Execute a script when a rule is used

Gaspard_W
New Contributor
Hello,

I'm working with NAC and so netlogin.

We have a need to have a switch plugged into another one without having to disable netlogin, but it looks like it's impossible.

We tried numerous setups, and the only one that is working is to make the second switch linked with a trunk port.
As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.

I was wondering, is it possible to call a script and execute it when a specific rule / policy is used?
This script would basically disable netlogin on that port and put all the VLANs on it, basically changing it from an end user type port to a trunk type port.
I know we can do that by hand through OneView and it works fine, but it's not very efficient in our setup.

Thanks
Gaspard

38 REPLIES

Thank you for that explanation!

I'm going to check it out and do some testing.

I'll get back to you afterwards.

My apologies. I figured that the previous upm profile had an error with the brackets surrounding 'EVENT.DEVICE_MAC'. It should be surrounded by curly brackets.

set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
if ($m == 0) then
disable netlogin port $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
endif

If you want to put some lines in the 'else' clause, you can use as follows.

set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
if ($m == 0) then
disable netlogin port $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
else
command_1
command_2
endif

In case you want to associate a upm profile with the 'device-undetect' event (when an lldp neighbor disappears from a port), you can use the following command.

# configure upm event device-undetect profile

For your reference, below are the log messages generated when the upm profile gets triggered in my lab.

06/15/2016 22:37:27.65 Network Login user cleared via CLI, Mac 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest"
06/15/2016 22:37:27.65 Network Login user cleared via CLI, Mac 00:04:96:37:54:2B port 23 VLAN(s) "vguest"
06/15/2016 22:37:27.64 (upm) UPM: disable netlogin port 23 dot1x mac
06/15/2016 22:37:27.63 (upm) UPM: if (0 == 0) then
06/15/2016 22:37:27.61 (upm) UPM: set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
06/15/2016 22:37:27.60 (upm) UPM: set var EVENT.PROFILE dn
06/15/2016 22:37:27.60 (upm) UPM: set var EVENT.NAME DEVICE-DETECT
06/15/2016 22:37:27.59 (upm) UPM: set var EVENT.DEVICE ROUTER
06/15/2016 22:37:27.57 (upm) UPM: set var EVENT.TIME 1466030247
06/15/2016 22:37:27.57 (upm) UPM: set var EVENT.USER_PORT 23
06/15/2016 22:37:27.56 (upm) UPM: set var EVENT.DEVICE_POWER 0
06/15/2016 22:37:27.55 (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
06/15/2016 22:37:27.54 (upm) UPM: set var EVENT.DEVICE_MODEL " "
06/15/2016 22:37:27.53 (upm) UPM: set var EVENT.DEVICE_MANUFACTURER_NAME " "
06/15/2016 22:37:27.52 (upm) UPM: set var EVENT.DEVICE_IP 0.0.0.0
06/15/2016 22:37:27.51 (upm) UPM: configure cli mode non-persistent
06/15/2016 22:37:27.50 (upm) UPM: enable cli scripting
06/15/2016 22:37:27.50 (upm) UPM: enable cli scripting output
06/15/2016 22:37:27.31 Launched profile dn for the event device-detect
06/15/2016 22:37:27.31 LLDP Device detected. Mac is 00:04:96:37:54:2B, IP is 0.0.0.0, on port 23, device type is 20, max power is 0
06/15/2016 22:37:27.05 Network Login MAC user 00049637542B logged in MAC 00:04:96:37:54:2B port 23 VLAN(s) "vguest", authentication Locally
06/15/2016 22:37:25.35 Network Login MAC user 00E02B000001 logged in MAC 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest", authentication Locally

I will check in the lab and get back to you.

Hi

I've tried your script and I have a little issue: the if condition does not work.
It works with any MAC address. Do you know the syntax for how to do it?
I tried adding an else statement; it runs the If and the Else each time.

thanks

Thanks for the elaboration.

The above configurations are all you need to do to make a 'device detect' upm script work. You don't need to make any changes in a RADIUS server or a NAC manager. And a port doesn't need to be a member of any VLAN configured on a switch either.
When an authentication fails, a port will be automatically put into a configured authentication failure VLAN, and once it happens, an LLDP neighbor will appear on the port, resulting in the associated upm profile being executed.

In addition, the upm profile is a script, which means you can make it work the way you want. You can add more lines in a upm script to check if a neighboring device is a switch or not. The following example checks if the device MAC address of an LLDP neighbor has the Extreme OUI (00:04:96). Other than this way, you can also check other information like hostname, IP address or software name and version...

# create upm profile "dn"
set var m $TCL(lsearch -regex $(EVENT.DEVICE_MAC) "^00:04:96")
if ($m == 0) then
disable netlogin port $(EVENT.USER_PORT) dot1x mac
configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
.
endif
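Since a profile like the one above silently turns a NAC-protected edge port into a trunk, a defender wants to verify from the switch log that netlogin was only ever disabled for a neighbor whose MAC really carries the expected OUI. The following Python is an added example, not code from the thread or from Extreme: it replays log lines in the format the lab excerpt above uses (newest line first), groups them into profile runs, re-evaluates the OUI check the same way Tcl's `lsearch -regex` does (index 0 means the one-element list holding the MAC matched), and flags any run that disabled netlogin for a non-matching MAC, which is exactly the symptom reported earlier in the thread when the `if` branch ran for every MAC. The sample log is constructed; the run on port 7 with MAC 00:e0:2b:00:00:01 is invented to show a finding.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the EXOS log excerpt posted in the thread
# (newest line first). The port-7 run is invented: it disables netlogin for a
# MAC outside the Extreme OUI and should be flagged.
SAMPLE_LOG = """\
06/15/2016 22:41:10.20 (upm) UPM: disable netlogin port 7 dot1x mac
06/15/2016 22:41:10.18 (upm) UPM: if (0 == 0) then
06/15/2016 22:41:10.17 (upm) UPM: set var EVENT.USER_PORT 7
06/15/2016 22:41:10.16 (upm) UPM: set var EVENT.DEVICE_MAC 00:e0:2b:00:00:01
06/15/2016 22:41:10.10 Launched profile dn for the event device-detect
06/15/2016 22:37:27.64 (upm) UPM: disable netlogin port 23 dot1x mac
06/15/2016 22:37:27.63 (upm) UPM: if (0 == 0) then
06/15/2016 22:37:27.57 (upm) UPM: set var EVENT.USER_PORT 23
06/15/2016 22:37:27.55 (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
06/15/2016 22:37:27.31 Launched profile dn for the event device-detect
06/15/2016 22:37:27.31 LLDP Device detected. Mac is 00:04:96:37:54:2B, IP is 0.0.0.0, on port 23, device type is 20, max power is 0
"""

EXTREME_OUI_PATTERN = r"^00:04:96"   # same anchored regex the UPM profile uses

LAUNCH_RE = re.compile(r"Launched profile (\S+) for the event (\S+)")
SETVAR_RE = re.compile(r"UPM: set var (EVENT\.\w+) (.*)$")
DISABLE_RE = re.compile(r"UPM: disable netlogin port (\S+) ")


def lsearch_regex(items: List[str], pattern: str) -> int:
    """Stand-in for Tcl's `lsearch -regex`: index of the first matching
    element, or -1 when nothing matches. The profile tests `$m == 0`."""
    for i, item in enumerate(items):
        if re.search(pattern, item):
            return i
    return -1


@dataclass
class UpmRun:
    profile: str
    event: str
    variables: dict = field(default_factory=dict)
    netlogin_disabled_port: Optional[str] = None


def parse_upm_runs(log_text: str) -> List[UpmRun]:
    """Replay the (newest-first) log oldest-first; each 'Launched profile'
    line opens a run and the UPM lines that follow belong to it."""
    runs: List[UpmRun] = []
    for line in reversed(log_text.splitlines()):
        m = LAUNCH_RE.search(line)
        if m:
            runs.append(UpmRun(profile=m.group(1), event=m.group(2)))
            continue
        if not runs:
            continue          # lines before the first profile launch
        current = runs[-1]
        m = SETVAR_RE.search(line)
        if m:
            current.variables[m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = DISABLE_RE.search(line)
        if m:
            current.netlogin_disabled_port = m.group(1)
    return runs


def audit_netlogin_disables(log_text: str,
                            oui_pattern: str = EXTREME_OUI_PATTERN) -> List[dict]:
    """One finding per run that disabled netlogin although the triggering
    MAC does not match the expected OUI. Empty list means every netlogin
    disable was justified by the OUI check."""
    findings = []
    for run in parse_upm_runs(log_text):
        if run.netlogin_disabled_port is None:
            continue
        mac = run.variables.get("EVENT.DEVICE_MAC", "")
        if lsearch_regex([mac], oui_pattern) != 0:
            findings.append({"port": run.netlogin_disabled_port, "mac": mac,
                             "profile": run.profile,
                             "reason": "netlogin disabled for MAC outside expected OUI"})
    return findings


if __name__ == "__main__":
    for f in audit_netlogin_disables(SAMPLE_LOG):
        print(f"port {f['port']}: {f['reason']} ({f['mac']}, profile {f['profile']})")
```

Run against the real `show log` output the same way; the only port the sample flags is 7, while the run on port 23 passes because its MAC starts with 00:04:96. Note that an OUI alone is a weak trust signal, since LLDP chassis IDs are sent in the clear, so a finding-free audit says the script behaved as written, not that the neighbor was genuinely an Extreme switch.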