doc/radiusvlan: update

Signed-off-by: Alessandro Rubini <rubini@gnudd.com>

doc/radiusvlan: update
Signed-off-by: Alessandro Rubini <rubini@gnudd.com>
aa679b1e · Alessandro Rubini · ae584eb1 · aa679b1e
Commit aa679b1e authored Oct 14, 2020 by Alessandro Rubini
Hide whitespace changes
Inline Side-by-side

Showing with 69 additions and 30 deletions

radiusvlan.in doc/radiusvlan.in +69 -30

No files found.
--- a/doc/radiusvlan.in
+++ b/doc/radiusvlan.in
@@ -60,7 +60,9 @@
 @top Introduction

 This document describes a new feature of the White Rabbit Switch,
-to be used in GSI.  When a devices is detected on a port which is
+to be used in GSI, which is a subset of IEEE 802.1X.
+
+When a devices is detected on a port which is
 configured as ``access'', a Radius server is queried for authorization.

 The features is called @i{radiusvlan} or @i{rvlan} when a shorter name
@@ -69,6 +71,10 @@ to @i{buildroot} in a new @i{freeradius-utils} package. The package
 installs @i{radtest}, @i{radclient} and a minimal dictionary (the full
 dictionary is more than 1MB worth of data).

+I chose to install an older version of radclient because the current
+version requires a special allocator (libtalloc), that had to be added
+to buildroot too.
+
 @c ##########################################################################
 @node Related Kconfig Items
 @chapter Related Kconfig Items
@@ -111,13 +117,17 @@ of them has effects on the firmware build, they are only used at runtime.
        value set forth in @i{dot-config} rather than what the Radius
        server returned. Thus, the Radius server's reply is only used
        to authorize or not the port (if not, @t{NOAUTH_VLAN} is applied).
-        

 @item RVLAN_RADIUS_SERVERS

 	A string listing the IP addresses of a set of Radius servers.
        Currently, only the first address (or the only one) is used.

+@item CONFIG_RVLAN_RADIUS_SECRET
+
+	The string used to encrypt radius frames, called ``secret''
+        in radius documentation.
+
 @end table


@@ -168,6 +178,18 @@ port does not stop operation on other ports (the engine is based
 on @i{select()}).

 @table @code
+
+@item RVLAN_GODOWN
+
+	This state is the default state for enumerated ports, and it
+        is entered whenever @i{netlink} reports that the
+        interface went down. This state turns the port to @i{vlan_auth}
+        and forgets the peer's mac address it.
+        It also closes any open file descriptor and
+        kills the child process, if it exists.  Thus, no remaining
+        garbage remains in the system even if the fiber is unplugged
+        and re-plugged quickly several times.
+
 @item RVLAN_DOWN

 	The port is quietly down.
@@ -211,18 +233,10 @@ on @i{select()}).

 	The port is quietly running, no action is performed.

-@item RVLAN_GODOWN
-
-	This state is entered whenever @i{netlink} reports that the
-        interface went down. It closes any open file descriptor and
-        kills the child process, if it exists.  Thus, no remaining
-        garbage remains in the system even if the fiber is unplugged
-        and re-plugged quickly several times.
-             
 @item RVLAN_WAIT

-	Wait for the child process to terminate (after we killed it).
-        A transient state that leads to @t{RVLAN_DOWN}.
+	Wait for the child process to terminate (if we killed it
+        in @t{GODOWN}). This is a transient state that leads to @t{DOWN}.

 @end table

@@ -239,7 +253,8 @@ so @i{wrs_vlans} is re-run if it fails, and so on.  Failure in
 reading replies from @i{radclient} turn the FSM to @i{GODOWN}, so
 the procedure is started again -- because the port is up.

-If the Radius server is not reachable @i{radclient} will time out
+If the Radius server is not reachable @i{radclient} will time out,
+so the state machine is not stuck.

 The startup script uses @t{CONFIG_WRS_LOG_OTHER} as a destination for
 its own output, and it is verified to work with my local @i{rsyslog}
@@ -284,16 +299,6 @@ creates @i{/tmp/rvlan-status} with the above information.  If
 @i{radiusvlan} is not running, @i{rvlan-status} will report
 ``@t{radiusvlan: no process found}''.

