
NAC check switch

Description

Provide an IP address or name of the network switches you want to check. The job gets information on the ports of every switch and the devices connected to them. After checking that the required local VLANs are present on the switches, it produces an XML file per switch containing all ports, each with an action, the port alias and a description.

Possible Action values:

  • already NAC: the switch port is already configured for NAC
  • not to NAC:
    • Link to other switch.
    • Uplink.
    • Dedicated stacking/VFL or trunking port.
  • to NAC:
    • Port has been down for more than 30 days.
    • Port down longer than 90% of switch uptime.
    • DHCP lease in DATA VLAN for a managed PC found on port: client hostname starting with CP, PCGEN, NBOCG or Hybrid-.
    • Any device found on a port with a MAC Vendor of Dell Inc.
    • MAC address found on a port with a successful MAC authentication test on FreeRADIUS.
  • to NAC for printer:
    • Printer found on port in DATA VLAN and a host record starting with PR or PRGEN: should be first migrated to Data-Devices VLAN.
  • to NAC for wifi:
    • Wifi AP found on the port. Alcatel-Lucent/Aruba APs should be first configured for 802.1x EAP-TLS before changing the port to NAC. Ruckus APs are out of scope and should be replaced before migrating to NAC.
  • needs checking:
    • Port has been up in the last 30 days but there is insufficient information on any MAC address connected to it.
    • MAC address in VLAN 2202 seen on this port but not a Dell PC.
    • MAC address that failed the MAC authentication test on FreeRADIUS.
    • Ports not in any other Action category.

Possible failure scenarios

  • Switch model is not supported (OS6250, OS6900).
  • Switch was not up in the last 24 hours.
  • One or more of the required local VLANs are missing: 2201, 2202, 2203, 2204, 2205, 2206, 2207, 2209, 2210, 2211. In this case, the XML output will still be generated, but the filename will be appended with _missing-VLANs-for-NAC.
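The Action rules above and the missing-VLAN filename rule, as an added worked example that is not the automation's own code: the OmniVista, Infoblox, FreeRADIUS and wifi lookups are replaced by fields on a Port record, and the field names and the rule precedence (first match wins) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
import xml.etree.ElementTree as ET
REQUIRED_VLANS = {2201, 2202, 2203, 2204, 2205, 2206, 2207, 2209, 2210, 2211}
PC_PREFIXES = ("CP", "PCGEN", "NBOCG", "Hybrid-")   # managed PC DHCP hostnames
PRINTER_PREFIXES = ("PR", "PRGEN")                  # printer host records

@dataclass
class Port:  # facts the lookups would gather; field names are assumptions
    name: str
    alias: str = ""
    nac_enabled: bool = False
    role: str = "access"          # access | switch-link | uplink | stacking | trunk
    down_days: int | None = None  # days the port has been down; None = link is up
    switch_uptime_days: int = 0
    dhcp_hostname: str = ""       # DHCP lease client hostname in the DATA VLAN
    host_record: str = ""         # Infoblox host record name
    mac_vendor: str = ""
    mac_auth: str | None = None   # FreeRADIUS MAC auth test: "ok", "failed" or None
    is_printer: bool = False
    ap_vendor: str = ""           # "aruba", "ruckus" or "" (no AP)
    vlan_2202_seen: bool = False

def classify(p: Port) -> tuple[str, str]:
    """Return (action, description); rule order is an assumption, first match wins."""
    if p.nac_enabled:
        return "already NAC", "port already configured for NAC"
    if p.role in ("switch-link", "uplink", "stacking", "trunk"):
        return "not to NAC", f"{p.role} port"
    if p.ap_vendor:
        return "to NAC for wifi", ("configure the AP for 802.1x EAP-TLS first" if p.ap_vendor == "aruba" else "Ruckus AP is out of scope, replace it first")
    if p.is_printer and p.host_record.startswith(PRINTER_PREFIXES):
        return "to NAC for printer", "migrate the printer to the Data-Devices VLAN first"
    if p.down_days is not None and (p.down_days > 30 or p.down_days > 0.9 * p.switch_uptime_days):
        return "to NAC", f"port down for {p.down_days} days"
    if p.dhcp_hostname.startswith(PC_PREFIXES):
        return "to NAC", f"managed PC {p.dhcp_hostname} on port"
    if p.mac_vendor == "Dell Inc." or p.mac_auth == "ok":
        return "to NAC", "Dell device or successful MAC authentication"
    if p.mac_auth == "failed" or p.vlan_2202_seen:
        return "needs checking", "failed MAC authentication or non-Dell MAC in VLAN 2202"
    return "needs checking", "insufficient information on connected MACs"

def write_report(switch: str, ports: list[Port], local_vlans: set[int]) -> tuple[str, str]:
    root = ET.Element("switch", name=switch)
    for p in ports:
        action, desc = classify(p)
        ET.SubElement(root, "port", name=p.name, action=action, alias=p.alias, description=desc)
    suffix = "" if REQUIRED_VLANS <= local_vlans else "_missing-VLANs-for-NAC"
    return f"{switch}{suffix}.xml", ET.tostring(root, encoding="unicode")
```

write_report returns the filename and XML text rather than writing to the share, so the classification can be checked before anything lands in the report folder.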

Credentials

  • sys_alcatelwifi_bckp
  • sys_infoblox_sg
  • NAC FreeRADIUS
  • sys_omnivista_ro
  • OmniPCX ssh account
  • Ruckus WiFi Controller Credentials
  • sys_ansible_filecopy

Input

Variable   Description
target     IP, short hostname or FQDN of the switches you wish to run a pre-NAC check on. Specify one switch or multiple switches (comma-separated).

Output

Report in \stadgent\Digipolis\Protected\Netwerk\NAC\switch_check\

Dependencies

  • Python + pyrad module
  • srvovistadata.gentgrp.gent.be: get switch information from OmniVista 2500 Network Management System
  • f5internal248.gentgrp.gent.be: MAC authentication tests on FreeRADIUS for NAC
  • f5internalqa248.gentgrp.gent.be: MAC authentication tests on FreeRADIUS for NAC QA, only when target is cpf-sw02
  • wifi.gentgrp.gent.be: get wifi AP information from Alcatel-Lucent/Aruba wifi conductor
  • srvvscg01.gentgrp.gent.be: get wifi AP information from Ruckus Virtual SmartZone wifi
  • infoblox.gentgrp.gent.be: get DHCP leases and host records from Infoblox
  • srvteloxe.gentgrp.gent.be: get IP phone information from Alcatel-Lucent OmniPCX Enterprise PBX