PacketFence - BTS - PacketFence
View Issue Details

ID | Project | Category | View Status | Date Submitted | Last Update
0001669 | PacketFence | hardware modules | public | 2013-07-11 07:44 | 2015-02-18 10:59

Reporter | roadracer96
Assigned To |
Priority | normal
Severity | tweak
Reproducibility | always
Status | closed
Resolution | open
Platform |
OS |
OS Version |
Product Version | 4.0.1
Target Version |
Fixed in Version |
fixed in git revision |
fixed in mtn revision |
Summary | 0001669: Extreme Role/ACL VSA
Description | Extreme.pm can be modified to allow UPM scripts (Extreme terminology) to be triggered via RADIUS attributes. The scripts can be passed variables in the RADIUS reply as well. The changes shown under Additional Information have been tested to work properly on Extreme XOS 15.2.27, but should work on anything at least 12.5 and up.
Steps To Reproduce | |||||
Additional Information | Extreme.pm just needs the following added:

```perl
# Tell PacketFence this switch module can enforce roles (not just VLANs).
sub supportsRoleBasedEnforcement { return $TRUE; }

# Name of the RADIUS reply attribute that carries the role (the UPM profile name).
sub returnRoleAttribute {
    my ($this) = @_;
    return 'Extreme-Security-Profile';
}
```

I'm not sure if it is required, but I added the following to the RADIUS dictionary:

```
VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1
```

Example script to enable advertising LLDP information if a VoIP phone is connected. The role for the voice network would be "voip":

```
create upm profile voip
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
    configure cli mode non-persistent
    enable lldp port $EVENT.USER_PORT
    configure lldp port $EVENT.USER_PORT advertise system-capabilities
    configure lldp port $EVENT.USER_PORT advertise vendor-specific dot3 mac-phy
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med power-via-mdi
    configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name vlan $EVENT.USER_VLAN
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice vlan $EVENT.USER_VLAN dscp 46
    configure lldp port $EVENT.USER_PORT advertise vendor-specific med policy application voice-signaling vlan $EVENT.USER_VLAN dscp 44
endif
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
    unconfigure lldp port $EVENT.USER_PORT
    configure lldp port $EVENT.USER_PORT no-advertise system-description
endif
```

All variables are automatically filled by the switch based on the device being authenticated. This particular instance would only advertise the voice VLAN if an authenticated VoIP phone was attached.

This script will block all network access to a printer except from a couple of subnets:

```
create upm profile printer
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
    configure cli mode non-persistent
    create access-list $(EVENT.USER_MAC)_10_35 "ethernet-source-address $(EVENT.USER_MAC); destination-address 10.35.0.0/16" "permit"
    create access-list $(EVENT.USER_MAC)_10_128 "ethernet-source-address $(EVENT.USER_MAC); destination-address 10.128.0.0/16" "permit"
    create access-list $(EVENT.USER_MAC)_10_8_1 "ethernet-source-address $(EVENT.USER_MAC); destination-address 10.8.1.0/24" "permit"
    create access-list $(EVENT.USER_MAC)_dhcp "protocol udp; destination-port 67" "permit"
    create access-list $(EVENT.USER_MAC)_ntp "protocol udp; destination-port 123" "permit"
    create access-list $(EVENT.USER_MAC)_icmp "protocol icmp;" "permit"
    create access-list $(EVENT.USER_MAC)_deny "ethernet-source-address $(EVENT.USER_MAC); destination-address 0.0.0.0/0" "deny"
    configure access-list add $(EVENT.USER_MAC)_10_35 first port $EVENT.USER_PORT
    configure access-list add $(EVENT.USER_MAC)_10_128 first port $EVENT.USER_PORT
    configure access-list add $(EVENT.USER_MAC)_10_8_1 first port $EVENT.USER_PORT
    configure access-list add $(EVENT.USER_MAC)_dhcp first port $EVENT.USER_PORT
    configure access-list add $(EVENT.USER_MAC)_ntp first port $EVENT.USER_PORT
    configure access-list add $(EVENT.USER_MAC)_icmp first port $EVENT.USER_PORT
    configure access-list add $(EVENT.USER_MAC)_deny last port $EVENT.USER_PORT
endif
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
    configure access-list delete $(EVENT.USER_MAC)_10_35 ports $EVENT.USER_PORT
    configure access-list delete $(EVENT.USER_MAC)_10_128 ports $EVENT.USER_PORT
    configure access-list delete $(EVENT.USER_MAC)_10_8_1 ports $EVENT.USER_PORT
    configure access-list delete $(EVENT.USER_MAC)_dhcp ports $EVENT.USER_PORT
    configure access-list delete $(EVENT.USER_MAC)_ntp ports $EVENT.USER_PORT
    configure access-list delete $(EVENT.USER_MAC)_icmp ports $EVENT.USER_PORT
    configure access-list delete $(EVENT.USER_MAC)_deny ports $EVENT.USER_PORT
    delete access-list $(EVENT.USER_MAC)_10_35
    delete access-list $(EVENT.USER_MAC)_10_128
    delete access-list $(EVENT.USER_MAC)_10_8_1
    delete access-list $(EVENT.USER_MAC)_dhcp
    delete access-list $(EVENT.USER_MAC)_ntp
    delete access-list $(EVENT.USER_MAC)_icmp
    delete access-list $(EVENT.USER_MAC)_deny
endif
```
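What the dictionary entry for Extreme-Security-Profile means on the wire, as an added example that is neither PacketFence nor FreeRADIUS code: a parser for the dictionary lines quoted in the report and an RFC 2865 Vendor-Specific attribute encoder/decoder for the role name the modified Extreme.pm returns. The dictionary excerpt and the role value "voip" are constructed from the report; `parse_dictionary`, `encode_vsa` and `decode_vsa` are names chosen here.

```python
import struct

# Constructed excerpt of the dictionary lines quoted in the report above.
DICTIONARY = """
VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
VALUE Extreme-CLI-Authorization Enabled 1
"""


def parse_dictionary(text):
    """Return ({vendor: id}, {attr: (vendor_id, vendor_type, data_type)})."""
    vendors, attrs = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "VENDOR":
            vendors[parts[1]] = int(parts[2])
        elif parts[0] == "ATTRIBUTE" and len(parts) == 5:
            attrs[parts[1]] = (vendors[parts[4]], int(parts[2]), parts[3])
    return vendors, attrs


def encode_vsa(attrs, name, value):
    """RFC 2865 s5.26: 26 | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | data."""
    vendor_id, vendor_type, data_type = attrs[name]
    data = value.encode() if data_type == "string" else struct.pack("!I", value)
    vendor_length = 2 + len(data)
    if vendor_length > 249:  # outer Length is one byte, so the whole VSA must fit in 255
        raise ValueError("VSA payload too long for a single attribute")
    payload = struct.pack("!IBB", vendor_id, vendor_type, vendor_length) + data
    return bytes([26, 2 + len(payload)]) + payload


def decode_vsa(attrs, blob):
    """Inverse of encode_vsa: returns (attribute name, value), rejecting malformed input."""
    if len(blob) < 8 or blob[0] != 26 or blob[1] != len(blob):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, vendor_type, vendor_length = struct.unpack("!IBB", blob[2:8])
    if vendor_length != len(blob) - 6:
        raise ValueError("inner Vendor-Length disagrees with outer Length")
    data = blob[8:]
    for name, (vid, vtype, data_type) in attrs.items():
        if (vid, vtype) == (vendor_id, vendor_type):
            return name, (data.decode() if data_type == "string"
                          else struct.unpack("!I", data)[0])
    raise KeyError(f"unknown VSA vendor={vendor_id} type={vendor_type}")
```

The role name travels as plain text inside the Access-Accept, so the RADIUS shared secret and the switch's own handling of the profile name are the only things protecting which UPM script runs.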
Tags | No tags attached.
Relationships |
Attached Files |

Issue History
Date Modified | Username | Field | Change
2013-07-11 07:44 | roadracer96 | New Issue |
2015-02-18 10:59 | lmunro | Note Added: 0003946 |
2015-02-18 10:59 | lmunro | Status | new => closed

Notes