mac to role mapping in EXOS

jsoler
New Contributor II
I have a client with EOS switches that uses MAC-to-Role Mapping from Policy Manager to allow certain devices to access the network with a different policy than the default when communication between the switch and the NAC is interrupted.

In EXOS, I cannot do that; only VLAN-to-Role mapping works (not MAC-to-Role or IP-to-Role).

The client is security-conscious and is concerned that in remote offices, if the NAC is not available, everyone can get in. They want to still be able to apply certain security to certain devices.

Is there a different method to make sure a local (inside the switch) authentication happens only if the NAC is not available for authentication?

M_Nees
Contributor III
On EXOS 22.2/22.3/22.4, MAC-to-Role Mapping seems to be possible, but only at "port level", not "device level".
Unfortunately I have not figured out how to configure that!

M_Nees
Contributor III
I figured it out:

https://emc.extremenetworks.com/content/polman/docs/l_p_at_port_prop_gen.html#mappings

configure policy profile 1 name "Innovaphone" pvid-status "enable" pvid 172 untagged-vlans 172
configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 1 admin-pid 1
configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 2 admin-pid 1

Be aware this does not work with EXOS 22.5; 22.5-Patch-2-2 includes a fix.
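The admin-profile rules M_Nees posted take a MAC prefix plus a mask given as a prefix length in bits (24 covers a vendor OUI, 48 pins a single station) and have to be repeated for every port-string, so in a site with many phones and many ports they are tedious to write by hand and easy to get wrong. The script below is an added example, not code from the thread or from Extreme Networks: it generates those rule lines for a device list, canonicalises the macsource (zeroing bits beyond the mask), and answers "which admin-pid would this MAC get on this port" so the mapping can be checked before it is pasted into a switch. The device list, the second profile id and the helper names are constructed for illustration; "most specific mask wins" is this resolver's own tie-break, not a statement about how EXOS orders overlapping rules.

```python
"""Generate and check EXOS MAC-to-Role admin-profile rules.

Added example (not from the thread). Emits lines in the form M_Nees posted:
  configure policy rule admin-profile macsource <MAC> mask <bits> port-string <port> admin-pid <id>
The mask is a prefix length in bits: 24 matches a whole OUI, 48 one station.
"""
import re

# Constructed sample data. The OUI 00-90-33 and profile 1 come from the post;
# the single phone and profile 2 are assumptions for illustration.
DEVICES = [
    ("00-90-33-00-00-00", 24, 1),   # whole vendor OUI -> admin-pid 1
    ("00-90-33-12-34-56", 48, 2),   # one specific station -> admin-pid 2
]
ACCESS_PORTS = ["1", "2"]


def mac_to_int(mac: str) -> int:
    """Accept 00:90:33:ab:cd:ef, 00-90-33-ab-cd-ef or 0090.33ab.cdef; return 48-bit int."""
    digits = re.sub(r"[:\-\.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_exos_mac(value: int) -> str:
    """Render a 48-bit int in the dash-separated form used in the EXOS policy CLI."""
    hexstr = f"{value:012x}"
    return "-".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def matches(mac: str, macsource: str, mask: int) -> bool:
    """True if the leading `mask` bits of mac equal those of macsource."""
    if not 1 <= mask <= 48:
        raise ValueError(f"mask must be 1..48, got {mask}")
    shift = 48 - mask
    return mac_to_int(mac) >> shift == mac_to_int(macsource) >> shift


def normalize_rule(macsource: str, mask: int) -> str:
    """Zero the bits beyond the mask so the rule is written in canonical form."""
    shift = 48 - mask
    value = (mac_to_int(macsource) >> shift) << shift
    return int_to_exos_mac(value)


def build_rules(devices=DEVICES, ports=ACCESS_PORTS) -> list[str]:
    """One admin-profile rule per (port, device), since the mapping is per port-string."""
    lines = []
    for port in ports:
        for macsource, mask, pid in devices:
            lines.append(
                f"configure policy rule admin-profile macsource {normalize_rule(macsource, mask)} "
                f"mask {mask} port-string {port} admin-pid {pid}"
            )
    return lines


def resolve_profile(mac: str, port: str, devices=DEVICES, ports=ACCESS_PORTS, default_pid=None):
    """Return the admin-pid of the most specific matching rule on `port`, else default_pid.

    Most-specific-wins is this helper's tie-break (an assumption), not EXOS's rule order.
    """
    if port not in ports:
        return default_pid
    best = None
    for macsource, mask, pid in devices:
        if matches(mac, macsource, mask) and (best is None or mask > best[0]):
            best = (mask, pid)
    return best[1] if best else default_pid


if __name__ == "__main__":
    for line in build_rules():
        print(line)
    print("phone 00-90-33-12-34-56 on port 1 ->", resolve_profile("00-90-33-12-34-56", "1"))
    print("other 00-90-33-ab-cd-ef on port 2 ->", resolve_profile("00-90-33-ab-cd-ef", "2"))
    print("unknown 00-11-22-33-44-55 on port 1 ->", resolve_profile("00-11-22-33-44-55", "1"))
```

Run it once against the real device inventory and diff the output against `show configuration` before trusting the mapping; the resolver is also a quick way to confirm that a stray device in the same OUI really does land on the restricted profile rather than the default.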

Ash_Curtis
Extreme Employee
Hello Jordi,

For added security, you can configure your EXOS device for limited/locked MAC learning as per this article from our Knowledge Base:

https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-enable-port-security-mac-learning-on-S...

Yes, that is correct: your options here are limited to configuring the number of MAC addresses that can be learned or the specific MAC addresses that can use a given port.

If you do not know the MAC address of a potential user who may wish to use a given port in the future, you will need to limit the number of MAC addresses that can be learned, but of course this leaves the port open to learning ANY new MAC addresses up to the configured limit.