Solved

Can I use XMC/Control as Radius

  • 5 October 2020
  • 9 replies
  • 77 views

Badge

Deploying XMC, Analytics, EAC, all at same time, essentially. Place did have a radius server in place yet. I thought, maybe I’m wrong, or previous version, XMC/NAC can be set as radius server. Trying to keep things as simple as possible for staff to manage, and just get some detection going in NAC.

Firmware is 8.4.2.38 across all three virtual appliances. Is enabling eth1 in NAC best practice? Thanks for any guidance on my first question.

(random, badges here don’t pull from Dojo?)


Best answer by Ovais Qayyum 5 October 2020, 05:21

Hi,

You can use NAC as a Radius server. Please check out the following article:

https://community.extremenetworks.com/aaa-radius-230508/how-to-configure-nac-as-radius-to-authorize-ad-users-7670722

 

Regards,

Ovais 


Badge


Thanks!! Thought so, but still can’t see if I have to do anything in this version, java being phased on. Transfer of knowledge will be solely web based. Appreciate the help! 

Userlevel 2

Apart from the help pages, there are not many documents out there based on the new HTML UI. 

1- What is the user authentication scenario? You wanna use NAC as Radius Proxy (sending incoming auth. requests to the AD)?

2- Or you want NAC to be the Radius as well as the user database?

3- Wired or wireless or a combination of both?

These questions will help guide you in the right direction. Meanwhile, I am checking if we have any documents that are based on the new HTML UI. Please do check the help section; it provides pretty good examples.

 

Regards,

Ovais

 

Badge

For now, just passive device detection. Ultimately will pass via LDAP.

 

This is being deployed in a 4k device environment, that had very little security/management. Using EAC as Radius was the plan for now, and only wired. CloudIQ Pilot will ultimately be deployed for wireless.

I just want to get the switches in the end systems to start, that can’t even happen. Ha. The ACL slices are full, the access edge is mostly v400’s, so extended control bridges are doing too much already on some ancient fiber. I’m popping in 450g2’s 590’s where budget allows. Normally this is the easy part, now the hard part will be beyond easy, once that easy, now hard part is done. Yes these budget restrictions imposed on whoever set this up is driving me mad.

Userlevel 2

I found some useful NAC and XMC how-to configuration videos that one of our SEs recorded while rebuilding his lab. This should help you add switches and enable MAC auth on the switches for endpoints. For endpoint visibility you only need MAC auth, which is handled by the NAC itself; you won’t need to integrate NAC with the AD at this stage.

You would need Radius configuration on the NAC for 802.1x authentication. As far as I understand your case, you need to set up NAC for 802.1X LDAP Authentication (NAC as Radius would perform auth. using AD).

It’s a series of short videos and pretty much starts from the installation of XMC all the way to enabling authentication, analytics, etc. Here is the link:

https://www.youtube.com/playlist?list=PLSDFZrhuKRrgc34oJT3si-so4wa-kFMJx

<<Credit: Branden Henner>>

Let me know how it goes.

 

Regards,

Ovais

Badge


Thanks, really appreciate it! I know I’m missing something stupid. Cascade/VPex mode switches I’m not even worrying about now, all end up traversing non-VPEX 670-g2. V400’s do nothing, very slow, but in a very nice purple box. Ha

Applying LDAP via NAC isn’t allowing me to save and write. Again, likely missing one check box. My window of time to do this is limited and rushed. Without going into detail, no idea how a place such as this was allowed for lack of more obvious word or words like required audits. lol

Userlevel 2

What have you done so far to configure LDAP on the NAC? Please take some configuration snapshots, including the enforce failure error, and post them here so we know where you are at.

 

Regards,

Ovais

Badge


Thanks! Issue is the VPEX/Cascade environment this company was sold. Honestly this vendor should not have sold all this, in the way it sounds. Roughly 67 v400’s at access, v400’s TOR servers, with 1 590x layer 2 only running extended bridge for two buildings. “Core”/Control Bridge pair of 670’s only one is VPEX. The other has all policies applied, rules, ACLs, authentication protocols. Slices filled up, database for identity-management was full. Nodealias. They were sold a solution that is already limited, and isn’t ideal at all. Everything was good to, was about to test in training area. One of campus buildings partially went offline, then online. A redirect.pol just went missing. Slice use was maxed out, 

Now they’re about to rollout VOIP/and updated security with DVR, as well as HVAC controller.  

 

Have you ever used VPEX or cascades? I’ll have to check the forums. These would be ideal for testing stuff. Ha

Userlevel 4

Hello,

We are using VPEX but on a much smaller scale. But it works like a charm.

How did you connect 67 BPEs to one X590? This shouldn’t be possible.
