Hi Duran,
thanks for the prompt answer.
I will try this evening when I will reach my lab.

Anyway, first things first... Why should I switch the port to access
VLAN 100 at the beginning? Isn't it SNMP that will write "vlan 100"
after the user registration from PacketFence?

Regards

Matteo


2014-06-10 2:52 GMT+02:00 Durand fabrice <fdur...@inverse.ca>:

>  Hi Matteo,
>
> comments below
>
> On 2014-06-09 18:15, Matteo Pidalà wrote:
>
> Hello everybody,
> this is my first message to the PacketFence world.
>
>  I am asking the experts and members of the list to help me
> get rid of this headache about a configuration that has been affecting me for
> several weeks!
> Before involving you, I tried a lot of configurations... nope...
> So I will explain all the points of my project, trying to keep all the details
> brief:
>
>  *---DESIGN----:*
> "normal lab..." Packet fence + Cisco 3560
> VLAN 100 guest (normal)
> VLAN 110 registration
> VLAN 120 isolation
>
>  *----Ports configuration on 3560---:*
>  interface FastEthernet0/23
>  description GUEST-REGISTRATION
>  switchport mode access
>  no snmp trap link-status
>  dot1x mac-auth-bypass
>  dot1x pae authenticator
>  dot1x port-control auto
>  dot1x timeout tx-period 5
>  dot1x reauthentication
>  spanning-tree portfast
>  *FIRST NOTE: the group of "authentication" commands does not exist on the 3560!!*
>
>   *It depends on the IOS version:*
> http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/command/reference/3560cr/cli1.html
>
>  *----Switch.conf----*
>  [10.0.1.4]
> mode=production
> cliUser=cisco
> #vlans=100,110,120
> defaultVlan=100
> #normalVlan=100
> deauthMethod=RADIUS
> description=core
> type=Cisco::Catalyst_3560
> cliPwd=cisco
> VoIPEnabled=N
> cliEnablePwd=cisco
> uplink=1,2,3,4,5,6,7,8,9,10
> radiusSecret=firstconf
> defaultRole=default
> guestVlan=100
> gamingRole=guest
> guestRole=guest
> gamingVlan=100
> wsPwd=cisco
> wsUser=cisco
> SNMPVersion=2c
> SNMPEngineID=AA5ED139B81D4A328D18ACD1
> SNMPUserNameRead=readUser
> SNMPUserNameWrite=writeUser
> SNMPVersionTrap=2c
>
>  *---HOW IT WORKS AND HOW IT DOESN'T WORK---*
> 1) The guest PC is successfully redirected to the PacketFence portal to
> self-register.
> 2) In our example he chooses self-registration by e-mail address.
> 3) PacketFence with RADIUS and dot1x sets the registration VLAN correctly.
> 4) now... the problem.
>     after the registration, the user could be switched to the normal VLAN (100),
> in order to browse and
>     activate the account following his mail.
>     BUT... the VLAN switch (mode access 100)... NEVER HAPPENS.
>
>   There is no switch mode access vlan 100; let's check logs/radius.log to
> see what has been returned by PacketFence for your MAC address, or use radiusd
> -d /usr/local/pf/raddb/ -X .
>
>
>  *--HERE BELOVE SOME LOGS AND DEBUG--*
>
>  ---Dot1x----debug----on--switch-----
>  00:43:07: dot1x-ev:RADIUS provided VLAN name 110 to interface
> FastEthernet0/21
> 00:43:07: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 110 on
> interface FastEthernet0/21
> 00:43:07: dot1x-ev:Successfully assigned VLAN 110 to interface
> FastEthernet0/21
> 00:43:07: dot1x-sm:Posting AUTHC_SUCCESS on Client=3246578
> 00:43:07:     dot1x_auth Fa0: during state auth_authc_result, got event
> 22(authcSuccess)
> 00:43:07: @@@ dot1x_auth Fa0: auth_authc_result -> auth_authz_success
> 00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authz_success_enter called
> *00:43:07: dot1x-ev:dot1x_switch_addr_add: Added MAC 0016.d49e.51b5 to
> vlan 110 on interface FastEthernet0/21*
> 00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is
> disabled on Fa0/21
> 00:43:07: dot1x-registry:** dot1x_switch_vp_statechange:
> 00:43:07: dot1x-ev:vlan 110 vp is added on the interface FastEthernet0/21
> 00:43:07: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is
> disabled on Fa0/21
> 00:43:07: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on
> interface FastEthernet0/21
> 00:43:07: dot1x-ev:Received successful Authz complete for 0016.d49e.51b5
> 00:43:07: dot1x-sm:Posting AUTHZ_SUCCESS on Client=3246578
> 00:43:07:     dot1x_auth Fa0: during state auth_authz_success, got event
> 25(authzSuccess)
> 00:43:07: @@@ dot1x_auth Fa0: auth_authz_success -> auth_authenticated
> 00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:auth_authenticated_enter called
> 00:43:07: dot1x-sm:Fa0/21:0016.d49e.51b5:dot1x_auth_start_reauth_timer
> called
> 00:43:07: dot1x-ev:Start REAUTHENTICATION timer
> 00:43:07: dot1x-ev:Using locally configured value of 3600 for
> reauthentication timer
> 00:43:07: dot1x-ev:Nothing to send to the client 0016.d49e.51b5
>
>  ----Packetfence.log----
>  Jun 10 03:02:20 pfcmd.pl(2785) INFO: generating
> /usr/local/pf/var/conf/snmptrapd.conf
> (pf::services::manager::snmptrapd::generateConfig)
> Jun 10 03:02:20 pfcmd.pl(2785) INFO: Daemon snmptrapd took 0.161 seconds
> to start. (pf::services::manager::launchService)
> Jun 10 03:02:22 pfsetvlan(2798) INFO: pfsetvlan starting and writing 2801
> to /usr/local/pf/var/run/pfsetvlan.pid (pf::services::util::createpid)
> Jun 10 03:02:22 pfsetvlan(2798) INFO: Process started (main::)
> Jun 10 03:02:22 pfcmd.pl(2785) INFO: Daemon pfsetvlan took 1.905 seconds
> to start. (pf::services::manager::launchService)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586
> (pf::services::manager::pidFromFile)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2586
> (pf::services::manager::removeStalePid)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586
> (pf::services::manager::pidFromFile)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x memcached returned 2586
> (pf::services::manager::pidFromFile)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595
> (pf::services::manager::pidFromFile)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: verifying process 2595
> (pf::services::manager::removeStalePid)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595
> (pf::services::manager::pidFromFile)
> Jun 10 03:02:27 pfcmd.pl(2811) INFO: pidof -x httpd.admin returned 2595
> (pf::services::manager::pidFromFile)
> Jun 10 03:02:32 pfcmd.pl(2811) INFO: Daemon radiusd took 0.894 seconds to
> start. (pf::services::manager::launchService)
> Jun 10 03:03:10 httpd.portal(2695) INFO: mac : 00:16:d4:9e:51:b5
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Jun 10 03:03:10 httpd.portal(2695) INFO: Updating node 00:16:d4:9e:51:b5
> user_agent with useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64;
> Trident/7.0; rv:11.0) like Gecko'
> (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> Jun 10 03:03:10 httpd.portal(2695) INFO: Static User-Agent lookup data
> initialized (pf::useragent::_init)
> Jun 10 03:03:10 httpd.portal(2695) INFO: 00:16:d4:9e:51:b5 redirected to
> authentication page
> (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Jun 10 03:03:14 httpd.portal(2695) INFO: mac : 00:16:d4:9e:51:b5
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Jun 10 03:03:30 httpd.portal(2638) INFO: mac : 00:16:d4:9e:51:b5
> (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
> Jun 10 03:03:30 httpd.portal(2638) INFO: registering 00:16:d4:9e:51:b5
> guest by email
> (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
> Jun 10 03:03:30 httpd.portal(2638) INFO: Matched rule (catchall) in source
> email, returning actions. (pf::Authentication::Source::match)
> Jun 10 03:03:30 httpd.portal(2638) INFO: person myemea...@gmail.com
> modified to myem...@gmail.com (pf::person::person_modify)
>  Jun 10 03:03:30 httpd.portal(2638) INFO: re-evaluating access for node
> 00:16:d4:9e:51:b5 (manage_register called)
> (pf::enforcement::reevaluate_access)
> Jun 10 03:03:30 httpd.portal(2638) INFO: switch port for 00:16:d4:9e:51:b5
> is 10.0.1.4 ifIndex 10023 connection type: Wired MAC Auth
> (pf::enforcement::_vlan_reevaluation)
>
>
> Mac-Auth here, no dot1x.
>
>
>   Jun 10 03:03:30 httpd.portal(2638) INFO: new activation code
> successfully generated (pf::email_activation::create)
> Jun 10 03:03:31 httpd.portal(2638) INFO: Email sent to
> matteo.pid...@gmail.com (lab.pri: Email activation required)
> (pf::email_activation::__ANON__)
> Jun 10 03:03:34 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
> 10.0.1.4 (main::parseTrap)
> Jun 10 03:03:34 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
> running: 0 (main::startTrapHandlers)
> Jun 10 03:03:38 pfsetvlan(1) ERROR: error creating SNMP v2c read
> connection to 10.0.1.4: No response from remote host "10.0.1.4"
> (pf::Switch::connectRead)
>
>
> Did you configure SNMP on the switch? Are you able to do an SNMP read and
> SNMP write from the server to your switch?
>
>
>   Jun 10 03:03:38 pfsetvlan(1) INFO: reAssignVlan trap received on
> 10.0.1.4 ifindex 10023 which is not ethernetCsmacd
> (pf::vlan::doWeActOnThisTrap)
> Jun 10 03:03:38 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop
> reAssignVlan handling (main::handleTrap)
> Jun 10 03:03:38 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
>
>
>  *----conclusion------*
> Something is wrong with SNMP between the switch and PacketFence: Jun 10 03:03:38
> pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4:
> No response from remote host "10.0.1.4" (pf::Switch::connectRead)
> But really, I tried everything! I also followed the admin guide row by row, but in my
> case (I don't know why, but I read something like this in another
> thread too), on the 3560 I can't manage AES encryption and SNMP v3.
> For now and in the laboratory, it is also not needed.
> I need a good, clean, basic configuration to keep it working!
>
>  snmp-server community public RO
>  snmp-server community private RW
>
>  Thanks very much in advance,
> your feedback and help will be appreciated for sure.
>
>  Regards
>
>  Matteo
>
>
>
>
>
> ------------------------------------------------------------------------------
> HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
> Find What Matters Most in Your Big Data with HPCC Systems
> Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
> Leverages Graph Analysis for Fast Processing & Easy Data Exploration
> http://p.sf.net/sfu/hpccsystems
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
>
>
>
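As a triage aid for the packetfence.log excerpt quoted in this thread (an added example, not code from the thread or from PacketFence itself): a small Python parser for the log line format shown above that follows the post-registration chain (re-evaluation, trap, SNMP read, doWeActOnThisTrap) and reports the first step at which it breaks. The sample log is the thread's own lines unwrapped onto one line each; the function and key names are my own.

```python
import re

# Line format of packetfence.log as quoted in the thread, e.g.
# "Jun 10 03:03:38 pfsetvlan(1) ERROR: <message> (pf::Switch::connectRead)"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<proc>[\w.]+)\((?P<pid>\d+)\) "
                     r"(?P<level>[A-Z]+): (?P<msg>.*?) \((?P<func>[\w:]+)\)$")

# Constructed sample: the relevant lines from the thread, unwrapped onto one line each.
SAMPLE_LOG = """\
Jun 10 03:03:30 httpd.portal(2638) INFO: registering 00:16:d4:9e:51:b5 guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
Jun 10 03:03:30 httpd.portal(2638) INFO: re-evaluating access for node 00:16:d4:9e:51:b5 (manage_register called) (pf::enforcement::reevaluate_access)
Jun 10 03:03:30 httpd.portal(2638) INFO: switch port for 00:16:d4:9e:51:b5 is 10.0.1.4 ifIndex 10023 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Jun 10 03:03:34 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.0.1.4 (main::parseTrap)
Jun 10 03:03:38 pfsetvlan(1) ERROR: error creating SNMP v2c read connection to 10.0.1.4: No response from remote host "10.0.1.4" (pf::Switch::connectRead)
Jun 10 03:03:38 pfsetvlan(1) INFO: reAssignVlan trap received on 10.0.1.4 ifindex 10023 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Jun 10 03:03:38 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
"""

def parse_pf_log(text):
    """Return one dict per line matching LINE_RE; wrapped or foreign lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def diagnose_reassign(events):
    """Follow re-evaluation -> trap -> SNMP read -> doWeActOnThisTrap; keep the first break."""
    r = {"reevaluated": False, "trap_received": False, "snmp_read_ok": True,
         "trap_acted_on": None, "switch": None, "ifindex": None, "finding": None}
    for e in events:
        func, msg = e["func"], e["msg"]
        if func == "pf::enforcement::reevaluate_access":
            r["reevaluated"] = True
        elif func == "pf::enforcement::_vlan_reevaluation":
            m = re.search(r" is (\S+) ifIndex (\d+)", msg)
            if m:
                r["switch"], r["ifindex"] = m.group(1), int(m.group(2))
        elif func == "main::parseTrap":
            r["trap_received"] = True
        elif func == "pf::Switch::connectRead" and e["level"] == "ERROR":
            r["snmp_read_ok"] = False
            r["finding"] = r["finding"] or ("SNMP read from PacketFence to %s failed: check community "
                                            "and version, SNMP ACLs and reachability" % r["switch"])
        elif func == "pf::vlan::doWeActOnThisTrap":
            r["trap_acted_on"] = "not ethernetCsmacd" not in msg
            # The ifType check itself needs SNMP, so after a failed connectRead this is most
            # likely a consequence of that failure, not a separate fault (assumption).
            if not r["trap_acted_on"]:
                r["finding"] = r["finding"] or "trap for ifIndex %s ignored: port not seen as ethernetCsmacd" % r["ifindex"]
    return r
```

Calling diagnose_reassign(parse_pf_log(SAMPLE_LOG)) on the thread's lines reports the failed SNMP read as the first break, before the ignored trap.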