mac to role mapping in EXOS

Question (Answered), updated 1 year ago
I have a client with EOS switches that uses MAC-To-Role Mapping from Policy Manager to allow certain devices to access the network with a different policy than the default when communication between the switch and the NAC is interrupted.

In EXOS, I cannot do that; only VLAN to Role mapping works (not MAC to Role or IP to Role).

The client is security-conscious and is concerned that in remote offices, if the NAC is not available, everyone can get in. They want to still be able to apply certain security to certain devices.

Is there a different method to make sure a local (inside the switch) authentication happens only if the NAC is not available for authentication?
Jordi Soler

Posted 1 year ago

Ash Curtis, Employee

Hello Jordi,

For added security, you can configure your EXOS device for limited/locked MAC learning as per this article from our Knowledge Base:

https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-enable-port-security-mac-learning-on-S...

Jordi Soler

Thanks for the reply, but this would not help if a new user/device wanted to enter the LAN after the NAC communication was interrupted.

Ash Curtis, Employee

Yes, that is correct; your options here are limited to configuring the number of MAC addresses that can be learned or the specific MAC addresses that can use a given port.

If you do not know the MAC address of a potential user that may wish to use a given port in the future, you will need to limit the number of MAC addresses that can be learned, but of course this leaves the port open to learning ANY new MAC addresses up to the configured limit.