Policies: testing
Introduction
The aim of this page is to show an example policy and how to verify that such a policy behaves as expected.
The example should help in reading log entries, in planning tests before going into production, and in troubleshooting vmpsd_external when it does not behave as you expect.
These examples cover FreeNAC v3.0 (in beta in October 2007). Advanced policy features such as patch or anti-virus status (the Wsus, EPO or MS-SMS modules) are not yet covered here.
Policy
This test set uses the sample policy below. The policy is a PHP program designed to be easy to read. In this example:
- Expired or 'killed' hosts are either denied or put in the killed vlan (vlan_for_killed).
- Normal (active) hosts are assigned the vlan recorded in their host record, unless an exception for the switch location overrides it.
- Unmanaged hosts are only logged (with a LOG_WARNING syslog message) and then follow the port/global vlan defaults, exactly like unknown hosts.
- Unknown and unmanaged devices that are recognised as VMs get the vlan of the host previously authenticated on that port.
- Finally, unknown systems are assigned the port default vlan, or else the global default vlan, or are denied if neither default exists.
In the policy program below, $REQUEST->host is the end device requesting access to the network, $REQUEST->switch_port is the switch port this end device is connected to, and $REQUEST->conf is the global configuration of the entire system. ALLOW() and DENY() end policy evaluation, so the order of the checks matters: once a decision has been made, nothing below it runs, and the final DENY is only reached when no earlier rule decided.
This is the policy used to create this test set.
if ($REQUEST->host->isExpired() || $REQUEST->host->isKilled())
{
    if ($REQUEST->conf->vlan_for_killed)
    {
        $this->logger->logit("Killed or expired system {$REQUEST->host->getMAC()}({$REQUEST->host->getHostName()}) on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()}. Assigning vlan ".vlanId2Name($REQUEST->conf->vlan_for_killed));
        ALLOW($REQUEST->conf->vlan_for_killed);
    }
    else
    {
        DENY("Expired or killed system and no vlan_for_killed defined");
    }
}
# ALLOW() and DENY() end the evaluation, so only live (not expired or killed) hosts get past this point
if ($REQUEST->host->isActive())
{
    if ($vlan=$REQUEST->switch_port->vlanBySwitchLocation())
    {
        $this->logger->logit("Exception. Assigning vlan by switch location");
        ALLOW($vlan);
    }
    else
    {
        ALLOW($REQUEST->host->getVlanId());
    }
}
else if ($REQUEST->host->isUnManaged())
{
    # Same as "unknown": fall through to the defaults below, but raise a warning
    $this->logger->logit("Unmanaged device {$REQUEST->host->getMAC()}({$REQUEST->host->getHostName()}) on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()}",LOG_WARNING);
}
# UNKNOWN AND UNMANAGED SYSTEMS
# Check for VMs: special case, use the vlan of the VM host previously authenticated on this port
if ($REQUEST->host->isVM())
{
    if ($vlan=$REQUEST->switch_port->getVMVlan())
    {
        $this->logger->logit("Device {$REQUEST->host->getMAC()} on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()} is a VM. Assigning vlan of previous authenticated host");
        ALLOW($vlan); # vlan taken from the host device on this port
    }
}
# Port has a default vlan
if ($vlan=$REQUEST->switch_port->getPortDefaultVlan())
{
    $this->logger->logit("Device {$REQUEST->host->getMAC()} on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()} is unknown or unmanaged. Assigning port default vlan");
    ALLOW($vlan); # vlan taken from the port's own default
}
else if ($REQUEST->conf->default_vlan)
{
    $this->logger->logit("Device {$REQUEST->host->getMAC()} on port {$REQUEST->switch_port->getPortInfo()}, switch {$REQUEST->switch_port->getSwitchInfo()} is unknown or unmanaged. Assigning global default vlan");
    ALLOW($REQUEST->conf->default_vlan);
}
# Default policy: fail closed when nothing above decided
DENY('Default policy reached. Unknown or unmanaged device and no default_vlan specified');
Results
We now run through every case defined in this policy, showing only the output from vmpsd_external together with the vmpsd decision line. Each case was run twice: once with normal logging, and once with the debug level set to 2, which additionally logs the policy's function calls and their results.
Killed or expired devices
a) Normal logging when vlan_for_killed has been defined
Oct 2 23:59:32 freenac vmpsd_external.php[30938]: Killed or expired system 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch). Assigning vlan DevZone_203
Oct 2 23:59:32 freenac vmpsd: ALLOW: 00b0d00c64b2 -> DevZone_203, switch 192.168.254.26 port Fa0/2 <<
b) Detailed logging when vlan_for_killed has been defined
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: ----------------------------
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug2: EndDevice->isExpired() = 1
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Killed or expired system 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch). Assigning vlan DevZone_203
Oct 3 00:00:42 freenac vmpsd: ALLOW: 00b0d00c64b2 -> DevZone_203, switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: ALLOW DevZone_203 (at vmpsd_external.php:150)
Oct 3 00:00:42 freenac vmpsd_external.php[31633]: Debug1: ----------------------------
c) Detailed logging when vlan_for_killed hasn't been defined.
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: ----------------------------
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug2: EndDevice->isExpired() = 1
Oct 3 00:05:51 freenac vmpsd: DENY: 00b0d00c64b2 -> , switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: DENY: Expired or killed system and no vlan_for_killed defined (at vmpsd_external.php:148)
Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: ----------------------------
Active systems
a) Normal logging
Oct 3 00:12:53 freenac vmpsd: ALLOW: 00b0d00c64b2 -> WorkZone_202, switch 192.168.254.26 port Fa0/2 <<
b) Detailed logging
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: ----------------------------
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->isExpired() =
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->isKilled() =
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->isActive() = 1
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: Port->vlanBySwitchLocation() =
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug2: EndDevice->getVlanId() = 5
Oct 3 00:13:59 freenac vmpsd: ALLOW: 00b0d00c64b2 -> WorkZone_202, switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: ALLOW WorkZone_202 (at vmpsd_external.php:150)
Oct 3 00:13:59 freenac vmpsd_external.php[31853]: Debug1: ----------------------------
c) Detailed logging when we assign a Vlan by switch location
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: ----------------------------
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: EndDevice->isExpired() =
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: EndDevice->isKilled() =
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: EndDevice->isActive() = 1
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug2: Port->vlanBySwitchLocation() = 13
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Exception. Assigning vlan by switch location
Oct 3 00:29:36 freenac vmpsd: ALLOW: 00b0d00c64b2 -> GuardLink_198, switch 192.168.254.26 port Fa0/2 <<
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: ALLOW GuardLink_198 (at vmpsd_external.php:150)
Oct 3 00:29:36 freenac vmpsd_external.php[32073]: Debug1: ----------------------------
Unmanaged systems
In this example policy, unmanaged systems are treated the same as unknown systems. The only difference is that the policy generates a LOG_WARNING syslog message for an unmanaged device:
Oct 3 00:32:15 freenac vmpsd_external.php[32073]: Unmanaged device 00b0.d00c.64b2(test_device) on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch)
For the possible results, see the 'Unknown systems' cases below.
Unknown systems with a port default vlan
a) Normal logging
Oct 2 23:59:32 freenac vmpsd_external.php[30883]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning port default vlan
Oct 2 23:37:33 freenac vmpsd: ALLOW: 0123456789ab -> External, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:37:33 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:37:33 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)
b) Detailed logging
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ----------------------------
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isExpired() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isKilled() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isActive() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isUnManaged() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isVM() =
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: Port->getPortDefaultVlan() = 11
Oct 2 23:59:32 freenac vmpsd_external.php[31258]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning port default vlan
Oct 2 23:39:44 freenac vmpsd: ALLOW: 0123456789ab -> External, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ALLOW External (at vmpsd_external.php:150)
Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ----------------------------
Oct 2 23:39:45 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:39:45 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)
Unknown systems with no port default vlan but with global default vlan
a) Normal logging
Oct 2 23:59:32 freenac vmpsd_external.php[31258]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning global default vlan
Oct 2 23:44:04 freenac vmpsd: ALLOW: 0123456789ab -> SecOps_206, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:44:05 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:44:05 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)
b) Detailed logging
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: ----------------------------
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isExpired() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isKilled() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isActive() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isUnManaged() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: EndDevice->isVM() =
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug2: Port->getPortDefaultVlan() = 0
Oct 2 23:59:32 freenac vmpsd_external.php[31340]: Device 0123.4567.89ab on port Fa0/2, switch 192.168.254.26 (sw26: Backup switch) is unknown or unmanaged. Assigning global default vlan
Oct 2 23:44:49 freenac vmpsd: ALLOW: 0123456789ab -> SecOps_206, switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: ALLOW SecOps_206 (at vmpsd_external.php:150)
Oct 2 23:44:49 freenac vmpsd_external.php[31340]: Debug1: ----------------------------
Oct 2 23:44:50 freenac postconnect.php[30883]: NAC alert (Bloggs) port Fa0/2
Oct 2 23:44:50 freenac postconnect.php[30883]: New unknown 0123.4567.89ab(), switch 192.168.254.26 (sw26: Backup switch) Patch: (Bloggs)
Unknown systems with no port default vlan and no global default vlan defined
a) Detailed logging
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: ----------------------------
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 0123.4567.89ab
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isExpired() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isKilled() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isActive() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isUnManaged() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: EndDevice->isVM() =
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug2: Port->getPortDefaultVlan() = 0
Oct 2 23:53:31 freenac vmpsd: DENY: 0123456789ab -> , switch 192.168.254.26 port Fa0/2 <<
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: DENY: Default policy reached. Unknown or unmanaged device and no default_vlan specified (at vmpsd_external.php:148)
Oct 2 23:53:31 freenac vmpsd_external.php[31480]: Debug1: ----------------------------
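Checking runs like the ones above by eye does not scale once the policy grows, so here is an added example (not FreeNAC code) in Python that does it mechanically: it parses the vmpsd ALLOW/DENY line and the vmpsd_external Debug1/Debug2 lines in the formats shown on this page, and compares what was logged for a MAC with what the test plan expects (verdict, vlan name, DENY reason, and selected method results). Only the line formats come from the page; the function names, the Decision structure and the test-plan fields are this example's own assumptions, and the sample lines are copied from the killed-host and unknown-host runs above.

```python
"""Verify vmpsd / vmpsd_external syslog output against a policy test plan.

Added example, not FreeNAC code. Only the line formats are taken from the
logs on this page; parse_decisions()/verify() and the expected-result
fields are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# vmpsd decision line, e.g.
#   vmpsd: ALLOW: 00b0d00c64b2 -> DevZone_203, switch 192.168.254.26 port Fa0/2 <<
#   vmpsd: DENY: 0123456789ab -> , switch 192.168.254.26 port Fa0/2 <<
DECISION_RE = re.compile(
    r"vmpsd: (?P<verdict>ALLOW|DENY): (?P<mac>[0-9a-f]{12}) -> (?P<vlan>\S*), "
    r"switch (?P<switch>\S+) port (?P<port>\S+) <<"
)
# vmpsd_external debug level 2: a policy method call and its result
# ("EndDevice->isExpired() = 1"; an empty/false result is logged as "... =")
CALL_RE = re.compile(r"Debug2: (?P<call>\w+->\w+\(\)) = ?(?P<value>.*)$")
# vmpsd_external debug level 1: the reason string passed to DENY()
REASON_RE = re.compile(r"Debug1: DENY: (?P<reason>.*) \(at ")


@dataclass
class Decision:
    verdict: str
    mac: str
    vlan: str                 # '' on DENY
    switch: str
    port: str
    reason: str = ""          # DENY reason, logged just after the vmpsd line
    calls: dict = field(default_factory=dict)  # method -> result from Debug2 lines


def mac12(mac: str) -> str:
    """Normalise 00b0.d00c.64b2 (policy log form) to 00b0d00c64b2 (vmpsd form)."""
    return re.sub(r"[.:-]", "", mac).lower()


def parse_decisions(lines):
    """Return one Decision per vmpsd ALLOW/DENY line, in log order.

    Debug2 call lines seen since the previous decision belong to the next one;
    the Debug1 DENY reason follows its vmpsd line, so it is attached to the last one.
    """
    decisions, calls = [], {}
    for line in lines:
        if m := CALL_RE.search(line):
            calls[m["call"]] = m["value"].strip()
        elif m := DECISION_RE.search(line):
            decisions.append(Decision(m["verdict"], m["mac"], m["vlan"],
                                      m["switch"], m["port"], calls=calls))
            calls = {}
        elif (m := REASON_RE.search(line)) and decisions:
            decisions[-1].reason = m["reason"]
    return decisions


def verify(lines, mac, verdict, vlan="", reason="", calls=None):
    """Compare the last decision logged for `mac` with the expected outcome.

    Returns a list of mismatches; an empty list means the run matched the plan.
    """
    mac = mac12(mac)
    seen = [d for d in parse_decisions(lines) if d.mac == mac]
    if not seen:
        return [f"no vmpsd decision logged for {mac}"]
    d = seen[-1]
    problems = []
    if d.verdict != verdict:
        problems.append(f"verdict {d.verdict}, expected {verdict}")
    if d.vlan != vlan:
        problems.append(f"vlan {d.vlan!r}, expected {vlan!r}")
    if d.verdict == "ALLOW" and not d.vlan:
        problems.append("ALLOW logged without a vlan name")   # a fail-open symptom
    if reason and d.reason != reason:
        problems.append(f"deny reason {d.reason!r}, expected {reason!r}")
    for call, value in (calls or {}).items():
        if d.calls.get(call) != value:
            problems.append(f"{call} = {d.calls.get(call)!r}, expected {value!r}")
    return problems


# Sample input: lines copied from the killed-host (no vlan_for_killed) and
# unknown-host (port default vlan) debug runs shown on this page.
KILLED_NO_VLAN = [
    "Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: domain 192.168.254.26 Fa0/2 ServerZone_201 00b0.d00c.64b2",
    "Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug2: EndDevice->isExpired() = 1",
    "Oct 3 00:05:51 freenac vmpsd: DENY: 00b0d00c64b2 -> , switch 192.168.254.26 port Fa0/2 <<",
    "Oct 3 00:05:51 freenac vmpsd_external.php[31721]: Debug1: DENY: Expired or killed system and no vlan_for_killed defined (at vmpsd_external.php:148)",
]
UNKNOWN_PORT_DEFAULT = [
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isExpired() =",
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isKilled() =",
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isActive() =",
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isUnManaged() =",
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: EndDevice->isVM() =",
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug2: Port->getPortDefaultVlan() = 11",
    "Oct 2 23:39:44 freenac vmpsd: ALLOW: 0123456789ab -> External, switch 192.168.254.26 port Fa0/2 <<",
    "Oct 2 23:39:44 freenac vmpsd_external.php[31258]: Debug1: ALLOW External (at vmpsd_external.php:150)",
]
```

Usage: feed the syslog lines of one test run (for example `open('/var/log/messages').readlines()` filtered to the run's timestamps) to `verify()` together with the expected outcome, e.g. `verify(KILLED_NO_VLAN, "00b0.d00c.64b2", "DENY", reason="Expired or killed system and no vlan_for_killed defined", calls={"EndDevice->isExpired()": "1"})` returns `[]`, while asking the same run for an ALLOW returns a list naming each mismatch. Passing the Debug2 results you expect (such as `Port->getPortDefaultVlan()` being `0` before the global default is used) pins down not just the decision but the path the policy took to reach it, which is what you need when reordering rules before going into production.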