Nicolas,
This is exactly what I thought when I saw your original email! I killed a
few days trying to decipher that - specifically, that the only way to
reference a port that PF seems to understand via SNMP is by its ifIndex.
Who is in charge of documentation? I don't think this point is reflected
clearly enough - and, IMO, it should be.
Cheers,
Boris.
On Mon, Apr 13, 2015 at 10:05 AM, Nicolas Gailly <[email protected]>
wrote:
> I found it.
> It was a stupid misconfiguration : uplink ports of the switch instead of
> 1, set 10101 (cisco catalyst 3750g) ..
> Maybe you should put more user validation input for the switches settings,
> as nothing indicated an error relating the ports.
> Thank you, it looks very nice from now .. !!
> ---------- Forwarded message ----------
> From: Nicolas Gailly <[email protected]>
> Date: 2015-04-13 13:01 GMT+02:00
> Subject: VLAN enforcment : nothing after registration ...
> To: [email protected]
>
>
> Hello
>
> I've been trying to install PacketFence in a lab to see its
> functionalities (so no external authentication, only local for now).
> I use a Catalyst3750G switch connected to the network ( & internet ) on
> port 1 (GigabitEthernet1/0/1), and PacketFence is connected on port 24
> (configured as trunk).
> The thing is, when a new user connects to the switch, it is automatically
> redirected to the PacketFence registration page. That is good.
> BUT once registered, there is absolutely no change of configuration
> happening (the page says Sorry, your network should be enabled bla bla bla).
> It stays on the same vlan (registration).
> It seems that packetfence is unable to tell the switch to change the vlan
> of the connected port. But the snmp configuration seems to work
> since I can see the device on the management web interface & I received
> the traps and everything (tcpdump told me).
> One thing to note though is that the uplink network has no dhcp, addresses
> must be set manually. Does that change anything ?
> I tried setting the ip configuration on the client after it has been
> registered, it was still unable to ping for example (and the vlan
> configuration stayed the same on the switch).
>
> I dunno what is wrong ...
>
> Thank you in advance
>
> Ps: I have checked every other mail that had the same problems. Only one
> said it has been resolved but the solution doesn't work for me. Other
> problems were in case of inline configuration (vs vlan enforcement).
>
> *Here is my pf.conf:*
>
> [interface eth0]
> ip=10.31.32.124
> type=management
> mask=255.255.224.0
>
> [interface eth0.20]
> enforcement=vlan
> ip=10.0.2.1
> type=internal
> mask=255.255.255.0
>
> [interface eth0.30]
> enforcement=vlan
> ip=10.0.3.1
> type=internal
> mask=255.255.255.0
>
> *Here is my switches.conf:*
> [10.31.32.122]
> RoleMap=N
> SNMPCommunityRead=readme
> SNMPCommunityWrite=writeme
> AccessListMap=N
> description=Test Switch Lab
> SNMPVersionTrap=2c
> type=Cisco::Catalyst_3750G
> VoIPEnabled=N
> isolationVlan=30
> SNMPVersion=2c
> registrationVlan=20
> mode=production
> cliUser=test
> deauthMethod=SNMP
> cliPwd=test
> cliTransport=SSH
> cliEnablePwd=test
> uplink_dynamic=0
> uplink=1
>
>
> *Here is my packetfence.log (portion):*
>
> Apr 13 11:39:14 httpd.portal(13461) INFO: [00:24:e8:df:b5:84] shouldn't
> reach here. Calling access re-evaluation. Make sure your network device
> configuration is correct.
> (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
> Apr 13 11:39:14 httpd.portal(13461) INFO: [00:24:e8:df:b5:84]
> re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
> Apr 13 11:39:14 httpd.portal(13461) WARN: [00:24:e8:df:b5:84] Can't
> re-evaluate access because no open locationlog entry was found
> (pf::enforcement::reevaluate_access)
>
>
> *Here is my running config* :
> !
> vlan internal allocation policy ascending
> !
> vlan 20
> name registration
> !
> vlan 30
> name isolation
>
> ...
> interface GigabitEthernet1/0/15
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> switchport port-security mac-address 0200.0001.0115
> !
> interface GigabitEthernet1/0/16
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/17
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/18
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/19
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/20
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/21
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/22
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/23
> switchport access vlan 20
> switchport mode access
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan access
> switchport port-security
> switchport port-security violation restrict
> !
> interface GigabitEthernet1/0/24
> switchport trunk encapsulation dot1q
> switchport mode trunk
> !
> interface GigabitEthernet1/0/25
> !
> interface GigabitEthernet1/0/26
> !
> interface GigabitEthernet1/0/27
> !
> interface GigabitEthernet1/0/28
> !
> interface Vlan1
> ip address 10.31.32.122 255.255.224.0
> !
> interface Vlan10
> no ip address
> !
> interface Vlan20
> ip address 10.0.2.1 255.255.255.0
> !
> interface Vlan30
> ip address 10.0.3.1 255.255.255.0
> !
> ip default-gateway 10.31.32.1
> ip http server
> ip http secure-server
> !
> !
> snmp-server community readme RO
> snmp-server community writeme RW
> snmp-server community test RW
> snmp-server location testlab
> snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
> ...
> snmp-server enable traps port-security
> ...
> ...
> snmp-server enable traps mac-notification change move threshold
> snmp-server enable traps vlan-membership
> snmp-server enable traps errdisable
> snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
> snmp-server host 10.31.32.124 version 2c public port-security
>
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
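The ifIndex point raised in this thread, as an added example that is not part of the original e-mails and is not PacketFence code: a pre-flight check that compares each `uplink` value in switches.conf against an IF-MIB::ifDescr walk of the switch and flags values that are not the ifIndex of a physical port. The walk output is a constructed sample, and treating `uplink` as a comma-separated ifIndex list is an assumption.

```python
import configparser
import re

# Constructed sample of `snmpwalk` IF-MIB::ifDescr output (not from the thread).
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: Vlan1
IF-MIB::ifDescr.10101 = STRING: GigabitEthernet1/0/1
IF-MIB::ifDescr.10115 = STRING: GigabitEthernet1/0/15
IF-MIB::ifDescr.10124 = STRING: GigabitEthernet1/0/24
"""

# Trimmed from the switches.conf posted in the thread (uplink=1 is the mistake).
POSTED_CONF = """\
[10.31.32.122]
type=Cisco::Catalyst_3750G
SNMPVersion=2c
uplink_dynamic=0
uplink=1
"""

def parse_ifdescr(walk):
    """Map ifIndex -> interface name from ifDescr walk text."""
    pat = re.compile(r"ifDescr\.(\d+) = STRING: (\S+)")
    return {int(i): name for i, name in pat.findall(walk)}

def check_uplinks(conf_text, walk_text):
    """Return (switch, value, resolves_to, suggested_ifindexes) per bad uplink."""
    ports = parse_ifdescr(walk_text)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings = []
    for switch in cfg.sections():
        # Assumption: uplink is a comma-separated list of ifIndex values.
        for value in cfg.get(switch, "uplink", fallback="").split(","):
            value = value.strip()
            if not value:
                continue
            name = ports.get(int(value)) if value.isdigit() else None
            if name and "Ethernet" in name:
                continue  # a real ifIndex of a physical port
            # Hint: physical ports whose name ends in the number the user typed.
            hint = [i for i, n in ports.items()
                    if "Ethernet" in n and n.endswith("/" + value)]
            findings.append((switch, value, name, hint))
    return findings

if __name__ == "__main__":
    for finding in check_uplinks(POSTED_CONF, SAMPLE_WALK):
        print("bad uplink: switch=%s value=%s resolves_to=%s try=%s" % finding)
```

With the constructed walk, `uplink=1` resolves to an existing non-port interface, which is why a plain "does this ifIndex exist" check would not have caught it.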