3.2.2.4.3.2.2. UNAC plugins
This section describes the UNAC plugins and their configuration.

To enable plugins, use their corresponding flag and then click on the “engine” icon to open the configuration window.
3.2.2.4.3.2.2.1. ciscoprime
The Cisco Prime plugin obtains information about client devices connected to a WiFi network managed by the Cisco Prime infrastructure and converts it into user device tags. The Cisco Prime infrastructure provides complete lifecycle management of converged wired and wireless networks and holds a wide range of information about connected client devices, which can be used, for example, for queries and reporting through ON Analytics.
The plugin supplies complementary information that cannot be obtained from the RADIUS authentication or accounting packets sent by the WLC controller.
At this time, the Cisco Prime plugin extracts from the Cisco Prime infrastructure the following client information related to the access point through which the client connected to the WiFi network:
Access Point IP Address: The IP address of the access point.
Access Point Mac Address: The MAC address of the access point.
Access Point Name: The name of the access point.
This information is then converted into user device tags with the CPC prefix. This prefix means CISCO PRIME CLIENT.
The following fields must be configured to set up the plugin:

Cisco Prime Server: IP address or DNS name of the Cisco Prime API server.
Enable HTTPS: Selector to use HTTPS or HTTP, default is set to Yes (HTTPS).
Cisco Prime API Base Path: Cisco Prime API base path which will be part of the URL. The default value is /webacs/api/v4. Modern versions of the API are v4. Change it only if a different version is used.
Cisco Prime Username: Username for Cisco Prime API access.
Cisco Prime Password: Password for Cisco Prime API access.
Execution TTL: Period, in minutes, during which the plugin is not executed again for the same client.
After enabling this plugin in a policy, when a client managed by the Cisco Prime infrastructure authenticates and matches this policy, the plugin will query the API and assign the TAGs corresponding to the information obtained. The resulting TAGs for the device will be displayed in the advanced view of NAC > Sessions.
3.2.2.4.3.2.2.2. getADGroup
This plugin obtains the names of the Active Directory groups to which the device belongs and adds these names as tags with a defined tag prefix.
It applies to a MAB connection where the device MAC address is used as a user ID in Active Directory, and retrieves the member groups related to that user device.
If the device does not belong to any groups, it is labeled as <Tag prefix>_NOT_CONTAINED.
If the device is not defined in any Active Directory, it is labeled as <Tag prefix>_NOT_DEFINED.
Note
The proper functioning of SNMP or CoA disconnection is essential for the plugin to operate effectively.
Initially, when the plugin first encounters the MAC address, the device is directed to an access VLAN. Once the plugin has run and added the tags, the device moves to the service VLAN. This transition requires a disconnection, which is why SNMP or CoA disconnection must work reliably.

Tag prefix: Tag prefix to label the user device configuration in the Active Directory.
Execution TTL: Period, in minutes, during which the plugin is not executed again for the same client.
3.2.2.4.3.2.2.3. maxMacConnected
The maxMacConnected plugin is designed to limit the maximum number of MAC addresses connected on a switch port. It can also notify the administrator by email when the limit is exceeded.
It works with the following TAGS:
MME_SWITCH: Only used if the option Exclude tag (MME_SWITCH - MME_PORT_XX) is enabled in the plugin configuration. It prevents the plugin from running for a whole switch, so the number of MACs connected to that switch is not checked.
MME_PORT_<switch-port>: Only used if the option Exclude tag (MME_SWITCH - MME_PORT_XX) is enabled in the plugin configuration. It prevents the plugin from running for a specific port of a switch: on the port specified in the tag, the plugin does not run and the maximum number of MAC connections is not checked.
For example:
MME_SWITCH
MME_PORT_50012
The following fields must be configured to set up the plugin:

Max amount of MACs connected: The maximum number of MACs connected to a switch port before an alert is sent. When this value is exceeded, a notification is sent by email. To receive this alert, the option Exclude tag (MME_SWITCH - MME_PORT_XX) must be deactivated and the device must not learn these tags; otherwise the plugin does not execute and the maximum connections check is not done.
Email to send alert: The email address that receives the alert when the maximum number of connections is exceeded for a switch port and the plugin exclusion is not used.
Exclude tag (MME_SWITCH - MME_PORT_XX): Whether the MME_ tags are used.
An alert will be sent if all of the following conditions are met:
Email is configured.
Exclude tag option is disabled in the plugin configuration, or it is enabled but there are no exclude tags assigned to that switch or port of the connection.
The new counter of MACs connected to the switch port is higher than the maximum number of MACs configured in the plugin configuration.
The following diagram shows the plugin flow:

First, the plugin checks whether the exclude tag option is enabled in its configuration. If it is, the plugin checks whether the network device where the connection has been received has any exclude tag that affects this switch or port. If it does, the plugin is not executed. If not, it goes on to check for the alert.
If the network device doesn't have any of the MME_ tags, the next step is to check the alert. It is sent if the email is configured in the plugin configuration, as described above, and the current number of MACs connected to that switch port is higher than the maximum number of MACs configured.
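The decision flow described above, written out as an added example (a model of the documented behaviour, not the product's own code). The class and function names, the inventory layout and the sample values are assumptions made for illustration; the second function lists ports that are over the limit but would never raise an alert, which is the monitoring gap the exclude tags and an empty email field create.

```python
from dataclasses import dataclass

@dataclass
class MaxMacConfig:
    max_macs: int        # "Max amount of MACs connected"
    alert_email: str     # "Email to send alert"; empty string = not configured
    exclude_tags: bool   # "Exclude tag (MME_SWITCH - MME_PORT_XX)"

def exclusion_tag(cfg, device_tags, port):
    """Return the exclude tag covering this switch or port, or None."""
    if not cfg.exclude_tags:
        return None      # option disabled: MME_ tags are ignored
    for wanted in ("MME_SWITCH", f"MME_PORT_{port}"):
        if wanted in device_tags:
            return wanted
    return None

def evaluate(cfg, device_tags, port, mac_count):
    """Outcome for one connection: 'skipped', 'alert' or 'ok'."""
    if exclusion_tag(cfg, device_tags, port):
        return "skipped"                     # plugin does not run at all
    if cfg.alert_email and mac_count > cfg.max_macs:
        return "alert"                       # strictly higher than the limit
    return "ok"

def blind_spots(cfg, inventory):
    """Ports over the limit for which no alert would be sent, with the reason."""
    found = []
    for switch, tags, port, mac_count in inventory:
        if mac_count <= cfg.max_macs:
            continue
        tag = exclusion_tag(cfg, tags, port)
        if tag:
            found.append((switch, port, f"excluded by {tag}"))
        elif not cfg.alert_email:
            found.append((switch, port, "no alert email configured"))
    return found

# Constructed inventory: (switch name, tags on the network device, port, MACs seen)
INVENTORY = [
    ("sw-core", ["MME_SWITCH"], "50001", 9),
    ("sw-floor1", ["MME_PORT_50012"], "50012", 4),
    ("sw-floor1", ["MME_PORT_50012"], "50013", 4),
    ("sw-floor2", [], "50002", 2),
]

if __name__ == "__main__":
    cfg = MaxMacConfig(max_macs=2, alert_email="noc@example.org", exclude_tags=True)
    for row in blind_spots(cfg, INVENTORY):
        print(row)
```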
3.2.2.4.3.2.2.4. staticNetworkPortSync
The staticNetworkPortSync plugin makes it possible to disable device mobility, restricting a device so that it can access the network only through the specified port(s) of a switch. It can also notify the administrator by email if VLAN enforcement is applied.
It works with the TAG:
SNP_<switch-ip>_<switch-port>
For example:
SNP_10.10.36.47_50001
The following fields must be configured to set up the plugin:

Allow switch port learning: If there is no SNP tag matching the current connection, learn the current one if possible.
Max amount of connections to learn: Max amount of connections that a device can learn before getting blocked (if enforcement configured).
Vlan Id output, in not match case: VLAN ID to return when the switch port of the connection is different from the one in the related tag and cannot be learned.
Violation tag (SNV): Insert the SNV tag when the switch port of the connection is different from the one in the related tag.
Email to send alert if vlan enforcement applied: Send an alert to this email if VLAN enforcement is applied (VLAN configured is not 0).
Exclude tag (SNE): Activate exclude by tag. Use SNE tag to exclude user devices from plugin execution.
Execution order: Determines the order in which sync plugins are executed, with higher priority assigned to lower numerical values (0 being the lowest priority). In situations where multiple plugins share the same execution order value, the execution order will follow an alphabetical arrangement.
For more information about tags, see the Tags Table.
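How the staticNetworkPortSync fields listed above combine for a single connection, as an added example (a model built from the field descriptions, not the product's own code). It assumes that SNE and SNV appear as bare tag names, that "learn if possible" means the device holds fewer SNP tags than the configured maximum, and that the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class SnpConfig:
    allow_learning: bool   # "Allow switch port learning"
    max_learned: int       # "Max amount of connections to learn"
    mismatch_vlan: int     # "Vlan Id output, in not match case"; 0 = no enforcement
    violation_tag: bool    # "Violation tag (SNV)"
    alert_email: str       # "Email to send alert if vlan enforcement applied"
    exclude_by_tag: bool   # "Exclude tag (SNE)"

def parse_snp(tag):
    """Split SNP_<switch-ip>_<switch-port> into (ip, port); None if not an SNP tag."""
    if not tag.startswith("SNP_"):
        return None
    # The port follows the last underscore, so the dotted IP stays intact.
    ip, sep, port = tag[4:].rpartition("_")
    return (ip, port) if sep and ip and port else None

def evaluate(cfg, tags, switch_ip, switch_port):
    """Decide one connection: outcome, VLAN to return, tags to add, alert flag."""
    result = {"outcome": "match", "vlan": None, "add_tags": [], "alert": False}
    if cfg.exclude_by_tag and "SNE" in tags:       # assumed bare tag name
        result["outcome"] = "excluded"
        return result
    learned = [p for p in map(parse_snp, tags) if p]
    if (switch_ip, switch_port) in learned:
        return result                              # device is on a known port
    if cfg.allow_learning and len(learned) < cfg.max_learned:
        result["outcome"] = "learned"
        result["add_tags"].append(f"SNP_{switch_ip}_{switch_port}")
        return result
    result["outcome"] = "violation"
    if cfg.violation_tag:
        result["add_tags"].append("SNV")           # assumed bare tag name
    if cfg.mismatch_vlan != 0:                     # enforcement only when VLAN is not 0
        result["vlan"] = cfg.mismatch_vlan
        result["alert"] = bool(cfg.alert_email)
    return result
```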