Enterprise architecture: example

Introduction

The following is an example of integrating 'FreeNAC enterprise' into a live environment.

NAC Modules

This section defines what modules are planned for this installation. Note that modules can always be enabled at a future date; there is no additional license fee.
Enterprise modules planned for this installation (example):
1. MAC Address authentication
2. Windows GUI
3. Web Interface
4. Active Directory querying of user details, to be able to associate users with end devices.
5. Automatic detection and inventory of end-devices not actively managed by NAC, to ensure a complete inventory of End-Devices on the network
6. Scanning of open ports and identification of the Operating System on End Devices
7. Emergency ‘stop’ tool which can disable NAC and quickly configure static Vlans on switch ports (for disaster recovery in extreme situations)

Enterprise modules not planned for this installation:
8. 802.1x User Authentication
9. McAfee Epo Anti-Virus server queries
10. Microsoft SMS (Software package/system management) server queries
11. Microsoft WSUS (Windows Update) server queries.

Custom Modules

Are any Custom Modules planned? NAC is designed to allow open interfaces, however such interfaces need to be specified in detail and are subject to additional development/installation charge.

Example: A “static inventory program” already exists at the customer called XXXX. A read-only interface is to be created from NAC to this system that allows:
- NAC to query device ownership and display it in the GUI
- The Static inventory systems to query device location, IP address, Operating system, depending on Name or MAC-Address. An SQL view with appropriate field for a specific user/password is to be created.

Concept

Describe the aim of the installation, e.g.
1. Recognise all end devices that connect to the network and request their identification based on their MAC address. The switch access port configuration will be set to dynamic, and the NAC system will:
o Listen to incoming request from switches
o Send email alerts if new end devices are detected
o Dynamically Assign a Virtual LAN (Vlan) to the access ports of the following switches, based on the MAC address of end devices: (list the switch names)
2. VLAN assignment will be based on a MAC Address. The assigned VLAN will be as follows (define key vlan names & assignments, example):
o Normal access VLAN for Corporate End-User PCs
o Guest VLAN for visitors. This VLAN will have limited network access. Or all ‘unknowns’ to be denied?
o Ad-hoc VLAN for specific devices (printers, …)
3. Is 802.1x authentication of Users required?
If so in what domain, for which switches and ports? What is the expected use-case?
i.e. 802.1x is expected to be used with Windows XP, with user logon to the domain, and vlan assignment based on the MAC address of the end device.
4. End-devices will be documented in the NAC database,
o Through initial import?
o Through dynamic discovery upon connection of new devices
o Regularly scan the switches & routers using SNMP to discover non-managed devices?
o Information to be automatically documented per device (example): MAC address, IP address, Hostname, Operating System, open ports, Anti-Virus status, Windows patch status.
o Information to be automatically documented per device (example): Assigned Username

Requirements

This sections outlines information, connectivity and hardware that is to be provided by the customer.
Network Information
Network data that is required for NAC:
1. Switches, including their IP Address, SNMP Read-only & Read-write communities
2. A list of switch ports to be configured to use NAC.
3. Core routers, including their IP Address, SNMP Read-only community
4. VLANs, including their ID and Name as reported by the switches "show vlan" command
5. A network diagram showing vlans, switches, routers.
6. DNS server names, IP addresses and the domain name.
7. The proposed IP configuration of the NAC servers: IP address, net mask, default gateway, DNS name.
8. Email server name/IP, for the delivery of email alerts.
9. What email address, per switch, are alerts to be sent to?
10. Which Active Directory user group (exact names please) are to be allowed GUI access:

• Read-only
• Super-user
• Administrator.

Optional network data that would be useful: Cabling documentation: which switch/port leads to which office/user/PC.

Server Hardware / OS
1. How many servers are to be installed, where?
2. PC server hardware is to be supplied by the customer, or by Swisscom?
3. What is the HW specification of the servers?
4. Operating system to be installed is Suse Version 10 (Enterprise, or OpenSuse), or something else?
5. Who installs the OS?
o Swisscom
o The customer? Swisscom does not install the operating system, but maintains the NAC system and associated Linux services (Apache, MySQL, ..) on these servers.

Network Connectivity
For the deployment of NAC, the following information is required:
1. Switches :
o Switches must be able to send VMPS requests and receive answers (port 1589 udp) to the NAC master and slave servers.
o Management interface must be accessible using SNMP (udp port 161) and optionally telnet (port 23 tcp) or SSH (port 22 tcp) for the Disaster Recovery scripts from the NAC master.
2. Depending on the NAC modules requested by the customer (see 2.2), specific backend systems must allow access from NAC, for example:

o The McAfee ePO database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o The WSUS database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o The MS-SMS database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o Static Inventory modules, if requested, require a dedicated interface.
o MS Active Directory (needed for 802.1x and user details syncing from Active Directory) requires the domain name and domain controller names. For details syncing, a username, password with AD rights and one or more DN (Distinguished Names) to synchronise are needed.
o The Windows GUI must be able to connect to port 3306 (mysql) on the NAC master server.
o To access the Web GUI, access is required to port 80 and 443 on the NAC master server.

3. Routers: Management interface must be accessible using SNMP from the NAC master
4. General

o DNS servers: should answer DNS requests (udp port 53)
o Email servers must accept emails from the NAC server (port 25).

5. Remote Access for Swisscom (Gold) support:
o During installation, and for updates later, the NAC servers will need HTTP/FTP access to internet (direct or via a proxy).
o SSH, IPsec or SSL VPN access from Swisscom Innovations to the server(s) for maintenance and support

Initial Data import
During an ‘initialisation period’, NAC can be configured to automatically allow all devices to a default Vlan and automatically document the MAC address, IP address and DNS name of devices found (and the switch/port).

If the customer has an exact inventory of machines, this can be imported into NAC. The data provided to Swisscom to initiate the setup must include:
• MAC Address: format is 0010.C61F.8DBF or 00:10:C6:1F:8D:BF (case insensitive)
• Hostname
• VLAN : This can be any descriptor (Lab XXX, Company Name, Network acronym, …)

It may also, ideally, contain
• Username
• Operating system, incl. patch level
• Classification (e.g. Server, Workstation, Printer)
• A static Inventory number
• A comment

The format is comma-separated value (CSV) text file.

Hubs and unmanaged switches
If more LAN access cables are needed in specific rooms, two alternatives to hubs exists:
• Pull more cables between the room and the existing switch
• Add a small managed switch in the room: the Cisco 2940-8TT is recommended as it is a smaller, fanless (noiseless) version of the Cisco 2950 switch.

However, NAC also offers optional support for hubs and unmanaged switches.
Are hubs or unmanaged switches to be used? If yes, please indicate and be aware of the limitations noted below

1. If multiple systems belonging to VLAN with the same security level use the same hub, they will be allowed access.
2. If systems belonging to VLAN with different security levels, the access will be blocked for the most recent or least numerous group.

Typically, the hub will be connected to an Internal Vlan if all connected systems belongs to the Customer, or a Guest VLAN if all connected computers are visitors. If there is a mix of Customer and visitor devices, there will be no access at all.

Database Architecture V3.0

Database schema: version 3.0 (see diagram).

The schema has changed a little bit since v2.2. We have added fields to store ports and switches' status, and the last time that the switch/port was monitored. In the systems table, we now have an index to indicate the health of a connecting device. Some other fields have been added to express what user last used the device, the last name of that device, or even to send an email whenever that device get connected to the network.

See also the DB migration script in contrib/migration_2.2_to_3.0.

For those who are interested, we have made these diagrams with a nice tool, Case Studio, now named Toad Data Modeler. They have a free version too. Here's the link to the Case Studio file.

Database Architecture V2.2

Database schema: version 2.2 (see diagram) This schema is much more improved in comparison to the one found in the version 2.1. It is now completely normalised, which helps a lot for future gui and extensions of the system.

For those who are interested, we have made these diagrams with a nice tool, Case Studio, now named Toad Data Modeler. They have a free version too. Here's the link to the Case Studio file.

Database architecture v2.1

For references purposes, the older v2.1 schema is as follows.

Server overview

Overview

vmpsd_external

This is an "external" program called by the original OpenVMPS daemon "vmpsd". This program decides what to do, in real time, when access is requested by a switch for a MAC address. Since it operates in 'real time', performance is important; so some jobs such as documenting what was last seen, where, or recognising PCs from external databases, is done in the vmps_lastseen script (which is asynchronous).

• If the MAC is active in the DB authorise it, and,
• Port check: If the MAC is active on a port where another system has been active within the last hour, try to use the Vlan last seen on the port, not the normal Vlan assigned to this system.
  This is to detect hubs and prevent 'flapping'. This feature is only allowed if the Vlan on the port and assigned to the MAC are in the same Vlan group (otherwise the new MAC is denied).
• Otherwise, if the MAC is unknown
  • check to see if a 'port default vlan' has been configured for that port and use it
  • else use the default vlan (which might be simply '0' meaning DENY)
  • and, do a ?port check? as noted above (check for active port/hub & vlan group).
• Log decisions to syslog, and key events to DB (visible in the GUI).

postconnect (vmps_lastseen v2.x)

Parse the syslog logs for 'vmpsd' entries and implement the postconnect policy, for example:

• Update the 'last seen' fields for the relevant Mac, if the system is known
• Or add a new entry with status 'inactive', if none yet exists in the systems table
• And add new switches to the switch table and new ports to the port table.
• And if the MAC found is registered in a Microsoft-SMS system (enterprise feature only), it is automatically added to a pre-defined vlan, a 'port check' done, authorised and the port restarted.

Performance measurement

A way to test performance, is to use vqpcli.pl to sent man requests.

set $count to 200 in ./vqpcli.pl

The adapt the IP addresses, VTP domain, and port name in the following example:

./vqpcli.pl -s 192.168.245.40 -v ctcs -w 192.168.245.71 -i '2/22' -m '0000.0000.9999' -c sec230

cron_restart_port.php

As of FreeNAC v3.0 we have modified the cron_restart_port.php to make it more functional.

In previous versions of FreeNAC, cron_restart_port was a wrapper around the restart_port script. This has changed now in this new version. Even though we still provide a restart_port.php script, we now don't fork a syscall for this script. Instead, we use SNMP functions to achieve the same results from inside the same script, saving thus both time and resources.

In the event that you want to experiment with the restart_port.php script from the command line, you should run it as follows:

restart_port.php port switch

where port is the port name, and switch is the switch's name or ip address. This script only supports one switch port at the time. To act upon more than one switch port at the same time, you have the cron_restart_port.php script at your disposal.

What this script does, is to go through the list of ports in the FreeNAC database whose restart_now flag equals 1. Obviously to interact with this script you need to do it through the Windows GUI. From the windows GUI you can choose not only to restart the port(s), but also to program them as static and assign a vlan to them, or as dynamic or even shut down the ports.

Everytime this script is run, it generates a PID file, thus ensuring that only one instance of the script will run at all times.

