This section covers diverse issues not presented in the main chapters.
-CONTRIBUTED TOOL-
Through the following scripts, it is possible to generate the "zone" files for bind (a.k.a. named), for a single domain.
See also the related ISC DHCP Configuration scripts.
The configuration options are in the FreeNAC database and can be configured via the Windows GUI.
This script will generate the normal (forward) zone files from the systems table.
An 'A' record will be generated for each system and will point the 'hostname' field to the last known IP ('r_ip').
Aliases (CNAME records) will be generated from the (comma separated) 'dns_alias' field and will point to the 'A' record of the host.
This script will generate the reverse zone files from the systems table.
For each subnet matching the '$dns_subnet' configuration option, reverse records (PTR) will be extracted from the systems table. The last known IP address will point to the hostname.
The generated files will be named like '254.168.192.in-addr.arpa' for the 192.168.254.0 subnetwork.
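The forward/reverse generation described above, as an added example in Python (not FreeNAC's contrib scripts, which are PHP): the row shape follows the 'hostname', 'r_ip' and 'dns_alias' fields named in the text, the sample rows and the domain 'example.net' are constructed, and SOA/NS headers are left to the caller.

```python
import ipaddress

# Constructed rows in the shape of FreeNAC's 'systems' table (field names
# from the description above; the values are made up).
SYSTEMS = [
    {"hostname": "pc01", "r_ip": "192.168.254.10", "dns_alias": "www, intranet"},
    {"hostname": "printer7", "r_ip": "192.168.254.20", "dns_alias": ""},
    {"hostname": "lab-box", "r_ip": "10.1.2.3", "dns_alias": "lab"},
    {"hostname": "never-seen", "r_ip": "", "dns_alias": "ghost"},
]

def forward_records(systems):
    """One A record per system with a last known IP, plus one CNAME per
    comma-separated alias pointing at the host's A record. Systems without
    an IP (and their aliases) are skipped so no dangling CNAME is emitted."""
    out = []
    for s in systems:
        if not s["r_ip"]:
            continue
        out.append((s["hostname"], "A", s["r_ip"]))
        for alias in s["dns_alias"].split(","):
            alias = alias.strip()
            if alias:
                out.append((alias, "CNAME", s["hostname"]))
    return out

def reverse_zone_name(subnet):
    """Zone name for a subnet: 192.168.254.0/24 -> 254.168.192.in-addr.arpa,
    as in the text above. Only octet-aligned IPv4 prefixes are handled."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("expected an octet-aligned IPv4 subnet")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def reverse_records(systems, subnet, domain):
    """PTR records (names relative to the reverse zone) for every system
    whose last known IP is inside `subnet`; targets are fully qualified."""
    net = ipaddress.ip_network(subnet, strict=False)
    out = []
    for s in systems:
        if not s["r_ip"]:
            continue
        ip = ipaddress.ip_address(s["r_ip"])
        if ip in net:
            host_part = str(ip).split(".")[net.prefixlen // 8:]
            out.append((".".join(reversed(host_part)), "PTR", f"{s['hostname']}.{domain}."))
    return out

def render_zone(origin, records):
    """Render records as zone-file lines under $ORIGIN (host records only)."""
    lines = [f"$ORIGIN {origin}."]
    lines += [f"{name}\tIN\t{rtype}\t{rdata}" for name, rtype, rdata in records]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_zone("example.net", forward_records(SYSTEMS)))
    subnet = "192.168.254.0/24"
    print(render_zone(reverse_zone_name(subnet), reverse_records(SYSTEMS, subnet, "example.net")))
```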
This document explains the changes from v2.2 RC3 to v3, and the steps to upgrade to v3.
V3.0.2 is a small point release (SVN build 1233) gathering fixes to the stable branch since v3.0.0.
New Web GUI: See README.webnew which explains the new design, and CHANGES which lists progress.
Windows GUI: several small improvements.
Backend changes:
A substantial change in FreeNAC v3.0 is the introduction of an OO (object oriented) policy interface, which provides greater flexibility and encapsulation of the individual decisions controlling end-device access to the network.
The main programs have been rewritten using OO techniques, some others have been modified to work with our framework, and some others have been added to this new release. The aim of the OO change is to have a modularized system which would be easier to debug, troubleshoot, maintain and extend in the long run.
It is now a requirement to use PHP 5 (not PHP 4); we recommend using the latest PHP version.
Here is a summary of the changes in v3.0 (since v2.2):
See the Installation and User Guides.
If you have a previous FreeNAC installation and would like to update to 3.0, here is what you have to do:
Stop previous instances of vmps, last_seen and proctst (if you are using the latter)
/etc/init.d/vmps stop
/etc/init.d/vmps_lastseen stop
/etc/init.d/proctst stop
Checkout the latest stable release
mkdir /opt/nac3.0
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/branches/3.0/ /opt/nac3.0
Then, copy over the config files or adapt the config.inc.template according to your needs.
Apply the changes to the database
cd /opt/nac3.0/contrib/migration_2.2_to_3.0/
mysql opennac < db_changes.sql
Add the extension .php to all PHP scripts you have in your crontab
Copy over the startup scripts
mv /etc/init.d/vmps /etc/init.d/vmps.$$
mv /etc/init.d/vmps_lastseen /etc/init.d/vmps_lastseen.$$
cp /opt/nac3.0/contrib/startup_init.d/vmps /etc/init.d/
cp /opt/nac3.0/contrib/startup_init.d/postconnect /etc/init.d/
Copy over the proctst configuration file (if you are using it)
mv /etc/proctst.conf /etc/proctst.conf.$$
cp /opt/nac3.0/contrib/etc/proctst.conf /etc
Activate the new directory
mv /opt/nac /opt/nac.$$
ln -s /opt/nac3.0 /opt/nac
And finally start the daemons and watch syslog
/etc/init.d/vmps start
/etc/init.d/postconnect start
/etc/init.d/proctst start   (only if you are using it)
All modules are configured via settings in the 'config' table. This was already the case in v2.2 RC3. If upgrading from an even earlier release (v2.1 for example), please read the relevant migration notes on config.inc. The contents of config.inc have not changed between v2.2 RC3 and v3.
As usual, any questions/remarks/queries can be posted in the forums.
See also the troubleshooting section of the User Guide, search the website, and search the forum.
If there are errors or omissions in this document, please log in to the website and post a comment below.
Regards,
The FreeNAC Team
This is an appendix to keep track of where we made submissions, and possible issues.
-CONTRIBUTED TOOL-
The generate_dhcp.php script in the contrib section can be used to generate a configuration file for the ISC DHCP daemon.
See also the ISC Bind configuration script.
It uses the following parameters in the configuration database (editable using the Windows GUI):
The rest of the configuration will be taken from the FreeNAC database
The "web_showdhcp" configuration flag toggles the ability to edit the dhcp_fix and dhcp_ip fields in the web interface.
If you configure the web interface of FreeNAC, you can also have a feed containing the last connections.
It is available at http://<hostname>/nac/rss.php and you can subscribe to it using your favorite RSS reader.
We have received some requests to support switches from vendors other than Cisco, so we got our hands on some non-Cisco switches and performed some SNMP tests to see what could be done with them. The switches we tested are an HP Procurve 2600 and a 3COM 3812, and here are the results of our experiments:
The file /opt/nac/snmp_defs.inc.php contains the OIDs we use to document switches in the system. The first tests performed were to see if we could retrieve a switch's general information (description, name, location, contact, software, hardware) using the OIDs declared for this purpose. With the OIDs we had we could successfully retrieve the same information, but in some cases we needed to make minor changes, since the OIDs/functions we have are Cisco oriented and on some switches they don't apply 'as is'.
Also we found other new OIDs that could provide better results. For instance, in snmp_scan, to get the list of physical interfaces we check a certain OID that tells if an interface is physical or not, but in the 3COM switches that doesn't apply since all interfaces are marked as physical even though they are virtual. Also in snmp_scan, to get the SW and HW with the OIDs we have, we need to perform string comparisons. We found other OIDs that directly give the HW, SW and firmware versions without the need to perform string comparisons.
The restart_port script was successfully tested on all non-Cisco switches. We were also apparently able to assign a port to a given VLAN (port programming), but using other OIDs which are not listed in snmp_defs.inc. These new OIDs are not yet committed to SVN, since they are still at an experimental stage.
The purpose of this module is to collect daily statistics and store them in a table.
TBD: we are in the design stage, this page is for getting feedback.
A table is to be created with three columns:
Entries to be generated each day:
Things to discuss:
We welcome ideas and code contributions/fixes. You can make these in several ways:
The idea is to start with 1. and progress towards 3. For 2. and 3. you'll need a SourceForge account for subversion and to be on the developer mailing list.
For 2. and 3., you should also create documentation of your module/contribution, for example as an appendix to the Technical Guide. For that you'll need a website account, and request "content editor" rights.
The rest of this document gives some examples of working with subversion.
Checkout a working copy:
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/trunk
svn co https://opennac.svn.sourceforge.net/svnroot/opennac/branches/3.0
Check for changes:
svn update contrib bin etc doc
svn help update
Make changes:
svn add <filename|directory>
svn delete <filename|directory>
svn copy <filename|directory>
svn move <filename|directory>
svn help [ add | delete | copy | move ]
Examine your changes:
svn status doc bin etc contrib
svn status <filename|directory>
svn diff
svn diff > <patchfile>
svn revert <filename>
svn help [ blame | status | diff | revert ]
svn [ blame | praise ]
Commit your changes:
svn commit --username YOUR_SF_USER -m "your message" contrib
svn commit --username YOUR_SF_USER -m "your message" doc
svn commit --username YOUR_SF_USER -m "your message" bin
svn commit --username YOUR_SF_USER -m "your message" etc
svn help commit
For servers behind a proxy, edit ~/.subversion/servers and set the proxy values:
[groups]
group1 = *svn.sourceforge.net
[group1]
http-proxy-host = proxy1.MYDOMAIN.COM
http-proxy-port = 80
To limit which files are checked into SVN, edit ~/.subversion/config:
[miscellany]
global-ignores = *.o *.lo *.la #*# .*.rej *.rej .*~ *~ .#* .DS_Store *,v RCS config.inc
Specifically, we don't want RCS files, or the production config.inc (with passwords), checked in.
cd /trunk
svn update
Find the revision where the branch was created
svn log --verbose --stop-on-copy https://opennac.svn.sourceforge.net/svnroot/opennac/branches/2.2
For this example, branch 2.2 was created in revision 548
svn merge -r 548:HEAD https://opennac.svn.sourceforge.net/svnroot/opennac/branches/2.2
svn commit -m "Back to trunk"
This section covers the creation and usage of the freenac ubuntu package. The package is still in an early state and mainly tries to ease installation of all required packages. Configuration of freenac is not yet included.
The package creation is still carried out all by hand. None of the debian provided tools were used so far.
First, all the dependencies of the freenac package must be installed. Since the package is a simple deb and not published in a repository, dependency handling cannot be done by apt. Hence the dependency list must be extracted from the deb and fed to apt manually.
$ dpkg -f freenac_....deb depends | sed -e 's/,//g' | xargs sudo apt-get -qq install
Now the freenac package can be installed.
$ sudo dpkg -i freenac_....deb
To obtain all data (files to be installed as well as control files) from a package without installing it, proceed as follows.
To extract the files which would be installed,
$ dpkg-deb -x freenac_....deb dir-to-extract/
To extract the control files,
$ dpkg-deb -e freenac_....deb dir-to-extract/
To obtain the proper layout from which the package can be recreated again do the following. It's assumed that you created an empty directory freenac where everything will be extracted to.
$ dpkg-deb -x freenac_....deb freenac/
$ dpkg-deb -e freenac_....deb freenac/DEBIAN
To create the freenac package, proceed as follows.
$ svn co https://opennac.svn.sourceforge.net/svnroot/opennac/... freenac/opt/nac2.2/
Create the necessary files in freenac/DEBIAN (see next section)
Create the package
$ dpkg-deb -b freenac/ ./
The following files should be inside the DEBIAN directory.
For an example of what these files should contain, have a look at the contrib/package_files directory.
To do: let's compare products fairly... this probably needs to be split into MAC-based and 802.1x-based products, concentrating only on the key competitors, and differentiating between open source and commercial?
OpenVMPS works on a file basis, has no database or GUI, and is very intolerant of errors in the configuration. FreeNAC is in fact an effort to make OpenVMPS enterprise-ready.
If you use the VMPS server on old catalysts already for limiting LAN access, what are the limitations?
TBD
TBD
TBD
What does FreeNAC *not* do?
The VLAN exception option (based on the vlanswitch table) is a feature allowing location-dependent VLANs, i.e. for when VLAN naming is not consistent across switches, or not all VLANs are available on all switches.
Example: let's say there is an OfficeLAN and PrinterLAN in the main vlan table, but on switch 'sw101' there is only one LAN called 'LAN1'. This feature allows us to map the OfficeLAN and PrinterLAN on switch sw101 to LAN1.
See also the Windows GUI user guide.
Well, let's start by examining the SQL table:
mysql> describe vlanswitch;
+-----------+--------------+------+-----+---------+-------+
| Field     | Type         | Null | Key | Default | Extra |
+-----------+--------------+------+-----+---------+-------+
| vid       | int(11)      | NO   | MUL |         |       |
| swid      | int(11)      | NO   | MUL |         |       |
| vlan_id   | int(11)      | NO   |     |         |       |
| vlan_name | varchar(100) | NO   |     |         |       |
+-----------+--------------+------+-----+---------+-------+
Going back to the example, let's say there is an OfficeLAN and PrinterLAN in the main vlan table, but on switch 'sw101' there is only one LAN called 'LAN1'. So both VLANs need to be mapped to that.
First, create two entries in the VLAN exception table, using the Windows GUI:
sw101 OfficeLAN LAN1
sw101 PrinterLAN LAN1
In the table there would be entries like the following, assuming that swid=10 indexes to sw101, vid=100 indexes to OfficeLAN, and vid=101 to PrinterLAN:
swid=10, vid=100, vlan_name=LAN1
swid=10, vid=101, vlan_name=LAN1
If Ports.vlanBySwitchLocation() is called in the policy, and lan_by_switch_location is enabled in the config table, the vlanswitch table is queried to find the appropriate vlan_name.
If there are many switches and VLANs, then the number of rows in the vlanswitch table will be large and difficult to manage.
If there are several small/remote offices with only one VLAN (for example) and several main buildings with (say) 30 VLANs, then an exception needs to be created for each VLAN on each switch, which is a lot. One solution for those simple 'one VLAN' switches is the newly proposed feature 'Vlan attribution by Switch, not by end-device'.
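The exception lookup described above, as an added example in Python (not FreeNAC's own PHP policy code): the rows follow the 'describe vlanswitch' output and the sw101/OfficeLAN/PrinterLAN example with swid=10, vid=100 and vid=101; the extra switch swid=11, the ServerLAN entry, and the in-memory 'vlan' table are constructed, and the conflict check at the end is an added sanity check the text does not describe.

```python
# Constructed tables. The vlanswitch rows are the text's example
# (swid=10 is sw101; vid=100 OfficeLAN, vid=101 PrinterLAN -> LAN1); the
# second switch (swid=11) and ServerLAN (vid=102) are added to show the
# path where no exception exists.
VLAN = {100: "OfficeLAN", 101: "PrinterLAN", 102: "ServerLAN"}   # vid -> global name
VLANSWITCH = [
    {"swid": 10, "vid": 100, "vlan_id": 1, "vlan_name": "LAN1"},
    {"swid": 10, "vid": 101, "vlan_id": 1, "vlan_name": "LAN1"},
]
CONFIG = {"lan_by_switch_location": True}   # the config-table flag named above

def vlan_by_switch_location(swid, vid, rows=VLANSWITCH, config=CONFIG):
    """The lookup the text describes for Ports.vlanBySwitchLocation():
    the switch-local vlan_name for (swid, vid), or None when the feature
    is disabled or no exception row exists."""
    if not config.get("lan_by_switch_location"):
        return None
    for row in rows:
        if row["swid"] == swid and row["vid"] == vid:
            return row["vlan_name"]
    return None

def resolve_vlan(swid, vid, rows=VLANSWITCH, config=CONFIG):
    """VLAN name to answer the VMPS request with: the switch-local
    exception if there is one, otherwise the global name from the vlan table."""
    local = vlan_by_switch_location(swid, vid, rows, config)
    return local if local is not None else VLAN[vid]

def conflicting_exceptions(rows):
    """(swid, vid) pairs mapped to more than one vlan_name. The table only
    has non-unique (MUL) keys, so nothing stops two contradictory rows and
    which one wins would depend on query order; flag them before they bite."""
    seen = {}
    for row in rows:
        seen.setdefault((row["swid"], row["vid"]), set()).add(row["vlan_name"])
    return sorted(key for key, names in seen.items() if len(names) > 1)

if __name__ == "__main__":
    for swid, vid in [(10, 100), (10, 101), (10, 102), (11, 100)]:
        print(swid, VLAN[vid], "->", resolve_vlan(swid, vid))
    print("conflicts:", conflicting_exceptions(VLANSWITCH))
```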
Comments/ideas are welcome.
FreeNAC attributes VLANs depending on a vlan value stored for that device.
There is also the "Vlan exception" feature, which allows the attributed VLAN to be changed depending on the switch location (see also the method Ports->getPortDefaultVlan()). However, if there are many "exceptions", i.e. many switches which do not have all VLANs, or VLANs with different names, it can be difficult to manage.
There are sites that just need to attribute two VLANs, allowed or denied. In this case it is overkill to have a VLAN per end-device; it would be simpler to just attribute a VLAN per switch.
Let's say there is a VLAN "Internal" on all switches, but with different numbers. There is also a VLAN "Guest".
That's the concept. For the implementation, a vlan_id field has been added to the v3.0 DB schema. The Windows GUI (build 164) can modify that column. A method getSwitchVlan has been added to the sample policies in v3.0.1.
[sb, 22nd Dec'07]
1. Two hosts (Mac address/Vlan pairs) were configured as being allowed in the VMPS database. When either of the allowed hosts were plugged into the switch, a VMPS request was generated and the server replies allowing the connection. No log messages are generated by the Switch.
2. Unplugging a PC causes no VMPS activity.
3. If a PC is connected with a MAC address that is not allowed, the switch logs an error and refuses access to the network:
DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1
Optionally, the server can tell the switch to shutdown the port, in which case it must be manually enabled again (this “secure” mode is perhaps useful for switches in physically exposed places).
4. If the primary VMPS does not reply, the switch retries with the secondary.
5. The switch tries to contact a server 3 times by default, before stopping. This value can be programmed on the switch (to a maximum of 10); on CatOS:
set vmps server retry XX, on IOS: vmps retry XX
6. Reconfirmation:
The switch reconfirms whether the port is authorised (by default every 60 minutes; CatOS: set vmps server reconfirminterval XX, IOS in 'conf t' mode: vmps reconfirm XX).
If a host was previously enabled and the VMPS server was updated to disable this host, then this will be noticed by the switch on the next reconfirmation interval. On reconfirmation it blocks the ports and logs an appropriate message: "DVLAN-1-DENYHOST:Host 00-03-ba-27-54-9b denied on port 2/1"
If the primary and secondary are not available, the switch logs an error, but does not disconnect the PC/port (this is important to prevent cascaded network failures): "DVLAN-2-MACNOTRECONFIRMED:Mac [00-03-ba-27-54-9b] is not reconfirmed"
If the switch cannot contact a VMPS server, show vmps (IOS: sho vmps stat) displays No Host but does not log a message. It also shows the time of the last reconfirmation and the IP address of the server last accessed:
VMPS Action: No Host
VMPS Last Accessed: 192.168.245.19
Last Reconfirmation: Fri Sep 10 2004, 08:30:02
Reconfirmation can be manually activated on the switch (CatOS: reconfirm vmps; IOS: vmps reconfirm). During the reconfirmation, show vmps shows a status of "In Progress" and then "Success", with the timestamp of the last reconfirmation updated.
To clear vmps statistics (IOS): clear vmps status
7. If two PCs define their MAC address to the same value then the switch authenticates on each packet, thus some packets are allowed from each PC. This would cause disruption to both PCs. It is not noted as an error by the switch, but can be detected by analysing the logs for frequent authentication of a specific MAC address within a short period of time.
8. If two PCs are connected to a hub (or unmanaged switch), which is connected to one (vmps) Switch port, then:
• If both PCs are authorised on the same VLAN they can both communicate.
• If only one is authorised, the traffic from the second is blocked. The authorised PC continues to work fine.
• If both are authorised, but in different VLANs, the switch changes the port constantly between the two VLANs, causing havoc: some packets pass from each machine. No errors are logged by the switch or VMPS server, since the authentications are successful. To detect this scenario, monitoring would have to detect a VMPS "authentication storm" from one port and notify the network administrator.
9. If a PC is disabled in the VMPS database, and VMPS is restarted, there is no immediate effect. The PC continues to have access until the cable is added/removed or, the next VMPS reconfirmation (every 60 minutes).
10. If a PC’s MAC is added to the VMPS database, and VMPS is restarted, there is no immediate effect. The PC continues to be forced to the defaultvlan until the cable is added/removed or, the next VMPS reconfirmation (every 60 minutes).
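Detection logic for points 7 and 8 above (a duplicated MAC re-authenticating on different ports, and a hub port flapping between VLANs), plus the point-6 caveat that MACNOTRECONFIRMED is a server-availability problem rather than a host problem. This is an added example, not part of the original notes: the switch lines follow the DVLAN-1-DENYHOST / DVLAN-2-MACNOTRECONFIRMED messages quoted above, while the 'vmps[...]: request ...' line format and all sample MACs, ports and timestamps are constructed assumptions standing in for the VMPS server's own log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (see lead-in); 'request' lines are an assumed
# format for one line per VMPS query the server answers.
SAMPLE_LOG = """\
Sep 10 08:30:00 nac vmps[310]: request mac=00-03-ba-27-54-9b port=2/1 switch=sw101 vlan=OfficeLAN
Sep 10 08:30:02 nac vmps[310]: request mac=00-03-ba-27-54-9b port=2/7 switch=sw101 vlan=OfficeLAN
Sep 10 08:30:03 nac vmps[310]: request mac=00-03-ba-27-54-9b port=2/1 switch=sw101 vlan=OfficeLAN
Sep 10 08:31:00 nac vmps[310]: request mac=00-11-22-33-44-55 port=3/4 switch=sw101 vlan=OfficeLAN
Sep 10 08:31:01 nac vmps[310]: request mac=00-66-77-88-99-aa port=3/4 switch=sw101 vlan=PrinterLAN
Sep 10 08:31:02 nac vmps[310]: request mac=00-11-22-33-44-55 port=3/4 switch=sw101 vlan=OfficeLAN
Sep 10 08:45:00 sw101 DVLAN-1-DENYHOST:Host 00-de-ad-be-ef-01 denied on port 2/9
Sep 10 09:30:00 sw101 DVLAN-2-MACNOTRECONFIRMED:Mac [00-03-ba-27-54-9b] is not reconfirmed
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
PATTERNS = {
    "request": re.compile(TS + r" \S+ vmps\[\d+\]: request mac=(?P<mac>\S+) port=(?P<port>\S+)"
                               r" switch=(?P<switch>\S+) vlan=(?P<vlan>\S+)$"),
    "deny": re.compile(TS + r" (?P<switch>\S+) DVLAN-1-DENYHOST:Host (?P<mac>\S+) denied on port (?P<port>\S+)$"),
    "notreconfirmed": re.compile(TS + r" (?P<switch>\S+) DVLAN-2-MACNOTRECONFIRMED:Mac \[(?P<mac>\S+)\] is not reconfirmed$"),
}

def parse(text):
    """Turn log lines into event dicts; lines matching no pattern are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                ev = dict(m.groupdict(), kind=kind)
                ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
                events.append(ev)
                break
    return events

def _bursts(events, key, window, threshold):
    """Keys with >= threshold VMPS requests inside any window of `window` seconds."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "request":
            by_key[key(e)].append(e)
    hits = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        if any((evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds() <= window
               for i in range(len(evs) - threshold + 1)):
            hits[k] = evs
    return hits

def duplicate_mac_suspects(events, window=60, threshold=3):
    """Point 7: one MAC authenticated repeatedly in a short period. The set
    of ports shows where the two hosts claiming that MAC are plugged in."""
    return {mac: sorted({e["port"] for e in evs})
            for mac, evs in _bursts(events, lambda e: e["mac"], window, threshold).items()}

def port_storms(events, window=60, threshold=3):
    """Point 8, third case: one port flapping between different MACs that
    land in different VLANs. Keyed by (switch, port)."""
    storms = {}
    for port, evs in _bursts(events, lambda e: (e["switch"], e["port"]), window, threshold).items():
        macs, vlans = {e["mac"] for e in evs}, {e["vlan"] for e in evs}
        if len(macs) > 1 and len(vlans) > 1:
            storms[port] = sorted(vlans)
    return storms

def server_unreachable(events):
    """MACNOTRECONFIRMED means neither VMPS answered; the port stays up, so
    this is a server-availability alert, not a host problem."""
    return sorted({e["mac"] for e in events if e["kind"] == "notreconfirmed"})
```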
Several “VMWARE” virtual machines were running on the network, each looking like a real PC, with its own address. This usage is not really a risk; it allows tests to be conducted on virtual machines, but does confuse network management.
Some laptops have a docking station, which has a different MAC address from the built-in laptop MAC address.
Several users used wireless rather than the fixed LAN.
User acceptance was high (all problems were solved quickly).
A change/authorisation/expiry process needs to be developed/written and adhered to. What happens when a user leaves and a new user comes, taking over an already authorised PC?
There is no noticeable delay when using the network.
If a user is refused access, and then added to the VMPS DB to allow access, he must either wait one hour or re-authenticate. To re-authenticate, there are several options:
• disable and re-enable the network connection in the connections control panel (this is the quickest method)
• unplug/plug in his network cable; it takes some time for Windows to realize it is on another network
• click on the network icon -> support -> "repair": it first tries to release its old address, but can't as the DHCP server is no longer reachable; this may take 5 minutes
The Windows Server Update Services
Program file headers:
/**
* filename.php
*
* Long description for file:
* Some words about the functionality the file provides, its dependencies and so on
*
* PHP version 5
*
* LICENSE: This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as published
* by the Free Software Foundation.
*
* @package FreeNAC
* @author XX (FreeNAC Core Team)
* @copyright 2007 FreeNAC
* @license http://www.gnu.org/copyleft/gpl.html GNU Public License Version 2
* @version SVN: $Id$
* @link http://freenac.net
*
*/
Other coding conventions:
The latest release of the VM (3.02) has Ubuntu 8.04 (Hardy Heron) as its base OS.
The FreeRadius package provided for this version of Ubuntu is still broken when using perl, so this VM has FreeRadius and perl compiled from source; this way it is possible to use the rad2vmps module to provide 802.1x authentication in conjunction with FreeNAC.
Other issues to have in mind:
Have you found any more issues? Please report them in the forums or post a comment to this page.
This page is used as a sort of bug tracking system for known issues, next fixes, what is done etc. for the new WebGUI to be released with v3.0.2 (9.May'08: to be released in the next week). The new version is a complete re-write; see README.webnew for a description and CHANGES for progress.
If you want to have something moved up to priority, or submit a new entry, please use the Support forum, or better, post comments below.
- Aside from these notes, see the svn (subversion) changelog in the v3 branch, CHANGES in the web directory and README.webnew.
Add MAC Vendor column to unknowns.php
I can only delete a record (using the "delete" option to the left) if I first "edit" a record. It can be any record in any query. If the first thing I try to do is delete a record I get "Invalid Argument".
"/etc/logrotate.d/syslog-ng" not setting permissions correctly
ls -al /var/log/messages
-rw-r----- 1 root adm 24550093 2008-02-26 06:53 /var/log/messages
(Adapt the syslog-ng config file, or set a cron entry after log rotation: 'chgrp freenac /var/log/messages /var/log/debug'.)
See also the forum thread http://freenac.net/phpBB2/viewtopic.php?p=1348
Fix used id=2 Edit device: restart port option
Port comments containing "<>" are stripped and not visible in the WebGUI.
Security: escaping of output.
Add helpdesk role.
This page is used as a sort of bug tracking system for known issues, next fixes, what is done etc. for the Windows FreeNAC GUI. It tracks changes since v3.0. Bugzilla is not used because it is considered slow and clunky. We may use Trac later, but for now...
If you want to have something moved up to priority, or submit a new entry, please use the Support forum, or the comments below.
See the CHANGELOG file in the repository directory where vmps.exe and vmps.xml are stored, e.g.
http://opennac.svn.sourceforge.net/viewvc/opennac/branches/3.0/WindowsGUI/CHANGELOG.txt?view=markup
To do: start off by providing links to the current relevant FreeNAC docs, to the Uni Hannover papers, and to the current diagrams and brainstorm ideas we documented...
TCG:
https://www.trustedcomputinggroup.org/groups/network/
Hannover:
http://www.inform.fh-hannover.de/de/forschung/forschungsprojekte/tnc/
Microsoft links (where are the API definitions etc.?):
http://www.microsoft.com/presspass/press/2007/may07/05-21NAPTNCPR.mspx
https://www.trustedcomputinggroup.org/news/Industry_Data/TNC_NAP_white_p...
This section contains diverse notes & links. It's a good place to paste summaries of forum discussions, for example.
Some users have used WoL (see http://freenac.net/phpBB2/viewtopic.php?t=78& ), but a request to Cisco explained the following.
WoL and Dynamic VLANs are not compatible because when the PC is shut down, the NIC will be powered down for a split second. This causes the switch to detect the link-down event and to un-assign the port. When the NIC comes back online, the port does not belong to any VLAN and since no frames are received by the port, it would never initiate VMPS queries or forward broadcast/multicast to the device connected to it.
You can verify this in the logs of the switch: connect a computer to one port of the switch, shut down the computer, and you will see a log message on the switch showing that the port went down and then back up. Make sure to enable the link-status log on the interface for the switch to show when it goes up/down; the command to enable it is "logging event link-status" and it is applied in the interface configuration.
Through the use of snmp_scan.php we can document the systems which are on a switch and how the port has been configured (static, dynamic, trunk). If a device is on a static port, snmp_scan will document it as an unmanaged system. This system is supposed to always use the same port and therefore the same vlan.
But what happens when we move an unmanaged system to a dynamic port?
When such a case arises, the device is not connected to the network. In the FreeNAC server we don't see any requests coming when we plug the unmanaged device into the dynamic port. On the switch we see that the port goes down and up, but it doesn't generate a VMPS request. So far we can say that "Nothing happens" which is odd, but it is what we've gotten. More tests need to be carried out.
These tests were carried out using a Cisco Catalyst 2940 switch and a Linux machine.
Another experimental feature which we are not going to implement is the following:
When we have FreeRadius using the rad2vmps script, we wanted to know if it was possible to somehow pass user information contained in a RADIUS request to the FreeNAC database, using the field "VTP domain" which is part of any VMPS request.
In tests performed, we were able to get the username from the VTP domain, but we wanted to gather more information, such as:
Since the VTP domain only has space to hold 33 characters, this solution is neither practical, nor elegant, nor adequate.