Skip to content

Feat(eos_designs): Add support for dot1x_settings.web_authentication.ipv4_standard_acl#7209

Open
laxmikantchintakindi wants to merge 15 commits into
aristanetworks:develfrom
laxmikantchintakindi:captive-portal-acl
Open

Feat(eos_designs): Add support for dot1x_settings.web_authentication.ipv4_standard_acl#7209
laxmikantchintakindi wants to merge 15 commits into
aristanetworks:develfrom
laxmikantchintakindi:captive-portal-acl

Conversation

@laxmikantchintakindi

@laxmikantchintakindi laxmikantchintakindi commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Change Summary

Add support for dot1x_settings.web_authentication.ipv4_standard_acl. Presence of this ACL is mandatory in ipv4_standard_acls catalog.

Related Issue(s)

Partially Fixes #https://github.com/aristanetworks/avd-internal/issues/623

Component(s) name

arista.avd.eos_designs

Proposed changes

Add support for dot1x_settings.web_authentication.ipv4_standard_acl. Presence of this ACL is mandatory in ipv4_standard_acls catalog.

How to test

Checklist

User Checklist

  • N/A

Repository Checklist

  • My code has been rebased from devel before I start
  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation and documentation have been updated accordingly.
  • I have updated molecule CI testing accordingly. (check the box if not applicable)

Summary by CodeRabbit

  • New Features

    • Added support for linking 802.1X web authentication/captive portal to a standard IPv4 access list.
    • Generated configurations now include the referenced access list when configured.
  • Bug Fixes

    • Missing access list references are now handled consistently instead of being silently skipped.
  • Documentation

    • Updated 802.1X web authentication documentation to include the new IPv4 access list setting and its requirements.

@laxmikantchintakindi laxmikantchintakindi self-assigned this Jul 2, 2026
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 65ba3bbf-3b4b-43fe-8f69-bfb052a412fa

📥 Commits

Reviewing files that changed from the base of the PR and between 8219c47 and df5df02.

📒 Files selected for processing (3)
  • ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/configs/dot1x-settings-1.cfg
  • ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/intended/structured_configs/dot1x-settings-1.yml
  • ansible_collections/arista/avd/extensions/molecule/eos_designs_unit_tests/inventory/host_vars/dot1x-settings-1.yml

📝 Walkthrough

Walkthrough

This PR adds an ipv4_standard_acl option under dot1x_settings.web_authentication, allowing a standard IPv4 ACL to be bound to the captive-portal. It wires this into dot1x structured config generation, fixes standard ACL append logic, updates schemas/docs, and updates molecule test fixtures.

Changes

Dot1x captive portal IPv4 ACL support

Layer / File(s) Summary
Schema and documentation for ipv4_standard_acl field
python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml, python-avd/pyavd/_eos_designs/schema/schema_fragments/dot1x_settings.schema.yml, python-avd/pyavd/_eos_designs/schema/__init__.py, ansible_collections/arista/avd/roles/eos_designs/docs/tables/dot1x-settings.md
Adds the ipv4_standard_acl string field to web_authentication schema, generated Python model (WebAuthentication), and documentation tables/YAML samples.
Captive-portal ACL wiring and ACL append fix
python-avd/pyavd/_eos_designs/structured_config/base/dot1x.py, python-avd/pyavd/_eos_designs/structured_config/structured_config_utils/utils.py
Conditionally sets captive_portal.access_list_ipv4 and calls _set_ipv4_standard_acl when configured; _set_ipv4_standard_acl now always appends after the missing-variable check instead of only when the ACL exists.
Molecule test fixtures for dot1x-settings-1 and dot1x-settings-2
.../inventory/host_vars/dot1x-settings-2.yml, .../intended/structured_configs/dot1x-settings-2.yml, .../intended/configs/dot1x-settings-2.cfg, .../inventory/host_vars/dot1x-settings-1.yml, .../intended/structured_configs/dot1x-settings-1.yml, .../intended/configs/dot1x-settings-1.cfg
Adds web-acl standard ACL definitions and captive-portal ACL binding to test fixtures, and adds captive-portal/web_authentication enablement to dot1x-settings-1 fixtures.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Dot1xMixin
  participant StructuredConfig
  participant StructuredConfigUtils
  Dot1xMixin->>StructuredConfig: set captive_portal.access_list_ipv4 = web-acl
  Dot1xMixin->>StructuredConfigUtils: _set_ipv4_standard_acl(web-acl)
  StructuredConfigUtils->>StructuredConfig: append standard_access_lists entry
Loading

