bizarre VMPS behaviour - different MACs being displayed - same switch, same client, different version of Freeradius
Keith Olsen
keith.r.olsen at gmail.com
Thu Jan 15 04:47:37 CET 2015
I just stood up Freeradius 3.0.4 on a Fedora system, and I have an older (2.1.12) one running on Ubuntu (doubt the OS makes any difference…).
On the 3x system, I am using mysql to provide the mac to vlan information, while on the 2x system it’s the mac2vlan flat file.
In the 2x version, this is what is displayed for the VMPS-Join-Request:
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 961
VMPS-Client-IP-Address = 192.168.30.11
VMPS-Port-Name = "Fa0/19"
VMPS-VLAN-Name = "--NONE--"
VMPS-Domain-Name = "seccom.ab.ca"
VMPS-Unknown = 0x00
VMPS-MAC = 00:25:bc:e1:5b:4a
This is the MAC of my client, and it’s consistent on each connection of the client, regardless of the port. This works fine.
In the 3x version, this is what I get:
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 913
VMPS-Client-IP-Address = 192.168.30.11
VMPS-Port-Name = 'Fa0/19'
VMPS-VLAN-Name = '--NONE--'
VMPS-Domain-Name = 'seccom.ab.ca'
VMPS-Unknown = 0x00
VMPS-MAC = a0:f4:40:9b:a6:7f
Additionally, on the 3x version, each time I connect the client, a different mac is registered:
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 1009
VMPS-Client-IP-Address = 192.168.30.11
VMPS-Port-Name = 'Fa0/19'
VMPS-VLAN-Name = '--NONE--'
VMPS-Domain-Name = 'seccom.ab.ca'
VMPS-Unknown = 0x00
VMPS-MAC = 10:fb:40:9b:a6:7f
Here is the full output from the last VMPS query for 3.x:
(10) Cleaning up request packet ID 1057 with timestamp +4655
Waking up in 995474.9 seconds.
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 1073
VMPS-Client-IP-Address = 192.168.30.11
VMPS-Port-Name = 'Fa0/11'
VMPS-VLAN-Name = '--NONE--'
VMPS-Domain-Name = 'seccom.ab.ca'
VMPS-Unknown = 0x00
VMPS-MAC = 90:ff:40:9b:a6:7f
(11) Received Access-Request packet from host 192.168.30.11 port 57089, id=1073, length=81
(11) VMPS-Packet-Type = VMPS-Join-Request
(11) VMPS-Error-Code = VMPS-No-Error
(11) VMPS-Sequence-Number = 1073
(11) VMPS-Client-IP-Address = 192.168.30.11
(11) VMPS-Port-Name = 'Fa0/11'
(11) VMPS-VLAN-Name = '--NONE--'
(11) VMPS-Domain-Name = 'seccom.ab.ca'
(11) VMPS-Unknown = 0x00
(11) VMPS-MAC = 90:ff:40:9b:a6:7f
Doing VMPS
(11) vmps {
(11) if (!VMPS-Mac)
(11) if (!VMPS-Mac) -> FALSE
(11) update reply {
(11) VMPS-Packet-Type = VMPS-Join-Response
(11) EXPAND %{VMPS-Mac}
(11) --> 90:ff:40:9b:a6:7f
(11) VMPS-Cookie = 90:ff:40:9b:a6:7f
(11) VMPS-VLAN-Name = 'default'
(11) EXPAND %{User-Name}
(11) -->
(11) SQL-User-Name set to ''
rlm_sql (sql): Reserved connection (14)
rlm_sql (sql): Executing query: 'SELECT vlan FROM mac2vlan WHERE mac='90:ff:40:9b:a6:7f''
(11) SQL query returned no results
rlm_sql (sql): Released connection (14)
rlm_sql (sql): 0 of 2 connections in use. Need more spares
rlm_sql (sql): Opening additional connection (15)
rlm_sql_mysql: Starting connect to MySQL server
(11) EXPAND %{sql:SELECT vlan FROM mac2vlan WHERE mac='%{VMPS-Mac}'}
(11) -->
(11) VMPS-VLAN-Name = ""
(11) } # update reply = noop
(11) if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
(11) if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
(11) } # vmps = noop
Done VMPS
(11) vmps {
(11) if (!VMPS-Mac)
(11) if (!VMPS-Mac) -> FALSE
(11) update reply {
(11) VMPS-Packet-Type = VMPS-Join-Response
(11) EXPAND %{VMPS-Mac}
(11) --> 90:ff:40:9b:a6:7f
(11) VMPS-Cookie = 90:ff:40:9b:a6:7f
(11) VMPS-VLAN-Name = 'default'
(11) EXPAND %{User-Name}
(11) -->
(11) SQL-User-Name set to ''
rlm_sql (sql): Reserved connection (15)
rlm_sql (sql): Executing query: 'SELECT vlan FROM mac2vlan WHERE mac='90:ff:40:9b:a6:7f''
(11) SQL query returned no results
rlm_sql (sql): Released connection (15)
(11) EXPAND %{sql:SELECT vlan FROM mac2vlan WHERE mac='%{VMPS-Mac}'}
(11) -->
(11) VMPS-VLAN-Name = ""
(11) } # update reply = noop
(11) if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
(11) if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
(11) } # vmps = noop
(11) Sending Access-Accept packet to host 192.168.30.11 port 57089, id=1073, length=0
(11) VMPS-Packet-Type = VMPS-Join-Response
(11) VMPS-Cookie = 90:ff:40:9b:a6:7f
(11) VMPS-VLAN-Name = 'default'
VMPS-VLAN-Name = 'default'
VMPS-Cookie = 90:ff:40:9b:a6:7f
(11) Finished request
Waking up in 0.3 seconds.
Waking up in 4.6 seconds.
(11) Cleaning up request packet ID 1073 with timestamp +4691
Waking up in 995438.1 seconds.
And the same from the v2.1.12 system:
Ready to process requests.
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 1105
VMPS-Client-IP-Address = 192.168.30.11
VMPS-Port-Name = "Fa0/11"
VMPS-VLAN-Name = "--NONE--"
VMPS-Domain-Name = "seccom.ab.ca"
VMPS-Unknown = 0x00
VMPS-MAC = 00:25:bc:e1:5b:4a
server vmps {
Doing VMPS
+- entering group vmps {...}
++? if (!VMPS-Mac)
? Evaluating !(VMPS-Mac) -> FALSE
++? if (!VMPS-Mac) -> FALSE
[mac2vlan] Added VMPS-VLAN-Name: 'ENMAX' to reply_items
++[mac2vlan] returns ok
expand: %{VMPS-Mac} -> 00:25:bc:e1:5b:4a
++[reply] returns ok
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
? Evaluating (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
[linelog] expand: /var/log/freeradius/vmps.log -> /var/log/freeradius/vmps.log
[linelog] expand: %S %C %{VMPS-Port-Name} %{VMPS-Mac} %{reply:VMPS-VLAN-Name} -> 2015-01-14 20:32:58 cisco Fa0/11 00:25:bc:e1:5b:4a ENMAX
++[linelog] returns ok
Done VMPS
} # server vmps
VMPS-VLAN-Name = "ENMAX"
VMPS-Cookie = 00:25:bc:e1:5b:4a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 1105 with timestamp +1273
Ready to process requests.
I’m assuming that somehow the 3.0.4 system is parsing the packet incorrectly, and thus coming up with the wrong information for the MAC.
Any idea on what I can do to resolve?
Thanks!
Keith
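Added example (not part of the original post and not FreeRADIUS code): a Python script that extracts VMPS-Join-Request blocks from radiusd debug output and reports, per switch IP, the distinct MACs seen and which octet positions differ between them. The function names and the constructed sample are assumptions, and it assumes the capture covers a single client behind that switch; on the 3.0.4 values quoted above only the first two octets change.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the 3.0.4 debug output quoted in the post.
SAMPLE = """\
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Client-IP-Address = 192.168.30.11
VMPS-MAC = a0:f4:40:9b:a6:7f
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Client-IP-Address = 192.168.30.11
VMPS-MAC = 10:fb:40:9b:a6:7f
(11) VMPS-Packet-Type = VMPS-Join-Request
(11) VMPS-Client-IP-Address = 192.168.30.11
(11) VMPS-MAC = 90:ff:40:9b:a6:7f
(11) VMPS-Packet-Type = VMPS-Join-Response
(11) VMPS-Cookie = 90:ff:40:9b:a6:7f
"""

# Optional "(N) " request prefix (3.x), then NAME = value in either quote style.
ATTR = re.compile(r"^\s*(?:\(\d+\)\s+)?(VMPS-[\w-]+)\s*=\s*['\"]?(.*?)['\"]?\s*$")

def join_requests(text):
    """Yield one attribute dict per VMPS-Join-Request block in debug output."""
    cur = None
    for line in text.splitlines():
        m = ATTR.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if name == "VMPS-PACKET-TYPE":
            cur = {} if value == "VMPS-Join-Request" else None
        elif cur is not None:
            cur[name] = value
            if name == "VMPS-MAC":      # last attribute printed for a request
                yield cur

def mac_drift(text):
    """Per switch IP: (distinct MACs, octet positions that differ between them)."""
    macs = defaultdict(set)
    for rec in join_requests(text):
        macs[rec["VMPS-CLIENT-IP-ADDRESS"]].add(rec["VMPS-MAC"].lower())
    report = {}
    for ip, seen in macs.items():
        cols = zip(*(m.split(":") for m in seen))
        report[ip] = (sorted(seen), [i for i, c in enumerate(cols) if len(set(c)) > 1])
    return report

if __name__ == "__main__":
    print(mac_drift(SAMPLE))
```

Feeding it the saved output of a debug run from each server gives a side-by-side view of whether the reported MAC is stable per client.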