autoMAC: A Tool for Automating Network Moves, Adds, and Changes

Christopher J. Tengi
Princeton University
<tengi@CS.Princeton.EDU>

What’s the problem?
- Over 1500 hosts
- Over 100 IP subnets/VLANs
- 672 user switch ports (currently)
- 388 wall boxes
- 1072 patch points

Why subnets?
- Why not a flat network?
- Broadcast domains
- User segregation
- Access control

How we used to do it
- Email host registration requests
- Manual host database entry
- Manual patch installation
- Switch re-configuration

So, what’s wrong with that?
- Users never get it right the first time
- Manual host entry is prone to errors
- Patch panel diving is a pain
- Did you remember to set the port VLAN?
- Did you save the switch config?

What we wanted
- Automation!
- Less user interaction :-)
- Better accuracy
- Static switch configuration

What we did
- Automate the host database
- Automate switch port VLAN assignment
- Keep everyone in the right place

Automating the host database
- Move to a web-based registration system
- Use a daemon to process requests
- Have the daemon rebuild all the database extracts

Automating VLAN assignment
- No more manual switch configuration
- Any port, any VLAN, any time
- Use the host MAC address as the key
- Registration VLAN for unknown hosts

The nitty-gritty

Tools we used
- Existing host database
- FreeRADIUS
- NetReg

Tools we used - Host DB
- Originally only for administrators
- Very little field validation
- Input through a ‘vi’-based interface
- Extracts generated manually with ‘make’

Tools we used - FreeRADIUS
- Config files generated from the host DB
- Originally implemented for Cisco APs
- Our user switches could “speak” RADIUS

Tools we used - NetReg
- Web-based data input
- Two to choose from:
  - Carnegie Mellon University
  - Southwestern University

Integration: Tying it all together

Integration - Host database
- Web registration form
- Field validation on the form
- Automate request processing

Integration - RADIUS server
- Use the MAC address to look up the VLAN
- Add the “tunnel” A/V pairs (the RFC 3580 VLAN attributes: Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) to the Access-Accept response
- Unknown MAC addresses are rejected

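The slide above says the RADIUS configuration is generated from the host database, keyed on MAC address, with the tunnel attributes added to the accept and everything else rejected. The following is an added example of such a generator, written for this page; it is not the autoMAC code. It assumes things the slides do not state: that the switch performs MAC-based authentication and sends the MAC, as 12 lower-case hex digits, in both User-Name and User-Password (vendors differ here); that each host-database record is "mac hostname vlan"; and that the output goes into the FreeRADIUS users file (mods-config/files/authorize in FreeRADIUS 3). The hostnames, MACs and VLAN IDs in HOST_DB are constructed. One caveat the deck's "Why not 802.1X?" bullet hints at: a MAC address is not a secret, so anyone who learns a registered MAC can assert it; this scheme places hosts, it does not authenticate them.

```python
"""Build a FreeRADIUS users file from a host-database extract.

Added example for this page, not the autoMAC code itself. Assumptions
(not stated on the page): the switch authenticates ports by MAC and
sends the MAC, as 12 lower-case hex digits, in both User-Name and
User-Password; the host database yields one "mac hostname vlan" record
per host; the switch honours the RFC 3580 tunnel attributes for VLAN
assignment. Hostnames, MACs and VLAN IDs below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample extract from the host database: mac hostname vlan
HOST_DB = """\
# mac               hostname                vlan
00:11:22:33:44:55   alpha.cs.example.edu    220
00-11-22-33-44-56   beta.cs.example.edu     220
001122334457        gamma.cs.example.edu    230
00:11:22:33:44:55   dupe.cs.example.edu     999
zz:11:22:33:44:58   broken.cs.example.edu   230
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lower-case hex digits; ValueError on junk.

    Users type MACs in whatever format their OS shows them, so the key
    must be canonicalised before it can match what the switch sends.
    """
    mac = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not HEX12.match(mac):
        raise ValueError(f"invalid MAC address {raw!r}")
    return mac


def parse_host_db(text: str) -> Tuple[Dict[str, Tuple[str, int]], List[str]]:
    """Map canonical MAC -> (hostname, vlan); collect rejected records."""
    hosts: Dict[str, Tuple[str, int]] = {}
    errors: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            raw_mac, hostname, vlan = line.split()
            mac = normalize_mac(raw_mac)
            vlan_id = int(vlan)
            if not 1 <= vlan_id <= 4094:
                raise ValueError(f"VLAN {vlan_id} out of range")
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if mac in hosts:
            # Two records for one MAC would make the VLAN ambiguous;
            # keep the first, report the second, never emit both.
            errors.append(f"line {lineno}: duplicate MAC {mac} ({hostname})")
            continue
        hosts[mac] = (hostname, vlan_id)
    return hosts, errors


def render_users(hosts: Dict[str, Tuple[str, int]]) -> str:
    """Emit users-file entries: one per MAC, then a catch-all reject."""
    out: List[str] = []
    for mac in sorted(hosts):
        hostname, vlan = hosts[mac]
        out.append(f"# {hostname}")
        out.append(f'{mac}\tCleartext-Password := "{mac}"')
        out.append("\tTunnel-Type = VLAN,")
        out.append("\tTunnel-Medium-Type = IEEE-802,")
        out.append(f'\tTunnel-Private-Group-Id = "{vlan}"')
        out.append("")
    # No entry matched: Access-Reject, which the switch turns into
    # placement on the registration VLAN.
    out.append("DEFAULT\tAuth-Type := Reject")
    out.append('\tReply-Message = "Unknown MAC address"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hosts, errors = parse_host_db(HOST_DB)
    print(render_users(hosts), end="")
    for err in errors:
        print("# skipped:", err)
```

Rejected records are reported rather than silently dropped, since a host whose record fails validation would otherwise land on the registration VLAN with no explanation; the daemon that rebuilds the extracts is the natural place to surface that list to the administrators. The DEFAULT entry must stay last, because the users file is matched top to bottom.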
Integration - Hardware
- First, get a vendor to write code for you
- Why not 802.1X?
- Known hosts always land on the right VLAN
  - Locally registered
  - Mobile IP
- Unknown hosts (rejected by RADIUS) land on the registration VLAN

Integration - NetReg Server
- Listening on the registration VLAN
  - Answers all DHCP requests
  - Specifies itself as DNS server/gateway
  - Answers any HTTP request
  - Requires a CS username/password
  - Presents the host registration form
  - Sends the completed form for processing

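The DHCP and DNS behaviour on the registration VLAN described above is what makes the portal reachable without any client configuration: every lease points the client at the NetReg host for both routing and name resolution, and every name resolves to that host, so any HTTP request the client makes arrives at the registration form. The fragment below is an added example of that behaviour expressed as a dnsmasq configuration; it is not the NetReg server's own configuration, and the interface name, address range and server address are assumptions.

```conf
# dnsmasq.conf for a registration-VLAN server (added example; interface
# name and addresses are assumptions, not taken from the slides)

# Only serve the registration VLAN; never answer on production interfaces
interface=eth1
bind-interfaces

# Answer every DHCP request on the VLAN; a short lease so a host that
# has just been registered and moved to its real VLAN re-leases quickly
dhcp-range=10.255.0.100,10.255.0.250,255.255.255.0,5m

# Option 3 (default gateway) and option 6 (DNS) both point at this host
dhcp-option=option:router,10.255.0.1
dhcp-option=option:dns-server,10.255.0.1

# Resolve every name to this host so any HTTP request reaches the portal
address=/#/10.255.0.1

# Do not forward anything upstream from the registration VLAN
no-resolv

# Log leases so unknown hosts can be correlated with registration attempts
log-dhcp
```

The web server on 10.255.0.1 must accept any Host header and redirect to the registration form, since clients will be asking for whatever site they had open. Because the same host is the gateway, nothing leaves the registration VLAN unless you deliberately forward it, which is the isolation the "Future Enhancements" slide builds on.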
Future Enhancements
- Virus/patch scanning on the registration VLAN
- Automatic isolation of newly-infected hosts
- Expand the registration VLAN concept to 802.11b

Conclusions
- Automation is a good thing
- Open Source Software is invaluable
- Sometimes you can get what you want

Acknowledgements
- Princeton CS Technical Staff
- Jon Finke
- Rob Kolstad

Availability
- http://www.CS.Princeton.EDU/autoMAC/
- Download