Enterprise architecture: example

Introduction

The following is an example of integrating 'FreeNAC enterprise' into a live environment.

NAC Modules

This section defines what modules are planned for this installation. Note that modules can always be enabled at a future date; there is no additional license fee.
Enterprise modules planned for this installation (example):
1. MAC Address authentication
2. Windows GUI
3. Web Interface
4. Active Directory querying of user details, to be able to associate users with end devices.
5. Automatic detection and inventory of end-devices not actively managed by NAC, to ensure a complete inventory of End-Devices on the network
6. Scanning of open ports and identification of the Operating System on End Devices
7. Emergency ‘stop’ tool which can disable NAC and quickly configure static Vlans on switch ports (for disaster recovery in extreme situations)

Enterprise modules not planned for this installation:
8. 802.1x User Authentication
9. McAfee Epo Anti-Virus server queries
10. Microsoft SMS (Software package/system management) server queries
11. Microsoft WSUS (Windows Update) server queries.

Custom Modules

Are any Custom Modules planned? NAC is designed to allow open interfaces, however such interfaces need to be specified in detail and are subject to additional development/installation charge.

Example: A “static inventory program” already exists at the customer called XXXX. A read-only interface is to be created from NAC to this system that allows:
- NAC to query device ownership and display it in the GUI
- The Static inventory systems to query device location, IP address, Operating system, depending on Name or MAC-Address. An SQL view with appropriate field for a specific user/password is to be created.

Concept

Describe the aim of the installation, e.g.
1. Recognise all end devices that connect to the network and request their identification based on their MAC address. The switch access port configuration will be set to dynamic, and the NAC system will:
o Listen to incoming request from switches
o Send email alerts if new end devices are detected
o Dynamically Assign a Virtual LAN (Vlan) to the access ports of the following switches, based on the MAC address of end devices: (list the switch names)
2. VLAN assignment will be based on a MAC Address. The assigned VLAN will be as follows (define key vlan names & assignments, example):
o Normal access VLAN for Corporate End-User PCs
o Guest VLAN for visitors. This VLAN will have limited network access. Or all ‘unknowns’ to be denied?
o Ad-hoc VLAN for specific devices (printers, …)
3. Is 802.1x authentication of Users required?
If so in what domain, for which switches and ports? What is the expected use-case?
i.e. 802.1x is expected to be used with Windows XP, with user logon to the domain, and vlan assignment based on the MAC address of the end device.
4. End-devices will be documented in the NAC database,
o Through initial import?
o Through dynamic discovery upon connection of new devices
o Regularly scan the switches & routers using SNMP to discover non-managed devices?
o Information to be automatically documented per device (example): MAC address, IP address, Hostname, Operating System, open ports, Anti-Virus status, Windows patch status.
o Information to be automatically documented per device (example): Assigned Username

Requirements

This sections outlines information, connectivity and hardware that is to be provided by the customer.
Network Information
Network data that is required for NAC:
1. Switches, including their IP Address, SNMP Read-only & Read-write communities
2. A list of switch ports to be configured to use NAC.
3. Core routers, including their IP Address, SNMP Read-only community
4. VLANs, including their ID and Name as reported by the switches "show vlan" command
5. A network diagram showing vlans, switches, routers.
6. DNS server names, IP addresses and the domain name.
7. The proposed IP configuration of the NAC servers: IP address, net mask, default gateway, DNS name.
8. Email server name/IP, for the delivery of email alerts.
9. What email address, per switch, are alerts to be sent to?
10. Which Active Directory user group (exact names please) are to be allowed GUI access:

• Read-only
• Super-user
• Administrator.

Optional network data that would be useful: Cabling documentation: which switch/port leads to which office/user/PC.

Server Hardware / OS
1. How many servers are to be installed, where?
2. PC server hardware is to be supplied by the customer, or by Swisscom?
3. What is the HW specification of the servers?
4. Operating system to be installed is Suse Version 10 (Enterprise, or OpenSuse), or something else?
5. Who installs the OS?
o Swisscom
o The customer? Swisscom does not install the operating system, but maintains the NAC system and associated Linux services (Apache, MySQL, ..) on these servers.

Network Connectivity
For the deployment of NAC, the following information is required:
1. Switches :
o Switches must be able to send VMPS requests and receive answers (port 1589 udp) to the NAC master and slave servers.
o Management interface must be accessible using SNMP (udp port 161) and optionally telnet (port 23 tcp) or SSH (port 22 tcp) for the Disaster Recovery scripts from the NAC master.
2. Depending on the NAC modules requested by the customer (see 2.2), specific backend systems must allow access from NAC, for example:

o The McAfee ePO database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o The WSUS database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o The MS-SMS database (name, I.P. address, username and password) needs to answer Read-only MS-SQL queries from NAC.
o Static Inventory modules, if requested, require a dedicated interface.
o MS Active Directory (needed for 802.1x and user details syncing from Active Directory) requires the domain name and domain controller names. For details syncing, a username, password with AD rights and one or more DN (Distinguished Names) to synchronise are needed.
o The Windows GUI must be able to connect to port 3306 (mysql) on the NAC master server.
o To access the Web GUI, access is required to port 80 and 443 on the NAC master server.

3. Routers: Management interface must be accessible using SNMP from the NAC master
4. General

o DNS servers: should answer DNS requests (udp port 53)
o Email servers must accept emails from the NAC server (port 25).

5. Remote Access for Swisscom (Gold) support:
o During installation, and for updates later, the NAC servers will need HTTP/FTP access to internet (direct or via a proxy).
o SSH, IPsec or SSL VPN access from Swisscom Innovations to the server(s) for maintenance and support

Initial Data import
During an ‘initialisation period’, NAC can be configured to automatically allow all devices to a default Vlan and automatically document the MAC address, IP address and DNS name of devices found (and the switch/port).

