VMPS support

Phil Mayers p.mayers at imperial.ac.uk
Tue Feb 26 19:05:02 CET 2008


Phil Mayers wrote:
> All,
> 
> I'm moving our legacy switches over to the VMPS support in FreeRadius 2 
> and I'm aware there are others on the list who have done this.
> 
> I'm seeing several different formats of VMPS request. The "easy" ones 
> are from older switches e.g. cisco 1900s:
> 
> VMPS-Packet-Type = VMPS-Join-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 2207055872
> VMPS-Client-IP-Address = 172.28.72.65
> VMPS-Port-Name = "22"
> VMPS-VLAN-Name = "PROD"
> VMPS-Domain-Name = "HOR-PG"
> VMPS-Unknown = 0x00
> VMPS-MAC = 00:01:4a:f8:93:e5
> 
> However, newer switches e.g. Cisco 3500XL are sending Reconfirm-Request 
> packets with no MAC (but with a cookie):
> 
> VMPS-Packet-Type = VMPS-Reconfirm-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 13320
> VMPS-Client-IP-Address = 172.28.72.50
> VMPS-Port-Name = "Fa0/1"
> VMPS-VLAN-Name = "PROD"
> VMPS-Unknown = 0x01
> VMPS-Cookie = 00:1b:78:a5:96:e0
> 
> How do I need to respond to these? It seems that if I return a 
> Join-Response it will simply be obeyed, but I'm worried it will explode 

All,

From what I can tell, the following is true:

The actual value of reply:VMPS-Packet-Type seems to be irrelevant - VMPS 
replies do not contain anything to distinguish between Join and 
Reconfirm responses.

> later. Do I need to return a Reconfirm-Response with a Deny if the 

The value of VQP-Error-Code may make a difference; the code in OpenVMPS 
seems to work like this:

  * request comes in
  * extract ethernet address from mac field (0xc06), other mac field (0xc08, 
    which FreeRadius calls VMPS-Cookie) or packet header
  * lookup vlan for this ethernet address
  * if lookup.vlan not defined:
      fail
  * if lookup.vlan=='' or lookup.vlan=='--NONE--':
      fail
  * if request.vlan!='' and request.vlan!='--NONE--' and 
    request.vlan!=lookup.vlan:
      fail
    else:
      ok

So broadly, if there is a vlan in the request other than '' (empty 
string) or '--NONE--' it must match the returned vlan; else a deny (vmps 
mode == open) or shutdown (vmps mode == closed) error code is returned.

HOWEVER - at least on Cisco 3500XL running the IOS I have, returning a 
permit with a different vlan than the request seems to work...

> requested vlan is different to the desired one, or a permit otherwise?
> 
> We're also seeing from the newer switches join packets with no MAC or 
> cookie, but an ethernet header:
> 
> VMPS-Packet-Type = VMPS-Join-Request
> VMPS-Error-Code = VMPS-No-Error
> VMPS-Sequence-Number = 13329
> VMPS-Client-IP-Address = 172.28.72.50
> VMPS-Port-Name = "Fa0/3"
> VMPS-VLAN-Name = "--NONE--"
> VMPS-Unknown = 0x00
> VMPS-Ethernet-Frame = 0xffffffffffff001636e46d1b08004500015...
> 
> What's the easiest way to get the MAC address out of these?

I used this in the end:

# the mac address can be in several places...
if ("%{VMPS-Ethernet-Frame}" =~ /0x............(..)(..)(..)(..)(..)(..).*/) {
        # source MAC: the six bytes after the 6-byte destination address
        update request {
                MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
        }
}
else {
        # no frame: use the cookie, falling back to the plain MAC field
        update request {
                MyMac = "%{%{VMPS-Cookie}:-%{VMPS-MAC}}"
        }
}
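A stand-alone re-implementation of the two pieces this message describes (picking the MAC out of whichever field carries it, then applying the OpenVMPS permit/deny/shutdown rules), written in Python as an added example; it is not part of the original mail, of FreeRADIUS or of OpenVMPS. The attribute dicts, the MAC-to-VLAN table and the frame bytes are constructed, and the `mode` argument stands in for the vmps open/closed setting.

```python
import re

# Values the post treats as "no VLAN requested"
NO_VLAN = {"", "--NONE--"}

# Source MAC = bytes 6..11 of the Ethernet header: the 12 hex digits after
# the 0x prefix and the 12-digit destination (same groups as the unlang regex)
_FRAME_SRC = re.compile(r"^(?:0x)?[0-9a-f]{12}([0-9a-f]{12})", re.I)


def extract_mac(attrs):
    """Return the client MAC as 'aa:bb:cc:dd:ee:ff', or None if absent.
    attrs maps FreeRADIUS attribute names to string values. Search order
    mirrors the unlang in the post: Ethernet frame, then cookie, then MAC."""
    m = _FRAME_SRC.match(attrs.get("VMPS-Ethernet-Frame", ""))
    if m:
        src = m.group(1).lower()
        return ":".join(src[i:i + 2] for i in range(0, 12, 2))
    for key in ("VMPS-Cookie", "VMPS-MAC"):
        if attrs.get(key):
            return attrs[key].lower()
    return None


def decide(requested_vlan, lookup_vlan, mode="open"):
    """Apply the OpenVMPS rules described in the post. Returns ('ok', vlan)
    or (error, None); error is 'deny' in open mode, 'shutdown' in closed."""
    fail = "deny" if mode == "open" else "shutdown"
    if lookup_vlan is None or lookup_vlan in NO_VLAN:
        return fail, None
    if requested_vlan not in NO_VLAN and requested_vlan != lookup_vlan:
        return fail, None
    return "ok", lookup_vlan


def process_request(attrs, mac_table, mode="open"):
    """Lookup plus decision for one request. mac_table is a constructed
    {mac: vlan} mapping standing in for the real VMPS database."""
    mac = extract_mac(attrs)
    if mac is None:
        return decide("", None, mode)  # no usable identity at all: fail
    return decide(attrs.get("VMPS-VLAN-Name", ""), mac_table.get(mac), mode)


# Constructed sample table and a join request carrying only an Ethernet
# frame (dst ff:ff:ff:ff:ff:ff, src 00:11:22:33:44:55, ethertype 0x0800 ...)
SAMPLE_TABLE = {"00:11:22:33:44:55": "PROD", "00:1b:78:a5:96:e0": "PROD"}
SAMPLE_JOIN = {"VMPS-VLAN-Name": "--NONE--",
               "VMPS-Ethernet-Frame": "0xffffffffffff00112233445508004500"}
```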