pf::Switch - Object oriented module to access SNMP enabled network switches
The pf::Switch module implements an object oriented interface to access SNMP enabled network switches. This module only contains some basic functionality and is meant to be subclassed.
Returns 1 if switch type supports floating network devices
Returns 1 if switch type supports external captive portal
Returns 1 if switch type supports web form registration (for release of the external captive portal)
Returns 1 if switch type supports Wired MAC Authentication (Wired Access Authorization through RADIUS)
Returns 1 if switch type supports Wireless MAC Authentication (RADIUS Authentication)
Does the network device support Cisco Discovery Protocol (CDP)
Does the network device support Link-Layer Discovery Protocol (LLDP)
Establishes an SNMP Write connection to a given IP and installs the session object into this object's sessionKey. It performs a write test to make sure that the write actually works.
Establishes a default SNMP Write connection to the network device. Uses connectWriteTo with IP from configuration internally.
Establishes an SNMP write connection to the controller of the network device as defined in controllerIp.
Closes an SNMP Write connection. Requires sessionKey stored in object (as when calling connectWriteTo).
Closes the default SNMP connection to the network device's IP.
Closes the SNMP connection to the network device's controller.
Set a port to a VLAN validating some rules first then calling the switch's _setVlan.
TODO: not implemented, currently only a placeholder
Get the switch-specific role of a given global role in switches.conf
Input: VLAN name (as in switches.conf)
Input: ifIndex, VLAN name (as in switches.conf), switch lock
Default implementation returns a false value and will log a warning if the user configured their switches.conf to do VoIP.
Performs a shut / no-shut on the port. Usually used to force the operating system to do a new DHCP Request after a VLAN change.
Will disable or enable port-security on a given ifIndex based on the $trueFalse value provided. $TRUE will enable, $FALSE will disable.
This version here is a fallback stub, provide your implementation in a switch module.
Unless you require something more complex, this is usually a wrapper to setPortSecurityEnableByIfIndex($ifIndex, $TRUE)
Unless you require something more complex, this is usually a wrapper to setPortSecurityEnableByIfIndex($ifIndex, $FALSE)
Connects to the switch and configures the specified port to be RADIUS floating device ready
Connects to the switch and removes the RADIUS floating device configuration
Obtain phones from discovery protocol at ifIndex.
Polls from all supported sources and will filter out duplicates.
Is there at least one IP Phone on the given ifIndex.
Authorize MAC already in secure table on the new VLAN (and deauth from old VLAN). This is meant to be called in _setVlan on switches which have a VLAN aware port-security table. This is because _setVlan changes the underlying VLAN but doesn't authorize the MAC on the new VLAN.
This method was in the Foundry module first, then duplicated in SMC. When the third implementation came that needed this feature, I decided to extract it and have it sit here since it's quite generic.
Actual implementation of authorizeCurrentMacWithNewVlan
The input must be the untranslated raw result of an snmp get_table
Replaces the specified bit in a packed bitmask and returns the modified bitmask, re-packed
Replaces the specified bits in a packed bitmask and returns the modified bitmask, re-packed
It's a multi-flip version of modifyBitmask
The output is a packed binary representation useful to snmp::set_request
Works on byte blocks since Perl's bitwise not operates at the arithmetic level, and some hardware has so many ports that the mask could overflow an integer.
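The bitmask handling described above (single-bit modify, multi-flip modify, and a byte-wise NOT that never turns the whole mask into one integer), as an added example that is not pf::Switch's own code. It assumes the BRIDGE-MIB PortList convention for the packed input, where port N is bit N-1 counted from the most significant bit of the first octet; the sample mask at the bottom is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not pf::Switch's own code): bit manipulation on a packed
# SNMP PortList octet string. Assumes the BRIDGE-MIB PortList convention,
# where port N is bit N-1 counted from the most significant bit of the
# first octet, which is what a raw get_table result for such columns holds.
use strict;
use warnings;

# Set ($value true) or clear ($value false) one port's bit and return the
# re-packed octet string. The mask is handled as a string of '0'/'1'
# characters, so a 1000-port mask is no harder than an 8-port one.
sub modify_bitmask {
    my ($packed, $port, $value) = @_;
    my $bits = unpack('B*', $packed);
    my $pos  = $port - 1;
    die "port $port is outside a " . length($bits) . "-bit mask\n"
        if $pos < 0 || $pos >= length $bits;
    substr($bits, $pos, 1) = $value ? '1' : '0';
    return pack('B*', $bits);
}

# Multi-flip version: apply a hash of port => 0/1 in one pass.
sub modify_bitmasks {
    my ($packed, %changes) = @_;
    $packed = modify_bitmask($packed, $_, $changes{$_})
        for sort { $a <=> $b } keys %changes;
    return $packed;
}

# Bitwise NOT done one octet at a time, so the mask is never turned into a
# single integer that could overflow on a switch with hundreds of ports.
sub invert_bitmask {
    my ($packed) = @_;
    return join '', map { chr((~$_) & 0xFF) } unpack('C*', $packed);
}

# Ports whose bit is set, as a list of 1-based port numbers.
sub ports_in_bitmask {
    my ($packed) = @_;
    my $bits = unpack('B*', $packed);
    return grep { substr($bits, $_ - 1, 1) eq '1' } 1 .. length $bits;
}

# Constructed sample: a 48-port mask with ports 1 and 3 set (0xA0 followed
# by five zero octets), as a get_table call might return for a VLAN's
# egress port list.
my $mask = pack('H*', 'a00000000000');
printf "original: %s ports: %s\n",
    unpack('H*', $mask), join(',', ports_in_bitmask($mask));

my $changed = modify_bitmasks($mask, 2 => 1, 3 => 0, 48 => 1);
printf "modified: %s ports: %s\n",
    unpack('H*', $changed), join(',', ports_in_bitmask($changed));

my $inverted = invert_bitmask($mask);
printf "inverted: %s (%d ports set)\n",
    unpack('H*', $inverted), scalar ports_in_bitmask($inverted);
```

The re-packed strings are exactly what an SNMP set_request expects as the OCTET STRING value, and because the NOT is done per octet the same code works unchanged whether the switch reports 8 or 800 ports.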
Returns an array of port ifIndex or -1 on failure
Disables LinkUp / LinkDown SNMP traps on a given ifIndex
Enables LinkUp / LinkDown SNMP traps on a given ifIndex
mac - mac address to deauthenticate
is_dot1x - set to 1 if special dot1x de-authentication is required
Forces 802.1x re-authentication of a given ifIndex
ifIndex - ifIndex to force re-authentication on
Actual implementation. Allows callers to refer to this implementation even though someone along the way overrode the above call.
Translate RADIUS NAS-Port into the physical port ifIndex
Default fallback implementation: we just return the NAS-Port as ifIndex.
Called when a ReAssignVlan trap is received for a switch-port in Wired MAC Authentication.
Default behavior is to bounce the port
Find RADIUS SSID parameter out of RADIUS REQUEST parameters
SSIDs are not provided by a standardized parameter name, so we encapsulate that complexity here. If your AP is not supported, look in /usr/share/freeradius/dictionary* for vendor specific attributes (VSA).
Most standard way we encountered is in Called-Station-Id in the format: "xx-xx-xx-xx-xx-xx:SSID".
We also support: "xx:xx:xx:xx:xx:xx:SSID" and "xxxxxxxxxxxx:SSID"
Get Voice over IP RADIUS Vendor Specific Attribute (VSA).
Handles if deauthentication should be performed against controller or actual network device. Performs the actual SNMP Write connection and returns sessionWrite hash key to use.
See pf::Switch::Dlink::DWS_3026 for a usage example.
Sends a RADIUS Disconnect-Request to the NAS with the MAC as the Calling-Station-Id to disconnect.
Optionally you can provide other attributes as a hashref.
Uses pf::util::radius for the low-level RADIUS stuff.
Prepares the RADIUS Access-Accept response for the network device.
Default implementation.
Return the reference to the deauth technique or the default deauth technique.
return Default Deauthentication Method
return Default Deauthentication Default technique
return IfIndexByNasPortId
Return the reference to the deauth technique or the default deauth technique.
Extract VLAN from the radius attributes.
Takes FreeRADIUS' RAD_REQUEST hash and processes it to return: NAS Port type (Ethernet, Wireless, etc.), Network Device IP, EAP, MAC, NAS-Port (port), User-Name.
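An added example, not pf::Switch's own code, covering both the SSID extraction from Called-Station-Id described earlier on the page (the three MAC-prefix formats) and the RAD_REQUEST processing described just above. It assumes the standard FreeRADIUS attribute names (NAS-Port-Type, NAS-IP-Address, NAS-Port, User-Name, Calling-Station-Id, Called-Station-Id, EAP-Message) as hash keys; the two request hashes at the bottom are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not pf::Switch's own code): pull the connection parameters
# out of a FreeRADIUS RAD_REQUEST-style hash, including the SSID from
# Called-Station-Id. Attribute names are the standard FreeRADIUS ones; the
# request hashes at the bottom are constructed sample input.
use strict;
use warnings;

# Normalise a MAC written as aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff,
# aabb.ccdd.eeff or aabbccddeeff to lowercase colon-separated form.
# Returns undef if the value does not look like a MAC.
sub normalize_mac {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $hex = lc $raw) =~ s/[^0-9a-f]//g;
    return undef unless $hex =~ /^[0-9a-f]{12}$/;
    return join ':', $hex =~ /(..)/g;
}

# SSID out of Called-Station-Id. Supports "xx-xx-xx-xx-xx-xx:SSID",
# "xx:xx:xx:xx:xx:xx:SSID" and "xxxxxxxxxxxx:SSID". The SSID itself may
# contain colons, so only the MAC prefix is matched strictly and the rest
# of the string is taken verbatim.
sub ssid_from_called_station_id {
    my ($csid) = @_;
    return undef unless defined $csid;
    if ($csid =~ /^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}:(.+)$/i) { return $1 }
    if ($csid =~ /^[0-9a-f]{12}:(.+)$/i)                      { return $1 }
    return undef;
}

# Return the connection parameters as a hash: NAS port type (and a wireless
# flag derived from it), NAS IP, whether EAP was used, client MAC,
# NAS-Port, User-Name and SSID (undef when the NAS sent none).
sub parse_request {
    my ($req) = @_;
    my $port_type = $req->{'NAS-Port-Type'} // '';
    return (
        nas_port_type => $port_type,
        is_wireless   => ($port_type =~ /^Wireless/ ? 1 : 0),
        nas_ip        => $req->{'NAS-IP-Address'},
        eap           => (exists $req->{'EAP-Message'} ? 1 : 0),
        mac           => normalize_mac($req->{'Calling-Station-Id'}),
        nas_port      => $req->{'NAS-Port'},
        user_name     => $req->{'User-Name'},
        ssid          => ssid_from_called_station_id($req->{'Called-Station-Id'}),
    );
}

# Constructed sample requests: a wireless 802.1X client on an SSID whose
# name contains a colon, and a wired MAC-authentication client.
my @requests = (
    {
        'NAS-Port-Type'      => 'Wireless-802.11',
        'NAS-IP-Address'     => '192.0.2.10',
        'NAS-Port'           => 13,
        'User-Name'          => 'alice',
        'Calling-Station-Id' => 'AA-BB-CC-DD-EE-FF',
        'Called-Station-Id'  => '00-11-22-33-44-55:Corp:Guest',
        'EAP-Message'        => "\x02\x01\x00\x0a\x01alice",
    },
    {
        'NAS-Port-Type'      => 'Ethernet',
        'NAS-IP-Address'     => '192.0.2.20',
        'NAS-Port'           => 50107,
        'User-Name'          => 'aabbccddeeff',
        'Calling-Station-Id' => 'aabb.ccdd.eeff',
        'Called-Station-Id'  => '001122334455',
    },
);

for my $req (@requests) {
    my %p = parse_request($req);
    printf "%-16s nas=%s port=%s eap=%d mac=%s user=%s ssid=%s\n",
        $p{nas_port_type}, $p{nas_ip}, $p{nas_port}, $p{eap},
        $p{mac} // '(invalid)', $p{user_name}, $p{ssid} // '(none)';
}
```

Matching the MAC prefix strictly and taking the remainder verbatim is what keeps an SSID such as "Corp:Guest" intact; splitting on the last colon instead would silently truncate it, and a wired NAS that sends a bare MAC in Called-Station-Id yields no SSID rather than a bogus one.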
Extract all the parameters from the URL.
Get the accept form that will trigger the device registration on the switch
Extract the switch id from an http request (for the external portal). The object isn't created at that point
Unimplemented base method meant to be overridden in switches that support SNMP trap based methods.
Used to override pf::Connection::identifyType behavior if needed on a per switch module basis.
Disables mac authentication bypass on the specified port
Enables mac authentication bypass on the specified port
Inverse inc. <info@inverse.ca>
Copyright (C) 2005-2015 Inverse inc.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.