SONiC PAC Support HLD #1315
SONiC PAC Support HLD #1315
Conversation
samitabh
changed the title
samitabh
changed the title
samitabh
changed the title
|
community review recording https://zoom.us/rec/share/hKVG2-Z1G9UpYRYxUvZjNHWYCQnrvFHrcGQWTU6kVwjjDEN1N43DxD1tgBFVlekP.7KytGSkbmoJeAZAl |
|
|
As per the received update during HLD review meeting, whenever RADIUS server connectivity with Switch (i.e. Authenticator) is down (due to any issues), then no new supplicant's shall be allowed to get authenticated i.e. until connectivity with RADIUS server is restored, which results in a down-time w.r.t authentication functionality for new supplicants.
|
|
IEE802.1X defines the encapsulation of EAP over Wired networks and Wireless networks. Please confirm, what is the support provided/extended in your design w.r.t this note ? |
|
As per the received update during HLD review meeting i.e. 'On session-timeout', the static FDB MAC entry aging happens and entry will be removed. Please confirm, who manages (i.e. start/stop/run etc) this timer ? what is the role of SWITCH here ? |
For port Authentication option, we need to provide local authentication as an option |
Here when I say DOS attack, once client might be generating series of MAC address and fills FDB table. I am not saying MAC address as malicious or not. My point is that since you are creating FDB entry for MAC before client gets authenticated and hence FDB may get filled up. Instead logic should be you add MAC entry only after authentication. |
[Amitabha] Generally these clients are laptops, printers etc. and will not be sending STP and LACP packets. We will however make a note and come back on this in a further release. |
|
@thovikeerthi |
As discussed during community discussion we are going to have single HLD. Hence we need to update HLD with local authentication. Pl let me know how CG can do this? |
Let's have a separate HLD for Local Authentication with this HLD as a base reference HLD. |
|
Are theare any other code PRs for the feature opened? If not, is there any prediction when they will be opened? |
|
@msosyak feature contribution is planned for 202405, expect code PR posting in the next few weeks |
|
@adyeung please help to update the HLD with the code PRs, so that we can track the feature progress. Thanks. |
Done |
| Once a client is authenticated, authorization parameters from RADIUS can be sent for the client. The Authenticator switch processes these RADIUS attributes to apply to the client session. Following attributes are supported. | ||
|
|
||
| - *VLAN Id*: This is the VLAN ID sent by a RADIUS server for the authenticated client. This VLAN should be a pre-created VLAN on the switch. | ||
| - *Session Timeout*: This is the timeout attribute of the authenticated client session. |
There was a problem hiding this comment.
Do we have default session for un-authenticated clients as well?
For instance lets say if a MAB auth-request is rejected by Radius server and if we dont have a session timeout and immediately remove the client. Then the next packet from the client would trigger another Radius request, incase if the client is generating too many packets, the Radius connection might be overloaded.
One way to maintain a session timer for auth-failed clients as well. Please let me know if this was considered during the design
| | ||
|
|
||
| ### 2.2.5 VLAN | ||
| 1. PAC associates authenticated clients to a VLAN on the port. |
There was a problem hiding this comment.
Does this change involve writing to config_db?
What if the user does 'config save' while the PAC has authenticated the client and added a port to Radius specified VLAN, would this make the configuration persistent?
I'm assuming we only do 'Vlan member add' and not 'VLAN create' based on the radius response, what if the radius specified VLAN is not present in the system? Do we error out?
| 2. The pacd, mabd and hostapdmgrd gets notified about their respective configurations. | ||
| 3. hostapd being a standard Linux application gets its configuration from a hostapd.conf file. hostapdmgrd generates the hostapd.conf file based on the relevant CONFIG_DB tables. hostapdmgrd informs hostapd about the list of ports it needs to run on. This port list is dynamic as it depends of port link/admin state, port configuration etc. hostapdmgrd keeps hostapd updated about these changes. | ||
| 4. These modules communicate amongst themselves via socket messages. | ||
| 5. hostapd listens to EAPoL PDUs on the provided interface list. When it receives a PDU, it consults pacd and proceeds to authenticate the client. pacd also listens to "unknown src MAC" and triggers MAB, if configured on the port, to authenticate the client. |
There was a problem hiding this comment.
What is client sends a EAPOL pkt followed by regular ETH packet, im assuming there is a possibility that both dot1x (triggered by hostapd) & MAB authentication can happen concurrently.
How does pacd behave during this? Also how do we make we give higher priority to a specific auth-method lets say 'dot1x'?
| "port_control_mode": "auto", | ||
| "host_control_mode": "multi_auth", | ||
| "reauth_period": 60, | ||
| "reauth_enable": "true", |
There was a problem hiding this comment.
Just a suggestion, maybe consider removing this field and indicting disabled by setting reauth_period as 0. This would be inline with how its done in hostapd.conf
EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
reauthentication).
eap_reauth_period=3600
SONiC PAC Support HLD
The PAC functionality requires the changes to the below Repos. The associated PRs are listed below in merge sequence