
Execute a script when a rule is used


Gaspard_W
New Contributor
Hello,

I'm working with NAC and so netlogin.

We have a need to have a switch plugged on another one without having to disable the netlogin but it looks like it's impossible.

We tried numerous setups, and the only one that is working is to make the second switch linked with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port, a trunk port with all the VLANs on it.

I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, basically changing it from an end-user type port to a trunk type port.
I know we can do that by hand, through OneView and it works fine, but it's not very efficient in our setup.

Thanks
Gaspard

38 replies

Ok, so my case is that I want to plug a switch (with netlogin enabled on every non-trunk port) on another switch that also has netlogin on every non-trunk port. The thing is that I don't want to have to make the netlogin port become a trunk port manually, because the user that will plug the switch won't have to contact me to do it.
Btw: the setup is Switch A trunk port connects to switch B netlogin port

I've been experimenting with UPM scripts, detection methods and stuff like that, not working well for now because the script doesn't execute when I want it, and how I want it.

UPM device detect works with LLDP, which works, but netlogin blocks it, so it's not possible to use it directly.
The thing would be to put every switch into a VLAN maybe (MAC based rule on NAC Manager), which would then let LLDP work and so trigger the script.
The problem is that you can't execute the script for a specific VLAN, and so it would trigger every time a user with LLDP enabled plugs into the switch.
The issue there, is that if a user actually has LLDP enabled, it's going to put him into a VLAN that he can't work from, and so create a network outage for him, not good.
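The distinction the post above is asking for (an LLDP neighbour that really is a switch versus a user PC that merely has LLDP turned on) is carried in the LLDP System Capabilities TLV (type 7), where a switch sets the Bridge bit. The following is an added example, not code from this thread or from Extreme's UPM: a small Python parser that walks the TLVs of a raw LLDP frame and reports a neighbour as an uplink switch only if it both advertises and has enabled the Bridge capability. The frames it parses are constructed inline, and the function names and the "bridge enabled" policy are assumptions for illustration.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")   # LLDP nearest-bridge multicast address

# IEEE 802.1AB System Capabilities bit values (TLV type 7).
CAP_BITS = {
    0x0001: "other", 0x0002: "repeater", 0x0004: "bridge", 0x0008: "wlan-ap",
    0x0010: "router", 0x0020: "telephone", 0x0040: "docsis", 0x0080: "station",
}


def parse_lldp_tlvs(frame: bytes):
    """Return [(tlv_type, value_bytes), ...] for the LLDPDU in an Ethernet frame.
    Raises ValueError on a non-LLDP, truncated, or unterminated frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    off, tlvs = 14, []
    while off + 2 <= len(frame):
        (hdr,) = struct.unpack("!H", frame[off:off + 2])
        tlv_type, length = hdr >> 9, hdr & 0x1FF      # 7-bit type, 9-bit length
        off += 2
        if off + length > len(frame):
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, frame[off:off + length]))
        off += length
        if tlv_type == 0:                              # End of LLDPDU TLV
            return tlvs
    raise ValueError("missing End of LLDPDU TLV")


def neighbor_summary(frame: bytes) -> dict:
    """Extract the system name and the advertised / enabled capability sets."""
    info = {"name": None, "capabilities": set(), "enabled": set()}
    for tlv_type, value in parse_lldp_tlvs(frame):
        if tlv_type == 5:                              # System Name
            info["name"] = value.decode("utf-8", errors="replace")
        elif tlv_type == 7 and len(value) >= 4:        # System Capabilities
            caps, enabled = struct.unpack("!HH", value[:4])
            info["capabilities"] = {n for b, n in CAP_BITS.items() if caps & b}
            info["enabled"] = {n for b, n in CAP_BITS.items() if enabled & b}
    return info


def is_uplink_switch(frame: bytes) -> bool:
    """Assumed policy: the neighbour counts as a switch only if it advertises
    and has enabled the Bridge capability. Malformed input fails closed (False)
    so a bad frame never causes a port to be reconfigured."""
    try:
        return "bridge" in neighbor_summary(frame)["enabled"]
    except ValueError:
        return False


def build_lldp_frame(chassis_mac: bytes, port_id: bytes, sysname: bytes,
                     caps: int, enabled: int) -> bytes:
    """Build a minimal but well-formed LLDP frame (used for constructed samples)."""
    def tlv(tlv_type, value):
        return struct.pack("!H", (tlv_type << 9) | len(value)) + value
    body = (tlv(1, b"\x04" + chassis_mac)              # Chassis ID, subtype 4 = MAC
            + tlv(2, b"\x05" + port_id)                # Port ID, subtype 5 = ifName
            + tlv(3, struct.pack("!H", 120))           # TTL in seconds
            + tlv(5, sysname)                          # System Name
            + tlv(7, struct.pack("!HH", caps, enabled))
            + tlv(0, b""))                             # End of LLDPDU
    return LLDP_MCAST + chassis_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


# Constructed sample neighbours (not captures from the poster's network).
SWITCH_FRAME = build_lldp_frame(bytes.fromhex("000496aabbcc"), b"1:47", b"SW2", 0x0014, 0x0004)
PC_FRAME = build_lldp_frame(bytes.fromhex("3c970e112233"), b"eth0", b"user-laptop", 0x0080, 0x0080)
# A host that advertises Bridge capability but only enables Station.
HOST_FRAME = build_lldp_frame(bytes.fromhex("3c970e445566"), b"eth0", b"linux-host", 0x0084, 0x0080)

if __name__ == "__main__":
    for label, frame in (("switch", SWITCH_FRAME), ("pc", PC_FRAME), ("host", HOST_FRAME)):
        print(label, neighbor_summary(frame), "-> uplink switch:", is_uplink_switch(frame))
```

Even with this check, LLDP carries no authentication: any device on the port can send a frame with the Bridge bit set. An automation that reacts to an LLDP trigger by disabling netlogin and trunking every VLAN onto the port can therefore be driven by a forged frame, so the trigger is better tied to an authenticated signal (such as the MAC-based NAC rule mentioned in the thread) and the script limited to what that signal justifies.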

Would you care to elaborate? I may be missing something since I haven't followed the whole thread here.

Hello,

So this idea looks pretty nice, or I could use a rule in the manager to put everyone in one VLAN if not authenticated. The problem is that this would not differentiate one VLAN from another, and so it would trigger every time something is plugged into the slot.

A possible issue solver would be to test the device VLAN, or only trigger when the user is in a specific VLAN?

I did a quick test with the following configurations.

SW1 and SW2 are connected through netlogin-enabled ports. When an authentication failure makes the ports move to the auth-failure VLAN and an LLDP neighbor shows up, the switches run the UPM script associated with 'LLDP device detect' to disable netlogin on the interswitch ports.

SW1 (port 23) ---- (port 47) SW2

# Global netlogin setup: netlogin VLAN, dot1x and MAC authentication, MAC-list entry
configure netlogin vlan vnetlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48

# Interswitch port (port 23 on SW1; SW2 uses port 47) stays a netlogin port,
# with failed authentications moved to the vguest VLAN
enable netlogin ports 23 dot1x
enable netlogin ports 23 mac
enable netlogin authentication failure vlan ports 23
configure netlogin authentication failure vlan vguest ports 23
# enable netlogin authentication service-unavailable vlan ports 23
# configure netlogin authentication service-unavailable vlan vguest ports 23

# UPM profile 'dn': disable dot1x and MAC netlogin on the port that raised the event
# ($(EVENT.USER_PORT)); a single '.' on its own line ends the profile body
create upm profile dn
disable netlogin ports $(EVENT.USER_PORT) dot1x mac
.
# Run profile 'dn' when an LLDP neighbor is detected on port 23
configure upm event device-detect profile dn ports 23

Worked on it, doesn't work unfortunately.
I guess I'll just disable netlogin on that port and then plug them in, would be easier probably.