Extreme Gen2 ACL Enforcement

In order to push ACL enforcement to a user during authentication the below VSA must be configured and used in ~~Clearpass~~Clearpass. You can substitute the example for any one policy name you have created to enforce that specific policy.

Radius:~~Extreme~~IETF ~~Extreme-Security-Profile~~Filter-Id = ~~Internet-Only-5M~~Data

Below is an example ~~script that can be used to provide internet only access with a limit~~ of ~~5mbps~~several ~~bandwidth~~one ~~limit.~~policy configurations. This example below was configured and pushed from Extreme XMC

~~create~~configure ~~upm~~policy captive-portal web-redirect 1 server 1 url "https://clearpass.designlogic.net:443/guest/cpguestwrd.php" enable
configure policy profile 1 name "Data" pvid-status "enable" pvid 1280 egress-vlans 100 untagged-vlans 1280
configure policy profile 2 name "Internet-~~Only-5M~~Only" pvid-status "enable" pvid 1280 untagged-vlans 1280
configure policy profile 3 name "Device-Profile" pvid-status "enable" pvid 1280 untagged-vlans 1280
configure policy profile 4 name "Guest-Portal" pvid-status "enable" pvid 1280 untagged-vlans 1280 web-redirect 1
configure policy profile 5 name "Deny" pvid-status "enable" pvid 0
configure policy profile 6 name "Voice" pvid-status "enable" pvid 1280 untagged-vlans 1280
configure policy profile 7 name "test" pvid-status "enable" pvid 20 untagged-vlans 20
configure policy rule 2 ipdestsocket 10.0.0.0 mask 8 drop
configure policy rule 2 ipdestsocket 10.21.0.10 mask 32 forward
configure policy rule 2 ipdestsocket 172.16.0.0 mask 12 drop
configure policy rule 2 ipdestsocket 192.168.0.0 mask 16 drop
configure policy rule 2 udpdestportIP 53 mask 16 forward
configure policy rule 2 udpdestportIP 67 mask 16 forward
configure policy rule 2 ether 0x0806 mask 16 forward
configure policy rule 3 udpdestportIP 53 mask 16 forward
configure policy rule 3 udpdestportIP 67 mask 16 forward
configure policy rule 3 ether 0x0806 mask 16 forward
configure policy rule 4 udpdestportIP 53 mask 16 forward
configure policy rule 4 udpdestportIP 67 mask 16 forward
configure policy rule 4 tcpdestportIP 80 mask 16 forward
configure policy rule 4 tcpdestportIP 443 mask 16 forward
configure policy rule 4 ether 0x0806 mask 16 forward
configure policy maptable response both
configure policy captive-portal listening 80
configure policy captive-portal listening 443
configure policy captive-portal listening 8080
enable ~~cli~~policy
~~scripting~~
~~set~~

~~var~~

This ~~namedPortId~~is ~~$TCL(regsub~~another ~~":"~~way ~~${EVENT.USER_PORT}~~to ~~"")~~
~~set~~push ~~var~~a ~~macv~~similar ~~$TCL(string~~configuration ~~range ${EVENT.USER_MAC} 6 end)~~
~~set var namedMACId $TCL(regsub -all ":" ${macv} "")~~
if ~~(!$match($EVENT.NAME,USER-AUTHENTICATED)~~you're ~~then~~not using XMC.

