How can I use FilterID from Radius/Netlogin MAC-Auth to assign ACL on Port?

Paul_Stange
New Contributor
Hello,

I have Netlogin running on a switch, the client gets authorized correctly and is put in the right VLAN. Now I also want to apply an ACL to the client's port. I just can't get my head wrapped around how to do that. I'm lacking the right keywords I guess.

I found the

configure policy maptable response both

command which kind of seems to be the right thing but I´m still missing information for my/a complete understanding. We are using a FreeRadius-Server.

Can you guys point me towards the right direction or maybe even supply an example configuration?

Thanks in advance.


Paul_Stange
New Contributor
Hello Tomasz,

thank you very much for putting so much effort and time into helping me. I went with the first approach to bind the ACL to the VLAN and it works just fine. The client is authenticated via Netlogin and gets the appropriate VLAN with the RADIUS response. Since the ACL is bound to the VLAN, this does the job perfectly.

But I think, I should put some more thought into the One Policy / UPM script approach too, it sounds quite powerful.

Thank you and best regards
Paul

Tomasz
Valued Contributor II
Hello Paul,

what you did here is an ACL. It's something different in EXOS than Policy, although the use case is similar.
If you would like to do policies, you should not use 'enable policy', but this instead:
code:
configure access-list ip.int_incoming.in [any | ports -portlist- | vlan -vlanname- ]

However, this is a static approach. You could improve the ACL scenario with UPM profiles; those are scripts that can be issued upon authentication (with the script name, i.e. the UPM profile name, sent from the RADIUS server) and dynamically create ACLs on the relevant port as if you had entered them on the command line yourself. But it is a lot of hassle.
Policy does not involve ACL file creation.
Please take a look at 'ONEPolicy Configuration Examples' in EXOS User Guide, page 812 most likely. You could see there, what is needed for you to play, like for example:
code:
configure policy profile 1 name guest pvid-status enable pvid 0 cos-status enable cos 4
configure policy rule 1 udpsourceport 68 mask 16 forward

This is just a brief example. The first command creates a policy called guest (this is what would be received from RADIUS in Filter-ID; 1 is just the index) with default action deny for all the user's traffic (pvid 0; pvid 4095 would be default permit and any other VLAN would be a 'contain to VLAN' operation, but RFC 3580-based VLAN containment is better I think) and some CoS assigned. Then there is a single classification rule that permits UDP port 68, that is DHCP. For more information on how to use 'configure policy rule' (if you don't have Extreme Management Center), see the EXOS Command Reference. But once you read the entire deployment example in the User Guide I think you'll be good to go.
After all, the policy profile should be applied to someone authenticated with the appropriate role; you could also put guest-user restrictions statically on a port:
code:
configure policy port -portlist- -profileindex-

For these features 'enable policy' is useful definitely. 😉
Regarding counters, unfortunately I don't see such for Policy behavior - it's about restrictions rather than statistics.

Hope that helps,
Tomasz

P.S. Greater-than/less-than signs are filtered out when posting, that's why I used dashes in the 'code' sections.

Tomasz
Valued Contributor II
Paul Stange wrote:
Hi Tomasz,

the first option describes perfectly what I want/need to do here but we do not have XMC.

Our Radius already sends the FilterID in its response:
10/01/2018 11:46:07.86 emsAAAServer:aaaGetAccInfo: Failed to send Accounting request
10/01/2018 11:46:07.86 emsAAAServer: aaaGetAccInfo : read tlv
10/01/2018 11:46:07.86 emsAAAServer:aaaGetAccInfo:
10/01/2018 11:46:07.86 emsSmServer: aaaRecv got message 12
10/01/2018 11:46:07.86 emsSmServer: aaaRecv: received 428 bytes from peer 10
10/01/2018 11:46:07.86 Network Login MAC user 001C231D7CCD logged in MAC 00:1C:23:1D:7C:CD port 18 VLAN(s) "int", authentication Radius
10/01/2018 11:46:07.84 _aaaRespondToClient-: sent message to client:peer 10
10/01/2018 11:46:07.84 _aaaRespondToClient- :Peer 10
10/01/2018 11:46:07.84 aaaRequestDequeueNO_LOCK() - queue 0x4c8724, request 0x5520b0 for peer 10, count 0, transId 147, authMethod 2
10/01/2018 11:46:07.84 __aaaReqFindRadiusInQueue-:found by transId 147
10/01/2018 11:46:07.84 __aaaReqFindRadiusInQueue-:pkt-id 147
10/01/2018 11:46:07.84 rad_callback() - start - request 0x4c7340
10/01/2018 11:46:07.84 Authorization values for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18: Access level - unknown, Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, Session Timeout - 4294967295, Idle Timeout - 4294967295, FilterId: ip.int_incoming.in. VrName: NsiType: 0 NsiId: 0
10/01/2018 11:46:07.84 Received an access accept (packet length 56, destination UDP port 32769, id 147) from authentication server #primary netlogin for 00-1C-23-1D-7C-CD(userName '001C231D7CCD') on port 18.
10/01/2018 11:46:07.84 Access Request(packet length 131, source UDP port 32769, id 147) sent to server #primary netlogin for user 00-1C-23-1D-7C-CD(userName '001C231D7CCD') for the macauthentication agent on port 18
10/01/2018 11:46:07.84 aaaRequestUpdateEnqueue() - queue 0x4c8724, request 0x5520b0 for peer 10, count 1, transId 147, authMethod 2
10/01/2018 11:46:07.84 PAP request for 00-1C-23-1D-7C-CD(username '001C231D7CCD') on port 18.
10/01/2018 11:46:07.84 Processing PAP request
10/01/2018 11:46:07.84 Queuing a RADIUS authen pap request
10/01/2018 11:46:07.84 aaaAuthenticate- Sending to radius for peer 10
10/01/2018 11:46:07.84 _aaaGetReq[netlogin]-:Authenticat using Radius, user data ptr 0x490bf0
10/01/2018 11:46:07.84 Authenticate using RADIUS Server
10/01/2018 11:46:07.84 aaa:radiusEnabled: SrvrSet: 2 realm:3 enabled? :1
10/01/2018 11:46:07.84 Handle request from peer 10
10/01/2018 11:46:07.84 emsSmServer: aaaRecv got message 10
10/01/2018 11:46:07.84 emsSmServer: aaaRecv: received 716 bytes from peer 10
10/01/2018 11:46:02.02 Port 18 link UP at speed 1 Gbps and full-duplex

So I somehow have to get the FilterID: ip.int_incoming.in into a policy.

Here is the switch-config:

ax3-a-4-6.2 # show conf
#
# Module devmgr configuration.
#
configure snmp sysName "ax3-a-4-6"
configure snmp sysLocation "mars"
configure snmp sysContact "iss@egal.de"
configure timezone name local 120 autodst begins every last sunday october at 2 0 ends every last sunday march at 2 0
configure sys-recovery-level switch reset

#
# Module vlan configuration.
#
configure vlan default delete ports all
configure vr VR-Default delete ports 1-52
configure vr VR-Default add ports 1-52
configure vlan default delete ports 1-7,16,18
create vlan "asa"
configure vlan asa tag 8
create vlan "bt"
configure vlan bt tag 21
create vlan "def"
configure vlan def tag 1
configure vlan Default tag 4000
create vlan "dmz"
configure vlan dmz tag 19
create vlan "fvb-inband"
configure vlan fvb-inband tag 84
create vlan "fvb-intra"
configure vlan fvb-intra tag 83
create vlan "in"
configure vlan in tag 13
create vlan "int"
configure vlan int tag 20
create vlan "lab"
configure vlan lab tag 100
create vlan "linux"
configure vlan linux tag 12
create vlan "ntl_unauth"
configure vlan ntl_unauth tag 38
create vlan "observe"
configure vlan observe tag 23
create vlan "prn"
configure vlan prn tag 130
create vlan "srv"
configure vlan srv tag 17
create vlan "sun"
configure vlan sun tag 15
create vlan "tesla"
configure vlan tesla tag 14
create vlan "test"
configure vlan test tag 4
create vlan "tkclient"
configure vlan tkclient tag 22
create vlan "tkmgmt"
configure vlan tkmgmt tag 6
create vlan "undef"
configure vlan undef tag 3333
create vlan "vpn_dmz"
configure vlan vpn_dmz tag 18
create vlan "wifi"
configure vlan wifi tag 1001
disable port 1
configure ports 51 auto off speed 10000 duplex full
configure ports 52 auto off speed 10000 duplex full
configure vlan asa add ports 49,51 tagged
configure vlan bt add ports 49,51 tagged
configure vlan def add ports 49,51 tagged
configure vlan def add ports 16 untagged
configure vlan Default add ports 8-15,17,19-52 untagged
configure vlan dmz add ports 49,51 tagged
configure vlan fvb-inband add ports 49,51 tagged
configure vlan fvb-intra add ports 49,51 tagged
configure vlan in add ports 49,51 tagged
configure vlan int add ports 49,51 tagged
configure vlan lab add ports 49,51 tagged
configure vlan linux add ports 49,51 tagged
configure vlan observe add ports 49,51 tagged
configure vlan prn add ports 49,51 tagged
configure vlan srv add ports 49,51 tagged
configure vlan sun add ports 49,51 tagged
configure vlan tesla add ports 49,51 tagged
configure vlan test add ports 49,51 tagged
configure vlan tkclient add ports 49,51 tagged
configure vlan tkmgmt add ports 49,51 tagged
configure vlan undef add ports 49,51 tagged
configure vlan undef add ports 1-7 untagged
configure vlan vpn_dmz add ports 49,51 tagged
configure vlan wifi add ports 49,51 tagged
configure vlan in ipaddress x.x.x.x x.x.x.x

#
# Module mcmgr configuration.
#

#
# Module fdb configuration.
#
configure mac-locking ports 16 first-arrival limit-learning 3
configure mac-locking ports 17 first-arrival limit-learning 3
configure mac-locking ports 18 first-arrival limit-learning 3
configure mac-locking ports 19 first-arrival limit-learning 3
configure mac-locking ports 20 first-arrival limit-learning 3
configure mac-locking ports 21 first-arrival limit-learning 3
configure mac-locking ports 22 first-arrival limit-learning 3
configure mac-locking ports 23 first-arrival limit-learning 3
configure mac-locking ports 24 first-arrival limit-learning 3
configure mac-locking ports 25 first-arrival limit-learning 3
configure mac-locking ports 26 first-arrival limit-learning 3
configure mac-locking ports 27 first-arrival limit-learning 3
configure mac-locking ports 28 first-arrival limit-learning 3
configure mac-locking ports 29 first-arrival limit-learning 3
configure mac-locking ports 30 first-arrival limit-learning 3
configure mac-locking ports 31 first-arrival limit-learning 3
configure mac-locking ports 32 first-arrival limit-learning 3

#
# Module rtmgr configuration.
#
configure iproute add default 10.6.24.1

#
# Module policy configuration.
#

configure policy maptable response both

#
# Module aaa configuration.
#

#
# Module acl configuration.
#

#
# Module bfd configuration.
#

#
# Module cfgmgr configuration.
#
enable cli-config-logging

#
# Module dosprotect configuration.
#

#
# Module dot1ag configuration.
#

#
# Module eaps configuration.
#

#
# Module edp configuration.
#

#
# Module elrp configuration.
#

#
# Module ems configuration.
#
enable log debug-mode
create log filter rad_logs
create log filter stp_logs
create log filter mac_logs
configure log filter DefaultFilter add events FDB.FdbNotice
configure log filter rad_logs add events nl
configure log filter rad_logs add events AAA severity debug-summary
configure log filter rad_logs add events vlan.msgs.portLinkStateUp
configure log filter rad_logs add events vlan.msgs.portLinkStateDown
configure log filter rad_logs add events vlan
configure log filter stp_logs add events STP.State.PortState match string "19"
configure log filter mac_logs add events vlan
configure log target memory-buffer filter rad_logs severity Debug-Data
configure log target console filter DefaultFilter severity Debug-Data

#
# Module epm configuration.
#

#
# Module erps configuration.
#

#
# Module esrp configuration.
#

#
# Module ethoam configuration.
#

#
# Module etmon configuration.
#

#
# Module exsshd configuration.
#
enable ssh2
configure ssh2 dh-group minimum 1

#
# Module hal configuration.
#
configure iproute sharing max-gateways 4

#
# Module idMgr configuration.
#

#
# Module ipSecurity configuration.
#

#
# Module ipfix configuration.
#

#
# Module lldp configuration.
#
configure lldp management-address vlan in primary-ip
configure lldp port 1 advertise port-description
configure lldp port 1 advertise system-capabilities
configure lldp port 1 advertise management-address
configure lldp port 2 advertise port-description
configure lldp port 2 advertise system-capabilities
configure lldp port 2 advertise management-address
configure lldp port 3 advertise port-description
configure lldp port 3 advertise system-capabilities
configure lldp port 3 advertise management-address
configure lldp port 4 advertise port-description
configure lldp port 4 advertise system-capabilities
configure lldp port 4 advertise management-address
configure lldp port 5 advertise port-description
configure lldp port 5 advertise system-capabilities
configure lldp port 5 advertise management-address
configure lldp port 6 advertise port-description
configure lldp port 6 advertise system-capabilities
configure lldp port 6 advertise management-address
configure lldp port 7 advertise port-description
configure lldp port 7 advertise system-capabilities
configure lldp port 7 advertise management-address
configure lldp port 8 advertise port-description
configure lldp port 8 advertise system-capabilities
configure lldp port 8 advertise management-address
configure lldp port 9 advertise port-description
configure lldp port 9 advertise system-capabilities
configure lldp port 9 advertise management-address
configure lldp port 10 advertise port-description
configure lldp port 10 advertise system-capabilities
configure lldp port 10 advertise management-address
configure lldp port 11 advertise port-description
configure lldp port 11 advertise system-capabilities
configure lldp port 11 advertise management-address
configure lldp port 12 advertise port-description
configure lldp port 12 advertise system-capabilities
configure lldp port 12 advertise management-address
configure lldp port 13 advertise port-description
configure lldp port 13 advertise system-capabilities
configure lldp port 13 advertise management-address
configure lldp port 14 advertise port-description
configure lldp port 14 advertise system-capabilities
configure lldp port 14 advertise management-address
configure lldp port 15 advertise port-description
configure lldp port 15 advertise system-capabilities
configure lldp port 15 advertise management-address
configure lldp port 16 advertise port-description
configure lldp port 16 advertise system-capabilities
configure lldp port 16 advertise management-address
configure lldp port 17 advertise port-description
configure lldp port 17 advertise system-capabilities
configure lldp port 17 advertise management-address
configure lldp port 18 advertise port-description
configure lldp port 18 advertise system-capabilities

Hello Tomasz,

I started reading the documentation you recommended but I can't get the components quite together.

I configured a policy (just for testing purposes).

vi ip.int_incoming.in.pol
entry one {
    if match all {
        destination-address 9.9.9.9/32 ;
    } then {
        count one ;
        permit ;
    }
}
entry two {
    if match all {
        destination-address 8.8.8.8/32 ;
    } then {
        count two ;
        deny ;
    }
}

I did an "enable policy" and checked if I lost any netlogin config due to this (still not quite sure). The name of the ACL in the RADIUS server is just int_incoming, the rest is somehow added on the way.

I also activated the

configure policy maptable response policy

but still get no result.

ax3-a-4-6.69 # sh netlogin session
Multiple authentication session entries
---------------------------------------

Port : 3 Station address : 00:1c:23:1d:7c:cd
Auth status : success Last attempt : Mon Jan 21 17:56:48 2019
Agent type : mac Session applied : true
Server type : radius VLAN-Tunnel-Attr : 20
Policy index : 0 Policy name : No Policy applied
Session timeout : 0 Session duration : 0:09:38
Idle timeout : 300 Idle time : 0:00:00
Auth-Override : disabled Termination time : Not Terminated

What am I missing?

Thank you and best regards
Paul
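As an added troubleshooting aid (not code from the thread, from Extreme, or from FreeRADIUS), the Python below parses the 'Authorization values' debug line and the 'show netlogin session' output quoted above and cross-checks the Filter-Id the switch received against the policy profile names configured on the switch, so the "Filter-Id received but No Policy applied" situation in this thread is reported with a reason. It assumes both formats are exactly as quoted, that the trailing period after the Filter-Id in the log is punctuation rather than part of the name, and that the set of policy profile names is supplied by the operator (the script has no access to the switch).

```python
import re

# Constructed sample: the 'Authorization values' line EXOS logs when the
# RADIUS Access-Accept arrives (same shape as the line in the thread).
AUTHZ_LINE = (
    "10/01/2018 11:46:07.84 Authorization values for 00-1C-23-1D-7C-CD"
    "(userName '001C231D7CCD') on port 18: Access level - unknown, "
    "Tunnel Type - VLAN, Tunnel Medium - 802, Tunnel Group Id - 20, "
    "Session Timeout - 4294967295, Idle Timeout - 4294967295, "
    "FilterId: ip.int_incoming.in. VrName: NsiType: 0 NsiId: 0"
)
# Constructed sample of the relevant 'show netlogin session' lines.
SESSION_OUTPUT = """\
Port : 18 Station address : 00:1c:23:1d:7c:cd
Server type : radius VLAN-Tunnel-Attr : 20
Policy index : 0 Policy name : No Policy applied
"""
# The optional '.' before ' VrName:' is assumed to be log punctuation.
AUTHZ_RE = re.compile(
    r"Authorization values for (?P<mac>[0-9A-Fa-f-]{17})\(userName '(?P<user>[^']*)'\)"
    r" on port (?P<port>\d+):.*?Tunnel Group Id - (?P<vlan>[^,]+),"
    r".*?FilterId: (?P<filter>\S*?)\.? VrName:"
)
SESSION_FIELDS = (("port", r"^Port : (\d+)"),
                  ("vlan", r"VLAN-Tunnel-Attr : (\S+)"),
                  ("policy", r"Policy name : (.+)$"))

def parse_authorization(line):
    """Return mac/user/port/vlan/filter from an 'Authorization values' line, or None."""
    m = AUTHZ_RE.search(line)
    return m.groupdict() if m else None

def parse_session(text):
    """Pull port, VLAN-Tunnel-Attr and policy name out of 'show netlogin session'."""
    fields = {}
    for line in text.splitlines():
        for key, pat in SESSION_FIELDS:
            m = re.search(pat, line)
            if m:
                fields[key] = m.group(1).strip()
    return fields

def check_policy_binding(authz, session, switch_policies):
    """Explain a 'No Policy applied' session; switch_policies = profile names on the switch."""
    findings = []
    if authz["filter"] not in switch_policies:
        findings.append("Filter-Id %r matches no policy profile" % authz["filter"])
    if session.get("policy", "").startswith("No Policy"):
        findings.append("Access-Accept carried a Filter-Id but no policy was applied")
    if authz["vlan"] != session.get("vlan"):
        findings.append("VLAN mismatch: RADIUS %s vs session %s" % (authz["vlan"], session.get("vlan")))
    return findings
```

Feed it the real log buffer and session output, plus the profile names from your own policy configuration, and an empty findings list means the Filter-Id, VLAN and policy all line up.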