10-12-2020 07:33 AM
Dear All
I'm trying to enable Extreme NAC for Cisco switches. It works fine for client switch access ports. For access points (local breakout), I'm trying to get a trunk interface with the management VLAN untagged and the data VLANs tagged.
For XOS switches, I can create a policy with the needed VLAN egress config.
But I can't enforce this role configuration on Cisco switches.
How can I achieve that for Cisco switches with Extreme NAC?
10-15-2020 11:53 AM
Hi Miguel
Yes sure, I can share my Cisco config. In the meantime, I tested NEAT as well and it seems to be easier than using a macro.
! Variant 1: Auto Smart Port (ASP) macro, triggered by the RADIUS attribute below
conf t
no macro auto global control device
no macro auto global control trigger
macro auto global processing
macro auto execute AP_TRUNK {
if [[ $LINKUP == YES ]]
then conf t
 ! link up with the AP_TRUNK trigger: turn the port into an AP trunk
 default interface $INTERFACE
 interface $INTERFACE
  description AP_TRUNK
  macro description $TRIGGER
  switchport trunk allowed vlan ##VLAN-LIST##
  switchport trunk native vlan ##VLAN##
  switchport mode trunk
  spanning-tree portfast trunk
  macro auto processing
 exit
fi
if [[ $LINKUP == NO ]]
then conf t
 ! link down: revert the port to the plain NAC access-port configuration
 default interface $INTERFACE
 interface $INTERFACE
  description NAC
  no switchport trunk allowed vlan
  no switchport trunk native vlan
  switchport mode access
  macro auto processing
  authentication control-direction in
  authentication event server dead action authorize
  authentication event server dead action authorize voice
  authentication event server alive action reinitialize
  authentication host-mode multi-host
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  snmp trap mac-notification change added
  snmp trap mac-notification change removed
  dot1x pae authenticator
  dot1x timeout tx-period 10
  no macro description $TRIGGER
 exit
fi
}
int range ##INTERFACE-RANGE##
 macro auto processing
RADIUS attribute: Cisco-AVPair=auto-smart-port=AP_TRUNK
! Variant 2: NEAT with an interface template, selected by the RADIUS attribute below
cisp enable
!
template AP_TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
RADIUS attribute: Cisco-AVPair=interface-template-name=AP_TRUNK
Comparison Smart Port vs. Macro:
top regards
Michael
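Both variants in the post above are selected purely by a Cisco-AVPair value that the NAC server returns in the RADIUS Access-Accept. The following is an added example, not code from the post or from Extreme/Cisco: it encodes and decodes the Cisco-AVPair vendor-specific attribute (RFC 2865 Vendor-Specific, type 26, Vendor-Id 9, vendor-type 1) so you can see exactly what bytes carry `auto-smart-port=AP_TRUNK` and `interface-template-name=AP_TRUNK`, and it checks the attribute lengths a switch would reject. The sample Access-Accept attribute list is constructed here for illustration; the Filter-Id value `NAC_ACL` in it is a made-up placeholder.

```python
"""Encode/decode the Cisco-AVPair RADIUS VSA used to hand a Cisco switch an
Auto Smart Port macro name or an interface-template name.

Added example, not code from the original post.  Wire layout follows
RFC 2865 section 5.26 (Vendor-Specific, type 26); Cisco's Vendor-Id is 9 and
the cisco-avpair sub-attribute has vendor-type 1.
"""
import struct
from typing import Dict, List, Optional

ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_VENDOR_TYPE = 1


def encode_cisco_avpair(avpair: str) -> bytes:
    """Return one RADIUS Vendor-Specific attribute carrying Cisco-AVPair=<avpair>.

    Layout: type(1) length(1) Vendor-Id(4) vendor-type(1) vendor-length(1) string.
    Both length bytes include their own headers, and the whole attribute must
    fit in one byte of length (<= 255) or the switch will reject the packet.
    """
    payload = avpair.encode("ascii")
    vendor_len = 2 + len(payload)          # vendor-type + vendor-length + string
    attr_len = 2 + 4 + vendor_len          # type + length + Vendor-Id + vendor data
    if attr_len > 255:
        raise ValueError("avpair too long for a single RADIUS attribute")
    return (struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, attr_len, CISCO_VENDOR_ID)
            + struct.pack("!BB", CISCO_AVPAIR_VENDOR_TYPE, vendor_len)
            + payload)


def decode_cisco_avpairs(attrs: bytes) -> List[str]:
    """Walk a RADIUS attribute list and return every Cisco-AVPair string in it.

    Non-VSA attributes and VSAs of other vendors are skipped; malformed
    lengths raise instead of being silently truncated.
    """
    found: List[str] = []
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4                               # one VSA may carry several sub-attributes
        while j + 2 <= len(body):
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR_VENDOR_TYPE:
                found.append(body[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return found


def port_provisioning(avpairs: List[str]) -> Dict[str, Optional[str]]:
    """Map decoded avpairs onto the two provisioning keys used in the thread."""
    result: Dict[str, Optional[str]] = {"auto-smart-port": None,
                                        "interface-template-name": None}
    for pair in avpairs:
        key, sep, value = pair.partition("=")
        if sep and key in result:
            result[key] = value
    return result


# Constructed sample (not a real capture): attribute portion of an Access-Accept
# that carries a Filter-Id plus both Cisco-AVPairs from the post.
SAMPLE_ACCEPT_ATTRS = (
    bytes([ATTR_FILTER_ID, 2 + len(b"NAC_ACL")]) + b"NAC_ACL"
    + encode_cisco_avpair("auto-smart-port=AP_TRUNK")
    + encode_cisco_avpair("interface-template-name=AP_TRUNK")
)

if __name__ == "__main__":
    pairs = decode_cisco_avpairs(SAMPLE_ACCEPT_ATTRS)
    print(pairs)
    print(port_provisioning(pairs))
```

The decoder deliberately handles several avpairs in one reply because that is what the thread is about: the NAC can send both `auto-smart-port` and `interface-template-name` at once, and whether the switch acts on one, the other or neither is a switch-side matter that this code does not decide.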
11-09-2020 12:35 PM
Hi Stephan
It looks like if you use new-style config mode, changing the authentication host-mode is supported via template.
Unfortunately, not all of my switches support new-style, so this is not a way for me to go. So I won't test it.
Up to now I had it working to send both RADIUS attributes (template and smart-port) to the switch. But the switch does not handle both of the
11-05-2020 08:31 AM
Hello Stephan
Yes you're right, you can't change the authentication host-mode via port template. But with macros it works. What I'm trying to do is to do most of the needed config via port template and just change the authentication host-mode with a macro. But up to now I didn't get it working to send both Cisco-AVPair attributes via NAC. I'm still working on it.
best regards
Michael
11-03-2020 07:08 AM
Hello Michael,
how did you solve authentication with NEAT and Extreme APs?
Normally for a standard port (printer, PC, ...) "authentication host-mode multi-auth" is a good choice to authenticate every client separately (if more than one is present).
If you plug an AP into the port, "authentication host-mode multi-host" is a better choice to authenticate only the first device (=AP). All wireless clients are authenticated via the wireless controller.
If you use "multi-auth" with an Access Point on the port you will authenticate every wireless client twice. From WLAN and from LAN.
I hoped there was a way to change the "authentication host-mode" via the port template but it seems that's not possible.
How do you handle that?
10-15-2020 07:05 AM
Michael,
Would you share the config?
I'm interested in the config lines for Cisco and the definition of the RADIUS attributes.
Thanks
Mig