ExtremeCloud IQ- Site Engine & Extreme Management Center


Execute a script when a rule is used

Gaspard W, 06-01-2016 13:33

  • 1.  Execute a script when a rule is used

    Posted 06-01-2016 13:06
    Hello,

    I'm working with NAC, and so with netlogin.

    We need to have a switch plugged into another one without having to disable netlogin, but it looks like it's impossible.

    We tried numerous setups, and the only one that works is to link the second switch with a trunk port.
    As every port on the network has netlogin enabled by default, I would like to know if there is a way to disable it and make the edge port a trunk port with all the VLANs on it.

    I was wondering, is it possible to call a script and execute it when a specific rule/policy is used?
    This script would basically disable netlogin on that port and put all the VLANs on it, basically changing it from an end user type port to a trunk type port.
    I know we can do that by hand, through OneView, and it works fine, but it's not very efficient in our setup.

    Thanks
    Gaspard



  • 2.  RE: Execute a script when a rule is used

    Posted 06-01-2016 13:33
    Hi Gaspard,

    Are all the switches that you are using EXOS switches?

    /André


  • 3.  RE: Execute a script when a rule is used

    Posted 06-02-2016 01:40
    If LLDP runs on the links between switches, you could use a device-detect and device-undetect profile/script where you can do whatever you want.

    - device-detect profile is used to configure a port for the device that has just connected.

    # configure upm event device-detect profile [u] ports

    - device-undetect profile is used to return the port to a default configuration after a device disconnects.

    # configure upm event device-undetect profile [u] ports

    Device triggers respond to the discovery protocols IEEE 802.1ab LLDP. A device-detect trigger occurs when an LLDP packet reaches a port that is assigned to a device-detect profile. A device-undetect trigger occurs when periodically transmitted LLDP packets are not received anymore. LLDP age-out occurs when a device has disconnected or an age-out time has been reached. LLDP must be enabled on ports that are configured for device-detect or device-undetect profiles.



  • 4.  RE: Execute a script when a rule is used

    Posted 06-02-2016 03:03
    Depending on the use case you could use a combination of EDP and LLDP: LLDP, as Kevin said, to trigger a UPM event, which removes .1x from the port and searches the downlink VLANs via EDP.
    Can you be a bit more precise about the use case?



  • 5.  RE: Execute a script when a rule is used

    Posted 06-02-2016 05:17
    Hello everyone,

    So my use case currently is:

    2 switches, I'll call them 1 and 2.
    Switch 1 has netlogin enabled on every port (not the trunk port).

    We want to be able to connect switch 2 (netlogin enabled on every port also, not the trunk port) to switch 1, so it would be on a netlogin-enabled port (MAC-based VLAN).

    The problem is that netlogin allows the switch 2 MAC address, but it doesn't let it netlog the devices connected to it (every device connected to switch 2); that's normal because it's MAC-based.

    The thing now is that we want to be able to have a script run, maybe, that would disable netlogin on switch 1 on that specific port and add all the VLANs that are needed to make the port a trunk port.
    This script could also be reverted when the switch is unplugged from the port on switch 1.


  • 6.  RE: Execute a script when a rule is used

    Posted 06-02-2016 05:34
    This definitely looks like an LLDP thing. Have a look at the generic phone UPM in the User Guide.
    This should be a good start to begin with.


  • 7.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    I'll need to do some testing, and I'll script it up, but with EDP enabled by default, frames are generated by a connecting EXOS switch. These cause the connected EXOS switch to be MAC/RADIUS authenticated on the dot1x enabled port to which it is connected. By default, it fails:

    MAC                IP address   Authenticated   Type     ReAuth-Timer   User
    00:e0:2b:00:00:01  0.0.0.0      No              802.1x   0

    However, I should be able to create a MAC filter to pass only the OUI:00:00:00 as the credentials to the RADIUS server and then use VSAs to pass a UPM script name. The UPM script would then disable Dot1x and enable LACP and trunk the VLANs on that port. (If the port happens to be a member and not a master, the VLAN trunking commands would harmlessly fail).

    Is this an approach you would like to explore?


  • 8.  RE: Execute a script when a rule is used

    Posted 06-01-2016 19:03
    Another way to skin a cat,
    Within Policy Rules


    There are actions for either System Log or Trap when the rule is hit. You can read about policy rule hit accounting for a bit more details.

    Anyways, from that event, you can use alarm manager to launch a script from the netsight server which could be ssh/telnet to your device and make the config changes.


  • 9.  RE: Execute a script when a rule is used

    Posted 06-06-2016 07:10
    Hello everyone,

    I'm testing how to use UPM, and what are the problems that are related to it.

    Is there a way to have the UPM script execute when netlogin is enabled on that port? It seems like netlogin prevents the script from being executed, but when it's disabled, the UPM triggers correctly.

    Thanks


  • 10.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    If you are using LLDP as the trigger, and you turn on netlogin on a port, if I remember correctly, LLDP is disabled (as is EDP) at least for the processing of PDUs ingress. So, under that circumstance, your trigger for UPM won't work. EDP packets do originate from a port with netlogin enabled.


  • 11.  RE: Execute a script when a rule is used

    Posted 06-01-2016 13:33
    Yes, all of them


  • 12.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    I have to check tomorrow with the team, I'll keep you updated 🙂


  • 13.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    Ok, I worked on UPM today, and I think that making the netlogin disabled on that port then adding all the VLANs is pretty useful.

    I have a question: on OneView, you can use scripts with $port which refers to the port, but how do you do that on an UPM script ?

    $port won't be understood by the OS, and I don't know how I could get the port number to send the CLI command with the port number. Do you have an idea how I could do it ?

    Now, your EDP technique, I see how you want to do it, and it looks pretty nice!
    It would surely be useful to "cancel" the script when it's not a switch connected but an end user device. Making an end user port become a trunk port would certainly be a problem, haha.


  • 14.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    So, the UPM process has environmental variables depending on the event. One of them is the port number. Here is a snippet of configuration from my testing:

    create vlan user
    create vlan nl

    create upm profile in
    disable netlogin port $(EVENT.USER_PORT) mac dot1x
    .
    create upm profile out
    .
    configure upm event user-authenticate profile in ports 1-7
    configure upm event user-unauthenticated profile out ports 1-7

    configure netlogin vlan nl
    enable netlogin dot1x mac
    configure netlogin mac authentication database-order radius
    configure netlogin authentication protocol-order mac dot1x web-based
    configure netlogin add mac-list 00:e0:2b:00:00:00 24 password pass
    enable netlogin ports 1-7 dot1x
    enable netlogin ports 1-7 mac

    #From the RADIUS users file:

    00E02B000000 Cleartext-Password := "pass"
    Extreme-Security-Profile = "in QOS=QP1;LOGOFF-PROFILE=out;",
    Extreme-Netlogin-Extended-Vlan = "Uuser"

    The above configuration disables netlogin on a port connected to an EXOS switch. You'll need to change the OUI in the username and mac-list filter, as I was using EXOS VMs.

    The "in" profile could easily be expanded to wait for a bit, then do a "show edp port $(EVENT.USER_PORT) detail" and parse the output in CLI.OUT for the VLAN information, then create the VLANs and tag them to the port. Or, if you just want to go through and take all local VLANs with a tag and add $(EVENT.USER_PORT) to them tagged, you could do that.



  • 15.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    Hello,

    Very good explanation by the way :)

    I was trying to use $port instead of $(EVENT.USER_PORT), which is why it couldn't work. Do you have a list of all the EVENT. tags ? That could be useful later also.

    For the show edp, that's true, and I could then execute the script if it matches the chosen OUI.

    About the timer, I currently have one, but do you have to have it? Or would it execute the script as soon as the event happens?

    I was trying to just print a message in the logs to see how it works, and the message wasn't appearing each time I plugged in the device. It was appearing in about 1 of 3 trials, on different ports that have the UPM event activated on them. Is that normal? Like a timeout thing, or was something not set up right?

    thanks


  • 16.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    Unfortunately all the environment variables (EVENT.x) are not documented in a way that is easy to use. I find the best way to find out which ones I have available for a particular event is to create an empty UPM profile, trigger the event and then look at the UPM history for that ex id (show upm hist ex <id>).

    I'm not sure I understand the question on the timer. I was referring to the after TCL function, which I would use to wait for EDP to discover the neighboring EXOS switch (it can take up to a minute by default, I think). The after function could be issued like this: set var wartime $TCL(after 60000) -- introduces a 1 minute pause.

    I suspect that there may be a timing issue regarding it launching only a third of the time, but I can't be sure.


  • 17.  RE: Execute a script when a rule is used

    Posted 06-01-2016 16:57
    Hello,

    I'll try the empty profile. I also found most of the variables in the EXOS Concepts Guide for Release 15.3, page 337 😃, and I have to experiment with them.

    For the timer, I was asking about its function. I'm not sure what it is used for: is it for executing the script X seconds after the event trigger happens, or is it something else?

    For the 1/3, I found out that the LLDP packets were kind of glitched on the laptop, so I'm using switches with LLDP activated, and it works 100% of the time :)

    thanks


  • 18.  RE: Execute a script when a rule is used

    Posted 06-01-2016 19:03
    Hello, I wasn't able to find that menu :/
    Can you tell me where it is ? 🙂


  • 19.  RE: Execute a script when a rule is used

    Posted 06-01-2016 19:03
    It's a feature for any service rule if you're using Policy Manager and NAC in conjunction.

    Policy Manager Thick Client


    Netsight Oneview[6.3] / Extreme Management [Screenshot from 7.0]



  • 20.  RE: Execute a script when a rule is used

    Posted 06-01-2016 19:03
    Our switches aren't compatible with the Policy Manager 😕


  • 21.  RE: Execute a script when a rule is used

    Posted 06-01-2016 19:03
    Hopefully some day, you'll have switches that are. 🙂 Policy Manager really shines managing hundreds of switches, wireless controllers, integrating with Extreme Control.

    The other employees have given some really great info about local scripts on the box to tackle this problem another way. Best of luck with solving your problem!


  • 22.  RE: Execute a script when a rule is used

    Posted 06-01-2016 19:03
    The problem is that it isn't compatible with x250 with exos 15.3 or x400 with exos 15.6.

    And yes, very useful :)

    thanks



  • 23.  RE: Execute a script when a rule is used

    Posted 06-02-2016 05:34
    I will look at it. The setup involves having a phone vlan, and two or three other vlans.



  • 24.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    I think it would work if the netlogin authentication failure VLAN or guest VLAN is enabled/configured. Once authentication fails, the port will be moved to the guest VLAN and an LLDP or EDP neighbor would show up.


  • 25.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    That makes sense. However, I would consider using authentication/de-authentication as triggers and then set up MAC authentication in parallel with dot1x authentication whereby a MAC-list filter is used to authenticate Extreme switches (when receiving their first EDP packet). (Per my example above.) The complexity comes in determining if the port connecting to an Extreme switch should be a member or a master port of a LAG.


  • 26.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    I'm going to test with authentication instead of device detect, I'll keep you updated.


  • 27.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Worked on it, doesn't work unfortunately.
    I guess I'll just disable netlogin on that port and then plug them in, would be easier probably.


  • 28.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    I did a quick test with the following configurations.

    SW1 and SW2 are connected through netlogin-enabled ports. When an authentication failure makes the ports move to the auth failure VLAN and an LLDP neighbor shows up, the switches run the UPM script associated with 'LLDP device detect' to disable netlogin on the interswitch ports.

    SW1 (port 23) ---- (port 47) SW2

    configure netlogin vlan vnetlogin
    enable netlogin dot1x mac
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    enable netlogin ports 23 dot1x
    enable netlogin ports 23 mac
    enable netlogin authentication failure vlan ports 23
    configure netlogin authentication failure vlan vguest ports 23
    # enable netlogin authentication service-unavailable vlan ports 23
    # configure netlogin authentication service-unavailable vlan vguest ports 23

    create upm profile dn
    disable netlogin port $(EVENT.USER_PORT) dot1x mac
    .
    configure upm event device-detect profile dn ports 23


  • 29.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Hello,

    So this idea looks pretty nice, or I could use a rule in the manager to put everyone in one VLAN if not authenticated. The problem is that this would not differentiate one VLAN from another, and so it would trigger every time something is plugged into the slot.

    A possible issue solver would be to test the device VLAN, or only trigger when the user is in a specific VLAN?


  • 30.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Would you care to elaborate? I may miss something since I haven't followed the whole thread here..


  • 31.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Ok, so my case is that I want to plug a switch (with netlogin enabled on every non-trunk port) into another switch that also has netlogin on every non-trunk port. The thing is that I don't want to have to make the netlogin port become a trunk port manually, because the user who plugs in the switch shouldn't have to contact me to do it.
    Btw: the setup is switch A trunk port connects to switch B netlogin port.

    I've been experimenting with UPM scripts, detection methods and stuff like that, not working well for now because the script doesn't execute when I want it, and how I want it.

    UPM device detect works with LLDP, which works, but netlogin blocks it, so it's not possible to use it directly.
    The thing would be to put every switch into a VLAN maybe (MAC-based rule on NAC Manager), which would then let LLDP work and so trigger the script.
    The problem is that you can't execute the script for a specific VLAN, and so it would trigger every time a user with LLDP enabled plugs in.
    The issue there is that if a user actually has LLDP enabled, it's going to put him into a VLAN that he can't work from, and so create a network outage for him; not good.


  • 32.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Thanks for the elaboration.

    The above configuration is all you need to make a 'device detect' UPM script work. You don't need to make any changes in a RADIUS server or a NAC manager. And a port doesn't need to be a member of any VLAN configured on the switch either.
    When an authentication fails, the port will automatically be put into the configured authentication failure VLAN, and once that happens, an LLDP neighbor will appear on the port, resulting in the associated UPM profile being executed.

    In addition, the UPM profile is a script, which means you can make it work the way you want. You can add more lines to a UPM script to check whether the neighboring device is a switch or not. The following example checks whether the MAC address of the LLDP neighbor has the Extreme OUI (00:04:96). Other than this, you can also check other information like hostname, IP address, or software name and version...

    # create upm profile "dn"
    set var m $TCL(lsearch -regex $(EVENT.DEVICE_MAC) "^00:04:96")
    if ($m == 0) then
    disable netlogin port $(EVENT.USER_PORT) dot1x mac
    configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
    configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
    .
    endif


  • 33.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Hi

    I've tried your script and I have a little issue: the if condition does not work.
    It works with any MAC address; do you know the syntax for how to do it?
    I tried adding an else statement, and it runs both the If and the Else each time.

    thanks


  • 34.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    I will check in the lab and get back to you.


  • 35.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    My apologies. I found that the previous UPM profile had an error with the brackets surrounding 'EVENT.DEVICE_MAC'. It should be surrounded by curly brackets.

    set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
    if ($m == 0) then
    disable netlogin port $(EVENT.USER_PORT) dot1x mac
    configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
    configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
    endif

    If you want to put some lines in the 'else' clause, you can use as follows.

    set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
    if ($m == 0) then
    disable netlogin port $(EVENT.USER_PORT) dot1x mac
    configure vlan "vlan_name_1" add ports $(EVENT.USER_PORT) tagged
    configure vlan "vlan_name_2" add ports $(EVENT.USER_PORT) tagged
    else
    command_1
    command_2
    endif

    In case you want to associate a upm profile with the 'device-undetect' event (when an lldp neighbor disappears from a port), you can use the following command.

    # configure upm event device-undetect profile

    For your reference, below are the log messages generated when the upm profile gets triggered in my lab.

    06/15/2016 22:37:27.65 [i] Network Login user cleared via CLI, Mac 00:E0:2B:00:00:01 port 23 VLAN(s) "vguest"
    06/15/2016 22:37:27.65 [i] Network Login user cleared via CLI, Mac 00:04:96:37:54:2B port 23 VLAN(s) "vguest"
    06/15/2016 22:37:27.64 [i] (upm) UPM: disable netlogin port 23 dot1x mac
    06/15/2016 22:37:27.63 [i] (upm) UPM: if (0 == 0) then
    06/15/2016 22:37:27.61 [i] (upm) UPM: set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
    06/15/2016 22:37:27.60 [i] (upm) UPM: set var EVENT.PROFILE dn
    06/15/2016 22:37:27.60 [i] (upm) UPM: set var EVENT.NAME DEVICE-DETECT
    06/15/2016 22:37:27.59 [i] (upm) UPM: set var EVENT.DEVICE ROUTER
    06/15/2016 22:37:27.57 [i] (upm) UPM: set var EVENT.TIME 1466030247
    06/15/2016 22:37:27.57 [i] (upm) UPM: set var EVENT.USER_PORT 23
    06/15/2016 22:37:27.56 [i] (upm) UPM: set var EVENT.DEVICE_POWER 0
    06/15/2016 22:37:27.55 [i] (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
    06/15/2016 22:37:27.54 [i] (upm) UPM: set var EVENT.DEVICE_MODEL " "
    06/15/2016 22:37:27.53 [i] (upm) UPM: set var EVENT.DEVICE_MANUFACTURER_NAME " "
    06/15/2016 22:37:27.52 [i] (upm) UPM: set var EVENT.DEVICE_IP 0.0.0.0
    06/15/2016 22:37:27.51 [i] (upm) UPM: configure cli mode non-persistent
    06/15/2016 22:37:27.50 [i] (upm) UPM: enable cli scripting
    06/15/2016 22:37:27.50 [i] (upm) UPM: enable cli scripting output
    06/15/2016 22:37:27.31


  • 36.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Thank you for that explanation !

    I'm going to check it out and do some testing.

    I'll get back to you after


  • 37.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    Hello,

    I did some testing, and it seems that it doesn't see the MAC with that OUI.
    It does the else statement, but not the if.

    Does the "^" make the OUI not work? It seems like it doesn't match the switch's MAC, which has this OUI.

    Thanks


  • 38.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    It might work better to use the regexp function. e.g.:

    x205.35 # show var mac
    00:01:02:0A:0B:0C
    x205.36 # set var t $TCL(regexp ^00:01:02 $mac)
    x205.37 # show var t
    1
    x205.38 # set var t $TCL(regexp ^00:01:03 $mac)
    x205.39 # show var t
    0

    So the lines could be:

    set var m $TCL(regexp ^00:04:96 ${EVENT.DEVICE_MAC} )
    if ($m) then

    ...


  • 39.  RE: Execute a script when a rule is used

    Posted 06-06-2016 13:45
    "^" means the beginning of the string. It is used in the regular expression to match the OUI of the MAC address, which is the first 24-bit number that uniquely identifies a vendor or manufacturer. Extreme switches have a MAC address that begins with "00:04:96".

    # set var EVENT.DEVICE_MAC 00:04:96:37:54:2B
    # set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
    # sh var m
    0
    # set var EVENT.DEVICE_MAC 00:04:00:37:54:2B
    # set var m $TCL(lsearch -regex ${EVENT.DEVICE_MAC} "^00:04:96")
    # sh var m
    -1

    In addition, I agree with Matt that the "regexp" TCL function is more appropriate here, since "EVENT.DEVICE_MAC" is not a list.
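Editor's note: the following is an added example and not code from the thread or from Extreme. It takes the UPM execution log format shown in reply 35, parses the "set var EVENT.*" lines into a dictionary, and then applies the OUI decision from replies 32, 38 and 39 off-box, so the two return conventions can be compared side by side: lsearch -regex yields an index (0 on a hit, -1 otherwise, hence the "if ($m == 0)" test), while regexp yields 1 or 0. The log lines are constructed for the example; the only real value in them is the Extreme OUI 00:04:96 that the thread identifies. The tcl_lsearch_regex and tcl_regexp functions are approximations of the Tcl builtins, not Tcl itself, and profile_commands is a model of the "dn" profile's branches, not an EXOS API.

```python
import re

# Constructed UPM log excerpt in the shape EXOS writes it (modelled on the
# lab output quoted in reply 35; timestamps and values are sample data).
SAMPLE_LOG = """\
06/15/2016 22:37:27.60 [i] (upm) UPM: set var EVENT.NAME DEVICE-DETECT
06/15/2016 22:37:27.59 [i] (upm) UPM: set var EVENT.DEVICE ROUTER
06/15/2016 22:37:27.57 [i] (upm) UPM: set var EVENT.USER_PORT 23
06/15/2016 22:37:27.55 [i] (upm) UPM: set var EVENT.DEVICE_MAC 00:04:96:37:54:2b
06/15/2016 22:37:27.54 [i] (upm) UPM: set var EVENT.DEVICE_MODEL " "
06/15/2016 22:37:27.52 [i] (upm) UPM: set var EVENT.DEVICE_IP 0.0.0.0
06/15/2016 22:37:27.50 [i] (upm) UPM: enable cli scripting
"""

# Only the "set var EVENT.<NAME> <value>" lines carry event context.
SET_VAR_RE = re.compile(r"UPM: set var (EVENT\.[A-Z_]+) (.*)$")

# OUI the thread identifies for Extreme switches (assumption: still what
# the connecting switches advertise in your network).
EXTREME_OUI = "00:04:96"


def parse_upm_log(text):
    """Return {EVENT.NAME: value} for every 'set var EVENT.*' line.

    Values quoted as " " in the log (empty model / manufacturer) are
    unquoted and stripped so callers see an empty string, not a quote.
    """
    event = {}
    for line in text.splitlines():
        m = SET_VAR_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].strip()
        event[name] = value
    return event


def tcl_lsearch_regex(items, pattern):
    """Model of Tcl 'lsearch -regex': index of the first match, else -1.

    A bare MAC string is a one-element list, so a hit is index 0, which is
    why the first profile in the thread had to test 'if ($m == 0)'.
    """
    for i, item in enumerate(items):
        if re.search(pattern, item):
            return i
    return -1


def tcl_regexp(pattern, string):
    """Model of Tcl 'regexp': 1 on match, 0 otherwise, so 'if ($m)' works."""
    return 1 if re.search(pattern, string) else 0


def is_extreme_oui(mac):
    """Anchored OUI test; case-insensitive because EVENT.DEVICE_MAC is
    logged in lower case while the netlogin log prints upper case."""
    return re.match("^" + re.escape(EXTREME_OUI), mac, re.IGNORECASE) is not None


def profile_commands(event, trunk_vlans):
    """Commands the 'dn' profile would run for this event.

    Returns [] for a non-matching neighbour (the 'else' branch), which is
    the branch that keeps an ordinary end-user port from becoming a trunk.
    """
    port = event["EVENT.USER_PORT"]
    if not is_extreme_oui(event.get("EVENT.DEVICE_MAC", "")):
        return []
    cmds = [f"disable netlogin port {port} dot1x mac"]
    cmds += [f'configure vlan "{v}" add ports {port} tagged' for v in trunk_vlans]
    return cmds


if __name__ == "__main__":
    ev = parse_upm_log(SAMPLE_LOG)
    for cmd in profile_commands(ev, ["vlan_name_1", "vlan_name_2"]):
        print(cmd)
```

Feed it a real "show upm history exec-id" dump (or the log lines the switch wrote) to see which EVENT variables a given trigger actually provides before writing the profile; the anchored, case-insensitive OUI match is the part worth keeping, since an unanchored pattern would also match an OUI that merely appears later in the address.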