Hi Matteo,
comments below
On 2014-06-09 18:15, Matteo Pidalà wrote:
Hello everybody,
this is my first message to the PacketFence world.
I would like to involve the experts or the members of the list, in order to help
me get rid of this configuration headache that has been affecting me for
several weeks!
Before involving you, I tried a lot of configurations... nope...
So, I will explain all the points of my project, trying to keep all the
details brief:
*---DESIGN----:*
"normal lab..." PacketFence + Cisco 3560
VLAN 100 guest (normal)
VLAN 110 registration
VLAN 120 isolation
*----Ports configuration on 3560---:*
interface FastEthernet0/23
description GUEST-REGISTRATION
switchport mode access
no snmp trap link-status
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 5
dot1x reauthentication
spanning-tree portfast
_FIRST NOTE: the group of "authentication" commands on the 3560 does not exist!_
_It depends on the IOS:_
_http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/command/reference/3560cr/cli1.html_
*----Switch.conf----*
[10.0.1.4]
mode=production
cliUser=cisco
#vlans=100,110,120
defaultVlan=100
#normalVlan=100
deauthMethod=RADIUS
description=core
type=Cisco::Catalyst_3560
cliPwd=cisco
VoIPEnabled=N
cliEnablePwd=cisco
uplink=1,2,3,4,5,6,7,8,9,10
radiusSecret=firstconf
defaultRole=default
guestVlan=100
gamingRole=guest
guestRole=guest
gamingVlan=100
wsPwd=cisco
wsUser=cisco
SNMPVersion=2c
SNMPEngineID=AA5ED139B81D4A328D18ACD1
SNMPUserNameRead=readUser
SNMPUserNameWrite=writeUser
SNMPVersionTrap=2c
*---HOW IT WORKS AND HOW IT DOESN'T WORK---*
1) The guest PC is successfully redirected to the PacketFence portal to
self-register.
2) In our example he chooses self-registration by email address.
3) PacketFence, with RADIUS and dot1x, correctly sets the registration VLAN.
4) Now... the problem.
After the registration, the user should be switched to the normal VLAN
(100), in order to browse and activate the user following his mail.
BUT... the switch to mode access vlan 100... NEVER HAPPENED.
There is no switch mode access vlan 100; check logs/radius.log to
see what has been returned by PacketFence for your MAC address, or use
radiusd -d /usr/local/pf/raddb/ -X .
*--HERE BELOVE SOME LOGS AND DEBUG--*
---Dot1x----debug----on--switch-----
00:43:07: dot1x-ev:RADIUS provided VLAN name 110 to interface FastEthernet0/21
00:43:07: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 110 on interface FastEthernet0/21
00:43:07: dot1x-ev:Successfully assigned VLAN 110 to interface FastEthernet0/21
00:43:07: dot1x-sm:Posting AUTHC_SUCCESS on Client=3246578
00:43:07: dot1x_auth Fa0: during state auth_authc_result, got event 22(authcSuccess)
00:43:07: @@@ dot1x_auth Fa0: auth_authc_result -> auth_authz_success
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authz_success_enter called
_00:43:07: dot1x-ev:dot1x_switch_addr_add: Added MAC 0016.d49e.51b5 to vlan 110 on interface FastEthernet0/21_
00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/21
00:43:07: dot1x-registry:** dot1x_switch_vp_statechange:
00:43:07: dot1x-ev:vlan 110 vp is added on the interface FastEthernet0/21
00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/21
00:43:07: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/21
00:43:07: dot1x-ev:Received successful Authz complete for 0016.d49e.51b5
00:43:07: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3246578
00:43:07: dot1x_auth Fa0: during state auth_authz_success, got event 25(authzSuccess)
00:43:07: @@@ dot1x_auth Fa0: auth_authz_success -> auth_authenticated
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authenticated_enter called
00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:dot1x_auth_start_reauth_timer called
00:43:07: dot1x-ev:Start REAUTHENTICATION timer
00:43:07: dot1x-ev:Using locally configured value of 3600 for reauthentication timer
00:43:07: dot1x-ev:Nothing to send to the client 0016.d49e.51b5
----Packetfence.log----
Jun 10 03:02:20 pfcmd.pl(2785) INFO: generating /usr/local/pf/var/conf/snmptrapd.conf (pf::services::manager::snmptrapd::generateConfig)
Jun 10 03:02:20 pfcmd.pl(2785) INFO: Daemon snmptrapd took 0.161 seconds to start. (pf::services::manager::launchService)
Jun 10 03:02:22 pfsetvlan(2798) INFO: pfsetvlan starting and writing 2801 to /usr/local/pf/var/run/pfsetvlan.pid (pf::services::util::createpid)
Jun 10 03:02:22 pfsetvlan(2798) INFO: Process started (main::)
Jun 10 03:02:22 pfcmd.pl(2785) INFO: Daemon pfsetvlan took 1.905 seconds to start. (pf::services::manager::launchService)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2586 (pf::services::manager::removeStalePid)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2595 (pf::services::manager::removeStalePid)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595 (pf::services::manager::pidFromFile)
Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595 (pf::services::manager::pidFromFile)
Jun 10 03:02:32 pfcmd.pl(2811) INFO: Daemon radiusd took 0.894 seconds to start. (pf::services::manager::launchService)
Jun 10 03:03:10 httpd.portal(2695) INFO: mac : 00:16:d4:9e:51:b5 (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Jun 10 03:03:10 httpd.portal(2695) INFO: Updating node 00:16:d4:9e:51:b5 user_agent with useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko' (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
Jun 10 03:03:10 httpd.portal(2695) INFO: Static User-Agent lookup data initialized (pf::useragent::_init)
Jun 10 03:03:10 httpd.portal(2695) INFO: 00:16:d4:9e:51:b5 redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
Jun 10 03:03:14 httpd.portal(2695) INFO: mac : 00:16:d4:9e:51:b5 (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Jun 10 03:03:30 httpd.portal(2638) INFO: mac : 00:16:d4:9e:51:b5 (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Jun 10 03:03:30 httpd.portal(2638) INFO: registering 00:16:d4:9e:51:b5 guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
Jun 10 03:03:30 httpd.portal(2638) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
Jun 10 03:03:30 httpd.portal(2638) INFO: person myemea...@gmail.com modified to myem...@gmail.com (pf::person::person_modify)
Jun 10 03:03:30 httpd.portal(2638) INFO: re-evaluating access for node 00:16:d4:9e:51:b5 (manage_register called) (pf::enforcement::reevaluate_access)
Jun 10 03:03:30 httpd.portal(2638) INFO: switch port for 00:16:d4:9e:51:b5 is 10.0.1.4 ifIndex 10023 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Mac-Auth here, no dot1x.
Jun 10 03:03:30 httpd.portal(2638) INFO: new activation code successfully generated (pf::email_activation::create)
Jun 10 03:03:31 httpd.portal(2638) INFO: Email sent to matteo.pid...@gmail.com (lab.pri: Email activation required) (pf::email_activation::__ANON__)
Jun 10 03:03:34 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.0.1.4 (main::parseTrap)
Jun 10 03:03:34 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Jun 10 03:03:38 pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4: No response from remote host "10.0.1.4" (pf::Switch::connectRead)
Did you configure SNMP on the switch? Are you able to do snmpread and snmpwrite from the server to your switch?
Jun 10 03:03:38 pfsetvlan(1) INFO: reAssignVlan trap received on 10.0.1.4 ifindex 10023 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Jun 10 03:03:38 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Jun 10 03:03:38 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
*----conclusion------*
Something is wrong with SNMP between the switch and PacketFence: Jun 10 03:03:38
pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4:
No response from remote host "10.0.1.4" (pf::Switch::connectRead)
But really, I tried everything! I also followed the admin guide row by row. But
in my case (I don't know why, but I also read something like this in
another thread), on the 3560 I can't manage AES encryption and SNMP v3.
For now, and in a laboratory, it is also not needed.
I need a good, clean, basic configuration to keep it working!
snmp-server community public RO
snmp-server community private RW
Thanks very much in advance,
your feedback and help will be for sure appreciated.
Regards
Matteo
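Two offline checks that follow from the evidence in this thread, as an added example; this is not code from the thread or from PacketFence itself. The first parses a switches.conf stanza and flags an SNMPVersion that does not match the credentials present (the v2c community keys SNMPCommunityRead/SNMPCommunityWrite and the v3 user keys SNMPUserNameRead/SNMPUserNameWrite are PacketFence's own parameter names; the stanza above carries only the v3 ones while declaring 2c). The second scans pfsetvlan log lines for the connectRead failure and the "not ethernetCsmacd" skip on the same switch, which together say PacketFence never got an ifType answer over SNMP and therefore stopped before any VLAN change. All sample input is constructed from the thread; nothing is fetched from a switch.

```python
"""Offline sanity checks for a PacketFence switches.conf stanza and pfsetvlan logs.

Added example, not PacketFence project code. Key names follow switches.conf;
all inputs below are constructed copies of what the thread shows.
"""
import configparser
import re

# Constructed: trimmed copy of the thread's [10.0.1.4] stanza (v2c declared, v3 users only).
SAMPLE_SWITCHES_CONF = """\
[10.0.1.4]
mode=production
type=Cisco::Catalyst_3560
SNMPVersion=2c
SNMPUserNameRead=readUser
SNMPUserNameWrite=writeUser
SNMPVersionTrap=2c
"""

# Constructed: the same stanza with v2c community strings matching the switch's
# "snmp-server community public RO / private RW" lines.
FIXED_SWITCHES_CONF = """\
[10.0.1.4]
mode=production
type=Cisco::Catalyst_3560
SNMPVersion=2c
SNMPCommunityRead=public
SNMPCommunityWrite=private
SNMPVersionTrap=2c
"""

# Constructed: the thread's pfsetvlan lines, unwrapped to one line each.
SAMPLE_LOG = [
    "Jun 10 03:03:34 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.0.1.4 (main::parseTrap)",
    'Jun 10 03:03:38 pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4: '
    'No response from remote host "10.0.1.4" (pf::Switch::connectRead)',
    "Jun 10 03:03:38 pfsetvlan(1) INFO: reAssignVlan trap received on 10.0.1.4 ifindex 10023 "
    "which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)",
    "Jun 10 03:03:38 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)",
]

V2C_KEYS = ("SNMPCommunityRead", "SNMPCommunityWrite")
V3_KEYS = ("SNMPUserNameRead", "SNMPUserNameWrite")


def parse_switches_conf(text):
    """Parse switches.conf text into {switch: {key: value}}; '#' lines are comments."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep CamelCase keys as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def check_snmp_credentials(stanza):
    """Return findings where SNMPVersion and the credentials present disagree."""
    findings = []
    version = stanza.get("SNMPVersion", "")
    if version in ("1", "2c"):
        missing = [k for k in V2C_KEYS if not stanza.get(k)]
        if missing:
            findings.append(f"SNMPVersion={version} but no community string: {', '.join(missing)}")
        v3_only = [k for k in V3_KEYS if stanza.get(k)]
        if v3_only:
            findings.append(f"SNMPv{version} has no user names; {', '.join(v3_only)} will not be used")
    elif version == "3":
        missing = [k for k in V3_KEYS if not stanza.get(k)]
        if missing:
            findings.append("SNMPVersion=3 but missing user names: " + ", ".join(missing))
    else:
        findings.append(f"unrecognised or missing SNMPVersion: {version!r}")
    return findings


SNMP_CONNECT_ERR = re.compile(r"error creating SNMP v(?P<ver>\w+) read connection to (?P<host>[\d.]+)")
IFTYPE_SKIP = re.compile(r"trap received on (?P<host>[\d.]+) ifindex (?P<idx>\d+) which is not ethernetCsmacd")


def scan_pfsetvlan_log(lines):
    """Reduce pfsetvlan lines to (event, host[, ifindex]) tuples worth acting on."""
    events = []
    for line in lines:
        m = SNMP_CONNECT_ERR.search(line)
        if m:
            events.append(("snmp_read_failed", m.group("host")))
            continue
        m = IFTYPE_SKIP.search(line)
        if m:
            events.append(("port_type_unknown", m.group("host"), int(m.group("idx"))))
    return events


def diagnose(events):
    """A read failure followed by a port-type skip on the same switch means the
    ifType lookup never got an answer, so the VLAN change was abandoned."""
    failed = {e[1] for e in events if e[0] == "snmp_read_failed"}
    for e in events:
        if e[0] == "port_type_unknown" and e[1] in failed:
            return f"switch {e[1]}: SNMP read failed, ifindex {e[2]} skipped; fix SNMP reachability/community first"
    return "no SNMP-related reason found for a missing VLAN change"


if __name__ == "__main__":
    for name, text in (("thread stanza", SAMPLE_SWITCHES_CONF), ("fixed stanza", FIXED_SWITCHES_CONF)):
        print(name, check_snmp_credentials(parse_switches_conf(text)["10.0.1.4"]) or ["ok"])
    print(diagnose(scan_pfsetvlan_log(SAMPLE_LOG)))
```

Run it against the real /usr/local/pf/conf/switches.conf and a tail of pfsetvlan's log to get the same two verdicts; a clean stanza plus a still-failing connectRead points at the switch side (community strings, SNMP ACL, or reachability from the PacketFence host) rather than at switches.conf.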
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users