topic Re: How to apply Dynamic ACL on Switch Engine with NAC in ExtremeControl

How to apply Dynamic ACL on Switch Engine with NAC

Guilhem_Lejeune — Thu, 02 Oct 2025 21:30:41 GMT

Hi,

I'm trying to send the right RADIUS attributes to apply dynamic ACL on Switch Engine with ExtremeControl.

I've done this easily with Fabric Engine, using the %PER_USER_ACL_VOSS% parameter in "RADIUS Attributes to Send" configuration. Also, I created a role with a service. The default action is "Deny Traffic" and then, I add some protocols to be authorized.
It works fine ✅

❓My goal is to do the exact same thing with Switch Engine.
For now, I use policies with VLAN assignment (it works) but I would like to add dynamic ACL 😉.

Any ideas ?

💡I'm on the latest version of XIQ SE and Control (25.08.11.12) and the latest version of Switch Engine (33.4.1.15-patch1-1).

Kind regards,

Re: How to apply Dynamic ACL on Switch Engine with NAC

Ryan_Yacobucci — Fri, 03 Oct 2025 13:10:22 GMT

Hello,

I do not believe that we have support for dACLs for SwitchEngine.

Policy works in a very similar fashion. The only difference is that with policy the ACL is managed by policy manager through a "Policy" role construct, and the policy is invoked with a filter-ID instead of sending the entire ACL through the RADIUS access accept.

Is there something that is not operating as you'd like it to with Policy that has generated your investigating into dynamic ACLs with Switch Engine?

Thanks
-Ryan

Re: How to apply Dynamic ACL on Switch Engine with NAC

Guilhem_Lejeune — Fri, 03 Oct 2025 14:53:37 GMT

Hi Ryan,

Thank you for your feedback ! Yes, indeed, something is not operating and I think the ExtremeControl role configuration is involved.
After a succesful authentication, the Policy is pushed toward the switch but I did not manage to have :

Default Action : deny (+ VLAN egress untagged)
Some protocols to be authorized
❌ VLAN is not pushed (I see the FDB entry in VLAN 1...) and every traffic is blocked !

Very recently I managed to have :

Default action : Contain to VLAN (so basically permit with a VLAN ID)
Some protocols to be denied (for example : PING)
✅ The PING is actually blocked with this configuration and all other traffic is authorized.

But it is not exactly what I would like to implement. I would like to explicitly authorize traffic instead of denying traffic.

Kind regards,

Re: How to apply Dynamic ACL on Switch Engine with NAC

Bartek — Fri, 03 Oct 2025 15:33:24 GMT

You can send from NAC both VLAN ID and Policy name - you just need to enable this functionality on your switch from Device tab in PM (enable RFC 3580 and accept VLAN ID and Policy)

Re: How to apply Dynamic ACL on Switch Engine with NAC

Ryan_Yacobucci — Sat, 04 Oct 2025 16:48:35 GMT

It's important to note that during authentication, "Policy" is not pushed toward the switch.

The policy always exists on the switch, but the policy is applied to the end system once the correct filter-ID is presented in the RADIUS access-accept.

First check to see if the policy is configured on the switch by running the command: "show config policy"

Here is an example from the lab:

5320-16P-4XE-SwitchEngine.2 # show config policy
#
# Module policy configuration.
#
configure netlogin port 2 authentication mode optional
configure policy captive-portal web-redirect 1 server 1 url "http://192.168.1.227:80/static/index.jsp" enable
configure policy profile 1 name "Failsafe"
configure policy profile 2 name "Access Point" pvid-status "enable" pvid 4095 auth-override "enable"
configure policy profile 3 name "Administrator" pvid-status "enable" pvid 4095
configure policy profile 4 name "Deny Access" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 0
configure policy profile 6 name "Quarantine" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 7 name "Server" pvid-status "enable" pvid 4095
configure policy profile 8 name "Printer" pvid-status "enable" pvid 0
configure policy profile 9 name "Unregistered" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 10 name "Enterprise User" pvid-status "enable" pvid 4095
configure policy profile 11 name "VoIP Phone" pvid-status "enable" pvid 4095
configure policy profile 12 name "Notification" pvid-status "enable" pvid 4095 web-redirect 1
configure policy profile 13 name "Assessing" pvid-status "enable" pvid 0 web-redirect 1
configure policy rule 4 udpdestportIP 53 mask 16 forward
configure policy rule 4 udpdestportIP 67 mask 16 forward
configure policy rule 4 tcpdestportIP 80 mask 16 forward
configure policy rule 4 tcpdestportIP 443 mask 16 forward
configure policy rule 4 ether 0x0806 mask 16 forward
configure policy rule 5 udpdestportIP 53 mask 16 forward
configure policy rule 5 udpdestportIP 67 mask 16 forward
configure policy rule 5 tcpdestportIP 80 mask 16 forward
configure policy rule 5 tcpdestportIP 110 mask 16 forward
configure policy rule 5 tcpdestportIP 143 mask 16 forward
configure policy rule 5 tcpdestportIP 443 mask 16 forward
configure policy rule 5 tcpdestportIP 465 mask 16 forward
configure policy rule 5 tcpdestportIP 587 mask 16 forward
configure policy rule 5 tcpdestportIP 993 mask 16 forward
configure policy rule 5 tcpdestportIP 995 mask 16 forward
configure policy rule 5 tcpdestportIP 1723 mask 16 forward
configure policy rule 5 ether 0x0806 mask 16 forward
configure policy rule 6 udpdestportIP 53 mask 16 forward
configure policy rule 6 udpdestportIP 67 mask 16 forward
configure policy rule 6 tcpdestportIP 80 mask 16 forward
configure policy rule 6 tcpdestportIP 443 mask 16 forward
configure policy rule 6 ether 0x0806 mask 16 forward
configure policy rule 8 udpdestportIP 53 mask 16 forward
configure policy rule 8 udpdestportIP 67 mask 16 forward
configure policy rule 8 ether 0x0806 mask 16 forward
configure policy rule 9 udpdestportIP 53 mask 16 forward
configure policy rule 9 udpdestportIP 67 mask 16 forward
configure policy rule 9 tcpdestportIP 80 mask 16 forward
configure policy rule 9 tcpdestportIP 443 mask 16 forward
configure policy rule 9 ether 0x0806 mask 16 forward
configure policy rule 12 udpdestportIP 53 mask 16 forward
configure policy rule 12 udpdestportIP 67 mask 16 forward
configure policy rule 12 tcpdestportIP 80 mask 16 forward
configure policy rule 12 tcpdestportIP 443 mask 16 forward
configure policy rule 12 ether 0x0806 mask 16 forward
configure policy rule 13 udpdestportIP 53 mask 16 forward
configure policy rule 13 udpdestportIP 67 mask 16 forward
configure policy rule 13 tcpdestportIP 80 mask 16 forward
configure policy rule 13 tcpdestportIP 443 mask 16 forward
configure policy rule 13 ether 0x0806 mask 16 forward
configure policy maptable response both
configure policy captive-portal listening 80
configure policy captive-portal listening 443
configure policy vlanauthorization enable
enable policy

The policy profile "Names" are the roles that are pushed from Extreme Policy:

Within each role are services, and services are collections of rules. These rules are shown within the policy configuration as "Rules" and the index number relates to the role:

When policy is enforced, these configurations exist on the switch.

The way to apply these policies to end systems is by sending the name of the policy in the Filter-ID in the RADIUS access-accept.

When the end system is authenticated check the "Authorization" column within Control. It should show something like :

When the switch receives the Filter-ID it applies the policy as configured within the switch to the end system connected.
You can see the session is applied by running the command:

show netlogin session

Check for Auth status "Success", agent type, session applied and "Policy Name". This shows you which policy is installed on when end system.

Let me know if you have any questions.

Thanks
-Ryan

Re: How to apply Dynamic ACL on Switch Engine with NAC

Guilhem_Lejeune — Wed, 08 Oct 2025 12:11:47 GMT

Hi Ryan,

I have carefully analyzed what you wrote earlier.
Everything is OK on my switch : the Policy is applied and I see the several sub-elements which are related to the service rules in XIQ SE / Extreme Control.

My exact problem is : I've defined a role with default action "DENY TRAFFIC" and, at the bottom of the page, I reference a service that only contains protocols to be authorized.

This configuration, as mentionned earlier, is well applied to the switch (policy and policy rules visible). But after authentication, I don't see the expected result !

Sometimes everything is blocked, sometimes everthing is permitted.
I'm expecting to have few protocols authorized, like PING (I've configured that in the service).

Kind regards,

Re: How to apply Dynamic ACL on Switch Engine with NAC

Guilhem_Lejeune — Thu, 09 Oct 2025 12:12:18 GMT

Hello everyone,

Obviously, I haven't read you right : I've forgotten the "configure policy maptable response both" command on my switch.
It works !

So, to summarize :

Radius Attributes to Send : Policy & RFC3580
NAC Authorization rule :
- Role (see below)
- VLAN ID
Role :
- Default Action : Deny Traffic
- Services : what I want to authorize (example : "Base Services" + custom "Permit PING")
- Potential tagged VLAN to configure in "Egress VLAN" tab
Switch configuration :
- Netlogin (mac & dot1x)
- Policy with maptable reponse both and vlan authorization

Sorry for this mistake and thank you very much for taking time to bring me some tips !

Kind regards,