To restart a port, you should tick the restart box in the Windows GUI

In syslog you should get the following messages:

Oct 31 10:35:02 vmps1 cron_restart_port.php[3592]: Port Fa0/1 successfully restarted on switch 192.168.1.1(swdemo) 

To shutdown a port, you should tick the shutdown box in the Windows GUI

In syslog you should get the following messages:

Oct 31 10:38:01 vmps1 cron_restart_port.php[3655]: Port Fa0/1 on switch 192.168.1.1(swdemo) was successfully shutdown 

To program a port as static, you should select 'static' from the drop down list and also the vlan you want to assign to this port. In this example, we are assigning the 'default' vlan.

In syslog you should get the following messages:

Oct 31 10:39:02 vmps1 cron_restart_port.php[3665]: Port Fa0/1 on switch 192.168.1.1 successfully set to static with vlan default 

To program the port as dynamic, you should select 'dynamic' from the drop down list.

In syslog you should get the following messages:

Oct 31 10:41:01 vmps1 cron_restart_port.php[3725]: Port Fa0/1 on switch 192.168.1.1 successfully set to dynamic. 

Bugs and comments, please discuss them in the forums.

ping_switch.php

As of FreeNAC v3.0 we introduced the ping_switch.php script. The purpose of this script is to determine the status of the switch ports which are part of a FreeNAC system.

The status of a port is determined via SNMP, retrieving the IfAdminStatus object (OID: 1.3.6.1.2.1.2.2.1.7) from the switch. The states defined for this object are as follows:

1. up
2. down
3. testing

The testing state indicates that no operational packages can be passed.

Since this script makes extensive use of SNMP, make sure you adjust your SNMP communities in the etc/config.inc file.

ping_switch.php takes the list of switches to query from the FreeNAC database whose scan flag is set to 1. Then it performs two SNMP queries per switch in order to know if a port is up. The first query retrieves the list of ports available on the switch, and the second one retrieves their current status. Then, such a status is stored in the database to be later seen through the Windows GUI.

Also, the list of switches to query can be fed to ping_switch.php through the command line. To ping certain switches (assuming those switches exist in the FreeNAC database) do the following:

ping_switch.php switch1 switch2 ... 

Where switchN can be the switch's name (as defined in the FreeNAC database) or the switch's IP.

The optional switches for ping_switch.php are the following:

OPTIONS:
        -h              Display this help screen
        -s              Supress messages to standard output and redirect them to syslog
        -d              Activate debugging 

Timing measurements in tests conducted showed that for small switches (8 ports) it takes about one second to retrieve ports' status and in large switches (48 ports) it took aproximately 5 seconds.

This script can also be run from crontab. You should adapt the frequency to run this script taking into account how loaded your network is. The following crontab entry is an example, which runs this script every 10 minutes:

*/10 * * * *    /opt/nac/bin/ping_switch.php -s

Bugs and comments, please discuss them in the forums .

port_scan

Description:

This module is provided in order to give network administrators further knowledge about the systems that are part of their network, providing information about changes that computers connected to the network have suffered.

How does it work?

It grabs some allowed IPs from the OpenNAC database (more precisely from the systems table), and passes them to nmap, which is going to perform a scan. The results of this scan are saved to an XML file which is then parsed and these results are used to populate some tables which form part of the OpenNAC inventory system. The module logs to syslog if there are discrepancies between the current scan and information stored in the database. If there are differences it logs what has changed and makes the necessary corrections to the database. The tables used by port_scan are:

• nac_hostscanned
• nac_openports
• protocols
• services
• subnets

The tables protocols and services are lookup tables. They contain descriptions of protocols and services related to a certain port.
The table subnets contains definitions of subnetworks that port_scan is allowed to scan.
The table nac_hostscanned contains general information (IP address, hostname, OS) of scanned systems.
The table nac_openports contains information of the services present on each host which is in the nac_hostscanned table.

Dependencies:

OpenNAC
Nmap 4.11 or later

Modes of operation:

This script has 3 modes of operation:

1. When it is called with no arguments, it grabs IPs from the systems table and compares them against the networks defined in the subnets table. The final decision on what to scan is made through the LastSeen time threshold. With this, you say to scan only the hosts that were seen on the network within the lapse of 1 day, 1 month, 30 minutes, whatever.
2. When it is called with the "--scannow" parameter, it grabs IPs from the systems table, no matter if they are allowed or not, as long as in the systems table the flag "scannow" has the value "1". Then it checks these IPs against what you have specified in the subnets table.
3. IPs from the command line. You can call the script with something like port_scan x1.y1.z1.w1 ... xn.yn.zn.wn. In this way, the script will get the IPs from the command line and only those IPs which fall within the criteria specified in the subnets table will be scanned.

This script also has the switch "--verbose" to activate debugging. Please note that debugging of this script will be redirected to syslog.

About the subnets table and its use with port_scan:

Only those computers which fall within the criteria specified in the subnets table will become a strong candidate to be scanned. As said before, this table contains definitions of subnetworks that port_scan is allowed to scan. This was done so because maybe you have lots of subnets in your network, and some of them are behind a firewall, so they can't be accessed and scanning them would be a waste of time and resources. That's why, you need to specify in this table one register per subnet you want to take into account.

Files and directories required:

/opt/nac/bin/port_scan
/opt/nac/etc/port_scan.inc
/opt/nac/funcs.inc
/opt/nac/scan/

How to run it:

Important: You need to specify first in the subnets table the networks you want to scan.

• To scan all devices that are in the systems table, just type:
  

  	 /opt/nac/bin/port_scan &
  	

• To scan all devices in the systems table that have the flag scannow=1, do:
  

  	 /opt/nac/bin/port_scan --scannow
  	

  With the GUI you can set the flag for devices you want to scan now.

  If you prefer do it by hand, then

  	update systems set scannow=1 where ...;
  	

• To scan a list of IP addresses, do
  

  	/opt/nac/bin/port_scan 192.168.0.1 192.168.0.2 192.168.0.3 ... 192.168.0.254
  	

Features related to this module

Since Dec. 22 2008 the EndDevice class contains a new method called "PostScan". What this method does is to set the scannow flag of the system requesting access if and only if this system has not been scanned in the last 7 days.

In a proper configured system, port_scan in scannow mode will run every five minutes. Thus, every five minutes a port_scan will be run and the information about open ports will be up-to-date. 

Note that this method was planned to be used by postconnect. For an example of how to use it, please have a look at policy 11. 

Bugs:

Please report them in our Development forum:
http://www.freenac.net/phpBB2/viewforum.php?f=2

purge_not_seens.php

This script deletes all references to systems not seen during a certain period of time in the a FreeNAC system.

 The period of time is defined by the config variable delete_not_seen, which uses months as units of time.

For each system which has not been seen during the past delete_not_seen months, a cascade delete if performed, removing thus all references to this device from all tables in a FreeNAC system.

purge_unknowns.php

It may happen that unknown systems start filling up the database. In order to purge those unassigned systems sitting in the database, the script purge_unknowns.php was created. It deletes from the database unknown systems, defined by the config variable unknown_purge,  which are at least 10 days old.

For each unknown system older than unknown_purge days, a cascade delete is performed, removing all references to it from the database.

This script can be run from crontab as follows:

0   1    * * 1   /opt/nac/bin/purge_unknowns.php

This will purge unknowns from the database every Monday at 1:00AM.

report_old_users.php

If a user has not been seen during a certain amount of time, it would be desirable to disallow access to their systems until he reports back to the sysadmin.

The script report_old_users.php reports if a user hasn't been seen during a certain amount of time, defined by the config variables report_old_users_days_from and report_old_users_days_back, and for every user not seen during this time span, it sets their systems to the 'kill' status, forcing thus the user to report back to the sysadmin when she comes back.

As mentioned before, the time span is defined by the config variable report_old_users_days_from and report_old_users_days_back, which are given in days. For this script to work, the value defined for report_old_users_days_from has to be less than report_old_users_days_back.

snmp_set_port.php

As of FreeNAC 3.0 we introduced the snmp_set_port.php script. This script programs a switch port either as static of dynamic. Its usage is as follows:

snmp_set_port.php switch port [OPTIONS] 

Where switch is the switch's ip and port is the port name. This script supports the following options.

OPTIONS:
        -d              Set port to dynamic
        -s vlan_name    Set port to static and program vlan_name on that port
        -h              Display this help screen 

If no option is provided, it programs the port as dynamic. To program a port as static, you need to provide the vlan_name you want to program on the switch port. Such vlan_name must exist on the switch in order to be successfully programmed. Once the port has been programmed, it gets restarted.

Since this script makes extensive use of SNMP, make sure you adjust your SNMP communities in the etc/config.inc file.

This script is designed to be run from the command line. So, in order to interact with the Windows GUI, we have provided a companion script called cron_program_port.php

cron_program_port.php gets the list of ports whose set_authprofile field equals 1, and then issues an snmp_set_port command for every port that matched the criterion. Since this latter script is designed to be run from crontab, you should adjust the running frequency according to your needs.

Bugs and comments, please discuss them in the forums .

AD/LDAP user interface

DESCRIPTION

The purpose of this module is to query Microsoft's Active Directory to obtain user information which is then stored in the users table. The module should also work for other LDAP implementations, although some modifications may be necessary (attribute names). Optionally additional information from the Microsoft Exchange AD schema extension can be fetched as well.

HOW DOES IT WORK

The module fetches the attributes sAMAccountName, sn (surname) and GivenName of all objects of type person underneath all Distinguished Names (dn) defined in $ad_base_user_dn as configured in config.inc. Then it checks for each account name if it exists already in the database. If it does, the entry is updated, including the LastSeenDirex field. Otherwise a new entry is inserted into the database.

In case of querying addtional MS Exchange attributes, these are:

• department
• mail
• physicalDeliveryOfficeName
• telephoneNumber
• mobile

CONFIGURATION

There are five options in the global configuration.

• ad_server: The Domain controller where the AD is queried.
• ad_user: This is the DN of a user with sufficient privileges to read the necessary information from AD. The possible values for this setting should be in the form 'cn=User,cn=users,dc=domain,dc=com';
• ad_password: The password for ad_user
• ad_base_user_dn: The DNs (do not confuse with Domain Name Server) of the places underneath which users are stored. The possible values for this setting should be in the form 'cn=users,dc=test,dc=com'
• ad_port: The port where we should connect to.
  There are two ports related to LDAP. The port 389 is the standard port assigned to this service and the port 3268. The port 3268 is assigned to the Global catalog. A Global Catalog is a read only copy of selected attributes of all of the Active Directory servers whithin the AD forest. Querying the Global Catalog allows all the domains to be queried in a single query, without the query spanning servers over potentially slow links. It is recommended to use the Global Catalog since it is used only for searches and port 389 is used for read and write operations, and therefore it could be restricted.

