Global definition of the Rule Engine
package com.xeox.pnac; import com.xeox.dto.pnac.Device; import com.xeox.dto.pnac.Authentication; import com.xeox.dto.pnac.Attribute; import java.util.Date; dialect 'mvel'
rule 'hs2n Villach devices with vlan' salience 99 lock-on-active activation-group 'execute-xor' when $device : Device(mac != null, vlan != 0, site=='Villach') then insertLogical(new Authentication($device.mac, $device.mac)); insertLogical(new Attribute('Tunnel-Type', '13')); insertLogical(new Attribute('Tunnel-Medium-Type', '6')); insertLogical(new Attribute('Tunnel-Private-Group-Id', String.valueOf($device.vlan))); end
Each Rule has following Components:
- rule 'rulename': Just Enter a unique Name for better debugging purpose
- salience 99: Priority of the rule. A higher value means higher priority.
- lock-on-active and activation-group: Only one Rule should fire. Stop after the first rule (=rule with the highest salience).
- when: Condition when the rule should fire
- mac != null: Device has an MAC Address
- vlan != null: VLAN has been set;
- site == 'Villach': Only devices from Villach.
- then: What RADIUS Attributes should be sent to the Switch
- new Authentication: authenticate with MAC address, both for username and password.
- new Attribute: Send additional Attributes to the switch. See below.
For the condition you can use following fields:
- and many more fields from the CMDB.
Depending on your Switch hardware, you can send a List of Attributes. e.g.
- Send VLAN Information: RFC3580
- Tunnel-Type: Always 13 (=VLAN)
- Tunnel-Medium-Type: Always 6 (=802)
- Tunnel-Private-Group-Id: send here the VLAN ID
- Send Cisco proprietor Attributes: Cisco Documentation
- Cisco-AVPair for Voice VLAN: e.g. device-traffic-class=voice
- Cisco-AVPair for Port ACL: e.g.
ip:inacl#100=permit ip any xxx.xxx.xxx.xxx 255.255.255.0
- Always order the rules with salience
- Don't forget the activation-group. Multiple rules firing for the same hardware could be error-prone.
- Depending on your site, decide if you really need VLAN assignment or the basic authentication would be sufficient.