How can we help? 👋

Network Access Rules in Detail

An extension to Network Access Rules

Global definition of the Rule Engine

package com.xeox.pnac;
import com.xeox.dto.pnac.Device;
import com.xeox.dto.pnac.Authentication;
import com.xeox.dto.pnac.Attribute;
import java.util.Date;

dialect 'mvel'


rule 'hs2n Villach devices with vlan'
salience 99
activation-group 'execute-xor'
        $device : Device(mac != null, vlan != 0, site=='Villach')
        insertLogical(new Authentication($device.mac, $device.mac));
        insertLogical(new Attribute('Tunnel-Type', '13'));
        insertLogical(new Attribute('Tunnel-Medium-Type', '6'));
        insertLogical(new Attribute('Tunnel-Private-Group-Id', String.valueOf($device.vlan)));

Each Rule has following Components:

  • rule 'rulename': Just Enter a unique Name for better debugging purpose
  • salience 99: Priority of the rule. A higher value means higher priority.
  • lock-on-active and activation-group: Only one Rule should fire. Stop after the first rule (=rule with the highest salience).
  • when: Condition when the rule should fire
    • mac != null: Device has an MAC Address
    • vlan != null: VLAN has been set;
    • site == 'Villach': Only devices from Villach.
  • then: What RADIUS Attributes should be sent to the Switch
    • new Authentication: authenticate with MAC address, both for username and password.
    • new Attribute: Send additional Attributes to the switch. See below.

For the condition you can use following fields:

  • mac
  • vlan
  • site
  • hardwareClass
  • and many more fields from the CMDB.


Depending on your Switch hardware, you can send a List of Attributes. e.g.

  • Send VLAN Information: RFC3580
    • Tunnel-Type: Always 13 (=VLAN)
    • Tunnel-Medium-Type: Always 6 (=802)
    • Tunnel-Private-Group-Id: send here the VLAN ID
  • Send Cisco proprietor Attributes: Cisco Documentation
    • Cisco-AVPair for Voice VLAN: e.g. device-traffic-class=voice
    • Cisco-AVPair for Port ACL: e.g. ip:inacl#100=permit ip any

Best Practice

  • Always order the rules with salience
  • Don't forget the activation-group. Multiple rules firing for the same hardware could be error-prone.
  • Depending on your site, decide if you really need VLAN assignment or the basic authentication would be sufficient.
Did this answer your question?