Read test parameters form config (faucetsdn#817)

config/modules/all.conf

@@ -8,3 +8,4 @@ include ${DAQ_LIB}/subset/security/build.conf
 include ${DAQ_LIB}/subset/cloud/build.conf
 include ${DAQ_LIB}/subset/manual/build.conf
 include ${DAQ_LIB}/subset/network/build.conf
+include ${DAQ_LIB}/subset/dot1x/build.conf

daq/topology.py

@@ -166,6 +166,10 @@ def direct_port_traffic(self, device, port_no, target):
         interface = self.topology['dps'][self.sec_name]['interfaces'][port_no]
         interface['native_vlan'] = self._port_set_vlan(port_set)
 
+    def _get_port_vlan(self, port_no):
+        port_set = self._port_targets.get(port_no, {}).get('port_set')
+        return self._port_set_vlan(port_set)
+
     def _ensure_entry(self, root, key, value):
         if key not in root:
             root[key] = value
@@ -417,24 +421,33 @@ def _add_dhcp_reflectors(self, acl_list):
         self._add_acl_rule(acl_list, dl_type='0x800', allow=False,
                            nw_proto=17, udp_src=67, udp_dst=68)
 
+    def _add_dot1x_incoming_rule(self, incoming_acl, secondary_acl):
+        for devices in self._set_devices.values():
+            for device in devices:
+                if device and device.gateway:
+                    vlan = self._get_port_vlan(device.port.port_no)
+                    test_ports = device.gateway.get_possible_test_ports()
+                    if test_ports:
+                        self._add_dot1x_allow_rule(incoming_acl, test_ports, vlan_vid=vlan)
+                    device_port = device.port.port_no
+                    if device_port:
+                        self._add_dot1x_allow_rule(secondary_acl, [device_port], vlan_vid=vlan)
+
+    def _add_dot1x_allow_rule(self, acl, ports, vlan_vid=None, out_vlan=None):
+        """Add dot1x reflection rule to acl"""
+        if vlan_vid:
+            self._add_acl_rule(acl, eth_type=self._DOT1X_ETH_TYPE, ports=ports, vlan_vid=vlan_vid)
+        elif out_vlan:
+            self._add_acl_rule(acl, eth_type=self._DOT1X_ETH_TYPE, ports=ports, out_vlan=out_vlan)
+
     def _generate_main_acls(self):
         incoming_acl = []
         portset_acls = {}
         secondary_acl = []
         local_acl = []
         acls = {}
 
-        dot1x_pri_ports = []
-
-        for devices in self._set_devices.values():
-            for device in devices:
-                if device and device.gateway:
-                    dot1x_pri_ports.extend(device.gateway.get_possible_test_ports())
-
-        self._add_acl_rule(incoming_acl, eth_type=self._DOT1X_ETH_TYPE, ports=dot1x_pri_ports)
-
-        self._add_acl_rule(secondary_acl, eth_type=self._DOT1X_ETH_TYPE,
-                           ports=list(range(1, self.sec_port)))
+        self._add_dot1x_incoming_rule(incoming_acl, secondary_acl)
 
         for port_set in range(1, self.sec_port):
             portset_acls[port_set] = []
@@ -453,8 +466,8 @@ def _generate_main_acls(self):
         acls[self.INCOMING_ACL_FORMAT % self.sec_name] = secondary_acl
 
         for port_set in range(1, self.sec_port):
-            self._add_acl_rule(portset_acls[port_set],
-                               eth_type=self._DOT1X_ETH_TYPE, ports=[self.PRI_TRUNK_PORT])
+            vlan = self._port_set_vlan(port_set)
+            self._add_dot1x_allow_rule(portset_acls[port_set], [self.PRI_TRUNK_PORT], out_vlan=vlan)
             self._add_acl_rule(portset_acls[port_set], allow=1)
             acls[self.PORTSET_ACL_FORMAT % (self.pri_name, port_set)] = portset_acls[port_set]
 
@@ -532,7 +545,8 @@ def _generate_port_acl(self, port):
         target_mac = None
         rules = []
 
-        self._add_acl_rule(rules, eth_type=self._DOT1X_ETH_TYPE, ports=[self.sec_port])
+        vlan = self._get_port_vlan(port)
+        self._add_dot1x_allow_rule(rules, [self.sec_port], out_vlan=vlan)
 
         if self._device_specs and port in self._port_targets:
             target = self._port_targets[port]

docker/include/bin/start_faux

@@ -194,7 +194,9 @@ if [ -n "${options[ntp_pass]}" -o -n "${options[ntp_fail]}" ]; then
 fi
 
 if [ -n "${options[wpa]}" ]; then
-    wpa_supplicant -dd -c/tmp/wpasupplicant/wired-peap.conf -ifaux-eth0 -Dwired &
+    wpa_supplicant -dd -c/etc/wpasupplicant/wired-peap.conf -ifaux-eth0 -Dwired &
+elif [ -n "${options[wpawrong]}" ]; then
+    wpa_supplicant -dd -c/etc/wpasupplicant/wired-peap-wrong.conf -ifaux-eth0 -Dwired &
 fi
 