If the customer has an exact inventory of machines, this can be imported into NAC. The data provided to Swisscom to initiate the setup must include:
• MAC Address: format is 0010.C61F.8DBF or 00:10:C6:1F:8D:BF (case insensitive)
• Hostname
• VLAN : This can be any descriptor (Lab XXX, Company Name, Network acronym, …)

It may also, ideally, contain
• Username
• Operating system, incl. patch level
• Classification (e.g. Server, Workstation, Printer)
• A static Inventory number
• A comment

The format is comma-separated value (CSV) text file.

Hubs and unmanaged switches
If more LAN access cables are needed in specific rooms, two alternatives to hubs exists:
• Pull more cables between the room and the existing switch
• Add a small managed switch in the room: the Cisco 2940-8TT is recommended as it is a smaller, fanless (noiseless) version of the Cisco 2950 switch.

However, NAC also offers optional support for hubs and unmanaged switches.
Are hubs or unmanaged switches to be used? If yes, please indicate and be aware of the limitations noted below

1. If multiple systems belonging to VLAN with the same security level use the same hub, they will be allowed access.
2. If systems belonging to VLAN with different security levels, the access will be blocked for the most recent or least numerous group.

Typically, the hub will be connected to an Internal Vlan if all connected systems belongs to the Customer, or a Guest VLAN if all connected computers are visitors. If there is a mix of Customer and visitor devices, there will be no access at all.

Database Architecture V3.0

Database schema: version 3.0 (see diagram).

The schema has changed a little bit since v2.2. We have added fields to store ports and switches' status, and the last time that the switch/port was monitored. In the systems table, we now have an index to indicate the health of a connecting device. Some other fields have been added to express what user last used the device, the last name of that device, or even to send an email whenever that device get connected to the network.

See also the DB migration script in contrib/migration_2.2_to_3.0.

For those who are interested, we have made these diagrams with a nice tool, Case Studio, now named Toad Data Modeler. They have a free version too. Here's the link to the Case Studio file.

Database Architecture V2.2

Database schema: version 2.2 (see diagram) This schema is much more improved in comparison to the one found in the version 2.1. It is now completely normalised, which helps a lot for future gui and extensions of the system.

For those who are interested, we have made these diagrams with a nice tool, Case Studio, now named Toad Data Modeler. They have a free version too. Here's the link to the Case Studio file.

Database architecture v2.1

For references purposes, the older v2.1 schema is as follows.

Server overview

Overview

vmpsd_external

This is an "external" program called by the original OpenVMPS daemon "vmpsd". This program decides what to do, in real time, when access is requested by a switch for a MAC address. Since it operates in 'real time', performance is important; so some jobs such as documenting what was last seen, where, or recognising PCs from external databases, is done in the vmps_lastseen script (which is asynchronous).

• If the MAC is active in the DB authorise it, and,
• Port check: If the MAC is active on a port where another system has been active within the last hour, try to use the Vlan last seen on the port, not the normal Vlan assigned to this system.
  This is to detect hubs and prevent 'flapping'. This feature is only allowed if the Vlan on the port and assigned to the MAC are in the same Vlan group (otherwise the new MAC is denied).
• Otherwise, if the MAC is unknown
  • check to see if a 'port default vlan' has been configured for that port and use it
  • else use the default vlan (which might be simply '0' meaning DENY)
  • and, do a ?port check? as noted above (check for active port/hub & vlan group).
• Log decisions to syslog, and key events to DB (visible in the GUI).

postconnect (vmps_lastseen v2.x)

Parse the syslog logs for 'vmpsd' entries and implement the postconnect policy, for example:

• Update the 'last seen' fields for the relevant Mac, if the system is known
• Or add a new entry with status 'inactive', if none yet exists in the systems table
• And add new switches to the switch table and new ports to the port table.
• And if the MAC found is registered in a Microsoft-SMS system (enterprise feature only), it is automatically added to a pre-defined vlan, a 'port check' done, authorised and the port restarted.

Performance measurement

A way to test performance, is to use vqpcli.pl to sent man requests.

set $count to 200 in ./vqpcli.pl

The adapt the IP addresses, VTP domain, and port name in the following example:

./vqpcli.pl -s 192.168.245.40 -v ctcs -w 192.168.245.71 -i '2/22' -m '0000.0000.9999' -c sec230

cron_restart_port.php

As of FreeNAC v3.0 we have modified the cron_restart_port.php to make it more functional.

In previous versions of FreeNAC, cron_restart_port was a wrapper around the restart_port script. This has changed now in this new version. Even though we still provide a restart_port.php script, we now don't fork a syscall for this script. Instead, we use SNMP functions to achieve the same results from inside the same script, saving thus both time and resources.

In the event that you want to experiment with the restart_port.php script from the command line, you should run it as follows:

restart_port.php port switch

where port is the port name, and switch is the switch's name or ip address. This script only supports one switch port at the time. To act upon more than one switch port at the same time, you have the cron_restart_port.php script at your disposal.

What this script does, is to go through the list of ports in the FreeNAC database whose restart_now flag equals 1. Obviously to interact with this script you need to do it through the Windows GUI. From the windows GUI you can choose not only to restart the port(s), but also to program them as static and assign a vlan to them, or as dynamic or even shut down the ports.

Everytime this script is run, it generates a PID file, thus ensuring that only one instance of the script will run at all times.

To restart a port, you should tick the restart box in the Windows GUI

In syslog you should get the following messages:

Oct 31 10:35:02 vmps1 cron_restart_port.php[3592]: Port Fa0/1 successfully restarted on switch 192.168.1.1(swdemo) 

To shutdown a port, you should tick the shutdown box in the Windows GUI

In syslog you should get the following messages:

Oct 31 10:38:01 vmps1 cron_restart_port.php[3655]: Port Fa0/1 on switch 192.168.1.1(swdemo) was successfully shutdown 

To program a port as static, you should select 'static' from the drop down list and also the vlan you want to assign to this port. In this example, we are assigning the 'default' vlan.

In syslog you should get the following messages:

Oct 31 10:39:02 vmps1 cron_restart_port.php[3665]: Port Fa0/1 on switch 192.168.1.1 successfully set to static with vlan default 

To program the port as dynamic, you should select 'dynamic' from the drop down list.

