How to apply Dynamic ACL on Switch Engine with NAC

Guilhem_Lejeune
New Contributor III

Hi,

I'm trying to send the right RADIUS attributes to apply dynamic ACL on Switch Engine with ExtremeControl.

I've done this easily with Fabric Engine, using the %PER_USER_ACL_VOSS% parameter in "RADIUS Attributes to Send" configuration. Also, I created a role with a service. The default action is "Deny Traffic" and then, I add some protocols to be authorized.
It works fine.

My goal is to do the exact same thing with Switch Engine.
For now, I use policies with VLAN assignment (it works) but I would like to add dynamic ACL 😉.

Any ideas?

💡I'm on the latest version of XIQ SE and Control (25.08.11.12) and the latest version of Switch Engine (33.4.1.15-patch1-1).

Kind regards,


Hi Ryan,

Thank you for your feedback! Yes, indeed, something is not operating and I think the ExtremeControl role configuration is involved.
After a successful authentication, the Policy is pushed to the switch but I did not manage to have:

  • Default Action: deny (+ VLAN egress untagged)
  • Some protocols to be authorized
    The VLAN is not pushed (I see the FDB entry in VLAN 1...) and all traffic is blocked!

Very recently I managed to have:

  • Default action: Contain to VLAN (so basically permit with a VLAN ID)
  • Some protocols to be denied (for example: PING)
    The PING is actually blocked with this configuration and all other traffic is authorized.

But it is not exactly what I would like to implement. I would like to explicitly authorize traffic instead of denying traffic.

Kind regards,

You can send both the VLAN ID and the Policy name from NAC - you just need to enable this functionality on your switch from the Device tab in PM (enable RFC 3580 and accept VLAN ID and Policy).
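Since the reply above hinges on the switch accepting an RFC 3580 VLAN assignment together with a policy name, here is an added example (not code from the thread, from ExtremeControl or from Switch Engine) that encodes the RADIUS attributes such an Access-Accept carries and then parses them back the way a switch would, so you can check a captured accept for a consistent VLAN assignment before blaming the role configuration. The attribute numbers and enum values are the real ones from RFC 2865, RFC 2868 and RFC 3580; the Filter-Id policy string "policy=Guest" is a constructed placeholder, not the format NAC actually sends, and the `check_accept` helper is my own name.

```python
import struct

# Attribute type numbers (RFC 2865 / RFC 2868) and the RFC 3580 enum values.
ATTR_FILTER_ID = 11
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_vlan_policy_avps(vlan_id: int, policy_name=None, tag: int = 0) -> bytes:
    """Attributes an Access-Accept needs for RFC 3580 VLAN assignment, optionally
    followed by a Filter-Id carrying a policy name (placeholder string format)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")

    def tagged_int(v: int) -> bytes:
        # RFC 2868: one tag octet followed by a 3-octet integer value
        return bytes([tag]) + v.to_bytes(3, "big")

    avps = (
        _avp(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + _avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
        + _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )
    if policy_name is not None:
        avps += _avp(ATTR_FILTER_ID, policy_name.encode())
    return avps


def parse_avps(data: bytes) -> dict:
    """Walk the attribute list defensively and decode the attributes we care about."""
    result = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2 : i + length]
        if attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 octets")
            # RFC 2868: the first octet is a tag only when it is <= 0x1F
            if value[0] <= 0x1F:
                result[attr_type] = int.from_bytes(value[1:], "big")
            else:
                result[attr_type] = int.from_bytes(value, "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # Same tag rule for the string form; "100" without a tag still decodes
            text = value[1:] if value and value[0] <= 0x1F else value
            result[attr_type] = text.decode()
        elif attr_type == ATTR_FILTER_ID:
            result[attr_type] = value.decode()
        i += length
    return result


def check_accept(data: bytes):
    """Return {'vlan': ..., 'policy': ...} when the accept carries a complete
    RFC 3580 VLAN assignment, or None when any of the three tunnel attributes
    is missing or inconsistent (the switch would then leave the port in its
    default VLAN, much like the 'FDB entry in VLAN 1' symptom in the thread)."""
    attrs = parse_avps(data)
    if attrs.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE802:
        return None
    vlan = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if not vlan:
        return None
    return {"vlan": vlan, "policy": attrs.get(ATTR_FILTER_ID)}


if __name__ == "__main__":
    # Constructed sample: VLAN 100 plus a placeholder policy name
    sample = build_vlan_policy_avps(100, "policy=Guest")
    print(sample.hex())
    print(check_accept(sample))
```

Feed `parse_avps` the attribute section of a captured Access-Accept (everything after the 20-byte RADIUS header) to see exactly which of the three tunnel attributes the NAC did or did not send; a missing or mismatched one is the usual reason the VLAN is not applied even though the policy name arrives.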
