Network Access Rules in Detail
Global definition of the Rule Engine
rule 'hs2n Villach devices with vlan'
$device : Device(mac != null, vlan != 0, site=='Villach')
insertLogical(new Authentication($device.mac, $device.mac));
insertLogical(new Attribute('Tunnel-Type', '13'));
insertLogical(new Attribute('Tunnel-Medium-Type', '6'));
insertLogical(new Attribute('Tunnel-Private-Group-Id', String.valueOf($device.vlan)));
Each Rule has following Components:
- rule 'rulename': Just Enter a unique Name for better debugging purpose
- salience 99: Priority of the rule. A higher value means higher priority.
- lock-on-active and activation-group: Only one Rule should fire. Stop after the first rule (=rule with the highest salience).
- when: Condition when the rule should fire
- mac != null: Device has an MAC Address
- vlan != null: VLAN has been set;
- site == 'Villach': Only devices from Villach.
- then: What RADIUS Attributes should be sent to the Switch
- new Authentication: authenticate with MAC address, both for username and password.
- new Attribute: Send additional Attributes to the switch. See below.
For the condition you can use following fields:
- and many more fields from the CMDB.
Depending on your Switch hardware, you can send a List of Attributes. e.g.
- Send VLAN Information: RFC3580
- Tunnel-Type: Always 13 (=VLAN)
- Tunnel-Medium-Type: Always 6 (=802)
- Tunnel-Private-Group-Id: send here the VLAN ID
- Send Cisco proprietor Attributes: Cisco Documentation
- Cisco-AVPair for Voice VLAN: e.g. device-traffic-class=voice
- Cisco-AVPair for Port ACL: e.g.
ip:inacl#100=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
- Always order the rules with salience
- Don't forget the activation-group. Multiple rules firing for the same hardware could be error-prone.
- Depending on your site, decide if you really need VLAN assignment or the basic authentication would be sufficient.