Download ACLs from RADIUS servers

  • Question
  • Updated 4 years ago
  • Answered
Does Aerohive support downloading of ACLs from RADIUS servers? I'm thinking specifically of Cisco ISE.

gaasdal


Posted 4 years ago


Nick Lowe, Official Rep

No, that is non-standard Cisco functionality that, in my opinion, would not have a place within HiveOS.

To achieve what you want, you have to define the ACLs within HiveManager and reference them in user profiles, then use a Filter-Id AVP in the RADIUS Access-Accept to match a user profile.

Crowdie, Champ

The functionality you are describing is called, off the top of my head, dynamic ACLs and is only supported by specific Cisco switches. If you are just wanting to use the dynamic ACLs and not use VLAN assignment via ISE, you could purchase a Cisco switch (or switches) that support ISE (not all Cisco switches do) and place them so all wireless traffic has to traverse them. The ISE server will "push" the dynamic ACLs to the Cisco switch(es) as required and they will act as the enforcement point.

If the customer has not purchased the ISE server yet and requires that type of functionality, they would, IMHO, be much better off looking at Aruba's ClearPass server as it is designed to work with non-Aruba equipment including Aerohive.

As Aerohive access points have integrated layer seven stateful firewalls with deep packet inspection, "handing off" enforcement to LAN devices, such as switches or firewalls, is not required.

Nick Lowe, Official Rep

Cisco's ISE as a RADIUS server and IOS as a RADIUS client support the Filter-Id method of ACL assignment; it just means you cannot define the ACLs within ISE and must do so on the device itself or within its management system.

As HiveOS offers more than just ACLs with its user profiles and they are centrally managed anyway from within HiveManager, it makes little to no sense to use, or want to use, downloadable ACLs via ISE.

Crowdie, Champ

I have a couple of workmates who are ISE certified (LAN and wireless) and I have discussed with them several times how to get ISE working with non-Cisco equipment and the answer is generally "don't bother" as ISE is so "Cisco-centric" you lose huge amounts of its functionality when deployed with third party products.

Nick Lowe, Official Rep

Sure, I definitely agree with you that it would not be ideal - I just wanted to point out that it should be possible to get it working if needs must. Just a quick thought: I don't think applying ACLs to the switch port would work unless you expect the same ACLs to be applied to all wireless connections on the AP, and it would have to do so based on a MAC auth (MAB) of the AP's MAC address and authenticate to an open state for other MAC addresses to pass.

gaasdal

Hi, and thanks for answering.
We already use the user profile assignment method (Tunnel Type/Tunnel Medium Type/Tunnel Private Group ID), which is a genius way to use multiple VLANs across multiple sites while still using just one SSID.
Thank you for that. Cisco has nothing like it as far as I know.

So what you are saying is this:
If I make an ACL in HiveManager called GUEST_ACCESS, I can just make a RADIUS Access-Accept (in ISE) with Radius:Filter-ID=GUEST_ACCESS, and it will be applied to all nodes getting that Access-Accept?

If so, I would say that mission is accomplished.

Nick Lowe, Official Rep

If you are assigning profiles already via the Tunnel-Private-Group-Id attribute with the Tunnel-Type attribute set to GRE, you will not need to use the Filter-Id attribute and can associate the firewall rules you want to the profile. (This is the initial way that Aerohive supported setting the profile for a session via RADIUS and I consider it the legacy way.)

I always prefer to use the Tunnel-Private-Group-Id attribute to set the actual VLAN id for a session, with the Tunnel-Type attribute set instead to VLAN.

To set the profile then, you use the Filter-Id attribute. This is entirely RADIUS standards based and vendor agnostic, and it decouples the profile from the VLAN applied to the session, giving you more configuration flexibility.

You reference the IP firewall rules (akin to ACLs) from a user profile. That profile will have a profile attribute number.

The Filter-Id attribute string will match a named user profile group, that group will then map to the chosen profile attribute number.

It is all documented in the image above.

gaasdal

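To make the attribute layout concrete, here is an added example (not code from the thread, Aerohive or Cisco) that encodes the Access-Accept attributes described above per RFC 2865 and RFC 2868 and decodes them back into the VLAN and profile name an AP would act on. The VLAN id 30 is a constructed sample value, the profile name GUEST_ACCESS comes from the question, and the mapping of a profile name to a HiveManager profile attribute number is not modelled.

```python
import struct
# RADIUS attribute type codes and values (RFC 2865 and RFC 2868)
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_GRE, TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 10, 13, 6
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type"}

def avp(attr_type, value):
    """Encode one attribute: Type, Length (header included, max 255), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tagged(attr_type, tag, value):  # RFC 2868: tag octet, then 3-octet int or string
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return avp(attr_type, bytes([tag]) + body)

def build_access_accept_attrs(vlan_id, profile_name, tag=1):
    """The layout from the thread: VLAN via Tunnel-*, user profile via Filter-Id."""
    return (tagged(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged(TUNNEL_MEDIUM_TYPE, tag, MEDIUM_IEEE_802)
            + tagged(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id))
            + avp(FILTER_ID, profile_name.encode()))

def parse_attrs(data):  # walk the attribute list, decode the four attributes of interest
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = data[i], data[i + 1]
        v = data[i + 2:i + length]
        if t == FILTER_ID:
            out["Filter-Id"] = v.decode()
        elif t in NAMES:                       # tagged integer: skip the tag octet
            out[NAMES[t]] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:     # leading octet <= 0x1F is a tag
            out["Tunnel-Private-Group-Id"] = (v[1:] if v[0] <= 0x1F else v).decode()
        i += length
    return out

def session_policy(data):  # derive session VLAN and profile name as the thread describes
    p = parse_attrs(data)
    group, vlan, profile = p.get("Tunnel-Private-Group-Id"), None, None
    if p.get("Tunnel-Type") == TUNNEL_TYPE_VLAN and p.get("Tunnel-Medium-Type") == MEDIUM_IEEE_802:
        vlan = int(group) if group and group.isdigit() else None
    elif p.get("Tunnel-Type") == TUNNEL_TYPE_GRE:
        profile = group                 # legacy HiveOS way: group id names the profile
    if "Filter-Id" in p:
        profile = p["Filter-Id"]        # standards-based and decoupled from the VLAN
    return {"vlan": vlan, "profile": profile}
```

A malformed Length octet (shorter than the 2-octet header or running past the packet) is rejected rather than silently skipped, which is the check a RADIUS client should make before trusting the attribute list.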
I will try this out, and let you know how it goes.
Is there a way to get a bigger version of the picture? Blowing it up just makes it blurry.