Well, it is interesting because I have set BPDU Guard in my test lab where I am testing PacketFence and have 802.1x and MAB going, and on a protected port I connect a cheap Dlink 10/100 switch and while it didn't appear active, when I connected a PC to the Dlink, it all seemed to work just fine, authenticated and everything. I should have mentioned that I do have autoregistration active, but I would think I can stop a rogue switch even with that on... I would appreciate taking a look at your port config as there might be something there I'm not aware of that I am missing, you never know. Thank you.
Robert Rhoads
[email protected]

-----Original Message-----
From: Sallee, Jake [mailto:[email protected]]
Sent: Thursday, July 02, 2015 9:47 AM
To: [email protected]
Subject: Re: [PacketFence-users] Rogue switches

BPDU guard will work with any end point, not just the ones that use STP. The way BPDU works is that it will shutdown (errdisable) a port that is in portfast mode when a BPDU packet is seen on that port. All switches generate BPDU packets, even the cheap 5 port unmanaged off brand types. Hubs may not generate BPDUs but switches do, all of 'em.

We make liberal use of BPDU Guard to stop students from using switches they bought at the local electronics stores and it works quite well. I can send you a copy of our port config if you like.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Rhoads, Robert W. [[email protected]]
Sent: Thursday, July 02, 2015 8:33 AM
To: [email protected]
Subject: [PacketFence-users] Rogue switches

PacketFence experts,

Is there a means or mechanism within PacketFence, when 802.1x/MAB is in use, that will prevent an access port under PF control from allowing another switch from working when connected to that port? I am aware I can use BPDU Guard on access ports to stop a switch by killing the port if it is talking Spanning-Tree, but I am more interested in stopping small, unmanaged switches that don't talk Spanning-Tree that people have a tendency to plug in without asking or getting permission. An earlier thread on this topic did not really shed that much light for me...

I appreciate any help and guidance.

Respectfully,
Robert Rhoads
[email protected]

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
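The port configuration Jake offers to share is not on the page. What follows is an added example written for this thread, not his config or anything from the PacketFence project: a Cisco IOS access port that combines 802.1X/MAB (the authentication commands PacketFence's Cisco integration relies on) with BPDU Guard and automatic errdisable recovery, plus the show commands used to confirm that the guard is armed and to see which ports it has taken down. The interface name, VLAN number, timers and the single-host mode are assumptions chosen for illustration; IOS keyword syntax (pre-IBNS 2.0 "authentication ..." commands) is assumed as well. Note what the example does and does not buy you: a port like this is disabled the moment a BPDU arrives on it, which is exactly what Jake describes, and it stays up when nothing on the far side ever sends one, which is consistent with Robert's observation about the D-Link. The host-mode line is the piece that limits how many MAC addresses may authenticate behind the port regardless of whether STP is ever seen.

```text
! ---- Global (example config, not from the thread) ----
! Every PortFast port goes errdisable as soon as a BPDU is received on it.
spanning-tree portfast bpduguard default
! Bring a bpduguard-errdisabled port back on its own after 300 s
! (assumed interval) so the offending switch can be pulled without a ticket.
errdisable recovery cause bpduguard
errdisable recovery interval 300

! ---- Per-port (interface name and VLAN are assumptions) ----
interface GigabitEthernet1/0/10
 description Student access port (example)
 switchport mode access
 ! VLAN 999 is an assumed pre-authentication / registration VLAN.
 switchport access vlan 999
 ! PortFast is required for BPDU Guard to apply; enable the guard per
 ! port too, so it survives someone removing the global default.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! 802.1X first, fall back to MAB for devices without a supplicant.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Assumption: one endpoint per port and no IP phone on it. With
 ! single-host only one authenticated MAC is allowed behind the port;
 ! use multi-domain instead where a phone sits between switch and PC.
 authentication host-mode single-host
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 ! Short 802.1X timeout (assumed value) so MAB fallback happens quickly.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2

! ---- Checks ----
! Expect "Portfast BPDU Guard Default  is enabled" in the summary.
show spanning-tree summary
! Lists ports currently errdisabled and the reason (e.g. bpduguard).
show interfaces status err-disabled
! Confirms that bpduguard is an auto-recovered cause and the interval.
show errdisable recovery
! Per-port view of what actually authenticated and how (dot1x vs mab).
show authentication sessions interface GigabitEthernet1/0/10
```

When reproducing Robert's test, the second show command is the one to watch: if the port never appears in the err-disabled list after the unmanaged switch is plugged in, no BPDU reached the port and the guard had nothing to act on, and whatever the PC behind that switch is doing is being decided by 802.1X/MAB and the host-mode setting, not by BPDU Guard.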
