I found it.
It was a stupid misconfiguration: for the uplink ports of the switch, instead of 1,
set 10101 (Cisco Catalyst 3750G).
Maybe you should put more user input validation on the switch settings,
as nothing indicated an error relating to the ports.
Thank you, it looks very nice from now on!
---------- Forwarded message ----------
From: Nicolas Gailly <[email protected]>
Date: 2015-04-13 13:01 GMT+02:00
Subject: VLAN enforcment : nothing after registration ...
To: [email protected]


Hello

I've been trying to install PacketFence in a lab to see its functionalities
(so no external authentication, only local for now).
I use a Catalyst 3750G switch connected to the network (& internet) on
port 1 (GigabitEthernet1/0/1), and PacketFence is connected on port 24
(configured as trunk).
The thing is, when a new user connects to the switch, it is automatically
redirected to the PacketFence registration page. That is good.
BUT once registered, there is absolutely no change of configuration
happening (the page says Sorry, your network should be enabled bla bla bla).
It stays on the same VLAN (registration).
It seems that PacketFence is unable to tell the switch to change the VLAN
of the connected port. But the SNMP configuration seems to work
since I can see the device on the management web interface & I received the
traps and everything (tcpdump told me).
One thing to note though is that the uplink network has no DHCP; addresses
must be set manually. Does that change anything?
I tried setting the IP configuration on the client after it had been
registered; it was still unable to ping, for example (and the VLAN
configuration stayed the same on the switch).

I dunno what is wrong ...

Thank you in advance

PS: I have checked every other mail that had the same problem. Only one
said it has been resolved but the solution doesn't work for me. Other
problems were in case of inline configuration (vs VLAN enforcement).

*Here is my pf.conf:*

[interface eth0]
ip=10.31.32.124
type=management
mask=255.255.224.0

[interface eth0.20]
enforcement=vlan
ip=10.0.2.1
type=internal
mask=255.255.255.0

[interface eth0.30]
enforcement=vlan
ip=10.0.3.1
type=internal
mask=255.255.255.0

*Here is my switches.conf:*

[10.31.32.122]
RoleMap=N
SNMPCommunityRead=readme
SNMPCommunityWrite=writeme
AccessListMap=N
description=Test Switch Lab
SNMPVersionTrap=2c
type=Cisco::Catalyst_3750G
VoIPEnabled=N
isolationVlan=30
SNMPVersion=2c
registrationVlan=20
mode=production
cliUser=test
deauthMethod=SNMP
cliPwd=test
cliTransport=SSH
cliEnablePwd=test
uplink_dynamic=0
uplink=1


*Here is my packetfence.log (portion):*

Apr 13 11:39:14 httpd.portal(13461) INFO: [00:24:e8:df:b5:84] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
Apr 13 11:39:14 httpd.portal(13461) INFO: [00:24:e8:df:b5:84] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
Apr 13 11:39:14 httpd.portal(13461) WARN: [00:24:e8:df:b5:84] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)


*Here is my running config* :
!
vlan internal allocation policy ascending
!
vlan 20
 name registration
!
vlan 30
 name isolation

...
interface GigabitEthernet1/0/15
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0200.0001.0115
!
interface GigabitEthernet1/0/16
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/17
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/18
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/19
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/20
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/21
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/22
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/23
 switchport access vlan 20
 switchport mode access
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.31.32.122 255.255.224.0
!
interface Vlan10
 no ip address
!
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.3.1 255.255.255.0
!
ip default-gateway 10.31.32.1
ip http server
ip http secure-server
!
!
snmp-server community readme RO
snmp-server community writeme RW
snmp-server community test RW
snmp-server location testlab
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
...
snmp-server enable traps port-security
...
...
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server enable traps errdisable
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.31.32.124 version 2c public  port-security
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
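
The input validation asked for in the reply could look like the following check, which flags any static `uplink` value in switches.conf that is not the ifIndex of an interface on the switch. This is an added example, not PacketFence code and not part of the original messages. It assumes that GigabitEthernet1/0/N has ifIndex 10100 + N (consistent with the 10101 fix and with `0200.0001.0115` on port 15 above) and that a non-zero `uplink_dynamic` means uplinks are not listed statically; the function names and the trimmed sample input are constructed for illustration.

```python
import configparser
import re

# Constructed sample input, trimmed from the configuration quoted in the thread.
SWITCHES_CONF = """\
[10.31.32.122]
type=Cisco::Catalyst_3750G
uplink_dynamic=0
uplink=1
"""
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/15
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def ifindex_for(name):
    """Assumption from this thread: GigabitEthernet1/0/N has ifIndex 10100 + N."""
    m = re.fullmatch(r"GigabitEthernet1/0/(\d+)", name)
    return 10100 + int(m.group(1)) if m else None

def known_ifindexes(running_config):
    """Return {ifIndex: interface name} for every interface we can map."""
    names = re.findall(r"^interface (\S+)", running_config, re.M)
    return {ifindex_for(n): n for n in names if ifindex_for(n) is not None}

def check_uplinks(switches_conf, running_config):
    """Return (switch, value) for each static uplink that is not a real ifIndex."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(switches_conf)
    known = known_ifindexes(running_config)
    findings = []
    for switch in cp.sections():
        if cp[switch].get("uplink_dynamic", "0") != "0":
            continue  # assumed: uplinks are not listed statically for this switch
        for value in cp[switch].get("uplink", "").split(","):
            value = value.strip()
            if not value.isdigit() or int(value) not in known:
                findings.append((switch, value))
    return findings

if __name__ == "__main__":
    for switch, value in check_uplinks(SWITCHES_CONF, RUNNING_CONFIG):
        print(f"{switch}: uplink={value!r} matches no interface ifIndex")
```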