Possibly related PRs

  • aristanetworks/avd#7054: Introduces the ipv4_standard_acls catalog that this PR's _set_ipv4_standard_acl and ipv4_standard_acl field depend on.
  • aristanetworks/avd#7189: Both PRs modify the shared structured_config_utils/utils.py logic for registering IPv4 standard ACLs into standard_access_lists.

Suggested labels: role: eos_designs, rn: Feat(eos_designs)

Suggested reviewers: alexeygorbunov, gmuloc

Poem

A rabbit hops through configs neat,
Binding portals with an ACL treat,
web-acl guards the gate with care,
Ten-dot-oh-oh-oh-one waits there,
Schemas hum and tests all cheer —
🐇 dot1x's ACL year!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately names the main change: adding support for dot1x_settings.web_authentication.ipv4_standard_acl.
Description check ✅ Passed All required sections are present and the description covers the change, with only the How to test section left as a placeholder.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review docs on Read the Docs

To test this pull request:

# Create virtual environment for this testing below the current directory
python -m venv test-avd-pr-7209
# Activate the virtual environment
source test-avd-pr-7209/bin/activate
# Install all requirements including PyAVD
pip install "pyavd[ansible] @ git+https://github.com/laxmikantchintakindi/avd.git@captive-portal-acl#subdirectory=python-avd" --force
# Point Ansible collections path to the Python virtual environment
export ANSIBLE_COLLECTIONS_PATH=$VIRTUAL_ENV/ansible_collections
# Install Ansible collection
python -m ansible.cli.galaxy collection install git+https://github.com/laxmikantchintakindi/avd.git#/ansible_collections/arista/avd/,captive-portal-acl --force
cd test-avd-pr-7209
# Run your playbook using `python -m ansible.cli.playbook path/to/playbook.yml ...`

You can also test this PR using AVD playground:

  • Rebase your branch to makes sure it is up-to-date and has latest lab topologies for example inventories
  • Authenticate on labs.arista.com. Use your email! Not login.
  • Start the playground
  • In the lab selector UI pick "I want to use a specific AVD fork"
  • Enter following parameters:
GitHub org: laxmikantchintakindi
Repository name: avd
Branch: captive-portal-acl
  • Select an example inventory to test the PR
  • Once the AVD Playground setup will be finished, type make start and test anything once the lab is up

@github-actions github-actions Bot added state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated role: eos_designs issue related to eos_designs role labels Jul 2, 2026
@codecov

codecov Bot commented Jul 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.08%. Comparing base (b1eecae) to head (3c58b17).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##            devel    #7209   +/-   ##
=======================================
  Coverage   92.08%   92.08%           
=======================================
  Files         775      775           
  Lines       42329    42331    +2     
  Branches    10204    10204           
=======================================
+ Hits        38978    38982    +4     
  Misses       1945     1945           
+ Partials     1406     1404    -2     
Components Coverage Δ
pyavd 93.92% <100.00%> (+<0.01%) ⬆️
schema_tools 68.67% <ø> (ø)
Ansible plugins 77.03% <ø> (ø)
Files with missing lines Coverage Δ
...pyavd/_eos_designs/structured_config/base/dot1x.py 100.00% <100.00%> (ø)
...structured_config/structured_config_utils/utils.py 100.00% <100.00%> (+4.16%) ⬆️

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@gmuloc gmuloc added this to the v6.4.0 milestone Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions Bot added the state: conflict PR with conflict label Jul 6, 2026
@github-actions github-actions Bot removed the state: conflict PR with conflict label Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions Bot added the state: conflict PR with conflict label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions Bot removed the state: conflict PR with conflict label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Conflicts have been resolved. A maintainer will review the pull request shortly.

