Redundancy between two NAC instances


Userlevel 4
Hello, everybody,

How could I set up redundancy between two NAC instances?

I have set up MAC and 802.1X auth on my switches, but it only works while NAC is alive, so it's kind of a time bomb: when NAC is offline nothing works. I want to set up redundancy - is it possible?

Many thanks in advance

Ilya

13 replies

Userlevel 4
Install a second NAC Gateway and configure the switches for two NAC Gateways.

br
Volker
Userlevel 6
The switch will ask the first RADIUS server; if it does not answer, it will ask the second RADIUS server. You can have HA.
Userlevel 5
Hi, the best option would be to set up LSNAT on an S-Series switch. This creates a virtual address that almost works like NAT. This virtual address load balances over a server pool, in your case the two or more NACs. You then direct the RADIUS server setting on the switch or WiFi to this virtual address. You can choose the method used to load balance across the server pool. Regards
Userlevel 4
Andre Brits Kannemeyer wrote:

Hi, the best option would be to set up LSNAT on an S-Series switch. This creates a virtual address that almost works like NAT. This virtual address load balances over a server pool, in your case the two or more NACs. You then direct the RADIUS server setting on the switch or WiFi to this virtual address. You can choose the method used to load balance across the server pool. Regards

Hi, Andre!

The S-Series costs like a Boeing)
Userlevel 5
Andre Brits Kannemeyer wrote:

Hi, the best option would be to set up LSNAT on an S-Series switch. This creates a virtual address that almost works like NAT. This virtual address load balances over a server pool, in your case the two or more NACs. You then direct the RADIUS server setting on the switch or WiFi to this virtual address. You can choose the method used to load balance across the server pool. Regards

The S-Series is the best SDN switch around with the CoreFlow2 chip; not a lot of switches can support all these features in one switch, but yes, not the price of an X440.....
Userlevel 4
Hi,

please check the KB below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-NAC-gateway-per-switch-for-redu...

Let us know if this answers your questions.

Thanks,
Suresh.B
Userlevel 4
Thanks, gentlemen, so I will make my question more specific. This is my RADIUS configuration on the switch:

configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

Would it be enough to just add these lines here:

configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"

where 192.168.23.24 is the secondary NAC? And add the switch to the secondary NAC, for sure...
Userlevel 6
If you use up-to-date firmware and you specified CLI credentials, then the only thing you need to do is: add the second engine to the group; add/modify the switch in XMC (NetSight) to refer to both engines, define VR, realm, accounting enable...; enforce the configuration. The engine will configure your switch through the CLI properly. Just wait 2-5 minutes. You do not need to add those two lines manually, but you can 🙂 Regards. Z.
Userlevel 4
Pala, Zdenek wrote:

If you use up-to-date firmware and you specified CLI credentials, then the only thing you need to do is: add the second engine to the group; add/modify the switch in XMC (NetSight) to refer to both engines, define VR, realm, accounting enable...; enforce the configuration. The engine will configure your switch through the CLI properly. Just wait 2-5 minutes. You do not need to add those two lines manually, but you can 🙂 Regards. Z.

Hi, Zdenek,

What do you mean?))))

1) "use up-to-date firmware" - what are you talking about???????)

2) "Add the second engine to the group" - what is the group? How do I add it there?

3) "Add/modify the switch in XMC (NetSight) to refer to both engines"

Now I have only:

[screenshot not included on this page]

Where 192.168.128.160 is the primary NAC. Interestingly, the only switch I've added to the primary also appeared on the secondary (without my actions).

In my config the switch sends user data like IP, NetBIOS name, MAC, AD account, OS version and family to NetSight. I want to push this config to all my switches.

Many thanks to you!!!
Userlevel 6
Pala, Zdenek wrote:

If you use up-to-date firmware and you specified CLI credentials, then the only thing you need to do is: add the second engine to the group; add/modify the switch in XMC (NetSight) to refer to both engines, define VR, realm, accounting enable...; enforce the configuration. The engine will configure your switch through the CLI properly. Just wait 2-5 minutes. You do not need to add those two lines manually, but you can 🙂 Regards. Z.

Hi Ilya.

1. I am sure it works with 22.x firmware; I do not remember with what version it started to work.

2. You can have engines in groups. In your picture there is a group called "all Access Control Engines".

On your screenshot, please click on switches and send a screenshot of the settings.
Please investigate the logs to see why the Access Control Engine is not able to configure your switch through the CLI. Usually the issue is related to the firewall, credentials or old firmware.

Z.
Userlevel 4
Pala, Zdenek wrote:

If you use up-to-date firmware and you specified CLI credentials, then the only thing you need to do is: add the second engine to the group; add/modify the switch in XMC (NetSight) to refer to both engines, define VR, realm, accounting enable...; enforce the configuration. The engine will configure your switch through the CLI properly. Just wait 2-5 minutes. You do not need to add those two lines manually, but you can 🙂 Regards. Z.

Thanks, Zdenek! I've got it(

80% of the switches are X430 family, which can't run EXOS 22 code(

Will my configuration with manual addition of the secondary NAC on the switches work?
Userlevel 4
Hi,

Agreed,
once you enforce from NAC, the switch will be configured for both the primary and the secondary server.

Thanks,
Suresh.B
Userlevel 4
I applied the configuration on Friday, January 12th. On Tuesday, January 16th there is nothing related to the secondary NAC on the switch. So, it is not so easy.... Something doesn't work.
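
The two practical questions in this thread are whether the manual secondary lines shown in Ilya's RADIUS configuration post are complete, and how to tell afterwards (as in the last post, where nothing about the secondary NAC showed up on the switch) whether a switch actually ended up with redundant NetLogin RADIUS servers. The following script is an added example, not code from the thread or from Extreme Networks: it parses the `configure radius[-accounting] netlogin <primary|secondary> server ...` lines in the exact form the thread's config dump uses, reports per switch which of the four server roles (authentication and accounting, primary and secondary) are missing or misconfigured, and prints the command lines that would add a missing secondary, mirroring port, client-ip and VR from the primary. The sample configurations are constructed for the example (the first one copies the config posted above; the second and third are made up), the `audit`/`parse_netlogin_servers` names are my own, and the shared-secret line is emitted with a placeholder because the secret cannot be read from a config dump.

```python
"""Audit EXOS switch configs for NetLogin RADIUS redundancy.

Added example, not code from the thread or from Extreme Networks. Assumes the
'configure radius[-accounting] netlogin <role> server <ip> <port> client-ip
<ip> vr <name>' syntax exactly as shown in the thread's config dump.
"""
import re
from dataclasses import dataclass

# Matches one NetLogin RADIUS server line from 'show configuration'.
SERVER_RE = re.compile(
    r"^configure\s+(?P<kind>radius|radius-accounting)\s+netlogin\s+"
    r"(?P<role>primary|secondary)\s+server\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"client-ip\s+(?P<client_ip>\S+)\s+vr\s+(?P<vr>\S+)\s*$"
)

# All four roles a redundant setup needs (auth + accounting, primary + secondary).
ROLES = [("radius", "primary"), ("radius", "secondary"),
         ("radius-accounting", "primary"), ("radius-accounting", "secondary")]


@dataclass(frozen=True)
class RadiusServer:
    ip: str
    port: int
    client_ip: str
    vr: str


def parse_netlogin_servers(config_text):
    """Return {(kind, role): RadiusServer} for every server line found."""
    servers = {}
    for raw in config_text.splitlines():
        m = SERVER_RE.match(raw.strip())
        if m:
            servers[(m["kind"], m["role"])] = RadiusServer(
                m["ip"], int(m["port"]), m["client_ip"], m["vr"])
    return servers


def audit(config_text, secondary_ip):
    """Check one switch config; secondary_ip is the second NAC engine's address.

    Returns missing roles, consistency issues, and the commands that would add a
    missing secondary by mirroring the primary's port, client-ip and VR.
    """
    servers = parse_netlogin_servers(config_text)
    missing = [role for role in ROLES if role not in servers]
    issues, commands = [], []
    for kind in ("radius", "radius-accounting"):
        primary = servers.get((kind, "primary"))
        secondary = servers.get((kind, "secondary"))
        if primary is None:
            issues.append(f"{kind}: no primary server configured")
            continue
        if secondary is None:
            commands.append(
                f"configure {kind} netlogin secondary server {secondary_ip} "
                f"{primary.port} client-ip {primary.client_ip} vr {primary.vr}")
            # The secret is not recoverable from a dump; placeholder on purpose.
            commands.append(
                f"configure {kind} netlogin secondary shared-secret <SECRET>")
        elif secondary.ip == primary.ip:
            issues.append(f"{kind}: secondary points at the same IP as primary")
        elif secondary.vr != primary.vr:
            issues.append(f"{kind}: secondary uses VR {secondary.vr}, "
                          f"primary uses {primary.vr}")
    return {"servers": servers, "missing": missing, "issues": issues,
            "commands": commands, "redundant": not missing and not issues}


# Constructed sample 1: the single-NAC config posted in the thread.
SINGLE_NAC_CONFIG = """\
configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius
enable radius netlogin
"""

# Constructed sample 2: the same switch after the secondary lines were added.
REDUNDANT_CONFIG = SINGLE_NAC_CONFIG + """\
configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
"""

# Constructed sample 3: a 'secondary' that is really the primary again.
SAME_IP_CONFIG = REDUNDANT_CONFIG.replace("192.168.23.24", "192.168.23.23")


if __name__ == "__main__":
    for name, cfg in [("single", SINGLE_NAC_CONFIG),
                      ("redundant", REDUNDANT_CONFIG),
                      ("same-ip", SAME_IP_CONFIG)]:
        report = audit(cfg, "192.168.23.24")
        print(f"[{name}] redundant={report['redundant']} "
              f"missing={report['missing']} issues={report['issues']}")
        for cmd in report["commands"]:
            print("   ", cmd)
```

Feed it the output of `show configuration` from each switch (for example collected over SSH) to get a per-switch list of what is still missing; a switch that reports `redundant=True` has both an authentication and an accounting secondary that differ from the primary and sit in the same VR, which is what the manual lines in the thread are meant to achieve.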
