RADIUS ACL attributes

How to assign ACL with RADIUS Access-Accept response? What attributes to use?
I'm interested in at least two options:
  1. Sending an ACL id (ACL is configured on the switch)
  2. Sending ACL rules (ACL is presented in a RADIUS attribute)
Ruslan

Posted 5 days ago
Gabriel Bagita
Hi Ruslan,
It depends on the vendor of the switch. What switch are you using?

Gabriel
Ruslan
Hi, Gabriel!
Extreme switch
Tomasz
Hello Ruslan,

Apparently, it's still not very accurate - at Extreme, within five years (when it was just EXOS), you now have EXOS, EOS, VOSS, BOSS, NOS, SLX-OS, NetIron (?) and something minor for ISW or the 200 series... ;) But okay, with EXOS and EOS you would most likely work with the Policy concept.

It is based on different attributes: with EOS it is a Filter-ID of the shape Enterasys:version=1:policy=[role]. For EXOS though, as you can see in the ONEPolicy chapter of the EXOS User Guide (https://documentation.extremenetworks.com/exos_22.5/EXOS_User_Guide_22_5.pdf), it is based on Filter-ID with just the policy role name.
Those names need to match what's already configured on the switch, and it contains most of the useful ACL-like stuff for daily operation, briefly said (platform dependent for certain features).
Most likely you would configure Policy from Extreme Management Center (just click out your security model, enforce, and it's there on all your switches), but in case you want to do it by hand for some reason, there is a nice example of an EXOS network with Policy in the User Guide.

If you are fine with the EXOS ACL concept but it's too much hassle to translate your already created .pol files to Policy configuration, you can do a workaround: a Vendor-Specific Attribute on RADIUS (see the full list in the guide or here: http://www.extremenetworks.guru/exos-802-1x/, Extreme-Security-Profile is useful here), and a UPM profile (script) on EXOS.
Once your device authenticates on a port, a UPM profile will be triggered by the device-authenticated event, so the port will be configured with dynamic ACLs using some variables (port number, MAC address, username, etc.). Another UPM profile would wipe the dynamic ACL from the port upon the device-deauthenticated event.

Please let us know what direction you wish to follow so we can assist you further.

Hope that helps,
Tomasz
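The two Filter-ID shapes described in the answer above (the EOS "Enterasys:version=1:policy=[role]" form and the plain EXOS role name), as an added example that is not part of this thread or of any Extreme product: a small Python helper that builds the reply value for either platform, parses a received value back into a role, and checks that the role actually exists on the switch, since a role name that does not match the switch configuration silently yields no policy. The set of configured roles is a constructed assumption.

```python
import re
from typing import Optional, Tuple

# Assumption: policy roles already configured on the switch (constructed sample).
SWITCH_ROLES = {"Enterprise User", "Guest", "Printer"}

# EOS shape from the thread: Enterasys:version=1:policy=<role>
EOS_FILTER_ID = re.compile(r"^Enterasys:version=(?P<version>\d+):policy=(?P<role>.+)$")


def build_filter_id(role: str, platform: str) -> str:
    """Build the Filter-ID value to send in Access-Accept for the given platform."""
    if platform == "eos":
        return f"Enterasys:version=1:policy={role}"
    if platform == "exos":
        # EXOS expects just the policy role name in Filter-ID.
        return role
    raise ValueError(f"unsupported platform: {platform}")


def parse_filter_id(value: str) -> Tuple[str, str]:
    """Return (platform, role) recovered from a received Filter-ID value.

    A value matching the Enterasys prefix is treated as EOS; anything else is
    taken as a bare EXOS role name. Surrounding whitespace is ignored.
    """
    value = value.strip()
    match = EOS_FILTER_ID.match(value)
    if match:
        return "eos", match.group("role")
    return "exos", value


def resolve_role(value: str, switch_roles=SWITCH_ROLES) -> Optional[str]:
    """Return the role if the switch has it configured, else None.

    This is the check a RADIUS-side integration test should do: a reply whose
    role name does not exist on the switch authenticates the user but applies
    no policy at all.
    """
    _platform, role = parse_filter_id(value)
    return role if role in switch_roles else None


if __name__ == "__main__":
    for reply in ("Enterasys:version=1:policy=Guest", "Printer", "NoSuchRole"):
        print(reply, "->", resolve_role(reply))
```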
Ruslan
Thanks a lot for the extended answer! Maybe there is also an approach to send ACL rules via the RADIUS response? I mean without any configuration on the switch side.
Tomasz
I might be wrong, but I haven't seen such an approach being used so far.
From the EXOS User Guide I see a VSA 'Extreme-Shell-Command'; I don't know what this is, it is not described, but from the table on page 939 of the EXOS User Guide it seems it is only a valid RADIUS response attribute for PAP requests, and somewhere on this forum I found a note that this was to become obsolete a while ago (it's in the latest docs though).
Theoretically this could be introduced, but you should talk with Extreme about a feature request, as right now, from the development roadmap or marketing strategy perspective, it might be a minor case compared to enhancing the Policy capabilities. With XMC you don't have to configure the switch via CLI, BTW.

HTH,
Tomasz
Ruslan
Thank you very much! But I still hope to find such an approach.
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

Prior to OnePolicy, as described above by Tomasz, we used UPM profiles to dynamically create ACLs on ports based on the Accept response and other AVPs from NAC.

Here's a document that explains the configuration-heavy solution:

https://extremenetworks2com-my.sharepoint.com/:w:/g/personal/ryacobuc_extremenetworks_com/EYWDogjm5W...

This is not nearly as easy to set up as OnePolicy and is a legacy solution that we had prior to the development of OnePolicy, but it does explain how you can have an ACL configured/applied to a port based on RADIUS attributes.

I would highly recommend using OnePolicy, as it is essentially a per-port ACL (its rule engine is precedence based instead of top down) that is invoked on a port based on the RADIUS TLV response. Is there a limitation of OnePolicy that you're trying to work around by looking for another solution?

Thanks
-Ryan