
EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

  • 1.  EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 08-30-2018 11:02
    Hello Community,

    I'm looking for details on whether clients connected to "auth-reqd" ports will still have connectivity if the RADIUS/NetSight server is offline.

    set multiauth mode multi
    set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
    set multiauth port mode force-auth ge.1.1
    set multiauth port mode force-auth ge.1.2
    set multiauth port mode auth-reqd ge.1.3
    set multiauth port mode force-auth ge.1.4
    set multiauth port mode auth-reqd ge.1.5
    [..]

    Thanks,

    Jan


  • 2.  RE: EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 08-30-2018 11:04


  • 3.  RE: EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 08-31-2018 10:39
    Force-auth = the port is authorized; no authentication will happen
    Auth-reqd = no traffic will pass until an accept is received

    The third option is authentication optional (auto) = if the auth is not successful, then the default port config is used (VLAN, default policy, QoS...)

    You can have more RADIUS servers = to accomplish HA
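Added example, not part of the original posts and not Extreme/Enterasys code: a small audit script that reads `set multiauth port mode` lines and reports, per port, the behaviour the reply above describes for a RADIUS outage. The sample config is the one from the question; the `auth-opt` keyword for the "authentication optional" mode and all function names are assumptions.

```python
import re

# Behaviour while no RADIUS server answers, as described in the thread.
# "auth-opt" is an assumed keyword for the "authentication optional" mode.
OUTAGE_BEHAVIOUR = {
    "force-auth": "open: port is authorized, no authentication happens",
    "auth-reqd": "closed: no traffic passes until an accept is received",
    "auth-opt": "fallback: default port config (VLAN, default policy, QoS)",
}
PORT_MODE = re.compile(r"^set multiauth port mode (\S+) (\S+)$")

# Sample input: the config lines posted in the question.
SAMPLE_CONFIG = """\
set multiauth mode multi
set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
set multiauth port mode force-auth ge.1.1
set multiauth port mode force-auth ge.1.2
set multiauth port mode auth-reqd ge.1.3
set multiauth port mode force-auth ge.1.4
set multiauth port mode auth-reqd ge.1.5
[..]
"""

def classify_ports(config_text):
    """Map port -> (mode, behaviour during a RADIUS outage); last line wins."""
    result = {}
    for raw in config_text.splitlines():
        match = PORT_MODE.match(" ".join(raw.split()))  # normalise whitespace
        if match:
            mode, port = match.groups()
            behaviour = OUTAGE_BEHAVIOUR.get(mode, "unknown mode: review manually")
            result[port] = (mode, behaviour)
    return result

def ports_with_mode(config_text, mode):
    """Sorted list of ports configured with the given mode."""
    ports = classify_ports(config_text)
    return sorted(p for p, (m, _) in ports.items() if m == mode)

if __name__ == "__main__":
    for port, (mode, behaviour) in sorted(classify_ports(SAMPLE_CONFIG).items()):
        print(f"{port:8} {mode:11} {behaviour}")
    print("Lose access in an outage:", ports_with_mode(SAMPLE_CONFIG, "auth-reqd"))
    print("Never authenticated:", ports_with_mode(SAMPLE_CONFIG, "force-auth"))
```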


  • 4.  RE: EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 08-31-2018 13:55
    Just to add to Zdenek's points: if you are using ExtremeControl for NAC, then you can deploy two ExtremeControl NAC Engines (there is no extra licensing cost) that sync up from the XMC Server upstream, so the switch will fail over from the primary RADIUS engine to the secondary RADIUS engine without disruption to network access.

    Shmulik



  • 5.  RE: EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 09-05-2018 18:35
    Thanks for the clarification! As a follow-up: What happens on one auth-reqd port with a, let's assume, 5-port SOHO switch connected to it? Does the Enterasys switch also allow/disallow connected clients separately? Verbose: multiple clients connected through one single Enterasys port through an additional unmanaged switch. Does NAC access still work on an individual frame level? Thanks, Jan


  • 6.  RE: EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 09-06-2018 14:16
    You can limit the number of concurrent authenticated MACs by CLI or XMC (NetSight), and there is also some hardware limit. There is a different hardware limit for D2, B2, B3, C3, C5, XOS...

    Each MAC address is authenticated and can be authorized with a different policy profile (VLAN, QoS, rules).



  • 7.  RE: EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

    Posted 09-06-2018 18:52
    Depends if the switch is configured for single-auth or multi-auth on the port. If single-auth, then only the first MAC is authenticated and the following MACs will flow through untagged without authentication. If the port is configured for multi-auth, then each MAC will get authenticated and assigned its own specific VLAN, even though it is coming from a SOHO switch connected to the port.

    Thanks!

    Shmulik