
RADIUS ACL attributes

Ruslan
New Contributor II
How to assign ACL with RADIUS Access-Accept response? What attributes to use?
I'm interested in at least two options:
  1. Sending ACL id (ACL is configured on switch)
  2. Sending ACL rules (ACL is presented in RADIUS attribute)

Ryan_Yacobucci
Extreme Employee
Hello,

Prior to OnePolicy, as described above by Tomasz, we used to use UPM profiles to dynamically create ACLs on ports based on the Accept response and other AVPs from NAC.

Here's a document that explains the configuration-heavy solution:

https://extremenetworks2com-my.sharepoint.com/:w:/g/personal/ryacobuc_extremenetworks_com/EYWDogjm5W...

This is not nearly as easy to set up as OnePolicy and is a legacy solution that we had prior to the development of OnePolicy, but it does explain how you can have an ACL configured/applied to a port based on RADIUS attributes.

I would highly recommend using OnePolicy, as it is essentially a per-port ACL (its rule engine is precedence-based instead of top-down) that is invoked on a port based on the RADIUS TLV response. Is there a limitation of OnePolicy that you're trying to work around by looking for another solution?

Thanks
-Ryan

Ruslan
New Contributor II
Thank you very much! But I still hope to find such an approach.

Tomasz
Valued Contributor II
I might be wrong, but I haven't seen such an approach being used so far.
From the EXOS User Guide I see a VSA 'Extreme-Shell-Command'. I don't know what this is; it is not described. From the table on page 939 of the EXOS User Guide it seems it is only a valid RADIUS response attribute for PAP requests, and somewhere on this forum I found a note that this shall be gone obsolete for a while (it's in the latest docs though).
Theoretically this could be introduced, but you should talk with Extreme about a feature request, as right now from the development roadmap or marketing strategy it might be a minor case compared to enhancing the Policy capabilities perhaps. With XMC you don't have to configure the switch via CLI, BTW.

HTH,
Tomasz

Ruslan
New Contributor II
Thanks a lot for the extended answer! Maybe there is also an approach to send ACL rules via the RADIUS response? I mean without any configuration on the switch side.