github.com/autoalan/wilson (repository package)
Version: 0.0.0-20220420234705-0a061e744f2c
Repository: https://github.com/autoalan/wilson.git
Documentation: pkg.go.dev

# README

wilson

A Go (golang) dot1x server that runs locally on network switches as a secondary authentication server. When a switch becomes stranded from its primary dot1x server, wilson will authenticate endpoints by OUI using a flexible policy. Wilson was developed to provide supplemental policy-map type control support for an Arista EOS campus healthcare environment with colorless ports and a high up-time requirement.

TODO

This is effectively a prototype. While it serves the intended purpose, it needs tests and perhaps some refactoring. The goal of wilson is to be easily readable and maintainable.

Installation & Compilation

    go get -u github.com/autoalan/wilson

Wilson will run once compiled without modification on most platforms. Simply clone this repository and compile wilson.go in the apps folder. For Arista EOS switches, use the 386 architecture.

    GOARCH=386 go build app/wilson.go

Usage

When executed for the first time, wilson expects to load its configuration from a URL. Subsequent executions will use a defined configuration file (.wilson by default), automatically created in the directory containing the binary, if the server is unreachable or if the URL flag is omitted.

    ./wilson -url https://my-lb-site.internal.org/wilson.json

For deployments on Arista EOS, consider launching wilson from an event-handler or from rc.eos.

Wilson expects the configuration to conform to a known JSON schema. Below is an example of a configuration file.

    {
    	"configFile": ".wilson",
    	"configRefresh": 5,
    	"configURL": "https://my-lb-site.internal.org/wilson.json",
    	"serverBinding": "127.0.0.1:1812",
    	"serverSecret": "127001",
    	"policies": [
    		{
    			"comment": "Issue an access-accept for trusted Roche analyzers",
    			"clientOui": "B8:78:79",
    			"clientVlan": 5,
    			"radiusCode": 2
    		},
    		{
    			"comment": "Issue an access-reject for unauthorized TP-Link endpoints",
    			"clientOui": "d8-07-b6",
    			"clientVlan": 0,
    			"radiusCode": 3
    		},
    		{
    			"comment": "Ignore all other requests; the default policy is the last policy",
    			"clientOui": "0000.00",
    			"clientVlan": 0,
    			"radiusCode": 0
    		}
    	]
    }
| Parameter | Description |
|---|---|
| configFile | The path to the configuration that will be saved locally if the server hosting the URL config is unavailable. |
| configRefresh | The interval in seconds to poll the server for configuration updates. |
| configURL | The URL to the initial configuration file. |
| serverBinding | The server binding used for requests. Typically this will be localhost for obvious reasons. |
| serverSecret | The RADIUS secret used to authenticate the NAS client. |
| comment | Ignored by wilson. This is for humans. |
| clientOui | A 24-bit hexadecimal string representing the OUI of a MAC address. Delimiters (":", "-", ".") are ignored. |
| clientVlan | The VLAN to be assigned to the client on access-accept. |
| radiusCode | Standard RADIUS codes supported by the underlying radius library. A typical deployment would use 2 (Accept), 3 (Reject) and 0 (Ignore or discard the request). |
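As an added example that is not wilson's own code, the following standard-library-only Go sketch shows the policy evaluation the table above describes: parse a config in this schema, normalize the OUI delimiters the README says are ignored, and resolve a client MAC to the policy (RADIUS code and VLAN) that would apply, with the last policy acting as the default. The config is constructed, the first-match and case-insensitive comparison semantics are my reading of the README rather than wilson's implementation, and the RADIUS exchange itself is left out.

```go
package main
import (
	"encoding/json"
	"errors"
	"strings"
)
// Policy is one entry of the "policies" array in wilson's JSON config.
type Policy struct {
	ClientOui  string `json:"clientOui"`
	ClientVlan int    `json:"clientVlan"`
	RadiusCode int    `json:"radiusCode"`
}
type Config struct {
	Policies []Policy `json:"policies"` // only the schema field this example needs
}
// SampleConfig is a constructed config in the README's schema, not a real deployment.
const SampleConfig = `{"policies":[{"clientOui":"B8:78:79","clientVlan":5,"radiusCode":2},
 {"clientOui":"d8-07-b6","clientVlan":0,"radiusCode":3},
 {"clientOui":"0000.00","clientVlan":0,"radiusCode":0}]}`

// LoadConfig parses the JSON and refuses an empty policy list: the last policy is the default.
func LoadConfig(b []byte) (*Config, error) {
	var c Config
	if err := json.Unmarshal(b, &c); err != nil {
		return nil, err
	}
	if len(c.Policies) == 0 {
		return nil, errors.New("config has no policies")
	}
	return &c, nil
}

// normalizeOui drops the delimiters the README says are ignored (":", "-", ".") and upper-cases.
func normalizeOui(s string) string {
	return strings.ToUpper(strings.NewReplacer(":", "", "-", "", ".", "").Replace(s))
}

// Match returns the first policy whose OUI equals the first 24 bits of mac;
// when nothing matches (or mac is too short), the last policy is the default.
func (c *Config) Match(mac string) Policy {
	if m := normalizeOui(mac); len(m) >= 6 {
		for _, p := range c.Policies {
			if normalizeOui(p.ClientOui) == m[:6] {
				return p
			}
		}
	}
	return c.Policies[len(c.Policies)-1]
}
```

A switch-side check worth keeping in mind: because the last policy is the default, a config whose last entry is an accept would admit every unknown OUI, so validate the final policy's radiusCode before publishing the file.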

License

MPL 2.0

Author

Alan Haynes ([email protected]).

Huge thanks to Tim Cooper for the superb radius implementation.