wilson
A Go (golang) dot1x server that runs locally on network switches as a secondary authentication server. When a switch becomes stranded from its primary dot1x server, wilson will authenticate endpoints by OUI using a flexible policy. Wilson was developed to provide supplemental policy-map type control support for an Arista EOS campus healthcare environment with colorless ports and a high up-time requirement.
TODO
This is effectively a prototype. While it servers the intended purpose, it needs tests and perhaps some refactoring. The goal of wilson is to be easily readable and maintainable.
Installation & Compilation
go get -u github.com/autoalan/wilson
Wilson will run once compiled without modification on most platforms. Simply clone this repository and compile wilson.go in the apps folder. For Arista EOS switches, use the 386 architecture.
# GOARCH=386 go build app/wilson.go
Usage
When executed for the first time, wilson expects to load its configuration from URL. Subsequent executions will use a defined configuration file (.wilson by default) automatically created in the directory containing the directory if the the server is unreachable or if the URL flag is omitted.
./wilson -url https://my-lb-site.internal.org/wilson.json
For implementations on Arista EOS, consider using an event-handler or even perhaps rc.eos.
Wilson expects the configuration to conform to a known JSON schema. Below is an example of a configuration file.
{
"configFile": ".wilson",
"configRefresh": 5,
"configURL": "https://my-lb-site.internal.org/wilson.json",
"serverBinding": "127.0.0.1:1812",
"serverSecret": "127001",
"policies": [{
"comment": "Issue an access-accept for trusted Roche analyzers",
"clientOui": "B8:78:79",
"clientVlan": 5,
"radiusCode": 2
},
{
"comment": "Issue an access-reject for unauthorized TP-Link endpoints",
"clientOui": "d8-07-b6",
"clientVlan": 0,
"radiusCode": 2
},
{
"comment": "Ignore all other requestst; the default policy is the last policy",
"clientOui": "0000.00",
"clientVlanvlan": 0,
"radiusCode": 0
}
]
}| Parameter | Description |
|---|---|
| configFile | This is the path to the configuration that will be saved locally if the the server hosting the URL config is unavailable. |
| configRefresh | The interval in seconds to poll the server for configuration updates. |
| configURL | The URL to the initial configuration file. |
| serverBinding | The server binding used for requests. Typically this will be localhost for obvious reasons. |
| serverSecret | The RADIUS secret to authenticate the NAS client. |
| comment | Ignored by wilson. This is for humans. |
| clientOui | A 24-bit hexadecimal string representing the OUI of a MAC address. Delimiters (":", "-", ".") are ignored. |
| clientVlan | The VLAN to be assigned to the client on access-accept. |
| radiusCode | Standard RADIUS codes supported by the underlying radius library. A typical deployment would leverage 2 (Accept), 3 (Reject) and 0 (Ignore or discard the request). |
License
MPL 2.0
Author
Alan Haynes (alan@networkautomation.engineer).
Huge thanks to Tim Cooper for the superb radius implementation.