The Moose and Squirrel Files

September 24, 2008

Re-Imaging Computers in 802.1x Networks – Part 4

Filed under: Code, Network — networknerd @ 9:13 am

Finding the interface index
The bridge port number is converted to an interface index by appending it to the
dot1dBasePortIfIndex OID and once again performing an SNMP get, using the same vlan-indexed
community string (public@100) as the previous lookup.

G:\usr\bin>snmpget.exe -OnqU -v 2c -c public@100 192.168.36.11 .1.3.6.1.2.1.17.1.4.1.2.108
.1.3.6.1.2.1.17.1.4.1.2.108 11002

The interface index returned is 11002, and once again we can extract it from the output with a
regular expression, as the getIFIndex() function in listing 1 does.

Setting Dot1x port control
To allow the computer to connect to the network without a supplicant, the port is first placed into
forced authorised mode. The interface index is appended to
dot1xAuthAuthControlledPortControl and an SNMP set is issued with an integer
argument of 3 (FORCEAUTHORISED). The same set returns the switch port to normal dot1x
operation when the argument is 2 (AUTO). Both are performed by the
setPortControl() function in listing 2.

G:\usr\bin>snmpset.exe -v 2c -c private 192.168.36.11 .1.0.8802.1.1.1.1.2.1.1.6.11002 i 3
iso.0.8802.1.1.1.1.2.1.1.6.11002 = INTEGER: 3
G:\usr\bin>snmpset.exe -v 2c -c private 192.168.36.11 .1.0.8802.1.1.1.1.2.1.1.6.11002 i 2
iso.0.8802.1.1.1.1.2.1.1.6.11002 = INTEGER: 2

Setting the vlan
Strictly speaking, changing the vlan is not required to perform the re-imaging operation.
Restricting what is reachable from the re-imaging vlan provides a small amount of protection
against the risk of a switch port being left in the force authorised state if the re-imaging job
fails or is cancelled before the port is set back to auto. The vlan is changed by the setVlan()
function in listing 3 and set back the same way, as the last two commands below show.

G:\usr\bin>snmpget -OnqUe -v 2c -c public 192.168.36.11 vmVlan.11002
.1.3.6.1.4.1.9.9.68.1.2.2.1.2.11002 100
G:\usr\bin>snmpset -OnqUe -v 2c -c private 192.168.36.11 vmVlan.11002 i 102
.1.3.6.1.4.1.9.9.68.1.2.2.1.2.11002 102
G:\usr\bin>snmpget -OnqUe -v 2c -c public 192.168.36.11 vmVlan.11002
.1.3.6.1.4.1.9.9.68.1.2.2.1.2.11002 102
G:\usr\bin>snmpset -OnqUe -v 2c -c private 192.168.36.11 vmVlan.11002 i 100
.1.3.6.1.4.1.9.9.68.1.2.2.1.2.11002 100
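
The same lookups in Python, as an added example that is not the author's VBScript: it parses the -OnqU output format shown above and resolves a bridge port to its ifIndex the way listing 1 does. It also goes a step beyond the page by auditing a walk of the port-control column against vmVlan, so that ports left in forceAuthorized by a failed or cancelled job (the risk described in the vlan section) are listed together with the snmpset that returns them to auto(2). The walk output is constructed, and the community strings, the agent address and the re-imaging vlan 102 are taken from the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Column OIDs exactly as used on this page (numeric form, without the trailing dot).
DOT1D_BASE_PORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2"
DOT1X_PORT_CONTROL = ".1.0.8802.1.1.1.1.2.1.1.6"
VM_VLAN = ".1.3.6.1.4.1.9.9.68.1.2.2.1.2"
FORCE_UNAUTHORIZED, AUTO, FORCE_AUTHORIZED = 1, 2, 3
# Net-SNMP "-OnqU" prints one "<numeric OID> <value>" pair per line.
LINE_RE = re.compile(r"^\s*(\.[\d.]+)\s+(\S.*?)\s*$")

# Constructed sample output (not captured from a real switch): the get from the
# page, plus a walk of the port-control and vmVlan columns for three ports.
SAMPLE_GET = ".1.3.6.1.2.1.17.1.4.1.2.108 11002\n"
SAMPLE_CONTROL_WALK = (".1.0.8802.1.1.1.1.2.1.1.6.11001 2\n"
                       ".1.0.8802.1.1.1.1.2.1.1.6.11002 3\n"
                       ".1.0.8802.1.1.1.1.2.1.1.6.11003 3\n")
SAMPLE_VLAN_WALK = (".1.3.6.1.4.1.9.9.68.1.2.2.1.2.11001 100\n"
                    ".1.3.6.1.4.1.9.9.68.1.2.2.1.2.11002 102\n"
                    ".1.3.6.1.4.1.9.9.68.1.2.2.1.2.11003 100\n")

def parse_qu(output: str) -> Dict[str, str]:
    """Map every OID in snmpget/snmpwalk -OnqU output to its printed value."""
    return {m.group(1): m.group(2)
            for m in (LINE_RE.match(line) for line in output.splitlines()) if m}

def column(table: Dict[str, str], base: str) -> Dict[int, int]:
    """Reduce one table column to {instance index: integer value}."""
    prefix = base + "."
    return {int(oid[len(prefix):]): int(val) for oid, val in table.items()
            if oid.startswith(prefix) and oid[len(prefix):].isdigit()}

def ifindex_for_bridgeport(get_output: str, bridgeport: int) -> Optional[int]:
    """The lookup of listing 1: dot1dBasePortIfIndex.<bridgeport> -> ifIndex."""
    return column(parse_qu(get_output), DOT1D_BASE_PORT_IFINDEX).get(bridgeport)

def audit_forced_ports(control_walk: str, vlan_walk: str,
                       reimage_vlan: int) -> List[Tuple[int, int, str]]:
    """(ifIndex, vlan, severity) for each port still in forceAuthorized(3): on the
    re-imaging VLAN it is the residue of a failed job; on any other VLAN it is worse."""
    control = column(parse_qu(control_walk), DOT1X_PORT_CONTROL)
    vlans = column(parse_qu(vlan_walk), VM_VLAN)
    return [(i, vlans.get(i, -1), "medium" if vlans.get(i) == reimage_vlan else "high")
            for i, v in sorted(control.items()) if v == FORCE_AUTHORIZED]

def restore_auto_argv(agent: str, ifindex: int) -> List[str]:
    """argv (no shell string) for the page's snmpset that returns a port to auto(2)."""
    return ["snmpset", "-v", "2c", "-c", "private", agent,
            f"{DOT1X_PORT_CONTROL}.{ifindex}", "i", str(AUTO)]
```

Feed audit_forced_ports() the real output of snmpwalk -OnqU on the two columns; a "high" finding is a port with neither the auto(2) control nor the vlan restriction left in place.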

Listing 1


const DOT1DBASEPORTIFINDEX = " .1.3.6.1.2.1.17.1.4.1.2."
const SNMPGETCMD = "f:\usr\bin\snmpget.exe -OnqUe -v 2c -c "
const SNMPREADV = " public@" 'need community name and vlan for some info

'************************************************************************
'FUNCTION:                                                              *
' getIFIndex(strAgent, intVlan, intBridgePort)                          *
'                                                                       *
'Purpose:                                                               *
' convert a bridgeport value to an interface index suitable for         *
' use with the setvlan() and setportcontrol() functions                 *
'                                                                       *
'Inputs:                                                                *
' strAgent: management IP address of the switch                         *
' intVlan : the vlan specific instance of the forwarding table          *
' intBridgePort: bridgeport value returned from getBridgePort()         *
'                                                                       *
'Returns:                                                               *
' String containing the interface index, or an empty string on          *
' failure                                                               *
'                                                                       *
'Calls:                                                                 *
' SNMPGETCMD - constant defining the path to an external                *
' program and options used to perform an snmp get                       *
'                                                                       *
'Comments:                                                              *
' Uses community string indexing to reference the per vlan mib          *
' instance.                                                             *
' Reference cisco Document ID: 44800                                    *
' "Using SNMP to Find a Port Number from a MAC Address on a             *
' Catalyst Switch" viewed at                                            *
' http://www.cisco.com/en/US/tech/tk648/tk362/                          *
' technologies_tech_note09186a00801c9199.shtml                          *
' on 16/11/2006                                                         *
'************************************************************************
function getIFIndex(strAgent, intVlan, intBridgePort)
dim WshShell, oExec
dim re 'as regexp
dim matches
dim match
dim tempstr, stroutput
Set WshShell = CreateObject("WScript.Shell")
'community string indexing: "public@<vlan>" selects that vlan's bridge mib instance
Set oExec = WshShell.Exec(SNMPGETCMD & SNMPREADV & intVlan & " " & _
  strAgent & " " & DOT1DBASEPORTIFINDEX & intBridgePort)
'ReadAll blocks until snmpget closes stdout; then wait for the process to exit
stroutput = ""
if not oExec.StdOut.AtEndOfStream then stroutput = oExec.StdOut.ReadAll
Do While oExec.Status <> 1
  WScript.Sleep 100
Loop
set re = new regexp
re.global = True
re.multiline = True
'Pattern to capture the last digits of the snmp output
'output lines from SNMPCMD should look like
' ".1.3.6.1.2.1.17.1.4.1.2.108 11002"
'the dots in the oid are escaped so they match only literal dots
re.pattern = "^" & replace(trim(DOT1DBASEPORTIFINDEX), ".", "\.") & _
             intBridgePort & "\s+(\d+)$"
'no match (timeout, wrong community, unknown bridgeport) leaves tempstr empty
tempstr = ""
set matches = re.execute(stroutput)
for each match in matches
  tempstr = match.submatches(0)
next
getIFIndex = tempstr
end function

Listing 2


const FORCEUNAUTHORISED = 1
const AUTO = 2
const FORCEAUTHORISED = 3
const dot1xAuthAuthControlledPortControl = ".1.0.8802.1.1.1.1.2.1.1.6."
const SNMPSETCMD = "f:\usr\bin\snmpset.exe -v 2c -c "
const SNMPWRITE = " private "

'************************************************************************
'FUNCTION:                                                              *
' setPortControl(strAgent,intIFIndex, intPortControl)                   *
'                                                                       *
'Purpose:                                                               *
' sets the PaeControlledPortControl value which controls whether        *
' dot1x authentication is required.                                     *
'                                                                       *
'Inputs:                                                                *
' strAgent: management IP address of the switch                         *
' intIFIndex: port interface index returned from getIFIndex()           *
' intPortControl : the control values of the authenticator PAE          *
' controlled port. Allowed values are                                   *
' forceUnauthorized(1), auto(2),forceAuthorized(3)                      *
'                                                                       *
'Returns:                                                               *
' Integer, 0 if successful or a positive value on failure.              *
'                                                                       *
'Calls:                                                                 *
' SNMPSETCMD - constant defining the path to an external                *
' program and options used to perform an snmp set                       *
'                                                                       *
'Comments:                                                              *
' Reference IEEE Std 802.1X-2001                                        *
' "IEEE Standard for Local and metropolitan area networks—              *
' Port-Based Network Access Control"                                    *
' viewed at                                                             *
' http://standards.ieee.org/getieee802/download/802.1X-2001.pdf         *
' on 16/11/2006                                                         *
'************************************************************************
function setPortControl(strAgent,intIFIndex, intPortControl)
dim WshShell, oExec
dim stroutput
'reject anything outside forceUnauthorized(1) .. forceAuthorized(3)
if (intPortControl < FORCEUNAUTHORISED or _
  intPortControl > FORCEAUTHORISED) then
  setPortControl = 1
  exit function
end if
Set WshShell = CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(SNMPSETCMD & SNMPWRITE & " " & strAgent & _
  " " & dot1xAuthAuthControlledPortControl & intIFIndex & _
  " i " & intPortControl)
'snmpset reports timeouts and packet errors on stderr, not stdout,
'so both streams are collected before the result is inspected
stroutput = ""
if not oExec.StdOut.AtEndOfStream then stroutput = oExec.StdOut.ReadAll
if not oExec.StdErr.AtEndOfStream then stroutput = stroutput & oExec.StdErr.ReadAll
Do While oExec.Status <> 1
  WScript.Sleep 100
Loop
'a non-zero exit code or an error/timeout message means the set did not apply
if oExec.ExitCode <> 0 or instr(1, stroutput, "Error") > 0 or _
  instr(1, stroutput, "Timeout") > 0 then
  setPortControl = 2
else
  setPortControl = 0
end if
end function

Listing 3


const VMVLAN = ".1.3.6.1.4.1.9.9.68.1.2.2.1.2."
const SNMPSETCMD = "f:\usr\bin\snmpset.exe -v 2c -c "
const SNMPWRITE = " private "

'************************************************************************
'FUNCTION:                                                              *
' setVlan(strAgent,intIFIndex, intVlan)                                 *
'                                                                       *
'Purpose:                                                               *
' set the port specified by the interface index suitable to             *
' the specified vlan                                                    *
'                                                                       *
'Inputs:                                                                *
' strAgent: management IP address of the switch                         *
' intIFIndex: port interface index returned from getIFIndex()           *
' intVlan : the vlan to which the port should be configured             *
'                                                                       *
'Returns:                                                               *
' Integer, 0 if successful or a positive value on failure.              *
'                                                                       *
'Calls:                                                                 *
' SNMPSETCMD - constant defining the path to an external                *
' program and options used to perform an snmp set                       *
'                                                                       *
'Comments:                                                              *
' CISCO-VTP-MIB is cisco specific.                                      *
' Reference cisco Document ID: 45080                                    *
' "How To Add, Modify, and Remove VLANs on a Catalyst Using SNMP"       *
' viewed at                                                             *
' http://www.cisco.com/en/US/tech/tk648/tk362/                          *
' technologies_tech_note09186a00801c6035.shtml                          *
' on 16/11/2006                                                         *
'************************************************************************
function setVlan(strAgent,intIFIndex, intVlan)
dim WshShell, oExec
dim stroutput
Set WshShell = CreateObject("WScript.Shell")
Set oExec = WshShell.Exec(SNMPSETCMD & SNMPWRITE & " " & strAgent & _
  " " & VMVLAN & intIFIndex & " i " & intVlan)
'snmpset reports timeouts and packet errors on stderr, not stdout,
'so both streams are collected before the result is inspected
stroutput = ""
if not oExec.StdOut.AtEndOfStream then stroutput = oExec.StdOut.ReadAll
if not oExec.StdErr.AtEndOfStream then stroutput = stroutput & oExec.StdErr.ReadAll
Do While oExec.Status <> 1
  WScript.Sleep 100
Loop
'a non-zero exit code or an error/timeout message means the vlan was not changed
if oExec.ExitCode <> 0 or instr(1, stroutput, "Error") > 0 or _
  instr(1, stroutput, "Timeout") > 0 then
  setVlan = 1
else
  setVlan = 0
end if
end function