Jul 12, 2013

CDP device discovery in python

Today, I wrote a small python script to discover Ubiquiti Nanostation devices on the network using pcapy and dpkt. Since it listens for CDP packets, I guess it can also discover other kinds of devices, though this is not tested.

#! /usr/bin/env python
# A small script for cdp devices discovery
import sys
import socket
import pcapy
from dpkt import ethernet
from dpkt import cdp
from docopt import docopt

__doc__ = """Usage: %s [-h] <interface>

Listens on interface to discover devices emitting cdp packets.

Arguments:
    interface   network interface to listen on

Options:
    -h --help
""" % sys.argv[0]


def discover_neighbors(interface, timeout=100):
    def on_cdp_packet(header, data):
        # dpkt walks 802.3 -> LLC/SNAP -> CDP and exposes the CDP layer as .cdp
        ether_frame = ethernet.Ethernet(data)
        cdp_packet = ether_frame.cdp
        # index the TLVs by type; a repeated type overwrites the earlier one
        cdp_info = {}
        for info in cdp_packet.data:
            cdp_info[info.type] = info.data
        # dpkt parses the Address TLV into a list of CDP.Address objects;
        # a packet without that TLV simply reports no addresses
        addresses = [socket.inet_ntoa(x.data)
                     for x in cdp_info.get(cdp.CDP_ADDRESS, [])]
        device_id = cdp_info.get(cdp.CDP_DEVID, b'?').decode('utf-8', 'replace')
        print("Hey, %s is at %s." % (device_id, ", ".join(addresses)))

    try:
        # snaplen 65535, promiscuous mode on, read timeout in milliseconds
        pcap = pcapy.open_live(interface, 65535, 1, timeout)
        # SNAP protocol id 0x2000 at offset 20 identifies CDP
        pcap.setfilter('ether[20:2] == 0x2000')
        try:
            while True:
                # dispatching one packet at a time is more responsive to keyboard interrupts
                pcap.dispatch(1, on_cdp_packet)
        except KeyboardInterrupt:
            pass
    except Exception as e:
        print(e)


if __name__ == "__main__":
    options = docopt(__doc__)
    discover_neighbors(options['<interface>'])
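As an added example that is not part of the original script, here is a stdlib-only parser for the frame layout the script relies on (802.3 + LLC/SNAP with protocol id 0x2000 at ether[20:2], then the CDP header and TLVs), run on a constructed frame so the extraction logic can be checked offline without root, pcapy or dpkt. The TLV type constants, the sample device name and address, and the frame builder are mine; the Address TLV layout (count, then NLPID/protocol/length/address per entry) is the one the script's dpkt call decodes.

```python
import socket
import struct

CDP_DEVID = 0x0001     # Device-ID TLV type (the value dpkt's cdp.CDP_DEVID stands for)
CDP_ADDRESS = 0x0002   # Address TLV type
SNAP_CDP_PID = 0x2000  # SNAP protocol id the BPF filter 'ether[20:2] == 0x2000' matches


def parse_cdp_frame(frame):
    """Return (device_id, [IPv4 addresses]) from a raw 802.3 LLC/SNAP CDP frame."""
    if len(frame) < 26 or struct.unpack('!H', frame[20:22])[0] != SNAP_CDP_PID:
        raise ValueError('not a CDP frame')     # same test as the pcap filter
    payload = frame[22:]                        # CDP header: version, ttl, checksum
    version, ttl, checksum = struct.unpack('!BBH', payload[:4])  # checksum not verified
    tlvs, off = {}, 4
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack('!HH', payload[off:off + 4])
        if tlen < 4:                            # a zero/short length would never advance
            raise ValueError('malformed TLV length')
        tlvs[ttype] = payload[off + 4:off + tlen]
        off += tlen
    device_id = tlvs.get(CDP_DEVID, b'').decode('utf-8', 'replace')
    addresses, addr = [], tlvs.get(CDP_ADDRESS, b'')
    pos = 4                                     # skip the 4-byte address count
    for _ in range(struct.unpack('!I', addr[:4])[0] if len(addr) >= 4 else 0):
        ptype, plen = struct.unpack('!BB', addr[pos:pos + 2])
        proto = addr[pos + 2:pos + 2 + plen]
        alen = struct.unpack('!H', addr[pos + 2 + plen:pos + 4 + plen])[0]
        value = addr[pos + 4 + plen:pos + 4 + plen + alen]
        if ptype == 1 and proto == b'\xcc' and alen == 4:   # NLPID 0xCC = IPv4
            addresses.append(socket.inet_ntoa(value))
        pos += 4 + plen + alen
    return device_id, addresses


def build_sample_frame(device_id=b'Nanostation-1', ip='10.0.0.5'):
    """Constructed sample frame (not a real capture): one Device-ID and one Address TLV."""
    tlv_devid = struct.pack('!HH', CDP_DEVID, 4 + len(device_id)) + device_id
    one_addr = struct.pack('!IBBBH', 1, 1, 1, 0xCC, 4) + socket.inet_aton(ip)
    tlv_addr = struct.pack('!HH', CDP_ADDRESS, 4 + len(one_addr)) + one_addr
    cdp = struct.pack('!BBH', 2, 180, 0) + tlv_devid + tlv_addr   # version 2, ttl 180
    llc_snap = b'\xaa\xaa\x03' + b'\x00\x00\x0c' + struct.pack('!H', SNAP_CDP_PID)
    dst, src = b'\x01\x00\x0c\xcc\xcc\xcc', b'\x00\x11\x22\x33\x44\x55'  # CDP multicast
    return dst + src + struct.pack('!H', len(llc_snap) + len(cdp)) + llc_snap + cdp


if __name__ == '__main__':
    print(parse_cdp_frame(build_sample_frame()))
```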

Jul 11, 2013

Limiting the active users/sessions in freeRADIUS

Here is how to limit the number of concurrent users/sessions in freeRADIUS. Let's say you want to reject auth requests if there are already more than 50 active accounting sessions.

  1. Add the following policy to your policy.conf:

    maximum_active_users = 50

    check_active_users {
        if ("%{sql: SELECT COUNT(*) FROM radacct WHERE acctstoptime IS NULL}" >= "%{config:policy.maximum_active_users}") {
            update reply {
                Reply-Message := "Too many users logged into the system. Please try again later."
            }
            reject
        }
    }

  2. Add the check_active_users policy to the auth section of your sites-enabled/default.

  3. Test it using radclient:

    root @ ~ $ echo "User-Name=t1,User-Password=1234" | radclient -x -d /etc/freeradius/ 192.168.100.108 auth testing123
    Sending Access-Request of id 124 to 192.168.100.108 port 1812
            User-Name = "t1"
            User-Password = "1234"
    rad_recv: Access-Reject packet from host 192.168.100.108 port 1812, id=124, length=84
            Reply-Message = "Too many users logged into the system. Please try again later."