PacketFence - BTS - PacketFence
View Issue Details
ID: 0001669
Project: PacketFence
Category: hardware modules
View Status: public
Date Submitted: 2013-07-11 07:44
Last Update: 2015-02-18 10:59
Reporter: roadracer96
Priority: normal
Severity: tweak
Reproducibility: always
Status: closed
Resolution: open
Product Version: 4.0.1
0001669: Extreme Role/ACL VSA
Extreme.pm can be modified to allow UPM scripts (Extreme terminology) passed via RADIUS attributes. The scripts can be passed variables in the RADIUS reply as well.

The changes shown in additional information have been tested to work properly on Extreme XOS 15.2.27, but should work on anything at least 12.5 and up.
Extreme.pm just needs the following added:

# Tell PacketFence this switch module can enforce roles via a RADIUS attribute.
sub supportsRoleBasedEnforcement { return $TRUE; }

# Name of the vendor-specific attribute carrying the role; on Extreme XOS the
# value names the UPM profile to run when the user authenticates.
sub returnRoleAttribute {
    my ($this) = @_;

    return 'Extreme-Security-Profile';
}

I'm not sure if it is required, but I added the following to the radius dictionary:

VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1


Example script to enable advertising lldp information if a voip phone is connected. The role for the voice network would be "voip"

create upm profile voip
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
configure cli mode non-persistent
enable lldp port $EVENT.USER_PORT
configure lldp port $EVENT.USER_PORT advertise system-capabilities
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot3 mac-phy
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $EVENT.USER_VLAN
configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $EVENT.USER_VLAN dscp 46
configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice-signaling vlan $EVENT.USER_VLAN dscp 44
endif
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
unconfigure lldp port $EVENT.USER_PORT
configure lldp port $EVENT.USER_PORT no-advertise system-description
endif

All variables are automatically filled by the switch based on the device being authenticated. This particular instance would only advertise the voice vlan if an authenticated VOIP phone was attached.

This script will block all network access to a printer except from a couple subnets.
create upm profile printer
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
configure cli mode non-persistent
create access-list $(EVENT.USER_MAC)_10_35 "ethernet-source-address $(EVENT.USER_MAC); destination-address 10.35.0.0/16" "permit"
create access-list $(EVENT.USER_MAC)_10_128 "ethernet-source-address $(EVENT.USER_MAC); destination-address 10.128.0.0/16" "permit"
create access-list $(EVENT.USER_MAC)_10_8_1 "ethernet-source-address $(EVENT.USER_MAC); destination-address 10.8.1.0/24" "permit"
create access-list $(EVENT.USER_MAC)_dhcp "protocol udp; destination-port 67" "permit"
create access-list $(EVENT.USER_MAC)_ntp "protocol udp; destination-port 123" "permit"
create access-list $(EVENT.USER_MAC)_icmp "protocol icmp;" "permit"
create access-list $(EVENT.USER_MAC)_deny "ethernet-source-address $(EVENT.USER_MAC); destination-address 0.0.0.0/0" "deny"
configure access-list add $(EVENT.USER_MAC)_10_35 first port $EVENT.USER_PORT
configure access-list add $(EVENT.USER_MAC)_10_128 first port $EVENT.USER_PORT
configure access-list add $(EVENT.USER_MAC)_10_8_1 first port $EVENT.USER_PORT
configure access-list add $(EVENT.USER_MAC)_dhcp first port $EVENT.USER_PORT
configure access-list add $(EVENT.USER_MAC)_ntp first port $EVENT.USER_PORT
configure access-list add $(EVENT.USER_MAC)_icmp first port $EVENT.USER_PORT
configure access-list add $(EVENT.USER_MAC)_deny last port $EVENT.USER_PORT
endif
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
configure access-list delete $(EVENT.USER_MAC)_10_35 ports $EVENT.USER_PORT
configure access-list delete $(EVENT.USER_MAC)_10_128 ports $EVENT.USER_PORT
configure access-list delete $(EVENT.USER_MAC)_10_8_1 ports $EVENT.USER_PORT
configure access-list delete $(EVENT.USER_MAC)_dhcp ports $EVENT.USER_PORT
configure access-list delete $(EVENT.USER_MAC)_ntp ports $EVENT.USER_PORT
configure access-list delete $(EVENT.USER_MAC)_icmp ports $EVENT.USER_PORT
configure access-list delete $(EVENT.USER_MAC)_deny ports $EVENT.USER_PORT
delete access-list $(EVENT.USER_MAC)_10_35
delete access-list $(EVENT.USER_MAC)_10_128
delete access-list $(EVENT.USER_MAC)_10_8_1
delete access-list $(EVENT.USER_MAC)_dhcp
delete access-list $(EVENT.USER_MAC)_ntp
delete access-list $(EVENT.USER_MAC)_icmp
delete access-list $(EVENT.USER_MAC)_deny
endif

No tags attached.
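The dictionary lines and the Extreme-Security-Profile attribute above only work if the RADIUS server encodes them as RFC 2865 Vendor-Specific attributes (type 26, vendor ID 1916, then the Extreme sub-attribute). The following added example (not PacketFence or Extreme code) parses the dictionary fragment posted in this issue, encodes and decodes the resulting VSAs, and builds the role reply implied by returnRoleAttribute while refusing role names that do not correspond to a UPM profile known to exist on the switch; the function names, the allow-list and the embedded dictionary copy are assumptions for illustration.

```python
"""Encode/decode Extreme RADIUS VSAs (RFC 2865 section 5.26) from a
FreeRADIUS-style dictionary fragment.  Added example, not PacketFence code."""
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific

# Constructed copy of the dictionary lines posted in the issue.
DICTIONARY = """
VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1
"""


def parse_dictionary(text):
    """Return (attrs, values): attrs[name] = (vendor_id, type, kind),
    values[name][symbol] = integer."""
    vendors, attrs, values = {}, {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] == "ATTRIBUTE":
            name, num, kind, vendor = parts[1], int(parts[2]), parts[3], parts[4]
            attrs[name] = (vendors[vendor], num, kind)  # VENDOR line must come first
        elif parts[0] == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return attrs, values


def encode_vsa(attrs, values, name, value):
    """On-the-wire bytes for one VSA: type 26, length, vendor id,
    vendor type, vendor length, payload."""
    vendor_id, vendor_type, kind = attrs[name]
    if kind == "integer":
        if isinstance(value, str):          # symbolic VALUE name, e.g. "Enabled"
            value = values[name][value]
        payload = struct.pack("!I", value)
    elif kind == "string":
        payload = value.encode("utf-8")
        if not 1 <= len(payload) <= 247:    # 255 max minus 8 bytes of headers
            raise ValueError("string payload length out of range")
    else:
        raise ValueError("unsupported attribute kind: " + kind)
    inner = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attrs, values, data):
    """Decode one Vendor-Specific attribute into (name, value), validating
    both length fields before trusting the payload."""
    if len(data) < 9:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, alen = struct.unpack("!BB", data[:2])
    if atype != VENDOR_SPECIFIC or alen != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    vtype, vlen = struct.unpack("!BB", data[6:8])
    if vlen != alen - 6:
        raise ValueError("vendor-length does not match attribute length")
    payload = data[8:alen]
    for name, (vid, num, kind) in attrs.items():
        if vid == vendor_id and num == vtype:
            if kind == "integer":
                n = struct.unpack("!I", payload)[0]
                for symbol, v in values.get(name, {}).items():
                    if v == n:
                        return name, symbol
                return name, n
            return name, payload.decode("utf-8")
    raise KeyError("unknown VSA vendor %d type %d" % (vendor_id, vtype))


# Assumed allow-list: UPM profiles actually created on the switch.
KNOWN_UPM_PROFILES = {"voip", "printer"}


def role_reply(attrs, values, role, known_profiles=KNOWN_UPM_PROFILES):
    """Build the Access-Accept VSA PacketFence would send for a role.
    A role with no matching UPM profile is rejected instead of being sent,
    so a typo in the role name cannot leave the port with no policy."""
    if role not in known_profiles:
        raise ValueError("role %r has no UPM profile on the switch" % role)
    return [encode_vsa(attrs, values, "Extreme-Security-Profile", role)]


if __name__ == "__main__":
    a, v = parse_dictionary(DICTIONARY)
    for raw in role_reply(a, v, "voip"):
        print(raw.hex(), decode_vsa(a, v, raw))
```

Running the block prints the hex of the Extreme-Security-Profile attribute for the "voip" role followed by its decoded form; the same encode/decode pair can be pointed at a packet capture of the switch's Access-Accept to confirm the server is actually emitting vendor 1916 / type 212 rather than a differently numbered attribute.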
Issue History
2013-07-11 07:44  roadracer96  New Issue
2015-02-18 10:59  lmunro  Note Added: 0003946
2015-02-18 10:59  lmunro  Status  new => closed

Notes
(0003946) lmunro, 2015-02-18 10:59
Obsolete bug tracker entries.
PF 4 introduced changes that either make these irrelevant or impossible to reproduce.

New issues are moving to github issues.