Rules with Policy not working as intended

Updated 3 months ago
I have the following setup for testing purposes which I am unable to get working properly. I might be doing something wrong, but I don't see what.

I have a role in Policy which I named LAB-CORP-ROLE. Clients logging in with dot1x (LAN and WLAN) get the proper role. With this role I have defined a few basic rules:

I am testing this with LAN. I know we have to manually rearrange the rules in the EWC, which is really stupid, but that's my honest opinion...

The role is Contain to VLAN; I think this has an implicit permit at the bottom of the rules?
I then allow Base Services, the predefined ones: Permit IP ARP, BootP Server and DNS.

I created another rule which I called deny RFC's. I want to block all traffic to internal IP addresses and allow DNS, DHCP and ARP.

The client does get an IP but is unable to resolve DNS to an internal DNS server, even while I explicitly allow UDP 53 (to all IPs, I suppose). If I add a permit to the IP of the internal DNS server it works fine. This is not what I want to do. I hope I made myself clear and I also hope someone here might be able to tell me what I am doing wrong.

I also tried to change the Access control on this role to Permit and then add the VLAN to the VLAN Egress tab (untagged, of course). I can then see the switchport does get the untagged VLAN on that port, but no MAC addresses are being learned... Seems like a bug as well? Am I doing something wrong?

Kind regards!
Akkertje

Posted 3 months ago

Claudio D'Ascenzo

Hi
Have you made a rule that permits TCP port 80, to go to the web?

Ciao, Claudio
Akkertje

Hi Claudio,

Since there should be an implicit permit, this should not be necessary. And I am testing with nslookup. Web works fine IP based.
Brian Anderson

Wired policy has always been fun in trying to do a locked-down policy, and having to block internal addresses and allow certain services internally. It comes down to precedence. A deny takes precedence over an allow. However, an IP address has higher precedence than a port. So when you allow the IP address it works. Probably not the answer you are looking for, but that is what I've run into. Would be nice to be able to sort the precedence like you can on a wireless controller.

Here is a GTAC article on precedence: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-Are-the-OnePolicy-Rule-Precedences-for-E...
Akkertje

Hi Brian,

I have seen the article and I must say that I understand such precedences must exist, but I agree that we should be able to sort the rules with the Policy manager. I do however think that what I would like to accomplish is basic, but I did some calls to other people I know who have more experience with NAC, and they all tell me they do NOT use rules; they much rather use a firewall of sorts to get items like these sorted. We bought this product for this exact reason and it should not be so hard for us to implement rules... I already lost loads of time testing this stuff; it's getting frustrating, really, working with this product.

Like the fact you have to manually change the rules in the EWC. This has been known for a long time but has yet to be resolved; I can't get my head around that...

Maybe others know how I can get this to work properly?
Brian Anderson

Here is something I found that may help: specify the IP address with socket destination. https://community.extremenetworks.com/extreme/topics/missing-policy-rule-precedence-for-classificati...
Akkertje

I can try, but why would DHCP work then? That's UDP as well, just as DNS is? Does not make any sense if this would make any difference ;-)
Brian Anderson

With wired policy the DHCP packet gets out before policy is applied, so the device gets an IP address regardless of whether you set DHCP to deny or not. Been there, tried that ;)
Akkertje

Hi Brian,

I tried this while adding the IP of the DNS server but to no avail.
Akkertje

Is there any way to check these policies on hits (on the CLI) or see the precedence of the rules in the switch itself? That might help me understand and sort out the rules more efficiently.
JS, Employee

Hello,

For the precedence of rules, you may have a look at the following on the switch.

Get the list of profiles with show policy profile and get the PID [example: 2]

X440G2-12p-10G4.35 # sh policy profile

|PID |Name               |RS|PVID|CoS|MIR|STDOA|T U|prec |aSum |dSum |web|
[...]
|2   |Deny All           |A |0   |   |   |     |   |     |     |     |   |
[...]

Then you can look at the precedence of rules for that profile [same across a switch]:

X440G2-12p-10G4.34 # sh policy profile 2
Profile Index           :2
[...]
Rule Precedence         :1-2,10,12-18,20-22,25,31
                        :MACSource (1), MACDest (2), IPv6Dest (10),
                        :IPSource (12), IPDest (13), IPFrag (14),
                        :UDPSrcPort (15), UDPDestPort (16), TCPSrcPort (17),
                        :TCPDestPort (18), TTL (20), IPTOS (21), IPProto (22),
                        :Ether (25), Port (31)


Then you can see the policy rules associated with that profile [2], and you can see they are ordered [following the precedence rule, independently of the order you use in Policy Manager]:

X440G2-12p-10G4.32 # sh policy rule
Admn|Rule Type   |Rule Data            |Msk|PortStr  |RS|ST|STDO|dPID|aPID|Mir|U|
admn|MACSource   |D8-84-66-79-A0-87    | 48|5        | A| V|    |   4|    |   |?|
PID |Rule Type   |Rule Data            |Msk|PortStr  |RS|ST|STDO|VLAN|CoS |Mir|U|
2   |IPSource    |192.168.10.1         | 32|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1000                 | 13|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1008                 | 12|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1024                 |  7|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1500                 | 16|All      | A|NV|    |fwrd|    |   |?|
2   |UDPSrcPort  |1536                 |  8|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1792                 |  9|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1920                 | 10|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |1984                 | 12|All      | A|NV|    |drop|    |   |?|
2   |UDPSrcPort  |2000                 | 16|All      | A|NV|    |drop|    |   |?|
2   |IPProto     |1 (0x1)              |  8|All      | A|NV|    |drop|    |   |?|
3   |IPProto     |58 (0x3a)            |  8|All      | A|NV|    |drop|    |   |?|
Akkertje

Hi JS,

Thanks for this, it does help. I get the following:

PID |Rule Type   |Rule Data            |Msk|PortStr  |RS|ST|STDO|VLAN|CoS |Mir|U|
2   |IPDest      |10.0.0.0             |  8|All      | A|NV|    |drop|    |   |?|
2   |IPDest      |172.16.0.0           | 12|All      | A|NV|    |drop|    |   |?|
2   |IPDest      |192.168.0.0          | 16|All      | A|NV|    |drop|    |   |?|
2   |UDPDestPort |53:10.77.248.10      | 48|All      | A|NV|    |fwrd|    |   |?|
2   |UDPDestPort |67                   | 16|All      | A|NV|    |fwrd|    |   |?|
2   |Ether       |2054 (0x806)         | 16|All      | A|NV|    |fwrd|    |   |?|

So it seems that any traffic destined to any of the RFC addresses gets blocked, as the DNS and the DHCP are below those drop rules. Why would DHCP work then and DNS not? Is there any other way I can reach my configuration?
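The rule table above, together with the precedence list from the "show policy profile 2" output, is enough to replay the decision the switch makes for each packet. The following is an added example written for this thread, not Extreme's code and not anything from the original posts: a small Python model that orders the PID 2 rules by classifier precedence (IPDest 13 before UDPDestPort 16 before Ether 25) and reports which rule wins for constructed sample packets (a DNS query to 10.77.248.10, a DHCP Discover to the broadcast address, an ARP request, RDP to a 192.168.x host, DNS to an outside resolver). Two things are assumptions rather than facts from the page: that among rules of the same type the longer mask wins, and that a "contain to VLAN" role ends in an implicit permit. The 10.77.248.10 host-permit rule at the end models the observation from the opening post that a permit for the DNS server's IP makes lookups work, and shows what else that permit lets through.

```python
"""Toy model of policy-rule precedence for the thread's PID 2 rules.
Added illustration, not Extreme's implementation. Rules and precedence
numbers are the ones shown in the thread; the intra-type tie-break
(longest mask wins) and the implicit permit are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Rule-type precedence from "show policy profile 2": lower number is checked first.
PRECEDENCE = {"IPSource": 12, "IPDest": 13, "UDPSrcPort": 15,
              "UDPDestPort": 16, "IPProto": 22, "Ether": 25}


@dataclass(frozen=True)
class Rule:
    rule_type: str   # Rule Type column
    data: str        # Rule Data column, e.g. "10.0.0.0", "67", "53:10.77.248.10"
    mask: int        # Msk column: number of significant bits
    action: str      # VLAN column in the table: "drop" or "fwrd"


@dataclass(frozen=True)
class Packet:
    ethertype: int = 0x0800          # IPv4 unless stated otherwise
    proto: Optional[str] = None      # "udp" / "tcp" for IP packets
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None


def _in_prefix(prefix: str, bits: int, ip: str) -> bool:
    net = ipaddress.ip_network(f"{prefix}/{bits}", strict=False)
    return ipaddress.ip_address(ip) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does one classifier match this packet? Only the types in the thread are modelled."""
    if rule.rule_type == "Ether":
        return pkt.ethertype == int(rule.data)
    if pkt.ethertype != 0x0800 or pkt.dst_ip is None:
        return False                       # IP classifiers never match non-IP frames
    if rule.rule_type == "IPDest":
        return _in_prefix(rule.data, rule.mask, pkt.dst_ip)
    if rule.rule_type == "UDPDestPort":
        if pkt.proto != "udp" or pkt.dst_port is None:
            return False
        port, _, host = rule.data.partition(":")
        if pkt.dst_port != int(port):
            return False
        # Msk 16 = port only. A socket rule "port:ip" adds address bits on top of
        # the 16 port bits, so Msk 48 = port plus a full /32 host (assumed reading).
        return host == "" or _in_prefix(host, rule.mask - 16, pkt.dst_ip)
    raise ValueError(f"rule type not modelled: {rule.rule_type}")


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Return (action, winning rule). Rules are tried in precedence order, longest
    mask first within a type; the first match wins regardless of the order shown
    in Policy Manager. No match -> implicit permit (assumed for this role)."""
    ordered = sorted(rules, key=lambda r: (PRECEDENCE[r.rule_type], -r.mask))
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action, rule
    return "fwrd", None


# The PID 2 rules as pasted in the thread.
RULES = [
    Rule("IPDest", "10.0.0.0", 8, "drop"),
    Rule("IPDest", "172.16.0.0", 12, "drop"),
    Rule("IPDest", "192.168.0.0", 16, "drop"),
    Rule("UDPDestPort", "53:10.77.248.10", 48, "fwrd"),
    Rule("UDPDestPort", "67", 16, "fwrd"),
    Rule("Ether", "2054", 16, "fwrd"),      # 0x806 = ARP
]

# Constructed sample traffic from a client in the role.
DNS_INTERNAL = Packet(proto="udp", dst_ip="10.77.248.10", dst_port=53)
DHCP_DISCOVER = Packet(proto="udp", dst_ip="255.255.255.255", dst_port=67)
ARP_REQUEST = Packet(ethertype=0x0806)
RDP_INTERNAL = Packet(proto="tcp", dst_ip="192.168.1.5", dst_port=3389)
DNS_EXTERNAL = Packet(proto="udp", dst_ip="203.0.113.53", dst_port=53)
SMB_TO_DNS_HOST = Packet(proto="tcp", dst_ip="10.77.248.10", dst_port=445)

# The workaround from the opening post: an address-level permit for the DNS server.
# Same type as the /8 drop but a longer mask, so it wins; it also lets every other
# protocol reach that host, which is the side effect to weigh.
HOST_PERMIT = Rule("IPDest", "10.77.248.10", 32, "fwrd")


def trace(rules: List[Rule]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each scenario to (action, winning rule type or None)."""
    cases = {"dns_internal": DNS_INTERNAL, "dhcp_discover": DHCP_DISCOVER,
             "arp": ARP_REQUEST, "rdp_internal": RDP_INTERNAL,
             "dns_external": DNS_EXTERNAL, "smb_to_dns_host": SMB_TO_DNS_HOST}
    out = {}
    for name, pkt in cases.items():
        action, rule = decide(rules, pkt)
        out[name] = (action, rule.rule_type if rule else None)
    return out


if __name__ == "__main__":
    for name, result in trace(RULES).items():
        print(f"{name:16s} -> {result}")
    print("with host permit:", trace(RULES + [HOST_PERMIT]))
```

Running it shows the pattern from the thread: the DNS query to 10.77.248.10 is dropped by the IPDest 10.0.0.0/8 rule even though the UDPDestPort 53 socket rule also matches, because IPDest is evaluated first; the DHCP Discover is forwarded because its broadcast destination is not in any private range (and, as noted above, it leaves before policy applies anyway); ARP is forwarded by the Ether rule. Adding the /32 host permit flips the DNS result to forward, but the SMB scenario shows that it also opens every other port on that host, so it is an address-level exception rather than a port-level one.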
Brian Anderson

I've been thinking about this. Should have taken screenshots of the sites I've set up. Most of the time in a situation like this for wired policy, if they don't want to allow any traffic to internal (like you, only want to do DNS to the internal server and nothing else), they are open to using an external DNS, like OpenDNS or Google, and are therefore able to block everything internal. Would that be an option for you?

As I mentioned before, DHCP deny doesn't work on wired policy.
Akkertje

Hi Brian,

This won't be possible, I'm afraid. This institution is kind of keen on the security of their network for particular reasons, and suggesting a public DNS would not fit in their security plan, t.b.h. And for now this is only a test. They want to be able to allow specific ports to specific servers in their internal network. Depending on the role, you get the right to do RDP etc., or nothing at all. So we do need this to work.

Thanks again for thinking with me on this one. I have already created a case because I think this product should be able to do basic stuff like this. This is what the customer bought it for. I just didn't think this would be such a big issue...
Brian Anderson

Would be good to know the outcome of the case when it is resolved. Keep us up to date; always something to add to the toolbox if there is a solution.
Akkertje

Shameless bump, as I am still pondering whether there is no one here who has seen this. Or if I am doing something wrong; or even another, better suggestion which works is also greatly appreciated!