06-28-2016 01:58 PM
Hi,
I try to follow the GTAC knowledge below:
https://extremeportal.force.com/ExtrArticleDetail?an=000082958
but it's not working in my setup. What is the "802.1x Placeholder" rule? Based on the procedure, only the authentication is changed to 802.1x, and there are no changes to the other options.
I'd appreciate it if someone has screenshots of this setting.
thanks!
02-06-2021 07:46 PM
Hello,
Note: This is an example that REQUIRES Machine + User authentication to work successfully. No BYOD 802.1x is considered either.
Here is an example set of 2 rules:
This represents:
A user who has logged into a domain machine.
A domain Machine who has booted up but nobody logged in.
Here is the configuration for Domain User and Machine:
User group:
End System Group:
To match this rule:
NAC learns hostnames from either DHCP fingerprinting or a reverse DNS lookup of the IP address (the IP address must be learned first).
In order for NAC to receive DHCP information to determine the hostname/IP address, the client MUST be allowed on the network with a minimum level of access so that it can obtain an address and DHCP can occur.
Because this rule contains criteria that are NOT available when the client first connects, you must build a rule to catch such clients and allow that minimum level of access in order for the process to function normally. In our example this is the Domain Machine rule.
NOTE: If you do not build the rules this specific way, a "Placeholder" rule is necessary to provide a minimum level of access to get an IP address. Without this "Placeholder", Control will never learn the hostname of the device in order to match the LDAP host group criteria.
Process flow for different types of logins seen:
Important Note: The hostname resolution in step 2 is a requirement. If NAC cannot learn the hostname, this rule will never be matched. This configuration assumes all domain machines will initially always start in a machine-authenticated state in order for this learning process to occur.
In some situations a "Placeholder" rule is necessary to provide temporary access in order to learn this information and match the rule. If you find you are not able to match the LDAP host group rule because the hostname is NOT learned, this may be your issue.
There is also a variation on this configuration where "name" is used as the "host search attribute" in your LDAP configuration (instead of "dNSHostname") and "Use Fully Qualified Domain Name" is de-selected, so that a reverse DNS zone and reverse lookup are not required to obtain the FQDN for the dNSHostname attribute.
Thanks
-Ryan
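The rule ordering and the hostname dependency described in the post above, as an added Python model that is not part of the original thread and is not Extreme Control's own code. The rule names, the LDAP computer object (PC01 / pc01.corp.example), the group names and the IP address are constructed for the example; only the evaluation order, the "machine-only rule doubles as the placeholder" idea and the "name" versus "dNSHostName" lookup behaviour follow the post.

```python
"""Toy model of NAC rule evaluation for the Machine + User 802.1X case
described in the post. All names, groups and hostnames are made up for this
example; it mirrors only the ordering logic the post describes."""
from dataclasses import dataclass, field, replace
from typing import Optional, Set

# Constructed LDAP snapshot (hypothetical): one domain computer object with the
# two attributes the post mentions as "host search attribute" candidates.
LDAP_COMPUTERS = [
    {"name": "PC01", "dNSHostName": "pc01.corp.example",
     "memberOf": {"Domain Computers"}},
]

@dataclass
class EndSystem:
    auth_type: str                        # "802.1X Machine" or "802.1X User"
    username: Optional[str] = None
    user_groups: Set[str] = field(default_factory=set)   # from the LDAP user lookup
    ip: Optional[str] = None              # learned once DHCP has completed
    hostname: Optional[str] = None        # learned via DHCP fingerprint or reverse DNS

def ldap_host_groups(hostname: Optional[str], search_attr: str, use_fqdn: bool) -> Set[str]:
    """Resolve the learned hostname to LDAP group membership.
    search_attr='dNSHostName' with use_fqdn=True needs the FQDN, which in
    practice requires a working reverse DNS zone; search_attr='name' with
    use_fqdn=False matches on the short computer name instead."""
    if not hostname:
        return set()                      # nothing learned yet -> no host groups
    key = hostname if use_fqdn else hostname.split(".")[0]
    for obj in LDAP_COMPUTERS:
        if obj[search_attr].lower() == key.lower():
            return set(obj["memberOf"])
    return set()

def evaluate(es: EndSystem, search_attr: str = "dNSHostName", use_fqdn: bool = True) -> str:
    """Return the name of the first rule that matches, in the order the post
    lays out: the specific user+machine rule first, then the machine-only rule
    that doubles as the placeholder, then an implicit catch-all."""
    host_groups = ldap_host_groups(es.hostname, search_attr, use_fqdn)
    rules = [
        ("Domain User and Machine",
         es.auth_type == "802.1X User"
         and "Domain Users" in es.user_groups
         and "Domain Computers" in host_groups),
        # Booted, nobody logged in; grants the minimum access needed for DHCP/DNS.
        ("Domain Machine", es.auth_type == "802.1X Machine"),
        ("Default Catch-All", True),
    ]
    for name, matched in rules:
        if matched:
            return name
    raise AssertionError("unreachable: the catch-all always matches")

def walkthrough() -> list:
    """The process flow for a domain PC: boot, learn IP/hostname, user login."""
    steps = []
    es = EndSystem(auth_type="802.1X Machine")                     # 1. boot, machine auth, no IP yet
    steps.append(evaluate(es))                                     # Domain Machine (minimum access)
    es = replace(es, ip="10.0.0.5", hostname="pc01.corp.example")  # 2. DHCP, then reverse DNS
    es = replace(es, auth_type="802.1X User", username="alice",
                 user_groups={"Domain Users"})                     # 3. user logs in
    steps.append(evaluate(es))                                     # Domain User and Machine
    return steps

if __name__ == "__main__":
    print(walkthrough())
    # Failure mode from the post: user login seen, but the hostname was never learned.
    print(evaluate(EndSystem(auth_type="802.1X User", user_groups={"Domain Users"})))
```

Running the failure case shows why the placeholder matters: a user authentication that arrives before the hostname has been learned cannot match the LDAP host group criterion and drops through to the catch-all, and a hostname learned only as a short name from DHCP fingerprinting matches with `search_attr="name", use_fqdn=False` but not with the `dNSHostName` lookup that expects an FQDN from reverse DNS.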
02-04-2021 03:11 PM
Hi,
I have similar problems.
I also tried to follow the GTAC advice; however, I have no clue how to correctly configure
"user is in Domain Users AND end-system is in Domain Devices".
Can someone explain/show for dummies?
Thank you!
02-13-2017 03:40 PM
07-03-2016 10:18 PM