Solved

NAC authentication and mgmt authentication with the same radius servers

  • 1 August 2019

Userlevel 4
In my test environment I have a switch (X440G2 22.7.1.2) configured for NAC with two radius servers.

In the AAA configuration I see two netlogin radius entries, the radius mgmt-access is disabled, and the policy works fine.

As an expansion of the configuration, I also want management requests to be handled by the radius servers.
So I configure the same radius servers as for authentication.

Now I see in the AAA configuration that the netlogin rules are replaced by mgmt-access rules and that the radius netlogin is disabled.

Can't I use the same radius servers for mgmt as for authentication?

Best answer by Johan Hendrikx 6 August 2019, 07:56

Userlevel 6
Hello,

You can use the same RADIUS server for mgmt and network authentication. You must set the Au

Make sure that the X440G2 is set to "Any Access":

Userlevel 4
When I change the auth access type to any access, the only configuration rules are the radius mgmt-access rules.
radius mgmt-access and radius netlogin are enabled.
There are no config rules for netlogin.
Userlevel 6
Hello Johan,

I'm not sure what you mean by config rules for netlogin.

Are you referring to XMC control rules that determine authorization levels?

Are you referring to switch configuration to enable netlogin for mac/802.1x auth on a per port or global basis?


Thanks
-Ryan
Userlevel 4
I'm referring to the switch configuration of the AAA section.

At the moment I configure the management radius, the config of the primary and secondary engines is gone.

Config examples:

Switch is configured for only the primary and secondary engines.

configure radius 1 server 1812 client-ip vr VR-Default
configure radius 1 shared-secret encrypted "#$QHoAV1JRHL25Psky9286ihA/eQb5twIipuhGzDsLDrL3fId9ua4zlQA6tElrf8XmjmCsk55g"
configure radius 2 server 1812 client-ip vr VR-Default
configure radius 2 shared-secret encrypted "#$3YuouBFWEkEJ3aeHDxVM+YcELVg0sPdr67z3lZouVh/r+QyCfaG/bfQ7GI1MPpu/X5ed7Xc1"
configure radius-accounting 1 server 10.2.112.2 1813 client-ip 10.2.112.209 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$qdZB1R6z+Up25O4vjfhESlE3MvJhBdSaOdCuaG/stlu6uNlfXpNJbAdUMTFwdifnKnPlmCFc"
configure radius-accounting 1 timeout 10
configure radius-accounting 2 server 10.2.113.2 1813 client-ip 10.2.112.209 vr VR-Default
configure radius-accounting 2 shared-secret encrypted "#$6ygkfu3I9oANOxxLOXakeFXo1/6A38wnFhe1gWuENAqkCzjZI158UJ/UNs3XviNa0DnZ/Xrw"
configure radius-accounting 2 timeout 10
enable radius
enable radius mgmt-access
enable radius netlogin

Switch is configured for both engines and both management radius servers:

configure radius mgmt-access 1 server 1812 client-ip vr VR-Default
configure radius 1 shared-secret encrypted "#$fipO29phKcl+o6SgtbPEZ6unyZrmd6sZ+nT58kRLJJFVq1lx0QXIXO5QyxHrm5y6rzWgp7H6"
configure radius mgmt-access 2 server 1812 client-ip vr VR-Default
configure radius 2 shared-secret encrypted "#$la/QbhlmQf2p7xkkNHgaE2pR9SWjFaQ7cGCbBbr3BueEieI5Iy65o7XwAqNXx2DLlECTwJBp"
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin

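A small checker for the symptom in the two snippets above, added here as an example (not part of the original post and not an Extreme Networks tool): it parses the `configure radius ... server` and `enable radius` lines from a saved EXOS configuration and flags any scope that is enabled but has no server. It assumes, as the thread shows, that a server line with no scope keyword serves both mgmt-access and netlogin while a `mgmt-access`-scoped line serves only management; the IP addresses are placeholders.

```python
import re

SCOPES = ("mgmt-access", "netlogin")

# "configure radius [mgmt-access|netlogin] <idx> server <ip> <port> client-ip <ip> vr <vr>"
SERVER_RE = re.compile(
    r"^configure radius (?:(mgmt-access|netlogin) )?(\d+|primary|secondary) server\s+(\S+)"
)
# "enable radius [mgmt-access|netlogin]" / "disable radius [mgmt-access|netlogin]"
ENABLE_RE = re.compile(r"^(enable|disable) radius(?: (mgmt-access|netlogin))?\s*$")


def audit_radius_auth(config_text):
    """Return ({scope: {"enabled": bool, "servers": {index: ip}}}, findings)."""
    state = {s: {"enabled": False, "servers": {}} for s in SCOPES}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            scope, idx, ip = m.groups()
            # Assumption (matches the thread): an unscoped server line serves both
            # scopes; a scoped line serves only the named scope.
            for s in ([scope] if scope else SCOPES):
                state[s]["servers"][idx] = ip
            continue
        m = ENABLE_RE.match(line)
        if m:
            action, scope = m.groups()
            for s in ([scope] if scope else SCOPES):
                state[s]["enabled"] = action == "enable"
    findings = [
        f"radius {s} is enabled but no RADIUS server is configured for {s}"
        for s in SCOPES if state[s]["enabled"] and not state[s]["servers"]
    ]
    return state, findings


# Constructed samples modelled on the two snippets in the thread (placeholder IPs).
WORKING = """
configure radius 1 server 192.0.2.10 1812 client-ip 192.0.2.1 vr VR-Default
configure radius 2 server 192.0.2.11 1812 client-ip 192.0.2.1 vr VR-Default
enable radius
enable radius mgmt-access
enable radius netlogin
"""
BROKEN = """
configure radius mgmt-access 1 server 192.0.2.10 1812 client-ip 192.0.2.1 vr VR-Default
configure radius mgmt-access 2 server 192.0.2.11 1812 client-ip 192.0.2.1 vr VR-Default
enable radius
enable radius mgmt-access
enable radius netlogin
"""

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("broken", BROKEN)):
        print(name, audit_radius_auth(cfg)[1] or "OK")
```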
Userlevel 6
Hello,

Remove the "Management RADIUS server" and "Management RADIUS server 2" servers. Set them to none.

If you identify Primary Engine and Secondary Engine as the NAC appliances you only need to set the "Auth Access Type" to any. This will identify them to be used for netlogin and mgmt access and configure the switch accordingly.

That should configure the AAA to use the NAC appliances for both netlogin and mgmt login.

Thanks
-Ryan
Userlevel 4
Ryan,

I will test it
Userlevel 4
Ryan,

it works.

Thanks for your support.
