NAC - VSP/ERS switch management using LDAP credentials

  • Question
  • Updated 2 months ago
  • Answered
I am trying to use NAC to allow switch management access (SSH/Telnet/Web) for an LDAP group. 
Currently the VSP/ERS switches have been added to XMC NAC and I am able to backup configs, use scripts, etc. I am also able to assign VLANs to the ports via LDAP authentication.
Does anyone have instructions on how to configure NAC Policy to send the correct values to the VSP/ERS switches to allow management access?

James Drennan, Employee

Posted 2 months ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello James,

Give this article a shot: 

https://gtacknowledge.extremenetworks.com/articles/How_To/allowing-mangement-access-to-Avaya-switche...


:edit: you'll need to create a rule with an LDAP user group criteria, but this article details the AVP that should work for management login :edit:

Thanks
-Ryan
(Edited)

James Drennan, Employee

Ryan,
Thank you. This is what I was looking for.
Is there a way we can append an article to add the VSP/ERS RADIUS commands?

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello James,

It can be appended. Do you have a working configuration I can use to add content to the article?

Thanks
-Ryan

James Drennan, Employee

Yes, below are the commands for VSP8284 v7.0.
enable
config terminal
radius server host <NAC IP> key <shared secret> used-by cli enable
(optional) radius reachability mode status-server
radius enable

ar

Hi,
I guess the RADIUS server has to send back the RADIUS Attribute "Filter-ID" with the following information (for Enterasys switches):
Enterasys:version=1:mgmt=su:
Detailed information may be available if you search for "filter-id" in the knowledge base, i.e.:
https://gtacknowledge.extremenetworks.com/articles/Q_A/What-filter-id-is-required-for-administrative...

Hope this will be helpful.
Regards,
Axel
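
An added example, not part of the thread: a small audit that parses the Enterasys-style Filter-ID string quoted in the last post and checks that each NAC rule returns a management level no higher than its LDAP group is meant to have. The `mgmt=su` value comes from the post; the `ro` and `rw` levels and the `policy=` field are assumed from the Enterasys Filter-ID format, and the group names and rules are constructed sample data.

```python
import re

# Privilege order for the mgmt field. "su" is quoted in the thread;
# "ro" and "rw" are assumed from the Enterasys Filter-ID format.
LEVELS = {"ro": 0, "rw": 1, "su": 2}
FILTER_ID = re.compile(r"^Enterasys:version=(\d+):(.*)$")

def parse_filter_id(value):
    """Return the fields of an Enterasys Filter-ID as a dict, or raise ValueError."""
    m = FILTER_ID.match(value.strip())
    if not m:
        raise ValueError(f"not an Enterasys Filter-ID: {value!r}")
    fields = {"version": m.group(1)}
    for part in m.group(2).split(":"):
        if not part:  # tolerate the trailing ':' seen in the thread
            continue
        key, sep, val = part.partition("=")
        if not sep or not val:
            raise ValueError(f"malformed field {part!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = val
    return fields

def audit_reply(group, filter_id, max_level):
    """Return a list of findings for one rule; an empty list means it passes."""
    try:
        fields = parse_filter_id(filter_id)
    except ValueError as exc:
        return [str(exc)]
    mgmt = fields.get("mgmt")
    if mgmt is None:
        return []  # no management access granted by this reply
    if mgmt not in LEVELS:
        return [f"unknown mgmt level {mgmt!r}"]
    allowed = max_level.get(group)
    if allowed is None:
        return [f"group {group!r} must not receive mgmt={mgmt}"]
    if LEVELS[mgmt] > LEVELS[allowed]:
        return [f"group {group!r} gets mgmt={mgmt}, limit is {allowed}"]
    return []

# Constructed sample policy: LDAP group -> highest mgmt level it may receive.
MAX_LEVEL = {"net-admins": "su", "noc-readonly": "ro"}
RULES = [  # constructed (LDAP group, Filter-ID returned by the rule) pairs
    ("net-admins", "Enterasys:version=1:mgmt=su:"),
    ("noc-readonly", "Enterasys:version=1:mgmt=su:"),
    ("helpdesk", "Enterasys:version=1:mgmt=rw:policy=Staff"),
]
FINDINGS = {group: audit_reply(group, fid, MAX_LEVEL) for group, fid in RULES}
```
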