Contributor I

Downloadable ACL for Pica8 switch

Hi, 

I am trying to configure a Pica8 switch to work with CPPM's latest version for the downloadable ACL feature, so that when an unknown client is detected in the incoming RADIUS request packet from the switch, CPPM will send an access accept, then the switch requests the detailed ACL filter rules in another RADIUS request packet. So far it's all good, but I can't make the ACL rules enforcement profile work.

My specific question is what to choose from the drop-down list when configuring such a profile. The predefined list contains Cisco Downloadable ACL Enforcement and it works fine, but we would like to have a template for Pica8 here or at least a generic one. Please advise on how to proceed, thanks.

Guru Elite

Re: Downloadable ACL for Pica8 switch

If you’re just using a standard NAS Filter Rule, you’d use “RADIUS Based Enforcement”

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Downloadable ACL for Pica8 switch

Thank you for the response. No, we're not using the NAS Filter Rule attribute. What we're trying is to use a vendor-specific attribute to pass on the filter name, followed by the detailed filter rules. Something very similar to how Cisco does it using a VSA. But one problem I see is that there is no way to add an enforcement template for Pica8; there is one for Cisco and other vendors.

Guru Elite

Re: Downloadable ACL for Pica8 switch

Do you have a reference to what the switch is expecting?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor I

Re: Downloadable ACL for Pica8 switch

Yeah, we've been able to make it work. We added two dictionary attributes for the Pica8 vendor, one for the ACL name and the other for the detailed ACL rules, and that's what the switch expects and what is sent with the access-accept. Tests show that everything works as expected.

I noticed a couple of small issues though:

WARN Core.RadiusEnfProfileHelper - getSessionTimeoutInSecs: SessionTimeout attribute missing in output

It seems that I haven't set the SessionTimeout attribute on the server for this particular session, and I don't know how and where to set this attribute. Maybe in the enforcement profile?

And two more log entries:

ERROR Core.PETaskEnforcement - classifyProfiles: Profile Id not an integer. Id=undefined

WARN Util.DatatypeUtils - Converting string undefined to UInt32 failed

Can you please point me in the right direction?

Thanks again.
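Added example, not part of the thread and not Pica8 or ClearPass code: how an ACL name and its rules travel as RADIUS Vendor-Specific attributes (type 26, RFC 2865) in an Access-Accept, with a strict parser for checking what a captured attribute list actually carries. The vendor ID, the two sub-attribute numbers, and the ACL name and rule strings are placeholders constructed for illustration; the real values come from the vendor dictionary.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that wraps VSAs
SESSION_TIMEOUT = 27        # RFC 2865 standard attribute, 32-bit seconds
VENDOR_ID = 99999           # PLACEHOLDER enterprise number, not the real Pica8 one
ACL_NAME, ACL_RULE = 1, 2   # HYPOTHETICAL sub-attribute numbers (assumption)
MAX_VALUE = 255 - 6 - 2     # outer length is one byte, so a value is at most 247 bytes

def encode_vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """One VSA: Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    if not 0 < len(value) <= MAX_VALUE:
        raise ValueError("value must be 1..247 bytes; long ACLs need one VSA per rule")
    sub = struct.pack("!BB", vtype, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def build_acl_attributes(name: str, rules: list) -> bytes:
    """ACL name first, then one VSA per rule, in order."""
    out = encode_vsa(VENDOR_ID, ACL_NAME, name.encode())
    for rule in rules:
        out += encode_vsa(VENDOR_ID, ACL_RULE, rule.encode())
    return out

def parse_vsas(attrs: bytes) -> list:
    """Return (vendor_id, vendor_type, value) for every VSA; reject bad lengths."""
    found, pos = [], 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        body, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC:
            continue                      # standard attributes are skipped here
        if len(body) < 4:
            raise ValueError("VSA too short for Vendor-Id")
        (vendor_id,) = struct.unpack("!I", body[:4])
        sub = body[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            found.append((vendor_id, sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return found

def sample() -> list:
    """Constructed attribute list: a Session-Timeout plus the ACL VSAs."""
    timeout = struct.pack("!BBI", SESSION_TIMEOUT, 6, 3600)
    acl = build_acl_attributes("guest-acl", ["permit tcp any any eq 443", "deny ip any any"])
    return parse_vsas(timeout + acl)
```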
