Phil Mayers wrote:
> All,
> I'm moving our legacy switches over to the VMPS support in FreeRadius 2
> and I'm aware there are others on the list who have done this.
>
> I'm seeing several different formats of VMPS request. The "easy" ones
> are from older switches e.g. cisco 1900s:
>
> VMPS-Packet-Type = VMPS-Join-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 2207055872
> VMPS-Client-IP-Address = 172.28.72.65
> VMPS-Port-Name = "22"
> VMPS-VLAN-Name = "PROD"
> VMPS-Domain-Name = "HOR-PG"
> VMPS-Unknown = 0x00
> VMPS-MAC = 00:01:4a:f8:93:e5
>
> However, newer switches e.g. Cisco 3500XL are sending Reconfirm-Request
> packets with no MAC (but with a cookie):
>
> VMPS-Packet-Type = VMPS-Reconfirm-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 13320
> VMPS-Client-IP-Address = 172.28.72.50
> VMPS-Port-Name = "Fa0/1"
> VMPS-VLAN-Name = "PROD"
> VMPS-Unknown = 0x01
> VMPS-Cookie = 00:1b:78:a5:96:e0
>
> How do I need to respond to these? It seems that if I return a
> Join-Response it will simply be obeyed, but I'm worried it will explode
> later. Do I need to return a Reconfirm-Response with a Deny if the
> requested vlan is different to the desired one, or a permit otherwise?

All,

From what I can tell, the following is true:

The actual value of reply:VMPS-Packet-Type seems to be irrelevant - VMPS
replies do not contain anything to distinguish between Join and
Reconfirm responses.

The value of VQP-Error-Code may make a difference; the code in OpenVMPS
seems to work like this:

* request comes in
* extract ethernet address from mac field (0xc06), other mac field
  (0xc08, which FreeRadius calls VMPS-Cookie) or packet header
* lookup vlan for this ethernet address
* if lookup.vlan not defined:
      fail
* if lookup.vlan=='' or lookup.vlan=='--NONE--':
      fail
* if request.vlan!='' and request.vlan!='--NONE--' and
  request.vlan!=lookup.vlan:
      fail
  else:
      ok

So broadly, if there is a vlan in the request other than '' (empty
string) or '--NONE--' it must match the returned vlan; else a deny (vmps
mode == open) or shutdown (vmps mode == closed) error code is returned.

HOWEVER - at least on Cisco 3500XL running the IOS I have, returning a
permit with a different vlan than the request seems to work...

> We're also seeing from the newer switches join packets with no MAC or
> cookie, but an ethernet header:
>
> VMPS-Packet-Type = VMPS-Join-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 13329
> VMPS-Client-IP-Address = 172.28.72.50
> VMPS-Port-Name = "Fa0/3"
> VMPS-VLAN-Name = "--NONE--"
> VMPS-Unknown = 0x00
> VMPS-Ethernet-Frame = 0xffffffffffff001636e46d1b08004500015...
>
> What's the easiest way to get the MAC address out of these?

I used this in the end:
# the mac address can be in several places...
# 1. a raw ethernet frame: skip the "0x" prefix and the 6-byte destination
#    MAC, then capture the 6 bytes of the source MAC one octet at a time
#    (MyMac must be defined in the local dictionary)
if ("%{VMPS-Ethernet-Frame}" =~ /0x............(..)(..)(..)(..)(..)(..).*/) {
	update request {
		MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
	}
}
else {
	# 2. otherwise the cookie field (0xc08), falling back to the
	#    mac field (0xc06) when no cookie is present
	update request {
		MyMac = "%{%{VMPS-Cookie}:-%{VMPS-MAC}}"
	}
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
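As an added example (not code from this thread, FreeRADIUS or OpenVMPS), the MAC-extraction precedence of the unlang snippet and the OpenVMPS decision rules described above, in Python: the three sample requests and the MAC-to-VLAN table are constructed, and the ok/deny/shutdown labels stand in for whichever VMPS-Error-Code values the local dictionary defines.

```python
import re

# Constructed sample requests in the three shapes seen on the list.
# Attribute names are FreeRADIUS 2's; the values are made up for this example.
REQUESTS = {
    "1900_join": {
        "VMPS-Packet-Type": "VMPS-Join-Request",
        "VMPS-VLAN-Name": "PROD",
        "VMPS-MAC": "00:01:4a:f8:93:e5",
    },
    "3500_reconfirm": {
        "VMPS-Packet-Type": "VMPS-Reconfirm-Request",
        "VMPS-VLAN-Name": "PROD",
        "VMPS-Cookie": "00:1b:78:a5:96:e0",
    },
    "3500_join_frame": {
        "VMPS-Packet-Type": "VMPS-Join-Request",
        "VMPS-VLAN-Name": "--NONE--",
        # dst ff:ff:ff:ff:ff:ff, src 00:16:36:e4:6d:1b, ethertype 0800, payload
        "VMPS-Ethernet-Frame": "0xffffffffffff001636e46d1b08004500001c0000",
    },
}

# Same capture as the unlang regex: skip "0x" + destination MAC, take source MAC.
FRAME_RE = re.compile(r"^0x[0-9a-f]{12}((?:[0-9a-f]{2}){6})", re.I)


def mac_from_request(req):
    """Precedence as in the unlang snippet: frame source MAC, then cookie, then MAC."""
    frame = req.get("VMPS-Ethernet-Frame")
    if frame:
        m = FRAME_RE.match(frame)
        if m:
            h = m.group(1).lower()
            return ":".join(h[i:i + 2] for i in range(0, 12, 2))
    return req.get("VMPS-Cookie") or req.get("VMPS-MAC")


def vmps_decide(req, vlan_table, mode="open"):
    """OpenVMPS-style decision: returns (result, vlan) where result is
    'ok', or 'deny' (vmps mode open) / 'shutdown' (vmps mode closed)."""
    fail = "deny" if mode == "open" else "shutdown"
    vlan = vlan_table.get(mac_from_request(req))   # None: lookup.vlan not defined
    if vlan is None or vlan in ("", "--NONE--"):
        return fail, None
    requested = req.get("VMPS-VLAN-Name", "")
    if requested not in ("", "--NONE--") and requested != vlan:
        return fail, None                           # switch asked for another vlan
    return "ok", vlan
```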