There is no configuration about SNMP on the PF side!
Are you able to do a snmpwalk -v 2c -c public 192.168.137.154 .1?
Fabrice
On 2015-11-05 19:13, ismael flavio silva wrote:
Hi,
Yes. I think the configuration is correct. Will I have any problem in
the configuration GUI?
attached images
Configuration 2950 and configuration PF switch
Configuration
[192.168.137.254]
mode=production
cliUser=ismael
AccessListMap=N
description=cisco 2950
type=Cisco::Catalyst_2950
cliPwd=cisco
VoIPEnabled=N
uplink_dynamic=0
cliEnablePwd=cisco
uplink=23,24
radiusSecret=testing
Configuration Cisco 2950
Switch#show running-config
Building configuration...
Current configuration : 3261 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
aaa new-model
aaa group server radius packetfence
server 192.168.137.5 auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication dot1x default group packetfence
aaa authorization network default group packetfence
enable password cisco
!
username ismael password 0 cisco
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
!
!
!
!
interface FastEthernet0/1
switchport trunk allowed vlan 1-4,50,70,200
switchport mode trunk
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
switchport access vlan 4
switchport mode access
dot1x port-control auto
dot1x host-mode multi-host
dot1x reauthentication
spanning-tree portfast
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
switchport access vlan 4
switchport mode access
snmp trap mac-notification added
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 4
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.0020
snmp trap mac-notification added
no snmp trap link-status
spanning-tree portfast
!
interface FastEthernet0/21
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0200.0000.0021
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
ip address 192.168.137.254 255.255.255.0
no ip route-cache
!
interface Vlan2
no ip address
no ip route-cache
shutdown
!
interface Vlan3
no ip address
no ip route-cache
shutdown
!
interface Vlan4
no ip address
no ip route-cache
shutdown
!
interface Vlan50
no ip address
no ip route-cache
shutdown
!
interface Vlan70
no ip address
no ip route-cache
shutdown
!
interface Vlan200
no ip address
no ip route-cache
shutdown
!
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 1
snmp-server host 192.168.137.5 public port-security
radius-server host 192.168.137.5 auth-port 1812 acct-port 1813 timeout 2 key testing
radius-server retransmit 3
radius-server vsa send authentication
!
line con 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
mac-address-table notification interval 0
mac-address-table notification
mac-address-table aging-time 3600
!
end
Thanks
------------------------------------------------------------------------
To: [email protected]
From: [email protected]
Date: Thu, 5 Nov 2015 18:00:44 -0500
Subject: Re: [PacketFence-users] Doubt about radius
Hi Ismael,
Did you configure SNMP on the switch and in PacketFence's switch
config?
Regards
Fabrice
On 2015-11-05 15:02, ismael flavio silva wrote:
Hello
I have a doubt.
I'm setting up PF 5.4.0 with the RADIUS service (dlink 2000 AP +).
The manual says the process has to be done with port-security.
- It is necessary to add the AP as a floating device.
- PF 5.4.0 knows that it is the floating device and automatically
configures port-security.
But I have a problem: Cisco does not accept my devices due to the
violation. As PF configures this automatically, what can I do to solve the
problem?
PF LOG
Nov 05 18:49:59 pfsetvlan(2) WARN: couldn't get MAC at ifIndex 1.
This is a problem. (pf::Switch::_getMacAtIfIndex)
Nov 05 18:49:59 pfsetvlan(2) WARN: Tried to grab MAC address at
ifIndex 1 on switch 192.168.137.254 for 2 minutes and failed
(main::handleTrap)
Nov 05 18:49:59 pfsetvlan(2) INFO: cannot find MAC (maybe we found
a VoIP, but they don't count here). Do nothing (main::handleTrap)
Nov 05 18:49:59 pfsetvlan(2) INFO: finished (main::cleanupAfterThread)
Nov 05 18:50:09 pfsetvlan(1) INFO: nb of items in queue: 1; nb of
threads running: 0 (main::startTrapHandlers)
Nov 05 18:50:09 pfsetvlan(1) INFO: up trap received on
192.168.137.254 ifIndex 20 (main::handleTrap)
Nov 05 18:50:09 pfsetvlan(1) INFO: The logs shows that the last
device pluged was a floating network device. We may have missedthe
LinkDown trap. Disabling floating network device configuration on
the port. (main::handleTrap)
Nov 05 18:50:09 pfsetvlan(1) INFO: Disabling LinkDown traps on
port 20 (pf::floatingdevice::disablePortConfig)
Nov 05 18:50:09 pfsetvlan(1) INFO: Setting port 20 to MAC
detection Vlan. (pf::floatingdevice::disablePortConfig)
Nov 05 18:50:09 pfsetvlan(1) INFO: There is a floating device on
192.168.137.254 port 20 (pf::floatingdevice::portHasFloatingDevice)
Nov 05 18:50:09 pfsetvlan(1) ERROR: Use of uninitialized value
$mac in concatenation (.) or string at
/usr/local/pf/lib/pf/locationlog.pm line 502.
(pf::locationlog::locationlog_synchronize)
Nov 05 18:50:09 pfsetvlan(1) INFO: Not adding locationlog entry
for mac because it's plugged in a floating device enabled port
(pf::locationlog::locationlog_synchronize)
Nov 05 18:50:09 pfsetvlan(1) INFO: Should set 192.168.137.254
ifIndex 20 to VLAN 4 but it is already in this VLAN -> Do nothing
(pf::Switch::setVlan)
Nov 05 18:50:09 pfsetvlan(1) INFO: Enabling access control on port
20 (pf::floatingdevice::disablePortConfig)
Nov 05 18:50:10 pfsetvlan(1) WARN: couldn't get MAC at ifIndex 20.
This is a problem. (pf::Switch::_getMacAtIfIndex)
Nov 05 18:50:10 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)
Nov 05 18:50:15 pfsetvlan(4) INFO: nb of items in queue: 1; nb of
threads running: 0 (main::startTrapHandlers)
Nov 05 18:50:15 pfsetvlan(4) INFO: MAC 02:00:00:00:00:20 is a fake
MAC. Stop mac handling (main::handleTrap)
Nov 05 18:50:15 pfsetvlan(4) INFO: finished (main::cleanupAfterThread)
CISCO LOG
Switch#
00:05:29: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address c8f7.335f.975e on port
FastEthernet0/20.
Thanks
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
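Added example, not part of the thread and not PacketFence code: a cross-check of the PacketFence switch section against the switch's running-config for the SNMP settings the first reply asks about. The sample text is constructed from excerpts of the two configurations quoted in the thread; the key names in PF_SNMP_KEYS are assumed from PacketFence's switches.conf format and do not appear in the thread.

```python
import configparser
import re

# Constructed excerpts of the two configurations quoted in the thread.
PF_SECTION = """\
[192.168.137.254]
mode=production
type=Cisco::Catalyst_2950
uplink=23,24
radiusSecret=testing
"""
IOS_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps port-security
snmp-server host 192.168.137.5 public port-security
"""

# Assumed PacketFence switches.conf key names (not shown in the thread).
PF_SNMP_KEYS = ("SNMPVersion", "SNMPCommunityRead", "SNMPCommunityWrite",
                "SNMPVersionTrap", "SNMPCommunityTrap")

def ios_snmp(config):
    """Return ({'RO': community, 'RW': community}, [(trap_host, community)])."""
    comms = {m[1].upper(): m[0] for m in re.findall(
        r"^snmp-server community (\S+) (RO|RW)\b", config, re.M | re.I)}
    hosts = re.findall(r"^snmp-server host (\S+) (?:version \S+ )?(\S+)",
                       config, re.M)
    return comms, hosts

def check(pf_text, ios_text, switch_ip, pf_server_ip):
    """List mismatches between the PF switch section and the switch config."""
    pf = configparser.ConfigParser(interpolation=None)
    pf.optionxform = str  # keep key case exactly as written
    pf.read_string(pf_text)
    section = pf[switch_ip]
    comms, hosts = ios_snmp(ios_text)
    findings = [f"PF section lacks {k}" for k in PF_SNMP_KEYS if k not in section]
    for key, mode in (("SNMPCommunityRead", "RO"), ("SNMPCommunityWrite", "RW")):
        if key in section and section[key] != comms.get(mode):
            findings.append(f"{key} does not match the switch {mode} community")
    if not any(h == pf_server_ip for h, _ in hosts):
        findings.append("switch sends no traps to the PacketFence server")
    for mode, c in comms.items():
        if c in ("public", "private"):  # default strings, as on this switch
            findings.append(f"switch {mode} community is the well-known '{c}'")
    return findings
```

Call check(PF_SECTION, IOS_CONFIG, "192.168.137.254", "192.168.137.5") to get the list of findings for the configuration posted in the thread.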