autoMAC: A Tool for Automating Network Moves, Adds, and Changes Christopher J. Tengi Princeton University <[email protected]>
Jan 07, 2016
What’s the problem?
- Over 1500 hosts
- Over 100 IP subnets/VLANs
- 672 user switch ports (currently)
- 388 wall boxes
- 1072 patch points
1072 Patch Points
Why subnets?
Why not a flat network?
- Broadcast domains
- User segregation
- Access control
How we used to do it
- Email host registration requests
- Manual host database entry
- Manual patch installation
- Switch re-configuration
So, what’s wrong with that?
- Users never get it right the first time
- Manual host entry is prone to errors
- Patch panel diving is a pain
- Did you remember to set the port VLAN?
- Did you save the switch config?
What we wanted
- Automation!
- Less user interaction :-)
- Better accuracy
- Static switch configuration
What we did
- Automate the host database
- Automate switch port VLAN assignment
- Keep everyone in the right place
Automating the host database
- Move to a web-based registration system
- Use a daemon to process requests
- Have the daemon rebuild all the database extracts
Automating VLAN assignment
- No more manual switch configuration
- Any port, any VLAN, any time
- Use the host MAC address as the key
- Registration VLAN for unknown hosts
The nitty-gritty
Tools we used
- Existing host database
- FreeRADIUS
- NetReg
Tools we used - Host DB
- Originally only for administrators
- Very little field validation
- Input through a 'vi'-based interface
- Extracts generated manually with 'make'
Tools we used - FreeRADIUS
- Config files generated from Host DB
- Originally implemented for Cisco APs
- Our user switches could "speak" RADIUS
Tools we used - NetReg
- Web-based data input
- Two to choose from:
  - Carnegie Mellon University
  - Southwestern University
Integration: Tying it all together
Integration - Host database
- Web registration form
- Field validation on the form
- Automate request processing
Integration - RADIUS server
- Use the MAC address to look up the VLAN
- Add "tunnel" A/V pairs to the Access-Accept response
- Unknown MAC addresses are rejected
Integration - Hardware
- First, get a vendor to write code for you
- Why not 802.1X?
- Known hosts always land on the right VLAN
  - Locally registered
  - Mobile IP
- Unknown hosts land on the registration VLAN
Integration - NetReg Server
- Listening on the registration VLAN
- Answers all DHCP requests
- Specifies itself as DNS server/gateway
- Answers any HTTP request
- Requires a CS username/password
- Presents the host registration form
- Sends the completed form for processing
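The pipeline the "Integration" slides describe (form field validation, the daemon processing a request and rebuilding the FreeRADIUS extract from the host DB, and the RADIUS server answering a MAC-auth request with tunnel attributes or a reject) as one added Python example. This is not autoMAC's own code (that is at the URL at the end of the deck) and the host DB here is an in-memory dict. The domain cs.example.edu, the hostnames, MAC addresses, VLAN numbers, the registration VLAN number and the CS username are constructed sample data; the users-file layout with Auth-Type := Accept is one common FreeRADIUS style, and the format in which a given switch puts the MAC into User-Name is vendor-specific, which is why both sides are normalized before comparison.

```python
import re

REGISTRATION_VLAN = 999          # constructed: the VLAN unknown hosts land on
DOMAIN = "cs.example.edu"        # constructed stand-in for the real domain

# Constructed host DB extract: hostname -> (MAC as the admin typed it, VLAN)
HOST_DB = {
    "alpha." + DOMAIN: ("00:11:22:33:44:55", 10),
    "beta." + DOMAIN:  ("00-11-22-33-44-66", 20),
}

_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_mac(mac):
    """Accept colon, dash, Cisco dotted or bare hex and return 12 lower-case
    hex digits. This is the lookup key; switches differ in how they format
    User-Name for MAC auth, so normalize both the request and the DB side."""
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("invalid MAC address: %r" % mac)
    return digits


def validate_form(form):
    """Field validation done on the web form, so the daemon never sees the
    malformed requests that used to arrive by email. Returns (record, errors)."""
    errors, mac, vlan = [], None, None
    label = form.get("hostname", "").strip().lower()
    if not _HOST_RE.match(label):
        errors.append("hostname must be a single DNS label")
    try:
        mac = normalize_mac(form.get("mac", ""))
    except ValueError as e:
        errors.append(str(e))
    try:
        vlan = int(form.get("vlan", ""))
        if not 1 <= vlan <= 4094 or vlan == REGISTRATION_VLAN:
            raise ValueError
    except ValueError:
        errors.append("vlan must be 1-4094 and not the registration VLAN")
    if errors:
        return None, errors
    return (label + "." + DOMAIN, mac, vlan), []


def radius_lookup(db, user_name):
    """What the RADIUS server answers a MAC-auth request with: Access-Accept
    carrying the RFC 3580 tunnel attributes that put the port on the host's
    VLAN, or Access-Reject, which the switch turns into the registration VLAN."""
    try:
        key = normalize_mac(user_name)
    except ValueError:
        return "Access-Reject", {}
    for host, (mac, vlan) in db.items():
        if normalize_mac(mac) == key:
            return "Access-Accept", {
                "Tunnel-Type": "VLAN",
                "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": str(vlan),
            }
    return "Access-Reject", {}


def users_extract(db):
    """Rebuild the FreeRADIUS 'users' file from the host DB: one entry per MAC,
    Auth-Type := Accept because the MAC itself is the credential here."""
    out = []
    for host, (mac, vlan) in sorted(db.items()):
        out.append("# %s" % host)
        out.append("%s\tAuth-Type := Accept" % normalize_mac(mac))
        out.append("\tTunnel-Type = VLAN,")
        out.append("\tTunnel-Medium-Type = IEEE-802,")
        out.append('\tTunnel-Private-Group-Id = "%d"' % vlan)
        out.append("")
    return "\n".join(out)


def process_registration(db, form, cs_user):
    """The daemon's job: only an authenticated CS user may register, the MAC and
    hostname must be new, then add the host and rebuild the extract."""
    if not cs_user:
        return False, ["registration requires a CS username/password"]
    record, errors = validate_form(form)
    if errors:
        return False, errors
    host, mac, vlan = record
    if radius_lookup(db, mac)[0] == "Access-Accept":
        return False, ["MAC %s is already registered" % mac]
    if host in db:
        return False, ["hostname %s is already registered" % host]
    db[host] = (mac, vlan)
    return True, users_extract(db)


def walk_through():
    """Unknown host is rejected, registers through NetReg, then is accepted."""
    db = dict(HOST_DB)
    before = radius_lookup(db, "0011.2233.4477")[0]
    ok, extract = process_registration(
        db, {"hostname": "gamma", "mac": "00:11:22:33:44:77", "vlan": "30"}, "alice")
    after = radius_lookup(db, "00-11-22-33-44-77")
    return before, ok, after, extract
```

The caveat a practitioner will want noted: with the MAC address as the only key, anyone who can learn a registered MAC can clone it and land on that host's VLAN, so the VLAN assignment is an administrative convenience and an access-control layer against accidental placement, not a strong authentication of the host; the "Why not 802.1X?" question on the hardware slide is exactly that trade-off.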
Future Enhancements
Virus/patch scanning on the registration VLAN
Automatic isolation of newly-infected hosts
Expand registration VLAN concept to 802.11b
Conclusions
- Automation is a good thing
- Open Source Software is invaluable
- Sometimes you can get what you want
Acknowledgements
- Princeton CS Technical Staff
- Jon Finke
- Rob Kolstad
Availability
http://www.CS.Princeton.EDU/autoMAC/