Fabrice,
I tried introducing this code line into different locations (before and
after the other calls to send_rpc_request) but that so far has made no
difference as my IP log is still nil. Likewise, in the location log the end
time is never entered when I disconnect the cable (i.e., end the
connection), only when I establish it again to a different port.
Also, I have a question. I guess I am going to dig deeper into the code.
What is the SOP for testing/validating/checking it in?
Thanks again,
Boris.
On Wed, May 20, 2015 at 9:16 AM, Fabrice DURAND <[email protected]> wrote:
> Hello Boris,
>
> so it wont be to complicate to update the iplog based on the accounting
> data.
> The magic will be there :
> https://github.com/inverse-inc/packetfence/blob/devel/raddb/packetfence.pm#L321
> with something like:
> $data = send_rpc_request($config, " update_iplog", {mac => $mac, ip =>
> $RAD_REQUEST{'Framed-IP-Address'}}) if ($RAD_REQUEST{'Framed-IP-Address'} );
>
>
> Let me know if it works.
>
> Regards
> Fabrice
>
>
> Le 2015-05-19 19:20, Boris Epstein a écrit :
>
> Hello listmates,
>
> OK, as we previously discussed, it should be possible for the PF server
> to record if the RADIUS accounting from the switch delivers the data. It
> appears to do so just fine (see the slightly censored excerpt of a TCPDUMP
> file):
>
> 18:36:44.550794 IP (tos 0x0, ttl 255, id 5884, offset 0, flags [none],
> proto UDP (17), length 181)
> 192.168.48.103.sa-msg-port > 192.168.48.100.radius-acct: RADIUS,
> length: 153
> Accounting Request (4), id: 0x3a, Authenticator: <censored>
> Accounting Session ID Attribute (44), length: 10, Value: 0000001C
> Framed IP Address Attribute (8), length: 6, Value: 192.168.22.51
> Username Attribute (1), length: 14, Value: 00256440e361
> Accounting Authentication Attribute (45), length: 6, Value:
> RADIUS
> Accounting Status Attribute (40), length: 6, Value: Start
> NAS Port Type Attribute (61), length: 6, Value: Ethernet
> NAS Port Attribute (5), length: 6, Value: 50123
> NAS Port ID Attribute (87), length: 23, Value:
> GigabitEthernet1/0/23
> Called Station Attribute (30), length: 19, Value:
> 00-11-BB-68-B5-17
> Calling Station Attribute (31), length: 19, Value:
> 00-25-64-40-E3-61
> Service Type Attribute (6), length: 6, Value: Framed
> NAS IP Address Attribute (4), length: 6, Value: 192.168.48.103
> Accounting Delay Attribute (41), length: 6, Value: 00 secs
>
> So now the question is, how do I get the PF server to read this data and
> display it?
>
> Thanks again for any and all help.
>
> Cheers,
>
> Boris.
>
>
> On Sun, May 17, 2015 at 12:22 PM, Boris Epstein <[email protected]>
> wrote:
>
>> Hello all,
>>
>> Thanks again for all the input. Here is the basic diagram of the setup.
>>
>> Picture the following setup.
>>
>> You have the main network - let us call it "Headquarters" (HQ). Then
>> you have multiple Satelite offices/networks. We will call them SAT1, SAT2,
>> etc. For the purposes of this discussion they are all equivalent to each
>> other. The only networking that exists between HQ and the SAT networks is
>> untagged IP hence it is not possible to have a VLAN that exists in more
>> than one location (i.e. no VLAN can span accross those WAN links).
>>
>> You have a Cisco switch (or multiple switches) at each of these
>> locations. The one at HQ we will call sw-hq, the one at SAT1 we will call
>> sw-sat1, etc.
>>
>> We have a PF server - let us call if pf-serv
>>
>> So here is our HQ network:
>>
>> pf-serv <------> sw-hq <=========> node1, node2, node3
>>
>> Here is the SAT1 network:
>>
>> sw-sat1 <==============> node1, node2, etc.
>>
>>
>> In this notation <----> denotes IP connection, <=====> denotes direct
>> Level 2 connection (Ethernet connection of a node to a switch).
