
Cisco - Extreme NAC integration -multiauthentication, vlan, dot1x, mac


Tomasz_Lubas
New Contributor III
How to integrate Cisco switches with Extreme NAC. You can pass VLANs, ACLs per user, authenticate MAC or user, even download ACLs from NAC and even more - multiauthenticate up to 8 users on one Cisco port...

Tomasz_Lubas
New Contributor III
Rainer, pls read http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configur...
section "Multi-auth Per User VLAN assignment"

and sentence: "When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to V1. This behaviour is similar on a single-host or multi-domain-auth port.

When a second host (H2) is connected and gets assigned to VLAN (V2), the port will have two operational VLANs (V1 and V2). If H1 and H2 sends untagged ingress traffic, H1 traffic is mapped to VLAN (V1) and H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and VLAN (V2) are untagged."

Rainer_Adam
New Contributor III
You should know that it is NOT possible to authenticate more than ONE user per port in a different VLAN except if you use the one client as "voice vlan" on the Cisco.....

Michael_Kirchne
Contributor
Yes - against most config examples with current software, in my opinion it is best practice to set the order to mac then dot1x (to avoid timing issues) and priority to dot1x.

Thanks a lot 🙂

Michael

Tomasz_Lubas
New Contributor III
Thanks Michael. Order depends on what you want to do first 🙂 This config was modified many times for different ways of authentication.
Also there is one important thing. Whatever you set there, Cisco can ignore it. When you set the order on IOS <15.02, this setting is irrelevant because Cisco always tries dot1x first. Keep in mind the right timeouts then.
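
An added example, not part of the thread or any poster's configuration: a small Python check that scans a running-config excerpt and flags authenticating ports that do not use the order (MAB then dot1x), priority (dot1x first) and multi-auth host mode discussed above. The sample configuration and its interface names are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample config; interface names are made up for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
interface GigabitEthernet1/0/2
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication port-control auto
interface GigabitEthernet1/0/3
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if header := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def methods(cmds, keyword):
    prefix = f"authentication {keyword} "  # e.g. "authentication order "
    return next((c[len(prefix):].split() for c in cmds if c.startswith(prefix)), [])

def audit(config):
    """Return {interface: [findings]} for ports with port-control auto."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "authentication port-control auto" not in cmds:
            continue  # port does not authenticate clients; skip it
        checks = [
            (methods(cmds, "order") == ["mab", "dot1x"], "order is not 'mab dot1x'"),
            (methods(cmds, "priority")[:1] == ["dot1x"], "priority does not put dot1x first"),
            ("authentication host-mode multi-auth" in cmds, "host-mode is not multi-auth"),
        ]
        report[name] = [msg for ok, msg in checks if not ok]
    return report
```

Calling `audit()` on a saved running-config returns an empty list for compliant ports, so only ports with findings need review.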