Question

RADIUS ACL attributes

  • 8 November 2018
  • 7 replies
  • 814 views

How to assign ACL with RADIUS Access-Accept response? What attributes to use?
I'm interested in at least two options:
  1. Sending ACL id (ACL is configured on switch)
  2. Sending ACL rules (ACL is presented in RADIUS attribute)

7 replies

Userlevel 6
Hello,

Prior to OnePolicy as described above by Tomasz, we used to use UPM profiles to dynamically create ACLs on ports based on the Accept response and other AVPs from NAC.

Here's a document that explains the configuration heavy solution:

https://extremenetworks2com-my.sharepoint.com/:w:/g/personal/ryacobuc_extremenetworks_com/EYWDogjm5W...

This is not nearly as easy to set up as OnePolicy and is a legacy solution that we had prior to the development of OnePolicy, but it does explain how you can have an ACL configured/applied to a port based on RADIUS attributes.

I would highly recommend using OnePolicy as it is essentially a per-port ACL (its rule engine is precedence based instead of top down) that is invoked on a port based on the RADIUS TLV response. Is there a limitation of OnePolicy that you're trying to work around by looking for another solution?

Thanks
-Ryan
Thank you very much! But I still hope to find such an approach.
Userlevel 5
I might be wrong, but I didn't see such an approach being used so far.
From the EXOS User Guide I see a VSA 'Extreme-Shell-Command'; I don't know what this is, it is not described. From the table on page 939 of the EXOS User Guide it seems it is only a valid RADIUS response attribute for PAP requests, and somewhere on this forum I found a note that this has been obsolete for a while (it's in the latest docs, though).
Theoretically this could be introduced, but you should talk with Extreme about a feature request, as right now, from a development roadmap or marketing strategy point of view, it might be a minor case compared to enhancing the Policy capabilities, perhaps. With XMC you don't have to configure the switch via CLI, BTW.

HTH,
Tomasz
Thanks a lot for the extended answer! Maybe there is also an approach to send ACL rules via the RADIUS response? I mean without any configuration on the switch side.
Userlevel 5
Hello Ruslan,

Apparently, it's still not very accurate: at Extreme, within five years (when it was just EXOS), right now you have EXOS, EOS, VOSS, BOSS, NOS, SLX-OS, NetIron (?) and something minor for ISW or the 200 series... 😉 But okay, with EXOS and EOS you would most likely work with the Policy concept.

It is based on different attributes. With EOS it is a Filter-ID of a shape like: Enterasys:version=1:policy=[role]. For EXOS though, as you can see in the ONEPolicy chapter of the EXOS User Guide (https://documentation.extremenetworks.com/exos_22.5/EXOS_User_Guide_22_5.pdf), it is based on a Filter-ID with just the policy role name.
Those names need to match what's already configured on the switch, and it contains the most useful ACL-like stuff for daily operation, briefly said (platform dependent for certain features).
Most likely you would configure Policy from Extreme Management Center (just click out your security model, enforce, and it's there on all your switches), but in case you want to do it by hand for some reason, there is a nice example of an EXOS network with Policy in the User Guide.

If you are fine with the EXOS ACL concept but it's too much hassle to translate your already created .pol files to Policy configuration, you can do a workaround: a Vendor-Specific Attribute on RADIUS (see a full list in the guide or here: http://www.extremenetworks.guru/exos-802-1x/; Extreme-Security-Profile is useful here), and a UPM profile (script) on EXOS.
Once your device authenticates on a port, a UPM profile will be triggered by the device-authenticated event, so the port will be configured with dynamic ACLs using some variables (port number, MAC address, username etc.). Another UPM profile would wipe the dynamic ACL from the port upon the device-deauthenticated event.

Please let us know what direction you wish to follow so we can assist you further.

Hope that helps,
Tomasz
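The two Filter-Id shapes Tomasz describes (EOS: Enterasys:version=1:policy=[role]; EXOS: bare policy role name), as an added example that is not from the thread or from Extreme's own code. It encodes the Filter-Id attribute (RFC 2865 type 11) as the RADIUS server would send it in an Access-Accept, walks the attribute list back out, and checks the returned role against the set of roles assumed to be configured on the switch, since a role name that does not exist there applies nothing.

```python
"""Build and check the Filter-Id attribute that carries a policy role.

Constructed example: role names and the configured-role set are assumptions,
the Filter-Id formats are the EOS and EXOS ones described in the thread.
"""
import re
import struct
from typing import List, Optional, Set, Tuple

FILTER_ID_TYPE = 11  # RFC 2865 Filter-Id attribute type

# EOS shape: Enterasys:version=1:policy=<role>; EXOS is the bare role name.
EOS_FILTER_ID = re.compile(r"^Enterasys:version=1:policy=(?P<role>[^:]+)$")


def filter_id_for(role: str, platform: str) -> str:
    """Return the Filter-Id string that assigns `role` on the given platform."""
    if platform == "EOS":
        return f"Enterasys:version=1:policy={role}"
    if platform == "EXOS":
        return role
    raise ValueError(f"unsupported platform {platform!r}")


def encode_filter_id(value: str) -> bytes:
    """Serialise one Filter-Id as a RADIUS Type/Length/Value attribute."""
    data = value.encode("utf-8")
    if len(data) > 253:  # Length is one byte and includes the 2-byte header
        raise ValueError("Filter-Id too long for a single RADIUS attribute")
    return struct.pack("!BB", FILTER_ID_TYPE, 2 + len(data)) + data


def decode_attrs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list and return (type, value) pairs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated attribute header at offset {i}")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError(f"malformed attribute at offset {i}")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def role_from_accept(payload: bytes, configured_roles: Set[str]) -> Optional[str]:
    """Return the policy role the switch would apply, or None if unusable.

    Only the first Filter-Id is considered, and the extracted role must
    already exist on the switch (the names have to match, as noted above).
    """
    for attr_type, value in decode_attrs(payload):
        if attr_type != FILTER_ID_TYPE:
            continue
        text = value.decode("utf-8", errors="replace")
        match = EOS_FILTER_ID.match(text)
        role = match.group("role") if match else text
        return role if role in configured_roles else None
    return None
```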
Hi, Gabriel!
Extreme switch
Userlevel 1
Hi Ruslan, it depends on the vendor of the switch. What switch are you using?
Gabriel