Execute a script when a rule is used

Gaspard_W
New Contributor
Hello,

I'm working with NAC and so netlogin.

We have a need to have a switch plugged on another one without having to disable the netlogin but it looks like it's impossible.

We tried numerous setups, and the only one that works is to link the second switch through a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.

I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, basically changing it from an end-user type port to a trunk type port.
I know we can do that by hand, through OneView and it works fine, but it's not very efficient in our setup.

Thanks
Gaspard

Matthew_Helm1
Extreme Employee
I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

MAC IP address Authenticated Type ReAuth-Timer User
00:e0:2b:00:00:01 0.0.0.0 No 802.1x 0

However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

Is this an approach you would like to explore?

Hello,

I'll try to see with the empty profile. I also found most of the variables in the EXOS Concepts Guide for Release 15.3, page 337, and I have to experiment with them.

For the timer, I was asking about its function. I'm not sure what it is used for: is it for executing the script X seconds after the event trigger happens, or is it something else?

For the 1/3, I found out that the LLDP packets were kinda glitched on the laptop, so I'm using switches with LLDP activated, and it works 100% of the time 🙂

thanks

Unfortunately, all the environmental variables (EVENT.x) are not really documented in a way that is easy. I find the best way to find out which ones I have available for a particular event is to create an empty UPM profile, trigger the event, and then look at the UPM history for that ex id. (show upm hist ex .

I'm not sure I understand the question on the timer. I was referring to the after TCL function where I would use it to wait for EDP to discover the neighboring EXOS switch (it can take up to a minute by default, I think). The after function could be issued like this: set var wartime $TCL(after 60000) -- introduces a 1 minute pause.

I suspect that there may be a timing issue regarding it launching only one third of the time, but I can't be sure.

Hello,

Very good explanation by the way 🙂

I was trying to use $port instead of $(EVENT.USER_PORT), which is why it couldn't work. Do you have a list of all the EVENT. tags? That could be useful later also.

For the show edp, that's true, and I could then execute the script if it matches the OUI chosen.

About the timer, I currently have one, but do you have to have it? Or would it execute the script as soon as the event happens?

I was trying to just print a message in the logs to see how it works, and the message wasn't appearing each time I plugged the device in. It was appearing in about 1 in 3 trials, on different ports that have the UPM event activated on them. Is that normal? Like a timeout thing, or something wasn't set up right?

thanks

So, the UPM process has environmental variables depending on the event. One of them is the port number. Here is a snippet of configuration from my testing:

# "user" is the VLAN an authenticated device lands in; "nl" is the netlogin
# holding VLAN for unauthenticated ports.
create vlan user
create vlan nl

# "create upm profile" opens an interactive editor: the lines that follow are
# the profile body, and a single "." on its own line ends it.
create upm profile in
disable netlogin port $(EVENT.USER_PORT) mac dot1x
.
# The logoff profile body was not shown in the original post; the "." below
# just closes an empty profile.
create upm profile out
.

# Bind the profiles to the netlogin events on the edge ports.
configure upm event user-authenticate profile in ports 1-7
configure upm event user-unauthenticated profile out ports 1-7

configure netlogin vlan nl
enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order mac dot1x web-based
# 24-bit mask: only the OUI (00:e0:2b) of the source MAC is sent as the username.
configure netlogin add mac-list 00:e0:2b:00:00:00 24 password pass
enable netlogin ports 1-7 dot1x
enable netlogin ports 1-7 mac

#From the RADIUS users file:

# The username is the masked MAC; Extreme-Security-Profile names the UPM
# profile to run on login ("in") and on logoff (LOGOFF-PROFILE=out).
00E02B000000 Cleartext-Password := "pass"
Extreme-Security-Profile = "in QOS=QP1;LOGOFF-PROFILE=out;",
# "U" prefix = untagged membership in the VLAN named "user".
Extreme-Netlogin-Extended-Vlan = "Uuser"

The above configuration disables netlogin on a port connected to an EXOS switch. You'll need to change the OUI in the username and mac-list filter as I was using EXOS VMs.

The "in" profile could easily be expanded to wait for a bit, then do a "show edp port $(EVENT.USER_PORT) detail" and parse the output in CLI.OUT for the VLAN information and create and tag the VLANs to the port. Or, if you just want to go through and take all local VLANs with a tag and add $(EVENT.USER_PORT) to them tagged, you could do that.
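The parsing step sketched above (read the EDP neighbor details out of CLI.OUT, check that the neighbor really carries the OUI the MAC filter admitted, then build the VLAN trunking commands) is shown below as an added, offline Python model; it is not code from the thread or from Extreme. The layout of the "show edp port ... detail" output is an assumption written into the constructed sample, so the regular expressions would need adjusting to a real switch's output, and the EDP wait itself (the TCL "after" mentioned earlier) is assumed to happen in the UPM profile before this point. The command strings follow the syntax already used in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what a UPM profile might find in CLI.OUT after
# "show edp port 5 detail". The field names and layout are an assumption,
# not captured from a real EXOS switch.
SAMPLE_CLI_OUT = """\
Port 5: EDP is enabled
  Remote Device     : sw-edge-02
  Remote Port       : 1:24
  Remote MAC        : 00:E0:2B:11:22:33
  Remote VLANs      : default(1) user(10) nl(20) voice(30)
"""

# OUI admitted by the thread's mac-list filter (00:e0:2b with a 24-bit mask).
EXPECTED_OUI = "00:e0:2b"


@dataclass
class EdpNeighbor:
    device: str
    port: str
    mac: str                                  # normalised to lower case
    vlans: dict = field(default_factory=dict)  # VLAN name -> tag


def parse_edp_detail(text):
    """Return the EDP neighbor described in CLI.OUT, or None if no neighbor
    (no 'Remote MAC' line) was reported, e.g. because EDP had not yet
    discovered the far-end switch when the profile ran."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*Remote (Device|Port|MAC|VLANs)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    if "MAC" not in fields:
        return None
    vlans = {name: int(tag)
             for name, tag in re.findall(r"(\S+)\((\d+)\)", fields.get("VLANs", ""))}
    return EdpNeighbor(fields.get("Device", ""), fields.get("Port", ""),
                       fields["MAC"].lower(), vlans)


def neighbor_is_trusted(neighbor, oui=EXPECTED_OUI):
    """The RADIUS decision was made on the masked MAC only; re-check that the
    device EDP actually sees on the port carries the same OUI."""
    return neighbor is not None and neighbor.mac.startswith(oui.lower())


def trunk_commands(local_port, neighbor, local_vlans, netlogin_vlan="nl"):
    """Build the CLI lines the 'in' profile would run: disable netlogin on the
    port, then tag it into every VLAN that exists on both switches, except
    the netlogin holding VLAN. Returns [] (no change) if the neighbor is
    missing or fails the OUI check, so the port stays under netlogin."""
    if not neighbor_is_trusted(neighbor):
        return []
    cmds = [f"disable netlogin ports {local_port} mac dot1x"]
    shared = [(tag, name) for name, tag in neighbor.vlans.items()
              if name in local_vlans and name != netlogin_vlan]
    for _tag, name in sorted(shared):
        cmds.append(f"configure vlan {name} add ports {local_port} tagged")
    return cmds


if __name__ == "__main__":
    # Local VLAN set is also constructed; on the switch it would come from
    # "show vlan" output.
    nb = parse_edp_detail(SAMPLE_CLI_OUT)
    for line in trunk_commands(5, nb, {"default", "user", "nl", "voice"}):
        print(line)
```

Running it prints the netlogin disable followed by one "configure vlan ... add ports 5 tagged" line per shared VLAN (default, user, voice), while an output with no "Remote MAC" line, or a MAC outside the expected OUI, produces no commands at all, which is the safe outcome when the timing issue discussed earlier means EDP has not finished discovering the neighbor.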
