
NAME

pf::Switch - Object oriented module to access SNMP enabled network switches

DESCRIPTION

The pf::Switch module implements an object oriented interface to access SNMP enabled network switches. This module only contains some basic functionality and is meant to be subclassed.

SUBROUTINES

supportsFloatingDevice

Returns 1 if switch type supports floating network devices

supportsExternalPortal

Returns 1 if switch type supports external captive portal

supportsWebFormRegistration

Returns 1 if switch type supports web form registration (for release of the external captive portal)

supportsWiredMacAuth

Returns 1 if switch type supports Wired MAC Authentication (Wired Access Authorization through RADIUS)

supportsWiredDot1x - Returns 1 if switch type supports Wired 802.1X

supportsWirelessMacAuth

Returns 1 if switch type supports Wireless MAC Authentication (RADIUS Authentication)

supportsWirelessDot1x - Returns 1 if switch type supports Wireless 802.1X (aka WPA-Enterprise)

supportsRadiusVoip
supportsRoleBasedEnforcement
supportsRoamingAccounting
supportsSaveConfig
supportsCdp

Does the network device support Cisco Discovery Protocol (CDP)?

supportsLldp

Does the network device support Link-Layer Discovery Protocol (LLDP)?

supportsRadiusDynamicVlanAssignment
inlineCapabilities
isUpLink - determine if a given ifIndex is connected to another switch
connectRead - establish a read connection to the switch
disconnectRead - close the read connection to the switch

connectWriteTo

Establishes an SNMP Write connection to a given IP and installs the session object into this object's sessionKey. It performs a write test to make sure that the write actually works.

connectWrite

Establishes a default SNMP Write connection to the network device. Uses connectWriteTo with IP from configuration internally.

connectWriteToController

Establishes an SNMP write connection to the controller of the network device as defined in controllerIp.

disconnectWriteTo

Closes an SNMP Write connection. Requires sessionKey stored in object (as when calling connectWriteTo).

disconnectWrite

Closes the default SNMP connection to the network device's IP.

disconnectWriteToController

Closes the SNMP connection to the network device's controller.

setVlan

Sets a port to a VLAN, validating some rules first and then calling the switch's _setVlan.

setVlanWithName - set the ifIndex VLAN by VLAN name on the switch instead of by VLAN number

TODO: not implemented, currently only a placeholder

_setVlanByOnlyModifyingPvid

getRoleByName

Get the switch-specific role of a given global role in switches.conf

getVlanByName - get the VLAN number of a given name in switches.conf

Input: VLAN name (as in switches.conf)

setVlanByName - set the ifIndex VLAN to the VLAN identified by given name in switches.conf

Input: ifIndex, VLAN name (as in switches.conf), switch lock

getIfOperStatus - obtain the ifOperStatus of the specified switch port (1 indicates up, 2 indicates down)
setMacDetectionVlan - set the port VLAN to the MAC detection VLAN
getAlias - get the port description
getSwitchLocation - get the switch location string
setAlias - set the port description
getManagedIfIndexes - get the list of ifIndexes which are managed
isManagedVlan - is the VLAN in the list of VLANs managed by the switch?
getMode - get the mode
isTestingMode - return True if $switch->{_mode} eq 'testing'
isIgnoreMode - return True if $switch->{_mode} eq 'ignore'
isRegistrationMode - return True if $switch->{_mode} eq 'registration'
isProductionMode - return True if $switch->{_mode} eq 'production'
isDiscoveryMode - return True if $switch->{_mode} eq 'discovery'

isVoIPEnabled

Default implementation returns a false value and will log a warning if the user configured their switches.conf to do VoIP.

setVlanAllPort - set the port VLAN for all the non-UpLink ports of a switch
getMacAtIfIndex - obtain list of MACs at switch ifIndex
getSysName - return the administratively-assigned name of the switch. By convention, this is the switch's fully-qualified domain name
getIfDesc - return ifDesc given ifIndex
getIfName - return ifName given ifIndex
getIfNameIfIndexHash - return ifName => ifIndex hash
setAdminStatus - shutdown or enable port

bouncePort

Performs a shut / no-shut on the port. Usually used to force the operating system to do a new DHCP Request after a VLAN change.

setPortSecurityEnableByIfIndex

Will disable or enable port-security on a given ifIndex based on the $trueFalse value provided. $TRUE will enable, $FALSE will disable.

This version is a fallback stub; provide your implementation in a switch module.

enablePortSecurityByIfIndex

Unless you require something more complex, this is usually a wrapper around setPortSecurityEnableByIfIndex($ifIndex, $TRUE)

disablePortSecurityByIfIndex

Unless you require something more complex, this is usually a wrapper around setPortSecurityEnableByIfIndex($ifIndex, $FALSE)

enableMABFloatingDevice

Connects to the switch and configures the specified port to be RADIUS floating device ready

disableMABFloatingDevice

Connects to the switch and removes the RADIUS floating device configuration

getPhonesDPAtIfIndex

Obtain phones from discovery protocol at ifIndex.

Polls from all supported sources and will filter out duplicates.

hasPhoneAtIfIndex

Is there at least one IP Phone on the given ifIndex?

authorizeCurrentMacWithNewVlan

Authorize MAC already in secure table on the new VLAN (and deauth from old VLAN). This is meant to be called in _setVlan on switches which have a VLAN aware port-security table. This is because _setVlan changes the underlying VLAN but doesn't authorize the MAC on the new VLAN.

This method was in the Foundry module first then duplicated in SMC. When the third implementation came that needed this feature I decided to extract it and have it sit here since it's quite generic.

_authorizeCurrentMacWithNewVlan

Actual implementation of authorizeCurrentMacWithNewVlan

getRegExpFromList - analyze a list and determine a regexp pattern from this list (used for show mac-address-table)
getBitAtPosition - returns the bit at the position specified

The input must be the untranslated raw result of an snmp get_table

modifyBitmask

Replaces the specified bit in a packed bitmask and returns the modified bitmask, re-packed

flipBits

Replaces the specified bits in a packed bitmask and returns the modified bitmask, re-packed

It's a multi flip version of modifyBitmask

createPortListWithOneItem - generate a PortList (Bitmask) with one bit turned on at the specified index value

The output is a packed binary representation useful to snmp::set_request

reverseBitmask - reverses all the bits (0 to 1, 1 to 0) from a packed bitmask and returns this new bitmask re-packed

Works on byte blocks since Perl's bitwise not operates at the arithmetic level and some hardware has so many ports that the integers could overflow.
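
The packed PortList handling described by createPortListWithOneItem, modifyBitmask, flipBits and reverseBitmask above, shown as an added stand-alone Perl example that is not pf::Switch's own code. It assumes the BRIDGE-MIB PortList bit order (bit 1 is the most significant bit of the first octet); the subroutine names and the 48-port sample are constructed for illustration.

```perl
use strict;
use warnings;

# Assumed PortList layout (BRIDGE-MIB / Q-BRIDGE-MIB): bit 1 is the most
# significant bit of the first octet, bit 8 its least significant bit, bit 9
# the MSB of the second octet, and so on. Positions are 1-based as in the MIB.

# Build a PortList of $octets bytes with only bit $pos set, packed for an SNMP set.
sub create_port_list_with_one_item {
    my ($pos, $octets) = @_;
    return modify_bitmask("\x00" x $octets, $pos, 1);
}

# Set ($value true) or clear one bit of a packed PortList; returns it re-packed.
# Unpacking to a string of '0'/'1' characters sidesteps any integer width limit.
sub modify_bitmask {
    my ($packed, $pos, $value) = @_;
    my $bits = unpack('B*', $packed);
    die "bit $pos is outside this " . length($bits) . "-bit PortList\n"
        if $pos < 1 || $pos > length $bits;
    substr($bits, $pos - 1, 1) = $value ? '1' : '0';
    return pack('B*', $bits);
}

# Multi-bit variant of modify_bitmask: every position in @positions takes $value.
sub flip_bits {
    my ($packed, $value, @positions) = @_;
    $packed = modify_bitmask($packed, $_, $value) for @positions;
    return $packed;
}

# Invert every bit one octet at a time ('C*' unpacks to unsigned bytes), so a
# PortList covering hundreds of ports never has to fit into a single integer.
sub reverse_bitmask {
    my ($packed) = @_;
    return pack('C*', map { $_ ^ 0xFF } unpack('C*', $packed));
}

# Constructed example: a 48-port switch needs a 6-octet PortList.
my $egress = create_port_list_with_one_item(1, 6);   # only port 1
$egress    = flip_bits($egress, 1, 9, 48);           # add ports 9 and 48
$egress    = modify_bitmask($egress, 9, 0);          # remove port 9 again
printf "egress ports : %s\n", unpack('H*', $egress);
printf "all others   : %s\n", unpack('H*', reverse_bitmask($egress));
```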

getSysUptime - returns the sysUpTime
getIfType - return the ifType
_getMacAtIfIndex - returns the list of MACs
getDot1dBasePortForThisIfIndex - returns the dot1dBasePort for a given ifIndex
getVoiceVlan - returns the port voice VLAN ID
getVlan - returns the port PVID
getVlans - returns the VLAN ID to name mapping
isDefinedVlan - determines if the VLAN is defined on the switch
getUpLinks - get the list of port marked as uplink in configuration

Returns an array of port ifIndexes, or -1 on failure

disableIfLinkUpDownTraps

Disables LinkUp / LinkDown SNMP traps on a given ifIndex

enableIfLinkUpDownTraps

Enables LinkUp / LinkDown SNMP traps on a given ifIndex

deauthenticateMac - performs wireless deauthentication

mac - MAC address to deauthenticate

is_dot1x - set to 1 if special dot1x de-authentication is required

dot1xPortReauthenticate

Forces 802.1x re-authentication of a given ifIndex

ifIndex - ifIndex to force re-authentication on

_dot1xPortReauthenticate

Actual implementation. Allows callers to refer to this implementation even if a subclass along the way overrides the above call.

NasPortToIfIndex

Translate RADIUS NAS-Port into the physical port ifIndex

Default fallback implementation: we just return the NAS-Port as ifIndex.

handleReAssignVlanTrapForWiredMacAuth

Called when a ReAssignVlan trap is received for a switch-port in Wired MAC Authentication.

Default behavior is to bounce the port.

extractSsid

Find the RADIUS SSID parameter in the RADIUS request parameters.

The SSID is not provided under a standardized attribute name, so we encapsulate that complexity here. If your AP is not supported, look in /usr/share/freeradius/dictionary* for vendor specific attributes (VSA).

The most common form we encountered is in Called-Station-Id in the format: "xx-xx-xx-xx-xx-xx:SSID".

We also support:

  "xx:xx:xx:xx:xx:xx:SSID"
  "xxxxxxxxxxxx:SSID"

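
The three Called-Station-Id forms listed above, parsed by an added stand-alone Perl example that is not part of pf::Switch. The sample attribute hash is constructed, and the extract_ssid_from_called_station_id and normalize_mac names are assumptions for illustration.

```perl
use strict;
use warnings;

# Constructed sample of the RADIUS request attributes a NAS would send. Only
# Called-Station-Id is consulted; vendor-specific attributes are out of scope.
my %radius_request = ('Called-Station-Id' => '00-1A-2B-3C-4D-5E:CorpWiFi');

# Lower-case, colon-separated MAC so callers compare AP MACs consistently.
sub normalize_mac {
    my ($mac) = @_;
    (my $hex = lc $mac) =~ s/[^0-9a-f]//g;
    return join(':', unpack('(A2)*', $hex));
}

# Returns (AP MAC, SSID) from Called-Station-Id, or an empty list when the
# attribute is missing or not in one of the three documented formats:
#   "xx-xx-xx-xx-xx-xx:SSID", "xx:xx:xx:xx:xx:xx:SSID", "xxxxxxxxxxxx:SSID"
# Refusing to guess on an unknown format keeps a malformed attribute from
# being matched against an SSID-based rule by accident.
sub extract_ssid_from_called_station_id {
    my ($req) = @_;
    my $csi = $req->{'Called-Station-Id'};
    return () unless defined $csi;

    # Dashed or colon-separated MAC: exactly six octets, then ':' and the SSID.
    # The fixed octet count bounds the MAC part, so an SSID may itself contain ':'.
    if ($csi =~ /^([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}):(.+)$/) {
        return (normalize_mac($1), $2);
    }
    # Bare 12 hex digits.
    if ($csi =~ /^([0-9A-Fa-f]{12}):(.+)$/) {
        return (normalize_mac($1), $2);
    }
    return ();
}

my ($ap_mac, $ssid) = extract_ssid_from_called_station_id(\%radius_request);
if (defined $ssid) {
    print "AP $ap_mac advertises SSID '$ssid'\n";
} else {
    print "Called-Station-Id does not carry an SSID in a known format\n";
}
```
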
getVoipVSA

Get Voice over IP RADIUS Vendor Specific Attribute (VSA).

enablePortConfigAsTrunk - sets port as multi-VLAN port
disablePortConfigAsTrunk - sets port as non multi-VLAN port

getDeauthSnmpConnectionKey

Decides whether deauthentication should be performed against the controller or the actual network device. Performs the actual SNMP Write connection and returns the sessionWrite hash key to use.

See pf::Switch::Dlink::DWS_3026 for a usage example.

radiusDisconnect

Sends a RADIUS Disconnect-Request to the NAS with the MAC as the Calling-Station-Id to disconnect.

Optionally you can provide other attributes as a hashref.

Uses pf::util::radius for the low-level RADIUS stuff.

returnRadiusAccessAccept

Prepares the RADIUS Access-Accept response for the network device.

Default implementation.

deauthTechniques

Return the reference to the deauth technique or the default deauth technique.

supporteddeauthTechniques

Returns the default deauthentication method.

deauthenticateMacDefault

Returns the default deauthentication technique.

GetIfIndexByNasPortId

Returns the ifIndex for the given NAS-Port-Id.

wiredeauthTechniques

Return the reference to the deauth technique or the default deauth technique.

extractVLAN

Extract VLAN from the radius attributes.

parseRequest

Takes FreeRADIUS' RAD_REQUEST hash and processes it to return: NAS Port type (Ethernet, Wireless, etc.), network device IP, EAP, MAC, NAS-Port (port) and User-Name.

parseUrl

Extracts all the parameters from the URL.

getAcceptForm

Get the accept form that will trigger the device registration on the switch

parseSwitchIdFromRequest

Extracts the switch id from an HTTP request (for the external portal). The switch object isn't created at that point.

parseTrap

Unimplemented base method meant to be overridden in switches that support SNMP trap based methods.

identifyConnectionType

Used to override pf::Connection::identifyType behavior if needed on a per switch module basis.

disableMABByIfIndex

Disables MAC Authentication Bypass (MAB) on the specified port

enableMABByIfIndex

Enables MAC Authentication Bypass (MAB) on the specified port

AUTHOR

Inverse inc. <info@inverse.ca>

COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
