Integration CISCO Switches into Enterasys NAC


We have a customer who has a small network with 20 Cisco switches (2960 & 3560), and the customer wants to switch over to Enterasys / Extreme.

As a first step we have a new SSA150 system and the whole software suite with NMS and NAC at the customer site.

Now my job is to integrate the Cisco switches into the Enterasys NAC solution.

Is there any kind of material or how-to on how to integrate a Cisco switch into a NAC manager? I know that I have to configure the ports on the Ciscos for MAC authentication and that the NAC solution is the server... but it would be great to see an example from the real world.

I have already integrated all the Ciscos into NetSight with SNMP v2, and I can actually monitor traffic and port actions on the Ciscos.

As a first step I want to configure the NAC solution so that it only listens to MAC auth requests without doing any action on the ports of the switch... to build up a NAC database.

Later I want to change the NAC solution to allow the traffic for all MAC addresses on a whitelist and to block all new addresses.

Some questions for the future:

- Is it possible that Enterasys NAC with NetSight can also switch the VLAN on a Cisco switch to bring a device with a new MAC into an isolation VLAN?

- I have an SSA 150 as a core device... Can I configure all the Ciscos to act as dumb forwarders of NAC requests to this SSA, and also have multiple requests on the port there with MAC auth, 802.3 auth and web auth? Because the SSA 150 can have multiple kinds of authentication on one port.

I could connect every Cisco switch to one port of the SSA 150 and activate multi-auth on this port... to use the Ciscos only as dumb forwarders... (is this right?)

As I understood it, this feature of multiple policies on one port is only valid for Enterasys B-Series and above, but would it work if a Cisco switch with 24 ports connects to one port of an SSA150?

Regards

Christian



Posted by info@systemhaus-genthin.de, 4 years ago

Michael Kirchner

Official Response
Hi Christian,

I hope this answer does not come too late.

I do not know of any official Cisco integration documents. But I have done it several times.

It is possible to do MAC Authentication (MAB), assign VLANs and ACLs, and do Guest Authentication (LAN/WLAN), all triggered by NAC.

The Cisco switch configuration is the biggest step. This depends on the firmware you are running.
See: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/configuration/guide/2960scg/sw8021x.html

On the NAC side you have to do some config:
1. NAC Switch Configuration

You need the Cisco-AVPair=%CUSTOM1% only if you use the client-behind-phone construct.
Or you choose "RFC 3850 - VLAN ID".

2. Policy Mapping

See: Custom1=device-traffic-class=voice.
You have to assign this policy to your VoIP phones.

To your future questions:
- Is it possible that Enterasys NAC with NetSight can also switch the VLAN on a Cisco switch to bring a device with a new MAC into an isolation VLAN?
-> Yes, see above.
- I have an SSA 150 as a core device... Can I configure all the Ciscos to act as dumb forwarders of NAC requests to this SSA, and also have multiple requests on the port there with MAC auth, 802.3 auth and web auth? Because the SSA 150 can have multiple kinds of authentication on one port. I could connect every Cisco switch to one port of the SSA 150 and activate multi-auth on this port... to use the Ciscos only as dumb forwarders... (is this right?)

-> For MAC authentication, yes. You get a problem if you want to use IEEE 802.1X, because in this case the EAPoL protocol works only from the access switch to the client and not between the SSA and the client if there is another switch in between.

- As I understood it, this feature of multiple policies on one port is only valid for Enterasys B-Series and above, but would it work if a Cisco switch with 24 ports connects to one port of an SSA150?
-> The SSA can assign more than 24 individual policies per port, so yes you can :) B-Series is limited to 8 individual authentications. It depends on the switch type.

Best Regards
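An added example, not code from this thread and not from Enterasys/Extreme or Cisco: a small Python model of the RADIUS exchange that both posts are talking about. `build_mab_request` is what a Cisco port in MAB mode sends (the MAC as User-Name and as the PAP-hidden User-Password, Service-Type=Call-Check); `nac_authorize` is the NAC acting as RADIUS server across Christian's two phases (monitor-only to build the MAC database, then whitelist with an isolation VLAN for new MACs, carried as the RFC 3580 tunnel/VLAN attributes, plus the Cisco-AVPair `device-traffic-class=voice` for phones that Michael mentions); `read_reply` is the switch checking the Response Authenticator before it acts on the reply. The shared secret, MAC addresses and VLAN numbers are constructed, the function names are my own, and the attribute layouts follow RFC 2865, RFC 2868/3580 and the Cisco vendor-specific attribute format.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS codes/attributes for MAB (RFC 2865), RFC 3580 VLAN assignment, Cisco-AVPair VSA.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CALL_CHECK, VLAN, IEEE_802, TAG = 10, 13, 6, 1    # Service-Type=Call-Check marks MAB
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1

def _attr(kind, value):                           # one TLV: type, total length, value
    return struct.pack("!BB", kind, len(value) + 2) + value

def _attrs(data):                                 # attribute area -> [(type, value), ...]
    out, i = [], 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((kind, data[i + 2:i + length]))
        i += length
    return out

def _pap(data, secret, request_auth, decrypt=False):
    # RFC 2865 5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else out[-16:]   # always chain on the ciphertext
    return out

def _vlan_attrs(vlan):                            # RFC 3580 dynamic VLAN, tag 1
    return (_attr(TUNNEL_TYPE, bytes([TAG]) + struct.pack("!I", VLAN)[1:])
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([TAG]) + struct.pack("!I", IEEE_802)[1:])
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([TAG]) + str(vlan).encode()))

def _cisco_avpair(text):                          # VSA 26, vendor 9, sub-type 1 = Cisco-AVPair
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(text) + 2]) + text)

def build_mab_request(mac, secret, ident):
    """Switch side: MAB sends the MAC as User-Name and as the hidden User-Password."""
    clean = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    request_auth = secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, clean.encode())
             + _attr(USER_PASSWORD, _pap(clean.encode(), secret, request_auth))
             + _attr(SERVICE_TYPE, struct.pack("!I", CALL_CHECK)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs, request_auth

def nac_authorize(packet, secret, seen, whitelist, voice_macs=frozenset(),
                  isolation_vlan=None, monitor=False):
    """NAC side: record the MAC in `seen`, then decide what the port is told."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], dict(_attrs(packet[20:length]))
    if code != ACCESS_REQUEST or attrs.get(SERVICE_TYPE) != struct.pack("!I", CALL_CHECK):
        raise ValueError("not a MAB Access-Request")
    mac = attrs[USER_NAME].decode()
    password = _pap(attrs[USER_PASSWORD], secret, request_auth, decrypt=True).rstrip(b"\x00")
    reply, code = b"", ACCESS_ACCEPT
    if password != mac.encode():                  # wrong shared secret or forged request
        code = ACCESS_REJECT
    else:
        seen.add(mac)                             # phase 1: build the MAC database
        if monitor:
            pass                                  # accept, leave the port as configured
        elif mac in whitelist:                    # phase 2: known MAC -> its VLAN
            reply += _vlan_attrs(whitelist[mac])
            reply += _cisco_avpair(b"device-traffic-class=voice") if mac in voice_macs else b""
        elif isolation_vlan is not None:          # new MAC -> isolation VLAN
            reply += _vlan_attrs(isolation_vlan)
        else:
            code = ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20 + len(reply))
    return head + hashlib.md5(head + request_auth + reply + secret).digest() + reply

def read_reply(reply, request_auth, secret):
    # Switch side: check the Response Authenticator, then extract VLAN and AV pairs
    head, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("bad Response Authenticator: drop the reply")
    result = {"accept": head[0] == ACCESS_ACCEPT, "vlan": None, "avpairs": []}
    for kind, value in _attrs(attrs):
        if kind == TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = int(value[1:] if value[0] <= 0x1F else value)
        elif kind == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            result["avpairs"].append(value[6:4 + value[5]].decode())
    return result

def demo(monitor=False):                          # constructed secret, MACs and VLANs
    secret, seen, results = b"constructed-shared-secret", set(), {}
    whitelist, voice = {"001122334455": 10, "aabbccddeeff": 20}, {"aabbccddeeff"}
    for ident, mac in enumerate(["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF", "de:ad:be:ef:00:01"]):
        request, request_auth = build_mab_request(mac, secret, ident)
        reply = nac_authorize(request, secret, seen, whitelist, voice, 999, monitor)
        results[mac] = read_reply(reply, request_auth, secret)
    return results, seen
```

`demo()` runs the three ports through the whitelist phase: the first MAC lands in VLAN 10, the phone in VLAN 20 with the voice AV pair, the unknown MAC in isolation VLAN 999, and all three end up in the `seen` database; `demo(monitor=True)` is the learning phase, where every reply is an Access-Accept with no VLAN attributes so the port keeps its configured VLAN. A reply whose Response Authenticator does not verify under the switch's own shared secret is discarded rather than acted on, which is the check that keeps a mistyped or mismatched secret from silently authorizing ports.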