Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Downloadable ACL for Pica8 switch

  • 1.  Downloadable ACL for Pica8 switch

    Posted Jul 02, 2019 04:13 AM

    Hi, 

    I am trying to configure a Pica8 switch to work with CPPM's latest version for the downloadable ACL feature, so that when an unknown client is detected in the incoming RADIUS request packet from the switch, CPPM will send an access accept, then the switch requests the detailed ACL filter rule in another RADIUS request packet. So far it's all good but I can't make the ACL rules enforcement profile work.

    My specific question is what to choose from the drop-down list when configuring such a profile. The predefined list contains Cisco Downloadable ACL Enforcement and it works fine, but we would like to have a template for Pica8 here or at least a generic one. Please advise on how to proceed, thanks.



  • 2.  RE: Downloadable ACL for Pica8 switch

    EMPLOYEE
    Posted Jul 02, 2019 08:27 AM
    If you’re just using a standard NAS Filter Rule, you’d use “RADIUS Based Enforcement”


  • 3.  RE: Downloadable ACL for Pica8 switch

    Posted Jul 02, 2019 10:36 PM

    Thank you for the response. No, we're not using the NAS Filter Rule attribute. What we're trying is to use a vendor-specific attribute to pass on the filter name, followed by the detailed filter rules. Something very similar to how Cisco does it using VSA. But one problem I see is that there is no way to add an enforcement template for Pica8; there is one for Cisco and other vendors.



  • 4.  RE: Downloadable ACL for Pica8 switch

    EMPLOYEE
    Posted Jul 03, 2019 08:24 AM
    Do you have a reference to what the switch is expecting?


  • 5.  RE: Downloadable ACL for Pica8 switch

    Posted Jul 04, 2019 04:33 AM

    Yeah, we've been able to make it work. We added two dictionary attributes for the Pica8 vendor, one for the ACL name and the other for the detailed ACL rules, and that's what the switch expects and what is sent with the access-accept. Tests show that everything works as expected.

    I noticed a couple of small issues though:

     

    WARN Core.RadiusEnfProfileHelper - getSessionTimeoutInSecs: SessionTimeout attribute missing in output

     

    It seems that I haven't set the SessionTimeout attribute on the server for this particular session and I don't know how and where to set this attribute. Maybe in the enforcement profile?

     

    And two more log entries:

     

    ERROR Core.PETaskEnforcement - classifyProfiles: Profile Id not an integer. Id=undefined

    WARN Util.DatatypeUtils - Converting string undefined to UInt32 failed

     

    Can you please point me in the right direction?

     

    Thanks again.
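
The vendor-specific attribute approach described in posts 3 and 5, as an added example that is not part of the original thread and is not Pica8 or ClearPass code: it encodes and parses RFC 2865 type-26 attributes, including the 247-byte payload limit that forces long ACL rules to be split across several attributes. The vendor ID, sub-attribute numbers and rule text are placeholders, not the real Pica8 dictionary values.

```python
import struct

VENDOR_SPECIFIC = 26         # RFC 2865 section 5.26
VENDOR_ID = 99999            # placeholder, NOT the real Pica8 enterprise number
ACL_NAME, ACL_RULE = 1, 2    # hypothetical sub-attribute numbers
MAX_VALUE = 255 - 2 - 4 - 2  # 247 payload bytes fit in one VSA

def encode_vsa(vendor_id, vtype, value):
    """Return type-26 attribute(s) carrying value, split every 247 bytes."""
    out = b""
    for i in range(0, len(value), MAX_VALUE):
        chunk = value[i:i + MAX_VALUE]
        sub = struct.pack("!BB", vtype, len(chunk) + 2) + chunk
        out += struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub
    return out

def decode_vsas(attrs):
    """Parse an attribute section; return [(vendor_id, vtype, value)]."""
    found, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            continue  # e.g. Session-Timeout; not a VSA
        if len(body) < 6:
            raise ValueError("VSA too short")
        vendor_id = struct.unpack("!I", body[:4])[0]
        sub = body[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            found.append((vendor_id, sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return found

# Constructed sample: attribute section of an Access-Accept with
# Session-Timeout (type 27) plus the two vendor attributes.
# The rule text is illustrative, not Pica8 ACL syntax.
SAMPLE = (struct.pack("!BBI", 27, 6, 3600)
          + encode_vsa(VENDOR_ID, ACL_NAME, b"guest-acl")
          + encode_vsa(VENDOR_ID, ACL_RULE, b"deny ip any 10.0.0.0/8"))

if __name__ == "__main__":
    for vendor, vtype, value in decode_vsas(SAMPLE):
        print(vendor, vtype, value.decode())
```

Running the decoder over the attribute bytes of a captured Access-Accept is a quick way to confirm that the ACL name and every rule fragment the switch should enforce were actually sent.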