Execute a script when a rule is used




38 replies

If you are using LLDP as the trigger, and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP) at least for the processing of PDUs ingress. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.

Worked on it, doesn't work unfortunately.
I guess I'll just disable netlogin on that port and then plug them in; that would probably be easier.

I did a quick test with the following configurations.

SW1 and SW2 are connected through netlogin-enabled ports. When an authentication failure makes the ports move to the auth failure VLAN and an LLDP neighbor shows up, the switches run the UPM script associated with 'LLDP device detect' to disable netlogin on the inter-switch ports.

SW1 (port 23) ---- (port 47) SW2

configure netlogin vlan vnetlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 23 dot1x
enable netlogin ports 23 mac
enable netlogin authentication failure vlan ports 23
configure netlogin authentication failure vlan vguest ports 23
# enable netlogin authentication service-unavailable vlan ports 23
# configure netlogin authentication service-unavailable vlan vguest ports 23

create upm profile dn
disable netlogin port $(EVENT.USER_PORT) dot1x mac
.
configure upm event device-detect profile dn ports 23

Hello,

So this idea looks pretty nice, or I could use a rule in the manager to put everyone in one VLAN if not authenticated. The problem is that this would not differentiate from one VLAN to another, and so it would trigger every time something is plugged into the slot.

A possible issue solver would be to test the device VLAN or only trigger when the user is in a specific VLAN?

Would you care to elaborate? I may be missing something since I haven't followed the whole thread here.

Ok, so my case is that I want to plug a switch (with netlogin enabled on every non-trunk port) into another switch that also has netlogin on every non-trunk port. The thing is that I don't want to have to make the netlogin port become a trunk port manually, because the user that will plug in the switch won't have to contact me to do it.
Btw: the setup is switch A trunk port connects to switch B netlogin port.

I've been experimenting with UPM scripts, detection methods and stuff like that, not working well for now because the script doesn't execute when I want it, and how I want it.

UPM device detect works with LLDP, which works, but netlogin blocks it, so it's not possible to use it directly.
The thing would be to put every switch into a VLAN maybe (MAC-based rule on NAC Manager), which would then let LLDP work and so trigger the script.
The problem is that you can't execute the script for a specific VLAN, and so it would trigger every time a user with LLDP enabled plugs into the switch.
The issue there is that if a user actually has LLDP enabled, it's going to put him into a VLAN that he can't work from, and so create a network outage for him, not good.

Thanks for the elaboration.

The above configurations are all you need to make a 'device detect' UPM script work. You don't need to make any changes on a RADIUS server or a NAC manager. And a port doesn't need to be a member of any VLAN configured on a switch either.
When an authentication fails, a port will automatically be put into the configured authentication failure VLAN, and once that happens, an LLDP neighbor will appear on the port, resulting in the associated UPM profile being executed.

In addition, the UPM profile is a script, which means you can make it work the way you want. You can add more lines to a UPM script to check whether a neighboring device is a switch or not. The following example checks whether the device MAC address of an LLDP neighbor has the Extreme OUI (00:04:96). Other than this, you can also check other information like hostname, IP address or software name and version...

# create upm profile "dn"
set var m $TCL(lsearch -regex $(EVENT.DEVICE_MAC) "^00:04:96")
if ($m == 0) then
disable netlogin port $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
.
endif

Hi

I've tried your script and I have a little issue: the if condition does not work.
It works with any MAC address; do you know the syntax for how to do it?
I tried adding an else statement; it runs the if and the else each time.

thanks

I will check in the lab and get back to you.

My apologies. I figured that the previous UPM profile had an error with the brackets surrounding 'EVENT.DEVICE_MAC'. It should be surrounded by curly brackets.

set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
if ($m == 0) then
disable netlogin port $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
endif

If you want to put some lines in the 'else' clause, you can use as follows.

set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
if ($m == 0) then
disable netlogin port $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
else
command_1
command_2
endif

In case you want to associate a upm profile with the 'device-undetect' event (when an lldp neighbor disappears from a port), you can use the following command.

# configure upm event device-undetect profile <profile_name> ports <port_list>

For your reference, below are the log messages generated when the upm profile gets triggered in my lab.

06/15/2016 22:37:27.65 [i] Network Login user cleared via CLI, Mac 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest"
06/15/2016 22:37:27.65 [i] Network Login user cleared via CLI, Mac 00:04:96:37:54:2B port 23 VLAN(s) "vguest"
06/15/2016 22:37:27.64 [i] (upm) UPM: disable netlogin port 23 dot1x mac
06/15/2016 22:37:27.63 [i] (upm) UPM: if (0 == 0) then
06/15/2016 22:37:27.61 [i] (upm) UPM: set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
06/15/2016 22:37:27.60 [i] (upm) UPM: set var EVENT.PROFILE dn
06/15/2016 22:37:27.60 [i] (upm) UPM: set var EVENT.NAME DEVICE-DETECT
06/15/2016 22:37:27.59 [i] (upm) UPM: set var EVENT.DEVICE ROUTER
06/15/2016 22:37:27.57 [i] (upm) UPM: set var EVENT.TIME 1466030247
06/15/2016 22:37:27.57 [i] (upm) UPM: set var EVENT.USER_PORT 23
06/15/2016 22:37:27.56 [i] (upm) UPM: set var EVENT.DEVICE_POWER 0
06/15/2016 22:37:27.55 [i] (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
06/15/2016 22:37:27.54 [i] (upm) UPM: set var EVENT.DEVICE_MODEL " "
06/15/2016 22:37:27.53 [i] (upm) UPM: set var EVENT.DEVICE_MANUFACTURER_NAME " "
06/15/2016 22:37:27.52 [i] (upm) UPM: set var EVENT.DEVICE_IP 0.0.0.0
06/15/2016 22:37:27.51 [i] (upm) UPM: configure cli mode non-persistent
06/15/2016 22:37:27.50 [i] (upm) UPM: enable cli scripting
06/15/2016 22:37:27.50 [i] (upm) UPM: enable cli scripting output
06/15/2016 22:37:27.31 Launched profile dn for the event device-detect
06/15/2016 22:37:27.31 LLDP Device detected. Mac is 00:04:96:37:54:2B, IP is 0.0.0.0, on port 23, device type is 20, max power is 0
06/15/2016 22:37:27.05 [i] Network Login MAC user 00049637542B logged in MAC 00:04:96:37:54:2B port 23 VLAN(s) "vguest", authentication Locally
06/15/2016 22:37:25.35 [i] Network Login MAC user 00E02B000001 logged in MAC 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest", authentication Locally

Thank you for that explanation!

I'm going to check it out and do some testing.

I'll get back to you after.

Hello,

I did some testing, and it seems that it doesn't see the MAC with that OUI.
It does the else statement, but not the if.

Does the "^" make the OUI not work? Seems like it doesn't match the switch's MAC, which has this OUI.

Thanks

It might work better to use the regexp function, e.g.:

x205.35 # show var mac
00:01:02:0A:0B:0C
x205.36 # set var t $TCL(regexp ^00:01:02 $mac)
x205.37 # show var t
1
x205.38 # set var t $TCL(regexp ^00:01:03 $mac)
x205.39 # show var t
0

So the lines could be:

set var m $TCL(regexp ^00:04:96 ${EVENT.DEVICE_MAC} )
if ($m) then

...

"^" means the beginning of the string. It is used in a regular expression to match the OUI of a MAC address, which is the first 24-bit number that uniquely identifies a vendor or manufacturer. Extreme switches have a MAC address that begins with "00:04:96".

# set var EVENT.DEVICE_MAC 00:04:96:37:54:2B
# set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
# sh var m
0
# set var EVENT.DEVICE_MAC 00:04:00:37:54:2B
# set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
# sh var m
-1

In addition, I agree with Matt that the "regexp" TCL function is more appropriate here since "EVENT.DEVICE_MAC" is not a list.
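A complete version of what this thread arrives at, written as an added example rather than configuration posted by any participant: the netlogin and authentication-failure VLAN setup from the lab post, the device-detect profile with the TCL regexp OUI check from Matt's post, and a companion device-undetect profile that reverts the port. Port 23, the VLAN names vnetlogin, vguest, vlan_name_1 and vlan_name_2 and the profile name dn are taken from the thread; the profile name dn-undo and the decision to remove the tagged VLANs and re-enable netlogin when the neighbor disappears are assumptions.

```exos
# Added example (not from the thread). Netlogin on port 23 with an
# authentication-failure VLAN, so the port ends up in vguest when 802.1X/MAC
# authentication fails and LLDP PDUs from the attached switch are processed.
configure netlogin vlan vnetlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 23 dot1x mac
enable netlogin authentication failure vlan ports 23
configure netlogin authentication failure vlan vguest ports 23

# Profile run on the device-detect event. EVENT.DEVICE_MAC is a plain string,
# so TCL regexp (1 on match, 0 otherwise) is used rather than lsearch -regex,
# which treats its argument as a list and returns an index (0) or -1.
# Only a neighbor whose MAC starts with the Extreme OUI 00:04:96 has netlogin
# removed from the port and the port tagged into the two trunk VLANs.
create upm profile dn
set var m $TCL(regexp ^00:04:96 ${EVENT.DEVICE_MAC})
if ($m) then
disable netlogin ports $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
endif
.

# Assumed companion profile (name dn-undo is not from the thread): when the
# LLDP neighbor disappears, take the port out of the trunk VLANs and put it
# back under netlogin so the next device on that port is authenticated again.
create upm profile dn-undo
configure vlan "vlan_name_1" delete ports $(EVENT.USER_PORT)
configure vlan "vlan_name_2" delete ports $(EVENT.USER_PORT)
enable netlogin ports $(EVENT.USER_PORT) dot1x mac
.

# Bind both profiles to the netlogin port.
configure upm event device-detect profile dn ports 23
configure upm event device-undetect profile dn-undo ports 23
```

Two things worth keeping in mind with this setup. First, the lab log in the thread shows UPM issuing `configure cli mode non-persistent` before the profile body, so the VLAN and netlogin changes the profile makes are not written to the saved configuration and do not survive a reboot; that is the behaviour you want here, and `show upm history` lists each execution and what it ran. Second, the only thing the gate checks is the neighbor's MAC address as learned from its LLDP frame, and LLDP carries no authentication, so any host that sends an LLDP frame with a 00:04:96 source address gets 802.1X/MAC authentication removed from its port and a tagged path into vlan_name_1 and vlan_name_2. Treat this as a convenience for wiring that is already physically trusted, not as an access-control decision; if that is not acceptable, the undo profile plus a second check on another LLDP field such as system name (available to the profile as shown in the log above) narrows, but does not close, that gap.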