HOW TO USE IT

First, setup the AD related parameters in config.inc. IMPORTANT: Once you have set the related parameters in config.inc, you need to import the config.inc file into the database. As of release V2.2 RC2, ad_user_snyc takes all the variables from the config table, so the config.inc file has to be imported into the database.

Do the following from the /opt/nac/contrib directory:

./config2db ../etc/config.inc

If you need to redefine some of these settings, you can do so through the Windows GUI.

Then run the module script from the command line with the paramter 'test'. This checks whether your LDAP server can be reached and dumps the user information obtained to stdout. If you want to fetch the addtional MS Exchange attributes launch the module with the addtional argument 'exchange'. Once your setup works, register the module in crontab.

crontab -e

add the next line

0 0 * * *    /opt/nac/bin/ldap

or

0 0 * * *    /opt/nac/bin/ldap exchange

This will run it every day at midnight.

DEPENDENCIES

OpenNac
PHP with LDAP support

FILES

bin/ad_user_sync
etc/config.inc
doc/README.ad_user_sync

802.1x components

The “802.1x” standard allows authentication of devices in LAN or Wireless networks, using cryptographic techniques to provides higher security. 802.1x can authenticate the user or the device.

FreeNAC includes 802.1x since V2.2.

802.1x and MAC address identification can be combined, by for example authenticating the user via Windows Domain Logon and using the end-device MAC address for Vlan assignment.

The following diagram shows the components involved in 802.1x authentication.

The VMPS/MAC based components (vmpsd_external, postconnect) are documented in the VMPS section.

rad2vmps

A Perl script 'rad2vmps' is called from FreeRadius, that accepts a MAC address and returns the Vlan to be assigned to the supplicant. This script queries the FreeNAC database of MAC addresses via the VMPS protocol.

802.1x problems

802.1x provides key advantages such as added security and a consensus that long term it is 'the way to go', but keep in mind some of the limitations when choosing 802.1x over VMPS in the short term.

• New(er) switches are usually required (e.g. 2006 or later)
• Vendor interoperability is a problem, each implements their own additional radius fields.
• Its a complex protocol: it is slower (due to the amount of data exchanges, the number of handshakes and encryption), difficult to analyse and support (due to the complexity of handshakes).
• Supplicants (the 802.1x client) are delivered with some Operating Systems but not with others. In Windows, depending on patch level/Service pack, it may work fine. 3rd party supplications are available but usually are not free and require configuration, suppport and distribution.
• Certificate (PKI) management: generating and checking signatures is normally easy enough, but how do you distribute, revoke and check for revoked certificates? How large are CRLs, how/where are they managed/downloaded?
• Interaction with Hubs, un-managed switches and Virtual Machines in bridged mode can be problematic, as 802.1x usually expects only one end-device per port.
• Cost: due to the above and the cost of a commercial Radius server (if you don't use a free alternative such as FreeRadius/FreeNAC)

Generation of computer certificates with a Winbugs CA

Generation of computer certificates with a Winbugs CA

If you want to deploy EAP-TLS in your network and require end-device certificates installed on your computers, this guide might be of help. In this guide we are going to generate computer certificates and configure the computer to perform EAP-TLS by using this certificate. Important: we won't be validating the users, only the device, so it means that any user can use the computer as long as the certificate is valid.

To generate the certificates, we will use a web server running Windows Server 2003 with the service of certification authority (CA) installed.

Open your favorite web browser and type in http://your_server/certsrv/, where your_server is the DNS name or IP address of your web server.

"Request a certificate", ask for an "advanced certificate request" and "Create and submit a certificate request to this CA".

In the Name field, type in the name of the computer for which you are requesting this certificate.

In Type of certificate needed, select "Client Authentiation Certificate"

Create a new key set and as Key Usage select "both".

Select the Mark Keys as exportable check box. Doing this saves the public and private key to a PKCS #12 file. This is useful if you want to copy a certificate for use on another computer.

Select the Store certificate in the local computer certificate store check box. This last option is actually important because it will save the certificate in the computer store, instead of the user store, which allows for TLS authentication to work.

Then you just need to wait for your CA to issue the certificate for you. Once you have your certificate, install it. By default it should be stored in the computer store.

Now, to allow EAP-TLS to work using this certificate as a computer certificate for all users, you need to modify the registry of the computer where you installed the certificate on. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global and add a new DWORD-value called AuthMode with the value of 2. Note that for this you need to have Administrator privileges on the computer.

Now you need to restart either your computer or the Wireless Zero Configuration service and you are done. This will perform the magic needed to send the computer certificate to authenticate this computer regardless of what user is actually using it.

Generation of server certificates with OpenSSL and a Winbugs CA

Generation of certificates for FreeRadius (EAP-TLS) with a CA on a Winbugs box

When generating certificates to be used by FreeRadius with EAP-TLS, there is an extension which is to be added to the certificate in order to validate this certificate. This validation is performed by the client against a root CA certificate. If such extension is not present in your FreeRadius server certificate, the auth process will fail, because the client won't be able to validate it and stop communicating with your server. If you happen to have your CA running in a Winbugs box, then this might be of help. We are going to generate a request using openssl and issue the certificate with winbugs with the extension needed embeded into the cert file.

First of all, in the computer where you are going to generate the request, edit your openssl.cnf file and do the following modifications:

Find the v3_req stanza and change the following line:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

for this one

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

and add the following line at the end of this stanza

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This will generate a request containing all needed attributes/extensions to be validated by the clients.

Your v3_req stanza should look like the following:

[ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Bear in mind that you are modifying openssl's configuration file. That means that all future requests will have these attributes set. If you don't want all future request to be a server authentication request, comment the last line out from the v3_req stanza.

Now generate your request using openssl

openssl req -new -keyout server.key -out server.req

This generates two files. One where your private key is contained and another one with your actual request. OpenSSL will ask you for a pass phrase. The passphrase you enter here is important. Without it you won't be able to decode your private key.

Our CA is on a Win2k3 server. We need to send our request to the CA by using the Microsoft Certificate Services. Open your favorite browser, and type in http://your_server/certsrv/ and select "Request a certificate" and submit an "advanced certificate request" by using the base-64-encoded option.

Once the page is open, copy the contents of your server.req file and press submit. Then you just need to wait for your CA to issue the certificate for you.

If you need your certificate in PEM format and the certificate was exported as DER encoded there is a final step you have to perform.

openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded and you need the PEM extension, then just rename the file.

mv certificate.cer certificate.pem

eap.conf

The eap.conf configuration file deals with the settings needed to perform cryptographic operations. The default eap.conf file that comes with your default installation provides enough information to help you configure your system properly, here we are presenting some common options, what they mean and how to configure them.

The tls section

This section holds configuration settings that affect your RADIUS server, so be careful when editting these settings.

private_key_password

The password you used to encode your private key when generating your certificate request. Comment it out if no password was set.

private_key_file

Path to your private key file. It has to be in PEM format

certificate_file

Path to your actual server certificate also in PEM format

If Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name.

CA_file

Trusted Root CA list. To use a certificate chain, you need to append in this file all certificates of the CAs that take part in your certificate chain, starting with the one that is at the top of the chain and finishing with the one that signed your certificate. This file has to be in PEM format.

check_crl

Set it to yes if you are going to use revocation lists, or comment it out if you won't.

CA_path

Path to the directory where the revocation list is. If you are not using CRLs, comment this out.
Copy to this directory the RL and your trusted root CA list. Once you've done that, do a c_rehash to this directory, where c_rehash is an OpenSSL command. Remember that CRLs have an expiry date, so make sure to always refresh your CRLs otherwise your server will deny all requests.

check_cert_issuer 

If check_cert_issuer is set, the value will be checked against the DN of the issuer in the client certificate. If the values do not match, the cerficate verification will fail, rejecting the user.

check_cert_cn

If check_cert_cn is set, the value will be xlat'ed and checked against the CN in the client certificate. If the values do not match, the certificate verification will fail rejecting the user.

This check is done only if the previous "check_cert_issuer" is not set, or if the check succeeds.

If you are using computer certificates, the username is sent like 'host//pc001' and the verification might fail because of the 'host//' part. In such a case, you might want to strip that part by doing:

check_cert_cn = %{Stripped-User-Name:-%{User-Name}} 

MAC-Auth-Bypass

MAC authentication bypass is an alternative to 802.1X that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC authentication bypass uses the MAC address of the connecting device to grant or deny network access.

MAC-Authentication bypass in FreeRadius, using FreeNAC as backend works as follows:

• When a device connects to the switch, the connecting device normally sends an "Access-Request" packet to the switch, which is then forwarded to the Authentication Server, in our case, FreeRadius.
  Then the Authentication server asks for more information from the connecting device in form of Access-Challenges. This process continues until the Radius server has enough information (Radius attributes) to make a decision.
  After requesting all required Access-Challenges from the connecting device, FreeRadius will give back to the switch an Access-Accept or an Access-Reject response, where this decision will be enforced.
• An 802.1x capable device selects the authentication type that will be used to perform uthentication by means of a Radius attribute. Checking this Radius attribute, FreeRadius will know how to authenticate the username, for example, by using Samba, MySQL, LDAP, etc.
• When a non-802.1x-capable device connects to the switch, the switch detects that one of its links is up and waits for packets which will then be forwarded to FreeRadius. If during a certain amount of time the switch hasn't received any packets, it will start authentication of the connecting device using its MAC address as the username. FreeRadius will then generate a VMPS request for
  FreeNAC, and FreeNAC will say if the device is authorized or not and where to place it.

In FreeNAC, we use a module called rad2vmps which performs the translation of a RADIUS request into a VMPS request which is then sent to the VMPS server. rad2vmps is a modification to the original script vqpcli.pl part of the OpenVMPS distribution. Vqpcli.pl makes VMPS requests to a VMPS server and outputs the decision taken by the VMPS server.

In the authorize section of FreeRadius, rad2vmps retrieves the needed parameters from the RADIUS request to make a VMPS request, (e.g. Switch IP, MAC address, etc). When a request reaches FreeRadius and no authentication type has been specified, rad2vmps will output the required attributes to call for MAC-Authentication bypass.

In the Authentication section of FreeRadius, the authentication type corresponding to this request will be used. For example, if in the request the authentication type was specified to MSCHAP, MSCHAP authentication will be called. For MAC-Authentication bypass, it is here where we create our VMPS request and send it to the VMPS server.

After we know who the user is (authenticate section), we assign the device the vlan where it belongs to. For all authentication types but MAC-Authentication bypass, it is here where we create our VMPS request and send it to the VMPS server. If a MAC-Authentication bypass was done, the code in this section is ignored.

So, basically, the difference between a MAC-authentication bypass and the rest of the authentication types is where we send the VMPS request. For MAC-Authentication bypass, the request is sent in the Authenticate part, and for the rest in the Post-Auth section. This allows for authenticating the user before authenticating her device.

Authenticating both username and device is more secure than authenticating only the device, but in cases where this is not possible, MAC-Authentication bypass is used.

