Configuring an VMPS server with FreeRadius

Note: this setup is probably the WORST documented peace of Open Source software I have come across and

all forums times I have found on it are of people struggling with it. So here goes.. “how do I use Freeradius as a VMPS server?”. Shouldn’t be hard right?…

  1. Make sure you have freeradius running, see my two earlier posts on FreeRadius and Dot1X authentication.
  2.  freeradius

-> make sure you allow UDP.1589 for VQP (=VMPS) – Clients requests from the Switch to come in.  (iptables!)

Don’t forget to allow the IOS devices to come in as clients (see my earlier posts about the RADIUS setup) in clients.conf:

client 192.168.3.0/24 {

secret = SECRET_KEY

shortname = R1

nastype = cisco

}

On your Linux server, create a “mac2vlan” file in the configuration directory:

# more /etc/freeradius/mac2vlan

10:dd:b1:99:c1:5b,VLAN0020

 

Note 1: The Vlan NAME, and NOT NUMBER is required.

Note 2: The configuration direcory may vary, see radiusd.conf.

Note 3: Contrary to many postings (and very confusing), the “users” file is used for Dot1X and NOT VMPS!

Note 4: Probably a silly remark.. but VMPS assigns a port to a VLAN but DOES NOT CREATE the VLAN.

(you can use VTP 1 or 2 for administering that.. but I wouldn’t recommend it)

So create the VLANs that you want to administer with VMPS prior to deploying VMPS.

 

Now “enable the virtual server that is part of FreeRadius” :

just create a link in /etc/freeradius/sites-enabled of a file called “vmps” that points to

/etc/freeradius/sites-available/vmps. Or.. just copy the file to /etc/freeradius/sites-enabled/vmps.

 

IMPORTANT in the file is:

server vmps {

listen {

ipaddr = *

port = 1589

type = vmps

interface = bond0 # adjust if need be.

}

vmps {

if (!VMPS-Mac) {

if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {

update request {

VMPS-Mac = “%{1}:%{2}:%{3}:%{4}:%{5}:%{6}”

}

}

else {

update request {

VMPS-Mac = “%{VMPS-Cookie}”

}

}

}

mac2vlan # UNCOMMENTED!

update reply {

VMPS-Packet-Type = VMPS-Join-Response

VMPS-Cookie = “%{VMPS-Mac}”

VMPS-VLAN-Name = “VLAN0099″ # stub VLAN for fall through

}

if (VMPS-Packet-Type == VMPS-Reconfirm-Request){

update reply {

VMPS-Packet-Type := VMPS-Reconfirm-Response

}

}

}

}

 

—>>> MAKE SURE YOU UNCOMMENT THE LINE “mac2vlan” IF YOU DO NOT WANT TO STORE YOUR MAC ADDRESSES ELSEWHERE <<<—

The VMPS-VLAN-Name line is for unidentified MAC addresses, they will end up in VLAN99 in my case.

3. Test the bloody thing with “freeradius -X”. If it fails to load.. you know where to look.

4. On the switch:

(config) # vmps server 192.168.3.20 primary

(config-if)# switchport access vlan dynamic

 

Also on the switch, use :

debug vqpc all

 

5. Test..

By enabling / disabling an interface, you can initiaite the VQPC authentication.

Afterwards:

(config-if)#do sh int fa0/21 switchport

[...]

Access Mode VLAN: 20 (VLAN0020)

Pffff… say hallelujah if it works..

This entry was posted in Cisco Networking. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


nine − 7 =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)

What is 12 + 4 ?
Please leave these two fields as-is: