User Guide: AMF Security Controller version 1.8.0

Creating Authentication Data from CSV



To introduce AT-SESC to an existing network, you have to register a large number of OpenFlow Switches and devices.
You can reduce the workload of this registration process by exporting lists of active devices and switches, editing them as required, then importing them to AT-SESC again.

This section covers the procedure to create whitelists from CSV files exported from the Device > Active Device List page or the Switches > Active OpenFlow Switch List page, which can be imported to AT-SESC as authentication data.

Note
If you need to create and import whitelists for both connected devices and OpenFlow Switches, Allied Telesis recommends that you create and import the whitelist for OpenFlow Switches first.
By importing OpenFlow Switches and adding locations of the switches first, you can group devices according to the OpenFlow Switch which they connect to.

Creating Authentication Data for OpenFlow Switches

The basic steps to register a large number of OpenFlow Switches to AT-SESC's database are as follows:
  1. Exporting a List of OpenFlow Switches
  2. Editing the List of Device MAC Addresses
  3. Importing the CSV File

Exporting a List of OpenFlow Switches

To export a list of active OpenFlow Switches to a CSV file, perform the following procedure:
  1. Open the Switches > Active OpenFlow Switch List page.

  2. Click the "Export to CSV" button at the top right corner of the page to download a CSV file.
    The default filename of an exported list is "channel.csv".

Editing the List of Device MAC Addresses

To edit the downloaded CSV file with a text editor, perform the following steps:
Note
Take a backup of the CSV file if necessary.

  1. Open the CSV file with a text editor that can handle UTF-8 character encoding.
    Assume that the CSV file has the following content.
    Note
    In the following example, the arrow (↓) is displayed at the end of the line to distinguish the line wrapping on the screen display and the line break of the actual data, but the CSV file actually exported does not include the arrow at the end of the line.
    Importing a CSV file which contains data characters outside of double-quotes causes an error.
      "#","table","Switch ID","Note","Datapath ID","Upstream Port","Account Group ID","%status","IPv4 Address","Protocol Version","Status","Manufacturer","Hardware Info","Software Info","Serial Number","Datapath Description","%ofs-port","Number","Name","MAC Address"
      "+","channel","","","000000005e005380","eth0","","%status","192.168.1.230","4","ready","Allied Telesis, Inc.","AT-TQ4600","1.2.0-0.2","None","None","%ofs-port","1","eth0","00:00:5e:00:53:80","%ofs-port","2","wlan0","00:00:5e:00:53:80"
      "+","channel","","","000000005e005381","eth0","group1","%status","192.168.1.231","4","ready","Allied Telesis, Inc.","AT-TQ4600","1.2.0-0.2","None","None","%ofs-port","1","eth0","00:00:5e:00:53:81","%ofs-port","2","wlan0","00:00:5e:00:53:81"
  2. Delete the comment for brevity.
    The first line is a comment line. You do not have to edit the comment lines because they are ignored when imported. You can safely delete them.

      "#","table","Switch ID","Note","Datapath ID","Upstream Port","Account Group ID","%status","IPv4 Address","Protocol Version","Status","Manufacturer","Hardware Info","Software Info","Serial Number","Datapath Description","%ofs-port","Number","Name","MAC Address"
      "+","channel","","","000000005e005380","eth0","","%status","192.168.1.230","4","ready","Allied Telesis, Inc.","AT-TQ4600","1.2.0-0.2","None","None","%ofs-port","1","eth0","00:00:5e:00:53:80","%ofs-port","2","wlan0","00:00:5e:00:53:80"
      "+","channel","","","000000005e005381","eth0","group1","%status","192.168.1.231","4","ready","Allied Telesis, Inc.","AT-TQ4600","1.2.0-0.2","None","None","%ofs-port","1","eth0","00:00:5e:00:53:81","%ofs-port","2","wlan0","00:00:5e:00:53:81"
  3. The eighth field ("%status") and the fields after it are ignored because they are not required for switch authentication data. You can safely delete them.
    Here, delete these fields together with the comma that precedes the eighth field.

      "+","channel","","","000000005e005380","eth0","","%status","192.168.1.230","4","ready","Allied Telesis, Inc.","AT-TQ4600","1.2.0-0.2","None","None","%ofs-port","1","eth0","00:00:5e:00:53:80","%ofs-port","2","wlan0","00:00:5e:00:53:80"
      "+","channel","","","000000005e005381","eth0","group1","%status","192.168.1.231","4","ready","Allied Telesis, Inc.","AT-TQ4600","1.2.0-0.2","None","None","%ofs-port","1","eth0","00:00:5e:00:53:81","%ofs-port","2","wlan0","00:00:5e:00:53:81"
  4. Rewrite the second field in each line from "channel" to "switch".
      "+","switch","","","000000005e005380","eth0",""
      "+","switch","","","000000005e005381","eth0","group1"
  5. In the third field, enter a unique Switch ID (for example, "AT-TQ4600-1", "AT-TQ4600-2") that is already registered with AT-SESC.
      "+","switch","AT-TQ4600-1","","000000005e005380","eth0",""
      "+","switch","AT-TQ4600-2","","000000005e005381","eth0","group1"
  6. Enter notes in the fourth fields.
    Here, enter "added by whitelist on 20XX/11" in the Note.
      "+","switch","AT-TQ4600-1","20XX/11 Register by Whitelist","000000005e005380","eth0",""
      "+","switch","AT-TQ4600-2","20XX/11 Register by Whitelist","000000005e005381","eth0","group1"
  7. Now the content of the switch whitelist is complete.
    Save the file in UTF-8.

Importing the CSV File

Import the CSV file to AT-SESC by taking the following steps.
Note that the CSV file edited earlier contains Account Group ID "group1", so it must be set in advance.
Set Account Group on the System settings > Account Group List page.
  1. Open the System Settings > Maintenance page.

  2. Click the "Browse" button under "Import authentication data", then specify the CSV file which you have edited.

  3. Import the downloaded data by clicking the button next to "Import the authentication data".
After AT-SESC confirms that the CSV is properly composed and its content is consistent with the existing authentication data, the new switches in the CSV file are added to AT-SESC's authentication database.

Creating Authentication Data for AMF Members

The basic steps to register a large number of AMF Members to AT-SESC's database are as follows:
  1. Exporting Active AMF Member List to a CSV File
  2. Editing the List of Device MAC Addresses
  3. Importing the CSV File

Exporting Active AMF Member List to a CSV File

To export a list of active AMF Members to a CSV file, perform the following procedure:
  1. Open the Switches > Active AMF Member List page.

  2. Click the "Export to CSV" button at the top right corner of the page to download a CSV file.
    The default filename of an exported CSV file is "amf_member_active.csv".

Editing the List of Device MAC Addresses

To edit the downloaded CSV file with a text editor, perform the following steps:
Note
Take a backup of the CSV file if necessary.
  1. Open the CSV file with a text editor that can handle UTF-8 character encoding.
    Assume that the CSV file has the following content.
    Note
    In the following example, the arrow (↓) is displayed at the end of the line to distinguish the line wrapping on the screen display and the line break of the actual data, but the CSV file actually exported does not include the arrow at the end of the line.
    Importing a CSV file which contains data characters outside of double-quotes causes an error.
      "#","table","Name","Domain Name","Datapath ID","","Account Group ID"
      "+","amf_member_active","AMF-Master","AMF-Master.local.AMF001.atmf","-","",""
      "+","amf_member_active","AMF-Member","AMF-Member.local.AMF001.atmf","-","","group1"
  2. Delete the comment for brevity.
    The first line is a comment line. You do not have to edit the comment lines because they are ignored when imported. You can safely delete them.

      "#","table","Name","Domain Name","Datapath ID","","Account Group ID"
      "+","amf_member_active","AMF-Master","AMF-Master.local.AMF001.atmf","-","",""
      "+","amf_member_active","AMF-Member","AMF-Member.local.AMF001.atmf","-","","group1"
  3. Rewrite the second field in each line from "amf_member_active" to "switch".
      "+","switch","AMF-Master","AMF-Master.local.AMF001.atmf","-","",""
      "+","switch","AMF-Member","AMF-Member.local.AMF001.atmf","-","","group1"
  4. Enter notes in the fourth fields.
    Here, enter "added by whitelist on 20XX/11" in the Note.
      "+","switch","AMF-Master","20XX/11 Register by Whitelist","-","",""
      "+","switch","AMF-Member","20XX/11 Register by Whitelist","-","","group1"
  5. Now the content of the switch whitelist is complete.
    Save the file in UTF-8.

Importing the CSV File

Import the CSV file to AT-SESC by taking the following steps.
Note that the CSV file edited earlier contains Account Group ID "group1", so it must be set in advance.
Set Account Group on the System settings > Account Group List page.
  1. Open the System Settings > Maintenance page.

  2. Click the "Browse" button under "Import authentication data", then specify the CSV file which you have edited.

  3. Import the downloaded data by clicking the button next to "Import the authentication data".
After AT-SESC confirms that the CSV is properly composed and its content is consistent with the existing authentication data, the new AMF Members in the CSV file are added to AT-SESC's authentication database.

Creating Authentication Data for Devices

The basic steps to register a large number of devices to AT-SESC are as follows:
  1. Selectively Auto-Detect Devices using the UnAuth Group
  2. Exporting a List of Devices
  3. Editing the List of Device MAC Addresses
  4. Importing the CSV File

Selectively Auto-Detect Devices using the UnAuth Group

On the Group > Add UnAuth Group page, set up an UnAuth Group so that the devices targeted for the whitelist are detected as members of the UnAuth Group.
By using the UnAuth Group, you can get a list of devices which are in a particular location or schedule.
Refer to the Manually Adding Devices > Registering Location and Adding Devices from List > Detecting Devices Using the UnAuth Group in Quick Tour for the detailed instructions on how to add Locations and the UnAuth Groups.

Exporting a List of Devices

To export a list of Device MAC addresses to a CSV file, perform the following procedure:
Note
Searching or filtering devices on the screen does not affect the content of an exported CSV file. All devices are exported to CSV even though some of them are filtered out and not displayed on the screen.
  1. Open the Device > Active Device List page.

  2. Click the "Export to CSV" button at the top right corner of the page to download a CSV file.
    The default filename of an exported device list is "client.csv".

Editing the List of Device MAC Addresses

To edit the downloaded CSV file with a text editor, perform the following steps:
Note
Take a backup of the CSV file if necessary.
  1. Open the CSV file with a text editor that can handle UTF-8 character encoding.
    Assume that the CSV file has the following content.
    Note
    In the following example, the arrow (↓) is displayed at the end of the line to distinguish the line wrapping on the screen display and the line break of the actual data, but the CSV file actually exported does not include the arrow at the end of the line.
    Importing a CSV file which contains data characters outside of double-quotes causes an error.
      "#","table","Device ID","Note","Tag","%ports","%port","MAC Address","Name","Note","%status","IPv4 Address","Action","Updated Date / Time","VLAN ID","Action Originator","Action Reason"
      "+","client","","","","%ports","%port","00:00:5e:00:53:30","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
      "+","client","","","","%ports","%port","00:00:5e:00:53:31","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
      "+","client","","","","%ports","%port","00:00:5e:00:53:32","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
  2. Delete the comment for brevity.
    The first line is a comment line. You do not have to edit the comment lines because they are ignored when imported. You can safely delete them.

      "#","table","Device ID","Note","Tag","%ports","%port","MAC Address","Name","Note","%status","IPv4 Address","Action","Updated Date / Time","VLAN ID","Action Originator","Action Reason"
      "+","client","","","","%ports","%port","00:00:5e:00:53:30","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
      "+","client","","","","%ports","%port","00:00:5e:00:53:31","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
      "+","client","","","","%ports","%port","00:00:5e:00:53:32","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
  3. Searching or filtering devices on the Device > Active Device List page does not affect the content of an exported CSV file.
    If there are devices which do not belong to the UnAuth Group (i.e. Connected, Quarantined, Blocked and Authentication Failed), the exported CSV file contains their MAC Addresses as well. The status of each device is written in the 12th field of the CSV.
    Delete every line where the 12th field is anything other than "Detected".

  4. The 11th field ("%status") and the fields after it are not used for importing because they are not required for authentication data. You can safely delete them.
    Here, delete these fields together with the comma that precedes the 11th field.
      "+","client","","","","%ports","%port","00:00:5e:00:53:30","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
      "+","client","","","","%ports","%port","00:00:5e:00:53:31","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
      "+","client","","","","%ports","%port","00:00:5e:00:53:32","","","%status","","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""
  5. Rewrite the second field in each line from "client" to "device".
      "+","device","","","","%ports","%port","00:00:5e:00:53:30","",""
      "+","device","","","","%ports","%port","00:00:5e:00:53:31","",""
      "+","device","","","","%ports","%port","00:00:5e:00:53:32","",""
  6. In the third field, enter a Device ID that does not duplicate one already registered in AT-SESC (e.g. "device1", "device2", "device3").
      "+","device","device1","","","%ports","%port","00:00:5e:00:53:30","",""
      "+","device","device2","","","%ports","%port","00:00:5e:00:53:31","",""
      "+","device","device3","","","%ports","%port","00:00:5e:00:53:32","",""
  7. Enter notes in the 4th fields and tags in the 5th fields depending on your needs.
    Here, enter "added by whitelist on 20XX/11" in the Note. Leave the tags blank.
      "+","device","device1","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:30","",""
      "+","device","device2","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:31","",""
      "+","device","device3","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:32","",""
  8. Enter interface names in the ninth fields and notes on the interfaces in the tenth fields if necessary.
    Here, enter "(Device ID)-1" (example: device1-1) for Name. Leave the note blank.
      "+","device","device1","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:30","device1-1",""
      "+","device","device2","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:31","device2-1",""
      "+","device","device3","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:32","device3-1",""
  9. If a Device ID is already registered in AT-SESC or duplicates another line in the CSV, only the last line is valid.
    If a device has more than one interface, repeat the 7th to 10th fields (i.e. "%port", "MAC Address", "Interface Name" and "Note").
    For example, to associate the MAC Addresses "00:00:5e:00:53:30" and "00:00:5e:00:53:31" in the above example with Device ID "device1", format the lines as follows:
      "+","device","device1","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:30","device1-1","","%port","00:00:5e:00:53:31","device1-2",""
      "+","device","device3","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:32","device3-1",""
  10. Now the content of the device whitelist is complete.
    When security policy is not required for the devices, save the CSV file in UTF-8 and proceed to "Importing the CSV File".

  11. If you want to attach security policies to the devices, put a rule record ("table" = "rule") right after each device record ("table" = "device").
    As an example, the following security policy is set for all devices.
    Note
    Elements referenced by the security policy should have been already registered in AT-SESC's database. For example, when you are uploading a CSV file containing device records, if any of Location ID, Schedule ID, Network ID, Switch ID and Switch Port referenced by the devices' security policies are missing in AT-SESC's database, the import fails and authentication data is not updated.

    Table 1: Security Policies
    Item Name          Value
    Priority           10
    OpenFlow Switch    AT-TQ4600-1
    Network            Sales
    Refer to "CSV File/Exportable Information" section's "Device" for more details on the format.
      "+","device","device1","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:30","device1-1",""
      "+","rule","device1","sesc.device","","pass","10","True","%options","m_ofs_name=AT-TQ4600-1","m_network_name=Sales"
      "+","device","device2","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:31","device2-1",""
      "+","rule","device2","sesc.device","","pass","10","True","%options","m_ofs_name=AT-TQ4600-1","m_network_name=Sales"
      "+","device","device3","added by whitelist on 20XX/11","","%ports","%port","00:00:5e:00:53:32","device3-1",""
      "+","rule","device3","sesc.device","","pass","10","True","%options","m_ofs_name=AT-TQ4600-1","m_network_name=Sales"

  12. Now the content of the device whitelist with the security policy is complete.
    Save the file in UTF-8.
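
The editing steps of the three procedures above, scripted as an added example (not part of the original guide and not Allied Telesis code). The function name `to_whitelist`, its `id_format` parameter and the "Blocked" sample row are assumptions made for illustration; whether an ID is already registered in AT-SESC still has to be checked separately.

```python
import csv
import io

# Exported table name -> table name the import expects (from the steps above).
TABLE_MAP = {"channel": "switch", "amf_member_active": "switch", "client": "device"}

# Constructed sample: header and first row follow the page's client.csv example;
# the "Blocked" row is made up to show the filtering in step 3.
SAMPLE_CLIENT_CSV = (
    '"#","table","Device ID","Note","Tag","%ports","%port","MAC Address","Name",'
    '"Note","%status","IPv4 Address","Action","Updated Date / Time","VLAN ID",'
    '"Action Originator","Action Reason"\n'
    '"+","client","","","","%ports","%port","00:00:5e:00:53:30","","","%status",'
    '"","Detected","20XX-11-22 17:32:29","No Connection","sesc.unauthGroup",""\n'
    '"+","client","","","","%ports","%port","00:00:5e:00:53:33","","","%status",'
    '"","Blocked","20XX-11-22 17:32:29","No Connection","",""\n'
)


def to_whitelist(exported_text, note, id_format="device{n}"):
    """Convert an exported active-list CSV into importable authentication data."""
    rows, seen, n = [], set(), 0
    for row in csv.reader(io.StringIO(exported_text)):
        if not row or row[0] != "+":          # "#" comment lines are dropped
            continue
        table = row[1]
        if table not in TABLE_MAP:
            raise ValueError(f"unexpected table name: {table!r}")
        if "%status" in row:
            cut = row.index("%status")
            status = row[cut + 1:]            # fields that follow the marker
            # Device exports: whitelist only what the UnAuth Group detected,
            # never Blocked, Quarantined or other entries.
            if table == "client" and (len(status) < 2 or status[1] != "Detected"):
                continue
            row = row[:cut]                   # status fields are not auth data
        row[1] = TABLE_MAP[table]
        if not row[2]:                        # assign an ID only where missing
            n += 1
            row[2] = id_format.format(n=n)
        if row[2] in seen:                    # a duplicate ID would silently
            raise ValueError(f"duplicate ID: {row[2]}")  # replace an earlier line
        seen.add(row[2])
        row[3] = note
        if table == "client":                 # name interfaces "<Device ID>-<k>"
            ports = [i for i, field in enumerate(row) if field == "%port"]
            for k, i in enumerate(ports, start=1):
                row[i + 2] = f"{row[2]}-{k}"
        rows.append(row)
    out = io.StringIO()
    # QUOTE_ALL because data outside double quotes makes the import fail.
    csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_whitelist(SAMPLE_CLIENT_CSV, "added by whitelist on 20XX/11"), end="")
```

Write the returned text to a file encoded as UTF-8 before importing it.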

Importing the CSV File

Import the CSV file to AT-SESC by taking the following steps.
  1. Open the System Settings > Maintenance page.

  2. Click the "Browse" button under "Import authentication data", then specify the CSV file which you have edited.

  3. Import the downloaded data by clicking the button next to "Import the authentication data".
After AT-SESC confirms that the CSV is properly composed and its content is consistent with the existing authentication data, the new devices in the CSV file are added to AT-SESC's authentication database.



14 Jun 2021 09:30