Links to 802.1x material on this website

Links to other Technical Guide Documentation

• Switch configuration: Cisco 802.1x tests

Links to the Install Guide:

• Building 802.1x components

VMPS parameters

Vlans

The Vlan names and number must be configured on switches exactly the same as in the Vlan table in FreeNAC. NAC does not configure this on the switches for you.

So for example, if NAC is going to attribute the Vlans 'Printer' and 'Workstation', these two must be defined exactly with the same name and number on the Switches, and in FreeNAC.

FreeNAC also allows 'location based vlans' i.e. the vlans names do not have to be the same on all switches, refer to the FreeNAC Users Guide >> Windows GUI >> Configuration: Vlans.

syslog

Its recommended to configure the switches to send a copy of their logs to the NAC server, helping in troubleshooting.

See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura...

vmps server

CATOS:

  set vmps server   192.168.245.40

  clear vmps server 192.168.245.18

  reconfirm vmps

  sho vmps

IOS:

conf t   
vmps server     192.168.245.40  
no vmps server  192.168.245.18 
end
vmps reconfirm
sho vmps 

VMPS “retry” switch parameter

The following is an extract from "Troubleshooting Connectivity Between the VMPS Client and the VMPS server", http://www.cisco.com/warp/public/473/157.html#topic1-3

VMPS reconfirmation occurs when the VMPS client asks the VMPS if the dynamic port assignments are correct and if the correct MAC addresses have been assigned to the right ports. By default, this happens about every 60 minutes. Issue a show vmps command on the VMPS client to determine the VMPS reconfirmation time.
If the connectivity between the VMPS client and VMPS is intermittent (some data gets lost along the way) then you can try to increase the VMPS retry interval on the VMPS client, as a workaround. Issue the set vmps server retry command. By default, the VMPS client will try three times. In an environment with intermittent connectivity, when you increase the VMPS retry interval, you give the client more chances to connect to the VMPS before it gives up and VLAN membership fails.

Since Version 2.0, FreeNAC queries an SQL database in real time when authenticating end devices. There is also an optional "hub detection" feature which means it tries to detect and ping all devices already on a hub. Thus authentication can take seconds.

This can lead to the switch getting impatient, sending several requests and logging MACNOTRECONFIRMED messages to syslog, especially when reconfirming all ports each hour. One solution is to increase the vmps retry count from the standard 3, to say, 10.

When there is a loss of connectivity between a VMPS client and a VMPS, the VMPS reconfirmation might fail and produce the DVLAN-2-MACNOTRECONFIRMED error message. The port will lose its DVLAN assignment, as in this example:

     %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-0f] is not reconfirmed
     %DVLAN-1-DENYHOST:Host 00-00-11-11-11-0f denied on port 3/10

Cam” timeouts on “silent” servers

After the end-device transmits and the switch receives a valid response from the VMPS server, the switch enables the interface in the correct VLAN. If the client sits idle for a while causing the bridge aging timer to expire for the entry, the Catalyst returns the port to an unassigned state.

Therefore

• 'silent' servers, (or printers for example) would be disconnected from the network if they did not transmit packets at least every 5 minutes.
• If the VMPS daemon died during the night, users would not be able to login in the morning. (Of course this can be mitigated by with redundnacy mechanisms).

The aging timer (or CAM: content addressable memory) can be viewed on CatOS switches with:

sh cam agingtime (The default value is 300 seconds).

This timeout can be increased to several hours. This increases the risk of arp flooding (we think), but this is a low risk on internal network hopefully. It is recommended to set a value like 12 hours for dynamic/VMPS ports. This is important for switches that have servers/printers that may not send out any packets for several minutes or hours.

Its also recommended to use logcheck or a similar tool, to watch for unusual Switch syslog entries, especially floods.

CatOS:
The value can be set in seconds and per vlan. It needs to be set for each VLAN, for example on VLAN 4:

 show cam agingtime VLAN_NR

set cam agingtime VLAN_NR XXX  (secs, e.g. 24h=86400, 12h=43200)

IOS:

arp mac-address-table aging-time XXX  (secs)

Other notes

A graphical example

Example of migrating Switches to use a new VMPS server

Assuming we had two previous VMPS servers 192.168.245.18 and 192.168.245.19, and we now wish to change the switches to use a new server 192.168.245.40. Then logon on to the switches and do the following.

Monitoring: watch the syslog entries on the vmps server, the updating of the “last seen” times and “Server log” in the Windows GUI.

CATOS:
set vmps server 192.168.245.40
clear vmps server 192.168.245.19
clear vmps server 192.168.245.18
reconfirm vmps
sho vmps

IOS:
conf t
vmps server 192.168.245.40
no vmps server 192.168.245.18
no vmps server 192.168.245.19
end
vmps reconfirm
sho vmps

Cisco CatOS configuration examples

CatOS

Initially, Switches must be configured to send a copy of syslog messages, and given the name of the vmps servers, where it can send requests for dynamic port assignment. See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura....

# Setting up syslog servers

set logging server 192.168.245.40

# Set VMPS servers

set vmps  server 192.168.245.40

set vmps  server 192.168.245.19 primary

set vmps  server 192.168.245.18

# Remove a VMPS server & show status

clear vmps server 192.168.245.19

show vmps

# Lets make a port dynamic & ask the switch to re-authenticate all dyn ports, i.e. use VMPS

  set port membership 2/36 dynamic

  reconfirm vmps

# To switch a port back to static Vlan (if you had problems)

  set port membership 2/36 static

# To verify port

  show port status 2/36

# to disable/enable port (simulate cable being removed)

  set port disable 2/36

  set port enable 2/36

# The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10):

  set vmps server retry 5

# The switch reconfirms by default every 60 minutes, set it to 120:

set vmps server reconfirminterval 120

# Other useful commands:

  show mac-address-table address 00:04:dd:b6:5c:c2

  show cdp neighbors

  show cdp neighbors Gi4/5

  show cdp neighbors Gi4/5 detail 

# Tag a name to a port (to document usage)

  set port name 2/32 webcam

# Look at the MAC table:

  show arp

ARP Aging time = 1200 sec
+ - Permanent Arp Entries
* - Static Arp Entries
192.168.1.19 at 00-03-ba-17-fa-bf port 2/49 on vlan 2
192.168.1.18 at 00-03-ba-18-06-4b port 2/49 on vlan 2

show port status 2/32

Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/32 inactive dyn- normal auto auto 10/100BaseTX

show cam dynamic 2/43

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
3 00-04-76-15-48-30 2/43 [ALL]
Total Matching CAM Entries Displayed =1

show cam 00-04-76-15-48-30

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
3 00-04-76-15-48-30 2/43 [ALL]
570 00-04-76-15-48-30 2/49 [ALL]
Total Matching CAM Entries Displayed =2

Problems with “clear vmps server” on old CatOS

The command for removing vmps server “clear VMPS server” seems to be missing from older CatOS versions, there is no known workaround except either upgrading CatOS, or avoiding deleting the server IP address!

The offending Switches had the following version.
> (enable) show version
WS-C2948 Software, Version NmpSW: 6.3(1)
Copyright (c) 1995-2001 by Cisco Systems, Inc.
NMP S/W compiled on Jul 24 2001, 12:55:29
GSP S/W compiled on Jul 24 2001, 10:36:29
System Bootstrap Version: 4.4(1)
Hardware Version: 2.1 Model: WS-C2948

Cisco IOS SNMP v3 setup

Please note that this guide doesn't apply anymore to FreeNAC 3,In FreeNAC 3, the programming of the switches is done using PHP's SNMP libraries, instead of using the Linux utilities. This guide applies to prior versions of FreeNAC used along with SuSE Linux.

SNMP v3 setup

(contribution from 'immi')
To use authentication and encryption with SNMP and also restriction by access-list who can access my device.
For SNMP write I enabled only limited part of SNMP tree (.1.3.6.1.2), read is open.

1. Cisco Switch part in config mode:

snmp-server group secure v3 priv
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server user snmpusr secure v3 auth md5 cisco123 priv des56 cisco123

access-list 1 permit host x.x.x.x
access-list 1 deny any log

# then you can check
VMPSclient#sho run | incl snmp
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server location /CZ/PRG/ROOM249
snmp-server contact CallMe ext.: xxxx
VMPSclient

VMPSclient#sho snmp group
groupname: secure security model:v3 priv
readview : secure-ro writeview: secure-wr
notifyview: <no notifyview specified>
row status: active access-list: 1

VMPSclient#sho snmp user
User name: snmpusr
Engine ID: 8000000903000014A86637C0
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: secure

# two examples for check if it is working:
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 system
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 sysUpTime

2. Then modify the default SNMP values on Freenac server, it is in /usr/share/snmp/snmp.conf:
vmpssrv:~ # cat /usr/share/snmp/snmp.conf
(comments are erased)
defversion 3
defsecurityname snmpusr
defsecuritylevel authPriv
defauthtype MD5
defauthpassphrase cisco123
defprivtype DES
defprivpassphrase cisco123

To test, snmpwalk 172.16.1.1 system

3. Modify /opt/nac/etc/config.inc
(just part for port reset)
## restart_port
# $snmpwalk="/usr/bin/snmpwalk -v 1 -c public"; # SNMP Read community
# $snmpset ="/usr/bin/snmpset -v 1 -c private"; # SNMP Write community
$snmpset ="/usr/bin/snmpset"; # SNMP Write community
$snmpwalk="/usr/bin/snmpwalk"; # SNMP Read community

Cisco IOS vmps configuration

Network Switch Configuration & Tips for Cisco IOS

Initially, Switches must be configured to send a copy of syslog messages, and given the name of the vmps servers, where it can send requests for dynamic port assignment. Relevantr Cisco docs:

• http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/relea...
• http://www.ciscosystems.com/en/US/tech/tk389/tk689/technologies_tech_not...

Configuring VMPS

conf t 
no vmps server 192.168.245.41
vmps server 192.168.245.40
vmps reconfirm 120
end
show vmps

Re-authenticate all current connections

vmps reconfirm

Re-authenticate all current connections, by emptying the MAC table. Note that the previous “vmps reconfirm” will not re-allow systems that were previously denied. For that we need to clear the MAC table.

clear mac-address-table dynamic

Enable VMPS on port fa0/2:

conf t
int fa0/2
switchport access vlan dynamic

(Re-)enable static Vlan 8 on port fa0/2:

conf t
int fa0/2
switchport access vlan 8

The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10):

vmps retry 5

The switch reconfirms by default every 60 minutes, make it 2hrs :

vmps reconfirm 120

Other commands

show vmps stat
clear vmps statistics

show vlan
sh mac-address-table
sh mac-address-table | inc DYNAMIC
sh mac-address-table | inc BLOCKED

Debug the switches logic: when and how does it send queries and how does it interpret answers?

ter mon
debug vqpc all

Why to add a "clear_mac" feature?

A problem in newer IOS Cisco switches has been detected.

