Hello Boris,

so it won't be too complicated to update the iplog based on the accounting data.

The magic will be there:
https://github.com/inverse-inc/packetfence/blob/devel/raddb/packetfence.pm#L321

with something like:

    # send the MAC/IP pair only when the accounting packet carries an IP
    $data = send_rpc_request($config, "update_iplog", {mac => $mac, ip => $RAD_REQUEST{'Framed-IP-Address'}}) if ($RAD_REQUEST{'Framed-IP-Address'});

Let me know if it works.

Regards
Fabrice

On 2015-05-19 19:20, Boris Epstein wrote:
> Hello listmates,
>
> OK, as we previously discussed, it should be possible for the PF
> server to record if the RADIUS accounting from the switch delivers the
> data. It appears to do so just fine (see the slightly censored excerpt
> of a TCPDUMP file):
>
> 18:36:44.550794 IP (tos 0x0, ttl 255, id 5884, offset 0, flags [none], proto UDP (17), length 181)
>     192.168.48.103.sa-msg-port > 192.168.48.100.radius-acct: RADIUS, length: 153
>         Accounting Request (4), id: 0x3a, Authenticator: <censored>
>           Accounting Session ID Attribute (44), length: 10, Value: 0000001C
>           Framed IP Address Attribute (8), length: 6, Value: 192.168.22.51
>           Username Attribute (1), length: 14, Value: 00256440e361
>           Accounting Authentication Attribute (45), length: 6, Value: RADIUS
>           Accounting Status Attribute (40), length: 6, Value: Start
>           NAS Port Type Attribute (61), length: 6, Value: Ethernet
>           NAS Port Attribute (5), length: 6, Value: 50123
>           NAS Port ID Attribute (87), length: 23, Value: GigabitEthernet1/0/23
>           Called Station Attribute (30), length: 19, Value: 00-11-BB-68-B5-17
>           Calling Station Attribute (31), length: 19, Value: 00-25-64-40-E3-61
>           Service Type Attribute (6), length: 6, Value: Framed
>           NAS IP Address Attribute (4), length: 6, Value: 192.168.48.103
>           Accounting Delay Attribute (41), length: 6, Value: 00 secs
>
> So now the question is, how do I get the PF server to read this data
> and display it?
>
> Thanks again for any and all help.
>
> Cheers,
>
> Boris.
>
>
> On Sun, May 17, 2015 at 12:22 PM, Boris Epstein <[email protected]> wrote:
>
> Hello all,
>
> Thanks again for all the input. Here is the basic diagram of the
> setup.
>
> Picture the following setup.
>
> You have the main network - let us call it "Headquarters" (HQ).
> Then you have multiple Satellite offices/networks. We will call
> them SAT1, SAT2, etc.
> For the purposes of this discussion they are
> all equivalent to each other. The only networking that exists
> between HQ and the SAT networks is untagged IP hence it is not
> possible to have a VLAN that exists in more than one location
> (i.e. no VLAN can span across those WAN links).
>
> You have a Cisco switch (or multiple switches) at each of these
> locations. The one at HQ we will call sw-hq, the one at SAT1 we
> will call sw-sat1, etc.
>
> We have a PF server - let us call it pf-serv
>
> So here is our HQ network:
>
> pf-serv <------> sw-hq <=========> node1, node2, node3
>
> Here is the SAT1 network:
>
> sw-sat1 <==============> node1, node2, etc.
>
>
> In this notation <----> denotes IP connection, <=====> denotes
> direct Level 2 connection (Ethernet connection of a node to a switch).
>
> All of the switches have VLAN's defined on you. I used a
> non-overlapping numbering schema:
>
> in HQ:
> registration - VLAN2
> isolation - VLAN3
> voice - VLAN6
> production - VLAN7
>
> in SAT1:
> registration - VLAN12
> isolation - VLAN13
> voice - VLAN16
> production - VLAN17
>
> in SAT2:
> registration - VLAN22
> isolation - VLAN23
> voice - VLAN26
> production - VLAN27
>
> So, once again: the only way pf-serv can communicate to any of the
> switches is pure IP (SNMP, radius, DHCP, whatever).
>
> I hope this makes sense.
>
> At this point, I can get my switches to switch VLAN's as directed
> by the pf-serv. One thing I can not get to do is get the switches
> to report the IP's to pf-serv.
>
> And this is the stumbling block at this point.
>
> Once again - thanks for the great input I already got and thanks
> in advance for any and all feedback to come.
>
> Cheers,
>
> Boris.
>
>
> On Fri, May 15, 2015 at 9:14 AM, Fabrice DURAND <[email protected]> wrote:
>
> Hello Boris,
>
> in fact if you find a way to have a couple mac/ip then we will
> be able to update iplog.
>
> In other setups we did it by:
> arp traffic
> udp reflector
> radius accounting
>
> and it should probably be possible to do it with netflow traffic.
>
> Regards
> Fabrice
>
>
> On 2015-05-15 09:08, Boris Epstein wrote:
>> Hello Fabrice,
>>
>> Thanks very much for your response. Yes, I will put together
>> a diagram.
>>
>> I have looked into the RADIUS log and accounting packet
>> content from a tcpdump capture and couldn't immediately see
>> data on IP addresses. Where specifically should I be looking for?
>>
>> And this goes back to the question I raised earlier, the
>> question being, is it necessary to use DHCP to update the PF
>> server on the nodes' IP addresses? My thought was it
>> shouldn't be as there are other ways to obtain that
>> information; sounds like you are basically backing up this idea.
>>
>> Once again, thank you very much for your help.
>>
>> Cheers,
>>
>> Boris.
>>
>>
>> On Fri, May 15, 2015 at 8:29 AM, Fabrice DURAND <[email protected]> wrote:
>>
>> Hi,
>>
>> I take the discussion on the fly but did you check if in
>> the radius accounting you have information about the IP
>> of the device?
>> Sometimes it's the case and we will probably be able to
>> update the iplog in this way.
>>
>> Regards
>> Fabrice
>>
>> On 2015-05-15 06:25, Tim DeNike wrote:
>>> Yeah, just a basic diagram so we can see what other
>>> options there might be.
>>>
>>> On Thu, May 14, 2015 at 12:20 PM, Boris Epstein <[email protected]> wrote:
>>>
>>> Hello everyone,
>>>
>>> Thank you very much for your thoughtful responses.
>>>
>>> Tim, is there anything specific you mean by "Chicken
>>> scratch network diagram" - or do you just mean any
>>> basic schematic outline? Let me work on that - that
>>> is a good idea to diagram it for sure.
>>>
>>> Cheers,
>>>
>>> Boris.
>>>
>>>
>>> On Thu, May 14, 2015 at 11:34 AM, Tim DeNike <[email protected]> wrote:
>>>
>>> Your other option if you don't want to run a
>>> DHCP server outside of the switches is to run
>>> the remote arp sensor on a box attached to the
>>> switch (I've never tried it), or set up a mirror
>>> port and mirror traffic to PF.
>>>
>>> I really don't know if the dhcp relay will work
>>> with the dhcp server enabled. I'd guess not.
>>>
>>> Chicken scratch network diagram would be helpful.
>>>
>>> But seriously.. Look into running a couple
>>> central DHCP servers.. much easier to maintain
>>> in the long run (IMHO).
>>>
>>> On Thu, May 14, 2015 at 11:21 AM, Derek Wuelfrath <[email protected]> wrote:
>>>
>>> Hello Boris,
>>>
>>> Most of the time, iphelpers are doing the
>>> job. Can you explain what is ‘not working’?
>>>
>>> In your current setup, the DHCP server is
>>> running on the switch at the edge or is it
>>> on a ‘core switch’? Let’s say you have 3
>>> access switches, connected back to one core
>>> switch, but doing L3 (VLANs stays at the
>>> access switches level). DHCP server is on
>>> the access switches or on the core switch?
>>>
>>> The thing is, I’m unsure if, when the DHCP
>>> server running on the same switch where the
>>> VLAN is ending (L2 connectivity), iphelpers
>>> can do the job.
>>>
>>> If you can share a network design, that’d be
>>> great… I guess… ;)
>>>
>>> (Sorry if it was part of a previous
>>> discussion, I clicked the link which was
>>> leading me to another previous conversation,
>>> which was also leading me to another
>>> discussion… I’ve been lost in the Matrix
>>> while trying to figure out which
>>> conversation was the initial one!)
>>>
>>> Cheers!
>>> dw.
>>>
>>> --
>>> Derek Wuelfrath
>>> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
>>> Inverse inc.
>>> (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu) and
>>> PacketFence (www.packetfence.org)
>>>
>>> On May 14, 2015 at 06:12:01, Boris Epstein ([email protected]) wrote:
>>>
>>>> Hello all,
>>>>
>>>> I have raised the issue previously:
>>>>
>>>> http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg08765.html
>>>>
>>>> Basically, the issue is that I am trying to
>>>> run a DHCP server on my Cisco IOS
>>>> (Catalyst) switches while I run my PF
>>>> server that only has IP connectivity to
>>>> them (no VLAN connectivity as VLAN's are
>>>> local to the switches).
>>>>
>>>> The setup requires that IP update/status
>>>> info for all nodes be communicated back to
>>>> the PF server. That is not happening for
>>>> some reason - at least not via the Cisco's
>>>> "ip helper-address" mechanism.
>>>>
>>>> So the question fundamentally is - how do I
>>>> do that? What implementations do any of you
>>>> have out there that accomplish it? Sounds
>>>> like some people have DHCP servers separate
>>>> from PF and switches. OK, that is an idea.
>>>> What other implementations are out there?
>>>>
>>>> If you don't mind sharing that I will be
>>>> very thankful.
>>>>
>>>> Cheers,
>>>>
>>>> Boris.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> One dashboard for servers and applications
>>>> across Physical-Virtual-Cloud
>>>> Widest out-of-the-box monitoring support
>>>> with 50+ applications
>>>> Performance metrics, stats and reports that
>>>> give you Actionable Insights
>>>> Deep dive visibility with transaction
>>>> tracing using APM Insight.
>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>> Fabrice Durand
>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>> PacketFence (http://packetfence.org)
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> PacketFence (http://packetfence.org)

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
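
Added example (not from the thread and not PacketFence code): extracting the MAC/IP pair from an Accounting-Request like the one in the tcpdump excerpt, and refusing the pair unless the RFC 2866 request authenticator verifies against the shared secret, since the packet arrives over plain UDP. The function names, the shared secret and the rule of accepting only Start and Interim-Update are assumptions, and the sample packet is constructed from the excerpt's values.

```python
import hashlib
import hmac
import ipaddress
import struct

FRAMED_IP, CALLING_STATION, ACCT_STATUS = 8, 31, 40  # numbers as in the excerpt
def _digest(packet, secret):
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()

def build_request(ident, attrs, secret):
    """Constructed Accounting-Request (code 4), used only as sample input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", 4, ident, 20 + len(body))
    return head + _digest(head + bytes(16) + body, secret) + body

def mac_ip_pair(packet, secret):
    """Return (mac, ip) from an authentic Start/Interim-Update, else None."""
    if len(packet) < 20:
        return None
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        return None
    packet = packet[:length]
    if not hmac.compare_digest(_digest(packet, secret), packet[4:20]):
        return None  # wrong secret or altered packet: leave the iplog alone
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            return None  # malformed attribute
        attrs.setdefault(packet[pos], packet[pos + 2:pos + alen])
        pos += alen
    status = int.from_bytes(attrs.get(ACCT_STATUS, b""), "big")
    ip_raw = attrs.get(FRAMED_IP, b"")
    if status not in (1, 3) or len(ip_raw) != 4:  # 1 = Start, 3 = Interim-Update
        return None
    mac = attrs.get(CALLING_STATION, b"").decode("ascii", "replace").lower()
    mac = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(mac) != 12 or any(c not in "0123456789abcdef" for c in mac):
        return None
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2)), str(ipaddress.IPv4Address(ip_raw))

SECRET = b"constructed-secret"  # constructed; the thread does not give one
SAMPLE = build_request(0x3A, [  # constructed packet mirroring the excerpt's values
    (ACCT_STATUS, struct.pack("!I", 1)),
    (FRAMED_IP, ipaddress.IPv4Address("192.168.22.51").packed),
    (CALLING_STATION, b"00-25-64-40-E3-61"),
], SECRET)
```

`mac_ip_pair(SAMPLE, SECRET)` yields the normalized pair; a packet signed with a different secret, altered in transit, truncated, or carrying a Stop status yields `None`.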
