KB41034 - How to configure Pulse Policy Secure (PPS) to apply ACLs or firewall filters to the switches

Information

 
Last Modified Date: 11/15/2017 3:14 PM
Synopsis
This article describes how Pulse Policy Secure (PPS) can push ACLs/firewall filters to Cisco, Juniper and HP switches over RADIUS.
Problem or Goal
How to configure Pulse Policy Secure (PPS) to apply ACLs (Cisco/HP terminology) or firewall filters (Juniper terminology) to a switch port after a successful 802.1X authentication. In Cisco terminology this is also known as a downloadable access list (dACL).

A dACL is a Cisco access list that the switch downloads from the RADIUS server and assigns to the authenticated switch port.
Juniper switches can also apply access lists to a switch port; in Juniper terms these are called 'firewall filters'.
Cause
Solution

PPS can apply the ACL/firewall filter to the switch port in one of two ways:
  1. By using the standard "Filter-Id" RADIUS attribute, which is common to Cisco, Juniper and HP switches. With "Filter-Id" the ACL/firewall filter must already be configured on the switch; PPS only sends the name of that ACL/firewall filter in the attribute, and the switch applies the filter with the matching name to the port.
  2. By using vendor-specific attributes (VSAs). With VSAs no ACL/firewall filter has to be configured on the switch. Instead, the access control entries are defined on the PPS device in the Radius Attributes policy and are sent to the switch in the RADIUS Access-Accept after successful user authentication.

Using the "Filter-Id" standard RADIUS attribute

The ACLs need to be pre-configured on the switch. PPS sends the ACL name to the switch in the Filter-Id attribute, and the switch applies the ACL of that name to the interface on which 802.1X authentication is enabled. The name sent by PPS must match the name configured on the switch exactly.

To configure PPS to return the "Filter-Id" RADIUS attribute:
  1. Log in to PPS as an administrator.
  2. Navigate to Endpoint Policy > Network Access > Radius Attributes policy.
  3. Select the policy you want to modify for the "Filter-Id" attribute.
  4. Under the RADIUS Attributes tab, select the Return Attribute check box. Select Filter-Id as the return attribute and enter as its value the name of the ACL/firewall filter configured on the switch.
  5. An example "Filter-Id" RADIUS attribute policy is shown in the screenshots below, where Allow-DNS-Access is the ACL/firewall filter name configured on the switch.
For Juniper switches:

            [Screenshot: Filter-Id return attribute with value Allow-DNS-Access]
For Cisco and HP switches, append ".in" to the ACL name when defining the value (Allow-DNS-Access.in in this example); the suffix tells the switch to apply the ACL to inbound traffic on the port:

            [Screenshot: Filter-Id return attribute with value Allow-DNS-Access.in]
Radius Attribute policy output example:
[Screenshot: resulting Radius Attributes policy with the Filter-Id return attribute]

Using vendor-specific attributes (VSAs)

When VSAs are used, there is no need to configure ACLs/firewall filters on the switches. The access control entries (ACEs) are defined and managed on PPS and are pushed to the switch after successful user authentication.

To configure PPS to return vendor-specific RADIUS attributes:
  1. Log in to PPS as an administrator.
  2. Navigate to Endpoint Policy > Network Access > Radius Attributes policy.
  3. Select the policy you want to modify for the vendor-specific attribute.
  4. Under the RADIUS Attributes tab, select the Return Attribute check box. Select the vendor-specific attribute that matches the switch vendor as the return attribute, and define the ACL/firewall filter entries in the Value field using that vendor's rule syntax.
  5. Examples of vendor-specific RADIUS attribute policies are shown in the screenshots below:
  • Juniper-Switching-Filter RADIUS attribute policy example for Juniper switches:
            [Screenshot: Juniper-Switching-Filter return attribute]

            Reference link:

            https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/802-1x-filtering-with-radius-attributes-ex-series.html
  • Cisco-AVPAIR RADIUS attribute policy example for Cisco switches:
  • HP-nas-filter-rule RADIUS attribute policy example for HP switches:
            [Screenshot: HP-nas-filter-rule return attribute]

            Reference link:

            http://h22208.www2.hpe.com/eginfolib/networking/docs/switches/RA/15-18/5998-8151_ra_2620_asg/content/ch07s04.html

Radius Attribute policy output example:

            [Screenshot: resulting Radius Attributes policy with the vendor-specific return attribute]
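The following Python script is an added example, not code from the article or from Pulse Secure. It builds the two kinds of return attribute described in both sections above in RFC 2865 wire format, Filter-Id naming a pre-configured switch ACL (with the ".in" suffix for Cisco and HP) and vendor-specific attributes carrying the ACEs themselves, and decodes them again so the result can be compared line by line with the attributes seen in a packet capture of the PPS Access-Accept. The vendor IDs, VSA type numbers and the per-vendor rule strings are assumptions taken from commonly published RADIUS dictionaries and vendor examples, and the rules are constructed sample input; confirm all of them against your switch documentation before relying on them.

```python
import struct

# Standard RADIUS attribute types (RFC 2865).
FILTER_ID = 11
VENDOR_SPECIFIC = 26

# Vendor IDs and VSA type numbers: ASSUMED from commonly published RADIUS
# dictionaries, not taken from the article; confirm against the switch docs.
VENDORS = {
    "cisco":   (9, 1),      # Cisco-AVPair
    "juniper": (2636, 48),  # Juniper-Switching-Filter
    "hp":      (11, 61),    # HP-Nas-Filter-Rule
}

# Constructed example rules in each vendor's syntax (assumed illustrative
# syntax; the article shows its own values only as screenshots).
RULES = {
    "cisco":   ["ip:inacl#1=permit udp any any eq 53", "ip:inacl#2=deny ip any any"],
    "juniper": ["Match Destination-port 53 Protocol 17 Action allow"],
    "hp":      ["permit in udp from any to any 53", "deny in ip from any to any"],
}


def encode_attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value must be at most 253 bytes")
    return bytes([atype, 2 + len(value)]) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    if len(value) > 247:  # 253 minus the 6-byte vendor header
        raise ValueError("VSA string must be at most 247 bytes")
    inner = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value
    return encode_attr(VENDOR_SPECIFIC, inner)


def filter_id_value(acl_name, vendor):
    """Method 1: Filter-Id names an ACL already configured on the switch.
    Per the article, Cisco and HP need a ".in" suffix; Juniper takes the bare name."""
    if vendor in ("cisco", "hp"):
        return acl_name + ".in"
    if vendor == "juniper":
        return acl_name
    raise ValueError(f"unknown vendor {vendor!r}")


def filter_id_attribute(acl_name, vendor):
    return encode_attr(FILTER_ID, filter_id_value(acl_name, vendor).encode())


def vsa_attributes(vendor, rules):
    """Method 2: the ACEs themselves travel in VSAs, one VSA per rule."""
    vendor_id, vendor_type = VENDORS[vendor]
    return b"".join(encode_vsa(vendor_id, vendor_type, r.encode()) for r in rules)


def decode_attrs(blob):
    """Parse an attribute list back into (type, vendor_id, vendor_type, text) tuples,
    rejecting the length inconsistencies a malformed or truncated packet would show."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:
                raise ValueError("bad VSA vendor length")
            out.append((atype, vendor_id, vtype, value[6:].decode()))
        else:
            out.append((atype, None, None, value.decode()))
        i += alen
    return out


if __name__ == "__main__":
    for vendor in VENDORS:
        print(vendor, "Filter-Id:", decode_attrs(filter_id_attribute("Allow-DNS-Access", vendor)))
        print(vendor, "VSA:      ", decode_attrs(vsa_attributes(vendor, RULES[vendor])))
```

Run the script and compare its decoded output with the attribute list in a capture of the Access-Accept that PPS sends to the switch. A Filter-Id value without the ".in" suffix on a Cisco or HP switch, a name that differs from the ACL configured on the switch, or a VSA whose Vendor-Id does not match the switch vendor are the first things to check when the port ends up with no filter applied.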
 
Created By: Kshitij Gupta