Authentication of network nodes and assignment of virtual LAN using the White Rabbit switches
1. Introduction
The 802.1X authentication standard is supported by the latest (non-official) software release of the White Rabbit (WR) switch (WRS) [1].
It is implemented by the radiusvlan utility and provides the following features:
- authenticate a network node by its credentials (the node's MAC address, which is sent as both user name and password) and
- set the virtual LAN (VLAN) ID of a switch port depending on the authentication result
However, the built-in utility has a few limitations by default:
- only access-mode ports are monitored
- rejected nodes can still receive all packets from the WRS
- PTP and LLDP traffic is not affected by the authentication result
The utility provides a set of configuration options that are integrated into the WRS configuration (dot-config).
This article presents different approaches on how WRS can be configured to enable 802.1x authentication for WR nodes and support VLAN assignment for its ports.
2. Configuration options of radiusvlan
All configuration options of radiusvlan are listed below [2]:
- CONFIG_RVLAN_ENABLE: The boolean option selects whether the tool is to be run or not. If disabled, the tool will not run and the related monit rule won’t be activated. No further config option has any effect if this flag is false.
- CONFIG_RVLAN_PMASK: A port mask. If any bit in the mask is 0, the associated port will not be monitored by the tool. Port wri1 is associated to bit 0, and so on until wri18 associated to bit 17. Bits 18-31 are ignored. The default value is all-1.
- CONFIG_RVLAN_AUTH_VLAN: A temporary vid to be used during port authorization. Defaults to 2589.
- CONFIG_RVLAN_NOAUTH_VLAN: The vid to be used for ports that are not authorized. Defaults to 2588.
- CONFIG_RVLAN_OBEY_DOTCONFIG: A boolean option. If set, radiusvlan will obey the vid value set forth in dot-config rather than what the Radius server returned. Thus, the Radius server’s reply is only used to authorize or not the port (if not, NOAUTH_VLAN is applied).
- CONFIG_RVLAN_RADIUS_SERVERS: A comma-separated list of the names or IP addresses of a set of Radius servers.
- CONFIG_RVLAN_RADIUS_SECRET: The shared secret between the WRS and the RADIUS servers, called "secret" in RADIUS documentation. It is used to hide the User-Password attribute and to authenticate the server's replies (Response Authenticator); it does not encrypt the RADIUS frames as a whole.
These options are stored in /wr/etc/dot-config and can be edited with commands like 'make nconfig' or 'make config' [3].
In general, radiusvlan listens for any device connecting to the host WRS. Once a WR node is connected, it sends an Access-Request to a remote RADIUS server to authenticate that WR node, using the node's MAC address as both User-Name and User-Password. If the RADIUS server accepts the request, it responds with an Access-Accept message that also specifies a designated VLAN ID (VID) for the WR node; if it rejects the request, radiusvlan applies the VID from CONFIG_RVLAN_NOAUTH_VLAN instead. Finally, radiusvlan takes the returned VID and sets it on the switch port to which the accepted WR node is connected.
Note that this MAC-based authentication identifies a node but does not prove its identity: the "password" is the node's MAC address, which is visible on the wire and can be set freely on most interfaces, so any device presenting a registered MAC is accepted. The shared secret only protects the exchange between the WRS and the RADIUS server, not the node.
The concrete VID assignment by RADIUS is specified with the following attributes in an Access-Accept message [4]:
- IETF 64 (Tunnel-Type): set this to VLAN (value 13)
- IETF 65 (Tunnel-Medium-Type): set this to IEEE-802 (value 6)
- IETF 81 (Tunnel-Private-Group-ID): set this to the VLAN ID
The example below shows the authentication messages exchanged with a remote RADIUS server using the built-in radtest tool (arguments: user name, password, server, NAS port number, shared secret):
nwt0296m66#radtest 00267b0006c5 00267b0006c5 192.168.16.xyz 10 secret
Sending Access-Request of id 152 to 192.168.16.xyz port 1812 # request to a RADIUS server
User-Name = "00267b0006c5"
User-Password = "00267b0006c5"
NAS-IP-Address = 192.168.21.42
NAS-Port = 10
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.16.xyz port 1812, id=152, length=50 # response with acceptance from the RADIUS server
Tunnel-Type:0 = 13 # type = VLAN
Tunnel-Medium-Type:0 = IEEE-802 # protocol = 802
Framed-Protocol = PPP
Service-Type = Framed-User
Tunnel-Private-Group-Id:0 = "2984" # VID = 2984
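The following Python script is an added example, not code from the WRS project or from radiusvlan, that reproduces the exchange above in memory: the WRS side builds the Access-Request with the MAC address as User-Name and hidden User-Password (RFC 2865), a minimal server side checks the MAC against a constructed users table and answers with the three tunnel attributes sealed by the Response Authenticator, and the WRS side verifies that seal before trusting the VID. The users table, the NAS address 192.168.21.42, the identifier 152 and the secret "secret" are taken from this page for illustration only; the server logic is a simplification of what FreeRADIUS does, and unlike the users file in section 4.1 the client here insists on Tunnel-Type and Tunnel-Medium-Type as [4] prescribes.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2868
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
USERS = {b"00267b0004da": 2984, b"70b3d5635225": 2985}  # constructed stand-in for the users file: MAC -> VID

def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def _tagged_int(atype, tag, value):  # Tunnel-Type / Tunnel-Medium-Type: tag byte + 3-byte value
    return _attr(atype, bytes([tag]) + value.to_bytes(3, "big"))

def _xor_password(data, secret, request_auth, hiding):
    """RFC 2865 5.2: b1 = MD5(S|RA), b_i = MD5(S|c_{i-1}); XOR each 16-byte block with b_i."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], block))
        out += chunk
        prev = chunk if hiding else data[i:i + 16]  # the chain always runs over the ciphertext
    return out

def hide_password(password, secret, request_auth):
    return _xor_password(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def reveal_password(hidden, secret, request_auth):
    return _xor_password(hidden, secret, request_auth, False).rstrip(b"\x00")

def parse_attrs(attrs):
    """Type/Length/Value list -> {type: [value, ...]}; rejects truncated attributes."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute list")
        out.setdefault(attrs[i], []).append(attrs[i + 2:i + attrs[i + 1]])
        i += attrs[i + 1]
    return out

def build_access_request(mac, secret, nas_ip, nas_port, ident, request_auth):
    """WRS side: the node's MAC address goes out as both User-Name and User-Password."""
    attrs = (_attr(USER_NAME, mac)
             + _attr(USER_PASSWORD, hide_password(mac, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_reply(request, secret, users):
    """Server side: accept iff the MAC is registered and the password equals it; seal the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    name = attrs.get(USER_NAME, [b""])[0]
    password = reveal_password(attrs.get(USER_PASSWORD, [b""])[0], secret, request_auth)
    if code == ACCESS_REQUEST and name in users and hmac.compare_digest(password, name):
        reply_code = ACCESS_ACCEPT
        reply_attrs = (_tagged_int(TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN)
                       + _tagged_int(TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802)
                       + _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(users[name]).encode()))
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs

def vid_from_reply(request, reply, secret):
    """WRS side: verify id, length and Response Authenticator, then extract the VID (None = rejected)."""
    if len(reply) < 20 or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("reply does not match the outstanding request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
    if reply[0] != ACCESS_ACCEPT:
        return None  # Access-Reject: the port gets CONFIG_RVLAN_NOAUTH_VLAN
    attrs = parse_attrs(reply[20:])
    def tagged(atype):  # 3-byte value behind the tag byte, or -1 if absent or malformed
        v = attrs.get(atype, [b""])[0]
        return int.from_bytes(v[1:], "big") if len(v) == 4 else -1
    if tagged(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or tagged(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        raise ValueError("Access-Accept without VLAN tunnel attributes")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, [b""])[0]
    if group and group[0] <= 0x1F:  # RFC 2868: a leading byte <= 0x1F is a tag, not part of the text
        group = group[1:]
    vid = int(group.decode("ascii"))
    if not 1 <= vid <= 4094:
        raise ValueError(f"VID {vid} out of range")
    return vid

def exchange(mac, secret, users=USERS, request_auth=None, server_secret=None):
    """One in-memory round trip; returns the VID for the port, or None if the node is rejected."""
    request_auth = request_auth or os.urandom(16)
    request = build_access_request(mac, secret, "192.168.21.42", 10, 152, request_auth)
    reply = server_reply(request, server_secret or secret, users)
    return vid_from_reply(request, reply, secret)
```

The Response Authenticator check is what stops a host on the management segment from answering a request with a forged Access-Accept carrying a VID of its choice: a reply sealed with the wrong secret is rejected before any attribute is looked at. The MAC check on the server side, by contrast, only proves that the client knows a registered MAC address.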
3. Virtual LAN (VLAN) assignment by radiusvlan and RADIUS
The GSI timing system is organized into up to 10 VLANs, relying solely on the VLAN mechanism provided by the WRS [5].
The VLAN mechanism is implemented in a WRS by two components:
- port functionality and
- frame forwarding rules
The assignment of a VLAN ID (VID) by radiusvlan affects only the port functionality.
In the GSI timing system an access-layer WRS is the only interface that connects a Timing Receiver (TR) to the WR timing and control network. VLANs are set up by assigning a VLAN ID (VID) to the switch ports reserved for the TRs of the different nodes (FECs, gateways, B2B nodes); these ports are configured to operate in access mode: a WR port in this mode accepts only untagged ingress frames, tags ingress frames with the port's VID, and removes the VLAN tag from egress frames.
Hence, with radiusvlan, VLANs can be set up dynamically based on the authentication result. According to [5] an access-mode port can be set to one of the following VIDs:
- 2601 (up-stream service): if the TR of a normal node (FEC) is accepted
- control VID (2590-2594): if the TR of a special node (gateway, B2B) is accepted
- 2588 (unauthenticated): if a TR is rejected
- 2589 (default): if nothing is detected
Therefore, considering the VLAN features of the WRS, there are three possibilities to set the VID of an access-mode WR port: static, dynamic and mixed.
3.1. Static assignment
These are the settings currently applied to the GSI timing system (as of 10.3.2022). The VID of each port is taken from the VLAN configuration in dot-config (CONFIG_VLANS_PORT[nn]_VID, nn=01-18), ignoring the VID provided by the RADIUS server. The role of radiusvlan is here limited to node authentication: if RADIUS rejects the node, the VID specified in CONFIG_RVLAN_NOAUTH_VLAN is applied instead of the configured one.
The key configuration options of radiusvlan are presented in Table 3.1.
Table 3.1. Configuration options used to assign VIDs statically for all WR ports
Option | Value | Description
CONFIG_RVLAN_ENABLE | y | radiusvlan is enabled and running
CONFIG_RVLAN_PMASK | "ffffffff" | all access-mode ports are monitored by radiusvlan
CONFIG_RVLAN_OBEY_DOTCONFIG | y | radiusvlan applies the VID set in dot-config rather than the one the RADIUS server provides; the RADIUS reply is only used to authenticate the WR node
CONFIG_VLANS_PORT[nn]_VID | "2601" | If the WR node at port [nn] is accepted, the port gets this VID; otherwise the VID specified in CONFIG_RVLAN_NOAUTH_VLAN=2588 is set. This is a VLAN configuration option and does not belong to the radiusvlan configuration.
3.2. Dynamic assignment
This method was initially the desired one, but it has not been applied because of an inconsistency in the present network management: unfortunately, all registered WR nodes (Data Masters, FECs, gateways, B2B nodes) are allocated in one large VLAN (IP sub-network).
In this case the RADIUS server would return the same VID for all WR nodes, so all access-mode ports would get the same VID, resulting in a single large VLAN in the timing system.
3.3. Mixed assignment
The idea here is to assign VIDs:
- statically for those ports that are reserved for special WR nodes (Data Masters, gateways, B2B nodes and other sender nodes) and
- dynamically for ports that are reserved only for normal WR nodes (FECs)
Caveat: this excludes all special WR nodes from 802.1X authentication altogether; whatever is plugged into a port outside the port mask gets the statically configured VID without being authenticated.
As an example, Table 3.2 presents the configuration options of radiusvlan in which VIDs are dynamically assigned to ports wri2-9 only.
Table 3.2. Configuration options used to assign VIDs dynamically for WR ports 2-9 (port 1 is assumed to be in trunk mode)
Option | Value | Description
CONFIG_RVLAN_ENABLE | y | radiusvlan is enabled and running
CONFIG_RVLAN_PMASK | "000001fe" | only ports wri2-9 (bits 1-8) are monitored by radiusvlan; no authentication for ports wri1 and wri10-18
CONFIG_RVLAN_OBEY_DOTCONFIG | n | radiusvlan applies the VID provided by the RADIUS server
CONFIG_VLANS_PORT[mm]_VID | "2601" | dot-config VID for ports wri2-9, mm=02-09; for these ports it is overridden by the VID returned by RADIUS
CONFIG_VLANS_PORT[nn]_VID | "2595" | static VID applied to ports wri10-18, nn=10-18
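To avoid computing the port mask by hand, the added Python helper below (not part of the WRS software) converts between port lists and CONFIG_RVLAN_PMASK, renders the options of Table 3.2 as dot-config lines, and runs a few consistency checks on a dot-config fragment: ports outside the mask that will never be authenticated, a mask with bits above 17 set, and a static port VID that coincides with the unauthenticated or temporary radiusvlan VLAN (which would put a rejected node into a production VLAN). The quoting of the numeric CONFIG_RVLAN_*_VLAN values and the RADIUS server address 192.168.2.1 are assumptions; the checker strips quotes either way.

```python
import re

PORTS = [f"wri{i}" for i in range(1, 19)]  # an 18-port WRS; PMASK bits 18-31 are ignored

def pmask_from_ports(ports):
    """Port names -> CONFIG_RVLAN_PMASK value; wri1 is bit 0, ..., wri18 is bit 17."""
    mask = 0
    for port in ports:
        n = int(re.fullmatch(r"wri(\d+)", port).group(1))
        if not 1 <= n <= 18:
            raise ValueError(f"{port}: only wri1-wri18 can be monitored")
        mask |= 1 << (n - 1)
    return f"{mask:08x}"

def ports_from_pmask(pmask):
    """Inverse of pmask_from_ports; accepts the quoted form found in dot-config."""
    mask = int(pmask.strip('"'), 16)
    return [f"wri{i + 1}" for i in range(18) if mask >> i & 1]

def render_dotconfig(monitored, obey_dotconfig, port_vids, noauth_vlan=2588,
                     auth_vlan=2589, servers="192.168.2.1", secret="secret"):
    """Emit the radiusvlan options and the per-port VIDs as dot-config lines."""
    lines = ["CONFIG_RVLAN_ENABLE=y",
             f'CONFIG_RVLAN_PMASK="{pmask_from_ports(monitored)}"',
             f'CONFIG_RVLAN_AUTH_VLAN="{auth_vlan}"',        # quoting assumed
             f'CONFIG_RVLAN_NOAUTH_VLAN="{noauth_vlan}"',    # quoting assumed
             f"CONFIG_RVLAN_OBEY_DOTCONFIG={'y' if obey_dotconfig else 'n'}",
             f'CONFIG_RVLAN_RADIUS_SERVERS="{servers}"',
             f'CONFIG_RVLAN_RADIUS_SECRET="{secret}"']
    for port in PORTS:
        lines.append(f'CONFIG_VLANS_PORT{int(port[3:]):02d}_VID="{port_vids[port]}"')
    return "\n".join(lines)

def parse_dotconfig(text):
    """KEY=value lines -> dict; surrounding quotes are dropped."""
    opts = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(CONFIG_\w+)=(.*)", line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def check_dotconfig(text):
    """Return human-readable findings about the radiusvlan / VLAN interplay."""
    opts = parse_dotconfig(text)
    if opts.get("CONFIG_RVLAN_ENABLE") != "y":
        return ["radiusvlan disabled: no port is authenticated, static VIDs apply everywhere"]
    findings = []
    mask = int(opts.get("CONFIG_RVLAN_PMASK", "ffffffff"), 16)
    if mask >> 18:
        findings.append("PMASK sets bits above 17; those bits are ignored by radiusvlan")
    monitored = set(ports_from_pmask(f"{mask:08x}"))
    unmonitored = [p for p in PORTS if p not in monitored]
    if unmonitored:
        findings.append("never authenticated (outside PMASK): " + ", ".join(unmonitored))
    noauth = opts.get("CONFIG_RVLAN_NOAUTH_VLAN", "2588")
    auth = opts.get("CONFIG_RVLAN_AUTH_VLAN", "2589")
    for port in unmonitored:
        vid = opts.get(f"CONFIG_VLANS_PORT{int(port[3:]):02d}_VID")
        if vid in (noauth, auth):
            findings.append(f"{port}: static VID {vid} collides with the radiusvlan "
                            f"{'unauthenticated' if vid == noauth else 'temporary'} VLAN")
    if opts.get("CONFIG_RVLAN_OBEY_DOTCONFIG") == "n":
        findings.append("OBEY_DOTCONFIG=n: monitored ports take their VID from RADIUS; "
                        "the dot-config VIDs for them are placeholders only")
    return findings
```

For the configuration of Table 3.2 the checker reports wri1 and wri10-18 as never authenticated and no VID collision; changing CONFIG_RVLAN_NOAUTH_VLAN to 2595 would make rejected nodes share the VLAN of the static ports, which the collision check flags.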
4. Test on the mixed assignment of VIDs
4.1. Setup
The mixed assignment of VIDs is tested in the following setup:
- RADIUS server (IP=192.168.2.1, secret=secret)
- access-layer WRS (configured according to Table 3.2)
- 2 registered WR nodes (TRs); the connection to the WRS is labeled as '<===> port'
  - dev/wbm0 (MAC=00:26:7b:00:04:da) <===> wri12
  - dev/wbm2 (MAC=70:b3:d5:63:52:25) <===> wri2
- 2 unregistered WR nodes (Data Master and TR)
  - dev/wbm1 (MAC=00:26:7b:00:04:dc) <===> wri15
  - dev/ttyUSB0 (MAC=70:b3:d5:63:52:28) <===> wri4
Note that only wri2 and wri4 lie inside the port mask of Table 3.2; wri12 and wri15 are not monitored, so the nodes attached there are never authenticated.
The user configuration of the RADIUS server is given below (/etc/freeradius/3.0/users). These entries return only Tunnel-Private-Group-Id, not the Tunnel-Type and Tunnel-Medium-Type attributes listed in section 2:
00267b0004da Cleartext-Password := "00267b0004da"
        Auth-Type := Accept,
        Reply-Message := "Hello, %{User-Name} - timing receiver (dev/wbm0)",
        Service-Type := Framed-User,
        Tunnel-Private-Group-Id:0 = "2984" # VID = 2984
70b3d5635225 Cleartext-Password := "70b3d5635225"
        Auth-Type := Accept,
        Reply-Message := "Hello, %{User-Name} - timing receiver (dev/wbm2)",
        Service-Type := Framed-User,
        Tunnel-Private-Group-Id:0 = "2985" # VID = 2985
4.2. Result
The expected results are:
- WRS timing status: all WR nodes are locked and in TRACK_PHASE
- WRS VLAN status: the VIDs of ports wri2-9 depend on the authentication result, the VID of ports wri10-18 is set to "2595"
- ports wri2-9 are monitored by radiusvlan
The WRS status below shows that all expected results were achieved. In particular, wri2 (registered dev/wbm2) receives the VID 2984 returned by RADIUS, wri4 (unregistered dev/ttyUSB0) is placed in the unauthenticated VLAN 2588, and both wri12 (registered dev/wbm0) and wri15 (unregistered dev/wbm1) receive the static VID 2595 without any authentication, because they lie outside the port mask.
nwt0298m66#wr_mon
WR Switch Sync Monitor WP3a-wrpc_fixes-24-gf313343b [q = quit]
WR time (TAI) : 2022-03-10 12:18:37.002523 Leap seconds: 37
Switch time (UTC): 2022-03-10 12:18:00.002483 TAI-UTC : +37.000040
TimingMode: BC PLL locking state: LOCKED
----- HAL ---|---------------------------------- PPSI --------------------------------------------------------
Iface| Freq |Inst| Name | Config | MAC of peer port | PTP/EXT/PDETECT States | Pro | VLANs
------+------+----+--------------+------------+-------------------+------------------------------+-----+------
wri1 | Lock | 0 |wri1-1-wr-raw |slave | 70:b3:d5:91:e3:0e | SLAVE /IDLE /EXT_ON | V-W | 2601
wri2 | | 1 |wri2-1-wr-raw |master | 70:b3:d5:63:52:25 | MASTER /IDLE /EXT_ON | R-W | # dev/wbm2 is locked
*wri3 | | 2 |wri3-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
wri4 | | 3 |wri4-1-wr-raw |master | 70:b3:d5:63:52:28 | MASTER /IDLE /EXT_ON | R-W | # dev/ttyUSB0 is locked
*wri5 | | 4 |wri5-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri6 | | 5 |wri6-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri7 | | 6 |wri7-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri8 | | 7 |wri8-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri9 | | 8 |wri9-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri10| | 9 |wri10-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri11| | 10 |wri11-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
wri12| | 11 |wri12-1-wr-raw|master | 00:26:7b:00:04:da | MASTER /IDLE /EXT_ON | R-W | # dev/wbm0 is locked
*wri13| | 12 |wri13-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri14| | 13 |wri14-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
wri15| | 14 |wri15-1-wr-raw|master | 00:26:7b:00:04:dc | MASTER /IDLE /EXT_ON | R-W | # dev/wbm1 is locked
*wri16| | 15 |wri16-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri17| | 16 |wri17-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
*wri18| | 17 |wri18-1-wr-raw|master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
nwt0298m66#wrs_vlans --plist
#------------------------------------------------------------
# HP mask: 0x00
#------------------------------------------------------------
# QMODE FIX_PRIO PRIO PVID MAC UNTAG
#------------------------------------------------------------
wri1 1 TRUNK 0 0 0 000000000000 0
wri2 0 ACCESS 0 0 2984 000000000000 1 # wri2 gets VID = 2984 (dynamic assignment)
wri3 0 ACCESS 0 0 2589 000000000000 1 # wri3 gets VID = 2589 by default
wri4 0 ACCESS 0 0 2588 000000000000 1 # wri4 gets VID = 2588 (dynamic assignment)
wri5 0 ACCESS 0 0 2589 000000000000 1
wri6 0 ACCESS 0 0 2589 000000000000 1
wri7 0 ACCESS 0 0 2589 000000000000 1
wri8 0 ACCESS 0 0 2589 000000000000 1
wri9 0 ACCESS 0 0 2589 000000000000 1
wri10 0 ACCESS 0 0 2595 000000000000 1 # wri10-18 gets VID = 2595 (static assignment)
wri11 0 ACCESS 0 0 2595 000000000000 1
wri12 0 ACCESS 0 0 2595 000000000000 1
wri13 0 ACCESS 0 0 2595 000000000000 1
wri14 0 ACCESS 0 0 2595 000000000000 1
wri15 0 ACCESS 0 0 2595 000000000000 1
wri16 0 ACCESS 0 0 2595 000000000000 1
wri17 0 ACCESS 0 0 2595 000000000000 1
wri18 0 ACCESS 0 0 2595 000000000000 1
nwt0298m66#rvlan-status
wri2 (70b3d591e56d <-> 70b3d5635225): state configured, vlan 2984, pid 0, fd -1 # dev/wbm2 is accepted, wri2 is set VID = 2984
wri3 (70b3d591e56e <-> ): state down, vlan 2589, pid 0, fd -1
wri4 (70b3d591e56f <-> 70b3d5635228): state configured, vlan 2588, pid 0, fd -1 # dev/ttyUSB0 is rejected, wri4 is set VID = 2588
wri5 (70b3d591e570 <-> ): state down, vlan 2589, pid 0, fd -1
wri6 (70b3d591e571 <-> ): state down, vlan 2589, pid 0, fd -1
wri7 (70b3d591e572 <-> ): state down, vlan 2589, pid 0, fd -1
wri8 (70b3d591e573 <-> ): state down, vlan 2589, pid 0, fd -1
wri9 (70b3d591e574 <-> ): state down, vlan 2589, pid 0, fd -1
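As an added example (not a tool shipped with the WRS), the Python script below parses excerpts of the three outputs above, constructed from the listings with the trailing comments removed, and cross-checks them against the port mask of Table 3.2 and the default AUTH/NOAUTH VLANs: it lists ports where a rejected node sits (VLAN 2588), access ports outside the mask that carry a live node without authentication, ports where rvlan-status and wrs_vlans disagree on the PVID, ports where an authorised node is still in the temporary VLAN, and ports where the PTP peer MAC seen by wr_mon differs from the MAC that rvlan-status authenticated. On the page's data it reports wri4 as rejected and wri12/wri15 as unauthenticated peers.

```python
import re

AUTH_VLAN, NOAUTH_VLAN = 2589, 2588  # CONFIG_RVLAN_AUTH_VLAN / CONFIG_RVLAN_NOAUTH_VLAN defaults
PMASK = 0x000001fe                   # CONFIG_RVLAN_PMASK of Table 3.2: wri2-9 monitored

# Constructed excerpts of the wr_mon, wrs_vlans --plist and rvlan-status outputs above
WR_MON = """\
wri1 | Lock | 0 |wri1-1-wr-raw |slave | 70:b3:d5:91:e3:0e | SLAVE /IDLE /EXT_ON | V-W | 2601
wri2 | | 1 |wri2-1-wr-raw |master | 70:b3:d5:63:52:25 | MASTER /IDLE /EXT_ON | R-W |
*wri3 | | 2 |wri3-1-wr-raw |master | 00:00:00:00:00:00 | DISABLED /IDLE /NONE | R-W |
wri4 | | 3 |wri4-1-wr-raw |master | 70:b3:d5:63:52:28 | MASTER /IDLE /EXT_ON | R-W |
wri12| | 11 |wri12-1-wr-raw|master | 00:26:7b:00:04:da | MASTER /IDLE /EXT_ON | R-W |
wri15| | 14 |wri15-1-wr-raw|master | 00:26:7b:00:04:dc | MASTER /IDLE /EXT_ON | R-W |
"""
WRS_VLANS = """\
wri1 1 TRUNK 0 0 0 000000000000 0
wri2 0 ACCESS 0 0 2984 000000000000 1
wri3 0 ACCESS 0 0 2589 000000000000 1
wri4 0 ACCESS 0 0 2588 000000000000 1
wri12 0 ACCESS 0 0 2595 000000000000 1
wri15 0 ACCESS 0 0 2595 000000000000 1
"""
RVLAN_STATUS = """\
wri2 (70b3d591e56d <-> 70b3d5635225): state configured, vlan 2984, pid 0, fd -1
wri3 (70b3d591e56e <-> ): state down, vlan 2589, pid 0, fd -1
wri4 (70b3d591e56f <-> 70b3d5635228): state configured, vlan 2588, pid 0, fd -1
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")

def monitored_ports(pmask):
    return {f"wri{i + 1}" for i in range(18) if pmask >> i & 1}

def parse_wr_mon(text):
    """port -> peer MAC without colons, or None when no peer is linked."""
    peers = {}
    for line in text.splitlines():
        port, mac = re.match(r"\*?(wri\d+)", line), MAC_RE.search(line)
        if port and mac:
            raw = mac.group(1)
            peers[port.group(1)] = None if raw == "00:00:00:00:00:00" else raw.replace(":", "")
    return peers

def parse_wrs_vlans(text):
    """port -> (qmode name, PVID)"""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(wri\d+)\s+\d+\s+(\w+)\s+\d+\s+\d+\s+(\d+)", line)
        if m:
            out[m.group(1)] = (m.group(2), int(m.group(3)))
    return out

def parse_rvlan_status(text):
    """port -> (state, vlan, authenticated peer MAC or None)"""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(wri\d+) \([0-9a-f]{12} <-> ([0-9a-f]{12})?\): state (\w+), vlan (\d+)", line)
        if m:
            out[m.group(1)] = (m.group(3), int(m.group(4)), m.group(2))
    return out

def audit(wr_mon=WR_MON, wrs_vlans=WRS_VLANS, rvlan_status=RVLAN_STATUS, pmask=PMASK):
    """Cross-check the three views of the switch and return findings keyed by kind."""
    peers, vlans = parse_wr_mon(wr_mon), parse_wrs_vlans(wrs_vlans)
    rvlan, monitored = parse_rvlan_status(rvlan_status), monitored_ports(pmask)
    f = {"rejected": [], "unauthenticated_peer": [], "pvid_mismatch": [],
         "peer_mismatch": [], "stuck_default": []}
    for port, (state, vlan, peer) in rvlan.items():
        if state == "configured" and vlan == NOAUTH_VLAN:
            f["rejected"].append(port)          # a node RADIUS turned down sits on this port
        if state == "configured" and vlan == AUTH_VLAN:
            f["stuck_default"].append(port)     # authorised, yet still in the temporary VLAN
        if port in vlans and vlans[port][1] != vlan:
            f["pvid_mismatch"].append(port)     # radiusvlan and the switch disagree on the PVID
        if peer and peers.get(port) and peers[port] != peer:
            f["peer_mismatch"].append(port)     # PTP peer is not the MAC that was authenticated
    for port, mac in peers.items():
        if mac and port not in monitored and vlans.get(port, ("", 0))[0] == "ACCESS":
            f["unauthenticated_peer"].append(port)  # live node on an access port outside PMASK
    return f
```

The peer check compares the MAC that radiusvlan authenticated with the MAC the PTP layer currently sees on the same port; a difference after authorisation means the authorised node has been swapped or its address spoofed on a port that is already in a production VLAN.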
Source
[1] White Rabbit Switch 802.1X MAC Authentication (link)
[2] Documentation of radiusvlan (pdf)
[3] White Rabbit switch: user's manual (pdf)
[4] Dynamic VLAN Assignment with RADIUS Server (link)
[5] GSI Timing system infrastructure (link)
--
EnkhboldOchirsuren - 10 Mar 2022