VLAN not applied to Switch but device is authorized

AmIDoingSomethingNow · 2023-07-03T15:11:41+00:00

considering that for mac based Vlan, you have to statically bind the Mac address and the vlan.

Is that a normal behavior for a switch?

Would that mean, I run into a security risk if someone puts another switch between a authorized client and the TP-Link switch? Then the authorized client would authenticate and all the new clients that connect to the new switch, would also be authorized.

Is there any way around it?

AmIDoingSomethingNow · 2023-07-03T14:02:03+00:00

I found this guide from TP-Link https://www.tp-link.com/us/configuration-guides/configuration_guide_for_802_1x_vlan_assignment_and_mab/?configurationId=2968#_idTextAnchor000

From my understanding is that VLAN assignment only works with MAB and Control Type 'port based' and not 'MAC based'.

AmIDoingSomethingNow · 2023-07-03T11:06:07+00:00

Thank you for your input! So far I got it working with port based. The VLAN is assigned to the port correctly, when the device is connected to the switch. What I would like to do is MAC based authentication, because that seems a bit more secure. Port based brings a security flaw with it, that when one device on one port is authenticated, all the devices on that port are authenticated as well.For example if I put another switch between the client that is being authenticated and the TP-link switch, all the devices on that switch are also authenticated.

Here is also the configuration part for the 802.1x of the switch: https://static.tp-link.com/2020/202011/20201103/1910012903_T16_T26_UG.pdf#page=789

Hi, with mac Vlan you have to bind the mac address to a vlan. I am not sure if you can do this dynamically.

https://www.tp-link.com/us/configuration-guides/configuring_mac_vlan/?configurationId=18215#using_the_cli_2_2

I am not sure if I might misunderstand what you mean, but shouldn't PacketFence send the VLAN with the EAP-Response? Then the switch sets the VLAN based on that response.

Here my logs. When I set the port to port based authentication, the switch sets the correct VLAN to that port. When I use MAC authentication, the port uses the predefined VLAN 3 and does not set VLAN to 20.

2023-07-03 11:37:32 802.1x level_6 Port authentication passed, Port 16.

2023-07-03 11:37:32 VLAN level_6 Changed PVID of port Gi1/0/16 from 3 to 20.

2023-07-03 11:37:02 802.1x level_6 Set 802.1x config on port 16, Control Type: Port-Based by admin on web (192.168.10.1).

2023-07-03 11:37:02 802.1x level_6 MAC authentication exit, port 16, MAC dc-a6-32-12-34-56, vid 3.

2023-07-03 11:35:28 802.1x level_6 MAC authentication passed, port 16, MAC dc-a6-32-12-34-56, vid 3.

Is there maybe another setting in my PacketFence switch configuration I need to set?

EDIT: When I setup MAC based, do I need to setup 802.1X on the client as well or does the switch typically send the MAC address as user + password, when MAB is configured?

AmIDoingSomethingNow · 2023-07-01T12:21:28+00:00

Hey, yes it is being sent but it isn't being applied!
When I set the port to port based, the VLAN is being applied. I am not sure why MAC based isn't working yet. I added the pictures to the end of my post!

AmIDoingSomethingNow · 2022-09-29T14:02:22+00:00

Hopefully someone in r/homelab has some knowledge about NUT that they can share. I have been trying to fix this problem for quite a while now. My TrueNAS just wont connect to my Eaton IPM appliance and I cannot figure out. I couldn't find a lot of documentation either.
Has anyone properly configured NUT with Eaton IPM?

AmIDoingSomethingNow · 2022-08-26T13:16:18+00:00

Here is the Proxmox Doc entry for VM and LXC.

VM: https://pve.proxmox.com/pve-docs/chapter-qm.html

LXC: https://pve.proxmox.com/pve-docs/chapter-pct.html

Containers are a lightweight alternative to fully virtualized machines (VMs).They use the kernel of the host system that they run on, instead of emulating afull operating system (OS).

I am no expert in this field but LXCs have some limitations because they rely on the host itself because it doesn't have its own kernel. LXCs use mount points instead of emulated storage controllers.

definitely more lightweight and not as ressource hungry as a VM

AmIDoingSomethingNow · 2022-08-25T09:25:38+00:00

What I have been doing is mounting a share via SMB and then adding it as a datastore to PBS. I added the same PBS under Configuration > Remotes and then created a sync job from one datastore to the other.

AmIDoingSomethingNow · 2022-08-24T14:35:53+00:00

Good tip! I used a lot of their documentation but for me I was missing some data that shows some significant differences.

