'Emergency off' feature: Planning for disaster

Introduction

If NAC is installed into your core network, it can affect the availability of critical workstations and servers. You may wish to have a way of deactivating NAC in case of severe network problems (e.g. during the night, outside of support hours). This does not mean that NAC is unreliable, but planning for disaster is important.

The system is equipped with scripts to disable dynamic VLAN allocation, thus allowing recovery in an emergency situation where the Network Administrator wishes to disable NAC device authentication and force network ports to use a static VLAN.

This feature (available in V3.0 and later) has been tested on Cisco CatOS and IOS switches (only Cisco switches work with VMPS anyway).

Two vmps-mode scripts are provided in the enterprise version: one disables dynamic ports by programming the last used VLAN as a static VLAN; the second re-enables dynamic mode. These scripts can be run per switch, or for all switches.

deactivate_vmps

This is the main script to deactivate NAC in your switches and configure switch ports as static. It does so by getting a list of ports from the NAC database which were documented by snmp_scan.php as being 'dynamic'.

The VLAN to be configured on the switch port is the last_vlan which was present on that port.

If successful, it writes a list of changes to a CSV file, saying which VLAN has been configured on which port of a given switch. This file can be used later on to undo the changes made by 'deactivate_vmps'. This file is normally stored as 'vmps-yyyy-mm-dd-hh:mm:ss'; the timestamp is automatically generated when 'deactivate_vmps' is run.

To store changes in a different file, use the '-f' option along with the filename you want to use. deactivate_vmps creates a new file each time it is run, so if you specify a filename which already exists on your system, it will be overwritten.

'deactivate_vmps' uses the variable $snmp_rw extensively, which is defined in config.inc. If you want to use a different SNMP RW community, you can do so by providing the '-c' option along with the SNMP RW community.

When 'deactivate_vmps' is called with no parameters, it will configure as static all switch ports which are present in the FreeNAC database. To deactivate NAC on certain switches only, provide either the IP address or the switch name of the switches you want to change.

For example, to deactivate NAC on switches switch_1 and 192.168.0.1:

deactivate_vmps switch_1 192.168.0.1

At the end of a run, 'deactivate_vmps' will display a short summary of how many ports and switches have been changed and where it has stored the changes file. This same information is written to standard output, syslog, and the NAC GUI.

activate_vmps

This is the script to reactivate NAC in your switches and configure switch ports as dynamic. It does so by getting a list of ports from the NAC database which were documented by snmp_scan.php (usually run once per day) as 'dynamic'.

It is *highly* recommended that you use the file produced by 'deactivate_vmps' to restore your network to the state it was in before 'deactivate_vmps' ran. Without that file, 'activate_vmps' relies on data reported by snmp_scan.php, and if snmp_scan.php has run in the meantime it will have updated the database: ports which were previously reported as 'dynamic' (and which deactivate_vmps made static) may now be reported as 'static', so they would not be reactivated.

To specify a file to be used instead of the data contained in the NAC database, use the '-f' option along with the filename. This file must be a CSV generated by a previous run of 'deactivate_vmps'.

'activate_vmps' uses the variable $snmp_rw extensively, which is defined in config.inc. If you want to use a different SNMP RW community, you can do so by providing the '-c' option along with the SNMP RW community.

When 'activate_vmps' is called with no parameters, it will configure as dynamic all switch ports which are present in the FreeNAC database. To reactivate NAC on certain switches only, provide either the IP address or the switch name of the switches you want to affect.

For example, to activate NAC on switches switch_1 and 192.168.0.1:

activate_vmps switch_1 192.168.0.1

At the end of a run, 'activate_vmps' will display a short summary of how many ports and switches have been affected, and where it has read that data from. This same information is written to standard output, syslog, and the NAC GUI.
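The following Python model is an added illustration of the deactivate/activate procedure described above; it is not FreeNAC's own code (the real scripts talk SNMP to the switches, which is omitted here). It assumes a constructed port table in place of the NAC database, an assumed CSV layout of switch,port,vlan for the changes file, and a 'rescan' step that shows why restoring from the '-f' file is safer than restoring from the database: after snmp_scan.php has seen the ports as static, a database-driven activate_vmps finds nothing to reactivate, while the changes file still lists every port that was converted.

```python
import csv
import io
from datetime import datetime

# Constructed stand-in for the port rows snmp_scan.php stores in the NAC
# database. Column names and values are assumptions for this illustration.
PORT_DB = [
    {"switch": "switch_1",    "port": "Fa0/1", "mode": "dynamic", "last_vlan": 10},
    {"switch": "switch_1",    "port": "Fa0/2", "mode": "dynamic", "last_vlan": 20},
    {"switch": "switch_1",    "port": "Fa0/3", "mode": "static",  "last_vlan": 99},
    {"switch": "192.168.0.1", "port": "Gi1/1", "mode": "dynamic", "last_vlan": 30},
    {"switch": "192.168.0.2", "port": "Gi1/1", "mode": "dynamic", "last_vlan": 40},
]

CSV_FIELDS = ["switch", "port", "vlan"]   # assumed changes-file columns


def changes_filename(now=None):
    """Default changes-file name, 'vmps-yyyy-mm-dd-hh:mm:ss', as in the docs."""
    now = now or datetime.now()
    return now.strftime("vmps-%Y-%m-%d-%H:%M:%S")


def _selected(row, switches):
    """A row is in scope when no switch list was given (all switches) or
    when its switch name/IP appears in the command-line list."""
    return not switches or row["switch"] in set(switches)


def plan_deactivate(port_db, switches=None):
    """deactivate_vmps: every 'dynamic' port in scope becomes static on its
    last_vlan. Returns the change records that go into the CSV file."""
    return [
        {"switch": p["switch"], "port": p["port"], "vlan": p["last_vlan"]}
        for p in port_db
        if p["mode"] == "dynamic" and _selected(p, switches)
    ]


def summary(changes):
    """(ports changed, switches touched), as printed at the end of a run."""
    return len(changes), len({c["switch"] for c in changes})


def write_changes_csv(changes, fh):
    writer = csv.DictWriter(fh, fieldnames=CSV_FIELDS)
    writer.writeheader()
    writer.writerows(changes)


def read_changes_csv(fh):
    return [{"switch": r["switch"], "port": r["port"], "vlan": int(r["vlan"])}
            for r in csv.DictReader(fh)]


def simulate_rescan(port_db, changes):
    """What a later snmp_scan.php run would record: the converted ports now
    show up as 'static' in the database."""
    converted = {(c["switch"], c["port"]) for c in changes}
    return [dict(p, mode="static") if (p["switch"], p["port"]) in converted else dict(p)
            for p in port_db]


def plan_activate_from_db(port_db, switches=None):
    """activate_vmps without -f: reactivate whatever the database currently
    calls 'dynamic'. After a rescan this can miss the ports we made static."""
    return [(p["switch"], p["port"]) for p in port_db
            if p["mode"] == "dynamic" and _selected(p, switches)]


def plan_activate_from_file(changes, switches=None):
    """activate_vmps with -f: reactivate exactly the ports recorded by the
    earlier deactivate_vmps run, regardless of what the database says now."""
    return [(c["switch"], c["port"]) for c in changes if _selected(c, switches)]


def emergency_off_demo(switches=None):
    """Run the full cycle in memory and return the results for inspection."""
    changes = plan_deactivate(PORT_DB, switches)
    buf = io.StringIO()
    write_changes_csv(changes, buf)          # the 'vmps-...' file
    buf.seek(0)
    restored = read_changes_csv(buf)
    rescanned = simulate_rescan(PORT_DB, changes)
    return {
        "changes": changes,
        "summary": summary(changes),
        "csv_roundtrip_ok": restored == changes,
        "from_db_after_rescan": plan_activate_from_db(rescanned, switches),
        "from_file": plan_activate_from_file(restored, switches),
    }


if __name__ == "__main__":
    result = emergency_off_demo()
    print("changed %d ports on %d switches" % result["summary"])
    print("activate from DB after rescan:", result["from_db_after_rescan"])
    print("activate from changes file:   ", result["from_file"])
```

Running the demo with no switch list mirrors a bare 'deactivate_vmps' followed by 'activate_vmps'; passing ["switch_1", "192.168.0.1"] mirrors the per-switch invocations shown above and leaves 192.168.0.2 untouched in both directions.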