Skip to content
Projects
Groups
Snippets
Help
Loading...
Sign in
Toggle navigation
W
White Rabbit Switch - Software
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
86
Issues
86
List
Board
Labels
Milestones
Merge Requests
4
Merge Requests
4
CI / CD
CI / CD
Pipelines
Schedules
Wiki
Wiki
image/svg+xml
Discourse
Discourse
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Projects
White Rabbit Switch - Software
Commits
aa679b1e
Commit
aa679b1e
authored
Oct 14, 2020
by
Alessandro Rubini
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
doc/radiusvlan: update
Signed-off-by:
Alessandro Rubini
<
rubini@gnudd.com
>
parent
ae584eb1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
69 additions
and
30 deletions
+69
-30
radiusvlan.in
doc/radiusvlan.in
+69
-30
No files found.
doc/radiusvlan.in
View file @
aa679b1e
...
...
@@ -60,7 +60,9 @@
@top Introduction
This document describes a new feature of the White Rabbit Switch,
to be used in GSI. When a devices is detected on a port which is
to be used in GSI, which is a subset of IEEE 802.1X.
When a devices is detected on a port which is
configured as ``access'', a Radius server is queried for authorization.
The features is called @i
{
radiusvlan
}
or @i
{
rvlan
}
when a shorter name
...
...
@@ -69,6 +71,10 @@ to @i{buildroot} in a new @i{freeradius-utils} package. The package
installs @i
{
radtest
}
, @i
{
radclient
}
and a minimal dictionary (the full
dictionary is more than 1MB worth of data).
I chose to install an older version of radclient because the current
version requires a special allocator (libtalloc), that had to be added
to buildroot too.
@c ##########################################################################
@node Related Kconfig Items
@chapter Related Kconfig Items
...
...
@@ -111,13 +117,17 @@ of them has effects on the firmware build, they are only used at runtime.
value set forth in @i
{
dot-config
}
rather than what the Radius
server returned. Thus, the Radius server's reply is only used
to authorize or not the port (if not, @t
{
NOAUTH
_
VLAN
}
is applied).
@item RVLAN
_
RADIUS
_
SERVERS
A string listing the IP addresses of a set of Radius servers.
Currently, only the first address (or the only one) is used.
@item CONFIG
_
RVLAN
_
RADIUS
_
SECRET
The string used to encrypt radius frames, called ``secret''
in radius documentation.
@end table
...
...
@@ -168,6 +178,18 @@ port does not stop operation on other ports (the engine is based
on @i
{
select()
}
).
@table @code
@item RVLAN
_
GODOWN
This state is the default state for enumerated ports, and it
is entered whenever @i
{
netlink
}
reports that the
interface went down. This state turns the port to @i
{
vlan
_
auth
}
and forgets the peer's mac address it.
It also closes any open file descriptor and
kills the child process, if it exists. Thus, no remaining
garbage remains in the system even if the fiber is unplugged
and re-plugged quickly several times.
@item RVLAN
_
DOWN
The port is quietly down.
...
...
@@ -211,18 +233,10 @@ on @i{select()}).
The port is quietly running, no action is performed.
@item RVLAN
_
GODOWN
This state is entered whenever @i
{
netlink
}
reports that the
interface went down. It closes any open file descriptor and
kills the child process, if it exists. Thus, no remaining
garbage remains in the system even if the fiber is unplugged
and re-plugged quickly several times.
@item RVLAN
_
WAIT
Wait for the child process to terminate (
after we killed it).
A transient state that leads to @t
{
RVLAN
_
DOWN
}
.
Wait for the child process to terminate (
if we killed it
in @t
{
GODOWN
}
). This is a transient state that leads to @t
{
DOWN
}
.
@end table
...
...
@@ -239,7 +253,8 @@ so @i{wrs_vlans} is re-run if it fails, and so on. Failure in
reading replies from @i
{
radclient
}
turn the FSM to @i
{
GODOWN
}
, so
the procedure is started again -- because the port is up.
If the Radius server is not reachable @i
{
radclient
}
will time out
If the Radius server is not reachable @i
{
radclient
}
will time out,
so the state machine is not stuck.
The startup script uses @t
{
CONFIG
_
WRS
_
LOG
_
OTHER
}
as a destination for
its own output, and it is verified to work with my local @i
{
rsyslog
}
...
