cancel
Showing results for 
Search instead for 
Did you mean: 

Extreme Newbie - Question about NAC failure

Extreme Newbie - Question about NAC failure

Mark_Allen
New Contributor
I am an Extreme newbie. My college just implemented a new Extreme Networks infrastructure - core, edge, wireless, with NAC and Netsight. I am a 20 year Cisco veteran and come from a port-based knowledge base.

NAC is completely new (and foreign) to me. I like what it can do, and I love the information I'm gleaning into my network from Netsight. However, i'm terrified of what will happen if the NAC controller goes down for any reason. My sales engineer told me that the switches could be configured to fail open so that things would continue to work in the event that NAC wasn't in the middle - authenticating every entry onto the network.

I need some pointers about where to go to configure this, and if it's possible. Right now things are working ok, but I want to put in that safeguard so that things will still continue to function (without the security of course) when the controller goes down.

I'm planning on taking training for all of the products - but my first class doesn't start until November - so I"m a little nervous in supporting this environment until I get some knowledge under my belt.

Any and all comments would be welcome.

Thank you.

Mark Allen

7 REPLIES 7

Scott_Singer1
Extreme Employee
Mark,

As Z mentioned above, you can add a redundant ExtremeControl (NAC) server to provide redundancy. This is highly recommended and does not affect your client licensing, as this will be pooled between the servers.

You can also leverage your existing RADIUS environment and add the RADIUS server(s) as a secondary or tertiary authentication source in your switch config. This will allow RADIUS to handle authentication in the event that the NAC server(s) are down, which would be a reeeeeally rare event, but a simple safety net. To that end, you'll probably want to configure VLAN containment using an Extreme VSA on the RADIUS server, so that devices are moved to the correct VLAN. You don't get full policy, but you get the devices access to the network. Generally, I'd default to a "data" VLAN for general network access and then leverage your service-specific VLAN's for easily identifiable devices, like VoIP phones. I believe the vendor-specific VSA for extended VLAN's is 211. This VSA allows you to specify which VLAN's should be tagged or untagged and you can use the 802.1q number or name. Name is particularly useful if you've standardized on a VLAN name per building/site, but have established a different tag number to segment the network. Adding a "u" before the label will add the VLAN as untagged and a "t" will add it as tagged. For example, "u201" would add VLAN 201 as untagged or "tvoice" would add VLAN "voice" as tagged to the authenticating port for that MAC address. You can use a delimiter to add multiple VLAN's to the port if needed, but generally clients are only configured for a single VLAN outside the data center.

These links on Extreme's support site may be useful.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-assign-VLAN-to-a-MAC-based-netlogin...

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...

Regards, Scott

OscarK
Extreme Employee
You can configure netlogin service unavailable vlan, that will put all new users in that vlan if the service (NAC) is unavailable.

As Oscar stated there is also this option = if you do not use policy. So you can choose 
Regards Zdeněk Pala

Mark_Allen
New Contributor
That would be great Z. Thank you for the information. Ryan, we are using Summit X450 switches I believe, and the Identify wifi
GTM-P2G8KFN