Try to walk through ExtremeControl docs here:
I'll try to make this short for you; if anything needs more clarification, just let us know or try to use the above resource.
First, add your managed devices to XMC with an appropriate access profile (most likely SSH, SNMPv3). Among these devices are your authenticating devices (RADIUS clients). Extreme Access Control should also be there after the initial appliance setup.
Once they are added and reachable, you can move to the Control section of the XMC GUI.
Over there you have several things to consider:
- AAA Config - here you specify the LDAP connection, the RADIUS server or the local credentials repository (or all of them); in the advanced view you can specify rules to determine what type of background check should occur against a certain device that tries to enter the network,
- Policy Mappings - those are objects that store information about all possible RADIUS attributes that might be sent to any of your edge devices (e.g. Filter-ID with policy name, VLAN ID via RFC 3580 compliant attributes, script name and so on). Those will be used by NAC to pick the relevant attributes for a device that is dealing with an authentication request (e.g. an Extreme switch might like to get policy name and VLAN ID, a Cisco switch might like to pick VLAN ID and ACL number etc. from this bucket),
- NAC Profiles - those are about selecting a proper Policy Mapping (called just 'Policy' over there) for accepted authentication and failsafe (if NAC can't reach the backend AAA). The second part is about posture assessment, which we may skip right now,
- Groups - those are criteria that you can use in the end to decide how to authorize an authenticated end-system: e.g. user groups (usernames or LDAP attributes or RADIUS attributes received from the backend RADIUS), end-system groups (MACs, MAC OUIs, IPs, subnets, hostnames), location groups (IPs, SSIDs, switch ports, ...) etc.
- Rules - NAC Rules are what binds it all together; they allow you to determine, based on authentication method and the groups, what NAC Profile should be assigned to the device, and thus what Policy Mapping should be applied.
On the other hand, you have to provide information about your access switches. So you add them in the NAC engine configuration ('Switches' tab) and, among other things, you have to take care to pick the valid attributes to send. Those will be taken from the relevant Policy Mapping upon end-system authentication so the switch gets what it supports. Also, remember of course to point to EAC as the RADIUS server from your access device's perspective. If it's an EXOS switch, for example, EAC will do it for you when you Enforce the EAC configuration.
If anything needs more clarification just let us know. I could also find some spare time to support you with a remote session next week.
Hope that helps,
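
The decision chain described in this reply (Rules, then NAC Profile, then Policy Mapping, then the attributes each switch accepts) can be sketched as a small model. This is an added example, not part of the original post and not Extreme's code or API; every group, profile, VLAN and address is constructed, and first-match rule ordering with a catch-all deny rule is an assumption.

```python
# Simplified model of Rule -> NAC Profile -> Policy Mapping -> per-switch attributes.
# All names and values below are constructed for illustration.
POLICY_MAPPINGS = {   # the "bucket" of everything that could be sent to an edge device
    "Employee":   {"policy": "Employee",   "vlan": 20},
    "Printer":    {"policy": "Printer",    "vlan": 30},
    "Quarantine": {"policy": "Quarantine", "vlan": 999},
}
NAC_PROFILES = {      # accept policy plus failsafe policy (backend AAA unreachable)
    "Employee Profile": {"accept": "Employee",   "failsafe": "Quarantine"},
    "Printer Profile":  {"accept": "Printer",    "failsafe": "Quarantine"},
    "Default Deny":     {"accept": "Quarantine", "failsafe": "Quarantine"},
}
GROUPS = {            # criteria used by the rules
    "staff":    lambda r: r.get("ldap_group") == "Staff",            # user group
    "printers": lambda r: r["mac"].upper().startswith("00:11:22"),   # MAC OUI group
    "any":      lambda r: True,
}
RULES = [             # (auth method, group, NAC profile); assumed: first match wins
    ("802.1X", "staff",    "Employee Profile"),
    ("MAC",    "printers", "Printer Profile"),
    (None,     "any",      "Default Deny"),     # catch-all so nothing is accepted by accident
]
SWITCHES = {          # attribute types each switch is configured to receive
    "10.0.0.1": ("filter_id", "rfc3580"),       # policy name and VLAN ID
    "10.0.0.2": ("rfc3580",),                   # VLAN ID only
}

def render(mapping, kinds):
    """Pick from the Policy Mapping only what the switch supports."""
    out = {}
    if "filter_id" in kinds:
        out["Filter-Id"] = mapping["policy"]
    if "rfc3580" in kinds:                      # RFC 3580 VLAN assignment triple
        out["Tunnel-Type"] = "VLAN"
        out["Tunnel-Medium-Type"] = "IEEE-802"
        out["Tunnel-Private-Group-ID"] = str(mapping["vlan"])
    return out

def authorize(req, backend_reachable=True):
    """Return (profile name, RADIUS attributes) for one authentication request."""
    for method, group, profile_name in RULES:
        if method in (None, req["auth"]) and GROUPS[group](req):
            profile = NAC_PROFILES[profile_name]
            chosen = profile["accept" if backend_reachable else "failsafe"]
            return profile_name, render(POLICY_MAPPINGS[chosen], SWITCHES[req["switch"]])
    raise LookupError("no rule matched")
```

Walking a few requests through `authorize` shows which rule an unexpected end-system would fall into, and that the same Policy Mapping yields different attribute sets depending on the switch entry.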