>>
>> All of the switches have VLAN's defined on you. I used a non-overlapping
>> numbering schema:
>>
>> in HQ:
>> registration - VLAN2
>> isolation - VLAN3
>> voice - VLAN6
>> production - VLAN7
>>
>> in SAT1:
>> registration - VLAN12
>> isolation - VLAN13
>> voice - VLAN16
>> production - VLAN17
>>
>> in SAT2:
>> registration - VLAN22
>> isolation - VLAN23
>> voice - VLAN26
>> production - VLAN27
>>
>> So, once again: the only way pf-serv can communicate to any of the
>> switches is pure IP (SNMP, radius, DHCP, whatever).
>>
>> I hope this makes sense.
>>
>> At this point, I can get my switches to switch VLAN's as directed by the
>> pf-serv. One thing I can not get to do is get the switches to report the
>> IP's to pf-serv.
>>
>> And this is the stumbling block at this point.
>>
>> Once again - thanks for the great input I already got and thanks in
>> advance for any and all feedback to come.
>>
>> Cheers,
>>
>> Boris.
>>
>>
>> On Fri, May 15, 2015 at 9:14 AM, Fabrice DURAND <[email protected]>
>> wrote:
>>
>>> Hello Boris,
>>>
>>> in fact if you find a way to have a couple mac/ip then we will be able
>>> to update iplog.
>>>
>>> In other setup we did it by:
>>> arp traffic
>>> udp reflector
>>> radius accounting
>>>
>>> and it should probably possible to do it with netflow traffic.
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> Le 2015-05-15 09:08, Boris Epstein a écrit :
>>>
>>> Hello Fabrice,
>>>
>>> Thanks very much for your response. Yes, I will put together a diagram.
>>>
>>> I have looked into the RADIUS log and accounting packet content from a
>>> tcpdump capture and couldn't immediately see data on IP addresses. Where
>>> specifically should I be looking for?
>>>
>>> And this goes back to the question I raised earlier, the question being,
>>> is it necessary to use DHCP to update the PF server on the nodes' IP
>>> addresses? My thought was it shouldn't be as there are other ways to obtain
>>> that information; sounds like you are basically backing up this idea.
>>>
>>> Once again, that you very much for your help.
>>>
>>> Cheers,
>>>
>>> Boris.
>>>
>>>
>>> On Fri, May 15, 2015 at 8:29 AM, Fabrice DURAND <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> i take the discussion on the fly but did you check if in the radius
>>>> accounting you have informations about the ip of the device ?
>>>> Sometimes it's the case and we will probably be able to update the
>>>> iplog in this way.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> Le 2015-05-15 06:25, Tim DeNike a écrit :
>>>>
>>>> Yeah, just a basic diagram so we can see what other options there might
>>>> be.
>>>>
>>>> On Thu, May 14, 2015 at 12:20 PM, Boris Epstein <[email protected]>
>>>> wrote:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> Thank you very much for your thoughtful responses.
>>>>>
>>>>> Tim, is there anything specific you mean by "Chicken scratch network
>>>>> diagram" - or do you just mean any basic schematic outline? Let me work on
>>>>> that - that is a good idea to diagram it for sure.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Boris.
>>>>>
>>>>>
>>>>> On Thu, May 14, 2015 at 11:34 AM, Tim DeNike <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Your other option if you don't want to run a DHCP server outside of
>>>>>> the switches is to run the remote arp sensor on a box attached to the
>>>>>> switch (Ive never tried it), or setup a mirror port and mirror traffic to
>>>>>> PF.
>>>>>>
>>>>>> I really don't know if the dhcp relay will work with the dhcp
>>>>>> server enabled. Id guess not.
>>>>>>
>>>>>> Chicken scratch network diagram would be helpful.
>>>>>>
>>>>>> But seriously.. Look into running a couple central DHCP servers..
>>>>>> much easier to maintain in the long run (IMHO).
>>>>>>
>>>>>> On Thu, May 14, 2015 at 11:21 AM, Derek Wuelfrath <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hello Boris,
>>>>>>>
>>>>>>> Most of the time, iphelpers are doing the job. Can you explain
>>>>>>> what is ‘not working’ ?
