Hello Fabrice and all,
This is me again. A simple typo ended up being the problem.
So now the IP logging works but not the introduction of the "end time"
record when the port goes down, Looks like the switch communicates it just
fine but the PF server fails to acknowledge it for some reason.
And, once again, the question remains - what is the SOP for introducing the
changes like this into the mainline codebase? I think it makes sense to do
that - this is a useful feature to be able to use your RADIUS accounting to
keep track of where you are regardless of the state of your DHCP reporting.
Thanks again for all the help.
Cheers,
Boris.
On Thu, May 21, 2015 at 6:58 PM, Boris Epstein <[email protected]> wrote:
> Fabrice,
>
> I tried introducing this code line into different locations (before and
> after the other calls to send_rpc_request) but that so far has made no
> difference as my IP log is still nil. Likewise, in the location log the end
> time is never entered when I disconnect the cable (i.e., end the
> connection), only when I establish it again to a different port.
>
> Also, I have a question. I guess I am going to dig deeper into the code.
> What is the SOP for testing/validating/checking it in?
>
> Thanks again,
>
> Boris.
>
>
> On Wed, May 20, 2015 at 9:16 AM, Fabrice DURAND <[email protected]>
> wrote:
>
>> Hello Boris,
>>
>> so it wont be to complicate to update the iplog based on the accounting
>> data.
>> The magic will be there :
>> https://github.com/inverse-inc/packetfence/blob/devel/raddb/packetfence.pm#L321
>> with something like:
>> $data = send_rpc_request($config, " update_iplog", {mac => $mac, ip =>
>> $RAD_REQUEST{'Framed-IP-Address'}}) if ($RAD_REQUEST{'Framed-IP-Address'} );
>>
>>
>> Let me know if it works.
>>
>> Regards
>> Fabrice
>>
>>
>> Le 2015-05-19 19:20, Boris Epstein a écrit :
>>
>> Hello listmates,
>>
>> OK, as we previously discussed, it should be possible for the PF server
>> to record if the RADIUS accounting from the switch delivers the data. It
>> appears to do so just fine (see the slightly censored excerpt of a TCPDUMP
>> file):
>>
>> 18:36:44.550794 IP (tos 0x0, ttl 255, id 5884, offset 0, flags [none],
>> proto UDP (17), length 181)
>> 192.168.48.103.sa-msg-port > 192.168.48.100.radius-acct: RADIUS,
>> length: 153
>> Accounting Request (4), id: 0x3a, Authenticator: <censored>
>> Accounting Session ID Attribute (44), length: 10, Value:
>> 0000001C
>> Framed IP Address Attribute (8), length: 6, Value: 192.168.22.51
>> Username Attribute (1), length: 14, Value: 00256440e361
>> Accounting Authentication Attribute (45), length: 6, Value:
>> RADIUS
>> Accounting Status Attribute (40), length: 6, Value: Start
>> NAS Port Type Attribute (61), length: 6, Value: Ethernet
>> NAS Port Attribute (5), length: 6, Value: 50123
>> NAS Port ID Attribute (87), length: 23, Value:
>> GigabitEthernet1/0/23
>> Called Station Attribute (30), length: 19, Value:
>> 00-11-BB-68-B5-17
>> Calling Station Attribute (31), length: 19, Value:
>> 00-25-64-40-E3-61
>> Service Type Attribute (6), length: 6, Value: Framed
>> NAS IP Address Attribute (4), length: 6, Value: 192.168.48.103
>> Accounting Delay Attribute (41), length: 6, Value: 00 secs
>>
>> So now the question is, how do I get the PF server to read this data and
>> display it?
>>
>> Thanks again for any and all help.
>>
>> Cheers,
>>
>> Boris.
>>
>>
>> On Sun, May 17, 2015 at 12:22 PM, Boris Epstein <[email protected]>
>> wrote:
>>
>>> Hello all,
>>>
>>> Thanks again for all the input. Here is the basic diagram of the setup.
>>>
>>> Picture the following setup.
>>>
>>> You have the main network - let us call it "Headquarters" (HQ). Then
>>> you have multiple Satelite offices/networks. We will call them SAT1, SAT2,
>>> etc. For the purposes of this discussion they are all equivalent to each
>>> other. The only networking that exists between HQ and the SAT networks is
>>> untagged IP hence it is not possible to have a VLAN that exists in more
>>> than one location (i.e. no VLAN can span accross those WAN links).
>>>
>>> You have a Cisco switch (or multiple switches) at each of these
>>> locations. The one at HQ we will call sw-hq, the one at SAT1 we will call
>>> sw-sat1, etc.
>>>
>>> We have a PF server - let us call if pf-serv
>>>
>>> So here is our HQ network:
>>>
>>> pf-serv <------> sw-hq <=========> node1, node2, node3
>>>
>>> Here is the SAT1 network:
>>>
>>> sw-sat1 <==============> node1, node2, etc.
