This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- RE: Execute a script when a rule is used
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Execute a script when a rule is used
Execute a script when a rule is used
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-01-2016 01:06 PM
Hello,
I'm working with NAC and so netlogin.
We have a need to have a switch plugged on another one without having to disable the netlogin but it looks like it's impossible.
We tried numerous setup, and the only one that is working, is to make the second switch linked with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port, a trunk port with all the VLANs on it.
I was wondering, is it possible to call a script and execute it when a specific rule / policy is used ?
This script would basically disable netlogin on that port and put all the VLANs, basically changing it from a end user type port, to a trunk type port.
I know we can do that by hand, through OneView and it works fine, but it's not very efficient in our setup.
Thanks
Gaspard
I'm working with NAC and so netlogin.
We have a need to have a switch plugged on another one without having to disable the netlogin but it looks like it's impossible.
We tried numerous setup, and the only one that is working, is to make the second switch linked with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port, a trunk port with all the VLANs on it.
I was wondering, is it possible to call a script and execute it when a specific rule / policy is used ?
This script would basically disable netlogin on that port and put all the VLANs, basically changing it from a end user type port, to a trunk type port.
I know we can do that by hand, through OneView and it works fine, but it's not very efficient in our setup.
Thanks
Gaspard
38 REPLIES 38
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2016 01:45 PM
Ok, so my case is that i want to plug a switch (with netlogin enabled on every non trunk port) on another switch that has also netlogin on every non trunk port. The thing is that I don't want to have to make the netlogin port become a trunk port manually, because the user that will plug the switch, won't have to contact me to do it.
Btw: the setup is Switch A trunk port connects to switch B netlogin port
I've been experimenting with UPM scripts, detection methods and stuff like that, not working well for now because the script doesn't execute when I want it, and how I want it.
UPM device detect works LLDP, which works but netlogin blocks it, so it's not possible to use it directly.
The thing would be to put every switch into a VLAN maybe (MAC based rule on NAC Manager), which would then let LLDP work and so trigger the script.
The problem is that you can't execute the script for a specific VLAN, and so it would trigger every time a user with LLDP enabled plugs in the switch.
The issue there, is that if a user actually has LLDP enabled, it's going to put him into a VLAN that he can't work from, and so create a network outage for him, not good.
Btw: the setup is Switch A trunk port connects to switch B netlogin port
I've been experimenting with UPM scripts, detection methods and stuff like that, not working well for now because the script doesn't execute when I want it, and how I want it.
UPM device detect works LLDP, which works but netlogin blocks it, so it's not possible to use it directly.
The thing would be to put every switch into a VLAN maybe (MAC based rule on NAC Manager), which would then let LLDP work and so trigger the script.
The problem is that you can't execute the script for a specific VLAN, and so it would trigger every time a user with LLDP enabled plugs in the switch.
The issue there, is that if a user actually has LLDP enabled, it's going to put him into a VLAN that he can't work from, and so create a network outage for him, not good.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2016 01:45 PM
Would you care to elaborate? I may miss something since I haven't followed the whole thread here..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2016 01:45 PM
Hello,
So this idea looks pretty nice, or I could use a rule in the manager to put everyone in one VLAN if not authenticated. The problem is that this would not differentiate from one VLAN to another, and so it would trigger everytime something is plugged into the slot.
A possible issue solver would be to test the device VLAN or only trigger when the user is in a specific vlan ?
So this idea looks pretty nice, or I could use a rule in the manager to put everyone in one VLAN if not authenticated. The problem is that this would not differentiate from one VLAN to another, and so it would trigger everytime something is plugged into the slot.
A possible issue solver would be to test the device VLAN or only trigger when the user is in a specific vlan ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2016 01:45 PM
I did a quick test with the following configurations.
SW1 and SW2 are connected through netlogin enabled ports. When an authentication failure makes the ports move to auth failure vlan and an LLDP neighbor show up, the switches run the upm script associated with 'LLDP device detect' to disable netlogin on the interswitch ports.
SW1 (port 23) ---- (port 47) SW2
configure netlogin vlan vnetlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 23 dot1x
enable netlogin ports 23 mac
enable netlogin authentication failure vlan ports 23
configure netlogin authentication failure vlan vguest ports 23
# enable netlogin authentication service-unavailable vlan ports 23
# configure netlogin authentication service-unavailable vlan vguest ports 23
create upm profile dn
disable netlogin port $(EVENT.USER_PORT) dot1x mac
.
configure upm event device-detect profile dn ports 23
SW1 and SW2 are connected through netlogin enabled ports. When an authentication failure makes the ports move to auth failure vlan and an LLDP neighbor show up, the switches run the upm script associated with 'LLDP device detect' to disable netlogin on the interswitch ports.
SW1 (port 23) ---- (port 47) SW2
configure netlogin vlan vnetlogin
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 23 dot1x
enable netlogin ports 23 mac
enable netlogin authentication failure vlan ports 23
configure netlogin authentication failure vlan vguest ports 23
# enable netlogin authentication service-unavailable vlan ports 23
# configure netlogin authentication service-unavailable vlan vguest ports 23
create upm profile dn
disable netlogin port $(EVENT.USER_PORT) dot1x mac
.
configure upm event device-detect profile dn ports 23
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-06-2016 01:45 PM
Worked on it, doesn't work unfortunately.
I guess I'll just disable netlogin on that port and then plug them in, would be easier probably.
I guess I'll just disable netlogin on that port and then plug them in, would be easier probably.
