https://community.extremenetworks.com/t5/extremeswitching-exos-switch/clearpass-dacl-management-exos-16/m-p/78797#M19765 Good day,<BR /> I have recently inherited a project working with EXOS X440 switches in an enviroment moving toward DACL management through clearpass.<BR /> <BR /> My current issue relates to the fact I canno seem to add traffic rules using standard IETF Deny IP NAS-Filter parameters. Here is the AAA Config in the switch:<BR /> <BR /> <B>configure radius mgmt-access primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default</B><BR /> <B>configure radius mgmt-access primary shared-secret encrypted "#$NCGjTl6wGExsOKZWj+w="</B><BR /> <B>configure radius netlogin primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default</B><BR /> <B>configure radius netlogin primary shared-secret encrypted "#$RZcQlN6swEz8dL2eLKM="</B><BR /> <B>configure radius-accounting mgmt-access primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default</B><BR /> <B>configure radius-accounting mgmt-access primary shared-secret encrypted "#$YR5fvd2yGlKR18vK23U="</B><BR /> <B>enable radius mgmt-access</B><BR /> <B>enable radius netlogin</B><BR /> <B>enable radius-accounting mgmt-access</B><BR /> <B>enable radius-accounting netlogin</B><BR /> <BR /> Right now, I have no problems with Authentication via MAC, assigning a client VLAN etc, but when trying to apply ACL rules i cannot determine through logging or bashing my skull against it where exactly I am going off the rails.<BR /> <BR /> Here are the basics of the ACL I am attempting to apply:<BR /> <BR /> <B>1.Radius:IETF | NAS-Filter-Rule = permit in udp from any to any 53,67</B><BR /> <B>2.Radius:IETF | NAS-Filter-Rule = permit in ip from any to 10.0.0.0/8</B><BR /> <B>3.Radius:IETF | NAS-Filter-Rule = deny in ip from any to any</B><BR /> <BR /> None of these rules appear to have any impact, even though I can see them being applied in clearpass output.<BR /> <BR /> TLDR; Can apply VLAN's in EXOS switch, but not ACL controls via Aruba Clearpass. Mon, 30 Sep 2019 21:15:41 GMT EXOSNewb 2019-09-30T21:15:41Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/clearpass-dacl-management-exos-16/m-p/78797#M19765 Good day,<BR /> I have recently inherited a project working with EXOS X440 switches in an enviroment moving toward DACL management through clearpass.<BR /> <BR /> My current issue relates to the fact I canno seem to add traffic rules using standard IETF Deny IP NAS-Filter parameters. Here is the AAA Config in the switch:<BR /> <BR /> <B>configure radius mgmt-access primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default</B><BR /> <B>configure radius mgmt-access primary shared-secret encrypted "#$NCGjTl6wGExsOKZWj+w="</B><BR /> <B>configure radius netlogin primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default</B><BR /> <B>configure radius netlogin primary shared-secret encrypted "#$RZcQlN6swEz8dL2eLKM="</B><BR /> <B>configure radius-accounting mgmt-access primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default</B><BR /> <B>configure radius-accounting mgmt-access primary shared-secret encrypted "#$YR5fvd2yGlKR18vK23U="</B><BR /> <B>enable radius mgmt-access</B><BR /> <B>enable radius netlogin</B><BR /> <B>enable radius-accounting mgmt-access</B><BR /> <B>enable radius-accounting netlogin</B><BR /> <BR /> Right now, I have no problems with Authentication via MAC, assigning a client VLAN etc, but when trying to apply ACL rules i cannot determine through logging or bashing my skull against it where exactly I am going off the rails.<BR /> <BR /> Here are the basics of the ACL I am attempting to apply:<BR /> <BR /> <B>1.Radius:IETF | NAS-Filter-Rule = permit in udp from any to any 53,67</B><BR /> <B>2.Radius:IETF | NAS-Filter-Rule = permit in ip from any to 10.0.0.0/8</B><BR /> <B>3.Radius:IETF | NAS-Filter-Rule = deny in ip from any to any</B><BR /> <BR /> None of these rules appear to have any impact, even though I can see them being applied in clearpass output.<BR /> <BR /> TLDR; Can apply VLAN's in EXOS switch, but not ACL controls via Aruba Clearpass. Mon, 30 Sep 2019 21:15:41 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/clearpass-dacl-management-exos-16/m-p/78797#M19765 EXOSNewb 2019-09-30T21:15:41Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/clearpass-dacl-management-exos-16/m-p/78798#M19766 Hey everyone -<BR /> <BR /> Had to come up with a work around for this as the expected commands aren't working as expected.<BR /> <BR /> Had to create a policy in EXOS device blocking an IP<BR /> configure policy profile 2 name "TEST"<BR /> configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop<BR /> configure policy rule 2 ipdestsocket 4.2.2.2 mask 32 drop<BR /> enable policy<BR /> <BR /> Once you have this policy in place, in Clearpass you need to push the following command:<BR /> <BR /> <BR /> Radius:IETF Filter-Id= Test<BR /> <BR /> This enforces whatever IP policy you have in place on the EXOS device and can be pushed using any clearpass enforcement profile. Thu, 03 Oct 2019 01:23:02 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/clearpass-dacl-management-exos-16/m-p/78798#M19766 EXOSNewb 2019-10-03T01:23:02Z