Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@ radius-server host agni.arista.com vrf MGMT key 7 1404071B09166738212B2130365E0C
!
aaa authentication dot1x default group radius
aaa accounting dot1x default start-stop group radius
dot1x
captive-portal
!
interface Management1
description OOB_MANAGEMENT
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,13 +35,17 @@ dot1x
radius av-pair framed-mtu 1500
mac-based-auth radius av-pair user-name delimiter colon uppercase
captive-portal url https://captive.arista.com ssl profile captive-portal-ssl-profile
captive-portal access-list ipv4 web-acl
captive-portal start limit infinite
!
interface Management1
description OOB_MANAGEMENT
no shutdown
Comment thread
vitthalmagadum marked this conversation as resolved.
vrf MGMT
ip address 192.168.0.2/24
!
ip access-list standard web-acl
10 permit host 10.0.0.1
no ip routing vrf MGMT
!
ip radius vrf MGMT source-interface Management1
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ dot1x:
protocol_lldp_bypass: true
protocol_bpdu_bypass: true
dynamic_authorization: true
captive_portal:
enabled: true
enable_password:
disabled: true
hostname: dot1x-settings-1
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ dot1x:
url: https://captive.arista.com
ssl_profile: captive-portal-ssl-profile
start_limit_infinite: true
access_list_ipv4: web-acl
enable_password:
disabled: true
hostname: dot1x-settings-2
Expand Down Expand Up @@ -85,6 +86,12 @@ radius_server:
- host: coa.arista.com
key: 0215114B0E144232494D1B1C115A190E15
service_routing_protocols_model: multi-agent
standard_access_lists:
- name: web-acl
entries:
- sequence: 10
action: permit
source: 10.0.0.1
transceiver_qsfp_default_mode_4x10: true
vlan_internal_order:
allocation: ascending
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,11 @@ l2leaf:
- name: dot1x-settings-1
mgmt_ip: 192.168.0.2/24

# Added for coverage
dot1x_settings:
enabled: true
web_authentication:
enabled: true

aaa_settings:
radius:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,14 @@ l2leaf:
nodes:
- name: dot1x-settings-2
mgmt_ip: 192.168.0.2/24

ipv4_standard_acls:
- name: web-acl
entries:
- sequence: 10
source: 10.0.0.1
action: permit

dot1x_settings:
enabled: true
authentication:
Expand Down Expand Up @@ -39,6 +47,7 @@ dot1x_settings:
web_authentication:
enabled: true
ssl_profile: captive-portal-ssl-profile
ipv4_standard_acl: web-acl
url: https://captive.arista.com
start_limit_infinite: true

Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

17 changes: 16 additions & 1 deletion python-avd/pyavd/_eos_designs/schema/__init__.py

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions python-avd/pyavd/_eos_designs/schema/eos_designs.schema.yml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -247,6 +247,11 @@ keys:
SSL profile name, enabling HTTPS redirection on port 443.
Without this, only HTTP redirection is supported.
Can be used alone (when RADIUS provides the URL dynamically) or together with `url`.
ipv4_standard_acl:
type: str
description: |-
Standard IPv4 ACL name.
This ACL must be present in `ipv4_standard_acls` catalog.
Comment on lines +250 to +254

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We reference "standard ACL" here due to the existing eos_cli_config_gen model and output of the EOS CLI helper which states that it expects a standard ACL:

# 4.35.2F

ag-dc1-leaf1a(config-s-s46-dot1x)#captive-portal access-list ipv4 ?
  WORD  Standard access-list name

ag-dc1-leaf1a(config-s-s46-dot1x)#

In reality this seems like an EOS CLI bug to me.

EOS perfectly accepts references to either standard or extended ACL:

ag-dc1-leaf1a(config-s-s46)#show session-config diffs 
--- system:/running-config
+++ session:/s46-session-config
+ip access-list acl-for-test
+   10 permit ip any 20.20.1.0/24
+   20 deny tcp any any eq www copy captive-portal
+   30 deny tcp any any eq https copy captive-portal
+   40 deny ip any any
ag-dc1-leaf1a(config-s-s46)#dot1x 
ag-dc1-leaf1a(config-s-s46-dot1x)#captive-portal access-list ipv4 acl-for-test
ag-dc1-leaf1a(config-s-s46-dot1x)#exit
ag-dc1-leaf1a(config-s-s46)#show session-config diffs 
--- system:/running-config
+++ session:/s46-session-config
+dot1x
+   captive-portal access-list ipv4 acl-for-test
+!
+ip access-list acl-for-test
+   10 permit ip any 20.20.1.0/24
+   20 deny tcp any any eq www copy captive-portal
+   30 deny tcp any any eq https copy captive-portal
+   40 deny ip any any
ag-dc1-leaf1a(config-s-s46)#

but only extended ACL makes sense here.

By default (when no ACL is provided via captive-portal access-list ipv4 <ACL_NAME>) EOS implements implicit TCAM rules which permit DHCP, DNS, etc, and at the same time enforce redirection of all HTTP and HTTPS traffic to the IP address that Portal URL resolves to.

When ACL is explicitly specified by the user, those implicit redirects are not auto-configured and EOS instead applies what user asked (assuming ACL rules will cave copy captive-portal actions forcing portal redirect, like shown in https://www.arista.com/en/support/toi/eos-4-24-2f/14567-802-1x-on-arista-switches#typical-configuration-for-the-acl-for-test-statically-configured).

When we try to apply standard ACL - my understanding is that this will break redirect to the portal and this ACL will simply be applied in the ingress direction on the port (filtering ingress traffic based on the source IP).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we are now forcing the ACL referenced by captive-portal to be present in the standard IPv4 ACL catalogue - we may be forcing users to the incorrect configuration, as users now can not reference correct extended IPv4 ACL with correct copy captive-portal actions

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed with Alexey. It looks like a cosmetic bug in the CLI definition. An extended ACL is required for the redirection to work properly. We need to do the following:

1- Update eos_cli_config_gen captive_portal.access_list_ipv4 description
2- Update eos_cli_config_gen ip_access_lists data model to support copy captive-portal
3- Update this PR to use ipv4_acls ACL catalog instead

1 and 2 in the same PR is fine.

start_limit_infinite:
type: bool
description: |-
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,9 @@ def _configure_dot1x_web_authentication(self: AvdStructuredConfigBaseProtocol, w
ssl_profile=web_authentication.ssl_profile,
url=web_authentication.url,
)
if web_authentication.ipv4_standard_acl is not None:
self.structured_config_utils._set_ipv4_standard_acl(web_authentication.ipv4_standard_acl)
Comment thread
Shivani-gslab marked this conversation as resolved.
self.structured_config.dot1x.captive_portal.access_list_ipv4 = web_authentication.ipv4_standard_acl

def _configure_dot1x_device_profiling(
self: AvdStructuredConfigBaseProtocol,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -48,5 +48,4 @@ def _set_ipv4_standard_acl(self: StructuredConfigUtilsProtocol, acl_name: str) -
if acl_name not in self.inputs.ipv4_standard_acls:
msg = f"ipv4_standard_acls[name={acl_name}]"
raise AristaAvdMissingVariableError(msg, host=self.shared_utils.hostname)
if acl_name in self.inputs.ipv4_standard_acls:
self.structured_config.standard_access_lists.append(self.inputs.ipv4_standard_acls[acl_name]._cast_as(EosCliConfigGen.StandardAccessListsItem))
self.structured_config.standard_access_lists.append(self.inputs.ipv4_standard_acls[acl_name]._cast_as(EosCliConfigGen.StandardAccessListsItem))
Loading