@vitthalmagadum vitthalmagadum marked this pull request as ready for review July 9, 2026 10:56
@vitthalmagadum vitthalmagadum requested review from a team as code owners July 9, 2026 10:56
Comment thread python-avd/pyavd/_eos_designs/structured_config/base/dot1x.py

@Shivani-gslab Shivani-gslab left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sonarqubecloud

Copy link
Copy Markdown

Comment on lines +250 to +254
ipv4_standard_acl:
type: str
description: |-
Standard IPv4 ACL name.
This ACL must be present in `ipv4_standard_acls` catalog.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We reference "standard ACL" here due to the existing eos_cli_config_gen model and output of the EOS CLI helper which states that it expects a standard ACL:

# 4.35.2F

ag-dc1-leaf1a(config-s-s46-dot1x)#captive-portal access-list ipv4 ?
  WORD  Standard access-list name

ag-dc1-leaf1a(config-s-s46-dot1x)#

In reality this seems like an EOS CLI bug to me.

EOS perfectly accepts references to either standard or extended ACL:

ag-dc1-leaf1a(config-s-s46)#show session-config diffs 
--- system:/running-config
+++ session:/s46-session-config
+ip access-list acl-for-test
+   10 permit ip any 20.20.1.0/24
+   20 deny tcp any any eq www copy captive-portal
+   30 deny tcp any any eq https copy captive-portal
+   40 deny ip any any
ag-dc1-leaf1a(config-s-s46)#dot1x 
ag-dc1-leaf1a(config-s-s46-dot1x)#captive-portal access-list ipv4 acl-for-test
ag-dc1-leaf1a(config-s-s46-dot1x)#exit
ag-dc1-leaf1a(config-s-s46)#show session-config diffs 
--- system:/running-config
+++ session:/s46-session-config
+dot1x
+   captive-portal access-list ipv4 acl-for-test
+!
+ip access-list acl-for-test
+   10 permit ip any 20.20.1.0/24
+   20 deny tcp any any eq www copy captive-portal
+   30 deny tcp any any eq https copy captive-portal
+   40 deny ip any any
ag-dc1-leaf1a(config-s-s46)#

but only extended ACL makes sense here.

By default (when no ACL is provided via captive-portal access-list ipv4 <ACL_NAME>) EOS implements implicit TCAM rules which permit DHCP, DNS, etc, and at the same time enforce redirection of all HTTP and HTTPS traffic to the IP address that Portal URL resolves to.

When ACL is explicitly specified by the user, those implicit redirects are not auto-configured and EOS instead applies what user asked (assuming ACL rules will cave copy captive-portal actions forcing portal redirect, like shown in https://www.arista.com/en/support/toi/eos-4-24-2f/14567-802-1x-on-arista-switches#typical-configuration-for-the-acl-for-test-statically-configured).

When we try to apply standard ACL - my understanding is that this will break redirect to the portal and this ACL will simply be applied in the ingress direction on the port (filtering ingress traffic based on the source IP).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we are now forcing the ACL referenced by captive-portal to be present in the standard IPv4 ACL catalogue - we may be forcing users to the incorrect configuration, as users now can not reference correct extended IPv4 ACL with correct copy captive-portal actions

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed with Alexey. It looks like a cosmetic bug in the CLI definition. An extended ACL is required for the redirection to work properly. We need to do the following:

1- Update eos_cli_config_gen captive_portal.access_list_ipv4 description
2- Update eos_cli_config_gen ip_access_lists data model to support copy captive-portal
3- Update this PR to use ipv4_acls ACL catalog instead

1 and 2 in the same PR is fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

role: eos_designs issue related to eos_designs role state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants