Execute a script when a rule is used

  • Question
  • Updated 2 years ago
  • Answered
Hello,

 I'm working with NAC and so netlogin.

We have a need to plug a switch into another one without having to disable netlogin, but it looks like it's impossible.

We tried numerous setups, and the only one that works is to link the second switch through a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.

I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, changing it from an end-user type port to a trunk type port.
I know we can do that by hand through OneView and it works fine, but it's not very efficient in our setup.

Thanks
Gaspard
Gaspard W

Posted 2 years ago

André Herkenrath, Employee
Hi Gaspard,

Are all these switches that you are using EXOS switches?

/André

Gaspard W
Yes, all of them

Matthew Helm, Employee
I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:


MAC                      IP address       Authenticated     Type    ReAuth-Timer   User          
00:e0:2b:00:00:01  0.0.0.0             No                    802.1x     0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

Gaspard W
Ok, I worked on UPM today, and I think that disabling netlogin on that port and then adding all the VLANs is pretty useful.

I have a question: on OneView, you can use scripts with $port, which refers to the port, but how do you do that in a UPM script?

$port won't be understood by the OS, and I don't know how I could get the port number to send the CLI command with it. Do you have an idea how I could do it?

Now, your EDP technique: I see how you want to do it, and it looks pretty nice!
It would surely be useful to "cancel" the script when it's not a switch that is connected but an end-user device. Making an end-user port become a trunk port would certainly be a problem haha

Matthew Helm, Employee
So, the UPM process has environment variables depending on the event. One of them is the port number. Here is a snippet of configuration from my testing:

create vlan user
create vlan nl

create upm profile in
disable netlogin port $(EVENT.USER_PORT) mac dot1x
.
create upm profile out
.
configure upm event user-authenticate profile in ports 1-7
configure upm event user-unauthenticated profile out ports 1-7

configure netlogin vlan nl
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order mac dot1x web-based
configure netlogin add mac-list 00:e0:2b:00:00:00 24 password pass
enable netlogin ports 1-7 dot1x
enable netlogin ports 1-7 mac

#From the RADIUS users file:

00E02B000000    Cleartext-Password := "pass"
                Extreme-Security-Profile = "in QOS=QP1;LOGOFF-PROFILE=out;",
                Extreme-Netlogin-Extended-Vlan = "Uuser"


The above configuration disables netlogin on a port connected to an EXOS switch. You'll need to change the OUI in the username and in the mac-list filter, as I was using EXOS VMs.

The "in" profile could easily be expanded to wait for a bit, then do a "show edp port $(EVENT.USER_PORT) detail" and parse the output in CLI.OUT for the VLAN information, and create and tag the VLANs on the port. Or, if you just want to go through and take all local VLANs with a tag and add $(EVENT.USER_PORT) to them tagged, you could do that.

Gaspard W
Hello,

Very good explanation by the way :)

I was trying to use $port instead of $(EVENT.USER_PORT), which is why it couldn't work. Do you have a list of all the EVENT. tags? That could be useful later also.

For the show edp, that's true, and I could then execute the script if it matches the chosen OUI.

About the timer, I currently have one, but do you have to have it? Or would it execute the script as soon as the event happens?

I was trying to just print a message in the logs, to see how it works, and the message wasn't appearing each time I plugged in the device. It was appearing in about 1 of 3 trials, on different ports that have the UPM event activated on them. Is that normal? Like a timeout thing, or something wasn't set up right?

thanks

Matthew Helm, Employee
Unfortunately, all the environment variables (EVENT.x) are not really documented in an easy way. I find the best way to find out which ones I have available for a particular event is to create an empty UPM profile, trigger the event, and then look at the UPM history for that exec id (show upm hist ex #).

I'm not sure I understand the question on the timer. I was referring to the after TCL function, which I would use to wait for EDP to discover the neighboring EXOS switch (it can take up to a minute by default, I think). The after function could be issued like this: set var wartime $TCL(after 60000) -- this introduces a 1 minute pause.

I suspect that there may be a timing issue regarding it launching only 1/3rd of the time, but I can't be sure.

Gaspard W
Hello,

I'll try the empty profile. I also found most of the variables in the EXOS Concepts Guide for Release 15.3, page 337 :D and I have to experiment with them.

For the timer, I was asking about its function. I'm not sure what it is used for: is it for executing the script X seconds after the event trigger happens? Or is it something else?

For the 1/3, I found out that the LLDP packets were kinda glitched on the laptop, so I'm using switches with LLDP activated, and it works 100% of the time :)

thanks

Thomas, Frank, Employee
Another way to skin a cat,
Within Policy Rules

There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more detail.

Anyway, from that event, you can use the alarm manager to launch a script from the NetSight server, which could ssh/telnet to your device and make the config changes.

Gaspard W
Hello, I wasn't able to find that menu :/
Can you tell me where it is? :)

Thomas, Frank, Employee
It's a feature for any service rule if you're using Policy Manager and NAC in conjunction.

Policy Manager Thick Client

Netsight Oneview [6.3] / Extreme Management [Screenshot from 7.0]

Gaspard W
Our switches aren't compatible with the Policy Manager :/

Thomas, Frank, Employee
Hopefully some day you'll have switches that are. :) Policy Manager really shines managing hundreds of switches and wireless controllers and integrating with Extreme Control.

The other employees have given some really great info about local scripts on the box to tackle this problem another way. Best of luck with solving your problem!

Gaspard W
The problem is that it isn't compatible with the x250 with EXOS 15.3 or the x400 with EXOS 15.6.

And yes, very useful :)

thanks

Kevin Kim, Employee
If LLDP runs on the links between switches, you could use a device-detect and a device-undetect profile/script, where you can do whatever you want.

- The device-detect profile is used to configure a port for the device that has just connected.

# configure upm event device-detect profile <upm_profile> ports <port_list>

- The device-undetect profile is used to return the port to a default configuration after a device disconnects.

# configure upm event device-undetect profile <upm_profile> ports <port_list>

Device triggers respond to the IEEE 802.1ab LLDP discovery protocol. A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when the periodically transmitted LLDP packets are no longer received. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles.

André Herkenrath, Employee
Depending on the use case, you could use a combination of EDP and LLDP: LLDP, as Kevin said, to trigger a UPM event, which removes .1x from the port and searches the downlink VLANs via EDP.
Can you be a bit more precise about the use case?

Gaspard W
Hello everyone,

So my use case currently is:

2 switches, I'll call them 1 and 2.
Switch 1 has netlogin enabled on every port (except the trunk port).

We want to be able to connect switch 2 (netlogin enabled on every port also, except the trunk port) to switch 1, so it would be on a netlogin-enabled port, mac-based-vlan.

The problem is that netlogin allows the switch 2 MAC address, but it doesn't let it netlog the devices connected to it (every device connected on switch 2); that's normal because it's MAC based.

The thing now is that we want to be able to have a script run, maybe, that would disable netlogin on switch 1 on that specific port and add all the VLANs that are needed to make the port a trunk port.
This script could also be reverted when the switch is unplugged from the port on switch 1.

André Herkenrath, Employee

This definitely looks like an LLDP thing. Have a look at the generic phone UPM in the User Guide.
This should be a good start.

Gaspard W
I will look at it. The setup involves having a phone vlan, and two or three other vlans.

Gaspard W
Hello everyone,

I'm testing how to use UPM and what the problems related to it are.

Is there a way to have the UPM script execute when netlogin is enabled on that port? It seems like netlogin prevents the script from being executed, but when it is disabled, the UPM triggers correctly.

Thanks

Matthew Helm, Employee
If you are using LLDP as the trigger and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP), at least for the processing of ingress PDUs. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.

Kevin Kim, Employee

My apologies. I figured out that the previous UPM profile had an error with the brackets surrounding 'EVENT.DEVICE_MAC'. It should be surrounded by curly brackets.

set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
if ($m == 0) then
    disable netlogin port $(EVENT.USER_PORT) dot1x mac
    configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
    configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
endif 

If you want to put some lines in the 'else' clause, you can do it as follows.

set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
if ($m == 0) then
    disable netlogin port $(EVENT.USER_PORT) dot1x mac
    configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
    configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
else
    command_1
    command_2
endif 

In case you want to associate a UPM profile with the 'device-undetect' event (when an LLDP neighbor disappears from a port), you can use the following command.

# configure upm event device-undetect profile <profile_name>

For your reference, below are the log messages generated when the UPM profile gets triggered in my lab.

06/15/2016 22:37:27.65 <Info:nl.ClientReset> Network Login user  cleared via CLI, Mac 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest"
06/15/2016 22:37:27.65 <Info:nl.ClientReset> Network Login user  cleared via CLI, Mac 00:04:96:37:54:2B port 23 VLAN(s) "vguest"
06/15/2016 22:37:27.64 <Info:cli.logRemoteCmd>  (upm) UPM:     disable netlogin port 23 dot1x mac
06/15/2016 22:37:27.63 <Info:cli.logRemoteCmd>  (upm) UPM: if (0 == 0) then
06/15/2016 22:37:27.61 <Info:cli.logRemoteCmd>  (upm) UPM: set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
06/15/2016 22:37:27.60 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.PROFILE dn
06/15/2016 22:37:27.60 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.NAME DEVICE-DETECT
06/15/2016 22:37:27.59 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE ROUTER
06/15/2016 22:37:27.57 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.TIME 1466030247
06/15/2016 22:37:27.57 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.USER_PORT 23
06/15/2016 22:37:27.56 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE_POWER 0
06/15/2016 22:37:27.55 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
06/15/2016 22:37:27.54 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE_MODEL  " "
06/15/2016 22:37:27.53 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE_MANUFACTURER_NAME  " "
06/15/2016 22:37:27.52 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE_IP 0.0.0.0
06/15/2016 22:37:27.51 <Info:cli.logRemoteCmd>  (upm) UPM: configure cli mode non-persistent
06/15/2016 22:37:27.50 <Info:cli.logRemoteCmd>  (upm) UPM: enable cli scripting
06/15/2016 22:37:27.50 <Info:cli.logRemoteCmd>  (upm) UPM: enable cli scripting output
06/15/2016 22:37:27.31 <Noti:UPM.Msg.upmMsgExshLaunch> Launched profile dn for the event device-detect
06/15/2016 22:37:27.31 <Noti:UPM.Msg.LLDPDevDetected> LLDP Device detected. Mac is 00:04:96:37:54:2B, IP is 0.0.0.0, on port 23, device type is 20, max power is 0
06/15/2016 22:37:27.05 <Info:nl.ClientAuthenticated> Network Login MAC user 00049637542B logged in MAC 00:04:96:37:54:2B port 23 VLAN(s) "vguest", authentication Locally
06/15/2016 22:37:25.35 <Info:nl.ClientAuthenticated> Network Login MAC user 00E02B000001 logged in MAC 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest", authentication Locally

Gaspard W
Thank you for that explanation!

I'm going to check it out and do some testing.

I'll get back to you after.

Gaspard W
Hello,

I did some testing, and it seems that it doesn't see the MAC with that OUI.
It executes the else branch, but not the if.

Does the " ^ " make the OUI not work? It seems like it doesn't match the switch's MAC, which has this OUI.

Thanks

Matthew Helm, Employee
It might work better to use the regexp function, e.g.:

x205.35 # show var mac
00:01:02:0A:0B:0C
x205.36 # set var t $TCL(regexp ^00:01:02 $mac)
x205.37 # show var t
1
x205.38 # set var t $TCL(regexp ^00:01:03 $mac)
x205.39 # show var t
0

So the lines could be:

set var m $TCL(regexp ^00:04:96 ${EVENT.DEVICE_MAC} )
if ($m) then

  ...

Kevin Kim, Employee

"^" means the beginning of the string. It is used in the regular expression to match the OUI of the MAC address, which is the first 24-bit number that uniquely identifies a vendor or manufacturer. Extreme switches have a MAC address that begins with "00:04:96".

# set var EVENT.DEVICE_MAC 00:04:96:37:54:2B
# set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
# sh var m
0                               
# set var EVENT.DEVICE_MAC 00:04:00:37:54:2B
# set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
# sh var m
-1                              

In addition, I agree with Matt that the "regexp" TCL function is more appropriate here, since "EVENT.DEVICE_MAC" is not a list.
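Because the profile in this thread switches a port from authenticated to trunk whenever the LLDP-advertised MAC matches the 00:04:96 OUI, it is worth auditing the switch log for every such change and confirming the guard actually held. The script below is an added example (not from the thread or from Extreme): it runs the same "^00:04:96" test the profile uses, then correlates the <Noti:UPM.Msg.LLDPDevDetected> lines with the "(upm) UPM: disable netlogin port N" commands from Kevin's log above; the sample lines are constructed from that log, and the port 5 entries are made up to show a miss.

```python
import re

# Constructed sample, trimmed from the EXOS log lines Kevin posted above
# (EXOS prints newest first); the port 5 lines are made up to show a miss.
SAMPLE_LOG = """\
06/15/2016 22:37:27.64 <Info:cli.logRemoteCmd>  (upm) UPM:     disable netlogin port 23 dot1x mac
06/15/2016 22:37:27.55 <Info:cli.logRemoteCmd>  (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
06/15/2016 22:37:27.31 <Noti:UPM.Msg.upmMsgExshLaunch> Launched profile dn for the event device-detect
06/15/2016 22:37:27.31 <Noti:UPM.Msg.LLDPDevDetected> LLDP Device detected. Mac is 00:04:96:37:54:2B, IP is 0.0.0.0, on port 23, device type is 20, max power is 0
06/15/2016 22:40:01.10 <Info:cli.logRemoteCmd>  (upm) UPM:     disable netlogin port 5 dot1x mac
06/15/2016 22:40:00.90 <Noti:UPM.Msg.LLDPDevDetected> LLDP Device detected. Mac is 00:E0:2B:00:00:01, IP is 0.0.0.0, on port 5, device type is 20, max power is 0
"""

# The same OUI test the UPM profile runs: $TCL(regexp ^00:04:96 ${EVENT.DEVICE_MAC})
TRUSTED_OUI = re.compile(r"^00:04:96", re.IGNORECASE)
DETECT_RE = re.compile(r"<Noti:UPM\.Msg\.LLDPDevDetected> LLDP Device detected\. "
                       r"Mac is ([0-9A-Fa-f:]{17}), IP is (\S+), on port (\d+)")
DISABLE_RE = re.compile(r"\(upm\) UPM:\s+disable netlogin port (\d+)\b")


def oui_trusted(mac):
    """True when the MAC starts with the 00:04:96 OUI (1 / 0 in the TCL regexp)."""
    return bool(TRUSTED_OUI.match(mac))


def audit_upm_netlogin(log_text):
    """One record per port on which a UPM profile disabled netlogin, joined with
    the LLDP MAC that triggered it and whether that MAC carried the trusted OUI.
    A record with oui_trusted False deserves a look: the profile's guard did not
    hold, or something other than the expected switch reached the port."""
    disabled_ports, detections = set(), {}
    for line in log_text.splitlines():
        m = DISABLE_RE.search(line)
        if m:
            disabled_ports.add(m.group(1))
            continue
        m = DETECT_RE.search(line)
        if m:
            detections[m.group(3)] = m.group(1)   # port -> MAC from the LLDP event
    return [{"port": p, "mac": detections.get(p),
             "oui_trusted": bool(detections.get(p) and oui_trusted(detections[p]))}
            for p in sorted(disabled_ports, key=int)]


if __name__ == "__main__":
    for rec in audit_upm_netlogin(SAMPLE_LOG):
        print(rec)
```

Feed it the output of "show log" (or the syslog export) from switch 1; any record with oui_trusted False is a port that was turned into a trunk without the expected neighbor.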