
How can I use FilterID from Radius/Netlogin MAC-Auth to assign ACL on Port?


Paul_Stange
New Contributor
Hello,

I have Netlogin running on a switch, the client gets authorized correctly and is put in the right vlan. Now I also want to apply an ACL to the clients port. I just can't get my head wrapped around how to do that. I'm lacking the right keywords I guess.

I found the

configure policy maptable response both

command which kind of seems to be the right thing but I´m still missing information for my/a complete understanding. We are using a FreeRadius-Server.

Can you guys point me towards the right direction or maybe even supply an example configuration?

Thanks in advance.


Paul_Stange
New Contributor
Hi Tomasz,

the first option describes perfectly what I want/need to do here but we do not have XMC.

Our Radius already sends the FilterID in its response:
10/01/2018 11:46:07.86 emsAAAServer:aaaGetAccInfo: Failed to send Accounting request
10/01/2018 11:46:07.86 emsAAAServer: aaaGetAccInfo : read tlv
10/01/2018 11:46:07.86 emsAAAServer:aaaGetAccInfo:
10/01/2018 11:46:07.86 emsSmServer: aaaRecv got message 12
10/01/2018 11:46:07.86 emsSmServer: aaaRecv: received 428 bytes from peer 10
10/01/2018 11:46:07.86 Network Login MAC user 001C231D7CCD logged in MAC 00:1C:23:1D:7C:CD port 18 VLAN(s) "int", authentication Radius
10/01/2018 11:46:07.84 _aaaRespondToClient-: sent message to client:peer 10
10/01/2018 11:46:07.84 _aaaRespondToClient- :Peer 10
10/01/2018 11:46:07.84 aaaRequestDequeueNO_LOCK() - queue 0x4c8724, request 0x5520b0 for peer 10, count 0, transId 147, authMethod 2
10/01/2018 11:46:07.84 __aaaReqFindRadiusInQueue-:found by transId 147
10/01/2018 11:46:07.84 __aaaReqFindRadiusInQueue-:pkt-id 147
10/01/2018 11:46:07.84 rad_callback() - start - request 0x4c7340
10/01/2018 11:46:07.84 Authorization values for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18: Access level - unknown, Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, Session Timeout - 4294967295, Idle Timeout - 4294967295, FilterId: ip.int_incoming.in. VrName: NsiType: 0 NsiId: 0
10/01/2018 11:46:07.84 Received an access accept (packet length 56, destination UDP port 32769, id 147) from authentication server #primary netlogin for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18.
10/01/2018 11:46:07.84 Access Request(packet length 131, source UDP port 32769, id 147) sent to server #primary netlogin for user 00-1C-23-1D-7C-CD(userName '001C231D7CCD') for the macauthentication agent on port 18
10/01/2018 11:46:07.84 aaaRequestUpdateEnqueue() - queue 0x4c8724, request 0x5520b0 for peer 10, count 1, transId 147, authMethod 2
10/01/2018 11:46:07.84 PAP request for 00-1C-23-1D-7C-CD(username '001C231D7CCD') on port 18.
10/01/2018 11:46:07.84 Processing PAP request
10/01/2018 11:46:07.84 Queuing a RADIUS authen pap request
10/01/2018 11:46:07.84 aaaAuthenticate- Sending to radius for peer 10
10/01/2018 11:46:07.84 _aaaGetReq[netlogin]-:Authenticat using Radius, user data ptr 0x490bf0
10/01/2018 11:46:07.84 Authenticate using RADIUS Server
10/01/2018 11:46:07.84 aaa:radiusEnabled: SrvrSet: 2 realm:3 enabled? :1
10/01/2018 11:46:07.84 Handle request from peer 10
10/01/2018 11:46:07.84 emsSmServer: aaaRecv got message 10
10/01/2018 11:46:07.84 emsSmServer: aaaRecv: received 716 bytes from peer 10
10/01/2018 11:46:02.02 Port 18 link UP at speed 1 Gbps and full-duplex

So I somehow have to get the FilterID: ip.int_incoming.in into a policy.

Here is the switch-config:

ax3-a-4-6.2 # show conf
#
# Module devmgr configuration.
#
configure snmp sysName "ax3-a-4-6"
configure snmp sysLocation "mars"
configure snmp sysContact "iss@egal.de"
configure timezone name local 120 autodst begins every last sunday october at 2 0 ends every last sunday march at 2 0
configure sys-recovery-level switch reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1-52
configure vr VR-Default add ports 1-52
configure vlan default delete ports 1-7,16,18
create vlan "asa"
configure vlan asa tag 8
create vlan "bt"
configure vlan bt tag 21
create vlan "def"
configure vlan def tag 1
configure vlan Default tag 4000
create vlan "dmz"
configure vlan dmz tag 19
create vlan "fvb-inband"
configure vlan fvb-inband tag 84
create vlan "fvb-intra"
configure vlan fvb-intra tag 83
create vlan "in"
configure vlan in tag 13
create vlan "int"
configure vlan int tag 20
create vlan "lab"
configure vlan lab tag 100
create vlan "linux"
configure vlan linux tag 12
create vlan "ntl_unauth"
configure vlan ntl_unauth tag 38
create vlan "observe"
configure vlan observe tag 23
create vlan "prn"
configure vlan prn tag 130
create vlan "srv"
configure vlan srv tag 17
create vlan "sun"
configure vlan sun tag 15
create vlan "tesla"
configure vlan tesla tag 14
create vlan "test"
configure vlan test tag 4
create vlan "tkclient"
configure vlan tkclient tag 22
create vlan "tkmgmt"
configure vlan tkmgmt tag 6
create vlan "undef"
configure vlan undef tag 3333
create vlan "vpn_dmz"
configure vlan vpn_dmz tag 18
create vlan "wifi"
configure vlan wifi tag 1001
disable port 1
configure ports 51 auto off speed 10000 duplex full
configure ports 52 auto off speed 10000 duplex full
configure vlan asa add ports 49,51 tagged
configure vlan bt add ports 49,51 tagged
configure vlan def add ports 49,51 tagged
configure vlan def add ports 16 untagged
configure vlan Default add ports 8-15,17,19-52 untagged
configure vlan dmz add ports 49,51 tagged
configure vlan fvb-inband add ports 49,51 tagged
configure vlan fvb-intra add ports 49,51 tagged
configure vlan in add ports 49,51 tagged
configure vlan int add ports 49,51 tagged
configure vlan lab add ports 49,51 tagged
configure vlan linux add ports 49,51 tagged
configure vlan observe add ports 49,51 tagged
configure vlan prn add ports 49,51 tagged
configure vlan srv add ports 49,51 tagged
configure vlan sun add ports 49,51 tagged
configure vlan tesla add ports 49,51 tagged
configure vlan test add ports 49,51 tagged
configure vlan tkclient add ports 49,51 tagged
configure vlan tkmgmt add ports 49,51 tagged
configure vlan undef add ports 49,51 tagged
configure vlan undef add ports 1-7 untagged
configure vlan vpn_dmz add ports 49,51 tagged
configure vlan wifi add ports 49,51 tagged
configure vlan in ipaddress x.x.x.x x.x.x.x

#
# Module mcmgr configuration.
#

#
# Module fdb configuration.
#
configure mac-locking ports 16 first-arrival limit-learning 3
configure mac-locking ports 17 first-arrival limit-learning 3
configure mac-locking ports 18 first-arrival limit-learning 3
configure mac-locking ports 19 first-arrival limit-learning 3
configure mac-locking ports 20 first-arrival limit-learning 3
configure mac-locking ports 21 first-arrival limit-learning 3
configure mac-locking ports 22 first-arrival limit-learning 3
configure mac-locking ports 23 first-arrival limit-learning 3
configure mac-locking ports 24 first-arrival limit-learning 3
configure mac-locking ports 25 first-arrival limit-learning 3
configure mac-locking ports 26 first-arrival limit-learning 3
configure mac-locking ports 27 first-arrival limit-learning 3
configure mac-locking ports 28 first-arrival limit-learning 3
configure mac-locking ports 29 first-arrival limit-learning 3
configure mac-locking ports 30 first-arrival limit-learning 3
configure mac-locking ports 31 first-arrival limit-learning 3
configure mac-locking ports 32 first-arrival limit-learning 3

#
# Module rtmgr configuration.
#
configure iproute add default 10.6.24.1

#
# Module policy configuration.
#

configure policy maptable response both

#
# Module aaa configuration.
#

#
# Module acl configuration.
#

#
# Module bfd configuration.
#

#
# Module cfgmgr configuration.
#
enable cli-config-logging

#
# Module dosprotect configuration.
#

#
# Module dot1ag configuration.
#

#
# Module eaps configuration.
#

#
# Module edp configuration.
#

#
# Module elrp configuration.
#

#
# Module ems configuration.
#
enable log debug-mode
create log filter rad_logs
create log filter stp_logs
create log filter mac_logs
configure log filter DefaultFilter add events FDB.FdbNotice
configure log filter rad_logs add events nl
configure log filter rad_logs add events AAA severity debug-summary
configure log filter rad_logs add events vlan.msgs.portLinkStateUp
configure log filter rad_logs add events vlan.msgs.portLinkStateDown
configure log filter rad_logs add events vlan
configure log filter stp_logs add events STP.State.PortState match string "19"
configure log filter mac_logs add events vlan
configure log target memory-buffer filter rad_logs severity Debug-Data
configure log target console filter DefaultFilter severity Debug-Data

#
# Module epm configuration.
#

#
# Module erps configuration.
#

#
# Module esrp configuration.
#

#
# Module ethoam configuration.
#

#
# Module etmon configuration.
#

#
# Module exsshd configuration.
#
enable ssh2
configure ssh2 dh-group minimum 1

#
# Module hal configuration.
#
configure iproute sharing max-gateways 4

#
# Module idMgr configuration.
#

#
# Module ipSecurity configuration.
#

#
# Module ipfix configuration.
#

#
# Module lldp configuration.
#
configure lldp management-address vlan in primary-ip
configure lldp port 1 advertise port-description
configure lldp port 1 advertise system-capabilities
configure lldp port 1 advertise management-address
configure lldp port 2 advertise port-description
configure lldp port 2 advertise system-capabilities
configure lldp port 2 advertise management-address
configure lldp port 3 advertise port-description
configure lldp port 3 advertise system-capabilities
configure lldp port 3 advertise management-address
configure lldp port 4 advertise port-description
configure lldp port 4 advertise system-capabilities
configure lldp port 4 advertise management-address
configure lldp port 5 advertise port-description
configure lldp port 5 advertise system-capabilities
configure lldp port 5 advertise management-address
configure lldp port 6 advertise port-description
configure lldp port 6 advertise system-capabilities
configure lldp port 6 advertise management-address
configure lldp port 7 advertise port-description
configure lldp port 7 advertise system-capabilities
configure lldp port 7 advertise management-address
configure lldp port 8 advertise port-description
configure lldp port 8 advertise system-capabilities
configure lldp port 8 advertise management-address
configure lldp port 9 advertise port-description
configure lldp port 9 advertise system-capabilities
configure lldp port 9 advertise management-address
configure lldp port 10 advertise port-description
configure lldp port 10 advertise system-capabilities
configure lldp port 10 advertise management-address
configure lldp port 11 advertise port-description
configure lldp port 11 advertise system-capabilities
configure lldp port 11 advertise management-address
configure lldp port 12 advertise port-description
configure lldp port 12 advertise system-capabilities
configure lldp port 12 advertise management-address
configure lldp port 13 advertise port-description
configure lldp port 13 advertise system-capabilities
configure lldp port 13 advertise management-address
configure lldp port 14 advertise port-description
configure lldp port 14 advertise system-capabilities
configure lldp port 14 advertise management-address
configure lldp port 15 advertise port-description
configure lldp port 15 advertise system-capabilities
configure lldp port 15 advertise management-address
configure lldp port 16 advertise port-description
configure lldp port 16 advertise system-capabilities
configure lldp port 16 advertise management-address
configure lldp port 17 advertise port-description
configure lldp port 17 advertise system-capabilities
configure lldp port 17 advertise management-address
configure lldp port 18 advertise port-description
configure lldp port 18 advertise system-capabilities

Tomasz
Valued Contributor II
Hi Paul,

You have two options to enhance your edge-port security besides just VLAN separation with RFC 3580 operation:
- Policy, that is most likely configured in XMC GUI due to lot of capabilities, and enforced to all the devices at once, then in Radius you would want to assign additional attribute to your Access-Accept response, i.e. Filter-id=;
- UPM script, that would be a script triggered upon user authentication, and in Radius you have to specify a Vendor-Specific Attribute that would call the script by its name; inside you can play with some authentication variables like user port or so and apply dynamic ACLs to it (more to do in CLI for that);

For Policy to be working, Filter-id should have its value pointing to a policy name that exists on a device (like Filter-id=guest).

Please let us know which approach you prefer and if you use XMC or not, then we could help you walk through relevant portions of configuration.
Also, your current config might be useful here.

Regards,
Tomasz
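One way to check what the RADIUS server actually returned against the policy names present on the switch, as an added example that is not part of the thread (Python; the regex over the ExtremeXOS "Authorization values" debug line, the assumption that the period printed after the Filter-Id is log punctuation rather than part of the value, and the sample policy set are mine):

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in the ExtremeXOS "Authorization values" debug format
# quoted in the thread (the first is the thread's own line; the others are made up).
SAMPLE_LOG = """\
10/01/2018 11:46:07.84 Authorization values for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18: Access level - unknown, Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, Session Timeout - 4294967295, Idle Timeout - 4294967295, FilterId: ip.int_incoming.in. VrName: NsiType: 0 NsiId: 0
10/01/2018 11:50:12.10 Authorization values for 00-AA-BB-CC-DD-EE(userName '00AABBCCDDEE') on port 19: Access level - unknown, Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, Session Timeout - 4294967295, Idle Timeout - 4294967295, FilterId: guest. VrName: NsiType: 0 NsiId: 0
10/01/2018 11:52:30.55 Authorization values for 00-11-22-33-44-55(userName '001122334455') on port 20: Access level - unknown, Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 38, Session Timeout - 4294967295, Idle Timeout - 4294967295, FilterId:  VrName: NsiType: 0 NsiId: 0
"""

# The switch prints the Filter-Id followed by a period before " VrName:"; the
# optional "\.?" assumes that period is log punctuation, not part of the value.
AUTHZ_RE = re.compile(
    r"Authorization values for (?P<mac>[0-9A-Fa-f-]{17})"
    r"\(userName '(?P<user>[^']*)'\) on port (?P<port>\d+):"
    r".*?Tunnel Group Id - (?P<vlan>[^,]+),"
    r".*?FilterId: ?(?P<filter>.*?)\.?\s+VrName:"
)


def parse_authorizations(log: str) -> List[Dict[str, str]]:
    """Extract one record per RADIUS Access-Accept the switch logged."""
    records = []
    for line in log.splitlines():
        m = AUTHZ_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def check_filter_ids(log: str, known_policies: Set[str]) -> List[Dict[str, str]]:
    """Tag each record with whether its Filter-Id names a policy the switch knows.

    known_policies is the set of policy/profile names present on the device,
    collected from the switch before trusting what the RADIUS reply asks for.
    """
    findings = []
    for rec in parse_authorizations(log):
        if not rec["filter"]:
            status = "missing"         # VLAN assigned, but no policy requested at all
        elif rec["filter"] in known_policies:
            status = "ok"
        else:
            status = "unknown-policy"  # name not on the device, so nothing can be applied
        findings.append({**rec, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_filter_ids(SAMPLE_LOG, {"guest", "int_incoming"}):
        print(f"port {f['port']} {f['mac']} vlan {f['vlan']} filter={f['filter']!r}: {f['status']}")
```

Run it over the output of the switch's memory-buffer log (the rad_logs filter in the config above captures these lines) with the real policy names substituted for the sample set.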
