6. Switch integration
Posted August 10th, 2007 by sean
Introduction
Switches are integrated in five ways:
- 'Passive' scanning of the MAC addresses visible on all ports
- Querying of port status
- Port control (stop/start/restart/set static VLAN/set VMPS mode)
- Answering of VMPS queries
- Answering of 802.1x/RADIUS queries
1. Passive scanning of MAC tables via SNMP
FreeNAC (v2.2 RC2 and later) includes the snmp_scan.php tool, which queries the following information from switches:
- The switch's hardware and software versions
- Discovery of new ports
- Updates to port names, status (up or down) and auth profile (static VLAN, dynamic/VMPS or trunk)
- The last VLAN seen on a port, for static ports
- For each MAC address found, its LastSeen, LastVlan and LastPort fields are updated; for new MACs a new entry is added with the name 'unknown'.
The script only scans switches which have the flag scan=1 in the switch table.
Settings are configured in two places, etc/config.inc and the 'config' DB table.
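The MAC-table walk and the update-or-insert rule described above, as an added illustration that is not FreeNAC's own snmp_scan.php: it parses constructed snmpwalk output of the standard BRIDGE-MIB forwarding table (dot1dTpFdbPort) and applies the LastSeen/LastVlan/LastPort rule to an in-memory stand-in for the database, honouring a dry-run flag like the snmp_dryrun setting. The per-VLAN community ("ro@10"), the sample MACs and the bridge-port-to-interface-name mapping are assumptions made for the example.

```python
import re

# Constructed snmpwalk output of BRIDGE-MIB dot1dTpFdbPort (1.3.6.1.2.1.17.4.3.1.2),
# as returned when walking a Cisco switch with the per-VLAN community "ro@10" (assumed).
# The OID suffix is the MAC address as six decimal octets; the value is the bridge port.
FDB_WALK = """\
SNMPv2-SMI::mib-2.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
SNMPv2-SMI::mib-2.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 7
SNMPv2-SMI::mib-2.17.4.3.1.2.0.80.86.192.0.8 = INTEGER: 3
"""
# Constructed bridge-port -> interface-name mapping (what dot1dBasePortIfIndex + ifName give).
BRIDGE_PORT_NAMES = {3: "Fa0/3", 7: "Fa0/7"}

FDB_RE = re.compile(r"17\.4\.3\.1\.2\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")

def parse_fdb_walk(walk_text):
    """Return {mac: bridge_port} from snmpwalk text; MACs in lower-case colon form."""
    table = {}
    for m in FDB_RE.finditer(walk_text):
        octets = [int(o) for o in m.group(1).split(".")]
        if any(o > 255 for o in octets):
            continue  # malformed index: skip rather than store garbage
        mac = ":".join(f"{o:02x}" for o in octets)
        table[mac] = int(m.group(2))
    return table

def apply_scan(systems, walk_text, vlan, seen_at, dryrun=False):
    """Update LastSeen/LastVlan/LastPort for known MACs and add unknown ones with
    name 'unknown'. Returns the list of newly discovered MACs. With dryrun=True
    (like snmp_dryrun=1) nothing is written to the 'systems' stand-in."""
    new_macs = []
    for mac, bport in parse_fdb_walk(walk_text).items():
        port = BRIDGE_PORT_NAMES.get(bport, f"bridge-port-{bport}")
        row = {"LastSeen": seen_at, "LastVlan": vlan, "LastPort": port}
        if mac not in systems:
            new_macs.append(mac)
            row["name"] = "unknown"
        if not dryrun:
            systems.setdefault(mac, {}).update(row)
    return new_macs

if __name__ == "__main__":
    # One already-known device; the other two MACs in the walk are new.
    db = {"00:11:22:33:44:55": {"name": "printer-1", "LastVlan": 10, "LastPort": "Fa0/1"}}
    print(apply_scan(db, FDB_WALK, vlan=10, seen_at="2007-08-10 11:05:00"))
    print(db)
```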
Configuration: switch
SNMP needs to be enabled, and ACLs set so that queries are allowed from the FreeNAC server IP address. If there is a firewall between FreeNAC and the switches, the SNMP port (udp/161) needs to be open.
Configuration: config.inc
This file, created from config.inc.template and stored in /opt/nac, contains sensitive data such as passwords. Please set the SNMP community string for reading switch settings:
$snmp_ro
Configuration: Config table
The parameters in the 'config' table can be set either from the mysql command line (use 'describe config' and 'select * from config' if you are at ease with SQL), or more easily, from the Windows GUI (See Users Guide -> Windows GUI -> Administration tab and the Windows GUI installation page).
The snmp_dryrun setting should be false (=0).
Configuration: switch table
You need to first declare which switches are going to be scanned, either via Windows GUI (Users Guide-> Windows GUI-> Switches) or via the MySQL commandline:
insert into switch set ip='1.2.3.4', name='swXX', location='1';
For a switch to be automatically scanned, set the 'scan' flag to 1:
update switch set scan='1' where ip='1.2.3.4';
Change the values according to your system.
Activating snmp_scan
Once configured, run it from the command line to test:
cd /opt/nac/bin
./snmp_scan.php
Look at syslog to see how the tool is progressing. This tool can take some time, depending on the number of switches in your network and their age. If it times out or takes a very long time, SNMP is probably not correctly configured on the switch, or the community string in config.inc is not correct.
To run regularly, for example at 11:05 daily, add an entry to the root cron:
3 11 * * 1-5 /opt/nac/bin/snmp_scan.php | logger
Note: scheduling of such scans cannot be configured yet from the Windows GUI.
2. Querying of switch port status
As of FreeNAC v3.0, the tool ping_switch.php queries the switch port status (up/down), which can then be seen in the GUI.
To activate it, add the switch to FreeNAC, set the 'scan' flag to 1 (see the previous section), and add an entry to the root crontab, for example to scan every hour:
10 8-17 * * 1-5 /opt/nac/bin/ping_switch.php 2>&1 | logger -t ping_switch.php
Note: scheduling of such scans cannot be configured yet from the Windows GUI.
3. Port control
The active programming of certain parameters is possible from the Windows GUI. These parameters are stored in the database, and then written to switches by the tool cron_restart_port.php on the server.
For each port the parameters that can be set are as follows, see also the Switches section of the Windows GUI User Guide:
- restart
- clear_mac
- shutdown
- static or dynamic vlan attribution
- if static, the vlan can be defined
Configuration: Set the snmp write community ($snmp_rw) in config.inc. Test cron_restart_port.php on the command line and verify results by reviewing the syslog and the 'server log' in the Windows GUI. Then activate in the root crontab e.g. every minute:
* * * * * /opt/nac/bin/cron_restart_port.php
Configuring clear_mac (new in V3.0.2): Refer to the tech guide for a description of this feature. It is needed as a supplement to port_restart for switches with more recent IOS versions. You need to do the following to activate it.
- Configure the values for $sw_user, $sw_pass and $sw_en_pass in config.inc.
These variables are needed to access the switch via telnet and call the IOS command to clean the MAC address from the switch.
The commands to the switch are sent in clear text via telnet. If a dedicated switch management network is not available, this may increase security risks.
For additional security, one can restrict the commands that the sw_user can perform on the switch e.g. only to the "clear mac" command. Such restricted user access is typically done on a TACACS server such as Cisco ACS.
If you don't want to create a dedicated restricted user, your admin username should work, as well as the enable password.
- Activate this feature: set the value of the config variable check_clear_mac from false to true (via the Windows GUI or the mysql command line).
- Select the IOS switches where clear_mac will be used. This can be done either from
A) the Windows GUI: on the Switch configuration page, set 'switch_type' to '1'; or
B) MySQL, by issuing the following query:
mysql> UPDATE switch SET switch_type='1' WHERE name='mysuperswitch';
4. Answering of vmps queries.
FreeNAC's original main feature was answering VMPS requests with an ALLOW or DENY (and an associated VLAN). The answering is done by the vmpsd_external daemon in accordance with the configured policy (see the policy chapters of the Technical Guide).
Although individual ports can be set to static or dynamic (vmps) mode, from the Windows GUI (see previous section), key VMPS parameters such as the following must be programmed directly on each switch manually (via telnet or SSH).
- vmps server IP addresses
- timeouts
- reconfirmation intervals
These parameters, and how to set them on Cisco CatOS and IOS switches, are covered in the FreeNAC Technical Guide, 'Configuring Network Switches' chapter.
5. Answering of 802.1x/radius queries
The 802.1x module answers requests to authenticate end-devices based on the 802.1x protocol, typically either a user's Windows domain logon or a certificate.
This involves the FreeRadius and Samba modules, and also requires manual port programming (via SSH or telnet) on the switches.
Please refer to the 802.1x section of the Technical Guide.