnectRead)
Oct 14 10:37:44 pfsetvlan(3) DEBUG: closing SNMP v3 write connection to 10.0.10.10 (pf::SNMP::disconnectWriteTo)

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: Friday, October 14, 2011 1:55 PM
To: [email protected]
Subject: Re: [Packetfence-users] Cisco 3750 and SNMPv3

You can send us the config and the trace, it might help.

Do you have the same problem in V2c?

On 11-10-14 1:08 PM, Justin Bailey wrote:
> I changed to the 3750 to use 2960 and no luck. The switch shows the
> configured by snmp but the port security MAC does not change. The MAC cannot
> be changed even through the console when the interface is up. I can paste
> the trace logs and cisco global or interface configuration if it will help.
>
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: Friday, October 14, 2011 11:50 AM
> To: [email protected]
> Subject: Re: [Packetfence-users] Cisco 3750 and SNMPv3
>
> This is quite weird.
>
> Can you try to change the :
> use base ('pf::SNMP::Cisco::Catalyst_2950');
> to
> use base ('pf::SNMP::Cisco::Catalyst_2960');
>
>
> On 11-10-14 10:49 AM, Justin Bailey wrote:
>> Using a Cisco 3750 Switch and SNMPv3, Packetfence was unable to add the MAC
>> to the port-security list. It did not work in all versions tested, 2.2, 3.0
>> and the latest snapshot (10/14). It would occasionally be added after
>> unplugging the Ethernet cable and plugging it back in.
>>
>> In order to have the MAC properly added I had to setAdminStatus on the
>> interface to down in the beginning of the authorizeMac function in the
>> Catalyst_2950 module and bring it back up before returning. I do not know
>> if this will have any adverse effects in the other areas but it seems to be
>> functioning properly now with the 3750.
>> The Cisco OS version is 12.2(55)SE3 .
>> If this was not necessary and I have something misconfigured somewhere or if
>> there is any other information that may help please let me know.
>>
>>
>> ------------------------------------------------------------------------------
>> All the data continuously generated in your IT
>> infrastructure contains a definitive record of customers, application
>> performance, security threats, fraudulent activity and more. Splunk
>> takes this data and makes sense of it. Business sense. IT sense. Common
>> sense.
>> http://p.sf.net/sfu/splunk-d2d-oct
>> _______________________________________________
>> Packetfence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
> --
> Francois Gaudreault, ing. jr
> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
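Added example, not part of the original thread and not PacketFence code: in the trace above the same secureMacAddrViolation trap for the same MAC and ifIndex arrives at 10:37:20 and again at 10:37:42, although the first handler had already sent the cpsSecureMacAddrRowStatus set_request. The script below picks that pattern out of a pfsetvlan log; the function name find_repeat_violations and the regular expressions are assumptions written for this example, and the sample lines are excerpted from the trace in this thread.

```python
import re
from collections import defaultdict

# Excerpt of the pfsetvlan trace quoted in this thread (trimmed to the relevant lines).
SAMPLE_LOG = """\
Oct 14 10:37:20 pfsetvlan(1) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:22 pfsetvlan(1) DEBUG: Bouncing port: 10031 (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:22 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Oct 14 10:37:42 pfsetvlan(3) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:44 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) pfsetvlan\((?P<tid>\d+)\) (?P<lvl>\w+): (?P<msg>.*)$")
TRAP = re.compile(r"secureMacAddrViolation trap received on (\S+) ifIndex (\d+) for ([0-9a-f:]{17})", re.I)

def find_repeat_violations(log_text):
    """Return [(switch, ifIndex, mac, [handler dicts])] for every port/MAC pair
    that raised a violation again after an earlier handler had sent authorizeMAC."""
    handlers = {}                    # thread id -> handler currently in progress
    by_key = defaultdict(list)       # (switch, ifIndex, mac) -> handlers in log order
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                 # wrapped or truncated line: skip it
        tid, msg = m["tid"], m["msg"]
        trap = TRAP.search(msg)
        if trap:
            h = {"ts": m["ts"], "thread": tid, "authorized": False, "bounced": False}
            handlers[tid] = h
            by_key[(trap[1], trap[2], trap[3].lower())].append(h)
        elif tid in handlers:
            h = handlers[tid]
            if "set_request for cpsSecureMacAddrRowStatus" in msg:
                h["authorized"] = True
            elif msg.startswith("Bouncing port"):
                h["bounced"] = True
            elif msg.startswith("finished"):
                del handlers[tid]
    return [(sw, int(idx), mac, hs) for (sw, idx, mac), hs in by_key.items()
            if any(h["authorized"] for h in hs[:-1])]

if __name__ == "__main__":
    for sw, idx, mac, hs in find_repeat_violations(SAMPLE_LOG):
        print(f"{mac} on {sw} ifIndex {idx}: violation repeated after authorizeMAC")
        for h in hs:
            print(f"  {h['ts']} thread {h['thread']} bounced={h['bounced']}")
```

Run against a full pfsetvlan log, each reported entry lists the handlers in order, so it is easy to see which passes bounced the port and which did not.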
