Redundancy between two NAC instances

  • Question
  • Updated 9 months ago
  • Answered
Hello, everybody,

How could I set up redundancy between two NAC instances?

I have set up MAC and 802.1x auth on my switches, but it only works while NAC is alive, so it's a kind of time bomb: when NAC is offline, nothing works. I want to set up redundancy. Is it possible?

Many thanks in advance

Ilya
Ilya Semenov

Posted 9 months ago

Volker Kull

Install a second NAC Gateway and configure the switches for two NAC Gateways.

br
Volker
Pala, Zdenek, Employee

The switch will ask the first RADIUS server; if it does not answer, it will ask the second RADIUS server. You can have HA.
Andre Brits Kannemeyer

Hi, the best option would be to set up LSNAT on an S-Series switch. This creates a virtual address that works almost like NAT. This virtual address load balances over a server pool, in your case the two or more NACs.

You will then point the RADIUS server setting on the switch or WiFi to this virtual address. You can choose the method used to load balance across the server pool.

Regards
Ilya Semenov

Hi, Andre!

The S-Series costs like a Boeing)
Andre Brits Kannemeyer

The S-Series is the best SDN switch around with the CoreFlow2 chip; not a lot of switches can support all these features in one switch, but yes, it is not the price of an X440...
Bharathiraja, Suresh, Employee

Hi,

Please check the KB article below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-NAC-gateway-per-switch-for-redu...

Let us know if this answers your questions.

Thanks,
Suresh.B
Ilya Semenov

Thanks, gentlemen, so I'll make my question more specific. This is my RADIUS configuration on the switch:

configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

Would it be enough to add just these lines here:

configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"

where 192.168.23.24 is the secondary NAC? And add the switch to the secondary NAC, for sure...
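A small audit script, added here as an illustration and not code from any poster or from Extreme Networks, that reads an EXOS configuration dump in the shape quoted above and reports whether the netlogin RADIUS authentication and accounting servers each have a distinct secondary. It helps answer exactly the question in this post (and the later one about whether the enforce actually pushed a secondary to the switch): run it over "show configuration" output for every switch and any switch with findings is still a single point of failure. The regex assumes the exact command form shown in the thread; the two sample configs are constructed from the lines posted here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the EXOS form quoted in the thread:
#   configure radius[-accounting] netlogin <primary|secondary> server <ip> <port> client-ip <ip> vr <vr>
# Shared-secret lines carry no server data and are intentionally ignored.
SERVER_RE = re.compile(
    r"^configure\s+(radius|radius-accounting)\s+netlogin\s+(primary|secondary)\s+server\s+"
    r"(\S+)\s+(\d+)\s+client-ip\s+(\S+)\s+vr\s+(\S+)$"
)
TIMEOUT_RE = re.compile(r"^configure\s+radius\s+netlogin\s+timeout\s+(\d+)$")

# Constructed sample: the single-NAC config from the post (primary only).
SINGLE_NAC_CONFIG = """
configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin
"""

# Constructed sample: the same config plus the secondary lines proposed in the post.
DUAL_NAC_CONFIG = SINGLE_NAC_CONFIG + """
configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"
"""


def parse_radius_config(text: str) -> dict:
    """Pull the netlogin RADIUS servers and the netlogin timeout out of an EXOS config dump."""
    servers: Dict[Tuple[str, str], dict] = {}
    timeout: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            kind, role, ip, port, client_ip, vr = m.groups()
            servers[(kind, role)] = {"ip": ip, "port": int(port), "client_ip": client_ip, "vr": vr}
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            timeout = int(m.group(1))
    return {"servers": servers, "timeout": timeout}


def check_redundancy(cfg: dict) -> List[str]:
    """Return findings; an empty list means auth and accounting both have a distinct secondary."""
    findings: List[str] = []
    servers = cfg["servers"]
    for kind in ("radius", "radius-accounting"):
        primary = servers.get((kind, "primary"))
        secondary = servers.get((kind, "secondary"))
        if primary is None:
            findings.append(f"{kind}: no primary netlogin server configured")
        if secondary is None:
            findings.append(f"{kind}: no secondary netlogin server; NAC is a single point of failure")
        elif primary is not None and primary["ip"] == secondary["ip"]:
            # A "secondary" on the same host buys nothing when that host is down.
            findings.append(f"{kind}: secondary points at the same host as primary ({primary['ip']})")
    if cfg["timeout"] is None:
        # Without an explicit timeout the failover to the secondary is governed by the default.
        findings.append("radius: netlogin timeout not set explicitly")
    return findings


if __name__ == "__main__":
    for name, text in (("single NAC", SINGLE_NAC_CONFIG), ("dual NAC", DUAL_NAC_CONFIG)):
        findings = check_redundancy(parse_radius_config(text))
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Feed it the saved output of "show configuration" from each switch; the single-NAC config above yields one finding for authentication and one for accounting, while the config with both secondary lines yields none. Checking that the authentication and accounting secondaries point at the same engine, or at engines in the same group, is a natural extension.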
Pala, Zdenek, Employee

If you use up-to-date firmware and you have specified CLI credentials, then the only thing you need to do is:
Add the second engine to the group.
Add/modify the switch in the XMC (NetSight) to refer to both engines, define VR, realm, accounting enable...
Enforce the configuration.

The engine will configure your switch through the CLI properly. Just wait 2-5 minutes. You do not need to add those lines manually, but you can :)

Regards.

Z.
Ilya Semenov

Hi, Zdenek,

what do you mean?))))

1) "use up-to-date firmware" - what are you talking about???????)

2) "Add second engine to the group" - What is the group? How to add there?

3) "Add/modify the switch in the XMC (NetSight) to refer to both engines"

Now I have only:

Where 192.168.128.160 is the primary NAC. Interestingly, the only switch I've added to the primary also appeared on the secondary (without any action on my part).

In my config the switch sends user data like IP, NetBIOS name, MAC, AD account, OS version and family to NetSight. I want to populate this config to all my switches.

Many thanks to you!!!
Pala, Zdenek, Employee

Hi Ilya.

1. I am sure it works with 22.x firmware; I do not remember in which version it started to work.

2. You can have engines in groups. In your picture there is a group called "all Access Control Engines".

On your screenshot, please click on Switches and send a screenshot of the settings.
Please investigate the logs to find out why the Access Control Engine is not able to configure your switch through the CLI. Usually the issue is related to the firewall, credentials or old firmware.

Z.
Ilya Semenov

Thanks, Zdenek! I've got it(

80% of my switches are X430 family, which can't run the EXOS 22 code(

Will my configuration with manual addition of the secondary NAC on the switches work?
Bharathiraja, Suresh, Employee

Hi,

Agreed,
once you have enforced from NAC, the switch will be configured for both the primary and secondary server.

Thanks,
Suresh.B
Ilya Semenov

I applied the configuration on Friday, January 12th. On Tuesday, January 16th there is still nothing related to the secondary NAC on the switch. So it is not so easy... Something doesn't work.