
Execute a script when a rule is used


Hello,

I'm working with NAC and so netlogin.

We have a need to have a switch plugged into another one without having to disable netlogin, but it looks like it's impossible.

We tried numerous setups, and the only one that is working is to make the second switch linked with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.

I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, basically changing it from an end-user type port to a trunk type port.
I know we can do that by hand, through OneView and it works fine, but it's not very efficient in our setup.

Thanks
Gaspard

38 replies

Hi Gaspard,

are all these switches that you are using EXOS-Switches ?

/André
André Herkenrath wrote:

Hi Gaspard,

are all these switches that you are using EXOS-Switches ?

/André

Yes, all of them
I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?
Matthew Helm wrote:

I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

I have to check tomorrow with the team, I'll keep you updated 🙂
Matthew Helm wrote:

I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

Ok, I worked on UPM today, and I think that making the netlogin disabled on that port then adding all the VLANs is pretty useful.

I have a question: on OneView, you can use scripts with $port which refers to the port, but how do you do that in a UPM script?

$port won't be understood by the OS, and I don't know how I could get the port number to send the CLI command with the port number. Do you have an idea how I could do it ?

Now, your EDP technique, I see how you want to do it, and it looks pretty nice !
It would surely be useful to "cancel" the script when it's not a switch connected, but an end user device. Making an end user port become a trunk port would certainly be a problem haha
Matthew Helm wrote:

I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

So, the UPM process has environmental variables depending on the event. One of them is the port number. Here is a snippet of configuration from my testing:

create vlan user
create vlan nl

create upm profile in
disable netlogin port $(EVENT.USER_PORT) mac dot1x
.
create upm profile out
.
configure upm event user-authenticate profile in ports 1-7
configure upm event user-unauthenticated profile out ports 1-7

configure netlogin vlan nl
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order mac dot1x web-based
configure netlogin add mac-list 00:e0:2b:00:00:00 24 password pass
enable netlogin ports 1-7 dot1x
enable netlogin ports 1-7 mac

#From the RADIUS users file:

00E02B000000 Cleartext-Password := "pass"
        Extreme-Security-Profile = "in QOS=QP1;LOGOFF-PROFILE=out;",
        Extreme-Netlogin-Extended-Vlan = "Uuser"

The above configuration disables netlogin on a port connected to an EXOS switch. You'll need to change the OUI in the username and mac-list filter as I was using EXOS VMs.

The "in" profile could easily be expanded to wait for a bit, then do a "show edp port $(EVENT.USER_PORT) detail" and parse the output in CLI.OUT for the VLAN information and create and tag the VLANs to the port. Or, if you just want to go through and take all local VLANs with a tag and add $(EVENT.USER_PORT) to them tagged, you could do that.
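The parsing step Matthew describes, written as an added example that is not from this thread and not Extreme's own code: a Python routine that takes the text of "show edp port <port> detail", checks that the neighbour's MAC carries the same 00:e0:2b OUI the mac-list filter above trusts, and only then emits the CLI an expanded "in" profile would run, together with the matching "out" commands that return the port to a netlogin edge port. The EDP output layout, the port number, the neighbour name and the VLAN names are constructed for the example (the real "show edp ... detail" format is not quoted in the thread), so the two regular expressions are assumptions to adapt to real output; the command syntax follows what is used above.

```python
"""Turn EDP neighbour output into the CLI a UPM 'in'/'out' profile pair would run.

Offline example: nothing here talks to a switch. The EDP output format below is
constructed, not captured from EXOS, so adapt the regexes to real output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OUI that the thread's mac-list filter treats as "an EXOS switch".
EXTREME_OUI = "00:e0:2b"

# Constructed sample of 'show edp port 3 detail' (assumed layout, not real EXOS output).
SAMPLE_EDP_DETAIL = """\
Port 3: EDP is enabled
Remote system: edge-sw-2 (00:e0:2b:aa:bb:cc)
Remote port: 1:48
Remote vlans:
  Default (1)
  users (10)
  voice (20)
  mgmt (99)
"""

_SYSTEM_RE = re.compile(r"^Remote system:\s+(\S+)\s+\(([0-9a-fA-F:]{17})\)", re.M)
_VLAN_RE = re.compile(r"^\s+(\S+)\s+\((\d+)\)\s*$", re.M)


@dataclass
class EdpNeighbor:
    name: str
    mac: str
    vlans: List[Tuple[str, int]]  # (vlan name, 802.1Q tag) as advertised by the neighbour


def parse_edp_detail(text: str) -> Optional[EdpNeighbor]:
    """Extract the neighbour identity and its VLAN list; None when no neighbour is shown."""
    system = _SYSTEM_RE.search(text)
    if not system:
        return None
    vlans = [(name, int(tag)) for name, tag in _VLAN_RE.findall(text)]
    return EdpNeighbor(system.group(1), system.group(2).lower(), vlans)


def is_extreme_switch(neighbor: Optional[EdpNeighbor]) -> bool:
    """Same trust decision as the mac-list filter: only the Extreme OUI qualifies."""
    return neighbor is not None and neighbor.mac.startswith(EXTREME_OUI)


def trunk_commands(port: str, neighbor: EdpNeighbor) -> List[str]:
    """Commands for the 'in' profile: drop netlogin, then tag every neighbour VLAN."""
    cmds = [f"disable netlogin port {port} mac dot1x"]
    for name, tag in neighbor.vlans:
        if name == "Default":  # exists on every EXOS switch; creating it would fail
            continue
        # 'create vlan' fails harmlessly when the VLAN already exists (as noted above).
        cmds.append(f"create vlan {name} tag {tag}")
        cmds.append(f"configure vlan {name} add ports {port} tagged")
    return cmds


def revert_commands(port: str, neighbor: EdpNeighbor) -> List[str]:
    """Commands for the 'out' profile: untag the port again and re-arm netlogin."""
    cmds = [f"configure vlan {name} delete ports {port}"
            for name, _tag in neighbor.vlans if name != "Default"]
    cmds.append(f"enable netlogin ports {port} mac dot1x")
    return cmds


def plan_port_change(port: str, edp_output: str) -> dict:
    """Decide whether the port may become a trunk and, if so, build both command sets.

    An unknown or non-Extreme neighbour yields no commands at all, so an end-user
    port is never converted on the strength of a stray authentication event.
    """
    neighbor = parse_edp_detail(edp_output)
    if not is_extreme_switch(neighbor):
        return {"trusted": False, "trunk": [], "revert": []}
    return {
        "trusted": True,
        "trunk": trunk_commands(port, neighbor),
        "revert": revert_commands(port, neighbor),
    }


if __name__ == "__main__":
    plan = plan_port_change("3", SAMPLE_EDP_DETAIL)
    print("trusted:", plan["trusted"])
    print("\n".join(plan["trunk"]))
    print("--- revert ---")
    print("\n".join(plan["revert"]))
```

A neighbour that is not an Extreme switch, or no neighbour at all, produces an empty plan, which is the guard asked for earlier against turning an end-user port into a trunk. The OUI check is exactly as strong as the mac-list filter it mirrors and no stronger: it tells you the device claims to be an EXOS switch, not that it is one, so the "out" profile remains the safety net when the neighbour goes away.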
Matthew Helm wrote:

I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

Hello,

Very good explanation by the way 🙂

I was trying to use $port instead of $(EVENT.USER_PORT), which is why it couldn't work. Do you have a list of all the EVENT. tags ? That could be useful later also.

For the show edp, that's true, and I could then execute the script if it matches the OUI chosen

About the timer, I currently have one but do you have to have it ? or it would execute the script as soon as the event happens ?

I was trying to just print a message in the logs, to see how it works, and the message wasn't appearing each time I was plugging the device. It was appearing like 1/ 3 trials, on different ports that have the upm event activated on them. Is that normal ? like a timeout thing or something wasn't setup right ?

thanks
Matthew Helm wrote:

I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

Unfortunately, all the environmental variables (EVENT.x) are not really documented in a way that is easy. I find the best way to find out which ones I have available for a particular event is to create an empty UPM profile, trigger the event and then look at the UPM history for that ex id (show upm hist ex <ex id>).

I'm not sure I understand the question on the timer. I was referring to the after TCL function, which I would use to wait for EDP to discover the neighboring EXOS switch (it can take up to a minute by default, I think). The after function could be issued like this: set var waittime $TCL(after 60000) -- introduces a 1 minute pause.

I suspect that there may be a timing issue regarding it launching only 1/3rd of the time, but I can't be sure.
Matthew Helm wrote:

I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

Hello,

I'll try to see with the empty profile. I also found in the EXOS Concepts Guide for Release 15.3, page 337, most of the variables 😃 and I have to experiment with them.

For the timer, I was asking about its function. I'm not sure what it is used for, is it for executing the script X seconds after the event trigger happens? or is it something else?

For the 1/3, I found out that the LLDP packets were kinda glitched on the laptop, so I'm using switches with LLDP activated, and it works 100% of the time 🙂

thanks
Another way to skin a cat,
Within Policy Rules


There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.
Thomas, Frank wrote:

Another way to skin a cat,
Within Policy Rules


There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.

Hello, I wasn't able to find that menu 😕
Can you tell me where it is ? 🙂
Thomas, Frank wrote:

Another way to skin a cat,
Within Policy Rules


There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.

It's a feature for any service rule if you're using Policy Manager and Nac in conjunction.

Policy Manager Thick Client


Netsight Oneview[6.3] / Extreme Management [Screenshot from 7.0]



Thomas, Frank wrote:

Another way to skin a cat,
Within Policy Rules


There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.

Our switches aren't compatible with the Policy Manager 😕
Thomas, Frank wrote:

Another way to skin a cat,
Within Policy Rules


There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.

Hopefully some day, you'll have switches that are. 🙂 Policy Manager really shines managing hundreds of switches, wireless controllers, integrating with Extreme Control.

The other employees have given some really great info about local scripts on the box to tackle this problem another way. Best of luck with solving your problem!
Thomas, Frank wrote:

Another way to skin a cat,
Within Policy Rules


There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.

The problem is that it isn't compatible with x250 with exos 15.3 or x400 with exos 15.6.

And yes, very useful 🙂

thanks
If LLDP runs on the links between switches, you could use a device-detect and device-undetect profile/script where you can do whatever you want.

- device-detect profile is used to configure a port for the device that has just connected.

# configure upm event device-detect profile <profile_name> ports <port_list>

- device-undetect profile is used to return the port to a default configuration after a device disconnects.

# configure upm event device-undetect profile <profile_name> ports <port_list>

Device triggers respond to the discovery protocols IEEE 802.1ab LLDP. A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when periodically transmitted LLDP packets are not received anymore. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles.
Depending on the use case you could use a combination of EDP and LLDP: LLDP, as Kevin said, to trigger a UPM event, which removes .1x from the port and searches the downlink VLANs via EDP.
Can you be a bit more precise about the usecase ?
Hello everyone,

So my usecase currently is :

2 switches, I'll call them 1 and 2
the switch 1 has netlogin enabled on every port (not the trunk port)

We want to be able to connect the switch 2 (netlogin enabled on every port also (not the trunk port)) on the switch 1, so it would be on a netlogin enabled port. mac-based-vlan

The problem is that netlogin allows the switch 2 MAC address but it doesn't let it netlog the devices connected to it (every device connected on the switch 2); that's normal because it's mac based.

The thing now is that we want to be able to have a script run, maybe, that would disable netlogin on the switch 1 on that specific port, and add all the VLANs that are needed to make the port a trunk port.
This script could be reverted also when the switch is unplugged from the port on the switch 1.
this definitely looks like a LLDP thing. Have a look at the generic phone UPM in the User Guide.
this should be a good start to begin with
André Herkenrath wrote:

this definitely looks like a LLDP thing. Have a look at the generic phone UPM in the User Guide.
this should be a good start to begin with

I will look at it. The setup involves having a phone vlan, and two or three other vlans.
Hello everyone,

I'm testing how to use UPM, and what are the problems that are related to it.

Is there a way to have the UPM script execute when netlogin is enabled on that port ? Seems like netlogin prevents the script from being executed, but when disabled, the UPM triggers correctly.

Thanks
If you are using LLDP as the trigger, and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP) at least for the processing of PDUs ingress. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.
Matthew Helm wrote:

If you are using LLDP as the trigger, and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP) at least for the processing of PDUs ingress. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.

I think it would work if a netlogin authentication failure VLAN or guest VLAN is enabled/configured. Once authentication fails, a port will be moved to a guest VLAN and the LLDP or EDP neighbor would show up.
Matthew Helm wrote:

If you are using LLDP as the trigger, and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP) at least for the processing of PDUs ingress. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.

That makes sense. However, I would consider using authentication/de-authentication as triggers and then set up MAC authentication in parallel with dot1x authentication whereby a MAC-list filter is used to authenticate Extreme switches (when receiving their first EDP packet). (Per my example above.) The complexity comes in determining if the port connecting to an Extreme switch should be a member or a master port of a LAG.
Matthew Helm wrote:

If you are using LLDP as the trigger, and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP) at least for the processing of PDUs ingress. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.

I'm going to test with authentication instead of device detect, I'll keep you updated.