In syslog you should get the following messages:

Oct 31 10:41:01 vmps1 cron_restart_port.php[3725]: Port Fa0/1 on switch 192.168.1.1 successfully set to dynamic. 

Bugs and comments, please discuss them in the forums.

ping_switch.php

As of FreeNAC v3.0 we introduced the ping_switch.php script. The purpose of this script is to determine the status of the switch ports which are part of a FreeNAC system.

The status of a port is determined via SNMP, retrieving the IfAdminStatus object (OID: 1.3.6.1.2.1.2.2.1.7) from the switch. The states defined for this object are as follows:

1. up
2. down
3. testing

The testing state indicates that no operational packages can be passed.

Since this script makes extensive use of SNMP, make sure you adjust your SNMP communities in the etc/config.inc file.

ping_switch.php takes the list of switches to query from the FreeNAC database whose scan flag is set to 1. Then it performs two SNMP queries per switch in order to know if a port is up. The first query retrieves the list of ports available on the switch, and the second one retrieves their current status. Then, such a status is stored in the database to be later seen through the Windows GUI.

Also, the list of switches to query can be fed to ping_switch.php through the command line. To ping certain switches (assuming those switches exist in the FreeNAC database) do the following:

ping_switch.php switch1 switch2 ... 

Where switchN can be the switch's name (as defined in the FreeNAC database) or the switch's IP.

The optional switches for ping_switch.php are the following:

OPTIONS:
        -h              Display this help screen
        -s              Supress messages to standard output and redirect them to syslog
        -d              Activate debugging 

Timing measurements in tests conducted showed that for small switches (8 ports) it takes about one second to retrieve ports' status and in large switches (48 ports) it took aproximately 5 seconds.

This script can also be run from crontab. You should adapt the frequency to run this script taking into account how loaded your network is. The following crontab entry is an example, which runs this script every 10 minutes:

*/10 * * * *    /opt/nac/bin/ping_switch.php -s

Bugs and comments, please discuss them in the forums .

port_scan

Description:

This module is provided in order to give network administrators further knowledge about the systems that are part of their network, providing information about changes that computers connected to the network have suffered.

How does it work?

It grabs some allowed IPs from the OpenNAC database (more precisely from the systems table), and passes them to nmap, which is going to perform a scan. The results of this scan are saved to an XML file which is then parsed and these results are used to populate some tables which form part of the OpenNAC inventory system. The module logs to syslog if there are discrepancies between the current scan and information stored in the database. If there are differences it logs what has changed and makes the necessary corrections to the database. The tables used by port_scan are:

• nac_hostscanned
• nac_openports
• protocols
• services
• subnets

The tables protocols and services are lookup tables. They contain descriptions of protocols and services related to a certain port.
The table subnets contains definitions of subnetworks that port_scan is allowed to scan.
The table nac_hostscanned contains general information (IP address, hostname, OS) of scanned systems.
The table nac_openports contains information of the services present on each host which is in the nac_hostscanned table.

Dependencies:

OpenNAC
Nmap 4.11 or later

Modes of operation:

This script has 3 modes of operation:

1. When it is called with no arguments, it grabs IPs from the systems table and compares them against the networks defined in the subnets table. The final decision on what to scan is made through the LastSeen time threshold. With this, you say to scan only the hosts that were seen on the network within the lapse of 1 day, 1 month, 30 minutes, whatever.
2. When it is called with the "--scannow" parameter, it grabs IPs from the systems table, no matter if they are allowed or not, as long as in the systems table the flag "scannow" has the value "1". Then it checks these IPs against what you have specified in the subnets table.
3. IPs from the command line. You can call the script with something like port_scan x1.y1.z1.w1 ... xn.yn.zn.wn. In this way, the script will get the IPs from the command line and only those IPs which fall within the criteria specified in the subnets table will be scanned.

This script also has the switch "--verbose" to activate debugging. Please note that debugging of this script will be redirected to syslog.

About the subnets table and its use with port_scan:

Only those computers which fall within the criteria specified in the subnets table will become a strong candidate to be scanned. As said before, this table contains definitions of subnetworks that port_scan is allowed to scan. This was done so because maybe you have lots of subnets in your network, and some of them are behind a firewall, so they can't be accessed and scanning them would be a waste of time and resources. That's why, you need to specify in this table one register per subnet you want to take into account.

Files and directories required:

/opt/nac/bin/port_scan
/opt/nac/etc/port_scan.inc
/opt/nac/funcs.inc
/opt/nac/scan/

How to run it:

Important: You need to specify first in the subnets table the networks you want to scan.

• To scan all devices that are in the systems table, just type:

   /opt/nac/bin/port_scan &

• To scan all devices in the systems table that have the flag scannow=1, do:
  

   /opt/nac/bin/port_scan --scannow

  With the GUI you can set the flag for devices you want to scan now.

  If you prefer do it by hand, then

  update systems set scannow=1 where ...;

• To scan a list of IP addresses, do
  

  /opt/nac/bin/port_scan 192.168.0.1 192.168.0.2 192.168.0.3 ... 192.168.0.254

Bugs:

Please report them in our Development forum:
http://www.freenac.net/phpBB2/viewforum.php?f=2

snmp_set_port.php

As of FreeNAC 3.0 we introduced the snmp_set_port.php script. This script programs a switch port either as static of dynamic. Its usage is as follows:

snmp_set_port.php switch port [OPTIONS] 

Where switch is the switch's ip and port is the port name. This script supports the following options.

OPTIONS:
        -d              Set port to dynamic
        -s vlan_name    Set port to static and program vlan_name on that port
        -h              Display this help screen 

If no option is provided, it programs the port as dynamic. To program a port as static, you need to provide the vlan_name you want to program on the switch port. Such vlan_name must exist on the switch in order to be successfully programmed. Once the port has been programmed, it gets restarted.

Since this script makes extensive use of SNMP, make sure you adjust your SNMP communities in the etc/config.inc file.

This script is designed to be run from the command line. So, in order to interact with the Windows GUI, we have provided a companion script called cron_program_port.php

cron_program_port.php gets the list of ports whose set_authprofile field equals 1, and then issues an snmp_set_port command for every port that matched the criterion. Since this latter script is designed to be run from crontab, you should adjust the running frequency according to your needs.

