Hello Boris,

On 2015-05-22 06:59, Boris Epstein wrote:
> Hello Fabrice and all,
>
> This is me again. A simple typo ended up being the problem.
>
> So now the IP logging works but not the introduction of the "end time"
> record when the port goes down. Looks like the switch communicates it
> just fine but the PF server fails to acknowledge it for some reason.
>
We just did an update_iplog if we have information about mac and ip.
Because there is no lease time in the radius accounting data we can't
set an end time.
But we can close the iplog entry on accounting stop.
> And, once again, the question remains - what is the SOP for
> introducing the changes like this into the mainline codebase? I think
> it makes sense to do that - this is a useful feature to be able to use
> your RADIUS accounting to keep track of where you are regardless of
> the state of your DHCP reporting.
>
We have to think about all the issues we can have and maybe make this
feature optional (a configuration parameter like update iplog on
accounting).
But if you want to introduce this feature in the mainline codebase, you
can do a pull request on github.

Regards
Fabrice

> Thanks again for all the help.
>
> Cheers,
>
> Boris.
>
>
> On Thu, May 21, 2015 at 6:58 PM, Boris Epstein <[email protected]> wrote:
>
> Fabrice,
>
> I tried introducing this code line into different locations
> (before and after the other calls to send_rpc_request) but that so
> far has made no difference as my IP log is still nil. Likewise, in
> the location log the end time is never entered when I disconnect
> the cable (i.e., end the connection), only when I establish it
> again to a different port.
>
> Also, I have a question. I guess I am going to dig deeper into the
> code. What is the SOP for testing/validating/checking it in?
>
> Thanks again,
>
> Boris.
>
>
> On Wed, May 20, 2015 at 9:16 AM, Fabrice DURAND <[email protected]> wrote:
>
> Hello Boris,
>
> so it won't be too complicated to update the iplog based on the
> accounting data.
> The magic will be there:
>
> https://github.com/inverse-inc/packetfence/blob/devel/raddb/packetfence.pm#L321
>
> with something like:
>
> $data = send_rpc_request($config, "update_iplog", {mac => $mac,
>     ip => $RAD_REQUEST{'Framed-IP-Address'}})
>     if ($RAD_REQUEST{'Framed-IP-Address'});
>
>
> Let me know if it works.
>
> Regards
> Fabrice
>
>
> On 2015-05-19 19:20, Boris Epstein wrote:
>> Hello listmates,
>>
>> OK, as we previously discussed, it should be possible for the
>> PF server to record if the RADIUS accounting from the switch
>> delivers the data. It appears to do so just fine (see the
>> slightly censored excerpt of a TCPDUMP file):
>>
>> 18:36:44.550794 IP (tos 0x0, ttl 255, id 5884, offset 0, flags [none], proto UDP (17), length 181)
>>     192.168.48.103.sa-msg-port > 192.168.48.100.radius-acct: RADIUS, length: 153
>>         Accounting Request (4), id: 0x3a, Authenticator: <censored>
>>           Accounting Session ID Attribute (44), length: 10, Value: 0000001C
>>           Framed IP Address Attribute (8), length: 6, Value: 192.168.22.51
>>           Username Attribute (1), length: 14, Value: 00256440e361
>>           Accounting Authentication Attribute (45), length: 6, Value: RADIUS
>>           Accounting Status Attribute (40), length: 6, Value: Start
>>           NAS Port Type Attribute (61), length: 6, Value: Ethernet
>>           NAS Port Attribute (5), length: 6, Value: 50123
>>           NAS Port ID Attribute (87), length: 23, Value: GigabitEthernet1/0/23
>>           Called Station Attribute (30), length: 19, Value: 00-11-BB-68-B5-17
>>           Calling Station Attribute (31), length: 19, Value: 00-25-64-40-E3-61
>>           Service Type Attribute (6), length: 6, Value: Framed
>>           NAS IP Address Attribute (4), length: 6, Value: 192.168.48.103
>>           Accounting Delay Attribute (41), length: 6, Value: 00 secs
>>
>> So now the question is, how do I get the PF server to read
>> this data and display it?
>>
>> Thanks again for any and all help.
>>
>> Cheers,
>>
>> Boris.
>>
>>
>> On Sun, May 17, 2015 at 12:22 PM, Boris Epstein <[email protected]> wrote:
>>
>> Hello all,
>>
>> Thanks again for all the input. Here is the basic diagram
>> of the setup.
>>
>> Picture the following setup.
>>
>> You have the main network - let us call it "Headquarters"
>> (HQ). Then you have multiple Satellite offices/networks.
>> We will call them SAT1, SAT2, etc. For the purposes of
>> this discussion they are all equivalent to each other.
>> The only networking that exists between HQ and the SAT
>> networks is untagged IP hence it is not possible to have
>> a VLAN that exists in more than one location (i.e. no
>> VLAN can span across those WAN links).
>>
>> You have a Cisco switch (or multiple switches) at each of
>> these locations. The one at HQ we will call sw-hq, the
>> one at SAT1 we will call sw-sat1, etc.
>>
>> We have a PF server - let us call it pf-serv
>>
>> So here is our HQ network:
>>
>> pf-serv <------> sw-hq <=========> node1, node2, node3
>>
>> Here is the SAT1 network:
>>
>> sw-sat1 <==============> node1, node2, etc.
>>
>>
>> In this notation <----> denotes IP connection, <=====>
>> denotes direct Level 2 connection (Ethernet connection of
>> a node to a switch).
>>
>> All of the switches have VLAN's defined on them. I used a
>> non-overlapping numbering schema:
>>
>> in HQ:
>> registration - VLAN2
>> isolation - VLAN3
>> voice - VLAN6
>> production - VLAN7
>>
>> in SAT1:
>> registration - VLAN12
>> isolation - VLAN13
>> voice - VLAN16
>> production - VLAN17
>>
>> in SAT2:
>> registration - VLAN22
>> isolation - VLAN23
>> voice - VLAN26
>> production - VLAN27
>>
>> So, once again: the only way pf-serv can communicate to
>> any of the switches is pure IP (SNMP, radius, DHCP,
>> whatever).
>>
>> I hope this makes sense.
>>
>> At this point, I can get my switches to switch VLAN's as
>> directed by the pf-serv. One thing I can not get to do is
>> get the switches to report the IP's to pf-serv.
>>
>> And this is the stumbling block at this point.
>>
>> Once again - thanks for the great input I already got and
>> thanks in advance for any and all feedback to come.
>>
>> Cheers,
>>
>> Boris.
>>
>>
>> On Fri, May 15, 2015 at 9:14 AM, Fabrice DURAND <[email protected]> wrote:
>>
>> Hello Boris,
>>
>> in fact if you find a way to have a couple mac/ip
>> then we will be able to update iplog.
>>
>> In other setups we did it by:
>> arp traffic
>> udp reflector
>> radius accounting
>>
>> and it should probably be possible to do it with netflow
>> traffic.
>>
>> Regards
>> Fabrice
>>
>>
>> On 2015-05-15 09:08, Boris Epstein wrote:
>>> Hello Fabrice,
>>>
>>> Thanks very much for your response. Yes, I will put
>>> together a diagram.
>>>
>>> I have looked into the RADIUS log and accounting
>>> packet content from a tcpdump capture and couldn't
>>> immediately see data on IP addresses. Where
>>> specifically should I be looking for?
>>>
>>> And this goes back to the question I raised earlier,
>>> the question being, is it necessary to use DHCP to
>>> update the PF server on the nodes' IP addresses? My
>>> thought was it shouldn't be as there are other ways
>>> to obtain that information; sounds like you are
>>> basically backing up this idea.
>>>
>>> Once again, thank you very much for your help.
>>>
>>> Cheers,
>>>
>>> Boris.
>>>
>>>
>>> On Fri, May 15, 2015 at 8:29 AM, Fabrice DURAND <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I take the discussion on the fly but did you
>>> check if in the radius accounting you have
>>> information about the ip of the device?
>>> Sometimes it's the case and we will probably be
>>> able to update the iplog in this way.
>>>
>>> Regards
>>> Fabrice
>>>
>>> On 2015-05-15 06:25, Tim DeNike wrote:
>>>> Yeah, just a basic diagram so we can see what
>>>> other options there might be.
>>>>
>>>> On Thu, May 14, 2015 at 12:20 PM, Boris Epstein <[email protected]> wrote:
>>>>
>>>> Hello everyone,
>>>>
>>>> Thank you very much for your thoughtful
>>>> responses.
>>>>
>>>> Tim, is there anything specific you mean by "Chicken scratch
>>>> network diagram" - or do you just mean any basic schematic
>>>> outline? Let me work on that - that is a good idea to diagram
>>>> it for sure.
>>>>
>>>> Cheers,
>>>>
>>>> Boris.
>>>>
>>>>
>>>> On Thu, May 14, 2015 at 11:34 AM, Tim DeNike <[email protected]> wrote:
>>>>
>>>> Your other option if you don't want to run a DHCP server
>>>> outside of the switches is to run the remote arp sensor on a
>>>> box attached to the switch (I've never tried it), or set up a
>>>> mirror port and mirror traffic to PF.
>>>>
>>>> I really don't know if the dhcp relay will work with the dhcp
>>>> server enabled. I'd guess not.
>>>>
>>>> Chicken scratch network diagram would be helpful.
>>>>
>>>> But seriously.. Look into running a couple central DHCP
>>>> servers.. much easier to maintain in the long run (IMHO).
>>>>
>>>> On Thu, May 14, 2015 at 11:21 AM, Derek Wuelfrath <[email protected]> wrote:
>>>>
>>>> Hello Boris,
>>>>
>>>> Most of the time, iphelpers are doing the job. Can you explain
>>>> what is ‘not working’ ?
>>>>
>>>> In your current setup, the DHCP server is running on the
>>>> switch at the edge or is it on a ‘core switch’ ? Let’s say you
>>>> have 3 access switches, connected back to one core switch, but
>>>> doing L3 (VLANs stays at the access switches level). DHCP
>>>> server is on the access switches or on the core switch ?
>>>>
>>>> The thing is, I’m unsure if, when the DHCP server running on
>>>> the same switch where the VLAN is ending (L2 connectivity),
>>>> iphelpers can do the job.
>>>>
>>>> If you can share a network design, that’d be great… I guess… ;)
>>>>
>>>> (Sorry if it was part of a previous discussion, I clicked the
>>>> link which was leading me to another previous conversation,
>>>> which was also leading me to another discussion… I’ve been lost
>>>> in the Matrix while trying to figure out which conversation was
>>>> the initial one!)
>>>>
>>>> Cheers!
>>>> dw.
>>>>
>>>> --
>>>> Derek Wuelfrath
>>>> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
>>>> Inverse inc. (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu)
>>>> and PacketFence (www.packetfence.org)
>>>>
>>>> On May 14, 2015 at 06:12:01, Boris Epstein ([email protected]) wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I have raised the issue previously:
>>>>>
>>>>> http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg08765.html
>>>>>
>>>>> Basically, the issue is that I am trying to run a DHCP server
>>>>> on my Cisco IOS (Catalyst) switches while I run my PF server
>>>>> that only has IP connectivity to them (no VLAN connectivity as
>>>>> VLAN's are local to the switches).
>>>>>
>>>>> The setup requires that IP update/status info for all nodes be
>>>>> communicated back to the PF server. That is not happening for
>>>>> some reason - at least not via the Cisco's "ip helper-address"
>>>>> mechanism.
>>>>>
>>>>> So the question fundamentally is - how do I do that? What
>>>>> implementations do any of you have out there that accomplish
>>>>> it? Sounds like some people have DHCP servers separate from PF
>>>>> and switches. OK, that is an idea. What other implementations
>>>>> are out there?
>>>>>
>>>>> If you don't mind sharing that I will be very thankful.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Boris.
>>>>>
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>> --
>>> Fabrice Durand
>>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> --
>> Fabrice Durand
>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
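
The behaviour described in the reply above (open an iplog entry from accounting data, leave it without an end time, close it on accounting stop, all behind an optional setting), as an added example that is not PacketFence code and was not posted in the thread. The in-memory `%iplog`, the `update_iplog_on_accounting` option and the helper names are assumptions, and the sample requests are constructed.

```perl
use strict;
use warnings;
# Hypothetical option, standing in for "update iplog on accounting".
my %config = (update_iplog_on_accounting => 1);
# In-memory stand-in for the iplog table: MAC => list of rows.
my %iplog;

# Normalise Calling-Station-Id to aa:bb:cc:dd:ee:ff; undef if not a MAC.
sub clean_mac {
    my ($raw) = @_;
    return unless defined $raw;
    (my $hex = lc $raw) =~ s/[-:.]//g;
    return unless $hex =~ /^[0-9a-f]{12}$/;
    return join ':', $hex =~ /(..)/g;
}

# Accept only a well-formed, non-zero dotted-quad IPv4 address.
sub valid_ip {
    my ($ip) = @_;
    return 0 unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return 0 if grep { $_ > 255 } $1, $2, $3, $4;
    return $ip ne '0.0.0.0' ? 1 : 0;
}

# Apply one accounting request (hash of RADIUS attributes) received at $now.
sub handle_accounting {
    my ($req, $now) = @_;
    return 'disabled' unless $config{update_iplog_on_accounting};
    my $mac = clean_mac($req->{'Calling-Station-Id'}) or return 'no-mac';
    my $status = $req->{'Acct-Status-Type'} // '';
    my $rows   = $iplog{$mac} //= [];
    my ($open) = grep { !defined $_->{end_time} } @$rows;
    if ($status eq 'Stop') {
        # No lease time in accounting: the end time is set only on Stop.
        return 'nothing-open' unless $open;
        $open->{end_time} = $now;
        return 'closed';
    }
    return 'ignored' unless $status eq 'Start' || $status eq 'Interim-Update';
    my $ip = $req->{'Framed-IP-Address'};
    return 'no-ip' unless valid_ip($ip);
    return 'unchanged' if $open && $open->{ip} eq $ip;
    $open->{end_time} = $now if $open;    # address changed: close old row
    push @$rows, { ip => $ip, start_time => $now, end_time => undef };
    return 'opened';
}

# Constructed sample; the Start record mirrors the thread's tcpdump excerpt.
my $csid = '00-25-64-40-E3-61';
my @requests = (
    [1000, { 'Acct-Status-Type' => 'Start', 'Calling-Station-Id' => $csid,
             'Framed-IP-Address' => '192.168.22.51' }],
    [1060, { 'Acct-Status-Type' => 'Interim-Update', 'Calling-Station-Id' => $csid,
             'Framed-IP-Address' => '999.1.1.1' }],
    [1900, { 'Acct-Status-Type' => 'Stop', 'Calling-Station-Id' => $csid }],
);
for my $r (@requests) {
    my ($now, $req) = @$r;
    printf "%-14s -> %s\n", $req->{'Acct-Status-Type'}, handle_accounting($req, $now);
}
for my $mac (sort keys %iplog) {
    printf "%s %s start=%s end=%s\n", $mac, $_->{ip}, $_->{start_time},
        $_->{end_time} // 'open' for @{ $iplog{$mac} };
}
```

The MAC and IP checks matter because accounting attributes arrive from the network and end up as rows in a log that other decisions rely on.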
