FreeNAC Technical Guide

There are three key documents available on http://FreeNAC.net/en/community: the User's, Technical and Installation Guides. FreeNAC administrators will need to read all three. Each is divided into several subpages; to see a guide on a single page, use its "Printer-friendly version" link.

The 'Technical Guide' aims to delve into the technical innards of FreeNAC.

See the table of contents below, each section is a single page.

This is a work in progress and is open for contributions (articles/comments/corrections) by the community!

Introduction

LAN Access Control Overview

The basic principle behind MAC-mode access control is quite simple.

Simple overview

 

What is VMPS?

“With VMPS (Dynamic Port VLAN Membership with VLAN Management Policy Server), you can assign switch ports to VLANs dynamically, based on the source Media Access Control (MAC) address of the device connected to the port. When you move a host from a port on one switch in the network to a port on another switch in the network, the switch assigns the new port to the proper VLAN for that host dynamically.

.. VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen to client requests. When the VMPS server receives a valid request from a client, it searches its database for a MAC address-to-VLAN mapping.

..If the VLAN is allowed on the port, the VLAN name is returned to the client. If the VLAN is not allowed on the port and VMPS is not in secure mode, the host receives an "access denied" response. If VMPS is in secure mode, the port is shut down.”

OpenVMPS is a GPL implementation of VMPS that is easier to use than Cisco's (see http://vmps.sourceforge.net). FreeNAC uses OpenVMPS with some small logging modifications, and uses its "external" interface to provide custom logic.

Note the original sources to OpenVMPS are provided in the 'contrib' directory of FreeNAC.

How does VMPS work in FreeNAC?

In the case of FreeNAC, vmps works as follows:

Simple Overview

Going into more detail, the sequence of events in VMPS-mode is as follows.

VMPS-mode sequence diagram

Architecture

This section presents the overall architecture and the Database layout.

Enterprise architecture: example

Introduction

The following is an example of integrating 'FreeNAC enterprise' into a live environment.

Enterprise Integration

NAC Modules

This section defines what modules are planned for this installation. Note that modules can always be enabled at a future date; there is no additional license fee.
Enterprise modules planned for this installation (example):
1. MAC Address authentication
2. Windows GUI
3. Web Interface
4. Active Directory querying of user details, to be able to associate users with end devices.
5. Automatic detection and inventory of end-devices not actively managed by NAC, to ensure a complete inventory of End-Devices on the network
6. Scanning of open ports and identification of the Operating System on End Devices
7. Emergency ‘stop’ tool which can disable NAC and quickly configure static Vlans on switch ports (for disaster recovery in extreme situations)

Enterprise modules not planned for this installation:
8. 802.1x User Authentication
9. McAfee Epo Anti-Virus server queries
10. Microsoft SMS (Software package/system management) server queries
11. Microsoft WSUS (Windows Update) server queries.

Custom Modules

Are any custom modules planned? NAC is designed to allow open interfaces; however, such interfaces need to be specified in detail and are subject to an additional development/installation charge.

Example: A “static inventory program” already exists at the customer called XXXX. A read-only interface is to be created from NAC to this system that allows:
- NAC to query device ownership and display it in the GUI
- The static inventory system to query device location, IP address and operating system by name or MAC address. An SQL view with the appropriate fields, accessible to a dedicated user/password, is to be created.

Concept

Describe the aim of the installation, e.g.
1. Recognise all end devices that connect to the network and request their identification based on their MAC address. The switch access port configuration will be set to dynamic, and the NAC system will:
o Listen to incoming request from switches
o Send email alerts if new end devices are detected
o Dynamically Assign a Virtual LAN (Vlan) to the access ports of the following switches, based on the MAC address of end devices: (list the switch names)
2. VLAN assignment will be based on a MAC Address. The assigned VLAN will be as follows (define key vlan names & assignments, example):
o Normal access VLAN for Corporate End-User PCs
o Guest VLAN for visitors. This VLAN will have limited network access. Or all ‘unknowns’ to be denied?
o Ad-hoc VLAN for specific devices (printers, …)
3. Is 802.1x authentication of Users required?
If so in what domain, for which switches and ports? What is the expected use-case?
i.e. 802.1x is expected to be used with Windows XP, with user logon to the domain, and vlan assignment based on the MAC address of the end device.
4. End-devices will be documented in the NAC database,
o Through initial import?
o Through dynamic discovery upon connection of new devices
o Regularly scan the switches & routers using SNMP to discover non-managed devices?
o Information to be automatically documented per device (example): MAC address, IP address, Hostname, Operating System, open ports, Anti-Virus status, Windows patch status.
o Information to be automatically documented per device (example): Assigned Username

Requirements

This section outlines the information, connectivity and hardware to be provided by the customer.
Network Information
Network data that is required for NAC:
1. Switches, including their IP Address, SNMP Read-only & Read-write communities
2. A list of switch ports to be configured to use NAC.
3. Core routers, including their IP Address, SNMP Read-only community
4. VLANs, including their ID and Name as reported by the switches "show vlan" command
5. A network diagram showing vlans, switches, routers.
6. DNS server names, IP addresses and the domain name.
7. The proposed IP configuration of the NAC servers: IP address, net mask, default gateway, DNS name.
8. Email server name/IP, for the delivery of email alerts.
9. What email address, per switch, are alerts to be sent to?
10. Which Active Directory user group (exact names please) are to be allowed GUI access:

• Read-only
• Super-user
• Administrator.

Optional network data that would be useful: Cabling documentation: which switch/port leads to which office/user/PC.

Server Hardware / OS
1. How many servers are to be installed, where?
2. PC server hardware is to be supplied by the customer, or by Swisscom?
3. What is the HW specification of the servers?
4. Operating system to be installed is Suse Version 10 (Enterprise, or OpenSuse), or something else?
5. Who installs the OS?
o Swisscom
o The customer? Swisscom does not install the operating system, but maintains the NAC system and associated Linux services (Apache, MySQL, ..) on these servers.

Network Connectivity
For the deployment of NAC, the following information is required:
1. Switches :
o Switches must be able to send VMPS requests and receive answers (port 1589 udp) to the NAC master and slave servers.
o Management interface must be accessible using SNMP (udp port 161) and optionally telnet (port 23 tcp) or SSH (port 22 tcp) for the Disaster Recovery scripts from the NAC master. Prefer SSH: telnet, like SNMP v1/v2c, sends the login credentials or community string in clear text.
2. Depending on the NAC modules requested by the customer (see 2.2), specific backend systems must allow access from NAC, for example:

o The McAfee ePO database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o The WSUS database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o The MS-SMS database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o Static Inventory modules, if requested, require a dedicated interface.
o MS Active Directory (needed for 802.1x and user details syncing from Active Directory) requires the domain name and domain controller names. For details syncing, a username, password with AD rights and one or more DN (Distinguished Names) to synchronise are needed.
o The Windows GUI must be able to connect to port 3306 (mysql) on the NAC master server.
o To access the Web GUI, access is required to port 80 and 443 on the NAC master server.

3. Routers: Management interface must be accessible using SNMP from the NAC master
4. General

o DNS servers: should answer DNS requests (udp port 53)
o Email servers must accept emails from the NAC server (port 25).

5. Remote Access for Swisscom (Gold) support:
o During installation, and for updates later, the NAC servers will need HTTP/FTP access to internet (direct or via a proxy).
o SSH, IPsec or SSL VPN access from Swisscom Innovations to the server(s) for maintenance and support

 

Initial Data import
During an ‘initialisation period’, NAC can be configured to automatically allow all devices to a default Vlan and automatically document the MAC address, IP address and DNS name of devices found (and the switch/port).

If the customer has an exact inventory of machines, this can be imported into NAC. The data provided to Swisscom to initiate the setup must include:
• MAC Address: format is 0010.C61F.8DBF or 00:10:C6:1F:8D:BF (case insensitive)
• Hostname
• VLAN : This can be any descriptor (Lab XXX, Company Name, Network acronym, …)

It may also, ideally, contain
• Username
• Operating system, incl. patch level
• Classification (e.g. Server, Workstation, Printer)
• A static Inventory number
• A comment

The format is comma-separated value (CSV) text file.

Hubs and unmanaged switches
If more LAN access cables are needed in specific rooms, two alternatives to hubs exist:
• Pull more cables between the room and the existing switch
• Add a small managed switch in the room: the Cisco 2940-8TT is recommended as it is a smaller, fanless (noiseless) version of the Cisco 2950 switch.

However, NAC also offers optional support for hubs and unmanaged switches.
Are hubs or unmanaged switches to be used? If yes, please indicate and be aware of the limitations noted below

1. If multiple systems belonging to VLANs with the same security level share the same hub, they will all be allowed access.
2. If the systems belong to VLANs with different security levels, access will be blocked for the most recent or least numerous group.

Typically, the hub will be placed in an internal VLAN if all connected systems belong to the customer, or in a guest VLAN if all connected computers are visitors. If there is a mix of customer and visitor devices, there will be no access at all.

Database Architecture V3.0

Database schema: version 3.0 (see diagram).

The schema has changed a little bit since v2.2. We have added fields to store ports and switches' status, and the last time that the switch/port was monitored. In the systems table, we now have an index to indicate the health of a connecting device. Some other fields have been added to express what user last used the device, the last name of that device, or even to send an email whenever that device get connected to the network.

See also the DB migration script in contrib/migration_2.2_to_3.0.

For those who are interested, we have made these diagrams with a nice tool, Case Studio, now named Toad Data Modeler. They have a free version too. Here's the link to the Case Studio file.

Database Architecture V2.2

Database schema: version 2.2 (see diagram). This schema is much improved compared with the one in version 2.1. It is now completely normalised, which helps a lot for the future GUI and extensions of the system.

For those who are interested, we have made these diagrams with a nice tool, Case Studio, now named Toad Data Modeler. They have a free version too. Here's the link to the Case Studio file.

Database architecture v2.1

For references purposes, the older v2.1 schema is as follows.

DB Schema v2.1

FreeNAC components

 

Server overview

Overview

VMPS components

vmpsd_external

This is an "external" program called by the original OpenVMPS daemon "vmpsd". This program decides what to do, in real time, when access is requested by a switch for a MAC address. Since it operates in 'real time', performance is important; so some jobs such as documenting what was last seen, where, or recognising PCs from external databases, is done in the vmps_lastseen script (which is asynchronous).

  • If the MAC is active in the DB authorise it, and,
  • Port check: If the MAC is active on a port where another system has been active within the last hour, try to use the Vlan last seen on the port, not the normal Vlan assigned to this system.
    This is to detect hubs and prevent 'flapping'. This feature is only allowed if the Vlan on the port and assigned to the MAC are in the same Vlan group (otherwise the new MAC is denied).
  • Otherwise, if the MAC is unknown
    • check to see if a 'port default vlan' has been configured for that port and use it
    • else use the default vlan (which might be simply '0' meaning DENY)
    • and do a 'port check' as noted above (check for an active port/hub and the VLAN group).
  • Log decisions to syslog, and key events to DB (visible in the GUI).
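The decision sequence above, together with the hub rules from the Requirements section, as an added example that is not FreeNAC's own vmpsd_external code: one pure Python function over in-memory stand-ins for the systems and ports tables. The table layout, the column names, the VLAN-group mapping and the one-hour port window are assumptions taken from the description, not from the FreeNAC schema, and the sample devices are constructed.

```python
# Added example (not FreeNAC code): the vmpsd_external decision as a pure
# function over in-memory tables. Table/column names, the vlan-group map
# and the one-hour port window are assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

DENY = "0"                        # the page: a default vlan of '0' means DENY
PORT_WINDOW = timedelta(hours=1)  # "another system active within the last hour"


def normalise_mac(mac: str) -> str:
    """Accept 0010.C61F.8DBF or 00:10:C6:1F:8D:BF in any case; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class System:                      # stand-in for one systems-table row
    vlan: str
    active: bool


@dataclass
class PortState:                   # stand-in for what the ports table remembers
    last_mac: Optional[str] = None
    last_vlan: Optional[str] = None
    last_seen: Optional[datetime] = None
    default_vlan: Optional[str] = None   # optional 'port default vlan'


class Policy:
    def __init__(self, systems: Dict[str, System], vlan_groups: Dict[str, str],
                 default_vlan: str = DENY):
        self.systems = {normalise_mac(m): s for m, s in systems.items()}
        self.vlan_groups = vlan_groups            # vlan name -> group name
        self.default_vlan = default_vlan
        self.ports: Dict[Tuple[str, str], PortState] = {}

    def same_group(self, a: str, b: str) -> bool:
        ga, gb = self.vlan_groups.get(a), self.vlan_groups.get(b)
        return ga is not None and ga == gb

    def port_check(self, port: PortState, mac: str, wanted: str, now: datetime) -> str:
        """Hub/flapping check: if a different MAC was active on this port within the
        window, keep the port's current vlan when it is in the same vlan group as
        the one wanted for this MAC; otherwise deny the newcomer."""
        if port.last_mac in (None, mac) or port.last_seen is None:
            return wanted
        if now - port.last_seen > PORT_WINDOW:
            return wanted
        if port.last_vlan == wanted or self.same_group(port.last_vlan, wanted):
            return port.last_vlan
        return DENY

    def decide(self, switch: str, portname: str, mac: str, now: datetime) -> str:
        """Return the vlan name to send back, or DENY."""
        mac = normalise_mac(mac)
        port = self.ports.setdefault((switch, portname), PortState())
        rec = self.systems.get(mac)
        if rec is not None and rec.active:
            wanted = rec.vlan                                   # known, active MAC
        else:
            wanted = port.default_vlan or self.default_vlan     # unknown or inactive MAC
        vlan = DENY if wanted == DENY else self.port_check(port, mac, wanted, now)
        if vlan != DENY:                                        # the port now carries this vlan
            port.last_mac, port.last_vlan, port.last_seen = mac, vlan, now
        print(f"{switch} {portname} {mac}: {'DENY' if vlan == DENY else vlan}")  # stands in for syslog
        return vlan


# Constructed sample data, not from any real installation.
SYSTEMS = {
    "0010.C61F.8DBF":    System("Internal", True),    # corporate PC
    "00:10:C6:00:00:02": System("Lab", True),         # lab PC, same vlan group as Internal
    "00:10:C6:00:00:03": System("Guest", True),       # visitor laptop
    "00:10:C6:00:00:04": System("Internal", False),   # registered but inactive
}
VLAN_GROUPS = {"Internal": "corp", "Lab": "corp", "Guest": "guest"}


def demo():
    p = Policy(SYSTEMS, VLAN_GROUPS)
    t0 = datetime(2008, 10, 31, 10, 0)
    hub = ("swdemo", "Fa0/1")                                   # several devices behind one hub
    p.ports[("swdemo", "Fa0/3")] = PortState(default_vlan="Guest")
    return [
        p.decide(*hub, "0010.C61F.8DBF", t0),                                  # Internal
        p.decide(*hub, "00:10:C6:00:00:02", t0 + timedelta(minutes=5)),        # Internal: same group, port vlan kept
        p.decide(*hub, "00:10:C6:00:00:03", t0 + timedelta(minutes=10)),       # DENY: guest on a corporate hub
        p.decide(*hub, "00:10:C6:00:00:04", t0 + timedelta(minutes=15)),       # DENY: inactive, no port default
        p.decide("swdemo", "Fa0/2", "00:10:C6:00:00:03", t0),                  # Guest: own port
        p.decide("swdemo", "Fa0/3", "00:00:00:00:00:99", t0),                  # Guest: unknown MAC, port default vlan
        p.decide(*hub, "00:10:C6:00:00:03", t0 + timedelta(hours=2)),          # Guest: hub idle for over an hour
    ]


if __name__ == "__main__":
    demo()
```

The second and third calls in demo() are the two hub cases from the Requirements section: a lab PC in the same VLAN group is carried on the hub's existing VLAN, a visitor laptop is denied because Guest and Internal are in different groups. Note that the deny path never updates the port record, so a denied MAC cannot flip the port's remembered VLAN for the next requester.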

postconnect (vmps_lastseen v2.x)

Parse the syslog logs for 'vmpsd' entries and implement the postconnect policy, for example:

  • Update the 'last seen' fields for the relevant Mac, if the system is known
  • Or add a new entry with status 'inactive', if none yet exists in the systems table
  • And add new switches to the switch table and new ports to the port table.
  • And if the MAC found is registered in a Microsoft-SMS system (enterprise feature only), it is automatically added to a pre-defined vlan, a 'port check' done, authorised and the port restarted.

Performance measurement

One way to test performance is to use vqpcli.pl to send many requests.

Set $count to 200 in ./vqpcli.pl.

Then adapt the IP addresses, VTP domain and port name in the following example:

./vqpcli.pl -s 192.168.245.40 -v ctcs -w 192.168.245.71 -i '2/22' -m '0000.0000.9999' -c sec230
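The VQP exchange behind this test (and behind the Cisco description in "What is VMPS?"), as an added example written for this page rather than taken from OpenVMPS or vqpcli.pl: it encodes a join request the way a switch sends it, decodes the server's reply the way a switch would, and can time a batch of requests against a live server. The header layout, opcodes, response codes and item type codes are written down from memory of the public dissectors (tcpdump's print-vqp.c and FreeRADIUS's vqp.c) and should be checked against a capture before being relied on; the addresses, port name, domain and MAC are the same placeholders as in the vqpcli.pl line above.

```python
# Added example (not OpenVMPS or vqpcli.pl code): a minimal VQP codec plus a
# request timer. Header layout and type codes are from memory of the public
# dissectors (tcpdump print-vqp.c, FreeRADIUS vqp.c): verify against a capture.
import ipaddress
import socket
import struct
import time

VQP_PORT = 1589
VQP_VERSION = 1
# opcodes
REQUEST_JOIN, RESPONSE_JOIN, REQUEST_RECONFIRM, RESPONSE_RECONFIRM = 1, 2, 3, 4
# response codes carried in the third header byte
ERR_NONE, ERR_WRONG_VERSION, ERR_INSUFFICIENT, ERR_DENY, ERR_SHUTDOWN, ERR_WRONG_DOMAIN = 0, 1, 2, 3, 4, 5
# data item types (32-bit, big-endian)
T_CLIENT_IP, T_PORT_NAME, T_VLAN_NAME, T_VTP_DOMAIN, T_MAC = 0x0C01, 0x0C02, 0x0C03, 0x0C04, 0x0C06

HEADER = struct.Struct("!BBBBI")   # version, opcode, response code, item count, transaction id
ITEM = struct.Struct("!IH")        # item type, item length (data follows)


def encode(opcode, items, transaction_id, response_code=ERR_NONE):
    """items: list of (type_code, bytes)."""
    body = b"".join(ITEM.pack(t, len(d)) + d for t, d in items)
    return HEADER.pack(VQP_VERSION, opcode, response_code, len(items), transaction_id) + body


def decode(pkt):
    """Return (opcode, response_code, transaction_id, [(type, bytes), ...]).
    Every length field is checked against the datagram, so a truncated or
    lying packet raises ValueError instead of being read past its end."""
    if len(pkt) < HEADER.size:
        raise ValueError("short VQP header")
    version, opcode, rc, count, tid = HEADER.unpack_from(pkt, 0)
    if version != VQP_VERSION:
        raise ValueError(f"unsupported VQP version {version}")
    off, items = HEADER.size, []
    for _ in range(count):
        if off + ITEM.size > len(pkt):
            raise ValueError("truncated item header")
        t, n = ITEM.unpack_from(pkt, off)
        off += ITEM.size
        if off + n > len(pkt):
            raise ValueError("item length exceeds datagram")
        items.append((t, pkt[off:off + n]))
        off += n
    return opcode, rc, tid, items


def is_well_formed(pkt):
    """What a server should ask before acting on a datagram from the network."""
    try:
        decode(pkt)
        return True
    except ValueError:
        return False


def join_request(tid, switch_ip, port_name, vtp_domain, mac, current_vlan="--NONE--"):
    """What a switch sends when a MAC appears on a dynamic port."""
    mac_bytes = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    return encode(REQUEST_JOIN, [
        (T_CLIENT_IP, ipaddress.IPv4Address(switch_ip).packed),
        (T_PORT_NAME, port_name.encode()),
        (T_VLAN_NAME, current_vlan.encode()),
        (T_VTP_DOMAIN, vtp_domain.encode()),
        (T_MAC, mac_bytes),
    ], tid)


def join_response(tid, vlan_name=None, response_code=ERR_NONE):
    """What the server sends back: a vlan name on success, only a code on deny/shutdown."""
    items = [(T_VLAN_NAME, vlan_name.encode())] if vlan_name else []
    return encode(RESPONSE_JOIN, items, tid, response_code)


def vlan_from_response(pkt, expected_tid):
    """Interpret a reply as the switch would: match the transaction id, then
    return the vlan name, or None when the server denied the request."""
    opcode, rc, tid, items = decode(pkt)
    if tid != expected_tid or opcode != RESPONSE_JOIN:
        raise ValueError("reply does not match the request")
    if rc != ERR_NONE:
        return None
    return next((d.decode() for t, d in items if t == T_VLAN_NAME), None)


def time_requests(server, count, switch_ip, port_name, vtp_domain, mac, timeout=2.0):
    """Send `count` join requests to a live server and return requests per second
    (network I/O: not exercised by the offline test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    for tid in range(1, count + 1):
        sock.sendto(join_request(tid, switch_ip, port_name, vtp_domain, mac), (server, VQP_PORT))
        reply, _ = sock.recvfrom(1500)
        vlan_from_response(reply, tid)
    return count / (time.monotonic() - start)


if __name__ == "__main__":
    print(time_requests("192.168.245.40", 200, "192.168.245.71", "2/22", "ctcs", "0000.0000.9999"))
```

Two things worth noticing in the codec. VQP carries no authentication or integrity protection: the only binding between a request and its reply is the transaction id and the UDP address pair, which is why the Requirements section confines UDP 1589 to traffic between the switches and the NAC master/slave servers; do not expose the port more widely, and treat requests arriving from addresses that are not known switches as an event worth logging. And because the server parses datagrams from the network, every length field in decode() is checked before it is used, so a short or malformed packet is rejected rather than read past its end.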

 

cron_restart_port.php

As of FreeNAC v3.0 we have modified the cron_restart_port.php to make it more functional.

In previous versions of FreeNAC, cron_restart_port was a wrapper around the restart_port script. This has changed in this version: although we still provide a restart_port.php script, we no longer spawn it as a separate process. Instead, the SNMP functions are called from inside the same script to achieve the same result, saving both time and resources.

In the event that you want to experiment with the restart_port.php script from the command line, you should run it as follows:

restart_port.php port switch

where port is the port name, and switch is the switch's name or ip address. This script only supports one switch port at the time. To act upon more than one switch port at the same time, you have the cron_restart_port.php script at your disposal.

What this script does is go through the list of ports in the FreeNAC database whose restart_now flag equals 1. The flag is set through the Windows GUI, from which you can choose not only to restart the port(s) but also to program them as static and assign a VLAN, program them as dynamic, or shut them down.

Every time this script is run, it creates a PID file, ensuring that only one instance of the script runs at a time.

To restart a port, you should tick the restart box in the Windows GUI

Restart port screenshot

In syslog you should get the following messages:

Oct 31 10:35:02 vmps1 cron_restart_port.php[3592]: Port Fa0/1 successfully restarted on switch 192.168.1.1(swdemo) 

 

To shutdown a port, you should tick the shutdown box in the Windows GUI

Shutdown port screenshot

In syslog you should get the following messages:

Oct 31 10:38:01 vmps1 cron_restart_port.php[3655]: Port Fa0/1 on switch 192.168.1.1(swdemo) was successfully shutdown 

 

To program a port as static, you should select 'static' from the drop down list and also the vlan you want to assign to this port. In this example, we are assigning the 'default' vlan.

Static port screenshot

In syslog you should get the following messages:

Oct 31 10:39:02 vmps1 cron_restart_port.php[3665]: Port Fa0/1 on switch 192.168.1.1 successfully set to static with vlan default 

 

To program the port as dynamic, you should select 'dynamic' from the drop down list.

Dynamic port screenshot

In syslog you should get the following messages:

Oct 31 10:41:01 vmps1 cron_restart_port.php[3725]: Port Fa0/1 on switch 192.168.1.1 successfully set to dynamic. 

Bugs and comments, please discuss them in the forums.

ping_switch.php

As of FreeNAC v3.0 we introduced the ping_switch.php script. The purpose of this script is to determine the status of the switch ports which are part of a FreeNAC system.

The status of a port is determined via SNMP, retrieving the ifAdminStatus object (OID 1.3.6.1.2.1.2.2.1.7) for each interface on the switch. The states defined for this object are as follows:

  1. up
  2. down
  3. testing

The testing state indicates that no operational packets can be passed.

Note that ifAdminStatus is the configured state of the port (enabled, or shut down as cron_restart_port.php does), not whether anything is plugged in. Link state is reported by ifOperStatus (OID 1.3.6.1.2.1.2.2.1.8), which uses the same three values plus unknown(4), dormant(5), notPresent(6) and lowerLayerDown(7) on switches implementing RFC 2863.

Since this script makes extensive use of SNMP, make sure you adjust your SNMP communities in the etc/config.inc file.

ping_switch.php takes the list of switches to query from the FreeNAC database whose scan flag is set to 1. Then it performs two SNMP queries per switch in order to know if a port is up. The first query retrieves the list of ports available on the switch, and the second one retrieves their current status. Then, such a status is stored in the database to be later seen through the Windows GUI.
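The two-query approach above, as an added example that is not ping_switch.php's own code: it joins the output of Net-SNMP's snmpwalk (numeric -On form) for ifDescr and ifAdminStatus into one port table and, because the admin status alone only says whether a port is enabled, reads ifOperStatus alongside it. The walk text embedded here is constructed to look like a small Catalyst switch; the function that runs snmpwalk for real is included but is not needed to run the parsing.

```python
# Added example (not FreeNAC code): join ifDescr and ifAdminStatus/ifOperStatus
# walks into one port table. The walk output below is constructed.
import re
import subprocess

IF_DESCR = "1.3.6.1.2.1.2.2.1.2"
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # configured state: up(1) down(2) testing(3)
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"    # link state: same values plus the RFC 2863 extras
STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown", 5: "dormant",
          6: "notPresent", 7: "lowerLayerDown"}

# one snmpwalk -On line: ".<table oid>.<ifIndex> = TYPE: value"
WALK_LINE = re.compile(r"^\.?(?P<oid>[\d.]+?)\.(?P<idx>\d+) = (?P<type>\w+): (?P<val>.*)$")


def snmpwalk(host, community, oid):
    """Run Net-SNMP's snmpwalk with numeric OIDs (needs net-snmp installed; not
    used by the offline test). v2c sends the community string in clear text."""
    cmd = ["snmpwalk", "-v2c", "-c", community, "-On", host, oid]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_walk(text):
    """Return {table_oid: {ifIndex: value}} from snmpwalk -On output."""
    out = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        val = m["val"]
        if m["type"] == "INTEGER":
            val = int(re.search(r"\d+", val).group())  # "up(1)" or plain "1"
        else:
            val = val.strip('"')
        out.setdefault(m["oid"], {})[int(m["idx"])] = val
    return out


def port_table(descr_walk, admin_walk, oper_walk):
    """One row per interface, keyed by ifIndex, with both status columns."""
    descr = parse_walk(descr_walk).get(IF_DESCR, {})
    admin = parse_walk(admin_walk).get(IF_ADMIN_STATUS, {})
    oper = parse_walk(oper_walk).get(IF_OPER_STATUS, {})
    return [{"ifIndex": idx, "port": name,
             "admin": STATUS.get(admin.get(idx), "unknown"),
             "oper": STATUS.get(oper.get(idx), "unknown")}
            for idx, name in sorted(descr.items())]


def shut_down(rows):
    """Ports an administrator (or cron_restart_port.php) has disabled."""
    return [r["port"] for r in rows if r["admin"] == "down"]


def enabled_but_idle(rows):
    """Enabled ports with no link: invisible if only ifAdminStatus is read."""
    return [r["port"] for r in rows if r["admin"] == "up" and r["oper"] == "down"]


# Constructed walk output for a four-interface switch (not a real capture).
DESCR_WALK = """\
.1.3.6.1.2.1.2.2.1.2.1 = STRING: FastEthernet0/1
.1.3.6.1.2.1.2.2.1.2.2 = STRING: FastEthernet0/2
.1.3.6.1.2.1.2.2.1.2.3 = STRING: FastEthernet0/3
.1.3.6.1.2.1.2.2.1.2.25 = STRING: Vlan1
"""
ADMIN_WALK = """\
.1.3.6.1.2.1.2.2.1.7.1 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.2 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.7.3 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.25 = INTEGER: up(1)
"""
OPER_WALK = """\
.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.2 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.3 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.25 = INTEGER: up(1)
"""

if __name__ == "__main__":
    for row in port_table(DESCR_WALK, ADMIN_WALK, OPER_WALK):
        print(row)
```

Against a real switch, replace the three constants with snmpwalk(host, community, IF_DESCR) and the two status OIDs; the join is by ifIndex, which is why ifDescr is walked rather than assuming port names follow a pattern. FastEthernet0/3 in the sample is the case the page's single query cannot distinguish: enabled, but with nothing connected.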

Also, the list of switches to query can be fed to ping_switch.php through the command line. To ping certain switches (assuming those switches exist in the FreeNAC database) do the following:

ping_switch.php switch1 switch2 ... 

Where switchN can be the switch's name (as defined in the FreeNAC database) or the switch's IP.

The optional switches for ping_switch.php are the following:

OPTIONS:
-h Display this help screen
-s Suppress messages to standard output and redirect them to syslog
-d Activate debugging

Timing measurements in tests showed that for small switches (8 ports) it takes about one second to retrieve the ports' status, and for large switches (48 ports) approximately 5 seconds.

This script can also be run from crontab. You should adapt the frequency to run this script taking into account how loaded your network is. The following crontab entry is an example, which runs this script every 10 minutes:

*/10 * * * *    /opt/nac/bin/ping_switch.php -s

Bugs and comments, please discuss them in the forums.

port_scan

Description:

This module is provided to give network administrators further knowledge about the systems on their network, by recording the changes that computers connected to the network have undergone.

How does it work?

It grabs some allowed IPs from the OpenNAC database (more precisely from the systems table), and passes them to nmap, which is going to perform a scan. The results of this scan are saved to an XML file which is then parsed and these results are used to populate some tables which form part of the OpenNAC inventory system. The module logs to syslog if there are discrepancies between the current scan and information stored in the database. If there are differences it logs what has changed and makes the necessary corrections to the database. The tables used by port_scan are:

  • nac_hostscanned
  • nac_openports
  • protocols
  • services
  • subnets

The tables protocols and services are lookup tables. They contain descriptions of protocols and services related to a certain port.
The table subnets contains definitions of subnetworks that port_scan is allowed to scan.
The table nac_hostscanned contains general information (IP address, hostname, OS) of scanned systems.
The table nac_openports contains information of the services present on each host which is in the nac_hostscanned table.

Dependencies:

OpenNAC
Nmap 4.11 or later

Modes of operation:

This script has 3 modes of operation:

  1. When it is called with no arguments, it grabs IPs from the systems table and compares them against the networks defined in the subnets table. The final decision on what to scan is made through the LastSeen time threshold. With this, you say to scan only the hosts that were seen on the network within the lapse of 1 day, 1 month, 30 minutes, whatever.
  2. When it is called with the "--scannow" parameter, it grabs IPs from the systems table, no matter if they are allowed or not, as long as in the systems table the flag "scannow" has the value "1". Then it checks these IPs against what you have specified in the subnets table.
  3. IPs from the command line. You can call the script with something like port_scan x1.y1.z1.w1 ... xn.yn.zn.wn. In this way, the script will get the IPs from the command line and only those IPs which fall within the criteria specified in the subnets table will be scanned.

This script also has the switch "--verbose" to activate debugging. Please note that debugging of this script will be redirected to syslog.

About the subnets table and its use with port_scan:

Only computers that fall within the networks listed in the subnets table are candidates to be scanned. As said before, this table defines the subnetworks port_scan is allowed to scan. This is because a network may have many subnets, some of them behind a firewall where they cannot be reached, and scanning those would waste time and resources. You therefore need one row in this table per subnet you want to take into account.
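The scan pipeline described under "How does it work?" and the subnets filter above, as an added example that is not the port_scan module's own code: it filters candidate IPs against the allowed subnets, parses nmap's -oX output into the host and open-port records the module stores, and emits the syslog-style discrepancy lines. The nmap XML embedded here is constructed (it is not a real scan result), the message wording is made up for the example, and the dictionary layout stands in for the nac_hostscanned and nac_openports tables.

```python
# Added example (not the port_scan module's code): parse nmap -oX output,
# keep only targets inside the allowed subnets, and report changes against
# the open ports recorded earlier. The XML below is constructed, not a scan.
import ipaddress
import subprocess
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -O -oX - 192.168.0.10 192.168.0.11" start="1225445702">
  <host>
    <status state="up"/>
    <address addr="192.168.0.10" addrtype="ipv4"/>
    <address addr="00:10:C6:1F:8D:BF" addrtype="mac"/>
    <hostnames><hostname name="pc10.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2" accuracy="96"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.0.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def allowed_targets(candidates, subnets):
    """Keep only the IPs that fall inside a subnet the subnets table permits."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [ip for ip in candidates
            if any(ipaddress.ip_address(ip) in net for net in nets)]


def run_nmap(targets):
    """Scan for real (needs nmap, and root for -sS/-O; not used by the offline test)."""
    cmd = ["nmap", "-sS", "-O", "-oX", "-", *targets]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_nmap_xml(text):
    """Return {ip: {"hostname", "os", "mac", "open": {(proto, port): service}}} for hosts that were up."""
    hosts = {}
    for h in ET.fromstring(text).findall("host"):
        if h.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        if "ipv4" not in addrs:
            continue
        name = h.find("hostnames/hostname")
        osmatch = h.find("os/osmatch")
        open_ports = {}
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            open_ports[(p.get("protocol"), int(p.get("portid")))] = svc.get("name") if svc is not None else ""
        hosts[addrs["ipv4"]] = {
            "hostname": name.get("name") if name is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "",
            "mac": addrs.get("mac", ""),
            "open": open_ports,
        }
    return hosts


def diff_open_ports(stored, scanned):
    """stored/scanned: {ip: set of (proto, port)}. Return one syslog-style line per
    changed port. Hosts absent from the scan (down or filtered) are not compared:
    a host that did not answer says nothing about its ports."""
    msgs = []
    for ip in sorted(scanned, key=ipaddress.ip_address):
        before, after = stored.get(ip, set()), scanned[ip]
        for proto, port in sorted(after - before):
            msgs.append(f"port_scan: {ip} new open port {port}/{proto}")
        for proto, port in sorted(before - after):
            msgs.append(f"port_scan: {ip} port {port}/{proto} no longer open")
    return msgs


if __name__ == "__main__":
    targets = allowed_targets(["192.168.0.10", "192.168.0.11", "10.1.2.3"], ["192.168.0.0/24"])
    scanned = parse_nmap_xml(SAMPLE_NMAP_XML)   # run_nmap(targets) for a live scan
    previously = {"192.168.0.10": {("tcp", 135), ("tcp", 445)}}
    for line in diff_open_ports(previously, {ip: set(h["open"]) for ip, h in scanned.items()}):
        print(line)
```

The subnet check is applied before the scan starts, as the page describes, so an entry in the systems table with an address outside the allowed networks is never handed to nmap. The XML is produced locally by nmap, but xml.etree is not hardened against hostile input; if scan output is ever ingested from another source, parse it with defusedxml instead.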

Files and directories required:

/opt/nac/bin/port_scan
/opt/nac/etc/port_scan.inc
/opt/nac/funcs.inc
/opt/nac/scan/

 

How to run it:

Important: You need to specify first in the subnets table the networks you want to scan.

  • To scan all devices that are in the systems table, just type:
    	 /opt/nac/bin/port_scan &
    	
  • To scan all devices in the systems table that have the flag scannow=1, do:
    	 /opt/nac/bin/port_scan --scannow
    	

    With the GUI you can set the flag for devices you want to scan now.

    If you prefer do it by hand, then

    	update systems set scannow=1 where ...;
    	
  • To scan a list of IP addresses, do
    	/opt/nac/bin/port_scan 192.168.0.1 192.168.0.2 192.168.0.3 ... 192.168.0.254
    	

 

Features related to this module

Since Dec. 22 2008 the EndDevice class contains a new method called "PostScan". What this method does is to set the scannow flag of the system requesting access if and only if this system has not been scanned in the last 7 days.

In a proper configured system, port_scan in scannow mode will run every five minutes. Thus, every five minutes a port_scan will be run and the information about open ports will be up-to-date. 

Note that this method was planned to be used by postconnect. For an example of how to use it, please have a look at policy 11

Bugs:

Please report them in our Development forum:
http://www.freenac.net/phpBB2/viewforum.php?f=2

 

 

purge_not_seens.php

This script deletes all references to systems not seen during a certain period of time in a FreeNAC system.

The period is defined by the config variable delete_not_seen, in months.

For each system not seen during the past delete_not_seen months, a cascade delete is performed, removing all references to that device from all tables in the FreeNAC database.

purge_unknowns.php

It may happen that unknown systems start filling up the database. To purge those unassigned systems, the script purge_unknowns.php was created. It deletes unknown systems older than a threshold in days given by the config variable unknown_purge, for example 10 days.

For each unknown system older than unknown_purge days, a cascade delete is performed, removing all references to it from the database.

This script can be run from crontab as follows:

0   1    * * 1   /opt/nac/bin/purge_unknowns.php

This will purge unknowns from the database every Monday at 1:00AM.

report_old_users.php

If a user has not been seen for a certain amount of time, it is desirable to disallow access for their systems until they report back to the sysadmin.

The script report_old_users.php reports users who have not been seen for a certain amount of time, defined by the config variables report_old_users_days_from and report_old_users_days_back, and for every user not seen during this time span it sets their systems to the 'kill' status, forcing the user to report back to the sysadmin when they return.

Both variables are given in days, and report_old_users_days_from must be less than report_old_users_days_back for the script to work.

 

snmp_set_port.php

As of FreeNAC 3.0 we introduced the snmp_set_port.php script. This script programs a switch port as either static or dynamic. Its usage is as follows:

snmp_set_port.php switch port [OPTIONS] 

Where switch is the switch's ip and port is the port name. This script supports the following options.

OPTIONS:
-d Set port to dynamic
-s vlan_name Set port to static and program vlan_name on that port
-h Display this help screen

If no option is provided, it programs the port as dynamic. To program a port as static, you need to provide the vlan_name you want to program on the switch port. Such vlan_name must exist on the switch in order to be successfully programmed. Once the port has been programmed, it gets restarted.

Since this script makes extensive use of SNMP, make sure you adjust your SNMP communities in the etc/config.inc file.

This script is designed to be run from the command line. So, in order to interact with the Windows GUI, we have provided a companion script called cron_program_port.php

cron_program_port.php gets the list of ports whose set_authprofile field equals 1, and then issues an snmp_set_port command for every port that matched the criterion. Since this latter script is designed to be run from crontab, you should adjust the running frequency according to your needs.

Bugs and comments, please discuss them in the forums.

 

AD/LDAP user interface

DESCRIPTION

The purpose of this module is to query Microsoft's Active Directory to obtain user information which is then stored in the users table. The module should also work for other LDAP implementations, although some modifications may be necessary (attribute names). Optionally additional information from the Microsoft Exchange AD schema extension can be fetched as well.

HOW DOES IT WORK

The module fetches the attributes sAMAccountName, sn (surname) and GivenName of all objects of type person underneath all Distinguished Names (dn) defined in $ad_base_user_dn as configured in config.inc. Then it checks for each account name if it exists already in the database. If it does, the entry is updated, including the LastSeenDirex field. Otherwise a new entry is inserted into the database.

If the additional MS Exchange attributes are queried, these are:

  • department
  • mail
  • physicalDeliveryOfficeName
  • telephoneNumber
  • mobile

CONFIGURATION

There are five options in the global configuration.

  • ad_server: The Domain controller where the AD is queried.
  • ad_user: This is the DN of a user with sufficient privileges to read the necessary information from AD. The possible values for this setting should be in the form 'cn=User,cn=users,dc=domain,dc=com';
  • ad_password: The password for ad_user
  • ad_base_user_dn: The DNs (do not confuse with Domain Name Server) of the places underneath which users are stored. The possible values for this setting should be in the form 'cn=users,dc=test,dc=com'
  • ad_port: The port to connect to.
    Two ports are relevant for LDAP: 389, the standard LDAP port, and 3268, the Global Catalog port. A Global Catalog is a read-only copy of selected attributes of all objects in the Active Directory forest. Querying the Global Catalog lets all domains be searched in a single query, without the query spanning servers over potentially slow links. It is recommended to use the Global Catalog, since it is only used for searches, whereas port 389 is used for read and write operations and may therefore be restricted. Two caveats: the Global Catalog only holds the attributes in the partial attribute set, so an attribute missing from its results (possibly some of the Exchange attributes above) has to be read from port 389 on a domain controller of the user's own domain; and a simple bind over plain LDAP sends ad_password in clear text, so use LDAP over TLS (ports 636 and 3269 for the two services) or restrict the path between the NAC master and the domain controller.

HOW TO USE IT

First, set up the AD related parameters in config.inc. IMPORTANT: once you have set the related parameters in config.inc, you need to import the config.inc file into the database. As of release V2.2 RC2, ad_user_sync takes all its variables from the config table, so the config.inc file has to be imported into the database.

Do the following from the /opt/nac/contrib directory:

./config2db ../etc/config.inc

If you need to redefine some of these settings, you can do so through the Windows GUI.

Then run the module script from the command line with the parameter 'test'. This checks whether your LDAP server can be reached and dumps the user information obtained to stdout. If you want to fetch the additional MS Exchange attributes, launch the module with the additional argument 'exchange'. Once your setup works, register the module in crontab.

crontab -e

add the next line

0 0 * * *    /opt/nac/bin/ldap

or

0 0 * * *    /opt/nac/bin/ldap exchange

This will run it every day at midnight.

DEPENDENCIES

OpenNac
PHP with LDAP support

FILES

bin/ad_user_sync
etc/config.inc
doc/README.ad_user_sync

Mysql Master-Master architecture

UPDATE: The FreeNAC documentation was re-written to use the master-master architecture on 11.Dec.2007. This is now the default way to install FreeNAC.

Introduction

If you install FreeNAC according to the standard instructions in the current Install Guide, then one master and optionally slave servers are installed. The database is stored on the master, which is replicated to (one or more) slaves.

We'll discuss some issues with this setup, and describe an alternative setup used (in production) by Scott LeFevre.

Please comment/improvements on this to help find an optimal solution going forward.

The current design

The Master replicates all SQL changes to the slaves, the slaves answer requests, reading from their local database, but do not do any SQL changes or inserts.

Disadvantages: All scans, housekeeping functions, and postconnect must run on the master, since they need to be able to make DB changes. Postconnect can only run on slaves, if the policy does not require DB changes.

Advantages: Slaves are very simple: a trivial mysql replication, one daemon (vmpsd_external), and very few cron entries. Slaves are easy to setup, and there can be many of them. If replication breaks its easy to setup again.

Slaves communicate with the master via syslog. Syslog is simple, standard and connectionless, and works well. However, it does not (easily) allow transfer of structured data, and it is not really a queuing mechanism: a message lost in transit (UDP syslog has no acknowledgement) is lost for postconnect too.

The key disadvantage going forward is that postconnect cannot run on slaves.

Multiple master

The idea is that each server can insert data locally, changes are replicated to other servers and the changes do not conflict.

The MySQL servers are configured for circular replication. Tables must use auto-increment keys, and auto_increment_increment / auto_increment_offset are set differently on each server so that rows inserted concurrently on two servers never get the same key.

The following is an example with two master servers, nac03 and nac04, used with FreeNAC v2.2 in production. Note especially the auto_increment_increment and auto_increment_offset values (an increment of 5 with offsets 1 and 2 leaves room for up to five masters). Two caveats on the files as shown: old_passwords=1 selects the weak pre-MySQL-4.1 password hash and should only be kept if legacy clients require it, and master-password is stored in clear text, so my.cnf must be readable only by the mysql user and root. The master-host/master-user/master-password options in my.cnf were removed in MySQL 5.5; on current servers the same values are given with CHANGE MASTER TO.

nac03 - my.cnf:

[mysqld] 
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
log-bin=mysql-bin
server-id = 1
master-host = nac04.MYDOMAIN.com
master-user = opennac-repl
master-password = yourpasswordhere
replicate-do-db = opennac
replicate-ignore-table = opennac.vmpsauth
log-warnings
expire_logs_days = 1
max_binlog_size = 52428800
report-host = nac03
relay-log = nac03-relay-bin
#
auto_increment_increment= 5
auto_increment_offset = 1
#
# Uncomment for cascading replication
#log-slave-updates
#replicate-same-server-id = 0

nac04 - my.cnf:

[mysqld] 
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
log-bin=mysql-bin
server-id=4
master-host = nac03.MYDOMAIN.com
master-user = opennac-repl
master-password = yourpasswordhere
replicate-do-db = opennac
replicate-ignore-table=opennac.vmpsauth
log-warnings
expire_logs_days= 1
max_binlog_size = 268435456
relay-log = nac04-relay-bin
#
auto_increment_increment= 5
auto_increment_offset = 2
#
# Uncomment for cascading replication
#log-slave-updates
#replicate-same-server-id = 0
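As an added example (not FreeNAC's own code), the following shell script checks two my.cnf files against the rules behind the two configurations above: distinct server-id, identical auto_increment_increment, distinct offsets that lie within the increment, and master-host pointing at different peers. The sample files are constructed here from the nac03/nac04 values shown; the function names are arbitrary.

```shell
#!/bin/sh
# Added example, not FreeNAC's own code: sanity-check a pair of my.cnf
# files for the circular master-master rules described on this page.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the value of option $2 from file $1 (accepts "k=v", "k = v", "k= v").
# Only the first match is used; the sample files have one [mysqld] section.
cnf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | head -n 1 | tr -d ' \t'
}

# Return 0 if files $1 and $2 form a consistent master-master pair; for
# every violated rule print a line and return 1.
check_mm_pair() {
  rc=0
  id_a=$(cnf_get "$1" server-id);   id_b=$(cnf_get "$2" server-id)
  inc_a=$(cnf_get "$1" auto_increment_increment)
  inc_b=$(cnf_get "$2" auto_increment_increment)
  off_a=$(cnf_get "$1" auto_increment_offset)
  off_b=$(cnf_get "$2" auto_increment_offset)
  mh_a=$(cnf_get "$1" master-host);  mh_b=$(cnf_get "$2" master-host)

  # Rule 1: every server in the ring needs its own server-id.
  if [ -z "$id_a" ] || [ -z "$id_b" ] || [ "$id_a" = "$id_b" ]; then
    echo "server-id must be set and differ (got '$id_a' and '$id_b')"; rc=1
  fi
  # Rule 2: the increment is the ring size; it must be the same everywhere.
  if [ -z "$inc_a" ] || [ "$inc_a" != "$inc_b" ]; then
    echo "auto_increment_increment must be identical (got '$inc_a' and '$inc_b')"; rc=1
  fi
  # Rule 3: offsets pick disjoint key sequences; they must differ and
  # stay in 1..increment, otherwise two masters can generate the same key.
  if [ -z "$off_a" ] || [ -z "$off_b" ] || [ "$off_a" = "$off_b" ]; then
    echo "auto_increment_offset must be set and differ (got '$off_a' and '$off_b')"; rc=1
  elif [ -n "$inc_a" ] && [ -n "$inc_b" ] && {
         [ "$off_a" -lt 1 ] || [ "$off_b" -lt 1 ] ||
         [ "$off_a" -gt "$inc_a" ] || [ "$off_b" -gt "$inc_b" ]; }; then
    echo "auto_increment_offset must lie between 1 and auto_increment_increment"; rc=1
  fi
  # Rule 4: each master replicates from a different peer.
  if [ -z "$mh_a" ] || [ -z "$mh_b" ] || [ "$mh_a" = "$mh_b" ]; then
    echo "master-host must be set on both and point at different peers (got '$mh_a' and '$mh_b')"; rc=1
  fi
  return $rc
}

# Write a reduced my.cnf ($1) with the settings that matter for the check;
# $2 = server-id, $3 = master-host, $4 = auto_increment_offset.
write_sample() {
  cat > "$1" <<EOF
[mysqld]
datadir=/var/lib/mysql
log-bin=mysql-bin
server-id = $2
master-host = $3
master-user = opennac-repl
replicate-do-db = opennac
replicate-ignore-table = opennac.vmpsauth
auto_increment_increment= 5
auto_increment_offset = $4
EOF
}

# Stand-alone run with the nac03/nac04 values from the page.
write_sample "$WORK/nac03.cnf" 1 nac04.MYDOMAIN.com 1
write_sample "$WORK/nac04.cnf" 4 nac03.MYDOMAIN.com 2
if check_mm_pair "$WORK/nac03.cnf" "$WORK/nac04.cnf"; then
  echo "nac03/nac04: consistent master-master pair"
fi
```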

Analysis

This is used in production with v2.2, since the autoincrement key structure in v2.2 seems fine. V3.0 has few key changes, so it should work fine too.

There is the question of what happens when there are 3 or 4 servers in circular replication, i.e. for large sites. We don't yet have a reference site with cascaded replication. How difficult would it be to fix replication if it breaks?

It is probably important that the Web/Windows GUI only point to one master, to concentrate those updates/deletes in one place. Otherwise, if the same field is changed on two masters from two GUIs, which one wins?

Perhaps we also need to look at MySQL cluster? What are the pros/cons? I've no experience, but on mysql.com I read "There are some cases where the MySQL Cluster is the perfect solution, but for the vast majority, replication is still the best choice."

It would be useful to have a production installation with FreeNAC V3 and 3 masters in circular replication ...

Further reading

http://dev.mysql.com/tech-resources/articles/advanced-mysql-replication....

http://www.onlamp.com/pub/a/onlamp/2006/04/20/advanced-mysql-replication...

http://www.mysql.com/news-and-events/newsletter/2003-05/a0000000127.html

http://forums.mysql.com/read.php?26,162270,162270

http://dev.mysql.com/doc/refman/5.1/en/mysql-cluster-replication-issues....

http://www.mysql.com/news-and-events/web-seminars/display-77.html

http://mysqlha.blogspot.com/2007/11/how-to-keep-mysql-replication-in-syn...

 

Redundancy and failover

[draft:some initial notes]

FreeNAC was designed with redundancy and load sharing in mind, for high service availability.

In VMPS mode, several FreeNAC servers can be defined on the switch; if one fails to answer, the switch queries the next FreeNAC server on the list. This does not affect end-devices.

In FreeNAC, there is a concept of a 'main' and a 'secondary' server, both of which have mysql databases that are synchronised in a multi-master architecture.

Services critical to end-device authentication run on both servers (vmpsd_external, postconnect), allowing seamless failover / redundancy from a service point of view.

Non-critical functions and housekeeping tools run only on the main server, and will not work if the main server fails.

See also 

  1. 'Emergency off' feature: Planning for disaster.
  2. Mysql Master-Master architecture

Prior to V3.0.1 (1.Dec.07):

vmpsd_external runs on replicas, and this does not update the DB, it just queries it, and can thus run even if the master dies.

On the main server we have syslog, vmps_lastseen, nmap/snmp scanning and the SQL queries from the Windows or Web GUI, etc. All of these die, of course, if the master dies, but that is less critical: end-devices will continue to be authenticated by the replicas.

It is important that no process on the replica/slave server tries to insert or change data. Any information it wishes to transmit to the master must be sent via syslog.

There is a script monitor_mysql_slave in /bin that should be run often from the slave's cron; it alerts you if replication is no longer working.

802.1x

Introduction

IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. It is used for certain closed wireless access points, and is based on the EAP, Extensible Authentication Protocol.

This section of the Technical Guide discusses several uses of 802.1x and the technology behind it. See also the chapter Installing 802.1X authentication in the Installation guide for more practical help on how to get up and running.

802.1x components

The “802.1x” standard allows authentication of devices in LAN or wireless networks, using cryptographic techniques to provide higher security. 802.1x can authenticate the user or the device.

FreeNAC includes 802.1x since V2.2.

802.1x and MAC address identification can be combined, by for example authenticating the user via Windows Domain Logon and using the end-device MAC address for Vlan assignment.

The following diagram shows the components involved in 802.1x authentication.

802.1x Components

The VMPS/MAC based components (vmpsd_external, postconnect) are documented in the VMPS section.

rad2vmps

A Perl script, 'rad2vmps', is called from FreeRadius; it accepts a MAC address and returns the Vlan to be assigned to the supplicant. This script queries the FreeNAC database of MAC addresses via the VMPS protocol.

802.1x problems

802.1x provides key advantages, such as added security, and there is a consensus that in the long term it is 'the way to go'; but keep in mind some limitations when choosing 802.1x over VMPS in the short term.

  • Newer switches are usually required (e.g. 2006 or later).
  • Vendor interoperability is a problem: each vendor implements its own additional Radius fields.
  • It is a complex protocol: it is slower (due to the amount of data exchanged, the number of handshakes and the encryption), and difficult to analyse and support (due to the complexity of the handshakes).
  • Supplicants (the 802.1x client) are delivered with some operating systems but not with others. In Windows, depending on patch level/Service Pack, it may work fine. Third-party supplicants are available, but usually are not free and require configuration, support and distribution.
  • Certificate (PKI) management: generating and checking signatures is normally easy enough, but how do you distribute, revoke and check for revoked certificates? How large are the CRLs, and how/where are they managed and downloaded?
  • Interaction with hubs, unmanaged switches and virtual machines in bridged mode can be problematic, as 802.1x usually expects only one end-device per port.
  • Cost: due to the above, and the cost of a commercial Radius server (if you don't use a free alternative such as FreeRadius/FreeNAC).

Generation of computer certificates with a Winbugs CA

If you want to deploy EAP-TLS in your network and require end-device certificates installed on your computers, this guide might be of help. In this guide we are going to generate computer certificates and configure the computer to perform EAP-TLS using this certificate. Important: we will not be validating users, only the device, which means that any user can use the computer as long as the certificate is valid.

To generate the certificates, we will use a web server running Windows Server 2003 with the service of certification authority (CA) installed.

Open your favorite web browser and type in http://your_server/certsrv/, where your_server is the DNS name or IP address of your web server.

Click "Request a certificate", then "advanced certificate request", then "Create and submit a certificate request to this CA".

In the Name field, type in the name of the computer for which you are requesting this certificate.

In Type of certificate needed, select "Client Authentication Certificate".

Create a new key set and as Key Usage select "both".

Select the Mark Keys as exportable check box. Doing this saves the public and private key to a PKCS #12 file. This is useful if you want to copy a certificate for use on another computer.

Select the Store certificate in the local computer certificate store check box. This last option is actually important because it will save the certificate in the computer store, instead of the user store, which allows for TLS authentication to work.

Then you just need to wait for your CA to issue the certificate for you. Once you have your certificate, install it. By default it should be stored in the computer store.

Now, to allow EAP-TLS to work using this certificate as a computer certificate for all users, you need to modify the registry of the computer where you installed the certificate on. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global and add a new DWORD-value called AuthMode with the value of 2. Note that for this you need to have Administrator privileges on the computer.

Now you need to restart either your computer or the Wireless Zero Configuration service and you are done. This will perform the magic needed to send the computer certificate to authenticate this computer regardless of what user is actually using it.

Generation of server certificates with OpenSSL and a Winbugs CA

Generation of certificates for FreeRadius (EAP-TLS) with a CA on a Winbugs box

When generating certificates to be used by FreeRadius with EAP-TLS, an extension has to be added to the certificate so that the client can validate it. This validation is performed by the client against a root CA certificate. If this extension is not present in your FreeRadius server certificate, the authentication process will fail, because the client will not be able to validate it and will stop communicating with your server. If your CA runs on a Winbugs box, then the following might be of help. We are going to generate a request using openssl and issue the certificate with Winbugs, with the needed extension embedded in the certificate file.

First of all, in the computer where you are going to generate the request, edit your openssl.cnf file and do the following modifications:

Find the v3_req stanza and change the following line:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

for this one

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

and add the following line at the end of this stanza

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This will generate a request containing all needed attributes/extensions to be validated by the clients.

Your v3_req stanza should look like the following:

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Bear in mind that you are modifying openssl's configuration file. That means that all future requests will have these attributes set. If you don't want all future requests to be server authentication requests, comment the last line of the v3_req stanza out again afterwards.

Now generate your request using openssl

openssl req -new -keyout server.key -out server.req

This generates two files: one containing your private key and another with the actual request. OpenSSL will ask you for a pass phrase. The passphrase you enter here is important: without it you won't be able to decode your private key.

Our CA is on a Win2k3 server. We need to send our request to the CA by using the Microsoft Certificate Services. Open your favorite browser, and type in http://your_server/certsrv/ and select "Request a certificate" and submit an "advanced certificate request" by using the base-64-encoded option.

Once the page is open, copy the contents of your server.req file and press submit. Then you just need to wait for your CA to issue the certificate for you.

If you need your certificate in PEM format and the certificate was exported as DER encoded there is a final step you have to perform.

openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded and you need the PEM extension, then just rename the file.

mv certificate.cer certificate.pem
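As an added example (not FreeNAC's or the original author's code), the following shell script builds a throw-away key and self-signed certificate from the v3_req stanza above and checks that the serverAuth extendedKeyUsage the client looks for is really present, alongside the DER-to-PEM conversion from the text. It assumes openssl is installed; the file names and the CN "radius.example.com" are made up for the example.

```shell
#!/bin/sh
# Added example, not FreeNAC's own code: generate a test certificate with
# and without the extendedKeyUsage line and verify which one carries the
# "TLS Web Server Authentication" (1.3.6.1.5.5.7.3.1) EKU that EAP-TLS
# supplicants require on the RADIUS server certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a minimal openssl.cnf; $1 is "with" or "without" the EKU line.
write_config() {
  {
    cat <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
x509_extensions    = v3_req
prompt             = no

[ req_dn ]
CN = radius.example.com

[ v3_req ]
# Extensions to add to a certificate request (stanza from the text)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
EOF
    if [ "$1" = with ]; then
      echo 'extendedKeyUsage = 1.3.6.1.5.5.7.3.1'
    fi
  } > "$WORK/openssl-$1.cnf"
}

# Build key + self-signed PEM certificate for config variant $1 and print
# the certificate path. (-nodes: no passphrase on the key, test use only.)
make_test_cert() {
  write_config "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl-$1.cnf" \
    -keyout "$WORK/server-$1.key" -out "$WORK/server-$1.pem" >/dev/null 2>&1
  echo "$WORK/server-$1.pem"
}

# Exit 0 only if the PEM certificate $1 carries the serverAuth EKU.
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# DER (.cer) to PEM conversion, as in the text: $1 = input, $2 = output.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Stand-alone run: show both outcomes.
for variant in with without; do
  cert=$(make_test_cert "$variant")
  if has_server_auth_eku "$cert"; then
    echo "$variant EKU line: serverAuth present, EAP-TLS clients can validate it"
  else
    echo "$variant EKU line: serverAuth missing, EAP-TLS clients will reject it"
  fi
done
```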

eap.conf

The eap.conf configuration file deals with the settings needed to perform cryptographic operations. The default eap.conf file that comes with your installation contains enough comments to help you configure your system properly; here we present some common options, what they mean and how to configure them.

The tls section

This section holds configuration settings that affect your RADIUS server, so be careful when editing these settings.

private_key_password

The password you used to encode your private key when generating your certificate request. Comment it out if no password was set.

private_key_file

Path to your private key file. It has to be in PEM format.

certificate_file

Path to your actual server certificate, also in PEM format.

If Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name.

CA_file

Trusted Root CA list. To use a certificate chain, you need to append in this file all certificates of the CAs that take part in your certificate chain, starting with the one that is at the top of the chain and finishing with the one that signed your certificate. This file has to be in PEM format.

check_crl

Set it to yes if you are going to use revocation lists, or comment it out if you won't.

CA_path

Path to the directory where the revocation list is. If you are not using CRLs, comment this out.
Copy the CRL and your trusted root CA list to this directory. Once you have done that, run c_rehash on this directory (c_rehash is an OpenSSL command). Remember that CRLs have an expiry date, so make sure to always refresh your CRLs, otherwise your server will deny all requests.

check_cert_issuer 

If check_cert_issuer is set, the value will be checked against the DN of the issuer in the client certificate. If the values do not match, the certificate verification will fail, rejecting the user.

check_cert_cn

If check_cert_cn is set, the value will be xlat'ed and checked against the CN in the client certificate. If the values do not match, the certificate verification will fail, rejecting the user.

This check is done only if the previous "check_cert_issuer" is not set, or if the check succeeds.

If you are using computer certificates, the username is sent like 'host//pc001' and the verification might fail because of the 'host//' part. In such a case, you might want to strip that part by doing:

check_cert_cn = %{Stripped-User-Name:-%{User-Name}} 

 

MAC-Auth-Bypass

MAC authentication bypass is an alternative to 802.1X that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC authentication bypass uses the MAC address of the connecting device to grant or deny network access.

MAC-Authentication bypass in FreeRadius, using FreeNAC as backend works as follows:

  • When a device connects to the switch, the connecting device normally sends an "Access-Request" packet to the switch, which is then forwarded to the Authentication Server, in our case FreeRadius. The Authentication server then asks the connecting device for more information in the form of Access-Challenges. This process continues until the Radius server has enough information (Radius attributes) to make a decision. After all required Access-Challenges have been exchanged with the connecting device, FreeRadius gives the switch an Access-Accept or an Access-Reject response, and the switch enforces that decision.
  • An 802.1x capable device selects the authentication type that will be used to perform authentication by means of a Radius attribute. By checking this Radius attribute, FreeRadius knows how to authenticate the username, for example by using Samba, MySQL, LDAP, etc.
  • When a non-802.1x-capable device connects to the switch, the switch detects that one of its links is up and waits for packets, which will then be forwarded to FreeRadius. If during a certain amount of time the switch has not received any packets, it starts authentication of the connecting device using its MAC address as the username. FreeRadius will then generate a VMPS request for FreeNAC, and FreeNAC will say whether the device is authorized and where to place it.

In FreeNAC, we use a module called rad2vmps which performs the translation of a RADIUS request into a VMPS request which is then sent to the VMPS server. rad2vmps is a modification to the original script vqpcli.pl part of the OpenVMPS distribution. Vqpcli.pl makes VMPS requests to a VMPS server and outputs the decision taken by the VMPS server.

In the authorize section of FreeRadius, rad2vmps retrieves the needed parameters from the RADIUS request to make a VMPS request, (e.g. Switch IP, MAC address, etc). When a request reaches FreeRadius and no authentication type has been specified, rad2vmps will output the required attributes to call for MAC-Authentication bypass.

In the Authentication section of FreeRadius, the authentication type corresponding to this request will be used. For example, if the authentication type in the request was specified as MSCHAP, MSCHAP authentication will be called. For MAC-Authentication bypass, it is here where we create our VMPS request and send it to the VMPS server.

After we know who the user is (authenticate section), we assign the device to the vlan where it belongs. For all authentication types but MAC-Authentication bypass, it is here where we create our VMPS request and send it to the VMPS server. If a MAC-Authentication bypass was done, the code in this section is ignored.

So, basically, the difference between a MAC-authentication bypass and the rest of the authentication types is where we send the VMPS request. For MAC-Authentication bypass, the request is sent in the Authenticate part, and for the rest in the Post-Auth section. This allows for authenticating the user before authenticating her device.

Authenticating both username and device is more secure than authenticating only the device, but in cases where this is not possible, MAC-Authentication bypass is used.

'Emergency off' feature: Planning for disaster

Introduction

If NAC is installed in your core network, it can affect the availability of critical workstations and servers. You may wish to have a way of deactivating NAC in case of severe network problems (e.g. during the night, outside of support hours). This does not mean that NAC is unreliable, but planning for disaster is important.

The system is equipped with scripts to disable dynamic VLAN allocation, allowing recovery in an emergency situation where the network administrator wishes to disable NAC device authentication and force network ports to use a static Vlan.

This feature (available in V3.0 and later) has been tested on Cisco CatOS and IOS switches (only Cisco switches work with VMPS anyway).

Two vmps-mode scripts are provided in the enterprise version: one disables dynamic ports by programming the last used vlan as a static vlan, and the second re-enables dynamic mode. These scripts can be run per switch, or for all switches.

deactivate_vmps

This is the main script to deactivate NAC on your switches and configure switch ports as static. It does so by getting a list of ports from the NAC database which were documented by snmp_scan.php as being 'dynamic'.

The vlan to be configured on the switch port is the last_vlan which was present on that port.

If successful, it writes a list of changes to a CSV file, saying which vlan has been configured on which port of a given switch. This file can be used later on to undo the changes made by 'deactivate_vmps'. The file is normally stored as 'vmps-yyyy-mm-dd-hh:mm:ss'; the timestamp is generated automatically when 'deactivate_vmps' is run.

To store changes in a different file, use the '-f' option along with the filename you want to use. deactivate_vmps creates a new file each time it is run, so if you specify a filename which already exists on your system, it will be overwritten.

'deactivate_vmps' uses the variable $snmp_rw extensively, which is defined in config.inc. If you want to use a different SNMP RW community, you can do so by providing the '-c' option along with the SNMP RW community.

When 'deactivate_vmps' is called with no parameters, it will configure all switch ports which are present in the FreeNAC database as static. To deactivate NAC on certain switches only, you need to provide either the IP address or the switch name of the switches you want to change.

For example, to deactivate NAC on switches switch_1 and 192.168.0.1:

deactivate_vmps switch_1 192.168.0.1

At the end of a run, 'deactivate_vmps' displays a short summary of how many ports and switches have been changed and where it has stored the changes file. The same information is written to standard output, syslog and the NAC GUI.

activate_vmps

This is the script to reactivate NAC on your switches and configure switch ports as dynamic. It does so by getting a list of ports from the NAC database which were documented by snmp_scan.php (usually run once per day) as 'dynamic'.

It is *highly* recommended that you use the file produced by 'deactivate_vmps' to restore your network to the state it was in before 'deactivate_vmps' was run. Since 'activate_vmps' otherwise uses data reported by snmp_scan.php, some of the data stored in the database may have been updated by snmp_scan.php in the meantime, and ports which were previously reported as 'dynamic' might now be reported as 'static'.

To specify a file to be used instead of the data contained in the NAC database, use the '-f' option along with the filename. This file must be a CSV generated by a previous run of 'deactivate_vmps'.

'activate_vmps' uses the variable $snmp_rw extensively, which is defined in config.inc. If you want to use a different SNMP RW community, you can do so by providing the '-c' option along with the SNMP RW community.

When 'activate_vmps' is called with no parameters, it will configure as dynamic all switch ports which are present in the FreeNAC database. To reactivate NAC on certain switches only, you need to provide either the IP address or the switch name of the switches you want to affect.

For example to activate NAC on switches switch_1 and 192.168.0.1:

activate_vmps switch_1 192.168.0.1

At the end of a run, 'activate_vmps' displays a short summary of how many ports and switches have been affected, and where it has read that data from. The same information is written to standard output, syslog and the NAC GUI.

Configuring Network Switches

Introduction

This document aims to explain how to configure Switches for use with FreeNAC, and how to troubleshoot. Focus is currently on Cisco.

This document is divided into several subpages, if you wish to see it all in one page, please click the "Printer-friendly version" link below.

VMPS parameters

Vlans

The Vlan names and numbers must be configured on the switches exactly as in the Vlan table in FreeNAC. NAC does not configure this on the switches for you.

So for example, if NAC is going to attribute the Vlans 'Printer' and 'Workstation', these two must be defined exactly with the same name and number on the Switches, and in FreeNAC.

FreeNAC also allows 'location based vlans' i.e. the vlans names do not have to be the same on all switches, refer to the FreeNAC Users Guide >> Windows GUI >> Configuration: Vlans.

syslog

It is recommended to configure the switches to send a copy of their logs to the NAC server, which helps in troubleshooting.

See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura...

vmps server

CATOS:

  set vmps server   192.168.245.40
  clear vmps server 192.168.245.18
  reconfirm vmps
  sho vmps

IOS:

conf t   
vmps server 192.168.245.40
no vmps server 192.168.245.18
end
vmps reconfirm
sho vmps

VMPS “retry” switch parameter

The following is an extract from "Troubleshooting Connectivity Between the VMPS Client and the VMPS server", http://www.cisco.com/warp/public/473/157.html#topic1-3

VMPS reconfirmation occurs when the VMPS client asks the VMPS if the dynamic port assignments are correct and if the correct MAC addresses have been assigned to the right ports. By default, this happens about every 60 minutes. Issue a show vmps command on the VMPS client to determine the VMPS reconfirmation time.
If the connectivity between the VMPS client and VMPS is intermittent (some data gets lost along the way) then you can try to increase the VMPS retry interval on the VMPS client, as a workaround. Issue the set vmps server retry command. By default, the VMPS client will try three times. In an environment with intermittent connectivity, when you increase the VMPS retry interval, you give the client more chances to connect to the VMPS before it gives up and VLAN membership fails.

Since Version 2.0, FreeNAC queries an SQL database in real time when authenticating end devices. There is also an optional "hub detection" feature, which tries to detect and ping all devices already on a hub. Thus authentication can take seconds.

This can lead to the switch getting impatient, sending several requests and logging MACNOTRECONFIRMED messages to syslog, especially when reconfirming all ports each hour. One solution is to increase the vmps retry count from the standard 3 to, say, 10.

When there is a loss of connectivity between a VMPS client and a VMPS, the VMPS reconfirmation might fail and produce the DVLAN-2-MACNOTRECONFIRMED error message. The port will lose its DVLAN assignment, as in this example:

  %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-0f] is not reconfirmed
  %DVLAN-1-DENYHOST:Host 00-00-11-11-11-0f denied on port 3/10

“Cam” timeouts on “silent” servers

After the end-device transmits and the switch receives a valid response from the VMPS server, the switch enables the interface in the correct VLAN. If the client sits idle for a while causing the bridge aging timer to expire for the entry, the Catalyst returns the port to an unassigned state.

Therefore

  • 'silent' servers (or printers, for example) would be disconnected from the network if they did not transmit packets at least every 5 minutes.
  • If the VMPS daemon died during the night, users would not be able to log in in the morning. (Of course this can be mitigated with redundancy mechanisms.)

The aging timer of the CAM (content addressable memory) table can be viewed on CatOS switches with:

sh cam agingtime (The default value is 300 seconds).

This timeout can be increased to several hours. This increases the risk of ARP flooding (we think), but this is hopefully a low risk on an internal network. It is recommended to set a value like 12 hours for dynamic/VMPS ports. This is important for switches that have servers/printers that may not send out any packets for several minutes or hours.

It is also recommended to use logcheck or a similar tool to watch for unusual switch syslog entries, especially floods.

CatOS:
The value is set in seconds and per VLAN, so it needs to be set for each VLAN; for example on VLAN 4:

  show cam agingtime VLAN_NR
  set cam agingtime VLAN_NR XXX   (secs, e.g. 24h=86400, 12h=43200)

IOS (in configuration mode):

  mac-address-table aging-time XXX   (secs)

Other notes

A graphical example

IOS example1

 

Example of migrating Switches to use a new VMPS server

Assume we had two previous VMPS servers, 192.168.245.18 and 192.168.245.19, and we now wish to change the switches to use a new server, 192.168.245.40. Then log on to the switches and do the following.

Monitoring: watch the syslog entries on the vmps server, the updating of the “last seen” times and “Server log” in the Windows GUI.

CATOS:
set vmps server 192.168.245.40
clear vmps server 192.168.245.19
clear vmps server 192.168.245.18
reconfirm vmps
sho vmps

IOS:
conf t
vmps server 192.168.245.40
no vmps server 192.168.245.18
no vmps server 192.168.245.19
end
vmps reconfirm
sho vmps

Cisco CatOS configuration examples

CatOS

Initially, switches must be configured to send a copy of their syslog messages, and given the addresses of the VMPS servers to which they can send requests for dynamic port assignment. See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura....

# Setting up syslog servers

  set logging server 192.168.245.40

# Set VMPS servers

  set vmps server 192.168.245.40
  set vmps server 192.168.245.19 primary
  set vmps server 192.168.245.18

# Remove a VMPS server & show status

  clear vmps server 192.168.245.19
  show vmps

# Make a port dynamic & ask the switch to re-authenticate all dynamic ports, i.e. use VMPS

  set port membership 2/36 dynamic
  reconfirm vmps

# To switch a port back to a static Vlan (if you had problems)

  set port membership 2/36 static

# To verify the port

  show port status 2/36

# To disable/enable a port (simulates the cable being removed)

  set port disable 2/36
  set port enable 2/36

# The switch tries to contact a server 3 times by default before giving up. This value can be programmed on the switch (to a maximum of 10):

  set vmps server retry 5

# The switch reconfirms every 60 minutes by default; set it to 120:

  set vmps server reconfirminterval 120

# Other useful commands:

  show mac-address-table address 00:04:dd:b6:5c:c2
  show cdp neighbors
  show cdp neighbors Gi4/5
  show cdp neighbors Gi4/5 detail

# Tag a name to a port (to document usage)

  set port name 2/32 webcam

# Look at the MAC table:

  show arp

ARP Aging time = 1200 sec
+ - Permanent Arp Entries
* - Static Arp Entries
192.168.1.19 at 00-03-ba-17-fa-bf port 2/49 on vlan 2
192.168.1.18 at 00-03-ba-18-06-4b port 2/49 on vlan 2


show port status 2/32

Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/32                    inactive   dyn-       normal   auto  auto 10/100BaseTX

show cam dynamic 2/43

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN Dest MAC/Route Des  [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------  ----- -------------------------------------------
3    00-04-76-15-48-30         2/43 [ALL]
Total Matching CAM Entries Displayed =1

show cam 00-04-76-15-48-30

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN Dest MAC/Route Des  [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------  ----- -------------------------------------------
3    00-04-76-15-48-30         2/43 [ALL]
570  00-04-76-15-48-30         2/49 [ALL]
Total Matching CAM Entries Displayed =2

Problems with “clear vmps server” on old CatOS

The command for removing a vmps server, “clear vmps server”, seems to be missing from older CatOS versions. There is no known workaround except either upgrading CatOS, or avoiding deleting the server IP address!

The offending switches had the following version:
> (enable) show version
WS-C2948 Software, Version NmpSW: 6.3(1)
Copyright (c) 1995-2001 by Cisco Systems, Inc.
NMP S/W compiled on Jul 24 2001, 12:55:29
GSP S/W compiled on Jul 24 2001, 10:36:29
System Bootstrap Version: 4.4(1)
Hardware Version: 2.1 Model: WS-C2948

Cisco IOS SNMP v3 setup

Please note that this guide no longer applies to FreeNAC 3: in FreeNAC 3 the switches are programmed using PHP's SNMP libraries instead of the Linux command-line utilities. This guide applies to prior versions of FreeNAC used with SuSE Linux.

SNMP v3 setup

(contribution from 'immi')
To use authentication and encryption with SNMP, and also to restrict by access-list who can access my device.
For SNMP write I enabled only a limited part of the SNMP tree (.1.3.6.1.2); read is open.

1. Cisco Switch part in config mode:

snmp-server group secure v3 priv
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server user snmpusr secure v3 auth md5 cisco123 priv des56 cisco123

access-list 1 permit host x.x.x.x
access-list 1 deny any log

# then you can check
VMPSclient#sho run | incl snmp
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server location /CZ/PRG/ROOM249
snmp-server contact CallMe ext.: xxxx
VMPSclient

VMPSclient#sho snmp group
groupname: secure security model:v3 priv
readview : secure-ro writeview: secure-wr
notifyview: <no notifyview specified>
row status: active access-list: 1

VMPSclient#sho snmp user
User name: snmpusr
Engine ID: 8000000903000014A86637C0
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: secure

# two examples to check if it is working:
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 system
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 sysUpTime

2. Then modify the default SNMP values on the FreeNAC server; they are in /usr/share/snmp/snmp.conf:
vmpssrv:~ # cat /usr/share/snmp/snmp.conf
(comments are erased)
defversion 3
defsecurityname snmpusr
defsecuritylevel authPriv
defauthtype MD5
defauthpassphrase cisco123
defprivtype DES
defprivpassphrase cisco123

To test, snmpwalk 172.16.1.1 system

3. Modify /opt/nac/etc/config.inc
(just part for port reset)
## restart_port
# $snmpwalk="/usr/bin/snmpwalk -v 1 -c public"; # SNMP Read community
# $snmpset ="/usr/bin/snmpset -v 1 -c private"; # SNMP Write community
$snmpset ="/usr/bin/snmpset"; # SNMP Write community
$snmpwalk="/usr/bin/snmpwalk"; # SNMP Read community

Cisco IOS vmps configuration

Network Switch Configuration & Tips for Cisco IOS

Initially, switches must be configured to send a copy of their syslog messages, and given the name of the vmps servers to which they can send requests for dynamic port assignment. Relevant Cisco docs:

Configuring VMPS

conf t 
no vmps server 192.168.245.41
vmps server 192.168.245.40
vmps reconfirm 120
end
show vmps

Re-authenticate all current connections

vmps reconfirm

Re-authenticate all current connections by emptying the MAC table. Note that the previous “vmps reconfirm” will not re-allow systems that were previously denied; for that the MAC table needs to be cleared:

clear mac-address-table dynamic

Enable VMPS on port fa0/2:

conf t
int fa0/2
switchport access vlan dynamic

(Re-)enable static Vlan 8 on port fa0/2:

conf t
int fa0/2
switchport access vlan 8

The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10):

vmps retry 5

The switch reconfirms by default every 60 minutes; set it to 2 hours:

vmps reconfirm 120

Other commands

show vmps stat
clear vmps statistics
show vlan
sh mac-address-table
sh mac-address-table | inc DYNAMIC
sh mac-address-table | inc BLOCKED

Debug the switch's logic: when and how does it send queries, and how does it interpret the answers?

ter mon
debug vqpc all

Why to add a "clear_mac" feature?

A problem with newer Cisco IOS switches has been detected.

When an unknown computer connects, a DENY from FreeNAC is received and the switch port blocks access. If the properties of the connecting device are later modified in order to allow it access to the vlan, the port remains in the blocked state for that device, preventing any further VMPS requests from reaching the FreeNAC server. The amount of time the port remains in the blocked state is variable. A port restart doesn't change the port status, and neither does disconnecting the network cable from the switch port.

After some analysis, it was discovered that removing the MAC address from the switch's CAM table clears the blocked state, and the port then works as expected. Therefore such a 'clear mac' function has been added to FreeNAC in V3.0.3 as a complement to port_restart.

See the thread in the forum where this problem was initially discussed.

Cisco 802.1x tests

Introduction

This section contains results from some tests with 802.1x on Cisco switches and FreeRadius.

Setup on an access point on port 2/22

Let's say there is an access point on port 2/22. First set the port to static and assign a trunk with the appropriate vlans:

set port membership 2/22 static
Port 2/22 vlan assignment set to static.
Spantree port fast start option set to default for ports 2/22.

set trunk 2/22 on
clear trunk 2/22
Port(s) 2/22 trunk mode set to auto.
Port(s) 2/22 trunk type set to dot1q.

sw0503> (enable) set trunk 2/22 11-12,15
Vlan(s) 11-12,15 already allowed on the trunk
Please use the 'clear trunk' command to remove vlans from allowed list.

Setting up 802.1x on port 0/2

logging 192.168.245.40
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.245.40 auth-port 1812 acct-port 1813 key 7 141E1C040D14
radius-server retransmit 3

# a port with static Vlans:
interface FastEthernet0/2
switchport access vlan 15
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast

# dynamic vlans: vlan is returned by the radius server
interface FastEthernet0/2
switchport access
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast

## Option: reauthenticate every two hours
dot1x timeout reauth-period 7200
dot1x reauthentication

## Other options
#dot1x default
#dot1x guest-vlan 524
#dot1x auth-fail vlan 522

##Enabling MAC-auth-bypass in switches that allow this option
#dot1x mac-auth-bypass

##Timing options specially for MAC-auth-bypass
#dot1x max-reauth-req 3 #Number of EAP requests sent to the client before trying MAC-auth-bypass
#dot1x timeout quiet-period 5 #Number of seconds to retry auth after a failed auth
#dot1x tx-period 5 #Number of seconds to wait for an answer after an EAP request has been sent to the client

##aaa authorization network default group NAC

Testing

#sh dot1x

Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1

#sh dot1x interface fastEthernet 0/2

Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
Posture = N/A
ReAuthPeriod = 3600 Seconds (Locally Configured)
ReAuthAction = Reauthenticate
TimeToNextReauth = N/A
PortStatus = UNAUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3

debug dot1x ?
all All Dot1x debugging messages turned on
errors Error codes
events Events
packets Packets
registry Registries
state-machine State machine
undebug all

#debug dot1x errors
Dot1x Errors debugging is on

References

http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configur...
http://wiki.freeradius.org/Rlm_perl
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg...

Mac bypass authentication: (note not all IOS switches have this..)
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura...

Notes

Note: For FreeRadius assigning VLANs dynamically, do a users file with:
> DEFAULT Auth-Type == MS-CHAP or
> NAS-IP-Address==x.y.z.w, NAS-Port = 50001
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = VLAN_number
>
> DEFAULT Auth-Type := Reject
>
> You need to keep this file for every vlan you want to return and the
> request attributes you want to check.
> In fact, the script I have does exactly this. It outputs just those
> values at the end of the authentication process (post_auth), and
> then the switch assigns the client the vlan that VMPS has returned.
> I think it is easier than maintaining the users file by ourselves


------------------------------
/opt/nac/bin/rad2vmps

$request{server_ip}='freenac'
in the post_auth function

Then modify radiusd.conf accordingly:
# radiusd.conf: in the modules section add
verify_mac {
    module = "/opt/nac/bin/rad2vmps"
}
# authorize section
authorize {
    verify_mac
    eap
}
# add a post-auth section
post-auth {
    verify_mac
}

Setting up the nas-port attribute
-----------------------------------------
conf t
radius-server attribute nas-port format X
where X can be

a Format is type, channel or port
b Either interface(16) or isdn(16), async(16)
c Data format(bits): shelf(2), slot(4), port(5), channel(5)
d Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)

Recommended for FreeNAC: a (default)

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_...

Sending vendor specific attributes
------------------------------------------
conf t
radius-server vsa send authentication
end

Using 'ciscocmd'

Introduction

'ciscocmd' is a useful tool for remotely executing commands on, or querying, Cisco switches. It is briefly described here as it is useful when operating FreeNAC in a large environment.

Cisco-centric Open Source Initiative
http://sourceforge.net/projects/cosi-nms
http://cosi-nms.sourceforge.net/

This is a great tool for 'remote control' of Cisco switches. Some examples are below.

Download and extract, no compilation is needed.
These tests were done with v1.4, which I installed in /opt/nac/ciscocmd-1.4.

Single switch example

(Example switch is SWITCH1)
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "show vmps"
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "reconfirm vmps" -e -s MYPASS
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "ping 192.168.1.40" -e -s MYPASS

(change USER, MYPASS; and the enable password as needed..)

Several switches

# Get all CatOS switches from the FreeNAC DB (hw type 2948, store in catos.txt),
echo "select name from switch where hw like '%2948%' order by name;" | mysql opennac |egrep -v name > catos.txt

# and check their vmps status:
./ciscocmd -u USER -p MYPASS -T catos.txt -c "show vmps" | egrep "VMPS Action|VMPS Last Accessed|Last Reconfirmation|show vmps"

Policies: introduction

Introduction

A key improvement in FreeNAC version 3.0 is the introduction of an OO (object oriented) policy interface, which provides greater flexibility and encapsulation of the individual decisions regarding control of end-device access to the network.

The policy file allows the system administrator with light PHP skills to modify the decision process.

Policy 'objects'

Policy objects included with FreeNAC can be inherited and extended for site-specific usage, or replaced or removed. This flexibility should make customising and creation of add-on modules easier.

FreeNAC allows all properties of end-devices, ports and switches to be used in the policy decision. Sample policy files are provided covering typical scenarios, but the aim is to allow the flexibility to develop very specific custom policies, without changing the core software.

Pre- and post-connect phases

There is a pre-connect and post-connect phase, and policy decisions can be taken in either.

The 'pre-connect phase' is when a device is recognised by the switch and authentication is requested. This phase needs to be fast, since it is in real time - the end-user is waiting for LAN access. The result is a vlan and health status being assigned, or access being denied.
vmpsd_external is the module that currently handles pre-connect.

During the post-connect phase, an end-device has already gone through pre-connect and been allowed access and granted a vlan, or denied. When pre-connect does this, the decision taken is logged. The post-connect phase constantly monitors messages from pre-connect, analyses them and takes actions based on those messages. Post-connect does not need to be in real time (although it should be as fast as possible too).
Examples of post-connect are updating the 'last seen' status of devices and ports, checking for unknown end-devices in a remote database, or perhaps looking up patch/anti-virus status (if these are too slow during pre-connect, or are only going to generate a warning, not quarantine a system).
postconnect.php is the module that handles post-connect; it receives messages from pre-connect via syslog.

End-device 'health'

The notion of 'health' has been introduced in version 3 also.

Further reading

See also the following Technical Guide chapters:

Policies: examples

Sample policies

There are sample policies included with FreeNAC to give an idea of how to build a custom policy. The examples are described on this page.

Each example is more complex than the previous one, and demonstrates specific policy functions. These (working) policies are in the etc/ directory.
See also the chapters on writing a custom policy and policy testing.

  1. policy1.php

    Allows access to known devices (host->isActive) into the network and will place them in the global default vlan defined in the config table. If an unknown device connects to the network, it will be denied.

  2. policy2.php

    As policy1, but in addition:
    - In postconnect: information for the EndDevice and the port where the EndDevice connected are stored into the database (switch_port->update, host->update). If the EndDevice or the port are not known, they are inserted into the database (switch_port->insertIfUnknown, host->insertIfUnknown).

  3. policy3.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device (host->getVlanId).
    - If an unknown device connects to the network, it will be denied.
    - postconnect: same as policy2.

  4. policy4.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device.
    - If an unknown device connects to the network, assign the global default vlan if defined. If such a global default vlan hasn't been defined, the connecting device will be denied.
    - postconnect: same as policy2.

  5. policy5.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device.
    - If an unknown device connects to the network, assign the port default vlan, if the switch port where the device is connecting to has a default vlan assigned to it.
    - If the device is unknown, and there is no port default vlan, then assign the global default vlan.
    - If neither a port vlan or a global default vlan have been defined, the connecting device will be denied.
    - postconnect: same as policy2.

  6. policy6.php

    - Allows access to known devices into the network and will place them in the vlan assigned to the end device.
    - If an unknown device connects and it is a virtual machine, assign the same vlan used by its 'mother' device, already active on that port (host->isVM, switch_port->getVMVlan).
    - If the device is still unknown, assign a port default vlan, a global default vlan, or deny - as in policy 5.
    - postconnect: same as policy2.

  7. policy7.php

    - If an end-device is in the killed state, or its expiry date is due, assign the isolation vlan, or deny access if that isolation vlan is zero (host->isKilled, host->isExpired, conf_vlan_for_killed).
    - Then apply the same rules as policy 6.

  8. policy8.php

    In this policy the 'health' status assigned to every connecting device is verified. If the end-device has its health status set to QUARANTINE, it'll be placed in the quarantine vlan. For a health status other than QUARANTINE and OK, a warning is logged to syslog.

    Let's say, for example, that a worm is spreading through the internal network via port 135:
    - The policy checks for end-devices with port 135 open ($port_scan->isPortOpen).
    - If that port is open on the EndDevice, it is placed in the quarantine vlan (quarantine_vlan).
    - Otherwise, apply the same rules as policy 5.

    In postconnect, besides applying the same rules as policy5, also:
    - check to see if port 135 is open. If it is, then set the device's health status to QUARANTINE.
    - If a connecting device no longer has port 135 open, then set its status back to OK and restart the port in order to put the end-device back in its usual vlan.

    In the quarantine vlan, a captive dhcp/dns/web portal would need to be installed to inform the user of the quarantine and how to remediate.
    An alternative to quarantining would be to send a warning email, if the open port posed a low risk.

  9. policy9.php

    This policy file allows access to known devices into the network. The vlan assigned to the connecting device is chosen as follows:
    - If the switch has a vlan associated to it, that vlan will be used.
    - If there is an exception vlan declared in the vlanswitch table, use that vlan.
    - Otherwise, assign the vlan assigned to this end device.
    If there is an unmanaged system trying to connect, log an alert.
    For unknown and unmanaged systems, if the switch port where the device is connecting has a vlan assigned to it, the EndDevice will be placed in that vlan.
    If no port default vlan has been assigned, use the global default vlan if defined.
    If neither a port vlan nor a global default vlan have been defined, the connecting device will be denied.

    - postconnect: Same as policy2

  10. policy10.php

    The aim of this policy file is to demonstrate that vlan names can also be specified when allowing access.
    For active devices, if the connecting device is the manager's system (MAC: cc00.ffee.eeee), place it right away in the vlan 'MANAGER_VLAN'.
    For the rest of active devices (not manager's ones), place them in the vlan assigned to them. If an unknown device connects to the network, it will be denied.

    - postconnect: Same as policy 3

  11. policy11.php

    This policy shows how to use the new method postScan in the EndDevice class. It sets the flag scannow for systems requesting access to the network, but only if they haven't been scanned in the last 7 days. Note that for this to work, you must activate the scans in scannow mode from crontab. See port_scan for more information.

    This policy is the same as policy1.php in the preconnect part, but in the postconnect part the postScan method is being used. This method is planned to be used only in this part of the policy, but it can also be used in preconnect.

To use these policies, you need to create a symbolic link from 'policy.inc.php' to the policy file you want to use:

cd /opt/nac/etc
rm policy.inc.php
ln -s policyX.php policy.inc.php

 

Policies: writing a custom policy

Introduction

This document explains in some detail how to write custom policies to be used in FreeNAC v3.0. It assumes that you have some knowledge of PHP and OOP (object oriented programming).

Please read the chapters Sample Policies and introduction to policies first. The pre-defined examples can be copied and modified: it's recommended to read and experiment with those first, before creating your own.

In this document, we create a new policy from scratch called 'My_Policy' which allows active devices into a default vlan, and denies access to unknown devices.

To see the classes, methods and functions used in the FreeNAC framework, please see the source code phpDocumentor page.

Policy: How it works

When pre-connect is started, it searches the config table for the name of a policy. If this policy (which is a PHP file) is available, it is loaded. The policy contains a preconnect() function, which is called once a request has been received. This function calls specific checks and finishes by calling the ALLOW() or DENY() function to attribute a vlan and health status.

Likewise the postconnect() function decides what to do after a device has been authenticated in the pre-connect phase.

These functions have access to REQUEST data, which contains the original Switch request, with a sub-object HOST containing information / methods relevant to that end-device and a sub-object PORT containing information / methods relevant to that switch/port.

Creating the new Policy

In order to create a policy file, create a PHP file containing a class which extends the Policy class. The Policy class defines two methods that you must override in your new class, preconnect and postconnect. These methods are called by the vmpsd_external and postconnect daemons respectively. The reason why you must override those methods in your new class is that their default behaviour in the Policy class is to deny everything. So, to start creating our policy class, create the file My_Policy.php in the /opt/nac/etc directory with the following contents:

<?php
class My_Policy extends Policy
{

}
?>

Now, in order to override the preconnect and postconnect methods, add the definition for those two methods as shown below:

<?php
class My_Policy extends Policy
{
    public function preconnect($REQUEST)
    {

    }

    public function postconnect($REQUEST)
    {

    }
}
?>

The parameter $REQUEST is the request you'll be receiving either by the vmpsd_external or the postconnect daemon. With this object you can access properties of the connecting device through the $host object or the port where this device is connecting to, by using the $switch_port object. Also, $REQUEST has access to the configuration settings through the $conf object.

The $host variable is an object of the EndDevice class. The $switch_port object is an object of the Port class. These objects allow information about the host, switch or port to be examined, and used to make a policy decision. They are accessed as follows:

$REQUEST->switch_port->method();
$REQUEST->host->method();

The list of standard methods available in each object is visible in the phpDocumentor page. Methods are ways of asking questions about objects, or taking action.

Each object also has a set of properties, which correspond to fields in the database. For example a port has a name, comment, last used time, up/down status. The list of properties can be retrieved using getAllProps(), e.g. to see all host properties try this:

print_r( $REQUEST->host->getAllProps() );

Preconnection policy

The pre-connection function is called when a device initially connects to the network, requesting access.

The EndDevice class defines the isActive() method. With this method we test if the connecting device is already in the database with an 'active' status. For a list of available methods and how to use them, please have a look at the phpDocumentor page. The isActive() method is the one that we'll use to write this simple policy file.

#Check if the connecting device is in the DB and is active.
if ($REQUEST->host->isActive())
{
    #If so, allow it into the global default vlan

}

Once a decision has been reached on whether to allow or deny access to a host, this decision is communicated to the network switch by 'throwing exceptions'. The exceptions are abstracted in two functions, which are:

ALLOW($vlan_id);
DENY($message);

The ALLOW() function throws an AllowException and the DENY function throws a DenyException.

Now, what we need is to allow the active systems into the global default vlan, so we add this code to the if-block we previously had.

ALLOW($REQUEST->conf->default_vlan);

Make sure you have defined this default vlan in your config table first. You can do this easily through the Windows GUI. When we throw the exception, control returns to vmpsd_external which will return back to the switch the vlan name where this device should be placed.

Now, we need to write the part to deny unknown systems. After the 'if' block, add the following code:

DENY('Denying access to unknown systems');

Postconnection policy

The postconnect function is called after a device has passed the preconnect phase and has been allowed or refused access. Postconnect is used for documentation, and for additional policy checks that are too slow to occur in real time.

Now, in the postconnect part for this example, we'll be inserting unknown systems into the database. The devices inserted into the database will have an 'unknown' status, so if they reconnect to the network they'll have their access blocked. You need to modify this status in the Windows GUI for the systems you want to allow.

In postconnect, add the following code to insert unknown devices.

$REQUEST->host->insertIfUnknown();

To update device information (time of connection, port this device was connected to, etc), call the update method.

$REQUEST->host->update();

The order here is important. Make sure you always call the insertIfUnknown() method before any update, otherwise you'll get errors trying to update a device which is not yet in the database.

Now, let's update the switch port information (last time this port was used, what vlan was last assigned, etc).

$REQUEST->switch_port->update();

Your final policy file should look like the following.

<?php
class My_Policy extends Policy
{
    public function preconnect($REQUEST)
    {
        #Check if the connecting device is in the DB and is active.
        if ($REQUEST->host->isActive())
        {
            #If so, allow it into the global default vlan
            ALLOW($REQUEST->conf->default_vlan);
        }
        #Deny access to unknown or inactive systems
        DENY('Denying access to unknown systems');
    }

    public function postconnect($REQUEST)
    {
        #Insert this device in the database if it doesn't exist
        $REQUEST->host->insertIfUnknown();
        #Update this device's information
        $REQUEST->host->update();

        #Update switch port information
        $REQUEST->switch_port->update();
    }
}
?>

Activating the policy

In order to activate this policy, modify the value of the default_policy field in your config table to contain My_Policy. Then go to the /opt/nac/etc directory, delete the policy.inc.php symlink and create a new one pointing to your newly created policy file:

rm /opt/nac/etc/policy.inc.php
ln -s /opt/nac/etc/My_Policy.php /opt/nac/etc/policy.inc.php

And restart the daemons (vmps and postconnect). Your newly created policy should now be loaded. See syslog to check if your policy was successfully loaded.

See also the sample policies and the policy testing sections.

Advanced administration: If you want to rename the policy class, in the config table you need to register the name of the policy (class name) you want to load.

update config set value='BasicPolicy' where name='default_policy'; 

Please leave your comments at the end of this guide, or if you prefer to discuss, visit the developer forum.

Policies: testing

Introduction

The aim of this page is to demonstrate an example policy, and show how to verify that such a policy functions as expected.

This example should help understand log entries, in planning tests before going into production and in troubleshooting vmpsd_external: when it doesn't behave as you might expect.

These examples cover FreeNAC v3.0 (in beta in Oct. 07). Advanced policy features such as Patch or Anti-Virus status (Wsus, EPO or MS-SMS modules) are not yet covered here.

Policy

This test set uses the sample policy below. The policy is a PHP program that is designed to be easy to understand. In this example:

  1. Expired or 'killed' hosts are either denied or put in the killed vlan.
  2. Normal (active) hosts are assigned the vlan assigned in their record, which may also be changed depending on switch location.
  3. Unmanaged hosts are just logged, and follow the port/global vlan defaults.
  4. Finally unknown systems are either denied, or assigned port default vlan, or global default, if such defaults exist.

In the policy program below, REQUEST->host is the end device looking for access to the network, REQUEST->switch_port is the switch port where this end device is and REQUEST->conf is the global configuration for the entire system.

This is the policy used to create this test set.

if ($REQUEST->host->isExpired() || $REQUEST->host->isKilled())
{
    if ($REQUEST->conf->vlan_for_killed)
    {
        $this->logger->logit("Killed or expired system {$REQUEST->host->getMAC()}({$REQUEST->host->getHostName()}) on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()}. Assigning vlan ".vlanId2Name($REQUEST->conf->vlan_for_killed));
        ALLOW($REQUEST->conf->vlan_for_killed);
    }
    else
    {
        DENY("Expired or killed system and no vlan_for_killed defined");
    }
}
if ($REQUEST->host->isActive())
{
    if ($vlan=$REQUEST->switch_port->vlanBySwitchLocation())
    {
        $this->logger->logit("Exception. Assigning vlan by switch location");
        ALLOW($vlan);
    }
    else
        ALLOW($REQUEST->host->getVlanId());
}
else if ($REQUEST->host->isUnManaged())
{
    # Same as "unknown": use default, but alert
    $this->logger->logit("Unmanaged device {$REQUEST->host->getMAC()}({$REQUEST->host->getHostName()}) on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()}",LOG_WARNING);
}

#UNKNOWN AND UNMANAGED SYSTEMS
#Check for VMs: special case, use vlan of VM host
if ($REQUEST->host->isVM())
{
    if ($vlan=$REQUEST->switch_port->getVMVlan())
    {
        $this->logger->logit("Device {$REQUEST->host->getMAC()} on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()} is a VM. Assigning vlan of previous authenticated host");
        ALLOW($vlan); #Retrieve the vlan from the host device
    }
}

#Port has a default vlan
if ($vlan=$REQUEST->switch_port->getPortDefaultVlan())
{
    $this->logger->logit("Device {$REQUEST->host->getMAC()} on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()} is unknown or unmanaged. Assigning port default vlan");
    ALLOW($vlan); #Assign the port default vlan
}
else if ($REQUEST->conf->default_vlan)
{
    $this->logger->logit("Device {$REQUEST->host->getMAC()} on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()} is unknown or unmanaged. Assigning global default vlan");
    ALLOW($REQUEST->conf->default_vlan);
}

#Default policy
DENY('Default policy reached. Unknown or unmanaged device and no default_vlan specified');
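The following added test harness is not FreeNAC's own code; it serves both this test policy and the My_Policy walk-through in the previous chapter. It stands in for what the framework provides (ALLOW()/DENY() as thrown exceptions, a Policy base class that denies by default, a logger) with minimal stubs, constructs host/port/conf objects, and runs the decision order of the policy above for each case, so the expected ALLOW/DENY can be checked before reading the vmpsd_external logs. The Stub class, the vlan ids and the MAC are constructed for the example; the real EndDevice and Port classes are not used.

```php
<?php
// Added offline test harness, not FreeNAC code. Minimal stand-ins for what the
// framework provides (ALLOW/DENY as exceptions, a Policy base class that denies
// by default, a logger) plus constructed host/port/conf stubs.

class AllowException extends Exception {
    public $vlan;
    public function __construct($vlan) { parent::__construct('ALLOW'); $this->vlan = $vlan; }
}
class DenyException extends Exception {}

function ALLOW($vlan_id) { throw new AllowException($vlan_id); }  // ALLOW() throws AllowException
function DENY($message)  { throw new DenyException($message); }   // DENY() throws DenyException

class StubLogger { public function logit($msg, $prio = LOG_INFO) { echo "  log: $msg\n"; } }

// Stand-in for the Policy base class: preconnect() denies unless overridden.
class Policy {
    public $logger;
    public function __construct() { $this->logger = new StubLogger(); }
    public function preconnect($REQUEST)  { DENY('Policy base class: deny everything'); }
    public function postconnect($REQUEST) { }
}

// Generic stub for EndDevice/Port: any method not listed returns 0 (false),
// e.g. isVM() for a normal host or getPortDefaultVlan() for a port without one.
class Stub {
    private $m;
    public function __construct(array $m) { $this->m = $m; }
    public function __call($name, $args) { return isset($this->m[$name]) ? $this->m[$name] : 0; }
}

// Same rule order as the sample policy above, with shortened log messages.
class TestPolicy extends Policy {
    public function preconnect($REQUEST) {
        $host = $REQUEST->host; $port = $REQUEST->switch_port; $conf = $REQUEST->conf;
        if ($host->isExpired() || $host->isKilled()) {
            if ($conf->vlan_for_killed) {
                $this->logger->logit("Killed or expired system {$host->getMAC()}, assigning vlan_for_killed");
                ALLOW($conf->vlan_for_killed);
            }
            DENY('Expired or killed system and no vlan_for_killed defined');
        }
        if ($host->isActive()) {
            if ($vlan = $port->vlanBySwitchLocation()) {
                $this->logger->logit('Exception. Assigning vlan by switch location');
                ALLOW($vlan);
            }
            ALLOW($host->getVlanId());
        } elseif ($host->isUnManaged()) {
            $this->logger->logit("Unmanaged device {$host->getMAC()}", LOG_WARNING);
        }
        if ($host->isVM() && ($vlan = $port->getVMVlan())) {
            ALLOW($vlan);               // vlan of the already authenticated VM host on this port
        }
        if ($vlan = $port->getPortDefaultVlan()) {
            ALLOW($vlan);               // port default vlan
        } elseif ($conf->default_vlan) {
            ALLOW($conf->default_vlan); // global default vlan
        }
        DENY('Default policy reached. Unknown or unmanaged device and no default_vlan specified');
    }
}

// Call preconnect() and turn the exception it throws into the answer that
// would be returned to the switch (vmpsd_external does the equivalent).
function decide(Policy $policy, $REQUEST) {
    try { $policy->preconnect($REQUEST); return 'NO DECISION: policy returned without ALLOW()/DENY()'; }
    catch (AllowException $e) { return 'ALLOW vlan ' . $e->vlan; }
    catch (DenyException $e)  { return 'DENY: ' . $e->getMessage(); }
}

function request(array $host, array $port, array $conf) {
    $r = new stdClass();
    $r->host = new Stub($host); $r->switch_port = new Stub($port); $r->conf = (object) $conf;
    return $r;
}

// Constructed cases; the vlan ids and the MAC are made up for the example.
$conf  = array('vlan_for_killed' => 203, 'default_vlan' => 201);
$noDef = array('vlan_for_killed' => 0,   'default_vlan' => 0);
$mac   = array('getMAC' => '00b0.d00c.64b2');
$cases = array(
    'killed, vlan_for_killed set' => request($mac + array('isKilled' => 1, 'isActive' => 1, 'getVlanId' => 5), array(), $conf),
    'killed, no vlan_for_killed'  => request($mac + array('isKilled' => 1), array(), $noDef),
    'active, own vlan'            => request($mac + array('isActive' => 1, 'getVlanId' => 5), array(), $conf),
    'active, switch location'     => request($mac + array('isActive' => 1, 'getVlanId' => 5), array('vlanBySwitchLocation' => 7), $conf),
    'unknown VM, host on port'    => request($mac + array('isVM' => 1), array('getVMVlan' => 5, 'getPortDefaultVlan' => 9), $conf),
    'unmanaged, port default'     => request($mac + array('isUnManaged' => 1), array('getPortDefaultVlan' => 9), $conf),
    'unknown, global default'     => request($mac, array(), $conf),
    'unknown, no defaults'        => request($mac, array(), $noDef),
);
foreach ($cases as $name => $req) {
    printf("%-28s %s\n", $name, decide(new TestPolicy(), $req));
}
// The un-overridden base class denies even an active host.
printf("%-28s %s\n", 'base Policy, active host', decide(new Policy(), $cases['active, own vlan']));
```

The log lines are echoed while each case runs, so they appear just above that case's result; the 'unknown VM' case shows that the VM rule wins over the port default vlan because the first ALLOW() thrown ends the evaluation.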

Results

Now we'll run through all cases defined in this policy, showing only the result from vmpsd_external. All these cases have been run twice: once without debugging information and once with the debugging level set to 2, which logs the function calls and the result of such calls.

Killed or expired devices

a) Normal logging when vlan_for_killed has been defined

Oct  2 23:59:32 freenac vmpsd_external.php[30938]: Killed or expired system 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch). Assigning vlan DevZone_203
Oct 2 23:59:32 freenac vmpsd: ALLOW: 00b0d00c64b2 -> DevZone_203, switch 192.168.254.26 port Fa0/2 <<

b) Detailed logging when vlan_for_killed has been defined

Oct  3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: ----------------------------
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug2: EndDevice->isExpired() = 1
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Killed or expired system 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch). Assigning vlan DevZone_203
Oct 3 00:00:42 freenac vmpsd: ALLOW: 00b0d00c64b2 -> DevZone_203, switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: ALLOW DevZone_203 (at vmpsd_external.php:150)
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: ----------------------------

c) Detailed logging when vlan_for_killed hasn't been defined.

Oct  3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: ----------------------------
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug2: EndDevice->isExpired() = 1
Oct 3 00:05:51 freenac vmpsd: DENY: 00b0d00c64b2 -> , switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: DENY: Expired or killed system and no vlan_for_killed defined (at vmpsd_external.php:148)
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: ----------------------------

Active systems

a) Normal logging

Oct  3 00:12:53 freenac vmpsd: ALLOW: 00b0d00c64b2 -> WorkZone_202, switch 192.168.254.26 port Fa0/2 <<

b) Detailed logging

Oct  3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: ----------------------------
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->isExpired() =
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->isKilled() =
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->isActive() = 1
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: Port->vlanBySwitchLocation() =
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->getVlanId() = 5
Oct 3 00:13:59 freenac vmpsd: ALLOW: 00b0d00c64b2 -> WorkZone_202, switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: ALLOW WorkZone_202 (at vmpsd_external.php:150)
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: ----------------------------

c) Detailed logging when we assign a Vlan by switch location

Oct  3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: ----------------------------
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: EndDevice->isExpired() =
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: EndDevice->isKilled() =
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: EndDevice->isActive() = 1
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: Port->vlanBySwitchLocation() = 13
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Exception. Assigning vlan by switch location
Oct 3 00:29:36 freenac vmpsd: ALLOW: 00b0d00c64b2 -> GuardLink_198, switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: ALLOW GuardLink_198 (at vmpsd_external.php:150)
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: ----------------------------

Unmanaged systems

In this example policy, unmanaged systems are treated the same as unknown systems; the only difference is that an extra syslog message is generated for an unmanaged device:

Oct  3 00:32:15 freenac vmpsd_external.php[32073]: Unmanaged device 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch)

For the possible results, see the 'Unknown systems' cases below.

Unknown systems with a port default vlan

a) Normal logging

Oct  2 23:59:32 freenac vmpsd_external.php[30883]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning port default vlan
Oct 2 23:37:33 freenac vmpsd: ALLOW: 0123456789ab -> External, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:37:33 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:37:33 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)

b) Detailed logging

Oct  2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ----------------------------
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isExpired() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isKilled() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isActive() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isUnManaged() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isVM() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: Port->getPortDefaultVlan() = 11
Oct 2 23:59:32 freenac vmpsd_external.php[31258]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning port default vlan
Oct 2 23:39:44 freenac vmpsd: ALLOW: 0123456789ab -> External, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ALLOW External (at vmpsd_external.php:150)
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ----------------------------
Oct 2 23:39:45 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:39:45 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)

Unknown systems with no port default vlan but with global default vlan

a) Normal logging

Oct  2 23:59:32 freenac vmpsd_external.php[31258]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning global default vlan
Oct 2 23:44:04 freenac vmpsd: ALLOW: 0123456789ab -> SecOps_206, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:44:05 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:44:05 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)

b) Detailed logging

Oct  2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: ----------------------------
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isExpired() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isKilled() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isActive() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isUnManaged() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isVM() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: Port->getPortDefaultVlan() = 0
Oct 2 23:59:32 freenac vmpsd_external.php[31340]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning global default vlan
Oct 2 23:44:49 freenac vmpsd: ALLOW: 0123456789ab -> SecOps_206, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: ALLOW SecOps_206 (at vmpsd_external.php:150)
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: ----------------------------
Oct 2 23:44:50 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:44:50 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)

Unknown systems with no port default vlan and no global default vlan defined

a) Detailed logging

Oct  2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: ----------------------------
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isExpired() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isKilled() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isActive() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isUnManaged() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isVM() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: Port->getPortDefaultVlan() = 0
Oct 2 23:53:31 freenac vmpsd: DENY: 0123456789ab -> , switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: DENY: Default policy reached. Unknown or unmanaged device and no default_vlan specified (at vmpsd_external.php:148)
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: ----------------------------
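In production these syslog lines are what an operator has to watch. The interesting ones are the DENYs, and the ALLOWs that were reached through a fall-back path (an unknown MAC placed on the port or global default VLAN, or a killed device placed on vlan_for_killed) rather than through the device's own VLAN assignment. The following Python script is an added example, not part of FreeNAC: it pairs each vmpsd verdict with the vmpsd_external.php explanation logged just before it for the same MAC and lists those cases. The sample lines are constructed after the format shown above (same MACs, switch and port); the regular expressions and the alert categories are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log, modelled on the vmpsd / vmpsd_external.php lines shown above
SAMPLE_LOG = """\
Oct  2 23:59:32 freenac vmpsd_external.php[30938]: Killed or expired system 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch). Assigning vlan DevZone_203
Oct  2 23:59:32 freenac vmpsd: ALLOW: 00b0d00c64b2 -> DevZone_203, switch 192.168.254.26 port Fa0/2 <<
Oct  3 00:05:51 freenac vmpsd: DENY: 00b0d00c64b2 -> , switch 192.168.254.26 port Fa0/2 <<
Oct  3 00:12:53 freenac vmpsd: ALLOW: 00b0d00c64b2 -> WorkZone_202, switch 192.168.254.26 port Fa0/2 <<
Oct  2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct  2 23:39:44 freenac vmpsd_external.php[31258]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning port default vlan
Oct  2 23:39:44 freenac vmpsd: ALLOW: 0123456789ab -> External, switch 192.168.254.26 port Fa0/2 <<
Oct  2 23:53:31 freenac vmpsd: DENY: 0123456789ab -> , switch 192.168.254.26 port Fa0/2 <<
"""

# The verdict line written by vmpsd (MAC as 12 hex digits, empty VLAN on DENY)
VERDICT_RE = re.compile(
    r"vmpsd: (?P<verdict>ALLOW|DENY): (?P<mac>[0-9a-f]{12}) -> (?P<vlan>\S*), "
    r"switch (?P<switch>\S+) port (?P<port>\S+)")
# Explanation lines the policy logs before the verdict (MAC in Cisco dotted form)
REASON_RE = re.compile(
    r"vmpsd_external\.php\[\d+\]: (?:Killed or expired system|Device|Unmanaged device) "
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})")


@dataclass
class Decision:
    verdict: str
    mac: str
    vlan: str
    switch: str
    port: str
    reason: str  # policy explanation logged before the verdict, "" if none


def parse_decisions(text):
    """Pair every vmpsd ALLOW/DENY with the most recent explanation logged for the same MAC."""
    pending = {}  # normalised MAC -> explanation text waiting for its verdict
    decisions = []
    for line in text.splitlines():
        m = REASON_RE.search(line)
        if m:
            pending[m["mac"].replace(".", "")] = line.split("]: ", 1)[1]
            continue
        m = VERDICT_RE.search(line)
        if m:
            decisions.append(Decision(m["verdict"], m["mac"], m["vlan"], m["switch"],
                                      m["port"], pending.pop(m["mac"], "")))
    return decisions


def triage(decisions):
    """Return verdict counts and the decisions an operator should review."""
    counts = Counter(d.verdict for d in decisions)
    alerts = []
    for d in decisions:
        if d.verdict == "DENY":
            alerts.append(("denied", d))
        elif "unknown or unmanaged" in d.reason:
            alerts.append(("unknown-device-on-default-vlan", d))
        elif d.reason.startswith("Killed or expired"):
            alerts.append(("killed-device-on-vlan_for_killed", d))
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = triage(parse_decisions(SAMPLE_LOG))
    print(dict(counts))
    for kind, d in alerts:
        print(f"{kind}: {d.mac} on {d.switch} {d.port} -> {d.vlan or '(denied)'}  {d.reason}")
```

To use it on a real system, replace SAMPLE_LOG with the contents of the syslog file. A hit in the 'unknown-device-on-default-vlan' category is a MAC FreeNAC has never seen landing on the network you chose as a catch-all, which is the same event the postconnect 'NAC alert' lines above report.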

 

Voip phones: 802.1x

Introduction

802.1X has traditionally been limited to one authenticated device per port, which causes problems with VoIP phones, since a PC is often connected through the phone's second port.

The purpose of this page is to gather information and experience on authenticating a VoIP phone, and the PC that may be attached to it, via 802.1X.

Avaya

The Avaya phones look interesting:
http://support.avaya.com/elmodocs2/security/802_1x-LLDP.pdf

Apparently you can do 802.1X for the phone and/or the PC; however:
" as of August 2006 only the following vendors are known to have released support for Multi Supplicant mode: Avaya, Extreme, Hewlett Packard (Pro Curve), and Cisco..."

Cisco

“The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain. “

Cisco switches (such as the 3560) support this:
http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_e...
http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configur...

Voip Phones: VMPS mode

Introduction

To do: the topic of IP phones and VMPS has come up for discussion many times; it would be useful to have a document collecting our knowledge to date.

Tests have been done several times since 2006, but we don't yet have a production installation with a VoIP phone population where tests could be documented in detail.

In principle, Cisco phones on recent IOS switches should work.

Some links to relevant forum topics on using a Cisco VoIP phone with a voice VLAN for the phone and VMPS for the PC connected to the phone:

Switchport VOICE vlan..
http://www.freenac.net/phpBB2/viewtopic.php?t=113

(this thread is two pages long)

1. Initial tests

Cisco IP Phone 7960

Firmware version: 7.4
Application Load ID: POS3-07-4-00
Boot Load ID: PC03A300
DSP Load ID: PS03AT45

Tests done:

On the switch, the port the IP phone connects to was configured with voice VLAN 524.

When the IP phone is plugged in, VMPS detects the phone and answers DENY, but the phone still obtains an IP address, because the switch places it on voice VLAN 524 regardless of the VMPS answer.

If we remove the voice VLAN from that port, the phone cannot get an IP address at all.

Then, after modifying the database so that VMPS returns VLAN 524 when the IP phone is connected to the switch, we get:

vmpsd: ==================================
vmpsd: VQP Request
vmpsd: Unknown: 1
vmpsd: Request Type: 1
vmpsd: Response: 0
vmpsd: No. Data Items: 6
vmpsd: Sequence No.: 38
vmpsd: Client IP address: 192.168.254.26
vmpsd: Port name: Fa0/2
vmpsd: Vlan name: --NONE--
vmpsd: Domain name: seclab2
vmpsd: MAC address: 0007eb18390d
vmpsd_external[5218]: decide: Request for (192.168.254.26,Fa0/2) unknown(0007.eb18.390d), KEINE, vlan=524
vmpsd_external[5218]: Debug1: decide: Check for hubs..
vmpsd_external[5218]: get_port_status: found 00b0.d00c.64b2, vlan=521, 2006-10-25 10:16:51
vmpsd_external[5218]: ping 192.168.201.226 - 00b0.d00c.64b2 <----- IP and MAC of the device that was connected prior to the connection of the IP phone.
vmpsd_external[5218]: Ping Error no answer: PING 192.168.201.226 (192.168.201.226) 56(84) bytes of data. --- 192.168.201.226 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time 1001ms
vmpsd_external[5218]: Debug1: get_port_status: no conflict since IP is invalid or cannot be pinged. Flap is still a risk..
vmpsd_external[5218]: decide: unknown, KEINE, vlan result=524 on switch 192.168.254.26 Fa0/2
vmpsd_external[5218]: Debug1: DecidedVlan=524
vmpsd: External prog says: ALLOW IP_Phone
vmpsd: ALLOW: 0007eb18390d -> IP_Phone, switch 192.168.254.26 port Fa0/2

The phone still can't get an IP address: the voice VLAN has to be configured on the port; a VMPS answer alone is not enough.

With the voice VLAN configured on the port again, we next test the IP phone's PC port.

When a laptop is connected to the phone's PC port, VMPS works as usual and the laptop gets access according to its rights in the database.

If an authorized laptop connects to the phone's port, a request is sent to VMPS, VMPS returns the VLAN and the computer gets an IP. If we then unplug that laptop and connect an unauthorized laptop to the phone's port, no further request reaches VMPS, and the unauthorized laptop can use the network because the switch port is already open from the previous successful VMPS request.

The switch port keeps the state of the first connection to the phone's port. Further connections to the phone's port do not generate VMPS requests, so the switch port stays in whatever VLAN the first VMPS request assigned.

The only way to trigger new VMPS requests is to shut down the phone.

Next: shut down the phone, connect a laptop that is allowed in the VMPS DB to the phone's port, turn the phone on and plug it into the switch port. This generates one VMPS request per device: one for the IP phone and another for the laptop.

Now, if we just power the phone off and on again without unplugging it from the switch, only one VMPS request is generated, for the laptop, and none for the IP phone.

2. Comments from Dago

Made some first tests to have Cisco 79x0 phones with VMPS

The objective was to have the phone on the voice vlan & the pc connecting
through the phone on a vmps-assigned VLAN.

With the configuration below, it is possible to have that working correctly. The phone goes automagically on VLAN 521 (with the CDP hack) while the PC goes on a VMPS-assigned VLAN. If you look into the DB, VMPS doesn't see the phone, while the connecting PC is authenticated through VMPS each time it reconnects.

- switch configuration :
!
cdp run
!
interface GigabitEthernet1/0/2
 description 5.076_5.12_dago_test
 switchport access vlan dynamic
 switchport mode access
 switchport voice vlan 521
 cdp enable
 spanning-tree portfast
!

- phone configuration : network port 2 type = PC (not Switch/Hub !)

3. Comments from Erich

Cisco

Nortel

Siemens

Here I don't even know how to get hold of a reference installation, and I also have little know-how about IP phone registration.

[Sean Note]: I only expect Cisco phones to work, since VMPS is Cisco proprietary.

Appendix

This section covers diverse issues not presented in the main chapters.

Bind DNS Configuration

-CONTRIBUTED TOOL-

Through the following scripts, it is possible to generate static zone files for BIND (a.k.a. named) for a single domain.

See also the related ISC DHCP Configuration scripts.

There is a separate set of scripts for managing DNS via dynamic updates (TBD: ref).

Configuration options

The configuration options are in the freenac database and can be configured via the Windows GUI:

  • web_showdns (true/false) : show the dns-related fields in the web interface
  • dns_domain = general domain
  • dns_ns = comma separated list of name servers (no space).
    These servers must be resolvable.
  • dns_mx = comma separated list of mail servers (no space).
    This is an ordered list (primary server first)
  • dns_primary = primary name server where this host file will be used (used in SOA)
  • dns_mail = email address for the DNS administrator (used in SOA)
  • dns_outdir = directory where the zone files will be written (existing files will be overwritten without confirmation)
  • dns_forwardzone = name of the generated zone file (forward).
  • dns_subnet = subnet for which a reverse dns zone file will be generated

generate_dns.php

This script will generate the normal (forward) zone files from the systems table.
An 'A' record will be generated for each system and will point the 'hostname' field to the last known ip ('r_ip').

Aliases (CNAME records) will be generated from the (comma separated) 'dns_alias' field and will point to the 'A' record of the host.

generate_dns_reverse.php

This script will generate the reverse zone files from the systems table.

For each subnet matching the 'dns_subnet' configuration option, reverse records (PTR) will be extracted from the systems table. The last known IP address will point to the hostname.

The generated files will be named like '254.168.192.in-addr.arpa' for the 192.168.254.0 subnetwork. 
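As an added illustration, and not the generate_dns.php / generate_dns_reverse.php code from FreeNAC's contrib directory, here is the same idea in Python: forward and reverse zone text built from rows shaped like the systems-table fields named above (hostname, r_ip, dns_alias) and from the dns_* options. The rows and option values are constructed, and the /24 reverse zone is an assumption matching the 254.168.192.in-addr.arpa example. One check the generator adds that a practitioner would want: hostnames and aliases are validated as DNS labels before being written, since a value containing whitespace or a newline would otherwise inject arbitrary records into the zone file.

```python
import ipaddress
import re

# Constructed sample rows, shaped like the systems-table fields named above
# (hostname, r_ip = last known IP, dns_alias = comma-separated aliases)
SYSTEMS = [
    {"hostname": "srv01", "r_ip": "192.168.254.10", "dns_alias": "www,intranet"},
    {"hostname": "pc-bloggs", "r_ip": "192.168.254.77", "dns_alias": ""},
    {"hostname": "printer1", "r_ip": "192.168.1.5", "dns_alias": ""},  # outside dns_subnet
    {"hostname": "x\nevil IN A 10.0.0.1", "r_ip": "192.168.254.99", "dns_alias": ""},  # hostile value
]
# Option names from the page; the values are made up for this example
CONF = {
    "dns_domain": "example.net",
    "dns_primary": "ns1.example.net",
    "dns_ns": "ns1.example.net,ns2.example.net",
    "dns_mx": "mx1.example.net,mx2.example.net",
    "dns_mail": "hostmaster@example.net",
    "dns_subnet": "192.168.254.0/24",
}
# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, at most 63 octets.
# Anything else (spaces, newlines, '@', ';') could smuggle extra records into the zone.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_label(name):
    return bool(LABEL_RE.match(name))


def soa_serial(yyyymmdd):
    """YYYYMMDDnn serial; a second generation on the same day must bump nn."""
    return int(yyyymmdd + "01")


def zone_header(origin, conf, serial):
    rname = conf["dns_mail"].replace("@", ".")  # SOA RNAME: the '@' becomes a dot
    lines = [f"$ORIGIN {origin}.", "$TTL 3600",
             f"@ IN SOA {conf['dns_primary']}. {rname}. ( {serial} 3600 900 1209600 3600 )"]
    lines += [f"@ IN NS {ns}." for ns in conf["dns_ns"].split(",")]
    return lines


def generate_forward(systems, conf, serial):
    lines = zone_header(conf["dns_domain"], conf, serial)
    # dns_mx is ordered, primary first: give it the lowest preference value
    lines += [f"@ IN MX {10 * i} {mx}." for i, mx in enumerate(conf["dns_mx"].split(","), 1)]
    for row in systems:
        host = row["hostname"]
        if not valid_label(host):
            continue  # refuse to write a hostile or malformed name into the zone
        ip = ipaddress.IPv4Address(row["r_ip"])  # raises on a malformed address
        lines.append(f"{host} IN A {ip}")
        lines += [f"{alias} IN CNAME {host}"
                  for alias in filter(None, row["dns_alias"].split(",")) if valid_label(alias)]
    return "\n".join(lines) + "\n"


def reverse_zone_name(subnet):
    """'192.168.254.0/24' -> '254.168.192.in-addr.arpa' (a /24 is assumed, as in the example above)."""
    net = ipaddress.IPv4Network(subnet)
    if net.prefixlen != 24:
        raise ValueError("this example only handles /24 reverse zones")
    a, b, c, _ = net.network_address.packed
    return f"{c}.{b}.{a}.in-addr.arpa"


def generate_reverse(systems, conf, serial):
    net = ipaddress.IPv4Network(conf["dns_subnet"])
    lines = zone_header(reverse_zone_name(conf["dns_subnet"]), conf, serial)
    for row in systems:
        ip = ipaddress.IPv4Address(row["r_ip"])
        if ip in net and valid_label(row["hostname"]):
            lines.append(f"{ip.packed[3]} IN PTR {row['hostname']}.{conf['dns_domain']}.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    serial = soa_serial("20071003")
    print(generate_forward(SYSTEMS, CONF, serial))
    print(generate_reverse(SYSTEMS, CONF, serial))
```

Writing the two strings to dns_outdir is left to the caller; as noted above, existing files there are overwritten without confirmation, so write to a temporary name and rename it into place so that named never loads a half-written zone.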

BIND DNS configuration #2

-CONTRIBUTED TOOL: ALPHA status-

Through the following scripts, it is possible to generate dynamic updates to BIND (a.k.a. named) for a single domain.

There is a separate set of scripts for managing DNS via static zones.

The 'ip' table contains a list of IP addresses with a reference to names in the systems table. Names are not stored in the 'ip' table, to avoid duplication. This means that if a host is to appear in DNS but is not automatically detected by FreeNAC, it must be entered into the systems table manually.

| Field      | Type            | Comment
| id         | int(10) unsigned | index
| address    | int(10) unsigned | IP address, use INET_NTOA to convert
| subnet     | int(10) unsigned | Subnet address
| status     | tinyint(4)       |
| comment    | varchar(255)     |
| system     | int(11)          | reference to an index in the systems table
| source     | varchar(32)      | ?
| dns_update | tinyint(4)       | ?
| lastupdate | timestamp        |
| lastchange | timestamp        |

So, next a query to pull an IP to name mapping:

SELECT ip.id as id, INET_NTOA(ip.address) as ip, systems.name as name, ip.dns_update as dns_update, systems.dns_alias as cname FROM ip LEFT JOIN systems ON ip.system = systems.id WHERE ip.system != 0; 

Configuration options

The configuration options are in the freenac database and can be configured via the Windows GUI:

  • web_showdns (true/false) : show the dns-related fields in the web interface
  • ddns_server
  • dns_domain = general domain
  • ddns_ttl
  • dns_ns = comma separated list of name servers (no space).
    These servers must be resolvable.
  • dns_mx = comma separated list of mail servers (no space).
    This is an ordered list (primary server first)
  • dns_primary = primary name server where this host file will be used (used in SOA)
  • dns_mail = email address for the DNS administrator (used in SOA)
  • dns_outdir = directory where the zone files will be written (existing files will be overwritten without confirmation)
  • dns_forwardzone = name of the generated zone file (forward).
  • dns_subnet = subnet for which a reverse dns zone file will be generated

generate_dns2.php

Using ip.address and systems.name from the FreeNAC 'ip' table, generate a list of dynamic DNS updates. The update commands are written to a temporary file; once the file has been written, the dns_update flag is reset for each row.
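The following Python sketch is an added example of what generate_dns2.php is described as doing, not the script itself: from rows in the shape of the SELECT above it emits an nsupdate batch (A, CNAME and PTR records) and returns the ids whose dns_update flag can then be reset. The rows, the option values (ddns_server, ddns_ttl, dns_domain) and the one-transaction-per-host layout are this example's assumptions. Feed the output to nsupdate with a TSIG key (nsupdate -k keyfile) so that the server can restrict who may update the zone; unsigned dynamic updates should not be accepted on a production zone.

```python
import ipaddress
import re

# Constructed rows in the shape of the SELECT above (id, ip, name, dns_update, cname)
ROWS = [
    {"id": 1, "ip": "192.168.254.10", "name": "srv01", "dns_update": 1, "cname": "www,intranet"},
    {"id": 2, "ip": "192.168.254.77", "name": "pc-bloggs", "dns_update": 0, "cname": ""},
    {"id": 3, "ip": "192.168.254.78", "name": "pc-new", "dns_update": 1, "cname": ""},
    {"id": 4, "ip": "192.168.254.79", "name": "oops;evil", "dns_update": 1, "cname": ""},
]
# Option names from the page; the values are made up for this example
CONF = {"ddns_server": "192.168.254.2", "ddns_ttl": 300, "dns_domain": "example.net"}

# One DNS label; anything else is refused rather than written into the update stream
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def ptr_name(ip):
    """'192.168.254.10' -> '10.254.168.192.in-addr.arpa'"""
    return ipaddress.IPv4Address(ip).reverse_pointer


def build_updates(rows, conf):
    """Return (nsupdate batch text, ids updated, ids skipped).

    Only rows flagged dns_update=1 are touched. Each host gets its own 'send' so that a
    server-side REFUSED on one host does not roll back the others; the forward and the
    reverse record are separate transactions because they live in different zones."""
    ttl = int(conf["ddns_ttl"])
    domain = conf["dns_domain"]
    lines = [f"server {conf['ddns_server']}"]
    done, skipped = [], []
    for r in rows:
        if not r["dns_update"]:
            continue
        if not LABEL_RE.match(r["name"]):
            skipped.append(r["id"])  # leave the flag set so the bad row stays visible
            continue
        ip = str(ipaddress.IPv4Address(r["ip"]))  # raises on a malformed address
        fqdn = f"{r['name']}.{domain}."
        lines += [f"zone {domain}",
                  f"update delete {fqdn} A",  # replace, don't accumulate stale A records
                  f"update add {fqdn} {ttl} A {ip}"]
        for alias in filter(None, r["cname"].split(",")):
            if LABEL_RE.match(alias):
                a = f"{alias}.{domain}."
                lines += [f"update delete {a} CNAME", f"update add {a} {ttl} CNAME {fqdn}"]
        lines.append("send")
        rev = ptr_name(ip)
        lines += [f"zone {rev.split('.', 1)[1]}",
                  f"update delete {rev}. PTR",
                  f"update add {rev}. {ttl} PTR {fqdn}",
                  "send"]
        done.append(r["id"])
    return "\n".join(lines) + "\n", done, skipped


if __name__ == "__main__":
    text, done, skipped = build_updates(ROWS, CONF)
    print(text)
    print("reset dns_update for ids:", done, "skipped:", skipped)
```

The ids in 'done' are the rows whose dns_update flag should be cleared, and only after nsupdate has returned successfully; the 'skipped' ids keep the flag so that a name that failed validation shows up the next time the job runs.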

generate_dns_reverse2.php

Changelog and update notes

This document explains the changes since v2.2 RC3, and the steps to upgrade to v3.

What is new in V3.0.3?

V3.0.3 is a small point release (SVN build 1582) gathering fixes to the stable branch since v3.0.0.

A new feature called "clear mac" has been added, which completes the port restarting mechanism. This is needed for newer IOS versions where port restart does not work as expected. See the clear_mac discussion in the Technical Guide.
The Windows GUI and Web GUI have been modified accordingly. Information about configuring this new feature can be found in the Switch configuration part of the Install Guide.

Windows GUI: the source code (Delphi Pascal) has finally been released under the GPL, see the Windows GUI changelog.

Port_scan: a new policy and feature have been introduced which allow port scanning of systems upon connection. This improves the quality of the inventory. An example of such a policy can be found here.

Systems Management Server: A new class has been added that will allow the integration between FreeNAC and a Microsoft SMS server.

 

What is new in V3.0.2?

V3.0.2 is a small point release (SVN build 1233) gathering fixes to the stable branch since v3.0.0.

New Web GUI: See README.webnew which explains the new design, and CHANGES which lists progress.

Windows GUI: several small improvements.

Backend changes:

  • Many small fixes to daemons. A detailed list of changes is in doc/CHANGES.detailed
  • DB changes are documented in contrib/migration_3.0_to_3.0.2/db_changes.sql
    • Clean up column defaults
    • Add switch: scan3 and vlan_id columns
    • Add several new rows to the config table.
    • Improve comments in the config table
  • Layer 3 scanning of switches/routers is now controlled by the new 'scan3' field in the switches table, not the router list in the config table.
  • Fixes to sample policies

What is new in V3.0.0?

A substantial change in FreeNAC v3.0 is the introduction of an OO (object oriented) policy interface, which provides greater flexibility and encapsulation of the individual decisions regarding control of end-device access to the network.

The main programs have been rewritten using OO techniques, some others have been modified to work with the framework, and some have been added in this new release. The aim of the OO change is a modularised system that is easier to debug, troubleshoot, maintain and extend in the long run.
It is now a requirement to use PHP 5 (not PHP 4); we recommend using the latest PHP version.

Here is a summary of the changes in v3.0 (since v2.2):

  1. vmpsd_external has been completely rewritten. vmps_lastseen no longer exists; it has been rewritten as the postconnect daemon.
  2. Added the lib directory, which holds several class files that provide the framework for FreeNAC v3.0. If you want to dig into the innards of FreeNAC, this is the place to start.
  3. Creation of a policy file, which allows a system administrator with light PHP skills to modify the decision process. Sample policy files are provided in /opt/nac/etc; see also the Policy chapters in the Technical Guide, which describe writing, testing and trying out the sample policies.
  4. Emergency off scripts have been added. If you want to quickly disable FreeNAC in your network (e.g. at 02:00 in the morning, when there is a problem on the network that is difficult to localise), you only need to run these scripts. Likewise, after disabling it, you can re-enable it (e.g. the next morning, serenely) using another script. See also the Technical Guide chapter.
  5. The Windows GUI has been improved and adapted to support the new features.
  6. All the PHP scripts now have the extension '.php'. This allows phpDocumentor to parse the scripts better and thus auto-generate extra documentation.
  7. SNMP functions have been added to funcs.inc.php, so that several scripts can perform operations on the switches (such as programming VMPS parameters or learning port status). One of those scripts is cron_restart_port.php, which, besides restarting a port, allows programming of the switch ports from the Windows GUI. Another interesting script is ping_switch.php, which tells whether a switch port and the switch are up or down.
  8. New interfaces for the integration of McAfee EPO anti-virus and Windows Update Services (WSUS) have been added.
  9. The database schema has changed a little: new fields and tables have been added.
    We have added fields to store the status of ports and switches and the last time the switch/port was monitored. In the systems table, we now have an index to indicate the health of a connecting device. Other fields have been added to record which user last used the device, the last name of that device, or even to send an email whenever that device connects to the network. See also the DB migration script in contrib/migration_2.2_to_3.0.
  10. The notion of health has been introduced. This allows quarantining of end-devices which do not meet the policy.
    Initially there is one module that uses this new health feature, the port scan module: let's say you know that a trojan opens port 666; if a system connecting to your network has port 666 open, you can decide what to do with it (notify, quarantine, kill it, etc.).
    Policy health checking using the WSUS/EPO modules is still in beta status; example policies will be published in the coming weeks.

Installation & Configuration

See the Installation and User Guides.

Upgrading from V2.2 RC3

If you have a previous FreeNAC installation and would like to update to 3.0, here is what you have to do:

Stop the previous instances of vmps, vmps_lastseen and proctst (if you are using the latter):

/etc/init.d/vmps stop
/etc/init.d/vmps_lastseen stop 
/etc/init.d/proctst stop

Checkout the latest stable release

mkdir /opt/nac3.0
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/branches/3.0/ /opt/nac3.0

Then copy over the config files, or adapt config.inc.template to your needs.

Apply the changes to the database (take a backup of the opennac database first, since the migration script alters the schema in place):

cd /opt/nac3.0/contrib/migration_2.2_to_3.0/
mysql opennac < db_changes.sql

Add the extension .php to all PHP scripts you have in your crontab.

Copy over the startup scripts

mv /etc/init.d/vmps /etc/init.d/vmps.$$
mv /etc/init.d/vmps_lastseen /etc/init.d/vmps_lastseen.$$
cp /opt/nac3.0/contrib/startup_init.d/vmps /etc/init.d/
cp /opt/nac3.0/contrib/startup_init.d/postconnect /etc/init.d/

Copy over the proctst configuration file (if you are using it)

mv /etc/proctst.conf /etc/proctst.$$
cp /opt/nac3.0/contrib/etc/proctst.conf /etc

Activate the new directory

mv /opt/nac /opt/nac.$$
ln -s /opt/nac3.0 /opt/nac

And finally start the daemons and watch syslog

/etc/init.d/vmps start
/etc/init.d/postconnect start
/etc/init.d/proctst start   # only if you are using it

All modules are configured via settings in the 'config' table. This was already the case in v2.2 RC3. If upgrading from an even earlier release (v2.1 for example), please read the relevant migration notes on config.inc. The contents of config.inc have not changed between v2.2 RC3 and V3.

Problems

As usual, any questions/remarks/queries can be posted in the forums.

See also the troubleshooting section of the User Guide, search the website, and search the forum.

If there are errors or omissions in this document, please log in to the website and post a comment below.

Regards,

The FreeNAC Team

Internet sites/directories where FreeNAC is listed

This is an appendix to keep track of where we made submissions, and possible issues.

ISC DHCP Configuration

-CONTRIBUTED TOOL-

The generate_dhcp.php script in the contrib section can be used to generate a configuration file for the ISC DHCP daemon.

See also the ISC BIND configuration scripts.

It uses the following parameters in the configuration database (editable using the Windows GUI):

  • dhcp_configfile : the file that this script will write - if it already exists, it will be overwritten without confirmation
  • dhcp_defaults = the global defaults (currently: default-lease-time, max-lease-time, ddns-update-style, authoritative, use-host-decl-names)

The rest of the configuration will be taken from the FreeNAC database

  • Subnet and options from dhcp_options (subnet 0 = general options)
  • Fixed ip addresses from systems (where dhcp_fix = 1, the assigned IP will be dhcp_ip)

The "web_showdhcp" configuration flag toggles the ability to edit the dhcp_fix and dhcp_ip fields in the web interface.
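As an added example, and not FreeNAC's generate_dhcp.php, the Python below renders a dhcpd.conf from rows shaped after the tables named above: dhcp_defaults as a list of global statements, dhcp_options rows as (subnet, statement) pairs with subnet 0 meaning global, and systems rows with dhcp_fix and dhcp_ip. Beyond the field names the page gives, the row shapes, sample values and reject rules are assumptions. It refuses to write a fixed host whose hostname or MAC is malformed, whose MAC is already bound to another host, or whose dhcp_ip lies outside every declared subnet, and reports those rows instead of silently producing a configuration dhcpd will misbehave on.

```python
import ipaddress
import re

# Constructed sample data. dhcp_fix/dhcp_ip are the field names the page gives; the shape of the
# dhcp_options rows (subnet, statement; subnet "0" = global) and the mac/hostname fields are assumed.
DHCP_DEFAULTS = ["default-lease-time 600", "max-lease-time 7200", "ddns-update-style none",
                 "authoritative", "use-host-decl-names on"]
DHCP_OPTIONS = [
    {"subnet": "0", "statement": 'option domain-name "example.net"'},
    {"subnet": "192.168.254.0/24", "statement": "option routers 192.168.254.1"},
    {"subnet": "192.168.254.0/24", "statement": "range 192.168.254.100 192.168.254.200"},
]
SYSTEMS = [
    {"hostname": "srv01", "mac": "00:B0:D0:0C:64:B2", "dhcp_fix": 1, "dhcp_ip": "192.168.254.10"},
    {"hostname": "pc-bloggs", "mac": "01:23:45:67:89:ab", "dhcp_fix": 0, "dhcp_ip": ""},
    {"hostname": "printer1", "mac": "00:b0:d0:0c:64:b2", "dhcp_fix": 1, "dhcp_ip": "192.168.254.11"},  # same MAC as srv01
    {"hostname": "rogue", "mac": "de:ad:be:ef:00:01", "dhcp_fix": 1, "dhcp_ip": "10.9.9.9"},  # no such subnet
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def render(defaults, options, systems):
    """Return (dhcpd.conf text, rejected [(hostname, reason), ...]).

    Global statements first, then one subnet block per declared subnet, then one host block
    per dhcp_fix=1 system. A fixed host is rejected, not written, when its name or MAC is
    malformed, its MAC is already bound to another host (ambiguous fixed-address), or its
    dhcp_ip is not inside any declared subnet (dhcpd would never serve it there)."""
    out = [f"{d};" for d in defaults]
    subnets = {}
    for row in options:
        if row["subnet"] == "0":
            out.append(f"{row['statement']};")
        else:
            subnets.setdefault(ipaddress.IPv4Network(row["subnet"]), []).append(row["statement"])
    for net, stmts in subnets.items():
        out.append(f"\nsubnet {net.network_address} netmask {net.netmask} {{")
        out += [f"  {s};" for s in stmts]
        out.append("}")
    seen, rejected = set(), []
    for s in systems:
        if not s["dhcp_fix"]:
            continue
        mac = s["mac"].lower()
        if not LABEL_RE.match(s["hostname"]):
            rejected.append((s["hostname"], "invalid hostname"))
            continue
        if not MAC_RE.match(mac):
            rejected.append((s["hostname"], "malformed MAC"))
            continue
        if mac in seen:
            rejected.append((s["hostname"], "duplicate MAC"))
            continue
        ip = ipaddress.IPv4Address(s["dhcp_ip"])
        if not any(ip in net for net in subnets):
            rejected.append((s["hostname"], "dhcp_ip not in any declared subnet"))
            continue
        seen.add(mac)
        out += [f"\nhost {s['hostname']} {{",
                f"  hardware ethernet {mac};",
                f"  fixed-address {ip};",
                "}"]
    return "\n".join(out) + "\n", rejected


if __name__ == "__main__":
    text, rejected = render(DHCP_DEFAULTS, DHCP_OPTIONS, SYSTEMS)
    print(text)
    for host, why in rejected:
        print(f"rejected {host}: {why}")
```

Before the result replaces dhcp_configfile (which, as noted above, is overwritten without confirmation), run it through the daemon's syntax check (dhcpd -t -cf file) and treat a non-empty rejected list as a data problem to fix in the database rather than something to paper over in the generator.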

RSS Feeds

If you configure the web interface of FreeNAC, you can also have a feed containing the last connections.

It is available as http://<hostname>/nac/rss.php and you can subscribe it using your favorite RSS reader.

SNMP tests performed on non Cisco switches

We have received some requests to support switches from manufacturers other than Cisco, so we got our hands on some non-Cisco switches and performed some SNMP tests to see what could be done with them. The switches tested were an HP ProCurve 2600 and a 3Com 3812; here are the results of our experiments:

The file /opt/nac/snmp_defs.inc.php contains the OIDs we use to document switches in the system. The first tests were to see if we could retrieve the switch's general information (description, name, location, contact, software, hardware) using the OIDs declared for this purpose. With the OIDs we had we could retrieve the same information, but in some cases minor changes were needed, since the OIDs/functions we have are Cisco oriented and on some switches they don't apply 'as is'.

We also found other OIDs that could give better results. For instance, in snmp_scan, to get the list of physical interfaces we check an OID that tells whether an interface is physical or not, but on the 3Com switches that doesn't apply, since all interfaces are marked as physical even when they are virtual. Also in snmp_scan, to get the SW and HW versions with the OIDs we have, we need to perform string comparisons; we found other OIDs that directly give the HW, SW and firmware versions without string comparisons.

The restart_port script was successfully tested on all the non-Cisco switches. We were also apparently able to assign a port to a given VLAN (port programming), but using other OIDs which are not listed in snmp_defs.inc. These new OIDs are not yet committed to SVN, since they are still at an experimental stage.

Statistics collection (V3.0 beta)

The purpose of this module is to collect daily statistics and store them in a table.

TBD: we are in the design stage, this page is for getting feedback.

A table is to be created with four columns:

  • id: autoincremented index
  • code: name of the statistic
  • value: a number/count
  • datetime: timestamp

Entries to be generated each day:

  • no. of ports and switches used
  • no. of end-devices: active, unmanaged, killed, unknown
  • no. of end-devices per health state: unknown, transition, quarantine, ok, infected

Things to discuss:

  • Should the above counters also be kept cumulatively?
  • What about patch and AV status? OS versions? Number of open ports (from the scan module)?

Tips on working with subversion (SVN)

Make contributions

We welcome ideas and code contributions/fixes. You can make these in several ways:

  1. Diffs to the forum or the developer email list
  2. committing code to a subdirectory with your name in the contribs directory of the sources
  3. changing and committing the core software.

The idea is to start with 1. and progress towards 3. For 2. and 3. you'll need a SourceForge account for subversion and to be on the developer email list.

For 2. and 3. you should also create documentation for your module/contribution, for example as an appendix to the Technical Guide. For that you'll need a website account, and request "content editor" rights.

The rest of this document gives some examples of working with subversion.

Checking out, committing changes

Checkout a working copy:
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/trunk
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/branches/3.0

Check for changes:
svn update contrib bin etc doc
svn help update

Make changes:
svn add <filename|directory>
svn delete <filename|directory>
svn copy <filename|directory>
svn move <filename|directory>
svn help [ add | delete | copy | move ]

Examine your changes:
svn status doc bin etc contrib
svn status <filename|directory>
svn diff
svn diff > <patchfile>
svn revert <filename>
svn help [ blame | status | diff | revert ]
svn [ blame | praise ]

Commit your changes:
svn commit --username YOUR_SF_USER -m "your message" contrib
svn commit --username YOUR_SF_USER -m "your message" doc
svn commit --username YOUR_SF_USER -m "your message" bin
svn commit --username YOUR_SF_USER -m "your message" etc
svn help commit

Subversion client settings

If you reach the SVN server through a proxy, edit ~/.subversion/servers and set
the proxy values:
[groups]
group1 = *svn.sourceforge.net
[group1]
http-proxy-host = proxy1.MYDOMAIN.COM
http-proxy-port = 80

To limit which files are checked into SVN, edit ~/.subversion/config:
[miscellany]
global-ignores = *.o *.lo *.la #*# .*.rej *.rej .*~ *~ .#* .DS_Store *,v RCS config.inc
Specifically, we don't want RCS files or the production config.inc
(which contains passwords) checked in. Note that global-ignores only keeps
unversioned files out of svn status and svn add; a file that is already under
version control, or that you add explicitly by name, is still committed, so
check svn status before each commit.

Merging a branch back to trunk

In a working copy of trunk, make sure it is up to date:
cd trunk
svn update

Find the revision where the branch was created:
svn log --verbose --stop-on-copy https://opennac.svn.sourceforge.net/svnroot/opennac/branches/2.2
For this example, branch 2.2 was created in revision 548.

svn merge -r 548:HEAD https://opennac.svn.sourceforge.net/svnroot/opennac/branches/2.2

Review the merged working copy (svn status, svn diff), resolve any conflicts and test, then commit:
svn commit -m "Back to trunk"

Vendor comparison

To do: let's compare products fairly. This probably needs to be split into MAC-based and 802.1x-based products, concentrating only on the key competitors, and differentiating between open source and commercial offerings?

OpenVMPS limitations

OpenVMPS works on a file basis, has no database or GUI, and is very intolerant of errors in its configuration. FreeNAC is in fact an effort to make OpenVMPS enterprise-ready.

Problems With Cisco “VMPS” and “MAC Port” Authentication.

If you already use the VMPS server on older Catalysts to limit LAN access, what are the limitations?

  • Lack of management features:
    • Monitoring
    • Alerting
    • Ease of use
    • GUI
    • User & device DB integration
  • Lack of support from Cisco

Cisco NAC

TBD

Microsoft NAP

TBD

Juniper

TBD

What does FreeNAC *not* do?

  • Layer 3 access control (for example, offering an automated logon web page while still allowing layer 2 access and an IP address via DHCP)
  • VPN or firewall access control
  • Remediation / quarantine VLANs (planned)
  • MAC authentication on non-Cisco switches

Vlan attribution: for single-vlan switches, not by end-device

Background

FreeNAC attributes VLANs depending on a vlan value stored for each end-device.

There is also the "Vlan exception" feature, which allows the attributed VLAN to be changed depending on the switch location (see also the method Ports->getPortDefaultVlan()). However, if there are many "exceptions", i.e. many switches which do not have all VLANs, or VLANs with different names, this becomes difficult to manage.

Aim

There are sites that only need to attribute two VLANs: allowed or denied. In this case a VLAN per end-device is overkill; it would be simpler to attribute a VLAN per switch.

Let's say there is a VLAN "Internal" on all switches, but with different numbers. There is also a VLAN "Guest".

  • The idea is to put all known end-devices (state=active) automatically onto "Internal", and unknowns onto "Guest".
  • So set the global default VLAN to be "Guest".
  • In the policy file, write a policy that says:
    a) if device=active set vlan=getSwitchVlan
    b) if device=unknown set vlan=global default

Implementation

That's the concept. For the implementation, a vlan_id field has been added to the V3.0 DB schema. The Windows GUI (build 164) can modify that column. A method getSwitchVlan has been added to the sample policies in V3.0.1.

[sb, 22nd Dec'07]

VlanByLocation attribution: 'switch exceptions' feature

Introduction

The VLAN exception option (based on the vlanswitch table) is a feature allowing location-dependent VLANs, i.e. for when VLAN naming is not consistent across switches, or not all VLANs are available on all switches.

Example: let's say there is an OfficeLAN and a PrinterLAN in the main vlan table, but on switch 'sw101' there is only one LAN called 'LAN1'. This feature allows us to map both OfficeLAN and PrinterLAN on switch sw101 to LAN1.

See also the Windows GUI user guide.

How does it work?

Let's start by examining the SQL table:

mysql> describe vlanswitch;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| vid       | int(11)      | NO   | MUL |         |       |
| swid      | int(11)      | NO   | MUL |         |       |
| vlan_id   | int(11)      | NO   |     |         |       |
| vlan_name | varchar(100) | NO   |     |         |       |
+-----------+--------------+------+-----+---------+-------+

  • The swid field is a lookup/index into the switch table, and tells us to which switch the VLAN exception applies.
  • The vid field is a lookup/index into the vlan table, and is the VLAN that was attributed so far, i.e. usually the vlan stored in the systems table for the end-device being authenticated.
  • vlan_name is a text field containing the name of the VLAN to be assigned to end-devices that connect to this switch, so it must be a valid VLAN name on the switch swid.
  • vlan_id is the VLAN number corresponding to vlan_name, but it is not used; it is only there for documentation purposes.

Going back to the example: there is an OfficeLAN and a PrinterLAN in the main vlan table, but on switch 'sw101' there is only one LAN called 'LAN1', so both VLANs need to be mapped to it.

First, create two entries in the VLAN exception table, using the Windows GUI:

sw101 OfficeLAN LAN1  
sw101 PrinterLAN LAN1

In the table there would be entries like the following, assuming that swid=10 indexes to sw101, vid=100 indexes to OfficeLAN, and vid=101 to PrinterLAN:

swid=10, vid=100, vlan_name=LAN1
swid=10, vid=101, vlan_name=LAN1 

If Ports.vlanBySwitchLocation() is called in the policy, and lan_by_switch_location is enabled in the config table, the vlanswitch table is queried to find the appropriate vlan_name:

  • We know the switch IP address, so look up its index (swid).
  • For the end-device connecting, look up its assigned VLAN index (vid).
  • Now query vlanswitch to see if there is a row with that swid and vid; if yes, return vlan_name (the text name of the VLAN to be sent back to the switch).
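The lookup just described, together with the two-rule policy sketched under 'Vlan attribution' above, as an added example (not FreeNAC's own code) run against an in-memory SQLite copy of the tables. The vlanswitch columns are those from the describe output; the switch(id, ip) and vlan(id, name) columns, the sample rows, and the choice to send every non-active device to the global default are assumptions.

```python
import sqlite3

GLOBAL_DEFAULT_VLAN = "Guest"   # the global default VLAN from the policy sketch

SCHEMA = """
CREATE TABLE vlan (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE switch (id INTEGER PRIMARY KEY, ip TEXT NOT NULL UNIQUE);
CREATE TABLE vlanswitch (
    vid INTEGER NOT NULL REFERENCES vlan(id),     -- VLAN attributed so far
    swid INTEGER NOT NULL REFERENCES switch(id),  -- switch the exception applies to
    vlan_id INTEGER NOT NULL,                     -- documentation only, never used
    vlan_name TEXT NOT NULL);                     -- name returned to the switch
"""

def build_sample_db():
    """Constructed data for the worked example: sw101 (swid=10) only has LAN1,
    so OfficeLAN (vid=100) and PrinterLAN (vid=101) both map to it there."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vlan VALUES (?, ?)",
                     [(100, "OfficeLAN"), (101, "PrinterLAN"), (102, "Guest")])
    conn.executemany("INSERT INTO switch VALUES (?, ?)",
                     [(10, "10.0.0.101"), (11, "10.0.0.1")])  # sw101, a main-building switch
    conn.executemany("INSERT INTO vlanswitch VALUES (?, ?, ?, ?)",
                     [(100, 10, 1, "LAN1"), (101, 10, 1, "LAN1")])
    return conn

def vlan_by_switch_location(conn, switch_ip, vid):
    """Return the VLAN name to send back to the switch at switch_ip for an
    end-device whose attributed vlan index is vid. A vlanswitch row for
    (swid, vid) overrides the name from the vlan table."""
    row = conn.execute("SELECT id FROM switch WHERE ip = ?", (switch_ip,)).fetchone()
    if row is None:
        raise LookupError(f"switch {switch_ip} is not in the switch table")
    swid = row[0]
    exc = conn.execute("SELECT vlan_name FROM vlanswitch WHERE swid = ? AND vid = ?",
                       (swid, vid)).fetchone()
    if exc is not None:
        return exc[0]
    # no exception for this switch: the device's own VLAN name is valid here
    name = conn.execute("SELECT name FROM vlan WHERE id = ?", (vid,)).fetchone()
    if name is None:
        raise LookupError(f"vlan index {vid} is not in the vlan table")
    return name[0]

def policy_vlan(conn, state, vid, switch_ip):
    """Policy from the 'Vlan attribution' sketch: active devices get their
    (location-adjusted) VLAN, anything else is sent to the global default.
    Treating every non-active state like 'unknown' is an assumption."""
    if state == "active":
        return vlan_by_switch_location(conn, switch_ip, vid)
    return GLOBAL_DEFAULT_VLAN

if __name__ == "__main__":
    db = build_sample_db()
    print(policy_vlan(db, "active", 101, "10.0.0.101"))   # LAN1 (exception on sw101)
    print(policy_vlan(db, "active", 101, "10.0.0.1"))     # PrinterLAN (no exception)
    print(policy_vlan(db, "unknown", 100, "10.0.0.101"))  # Guest
```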

Issues

If there are many switches and VLANs, then the number of rows in the vlanswitch table will be large and difficult to manage.

If there are several small/remote offices with only one VLAN (for example) and several main buildings with (say) 30 VLANs, then an exception needs to be created for each VLAN on each switch, which is a lot. One solution for those simple 'one VLAN' switches is the newly proposed feature 'Vlan attribution by Switch, not by end-device'.

Comments/ideas are welcome.

VMPS Tests Conducted

1. Two hosts (MAC address/VLAN pairs) were configured as allowed in the VMPS database. When either of the allowed hosts was plugged into the switch, a VMPS request was generated and the server replied, allowing the connection. No log messages are generated by the switch.

2. Unplugging a PC causes no VMPS activity.

3. If a PC is connected with a MAC address that is not allowed, the switch logs an error and refuses access to the network:
DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1
Optionally, the server can tell the switch to shut down the port, in which case it must be manually enabled again (this “secure” mode is perhaps useful for switches in physically exposed places).

4. If the primary VMPS does not reply, the switch retries with the secondary.

5. The switch tries to contact a server 3 times by default before giving up. This value can be configured on the switch (to a maximum of 10): on CatOS with set vmps server retry XX, on IOS with vmps retry XX.

6. Reconfirmation:

The switch reconfirms whether the port is authorised (by default every 60 minutes; Cat OS: set vmps server reconfirminterval XX, IOS in ‘con t’ mode: vmps reconfirm XX).

If a host was previously enabled and the VMPS server was updated to disable this host, then this will be noticed by the switch on the next reconfirmation interval. On reconfirmation it blocks the ports and logs an appropriate message: "DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1"

If the primary and secondary are not available, the switch logs an error, but does not disconnect the PC/port (this is important to prevent cascaded network failures): "DVLAN-2-MACNOTRECONFIRMED:Mac [00-03-ba-27-54-9b] is not reconfirmed"

If the switch cannot contact a VMPS server, show vmps (IOS: sho vmps stat) displays "No Host" but does not log a message. It also shows the time of the last reconfirmation and the IP address of the server last accessed:
VMPS Action: No Host
VMPS Last Accessed: 192.168.245.19
Last Reconfirmation: Fri Sep 10 2004, 08:30:02

Reconfirmation can be manually triggered on the switch (Cat OS: reconfirm vmps; IOS: vmps reconfirm). During the reconfirmation, show vmps shows a status of “In Progress” and then “Success”, with the timestamp of the last reconfirmation updated.

To clear vmps statistics (IOS): clear vmps status

7. If two PCs use the same MAC address, the switch authenticates on each packet, so some packets are allowed from each PC. This would cause disruption to both PCs. It is not noted as an error by the switch, but it can be detected by analysing the logs for frequent authentication of a specific MAC address within a short period of time.

8. If two PCs are connected to a hub (or unmanaged switch), which is connected to one (VMPS) switch port, then:
  • If both PCs are authorised on the same VLAN they can both communicate.
  • If only one is authorised, the traffic from the second is blocked. The authorised PC continues to work fine.
  • If both are authorised, but in different VLANs, the switch changes the port constantly between the two VLANs, causing havoc: some packets pass from each machine. No errors are logged by the switch or VMPS server, since the authentications are successful. To detect this scenario, monitoring would have to detect a VMPS “authentication storm” from one port and notify the network administrator.

9. If a PC is disabled in the VMPS database and VMPS is restarted, there is no immediate effect. The PC continues to have access until the cable is unplugged/replugged or until the next VMPS reconfirmation (every 60 minutes).

10. If a PC's MAC is added to the VMPS database and VMPS is restarted, there is no immediate effect. The PC continues to be forced to the default VLAN until the cable is unplugged/replugged or until the next VMPS reconfirmation (every 60 minutes).
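The two detection ideas from tests 7 and 8, as an added example that is not part of the original page: a sliding-window pass over VMPS server log lines that flags a MAC authenticated too often, and a port whose VLAN assignment keeps changing. The log line format and the sample lines are constructed for this example (OpenVMPS's real format differs), and the year added to syslog timestamps is assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format for this example: one line per VMPS reply. Adjust
# LINE_RE to the real OpenVMPS/FreeNAC log format before using it on real logs.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ vmpsd\[\d+\]: "
    r"switch (?P<switch>\S+) port (?P<port>\S+) mac (?P<mac>[0-9a-fA-F-]{17}) -> (?P<vlan>\S+)$")
LOG_YEAR = 2004   # syslog timestamps carry no year; assumed for the sample

def parse_line(line):
    """Return (timestamp, switch, port, mac, vlan) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["switch"], m["port"], m["mac"].lower(), m["vlan"]

def find_auth_storms(lines, window=60, mac_threshold=5, vlan_flap=2):
    """Scan log lines in order and return sorted alerts:
    ('mac', <mac>)           the same MAC was authenticated >= mac_threshold
                             times within `window` seconds (test 7: duplicate MAC);
    ('port', <switch:port>)  one port was assigned >= vlan_flap different VLANs
                             within `window` seconds (test 8: hub with mixed VLANs)."""
    mac_hits = defaultdict(deque)     # mac -> recent timestamps
    port_hits = defaultdict(deque)    # (switch, port) -> recent (timestamp, vlan)
    alerts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, switch, port, mac, vlan = rec
        q = mac_hits[mac]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        if len(q) >= mac_threshold:
            alerts.add(("mac", mac))
        p = port_hits[(switch, port)]
        p.append((ts, vlan))
        while (ts - p[0][0]).total_seconds() > window:
            p.popleft()
        if len({v for _, v in p}) >= vlan_flap:
            alerts.add(("port", f"{switch}:{port}"))
    return sorted(alerts)

# Constructed sample: a healthy host on 2/1, a duplicated MAC seen from ports
# 2/3 and 2/4 five times in 22 s, and two hosts behind a hub on 3/1 that are
# authorised in different VLANs; the 09:45 line is a normal reconfirmation.
SAMPLE_LOG = """\
Sep 10 08:30:02 nac vmpsd[412]: switch 192.168.1.10 port 2/1 mac 00-11-22-33-44-55 -> OfficeLAN
Sep 10 08:30:05 nac vmpsd[412]: switch 192.168.1.10 port 2/3 mac 00-03-ba-27-54-9b -> OfficeLAN
Sep 10 08:30:09 nac vmpsd[412]: switch 192.168.1.10 port 2/4 mac 00-03-ba-27-54-9b -> OfficeLAN
Sep 10 08:30:14 nac vmpsd[412]: switch 192.168.1.10 port 2/3 mac 00-03-ba-27-54-9b -> OfficeLAN
Sep 10 08:30:20 nac vmpsd[412]: switch 192.168.1.10 port 2/4 mac 00-03-ba-27-54-9b -> OfficeLAN
Sep 10 08:30:27 nac vmpsd[412]: switch 192.168.1.10 port 2/3 mac 00-03-ba-27-54-9b -> OfficeLAN
Sep 10 08:31:00 nac vmpsd[412]: switch 192.168.1.10 port 3/1 mac 00-aa-bb-cc-dd-01 -> OfficeLAN
Sep 10 08:31:03 nac vmpsd[412]: switch 192.168.1.10 port 3/1 mac 00-aa-bb-cc-dd-02 -> PrinterLAN
Sep 10 08:31:07 nac vmpsd[412]: switch 192.168.1.10 port 3/1 mac 00-aa-bb-cc-dd-01 -> OfficeLAN
Sep 10 09:45:00 nac vmpsd[412]: switch 192.168.1.10 port 2/1 mac 00-11-22-33-44-55 -> OfficeLAN
"""

if __name__ == "__main__":
    for alert in find_auth_storms(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds are starting points; tune window and mac_threshold against the reconfirmation interval actually configured on the switches so that normal reconfirmations never trigger an alert.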

Other findings

Several “VMWARE” virtual machines were running on the network, each looking like a real PC, with its own address. This usage is not really a risk; it allows tests to be conducted on virtual machines, but does confuse network management.

Some laptops have a docking station, which has a different MAC address from the built-in laptop MAC address.

Several users used wireless rather than the fixed LAN.

User acceptance was high (all problems were solved quickly).

A change/authorisation/expiry process needs to be developed, written down and adhered to. What happens when a user leaves and a new user comes, taking over an already authorised PC?

There is no noticeable delay when using the network.

If a user is refused access and is then added to the VMPS DB to allow access, he must either wait one hour or re-authenticate. To re-authenticate, there are several options:
  • disable and re-enable the network connection in the connections control panel (this is the quickest method)
  • unplug/plug in the network cable; it takes some time for Windows to realise it is on another network
  • click on the network icon -> support -> "repair": it first tries to release its old address, but can't as the old DHCP server is no longer reachable; this may take 5 minutes

FreeNAC programming conventions

Program file headers:

/**
* filename.php
*
* Long description for file:
* Some words about the functionality the file provides, its dependencies and so on
*
* PHP version 5
*
* LICENSE: This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as published
* by the Free Software Foundation.
*
* @package FreeNAC
* @author XX (FreeNAC Core Team)
* @copyright 2007 FreeNAC
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License Version 2
* @version SVN: $Id$
* @link http://freenac.net
*
*/

Other coding conventions:

  • use two spaces when indenting
  • comment your code
  • always use version control, preferably SVN
  • style: do not mix styles in the same source file, follow the style of the original author
  • use PHP documentor tags in headers and comments

Pending issues: Virtual machine

The latest release of the VM (3.02) has Ubuntu 8.04 (Hardy Heron) as its base OS.

The FreeRadius package provided for this version of Ubuntu is still broken when using perl, so this VM has FreeRadius and perl compiled from source; this way it is possible to use the rad2vmps module to provide 802.1x authentication in conjunction with FreeNAC.

Other issues to have in mind:

  • flap_detect is running every 4 minutes. Maybe set it to run every 20 minutes?

Have you found any more issues? Please report them in the forums or post a comment to this page.

Pending issues: Web GUI

Introduction

This page is used as a sort of bug tracking system for known issues, next fixes, what is done etc. for the new WebGUI to be released with v3.0.2 (9.May'08: to be released in the next week). The new version is a complete re-write; see README.webnew for a description and CHANGES for progress.

If you want to have something moved up to priority, or submit a new entry, please use the Support forum, or better, post comments below.

Issues: priority

  • Log out does not do an apache logout (move to Zend framework for authentication & session mgt?)
  • Ports down/up: show interface status. Can we show disabled, err-disabled or not connected? (different SNMP OID)
  • GuiList1:
    sort/search fields not being remembered?
  • Need an advanced search page (search through all fields with drop-down lists, or across multiple fields)
  • More cross-site scripting / security analysis

Issues: others

  1. Edit device: show last change user/date
  2. GuiList1 grid: add up/down arrow/icon for sorting
  3. logtail exclude pattern in config table
  4. option to scan a switch after adding it
  5. Enable an snmp-scan of all switches
  6. When deleting, do a cascaded delete
  7. EditDevice_more.inc.php move to mysqli, review
  8. Only one AD server can be configured for Domain WebGUI logon?
  9. Add & update device: no validation checking i.e. for a properly formed MAC address (there is security validation/cleaning though).
  10. CSS:
    • Are we using consistent class names everywhere?
    • increase font size in the logtail screens
    • make a nice header, do we still need the links?
  11. exceptions.inc: review integrate with /lib/exceptions.inc
  12. webfuncs.inc: remove unneeded stuff
  13. throw (more) exceptions where possible
  14. logtail:
    // TBD: catch error if file cannot be read, or non existant.
    // TBD: test if ad_auth=false
    throw exception
  15. Allow Administrators to edit config tables
  16. phpinfo:
    non standard header/footer, how we will we handle updates?
  17. footer: What else to add?
  18. index.php: File does not exist: /opt/nac/web/favicon.ico
  19. Sql auth (login/logout.php, GuiUserManager)
  20. Drupal auth
  21. ADGROUP auth
    we need to define the groups who'll be using each of these interfaces. In MySQL, you modify the table guirights to define the rights associated to each group. To declare a group, you use its full DN. For example:
    update guirights set ad_group='CN=FreeNAC_write,DC=domain,DC=com' where code=99;
    update guirights set ad_group='CN=FreeNAC_read,DC=domain,DC=com' where code=1;
  22. Multiple languages
  23. Switch to a PHP framework such as Zend, Symfony or php-cake?
  24. Demo WebGUI: graphs not working (HO)
  25. Dot in Edit end device
  26. config $auth mode from the config table, not from web1.config.inc

 

Done (issues fixed, for reference purposes)

- Aside from these notes, see the svn (subversion) changelog in the v3 branch, CHANGES in the web directory and README.webnew.

  1. View Guilog and serverlog tables
  2. Show vlan and other config tables.
  3. Add graph GUI's: make the OO oriented
  4. GuiEditDevice
    • On update/delete, insert into guilog
    • Add more under 'Admin information'
  5. Left align fields?
  6. If there is no 'action', hide that column
  7. Test that all functions in the old GUI also working in the new one

Add MAC Vendor column to unknowns.php

I can only delete a record (using the "delete" option to the left) if I
first "edit" a record. It can be any record in any query. If the first
thing I try to do is delete a record I get "Invalid Argument".

"/etc/logrotate.d/syslog-ng" not setting permissions correctly:
ls -al /var/log/messages
-rw-r----- 1 root adm 24550093 2008-02-26 06:53 /var/log/messages
(Adapt the syslog-ng config file, or set a cron entry after log rotation: 'chgrp freenac /var/log/messages /var/log/debug'.)

See also the forum thread http://freenac.net/phpBB2/viewtopic.php?p=1348

Fix used id=2 Edit device: restart port option

Port comments containing "<>" are stripped and not visible in the WebGUI

Security: escaping of output.

Add helpdesk role. 

Pending issues: Windows interface

Introduction

This page is used as a sort of bug tracking system for known issues, next fixes, what is done etc. for the Windows FreeNAC GUI. It tracks changes since V3.0. Bugzilla is not used because it is considered slow and clunky. We may use Trac later, but for now...

If you want to have something moved up to priority, or submit a new entry, please use the Support forum, or the comments below.

Issues: priority

  • None

Issues: others

  1. Lookups: don't allow location 1 (default) to be changed
  2. Overview: Right click *several* rows to set status or vlan.
  3. if you add a new vlan to the windows gui, you need to close the gui and restart it in order for the vlan to show up under the "edit devices" section
    http://freenac.net/phpBB2/viewtopic.php?t=258
  4. New Wsus tab: list systems & expand to list of patches. Right click to edit end device.
  5. Edit:
    • user lookups: need to post for details to appear.
    • User drop down list only shows Username
    • vlan colour by lookup, not just INO
  6. Admin: Add snmp scan-now button?
  7. Config: tick boxes to enable modules
  8. Vlans: Allow colour to be changed in GUI?
  9. Edit cabletype table
  10. Users: Add search or lookup. Sync with user for this device from the edit tab
  11. Ports:
    • Ports page sometime slow to load
    • copy/move popup from ports to switches, ports -> pop patch
    • right click to get patch details, or add office & users
    • right click to delete several selected ports?
    • you can change switch name & port name (even though these are normally documented automatically), which allows for a manipulation error. We need to be able to change these fields to insert new ports though.
  12. Switches
    • The 'shutdown' field in the sub-port list is not displaying correctly. (An analysis of the configuration of the grid element has not explained why).
  13. Reporting:
    • OS versions, end-device security.
    • autosize columns, they are too big.
    • New statistics window?
    • Create reporting directory with some standard layouts?
  14. Patchcable: show etage01
  15. Performance:
    • Unknowns don't appear fast enough in the GUI?
    • Load the 'Computer users in office' query on startup, only once, and save in memory?
    • What else can be done to improve speed?
  16. Delphi: clean-up & publish sources? We need several, proprietary libraries anyway (MyDac, cxgrid), so will GPL'ing it help much?
  17. The ChangeDate field in the systems table is a string instead of a datetime field.

 

Done

See the CHANGELOG file in the repository directory where vmps.exe and vmps.xml are stored, e.g.

http://opennac.svn.sourceforge.net/viewvc/opennac/branches/3.0/WindowsGUI/CHANGELOG.txt?view=markup


TNC notes

To do: start off by providing links to the current relevant FreeNAC docs, and to the Uni Hannover papers, current diagrams and the brainstorm ideas we documented...

TCG:
https://www.trustedcomputinggroup.org/groups/network/

Hannover:

http://www.inform.fh-hannover.de/de/forschung/forschungsprojekte/tnc/

 

Microsoft links (where are the API definitions etc.?):

http://www.microsoft.com/presspass/press/2007/may07/05-21NAPTNCPR.mspx

https://www.trustedcomputinggroup.org/news/Industry_Data/TNC_NAP_white_p...

Diverse notes & Frequently asked questions

Notes

This section contains diverse notes & links. It's a good place to paste summaries of forum discussions, for example.

Wake on LAN (WoL)

Some users have used WoL, (see http://freenac.net/phpBB2/viewtopic.php?t=78& ) but a request to Cisco explained the following.

WoL and Dynamic VLANs are not compatible because when the PC is shut down, the NIC will be powered down for a split second. This causes the switch to detect the link-down event and to un-assign the port. When the NIC comes back online, the port does not belong to any VLAN and since no frames are received by the port, it would never initiate VMPS queries or forward broadcast/multicast to the device connected to it.

You can verify this in the logs of the switch: connect a computer to one port of the switch, shut down the computer and you will see a log on the switch that shows that the port went down and then back up. Make sure to enable the link-status log on the interface for the switch to show when it goes up/down; the command to enable it is 'logging event link-status' and it is applied in the interface configuration.

Unmanaged systems on dynamic ports?

Through the use of snmp_scan.php we can document the systems which are on a switch and how the port has been configured (static, dynamic, trunk). If a device is on a static port, snmp_scan will document it as an unmanaged system. This system is supposed to always use the same port and therefore the same vlan.

But what happens when we move an unmanaged system to a dynamic port?

When such a case arises, the device is not connected to the network. On the FreeNAC server we don't see any requests coming in when we plug the unmanaged device into the dynamic port. On the switch we see that the port goes down and up, but it doesn't generate a VMPS request. So far we can say that "nothing happens", which is odd, but it is what we've observed. More tests need to be carried out.

These tests were carried out using a Cisco Catalyst 2940 switch and a Linux machine.

Store user information in VTP domain?

Another experimental feature which we are not going to implement is the following:

When we have FreeRadius using the rad2vmps script, we wanted to know if it was possible to somehow pass user information contained in a RADIUS request to the FreeNAC database, using the field "VTP domain" which is part of any VMPS request.

In tests performed, we were able to get the username from the VTP domain, but we wanted to gather more information, such as:

  • Username
  • Domain
  • Radius port
  • Authentication mechanism
  • Commentary

Since the VTP domain field only has space for 33 characters, this solution is neither practical, nor elegant, nor adequate.