...
@@ -284,16 +299,6 @@ creates @i{/tmp/rvlan-status} with the above information. If
@i
{
radiusvlan
}
is not running, @i
{
rvlan-status
}
will report
``@t
{
radiusvlan: no process found
}
''.
@c ==========================================================================
@node Forcing Re-Authorizazion
@section Forcing Re-Authorizazion
By sending @i
{
SIGUSR2
}
to a running @i
{
radiusvlan
}
all state machines
are turned to @t
{
JUSTUP
}
so all authorization is retried. Please note
that this is pretty raw, and should only be run in a quiet system
where all interfaces are @i
{
configured
}
or @i
{
down
}
(the cleanup of
state @t
{
GODOWN
}
is not performed).
@c ==========================================================================
@node Looking at Authorization Strings
@section Looking at Authorization Strings
...
...
@@ -327,9 +332,12 @@ There are two example: a successful @i{wri17} authentication and a failed
@node Verbose Operation
@section Verbose Operation
Finally, i
f you set @t
{
RVLAN
_
VERBOSE
}
to a non-empty value in the
I
f you set @t
{
RVLAN
_
VERBOSE
}
to a non-empty value in the
tool's environment, initial enumeration and state machine changes are
reported to @i
{
stdout
}
. This is an example on a running switch where
reported to @i
{
stdout
}
.
This ``verbose'' mode can also be entered (or left) by seding @t
{
SIGUSR2
}
,
see below. This is an example on a running switch where
@i
{
radiusvlan
}
was already automatically run:
@smallexample
...
...
@@ -368,6 +376,38 @@ In the above example, two interface were up and authorization failed for
both (as seen, @i
{
radclient
}
did @t
{
exit(1)
}
). Both interfaces
are configured in vlan 4094.
@c ==========================================================================
@node Forcing Re-Authorizazion
@section Forcing Re-Authorizazion
By sending @i
{
SIGUSR2
}
to a running @i
{
radiusvlan
}
all state machines
are turned to @t
{
JUSTUP
}
so all authorization is retried, and verbose
mode is toggled. Please note
that this is pretty raw, and should only be run in a quiet system
where all interfaces are @i
{
configured
}
or @i
{
down
}
(the cleanup of
state @t
{
GODOWN
}
is not performed).
The simple script @t
{
rvlan-debug
}
can be used to send @t
{
SIGUR2
}
and check the new value of verbosity. This example is in a system
where @i
{
radiusvlan
}
was automatically started at boot:
@smallexample
wrs#rvlan-debug
radiusvlan verbose level is now 1
@end smallexample
Diagnostic messages are then sent to syslog, using my
@t
{
CONFIG
_
WRS
_
LOG
_
OTHER
}
and related configuration choices.
To turn off verbosity, run the command again:
@smallexample
wrs#rvlan-debug
radiusvlan verbose level is now 0
@end smallexample
Let me repeat this trivial diagnostic feature is not meant for
production use because it may leave some garbage in the system (e.g. a
zombie @i
{
radclient
}
process).
@c ##########################################################################
@node Bugs and Missing Features
...
...
@@ -381,14 +421,12 @@ A few, unfortunately
the servers found in @t
{
RVLAN
_
RADIUS
_
SERVERS
}
, moving to the next one
when a server is not replying (like in the @i
{
wri3
}
example above).
@item Currently a port is not moved to @i
{
vid
}
``auth'' during authorization.
The value is saved to the internal state but not enacted.
@item It is not expected that MAC addresses change. Both identification
of self frames and blessing of peers (for authorization) has an
ever-lasting effect. Clearly, if you change client in a port, the
link-down and link-up events will force authentication on the new mac
address.
address, but if you change the mac address of a PTP slave while
it runs, authorization is not re-run.
@item Vlan configuration only happens with @t
{
--pvid
}
configuration,
and no action is performed on the routing table.
...
...
@@ -402,6 +440,7 @@ sometimes cannot just be derived by the individual @i{vid} settings.
I was told that for the current application (an ``obey-dotconfig''
one) I should not touch the routing table, but I'm sure this is not
correct for a real multi-vlan setup (especially a dynamic
radius-driven environment). This should be investigated.
radius-driven environment). This should be investigated when new use
cases get real.
@bye
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment