<insert standard screaming endorsement for Inverse's great work>
I'm evaluating PF for (at the moment) a simple captive portal registration
system.
We're a Juniper layer 2 shop, so I need to have MAC Auth working with the
Junipers. I believe I have this functioning ok, but I had to throw a hack into
Juniper.pm which I suspect is the wrong way around, so I'm hoping for help from
other Juniper-knowledgeable folks.
The problem I'm seeing is that the switch is sending the index of its logical
interface to PF, which fails a later test (not ethernetCsmacd). The fix I'm
working with is to subtract one from that reported index. This does work, at
least for the single data point I'm currently testing with. Oh, and this index
number is not the same as the SNMP index.
My question is – how are others making this work? I can't believe I'm the only
one to run into this, or that this hack is the right answer.
Log snippet for successful registration and failed vlan flip (without my hack
in place):
Jan 17 10:46:39 register.cgi(0) INFO: performing node registration MAC: c4:2c:03:0e:3f:2f pid: tpalmer (pf::web::_sanitize_and_register)
Jan 17 10:46:39 register.cgi(0) INFO: re-evaluating access for node c4:2c:03:0e:3f:2f (manage_register called) (pf::enforcement::reevaluate_access)
Jan 17 10:46:39 register.cgi(0) INFO: c4:2c:03:0e:3f:2f is currentlog connected at 192.168.250.1 ifIndex 74 in VLAN 100 (pf::enforcement::_should_we_reassign_vlan)
Jan 17 10:46:39 register.cgi(0) INFO: MAC: c4:2c:03:0e:3f:2f, PID: tpalmer, Status: reg. Returned VLAN: 10 (pf::vlan::fetchVlanForNode)
Jan 17 10:46:39 register.cgi(0) INFO: VLAN reassignment required for c4:2c:03:0e:3f:2f (current VLAN = 100 but should be in VLAN 10) (pf::enforcement::_should_we_reassign_vlan)
Jan 17 10:46:39 register.cgi(0) INFO: switch port for c4:2c:03:0e:3f:2f is 192.168.250.1 ifIndex 74 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Jan 17 10:46:39 register.cgi(0) INFO: 172.16.12.10 - c4:2c:03:0e:3f:2f on registration page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Jan 17 10:46:40 pfdhcplistener(22649) INFO: c4:2c:03:0e:3f:2f requested an IP. DHCP Fingerprint: OS::202 (Mac OS X Lion). Modified node with last_dhcp = 2013-01-17 10:46:40,computername = ,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46 (main::listen_dhcp)
Jan 17 10:46:40 pfdhcplistener(22649) INFO: DHCPACK from 172.16.12.100 (00:15:17:db:78:22) to host c4:2c:03:0e:3f:2f (172.16.12.10) for 30 seconds (main::parse_dhcp_ack)
Jan 17 10:46:43 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 192.168.250.1 (main::parseTrap)
Jan 17 10:46:43 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Use of uninitialized value $ifType in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 127.
Use of uninitialized value $ifType in numeric eq (==) at /usr/local/pf/lib/pf/vlan.pm line 127.
Jan 17 10:46:43 pfsetvlan(1) INFO: reAssignVlan trap received on 192.168.250.1 ifindex 74 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Jan 17 10:46:43 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Jan 17 10:46:43 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
PacketFence 3.6.0 installed from Inverse PacketFence repo
CentOS 6.3 x86_64
Switch is in Production Mode
Trapping.registration and .detection both enabled
Switch is configured as per the Network Devices Configuration Guide 3.6.1 page 38
Thank you,
Tim
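
An added example, not part of the original post and not PacketFence code: a Python script that correlates the log messages shown above to list nodes whose VLAN reassignment was requested but whose reAssignVlan trap was then dropped by the ethernetCsmacd check, leaving them in the registration VLAN. The function name find_stuck_nodes and the second node (MAC 00:11:22:33:44:55 on ifIndex 80) are constructed for illustration; the other log lines are taken from the snippet in the post.

```python
import re

# Log lines from the post (unwrapped) plus a constructed second node on ifIndex 80
# that has no failing trap, to show the negative case.
SAMPLE_LOG = """\
Jan 17 10:46:39 register.cgi(0) INFO: VLAN reassignment required for c4:2c:03:0e:3f:2f (current VLAN = 100 but should be in VLAN 10) (pf::enforcement::_should_we_reassign_vlan)
Jan 17 10:46:39 register.cgi(0) INFO: switch port for c4:2c:03:0e:3f:2f is 192.168.250.1 ifIndex 74 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Jan 17 10:46:43 pfsetvlan(1) INFO: reAssignVlan trap received on 192.168.250.1 ifindex 74 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Jan 17 10:47:02 register.cgi(0) INFO: VLAN reassignment required for 00:11:22:33:44:55 (current VLAN = 100 but should be in VLAN 10) (pf::enforcement::_should_we_reassign_vlan)
Jan 17 10:47:02 register.cgi(0) INFO: switch port for 00:11:22:33:44:55 is 192.168.250.1 ifIndex 80 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
REQUIRED = re.compile(r"VLAN reassignment required for " + MAC +
                      r" \(current VLAN = (?P<cur>\d+) but should be in VLAN (?P<want>\d+)\)")
PORT = re.compile(r"switch port for " + MAC + r" is (?P<sw>\S+) ifIndex (?P<idx>\d+)")
REJECTED = re.compile(r"reAssignVlan trap received on (?P<sw>\S+) ifindex (?P<idx>\d+) "
                      r"which is not ethernetCsmacd")

def find_stuck_nodes(log_text):
    """Return nodes whose requested VLAN change was dropped by the ifType check."""
    wanted = {}   # mac -> (current VLAN, target VLAN)
    pending = {}  # (switch, ifIndex) -> mac awaiting reassignment
    stuck = []
    for line in log_text.splitlines():
        if m := REQUIRED.search(line):
            wanted[m["mac"]] = (int(m["cur"]), int(m["want"]))
        elif m := PORT.search(line):
            if m["mac"] in wanted:
                pending[(m["sw"], int(m["idx"]))] = m["mac"]
        elif m := REJECTED.search(line):
            key = (m["sw"], int(m["idx"]))
            mac = pending.pop(key, None)
            if mac:
                cur, want = wanted.pop(mac)
                stuck.append({"mac": mac, "switch": key[0], "ifindex": key[1],
                              "current_vlan": cur, "wanted_vlan": want})
    return stuck

if __name__ == "__main__":
    for node in find_stuck_nodes(SAMPLE_LOG):
        print(node)
```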
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users