Hi Guys,

I recently moved my configuration from port-security to MAB on a Cisco 2960.
With port-security, SNMP and SNMP traps were involved in the whole
process of changing the VLAN. What I understand now is that for MAB only
RADIUS and RADIUS CoA are involved in the change of the VLAN.

However, what I'm seeing in packetfence.log is that for an unknown reason
PacketFence is trying to create an SNMP read connection, even though I
specifically said that the deauthentication method for the switch is RADIUS.

Here are the logs:


Aug 12 16:48:47 httpd.portal(820) INFO: re-evaluating access for node 00:23:ae:10:d3:e8 (manage_register called) (pf::enforcement::reevaluate_access)
Aug 12 16:48:47 httpd.portal(820) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:48:51 pfsetvlan(41) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:48:52 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 12 16:48:59 pfsetvlan(1) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host "10.11.62.15" (pf::Switch::connectRead)
Aug 12 16:48:59 pfsetvlan(1) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Aug 12 16:49:03 httpd.portal(3307) INFO: mac : 00:23:ae:10:d3:e8 (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Aug 12 16:49:03 httpd.portal(3307) INFO: MAC 00:23:ae:10:d3:e8 shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
Aug 12 16:49:03 httpd.portal(3307) INFO: re-evaluating access for node 00:23:ae:10:d3:e8 (redir.cgi called) (pf::enforcement::reevaluate_access)
Aug 12 16:49:03 httpd.portal(3307) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:49:07 pfsetvlan(42) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:49:08 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 12 16:49:16 pfsetvlan(3) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host "10.11.62.15" (pf::Switch::connectRead)
Aug 12 16:49:16 pfsetvlan(3) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)

I thought that maybe, during the changes made to the configuration from SNMP
to RADIUS, something was left in the cache of the system, so I tried
several pfcmd commands to clear the cache of the system to be sure that it is
not something like that. The version that I'm running is 4.3.0 with the
latest patches. So here are my questions:

1. Is PacketFence always going to create an SNMP connection even if the
entire procedure relies on RADIUS only?

2. If not, where can I look if I have something wrong?

3. Is there any possibility that something is in the cache?

4. I saw the code for the 2960 and there are a few lines that set the default
method of deauthentication to SNMP; could this be the problem? (I changed
it and it didn't work anyway.)


I hope somebody can help me figure out what is going on.

Best Regards from Colombia
Best Regards
-- 

*“Choose a job you love, and you will never have to work a day in your
life”*
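
One way to measure how often this pattern appears in a longer packetfence.log, as an added example that is not part of the original post or of PacketFence: it re-joins hard-wrapped entries and reports switches that have ports on a RADIUS connection type yet logged SNMP read errors. The function names, the constructed sample lines (including the 192.0.2.99 switch) and the treatment of "Wired MAC Auth" as the RADIUS-only connection type are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the packetfence.log layout from the post; the first
# entry is hard-wrapped the way a mail client wraps it, 192.0.2.99 is made up.
SAMPLE_LOG = """\
Aug 12 16:48:47 httpd.portal(820) INFO: switch port for 00:23:ae:10:d3:e8
is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth
(pf::enforcement::_vlan_reevaluation)
Aug 12 16:48:51 pfsetvlan(41) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:48:59 pfsetvlan(1) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host "10.11.62.15" (pf::Switch::connectRead)
Aug 12 16:49:20 pfsetvlan(2) ERROR: error creating SNMP v3 read connection to 192.0.2.99: No response from remote host "192.0.2.99" (pf::Switch::connectRead)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
CONN = re.compile(r"switch port for ([0-9a-f:]{17}) is ([\d.]+) ifIndex \d+ connection type: (.+?) \(pf::")
TRAP = re.compile(r"local \(127\.0\.0\.1\) trap for switch ([\d.]+)")
SNMP_ERR = re.compile(r"ERROR: error creating SNMP \S+ read connection to ([\d.]+):")

def unwrap(text):
    """Re-join continuation lines so each log entry is one string."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

# Assumption: "Wired MAC Auth" is the connection type expected to use RADIUS only.
def snmp_on_radius_ports(text, radius_types=("Wired MAC Auth",)):
    """Return switches that have both a RADIUS-type connection and an SNMP read error."""
    stats = defaultdict(lambda: {"macs": set(), "local_traps": 0, "snmp_errors": 0})
    for entry in unwrap(text):
        if m := CONN.search(entry):
            if m.group(3) in radius_types:
                stats[m.group(2)]["macs"].add(m.group(1))
        elif m := TRAP.search(entry):
            stats[m.group(1)]["local_traps"] += 1
        elif m := SNMP_ERR.search(entry):
            stats[m.group(1)]["snmp_errors"] += 1
    return {sw: s for sw, s in stats.items() if s["macs"] and s["snmp_errors"]}

if __name__ == "__main__":
    for sw, s in snmp_on_radius_ports(SAMPLE_LOG).items():
        print(sw, sorted(s["macs"]), s["local_traps"], s["snmp_errors"])
```

The local-trap count is reported next to the SNMP errors because, in the log above, each SNMP read attempt follows a local (127.0.0.1) trap for the same switch.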