ExtremeSwitching (ERS)


MHSA/MHMA automation

Fijs posted 04-04-2022 06:09
Hi,

We're deploying NAC in an existing network of mainly ERS49XX and ERS48XX switches.

On these ERS switches, one needs to specify if a port needs to be in MHSA or MHMA mode.

For example:
  • our access points need MHSA (the AP authenticates; the connected clients do not, since they are authenticated elsewhere)
  • IP phones need MHMA: both the phone and the connected PC need to authenticate
Is there a way to configure MHSA/MHMA dynamically, so we can configure all access ports exactly the same and don't have to care where APs or phones are connected?

Thanks!
Miguel-Angel RODRIGUEZ-GARCIA Best Answer
Fijs,
On ERS 4900 as from 7.9.1:
Here for the ZTC for ERS:
I suggest you read the doc ConfigFabConERS49005900_7.8.1_CG.pdf
Mig
Fijs
Thanks Mig! I'll give it a try.
Ludovico Stevens
So the answer above from Miguel is correct; as of the 7.9.1 release you can enable MHSA on the port via a RADIUS attribute (the same one that VOSS uses).
However, for completeness, there is also the "old" ERS approach, which is still possible and is based around FA zero-touch options.
If you enable this command for FA Client type 6 (WAP-type1):
fa zero-touch-option auto-port-mode-fa-client client-type 6

  • auto-port-mode-fa-client: When this option is activated for certain FA Client types, whenever an FA client of that type is discovered on an access port, the access port is automatically pre-configured for EAP/NEAP in mode Multiple-Hosts-Single-Authentication (MHSA). The FA Client will thus need to authenticate against a RADIUS server using either EAPoL or RADIUS MAC-based authentication (NEAP).
Ludovico Stevens
Got this question by unicast: is this also implemented in the latest firmware for the ERS48xx series?
Replying on the thread for everyone's benefit.
So "fa zero-touch-option auto-port-mode-fa-client client-type 6" is also available on ERS4800.

Whereas the new MHSA RADIUS attribute support is only on ERS5900/4900 and 3600:

Platform   Release   Type   Feature
ERS5900    7.9.1     SW     Extreme Dynamic MHSA RADIUS vendor specific attribute (VSA) Extreme-Dynamic-MHSA (vendor ID 1916, value 250)
ERS4900    7.9.1     SW     Extreme Dynamic MHSA RADIUS vendor specific attribute (VSA) Extreme-Dynamic-MHSA (vendor ID 1916, value 250)
ERS3600    6.5.3     SW     Extreme Dynamic MHSA RADIUS vendor specific attribute (VSA) Extreme-Dynamic-MHSA (vendor ID 1916, value 250)
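What the switch actually receives from the NAC server when this attribute is used, as an added worked example (not code from the thread, from Extreme, or from any vendor's RADIUS implementation): a Python encoder and decoder for the RFC 2865 Vendor-Specific attribute (type 26) carrying Extreme-Dynamic-MHSA with the Vendor-Id 1916 and vendor-type 250 listed above, wrapped in an Access-Accept whose Response Authenticator is computed and checked the way a NAS must check it. The thread does not give the payload format of the VSA; the example assumes a 4-byte integer where 1 means "put this port in MHSA". The shared secret, identifier and Request Authenticator are constructed test values, not captured traffic.

```python
"""Added example: build and check a RADIUS Access-Accept carrying the
Extreme-Dynamic-MHSA VSA (Vendor-Id 1916, vendor-type 250, per the thread).
Not Extreme's code; the integer payload format is an assumption."""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2          # RFC 2865 packet code
ATTR_VENDOR_SPECIFIC = 26       # RFC 2865 section 5.26
EXTREME_VENDOR_ID = 1916        # from the thread
EXTREME_DYNAMIC_MHSA = 250      # vendor-type from the thread


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute using the Vendor-Type / Vendor-Length
    sub-attribute layout recommended by RFC 2865."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_dynamic_mhsa(enable: bool = True) -> bytes:
    # ASSUMPTION: the VSA carries a 4-byte integer, 1 = enable MHSA on the port.
    return encode_vsa(EXTREME_VENDOR_ID, EXTREME_DYNAMIC_MHSA,
                      struct.pack("!I", 1 if enable else 0))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: list) -> bytes:
    """Access-Accept with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the switch must do before honouring any attribute: confirm the
    reply came from a server holding the shared secret for this request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def iter_attributes(data: bytes):
    """Yield (type, value) pairs from the attribute area, rejecting bad lengths."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[off], data[off + 1]
        if attr_len < 2 or off + attr_len > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[off + 2:off + attr_len]
        off += attr_len


def parse_vsa(value: bytes):
    """Return (vendor_id, vendor_type, payload) from a VSA value field."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    if vendor_len < 2 or vendor_len != len(value) - 4:
        raise ValueError("bad vendor sub-attribute length")
    return vendor_id, vendor_type, value[6:]


def dynamic_mhsa_requested(packet: bytes):
    """True/False when Extreme-Dynamic-MHSA is present, None when absent
    (an absent attribute leaves the port in its statically configured mode)."""
    for attr_type, value in iter_attributes(packet[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC:
            continue
        vendor_id, vendor_type, payload = parse_vsa(value)
        if vendor_id == EXTREME_VENDOR_ID and vendor_type == EXTREME_DYNAMIC_MHSA:
            if len(payload) != 4:
                raise ValueError("unexpected Extreme-Dynamic-MHSA payload size")
            return struct.unpack("!I", payload)[0] == 1
    return None


if __name__ == "__main__":
    # Constructed test values, not captured traffic.
    req_auth = bytes(range(16))
    secret = b"nac-shared-secret"
    pkt = build_access_accept(0x2A, req_auth, secret, [encode_dynamic_mhsa(True)])
    print(pkt.hex())
    print("authentic:", verify_response(pkt, req_auth, secret))
    print("MHSA requested:", dynamic_mhsa_requested(pkt))
```

The order of the two checks matters: the VSA is only read after verify_response has passed, because a forged Access-Accept from anyone who can spoof the RADIUS server's address would otherwise be able to flip an access port into single-authentication mode for every host behind it. If the thread's attribute turns out to use a different payload encoding, only encode_dynamic_mhsa and the final unpack in dynamic_mhsa_requested need to change.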
Fijs
Unfortunately the APs in this case are not Extreme APs.
So for the 49XX, an upgrade will do the trick.
For the 48XX, we'll have to manually change to MHSA for AP ports.
Ludovico Stevens
Ah, yes, good point. Both approaches work with Extreme APs (Fabric Attach enabled), but if you have non-Extreme WLAN APs then you need the RADIUS MHSA attribute... or you do manual config... or even better you use Extreme WLAN!