When an unknown
computer connects, a DENY from FreeNAC is received and the switch port
blocks access. If later the properties of the connecting device are
modified in order to allow it access the vlan, the port will remain in
the blocked stated for that device, preventing any further VMPS
requests from reaching the FreeNAC server. The amount of time the port
remains in the blocked state is variable. A port restart doesn't change
the port status, neither does disconnection of the network cable from
the switch port.

After some analysis, it has been discovered that
removing the MAC address from the switch's CAM table will remove the
blocked state and the port will work as expected. Therefore such a 'clear mac'
function has been added to FreeNAC in V3.0.3 as a complement to
port_restart

See the thread in the forum where this problem was initially discussed.

Cisco 802.1x tests

Introduction

This sections contains results from some test with 802.1x on Cisco switches and FreeRadius.

Setup on an access point on port 2/22

Lets say there is an access point on port 22, first set it to static and assign a trunk with the appropriate vlans:

set port membership 2/22 static
Port 2/22 vlan assignment set to static.
Spantree port fast start option set to default for ports 2/22.

set trunk 2/22 on
clear trunk 2/22
Port(s) 2/22 trunk mode set to auto.
Port(s) 2/22 trunk type set to dot1q.

sw0503> (enable) set trunk 2/22 11-12,15
Vlan(s) 11-12,15 already allowed on the trunk
Please use the 'clear trunk' command to remove vlans from allowed list.

Setting up 802.1x on port 0/2

logging 192.168.245.40
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.245.40 auth-port 1812 acct-port 1813 key 7 141E1C040D14
radius-server retransmit 3

# a port with static Vlans:
interface FastEthernet0/2
switchport access vlan 15
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast

# dynamic vlans: vlan is returned by the radius server
interface FastEthernet0/2
switchport access
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast

## Option: reauthenticate every two hours
dot1x timeout reauth-period 7200
dot1x reauthentication

## Other options
#dot1x default
#dot1x guest-vlan 524
#dot1x auth-fail vlan 522

##Enabling MAC-auth-bypass in switches that allow this option
#dot1x mac-auth-bypass

##Timing options specially for MAC-auth-bypass
#dot1x max-reauth-req 3 #Number of EAP requests sent to the client before trying MAC-auth-bypass
#dot1x timeout quiet-period 5 #Number of seconds to retry auth after a failed auth
#dot1x tx-period 5 #Number of seconds to wait for an answer after an EAP request has been sent to the client

##aaa authorization network default group NAC

testing

#sh dot1x

Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1

#sh dot1x interface fastEthernet 0/2

Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
Posture = N/A
ReAuthPeriod = 3600 Seconds (Locally Configured)
ReAuthAction = Reauthenticate
TimeToNextReauth = N/A
PortStatus = UNAUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3

debug dot1x ?
all All Dot1x debugging messages turned on
errors Error codes
events Events
packets Packets
registry Registries
state-machine State machine
undebug all

#debug dot1x errors
Dot1x Errors debugging is on

References

http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configur...
http://wiki.freeradius.org/Rlm_perl
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg...

Mac bypass authentication: (note not all IOS switches have this..)
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura...

Notes

Note: For FreeRadius assigning VLANs dynamically, do a users file with:
> DEFAULT Auth-Type == MS-CHAP or
> NAS-IP-Address==x.y.z.w, NAS-Port = 50001
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = VLAN_number
>
> DEFAULT Auth-Type := Reject
>
> You need to keep this file for every vlan you want to return and the
> request attributes you want to check.
> In fact, the script I have does exactly this. It outputs just those
> values at the end of the authentification process (post_auth), and
> then the switch assigns the client the vlan that VMPS has returned.
> I think it is easier than maintaining the users file by ourselves

0008.7446.2aa5

------------------------------
/opt/nac/bin/rad2vmps

$request{server_ip}='freenac'
in the post_auth function

Then modify radiusd.conf accordingly
// Radiusd.conf in the modules section add
verify_mac {
module = "/opt/nac/bin/rad2vmps"
}
//Authorize section
authorize {
verify_mac
eap
}
// Add a post-auth section
post-auth {
verify_mac
}

Setting up the nas-port attribute
-----------------------------------------
conf t
radius-server attribute nas-port format X
where X can be

a Format is type, channel or port
b Either interface(16) or isdn(16), async(16)
c Data format(bits): shelf(2), slot(4), port(5), channel(5)
d Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)

Recommended for FreeNAC: a (default)

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_...

Sending vendor specific attributes
------------------------------------------
conf t
radius-server vsa send authentication
end

Using 'ciscocmd'

Introduction

'ciscocmd' is a useful tool for remotely executing commands or querying cisco swithes. Is is briefly described here as it is useful when operating FreeNAC in a large environment.

Cisco-centric Open Source Initiative
http://sourceforge.net/projects/cosi-nms
http://cosi-nms.sourceforge.net/

This is a great tool for 'remote control' of Cisco switches. Some examples are below.

Download and extract, no compilation is needed.
These tests were done with v1.4, I installed in /opt/nac/ciscocmd-1.4.

Single switch example

Example switch is SWITCH1)
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "show vmps"
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "reconfirm vmps" -e -s MYPASS
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "ping 192.168.1.40" -e -s MYPASS

(change USER, MYPASS; and the enable password as needed..)

Several switches

# Get all CatOS switches from the FreeNAC DB (hw type 2948, store in catos.txt),
echo "select name from switch where hw like '%2948%' order by name;" | mysql opennac |egrep -v name > catos.txt

# and check their vmps status:
./ciscocmd -u USER -p MYPASS -T catos.txt -c "show vmps" | egrep "VMPS Action|VMPS Last Accessed|Last Reconfirmation|show vmps"

Bind DNS Configuration

-CONTRIBUTED TOOL-

Through the following scripts, it is possible to generate static "zone" files for bind (a.k.a. named), for a single domain.

See also the related ISC DHCP Configuration scripts.

There a separate set of scripts for manageing DNS via dynamic updates (TBD: ref)

Configuration options

The configuration options are in the freenac database and can be configured by the windows GUI 

• web_showdns (true/false) : show the dns-related fields in the web interface
• dns_domain = general domain
• dns_ns = comma separated list of name servers (no space).
  These servers must be resolvable.
• dns_mx = comma separated list of mail servers (no space).
  This is an ordered list (primary server first)
• dns_primary = primary name server where this host file will be used (used in SOA)
• dns_mail = email address for the DNS administrator (used in SOA)
• dns_outdir = directory where the zone files will be written (existing files will be overwritten without confirmation)
• dns_forwardzone = name of the generated zone file (forward).
• dns_subnet = subnet for which a reverse dns zone file will be generated

generate_dns.php

This script will generate the normal (forward) zone files from the systems table.
An 'A' record will be generated for each system and will point the 'hostname' field to the last known ip ('r_ip').

Aliases (CNAME records) will be generated from the (comma separated) 'dns_alias' field and will point to the 'A' record of the host.

generate_dns_reverse.php

This script will generate the reverse zone files from the sytems table.

For each subnet matching the '$dns_subnet' configuration option, reverse records (PTR) will be extracted from the systems table. The last known IP address wil point to the hostname.

The generated files will be named like '254.168.192.in-addr.arpa' for the 192.168.254.0 subnetwork. 

BIND DNS configuration #2

-CONTRIBUTED TOOL: ALPHA status-

Through the following scripts, it is possible to generate dynamic updates to bind (a.k.a. named), for a single domain.

There a separate set of scripts for managing DNS via static zones.

The 'ip' table contains a list of IP addresses with a reference to names in the systems table.Names are not stored in the'ip' table to avoid duplication. These means that if a hosts is to appear in DNS, but is not automatically detected by FreeNAC, it must be manualyl entered into the systems table.

| Field      | Type            | Comment
| id         | int(10) unsigned | index
| address    | int(10) unsigned | IP address, use INET_NTOA to convert
| subnet     | int(10) unsigned | Subnet adress
| status     | tinyint(4)       |
| comment    | varchar(255)     |
| system     | int(11)          | reference to an index in the systems table
| source     | varchar(32)      | ?
| dns_update | tinyint(4)       | ?
| lastupdate | timestamp        |
| lastchange | timestamp        |

So, next a query to pull an IP to name mapping:

SELECT ip.id as id, INET_NTOA(ip.address) as ip, systems.name as name, ip.dns_update as dns_update, systems.dns_alias as cname FROM ip LEFT JOIN systems ON ip.system = systems.id WHERE ip.system != 0; 

Configuration options

The configuration options are in the freenac database and can be configured by the windows GUI 

• web_showdns (true/false) : show the dns-related fields in the web interface
• ddns_server
• dns_domain = general domain
• ddns_ttl
• dns_ns = comma separated list of name servers (no space).
  These servers must be resolvable.
• dns_mx = comma separated list of mail servers (no space).
  This is an ordered list (primary server first)
• dns_primary = primary name server where this host file will be used (used in SOA)
• dns_mail = email address for the DNS administrator (used in SOA)
• dns_outdir = directory where the zone files will be written (existing files will be overwritten without confirmation)
• dns_forwardzone = name of the generated zone file (forward).
• dns_subnet = subnet for which a reverse dns zone file will be generated

generate_dns2.php

Using ip.address and systems.name from the FreeNAC 'ip' DB, generate a list of dynamic DNS updates. The DNS update commands are written to a temporary file, once the file has been written, the dns_update flag is reset for each field.

generate_dns_reverse2.php

Changelog and update notes

This document explains the changes since v2.2 RC3, and the steps to upgrade to v3.

What is new in V3.0.3?

V3.0.3 is a small pont release (SVN build 1582) gathering fixes to the stable branch since v3.0.0.

A new feature called "clear mac" has been added, which completes the port restarting mechanism. This is needed for newer IOS version where port restart does not work as expected.  See  clear_mac discussion in the technical guide.
The Windows GUI and Web GUI have been modified accordingly. Information about configuration of this new feature can be found in the Switch configuration part of the Install Guide.

Windows GUI: The source code (Delphi Pascal) been finally released under GPL, see the Windows GUI changelog.

Port_scan: A new policy and feature have been introduced which allow port scanning of systems upon connection. This enhances the quality of the inventory. An example of such a policy can be found here.

Systems Management Server: A new class has been added that will allow the integration between FreeNAC and a Microsoft SMS server.

What is new in V3.0.2?

V3.0.2 is a small point release (SVN build 1233) gathering fixes to the stable branch since v3.0.0.

New Web GUI: See README.webnew which explains the new design, and CHANGES which lists progress.

Windows GUI: several small improvements.

Backend changes:

• Many small fixes to dameons. A detailed list of changes is in doc/CHANGES.detailed
• DB changes are documented in contrib/migration_3.0_to_3.0.2/db_changes.sql
  • Clean up column defaults
  • Add switch: scan3 and vlan_id columns
  • Add several new rows to the config table.
  • Improve comments in the config table
• Layer 3 scanning of switches/routers is now controlled by the new 'scan3' field in the switches table, not the router list in the config table.
• Fixes to sample policies

What is new in V3.0.0?

