Hello everybody,
this is my first message to the PacketFence world.
I would like to involve the experts or the members of the list, in order to help me
get rid of this headache about the configuration that has been affecting me for
several weeks!
Before involving you, I tried a lot of configurations... nope...
So I will explain all the points of my project, trying to keep all the details
brief:
*---DESIGN----:*
"normal lab..." PacketFence + Cisco 3560
VLAN 100 guest (normal)
VLAN 110 registration
VLAN 120 isolation
*----Ports configuration on 3560---:*
interface FastEthernet0/23
description GUEST-REGISTRATION
switchport mode access
no snmp trap link-status
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 5
dot1x reauthentication
spanning-tree portfast
*FIRST NOTE: the group of "authentication" commands does not exist on the 3560!!*
*----Switch.conf----*
[10.0.1.4]
mode=production
cliUser=cisco
#vlans=100,110,120
defaultVlan=100
#normalVlan=100
deauthMethod=RADIUS
description=core
type=Cisco::Catalyst_3560
cliPwd=cisco
VoIPEnabled=N
cliEnablePwd=cisco
uplink=1,2,3,4,5,6,7,8,9,10
radiusSecret=firstconf
defaultRole=default
guestVlan=100
gamingRole=guest
guestRole=guest
gamingVlan=100
wsPwd=cisco
wsUser=cisco
SNMPVersion=2c
SNMPEngineID=AA5ED139B81D4A328D18ACD1
SNMPUserNameRead=readUser
SNMPUserNameWrite=writeUser
SNMPVersionTrap=2c
*---HOW WORKS AND HOW DOESN'T WORK---*
1) The guest PC is successfully redirected to the PacketFence portal to
self-register.
2) In our example he chooses self-registration by email address.
3) PacketFence, via RADIUS and dot1x, correctly sets the registration VLAN.
4) Now... the problem.
After registration the user should be switched to the normal VLAN (100), in
order to browse and
activate his account by following the email.
BUT... the switch to access VLAN 100... NEVER HAPPENS.
*--HERE BELOW SOME LOGS AND DEBUG--*
---Dot1x----debug----on--switch-----
00:43:07: dot1x-ev:RADIUS provided VLAN name 110 to interface
FastEthernet0/21
00:43:07: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 110 on
interface FastEthernet0/21
00:43:07: dot1x-ev:Successfully assigned VLAN 110 to interface
FastEthernet0/21
00:43:07: dot1x-sm:Posting AUTHC_SUCCESS on Client=3246578
00:43:07: dot1x_auth Fa0: during state auth_authc_result, got event
22(authcSuccess)
00:43:07: @@@ dot1x_auth Fa0: auth_authc_result -> auth_authz_success
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authz_success_enter called
*00:43:07: dot1x-ev:dot1x_switch_addr_add: Added MAC 0016.d49e.51b5 to vlan
110 on interface FastEthernet0/21*
00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is
disabled on Fa0/21
00:43:07: dot1x-registry:** dot1x_switch_vp_statechange:
00:43:07: dot1x-ev:vlan 110 vp is added on the interface FastEthernet0/21
00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is
disabled on Fa0/21
00:43:07: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on
interface FastEthernet0/21
00:43:07: dot1x-ev:Received successful Authz complete for 0016.d49e.51b5
00:43:07: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3246578
00:43:07: dot1x_auth Fa0: during state auth_authz_success, got event
25(authzSuccess)
00:43:07: @@@ dot1x_auth Fa0: auth_authz_success -> auth_authenticated
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authenticated_enter called
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:dot1x_auth_start_reauth_timer
called
00:43:07: dot1x-ev:Start REAUTHENTICATION timer
00:43:07: dot1x-ev:Using locally configured value of 3600 for
reauthentication timer
00:43:07: dot1x-ev:Nothing to send to the client 0016.d49e.51b5
----Packetfence.log----
Jun 10 03:02:20 pfcmd.pl(2785) INFO: generating
/usr/local/pf/var/conf/snmptrapd.conf
(pf::services::manager::snmptrapd::generateConfig)
Jun 10 03:02:20 pfcmd.pl(2785) INFO: Daemon snmptrapd took 0.161 seconds to
start. (pf::services::manager::launchService)
Jun 10 03:02:22 pfsetvlan(2798) INFO: pfsetvlan starting and writing 2801
to /usr/local/pf/var/run/pfsetvlan.pid (pf::services::util::createpid)
Jun 10 03:02:22 pfsetvlan(2798) INFO: Process started (main::)
Jun 10 03:02:22 pfcmd.pl(2785) INFO: Daemon pfsetvlan took 1.905 seconds to
start. (pf::services::manager::launchService)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586
(pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2586
(pf::services::manager::removeStalePid)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586
(pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586
(pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595
(pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2595
(pf::services::manager::removeStalePid)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595
(pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595
(pf::services::manager::pidFromFile)
Jun 10 03:02:32 pfcmd.pl(2811) INFO: Daemon radiusd took 0.894 seconds to
start. (pf::services::manager::launchService)
Jun 10 03:03:10 httpd.portal(2695) INFO: mac : 00:16:d4:9e:51:b5
(captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Jun 10 03:03:10 httpd.portal(2695) INFO: Updating node 00:16:d4:9e:51:b5
user_agent with useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64;
Trident/7.0; rv:11.0) like Gecko'
(captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
Jun 10 03:03:10 httpd.portal(2695) INFO: Static User-Agent lookup data
initialized (pf::useragent::_init)
Jun 10 03:03:10 httpd.portal(2695) INFO: 00:16:d4:9e:51:b5 redirected to
authentication page
(captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Jun 10 03:03:14 httpd.portal(2695) INFO: mac : 00:16:d4:9e:51:b5
(captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Jun 10 03:03:30 httpd.portal(2638) INFO: mac : 00:16:d4:9e:51:b5
(captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Jun 10 03:03:30 httpd.portal(2638) INFO: registering 00:16:d4:9e:51:b5
guest by email
(captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
Jun 10 03:03:30 httpd.portal(2638) INFO: Matched rule (catchall) in source
email, returning actions. (pf::Authentication::Source::match)
Jun 10 03:03:30 httpd.portal(2638) INFO: person myemea...@gmail.com
modified to myem...@gmail.com (pf::person::person_modify)
Jun 10 03:03:30 httpd.portal(2638) INFO: re-evaluating access for node
00:16:d4:9e:51:b5 (manage_register called)
(pf::enforcement::reevaluate_access)
Jun 10 03:03:30 httpd.portal(2638) INFO: switch port for 00:16:d4:9e:51:b5
is 10.0.1.4 ifIndex 10023 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
Jun 10 03:03:30 httpd.portal(2638) INFO: new activation code successfully
generated (pf::email_activation::create)
Jun 10 03:03:31 httpd.portal(2638) INFO: Email sent to
matteo.pid...@gmail.com (lab.pri: Email activation required)
(pf::email_activation::__ANON__)
Jun 10 03:03:34 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
10.0.1.4 (main::parseTrap)
Jun 10 03:03:34 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
running: 0 (main::startTrapHandlers)
Jun 10 03:03:38 pfsetvlan(1) ERROR: error creating SNMP v2c read connection
to 10.0.1.4: No response from remote host "10.0.1.4"
(pf::Switch::connectRead)
Jun 10 03:03:38 pfsetvlan(1) INFO: reAssignVlan trap received on 10.0.1.4
ifindex 10023 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Jun 10 03:03:38 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop
reAssignVlan handling (main::handleTrap)
Jun 10 03:03:38 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
*----conclusion------*
Something is wrong with SNMP between the switch and PacketFence: Jun 10 03:03:38
pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4: No
response from remote host "10.0.1.4" (pf::Switch::connectRead)
But really, I tried everything! I also followed the admin guide line by line, but in my
case (I don't know why, but I also read something like this in another
thread) I can't manage AES encryption and SNMP v3 on the 3560.
For now, in the lab, it is also not needed.
I need a good, clean, basic configuration to keep it working!
Thanks very much in advance,
your feedback and help will surely be appreciated.
Regards
Matteo
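The pfsetvlan log in the post fails at pf::Switch::connectRead, and in the very next line the same handler reports ifIndex 10023 as "not ethernetCsmacd" and drops the reAssignVlan trap. Two checks a practitioner would run before touching anything else are (a) does the switches.conf entry actually carry the credentials its SNMPVersion needs, and (b) did the ifType check fail on its own or only because the SNMP read before it failed. The script below is an added example written for this thread; it is not code from Matteo's post or from PacketFence. The community-string key names for v1/v2c are PacketFence's own; the v3 key list is my assumption from PacketFence's naming, the [default] section merge mirrors how switches.conf inherits keys, and the embedded config and log lines are constructed samples shaped like the ones posted.

```python
"""Triage a PacketFence switch entry whose pfsetvlan SNMP reads fail.

Added example for the mailing-list thread, not PacketFence code.
  1. Check that the switches.conf section has the credentials its
     SNMPVersion needs ([default] values are merged in first).
  2. Walk pfsetvlan log lines to see at which step the reAssignVlan
     trap was dropped and whether an SNMP read error preceded it.
"""
import configparser
import re

# Keys PacketFence reads per SNMP version. v1/v2c community keys are the
# documented names; the v3 list is my assumption from PacketFence's naming.
REQUIRED_SNMP_KEYS = {
    "1": ("SNMPCommunityRead", "SNMPCommunityWrite"),
    "2c": ("SNMPCommunityRead", "SNMPCommunityWrite"),
    "3": ("SNMPUserNameRead", "SNMPUserNameWrite",
          "SNMPAuthProtocolRead", "SNMPAuthPasswordRead",
          "SNMPPrivProtocolRead", "SNMPPrivPasswordRead"),
}

# Constructed switches.conf: the SNMP-relevant keys of the posted
# [10.0.1.4] block plus an empty [default] block to inherit from.
SAMPLE_SWITCHES_CONF = """\
[default]

[10.0.1.4]
mode=production
type=Cisco::Catalyst_3560
deauthMethod=RADIUS
radiusSecret=firstconf
SNMPVersion=2c
SNMPEngineID=AA5ED139B81D4A328D18ACD1
SNMPUserNameRead=readUser
SNMPUserNameWrite=writeUser
SNMPVersionTrap=2c
uplink=1,2,3,4,5,6,7,8,9,10
"""

# Constructed pfsetvlan lines, unwrapped, shaped like the posted ones.
SAMPLE_PFSETVLAN_LOG = """\
Jun 10 03:03:34 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.0.1.4 (main::parseTrap)
Jun 10 03:03:38 pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4: No response from remote host "10.0.1.4" (pf::Switch::connectRead)
Jun 10 03:03:38 pfsetvlan(1) INFO: reAssignVlan trap received on 10.0.1.4 ifindex 10023 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Jun 10 03:03:38 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
"""

CONNECT_ERR = re.compile(
    r"error creating SNMP v(\S+) read connection to (\S+): (.+?) \(pf::Switch::connectRead\)")
IFTYPE_MSG = re.compile(r"ifindex (\d+) which is not ethernetCsmacd")
STOP_MSG = re.compile(r"doWeActOnThisTrap returns false")


def load_switch(conf_text, switch_ip):
    """Effective key/value map for one switch, [default] merged underneath."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # PacketFence keys are case-sensitive
    cp.read_string(conf_text)
    merged = dict(cp["default"]) if cp.has_section("default") else {}
    merged.update(cp[switch_ip])
    return merged


def missing_snmp_keys(switch):
    """Credential keys the configured SNMPVersion needs but that are unset."""
    version = switch.get("SNMPVersion", "")
    required = REQUIRED_SNMP_KEYS.get(version)
    if required is None:
        return ["unsupported SNMPVersion=%r" % version]
    return [k for k in required if not switch.get(k)]


def stray_keys(switch):
    """Keys set for a different SNMP version: harmless, but a sign of a mix-up."""
    version = switch.get("SNMPVersion", "")
    others = set()
    for v, keys in REQUIRED_SNMP_KEYS.items():
        if v != version:
            others.update(keys)
    others -= set(REQUIRED_SNMP_KEYS.get(version, ()))
    return sorted(k for k in others if switch.get(k))


def triage_trap_log(log_text):
    """Say why pfsetvlan dropped the reAssignVlan trap, from the log alone."""
    r = {"snmp_read_failed": False, "iftype_rejected_ifindex": None, "trap_dropped": False}
    for line in log_text.splitlines():
        m = CONNECT_ERR.search(line)
        if m:
            r["snmp_read_failed"] = True
            r["snmp_version"], r["switch"], r["reason"] = m.groups()
            continue
        m = IFTYPE_MSG.search(line)
        if m:
            r["iftype_rejected_ifindex"] = int(m.group(1))
            continue
        if STOP_MSG.search(line):
            r["trap_dropped"] = True
    # Verdict is inferred from line order: a connectRead error immediately
    # before the ethernetCsmacd message means the check ran without data.
    if r["snmp_read_failed"] and r["iftype_rejected_ifindex"] is not None:
        r["verdict"] = "ifType never read over SNMP; fix SNMP read access first"
    elif r["iftype_rejected_ifindex"] is not None:
        r["verdict"] = "SNMP read worked; that ifIndex really is not an Ethernet port"
    elif r["trap_dropped"]:
        r["verdict"] = "trap dropped for another reason"
    else:
        r["verdict"] = "no drop seen"
    return r


if __name__ == "__main__":
    sw = load_switch(SAMPLE_SWITCHES_CONF, "10.0.1.4")
    print("SNMPVersion=%s missing keys: %s" % (sw["SNMPVersion"], missing_snmp_keys(sw)))
    print("keys belonging to another SNMP version:", stray_keys(sw))
    print(triage_trap_log(SAMPLE_PFSETVLAN_LOG))
```

Once the entry passes the key check, the same thing can be confirmed by hand from the PacketFence host with net-snmp, e.g. `snmpget -v 2c -c <read community> 10.0.1.4 IF-MIB::ifType.10023`, which should answer ethernetCsmacd(6) for an access port; if that times out, the matching `snmp-server community <string> RO` / `RW` statements on the 3560, and any access-list attached to them, are the next place to look. The verdict strings are inferences from log ordering only; the script does not talk to the switch.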
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users