Sample Configuration for Avaya
VoIP 802.1X
#********************************
# Last Updated: March 20, 2007
# Tested Phones: SW4610, SW4620
# Requirements: 802.1X authentication server, VSA 203 and VSA 212 from authentiication server. QP7 defined on the switch#
********************************
# @META_DATA_START
# @FileDescription "This is a template for configuring LLDP capable Avaya phones using the authentication trigger. This module will provision the phone with the following parameters: call server, file server, dot1q, dscp, power. Additionally the following network side configuration is done: enable SNMP traps and QOS assignment."
# @Description "Avaya phone call server IP address"
set var callserver 192.45.95.100
# @Description "Avaya phone file server IP address"
set var fileserver 192.45.10.250
# @Description "Send trap when LLDP event happens (true or false)"
set var sendTraps true
# @Description "Set QoS Profile (true or false)"
set var setQuality true
# @META_DATA_END
#
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
create log message Starting_Avaya_VOIP_802.1X_AUTH_Module_Config
if (!$match($sendTraps,true)) then
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
enable lldp port $EVENT.USER_PORT
configure lldp port $EVENT.USER_PORT advertise vendor-specific dot1 vlan-name
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callserver
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileserver
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tag
if (!$match($setQuality,true)) then
configure port $EVENT.USER_PORT qosprofile qp7
endif
endif
#
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
create log message Starting_Avaya_VOIP_802.1X_UNATUH_Module_Config
if (!$match($sendTraps,true)) then
enable snmp traps lldp ports $EVENT.USER_PORT
enable snmp traps lldp-med ports $EVENT.USER_PORT
else
disable snmp traps lldp ports $EVENT.USER_PORT
disable snmp traps lldp-med ports $EVENT.USER_PORT
endif
disable lldp port $EVENT.USER_PORT
if (!$match($setQuality,true)) then
unconfig qosprofile ports $EVENT.USER_PORT
endif
endif
create log message End_Avaya_VOIP_802.1X_Module_Config
Dynamic Security Policy
if (!$match($CLI_EVENT,USER-AUTHENTICATED) ) then
create access-list $(EVENT.DEVICE_MAC)_192_168_1_0 "ethernet-source-address $EVENT.DEVICE_MAC ;
destination-address 192.168.1.0/24 " "permit "
create access-list $(EVENT.DEVICE_MAC)_192_168_2_0 "ethernet-source-address $EVENT.DEVICE_MAC ;
destination-address 192.168.2.0/24 " "permit "
create access-list $(EVENT.DEVICE_MAC)_192_168_3_0 "ethernet-source-address $EVENT.DEVICE_MAC ;
destination-address 192.168.3.0/24 " "permit "
create access-list $(EVENT.DEVICE_MAC)_smtp "ethernet-source-address $EVENT.DEVICE_MAC ;
destination-address 192.168.100.125/32 ; protocol tcp ; destination-port 25" "permit "
create access-list $(EVENT.DEVICE_MAC)_http "ethernet-source-address $EVENT.DEVICE_MAC ; protocol tcp ; destination-port 80" "permit "
create access-list $(EVENT.DEVICE_MAC)_https "ethernet-source-address $EVENT.DEVICE_MAC ; protocol tcp ; destination-port 443" "permit "
create access-list $(EVENT.DEVICE_MAC)_dhcp "protocol udp; destination-port 67" "permit"
create access-list $(EVENT.DEVICE_MAC)_deny "destination-address 0.0.0.0/0" "deny "
configure access-list add $(EVENT.DEVICE_MAC)_192_168_1_0 first port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_192_168_2_0 first port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_192_168_3_0 first port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_smtp first port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_http last port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_https last port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_dhcp first port $USER_PORT
configure access-list add $(EVENT.DEVICE_MAC)_deny last port $USER_PORT
endif
if (!$match($CLI_EVENT,USER-UNAUTHENTICATED) ) then
# Clean up
configure access-list delete $(EVENT.DEVICE_MAC)_192_168_1_0 ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_192_168_2_0 ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_192_168_3_0 ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_smtp ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_http ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_https ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_dhcp ports $USER_PORT
configure access-list delete $(EVENT.DEVICE_MAC)_deny ports $USER_PORT
delete access-list $(EVENT.DEVICE_MAC)_192_168_1_0
delete access-list $(EVENT.DEVICE_MAC)_192_168_2_0
delete access-list $(EVENT.DEVICE_MAC)_192_168_3_0
delete access-list $(EVENT.DEVICE_MAC)_smtp
delete access-list $(EVENT.DEVICE_MAC)_http
delete access-list $(EVENT.DEVICE_MAC)_https
delete access-list $(EVENT.DEVICE_MAC)_dhcp
delete access-list $(EVENT.DEVICE_MAC)_deny
endif