Hello,
You have to set the deauth method to SNMP; you have set it to RADIUS:
deauthMethod=RADIUS
CoA is not supported on that switch model. PF will try to bounce the
port with an SNMP request (shut / no shut).
Thanks,
Ludovic Zammit
[email protected] <mailto:[email protected]> :: +1.514.447.4918 (x145) ::
www.inverse.ca <http://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu <http://www.sogo.nu/>)
and PacketFence (http://packetfence.org <http://packetfence.org/>)
> On Jul 7, 2017, at 3:40 AM, 沧海云帆 via PacketFence-users
> <[email protected]> wrote:
>
> Hello,
> I configured sg300 switches and pf, but I found it is not immediately possible
> to update the client status change of pf, for example:
> I never registered the status of computer A as registered, and computer A
> needs to wait half an hour before the status is changed to register. This half
> hour is the time when the switch is revalidated "dot1x timeout
> reauth-period 1800". How do you make pf's client status change effective
> immediately?
> I have connected the computer to the gi20 port.
> sg300 config as below:
>
> switch6efe59#sh run
> config-file-header
> switch6efe59
> v1.3.7.18 / R750_NIK_1_35_647_358
> CLI v1.0
> set system mode switch
>
> file SSD indicator encrypted
> @
> ssd-control-start
> ssd config
> ssd file passphrase control unrestricted
> no ssd file integrity control
> ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
> !
> vlan database
> vlan 3-4,11,14-16,50,60
> exit
> voice vlan oui-table add 0001e3 Siemens_AG_phone________
> voice vlan oui-table add 00036b Cisco_phone_____________
> voice vlan oui-table add 00096e Avaya___________________
> voice vlan oui-table add 000fe2 H3C_Aolynk______________
> voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
> voice vlan oui-table add 00d01e Pingtel_phone___________
> voice vlan oui-table add 00e075 Polycom/Veritel_phone___
> voice vlan oui-table add 00e0bb 3Com_phone______________
> dot1x system-auth-control
> hostname switch6efe59
> encrypted radius-server key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQaRjE9EKiEa+3
> encrypted radius-server host 192.168.1.30 key W5K9BRLcbxfj5NDlu3nHTlw0kOXjaL3ElMEFpkCXTsT1iuchvICQaRjE9EKiEa+3 priority 3
> aaa authentication login telnet local
> aaa authentication login Console local radius
> aaa authentication enable Console enable radius
> aaa authentication dot1x default radius none
> aaa accounting dot1x start-stop group radius
> aaa accounting login start-stop group radius
> line console
> login authentication Console
> enable authentication Console
> password da39a3ee5e6b4b0d3255bfef95601890afd80709 encrypted
> exit
> username admin password encrypted 79a12a55b5d56faaef1a5a9ebccdf82fb637ae30 privilege 15
> snmp-server engineID local 800000090300af1f6efe59
> snmp-server community useStrongerSecret rw 192.168.1.30 view Default
> snmp-server host 192.168.1.30 traps version 2c useStrongerSecret
> snmp-server host 192.168.1.30 version 3 auth private
> snmp-server group readgroup v3 auth notify Default read Default
> snmp-server group readgroup v3 priv notify Default read Default
> snmp-server group writegroup v3 auth notify Default read Default write Default
> snmp-server group writegroup v3 priv notify Default read Default write Default
> encrypted snmp-server user public readgroup v3 auth md5 RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk=
> encrypted snmp-server user private writegroup v3 auth md5 RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk= priv RTfVftohWzkj+bRMkALik3t+Q4iVSEEJ1VUolT4eOXk=
> clock timezone " " 8
> sntp unicast client enable
> sntp unicast client poll
> sntp server 192.168.2.242
> ip telnet server
> !
> interface vlan 1
> ip address 192.168.1.4 255.255.255.0
> !
> interface vlan 3
> name Guest
> dot1x guest-vlan
> !
> interface vlan 4
> name kaoqin
> !
> interface vlan 11
> name si
> !
> interface vlan 16
> name IT
> !
> interface vlan 50
> name Registration
> !
> interface vlan 60
> name Isolation
> !
> interface gigabitethernet1
> dot1x host-mode multi-sessions
> dot1x reauthentication
> dot1x timeout quiet-period 10
> dot1x timeout server-timeout 5
> dot1x timeout supp-timeout 3
> dot1x authentication 802.1x mac
> dot1x radius-attributes vlan
> dot1x port-control auto
> spanning-tree portfast
> switchport mode general
> switchport general allowed vlan add 14,50,60 untagged
> !
> interface gigabitethernet2
> dot1x host-mode multi-sessions
> dot1x reauthentication
> dot1x timeout quiet-period 10
> dot1x timeout server-timeout 5
> dot1x timeout supp-timeout 3
> dot1x authentication 802.1x mac
> dot1x radius-attributes vlan
> dot1x port-control auto
> spanning-tree portfast
> switchport mode general
> switchport general allowed vlan add 14,50,60 untagged
> !
> interface gigabitethernet3
> dot1x host-mode multi-sessions
> dot1x reauthentication
> dot1x timeout quiet-period 10
> dot1x timeout server-timeout 5
> dot1x timeout supp-timeout 3
> dot1x authentication 802.1x mac
> dot1x radius-attributes vlan
> dot1x port-control auto
> spanning-tree portfast
> switchport mode general
> switchport general allowed vlan add 14,50,60 untagged
> switchport general pvid 14
> !
> !
> interface gigabitethernet18
> dot1x host-mode multi-sessions
> dot1x reauthentication
> dot1x timeout quiet-period 10
> dot1x timeout reauth-period 300
> dot1x timeout server-timeout 5
> dot1x timeout supp-timeout 3
> dot1x authentication 802.1x mac
> dot1x radius-attributes vlan
> dot1x port-control auto
> spanning-tree portfast
> switchport mode access
> !
> interface gigabitethernet20
> dot1x host-mode multi-sessions
> dot1x reauthentication
> dot1x timeout quiet-period 10
> dot1x timeout reauth-period 1800
> dot1x timeout server-timeout 5
> dot1x timeout supp-timeout 3
> dot1x authentication 802.1x mac
> dot1x radius-attributes vlan
> dot1x port-control auto
> spanning-tree portfast
> switchport mode general
> switchport general allowed vlan add 3,60 tagged
> switchport general allowed vlan add 14-16,50 untagged
> !
> !
> interface gigabitethernet27
> switchport trunk allowed vlan add 3-4,11,14-16,50,60
> !
> interface gigabitethernet28
> switchport trunk allowed vlan add 3-4,11,14-16,50,60
> !
> exit
> ip default-gateway 192.168.1.1
> switch6efe59#
> and pf switches config:
> [192.168.1.4]
> description=sg300-2f
> isolationVlan=60
> registrationVlan=50
> SNMPVersionTrap=3
> SNMPUserNameTrap=private
> SNMPAuthProtocolWrite=MD5
> SNMPUserNameWrite=private
> SNMPUserNameRead=private
> SNMPAuthPasswordWrite=password
> SNMPAuthPasswordRead=password
> SNMPAuthProtocolTrap=MD5
> SNMPEngineID=800000090300af1f6efe59
> SNMPPrivProtocolWrite=DES
> SNMPPrivPasswordWrite=password
> SNMPAuthPasswordTrap=password
> SNMPPrivProtocolTrap=DES
> SNMPPrivPasswordTrap=password
> SNMPAuthProtocolRead=MD5
> guestVlan=3
> deauthMethod=RADIUS
> cliAccess=Y
> ExternalPortalEnforcement=Y
> q-si-labVlan=13
> q-engVlan=11
> q-siVlan=11
> q-swVlan=12
> q-finVlan=14
> Q-itVlan=16
> q-2fVlan=15
> radiusSecret=useStrongerSecret
> mode=production
> type=Cisco::SG300
> cliPwd=admin1212@
> cliUser=admin
> cliEnablePwd=admin1212@
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org!
> http://sdm.link/slashdot_______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
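
Added example, not part of the original thread and not PacketFence code: a Python check that flags a switches.conf entry whose deauthMethod relies on CoA for a switch type that lacks it, and reads the per-port reauth-period that decides how long a status change waits when deauthentication does not happen. The config excerpts are constructed from the thread; NO_COA_TYPES and the function names are hypothetical.

```python
import configparser
import re

# Per the reply: this switch type has no CoA, so deauth must go over SNMP.
NO_COA_TYPES = {"Cisco::SG300"}

# Constructed excerpts of the two configs quoted in the thread.
SWITCHES_CONF = """[192.168.1.4]
type=Cisco::SG300
deauthMethod=RADIUS
"""
RUNNING_CONFIG = """interface gigabitethernet18
 dot1x reauthentication
 dot1x timeout reauth-period 300
!
interface gigabitethernet20
 dot1x reauthentication
 dot1x timeout reauth-period 1800
!
interface gigabitethernet27
 switchport trunk allowed vlan add 3-4,11,14-16,50,60
!
"""

def deauth_findings(conf_text):
    """Return (switch, message) for sections whose deauthMethod needs CoA."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keys on the page are mixed case; keep them as written
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        sw_type = cp[name].get("type")
        method = cp[name].get("deauthMethod", "")
        if sw_type in NO_COA_TYPES and method.upper() != "SNMP":
            findings.append((name, f"{sw_type}: deauthMethod={method}, expected SNMP"))
    return findings

def reauth_delays(running_config):
    """Map each port with 802.1X reauthentication on to its reauth-period (s)."""
    enabled, periods, port = {}, {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (.+)", line):
            port = m.group(1)
        elif line == "dot1x reauthentication":
            enabled[port] = True
        elif m := re.match(r"dot1x timeout reauth-period (\d+)$", line):
            periods[port] = int(m.group(1))
    # None means no explicit period is configured (the switch default applies).
    return {p: periods.get(p) for p in enabled}
```

On the excerpt, gigabitethernet20 reports 1800 seconds, which matches the half-hour wait described in the question.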