
Feature request - NAC info

Open kingtrw opened this issue 3 years ago • 4 comments

I don't know how feasible this is because I don't know what info is exposed over SNMP, but we're in the process of enabling NAC across our estate. It would be really handy if ND had some option for showing if NAC-related features (e.g. 802.1X) were enabled on ports.

Edit: we've got Cisco IOS 15, Cisco IOS-XE 16, and Dell NOS 6.7 at the edge.

kingtrw avatar Jul 13 '22 14:07 kingtrw

hmm wonder if we need to add 1.0.8802.1.1 and 1.3.111.2.802 to the SNMP browser (which is only 1.3.6.1 today)

ollyg avatar Jul 13 '22 21:07 ollyg

@kingtrw there's CISCO-PAE-MIB but I'd be interested to see what your Dell implements, if anything, for exposing that (btw not all vendors do ... I don't think Arista exposes it via SNMP).

ollyg avatar Jul 13 '22 22:07 ollyg

Hi, please would you upgrade to the latest Netdisco and take a snapshot of a device with NAC enabled and a logged-in user. Could do Cisco and non-Cisco both.

ollyg avatar Aug 03 '22 20:08 ollyg

I've merged rudimentary IEEE8021-PAE-MIB support in snmp-info: https://github.com/netdisco/snmp-info/pull/466

rc9000 avatar Aug 12 '22 06:08 rc9000

IRC chat about implementation:

15:48 < rc9000> I was thinking about how to implement NAC/PAE information in Netdisco. First I thought about just putting more columns into device_port_properties.
15:48 < rc9000> But since the information is quite dynamic it would be better to poll it at macsuck time and put it into node_...whatever.
15:49 < rc9000> Is it better if I make a new table like node_wireless/nbt? or just add columns to node? It would be around four, essentially all the snmp::info attributes added
15:49 < rc9000> in https://github.com/netdisco/snmp-info/blob/bac8a6e92f28fa9bf4858e77431f1215f54558a9/lib/SNMP/Info/PortAccessEntity.pm
15:50 < rc9000> pae_authconfig_state, pae_authconfig_port_status, pae_authsess_user, pae_authsess_mab (maybe)
15:50 < oliver> rc9000: so these are properties of individual nodes? a device port could have multiple of them? I too expected them to be device_port_properties, as in the current status of the port
15:52 < rc9000> hmm true is a set per port afaict.
15:52 < rc9000> but could I update device_port_properties once every macsuck?
15:53 < oliver> yes that's fine
15:53 < oliver> I think even device_port is updated, if the port is up because a node is there then the port is updated
15:53 < oliver> (from memory ... could be wrong)
15:55 < rc9000> ok I'll give it a shot soonish. Our NOC is transitioning to NAC and it would be really helpful if we could run a report showing where we are done and where stuff doesn't work as expected

rc9000 avatar Sep 27 '22 14:09 rc9000
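
A sketch of the kind of rollout report mentioned in the chat above, added here as an example; it is not code from Netdisco or snmp-info. It parses numeric `snmpwalk` output for the standard IEEE8021-PAE-MIB `dot1xAuthConfigTable` (under the 1.0.8802.1.1 subtree mentioned earlier) and flags ports where 802.1X is not actually enforced. The sample walk is constructed and the category labels are this example's own.

```python
import re
from collections import defaultdict

# dot1xAuthConfigEntry (IEEE8021-PAE-MIB); rows are indexed by dot1xPaePortNumber
BASE = "1.0.8802.1.1.1.1.2.1.1"
COLUMNS = {1: "pae_state", 5: "port_status", 6: "port_control"}
PAE_STATE = dict(enumerate(("initialize disconnected connecting authenticating "
    "authenticated aborting held forceAuth forceUnauth restart").split(), start=1))
PORT_STATUS = {1: "authorized", 2: "unauthorized"}
PORT_CONTROL = {1: "forceUnauthorized", 2: "auto", 3: "forceAuthorized"}
# Accepts both "INTEGER: 2" and the enum-rendered form "INTEGER: auto(2)"
LINE = re.compile(r"^\.?" + re.escape(BASE) + r"\.(\d+)\.(\d+) = INTEGER: (?:\w+\()?(\d+)\)?$")

# Constructed sample walk (not captured from a real device)
SAMPLE = """\
.1.0.8802.1.1.1.1.2.1.1.1.10101 = INTEGER: 5
.1.0.8802.1.1.1.1.2.1.1.5.10101 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.6.10101 = INTEGER: 2
.1.0.8802.1.1.1.1.2.1.1.1.10102 = INTEGER: 8
.1.0.8802.1.1.1.1.2.1.1.5.10102 = INTEGER: 1
.1.0.8802.1.1.1.1.2.1.1.6.10102 = INTEGER: 3
.1.0.8802.1.1.1.1.2.1.1.1.10103 = INTEGER: connecting(3)
.1.0.8802.1.1.1.1.2.1.1.5.10103 = INTEGER: unauthorized(2)
.1.0.8802.1.1.1.1.2.1.1.6.10103 = INTEGER: auto(2)
.1.0.8802.1.1.1.1.2.1.1.5.10104 = INTEGER: 1
"""

def parse_walk(text):
    """Return {port_number: {column_name: int}} for the columns of interest."""
    ports = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(1)) in COLUMNS:
            ports[int(m.group(2))][COLUMNS[int(m.group(1))]] = int(m.group(3))
    return dict(ports)

def classify(row):
    control = PORT_CONTROL.get(row.get("port_control"))
    status = PORT_STATUS.get(row.get("port_status"))
    if control is None or status is None:
        return "incomplete"  # a column was missing from the walk
    # A forced port is "authorized" or blocked regardless of any supplicant
    fixed = {"forceAuthorized": "not enforced", "forceUnauthorized": "blocked"}
    return fixed.get(control, "enforced/" + status)

def report(text):
    return {port: (classify(row), PAE_STATE.get(row.get("pae_state"), "unknown"))
            for port, row in sorted(parse_walk(text).items())}

print(report(SAMPLE))
```

Port 10102 is the case worth reporting on during a rollout: its status reads authorized, but only because the port control is forceAuthorized, so no authentication is taking place.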

@kingtrw This has been implemented for a while now, you can find the attributes in the Port properties.

I'm closing this, but let us know if you have any issues or input - I don't think there are many users so far except for me.

rc9000 avatar Apr 02 '23 01:04 rc9000