I'm working with NAC and so with netlogin.
We need to have a switch plugged into another one without having to disable netlogin, but it looks like it's impossible.
We tried numerous setups, and the only one that works is to link the second switch via a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.
I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, changing it from an end-user type port to a trunk type port.
I know we can do that by hand through OneView and it works fine, but it's not very efficient in our setup.
MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0
However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).
Is this an approach you would like to explore?
Within Policy Rules
There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more detail.
Anyway, from that event, you can use Alarm Manager to launch a script from the NetSight server, which could ssh/telnet to your device and make the config changes.
- device-detect profile is used to configure a port for the device that has just connected.
# configure upm event device-detect profile <upm_profile> ports <port_list>
- device-undetect profile is used to return the port to a default configuration after a device disconnects.
# configure upm event device-undetect profile <upm_profile> ports <port_list>
Device triggers respond to the discovery protocol IEEE 802.1ab LLDP. A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when the periodically transmitted LLDP packets are no longer received. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles.
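A UPM profile pair of the kind this reply describes, written here as an added example (it is not from the thread or from Extreme's documentation). It assumes EXOS, that the edge ports where an uplink may appear are 1:1-1:24, that the VLANs to trunk are named Users and Voice, that netlogin runs dot1x and mac on those ports, and that the UPM variable `$EVENT.USER_PORT` holds the port that raised the trigger:

```text
# Added example: UPM profiles for the device-detect / device-undetect triggers.
# Assumed: EXOS, edge ports 1:1-1:24, VLANs named "Users" and "Voice",
# netlogin running dot1x and mac on those ports. $EVENT.USER_PORT is the UPM
# variable holding the port that raised the trigger.

# Profile run when an LLDP neighbour appears on the port:
# stop authenticating on it and make it a tagged trunk.
create upm profile uplink-detect
disable netlogin ports $EVENT.USER_PORT dot1x mac
configure vlan Users add ports $EVENT.USER_PORT tagged
configure vlan Voice add ports $EVENT.USER_PORT tagged
.

# Profile run when LLDP ages out: undo the above so the port is an
# authenticated edge port again as soon as the neighbour goes away.
create upm profile uplink-undetect
configure vlan Users delete ports $EVENT.USER_PORT
configure vlan Voice delete ports $EVENT.USER_PORT
enable netlogin ports $EVENT.USER_PORT dot1x mac
.

# Bind the profiles to the ports and make sure LLDP is running there,
# otherwise the triggers never fire.
enable lldp ports 1:1-1:24
configure upm event device-detect profile uplink-detect ports 1:1-1:24
configure upm event device-undetect profile uplink-undetect ports 1:1-1:24
```

LLDP carries no authentication, so the detect trigger only confirms that something speaking LLDP is attached, not that it is the expected switch; bind the profiles only to ports where an uplink is actually expected, and keep the undetect profile so the netlogin exemption is removed the moment the neighbour disappears. The follow-up later in this thread reports that the trigger did not fire while netlogin was enabled on the port, so the pair above assumes that trigger does run.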
So my use case currently is:
2 switches, I'll call them 1 and 2.
Switch 1 has netlogin enabled on every port (except the trunk port).
We want to be able to connect switch 2 (netlogin enabled on every port as well, except the trunk port) to switch 1, so it would be on a netlogin-enabled port (mac-based-vlan).
The problem is that netlogin allows the switch 2 MAC address, but it doesn't let it netlog the devices connected to it (every device connected to switch 2); that's normal because it's MAC based.
Now we want to be able to have a script run that would disable netlogin on switch 1 on that specific port and add all the VLANs needed to make the port a trunk port.
This script could also be reverted when the switch is unplugged from the port on switch 1.
I'm testing how to use UPM, and what problems are related to it.
Is there a way to have the UPM script execute when netlogin is enabled on that port? It seems like netlogin prevents the script from being executed, but when it is disabled, the UPM triggers correctly.