VMPS support

Phil Mayers p.mayers at imperial.ac.uk
Wed Feb 27 13:00:47 CET 2008


Alan DeKok wrote:
> Phil Mayers wrote:
> 
>> The value of VQP-Error-Code may make a difference; the code in OpenVMPS
>> seems to work like this:
> 
>   Do you have some sample "unlang" config we can add to the server examples?

We're currently using something almost identical to this (minor edits to 
remove site-specific vlan assignment policy with a "switch/case"):

modules {
   $INCLUDE postgresql.conf
   exec logger {
     wait = no
     input_pairs = request
     shell_escape = yes
     output = none
     program = "/usr/bin/logger -t vmpsd -- ALLOW: %{MyMac} -> %{reply:VMPS-VLAN-Name}, switch %{VMPS-Client-IP-Address} port %{VMPS-Port-Name}"
   }
}

server {
listen {
   ...
   type = vmps
}
vmps {
   # the mac address can be in several places...
   if ("%{VMPS-Ethernet-Frame}" =~ /0x............(..)(..)(..)(..)(..)(..).*/) {
     update request {
       MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
     }
   }
   else {
     update request {
       MyMac = "%{%{VMPS-Cookie}:-%{VMPS-MAC}}"
     }
   }

   # required VMPS reply attributes
   update reply {
     VMPS-Packet-Type = VMPS-Join-Response
     VMPS-Cookie = "%{MyMac}"
   }

   # lookup the zone in sql
   update reply {
     VMPS-VLAN-Name = "%{sql:select ... where mac='%{MyMac}'}"
   }

   # an instance of the exec module logging to a similar format
   # that openvmps used, for ease of operator transition :o)
   logger
}
}


> 
>>> What's the easiest way to get the MAC address out of these?
>> I used this in the end:
>>
>> # the mac address can be in several places...
>> if ("%{VMPS-Ethernet-Frame}" =~ /0x............(..)(..)(..)(..)(..)(..).*/) {
>>         update request {
>>                 MyMac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
> 
>   Wow... I guess that works, but wow.  It's been a while since I used
> regular expressions to parse raw packets.

Yeah. It's pretty disgusting :o)

I originally tried:

/......(......).*/

...but of course the "octets" AVP is rendered to the hex 0xNN.. format 
prior to the regexp match being applied.

> 
>   Also, in 2.0.1, you don't need "%{..}" for VMPS-Ethernet-Frame.  You
> can just put the bare name before the =~ operator.

Yeah, I am awaiting a change approval to update the software (sigh).
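
Added example, not part of the original post or of FreeRADIUS: a Python check of the frame regex quoted above against a constructed Ethernet frame, showing why it skips 12 hex digits after "0x" (the destination MAC) and falls back to the cookie or MAC attribute when the frame is too short. The function names, the sample frame, the assumption that the cookie and MAC attributes arrive colon-separated, and the final MAC format check are assumptions for illustration.

```python
import re

# Same shape as the unlang condition: "0x", 12 hex digits (destination MAC),
# then six captured byte pairs (source MAC). Hex classes replace the bare dots.
FRAME_RE = re.compile(r"0x[0-9a-fA-F]{12}" + r"([0-9a-fA-F]{2})" * 6)
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def render_octets(raw: bytes) -> str:
    """Render bytes the way the post describes an "octets" value: 0xNN.. hex."""
    return "0x" + raw.hex()


def mac_from_frame(rendered: str):
    """Return the source MAC as aa:bb:cc:dd:ee:ff, or None if the frame is too short."""
    m = FRAME_RE.match(rendered)
    return ":".join(g.lower() for g in m.groups()) if m else None


def pick_mac(frame=None, cookie=None, mac=None):
    """Mirror the if/else in the post: frame first, then cookie, then MAC attribute."""
    candidate = (mac_from_frame(frame) if frame else None) or cookie or mac
    # Hypothetical extra check (not in the post): accept only a well-formed MAC
    # before the value reaches the SQL lookup or the logger command line.
    if candidate and MAC_RE.fullmatch(candidate.lower()):
        return candidate.lower()
    return None


# Constructed sample: broadcast destination, source 00:11:22:33:44:55, EtherType 0x0800.
SAMPLE = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"\x45\x00"

if __name__ == "__main__":
    print(pick_mac(frame=render_octets(SAMPLE)))
    print(pick_mac(frame="0x0011", cookie="00:11:22:33:44:55"))
```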


