Cisco Trunk Interface with Extreme NAC


michael_klaus
New Contributor III

Dear All

 

I’m trying to enable Extreme NAC for Cisco switches. It works fine for clients on switch access ports. For access points (local breakout), I’m trying to get a trunk interface with the management VLAN untagged and the data VLANs tagged.

For XOS switches, I created a role with the needed VLAN egress config

But I can’t enforce this role configuration on Cisco switches

How can I achieve that for Cisco switches with Extreme NAC?

1 ACCEPTED SOLUTION

michael_klaus
New Contributor III

Hi Miguel

 

Yes sure, I can share my Cisco config. In the meantime, I tested NEAT as well and it seems to be easier than using a macro.

 

Macro

conf t
no macro auto global control device
no macro auto global control trigger
macro auto global processing
!
macro auto execute AP_TRUNK {
 if [[ $LINKUP == YES ]]
 then conf t
  default interface $INTERFACE
  interface $INTERFACE
   description AP_TRUNK
   macro description $TRIGGER
   switchport trunk allowed vlan ##VLAN-LIST##
   switchport trunk native vlan ##VLAN##
   switchport mode trunk
   spanning-tree portfast trunk
   macro auto processing
  exit
 fi
 if [[ $LINKUP == NO ]]
 then conf t
  default interface $INTERFACE
  interface $INTERFACE
   description NAC
   no switchport trunk allowed vlan
   no switchport trunk native vlan
   switchport mode access
   macro auto processing
   authentication control-direction in
   authentication event server dead action authorize
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-host
   authentication order mab dot1x
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   no macro description $TRIGGER
  exit
 fi
}
!
interface range ##INTERFACE-RANGE##
 macro auto processing

Radius Attribute: Cisco-AVPair=auto-smart-port=AP_TRUNK

NEAT

cisp enable
!
template AP_TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk

Radius Attribute: Cisco-AVPair=interface-template-name=AP_TRUNK

 

Comparison Smart Port vs. NEAT:

best regards
Michael

View solution in original post
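As an added example (not part of the accepted solution above), the LINKUP==YES branch of the posted AP_TRUNK macro rendered from concrete values, with the checks a NAC admin would want before pushing it: every VLAN id in range, the native VLAN also present in the allowed list so untagged management traffic is not dropped, VLAN 1 refused as native, and no ##...## placeholder left unfilled. The native VLAN 100 comes from the NEAT template on this page; data VLANs 10 and 20 are constructed sample values.

```python
import re

# Added example, not part of the original post: render the AP_TRUNK smart-port
# macro body from the thread with concrete VLAN values and sanity-check them.
# The template mirrors the LINKUP==YES branch of the posted macro.
AP_TRUNK_TEMPLATE = """\
macro auto execute AP_TRUNK {
 if [[ $LINKUP == YES ]]
 then conf t
  default interface $INTERFACE
  interface $INTERFACE
   description AP_TRUNK
   macro description $TRIGGER
   switchport trunk allowed vlan ##VLAN-LIST##
   switchport trunk native vlan ##VLAN##
   switchport mode trunk
   spanning-tree portfast trunk
   macro auto processing
  exit
 fi
}"""

PLACEHOLDER = re.compile(r"##[A-Z-]+##")


def leftover_placeholders(config: str) -> list:
    """Return any ##...## tokens still present, so an unfilled macro is caught."""
    return PLACEHOLDER.findall(config)


def render_ap_trunk(native_vlan: int, data_vlans) -> str:
    """Fill ##VLAN## (untagged management VLAN) and ##VLAN-LIST## (allowed list).

    The allowed list must carry the native VLAN as well; otherwise the AP's
    untagged management traffic is dropped on the trunk.
    """
    data_vlans = sorted(set(int(v) for v in data_vlans))
    for v in [native_vlan, *data_vlans]:
        if not 1 <= v <= 4094:
            raise ValueError(f"VLAN {v} outside 1-4094")
    if native_vlan == 1:
        # The default VLAN should never be the untagged VLAN on an AP trunk.
        raise ValueError("refusing VLAN 1 as native VLAN")
    if native_vlan in data_vlans:
        raise ValueError("native VLAN must not also be a tagged data VLAN")
    allowed = ",".join(str(v) for v in sorted([native_vlan, *data_vlans]))
    out = AP_TRUNK_TEMPLATE.replace("##VLAN-LIST##", allowed)
    out = out.replace("##VLAN##", str(native_vlan))
    assert not leftover_placeholders(out)
    return out
```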

michael_klaus
New Contributor III

Hi Stephan

It looks like if you use new-style config mode, changing the authentication host-mode is supported via template

Unfortunately, not all of my switches support new-style, so this is not a way for me to go. So I won’t test it.

 

Up to now I had it working to send both radius attributes (template and smart-port) to the switch. But the switch does not handle both of the

michael_klaus
New Contributor III

Hello Stephan

Yes you’re right, you can’t change the authentication host-mode via port template. Yet with macros it works. What I’m trying to do is to do all of the needed config via port template and only change the authentication host-mode with a macro. But up to now I didn’t get it working to send both Cisco-AVPair attributes via NAC. I’m still working on it.

 

best regards

Michael

StephanH
Valued Contributor III

Hello Michael,

how did you solve authentication with NEAT and Extreme APs?

Normally for a standard port (printer, PC, ...) “authentication host-mode multi-auth” is a good choice to authenticate every client separately (if more than one is present).

If you plug an AP into the port, “authentication host-mode multi-host” is a better choice to authenticate only the first device (=AP). All wireless clients are authenticated via the wireless controller.

If you use “multi-auth” with an access point on the port you will authenticate every wireless client twice. From WLAN and from LAN.

I hoped there is a way to change the “authentication host-mode” via the port template but it seems that’s not possible.

How do you handle that?

 

Regards Stephan

Miguel-Angel_RO
Valued Contributor II

Michael,

 

Would you share the config?

I’m interested in the config lines for Cisco and the definition of the radius attributes.

Thanks

Mig
