NAME

pf::Switch::Aruba

SYNOPSIS

The pf::Switch::Aruba module implements an object oriented interface to access and manage Aruba Wireless Controllers.

STATUS

Developed and tested on Controller 200 running firmware 5.0.3.3

Tested on Controller 600 with RADIUS Disconnect running firmware 6.0.x

Supports
Deauthentication with RADIUS Disconnect (RFC3576)
Deauthentication with Telnet
Role-based access control

BUGS AND LIMITATIONS

Telnet deauthentication broken on firmware 6.x

We had reports that Telnet-based deauthentication is no longer working with the firmware 6 series.

Although this is not a PacketFence issue, upgrading PacketFence to 3.1.0 will work around this situation, since it uses a new RADIUS-based technique to perform deauthentication on Aruba.

Reported on firmware 6.1.3.1. Let us know if you have a 6.x version and you are unaffected.

SUBROUTINES

TODO: this list is incomplete

getVersion - obtain image version information from switch

deauthenticateMacDefault

De-authenticate a MAC address from wireless network (including 802.1x).

New implementation using RADIUS Disconnect-Request.

_deauthenticateMacWithTelnet

DEPRECATED

De-authenticate a MAC address from wireless network (including 802.1x)

Here, we determine which of _dot1xDeauthenticateMAC or _deauthenticateMAC to call, and call it accordingly.

_dot1xDeauthenticateMAC

DEPRECATED

De-authenticate a MAC from controller when user is in 802.1x mode using Telnet.

* Private: don't call outside of same object, use _deauthenticateMacWithTelnet externally *

_deauthenticateMAC

DEPRECATED

De-authenticate a MAC from controller if user is not in 802.1x mode using Telnet

Here we used to specify MAC and IP in the OID, but it doesn't work in a lot of cases. As soon as the client is inactive for a little while, the IP is forgotten, but you can still access the correct BSSID with 0.0.0.0 appended at the end of the OID (no IP).

What we are doing now is fetching the table instead of only one entry and issuing deauth on the matching MAC in OID format. Worked in my tests with and without an IP in the table.

* Private: don't call outside of same object, use _deauthenticateMacWithTelnet externally *

extractSsid

Extract the SSID from the RADIUS request parameters.

Aruba specific parser. See pf::Switch for base implementation.

returnRadiusAccessAccept

Overloading pf::Switch's implementation because Aruba doesn't support assigning VLANs and Roles at the same time.

returnRoleAttribute

The RADIUS attribute (usually a VSA) in which the role should be returned.

deauthTechniques

Return the reference to the deauth technique or the default deauth technique.

radiusDisconnect

Sends a RADIUS Disconnect-Request to the NAS with the MAC as the Calling-Station-Id to disconnect.

Optionally, you can provide other attributes as a hashref.

Uses pf::util::radius for the low-level RADIUS stuff.
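
The Disconnect-Request described above, shown at the wire level as an added example; it is not PacketFence or pf::util::radius code. It builds the packet with the MAC in Calling-Station-Id and shows the receiver-side authenticator check defined by RFC 3576. The function names, the MAC notation and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 3576 packet code
CALLING_STATION_ID = 31   # attribute that carries the client MAC

def attr(attr_type, value):
    """Encode one attribute as type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def normalize_mac(mac):
    """Return AA-BB-CC-DD-EE-FF; this notation is an assumption, not from the page."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_disconnect_request(mac, secret, ident, extra=()):
    """extra is an iterable of (type, bytes) pairs for additional attributes."""
    attrs = attr(CALLING_STATION_ID, normalize_mac(mac).encode())
    attrs += b"".join(attr(t, v) for t, v in extra)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(DISCONNECT_REQUEST, ident, attrs, secret) + attrs

def verify_request(packet, secret):
    """Receiver-side check: recompute the authenticator over the received bytes."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample values
    pkt = build_disconnect_request("00:11:22:aa:bb:cc", secret, ident=7)
    print(pkt.hex(), verify_request(pkt, secret))
```

The shared secret is the only thing that authenticates a Disconnect-Request, so a receiver that skips this check, or shares a weak secret, will accept a disconnect for any MAC from any sender that can reach it.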

extractVLAN

Extract VLAN from the RADIUS attributes.

parseUrl

This is called when we receive an HTTP request from the device and returns specific attributes:

client MAC address
SSID
client IP address
redirect URL
grant URL
status code

AUTHOR

Inverse inc. <info@inverse.ca>

COPYRIGHT

Copyright (C) 2005-2015 Inverse inc.

LICENSE

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.