Hi Rien,
I am testing Web Authentication using A3 and EXOS switches.
The EXOS configuration is as follows.
# Module devmgr configuration.
configure snmp sysName "X440G2-1"
configure snmp sysContact "https://www.extremenetworks.com/support/"
configure timezone name JST 540 noautodst
# Module vlan configuration.
create vlan "VLAN_0100"
configure vlan VLAN_0100 tag 100
create vlan "VLAN_0200"
configure vlan VLAN_0200 tag 200
create vlan "VLAN_Netlogin"
configure vlan VLAN_0100 add ports 11-12,24 untagged
configure vlan VLAN_0200 add ports 24 tagged
configure vlan VLAN_0100 ipaddress <Management-IP>
# Module policy configuration.
configure policy captive-portal web-redirect 1 server 1 url "http://<A3-VIP>:80/Extreme::EXOS" enable
configure policy profile 1 name "Unregistered" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 2 name "Guest" pvid-status "enable" pvid 100 untagged-vlans 100
configure policy profile 3 name "Engineer" pvid-status "enable" pvid 200 untagged-vlans 200
configure policy rule 1 ipdestsocket <A3-VIP> mask 32 forward
configure policy rule 1 udpdestportIP 53 mask 16 forward
configure policy rule 1 udpdestportIP 67 mask 16 forward
configure policy rule 1 ether 0x0806 mask 16 forward
configure policy maptable response both
configure policy captive-portal listening 80
configure policy captive-portal listening 443
configure policy vlanauthorization enable
enable policy
# Module aaa configuration.
configure radius netlogin primary server <A3-VIP> client-ip <Management-IP> vr VR-Default
configure radius netlogin primary shared-secret encrypted <A3-Shared-Secret>
configure radius-accounting netlogin primary server <A3-VIP> client-ip <Management-IP> vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted <A3-Shared-Secret>
enable radius netlogin
# Module exsshd configuration.
enable ssh2
# Module iqagent configuration.
configure iqagent server vr VR-Default
# Module netLogin configuration.
enable netlogin mac web-based
configure netlogin mac authentication database-order radius
configure netlogin web-based authentication database-order radius
enable netlogin ports 11-23 mac
enable netlogin ports 11-23 web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
# Module netTools configuration.
configure dns-client add name-server <DNS-IP> vr VR-Default
configure bootprelay add <DHCP-IP> vr VR-Default
enable bootprelay ipv4 vlan VLAN_0100
enable bootprelay ipv4 vlan VLAN_0200
The A3 configuration is as follows.
# Roles
Guest
Engineer
REJECT
# Active Directory Domain
Identifier: AD
Workgroup: EXTREME
DNS Name of the Domain: extreme.co.jp
Active Directory Server: <AD/LDAP-IP>
DNS Server(s): <AD/LDAP-IP>
# Authentication Sources
Name: LDAP
Description: LDAP Server
Host: <AD/LDAP-IP>/636/SSL
Base DN: CN=Users,DC=extreme,DC=co,DC=jp
Scope: Subtree
User Name Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=extreme,DC=co,DC=jp
Password: <Password for Administrator>
Monitor: Enable
Associated Realms: Default, Null
Authentication Rules: Engineer, Catchall
Conditions: memberOf--equals--CN=Engineer,CN=Users,DC=extreme,DC=co,DC=jp
Actions: Role--Engineer
Access duration--5days
Authentication Rules: Catchall
Actions: Role--REJECT
Access duration--5days
# Device
IP Address/MAC Address/Range (CIDR): <Management-IP>
Description: X440-G2 Switch
Type: Extreme::EXOS
Mode: Production
External Portal Enforcement: Enable
# Connection Profile
Profile Name: EXOS_Connection
EXOS_Connection: EXOS_Connection Profile
Sources: LDAP
<Topology>
[pc]-----(P12)[exos](P24)-----(P24)[exos](P1)-----[A3]
(P2)-----[AD/LDAP with DNS/DHCP]