VPMS and logging

Thu Jan 12 16:25:16 CET 2012

Hi, all,

I have set up VMPS with FreeRADIUS 2.1.12 to use with our internal
Cisco switches. After finding the sample files and some documentation
with Google, I'm quite satisfied with the result. At least everything seems
to work as designed.

Besides … ;-) logging seems to be somewhat inconsistent. Here's what
radiusd -X outputs when I connect my personal workstation to the network:
(addresses anonymised)
--------------------------------------------------
	VMPS-Packet-Type = VMPS-Join-Request
	VMPS-Error-Code = VMPS-No-Error
	VMPS-Sequence-Number = 892
	VMPS-Client-IP-Address = 1.2.3.4
	VMPS-Port-Name = "Fa0/21"
	VMPS-VLAN-Name = "--NONE--"
	VMPS-Domain-Name = "Hausnetz"
	VMPS-Unknown = 0x00
	VMPS-Ethernet-Frame = 0x0050……
server vmps {
Doing VMPS
+- entering group vmps {...}
++? if (!VMPS-Mac)
? Evaluating !(VMPS-Mac) -> TRUE
++? if (!VMPS-Mac) -> TRUE
++- entering if (!VMPS-Mac) {...}
+++? if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/)
? Evaluating (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) -> TRUE
+++? if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) -> TRUE
+++- entering if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {...}
	expand: %{1}:%{2}:%{3}:%{4}:%{5}:%{6} -> xx:xx:xx:xx:xx:xx
++++[request] returns noop
+++- if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) returns noop
+++ ... skipping else for request 0: Preceding "if" was taken
++- if (!VMPS-Mac) returns noop
[mac2vlan] Added VMPS-VLAN-Name: 'default' to reply_items 
++[mac2vlan] returns ok
	expand: %{VMPS-Mac} -> xx:xx:xx:xx:xx:xx
++[reply] returns ok
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
? Evaluating (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
[linelog] 	expand: /var/log/vmps.log -> /var/log/vmps.log
[linelog] 	expand: %S %C %{VMPS-Port-Name} %{VMPS-Mac} %{VMPS-VLAN-Name} -> 2012-01-12 16:06:34 Switch1 Fa0/21 xx:xx:xx:xx:xx:xx --NONE--
++[linelog] returns ok
Done VMPS
} # server vmps
	VMPS-VLAN-Name = "default"
	VMPS-Cookie = xx:xx:xx:xx:xx:xx
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 892 with timestamp +11
Ready to process requests.
--------------------------------------------------

So, the last lines seem to imply that I am to be put into VLAN "default" which
is just the name of VLAN 1 on Cisco gear. And indeed the switch does precisely
that. So far, so good.

Then, why does FreeRADIUS log this?

"2012-01-12 16:06:34 Switch1 Fa0/21 xx:xx:xx:xx:xx:xx --NONE--"

Note the "--NONE--" for the VLAN name. I'm about to implement this throughout
our entire office and of course the log will be essential for daily administration
tasks, like adding/removing/fixing MAC address entries and the like. I get completely
inconsistent results here - for some workstations it's "default" and for some "--NONE--".

Here's the detailled config, "guests" is the name of the default VLAN for all
unknown MAC addresses. The rest is more or less copied from the examples.

I omitted all the basic radiusd config that I had already in place. We use
FreeRADIUS for Enterprise WPA2 in our WLAN. I added VMPS as a virtual
server.

--------------------------------------------------
mac2vlan:
xx:xx:xx:xx:xx:xx,default

radiusd.conf:
modules {
        passwd mac2vlan {
                filename = ${confdir}/mac2vlan
                format = "*VMPS-Mac:=VMPS-VLAN-Name"
                delimiter = ","
        }

        linelog { 
                filename = ${logdir}/vmps.log
                format = "%S %C %{VMPS-Port-Name} %{VMPS-Mac} %{VMPS-VLAN-Name}"
        } 
}

$INCLUDE vmps.conf

vmps.conf:
server vmps {
	listen {
		ipaddr = *
		port = 1589
		type = vmps
	}

	client 1.2.3.4 {
		secret          = dontmind
		shortname       = Switch1
	}

	vmps {
		if (!VMPS-Mac) {
			if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
        			update request {
					VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
				}
			}
			else {
				update request {
					VMPS-Mac = "%{VMPS-Cookie}"
				}
			}
		}

		mac2vlan

		update reply {
			VMPS-Packet-Type = VMPS-Join-Response
			VMPS-Cookie = "%{VMPS-Mac}"
			VMPS-VLAN-Name = "guests"
		}

		if (VMPS-Packet-Type == VMPS-Reconfirm-Request){
			update reply {
				VMPS-Packet-Type := VMPS-Reconfirm-Response
			}
		}

		linelog
	}
}
--------------------------------------------------

Thanks and kind regards
Patrick
-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285