Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CLI support for PAC #3265

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

CLI support for PAC #3265

wants to merge 3 commits into from

Conversation

vijaya-ops
Copy link

What I did

The cli changes are implemented as per the HLD mentioned below.
sonic-net/SONiC#1655

How I did it

Implemented the below commands

Config commands

config dot1x system-auth-control enable
config interface authentication port-control Ethernet0 auto
config interface authentication host-mode Ethernet0 multi-auth
config interface authentication order Ethernet0 dot1x
config interface authentication priority Ethernet0 dot1x
config interface dot1x pae Ethernet0 authenticator
config interface authentication periodic Ethernet1 enable
config interface authentication reauth-period Ethernet1 120
config interface authentication max-users Ethernet1 6
config interface mab Ethernet1 enable -a pap

===============
Show commands

show authentication interface
show authentication clients
show mab interface
show dot1x

============
Clear commands

sonic-clear authentication sessions

How to verify it

This was referenced Apr 8, 2024
Open
Open
Merged
Open
@vijaya-ops vijaya-ops mentioned this pull request Apr 16, 2024
Merged
@adyeung adyeung mentioned this pull request Apr 16, 2024
Merged
@adyeung
Copy link

adyeung commented Aug 7, 2024

@jeff-yin @ridahanif96 pls help review

@vijaya-ops
Copy link
Author

/azpw run Azure

@mssonicbld
Copy link
Collaborator

/AzurePipelines run Azure

@azure-pipelines Azure Pipelines
Copy link

No pipelines are associated with this pull request.

ridahanif96
ridahanif96 reviewed Aug 15, 2024
View reviewed changes
Copy link
Contributor

@ridahanif96 ridahanif96 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Please cover code coverage. Add more test cases to cover coverage 100%

ridahanif96
ridahanif96 reviewed Aug 15, 2024
View reviewed changes
config/main.py
vlan_ports_data = config_db.get_table('VLAN_MEMBER')
for key in vlan_ports_data:
if key[1] == port:
return True
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now We also have notation of switchport (access, trunk), what will be behavior of this. Will it work for both ports? Please revisit this as well.

sutharsansr
sutharsansr reviewed Sep 30, 2024
View reviewed changes
config/main.py
ctx.fail("Invalid ConfigDB. Error: {}".format(e))


def pac_is_port_any_vlan_member(config_db, port):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While a port is dot1X enabled, it should not be allowed to become a router-port. In other words, it should not be removed from all the vlans right. Is that taken care as part of seperate PR?

praveenraja1
praveenraja1 reviewed Oct 6, 2024
View reviewed changes
config/main.py
is_server = True
else:
val = int(status)
if val not in range(1,65535):
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason why we have chose this upper and lower bound for range?

In most NOS i see the range as "60 to 7200"

1 --> would mean there would too frequent authentication request, this would cause load on radius server depending on the deployment/scale.
65535 --> conversely this range seems to high.

Also is there there a way to disable "reauth timer" ?

config/main.py
print(auth_type)
print(interface_name)
try:
config_db.mod_entry('MAB_PORT_CONFIG_TABLE', (interface_name), {'mab_enable': True if status == 'enable' else False})
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When dot1x/mab is enabled on an interface, do we need to check for static MAC if it exists on that port and error out? Alternatively once PAC is enabled on a port, we should restrict any static MAC add on that port.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@praveenraja1 praveenraja1 praveenraja1 left review comments

@sutharsansr sutharsansr sutharsansr left review comments

@ridahanif96 ridahanif96 ridahanif96 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vijaya-ops @adyeung @mssonicbld @ridahanif96 @sutharsansr @praveenraja1