Note: this setup is probably the WORST documented piece of Open Source software I have come across, and
all forum posts I have found on it are of people struggling with it. So here goes.. “how do I use FreeRADIUS as a VMPS server?”. Shouldn’t be hard, right?…
- Make sure you have FreeRADIUS running; see my two earlier posts on FreeRADIUS and Dot1X authentication.
- Make sure you allow UDP 1589 for VQP (= VMPS), so the client requests from the switch can come in (iptables!).
Don’t forget to allow the IOS devices to come in as clients (see my earlier posts about the RADIUS setup) in clients.conf:
client 192.168.3.0/24 {
	secret = SECRET_KEY
	shortname = R1
	nastype = cisco
}
On your Linux server, create a “mac2vlan” file in the configuration directory:
# more /etc/freeradius/mac2vlan
10:dd:b1:99:c1:5b,VLAN0020
Note 1: The VLAN NAME, and NOT the NUMBER, is required.
Note 2: The configuration directory may vary, see radiusd.conf.
Note 3: Contrary to many postings (and very confusing), the “users” file is used for Dot1X and NOT VMPS!
Note 4: Probably a silly remark.. but VMPS assigns a port to a VLAN but DOES NOT CREATE the VLAN.
(you can use VTP 1 or 2 for administering that.. but I wouldn’t recommend it)
So create the VLANs that you want to administer with VMPS prior to deploying VMPS.
Now “enable the virtual server that is part of FreeRADIUS”:
just create a link in /etc/freeradius/sites-enabled called “vmps” that points to
/etc/freeradius/sites-available/vmps. Or.. just copy the file to /etc/freeradius/sites-enabled/vmps.
IMPORTANT in the file is:
server vmps {
	listen {
		ipaddr = *
		port = 1589
		type = vmps
		interface = bond0 # adjust if need be.
	}
	vmps {
		if (!VMPS-Mac) {
			if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
				update request {
					VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
				}
			}
			else {
				update request {
					VMPS-Mac = "%{VMPS-Cookie}"
				}
			}
		}
		mac2vlan # UNCOMMENTED!
		update reply {
			VMPS-Packet-Type = VMPS-Join-Response
			VMPS-Cookie = "%{VMPS-Mac}"
			VMPS-VLAN-Name = "VLAN0099" # stub VLAN for fall through
		}
		if (VMPS-Packet-Type == VMPS-Reconfirm-Request) {
			update reply {
				VMPS-Packet-Type := VMPS-Reconfirm-Response
			}
		}
	}
}
—>>> MAKE SURE YOU UNCOMMENT THE LINE “mac2vlan” IF YOU DO NOT WANT TO STORE YOUR MAC ADDRESSES ELSEWHERE <<<—
The VMPS-VLAN-Name line is the fall-through for unidentified MAC addresses; in my case they end up in VLAN0099 (VLAN 99).
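To see what the vmps section above actually decides for a given request, here is an added Python walk-through (my own example, not part of FreeRADIUS or the original post): it validates a mac2vlan file the way Note 1 demands (VLAN names, not numbers), derives the MAC from the Ethernet frame with the same regex, falls back to the cookie, and picks the reply type and VLAN. The sample mac2vlan text and frame bytes are constructed; lowercasing of MACs on both sides is my assumption.

```python
import re

# Regex from the vmps section: skip "0x" plus the 12-hex-char destination
# MAC and capture the six source-MAC bytes.
FRAME_RE = re.compile(r"0x.{12}(..)(..)(..)(..)(..)(..).*")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
FALLBACK_VLAN = "VLAN0099"  # stub VLAN from the post's update reply

# Constructed sample (not the post's file); line 3 has the mistake Note 1 warns about.
SAMPLE_MAC2VLAN = """# constructed mac2vlan sample
10:dd:b1:99:c1:5b,VLAN0020
00:11:22:33:44:55,20
aa:bb:cc:dd:ee:ff,VLAN0030
"""

def load_mac2vlan(text):
    """Parse mac2vlan contents into {mac: vlan_name}; collect bad lines."""
    mapping, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            problems.append(f"line {lineno}: expected 'mac,VLANNAME'")
            continue
        mac, vlan = parts[0].lower(), parts[1]  # lowercase MACs (my assumption)
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: malformed MAC {mac!r}")
        elif vlan.isdigit():
            problems.append(f"line {lineno}: {vlan!r} is a VLAN number, name required")
        else:
            mapping[mac] = vlan
    return mapping, problems

def mac_from_request(frame=None, cookie=None):
    """Same choice the unlang makes when VMPS-Mac is absent: frame, else VMPS-Cookie."""
    m = FRAME_RE.search(frame) if frame else None
    return ":".join(m.groups()).lower() if m else cookie

def decide(mapping, packet_type, frame=None, cookie=None):
    """Return (reply packet type, VLAN name) as the vmps section would set them."""
    mac = mac_from_request(frame, cookie)
    vlan = mapping.get(mac, FALLBACK_VLAN)  # unknown MAC falls through to the stub VLAN
    if packet_type == "VMPS-Reconfirm-Request":
        return "VMPS-Reconfirm-Response", vlan
    return "VMPS-Join-Response", vlan
```

Run load_mac2vlan over your real file before reloading: a VLAN number where a name belongs is exactly the kind of mistake that silently lands every port in the stub VLAN.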
3. Test the bloody thing with “freeradius -X”. If it fails to load.. you know where to look.
4. On the switch:
(config) # vmps server 192.168.3.20 primary
(config-if)# switchport access vlan dynamic
Also on the switch, use :
# debug vqpc all
5. Test..
By disabling and re-enabling an interface, you can initiate the VQPC authentication.
Afterwards:
(config-if)#do sh int fa0/21 switchport
[…]
Access Mode VLAN: 20 (VLAN0020)
Pffff… say hallelujah if it works..