Bugs and comments, please discuss them in the forums .

AD/LDAP user interface

DESCRIPTION

The purpose of this module is to query Microsoft's Active Directory to obtain user information which is then stored in the users table. The module should also work for other LDAP implementations, although some modifications may be necessary (attribute names). Optionally additional information from the Microsoft Exchange AD schema extension can be fetched as well.

HOW DOES IT WORK

The module fetches the attributes sAMAccountName, sn (surname) and GivenName of all objects of type person underneath all Distinguished Names (dn) defined in $ad_base_user_dn as configured in config.inc. Then it checks for each account name if it exists already in the database. If it does, the entry is updated, including the LastSeenDirex field. Otherwise a new entry is inserted into the database.

In case of querying addtional MS Exchange attributes, these are:

• department
• mail
• physicalDeliveryOfficeName
• telephoneNumber
• mobile

CONFIGURATION

There are five options in the global configuration.

• ad_server: The Domain controller where the AD is queried.
• ad_user: This is the DN of a user with sufficient privileges to read the necessary information from AD. The possible values for this setting should be in the form 'cn=User,cn=users,dc=domain,dc=com';
• ad_password: The password for ad_user
• ad_base_user_dn: The DNs (do not confuse with Domain Name Server) of the places underneath which users are stored. The possible values for this setting should be in the form 'cn=users,dc=test,dc=com'
• ad_port: The port where we should connect to.
  There are two ports related to LDAP. The port 389 is the standard port assigned to this service and the port 3268. The port 3268 is assigned to the Global catalog. A Global Catalog is a read only copy of selected attributes of all of the Active Directory servers whithin the AD forest. Querying the Global Catalog allows all the domains to be queried in a single query, without the query spanning servers over potentially slow links. It is recommended to use the Global Catalog since it is used only for searches and port 389 is used for read and write operations, and therefore it could be restricted.

HOW TO USE IT

First, setup the AD related parameters in config.inc. IMPORTANT: Once you have set the related parameters in config.inc, you need to import the config.inc file into the database. As of release V2.2 RC2, ad_user_snyc takes all the variables from the config table, so the config.inc file has to be imported into the database.

Do the following from the /opt/nac/contrib directory:

./config2db ../etc/config.inc

If you need to redefine some of these settings, you can do so through the Windows GUI.

Then run the module script from the command line with the paramter 'test'. This checks whether your LDAP server can be reached and dumps the user information obtained to stdout. If you want to fetch the addtional MS Exchange attributes launch the module with the addtional argument 'exchange'. Once your setup works, register the module in crontab.

crontab -e

add the next line

0 0 * * *    /opt/nac/bin/ldap

or

0 0 * * *    /opt/nac/bin/ldap exchange

This will run it every day at midnight.

DEPENDENCIES

OpenNac
PHP with LDAP support

FILES

bin/ad_user_sync
etc/config.inc
doc/README.ad_user_sync

802.1x components

The “802.1x” standard allows authentication of devices in LAN or Wireless networks, using cryptographic techniques to provides higher security. 802.1x can authenticate the user or the device.

FreeNAC includes 802.1x since V2.2.

802.1x and MAC address identification can be combined, by for example authenticating the user via Windows Domain Logon and using the end-device MAC address for Vlan assignment.

The following diagram shows the components involved in 802.1x authentication.

The VMPS/MAC based components (vmpsd_external, postconnect) are documented in the VMPS section.

rad2vmps

A Perl script 'rad2vmps' is called from FreeRadius, that accepts a MAC address and returns the Vlan to be assigned to the supplicant. This script queries the FreeNAC database of MAC addresses via the VMPS protocol.

802.1x problems

802.1x provides key advantages such as added security and a consensus that long term it is 'the way to go', but keep in mind some of the limitations when choosing 802.1x over VMPS in the short term.

• New(er) switches are usually required (e.g. 2006 or later)
• Vendor interoperability is a problem, each implements their own additional radius fields.
• Its a complex protocol: it is slower (due to the amount of data exchanges, the number of handshakes and encryption), difficult to analyse and support (due to the complexity of handshakes).
• Supplicants (the 802.1x client) are delivered with some Operating Systems but not with others. In Windows, depending on patch level/Service pack, it may work fine. 3rd party supplications are available but usually are not free and require configuration, suppport and distribution.
• Certificate (PKI) management: generating and checking signatures is normally easy enough, but how do you distribute, revoke and check for revoked certificates? How large are CRLs, how/where are they managed/downloaded?
• Interaction with Hubs, un-managed switches and Virtual Machines in bridged mode can be problematic, as 802.1x usually expects only one end-device per port.
• Cost: due to the above and the cost of a commercial Radius server (if you don't use a free alternative such as FreeRadius/FreeNAC)

Generation of computer certificates with a Winbugs CA

Generation of computer certificates with a Winbugs CA

If you want to deploy EAP-TLS in your network and require end-device certificates installed on your computers, this guide might be of help. In this guide we are going to generate computer certificates and configure the computer to perform EAP-TLS by using this certificate. Important: we won't be validating the users, only the device, so it means that any user can use the computer as long as the certificate is valid.

To generate the certificates, we will use a web server running Windows Server 2003 with the service of certification authority (CA) installed.

Open your favorite web browser and type in http://your_server/certsrv/, where your_server is the DNS name or IP address of your web server.

"Request a certificate", ask for an "advanced certificate request" and "Create and submit a certificate request to this CA".

In the Name field, type in the name of the computer for which you are requesting this certificate.

In Type of certificate needed, select "Client Authentiation Certificate"

Create a new key set and as Key Usage select "both".

Select the Mark Keys as exportable check box. Doing this saves the public and private key to a PKCS #12 file. This is useful if you want to copy a certificate for use on another computer.

Select the Store certificate in the local computer certificate store check box. This last option is actually important because it will save the certificate in the computer store, instead of the user store, which allows for TLS authentication to work.

Then you just need to wait for your CA to issue the certificate for you. Once you have your certificate, install it. By default it should be stored in the computer store.

Now, to allow EAP-TLS to work using this certificate as a computer certificate for all users, you need to modify the registry of the computer where you installed the certificate on. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global and add a new DWORD-value called AuthMode with the value of 2. Note that for this you need to have Administrator privileges on the computer.

Now you need to restart either your computer or the Wireless Zero Configuration service and you are done. This will perform the magic needed to send the computer certificate to authenticate this computer regardless of what user is actually using it.

Generation of server certificates with OpenSSL and a Winbugs CA

Generation of certificates for FreeRadius (EAP-TLS) with a CA on a Winbugs box

When generating certificates to be used by FreeRadius with EAP-TLS, there is an extension which is to be added to the certificate in order to validate this certificate. This validation is performed by the client against a root CA certificate. If such extension is not present in your FreeRadius server certificate, the auth process will fail, because the client won't be able to validate it and stop communicating with your server. If you happen to have your CA running in a Winbugs box, then this might be of help. We are going to generate a request using openssl and issue the certificate with winbugs with the extension needed embeded into the cert file.

First of all, in the computer where you are going to generate the request, edit your openssl.cnf file and do the following modifications:

Find the v3_req stanza and change the following line:

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

for this one

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment

and add the following line at the end of this stanza

extendedKeyUsage = 1.3.6.1.5.5.7.3.1

This will generate a request containing all needed attributes/extensions to be validated by the clients.

Your v3_req stanza should look like the following:

[ v3_req ]
 # Extensions to add to a certificate request
 basicConstraints = CA:FALSE
 keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
 extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Bear in mind that you are modifying openssl's configuration file. That means that all future requests will have these attributes set. If you don't want all future request to be a server authentication request, comment the last line out from the v3_req stanza.

Now generate your request using openssl

openssl req -new -keyout server.key -out server.req

This generates two files. One where your private key is contained and another one with your actual request. OpenSSL will ask you for a pass phrase. The passphrase you enter here is important. Without it you won't be able to decode your private key.

Our CA is on a Win2k3 server. We need to send our request to the CA by using the Microsoft Certificate Services. Open your favorite browser, and type in http://your_server/certsrv/ and select "Request a certificate" and submit an "advanced certificate request" by using the base-64-encoded option.

Once the page is open, copy the contents of your server.req file and press submit. Then you just need to wait for your CA to issue the certificate for you.

If you need your certificate in PEM format and the certificate was exported as DER encoded there is a final step you have to perform.

openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem

If the certificate is Base-64 encoded and you need the PEM extension, then just rename the file.

mv certificate.cer certificate.pem

eap.conf

The eap.conf configuration file deals with the settings needed to perform cryptographic operations. The default eap.conf file that comes with your default installation provides enough information to help you configure your system properly, here we are presenting some common options, what they mean and how to configure them.

The tls section

This section holds configuration settings that affect your RADIUS server, so be careful when editting these settings.

private_key_password

The password you used to encode your private key when generating your certificate request. Comment it out if no password was set.

private_key_file

Path to your private key file. It has to be in PEM format

certificate_file

Path to your actual server certificate also in PEM format

If Private key & Certificate are located in the same file, then private_key_file & certificate_file must contain the same file name.

CA_file

Trusted Root CA list. To use a certificate chain, you need to append in this file all certificates of the CAs that take part in your certificate chain, starting with the one that is at the top of the chain and finishing with the one that signed your certificate. This file has to be in PEM format.

check_crl

Set it to yes if you are going to use revocation lists, or comment it out if you won't.

CA_path

Path to the directory where the revocation list is. If you are not using CRLs, comment this out.
Copy to this directory the RL and your trusted root CA list. Once you've done that, do a c_rehash to this directory, where c_rehash is an OpenSSL command. Remember that CRLs have an expiry date, so make sure to always refresh your CRLs otherwise your server will deny all requests.

check_cert_issuer 

If check_cert_issuer is set, the value will be checked against the DN of the issuer in the client certificate. If the values do not match, the cerficate verification will fail, rejecting the user.

check_cert_cn

If check_cert_cn is set, the value will be xlat'ed and checked against the CN in the client certificate. If the values do not match, the certificate verification will fail rejecting the user.

This check is done only if the previous "check_cert_issuer" is not set, or if the check succeeds.

If you are using computer certificates, the username is sent like 'host//pc001' and the verification might fail because of the 'host//' part. In such a case, you might want to strip that part by doing:

check_cert_cn = %{Stripped-User-Name:-%{User-Name}} 

MAC-Auth-Bypass

MAC authentication bypass is an alternative to 802.1X that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC authentication bypass uses the MAC address of the connecting device to grant or deny network access.

MAC-Authentication bypass in FreeRadius, using FreeNAC as backend works as follows:

• When a device connects to the switch, the connecting device normally sends an "Access-Request" packet to the switch, which is then forwarded to the Authentication Server, in our case, FreeRadius.
  Then the Authentication server asks for more information from the connecting device in form of Access-Challenges. This process continues until the Radius server has enough information (Radius attributes) to make a decision.
  After requesting all required Access-Challenges from the connecting device, FreeRadius will give back to the switch an Access-Accept or an Access-Reject response, where this decision will be enforced.
• An 802.1x capable device selects the authentication type that will be used to perform uthentication by means of a Radius attribute. Checking this Radius attribute, FreeRadius will know how to authenticate the username, for example, by using Samba, MySQL, LDAP, etc.
• When a non-802.1x-capable device connects to the switch, the switch detects that one of its links is up and waits for packets which will then be forwarded to FreeRadius. If during a certain amount of time the switch hasn't received any packets, it will start authentication of the connecting device using its MAC address as the username. FreeRadius will then generate a VMPS request for
  FreeNAC, and FreeNAC will say if the device is authorized or not and where to place it.

In FreeNAC, we use a module called rad2vmps which performs the translation of a RADIUS request into a VMPS request which is then sent to the VMPS server. rad2vmps is a modification to the original script vqpcli.pl part of the OpenVMPS distribution. Vqpcli.pl makes VMPS requests to a VMPS server and outputs the decision taken by the VMPS server.

