27 November 2016

BGP Tips

Collection of BGP Tips and Tricks

BGP Error Handling;
BFD - http://wiki.nil.com/Bidirectional_Forwarding_Detection_(BFD)
(BFD only helps if the ISP runs it on its side of the link as well; agree the timers with them.)

  interface <uplink>
    bfd interval <timer> min_rx <timer> multiplier <n>
  !
  router bgp 65000
    neighbor <ip> remote-as <ISP-AS>
    neighbor <ip> fall-over bfd


Fast External Neighbour Failover (beware 0/0) - http://wiki.nil.com/Fast_BGP_neighbor_loss_detection
  interface <uplink>
    ip bgp fast-external-fallover permit

    - In networks using summary routes or default routing, you have to configure a route-map that matches the potential BGP next hops, to prevent the router from using a default route or a summary route as a valid path toward the BGP neighbour's peer IP!

BGP Next-Hop Tracking (beware 0/0)
    - BGP next-hop tracking is enabled by default on Cisco IOS; adjust the tracking interval with the "bgp nexthop trigger delay" router configuration command.
    - In environments using default routing, limit the prefixes that count as valid next hops with the "bgp nexthop route-map" router configuration command.
    - Do not change the BGP next hop on IBGP updates, i.e. do not use the "next-hop-self" router configuration command; the external next hop has to stay visible so that the IGP can track it.
    - Advertise the IP subnets of the directly-connected links towards the ISPs into the IGP (example: OSPF redistribute connected).
    - Use a route-map to prevent the default route from being used as a valid path toward an external BGP next hop.

Pre-installing backup paths in the BGP RIB (BGP Best External) and FIB (PIC);
BGP best external paths
BGP Prefix Independent Convergence - http://blog.ipspace.net/2012/01/prefix-independent-convergence-pic.html

    - BGP PIC is a feature that allows a router to pre-install alternate routes to BGP destinations in its forwarding table. The sweeping changes caused by an external link failure or EBGP session failure are thus cheap to apply in the forwarding table, and the convergence time no longer grows with the number of affected prefixes.



It's impossible to document a generic, one-size-fits-all BGP prefix filtering policy. Accepting the prefixes originated by your ISPs, their customers and their peering partners is probably the best you can get, and even then you should filter heavily prepended AS paths. In most cases filters based on AS-path length work well (IOS also has "bgp maxas-limit" for a hard cap).


Some ISPs attach BGP communities to BGP prefixes they advertise to help their customers implement well-tuned filters (http://onesc.net/communities/).

    Any single AS (does not allow AS-path prepending);
ip as-path access-list 100 permit ^[0-9]+$

    One specific AS, optionally prepended (not always wise to accept highly padded paths);
ip as-path access-list 100 permit ^65001(_65001)*$

    Any single AS, optionally prepended (same caveat);
ip as-path access-list 100 permit ^([0-9]+)(_\1)*$

    Block routes with one AS repeated five or more times in a row;
ip as-path access-list 100 deny _([0-9]+)_\1_\1_\1_\1_

    Put the deny entry before the permits: the first matching entry wins, and the list ends with an implicit deny.

    You can use the show ip bgp regexp command to test a regular expression on the actual data stored in the BGP table
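As an added example (not from the original page), the Python below emulates "show ip bgp regexp" for the filters above. The only IOS-specific piece of syntax is the underscore, which matches a space, comma, brace, or the start or end of the path, so the harness rewrites it and then applies the as-path ACL entries in order (first match wins, implicit deny at the end). The sample AS paths are constructed for the demonstration.

```python
import re

# In IOS as-path regexps "_" matches a space, comma, brace, or the start/end of the path.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}])"


def ios_to_python(ios_regex: str) -> str:
    """Rewrite the IOS-specific '_' anchor; everything else is ordinary regex syntax."""
    return ios_regex.replace("_", IOS_UNDERSCORE)


def matches(ios_regex: str, as_path: str) -> bool:
    """Emulate 'show ip bgp regexp <regex>' for one AS path in IOS display form."""
    return re.search(ios_to_python(ios_regex), as_path) is not None


# The page's "ip as-path access-list 100" entries, in the order they must appear:
# the deny has to come before the permits because the first matching entry wins.
AS_PATH_ACL_100 = [
    ("deny",   r"_([0-9]+)_\1_\1_\1_\1_"),  # one AS repeated 5+ times in a row
    ("permit", r"^65001(_65001)*$"),         # customer AS 65001, prepending allowed
    ("permit", r"^[0-9]+$"),                 # any single AS, no prepending
]


def evaluate(as_path: str, acl=AS_PATH_ACL_100) -> str:
    """Return 'permit' or 'deny' for a path; an as-path ACL ends with an implicit deny."""
    for action, regex in acl:
        if matches(regex, as_path):
            return action
    return "deny"


def as_path_length(as_path: str) -> int:
    """AS-path length as 'bgp maxas-limit' counts it: an AS_SET {..} is one hop."""
    return len(as_path.split()) if as_path.strip() else 0


# Constructed sample paths (not from the page) with the action the ACL should give.
SAMPLE_PATHS = {
    "65001":                                    "permit",
    "65001 65001 65001":                        "permit",  # prepended, still allowed
    "65001 65001 65001 65001 65001":            "deny",    # 5x in a row: deny entry wins
    "3356":                                     "permit",  # any single AS
    "3356 1299":                                "deny",    # two hops: no entry matches
    "64512 65001 65001 65001 65001 65001 3356": "deny",    # padding in the middle of the path
    "":                                         "deny",    # locally originated, empty path
}


def check_samples() -> bool:
    """True when every constructed sample gets the expected action."""
    return all(evaluate(p) == want for p, want in SAMPLE_PATHS.items())


if __name__ == "__main__":
    for path, want in SAMPLE_PATHS.items():
        print(f"{path or '<empty>':45} -> {evaluate(path):6} (expected {want})")
```

Paste real paths from "show ip bgp" into SAMPLE_PATHS to check a filter before applying it to a live session; the translation is only needed because Python has no equivalent of the IOS underscore.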

Choosing iBGP OR eBGP?
There are numerous differences between EBGP and IBGP, and their nuances sometimes make it hard to decide which to use in a specific scenario.

However, the following guidelines usually result in simple and stable designs:
- If you plan to use BGP as the sole routing protocol in (a part of) your network, use EBGP.
- If you're using BGP in combination with another routing protocol that advertises reachability of the BGP next hops, use IBGP. You can also use IBGP between routers residing in a single subnet.
- It's easier to implement routing policies with EBGP. Large IBGP deployments need route reflectors for scalability, and some BGP implementations don't apply BGP routing policies on reflected routes.
- All routers in the same AS should have the same view of the network and the same routing policies.
- EBGP should be used between routers in different administrative (or trust) domains.
- The default loop-prevention filter built into BGP rejects EBGP updates that carry the local AS number in the AS path, which makes it impossible to pass routes between two remote sites that use the same AS number.

How to set BGP Local Preference and the OSPF metric / metric type of received routes according to the received community (note the opposite direction: when an IGP is redistributed into BGP, the IGP metric is copied into the BGP MED attribute)

Eg;
- EBGP routes with BGP community 65000:1 (backup route) get local preference 50 and are redistributed into OSPF as external type 2 routes with metric 10000.
- EBGP routes with BGP community 65000:2 (primary route) get local preference 150 and are redistributed into OSPF as external type 1 routes with metric 1.

Each community needs its own route-map sequence: two "match community" lines in one sequence are evaluated as a single clause, and a second "set local-preference" simply overwrites the first. "set metric-type" only takes effect on the route-map attached to the redistribution into OSPF, so the OSPF side gets its own route-map:

ip community-list 1 permit 65000:1
ip community-list 2 permit 65000:2
route-map Peer-R3 permit 10
 match community 1
 set local-preference 50
route-map Peer-R3 permit 20
 match community 2
 set local-preference 150
route-map BGP-to-OSPF permit 10
 match community 1
 set metric 10000
 set metric-type type-2
route-map BGP-to-OSPF permit 20
 match community 2
 set metric 1
 set metric-type type-1
router bgp 65000
 neighbor <R3-ip> route-map Peer-R3 in
router ospf 1
 redistribute bgp 65000 subnets route-map BGP-to-OSPF


References; IPSpace.net, Cisco's Running an IXP, myself

(To be finished)

19 November 2016

Working with Logical Volumes

  • Physical Volume = pv
  • Volume Group = vg
  • Logical Volume = lv

A Physical Volume is a physical disk or a partition on one.
Volume Groups are made up of one or more Physical Volumes.
Logical Volumes are created from a portion of a Volume Group.

LVM is like an abstraction layer for storage, between your OS and the physical drives.

All these commands are "root" commands, as they change system-wide storage configuration.

All the following verbs can be prefixed with pv, vg or lv (e.g. pvs, vgdisplay, lvcreate; not every prefix supports every verb):
s
display
create
rename
change
move
extend
reduce
resize
split
merge
convert
import
export
importclone
cfgbackup
cfgrestore
ck
scan
mknodes
remove
dump

E.g.
pvdisplay
pvs

Show Logical Volumes
lvdisplay
lvs


Setting up a new LVM
Setup Physical Disk(s)
fdisk -l
fdisk /dev/sdb

n  = create new partition
p  = create primary partition
1  = make it the first partition on the disk
t  = change partition type
8e = set the type to Linux LVM
p  = print the partition table to verify
w  = write changes to disk

Create "LVM Physical Volume" on the new partition
pvcreate /dev/sdb1

Create "Volume Group" named vgroup1 made up of "Physical Volume" /dev/sdb1
vgcreate vgroup1 /dev/sdb1

Create Logical Volume on VG vgroup1, of size 10GB, named lvm1
lvcreate -L 10G -n lvm1 vgroup1

Format the new volume
mkfs -t ext3 /dev/vgroup1/lvm1

Mount it
mkdir /mnt/lvm1
mount -t ext3 /dev/vgroup1/lvm1 /mnt/lvm1


Resizing LVMs

  • resize – can shrink or expand physical volumes and logical volumes but not volume groups
  • extend – can make volume groups and logical volumes bigger but not smaller
  • reduce – can make volume groups and logical volumes smaller but not bigger


Grow Logical Volume
Add a new drive to the Volume Group to increase the VG's free space (PVs are concatenated linearly with no redundancy: losing any one PV takes every LV that has extents on it down with it)
vgextend vgroup1 /dev/sdc1

Extend a Logical Volume within the VG (the + adds to the current size; without it -L sets the absolute size)
lvextend -L+100G /dev/vgroup1/lvm1

Extend the filesystem to fill the expanded Logical Volume (or pass -r to lvextend to have it run the filesystem resize for you)
resize2fs /dev/vgroup1/lvm1

Shrink Logical Volume
Shrinking is the growth procedure in reverse and is destructive if the order is wrong: unmount, run "e2fsck -f", shrink the filesystem first with "resize2fs <lv> <new-size>", then "lvreduce -L <new-size> <lv>" (or let "lvreduce -r" drive resize2fs for you), and finally "vgreduce" to drop a PV that is now unused. Never reduce the LV below the size of the filesystem on it.


Backup a Logical Volume Snapshot (online)
Create a snapshot LV of "lvm1" with the "-s" flag. The snapshot presents a frozen image of lvm1 as it was at that moment; blocks of lvm1 that are overwritten afterwards are first copied into the snapshot's space (copy-on-write), so its size only has to cover the amount of change expected while the backup runs. If it fills up, the snapshot becomes invalid and the backup must be repeated. Remove it once the backup has finished.
 lvcreate -L512M -s -n lvbackup /dev/vgroup1/lvm1

Mount the snapshot (read-only is enough for a backup)
mkdir /mnt/lvbackup
mount -o ro /dev/vgroup1/lvbackup /mnt/lvbackup

Copy the snapshot contents
  tar -cf /usbpath/lvm1-ss.tar -C /mnt/lvbackup .
Whilst the tar job is running, writes to lvm1 carry on as normal; the snapshot keeps the pre-write copies of the blocks they overwrite. Keep an eye on the snapshot's Data% in "lvs" to make sure it is not about to fill.

Clean up
umount /mnt/lvbackup
lvremove /dev/vgroup1/lvbackup

Delete Logical Volume, Volume Group and Physical Volume (in that order; each step destroys the data on it)
umount /mnt/lvm1
lvremove /dev/vgroup1/lvm1
vgremove vgroup1
pvremove /dev/sdb1 /dev/sdc1
 
  http://www.howtogeek.com/howto/40702/how-to-manage-and-use-lvm-logical-volume-management-in-ubuntu/



(To be finished)

6 November 2016

BGP Route Reflectors

NB; All Route Reflectors in an AS must peer with each other (normally as non-client iBGP peers in a full mesh) so that a route learned by one RR reaches the other RRs and their clients.

1) Routes from a nonclient peer—Reflects to all the clients within the cluster.
2) Routes from a client peer—Reflects to all the nonclient peers and also to the other client peers.
3) Routes from an eBGP peer—Sends the update to all client and nonclient peers (ordinary iBGP behaviour; no reflection attributes are added).

neighbor <ip> route-reflector-client

The router with this command is the RR, and the neighbors at which the command points are the clients of that RR. The combination of the RR and the clients is a "cluster".

An AS can have more than one RR (more than one cluster, e.g. large AS with RR's in different countries). In this situation, an RR treats other RRs just like any other iBGP speaker.

Other RRs can belong to the same cluster (client group) or to other clusters. In a simple configuration, you can divide the AS into multiple clusters. You configure each RR with other RRs as nonclient peers in a fully meshed topology (when each RR is in its own cluster). Clients should never peer with iBGP speakers outside the client cluster.


The RR scheme has a few methods to avoid loops:
1) 'originator-id' - This is an optional, nontransitive BGP attribute that is 4 bytes long. An RR creates this attribute. The attribute carries the router ID (RID) for the originator of the prefix in the local AS. If, due to poor configuration, the routing information comes back to the originator, the information is ignored.
2) 'cluster-list' - A single cluster can have more than one RR. You need to configure all RRs in the same cluster with a 4-byte cluster ID so that an RR can recognize updates from other RRs in the same cluster.

If a cluster of clients has a single RR, the router ID of the RR identifies the cluster.

A cluster list is a sequence of cluster IDs that the route has passed. When an RR reflects a route from the RR clients to nonclients outside of the cluster, the RR appends the local cluster ID to the cluster list. If this update has an empty cluster list, the RR creates one. With this attribute, an RR can identify if the routing information has looped back to the same cluster due to poor configuration. If the local cluster ID is found in the cluster list, the advertisement is ignored.
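To make the three reflection rules and the two loop checks concrete, here is an added Python model of a route reflector (not from the page, nor any vendor's code). Peer and cluster identifiers, the prefix and the topology in redundant_cluster_demo() are constructed: two RRs share cluster ID "1" and peer with each other as non-clients, so the copy that RR1 reflects to RR2 is dropped by RR2's cluster-list check, and the same route coming back to its originating client would be dropped by the originator-ID check.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Update:
    """The parts of an iBGP update that route reflection touches."""
    prefix: str
    originator_id: Optional[str] = None   # ORIGINATOR_ID: router ID of the iBGP originator, set by the first RR
    cluster_list: Tuple[str, ...] = ()    # CLUSTER_LIST: cluster IDs already traversed, newest first


def accept(local_router_id: str, local_cluster_id: str, u: Update) -> bool:
    """Loop checks applied to a received route (RFC 4456 section 8)."""
    if u.originator_id == local_router_id:   # our own route has come back to us
        return False
    if local_cluster_id in u.cluster_list:   # already reflected through our cluster
        return False
    return True


@dataclass
class RouteReflector:
    router_id: str
    clients: Set[str]                        # neighbors configured with route-reflector-client
    nonclients: Set[str]                     # ordinary iBGP peers, e.g. the other RRs
    ebgp: Set[str] = field(default_factory=set)
    cluster_id: Optional[str] = None         # defaults to the router ID (single-RR cluster)

    def __post_init__(self) -> None:
        if self.cluster_id is None:
            self.cluster_id = self.router_id

    def reflect(self, u: Update, from_peer: str) -> Dict[str, Update]:
        """Map each peer that should receive the update to the update it gets."""
        if not accept(self.router_id, self.cluster_id, u):
            return {}
        if from_peer in self.ebgp:
            # Rule 3: an eBGP route goes to every client and non-client as a plain iBGP update.
            return {p: u for p in self.clients | self.nonclients}
        if from_peer in self.clients:
            # Rule 2: a client's route goes to all non-clients and to the other clients.
            targets = (self.clients | self.nonclients) - {from_peer}
        elif from_peer in self.nonclients:
            # Rule 1: a non-client's route is reflected to clients only.
            targets = set(self.clients)
        else:
            raise ValueError(f"{from_peer} is not a peer of {self.router_id}")
        reflected = Update(
            prefix=u.prefix,
            originator_id=u.originator_id or from_peer,   # set only if not already present
            cluster_list=(self.cluster_id,) + u.cluster_list,
        )
        return {p: reflected for p in targets}


def redundant_cluster_demo() -> dict:
    """Two RRs in cluster "1", non-client peers of each other, serving the same two clients."""
    clients = {"10.0.0.1", "10.0.0.2"}
    rr1 = RouteReflector("10.0.0.11", clients, {"10.0.0.12"}, cluster_id="1")
    rr2 = RouteReflector("10.0.0.12", clients, {"10.0.0.11"}, cluster_id="1")
    route = Update("192.0.2.0/24")                       # constructed prefix from client 10.0.0.1
    from_rr1 = rr1.reflect(route, "10.0.0.1")
    # RR2 receives RR1's reflected copy from a non-client and must drop it:
    # the cluster list already carries cluster "1".
    at_rr2 = rr2.reflect(from_rr1["10.0.0.12"], "10.0.0.11")
    return {
        "rr1_targets": sorted(from_rr1),
        "originator": from_rr1["10.0.0.12"].originator_id,
        "cluster_list": from_rr1["10.0.0.12"].cluster_list,
        "rr2_dropped": at_rr2 == {},
        # Had a misconfiguration sent the route back to 10.0.0.1, the ORIGINATOR_ID check stops it.
        "originator_accepts_own_route": accept("10.0.0.1", "10.0.0.1", from_rr1["10.0.0.2"]),
    }


if __name__ == "__main__":
    for key, value in redundant_cluster_demo().items():
        print(f"{key}: {value}")
```

Give the two RRs different cluster IDs instead and RR2 will accept and re-reflect the copy to the clients; that is the "RRs as clients of each other" redundancy design, where only the ORIGINATOR_ID check and normal best-path selection keep things sane.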


Important Note: This configuration does not use peer groups. Do not use peer groups if the clients inside a cluster do not have direct iBGP peerings among one another and only exchange updates through the RR. If you configure peer groups, a potential withdrawal of the source of a route on the RR is transmitted to all clients inside the cluster, which can cause problems, i.e. withdrawals are tracked at the peer-group level and not per peer.

The router subcommand bgp client-to-client reflection is enabled by default on the RR. If you turn off BGP client-to-client reflection on the RR and you make redundant BGP peering between the clients, you can safely use peer groups. Refer to Limitations of Peer Groups for more information.

RR Node;

interface Loopback1
 ip address 10.10.10.10 255.255.255.255
!
router bgp 64512
 template peer-session RR
  remote-as 64512            <- iBGP: the remote AS is our own AS
  update-source Loopback1
 exit-peer-session
 template peer-policy RR
  route-reflector-client
 exit-peer-policy
 !
 neighbor 1.1.1.1 inherit peer-session RR
 neighbor 10.10.10.12 inherit peer-session RR
 !
 address-family ipv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 inherit peer-policy RR
  neighbor 10.10.10.12 activate
  neighbor 10.10.10.12 inherit peer-policy RR
 exit-address-family

The configuration on a BGP client is exactly the same as for a normal full-mesh peer. The route-reflector-client command on the RR is all that is required to change the rules of operation and implement the reflector function, and everything that comes with it.

To be finished..

15 October 2016

Linux Tips

Network Transfers
Copying a directory tree to another machine over ssh using stdin/stdout:
tar -cf - /backup/dir | ssh <remotehost> "cat > backupfile.tar"

LVM/Block devices (the target device must be at least as large as the source, and neither should be mounted):
dd if=/dev/blkdevice bs=4M | ssh <remotehost> dd of=/dev/blkdevice bs=4M

Without SSH (plaintext and unauthenticated: anyone on the path can read or alter the data, and the listener accepts the first connection from anyone, so only on a trusted network);
Receiver;
nc -l -p 5000 > /path/backupfile.tar      (OpenBSD netcat: nc -l 5000)
Sender;
tar -cf - /backup/dir | nc remotehost 5000




Disk Performance
Test disk read / write performance

hdparm -Tt /dev/sda

dd if=/dev/urandom of=/var/tmp/testout conv=fdatasync bs=8k count=10k; rm -f /var/tmp/testout
/dev/urandom is itself slow, so this measures the generator as much as the disk, but incompressible data gives a truer figure for SSDs that compress. If the disk is faster than urandom, pre-generate a file of random data in RAM (e.g. under /dev/shm) and copy that instead.

dd if=/dev/zero of=/var/tmp/testout conv=fdatasync bs=8k count=10k; rm -f /var/tmp/testout

Monitor disk read/write utilisation

sar -dp 1 3
iotop





Oracle Java.. (Replace OpenJDK)

Easy Method (third-party PPA whose installer fetches the Oracle binaries at install time, so you are trusting the PPA maintainer as well as Oracle)
cat > /etc/apt/sources.list.d/java-8-debian.list <<'EOF'
deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
EOF

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer
apt-get install oracle-java8-set-default

Manual method
apt-get purge 'openjdk*'

Download the JRE/JDK tarball onto the server and check it against the checksum Oracle publishes before unpacking
http://www.oracle.com/technetwork/java/javase/downloads/index.html

mkdir -p /usr/local/java

cp ./jdk-8u102-linux-x64.tar.gz /usr/local/java
cd /usr/local/java/
tar -zxvf jdk-8u102-linux-x64.tar.gz
chown -R root:root jdk1.8.0_102

Set JAVA_HOME and PATH for login shells. Use a quoted heredoc so the variables are written literally rather than expanded now (JAVA_HOME is not yet set in the running shell, so an unquoted echo would write an empty value):
cat >> ~/.profile <<'EOF'
export JAVA_HOME=/usr/local/java/jdk1.8.0_102
export PATH="$PATH:$HOME/bin:$JAVA_HOME/bin"
EOF
. ~/.profile

update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jdk1.8.0_102/bin/java" 1
update-alternatives --install "/usr/bin/javac" "javac" "/usr/local/java/jdk1.8.0_102/bin/javac" 1
update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/local/java/jdk1.8.0_102/bin/javaws" 1   <- NB; javaws does not exist in the server JRE package, skip it there

update-alternatives --set java /usr/local/java/jdk1.8.0_102/bin/java
update-alternatives --set javac /usr/local/java/jdk1.8.0_102/bin/javac
update-alternatives --set javaws /usr/local/java/jdk1.8.0_102/bin/javaws

Log out and back in (no reboot is needed), then verify with
java -version


Multiple Architectures (i386/i686 & amd64)
There is still a significant amount of software out there that is compiled only as 32-bit! :(
This means you need to install the 32-bit libraries onto your 64-bit kernel and OS.

Debian/Ubuntu;
dpkg --print-architecture
dpkg --print-foreign-architectures

If the second command prints nothing, enable multi-arch with;
dpkg --add-architecture i386
apt-get update





(To be finished)..


13 October 2016

HP Procurve 802.1X OpenLDAP and freeRADIUS - Dynamic VLANs

802.1X is one of those technologies you know you need, but the entry barrier can be quite high and RADIUS is anything but simple.

But once you have it working, the time it will save you in OpEx, and the number of security incidents it will prevent, make it a no-brainer.

802.1X works a lot better on many other switch vendors, but HP has a massive footprint in SMBs and remote offices, and those are the locations where you really need it.

802.1X can be deployed in a few different ways depending on what you want to do.
This guide covers setting up MAC-address authentication, so that the switch dynamically configures the access port with the correct tagged and untagged VLANs and port CoS priority based on the MAC address it receives.

Web/SSH client (user) authentication is not discussed here; the idea there is to authenticate the user, whereas MAC auth authenticates the hardware. If you want to get serious you can do both (recommended).

NB; A MAC address is trivially cloned (a pluggable USB or Thunderbolt NIC, or simply setting the address in the OS), so MAC-based auth is not a secure authentication method. It is still useful for managing VLAN assignment and for general port-level hygiene, as long as nothing sensitive is gated on it alone.


  • Provides a centralised MAC<->VLAN management (OpenLDAP).
  • Requires communication with central store via RADIUS (FreeRADIUS).
  • Utilises standards based RADIUS ‘auth’ and implements the standards based VLAN assignment policies.
  • RFC3580 for untagged VLAN assignment and RFC4675 for tagged VLAN assignment.
  • Supports per-port CoS assignment via LDAP for QoS (this guide uses the HP-COS vendor-specific attribute; RFC4675 defines the standard User-Priority-Table equivalent).
  • Supports many other features including configuring per-port ACLs and rate limiting.


Setup LDAP

LDAP is just one of many data storage back ends which RADIUS supports.


Install OpenLDAP;
aptitude install slapd ldap-utils

We are going to back up a production system and restore it into the lab for testing.

On the new server move the default /etc/ldap/slapd.d out of the way to /etc/ldap/slapd.d.orig

Copy the LDAP schemas, certs and slapd.conf (/etc/ldap/*) from the existing OpenLDAP server to the new one. NB; set ownership to root:openldap on the copied files, and keep the TLS private key readable by those two only.

On the existing LDAP server, dump a backup (the LDIF contains every password hash in the directory, so treat it like a credential file and delete it once imported);
slapcat > /tmp/my.ldif

On the new LDAP server (lab clone), import it with slapd stopped, then fix the ownership of the database files;
service slapd stop
slapadd -l /tmp/my.ldif
chown -R openldap:openldap /var/lib/ldap
service slapd start



Test the new LDAP server
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

  • You should now have a standalone Cloned Copy of the current LDAP tree
For production at least 2 LDAP servers need to be setup as replicated members of the existing LDAP infrastructure.

 



Setup RADIUS with LDAP

FreeRADIUS gives the switches a standardised AAA protocol and a single place to enforce policy; LDAP is just the back end, so we will later point RADIUS at LDAP and have RADIUS do nothing more than speak the auth protocols the switches understand. Note that classic RADIUS only obfuscates the User-Password attribute with the shared secret and the rest of the packet is cleartext, so keep RADIUS traffic on a management network and use long, per-client secrets. FreeRADIUS also has its own data stores (users file, SQL), but those are not recommended here unless you know what you are doing.

Install FreeRADIUS;
aptitude install freeradius
aptitude install freeradius-ldap

Configure OpenLDAP for FreeRADIUS;

Copy the default 'freeradius' LDAP schema into OpenLDAP for inclusion (it provides the RADIUS attributes for your LDAP objects);
cp /usr/share/doc/freeradius/examples/openldap.schema /etc/ldap/schema/radius-openldap.schema



Enable the new schema;
edit /etc/ldap/slapd.conf adding;
include /etc/ldap/schema/radius-openldap.schema

Now let's add some HP-specific attributes to the local LDAP schema with the correct data types, so that we can use tokens which fit HP's interpretation of the RFCs.

Ensure the attributes 'radiusHPCoS' and 'radiusMacAddress' are defined in the local.schema file and added to the MAY list of the object class your device entries use;
attributetype ( 1.3.6.1.4.1.37556.1.1.3.17 NAME 'radiusHPCoS'
       DESC '802.1p CoS mapping'
       EQUALITY integerMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.37556.1.1.3.16 NAME 'radiusMacAddress'
       DESC 'MAC Address'
       EQUALITY caseIgnoreIA5Match
       SUBSTR caseIgnoreIA5SubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
.
.
MAY ( radiusHPCoS $ radiusMacAddress $ …..

Notice that you need to add "radiusHPCoS $ radiusMacAddress $" to the existing MAY list, not replace the line starting MAY.

service slapd restart
You should now have an LDAP schema which can support many new RADIUS related attributes/properties which can be defined in the LDAP objects.

Configure FreeRADIUS;

Edit /etc/freeradius/modules/ldap and configure FreeRADIUS to connect to OpenLDAP on localhost (identity/password is the bind account FreeRADIUS uses; give it a read-only account rather than the directory root where you can)

ldap {
        server = "localhost"
        identity = "cn=root,dc=base,dc=runtime-collective,dc=com"
        password = <!LDAP Password!>
        basedn = "dc=base,dc=runtime-collective,dc=com"
        filter = "(radiusMacAddress=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"

        ldap_connections_number = 10
        ...
}

Remove the leftover packaged copy if present (FreeRADIUS loads every file in modules/, so a second ldap definition would clash);
rm /etc/freeradius/modules/ldap.dpkg-dist
NB; the "filter" statement makes the LDAP search look the 'User-Name' RADIUS attribute up against the new 'radiusMacAddress' LDAP attribute, so the device entry is found rather than a user.


Edit /etc/freeradius/sites-enabled/default and uncomment 'ldap' in the authorize section
Edit /etc/freeradius/sites-enabled/inner-tunnel and uncomment 'ldap' in the authorize section


Edit /etc/freeradius/clients.conf and define all the network clients (wireless APs, switches, any device that needs to authorise users/machines). "testing123" is the FreeRADIUS example secret: replace it with a long random per-client secret, the same one configured on that switch;

client 10.0.0.242 {
       ipaddr = 10.0.0.242
       secret = testing123
       shortname = 10.0.0.242
       nastype = "other"
}
Configure the RFC3580 RADIUS attributes to map onto the new custom LDAP attributes as per local.schema (NB; when running MAC-driven AAA port-based authentication, the switch sends the MAC address of the connecting device as both the User-Name and the password);

edit /etc/freeradius/ldap.attrmap and add the following lines;
checkItem User-Name radiusMacAddress
checkItem Cleartext-Password radiusMacAddress
replyItem HP-COS radiusHPCoS

service freeradius restart

 

Configure LDAP Objects


Configure the LDAP device object, adding the new attributes with the desired VLAN and CoS values (LDIF values are literal, so no quotes around them);

objectClass: hardwareClass                <- Required (structural class from the local schema)
objectClass: radiusprofile                <- Required
dialupAccess: access_attr                 <- Required (any value other than FALSE grants access)
radiusHPCoS: 3                            <- Optional - CoS queue (see table below)
radiusMacAddress: 6805ca07e4ef            <- Required - MAC address, lower-case hex without separators (if you want ":" formatting etc., change the address format on the switch)
radiusTunnelMediumType: IEEE-802          <- Required
radiusTunnelPrivateGroupId: 11            <- Required - desired VLAN (decimal; the VLAN must already exist on the switches)
radiusTunnelType: VLAN                    <- Required

 Table 1: radiusHPCoS values (optional);

 802.1p Value | Traffic Class     | Queue (W firmware) | Queue (K firmware) | Priority
 -------------+-------------------+--------------------+--------------------+---------
 1            | Background        | 1                  | 1                  | Low
 2            | Spare             | 1                  | 2                  | Low
 0            | Best Effort       | 2                  | 3                  | Normal
 3            | Excellent Effort  | 2                  | 4                  | Normal
 4            | Controlled Load   | 3                  | 5                  | High
 5            | Video             | 3                  | 6                  | High
 6            | Voice             | 4                  | 7                  | Critical
 7            | Network Control   | 4                  | 8                  | Critical
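As an added helper (not from the original post), the Python below normalises a MAC address into the exact form the search filter needs (12 lower-case hex digits, which is how a ProCurve switch formats the User-Name by default) and emits the LDIF for a device entry with the attributes listed above. The DN layout cn=<mac>,ou=devices,<base> and the cn attribute are assumptions for the example; the object classes and RADIUS attributes are the ones from the guide, and the sample inventory is constructed. Rejecting malformed MACs, out-of-range VLANs and CoS values up front avoids silently creating entries that never match.

```python
import re
from typing import Iterable, Optional, Tuple

# What the filter "(radiusMacAddress=%{User-Name})" has to match: 12 lower-case hex digits,
# the format a ProCurve switch uses for the MAC it sends as User-Name by default.
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> str:
    """Accept 68:05:CA:07:E4:EF, 68-05-ca-07-e4-ef, 6805.ca07.e4ef or 6805ca07e4ef."""
    mac = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return mac


def is_valid_mac(raw: str) -> bool:
    """True if normalise_mac() would accept the string."""
    try:
        normalise_mac(raw)
        return True
    except ValueError:
        return False


def device_ldif(raw_mac: str, vlan: int, base_dn: str, cos: Optional[int] = None) -> str:
    """LDIF for one MAC-authenticated device, using the attributes from the guide.

    The DN form cn=<mac>,ou=devices,<base_dn> and the cn attribute are assumptions
    made for this example; the guide only lists the attributes inside the entry.
    """
    mac = normalise_mac(raw_mac)
    if not 1 <= vlan <= 4094:                   # 0 and 4095 are reserved in 802.1Q
        raise ValueError(f"VLAN {vlan} out of range 1-4094")
    if cos is not None and not 0 <= cos <= 7:   # 802.1p priority is three bits
        raise ValueError(f"CoS {cos} out of range 0-7")
    lines = [
        f"dn: cn={mac},ou=devices,{base_dn}",
        f"cn: {mac}",
        "objectClass: hardwareClass",
        "objectClass: radiusprofile",
        "dialupAccess: access_attr",             # any value except FALSE lets the entry through
        f"radiusMacAddress: {mac}",
        "radiusTunnelType: VLAN",
        "radiusTunnelMediumType: IEEE-802",
        f"radiusTunnelPrivateGroupId: {vlan}",  # untagged VLAN for the port (RFC 3580)
    ]
    if cos is not None:
        lines.append(f"radiusHPCoS: {cos}")     # returned to the switch as HP-COS
    return "\n".join(lines) + "\n"


def bulk_ldif(devices: Iterable[Tuple[str, int, Optional[int]]], base_dn: str) -> str:
    """Build one LDIF file from (mac, vlan, cos) tuples, one entry per device."""
    return "\n".join(device_ldif(m, v, base_dn, c) for m, v, c in devices)


if __name__ == "__main__":
    # Constructed sample inventory; the base DN is the one from the guide's ldap module config.
    BASE = "dc=base,dc=runtime-collective,dc=com"
    print(bulk_ldif([("68:05:CA:07:E4:EF", 11, 3), ("0cc4.7a16.da00", 20, None)], BASE))
```

Feed the output to ldapadd, then confirm the lookup the switch will trigger with "radtest <mac> <mac> 127.0.0.1 0 <secret>": if radtest gets an Access-Accept but the switch does not, the mismatch is almost always the MAC format the switch is sending.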

 


Setup HP Procurve Switches

Configure HP Procurve switches to use RADIUS for dynamic VLAN assignment;

(DO NOT ENABLE MAC AUTH ON TRUNK PORTS, ONLY ACCESS PORTS)

max-vlans 256                                  <- Set as high as the switch allows

crypto key generate cert 1024
crypto host-cert generate self-signed
radius-server host 10.0.0.100                  <- Repeat for each RADIUS server
radius-server key "testing123"                 <- Shared secret, must match clients.conf (use a long random one, not this example)

aaa accounting update periodic 15              <- Optional - RADIUS accounting
aaa accounting exec start-stop radius          <- Optional - RADIUS accounting
aaa accounting network start-stop radius       <- Optional - RADIUS accounting
aaa accounting system start-stop radius        <- Optional - RADIUS accounting

aaa port-access mac-based 1-48                 <- Enable MAC-based RADIUS auth on ports 1-48
aaa port-access mac-based 1-48 auth-vid 1      <- Untagged VLAN when auth succeeds but RADIUS returns no VLAN ID
aaa port-access mac-based 1-48 unauth-vid 1    <- Untagged VLAN for devices that fail auth. VLAN 1 is only a placeholder: use a quarantine VLAN that reaches nothing sensitive, or omit the command to leave unauthenticated ports blocked
aaa port-access mac-based 1-48 logoff-period 9999999
aaa port-access mac-based 1-48 quiet-period 30
aaa port-access mac-based 1-48 addr-limit 32
aaa port-access mac-based 1-48 addr-moves
aaa port-access 1-48 controlled-direction in
spanning-tree 1-48 bpdu-protection             <- Shut the port if a BPDU is received
spanning-tree 1-48 admin-edge-port             <- Needed for the port to come up promptly; enables immediate forwarding (portfast equivalent)


Config rules;
The RADIUS connection timeout must be less than the authentication server timeout for the switch to authenticate automatically when the RADIUS server is unavailable.


Ensure all VLANs set in LDAP are manually defined in switch running config, and north-bound trunk ports to spine/core allow tagged packets for all the VLANs.


  • Ports are now assigned to Untagged VLAN IDs by RADIUS, or defaults to Untagged VLAN 1

Configure IPMI and iLO2 hosts;

Reset to defaults and ensure DHCP is enabled.
Ensure IPMI failover mode is set to dedicated in the BIOS (do not use IPMI failover with Supermicro to share the port, as it does not fail back).
VLAN tagging on BMCs normally does not work. We solved this by running VLAN tags on all servers and running IPMI untagged: when a race occurs, the port is simply set up for both tagged X (for Linux) and untagged Y (for the BMC), which resolves the race.


Configure Linux hosts (Optional);

By default Linux sends only a single gratuitous ARP when the Ethernet carrier comes up, so ifplugd is sometimes needed to send enough frames for the switch port to be fully configured by 802.1X (if the host sends no frames, it stays unreachable from other hosts until it sends at least one). A DHCP client achieves the same effect.
apt-get install ifplugd

edit /etc/default/ifplugd;

INTERFACES="eth0 eth1"
ARGS="-q -f -u0 -d0 -w -I"
edit /etc/ifplugd/ifplugd.action
Change up and down actions to be simply ping <ip-of-gateway> -c 6

/etc/init.d/ifplugd start

Alternatively see my other post regarding configuring robust Debian networking.




Useful show / debug commands;

Procurve Commands;
show port-access mac-based                         <- MAC-authenticated ports
show port-access mac-based clients
show port-access mac-based clients 1-48 detailed
show port-access config
show port-access mac-based 1 config

show vlans ports 1-48

show qos port-priority

show authentication

show port-access authenticator                     <- 802.1X (supplicant) authenticated ports
show port-access authenticator clients             <- 802.1X (supplicant) authenticated ports

FreeRADIUS server commands;
radtest 0cc47a16da00 0cc47a16da00 127.0.0.1 0 testing123   <- MAC as both user and password; relies on the default "client localhost" entry in clients.conf with that secret

Debugging;


Log into manager@coreswitch{0/1} to find access switch connected to MAC;
show mac-address [MAC]
show arp

DEBUG on ACCESS SWITCHES;
Enable debug
debug destination session
debug event
debug security
debug security port-access mac-based include port 1
or
debug security
debug security port-access mac-based include port all
Release port to stimulate new auth
aaa port-access mac-based 1 reauthenticate

no debug all

If the problem is still not clear, restart freeRADIUS in debug mode (it runs in the foreground and prints every packet and module step, credentials included, so do not leave it running);
service freeradius stop
freeradius -X
(If there is a second RADIUS server, stop it too while testing, or the switch will simply fail over to it and the debug instance will see nothing.)
 




Extras

LDAP-based users logging into the switches can also be authenticated! However, because of the LDAP search filter defined above, the "User-Name" RADIUS attribute is matched against "radiusMacAddress" and NOT "uid", so authenticating users via RADIUS/LDAP is mutually exclusive with MAC-based authentication on the same FreeRADIUS instance.

Solved this previously by running multiple instances of freeRADIUS on different listening ports (each with the appropriate LDAP mappings), all using the same LDAP back end. This allows web-based 802.1X and MAC-based 802.1X, and also provides the framework for two-factor authentication.

aaa authentication console login radius local    <- Enable RADIUS for console login
aaa authentication console enable radius local   <- Enable RADIUS for console enable
aaa authentication ssh login radius local        <- Enable RADIUS for ssh login
aaa authentication ssh enable radius local       <- Enable RADIUS for ssh enable
aaa authentication login privilege-mode          <- Force require radiusServiceType attribute for user privileges


User LDAP object;
objectClass: radiusprofile
radiusServiceType: Administrative-User    <- Give user enable privileges
radiusServiceType: NAS-Prompt-User        <- Give user login only privileges
WARNING; If the switch config does not include 'aaa authentication login privilege-mode', ALL LDAP users get full enable privileges!




Alternative Solution

Assign the VLANs for each access-port dynamically.

Option 1 - Dynamic GVRP VLAN assignment (not recommended)

Overview

Whilst this is initially a very simple setup, whereby Linux negotiates the required VLANs with the switch using GVRP so that the switch can add the connected port to said VLAN, there are some caveats;
  • GVRP support is NOT widely deployed - severity = Minor
  • GVRP support has only just arrived in kernel 3.2 - severity = Minor
  • Enabling GVRP requires significant research and testing, as HP warns against GVRP when using advanced functions like active-active distributed trunks, VRRP and MSTP (all of which we use) - severity = Major
  • Due to the challenges with enabling GVRP, it is not advisable to implement it short term if a move to static VLANs is desired - severity = Critical
  • Can only be implemented using the 'ip link' command, not /etc/network/interfaces - severity = Major
  • GVRP is not widely used because it lets end nodes control the network's VLAN configuration (any host can ask for any VLAN).
  • By its very nature of being dynamic, GVRP (1999) has various limitations and issues with scale, and was superseded by MVRP (2011) to address them - severity = Major
  • If there are problems, downtime will be experienced whilst GVRP re-converges - severity = Major
  • Will only work on Linux ports, so will not work for IPMI interfaces - severity = Blocker

Implementation

on switch;

gvrp

on Linux;

ip link add link eth1 name vlan6 type vlan id 6 gvrp on loose_binding on
ip link set vlan6 up
NB; no /etc/network/interfaces support




http://evilrouters.net/2008/11/19/configuring-freeradius-to-support-cisco-aaa-clients/