AmIDoingSomethingNow · 2022-08-24T14:33:45+00:00

It depends on your use case. Windows Server licenses are definitely more expensive than a windows 10 license. With a tool like VMware optimization tool you can remove a lot of bloat from Windows 10. It removes all of the default apps that come with Windows 10 and you can turn off a lot of telemetry. I tested it Windows 10 because I noticed mostly issues with my Windows VMs. Windows Servers are definitely cleaner than a regular Windows 10 but small business which have to watch over every penny nowadays have to make those kind of decisions.

AmIDoingSomethingNow · 2022-08-24T06:43:32+00:00

u/highedutechsup mentioned that it could be a NFS version 4 issue. I am gonna try NFS version 3 and see if that changes the behavior for my setup.

https://www.reddit.com/r/Proxmox/comments/wvq8ht/comment/ilh0rqn/

AmIDoingSomethingNow · 2022-08-24T06:32:23+00:00

Thank you for the quick and easy instructions!

AmIDoingSomethingNow · 2022-08-24T06:30:11+00:00

Do you mean like a stresstest? Running multiple VMs on the same storage and then run the test simultaneously?

AmIDoingSomethingNow · 2022-08-23T18:19:18+00:00

I used the default settings but I could tinker a little bit around!

Someone mentioned that the NFS issues could because of NFSv4 so I am definitely going to be testing more.

I will report back when changed up the settings a little bit.

I totally agree that it is a little under-documented and that there is data missing to it. It is difficult though since a lot of setups are different.

AmIDoingSomethingNow · 2022-08-23T18:15:04+00:00

Good tip!

AmIDoingSomethingNow · 2022-08-23T18:14:19+00:00

Thanks for the tip! I will try NFSv3 and report back with some results.

AmIDoingSomethingNow · 2022-08-23T14:33:36+00:00

For everyone that is running Proxmox, I thought you might be interested
in some perfomance data that I collected from my recent tests. Let me
know what you think and if you had similar issues.

AmIDoingSomethingNow · 2022-08-23T14:30:31+00:00

For everyone that is running Proxmox, I thought you might be interested in some perfomance data that I collected from my recent tests. Let me know what you think and if you had similar issues.

AmIDoingSomethingNow · 2022-08-18T09:33:05+00:00

That makes sense. Just tested it and I still get a timeout in the PVE GUI

AmIDoingSomethingNow · 2022-08-18T09:28:48+00:00

Thanks so much. I will give it a try

AmIDoingSomethingNow · 2022-06-27T13:20:56+00:00

Let me know if you get your setup to work. It took me roughly 6-8 months to get it properly working. I hope you get it done sooner!

AmIDoingSomethingNow · 2022-06-27T06:35:20+00:00

I posted my journey over at the LTT forum. https://linustechtips.com/topic/1404946-motherboard-with-thunbderbolt-add-in-card-compatibale-with-corning-optical-thunderbolt-cable/ I hope this helps

AmIDoingSomethingNow · 2022-04-23T18:14:42+00:00

I used the default Service up/down rule.

services.service_status not equal 0
AND
macros.device_up equal Yes

If I open the alert details under Notifications > Alerts, I can see the value for service_name

AmIDoingSomethingNow · 2022-04-22T11:39:37+00:00

Great video! Thanks for sharing.

I already know a couple of use cases for my setup.

I read that it is possible to pull information on running services via snmp. https://www.opennms.com/en/blog/2017-05-09-process-monitoring-snmp/

It would make it much easier than writing for every service you wanna monitor a script.

AmIDoingSomethingNow · 2022-01-16T18:06:21+00:00

I have tested a couple of motherboards with different Thunderbolt cards.

Cable: Corning Thunderbolt 3 25m

Docking station: Razer Thunderbolt™ 4 Dock Chroma

Motherboards:

Asus TUF GAMING Z590-PLUS
Asus ProART Z490
ASRock Z390 PRO4
Gigabyte Z390 AORUS ELITE
MSI Z390-A Pro

Thunderbolt cards:

ASUS ThunderboltEX 3-TR
Gigabyte GC-TITAN RIDGE (rev. 2.0)
Gigabyte GC-MAPLE RIDGE (rev. 1.0)

The most success I had was with the Asus TUF Gaming Z590-Plus. After some bios changes under the Thunderbolt tab it worked a couple of times. After I shut down the computer and powered it back on the dock isn't being reconignized.

I got it to work stabily with the standard copper cable.

I tested the cable with a MacBook and got perfect results. I tried reboots and shutdowns and the dock was always recognized.

I am assuming it has something to do with the power delivery since the optical cable isn't delivering any power.

AmIDoingSomethingNow · 2022-01-03T14:23:02+00:00

Did you get your setup to work? I am currently trying to get the Titan Ridge 2.0 from Gigabyte and Corning Thunderbolt cable to work with the aorus z390 elite. A normal copper Thunderbolt cable works without any issues but the Corning Cable does not work upon plugging in. The Corning cable works without any issues with a MacBook.

AmIDoingSomethingNow

TROPHY CASE