EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?


Userlevel 3
Hello Community,

I'm looking for details on whether clients connected to "auth-reqd" ports will still have connectivity if the RADIUS/NetSight server is offline.

set multiauth mode multi
set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
set multiauth port mode force-auth ge.1.1
set multiauth port mode force-auth ge.1.2
set multiauth port mode auth-reqd ge.1.3
set multiauth port mode force-auth ge.1.4
set multiauth port mode auth-reqd ge.1.5
[..]

Thanks,

Jan

6 replies

Userlevel 3
BTW, with regard to auth-reqd vs. force-auth:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-disable-authentication-on-a-port-to...
Userlevel 6
Force-auth = the port is authorized; no authentication will happen
Auth-reqd = no traffic will pass until an Accept is received

The third option is authentication optional (auto) = if the auth is not successful, then the default port config is used (VLAN, default policy, QoS...)

You can have more RADIUS servers = to accomplish HA
Userlevel 2
Just to add to Zdenek's points. If you are using ExtremeControl for NAC, then you can deploy two ExtremeControl NAC Engines (there is no extra licensing cost) that sync up from the XMC Server upstream, so the switch will fail over from the primary RADIUS engine to the secondary RADIUS engine without disruption to network access.

Shmulik
Userlevel 3
Thanks for the clarification! As a follow-up: What happens on one auth-reqd port with, let's assume, a 5-port SOHO switch connected to it? Does the Enterasys switch allow/disallow connected clients separately as well? Verbose: Multiple clients connected on a single Enterasys port through an additional unmanaged switch. Is NAC access still working at an individual frame level? Thanks, Jan
Userlevel 6
You can limit the number of concurrently authenticated MACs by CLI or XMC (NetSight), and there is also a hardware limit; the hardware limit differs for D2, B2, B3, C3, C5, XOS...

Each MAC address is authenticated and can be authorized with a different policy profile (VLAN, QoS, rules).
Userlevel 2
It depends on whether the switch is configured for single-auth or multi-auth on the port. If single-auth, then only the first MAC is authenticated and the following MACs will flow through untagged without authentication. If the port is configured for multi-auth, then each MAC will get authenticated and assigned its own specific VLAN, even though it is coming from a SOHO switch connected to the port.

Thanks!

Shmulik

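The behaviour described across the replies (force-auth vs. auth-reqd vs. auto, RADIUS failover between two NAC engines, per-MAC sessions behind an unmanaged switch, single-auth vs. multi-auth, and a concurrent-MAC limit) can be captured in a small model. The following is an added example, not Extreme's or Enterasys's code and not the thread's own: it is a constructed simulation in which the class names, the `default_vlan` of 1, the `max_macs` limit of 4, the MAC addresses and the VLAN numbers are all assumptions chosen for illustration. It treats "no reachable server" the same as a reject from the port's point of view, which is the auth-reqd outcome the replies describe.

```python
# Constructed model of an EOS-style port authenticator (added example; not Extreme's code).
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PortMode(Enum):
    FORCE_AUTH = "force-auth"   # port authorized, no authentication happens
    AUTH_REQD = "auth-reqd"     # nothing passes until a RADIUS Access-Accept arrives
    AUTO = "auto"               # on failure, fall back to the port's default config


@dataclass
class RadiusServer:
    name: str
    reachable: bool
    # Constructed "user database": MAC -> VLAN returned in the Access-Accept.
    accepted: Dict[str, int] = field(default_factory=dict)


@dataclass
class Port:
    mode: PortMode
    multiauth: bool = True          # multi-auth (per MAC) vs single-auth (first MAC only)
    default_vlan: int = 1           # assumed default port config
    max_macs: int = 4               # assumed concurrent authenticated-MAC limit
    sessions: Dict[str, int] = field(default_factory=dict)  # authorized MAC -> VLAN


def radius_auth(servers: List[RadiusServer], mac: str) -> Tuple[str, Optional[int]]:
    """Try the servers in order. An unreachable server is skipped (failover to the
    next engine); the first reachable one decides. Returns ('accept', vlan),
    ('reject', None), or ('timeout', None) when no server answered at all."""
    for srv in servers:
        if not srv.reachable:
            continue
        if mac in srv.accepted:
            return "accept", srv.accepted[mac]
        return "reject", None
    return "timeout", None


def handle_frame(port: Port, servers: List[RadiusServer], mac: str) -> Tuple[str, Optional[int]]:
    """Return ('forward', vlan) or ('drop', None) for a frame from `mac` on `port`."""
    if port.mode is PortMode.FORCE_AUTH:               # authorized without authentication
        return "forward", port.default_vlan
    if mac in port.sessions:                           # existing authorized session
        return "forward", port.sessions[mac]
    if not port.multiauth and port.sessions:           # single-auth: only the first MAC is
        return "forward", port.default_vlan            # authenticated; later MACs ride through
    if len(port.sessions) >= port.max_macs:            # concurrent-MAC limit reached
        return "drop", None
    result, vlan = radius_auth(servers, mac)
    if result == "accept":
        port.sessions[mac] = vlan                      # per-MAC session with its own VLAN
        return "forward", vlan
    if port.mode is PortMode.AUTH_REQD:                # reject or no answer: nothing passes
        return "drop", None
    return "forward", port.default_vlan                # auto: default port config applies


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Thread scenario: primary NAC engine down, secondary engine up, multi-auth port."""
    primary = RadiusServer("nac-primary", reachable=False, accepted={"00:11:22:33:44:55": 20})
    secondary = RadiusServer("nac-secondary", reachable=True, accepted={"00:11:22:33:44:55": 20})
    port = Port(PortMode.AUTH_REQD, multiauth=True)
    out = {}
    out["known_mac_failover"] = handle_frame(port, [primary, secondary], "00:11:22:33:44:55")
    out["unknown_mac"] = handle_frame(port, [primary, secondary], "aa:bb:cc:dd:ee:ff")
    out["all_servers_down"] = handle_frame(Port(PortMode.AUTH_REQD), [primary], "00:11:22:33:44:55")
    out["all_down_auto"] = handle_frame(Port(PortMode.AUTO), [primary], "00:11:22:33:44:55")
    return out


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
```

The `demo()` function walks the original question: with the primary engine unreachable, a known MAC still gets its VLAN from the secondary engine, an unknown MAC is dropped on an auth-reqd port, and when no engine answers at all the auth-reqd port drops everything while an auto port falls back to its default VLAN. Running `handle_frame` repeatedly with different MACs on a `multiauth=False` port reproduces Shmulik's single-auth point: only the first MAC is authenticated, the rest are forwarded on the default VLAN without a session.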