How to apply Dynamic ACL on Switch Engine with NAC

Guilhem_Lejeune
New Contributor III

Hi,

I'm trying to send the right RADIUS attributes to apply dynamic ACL on Switch Engine with ExtremeControl.

I've done this easily with Fabric Engine, using the %PER_USER_ACL_VOSS% parameter in the "RADIUS Attributes to Send" configuration. Also, I created a role with a service. The default action is "Deny Traffic" and then I add some protocols to be authorized.
It works fine.

My goal is to do the exact same thing with Switch Engine.
For now, I use policies with VLAN assignment (it works) but I would like to add dynamic ACL 😉.

Any ideas?

💡I'm on the latest version of XIQ SE and Control (25.08.11.12) and the latest version of Switch Engine (33.4.1.15-patch1-1).

Kind regards,

1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

It's important to note that during authentication, "Policy" is not pushed toward the switch. 

The policy always exists on the switch, but the policy is applied to the end system once the correct filter-ID is presented in the RADIUS access-accept.

First check to see if the policy is configured on the switch by running the command: "show config policy"

Here is an example from the lab:


5320-16P-4XE-SwitchEngine.2 # show config policy
#
# Module policy configuration.
#
configure netlogin port 2 authentication mode optional
configure policy captive-portal web-redirect 1 server 1 url "http://192.168.1.227:80/static/index.jsp" enable
configure policy profile 1 name "Failsafe"
configure policy profile 2 name "Access Point" pvid-status "enable" pvid 4095 auth-override "enable"
configure policy profile 3 name "Administrator" pvid-status "enable" pvid 4095
configure policy profile 4 name "Deny Access" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 0
configure policy profile 6 name "Quarantine" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 7 name "Server" pvid-status "enable" pvid 4095
configure policy profile 8 name "Printer" pvid-status "enable" pvid 0
configure policy profile 9 name "Unregistered" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 10 name "Enterprise User" pvid-status "enable" pvid 4095
configure policy profile 11 name "VoIP Phone" pvid-status "enable" pvid 4095
configure policy profile 12 name "Notification" pvid-status "enable" pvid 4095 web-redirect 1
configure policy profile 13 name "Assessing" pvid-status "enable" pvid 0 web-redirect 1
configure policy rule 4 udpdestportIP 53 mask 16 forward
configure policy rule 4 udpdestportIP 67 mask 16 forward
configure policy rule 4 tcpdestportIP 80 mask 16 forward
configure policy rule 4 tcpdestportIP 443 mask 16 forward
configure policy rule 4 ether 0x0806 mask 16 forward
configure policy rule 5 udpdestportIP 53 mask 16 forward
configure policy rule 5 udpdestportIP 67 mask 16 forward
configure policy rule 5 tcpdestportIP 80 mask 16 forward
configure policy rule 5 tcpdestportIP 110 mask 16 forward
configure policy rule 5 tcpdestportIP 143 mask 16 forward
configure policy rule 5 tcpdestportIP 443 mask 16 forward
configure policy rule 5 tcpdestportIP 465 mask 16 forward
configure policy rule 5 tcpdestportIP 587 mask 16 forward
configure policy rule 5 tcpdestportIP 993 mask 16 forward
configure policy rule 5 tcpdestportIP 995 mask 16 forward
configure policy rule 5 tcpdestportIP 1723 mask 16 forward
configure policy rule 5 ether 0x0806 mask 16 forward
configure policy rule 6 udpdestportIP 53 mask 16 forward
configure policy rule 6 udpdestportIP 67 mask 16 forward
configure policy rule 6 tcpdestportIP 80 mask 16 forward
configure policy rule 6 tcpdestportIP 443 mask 16 forward
configure policy rule 6 ether 0x0806 mask 16 forward
configure policy rule 8 udpdestportIP 53 mask 16 forward
configure policy rule 8 udpdestportIP 67 mask 16 forward
configure policy rule 8 ether 0x0806 mask 16 forward
configure policy rule 9 udpdestportIP 53 mask 16 forward
configure policy rule 9 udpdestportIP 67 mask 16 forward
configure policy rule 9 tcpdestportIP 80 mask 16 forward
configure policy rule 9 tcpdestportIP 443 mask 16 forward
configure policy rule 9 ether 0x0806 mask 16 forward
configure policy rule 12 udpdestportIP 53 mask 16 forward
configure policy rule 12 udpdestportIP 67 mask 16 forward
configure policy rule 12 tcpdestportIP 80 mask 16 forward
configure policy rule 12 tcpdestportIP 443 mask 16 forward
configure policy rule 12 ether 0x0806 mask 16 forward
configure policy rule 13 udpdestportIP 53 mask 16 forward
configure policy rule 13 udpdestportIP 67 mask 16 forward
configure policy rule 13 tcpdestportIP 80 mask 16 forward
configure policy rule 13 tcpdestportIP 443 mask 16 forward
configure policy rule 13 ether 0x0806 mask 16 forward
configure policy maptable response both
configure policy captive-portal listening 80
configure policy captive-portal listening 443
configure policy vlanauthorization enable
enable policy

The policy profile "Names" are the roles that are pushed from Extreme Policy:

[image: Ryan_Yacobucci_0-1759594620465.png]



Within each role are services, and services are collections of rules. These rules are shown within the policy configuration as "Rules" and the index number relates to the role:

[image: Ryan_Yacobucci_1-1759594871920.png]

[image: Ryan_Yacobucci_2-1759595015350.png]

When policy is enforced, these configurations exist on the switch.

The way to apply these policies to end systems is by sending the name of the policy in the Filter-ID in the RADIUS access-accept.

When the end system is authenticated, check the "Authorization" column within Control. It should show something like:

[image: Ryan_Yacobucci_4-1759595923235.png]

When the switch receives the Filter-ID, it applies the policy as configured within the switch to the end system connected.
You can see the session is applied by running the command:

show netlogin session

[image: Ryan_Yacobucci_5-1759596257451.png]

Check for Auth status "Success", agent type, session applied and "Policy Name". This shows you which policy is installed on which end system.

Let me know if you have any questions.

Thanks
-Ryan
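To make the profile/rule relationship Ryan describes checkable, here is an added example (not code from this thread or from Extreme) that parses a constructed excerpt modelled on the "show config policy" output above and resolves the Filter-ID a NAC would send to the profile index, pvid and rules the switch would install. The reading of pvid 0 as a deny-by-default profile and pvid 4095 as a permit one is an assumption inferred from the quoted output, not stated on this page.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the "show config policy" output quoted above
# (not a live capture). Rule index 12 deliberately has no matching profile.
# Assumption: pvid 0 marks a deny-by-default profile, pvid 4095 a permit one.
SHOW_CONFIG_POLICY = """\
configure policy profile 3 name "Administrator" pvid-status "enable" pvid 4095
configure policy profile 5 name "Guest Access" pvid-status "enable" pvid 0
configure policy profile 10 name "Enterprise User" pvid-status "enable" pvid 4095
configure policy rule 5 udpdestportIP 53 mask 16 forward
configure policy rule 5 udpdestportIP 67 mask 16 forward
configure policy rule 5 tcpdestportIP 443 mask 16 forward
configure policy rule 5 ether 0x0806 mask 16 forward
configure policy rule 12 tcpdestportIP 80 mask 16 forward
"""

PROFILE_RE = re.compile(r'^configure policy profile (\d+) name "([^"]+)"(.*)$')
RULE_RE = re.compile(r'^configure policy rule (\d+) (\S+) (\S+) mask (\d+) (forward|drop)')

def parse_policy_config(text):
    """Map profile index -> {name, pvid} and rule index -> list of rules."""
    profiles, rules = {}, defaultdict(list)
    for line in text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            pvid = re.search(r"pvid (\d+)", m.group(3))   # "pvid-status" does not match
            profiles[int(m.group(1))] = {"name": m.group(2),
                                         "pvid": int(pvid.group(1)) if pvid else None}
            continue
        m = RULE_RE.match(line)
        if m:
            rules[int(m.group(1))].append({"type": m.group(2), "value": m.group(3),
                                           "mask": int(m.group(4)), "action": m.group(5)})
    return profiles, rules

def rules_for_filter_id(text, filter_id):
    """Resolve the Filter-ID string a RADIUS Access-Accept would carry to
    (profile index, pvid, rules). Returns None when no profile has that name,
    which is exactly the case where the switch has nothing to apply."""
    profiles, rules = parse_policy_config(text)
    for idx, prof in profiles.items():
        if prof["name"] == filter_id:
            return idx, prof["pvid"], rules.get(idx, [])
    return None

def orphan_rules(text):
    """Rule indexes with no profile of the same index: never installed."""
    profiles, rules = parse_policy_config(text)
    return sorted(i for i in rules if i not in profiles)
```

A profile that resolves with an empty rule list (here "Administrator") is governed purely by its default action, which is where the questioner's deny-by-default role blocks everything.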

6 REPLIES

Hi Ryan,

Thank you for your feedback! Yes, indeed, something is not operating and I think the ExtremeControl role configuration is involved.
After a successful authentication, the Policy is pushed toward the switch but I did not manage to have:

  • Default action: deny (+ VLAN egress untagged)
  • Some protocols to be authorized
    VLAN is not pushed (I see the FDB entry in VLAN 1...) and all traffic is blocked!

Very recently I managed to have:

  • Default action: Contain to VLAN (so basically permit with a VLAN ID)
  • Some protocols to be denied (for example: PING)
    The PING is actually blocked with this configuration and all other traffic is authorized.

But it is not exactly what I would like to implement. I would like to explicitly authorize traffic instead of denying traffic.

Kind regards,

You can send from NAC both VLAN ID and Policy name - you just need to enable this functionality on your switch from Device tab in PM (enable RFC 3580 and accept VLAN ID and Policy)
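As a companion to the reply above about sending both a VLAN ID and a policy name, here is an added example (not code from this thread or from Extreme) that encodes the Filter-ID plus the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes a NAC would place in an Access-Accept, and decodes them back the way the switch side reads them. Attribute type numbers come from RFC 2865/2868; the policy name and VLAN 100 are constructed sample values.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and RFC 3580 values.
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_802 = 6       # Tunnel-Medium-Type "IEEE-802"

def _avp(attr_type, value):
    """One RADIUS AVP: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_accept_attrs(policy_name, vlan_id=None, tag=0):
    """Filter-ID carrying the policy name and, if vlan_id is given, the
    RFC 3580 VLAN triple. Each tunnel attribute is prefixed by the RFC 2868
    tag byte; tag 0 means 'untagged' and must be <= 0x1F to be read as a tag."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    attrs = _avp(FILTER_ID, policy_name.encode())
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        t = bytes([tag])
        attrs += _avp(TUNNEL_TYPE, t + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        attrs += _avp(TUNNEL_MEDIUM_TYPE, t + struct.pack("!I", TUNNEL_MEDIUM_802)[1:])
        attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode())
    return attrs

def parse_attrs(blob):
    """Walk the AVP list back into (type, value) tuples, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out

def authorization_from_attrs(blob):
    """What the switch acts on: (policy name from Filter-ID, VLAN ID or None)."""
    policy, vlan = None, None
    for t, v in parse_attrs(blob):
        if t == FILTER_ID:
            policy = v.decode()
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            vlan = int(v[1:].decode())      # drop the leading tag byte
    return policy, vlan
```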