configure policy rule-model access-list
configure ~~cli~~policy ~~mode~~captive-portal ~~non-persistent~~
~~create~~web-redirect ~~meter~~1 ~~NLM-P$namedPortId~~server 1 url "https://clearpass.designlogic.net:443/guest/cpguestwrd.php" enable
configure ~~meter~~policy ~~NLM-P$namedPortId~~profile ~~committed-rate~~1 5name ~~Mbps~~"Data" pvid-status "enable" pvid 1280 egress-vlans 100 untagged-vlans 1280
configure ~~ports~~policy ~~$EVENT.USER_PORT~~profile ~~rate-limit~~2 ~~egress~~name ~~5 Mbps max-burst-size 128 Kb~~
~~create~~"Internet-Only" access-list ~~$(namedMACId)_allow~~"Internet_Only" pvid-status "~~ethernet-source-address~~enable" ~~$(EVENT.USER_MAC);~~pvid ~~destination-address~~1280 ~~0.0.0.0/0"~~untagged-vlans 1280
configure policy profile 3 name "~~permit;meter NLM-P$(namedPortId)"~~
~~create~~Device-Profile" access-list ~~$(namedMACId)_10_0~~"Device_Profile" pvid-status "~~ethernet-source-address~~enable" ~~$(EVENT.USER_MAC);~~pvid ~~destination-address~~1280 untagged-vlans 1280
configure policy profile 4 name "Guest-Portal" access-list "Guest_Portal" pvid-status "enable" pvid 1280 untagged-vlans 1280 web-redirect 1
configure policy profile 5 name "Deny" pvid-status "enable" pvid 0
configure policy profile 6 name "Voice" pvid-status "enable" pvid 1280 untagged-vlans 1280
create policy access-list Internet_Only.Allow_DNS matches udpdestportIP 53 mask 16 actions forward
create policy access-list Internet_Only.Allow_DHCP matches udpdestportIP 67 mask 16 actions forward
create policy access-list Internet_Only.Deny_Tens matches ipdestsocket 10.0.0.~~0/8"~~0 ~~"deny"~~mask 8 actions drop
create policy access-list ~~$(namedMACId)_172_16~~Internet_Only.Deny_One_Sevens ~~"ethernet-source-address~~matches ~~$(EVENT.USER_MAC); destination-address~~ipdestsocket 172.16.0.~~0/12"~~0 ~~"deny"~~mask 12 actions drop
create policy access-list ~~$(namedMACId)_192_168~~Internet_Only.Deny_One_Nines ~~"ethernet-source-address~~matches ~~$(EVENT.USER_MAC); destination-address~~ipdestsocket 192.168.0.~~0/16"~~0 ~~"deny"~~mask 16 actions drop
create policy access-list ~~$(namedMACId)_dhcp~~Device_Profile.Allow_DNS ~~"protocol~~matches ~~udp;~~udpdestportIP ~~destination-port~~53 ~~67"~~mask ~~"permit"~~16 actions forward
create policy access-list ~~$(namedMACId)_dns~~Device_Profile.Allow_DHCP ~~"protocol~~matches ~~udp;~~udpdestportIP ~~destination-port~~67 ~~53"~~mask ~~"permit"~~16 actions forward
create policy access-list ~~$(namedMACId)_ntp~~Guest_Portal.Allow_DNS ~~"protocol~~matches ~~udp;~~udpdestportIP ~~destination-port~~53 ~~123"~~mask ~~"permit"~~16 actions forward
create policy access-list ~~$(namedMACId)_deny~~Guest_Portal.Allow_DHCP ~~"ethernet-source-address~~matches ~~$(EVENT.USER_MAC);~~udpdestportIP ~~destination-address~~67 ~~0.0.0.0/0"~~mask ~~"deny"~~16 actions forward
~~configure~~create policy access-list ~~add~~Guest_Portal.Allow_HTTP ~~$(namedMACId)_allow~~matches ~~first~~tcpdestportIP ~~port~~80 ~~$EVENT.USER_PORT~~mask 16 actions forward
~~configure~~create policy access-list ~~add~~Guest_Portal.Allow_HTTPS ~~$(namedMACId)_10_0~~matches ~~first~~tcpdestportIP ~~port~~443 ~~$EVENT.USER_PORT~~mask 16 actions forward
~~configure~~create policy access-list ~~add~~Guest_Portal.Allow_ARP ~~$(namedMACId)_172_16~~matches ~~first~~ether ~~port~~0x0806 ~~$EVENT.USER_PORT~~mask 16 actions forward
configure ~~access-list~~policy ~~add~~maptable ~~$(namedMACId)_192_168~~response ~~first port $EVENT.USER_PORT~~both
configure ~~access-list~~policy ~~add~~captive-portal ~~$(namedMACId)_dhcp~~listening ~~first port $EVENT.USER_PORT~~80
configure ~~access-list~~policy ~~add~~captive-portal ~~$(namedMACId)_dns~~listening ~~first port $EVENT.USER_PORT~~443
configure ~~access-list~~policy ~~add~~captive-portal ~~$(namedMACId)_ntp~~listening ~~first~~8080
enable ~~port $EVENT.USER_PORT~~
~~configure access-list add $(namedMACId)_deny last port $EVENT.USER_PORT~~
~~endif~~
~~if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then~~
~~configure access-list delete $(namedMACId)_allow ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_10_0 ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_172_16 ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_192_168 ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_dhcp ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_dns ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_ntp ports $EVENT.USER_PORT~~
~~configure access-list delete $(namedMACId)_deny ports $EVENT.USER_PORT~~
~~delete access-list $(namedMACId)_allow~~
~~delete access-list $(namedMACId)_10_0~~
~~delete access-list $(namedMACId)_172_16~~
~~delete access-list $(namedMACId)_192_168~~
~~delete access-list $(namedMACId)_dhcp~~
~~delete access-list $(namedMACId)_dns~~
~~delete access-list $(namedMACId)_ntp~~
~~delete access-list $(namedMACId)_deny~~
~~delete meter NLM-P$namedPortId~~
~~configure ports $EVENT.USER_PORT rate-limit egress no-limit~~
~~endif~~
.

~~configure upm event user-authenticate profile "Internet-Only-5M" ports 1:1-24~~
~~configure upm event user-unauthenticated profile "Internet-Only-5M" ports 1:1-24~~policy