A substantial change in FreeNAC v3.0 is the introduction of an OO (objected oriented) policy interface, which provides greater flexibility and encapsulation of individual decisions regarding control of end-device access to the network.

The main programs have been rewritten using OO techniques, some others have been modified to work with our framework, and some others have been added to this new release. The aim of the OO change is to have a modularized system which would be easier to debug, troubleshoot, maintain and extend in the long run.
It's now a requirement to use PHP 5 (not PHP4) - we recommend using the latest PHP version.

Here is a summary of the changes in v3.0 (since v2.2):

1. vmpsd_external has been completely rewritten. vmps_lastseen doesn't exist any more, it was written as the postconnect daemon.
2. Added the lib directory, which holds several class files that provide the framework for FreeNAC v3.0. In case you want to dig into the innards of FreeNAC, this is the place to start.
3. Creation of a policy file which allows the system administrator with light PHP skills to modify the decision process. Sample policy files are provided in /opt/nac/etc, see also the Policy chapters in the Technical Guide which describe writing, testing and trying the sample policies.
4. Emergency off scripts have been added. In case you want to quickly disable FreeNAC in your network (e.g. at 02:00 in the morning, when there is a problem on the network that is difficult to localise), you only need to run these scripts. Likewise, after disabling it, you can re-enable it (e.g. the next morning, serenely) using another script. See also the techguide chapter .
5. The Windows GUI has been improved and adapted to support the new features.
6. All the PHP scripts have now the extension '.php'. This is to allow phpDocumentor to better parse the scripts and thus get extra documentation auto magically generated.
7. SNMP functions have been added to funcs.inc.php. Thus we can perform some operations to the switches (like programming of VMPS parameters, learning ports' status, etc) from several scripts. One of those scripts is cron_restart_port.php, which besides restarting a port, it allows for programming of the switch ports from the Windows GUI. Another interesting script is ping_switch.php which tells if a switch port and the switch are up or down.
8. New interfaces for the integration of McAfee EPO anti virus and Windows update services (WSUS) have been added.
9. The Database schema has changed a little, new fields and tables have been added.
   We have added fields to store ports and switches' status and the last time that the switch/port was monitored. In the systems table, we now have an index to indicate the health of a connecting device. Some other fields have been added to express what user last used the device, the last name of that device, or even to send an email whenever that device get connected to the network. See also the DB migration script in contrib/migration_2.2_to_3.0.
10. The notion of health has been introduced. This allows quarantining of end-devices which do not meet the policy.
    Initially there is one module that uses this new health feature, using the port scan module: let's say that you know that a trojan opens the port 666 and if there is a system which is connecting to your network and its port 666 is open, you can decide what to do with it (notify, quarantine, kill it, etc).
    The policy health checking using the Wsus/Epo modules in still in beta status, example policies will be published in the coming weeks.

Installation & Configuration

See the Installation and User Guides.

Upgrading from V2.2 RC3

If you have a previous FreeNAC installation and would like to update to 3.0, here is what you have to do:

Stop previous instances of vmps, last_seen and proctst (if you are using this latter)

/etc/init.d/vmps stop
/etc/init.d/vmps_lastseen stop 
/etc/init.d/proctst stop

Checkout the latest stable release

mkdir /opt/nac3.0
svn co https://opennac.svn.sourceforget.net/svnroot/opennac/branches/3.0/ /opt/nac3.0

Then, copy over the config files or adapt the config.inc.template according to your needs.

Apply the changes to the database

cd /opt/nac3.0/contrib/migration_2.2_to_3.0/
mysql opennac < db_changes.sql

Add the extension .php to all php scripts you have in your crontab

Copy over the startup scripts

mv /etc/init.d/vmps /etc/init.d/vmps.$$
mv /etc/init.d/vmps_lastseen /etc/init.d/vmps_lastseen.$$
cp /opt/nac3.0/contrib/startup_init.d/vmps /etc/init.d/
cp /opt/nac3.0/contrib/startup_init.d/postconnect /etc/init.d/

Copy over the proctst configuration file (if you are using it)

mv /etc/proctst.conf /etc/proctst.$$
cp /opt/nac/contrib/etc/proctst.conf /etc

Activate the new directory

mv /opt/nac /opt/nac.$$
ln -s /opt/nac3.0/ nac 

And finally start the daemons and watch syslog

/etc/init.d/vmps start
/etc/init.d/postconnect start
/etc/init.d/proctst start (only if you are using it) 

All modules are configured via settings in the 'config' table. This was already the case in v2.2 RC3. If upgrading from an even earlier release (v2.1 for example), please read the relevant migration notes on config.inc. The contents of config.inc has not changed between v2.2 RC3 and V3.

Problems

As usual, any questions/remarks/queries can be posted in the forums .

See also the troubleshooting section of the user Guide, search the website, and serach the forum.

Is there are errors or omissions in this document, please login to the website and post a comment below.

Regards,

The FreeNAC Team

Internet sites/directories where FreeNAC is listed

This is an appendix to keep track of where we made submissions, and possible issues.

• Sourceforge: which houses the Subversion respository
  http://sourceforge.net/projects/opennac/
• WikiPedia (more time needs to be spend to improve article)
  http://en.wikipedia.org/wiki/FreeNAC
  http://en.wikipedia.org/wiki/VLAN_Management_Policy_Server
  http://en.wikipedia.org/wiki/VQP
• DMOZ: Open Source Direcoty project
  http://www.dmoz.org/Computers/Security/Products_and_Tools/Open_Source/
• Ohloh:
  Interesting SVN analysis, except the SQL/PHP sources/comments and timeline seem flawed.
  http://www.ohloh.net/projects/8572?p=FreeNAC
• Optaros Enterprise OpenSource Directory:
  www.eosdirectory.com
• The FreeNAC Development Forum has been added to Cisco Related Forums: (14/9/2006) http://www.bradreese.com/cisco-technical-newsgroups.htm#RELATED
• Blogs:
  • Stillsecure blog/Oct.06
    http://www.stillsecureafteralltheseyears.com/ashimmy/security_incite/ind...

ISC DHCP Configuration

-CONTRIBUTED TOOL-

The generate_dhcp.php script in the contrib section can be used to generate an configuration file for the ISC DHCP daemon.

See also the ISC Bind configuration script . 

It uses the following parameters in the configuration database (editable using the windows GUI) :

• dhcp_configfile : the file that this script will write - if it already exists, it will be overwritten without confirmation
• dhcp_defaults = the global defaults (currently : default-lease-time, max-lease-time, ddns-update-style, authoritative, use-host-decl-names

The rest of the configuration will be taken from the FreeNAC database

• Subnet and options from dhcp_options (subnet 0 = general options)
• Fixed ip addresses from systems (where dhcp_fix = 1, the assigned IP will be dhcp_ip)

The "web_showdhcp" configuration flag toggle the ability to edit the dhcp_fix and dhcp_ip field in the web interface.

RSS Feeds

If you configure the web interface of FreeNAC, you can also have a feed containing the last connections.

It is available as http://<hostname>/nac/rss.php and you can subscribe it using your favorite RSS reader.

SNMP tests performed on non Cisco switches

We have received some requests to support switches from fabricants other than Cisco, so we got our claws on some non-Cisco switches and performed some SNMP tests to see what could be done with them. The switches we tested on are an HP Procurve 2600 and a 3COM 3812 and here are the results of our experiments:

The file /opt/nac/snmp_defs.inc.php contains the OIDs we use to document switches in the system. The first tests performed were to see if we could retrieve switch's general information (description, name, location, contact, software, hardware) using the OIDs declared for this effect. With the OIDs we had we could successfully retrieve the same information, but in some cases we needed to perform some minor changes since the OIDs/functions we have are Cisco oriented and in some switches they don't apply 'as is'.

Also we found other new OIDs that could provide better results. For instance, in snmp_scan, to get the list of physical interfaces we check a certain OID that tells if an interface is physical or not, but in the 3COM switches that doesn't apply since all interfaces are marked as physical even though they are virtual. Also in snmp_scan, to get the SW and HW with the OIDs we have, we need to perform string comparisons. We found other OIDs that directly give the HW, SW and firmware versions without the need to perform string comparisons.

The restart_port script was successfully tested on all non-Cisco switches. Also, apparently we were able to assign a port to a determined vlan (port programming) but using other OIDs which are not listed in the snmp_defs.inc file. These new OIDs are still not committed to SVN, since they are still at an experimental stage.

Statistics collection (V3.0 beta)

The purpose of this module is to collect daily statistics and store them in a table.

TBD: we are in the design stage, this page is for getting feedback.

A table is to be created with three columns:

• id: autoincremented index
• Code: name of statics
• Value: a number/count
• datetime: timestamp

Entries to be generated each day:

• no. of ports, switches used
• no. of end-devices: for active, unmanaged, killed, unknown
• no. of end-devices per health: unknwown, transition, quarantine, ok, infected

Things to discuss:

• Do the above counters, also cumularive?
• What about patch, AV status? OS versions? NUm open ports (from scan module)?

Tips on working with subversion (SVN)

Make contributions

We welcome ideas and code contributions /fixes. you can make these in several ways:

1. Diffs to the forum or developer email list
2. committing code a subdirectory with your name in the contribs directory of the sources
3. changing and committing the core software.

The idea is to start with 1. and progress towards 3. For 2. and 3. you'll need a SourceForge account for subversion and to be on the developer emails list.

For two and 3, you should also create documentation of your module/contribution, for example as an appendix to the Technical guide . For that you'll need a website account, and request "content editor" rights.

The rest of this document gives some example on working with subversion.

Checking out, committing changes

Checkout a working copy:
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/trunk
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/branches/3.0

Check for changes:
svn update contrib bin etc doc
svn help update

Make changes:
svn add <filename|directory>
svn delete <filename|directory>
svn copy <filename|directory>
svn move <filename|directory>
svn help [ add | delete | copy | move ]

Examine your changes:
svn status doc bin etc contrib
svn status <filename|directory>
svn diff
svn diff > <patchfile>
svn revert <filename>
svn help [ blame | status | diff | revert ]
svn [ blame | praise ]

Commit your changes:
svn commit --username YOUR_SF_USER –m "your message" contrib
svn commit --username YOUR_SF_USER –m "your message" doc
svn commit --username YOUR_SF_USER –m "your message" bin
svn commit --username YOUR_SF_USER –m "your message" etc
svn help commit

Subversion client settings

For servers behind a proxy, edit ~/.subversion/servers and set
the proxy values:
[groups]
group1 = *svn.sourceforge.net
[group1]
http-proxy-host = proxy1.MYDOMAIN.COM
http-proxy-port = 80

Limit what files are checking into SVN, edit ~/.subversion/config
[miscellany]
global-ignores = *.o *.lo *.la #*# .*.rej *.rej .*~ *~ .#* .DS_Store *,v RCS config.inc
Specifically, we don't want RCS files, or the productive config.inc
(with passwords) checked in

Merging a branch back to trunk

cd /trunk
svn update

Find the revision where the branch was created
svn log --verbose --stop-on-copy https://opennac.svn.sourceforge.net/svnroot/opennac/branches/2.2
For this example, branch 2.2 was created in revision 548

svn merge -r 548:HEAD https://opennac.svn.sourceforge.net/svnroot/opennac/branches/2.2

svn commit -m "Back to trunk"

Ubuntu Package

Synopsis

This section covers the creation and usage of the freenac ubuntu package. The package is still in an early state and mainly tries to ease installation of all required packages. Configuration of freenac is not yet included.

