mac to role mapping in EXOS

I have a client with EOS switches that uses MAC-to-Role Mapping from Policy Manager to allow certain devices to access the network with a different policy than the default when communication between the switch and the NAC is interrupted.

In EXOS, I cannot do that; only VLAN-to-Role mapping works (not MAC-to-Role or IP-to-Role).

The client is security-conscious and is concerned that in remote offices, if the NAC is not available, everyone can get in. They want to still be able to apply certain security to certain devices.

Is there a different method to make sure a local (inside the switch) authentication happens only if the NAC is not available for authentication?

Jordi Soler


Posted 1 year ago


Ash Curtis, Employee

Hello Jordi,

For added security, you can configure your EXOS device for limited/locked MAC learning as per this article from our Knowledge Base:

https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-enable-port-security-mac-learning-on-S...

Jordi Soler

Thanks for the reply, but this would not help if a new user/device wanted to enter the LAN after the NAC communication was interrupted.

Ash Curtis, Employee

Yes, that is correct; your options here are limited to configuring the number of MAC addresses that can be learned or the specific MAC addresses that can use a given port.

If you do not know the MAC address of a potential user who may wish to use a given port in the future, you will need to limit the number of MAC addresses that can be learned, but of course this leaves the port open to learning ANY new MAC addresses up to the configured limit.

M.Nees, Ambassador

On EXOS 22.2/22.3/22.4 MAC-to-Role Mapping seems to be possible, but only at "port level", not "device level".
Unfortunately I have not figured out how to configure that!

M.Nees, Ambassador

I figured it out:

https://emc.extremenetworks.com/content/polman/docs/l_p_at_port_prop_gen.html#mappings

configure policy profile 1 name "Innovaphone" pvid-status "enable" pvid 172 untagged-vlans 172
configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 1 admin-pid 1
configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 2 admin-pid 1
Be aware that this does not work with EXOS 22.5; 22.5-Patch-2-2 includes a fix.
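As an added worked example (not part of the thread and not Extreme's own tooling), the following Python models what the two admin-profile rules above actually select, so you can check which devices would land in the "Innovaphone" profile on a given port before committing the config, and regenerate the EXOS lines for further OUIs or ports. It assumes that "mask 24" means the top 24 bits of the MAC (the OUI) must match, as the 00-90-33 example implies; the rule set, the test MACs, and the default_pid fallback are constructed for illustration. Note the security caveat this makes visible: a MAC prefix is a classifier, not an authenticator, so a device that spoofs a permitted OUI gets the same profile. This narrows what the NAC-down fallback grants; it does not replace authentication.

```python
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")


def parse_mac(mac: str) -> int:
    """Accept 00-90-33-00-00-00, 00:90:33:00:00:00 or 009033000000; return a 48-bit int."""
    hexdigits = re.sub(r"[-:.]", "", mac.strip())
    if not MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(hexdigits, 16)


def mac_matches(mac: str, prefix: str, mask_bits: int) -> bool:
    """True if the top mask_bits bits of mac equal those of prefix.

    Assumed EXOS semantics: 'macsource <prefix> mask <n>' compares the n most
    significant bits, so mask 24 matches the whole OUI and ignores the rest.
    """
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be 0..48 bits")
    mask = ((1 << mask_bits) - 1) << (48 - mask_bits)
    return (parse_mac(mac) & mask) == (parse_mac(prefix) & mask)


@dataclass(frozen=True)
class MacRule:
    prefix: str      # macsource value as typed on the switch
    mask_bits: int   # mask length in bits
    port: str        # port-string the rule is bound to
    admin_pid: int   # policy profile index the match maps to


def classify(mac: str, port: str, rules, default_pid: int) -> int:
    """Profile a device would get on a port: first matching rule wins, else the fallback.

    default_pid stands in for whatever default policy the port falls back to
    when the NAC is unreachable (constructed for this example).
    """
    for rule in rules:
        if rule.port == port and mac_matches(mac, rule.prefix, rule.mask_bits):
            return rule.admin_pid
    return default_pid


def exos_policy_config(profile_pid: int, profile_name: str, vlan: int, rules) -> list[str]:
    """Emit 'configure policy ...' lines in the same form the thread shows."""
    lines = [
        f'configure policy profile {profile_pid} name "{profile_name}" '
        f'pvid-status "enable" pvid {vlan} untagged-vlans {vlan}'
    ]
    for r in rules:
        lines.append(
            f"configure policy rule admin-profile macsource {r.prefix} "
            f"mask {r.mask_bits} port-string {r.port} admin-pid {r.admin_pid}"
        )
    return lines


# Constructed rule set mirroring the thread: the Innovaphone OUI 00-90-33 on
# ports 1 and 2 maps to policy profile 1; anything else gets the fallback.
RULES = (
    MacRule("00-90-33-00-00-00", 24, "1", 1),
    MacRule("00-90-33-00-00-00", 24, "2", 1),
)

if __name__ == "__main__":
    for line in exos_policy_config(1, "Innovaphone", 172, RULES):
        print(line)
    # Constructed sample devices: a phone on port 1, a near-miss OUI, and a
    # phone on a port with no rule (shows the mapping is per port, not per device).
    for mac, port in [("00:90:33:12:34:56", "1"),
                      ("00:90:34:12:34:56", "1"),
                      ("00:90:33:12:34:56", "3")]:
        print(f"{mac} on port {port} -> admin-pid {classify(mac, port, RULES, default_pid=0)}")
```

Run it and compare the emitted lines with what you intend to paste into the switch; the classify() calls make the "port level, not device level" limitation concrete, since the same phone on a port without a rule gets the fallback profile.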