-@c ==========================================================================
-@node Forcing Re-Authorizazion
-@section Forcing Re-Authorizazion
-
-By sending @i{SIGUSR2} to a running @i{radiusvlan} all state machines
-are turned to @t{JUSTUP} so all authorization is retried.  Please note
-that this is pretty raw, and should only be run in a quiet system
-where all interfaces are @i{configured} or @i{down} (the cleanup of
-state @t{GODOWN} is not performed).
-
 @c ==========================================================================
 @node Looking at Authorization Strings
 @section Looking at Authorization Strings
@@ -327,9 +332,12 @@ There are two example: a successful @i{wri17} authentication and a failed
 @node Verbose Operation
 @section Verbose Operation

-Finally, if you set @t{RVLAN_VERBOSE} to a non-empty value in the
+If you set @t{RVLAN_VERBOSE} to a non-empty value in the
 tool's environment, initial enumeration and state machine changes are
-reported to @i{stdout}. This is an example on a running switch where
+reported to @i{stdout}.
+
+This ``verbose'' mode can also be entered (or left) by seding @t{SIGUSR2},
+see below.  This is an example on a running switch where
 @i{radiusvlan} was already automatically run:

 @smallexample
@@ -368,6 +376,38 @@ In the above example, two interface were up and authorization failed for
 both (as seen, @i{radclient} did @t{exit(1)}).  Both interfaces
 are configured in vlan 4094.

+@c ==========================================================================
+@node Forcing Re-Authorizazion
+@section Forcing Re-Authorizazion
+
+By sending @i{SIGUSR2} to a running @i{radiusvlan} all state machines
+are turned to @t{JUSTUP} so all authorization is retried, and verbose
+mode is toggled.  Please note
+that this is pretty raw, and should only be run in a quiet system
+where all interfaces are @i{configured} or @i{down} (the cleanup of
+state @t{GODOWN} is not performed).
+
+The simple script @t{rvlan-debug} can be used to send @t{SIGUR2}
+and check the new value of verbosity. This example is in a system
+where @i{radiusvlan} was automatically started at boot:
+
+@smallexample
+   wrs#rvlan-debug
+   radiusvlan verbose level is now 1
+@end smallexample
+
+Diagnostic messages are then sent to syslog, using my
+@t{CONFIG_WRS_LOG_OTHER} and related configuration choices.
+To turn off verbosity, run the command again:
+
+@smallexample
+   wrs#rvlan-debug
+   radiusvlan verbose level is now 0
+@end smallexample
+
+Let me repeat this trivial diagnostic feature is not meant for
+production use because it may leave some garbage in the system (e.g. a
+zombie @i{radclient} process).

 @c ##########################################################################
 @node Bugs and Missing Features
@@ -381,14 +421,12 @@ A few, unfortunately
 the servers found in @t{RVLAN_RADIUS_SERVERS}, moving to the next one
 when a server is not replying (like in the @i{wri3} example above).

-@item Currently a port is not moved to @i{vid} ``auth'' during authorization.
-The value is saved to the internal state but not enacted.
-
 @item It is not expected that MAC addresses change. Both identification
 of self frames and blessing of peers (for authorization) has an
 ever-lasting effect. Clearly, if you change client in a port, the
 link-down and link-up events will force authentication on the new mac
-address.
+address, but if you change the mac address of a PTP slave while
+it runs, authorization is not re-run.

 @item Vlan configuration only happens with @t{--pvid} configuration,
 and no action is performed on the routing table.
@@ -402,6 +440,7 @@ sometimes cannot just be derived by the individual @i{vid} settings.
 I was told that for the current application (an ``obey-dotconfig''
 one) I should not touch the routing table, but I'm sure this is not
 correct for a real multi-vlan setup (especially a dynamic
-radius-driven environment).  This should be investigated.
+radius-driven environment).  This should be investigated when new use
+cases get real.

 @bye