/opt/nac/bin/vmpsd_external

Long description for file: FUNCTION: "external" program called by the vmps daemon "vmpsd". This program decides what to do, in real time, when access is requested by a Switch for a MAC address. Since its is real time perfomance is important, so some jobs such as document what was last seen, where, or recognising Infnet PCs, is done in the vmps_lastseen script, which is not real time.

• If the MAC is active in the DB authorise it.
• If the mac is active on a port where another system has been active withein the last hour, try to use the vlan last seen on the port, nut the vlan assigned to this system. This is to detect hubs and prevent .flapping.. This feature is only allowed if the vlan on the port and assigned to the MAC are in the same vlan group (otherwise the new MAC is denied)
• If the MAC is unknown, check to see if a default vlan has been configured for that port and use it, otherwise use the default vlan.
• Log decisions to syslog, and key events to DB (visible in the GUI).

program input: <domain> <switch ip> <port> <lastvlan> <mac address> program output ALLOW <vlan name> DENY SHUTDOWN DOMAIN

Important: this script writes to stdout and is captured by vmpsd. So send debugging output to syslog, not stdout. Or just start directly from the commandline to check for classical PHP syntax problems. Do not log to the DB either (with log2db()), because this program can also run on a secondary and should NOT write to any other tables than vmpsauth, which is not replicated.

LICENSE: This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation.

• author: Thomas Seiler (Contributer)
• author: Sean Boran (FreeNAC Core Team)
• author: Hector Ortiz (FreeNAC Core Team)
• version: SVN: $Id$
• copyright: 2006 FreeNAC
• link: http://www.freenac.net
• filesource: Source Code for this file
• license: GNU Public License Version 2