The package creation is still carried out all by hand. None of the debian provided tools were used so far.

Install the package

First all the dependencies of the freenac package must be installed. Since the package is a simple deb and not embedded in a repository, dependency handling can not be done by apt. Hence the dependency list must be extracted from the deb and feeded to apt manually.

$ dpkg -f freenac_....deb depends | sed -e 's/,//g' | xargs sudo apt-get -qq install

Now the freenac package can be installed.

$ sudo dpkg -i freenac_....deb

Extract a Package

To obtain all data (files to be installed as well as control files) from a package without installing it, proceed as follows.

To extract the files which would be installed,

$ dpkg-deb -x freenac_....deb dir-to-extract/

To extract the control files,

$ dpkg-deb -e freenac_....deb dit-to-extract/

To obtain the proper layout from which the package can be recreated again do the following. It's assumed that you created an empty directory freenac where everything will be extracted to.

$ dpkg-deb -x freenac_....deb freenac/

$ dpkg-deb -e freenac_....deb freenac/DEBIAN

Create a Package

To create the freenac package, proceed as follows.

• Start with an empty directory, e.g. freenac/
• Create two subdirectories, DEBIAN/ and opt/
• Check out the freenac version to package from subversion

$ svn co https://opennac.svn.sourceforge.net/svnroot/opennac/... freenac/opt/nac2.2/

• Create the necessary files in freenac/DEBIAN (see next section)

• Create the package

$ dpkg-deb -b freenac/ ./

The Files in DEBIAN/

The following files should be inside the DEBIAN directory.

• changelog
  Contains a high level changelog for this package
• control
  Specifies the package name, version, architecture, dependencies and a short description about this package.
• copyright
  License issues
• rules

For an example of what these files should contain, have a look at the contrib/package_files directory.

Vendor comparison

To do: lets compare products fairly... this probably need to be combined into MAC-based and 802.1x based products, and concentrate only on the key competitors, and differentiate between open source and commercial?

OpenVMPS limitations

OpenVMPS works on a file basis, has no database, GUI, and is very intolant of errors on the configuration. FreeNAC is in fact an effort to make OpenVMPS enterprise-ready..

Problems With Cisco “VMPS” and “MAC Port” Authentication.

If you use the VMPS server on old catalysts already for limiting LAN access, what are the limitations?

• Lack of management features
• Monitoring
• Alerting
• Ease of use
• GUI
• User & device DB integration
• Lack of support from Cisco

Cisco NAC

TBD

Microsoft NAP

TBD

Juniper

TBD

What does FreeNAC *not* do?

• Layer 3 access control (for example offerning an automated web page with logon, but allowing layer 2 access with an IP address via DHCP..)
• VPN or firewall access control
• Remediation / quarantine vlans (planned)
• MAC authentication on non-cisco switches

Vlan attribution: for single-vlan switches, not by end-device

Background

FreeNAC attributes Vlans depending on a vlan value stored for that device.

There is also the "Vlan exception " feature, which allows the vlan attributed to be changed depending on the switch location. (See also the method Ports->getPortDefaultVlan() ). However if there are many "exceptions", i.e. many switches which do not have all Vlans, or vlan with different names, it can be difficult to manage.

Aim

There are sites who just need to attribute two vlans, allowed or denied. In this case, it is overkill to have a vlan per end-device, it would be simpler to just attribute a vlan per switch.

Lets say there is a Vlan "Internal" on all switches, but with different numbers. There is also a vlan "Guest".

• The idea is to allow all known end-device (state=active) automaticallyonto "Internal", and unknowns onto "Guest".
• So set the global default vlan to be "Guest".
• In the policy file, write a policy that says:
  a) if device=active set vlan=getSwitchVlan
  b) if device=unknown set vlan=Gllobal default

Implementation

Thats the concept. For the implementation a vlan_id field has been added to the V3.0 DB schema. The Windows GUI (build 164) can modify that column.  A method getSwitchVlan has been added to the sample policies in V3.0.1.

[sb, 22nd Dec'07]

VlanByLocation attribution: 'switch exceptions' feature

Introduction

The VLAN exception option (based on the vlanswitch table) is a feature allowing location dependant VLANs i.e. when VLAN naming is not consistent across switches, or not all VLANs are available on all switches.

Example: lets say there is an OfficeLAN and PrinterLAN in the main vlan table, but on switch 'sw101', there is only one LAN called 'LAN1'. This feature allows us to map the OfficeLAN and PrinterLAN on switch sw101, to the LAN1.

See also the Windows GUI user guide .

How does it work?

Well lets start by examining the SQL table:

mysql> describe vlanswitch;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| vid       | int(11)      | NO   | MUL |         |       |
| swid      | int(11)      | NO   | MUL |         |       |
| vlan_id   | int(11)      | NO   |     |         |       |
| vlan_name | varchar(100) | NO   |     |         |       | 

• The swid field is a lookup/index into the switch table, and tells us to which switch the vlan exception is relevant.
• The vid field is a lookup/index into the vlan table, and is the vlan that was attributed so far, i.e. usually the valn stored in the systems table for the end-device being authenticated.
• The vlan_name is a text field containing the name of the VLAN to be assigned to end-devices that connect to this switch. So it is a valid vlan name on the switch swid.
• vlan_id is the vlan number corresponding to lan_name, but it is not used. It is only for documentation purposes.

Going back to the example, lets say there is an OfficeLAN and PrinterLAN in the main vlan table, but on switch 'sw101', there is only one LAN called 'LAN1'. So both vlans need to be mapped to that.

First, create two entries in the VLAN exception table, using the Windows GUI:

sw101 OfficeLAN LAN1  
sw101 PrinterLAN LAN1

In the table there would be entries like the following, assuming that swid=10 indexes to sw101, vid=100 indexes to OfficeLAN, and vid=101 to PrinterLAN:

swid=10, vid=100, vlan_name=LAN1
swid=10, vid=101, vlan_name=LAN1 

If Ports.vlanBySwitchLocation() is called in the policy, and lan_by_switch_location is enabled in the config table, we then query vlanswitch table to find the appropriate vlan_name.

• We know the switch IP address, so lookup its index (swid)
• For the end-device connecting, look up its assigned vlan index (vid)
• now query vlanswitch to see if there is a row with swid and vid as above, if yes return vlan_name (the text name of the vlan to be sent back to the switch).

Issues

If there are many swicthes and vlans, then the number of rows in the vlanswitch table with le large and difficult to manage.

If there are several small/remote office with only one vlan (for example) and several main building with (say) 30 vlans, then an exception needs to be created for each vlan on each switch, which is alot. One solution for those simple 'one vlan' switches is the new proposed feature 'Vlan attribution by Switch, not by end-device '.

Comments/ideas are welcome.

VMPS Tests Conducted

1. Two hosts (Mac address/Vlan pairs) were configured as being allowed in the VMPS database. When either of the allowed hosts were plugged into the switch, a VMPS request was generated and the server replies allowing the connection. No log messages are generated by the Switch.

2. Unplugging a PC causes no VMPS activity.

3. If a PC is connected with a MAC address that is not allowed, the switch logs an error and refuses access to the network:
DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1
Optionally, the server can tell the switch to shutdown the port, in which case it must be manually enabled again (this “secure” mode is perhaps useful for switches in physically exposed places).

4. If the primary VMPS does not reply, the switch retries with the secondary.

5. The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10), on CatOS:
set vmps server retry XX, on IOS vmps retry XX

6. Reconfirmation:

The switch reconfirms (by default every 60 minutes, Cat OS: set vmps server reconfirminterval XX, IOS in ‘con t’ mode: vmps reconfirm XX) if the port is authorised.

If a host was previously enabled and the VMPS server was updated to disable this host, then this will be noticed by the switch on the next reconfirmation interval. On reconfirmation it blocks the ports and logs an appropriate message: "DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1"

If the primary and secondary are not available, the switch logs an error, but does not disconnect the PC/port (this is important to prevent cascaded network failures): "DVLAN-2-MACNOTRECONFIRMED:Mac [00-03-ba-27-54-9b] is not reconfirmed"

If the switch cannot contact a VMPS server, show vmps (IOS: sho vmps stat) displays No Host but does not log a message. The time of the last reconfirmation and the IP address of the server accessed.
VMPS Action: No Host
VMPS Last Accessed: 192.168.245.19
Last Reconfirmation: Fri Sep 10 2004, 08:30:02

Reconfirmation can be manually activated on the switch (Cat OS): reconfirm vmps (IOS: vmps reconfirm on IOS). During the confirmation show vmps shows a status or “In Progress” and then “Success” with the timestamp of the last reconfirmation updated.

To clear vmps statistics (IOS): clear vmps status

7. If two PCs define their MAC address to the same value then the switch authenticates on each packet, thus some packets are allowed from each PC. This would cause disruption to both PCs. It is not noted as an error by the switch, but can be detected by analysing the logs for frequent authentication of a specific MAC address within a short period of time.

8. If two PCs are connected to a hub (or unmanaged switch), which is connected to one (vmps) Switch port, then:
• If both PCs are authorised on the same VLAN they can both communicate.
• If only one is authorised, the traffic from the second is blocked. The authorised PC continues to work fine.
• If both are authorised, but in different VLANs, the switch changes the port constantly between the two VLAN, causing havoc, some packets pass from each machine. No errors are logged by the switch or VMPS server, since the authentications are successful. To detect this scenario, a monitoring would have to detect a VMPS “authentication storm” from one port and notify the network administrator.

9. If a PC is disabled in the VMPS database, and VMPS is restarted, there is no immediate effect. The PC continues to have access until the cable is added/removed or, the next VMPS reconfirmation (every 60 minutes).

10. If a PC’s MAC is added to the VMPS database, and VMPS is restarted, there is no immediate effect. The PC continues to be forced to the defaultvlan until the cable is added/removed or, the next VMPS reconfirmation (every 60 minutes).

Other findings

Several “VMWARE” virtual machines were running on the network, each looking like a real PC, with its own address. This usage is not really a risk; it allows tests to be conducted on virtual machines, but does confuse network management.

Some laptops have a docking station, which has a MAC different address from the built in Laptop MAC address.

Several users were used Wireless rather than Fixed Lan.

User acceptance was high (all problems were solved quickly).