In the authorize section of FreeRadius, rad2vmps retrieves the needed parameters from the RADIUS request to make a VMPS request, (e.g. Switch IP, MAC address, etc). When a request reaches FreeRadius and no authentication type has been specified, rad2vmps will output the required attributes to call for MAC-Authentication bypass.

In the Authentication section of FreeRadius, the authentication type corresponding to this request will be used. For example, if in the request the authentication type was specified to MSCHAP, MSCHAP authentication will be called. For MAC-Authentication bypass, it is here where we create our VMPS request and send it to the VMPS server.

After we know who the user is (authenticate section), we assign the device the vlan where it belongs to. For all authentication types but MAC-Authentication bypass, it is here where we create our VMPS request and send it to the VMPS server. If a MAC-Authentication bypass was done, the code in this section is ignored.

So, basically, the difference between a MAC-authentication bypass and the rest of the authentication types is where we send the VMPS request. For MAC-Authentication bypass, the request is sent in the Authenticate part, and for the rest in the Post-Auth section. This allows for authenticating the user before authenticating her device.

Authenticating both username and device is more secure than authenticating only the device, but in cases where this is not possible, MAC-Authentication bypass is used.

Links to 802.1x material on this website

Links to other Technical Guide Documentation

• Switch configuration: Cisco 802.1x tests

Links to the Install Guide:

• Building 802.1x components

VMPS parameters

Vlans

The Vlan names and number must be configured on switches exactly the same as in the Vlan table in FreeNAC. NAC does not configure this on the switches for you.

So for example, if NAC is going to attribute the Vlans 'Printer' and 'Workstation', these two must be defined exactly with the same name and number on the Switches, and in FreeNAC.

FreeNAC also allows 'location based vlans' i.e. the vlans names do not have to be the same on all switches, refer to the FreeNAC Users Guide >> Windows GUI >> Configuration: Vlans.

syslog

Its recommended to configure the switches to send a copy of their logs to the NAC server, helping in troubleshooting.

See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura...

vmps server

CATOS:

  set vmps server   192.168.245.40

  clear vmps server 192.168.245.18

  reconfirm vmps

  sho vmps

IOS:

conf t   
vmps server     192.168.245.40  
no vmps server  192.168.245.18 
end
vmps reconfirm
sho vmps 

VMPS “retry” switch parameter

The following is an extract from "Troubleshooting Connectivity Between the VMPS Client and the VMPS server", http://www.cisco.com/warp/public/473/157.html#topic1-3

VMPS reconfirmation occurs when the VMPS client asks the VMPS if the dynamic port assignments are correct and if the correct MAC addresses have been assigned to the right ports. By default, this happens about every 60 minutes. Issue a show vmps command on the VMPS client to determine the VMPS reconfirmation time.
If the connectivity between the VMPS client and VMPS is intermittent (some data gets lost along the way) then you can try to increase the VMPS retry interval on the VMPS client, as a workaround. Issue the set vmps server retry command. By default, the VMPS client will try three times. In an environment with intermittent connectivity, when you increase the VMPS retry interval, you give the client more chances to connect to the VMPS before it gives up and VLAN membership fails.

Since Version 2.0, FreeNAC queries an SQL database in real time when authenticating end devices. There is also an optional "hub detection" feature which means it tries to detect and ping all devices already on a hub. Thus authentication can take seconds.

This can lead to the switch getting impatient, sending several requests and logging MACNOTRECONFIRMED messages to syslog, especially when reconfirming all ports each hour. One solution is to increase the vmps retry count from the standard 3, to say, 10.

When there is a loss of connectivity between a VMPS client and a VMPS, the VMPS reconfirmation might fail and produce the DVLAN-2-MACNOTRECONFIRMED error message. The port will lose its DVLAN assignment, as in this example:

     %DVLAN-2-MACNOTRECONFIRMED:Mac [00-00-f4-11-11-0f] is not reconfirmed
     %DVLAN-1-DENYHOST:Host 00-00-11-11-11-0f denied on port 3/10

Cam” timeouts on “silent” servers

After the end-device transmits and the switch receives a valid response from the VMPS server, the switch enables the interface in the correct VLAN. If the client sits idle for a while causing the bridge aging timer to expire for the entry, the Catalyst returns the port to an unassigned state.

Therefore

• 'silent' servers, (or printers for example) would be disconnected from the network if they did not transmit packets at least every 5 minutes.
• If the VMPS daemon died during the night, users would not be able to login in the morning. (Of course this can be mitigated by with redundnacy mechanisms).

The aging timer (or CAM: content addressable memory) can be viewed on CatOS switches with:

sh cam agingtime (The default value is 300 seconds).

This timeout can be increased to several hours. This increases the risk of arp flooding (we think), but this is a low risk on internal network hopefully. It is recommended to set a value like 12 hours for dynamic/VMPS ports. This is important for switches that have servers/printers that may not send out any packets for several minutes or hours.

Its also recommended to use logcheck or a similar tool, to watch for unusual Switch syslog entries, especially floods.

CatOS:
The value can be set in seconds and per vlan. It needs to be set for each VLAN, for example on VLAN 4:

 show cam agingtime VLAN_NR

set cam agingtime VLAN_NR XXX  (secs, e.g. 24h=86400, 12h=43200)

IOS:

arp mac-address-table aging-time XXX  (secs)

Other notes

A graphical example

Example of migrating Switches to use a new VMPS server

Assuming we had two previous VMPS servers 192.168.245.18 and 192.168.245.19, and we now wish to change the switches to use a new server 192.168.245.40. Then logon on to the switches and do the following.

Monitoring: watch the syslog entries on the vmps server, the updating of the “last seen” times and “Server log” in the Windows GUI.

CATOS:
set vmps server 192.168.245.40
clear vmps server 192.168.245.19
clear vmps server 192.168.245.18
reconfirm vmps
sho vmps

IOS:
conf t
vmps server 192.168.245.40
no vmps server 192.168.245.18
no vmps server 192.168.245.19
end
vmps reconfirm
sho vmps

Cisco CatOS configuration examples

CatOS

Initially, Switches must be configured to send a copy of syslog messages, and given the name of the vmps servers, where it can send requests for dynamic port assignment. See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura....