 if [ -n "${options[broadcast_client]}" ]; then

docker/include/etc/wpasupplicant/wired-peap-wrong.conf

@@ -0,0 +1,15 @@
+ctrl_interface=/etc/wpa_supplicant
+ctrl_interface_group=0
+ap_scan=0
+
+network={
+ key_mgmt=IEEE8021X
+ eap=PEAP
+ ca_cert="/etc/wpasupplicant/cert/ca.pem"
+ eapol_flags=0
+ auth_alg=OPEN
+ phase1="peaplabel=1"
+ phase2="auth=MSCHAPV2"
+ identity="user"
+ password="m!cr0ph0ne"
+}

docker/include/network/scripts/start_networking

@@ -52,6 +52,9 @@ fi
 # Start the NTP server
 service ntp start
 
+# Start radius server
+freeradius -xx -l /tmp/radius_log
+
 # For cloud-based provisioning tests.
 GCP_CRED_FILE=/config/inst/gcp_service_account.json
 SITE_MODEL=$PWD/test_site

docker/modules/Dockerfile.networking

@@ -15,7 +15,7 @@ RUN curl https://packages.cloud.google.com/apt/doc/apt-key.gpg \
     | apt-key --keyring /usr/share/keyrings/cloud.google.gpg add -
 
 RUN $AG update && $AG install dnsmasq ethtool iptables netcat ntp \
-    python3 python3-pip python3-setuptools gnupg google-cloud-sdk
+    python3 python3-pip python3-setuptools gnupg google-cloud-sdk freeradius
 
 COPY docker/include/network/scripts/* ./
 RUN mkdir -p /etc
@@ -33,4 +33,9 @@ COPY docker/include/security/nginxfail.conf /root/nginx/
 COPY docker/include/security/nginx-site /var/www/nginx-site
 COPY docker/include/security/tlsfaux tlsfaux/
 
+COPY misc/freeradius/users /etc/freeradius/3.0/users
+COPY misc/freeradius/certs /etc/freeradius/3.0/certs
+COPY misc/freeradius/default/eap /etc/freeradius/3.0/mods-enabled/eap
+COPY misc/freeradius/clients.conf /etc/freeradius/3.0/clients.conf
+
 ENTRYPOINT ["./start_networking"]

docs/device_report.md

@@ -69,7 +69,7 @@ Syntax: Pass / Fail / Skip
 |Required Pass for BACnet Devices|0|1|2|0|
 |Required Pass for IoT Devices|0|0|1|0|
 |Recommended Pass|0|0|2|0|
-|Other|0|0|4|2|
+|Other|1|0|4|2|
 
 |Result|Test|Category|Expectation|Notes|
 |---|---|---|---|---|
@@ -95,6 +95,7 @@ Syntax: Pass / Fail / Skip
 |skip|connection.switch.port_link|Connection|Required Pass|No local IP has been set, check system config|
 |skip|connection.switch.port_speed|Connection|Required Pass|No local IP has been set, check system config|
 |skip|dns.network.hostname_resolution|DNS|Required Pass|Device did not send any DNS requests|
+|pass|dot1x.dot1x|Other|Other|Authentication for 9a:02:57:1e:8f:01 succeeded.|
 |pass|ntp.network.ntp_support|NTP|Required Pass|Using NTPv4.|
 |pass|ntp.network.ntp_update|NTP|Required Pass|Device clock synchronized.|
 |skip|poe.switch.power|PoE|Required Pass for PoE Devices|No local IP has been set, check system config|
@@ -678,5 +679,28 @@ RESULT skip dns.network.hostname_resolution Device did not send any DNS requests
 |---|---|
 |enabled|True|
 
+## Module dot1x
+
+
+#### Report
+
+```
+--------------------
+dot1x.dot1x
+--------------------
+Dot1x authentication tests
+--------------------
+n/a
+--------------------
+RESULT pass dot1x.dot1x Authentication for 9a:02:57:1e:8f:01 succeeded.
+
+```
+
+#### Module Config
+
+|Attribute|Value|
+|---|---|
+|enabled|True|
+
 ## Report complete
 

resources/test_site/mac_addrs/3c5ab41e8f0b/device_config.json

@@ -4,6 +4,15 @@
     "serial": "28491384"
   },
   "modules": {
+    "dot1x": {
+      "enabled": true,
+      "radius_server": {
+          "radius_socket_info": {
+              "remote_ip": "10.20.0.3",
+              "remote_port": 1812
+          }
+      }
+    },
     "hold": {
       "enabled": true
     }

subset/dot1x/Dockerfile.test_dot1x

@@ -1,12 +1,12 @@
 FROM daqf/aardvark:latest
 
 RUN apt-get update && \
-    apt-get install -y freeradius git gcc python3-dev musl-dev g++
+    apt-get install -y freeradius git gcc python3-dev musl-dev g++ python3-yaml
 
-COPY subset/dot1x/freeradius/users /etc/freeradius/3.0/users
-COPY subset/dot1x/freeradius/certs /etc/freeradius/3.0/certs
-COPY subset/dot1x/freeradius/default/eap /etc/freeradius/3.0/mods-enabled/eap
-COPY subset/dot1x/freeradius/clients.conf /etc/freeradius/3.0/clients.conf
+COPY misc/freeradius/users /etc/freeradius/3.0/users
+COPY misc/freeradius/certs /etc/freeradius/3.0/certs
+COPY misc/freeradius/default/eap /etc/freeradius/3.0/mods-enabled/eap
+COPY misc/freeradius/clients.conf /etc/freeradius/3.0/clients.conf
 
 
 COPY subset/dot1x/authenticator/ authenticator/