Network Access Rules in Detail

Global definition of the Rule Engine

package com.xeox.pnac;
import com.xeox.dto.pnac.Device;
import com.xeox.dto.pnac.Authentication;
import com.xeox.dto.pnac.Attribute;
import java.util.Date;

dialect 'mvel'

Rule

rule 'hs2n Villach devices with vlan'
salience 99
lock-on-active
activation-group 'execute-xor'
    when
        $device : Device(mac != null, vlan != 0, site=='Villach')
    then
        insertLogical(new Authentication($device.mac, $device.mac));
        insertLogical(new Attribute('Tunnel-Type', '13'));
        insertLogical(new Attribute('Tunnel-Medium-Type', '6'));
        insertLogical(new Attribute('Tunnel-Private-Group-Id', String.valueOf($device.vlan)));
end

Each rule has the following components:

  • rule 'rulename': a unique name for the rule; it makes debugging easier.
  • salience 99: priority of the rule. A higher value means higher priority.
  • lock-on-active and activation-group: only one rule should fire. Evaluation stops after the first rule that fires (the matching rule with the highest salience).
  • when: the condition under which the rule fires
    • mac != null: the device has a MAC address
    • vlan != 0: a VLAN has been set
    • site == 'Villach': only devices from Villach.
  • then: which RADIUS attributes should be sent to the switch
    • new Authentication: authenticate with the MAC address, used both as username and as password.
    • new Attribute: send additional attributes to the switch. See below.

For the condition you can use the following fields:

  • mac
  • vlan
  • site
  • hardwareClass
  • and many more fields from the CMDB.

Attributes

Depending on your switch hardware, you can send a list of attributes, e.g.:

  • Send VLAN information: RFC 3580
    • Tunnel-Type: always 13 (=VLAN)
    • Tunnel-Medium-Type: always 6 (=802)
    • Tunnel-Private-Group-Id: the VLAN ID to assign
  • Send Cisco proprietary attributes: Cisco documentation
    • Cisco-AVPair for voice VLAN: e.g. device-traffic-class=voice
    • Cisco-AVPair for port ACL: e.g. ip:inacl#100=permit ip any xxx.xxx.xxx.xxx 255.255.255.0

Best Practice

  1. Always order the rules with salience.
  2. Don't forget the activation-group. Multiple rules firing for the same device is error-prone.
  3. Depending on the size of your deployment, decide whether you really need VLAN assignment or whether basic authentication is sufficient.
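As an added example (not taken from the XEOX documentation), the rule set below shows how salience and activation-group work together: a voice-VLAN rule, the page's own VLAN rule, and a lower-priority fallback that only authenticates, all in one activation-group so that exactly one of them fires per device. The hardwareClass value 'phone' and the choice to fall back to authentication without VLAN attributes are assumptions for this example.

```drl
package com.xeox.pnac;
import com.xeox.dto.pnac.Device;
import com.xeox.dto.pnac.Authentication;
import com.xeox.dto.pnac.Attribute;

dialect 'mvel'

// Highest priority: IP phones in Villach get the voice VLAN via a Cisco-AVPair.
// Assumption: hardwareClass is filled from the CMDB and phones carry the value 'phone'.
rule 'Villach phones - voice vlan'
salience 100
lock-on-active
activation-group 'execute-xor'
    when
        $device : Device(mac != null, site == 'Villach', hardwareClass == 'phone')
    then
        insertLogical(new Authentication($device.mac, $device.mac));
        insertLogical(new Attribute('Cisco-AVPair', 'device-traffic-class=voice'));
end

// The rule from the page: Villach devices with a VLAN in the CMDB get RFC 3580
// tunnel attributes. A phone with a VLAN also matches here, but the rule above
// has the higher salience and the activation-group cancels this activation.
rule 'hs2n Villach devices with vlan'
salience 99
lock-on-active
activation-group 'execute-xor'
    when
        $device : Device(mac != null, vlan != 0, site == 'Villach')
    then
        insertLogical(new Authentication($device.mac, $device.mac));
        insertLogical(new Attribute('Tunnel-Type', '13'));
        insertLogical(new Attribute('Tunnel-Medium-Type', '6'));
        insertLogical(new Attribute('Tunnel-Private-Group-Id', String.valueOf($device.vlan)));
end

// Fallback (assumed policy): Villach devices without a VLAN are still authenticated
// by MAC, but no tunnel attributes are sent, so the switch keeps its port default.
rule 'Villach devices without vlan - authenticate only'
salience 10
lock-on-active
activation-group 'execute-xor'
    when
        $device : Device(mac != null, vlan == 0, site == 'Villach')
    then
        insertLogical(new Authentication($device.mac, $device.mac));
end
```

A Villach device that matches none of the three conditions (for example one with no MAC address) inserts no Authentication at all, which is the behaviour you want to check first when a port unexpectedly stays unauthorized.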