# Setting up syslog servers

set logging server 192.168.245.40

# Set VMPS servers

set vmps  server 192.168.245.40

set vmps  server 192.168.245.19 primary

set vmps  server 192.168.245.18

# Remove a VMPS server & show status

clear vmps server 192.168.245.19

show vmps

# Lets make a port dynamic & ask the switch to re-authenticate all dyn ports, i.e. use VMPS

  set port membership 2/36 dynamic

  reconfirm vmps

# To switch a port back to static Vlan (if you had problems)

  set port membership 2/36 static

# To verify port

  show port status 2/36

# to disable/enable port (simulate cable being removed)

  set port disable 2/36

  set port enable 2/36

# The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10):

  set vmps server retry 5

# The switch reconfirms by default every 60 minutes, set it to 120:

set vmps server reconfirminterval 120

# Other useful commands:

  show mac-address-table address 00:04:dd:b6:5c:c2

  show cdp neighbors

  show cdp neighbors Gi4/5

  show cdp neighbors Gi4/5 detail 

# Tag a name to a port (to document usage)

  set port name 2/32 webcam

# Look at the MAC table:

  show arp

ARP Aging time = 1200 sec
+ - Permanent Arp Entries
* - Static Arp Entries
192.168.1.19 at 00-03-ba-17-fa-bf port 2/49 on vlan 2
192.168.1.18 at 00-03-ba-18-06-4b port 2/49 on vlan 2

show port status 2/32

Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/32 inactive dyn- normal auto auto 10/100BaseTX

show cam dynamic 2/43

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
3 00-04-76-15-48-30 2/43 [ALL]
Total Matching CAM Entries Displayed =1

show cam 00-04-76-15-48-30

* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
X = Port Security Entry $ = Dot1x Security Entry
VLAN Dest MAC/Route Des [CoS] Destination Ports or VCs / [Protocol Type]
---- ------------------ ----- -------------------------------------------
3 00-04-76-15-48-30 2/43 [ALL]
570 00-04-76-15-48-30 2/49 [ALL]
Total Matching CAM Entries Displayed =2

Problems with “clear vmps server” on old CatOS

The command for removing vmps server “clear VMPS server” seems to be missing from older CatOS versions, there is no known workaround except either upgrading CatOS, or avoiding deleting the server IP address!

The offending Switches had the following version.
> (enable) show version
WS-C2948 Software, Version NmpSW: 6.3(1)
Copyright (c) 1995-2001 by Cisco Systems, Inc.
NMP S/W compiled on Jul 24 2001, 12:55:29
GSP S/W compiled on Jul 24 2001, 10:36:29
System Bootstrap Version: 4.4(1)
Hardware Version: 2.1 Model: WS-C2948

Cisco IOS configuration examples

Network Switch Configuration & Tips for Cisco IOS

Initially, Switches must be configured to send a copy of syslog messages, and given the name of the vmps servers, where it can send requests for dynamic port assignment. See also http://www.cisco.com/en/US/products/hw/switches/ps607/products_configura....

Configuring VMPS

conf t 
no vmps server 192.168.245.41
vmps server 192.168.245.40
vmps reconfirm 120
end
show vmps

Re-authenticate all current connections

vmps reconfirm

Re-authenticate all current connection, by emptying the MAC table. Note that the previous “vmps reconfirm” will not re-allow systems that were previously denied. For that we need to clear the MAC table.

clear mac-address-table dynamic

Enable VMPS on port fa0/2:

conf t
int fa0/2
switchport access vlan dynamic

(Re-)enable static Vlan 8 on port fa0/2:

conf t
int fa0/2
switchport access vlan 8

The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10):

vmps retry 5

The switch reconfirms by default every 60 minutes, make it 2hrs :

vmps reconfirm 120

Other commands

show vmps stat

clear vmps statistics

show vlan

SNMP v3 setup

(contribution from 'immi')
To use authentication and encryption with SNMP and also restriction by access-list who can access my device.
For SNMP write I enabled only limited part of SNMP tree (.1.3.6.1.2), read is open.

1. Cisco Switch part in config mode:

snmp-server group secure v3 priv
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server user snmpusr secure v3 auth md5 cisco123 priv des56 cisco123

access-list 1 permit host x.x.x.x
access-list 1 deny any log

# then you can check
VMPSclient#sho run | incl snmp
snmp-server group secure v3 priv read secure-ro write secure-wr access 1
snmp-server view secure-ro internet included
snmp-server view secure-wr mgmt included
snmp-server location /CZ/PRG/ROOM249
snmp-server contact CallMe ext.: xxxx
VMPSclient

VMPSclient#sho snmp group
groupname: secure security model:v3 priv
readview : secure-ro writeview: secure-wr
notifyview: <no notifyview specified>
row status: active access-list: 1

VMPSclient#sho snmp user
User name: snmpusr
Engine ID: 8000000903000014A86637C0
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: secure

# two examples for check if it is working:
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 system
snmpwalk -v 3 -u snmpusr -l authPriv -a MD5 -A cisco123 -x DES -X cisco123 172.16.1.1 sysUpTime

2. Then modify the default SNMP values on Freenac server, it is in /usr/share/snmp/snmp.conf:
vmpssrv:~ # cat /usr/share/snmp/snmp.conf
(comments are erased)
defversion 3
defsecurityname snmpusr
defsecuritylevel authPriv
defauthtype MD5
defauthpassphrase cisco123
defprivtype DES
defprivpassphrase cisco123

To test, snmpwalk 172.16.1.1 system

3. Modify /opt/nac/etc/config.inc
(just part for port reset)
## restart_port
# $snmpwalk="/usr/bin/snmpwalk -v 1 -c public"; # SNMP Read community
# $snmpset ="/usr/bin/snmpset -v 1 -c private"; # SNMP Write community
$snmpset ="/usr/bin/snmpset"; # SNMP Write community
$snmpwalk="/usr/bin/snmpwalk"; # SNMP Read community

Cisco 802.1x tests

Introduction

This sections contains results from some test with 802.1x on Cisco switches and FreeRadius.

