Wireless (General)


Redundancy between two NAC instances

  • 1.  Redundancy between two NAC instances

    Posted 01-15-2018 13:57
    Hello, everybody,

    how could I set redundancy between two NAC instances?

    I have set up MAC and 802.1x auth on my switches, but it works only as long as NAC is alive, so it's a kind of time bomb: when NAC is offline, nothing works. I want to set up redundancy - is it possible?

    Many thanks in advance

    Ilya


  • 2.  RE: Redundancy between two NAC instances

    Posted 01-15-2018 14:02
    Install a second NAC Gateway and configure switches for two NAC Gateways.

    br
    Volker


  • 3.  RE: Redundancy between two NAC instances

    Posted 01-15-2018 14:14
    The switch will ask the first RADIUS server; if it does not answer, it will ask the second RADIUS server. You can have HA.



  • 4.  RE: Redundancy between two NAC instances

    Posted 01-15-2018 14:57
    Hi, the best option would be to set up LSNAT on an S-Series switch. This creates a virtual address that works almost like NAT. This virtual address load balances over a server pool, in your case the two or more NACs. You will then direct the RADIUS server setting on the switch or Wi-Fi to this virtual address. You can choose the method to use for load balancing across the server pool. Regards


  • 5.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 01:22
    Hi,

    please check the KB below:

    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-NAC-gateway-per-switch-for-redu...

    Let us know if this answers your questions.

    Thanks,
    Suresh.B



  • 6.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 05:56
    Thanks, gentlemen, so let me make my question more specific. This is my RADIUS configuration on the switch:

    configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
    configure radius netlogin primary shared-secret encrypted "KOKOKO"
    configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
    configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
    enable radius
    disable radius mgmt-access
    enable radius netlogin
    configure radius timeout 15
    configure radius mgmt-access timeout 15
    configure radius netlogin timeout 15
    enable radius-accounting
    disable radius-accounting mgmt-access
    enable radius-accounting netlogin

    Would it be enough to add just two strings here:

    configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
    configure radius netlogin secondary shared-secret encrypted "KOKOKO"
    configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
    configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"

    where 192.168.23.24 is the secondary NAC? And add the switch to secondary NAC, for sure...
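
The check below is an added example, not part of the original posts and not Extreme Networks code. It audits a switch configuration for the primary/secondary netlogin RADIUS layout discussed in this post. The function name `audit_redundancy` is hypothetical, the sample text is constructed from the lines quoted above, and it assumes the configuration lines appear in exactly that form.

```python
import re

# Constructed sample: netlogin RADIUS lines from the switch config in the post.
PRIMARY_ONLY = """\
configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius netlogin
enable radius-accounting netlogin
"""
# The secondary lines proposed in the post (192.168.23.24 is the second NAC).
WITH_SECONDARY = PRIMARY_ONLY + """\
configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"
"""

LINE_RE = re.compile(
    r"^configure (radius|radius-accounting) netlogin (primary|secondary) "
    r"(?:server (\S+) \d+ client-ip (\S+) vr (\S+)|(shared-secret) .+)$")

def audit_redundancy(config):
    """Return a list of findings; an empty list means both servers are defined."""
    servers, secrets, lines = {}, set(), [l.strip() for l in config.splitlines()]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m[6]:
            secrets.add((m[1], m[2]))
        else:
            servers[(m[1], m[2])] = (m[3], m[4], m[5])  # server IP, client-ip, VR
    findings = []
    for svc in ("radius", "radius-accounting"):
        if f"enable {svc} netlogin" not in lines:
            findings.append(f"{svc}: netlogin not enabled")
        for role in ("primary", "secondary"):
            if (svc, role) not in servers:
                findings.append(f"{svc}: no {role} server")
            elif (svc, role) not in secrets:
                findings.append(f"{svc}: {role} server has no shared secret")
        pri, sec = servers.get((svc, "primary")), servers.get((svc, "secondary"))
        if pri and sec and pri[0] == sec[0]:
            findings.append(f"{svc}: secondary is the same host as primary")
        if pri and sec and pri[1:] != sec[1:]:
            findings.append(f"{svc}: client-ip or VR differs between servers")
    return findings
```

Calling `audit_redundancy(PRIMARY_ONLY)` reports the missing secondary for both authentication and accounting. It only checks that the configuration text is consistent; whether the switch actually fails over still has to be tested by taking the primary NAC offline.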



  • 7.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 06:07
    If you use up-to-art firmware and you specified CLI credentials, then the only thing you need to do is: Add the second engine to the group. Add/modify the switch in the XMC (NetSight) to refer to both engines, define VR, realm, accounting enable... Enforce the configuration. The engine will configure your switch through the CLI properly. Just wait 2-5 minutes. You do not need to add those two lines manually, but you can 🙂 Regards. Z.


  • 8.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 06:12
    Hi,

    Agreed,
    once you enforce from NAC, the switch will be configured for both primary and secondary server.

    Thanks,
    Suresh.B



  • 9.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 06:28
    I applied the configuration on Friday, January 12th. On Tuesday, January 16th, there is nothing related to the Secondary NAC on the switch. So, it is not so easy.... Something doesn't work.


  • 10.  RE: Redundancy between two NAC instances

    Posted 01-15-2018 14:57
    Hi, Andre!

    S-Series costs like a Boeing)


  • 11.  RE: Redundancy between two NAC instances

    Posted 01-15-2018 14:57
    The S-Series is the best SDN switch around with the CoreFlow2 chip. Not a lot of switches can support all these features in one switch, but yes, not the price of an X440.....


  • 12.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 06:07
    Hi, Zdenek,

    what do you mean?))))

    1) "use up-to-art firmware" - what are you talking about???????)

    2) "Add second engine to the group" - What is the group? How to add there?

    3) "Add/modify the switch in the XMC (NetSight) to refer to both engines"

    Now I have only:



    Where 192.168.128.160 is the primary NAC. Interestingly, the only switch I've added to Primary appeared also on the Secondary (without my actions)

    In my config the switch sends user data like IP, NetBIOS name, MAC, AD account, OS version and family to NetSight. I want to populate this config to all my switches.

    Many thanks to you!!!



  • 13.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 06:07
    Hi Ilya.

    1. I am sure it works with 22.x firmware; I do not remember in what version it started to work.

    2. You can have Engines in groups. In your picture there is a group called "all Access Control Engines".

    On your screenshot, please click on switches and send a screenshot of the settings.
    Please investigate the logs to see why the Access Control Engine is not able to configure your switch through the CLI. Usually the issue is related to the firewall, credentials, or old firmware.

    Z.



  • 14.  RE: Redundancy between two NAC instances

    Posted 01-16-2018 06:07
    Thanks, Zdenek! I've got it(

    80% of switches are X430 family, which can't run EXOS 22 code(

    Will my configuration with manual addition of secondary NAC on switches work?