How can I use FilterID from Radius/Netlogin MAC-Auth to assign ACL on Port?

Hello,

I have Netlogin running on a switch, the client gets authorized correctly and is put in the right VLAN. Now I also want to apply an ACL to the client's port. I just can't get my head wrapped around how to do that. I'm lacking the right keywords, I guess.

I found the

configure policy maptable response both

command, which kind of seems to be the right thing, but I'm still missing information for my/a complete understanding. We are using a FreeRADIUS server.

Can you guys point me towards the right direction or maybe even supply an example configuration?

Thanks in advance.


Paul Stange

Posted 3 weeks ago
Tomasz
Hi Paul,

You have two options to enhance your edge-port security besides just VLAN separation with RFC 3580 operation:
- Policy, which is most likely configured in the XMC GUI due to its many capabilities and enforced to all the devices at once; then in RADIUS you would want to assign an additional attribute to your Access-Accept response, i.e. Filter-id=<policy name>;
- UPM script, which would be a script triggered upon user authentication; in RADIUS you have to specify a Vendor-Specific Attribute that would call the script by its name. Inside it you can play with some authentication variables like the user port and apply dynamic ACLs to it (more to do in CLI for that);

For Policy to be working, Filter-id should have its value pointing to a policy name that exists on the device (like Filter-id=guest).

Please let us know which approach you prefer and whether you use XMC or not; then we could help you walk through the relevant portions of the configuration.
Also, your current config might be useful here.

Regards,
Tomasz

Paul Stange
Hi Tomasz,

The first option describes perfectly what I want/need to do here, but we do not have XMC.

Our RADIUS server already sends the FilterID in its response:
10/01/2018 11:46:07.86 <Summ:AAA.Trace> emsAAAServer:aaaGetAccInfo: Failed to send Accounting request
10/01/2018 11:46:07.86 <Summ:AAA.Trace> emsAAAServer: aaaGetAccInfo : read tlv
10/01/2018 11:46:07.86 <Summ:AAA.Trace> emsAAAServer:aaaGetAccInfo:
10/01/2018 11:46:07.86 <Summ:AAA.Trace> emsSmServer: aaaRecv got message 12
10/01/2018 11:46:07.86 <Summ:AAA.Trace> emsSmServer: aaaRecv: received 428 bytes from peer 10
10/01/2018 11:46:07.86 <Info:nl.ClientAuthenticated> Network Login MAC user 001C231D7CCD logged in MAC 00:1C:23:1D:7C:CD port 18 VLAN(s) "int", authentication Radius
10/01/2018 11:46:07.84 <Summ:AAA.Trace> _aaaRespondToClient-: sent message to client:peer 10
10/01/2018 11:46:07.84 <Summ:AAA.Trace> _aaaRespondToClient- :Peer 10
10/01/2018 11:46:07.84 <Summ:AAA.Trace> aaaRequestDequeueNO_LOCK() - queue 0x4c8724, request 0x5520b0 for peer 10, count 0, transId 147, authMethod 2
10/01/2018 11:46:07.84 <Summ:AAA.Trace> __aaaReqFindRadiusInQueue-:found by transId 147
10/01/2018 11:46:07.84 <Summ:AAA.Trace> __aaaReqFindRadiusInQueue-:pkt-id 147
10/01/2018 11:46:07.84 <Summ:AAA.RADIUS.Trace> rad_callback() - start - request 0x4c7340
10/01/2018 11:46:07.84 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18: Access level - unknown, Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, Session Timeout - 4294967295, Idle Timeout - 4294967295, FilterId: ip.int_incoming.in. VrName: NsiType: 0 NsiId: 0
10/01/2018 11:46:07.84 <Info:AAA.RADIUS.RecvRspns> Received an access accept (packet length 56, destination UDP port 32769, id 147) from authentication server #primary netlogin for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18.
10/01/2018 11:46:07.84 <Info:AAA.RADIUS.sendSuccess> Access Request(packet length 131, source UDP port 32769, id 147) sent to server #primary netlogin for user 00-1C-23-1D-7C-CD(userName '001C231D7CCD') for the macauthentication agent on port 18
10/01/2018 11:46:07.84 <Summ:AAA.Trace> aaaRequestUpdateEnqueue() - queue 0x4c8724, request 0x5520b0 for peer 10, count 1, transId 147, authMethod 2
10/01/2018 11:46:07.84 <Info:AAA.RADIUS.ApiReq> PAP request for 00-1C-23-1D-7C-CD(username '001C231D7CCD') on port 18.
10/01/2018 11:46:07.84 <Summ:AAA.Trace> Processing PAP request
10/01/2018 11:46:07.84 <Summ:AAA.Trace> Queuing a RADIUS authen pap request
10/01/2018 11:46:07.84 <Summ:AAA.Trace> aaaAuthenticate- Sending to radius for peer 10
10/01/2018 11:46:07.84 <Summ:AAA.Trace> _aaaGetReq[NETLOGIN]-:Authenticat using Radius, user data ptr 0x490bf0
10/01/2018 11:46:07.84 <Summ:AAA.usingRadius> Authenticate using RADIUS Server
10/01/2018 11:46:07.84 <Summ:AAA.RADIUS.Trace> aaa:radiusEnabled: SrvrSet: 2 realm:3 enabled? :1
10/01/2018 11:46:07.84 <Summ:AAA.reqFromPeer> Handle request from peer 10
10/01/2018 11:46:07.84 <Summ:AAA.Trace> emsSmServer: aaaRecv got message 10
10/01/2018 11:46:07.84 <Summ:AAA.Trace> emsSmServer: aaaRecv: received 716 bytes from peer 10
10/01/2018 11:46:02.02 <Info:vlan.msgs.portLinkStateUp> Port 18 link UP at speed 1 Gbps and full-duplex
So I somehow have to get the FilterID ip.int_incoming.in into a policy.

Here is the switch-config:

ax3-a-4-6.2 # show conf
#
# Module devmgr configuration.
#
configure snmp sysName "ax3-a-4-6"
configure snmp sysLocation "mars"
configure snmp sysContact "iss@egal.de"
configure timezone name local 120 autodst begins every last sunday october at 2 0 ends every last sunday march at 2 0
configure sys-recovery-level switch reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1-52
configure vr VR-Default add ports 1-52
configure vlan default delete ports 1-7,16,18
create vlan "asa"
configure vlan asa tag 8
create vlan "bt"
configure vlan bt tag 21
create vlan "def"
configure vlan def tag 1
configure vlan Default tag 4000
create vlan "dmz"
configure vlan dmz tag 19
create vlan "fvb-inband"
configure vlan fvb-inband tag 84
create vlan "fvb-intra"
configure vlan fvb-intra tag 83
create vlan "in"
configure vlan in tag 13
create vlan "int"
configure vlan int tag 20
create vlan "lab"
configure vlan lab tag 100
create vlan "linux"
configure vlan linux tag 12
create vlan "ntl_unauth"
configure vlan ntl_unauth tag 38
create vlan "observe"
configure vlan observe tag 23
create vlan "prn"
configure vlan prn tag 130
create vlan "srv"
configure vlan srv tag 17
create vlan "sun"
configure vlan sun tag 15
create vlan "tesla"
configure vlan tesla tag 14
create vlan "test"
configure vlan test tag 4
create vlan "tkclient"
configure vlan tkclient tag 22
create vlan "tkmgmt"
configure vlan tkmgmt tag 6
create vlan "undef"
configure vlan undef tag 3333
create vlan "vpn_dmz"
configure vlan vpn_dmz tag 18
create vlan "wifi"
configure vlan wifi tag 1001
disable port 1
configure ports 51 auto off speed 10000 duplex full
configure ports 52 auto off speed 10000 duplex full
configure vlan asa add ports 49,51 tagged
configure vlan bt add ports 49,51 tagged
configure vlan def add ports 49,51 tagged
configure vlan def add ports 16 untagged
configure vlan Default add ports 8-15,17,19-52 untagged
configure vlan dmz add ports 49,51 tagged
configure vlan fvb-inband add ports 49,51 tagged
configure vlan fvb-intra add ports 49,51 tagged
configure vlan in add ports 49,51 tagged
configure vlan int add ports 49,51 tagged
configure vlan lab add ports 49,51 tagged
configure vlan linux add ports 49,51 tagged
configure vlan observe add ports 49,51 tagged
configure vlan prn add ports 49,51 tagged
configure vlan srv add ports 49,51 tagged
configure vlan sun add ports 49,51 tagged
configure vlan tesla add ports 49,51 tagged
configure vlan test add ports 49,51 tagged
configure vlan tkclient add ports 49,51 tagged
configure vlan tkmgmt add ports 49,51 tagged
configure vlan undef add ports 49,51 tagged
configure vlan undef add ports 1-7 untagged
configure vlan vpn_dmz add ports 49,51 tagged
configure vlan wifi add ports 49,51 tagged
configure vlan in ipaddress x.x.x.x x.x.x.x

#
# Module mcmgr configuration.
#

#
# Module fdb configuration.
#
configure mac-locking ports 16 first-arrival limit-learning 3
configure mac-locking ports 17 first-arrival limit-learning 3
configure mac-locking ports 18 first-arrival limit-learning 3
configure mac-locking ports 19 first-arrival limit-learning 3
configure mac-locking ports 20 first-arrival limit-learning 3
configure mac-locking ports 21 first-arrival limit-learning 3
configure mac-locking ports 22 first-arrival limit-learning 3
configure mac-locking ports 23 first-arrival limit-learning 3
configure mac-locking ports 24 first-arrival limit-learning 3
configure mac-locking ports 25 first-arrival limit-learning 3
configure mac-locking ports 26 first-arrival limit-learning 3
configure mac-locking ports 27 first-arrival limit-learning 3
configure mac-locking ports 28 first-arrival limit-learning 3
configure mac-locking ports 29 first-arrival limit-learning 3
configure mac-locking ports 30 first-arrival limit-learning 3
configure mac-locking ports 31 first-arrival limit-learning 3
configure mac-locking ports 32 first-arrival limit-learning 3

#
# Module rtmgr configuration.
#
configure iproute add default 10.6.24.1

#
# Module policy configuration.
#

configure policy maptable response both

#
# Module aaa configuration.
#

#
# Module acl configuration.
#




#
# Module bfd configuration.
#

#
# Module cfgmgr configuration.
#
enable cli-config-logging

#
# Module dosprotect configuration.
#

#
# Module dot1ag configuration.
#

#
# Module eaps configuration.
#

#
# Module edp configuration.
#

#
# Module elrp configuration.
#

#
# Module ems configuration.
#
enable log debug-mode
create log filter rad_logs
create log filter stp_logs
create log filter mac_logs
configure log filter DefaultFilter add events FDB.FdbNotice
configure log filter rad_logs add events nl
configure log filter rad_logs add events AAA severity debug-summary
configure log filter rad_logs add events vlan.msgs.portLinkStateUp
configure log filter rad_logs add events vlan.msgs.portLinkStateDown
configure log filter rad_logs add events vlan
configure log filter stp_logs add events STP.State.PortState match string "19"
configure log filter mac_logs add events vlan
configure log target memory-buffer filter rad_logs severity Debug-Data
configure log target console filter DefaultFilter severity Debug-Data

#
# Module epm configuration.
#

#
# Module erps configuration.
#

#
# Module esrp configuration.
#

#
# Module ethoam configuration.
#

#
# Module etmon configuration.
#

#
# Module exsshd configuration.
#
enable ssh2
configure ssh2 dh-group minimum 1

#
# Module hal configuration.
#
configure iproute sharing max-gateways 4

#
# Module idMgr configuration.
#

#
# Module ipSecurity configuration.
#

#
# Module ipfix configuration.
#

#
# Module lldp configuration.
#
configure lldp management-address vlan in primary-ip
configure lldp port 1 advertise port-description
configure lldp port 1 advertise system-capabilities
configure lldp port 1 advertise management-address
configure lldp port 2 advertise port-description
configure lldp port 2 advertise system-capabilities
configure lldp port 2 advertise management-address
configure lldp port 3 advertise port-description
configure lldp port 3 advertise system-capabilities
configure lldp port 3 advertise management-address
configure lldp port 4 advertise port-description
configure lldp port 4 advertise system-capabilities
configure lldp port 4 advertise management-address
configure lldp port 5 advertise port-description
configure lldp port 5 advertise system-capabilities
configure lldp port 5 advertise management-address
configure lldp port 6 advertise port-description
configure lldp port 6 advertise system-capabilities
configure lldp port 6 advertise management-address
configure lldp port 7 advertise port-description
configure lldp port 7 advertise system-capabilities
configure lldp port 7 advertise management-address
configure lldp port 8 advertise port-description
configure lldp port 8 advertise system-capabilities
configure lldp port 8 advertise management-address
configure lldp port 9 advertise port-description
configure lldp port 9 advertise system-capabilities
configure lldp port 9 advertise management-address
configure lldp port 10 advertise port-description
configure lldp port 10 advertise system-capabilities
configure lldp port 10 advertise management-address
configure lldp port 11 advertise port-description
configure lldp port 11 advertise system-capabilities
configure lldp port 11 advertise management-address
configure lldp port 12 advertise port-description
configure lldp port 12 advertise system-capabilities
configure lldp port 12 advertise management-address
configure lldp port 13 advertise port-description
configure lldp port 13 advertise system-capabilities
configure lldp port 13 advertise management-address
configure lldp port 14 advertise port-description
configure lldp port 14 advertise system-capabilities
configure lldp port 14 advertise management-address
configure lldp port 15 advertise port-description
configure lldp port 15 advertise system-capabilities
configure lldp port 15 advertise management-address
configure lldp port 16 advertise port-description
configure lldp port 16 advertise system-capabilities
configure lldp port 16 advertise management-address
configure lldp port 17 advertise port-description
configure lldp port 17 advertise system-capabilities
configure lldp port 17 advertise management-address
configure lldp port 18 advertise port-description
configure lldp port 18 advertise system-capabilities
configure lldp port 18 advertise management-address
configure lldp port 19 advertise port-description
configure lldp port 19 advertise system-capabilities
configure lldp port 19 advertise management-address
configure lldp port 20 advertise port-description
configure lldp port 20 advertise system-capabilities
configure lldp port 20 advertise management-address
configure lldp port 21 advertise port-description
configure lldp port 21 advertise system-capabilities
configure lldp port 21 advertise management-address
configure lldp port 22 advertise port-description
configure lldp port 22 advertise system-capabilities
configure lldp port 22 advertise management-address
configure lldp port 23 advertise port-description
configure lldp port 23 advertise system-capabilities
configure lldp port 23 advertise management-address
configure lldp port 24 advertise port-description
configure lldp port 24 advertise system-capabilities
configure lldp port 24 advertise management-address
configure lldp port 25 advertise port-description
configure lldp port 25 advertise system-capabilities
configure lldp port 25 advertise management-address
configure lldp port 26 advertise port-description
configure lldp port 26 advertise system-capabilities
configure lldp port 26 advertise management-address
configure lldp port 27 advertise port-description
configure lldp port 27 advertise system-capabilities
configure lldp port 27 advertise management-address
configure lldp port 28 advertise port-description
configure lldp port 28 advertise system-capabilities
configure lldp port 28 advertise management-address
configure lldp port 29 advertise port-description
configure lldp port 29 advertise system-capabilities
configure lldp port 29 advertise management-address
configure lldp port 30 advertise port-description
configure lldp port 30 advertise system-capabilities
configure lldp port 30 advertise management-address
configure lldp port 31 advertise port-description
configure lldp port 31 advertise system-capabilities
configure lldp port 31 advertise management-address
configure lldp port 32 advertise port-description
configure lldp port 32 advertise system-capabilities
configure lldp port 32 advertise management-address
configure lldp port 33 advertise port-description
configure lldp port 33 advertise system-capabilities
configure lldp port 33 advertise management-address
configure lldp port 34 advertise port-description
configure lldp port 34 advertise system-capabilities
configure lldp port 34 advertise management-address
configure lldp port 35 advertise port-description
configure lldp port 35 advertise system-capabilities
configure lldp port 35 advertise management-address
configure lldp port 36 advertise port-description
configure lldp port 36 advertise system-capabilities
configure lldp port 36 advertise management-address
configure lldp port 37 advertise port-description
configure lldp port 37 advertise system-capabilities
configure lldp port 37 advertise management-address
configure lldp port 38 advertise port-description
configure lldp port 38 advertise system-capabilities
configure lldp port 38 advertise management-address
configure lldp port 39 advertise port-description
configure lldp port 39 advertise system-capabilities
configure lldp port 39 advertise management-address
configure lldp port 40 advertise port-description
configure lldp port 40 advertise system-capabilities
configure lldp port 40 advertise management-address
configure lldp port 41 advertise port-description
configure lldp port 41 advertise system-capabilities
configure lldp port 41 advertise management-address
configure lldp port 42 advertise port-description
configure lldp port 42 advertise system-capabilities
configure lldp port 42 advertise management-address
configure lldp port 43 advertise port-description
configure lldp port 43 advertise system-capabilities
configure lldp port 43 advertise management-address
configure lldp port 44 advertise port-description
configure lldp port 44 advertise system-capabilities
configure lldp port 44 advertise management-address
configure lldp port 45 advertise port-description
configure lldp port 45 advertise system-capabilities
configure lldp port 45 advertise management-address
configure lldp port 46 advertise port-description
configure lldp port 46 advertise system-capabilities
configure lldp port 46 advertise management-address
configure lldp port 47 advertise port-description
configure lldp port 47 advertise system-capabilities
configure lldp port 47 advertise management-address
configure lldp port 48 advertise port-description
configure lldp port 48 advertise system-capabilities
configure lldp port 48 advertise management-address
configure lldp port 49 advertise port-description
configure lldp port 49 advertise system-capabilities
configure lldp port 49 advertise management-address
configure lldp port 50 advertise port-description
configure lldp port 50 advertise system-capabilities
configure lldp port 50 advertise management-address
configure lldp port 51 advertise port-description
configure lldp port 51 advertise system-capabilities
configure lldp port 51 advertise management-address
configure lldp port 52 advertise port-description
configure lldp port 52 advertise system-capabilities
configure lldp port 52 advertise management-address

#
# Module mrp configuration.
#

#
# Module msdp configuration.
#

#
# Module netLogin configuration.
#
configure netlogin vlan ntl_unauth
enable netlogin mac
configure netlogin agingtime 1
configure netlogin mac authentication database-order radius
enable netlogin ports 17-32 mac
configure netlogin ports 17 mode port-based-vlans
configure netlogin ports 17 no-restart
configure netlogin ports 18 mode port-based-vlans
configure netlogin ports 18 no-restart
configure netlogin ports 19 mode port-based-vlans
configure netlogin ports 19 no-restart
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 20 no-restart
configure netlogin ports 21 mode port-based-vlans
configure netlogin ports 21 no-restart
configure netlogin ports 22 mode port-based-vlans
configure netlogin ports 22 no-restart
configure netlogin ports 23 mode port-based-vlans
configure netlogin ports 23 no-restart
configure netlogin ports 24 mode port-based-vlans
configure netlogin ports 24 no-restart
configure netlogin ports 25 mode port-based-vlans
configure netlogin ports 25 no-restart
configure netlogin ports 26 mode port-based-vlans
configure netlogin ports 26 no-restart
configure netlogin ports 27 mode port-based-vlans
configure netlogin ports 27 no-restart
configure netlogin ports 28 mode port-based-vlans
configure netlogin ports 28 no-restart
configure netlogin ports 29 mode port-based-vlans
configure netlogin ports 29 no-restart
configure netlogin ports 30 mode port-based-vlans
configure netlogin ports 30 no-restart
configure netlogin ports 31 mode port-based-vlans
configure netlogin ports 31 no-restart
configure netlogin ports 32 mode port-based-vlans
configure netlogin ports 32 no-restart
enable netlogin authentication failure vlan ports 17-32
configure netlogin authentication failure vlan def ports 17-32
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

#
# Module netTools configuration.
#

#
# Module nodealias configuration.
#
enable nodealias ports 1
enable nodealias ports 2
enable nodealias ports 3
enable nodealias ports 4
enable nodealias ports 5
enable nodealias ports 6
enable nodealias ports 7
enable nodealias ports 8
enable nodealias ports 9
enable nodealias ports 10
enable nodealias ports 11
enable nodealias ports 12
enable nodealias ports 13
enable nodealias ports 14
enable nodealias ports 15
enable nodealias ports 16
enable nodealias ports 17
enable nodealias ports 18
enable nodealias ports 19
enable nodealias ports 20
enable nodealias ports 21
enable nodealias ports 22
enable nodealias ports 23
enable nodealias ports 24
enable nodealias ports 25
enable nodealias ports 26
enable nodealias ports 27
enable nodealias ports 28
enable nodealias ports 29
enable nodealias ports 30
enable nodealias ports 31
enable nodealias ports 32
enable nodealias ports 33
enable nodealias ports 34
enable nodealias ports 35
enable nodealias ports 36
enable nodealias ports 37
enable nodealias ports 38
enable nodealias ports 39
enable nodealias ports 40
enable nodealias ports 41
enable nodealias ports 42
enable nodealias ports 43
enable nodealias ports 44
enable nodealias ports 45
enable nodealias ports 46
enable nodealias ports 47
enable nodealias ports 48
enable nodealias ports 49
enable nodealias ports 50
enable nodealias ports 51
enable nodealias ports 52

#
# Module ntp configuration.
#
enable ntp vr VR-Default
enable ntp vlan in


#
# Module poe configuration.
#

#
# Module rip configuration.
#

#
# Module ripng configuration.
#

#
# Module snmpMaster configuration.
#

#
# Module stp configuration.
#
configure mstp region MBI_REG_1
configure mstp revision 1
enable stpd s0 auto-bind vlan asa
enable stpd s0 auto-bind vlan bt
enable stpd s0 auto-bind vlan def
enable stpd s0 auto-bind vlan dmz
enable stpd s0 auto-bind vlan fvb-inband
enable stpd s0 auto-bind vlan fvb-intra
enable stpd s0 auto-bind vlan in
enable stpd s0 auto-bind vlan int
enable stpd s0 auto-bind vlan lab
enable stpd s0 auto-bind vlan linux
enable stpd s0 auto-bind vlan observe
enable stpd s0 auto-bind vlan prn
enable stpd s0 auto-bind vlan srv
enable stpd s0 auto-bind vlan sun
enable stpd s0 auto-bind vlan tesla
enable stpd s0 auto-bind vlan test
enable stpd s0 auto-bind vlan tkclient
enable stpd s0 auto-bind vlan tkmgmt
enable stpd s0 auto-bind vlan undef
enable stpd s0 auto-bind vlan vpn_dmz
enable stpd s0 auto-bind vlan wifi
configure stpd s0 ports link-type edge 19

#
# Module techSupport configuration.
#

#
# Module telnetd configuration.
#

#
# Module tftpd configuration.
#

#
# Module thttpd configuration.
#

#
# Module twamp configuration.
#

#
# Module vmt configuration.
#

#
# Module vsm configuration.
#


Thank you and best regards
Paul


Tomasz
Paul,

I think there are a lot of things you should put in the config. As you can see, there is no policy entry for ip.int_incoming.in, which you would have to create with the 'configure policy rule' command. 'Enable policy' is essential as well.

First, please take a look here in the Policy chapter (no. 28, starting on page 781): https://documentation.extremenetworks.com/exos_22.5/EXOS_User_Guide_22_5.pdf
I believe it will be the best starting point to understand how that works in EXOS.

From page 807 in the guide there is some kind of a cheat sheet of which steps should be taken. Later, you have some scenario configuration examples. If you want to use Policy without XMC, brace yourself, as there are a lot of lines in the config if we are talking about more complex policy scenarios (each policy role has its own set of traffic classification rules...).

Hope that helps,
Tomasz
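The gap Tomasz points out in both replies (the RADIUS Access-Accept carries a Filter-Id, but the switch has no policy profile of that name and policy is not enabled) can be checked mechanically from the switch trace and the running config. The following is an added example, not code from the thread or from Extreme: it parses the `SrvrRtrnAccessVal` trace line quoted above and a config extract, and reports what would stop the Filter-Id from taking effect. The `configure policy profile ... name` syntax and the meaning of the `maptable response` modes (`policy` or `both` honour Filter-Id) are assumptions to verify against the EXOS User Guide policy chapter.

```python
import re

# Constructed sample input: the RADIUS authorization trace line quoted in the
# thread, plus two hypothetical config extracts (before and after the fix).
LOG_LINE = (
    "10/01/2018 11:46:07.84 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values "
    "for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18: Access level - unknown, "
    "Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, Session Timeout - "
    "4294967295, Idle Timeout - 4294967295, FilterId: ip.int_incoming.in. VrName: "
    "NsiType: 0 NsiId: 0"
)

# As posted in the thread: maptable set, but no 'enable policy' and no profile.
CONFIG_BEFORE = """\
configure vlan int tag 20
configure policy maptable response both
"""

# Hypothetical corrected extract; the profile command syntax is assumed, check it
# against the EXOS User Guide policy chapter before using it on a switch.
CONFIG_AFTER = """\
configure vlan int tag 20
enable policy
configure policy profile 1 name "ip.int_incoming.in"
configure policy maptable response both
"""

# The trace terminates the FilterId value with a period before "VrName:".
FILTER_RE = re.compile(r"FilterId:\s*(.*?)\.?\s+VrName:")
TUNNEL_RE = re.compile(r"Tunnel Group Id - (\d+)")
PORT_RE = re.compile(r"\) on port (\d+):")
PROFILE_RE = re.compile(r'^configure policy profile (\d+) name "?([^"\s]+)"?', re.M)
VLAN_TAG_RE = re.compile(r"^configure vlan (\S+) tag (\d+)$", re.M)
MAPTABLE_RE = re.compile(r"^configure policy maptable response (\S+)$", re.M)


def parse_access_accept(line):
    """Pull the attributes the switch derived from the Access-Accept."""
    m = FILTER_RE.search(line)
    t = TUNNEL_RE.search(line)
    p = PORT_RE.search(line)
    return {
        "filter_id": m.group(1) if m else None,
        "tunnel_group_id": int(t.group(1)) if t else None,
        "port": int(p.group(1)) if p else None,
    }


def check_policy_config(line, config):
    """Return the parsed attributes plus a list of reasons the Filter-Id would be ignored."""
    attrs = parse_access_accept(line)
    profiles = {name: int(idx) for idx, name in PROFILE_RE.findall(config)}
    vlans = {int(tag): name for name, tag in VLAN_TAG_RE.findall(config)}
    maptable = MAPTABLE_RE.search(config)
    problems = []
    if re.search(r"^enable policy$", config, re.M) is None:
        problems.append("policy feature not enabled ('enable policy' missing)")
    if attrs["filter_id"] not in profiles:
        problems.append("no policy profile named %r in config" % attrs["filter_id"])
    # Assumed semantics: only 'policy' and 'both' make the switch act on Filter-Id.
    if maptable is None or maptable.group(1) not in ("policy", "both"):
        problems.append("maptable response does not honour Filter-Id")
    if attrs["tunnel_group_id"] not in vlans:
        problems.append("Tunnel Group Id %s matches no VLAN tag" % attrs["tunnel_group_id"])
    attrs["vlan"] = vlans.get(attrs["tunnel_group_id"])
    attrs["profile_index"] = profiles.get(attrs["filter_id"])
    attrs["problems"] = problems
    return attrs


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        result = check_policy_config(LOG_LINE, cfg)
        print(label, result["filter_id"], result["vlan"], result["problems"])
```

Run against the full `show conf` output instead of the extract to check every VLAN tag the RADIUS server may return as a Tunnel Group Id.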