Setup on an access point on port 2/22

Lets say there is an access point on port 22, first set it to static and assign a trunk with the appropriate vlans:

set port membership 2/22 static
Port 2/22 vlan assignment set to static.
Spantree port fast start option set to default for ports 2/22.

set trunk 2/22 on
clear trunk 2/22
Port(s) 2/22 trunk mode set to auto.
Port(s) 2/22 trunk type set to dot1q.

sw0503> (enable) set trunk 2/22 11-12,15
Vlan(s) 11-12,15 already allowed on the trunk
Please use the 'clear trunk' command to remove vlans from allowed list.

Setting up 802.1x on port 0/2

logging 192.168.245.40
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.168.245.40 auth-port 1812 acct-port 1813 key 7 141E1C040D14
radius-server retransmit 3

# a port with static Vlans:
interface FastEthernet0/2
switchport access vlan 15
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast

# dynamic vlans: vlan is returned by the radius server
interface FastEthernet0/2
switchport access
switchport mode access
dot1x port-control auto
no cdp enable
spanning-tree portfast

## Option: reauthenticate every two hours
dot1x timeout reauth-period 7200
dot1x reauthentication

## Other options
#dot1x default
#dot1x guest-vlan 524
#dot1x auth-fail vlan 522

##Enabling MAC-auth-bypass in switches that allow this option
#dot1x mac-auth-bypass

##Timing options specially for MAC-auth-bypass
#dot1x max-reauth-req 3 #Number of EAP requests sent to the client before trying MAC-auth-bypass
#dot1x timeout quiet-period 5 #Number of seconds to retry auth after a failed auth
#dot1x tx-period 5 #Number of seconds to wait for an answer after an EAP request has been sent to the client

##aaa authorization network default group NAC

testing

#sh dot1x

Sysauthcontrol = Enabled
Supplicant Allowed In Guest Vlan = Disabled
Dot1x Protocol Version = 1

#sh dot1x interface fastEthernet 0/2

Supplicant MAC <Not Applicable>
AuthSM State = CONNECTING
BendSM State = IDLE
Posture = N/A
ReAuthPeriod = 3600 Seconds (Locally Configured)
ReAuthAction = Reauthenticate
TimeToNextReauth = N/A
PortStatus = UNAUTHORIZED
MaxReq = 2
MaxAuthReq = 2
HostMode = Single
Port Control = Auto
ControlDirection = Both
QuietPeriod = 60 Seconds
Re-authentication = Enabled
ReAuthPeriod = 3600 Seconds
ServerTimeout = 30 Seconds
SuppTimeout = 30 Seconds
TxPeriod = 30 Seconds
Guest-Vlan = 0
AuthFail-Vlan = 0
AuthFail-Max-Attempts = 3

debug dot1x ?
all All Dot1x debugging messages turned on
errors Error codes
events Events
packets Packets
registry Registries
state-machine State machine
undebug all

#debug dot1x errors
Dot1x Errors debugging is on

References

http://www.cisco.com/en/US/products/hw/switches/ps5213/products_configur...
http://wiki.freeradius.org/Rlm_perl
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg...

Mac bypass authentication: (note not all IOS switches have this..)
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configura...

Notes

Note: For FreeRadius assigning VLANs dynamically, do a users file with:
> DEFAULT Auth-Type == MS-CHAP or
> NAS-IP-Address==x.y.z.w, NAS-Port = 50001
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-ID = VLAN_number
>
> DEFAULT Auth-Type := Reject
>
> You need to keep this file for every vlan you want to return and the
> request attributes you want to check.
> In fact, the script I have does exactly this. It outputs just those
> values at the end of the authentification process (post_auth), and
> then the switch assigns the client the vlan that VMPS has returned.
> I think it is easier than maintaining the users file by ourselves

0008.7446.2aa5

------------------------------
/opt/nac/bin/rad2vmps

$request{server_ip}='freenac'
in the post_auth function

Then modify radiusd.conf accordingly
// Radiusd.conf in the modules section add
verify_mac {
module = "/opt/nac/bin/rad2vmps"
}
//Authorize section
authorize {
verify_mac
eap
}
// Add a post-auth section
post-auth {
verify_mac
}

Setting up the nas-port attribute
-----------------------------------------
conf t
radius-server attribute nas-port format X
where X can be

a Format is type, channel or port
b Either interface(16) or isdn(16), async(16)
c Data format(bits): shelf(2), slot(4), port(5), channel(5)
d Data format(bits): slot(4), module(1), port(3), vpi(8), vci(16)

Recommended for FreeNAC: a (default)

Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_...

Sending vendor specific attributes
------------------------------------------
conf t
radius-server vsa send authentication
end

Using 'ciscocmd'

Introduction

'ciscocmd' is a useful tool for remotely executing commands or querying cisco swithes. Is is briefly described here as it is useful when operating FreeNAC in a large environment.

Cisco-centric Open Source Initiative
http://sourceforge.net/projects/cosi-nms
http://cosi-nms.sourceforge.net/

This is a great tool for 'remote control' of Cisco switches. Some examples are below.

Download and extract, no compilation is needed.
These tests were done with v1.4, I installed in /opt/nac/ciscocmd-1.4.

Single switch example

Example switch is SWITCH1)
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "show vmps"
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "reconfirm vmps" -e -s MYPASS
./ciscocmd -u USER -p MYPASS -t SWITCH1 -c "ping 192.168.1.40" -e -s MYPASS

(change USER, MYPASS; and the enable password as needed..)

Several switches

# Get all CatOS switches from the FreeNAC DB (hw type 2948, store in catos.txt),
echo "select name from switch where hw like '%2948%' order by name;" | mysql opennac |egrep -v name > catos.txt

# and check their vmps status:
./ciscocmd -u USER -p MYPASS -T catos.txt -c "show vmps" | egrep "VMPS Action|VMPS Last Accessed|Last Reconfirmation|show vmps"