>>>
>>>
>>> In this notation <----> denotes IP connection, <=====> denotes direct
>>> Level 2 connection (Ethernet connection of a node to a switch).
>>>
>>> All of the switches have VLAN's defined on you. I used a non-overlapping
>>> numbering schema:
>>>
>>> in HQ:
>>> registration - VLAN2
>>> isolation - VLAN3
>>> voice - VLAN6
>>> production - VLAN7
>>>
>>> in SAT1:
>>> registration - VLAN12
>>> isolation - VLAN13
>>> voice - VLAN16
>>> production - VLAN17
>>>
>>> in SAT2:
>>> registration - VLAN22
>>> isolation - VLAN23
>>> voice - VLAN26
>>> production - VLAN27
>>>
>>> So, once again: the only way pf-serv can communicate to any of the
>>> switches is pure IP (SNMP, radius, DHCP, whatever).
>>>
>>> I hope this makes sense.
>>>
>>> At this point, I can get my switches to switch VLAN's as directed by the
>>> pf-serv. One thing I can not get to do is get the switches to report the
>>> IP's to pf-serv.
>>>
>>> And this is the stumbling block at this point.
>>>
>>> Once again - thanks for the great input I already got and thanks in
>>> advance for any and all feedback to come.
>>>
>>> Cheers,
>>>
>>> Boris.
>>>
>>>
>>> On Fri, May 15, 2015 at 9:14 AM, Fabrice DURAND <[email protected]>
>>> wrote:
>>>
>>>> Hello Boris,
>>>>
>>>> in fact if you find a way to have a couple mac/ip then we will be able
>>>> to update iplog.
>>>>
>>>> In other setup we did it by:
>>>> arp traffic
>>>> udp reflector
>>>> radius accounting
>>>>
>>>> and it should probably possible to do it with netflow traffic.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>>
>>>> Le 2015-05-15 09:08, Boris Epstein a écrit :
>>>>
>>>> Hello Fabrice,
>>>>
>>>> Thanks very much for your response. Yes, I will put together a
>>>> diagram.
>>>>
>>>> I have looked into the RADIUS log and accounting packet content from
>>>> a tcpdump capture and couldn't immediately see data on IP addresses. Where
>>>> specifically should I be looking for?
>>>>
>>>> And this goes back to the question I raised earlier, the question
>>>> being, is it necessary to use DHCP to update the PF server on the nodes' IP
>>>> addresses? My thought was it shouldn't be as there are other ways to obtain
>>>> that information; sounds like you are basically backing up this idea.
>>>>
>>>> Once again, that you very much for your help.
>>>>
>>>> Cheers,
>>>>
>>>> Boris.
>>>>
>>>>
>>>> On Fri, May 15, 2015 at 8:29 AM, Fabrice DURAND <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> i take the discussion on the fly but did you check if in the radius
>>>>> accounting you have informations about the ip of the device ?
>>>>> Sometimes it's the case and we will probably be able to update the
>>>>> iplog in this way.
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>> Le 2015-05-15 06:25, Tim DeNike a écrit :
>>>>>
>>>>> Yeah, just a basic diagram so we can see what other options there
>>>>> might be.
>>>>>
>>>>> On Thu, May 14, 2015 at 12:20 PM, Boris Epstein <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hello everyone,
>>>>>>
>>>>>> Thank you very much for your thoughtful responses.
>>>>>>
>>>>>> Tim, is there anything specific you mean by "Chicken scratch network
>>>>>> diagram" - or do you just mean any basic schematic outline? Let me work
>>>>>> on
>>>>>> that - that is a good idea to diagram it for sure.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Boris.
>>>>>>
>>>>>>
>>>>>> On Thu, May 14, 2015 at 11:34 AM, Tim DeNike <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Your other option if you don't want to run a DHCP server outside of
>>>>>>> the switches is to run the remote arp sensor on a box attached to the
>>>>>>> switch (Ive never tried it), or setup a mirror port and mirror traffic
>>>>>>> to
>>>>>>> PF.
>>>>>>>
>>>>>>> I really don't know if the dhcp relay will work with the dhcp
>>>>>>> server enabled. Id guess not.
>>>>>>>
>>>>>>> Chicken scratch network diagram would be helpful.
>>>>>>>
>>>>>>> But seriously.. Look into running a couple central DHCP servers..
>>>>>>> much easier to maintain in the long run (IMHO).
>>>>>>>
>>>>>>> On Thu, May 14, 2015 at 11:21 AM, Derek Wuelfrath <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hello Boris,
>>>>>>>>
>>>>>>>> Most of the time, iphelpers are doing the job. Can you explain
>>>>>>>> what is ‘not working’ ?
