Re: [PacketFence-users] Node Status Unknown

2016-05-27 Thread Tim DeNike
Brocade doesn't send RADIUS accounting packets for MAC-based VLANs. TAC
says this feature is slated for the 8.0.50 release which should be out by
end of year. I'm not sure why you are seeing "unknown" though. Normally
what we see is that they always show "online" after a successful auth then
never show offline. We've got about 90 of 250 ICX 7250s installed and they
work perfectly with PacketFence otherwise. I made a couple light
modifications to the pf module to add support for RADIUS ACLs and
LLDP-controlled voice VLAN.


On May 27, 2016, at 9:52 PM, Guntharp, Jason W. wrote:

Hello,

I’m proposing PacketFence 6 for use at a local community college. In our
pilot, we are using Brocade switch gear and I have configured the NAC and
switch according to the admin document. We are using MAC authentication and
the VLAN steering is working well with SNMP as the DEAUTH method. We are
having an issue with the node status online/offline always displaying
“unknown” regardless of actual state. It will not update. I have configured
the Brocade gear to use PacketFence as both auth and acct radius.

Will this field update just using MAC authentication? If so, has anyone
else run into this or have any tips on getting the status to work right?
Interestingly, if I select “online nodes” it will display only the truly
online nodes. If I select “offline nodes” it will display all nodes,
including the ones it displayed online. Despite this, all records indicate
“unknown”.

Thanks,

Jason Guntharp
Network Administrator
Itawamba Community College
Office: (662) 862-8106
Email: jwgunth...@iccms.edu

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


[PacketFence-users] Node Status Unknown

2016-05-27 Thread Guntharp, Jason W.
Hello,

I'm proposing PacketFence 6 for use at a local community college. In our pilot, 
we are using Brocade switch gear and I have configured the NAC and switch 
according to the admin document. We are using MAC authentication and the VLAN 
steering is working well with SNMP as the DEAUTH method. We are having an issue 
with the node status online/offline always displaying "unknown" regardless of 
actual state. It will not update. I have configured the Brocade gear to use 
PacketFence as both auth and acct radius.

Will this field update just using MAC authentication? If so, has anyone else 
run into this or have any tips on getting the status to work right? 
Interestingly, if I select "online nodes" it will display only the truly online 
nodes. If I select "offline nodes" it will display all nodes, including the 
ones it displayed online. Despite this,  all records indicate "unknown".

Thanks,


Jason Guntharp
Network Administrator
Itawamba Community College
Office: (662) 862-8106
Email: jwgunth...@iccms.edu






[PacketFence-users] ANN: PacketFence 6.0.2

2016-05-27 Thread Louis Munro
The Inverse team is pleased to announce the immediate availability of 
PacketFence 6.0.2. 

This is a minor release containing important bug fixes. 
This release is considered ready for production use and upgrading from previous 
versions is strongly advised.

This is strictly a bug fix release.
It corrects the following issues.

Bug Fixes (bug Id is denoted with #id)

• Fixed pfdns to prevent pid file deletion when a child dies (#1444)
• PacketFence will now handle the case where a source in the session is 
not available anymore
• Fixed missing PID when using device registration (#1447)
• Fingerbank update will no longer sync all servers anymore
• VoIP detection flags default will now be undef in admin interface
• Suricata renamed to suricata_event in violations.conf.example
• The captive portal will now handle User Agent strings properly
• PacketFence will now delete the user (not device) session after 
activating sponsor
• Fixed incorrect MAC address formatting in the reporting section of 
the GUI
• Fixed "reuse dot1x credentials" in captive portal
• Fixed incorrect SNMP traps handling
• Fixed incorrect MAC address handling in radius accounting
• Added a check to database backup script for mariadb
• Fixed unregistration date handling when using email registration


If you are running 6.0.0 or 6.0.1 you can get that same bug fix by running the 
pf-maint.pl script without upgrading.

Best regards from Inverse,
--
Louis Munro
lmu...@inverse.ca  ::  www.inverse.ca 
+1.514.447.4918 x125  :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] PKfence help for validate architecture (VLAN trunk, no Vlan assignement, No NAT)

2016-05-27 Thread PROST pierrick
Hi Antoine,

OK, thanks. We will not use « out of band »; there will be too much overload of work
for us. Thanks for your help, I’ll try this architecture today.

Have a good day.

Pierrick

From: Antoine Amacher [mailto:aamac...@inverse.ca]
Sent: Thursday, May 26, 2016 17:44
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKfence help for validate architecture (VLAN
trunk, no Vlan assignement, No NAT)

Pierrick,

I had in mind that you wanted to use out-of-band not Inline.

So you should not take into account my comment about the second trunk.

Thank you
On 05/26/2016 10:51 AM, PROST pierrick wrote:
Fabrice and Antoine, thanks for your help, we appreciate it.
If I summarize your mails, it will be something like this:


```
    Wireless AP                            Packet Fence
+------------------+                     +-------------+                             +-------+
|                  |                     |             |  no routed network          |       |
|                  |                     |    <-+->    |  (dedicated subnet)         |       |
| multiple SSID    |                     |             |                             |       |
| one per VLAN     +-------Trunk-----+---+ eth1   eth0 +-----------fw-eth------------+  FW   +--- internet
|                  |                 |   |             |                             |       |
|                  |  VLAN mngt      |   |             |                             |       |
| each SSID is     |  VLAN employee  |   |    <-+-->   |  routed VLAN traffic        |       |
| OPEN without     |  VLAN guest     |   |             |                             |       |
| authentication   |  VLAN Eduroam   |   |             |                             |       |
|                  |                 |   +-------------+                             +-------+
|                  |                 |
|                  |                 +--> routing each
+------------------+                 |    VLAN with next_hop => FW eth
                                     |
                                     +--> PacketFence internal DHCP server
                                     |    One DHCP per VLAN
                                     |    with gateway => packetfence
                                     |
                                     +--> PacketFence Inline Level 2 for each VLAN
                                          with dedicated portal
```




Fabrice, you write that our APs need to be compliant with web auth and 802.1x,
but actually we use open SSID AND portal authentication on our POC (inline PF
with two interfaces and NAT); it should work like our POC with multiple portals
(one per VLAN), no? We will not be doing VLAN assignment.

Second (and easier) option: using NAT for each VLAN/SSID, not routing?


Regards

Pierrick Prost

CNRS Rhones Alpes

France



From: Fabrice Durand [mailto:fdur...@inverse.ca]
Sent: Thursday, May 26, 2016 15:52
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKfence help for validate architecture (VLAN
trunk, no Vlan assignement, No NAT)

Hello Pierrick,

Yes, it should be possible; in fact it will be an inline network per VLAN and you
will have to play with iproute2 on the PacketFence server.

Something like that:

vim /etc/iproute2/rt_tables

```
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
1   ISP2
```


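```
# default route for the table, via a next-hop gateway
ip route add 0.0.0.0/0 via 143.26.62.12 table ISP2
# or, via an outgoing interface (this variant fills numeric table 100,
# so the rule below would then have to look up that same table)
ip route add 0.0.0.0/0 dev eth1 table 100

# traffic arriving on eth0 is routed with the ISP2 table
ip rule add iif eth0 lookup ISP2
```

Also it looks like the AP is able to do web auth and 802.1x.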

Regards
Fabrice

On 2016-05-26 06:21, PROST pierrick wrote:
Hi everyone,

We finished our test of PacketFence... this NAC is just awesome, good job! (I
came from Aruba ClearPass…)

We need your help to validate a POC. Is it possible to implement the following
architecture on PacketFence? We have a lot of Linksys LAPAC 1750 which support
VLAN TRUNK and SSID/VLAN assignation… and they are not compatible with
openwrt.
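
The per-VLAN policy routing outlined in Fabrice Durand's reply in this thread (one routing table per inline VLAN, a default route in it, and an `ip rule` keyed on the incoming interface), as an added example that is not part of the original thread or of PacketFence; it only prints the commands rather than running them. The sub-interface names, table ids and names, and the 192.0.2.1 next hop are constructed assumptions; the reserved table ids are the ones listed in the rt_tables file quoted in that reply.

```shell
#!/bin/sh
# Added example: emit (not execute) per-VLAN policy-routing commands.
# All interface names, table ids/names and next hops are constructed samples.

# gen_policy_routes: reads "iface table_id table_name next_hop" lines on stdin
# and prints the rt_tables entry plus the ip commands for each VLAN interface.
# Returns 1 on a malformed line or a non-numeric, reserved or duplicate table id.
gen_policy_routes() {
    seen=" "
    while read -r iface id name hop; do
        # skip blank lines and comments
        case "$iface" in ''|\#*) continue ;; esac
        if [ -z "$hop" ]; then
            echo "malformed line for $iface" >&2; return 1
        fi
        case "$id" in
            ''|*[!0-9]*) echo "table id must be numeric: $id" >&2; return 1 ;;
            0|253|254|255) echo "table id $id is reserved" >&2; return 1 ;;
        esac
        # two VLANs sharing a table would silently share one default route
        case "$seen" in
            *" $id "*) echo "duplicate table id $id" >&2; return 1 ;;
        esac
        seen="$seen$id "
        echo "echo '$id $name' >> /etc/iproute2/rt_tables"
        echo "ip route add 0.0.0.0/0 via $hop table $name"
        echo "ip rule add iif $iface lookup $name"
    done
}

# Constructed sample: three VLAN sub-interfaces on the trunk, one firewall hop.
sample_vlans() {
    cat <<'EOF'
# iface   id  table          next_hop
eth1.10   10  vlan_employee  192.0.2.1
eth1.20   20  vlan_guest     192.0.2.1
eth1.30   30  vlan_eduroam   192.0.2.1
EOF
}

sample_vlans | gen_policy_routes
```

Review the printed commands before applying them; a VLAN interface with no matching rule falls through to the main table instead of being forced toward the firewall.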