>>>>>>>
>>>>>>> In your current setup, the DHCP server is running on the switch at
>>>>>>> the edge or is it on a ‘core switch’ ? Let’s say you have 3 access
>>>>>>> switches, connected back to one core switch, but doing L3 (VLANs stays
>>>>>>> at
>>>>>>> the access switches level). DHCP server is on the access switches or on
>>>>>>> the
>>>>>>> core switch ?
>>>>>>>
>>>>>>> The things is, I’m unsure if, when the DHCP server running on the
>>>>>>> same switch where the VLAN is ending (L2 connectivity), iphelpers can do
>>>>>>> the job.
>>>>>>>
>>>>>>> If you can share a network design, that’d be great… I guess… ;)
>>>>>>>
>>>>>>> (Sorry if it was part of a previous discussion, I clicked the link
>>>>>>> which was leading me to another previous conversation, which was also
>>>>>>> leading me to another discussion… I’ve been lost in the Matrix while
>>>>>>> trying
>>>>>>> to figure out which conversation was the initial one!)
>>>>>>>
>>>>>>> Cheers!
>>>>>>> dw.
>>>>>>>
>>>>>>> --
>>>>>>> Derek Wuelfrath
>>>>>>> [email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153
>>>>>>> (x110)
>>>>>>> Inverse inc. (www.inverse.ca) :: Leaders behind SOGo (www.sogo.nu)
>>>>>>> and PacketFence (www.packetfence.org)
>>>>>>>
>>>>>>> On May 14, 2015 at 06:12:01, Boris Epstein ([email protected])
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I have raised the issue previously:
>>>>>>>
>>>>>>>
>>>>>>> http://www.mail-archive.com/packetfence-users%40lists.sourceforge.net/msg08765.html
>>>>>>>
>>>>>>> Basically, the issue is that I am trying to run a DHCP server on
>>>>>>> my Cisco IOS (Catalyst) switches while I run my PF server that only has
>>>>>>> IP
>>>>>>> connectivity to them (no VLAN connectivity as VLAN's are local to the
>>>>>>> switches).
>>>>>>>
>>>>>>> The setup requires that IP update/status info for all nodes be
>>>>>>> communicated back to the PF server. That is not happening for some
>>>>>>> reason -
>>>>>>> at least not via the Cisco's "ip helper-address" mechanism.
>>>>>>>
>>>>>>> So the question fundamentally is - how do I do that? What
>>>>>>> implementations do any of you have out there that accomplish it? Sounds
>>>>>>> like some people have DHCP servers separate from PF and switches. OK,
>>>>>>> that
>>>>>>> is an idea. What other implementations are out there?
>>>>>>>
>>>>>>> If you don't mind sharing that I will be very thankful.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Boris.
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>>
>>>>>>> One dashboard for servers and applications across
>>>>>>> Physical-Virtual-Cloud
>>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>>> Insights
>>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>>>
>>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y_______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> One dashboard for servers and applications across
>>>>>>> Physical-Virtual-Cloud
>>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>>> Insights
>>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> One dashboard for servers and applications across
>>>>>> Physical-Virtual-Cloud
>>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>>> Performance metrics, stats and reports that give you Actionable
>>>>>> Insights
>>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>>> _______________________________________________
>>>>>> PacketFence-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> One dashboard for servers and applications across
>>>>> Physical-Virtual-Cloud
>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>> Performance metrics, stats and reports that give you Actionable
>>>>> Insights
>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>> Deep dive visibility with transaction tracing using APM
>>>> Insight.http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing
>>>> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>>
>>>>
>>>> --
>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>>> www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>> (http://packetfence.org)
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>> Widest out-of-the-box monitoring support with 50+ applications
>>> Performance metrics, stats and reports that give you Actionable Insights
>>> Deep dive visibility with transaction tracing using APM
>>> Insight.http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing
>>> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>> --
>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>> www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>> (http://packetfence.org)
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>> Widest out-of-the-box monitoring support with 50+ applications
>>> Performance metrics, stats and reports that give you Actionable Insights
>>> Deep dive visibility with transaction tracing using APM Insight.
>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM
> Insight.http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>
>
>
> _______________________________________________
> PacketFence-users mailing
> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
