Help Center
How can we help? 👋
All Categories
Port-Based NAC
Network Access Rules in Detail

Network Access Rules in Detail

An extension to Network Access Rules

Last updated on February 21, 2023

Global definition of the Rule Engine

package com.xeox.pnac;
import com.xeox.dto.pnac.Device;
import com.xeox.dto.pnac.Authentication;
import com.xeox.dto.pnac.Attribute;
import java.util.Date;

dialect 'mvel'

Rule

rule 'hs2n Villach devices with vlan'
salience 99
lock-on-active
activation-group 'execute-xor'
    when
        $device : Device(mac != null, vlan != 0, site=='Villach')
    then
        insertLogical(new Authentication($device.mac, $device.mac));
        insertLogical(new Attribute('Tunnel-Type', '13'));
        insertLogical(new Attribute('Tunnel-Medium-Type', '6'));
        insertLogical(new Attribute('Tunnel-Private-Group-Id', String.valueOf($device.vlan)));
end
 

Each Rule has following Components:

  • rule 'rulename': Just Enter a unique Name for better debugging purpose
  • salience 99: Priority of the rule. A higher value means higher priority.
  • lock-on-active and activation-group: Only one Rule should fire. Stop after the first rule (=rule with the highest salience).
  • when: Condition when the rule should fire
    • mac != null: Device has an MAC Address
    • vlan != null: VLAN has been set;
    • site == 'Villach': Only devices from Villach.
  • then: What RADIUS Attributes should be sent to the Switch
    • new Authentication: authenticate with MAC address, both for username and password.
    • new Attribute: Send additional Attributes to the switch. See below.

For the condition you can use following fields:

  • mac
  • vlan
  • site
  • hardwareClass
  • and many more fields from the CMDB.

Attributes

Depending on your Switch hardware, you can send a List of Attributes. e.g.

  • Send VLAN Information: RFC3580
    • Tunnel-Type: Always 13 (=VLAN)
    • Tunnel-Medium-Type: Always 6 (=802)
    • Tunnel-Private-Group-Id: send here the VLAN ID
  • Send Cisco proprietor Attributes: Cisco Documentation
    • Cisco-AVPair for Voice VLAN: e.g. device-traffic-class=voice
    • Cisco-AVPair for Port ACL: e.g. ip:inacl#100=permit ip any xxx.xxx.xxx.xxx 255.255.255.0

Best Practice

  • Always order the rules with salience
  • Don't forget the activation-group. Multiple rules firing for the same hardware could be error-prone.
  • Depending on your site, decide if you really need VLAN assignment or the basic authentication would be sufficient.
Did this answer your question?
😞
😐
🤩