Hi Juan,

Even though PacketFence will disconnect the device using RADIUS, it is still using SNMP to determine the type of the interface. That's why 'doWeActOnThisTrap' returns false.

You will still need to configure SNMP at least for read-only when using RADIUS authentication/disconnection.

Regards,

On 14-08-12 06:17 PM, Juan Camilo Valencia wrote:
Hi Guys,

I recently moved my configuration from port-security to MAB on a Cisco 2960. In the port-security setup, SNMP and SNMP traps were involved in the whole process of changing the VLAN; now, as I understand it, for MAB only RADIUS and RADIUS CoA are involved in changing the VLAN.

However, what I'm seeing in packetfence.log is that, for an unknown reason, PacketFence is trying to create an SNMP read connection, even though I specifically said that the deauthentication method for the switch is RADIUS.

Here are the logs,


Aug 12 16:48:47 httpd.portal(820) INFO: re-evaluating access for node 00:23:ae:10:d3:e8 (manage_register called) (pf::enforcement::reevaluate_access)
Aug 12 16:48:47 httpd.portal(820) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:48:51 pfsetvlan(41) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:48:52 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 12 16:48:59 pfsetvlan(1) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host "10.11.62.15" (pf::Switch::connectRead)
Aug 12 16:48:59 pfsetvlan(1) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:48:59 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Aug 12 16:49:03 httpd.portal(3307) INFO: mac : 00:23:ae:10:d3:e8 (captiveportal::PacketFence::Controller::CaptivePortal::validateMac)
Aug 12 16:49:03 httpd.portal(3307) INFO: MAC 00:23:ae:10:d3:e8 shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
Aug 12 16:49:03 httpd.portal(3307) INFO: re-evaluating access for node 00:23:ae:10:d3:e8 (redir.cgi called) (pf::enforcement::reevaluate_access)
Aug 12 16:49:03 httpd.portal(3307) INFO: switch port for 00:23:ae:10:d3:e8 is 10.11.62.15 ifIndex 10003 connection type: Wired MAC Auth (pf::enforcement::_vlan_reevaluation)
Aug 12 16:49:07 pfsetvlan(42) INFO: local (127.0.0.1) trap for switch 10.11.62.15 (main::parseTrap)
Aug 12 16:49:08 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Aug 12 16:49:16 pfsetvlan(3) ERROR: error creating SNMP v3 read connection to 10.11.62.15: No response from remote host "10.11.62.15" (pf::Switch::connectRead)
Aug 12 16:49:16 pfsetvlan(3) INFO: reAssignVlan trap received on 10.11.62.15 ifindex 10003 which is not ethernetCsmacd (pf::vlan::doWeActOnThisTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop reAssignVlan handling (main::handleTrap)
Aug 12 16:49:16 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)

I thought that maybe during the changes made to the configuration from SNMP to RADIUS something was left in the cache of the system, so I tried several pfcmd commands to clear the cache to be sure that it is not something like that. The version that I'm running is 4.3.0 with the latest patches. So here are my questions:

1. Is PacketFence always going to create an SNMP connection even if the entire procedure relies on RADIUS only?

2. If not, where can I look to see if I have something wrong?

3. Is there any possibility that it is something in the cache?

4. I saw the code for the 2960 and there are a few lines that set the default method of deauthentication to SNMP; could this be the problem? (I changed it and it didn't work anyway.)


I hope somebody can help me figure out what is going on.

Best Regards from Colombia
Best Regards
--

*"Choose a job you love, and you will never have to work a day in your life"*


------------------------------------------------------------------------------


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Julien Semaan
[email protected]  ::  +1.514.447.4918 *155  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
