Hi,I try to follow the GTAC knowledge below:https://extremeportal.force.com/ExtrArticleDetail?an=000082958but its not working in my setup. what is "802.1x Placeholder" rule? based on the procedure it only the authentication is change to 802.1x. and no changes on other optionappreciate if someone have screenshots of this setting.thanks!
I have similar problems.
I also tried to follow the GTAC-advise, however I have no clue how to correctly configure
“user is in Domain Users AND end-system is in Domain Devices”
Can someone explain/show for dummies?
Note: This is an example that REQUIRES Machine + User authentication to work successfully. No BYOD 802.1x is considered either.
Here is an example set of 2 rules:
This represents:A user who has logged into a domain machine.A domain Machine who has booted up but nobody logged in.
Here is the configuration for Domain User and Machine:
End System Group:
To match this rule:
NAC learns hostnames from either DHCP fingerprinting or reverse DNS lookup of the IP address (IP address must be learned)
In order for NAC to receive DHCP information to determine hostname/IP address the client MUST be allowed on the network with a minimum level of access to gain an address and DHCP to occur.
Because this rule contains criteria requirements that are NOT available when the client first connects you must build a rule to catch them and allow that minimum level of access in order for the process to function normally. In our example this is the Domain Machine rule. NOTE: If you do not build rules this specific way a “Placeholder” rule is necessary to provide a minimum level of access to get an IP address. Without this “Placeholder” Control will never learn the hostname of the device in order to match the LDAP host group criteria.
Process flow for different types of logins seen:
Important Note: The hostname resolution in step 2 is a requirement. If NAC cannot learn hostname this will never be matched. This configuration assumes all domain machines will initially always start in a machine authenticated state in order for this learning process to occur.In some situations a “Placeholder” rule is necessary to provide temporary access in order to learn this information and match the rule. If you find you are not able to match the LDAP host group rule because the hostname is NOT learned this may be your issue.
There is also a variation on this configuration where “name” is used for “host search attribute” in your LDAP configuration and “Use Fully Qualified Domain Name” is de-selected instead of “dNSHostname” in order to not require the reverse DNS zone and reverse lookup functionality to obtain FQDN for dNSHostname attribute.
Contact Us:Sam PirokCommunity@extremenetworks.com