Hi there,

I just made a quick patch to support "roles" on Cisco Catalyst switches.
I tried it with the latest IOS (15.0), and it is working.
The roles should be defined in the following way:

<acl number>:in

Then, on the switch, an ACL should be created with the same number. If the ACL 
is not found, the switch will try to download it from RADIUS. If you prefer, 
you can define the ACLs there.

On the switch:

ip access-list extended default_acl
 permit ip any any
!
interface FastEthernet0/7
 switchport mode access
 switchport voice vlan 706
 ip access-group default_acl in
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 spanning-tree portfast
end
!
access-list 2000 deny   ip any 10.211.200.0 0.0.0.255
access-list 2000 permit ip any any
!
radius-server vsa send authentication
aaa authorization network default group packetfence


Under switches.conf:
[my_switch_ip]
(...)
roles=admin=2000.in;



The patch:

--- packetfence-3.4.1/lib/pf/SNMP/Cisco/Catalyst_2960.pm        2012-06-18 
16:19:50.000000000 +0100
+++ packetfence-3.4.1-catalyst2960/lib/pf/SNMP/Cisco/Catalyst_2960.pm   
2012-06-20 11:09:04.973338402 +0100
@@ -126,6 +126,7 @@ use pf::util;
 # access technology supported
 sub supportsWiredMacAuth { return $TRUE; }
 sub supportsWiredDot1x { return $TRUE; }
+sub supportsRoleBasedEnforcement { return $TRUE; }
 # VoIP technology supported
 sub supportsRadiusVoip { return $TRUE; }
 # override 2950's FALSE
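Review bot: the new `supportsRoleBasedEnforcement` line is filed under the `# access technology supported` comment next to the MAB and 802.1X capabilities, but role enforcement is an authorization feature rather than an access technology; give it its own one-line comment so the capability list stays readable. Since the post says this was only verified on IOS 15.0, record the tested release there (or in the module POD), as this module covers the whole Catalyst 2960 line.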
@@ -347,6 +348,19 @@ sub getVoipVsa {

 =back

+=item returnRoleAttribute
+
+What RADIUS Attribute (usually VSA) should the role returned into.
+
+=cut
+sub returnRoleAttribute {
+    my ($this) = @_;
+
+    return 'Framed-Filter-Id';
+}
+
+=back
+
 =head1 AUTHOR

 Dominik Gehl <dg...@inverse.ca>
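Review bot: the added POD is structurally wrong: `=item returnRoleAttribute` is inserted after the existing `=back` that closes the method list, so the item sits outside any `=over` block, and the extra `=back` added at the end then has no matching `=over`; `podchecker` will flag both. Move the new `=item ... =cut` block above the existing `=back` and drop the second `=back`. The description line also reads awkwardly; "Which RADIUS attribute (usually a VSA) the role should be returned in." would be clearer. Finally, the returned name `Framed-Filter-Id` has to resolve in the RADIUS server's dictionary; RFC 2865 names attribute 11 `Filter-Id`, so confirm that the dictionary in use knows `Framed-Filter-Id` before relying on it.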


Regards.
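An added configuration check, not from the post or from PacketFence itself, that reads a `roles=` line in the switches.conf form shown above and the switch's running config, and reports roles whose ACL is not defined on the switch (which the post says triggers a RADIUS download) or whose value is not in the `<acl number>.in` form; the stanza and config excerpt are constructed samples.

```python
import re

# Constructed switches.conf stanza in the roles=name=value; form used in the post.
SWITCHES_CONF = """[10.0.0.1]
type=Cisco::Catalyst_2960
roles=admin=2000.in;guest=2001.in;staff=2000;
"""

# Constructed running-config excerpt in the style quoted in the post.
RUNNING_CONFIG = """ip access-list extended default_acl
 permit ip any any
!
access-list 2000 deny   ip any 10.211.200.0 0.0.0.255
access-list 2000 permit ip any any
!
"""

# Role value must be "<acl number>.in"; the post defines only the inbound form.
ROLE_RE = re.compile(r"^(?P<acl>\d+)\.in$")
ACL_DEF_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")


def parse_roles(conf_text):
    """Return {role: value} from the roles= line of a switches.conf stanza."""
    roles = {}
    for line in conf_text.splitlines():
        if line.startswith("roles="):
            for pair in line[len("roles="):].split(";"):
                if "=" in pair:
                    role, value = pair.split("=", 1)
                    roles[role.strip()] = value.strip()
    return roles


def switch_acls(config_text):
    """Collect the numbered and named ACLs defined in a running-config excerpt."""
    acls = set()
    for line in config_text.splitlines():
        m = ACL_DEF_RE.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def audit_roles(conf_text, config_text):
    """Return [(role, problem)] for role values that would not apply cleanly on the switch."""
    problems = []
    defined = switch_acls(config_text)
    for role, value in parse_roles(conf_text).items():
        m = ROLE_RE.match(value)
        if not m:
            problems.append((role, "malformed value %r, expected <acl number>.in" % value))
        elif m.group("acl") not in defined:
            problems.append((role, "ACL %s is not on the switch; it would be fetched from RADIUS" % m.group("acl")))
    return problems
```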
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel
