Hello Fabrice,

I simplified the environment, I'm using only 1 interface!


enp0s3:          Management   - DHCP from Windows Server
enp0s3 VLAN 2:   Registration - DHCP enabled
enp0s3 VLAN 3:   Isolation    - DHCP enabled
enp0s3 VLAN 10:  Normal       - no DHCP

Managed switch IP address: 172.16.0.50
Interface 11: my physical machine, and the VirtualBox virtual machine where
PacketFence runs (bridged interface mode)
Interface 23: my Windows 8 test client (bridged interface mode)


The problem continues: in the logs it returns the correct VLAN, but it is not
assigned to the computer, which stubbornly keeps getting the 172.16.0.0/24
network (management network).


[root@packetfence ~]# tailf  /usr/local/pf/logs/packetfence.log
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] handling radius autz request: from switch_ip =>
(172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
(14:18:77:ea:f0:a2), mac => [84:7b:eb:e3:84:42], port => 13, username =>
"847BEBE38442" (pf::radius::authorize)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] is of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO:
[mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS
Access-Accept (pf::Switch::returnRadiusAccessAccept)



[root@packetfence ~]# tailf  /usr/local/pf/logs/radius.log
Jan  2 14:03:10 packetfence auth[31813]: Need 1 more connections to reach
min connections (3)
Jan  2 14:03:10 packetfence auth[31813]: rlm_rest (rest): Opening
additional connection (15), 1 of 62 pending slots used
Jan  2 14:03:10 packetfence auth[31813]: Need 7 more connections to reach
10 spares
Jan  2 14:03:10 packetfence auth[31813]: rlm_sql (sql): Opening additional
connection (18), 1 of 61 pending slots used
Jan  2 14:03:10 packetfence auth[31813]: [mac:84:7b:eb:e3:84:42] Accepted
user:  and returned VLAN 2
Jan  2 14:03:10 packetfence auth[31813]: (32) Login OK: [847BEBE38442]
(from client 172.16.0.50 port 13 cli 84:7b:eb:e3:84:42)




Network settings follow:

[root@packetfence ~]# ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
        RX packets 560936  bytes 711890423 (678.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 153523  bytes 23163746 (22.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3.2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.2  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 732 (732.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3.3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.2  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 732 (732.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

enp0s3.10: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe35:fcc4  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:35:fc:c4  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10  bytes 732 (732.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Loopback Local)
        RX packets 1162494  bytes 167041449 (159.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1162494  bytes 167041449 (159.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@packetfence ~]#



[root@packetfence ~]# cat /usr/local/pf/conf/networks.conf
[192.168.3.0]
dns=192.168.3.2
dhcp_start=192.168.3.10
gateway=192.168.3.2
domain-name=vlan-isolation.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.3.246
type=vlan-isolation
netmask=255.255.255.0
dhcp_default_lease_time=30

[192.168.2.0]
dns=192.168.2.2
dhcp_start=192.168.2.10
gateway=192.168.2.2
domain-name=vlan-registration.scrivener.com.br
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=192.168.2.246
type=vlan-registration
netmask=255.255.255.0
dhcp_default_lease_time=30
[root@packetfence ~]#



[root@packetfence ~]# cat /usr/local/pf/conf/switches.conf
[172.16.0.50]
mode=production
defaultVlan=10
deauthMethod=RADIUS
description=SWITCH DELL - 172.16.0.50
type=Dell::N1500
radiusSecret=useStrongerSecret
SNMPVersion=2c

#
# Copyright (C) 2005-2017 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[192.168.0.1]
description=Test Switch
type=Cisco::Catalyst_2900XL
mode=production
uplink=23,24

#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
[192.168.1.0/24]
description=Test Range Switch
type=Cisco::Catalyst_2900XL
mode=production
uplink=23,24
[root@packetfence ~]#


Switch configuration follows:

I followed the configuration in the manual; my switch model is a Dell N1548
(https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_dell).


console#show running-config

!Current Configuration:
!System Description "Dell Networking N1548, 6.2.6.6, Linux 3.6.5"
!System Software Version 6.2.6.6
!
configure
vlan 2-5,10,100
exit
vlan 2
name "Registration"
exit
vlan 3
name "Isolation"
exit
vlan 4
name "Mac detection"
exit
vlan 5
name "Guest"
exit
vlan 100
name "VoIP"
exit
stack
member 1 3    ! N1548
exit
interface vlan 1
ip address 172.16.0.50 255.255.255.0
exit
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
dot1x dynamic-vlan enable
voice vlan
aaa server radius dynamic-author
client 172.16.0.2 server-key "useStrongerSecret"
exit
radius-server host auth 172.16.0.2
name "PacketFence"
usage 802.1x
key "useStrongerSecret"
exit
!
interface Gi1/0/11
switchport mode trunk
switchport trunk allowed vlan 1-5,100
dot1x port-control force-authorized
exit
!
interface Gi1/0/13
switchport voice detect auto
switchport mode general
switchport access vlan 10
dot1x port-control mac-based
dot1x reauthentication
dot1x mac-auth-bypass
authentication order mab
authentication priority mab
lldp transmit-tlv sys-desc sys-cap
lldp transmit-mgmt
lldp notification
lldp med confignotification
voice vlan 100
exit
snmp-server engineid local 800002a203141877eaf0a0
snmp-server community "private" rw
snmp-server community "public" ro
exit

console#




I still do not understand where the error is. Any idea?


2017-12-29 11:15 GMT-03:00 Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net>:

> Hello André,
>
> First you need to check on the switch side if the MAC address of the
> device is in VLAN 300.
>
> Next, a registration VLAN is a VLAN managed by PacketFence, so you need to
> enable DHCP on VLANs 300 and 600.
> Another thing I can see is that the interface enp0s8.300 (VLAN 300) uses
> the network 172.17.0.0/24 and it should be 172.16.0.0/24?! (But enp0s8
> uses this network.)
>
> So in my opinion, you probably messed up the VLAN/interface config.
>
> If the enp0s8 interface is really on VLAN 300, then enp0s8.300 is useless
> and you probably have to use VLAN 301 as the registration network.
>
> Last thing, be sure that enp0s8 is plugged into a trunk port and be sure
> that you define all the VLANs in your switch configuration.
>
> Regards
> Fabrice
>
>
>
>
> On 2017-12-29 at 08:50, André Scrivener via PacketFence-users wrote:
>
> I'm configuring PF for VLAN enforcement, but I'm having a problem where
> the VLANs with their respective IPs are not being assigned. In the logs it
> returns the correct VLANs, but they are not applied to the station.
>
>
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
> [mac:64:1c:67:82:7d:f2] handling radius autz request: from switch_ip =>
> (172.16.0.50), connection_type => WIRED_MAC_AUTH,switch_mac =>
> (14:18:77:ea:f0:a2), mac => [64:1c:67:82:7d:f2], port => 41, username =>
> "641C67827DF2" (pf::radius::authorize)
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
> [mac:64:1c:67:82:7d:f2] Instantiate profile default
> (pf::Connection::ProfileFactory::_from_profile)
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
> [mac:64:1c:67:82:7d:f2] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Dec 29 11:36:54 packtfence packetfence_httpd.aaa: httpd.aaa(5185) INFO:
> [mac:64:1c:67:82:7d:f2] (172.16.0.50) Added VLAN 300 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
>
> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to reach
> min connections (3)
> Dec 29 11:36:54 packtfence auth[7662]: rlm_rest (rest): Opening
> additional connection (23), 1 of 62 pending slots used
> Dec 29 11:36:54 packtfence auth[7662]: Need 1 more connections to reach
> min connections (3)
> Dec 29 11:36:54 packtfence auth[7662]: rlm_sql (sql): Opening additional
> connection (25), 1 of 62 pending slots used
> Dec 29 11:36:54 packtfence auth[7662]: [mac:64:1c:67:82:7d:f2] Accepted
> user:  and returned VLAN 300
> Dec 29 11:36:54 packtfence auth[7662]: (44) Login OK: [641C67827DF2]
> (from client 172.16.0.50 port 41 cli 64:1c:67:82:7d:f2)
>
>
> In the logs it returns the correct VLAN, but it is not assigned to the
> computer, which stubbornly keeps getting the 172.16.0.0/24 network.
>
> I did not configure DHCP in PacketFence; when PacketFence returns a VLAN,
> the client is supposed to get DHCP from my infrastructure. (So I imagine.)
>
> Some of my settings follow; it's okay to expose this information since it's
> a lab.
>
>
> [root@packtfence ~]# ifconfig
> SCRIVENER-b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 169.254.0.2  netmask 255.255.255.252  broadcast 169.254.0.3
>         inet6 fe80::c8b5:5bff:febe:b1cc  prefixlen 64  scopeid 0x20<link>
>         ether ca:b5:5b:be:b1:cc  txqueuelen 1000  (Ethernet)
>         RX packets 8  bytes 648 (648.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 8  bytes 648 (648.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s3: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 08:00:27:a3:36:2a  txqueuelen 1000  (Ethernet)
>         RX packets 5668  bytes 8119227 (7.7 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1260  bytes 80253 (78.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 172.16.0.2  netmask 255.255.255.0  broadcast 172.16.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 20960  bytes 4119093 (3.9 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 12227  bytes 21064744 (20.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.300: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 172.17.0.2  netmask 255.255.255.0  broadcast 172.17.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 10  bytes 628 (628.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 14  bytes 900 (900.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.301: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 172.19.0.2  netmask 255.255.255.0  broadcast 172.19.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 10  bytes 628 (628.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 14  bytes 900 (900.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> enp0s8.600: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 172.18.0.2  netmask 255.255.255.0  broadcast 172.18.0.255
>         inet6 fe80::a00:27ff:fef4:37f8  prefixlen 64  scopeid 0x20<link>
>         ether 08:00:27:f4:37:f8  txqueuelen 1000  (Ethernet)
>         RX packets 10  bytes 628 (628.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 14  bytes 900 (900.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>         inet 127.0.0.1  netmask 255.0.0.0
>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>         loop  txqueuelen 1  (Loopback Local)
>         RX packets 1567747  bytes 224694729 (214.2 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1567747  bytes 224694729 (214.2 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>
>
>
>
> [root@packtfence ~]# cat /usr/local/pf/conf/networks.conf
> [172.17.0.0]
> dns=172.17.0.2
> dhcp_start=172.17.0.10
> gateway=172.17.0.2
> domain-name=vlan-registration.scrivener.com.br
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=disabled
> dhcp_end=172.17.0.246
> type=vlan-registration
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
> [172.18.0.0]
> dns=172.18.0.2
> dhcp_start=172.18.0.10
> gateway=172.18.0.2
> domain-name=vlan-isolation.scrivener.com.br
> nat_enabled=disabled
> named=enabled
> dhcp_max_lease_time=30
> fake_mac_enabled=disabled
> dhcpd=disabled
> dhcp_end=172.18.0.246
> type=vlan-isolation
> netmask=255.255.255.0
> dhcp_default_lease_time=30
>
>
>
>
>
> [root@packtfence ~]# cat /usr/local/pf/conf/switches.conf
> #
> # Copyright (C) 2005-2017 Inverse inc.
> #
> # See the enclosed file COPYING for license information (GPL).
> # If you did not receive this file, see
> # http://www.fsf.org/licensing/licenses/gpl.html
> [default]
> type=Dell::N1500
> registrationVlan=300
> isolationVlan=600
> uplink=5
> cliUser=[secret]
> cliPwd=[secret]
> cliEnablePwd=[secret]
> #
> # SNMP section
> #
> # PacketFence -> Switch
> SNMPVersion=2c
> #
> # RADIUS NAS Client config
> #
> # RADIUS shared secret with switch
> radiusSecret=teste123
> CORPORATIVOVlan=301
> uplink_dynamic=0
>
> [172.16.0.50]
> mode=production
> description=172.16.0.50
> ExternalPortalEnforcement=Y
> deauthMethod=Telnet
> cliAccess=Y
> defaultVlan=301
>
>
>
> Can anyone help? Please! It would be my Christmas and New Year's Eve present.
>
>
>
>
> Att,
> Andre Scrivener
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice Durand <fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>


-- 
Att
*André Scrivener <https://www.linkedin.com/in/andr3scrivener>*
Skype: andr3.scrivener
https://www.linkedin.com/in/andr3scrivener
Fone: (98) 98801-2020

This message, including its attachments, may contain privileged and/or
confidential information and may not be forwarded without the sender's
authorization. If you are not the addressee or a person authorized to
receive it, be advised that its use, disclosure, copying or archiving is
prohibited. Therefore, if you received this message by mistake, please let
me know by replying to this e-mail immediately and then delete it.
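A small consistency check, added here as an example and not part of this thread or of PacketFence itself: it pulls the VLAN ids that PacketFence logged in "Added VLAN N to the returned RADIUS Access-Accept" lines and checks, for each one, that the PacketFence host has a tagged sub-interface enp0s3.<vlan>, that the network on that interface is declared in networks.conf, and that dhcpd=enabled for registration and isolation networks (the point Fabrice raised). The log lines, interface table and trimmed networks.conf are constructed from the values posted above; the management interface name enp0s3 is an assumption.

```python
import configparser
import ipaddress
import re
# Constructed samples (not the poster's full files), shaped like the
# networks.conf, ifconfig output and packetfence.log lines in this thread.
NETWORKS_CONF = """
[192.168.2.0]
gateway=192.168.2.2
netmask=255.255.255.0
type=vlan-registration
dhcpd=enabled
[192.168.3.0]
gateway=192.168.3.2
netmask=255.255.255.0
type=vlan-isolation
dhcpd=disabled
"""
# Interface -> address as ifconfig reports it on the PacketFence host (enp0s3 assumed).
INTERFACES = {"enp0s3": "172.16.0.2/24", "enp0s3.2": "192.168.2.2/24",
              "enp0s3.3": "192.168.3.2/24", "enp0s3.10": "192.168.1.1/24"}
LOG = """\
Jan  2 14:03:10 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:84:7b:eb:e3:84:42] (172.16.0.50) Added VLAN 2 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan  2 14:05:44 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:00:11:22:33:44:55] (172.16.0.50) Added VLAN 3 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan  2 14:07:01 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:aa:bb:cc:dd:ee:ff] (172.16.0.50) Added VLAN 10 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan  2 14:08:30 packetfence packetfence_httpd.aaa: httpd.aaa(30935) INFO: [mac:de:ad:be:ef:00:01] (172.16.0.50) Added VLAN 5 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""
VLAN_RE = re.compile(r"\[mac:([0-9a-f:]{17})\] \(([\d.]+)\) Added VLAN (\d+) to the returned RADIUS")

def returned_vlans(log):
    """(mac, switch_ip, vlan) for every VLAN PacketFence placed in an Access-Accept."""
    return [(m[1], m[2], int(m[3])) for m in VLAN_RE.finditer(log)]

def load_networks(text):
    """networks.conf sections keyed by ip_network; the section name is the network address."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {ipaddress.ip_network(f"{s}/{cp[s]['netmask']}"): dict(cp[s]) for s in cp.sections()}

def vlan_status(vlan, interfaces=INTERFACES, nets=None, mgmt_if="enp0s3"):
    """Classify one VLAN id that RADIUS returned, from the PacketFence host's point of view."""
    nets = load_networks(NETWORKS_CONF) if nets is None else nets
    ifname = f"{mgmt_if}.{vlan}"   # PacketFence needs a tagged sub-interface on each VLAN it manages
    if ifname not in interfaces:
        return "no-interface"      # the host is not even present on that VLAN
    net = nets.get(ipaddress.ip_interface(interfaces[ifname]).network)
    if net is None:
        return "unmanaged"         # not in networks.conf: normal for a production VLAN with infra DHCP
    if net["type"] in ("vlan-registration", "vlan-isolation") and net.get("dhcpd") != "enabled":
        return "dhcp-disabled"     # PacketFence owns this VLAN but hands out no leases
    return "ok"

def audit(log=LOG):
    """Status per (mac, vlan) seen in the log; a healthy registration VLAN reads 'ok'."""
    return {(mac, vlan): vlan_status(vlan) for mac, _sw, vlan in returned_vlans(log)}
```

Run it against the real files with the logged VLAN ids and any result other than "ok" for the registration VLAN points at the PacketFence side; an "ok" there means the remaining suspect is the switch not applying the returned VLAN to the port.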