LanWarden
N.B. this page is incomplete and in flux. LanWarden works, though; I am just trying to find the time to document everything in the hope that others can make use of it.
LanWarden is a method of keeping workstation registrations in LDAP and using RADIUS to make policy decisions from them: QoS, VLAN assignment, mixed data/voice on the same cable, and so on. The framework is focused on 802.1X on both wired and wireless networks (with a mindset to make sure eduroam is globally supported) but supports MAC-auth as well. Beyond host networking, it also aims to place DNS and DHCP information in LDAP and to record RADIUS accounting data in SQL, providing a complete asset-tracking system (which can be queried via Microsoft Excel).
These pages describe the framework, collectively named LanWarden, and how it has been deployed and used at SOAS. Although primarily focused as a solution for the education sector, most of the following would work just as well in a commercial enterprise environment.
Example Cisco IOS switch configuration used with LanWarden (addresses and the RADIUS secret are placeholders):
lldp run
no lldp tlv-select management-address
no lldp tlv-select system-description
!
aaa new-model
!
aaa group server radius lanwarden
 server 192.0.2.1 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
aaa authentication dot1x default group lanwarden
aaa authorization network default group lanwarden
aaa accounting dot1x default start-stop group lanwarden
!
ip dhcp snooping vlan 71-73,127-128
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
ip dhcp snooping
ip multicast-routing distributed
ip arp inspection vlan 71-73,127-128
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
!
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
vlan 71
 name purpose-one (voip)
!
vlan 72
 name purpose-two (managed workstations)
!
vlan 73
 name purpose-three (unmanaged workstations)
!
vlan 127
 name unauthorised
!
vlan 128
 name eduroam
!
interface Vlan71
 description voip
 ip address 10.XXX.71.1 255.255.255.0
 ip helper-address 192.0.2.53
 ! the following works around 'switchport protected'
 ip local-proxy-arp
 ! cisco automatically slips these two in when we local proxy arp
 !no ip redirects
 !ip route-cache same-interface
!
interface Vlan72
 description users-managed
 ip address 10.XXX.72.1 255.255.255.0
 ip helper-address 192.0.2.53
 no ip redirects
 no ip proxy-arp
 ip pim passive
 ip igmp version 3
!
interface Vlan73
 description users-unmanaged
 ip address 10.XXX.73.1 255.255.255.0
 ip helper-address 192.0.2.53
 no ip redirects
 no ip proxy-arp
 ip pim passive
 ip igmp version 3
!
interface FastEthernet1/0/1
 description example edge port
 switchport access vlan 127
 switchport mode access
 switchport protected
 switchport voice vlan 71
 authentication control-direction in
 authentication event fail retry 3 action next-method
 authentication event no-response action authorize vlan 127
 authentication host-mode multi-domain
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 storm-control broadcast level pps 125 40
 storm-control action trap
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app
 spanning-tree portfast
 ip verify source port-security
 ip dhcp snooping limit rate 10
!
ip radius source-interface Loopback0
!
radius-server host 192.0.2.1 auth-port 1812 acct-port 1813 key <SECRET-HERE>
radius-server unique-ident 1
radius-server vsa send accounting
radius-server vsa send authentication
VoIP
post-auth {
    ...
    # Cisco MDA Voice VLAN support: on a wired port, a 'voip' VLAN result is
    # turned into the MDA voice-domain AVPair and the tunnel attributes are
    # removed, so the phone is placed in the port's configured voice VLAN
    if (NAS-Port-Type == "Ethernet" && reply:Tunnel-Private-Group-Id == "voip") {
        update reply {
            Tunnel-Type -= VLAN
            Tunnel-Medium-Type -= IEEE-802
            Tunnel-Private-Group-Id !* ANY
            Cisco-AVPair = "device-traffic-class=voice"
        }
    }
    ...
}
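The decision the post-auth block above makes, as an added example in Python (not LanWarden's own code) that also covers the registration-to-VLAN step described at the top of the page. The registration record format, the group names other than 'voip', and the fallback to the unauthorised group are assumptions; the Cisco MDA rule itself is the one on this page.

```python
# Added example, not code from LanWarden: a miniature of the RADIUS policy
# decision this page describes. Registration records are assumed to be dicts
# returned by an LDAP lookup (the real schema is not on the page).

# Tunnel-Private-Group-Id values the switch maps to its VLANs. 'voip' is the
# value the page's post-auth rule matches; the other names are assumptions.
GROUP_BY_PURPOSE = {
    "voip": "voip",                 # handsets (Cisco MDA voice domain on wired)
    "managed": "users-managed",     # managed workstations
    "unmanaged": "users-unmanaged", # unmanaged workstations
}
UNAUTHORISED_GROUP = "unauthorised"  # assumed fallback for unknown registrations


def policy_reply(registration):
    """Build the VLAN reply attributes for a registration record (or None)."""
    purpose = (registration or {}).get("purpose")
    group = GROUP_BY_PURPOSE.get(purpose, UNAUTHORISED_GROUP)
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": group,
    }


def apply_cisco_mda(reply, nas_port_type):
    """Same decision as the page's post-auth block: on an Ethernet port a
    'voip' result drops the tunnel attributes and sets the MDA voice AVPair,
    so the phone lands in the port's configured voice VLAN. Other port types
    (e.g. wireless) keep the plain VLAN assignment."""
    if nas_port_type == "Ethernet" and reply.get("Tunnel-Private-Group-Id") == "voip":
        reply = {k: v for k, v in reply.items() if not k.startswith("Tunnel-")}
        reply["Cisco-AVPair"] = "device-traffic-class=voice"
    return reply


def decide(registration, nas_port_type):
    """Full path: LDAP registration -> VLAN reply -> NAS-specific fix-ups."""
    return apply_cisco_mda(policy_reply(registration), nas_port_type)


if __name__ == "__main__":
    # Constructed sample registrations, standing in for LDAP lookup results.
    phone = {"mac": "00:11:22:33:44:55", "purpose": "voip"}
    laptop = {"mac": "66:77:88:99:aa:bb", "purpose": "managed"}
    for reg, port in ((phone, "Ethernet"), (laptop, "Ethernet"),
                      (phone, "Wireless-802.11"), (None, "Ethernet")):
        print(port, reg and reg["purpose"], decide(reg, port))
```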
Caveats
Before going down the combined data/voice path, you should look for the following support in the handsets you buy:
- LLDP support - power and VoIP VLAN discovery (LLDP-MED)
- Ethernet passthrough
- PoE - low power requirements with good idle statistics
- 802.1X support - EAP-MD5 at least, with support for '@soas.ac.uk' in the username. EAP-TLS and EAP-TTLS/(PAP|CHAP) would be nice too
- gatekeeper/PBX information from DNS SRV records (NAPTR for SIP discovery is a good and long-standing standard that supports failover and can trivially work from outside SOAS), or multicast SLP, or at worst DHCP (in descending order of preference)
- SIP, not H.323
- sends an EAP proxy logoff to the switch when the workstation is unplugged - something similar must happen for workstations using MAC-auth (failure to do so means WoL will not work, although you might be able to work around the problem with Intel's vPro McWhatsit)
- fast boot - a phone should not take two to five minutes to boot; it should be in the order of seconds!
When you have a pile of handsets to test that meet the above requirements, you should test the following before committing to a particular vendor/model:
- cold start, and already booted, EAP authentication on a workstation; unplug it to see if there is an EAP proxy logoff acknowledged by the switch
- 'dot1x re-auth int FaX/0/Y' actually makes it to the workstation to reauthenticate (might do this automatically and have to be picked up
- MAC-auth on the workstation is available
- 802.1X EAP-MD5 with an '@soas.ac.uk' username works; do not compromise on MAC-auth for the handsets, as a handset that cannot do 802.1X itself is unlikely to handle EAP at the workstation end well, which is important
- test that a re-auth of the workstation works; you will have to either crank down the RADIUS Session-Timeout or wait until multiple six hour (roughly 65536 seconds) periods have passed, to guarantee that it continues to work over the long term
- useful and interesting things appear in 'show lldp neighbors' on the switch (Windows Vista/7 support LLDP too, which might be interesting)
- do the whole dot1x phone and dot1x/MAC-auth thing with one phone and a workstation. Unplug everything and then try with a different phone and/or workstation. Go through the full (tedious) set of combinations
Useful Links
LanWarden - LDAP driven 802.1x and DHCP (Networkshop 36) - overview presentation