Extreme Newbie - Question about NAC failure

  • 0
  • 1
  • Question
  • Updated 2 years ago
  • Answered
I am an Extreme newbie.  My college just implemented a new Extreme Networks infrastructure - core, edge, wireless, with NAC and Netsight.  I am a 20 year Cisco veteran and come from a port-based knowledge base.  

NAC is completely new (and foreign) to me.  I like what it can do, and I love the information I'm gleaning into my network from Netsight.  However, i'm terrified of what will happen if the NAC controller goes down for any reason.  My sales engineer told me that the switches could be configured to fail open so that things would continue to work in the event that NAC wasn't in the middle - authenticating every entry onto the network.

I need some pointers about where to go to configure this, and if it's possible.  Right now things are working ok, but I want to put in that safeguard so that things will still continue to function (without the security of course) when the controller goes down.

I'm planning on taking training for all of the products - but my first class doesn't start until November - so I"m a little nervous in supporting this environment until I get some knowledge under my belt.

Any and all comments would be welcome.

Thank you.

Mark Allen
Photo of Mark Allen

Mark Allen

  • 80 Points 75 badge 2x thumb

Posted 2 years ago

  • 0
  • 1
Photo of Pala, Zdenek

Pala, Zdenek, Employee

  • 8,474 Points 5k badge 2x thumb
Hi Mark.

Welcome to Extreme family. I am sure you will like it.

You can have more NAC-gateways (access control engine) so if one is not available the next will handle the request. All of those engines can be in active-active mode.

If there is no engine (radius server) available you can still define the behavior. The config of the port will apply. You need to define the netlogin mode as "optional" and you need to configure the port for the settings you would like to apply without radius available.

I can share some config examples with you later.

Regards.

Z.
Photo of Schmotter, Ryan

Schmotter, Ryan, Employee

  • 590 Points 500 badge 2x thumb
Mark, 
Which models of Extreme switches are you using?
Photo of Mark Allen

Mark Allen

  • 80 Points 75 badge 2x thumb
That would be great Z.  Thank you for the information.  Ryan, we are using Summit X450 switches I believe, and the Identify wifi
Photo of Pala, Zdenek

Pala, Zdenek, Employee

  • 8,474 Points 5k badge 2x thumb
This is the config I use in my lab. see ports 1-5 => authentication is optional.
If the radius server is not responding or sends reject then port config is used.
If you want to not allow access then you need to send accept with specific policy profile :)


Image   : ExtremeXOS version 21.1.1.4 21.1.1.4-patch1-5 by release-manager          on Thu Jun 16 14:19:33 EDT 2016
BootROM : 1.0.2.1
Diagnostics : 5.4



Core-Lab-Network.5 # sh config policy#
# Module policy configuration.
#
enable policy
configure netlogin port 1 authentication mode optional
configure netlogin port 2 authentication mode optional
configure netlogin port 3 authentication mode optional
configure netlogin port 4 authentication mode optional
configure netlogin port 5 authentication mode optional
configure policy profile 1 name "DMZ" pvid-status "enable" pvid 3530
configure policy profile 2 name "MailServer" pvid-status "enable" pvid 3530 cos-status "enable" cos 1
configure policy profile 3 name "WebServer" pvid-status "enable" pvid 3530
configure policy profile 4 name "AD" pvid-status "enable" pvid 3530 cos-status "enable" cos 3
configure policy profile 5 name "Deny Access" pvid-status "enable" pvid 3530
configure policy profile 7 name "VDI" pvid-status "enable" pvid 3530 egress-vlans 3530
configure policy profile 8 name "DCMDemokit" pvid-status "enable" pvid 3540 egress-vlans 3540
configure policy rule 1 udpsourceportIP 67 mask 16 drop
configure policy rule 1 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 1 ipproto 1 mask 8 drop
configure policy rule 2 udpsourceportIP 67 mask 16 drop
configure policy rule 2 tcpsourceportIP 80 mask 16 drop
configure policy rule 2 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 3 udpsourceportIP 67 mask 16 drop
configure policy rule 3 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 5 ipproto 1 mask 8 drop
configure policy rule 5 ipproto 6 mask 8 drop
configure policy rule 5 ipproto 17 mask 8 drop
Core-Lab-Network.5 # sh config netlogin
#
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "ckr`ptplsa"
enable netlogin ports 1-6 mac
configure netlogin mac ports 1 timers reauthentication on
configure netlogin mac ports 2 timers reauthentication on
configure netlogin mac ports 3 timers reauthentication on
configure netlogin mac ports 4 timers reauthentication on
configure netlogin mac ports 5 timers reauthentication on
configure netlogin mac ports 6 timers reauthentication on
Core-Lab-Network.6 # sh config aaa
#
# Module aaa configuration.
#
configure radius netlogin 1 server 192.168.10.31 1812 client-ip 192.168.10.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$KWL/jjCjiUsl/KlkJtR1Ag6ENmJDzLlN5CccJ4zm"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
(Edited)
Photo of OscarK

OscarK, ESE

  • 7,702 Points 5k badge 2x thumb
You can configure netlogin service unavailable vlan, that will put all new users in that vlan if the service (NAC) is unavailable. 
Photo of Pala, Zdenek

Pala, Zdenek, Employee

  • 8,474 Points 5k badge 2x thumb
As Oscar stated there is also this option = if you do not use policy.

So you can choose :)
Photo of Scott Singer

Scott Singer, Employee

  • 240 Points 100 badge 2x thumb
Mark,

As Z mentioned above, you can add a redundant ExtremeControl (NAC) server to provide redundancy.  This is highly recommended and does not affect your client licensing, as this will be pooled between the servers.

You can also leverage your existing RADIUS environment and add the RADIUS server(s) as a secondary or tertiary authentication source in your switch config.  This will allow RADIUS to handle authentication in the event that the NAC server(s) are down, which would be a reeeeeally rare event, but a simple safety net.  To that end, you'll probably want to configure VLAN containment using an Extreme VSA on the RADIUS server, so that devices are moved to the correct VLAN.   You don't get full policy, but you get the devices access to the network.  Generally, I'd default to a "data" VLAN for general network access and then leverage your service-specific VLAN's for easily identifiable devices, like VoIP phones.   I believe the vendor-specific VSA for extended VLAN's is 211. This VSA allows you to specify which VLAN's should be tagged or untagged and you can use the 802.1q number or name.  Name is particularly useful if you've standardized on a VLAN name per building/site, but have established a different tag number to segment the network.  Adding a "u" before the label will add the VLAN as untagged and a "t" will add it as tagged.  For example, "u201" would add VLAN 201 as untagged or "tvoice" would add VLAN "voice" as tagged to the authenticating port for that MAC address.  You can use a delimiter to add multiple VLAN's to the port if needed, but generally clients are only configured for a single VLAN outside the data center.

These links on Extreme's support site may be useful.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-assign-VLAN-to-a-MAC-based-netlogin...

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...

Regards, Scott
(Edited)