ExtremeSwitching (VSP)

  • 1.  VOSS EAPOL with NAC

    Posted 04-07-2022 14:04
    Edited by ExtremeNorth 04-07-2022 14:07
    Does anybody have a guide that shows how to configure a VSP (VOSS) to use EAPOL when using Extreme NAC?  We have many ERS switches installed and use EAPOL w/NAC, but I have not been able to get it working on a VSP.

    I see that Ludo has posted a document on VSP Edge Deployment Guide, without NAC
    but I guess I am looking for VSP Edge Deployment Guide WITH NAC.


    Thanks,
    Terrel Hobbs


  • 2.  RE: VOSS EAPOL with NAC

    Posted 04-08-2022 06:41
    Terrel
    So there is a NAC variant of that document, but it was not authored by me, so I've asked for it to be posted also.
    However, the approach with VOSS to the edge is not to have to configure anything on the switch anymore, so it is not the same workflow as what you would have been used to with ERS.
    VOSS will boot up and automatically join the Fabric (ZTF = Zero Touch Fabric) and then, if it can get an IP (inband over the onboarding I-SID, or oob), it will do ZTP+ into XIQ-SE.
    XIQ-SE can then provide the final config touches to the VSP switch, such as flipping it to DVR-Leaf (if you so choose), setting certain auto-sense global parameters (e.g. voice I-SID) and if you need to do NAC on the switch, adding it to XIQ-SE's Control Engines and configuring RADIUS + Eapol globally on the VSP. As of XIQ-SE 22.3 the previous steps are automated, and can also be automated via an "Onboard VSP" workflow you can find on GitHub.
    The point is there is no port level EAP/NEAP config to be done. All the VSP ports are auto-sense enabled, and it is enough for a RADIUS server to be configured on the switch and that EAPoL is globally enabled, and the auto-sense ports are ready to go for both EAP and NEAP.
    If you really wanted to see that config, you can always let the auto-sense port settle into UNI-ONBOARDING state (by connecting an end station to the port) and then issue on the port "no auto-sense enable convert-to-config"; you will then get the current dynamic config of the port (with EAP/NEAP settings) frozen into the config file.
    Some EAP config is not actually handled by auto-sense, and you can add it as a delta and it will operate with auto-sense; things like eapol re-authentication, eap max-macs, and fail-open. These can all be added during the ZTP+ onboarding.
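    The global-only pattern described in the reply above, written out as an added configuration example (it is not from the original post and not taken from Extreme's own documentation): a RADIUS server plus global EAPoL on a VOSS switch, ports left on auto-sense, and the convert-to-config step that freezes one port's dynamic EAP/NEAP settings into the running config. The server address 192.0.2.10, the shared secret and port 1/5 are placeholders; the `radius server host ... used-by eapol`, `radius enable` and `eapol enable` syntax is written from memory of the VOSS CLI and should be checked against the CLI reference for the release you are running before it is pasted into a production switch.

```text
# --- Global configuration: all that auto-sense ports need for EAP and NEAP ---
# 192.0.2.10 / "secret" are placeholder values for the NAC (Control Engine) RADIUS server.
enable
configure terminal
radius server host 192.0.2.10 key secret used-by eapol
radius enable
eapol enable
exit

# --- Optional: inspect what auto-sense applied to one port ---
# Connect an end station to port 1/5 first so the port settles into UNI-ONBOARDING,
# then freeze its dynamic configuration (the command quoted in the post above).
configure terminal
interface gigabitEthernet 1/5
no auto-sense enable convert-to-config
exit
exit

# The port's EAP/NEAP lines are now static config; read them from the switch
# rather than hand-typing them on other ports.
show running-config
```

    Leave the remaining ports on auto-sense; the convert-to-config step is only a way to read the generated per-port settings, and a port frozen this way no longer follows auto-sense changes pushed later from XIQ-SE.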


  • 3.  RE: VOSS EAPOL with NAC

    Posted 04-13-2022 18:18
    Ludo,

    Thanks for the reply, I would definitely be interested in a document that discusses Fabric to the Edge with NAC which includes the RADIUS attributes that are sent from NAC. I tried some of the pre-defined VOSS/VSP templates but they didn't seem to work either, so I have been customizing the RADIUS attributes.

    As one of the very early Fabric adopters and implementers of Fabric to the Edge, automation was not available, so changing our deployments to use ZTP/ZTF is going to be difficult while still maintaining our overall design. We have a fairly well established process to onboard new equipment, so I am not too worried about that.

    I have enabled Auto-Sense on ports, and have had limited success where I can see the vlan:i-sid being assigned to the session, and even the user authentication but I cannot see beyond the local switch. (cannot see MACs or ARP entries on other switches)

    Terrel.


  • 4.  RE: VOSS EAPOL with NAC

    Posted 3 days ago
    Edited by Harold Rodriguez 2 days ago
    The VSP 7024 is basically an ERS switch despite the naming convention. The CLI used by the ERS and (actual) VSP products is similar but different. If you have someone that is familiar with both CLIs it shouldn't take them more than an hour to port it over. If that 7024 is part of an IST pair then you would need to replace both boxes, as a 7024 cannot peer with any other VSP product.