>>>>>>>>
>>>>>>>> In your current setup, the DHCP server is running on the switch
>>>>>>>> at the edge or is it on a ‘core switch’ ? Let’s say you have 3 access
>>>>>>>> switches, connected back to one core switch, but doing L3 (VLANs stays
>>>>>>>> at
>>>>>>>> the access switches level). DHCP server is on the access switches or
>>>>>>>> on the
>>>>>>>> core switch ?
>>>>>>>>
>>>>>>>> The things is, I’m unsure if, when the DHCP server running on the
>>>>>>>> same switch where the VLAN is ending (L2 connectivity), iphelpers can
>>>>>>>> do
>>>>>>>> the job.
>>>>>>>>
>>>>>>>> If you can share a network design, that’d be great… I guess… ;)
>>>>>>>>
>>>>>>>> (Sorry if it was part of a previous discussion, I clicked the
>>>>>>>> link which was leading me to another previous conversation, which was
>>>>>>>> also
>>>>>>>> leading me to another discussion… I’ve been lost in the Matrix while
>>>>>>>> trying
>>>>>>>> to figure out which conversation was the initial one!)
>>>>>>>>
>>>>>>>> Cheers!
>>>>>>>> dw.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Derek Wuelfrath
>>>>>>>> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153
>>>>>>>> (x110)
>>>>>>>> Inverse inc. (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu)
>>>>>>>> and PacketFence (www.packetfence.org)
>>>>>>>>
>>>>>>>> On May 14, 2015 at 06:12:01, Boris Epstein ([email protected])
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>> I have raised the issue previously:
>>>>>>>>
>>>>>>>>
>>>>>>>> http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg08765.html
>>>>>>>>
>>>>>>>> Basically, the issue is that I am trying to run a DHCP server on
>>>>>>>> my Cisco IOS (Catalyst) switches while I run my PF server that only
>>>>>>>> has IP
>>>>>>>> connectivity to them (no VLAN connectivity as VLAN's are local to the
>>>>>>>> switches).
>>>>>>>>
>>>>>>>> The setup requires that IP update/status info for all nodes be
>>>>>>>> communicated back to the PF server. That is not happening for some
>>>>>>>> reason -
>>>>>>>> at least not via the Cisco's "ip helper-address" mechanism.
>>>>>>>>
>>>>>>>> So the question fundamentally is - how do I do that? What
>>>>>>>> implementations do any of you have out there that accomplish it? Sounds
>>>>>>>> like some people have DHCP servers separate from PF and switches. OK,
>>>>>>>> that
>>>>>>>> is an idea. What other implementations are out there?
>>>>>>>>
>>>>>>>> If you don't mind sharing that I will be very thankful.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Boris.
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> One dashboard for servers and applications across
>>>>>>>> Physical-Virtual-Cloud
>>>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>>>> Insights
>>>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>>>>
>>>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y_______________________________________________
>>>>>>>> PacketFence-users mailing list
>>>>>>>> [email protected]
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> One dashboard for servers and applications across
>>>>>>>> Physical-Virtual-Cloud
>>>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>>>> Insights
>>>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>>>> _______________________________________________
>>>>>>>> PacketFence-users mailing list
>>>>>>>> [email protected]
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> One dashboard for servers and applications across
>>>>>>> Physical-Virtual-Cloud
>>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>>> Insights
>>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> One dashboard for servers and applications across
>>>>>> Physical-Virtual-Cloud
>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>> Insights
>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>>> Deep dive visibility with transaction tracing using APM
>>>>> Insight.http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PacketFence-users mailing
>>>>> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>>>> www.inverse.ca
>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>>> (http://packetfence.org)
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> One dashboard for servers and applications across
>>>>> Physical-Virtual-Cloud
>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>> Performance metrics, stats and reports that give you Actionable
>>>>> Insights
>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>> Deep dive visibility with transaction tracing using APM
>>>> Insight.http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing
>>>> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>>
>>>>
>>>> --
>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>>> www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>> (http://packetfence.org)
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>>
>>>
>>
>>
>> ------------------------------------------------------------------------------
>> One dashboard for servers and applications across Physical-Virtual-Cloud
>> Widest out-of-the-box monitoring support with 50+ applications
>> Performance metrics, stats and reports that give you Actionable Insights
>> Deep dive visibility with transaction tracing using APM
>> Insight.http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing
>> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>>
>> --
>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>> www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>> ------------------------------------------------------------------------------
>> One dashboard for servers and applications across Physical-Virtual-Cloud
>> Widest out-of-the-box monitoring support with 50+ applications
>> Performance metrics, stats and reports that give you Actionable Insights
>> Deep dive visibility with transaction tracing using APM Insight.
>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
