Assign one untagged and several tagged ports thru 802.1x with MAC Authentication. (NAC)

  • Question
  • Updated 2 years ago
  • Answered
Hi,

I have an Extreme NAC solution which has 802.1x rules with MAC authentication configured.
In my network there are several VLANs.
My goal is to assign one untagged and several tagged VLANs to a port if an access point is connected to the switch.
Currently, I can assign only the untagged VLAN (management VLAN of the AP).
Is there a way to assign tagged and untagged ports based on the MAC address?

Thanks for your feedback,
Yves

Yves Haslimann


Posted 2 years ago


Mike Thomas, Employee - GTAC - NMS

What type of switch are you connected to? How many devices will be connected to this port ultimately?

Yves Haslimann

I will connect only one access point per switchport. I have Cisco and Extreme Switches (x440).

Mike Thomas, Employee - GTAC - NMS

So the following Net login rules apply, for the products below.


If you create an end systems group within NAC for the MAC address or some other identifier for the APs, then you can add a specific egress policy as well. If that egress policy is just a VLAN for one physical node, then it can be modified accordingly.



So in the above, the policy can have a VLAN assigned discretely, or if multiple VLAN egress assignments need to be done (based on only one MAC being added to the port), then a filter-id assignment would need to be provided here, and matched up with Policy Manager or policy to modify the egress tab with that software.

This assumes the X440-G2 is the product, and running fairly recent firmware with it as well.
So this is not a solution discussed above, merely guidance on the discussion.

Yves Haslimann

Hi Mike,

Thank you for your answer. I will test this in my lab.
Br, Yves