04-22-2024 08:25 AM - edited 04-22-2024 08:26 AM
Hi All!
I am currently deploying NAC in my organisation's switches and was wondering if there is a Python script to help ease this task.
The commands are almost the same on all the ports, except for the dot1x/mab priority one when there's a device connected via mab:
authentication event fail action authorize vlan NAC-VLAN
authentication event server alive action reinitialize
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event no-response action authorize vlan NAC-VLAN
authentication host-mode multi-domain
authentication control-direction in
authentication port-control auto
authentication priority dot1x mab ### or authentication priority mab dot1x ###
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 600
authentication timer unauthorized 60
authentication violation replace
no snmp trap link-status
mab
dot1x pae authenticator
dot1x timeout tx-period 5
Ideally, I would like to automate where the priority variance is applied, based on the device too, but if anyone has anything that could help me go in the right direction, I would highly appreciate it.
Thank you
04-22-2024 08:36 AM
You can do this, yes. I used to do this based on the model of ASR router or its role in the network. Adjustments may be needed based on your specific network environment and requirements, but you would use the priority variance, which is a dictionary that maps the device IP address to the appropriate dot1x and mab priority setting; this can be used to handle the priority variance based on your device type.
from getpass import getpass
from netmiko import ConnectHandler

# Credentials are prompted for at run time rather than stored in the script
username = input("Username: ")
password = getpass("Password: ")

devices = [
    {'device_type': 'cisco_ios', 'ip': 'switch1.example.com', 'username': username, 'password': password},
    {'device_type': 'cisco_ios', 'ip': 'switch2.example.com', 'username': username, 'password': password},
    # Add more devices as needed
]

# Define NAC configuration (the priority line is added per device below)
nac_config = [
    "authentication event fail action authorize vlan NAC-VLAN",
    "authentication event server alive action reinitialize",
    "authentication event server dead action authorize",
    "authentication event server dead action authorize voice",
    "authentication event no-response action authorize vlan NAC-VLAN",
    "authentication host-mode multi-domain",
    "authentication control-direction in",
    "authentication port-control auto",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication timer inactivity 600",
    "authentication timer unauthorized 60",
    "authentication violation replace",
    "no snmp trap link-status",
    "mab",
    "dot1x pae authenticator",
    "dot1x timeout tx-period 5"
]

# Define priority variance based on device
priorities = {
    'switch1.example.com': 'dot1x mab',
    'switch2.example.com': 'mab dot1x'
}

# Interface range the port commands are applied under; the range below is
# an assumed placeholder, adjust it to the access ports of each switch
interface_range = 'interface range GigabitEthernet1/0/1-48'

for device in devices:
    priority = priorities[device['ip']]
    commands = [interface_range, f"authentication priority {priority}"] + nac_config
    # ConnectHandler opens the SSH session; the 'with' block closes it afterwards
    with ConnectHandler(**device) as conn:
        output = conn.send_config_set(commands)
        print(f"--- {device['ip']} ---\n{output}")
        conn.save_config()
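The question also asks to decide the priority per port from the device that is actually connected, not per switch. The following is an added example written for this thread, not code from the original poster or the answer above. It parses constructed IOS "show mac address-table" output (the sample output, the OUIs and the MAC addresses are made up for the example), checks each learned MAC against an assumed inventory of MAB-only endpoints (printers by OUI, phones by exact MAC), and builds a per-interface command list using the thread's own NAC commands. A port gets "mab dot1x" only when every endpoint learned on it is a known MAB-only device; a phone plus a PC, or an empty port, keeps "dot1x mab". The resulting lists are in the shape Netmiko's send_config_set expects, but nothing here talks to a switch.

```python
import re
from typing import Dict, Iterable, List, Set

# Per-port NAC commands from the thread; the priority line is chosen per port below.
BASE_NAC_CONFIG: List[str] = [
    "authentication event fail action authorize vlan NAC-VLAN",
    "authentication event server alive action reinitialize",
    "authentication event server dead action authorize",
    "authentication event server dead action authorize voice",
    "authentication event no-response action authorize vlan NAC-VLAN",
    "authentication host-mode multi-domain",
    "authentication control-direction in",
    "authentication port-control auto",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication timer inactivity 600",
    "authentication timer unauthorized 60",
    "authentication violation replace",
    "no snmp trap link-status",
    "mab",
    "dot1x pae authenticator",
    "dot1x timeout tx-period 5",
]

# One data line of IOS 'show mac address-table': vlan, dotted MAC, type, port.
MAC_TABLE_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


def normalize_mac(mac: str, digits: int = 12) -> str:
    """Canonical lower-case colon form for a MAC (12 hex digits) or an OUI (6)."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexchars) != digits:
        raise ValueError(f"expected {digits} hex digits in {mac!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, digits, 2))


def parse_mac_table(output: str) -> Dict[str, Set[str]]:
    """Map each port to the set of MACs learned on it (data and voice VLAN entries merge)."""
    learned: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        m = MAC_TABLE_LINE.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            learned.setdefault(port, set()).add(normalize_mac(mac))
    return learned


def choose_priority(macs: Iterable[str], mab_macs: Set[str], mab_ouis: Set[str]) -> str:
    """MAB first only when every endpoint on the port is a known MAB-only device."""
    macs = list(macs)
    if macs and all(m in mab_macs or m[:8] in mab_ouis for m in macs):
        return "authentication priority mab dot1x"
    return "authentication priority dot1x mab"


def build_port_config(mac_table_output: str, ports: Iterable[str],
                      mab_macs: Iterable[str], mab_ouis: Iterable[str]) -> Dict[str, List[str]]:
    """Return {port: [commands]}, one 'interface' stanza per listed access port."""
    learned = parse_mac_table(mac_table_output)
    known_macs = {normalize_mac(m) for m in mab_macs}
    known_ouis = {normalize_mac(o, digits=6) for o in mab_ouis}
    config: Dict[str, List[str]] = {}
    for port in ports:
        priority = choose_priority(learned.get(port, set()), known_macs, known_ouis)
        config[port] = [f"interface {port}", priority, *BASE_NAC_CONFIG]
    return config


def flatten(config: Dict[str, List[str]]) -> List[str]:
    """Single command list for send_config_set, stanza after stanza."""
    return [cmd for port in config for cmd in config[port]]


# Constructed sample output in IOS format (not captured from a real switch).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001b.6301.aabb    DYNAMIC     Gi1/0/1
  10    b8ac.6f11.2233    DYNAMIC     Gi1/0/2
  20    3c52.8201.0203    DYNAMIC     Gi1/0/2
  10    0050.56aa.bbcc    DYNAMIC     Gi1/0/3
  10    0050.56aa.bbcd    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 5
"""

# Constructed endpoint inventory: printers identified by OUI, phones by exact MAC.
PRINTER_OUIS = {"00:1b:63"}
PHONE_MACS = {"3c:52:82:01:02:03"}
# Access ports to configure; Gi1/0/24 is left out as an uplink, Gi1/0/5 has nothing learned.
ACCESS_PORTS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/5"]

if __name__ == "__main__":
    cfg = build_port_config(SAMPLE_MAC_TABLE, ACCESS_PORTS, PHONE_MACS, PRINTER_OUIS)
    for port, cmds in cfg.items():
        print(f"{port}: {cmds[1]}")
```

Pulling the MAC table off the switch with Netmiko's send_command("show mac address-table") and passing the result in is the only change needed to use this against real gear; printing the chosen priority per port first, before any send_config_set, gives a dry run you can review.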
04-24-2024 06:48 AM
Thank you! This is something that I can start with.