Hi Justin,

Can you explain why you have port-security AND 802.1X/MAB enabled on the same port? For which use case?

We saw some bugs on Cisco 4500 when trying to do such config. You should use either port-security alone or 802.1X/MAB alone.

On 11-10-14 4:06 PM, Justin Bailey wrote:
> The same problem occurs with SNMP v2c; it does not add the MAC address unless
> the port is down during the MAC authorization/modification.
>
> Here's the Cisco configuration and the trace log with SNMP v3.
>
> interface FastEthernet1/0/1
> switchport trunk encapsulation dot1q
> switchport mode trunk
>
> interface FastEthernet1/0/31
> switchport access vlan 4
> switchport mode access
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0200.0000.0031 vlan access
> authentication order dot1x mab
> authentication priority dot1x mab
> authentication port-control auto
> authentication periodic
> authentication timer restart 10800
> authentication timer reauthenticate 7200
> mab
> no snmp trap link-status
> dot1x pae authenticator
> dot1x timeout quiet-period 2
> dot1x timeout tx-period 3
> end
>
> dot1x system-auth-control
>
> aaa new-model
> aaa group server radius packetfence server 10.0.10.1 auth-port 1812 acct-port 1813
> aaa authentication login default local
> aaa authorization exec default local
> aaa authentication dot1x default group packetfence
> aaa authorization network default group packetfence
>
> interface Vlan1
> description Management
> ip address 10.0.10.10 255.255.255.0
> interface Vlan2
> description Registration
> ip address 192.168.2.254 255.255.255.0
> interface Vlan3
> description Isolation
> ip address 192.168.3.254 255.255.255.0
> interface Vlan4
> description Mac detection
> no ip address
> interface Vlan5
> description Guest
> ip address 192.168.5.254 255.255.255.0
> interface Vlan10
> description Normal
> ip address 192.168.1.254 255.255.255.0
> interface Vlan200
> description Inline
> ip address 192.168.200.254 255.255.255.0
>
> ip sla enable reaction-alerts
>
> snmp-server engineID local someid
> snmp-server group readGroup v3 priv
> snmp-server group writeGroup v3 priv read v1default write v1default
> snmp-server user readUser readGroup v3 auth md5 authpwdread priv des56 privpwdread
> snmp-server user writeUser writeGroup v3 auth md5 authpwdwrite priv des56 privpwdwrite
> snmp-server enable traps port-security
> snmp-server enable traps port-security trap-rate 1
> snmp-server host 10.0.10.1 version 3 priv readUser port-security
>
> radius-server host 10.0.10.1 auth-port 1812 acct-port 1813 timeout 2 key mykey
> radius-server vsa send authentication
>
> spanning-tree mode pvst
> spanning-tree extend system-id
> vlan internal allocation policy ascending
>
>
> pfsetvlan(21) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
> Oct 14 10:37:20 pfsetvlan(21) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
> Oct 14 10:37:20 pfsetvlan(21) TRACE: SNMP get_request for cpsIfPortSecurityEnable: 1.3.6.1.4.1.9.9.315.1.2.1.1.1.10031 (pf::SNMP::Cisco::isPortSecurityEnabled)
> Oct 14 10:37:20 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> Oct 14 10:37:20 pfsetvlan(1) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
> Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
> Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_request for ifType: 1.3.6.1.2.1.2.2.1.3.10031 (pf::SNMP::getIfType)
> Oct 14 10:37:20 pfsetvlan(1) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
> Oct 14 10:37:20 pfsetvlan(1) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 10.0.10.10 (main::do_port_security)
> Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
> Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:20 pfsetvlan(1) INFO: MAC not found on node's previous switch secure table or switch inaccessible. (main::do_port_security)
> Oct 14 10:37:20 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getAllSecureMacAddresses)
> Oct 14 10:37:21 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:21 pfsetvlan(1) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
> Oct 14 10:37:22 pfsetvlan(1) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
> Oct 14 10:37:22 pfsetvlan(1) INFO: MAC: 00:21:70:c2:b0:d9 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Oct 14 10:37:22 pfsetvlan(1) INFO: authorizing 00:21:70:c2:b0:d9 (old entry 02:00:00:00:00:31) at new location 10.0.10.10 ifIndex 10031 (main::handleTrap)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:22 pfsetvlan(1) DEBUG: opening SNMP v3 write connection to 10.0.10.10 (pf::SNMP::connectWriteTo)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectWriteTo)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for sysLocation: 1.3.6.1.2.1.1.6.0 to (pf::SNMP::connectWriteTo)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
> Oct 14 10:37:22 pfsetvlan(1) DEBUG: Bouncing port: 10031 (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vtpVlanName: 1.3.6.1.4.1.9.9.46.1.3.1.1.4.1.2 (pf::SNMP::Cisco::isDefinedVlan)
> Oct 14 10:37:22 pfsetvlan(1) INFO: setting VLAN at 10.0.10.10 ifIndex 10031 from 4 to 2 (pf::SNMP::setVlan)
> Oct 14 10:37:22 pfsetvlan(1) DEBUG: SNMP get_request for cmnMacAddrRemovedEnable: 1.3.6.1.4.1.9.9.215.1.2.1.1.2 (pf::SNMP::Cisco::isRemovedTrapsEnabled)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP get_request for vlanTrunkPortDynamicState: 1.3.6.1.4.1.9.9.46.1.6.1.1.13 (pf::SNMP::Cisco::isTrunkPort)
> Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2 (pf::SNMP::Cisco::_setVlan)
> Oct 14 10:37:22 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
> Oct 14 10:37:22 pfsetvlan(1) DEBUG: closing SNMP v3 read connection to 10.0.10.10 (pf::SNMP::disconnectRead)
> Oct 14 10:37:22 pfsetvlan(1) DEBUG: closing SNMP v3 write connection to 10.0.10.10 (pf::SNMP::disconnectWriteTo)
> Oct 14 10:37:42 pfsetvlan(22) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
> Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
> Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:42 pfsetvlan(22) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
> Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
> Oct 14 10:37:42 pfsetvlan(22) TRACE: SNMP get_request for cpsIfPortSecurityEnable: 1.3.6.1.4.1.9.9.315.1.2.1.1.1.10031 (pf::SNMP::Cisco::isPortSecurityEnabled)
> Oct 14 10:37:42 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> Oct 14 10:37:42 pfsetvlan(3) DEBUG: opening SNMP v3 read connection to 10.0.10.10 (pf::SNMP::connectRead)
> Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectRead)
> Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_request for ifType: 1.3.6.1.2.1.2.2.1.3.10031 (pf::SNMP::getIfType)
> Oct 14 10:37:42 pfsetvlan(3) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
> Oct 14 10:37:42 pfsetvlan(3) INFO: Will try to check on this node's previous switch if secured entry needs to be removed. Old Switch IP: 10.0.10.10 (main::do_port_security)
> Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
> Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:42 pfsetvlan(3) INFO: MAC not found on node's previous switch secure table or switch inaccessible. (main::do_port_security)
> Oct 14 10:37:42 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getAllSecureMacAddresses)
> Oct 14 10:37:43 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:43 pfsetvlan(3) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_table for cpsSecureMacAddrRowStatus: 1.3.6.1.4.1.9.9.315.1.2.2.1.4 (pf::SNMP::Cisco::Catalyst_2950::getSecureMacAddresses)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
> Oct 14 10:37:44 pfsetvlan(3) DEBUG: VoIP not enabled on switch 10.0.10.10 (pf::SNMP::isPhoneAtIfIndex)
> Oct 14 10:37:44 pfsetvlan(3) INFO: MAC: 00:21:70:c2:b0:d9 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
> Oct 14 10:37:44 pfsetvlan(3) INFO: authorizing 00:21:70:c2:b0:d9 (old entry 02:00:00:00:00:31) at new location 10.0.10.10 ifIndex 10031 (main::handleTrap)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:44 pfsetvlan(3) DEBUG: opening SNMP v3 write connection to 10.0.10.10 (pf::SNMP::connectWriteTo)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for sysLocation: 1.3.6.1.2.1.1.6.0 (pf::SNMP::connectWriteTo)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP set_request for sysLocation: 1.3.6.1.2.1.1.6.0 to (pf::SNMP::connectWriteTo)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVoiceVlanId: 1.3.6.1.4.1.9.9.68.1.5.1.1.1.10031 (pf::SNMP::Cisco::getVoiceVlan)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vmVlan: 1.3.6.1.4.1.9.9.68.1.2.2.1.2.10031 (pf::SNMP::Cisco::getVlan)
> Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP get_request for vtpVlanName: 1.3.6.1.4.1.9.9.46.1.3.1.1.4.1.2 (pf::SNMP::Cisco::isDefinedVlan)
> Oct 14 10:37:44 pfsetvlan(3) INFO: Should set 10.0.10.10 ifIndex 10031 to VLAN 2 but it is already in this VLAN -> Do nothing (pf::SNMP::setVlan)
> Oct 14 10:37:44 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
> Oct 14 10:37:44 pfsetvlan(3) DEBUG: closing SNMP v3 read connection to 10.0.10.10 (pf::SNMP::disconnectRead)
> Oct 14 10:37:44 pfsetvlan(3) DEBUG: closing SNMP v3 write connection to 10.0.10.10 (pf::SNMP::disconnectWriteTo)
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: Friday, October 14, 2011 1:55 PM
> To: [email protected]
> Subject: Re: [Packetfence-users] Cisco 3750 and SNMPv3
>
> You can send us the config and the trace, it might help.
>
> Do you have the same problem in V2c?
>
> On 11-10-14 1:08 PM, Justin Bailey wrote:
>> I changed the 3750 to use 2960 and no luck. The switch shows the configured by SNMP but the port security MAC does not change. The MAC cannot be changed even through the console when the interface is up. I can paste the trace logs and Cisco global or interface configuration if it will help.
>>
>>
>> -----Original Message-----
>> From: Francois Gaudreault [mailto:[email protected]]
>> Sent: Friday, October 14, 2011 11:50 AM
>> To: [email protected]
>> Subject: Re: [Packetfence-users] Cisco 3750 and SNMPv3
>>
>> This is quite weird.
>>
>> Can you try to change the:
>> use base ('pf::SNMP::Cisco::Catalyst_2950');
>> to
>> use base ('pf::SNMP::Cisco::Catalyst_2960');
>>
>>
>> On 11-10-14 10:49 AM, Justin Bailey wrote:
>>> Using a Cisco 3750 switch and SNMPv3, PacketFence was unable to add the MAC to the port-security list. It did not work in all versions tested: 2.2, 3.0 and the latest snapshot (10/14). It would occasionally be added after unplugging the Ethernet cable and plugging it back in.
>>>
>>> In order to have the MAC properly added I had to setAdminStatus on the interface to down at the beginning of the authorizeMac function in the Catalyst_2950 module and bring it back up before returning. I do not know if this will have any adverse effects in the other areas but it seems to be functioning properly now with the 3750.
>>> The Cisco OS version is 12.2(55)SE3.
>>> If this was not necessary and I have something misconfigured somewhere, or if there is any other information that may help, please let me know.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
>>> http://p.sf.net/sfu/splunk-d2d-oct
>>> _______________________________________________
>>> Packetfence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>> --
>> Francois Gaudreault, ing. jr
>> [email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
>>
>

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
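As an added example (not PacketFence code and not written by anyone in this thread): a small Python check over pfsetvlan trace lines like the ones quoted above that flags the symptom Justin describes, the same MAC raising secureMacAddrViolation again on the same port shortly after PacketFence's authorizeMAC has already written cpsSecureMacAddrRowStatus for it. It assumes one trace entry per line (the mail wrapped them) and a year for the syslog-style timestamps; the sample log is constructed from the trace above.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the pfsetvlan trace quoted in the thread:
# the same MAC raises secureMacAddrViolation twice on the same port, 22 seconds
# apart, although authorizeMAC wrote cpsSecureMacAddrRowStatus in between.
SAMPLE_LOG = """\
Oct 14 10:37:20 pfsetvlan(1) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
Oct 14 10:37:22 pfsetvlan(1) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:22 pfsetvlan(1) INFO: setting VLAN at 10.0.10.10 ifIndex 10031 from 4 to 2 (pf::SNMP::setVlan)
Oct 14 10:37:42 pfsetvlan(3) INFO: secureMacAddrViolation trap received on 10.0.10.10 ifIndex 10031 for 00:21:70:c2:b0:d9 (main::handleTrap)
Oct 14 10:37:44 pfsetvlan(3) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus (pf::SNMP::Cisco::Catalyst_2950::authorizeMAC)
Oct 14 10:37:44 pfsetvlan(3) INFO: Should set 10.0.10.10 ifIndex 10031 to VLAN 2 but it is already in this VLAN -> Do nothing (pf::SNMP::setVlan)
"""

# One trace entry per line is assumed; the mail client wrapped the real log.
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
TRAP_RE = re.compile(
    TS + r" pfsetvlan\((?P<thr>\d+)\) INFO: secureMacAddrViolation trap received on "
    r"(?P<switch>\S+) ifIndex (?P<ifindex>\d+) for (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)
AUTH_RE = re.compile(
    TS + r" pfsetvlan\((?P<thr>\d+)\) TRACE: SNMP set_request for cpsSecureMacAddrRowStatus"
)


def parse_ts(text, year=2011):
    """Syslog-style stamps carry no year; 2011 (the thread's date) is assumed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_repeat_violations(log_text, window_s=60):
    """Return one finding per switch/port/MAC whose violation trap recurs within
    window_s seconds of an earlier trap that was already answered with an
    authorizeMAC write. That pattern means the switch did not keep the new
    secure-MAC entry, which is the behaviour reported in the thread."""
    last_trap = {}   # (switch, ifindex, mac) -> time of the last violation trap
    written = {}     # same key -> True once authorizeMAC ran for that trap
    handling = {}    # pfsetvlan thread id -> key of the trap it is working on
    findings = []
    for line in log_text.splitlines():
        m = TRAP_RE.match(line)
        if m:
            key = (m["switch"], int(m["ifindex"]), m["mac"])
            ts = parse_ts(m["ts"])
            prev = last_trap.get(key)
            if prev is not None and written.get(key) and (ts - prev).total_seconds() <= window_s:
                findings.append({
                    "switch": key[0], "ifindex": key[1], "mac": key[2],
                    "first": prev.strftime("%H:%M:%S"), "second": ts.strftime("%H:%M:%S"),
                    "delta_s": int((ts - prev).total_seconds()),
                })
            last_trap[key] = ts
            written[key] = False
            handling[m["thr"]] = key
            continue
        m = AUTH_RE.match(line)
        # authorizeMAC runs in the thread that handled the trap, so the thread
        # id links the write back to the MAC/port it was meant for.
        if m and m["thr"] in handling:
            written[handling[m["thr"]]] = True
    return findings


if __name__ == "__main__":
    for f in find_repeat_violations(SAMPLE_LOG):
        print(f"{f['mac']} on {f['switch']} ifIndex {f['ifindex']}: violation trap repeated "
              f"{f['delta_s']}s after authorizeMAC ({f['first']} -> {f['second']})")
```

On the sample this reports the single 22-second repeat for 00:21:70:c2:b0:d9 on ifIndex 10031. A repeat inside the window is the cue to read the switch's secure-address table directly rather than trusting the "already in this VLAN" message, since the VLAN assignment can succeed while the port-security entry is still the old static MAC.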