A change/authorisation/expiry process needs to be developed/written and adhered to. What happens when a user leaves and a new user come, taking over an already authorised PC?

There is no noticeable delay when using the network.

If a user is refused access, and then added to the VMPS DB to allow access, he must either wait one hour, or re-authenticate. To ere-authenticate, there are several options
• disable and re-enable the network connection in the connections control panel (this is the quickest method)
• unplug/plug in his network cable, it takes some time for windows to realize it is on another network
• click on the network icon -> support -> "repair": it first tries to release its old address, but can't as the DHCP server is not here anymore, this may take 5 minutes

WSUS Integration

WSUS - Integration

Abstract

The Windwos Server Update Services

FreeNAC programming conventions

Program file headers:

/**
 * filename.php
 *
 * Long description for file:
 * Some words about the functionality the file provides, it's dependencies and so on
 *
 * PHP version 5
 *
 * LICENSE: This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
 * by the Free Software Foundation.
 *
 * @package                 FreeNAC
 * @author                    XX (FreeNAC Core Team)
 * @copyright                2007 FreeNAC
 * @license                   http://www.gnu.org/copyleft/gpl.html   GNU Public License Version 2
 * @version                   SVN: $Id$
 * @link                        http://freenac.net
 *
 */

Other coding conventions:

• use two spaces when indenting
• comment your code
• always use version control, preferable SVN
• style: do not mix styles in the same source file, follow the style of the original author
• use PHP documentor tags in headers and comments

Pending issues: Virtual machine

The latest release of the VM (3.02) has Ubuntu 8.04 (Hardy Heron) as its base OS.

The FreeRadius package provided for this version of Ubuntu is still broken when using perl, so this VM has FreeRadius and perl compiled from the sources, this way it is possible to use the rad2vmps module to provide for 802.1x authentication in conjuntion with FreeNAC.

Other issues to have in mind:

• flap_detect is running every 4 minutes. Maybe set it to run every 20 minutes?

Have you found any more issues? Please report them in the forums or post a comment to this page.

Pending issues: Web GUI

Introduction

This page is used as a sort of bug tracking
system for known issues, next fixes, what is done etc. to the new WebGUI to be released with v3.0.2 (9.May'08: to be released in the next week). The new version is a complete re-write, see README.webnew for a description and CHANGES for progess.

If you want to have something moved up to priority, or submit a new entry, please use the Support forum, or better, post comments below.

Issues: priority

• Log out does not do an apache logout (move to Zend framework for authentication & session mgt?)
• Ports down/up: Show interface status: Can we show disabled or error disbled, Not connected? (different SNMP OID)
• GuiList1:
  sort/search fields not being remembered?
• Need an Advanced search page (search through all fields with drop downlists, or accross multiple fields)
• More Cross-site scripting /security analysis

Issues: others

1. Edit device: show last change user/date
2. GuiList1 grid: add up/down arrow/icon for sorting
3. logtail exclude pattern in config table
4. option to scan a switch after adding it
5. Enable an snmp-scan of all switches
6. When deleting, do a cascaded delete
7. EditDevice_more.inc.php move to mysqli, review
9. Only one AD server can be configured for Domain WebGUI logon?
10. Add & update device: no validation checking i.e. for a properly formed MAC address (there is security validation/cleaning though).
11. CSS:
    • Are we using consistent class names everywhere?
    • increase font size in the logtail screens
    • make a nice header, do we still need the links?
12. exceptions.inc: review integrate with /lib/exceptions.inc
13. webfuncs.inc: remove unneeded stuff
14. throw (more) exceptions where possible
15. logtail:
    // TBD: catch error if file cannot be read, or non existant.
    // TBD: test if ad_auth=false
    throw exception
16. Allow Administrators to edit config tables
17. phpinfo:
    non standard header/footer, how we will we handle updates?
18. footer: What else to add?
19. index.php: File does not exist: /opt/nac/web/favicon.ico
20. Sql auth (login/logout.php, GuiUserManager)
21. Drupal auth
22. ADGROUP auth
    we need to define the groups who'll be using each of these interfaces. In MySQL, you modify the table guirights to define the rights associated to each group. To declare a group, you use its full DN. For example:
    update guirights set ad_group='CN=FreeNAC_write,DC=domain,DC=com' where code=99;
    update guirights set ad_group='CN=FreeNAC_read,DC=domain,DC=com' where code=1;
23. Multiple languages
24. Switch to a PHP framework such as Zend, Symfony or php-cake?
25. Demo WebGUI: graphs not working (HO)
26. Dot in Edit end device
27. config $auth mode from the config table, not from web1.config.inc

Done (issues fixed, for references purposes)

- Aside from these notes, see the svn (subversion) changelog in the v3 branch, CHANGES in the web directory and README.webnew.

1. View Guilog and serverlog tables
2. Show vlan and other config tables.
3. Add graph GUI's: make the OO oriented
4. GuiEditDevice
   • On update/delete, insert into guilog
   • Add more under 'Admin information'
5. Left align fields?
6. If there is no 'action', hide that column
7. Test that all functions in the old GUI also working in the new one

Add MAC Vendor column to unknowns.php

I can only delete a record (using the "delete" option to the left) if I
first "edit" a record. It can be any record in any query. If the first
thing I try to do is delete a record I get "Invalid Argument".

"/etc/logrotate.d/syslog-ng" not setting permissions correctly
ls -al /var/log/messages
-rw-r----- 1 root adm 24550093 2008-02-26 06:53 /var/log/messages
(ADapt the syslog-ng config file, or set a cron entry after log rotation: 'chgrp freenac /var/log/messages /var/log/debug').

See also the forum thread http://freenac.net/phpBB2/viewtopic.php?p=1348

Fix used id=2 Edit device: restart port option

Port comment containing "<>" are stipped and not visible in the WebGUI

Security: escaping of output.

Add helpdesk role. 

Pending issues: Windows interface

Introduction

This page is used as a sort of bug tracking system for known issues, next fixes, what is done etc. to the Windows FreeNAC GUI. It tracks changes since V3.0. Bugzilla is not used because its consider slow and clunky. We may use a trac later, but for now...

If you want to have something moved up to priority, or submit a new entry, please use the Support forum, or the comments below.

Issues: priority

• None

Issues: others

1. Lookups: don't allow location 1 (default) to be changed
2. Overview: Right click *several* rows to set status or vlan.
3. if you add a new vlan to the windows gui, you need to close the gui and restart it in order for the vlan to show up under the "edit devices" section
   http://freenac.net/phpBB2/viewtopic.php?t=258
4. New Wsus tab: list systems & expand to list of patches. Right click to edit end device.
5. Edit:
   • user lookups: need to post for details to appear.
   • User drop down list only shows Username
   • vlan colour by lookup, not just INO
6. Admin: Add snmp scan-now button?
7. Config: tick boxes to enable modules
8. Vlans: Allow colour to be changed in GUI?
9. Edit cabletype table
10. Users: Add search or lookup. Sync with user for this device from the edit tab
11. Ports:
    • Ports page sometime slow to load
    • copy/move popup from ports to switches, ports -> pop patch
    • right click to get patch details, or add office & users
    • right click to delete several selected ports?
    • you can change switch name & port name (even though these are normally documented automatically), which allows for a manipulation error. We need to be able to change these fields to insert new ports though.
12. Switches
    • The 'shutdown' field in the sub-port list is not displaying correctly. (An analysis of the configuration of the grid element has not explained why).
13. Reporting:
    • OS versions, end-device security.
    • autosize columns, they are too big.
    • New statistics window?
    • Create reporting directory with some standard layouts?
14. Patchcable: show etage01
15. Performance:
    • Unknowns don't appear fast enough in the GUI?
    • Load the 'Computer users in office' query on startup, only once, and save in memory?
    • What else can be done to improve speed?
16. Delphi: clean-up & publish sources? We need several, proprietary libraries anyway (MyDac, cxgrid), so will GPL'ing it help much?
17. The ChangeDate field in the systems table is a string instead of a datetime field.

Done

See the CHANGELOG file in the repository directory where vmps.exe and vmps.xml are stored, e.g.

http://opennac.svn.sourceforge.net/viewvc/opennac/branches/3.0/WindowsGUI/CHANGELOG.txt?view=markup

__

TNC notes

To do: start off by providing links to the currect relevant FreeNAC docs, and to the Uni Hannover papers, current diagrams and brainstorm ideas we documented...

TCG:
https://www.trustedcomputinggroup.org/groups/network/

Hannover:

http://www.inform.fh-hannover.de/de/forschung/forschungsprojekte/tnc/

Microsft links: (where are the API definitions etc.??

http://www.microsoft.com/presspass/press/2007/may07/05-21NAPTNCPR.mspx

https://www.trustedcomputinggroup.org/news/Industry_Data/TNC_NAP_white_p...

Diverse notes & Frequently asked questions

Notes

This section contains diverse notes & links. Its a good place to paste summaries of Forum discussions for example.

Wake on LAN (WoL)

Some users have used WoL, (see http://freenac.net/phpBB2/viewtopic.php?t=78& ) but a request to Cisco explained the following.

WoL and Dynamic VLANs are not compatible because when the PC is shut down, the NIC will be powered down for a split second. This causes the switch to detect the link-down event and to un-assign the port. When the NIC comes back online, the port does not belong to any VLAN and since no frames are received by the port, it would never initiate VMPS queries or forward broadcast/multicast to the device connected to it.

You can verify this on the logs of the switch, you connect a computer to one port of the switch, shut down the computer and you will see a log on the switch that show that the port went down and then back up, make sure you to enable the link-status log on the interface for the switch to show when it goes up/down, the command to enable it is ?logging event link-status? and it is apply on the interface configuration.

Unmanaged systems on dynamic ports?

Through the use of snmp_scan.php we can document the systems which are on a switch and how the port has been configured (static, dynamic, trunk). If a device is on a static port, snmp_scan will document it as an unmanaged system. This system is supposed to always use the same port and therefore the same vlan.

But what happens when we move an unmanaged system to a dynamic port?

When such a case arises, the device is not connected to the network. In the FreeNAC server we don't see any requests coming when we plug the unmanaged device into the dynamic port. On the switch we see that the port goes down and up, but it doesn't generate a VMPS request. So far we can say that "Nothing happens" which is odd, but it is what we've gotten. More tests need to be carried out.

These tests were carried out using a Cisco Catalyst 2940 switch and a Linux machine.

Store user information in VTP domain?

Another experimental feature which we are not going to implement is the following:

When we have FreeRadius using the rad2vmps script, we wanted to know if it was possible to somehow pass user information contained in a RADIUS request to the FreeNAC database, using the field "VTP domain" which is part of any VMPS request.

In tests performed, we were able to get the username from the VTP domain, but we wanted to gather more information, such as:

• Username
• Domain
• Radius port
• Authentication mechanism
• Commentary

Since the VTP domain only has space to hold 33 characters, this solution is neither practical, nor elegant, nor adequate.