‎09-30-2019 02:15 PM
Good day,
I have recently inherited a project working with EXOS X440 switches in an environment moving toward DACL management through ClearPass.
My current issue relates to the fact I cannot seem to add traffic rules using standard IETF Deny IP NAS-Filter parameters. Here is the AAA config in the switch:
configure radius mgmt-access primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$NCGjTl6wGExsOKZWj+w="
configure radius netlogin primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$RZcQlN6swEz8dL2eLKM="
configure radius-accounting mgmt-access primary server (IPADDRESS SERVER) 1812 client-ip (Switch) vr VR-Default
configure radius-accounting mgmt-access primary shared-secret encrypted "#$YR5fvd2yGlKR18vK23U="
enable radius mgmt-access
enable radius netlogin
enable radius-accounting mgmt-access
enable radius-accounting netlogin
Right now, I have no problems with authentication via MAC, assigning a client VLAN etc., but when trying to apply ACL rules I cannot determine through logging or bashing my skull against it where exactly I am going off the rails.
Here are the basics of the ACL I am attempting to apply:
1. Radius:IETF | NAS-Filter-Rule = permit in udp from any to any 53,67
2. Radius:IETF | NAS-Filter-Rule = permit in ip from any to 10.0.0.0/8
3. Radius:IETF | NAS-Filter-Rule = deny in ip from any to any
None of these rules appear to have any impact, even though I can see them being applied in ClearPass output.
TL;DR: Can apply VLANs in EXOS switch, but not ACL controls via Aruba ClearPass.
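Before blaming the switch it is worth pinning down what the three NAS-Filter-Rule values above are supposed to do. The following is an added example I wrote for this thread (not Extreme, Aruba or ClearPass code): a small offline parser and first-match evaluator for the ipfw-style NAS-Filter-Rule grammar defined in RFC 4849, limited to the subset the post uses (`<action> <dir> <proto> from <src> to <dst> [<dst-ports>]`). The rule strings are the three attribute values from the post; the flows evaluated at the bottom are constructed test traffic. Whether the X440's EXOS build honours attribute 92 at all is not something this thread establishes, so the evaluator only tells you what the intended policy is, not what the switch will enforce.

```python
"""Offline parser/evaluator for a subset of the RFC 4849 NAS-Filter-Rule syntax.

Added example for this thread, not code from Extreme or Aruba.  Supported grammar:
    <permit|deny> <in|out> <proto> from <src|any> to <dst|any> [<port>[,<port>|<lo-hi>]...]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# The three attribute values from the original post (ClearPass UI prefix stripped).
POSTED_RULES = [
    "permit in udp from any to any 53,67",
    "permit in ip from any to 10.0.0.0/8",
    "deny in ip from any to any",
]


@dataclass
class Rule:
    action: str                          # "permit" or "deny"
    direction: str                       # "in" or "out"
    proto: str                           # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]  # None means "any"
    dports: Optional[Set[int]]           # None means any destination port


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def _ports(token: str) -> Set[int]:
    # "53,67" -> {53, 67}; "1024-1026" -> {1024, 1025, 1026}
    ports: Set[int] = set()
    for part in token.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(text: str) -> Rule:
    tok = text.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to" or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported NAS-Filter-Rule syntax: {text!r}")
    dports = _ports(tok[7]) if len(tok) > 7 else None
    return Rule(tok[0], tok[1], tok[2], _net(tok[4]), _net(tok[6]), dports)


def evaluate(rules: List[Rule], direction: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching rule wins; a flow that matches nothing falls through to deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction != direction or (r.proto != "ip" and r.proto != proto):
            continue
        if (r.src is not None and s not in r.src) or (r.dst is not None and d not in r.dst):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "deny"


if __name__ == "__main__":
    rules = [parse_rule(t) for t in POSTED_RULES]
    # Constructed flows: DNS to an external resolver, HTTPS to an internal host, HTTPS externally.
    for flow in [("in", "udp", "192.0.2.10", "8.8.8.8", 53),
                 ("in", "tcp", "192.0.2.10", "10.1.2.3", 443),
                 ("in", "tcp", "192.0.2.10", "8.8.8.8", 443)]:
        print(flow, "->", evaluate(rules, *flow))
```

Run it as a script and the three constructed flows come back permit, permit, deny, which is the behaviour the poster expected but did not see on the switch. That narrows the problem to delivery or support of the attribute on the EXOS side rather than to the rule text itself.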
1 ACCEPTED SOLUTION
‎10-02-2019 06:23 PM
Hey everyone -
Had to come up with a workaround for this, as the expected commands aren't working as expected.
Had to create a policy on the EXOS device blocking an IP:
configure policy profile 2 name "TEST"
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
configure policy rule 2 ipdestsocket 4.2.2.2 mask 32 drop
enable policy
Once you have this policy in place, in Clearpass you need to push the following command:
Radius:IETF Filter-Id = Test
This enforces whatever IP policy you have in place on the EXOS device and can be pushed using any clearpass enforcement profile.
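The workaround above moves the enforcement decision onto the switch and leaves ClearPass sending only a Filter-Id that names a local policy profile, so the two things worth checking are (a) what attributes the Access-Accept actually carries and (b) whether the Filter-Id value matches a profile name the switch has. The block below is an added example I wrote for this thread, not Extreme, Aruba or ClearPass code. It decodes a RADIUS Access-Accept (RFC 2865 layout), verifies the Response Authenticator against the shared secret, and cross-checks any Filter-Id (attribute 11) against the `configure policy profile N name "X"` lines of an EXOS config; NAS-Filter-Rule (attribute 92) is reported only as present. The packet, request authenticator, shared secret and config snippet are all constructed for the demonstration; the config snippet reuses the posted `TEST` profile and the packet reuses the posted `Test` Filter-Id, so the example deliberately shows the case-only mismatch between the two (the thread does not say whether EXOS compares profile names case-insensitively, so the check reports it as a warning rather than an error).

```python
"""Decode a RADIUS Access-Accept, verify its Response Authenticator and cross-check
Filter-Id against the policy profile names configured on an EXOS switch.

Added example for this thread, not Extreme, Aruba or ClearPass code.  The packet,
shared secret and config snippet below are constructed for the demonstration.
"""
import hashlib
import hmac
import re
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2
FILTER_ID = 11          # RFC 2865 attribute type
NAS_FILTER_RULE = 92    # RFC 4849 attribute type
HEADER_LEN = 20

# Constructed stand-ins: a real check uses the Access-Request's authenticator and the
# secret behind 'configure radius netlogin primary shared-secret' on the switch.
REQUEST_AUTHENTICATOR = bytes(range(16))
SHARED_SECRET = b"example-secret-not-real"
EXOS_CONFIG = '''configure policy profile 2 name "TEST"
configure policy rule 2 ipdestsocket 8.8.8.8 mask 32 drop
enable policy
'''

Attrs = List[Tuple[int, bytes]]


def _response_authenticator(code: int, ident: int, length: int, attr_bytes: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + REQUEST_AUTHENTICATOR + attr_bytes + SHARED_SECRET).digest()


def build_access_accept(attrs: Attrs, ident: int = 1) -> bytes:
    """Assemble a test Access-Accept with a valid Response Authenticator."""
    attr_bytes = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = HEADER_LEN + len(attr_bytes)
    auth = _response_authenticator(ACCESS_ACCEPT, ident, length, attr_bytes)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attr_bytes


def decode_packet(packet: bytes) -> Tuple[int, Attrs]:
    """Return (code, [(type, value), ...]); ValueError on a malformed or unauthentic packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    expected = _response_authenticator(code, ident, length, packet[HEADER_LEN:])
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch (wrong secret or tampered packet)")
    attrs: Attrs = []
    pos = HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def exos_policy_profiles(config_text: str) -> Dict[str, int]:
    """Map policy profile name -> number from 'configure policy profile N name "X"' lines."""
    pat = re.compile(r'^configure policy profile (\d+) name "([^"]+)"', re.M)
    return {name: int(num) for num, name in pat.findall(config_text)}


def check_accept(packet: bytes, config_text: str) -> List[str]:
    """One finding per Filter-Id / NAS-Filter-Rule attribute in the Access-Accept."""
    code, attrs = decode_packet(packet)
    if code != ACCESS_ACCEPT:
        return ["error: not an Access-Accept (code %d)" % code]
    profiles = exos_policy_profiles(config_text)
    lowered = {p.lower(): p for p in profiles}
    findings: List[str] = []
    for atype, value in attrs:
        if atype == FILTER_ID:
            name = value.decode("ascii", "replace")
            if name in profiles:
                findings.append("ok: Filter-Id %r maps to policy profile %d" % (name, profiles[name]))
            elif name.lower() in lowered:
                findings.append("warn: Filter-Id %r differs only in case from profile %r"
                                % (name, lowered[name.lower()]))
            else:
                findings.append("error: Filter-Id %r matches no configured policy profile" % name)
        elif atype == NAS_FILTER_RULE:
            findings.append("info: NAS-Filter-Rule %r present" % value.decode("ascii", "replace"))
    return findings


if __name__ == "__main__":
    pkt = build_access_accept([(FILTER_ID, b"Test"), (NAS_FILTER_RULE, b"deny in ip from any to any")])
    for line in check_accept(pkt, EXOS_CONFIG):
        print(line)
```

To use it against a live deployment, feed `decode_packet` the raw UDP payload of the Access-Accept from a capture on the switch's management VLAN together with the matching Access-Request authenticator and the real netlogin secret, and give `check_accept` the output of the switch's policy configuration. An authenticator mismatch means the capture and the secret do not belong together; an `error:` finding means ClearPass is naming a profile the switch does not have, which is the quiet failure mode the Filter-Id workaround is most exposed to.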
