Header Only - DO NOT REMOVE - Extreme Networks

Trying to setup the most basic MAC based Access Control but need help

  • 13 December 2018
  • 15 replies

Userlevel 2
We know that XMC and NAC can do a whole lot, but initially all we want to do is this:

1) A system will be plugged into a port and will show up in the end-systems tab
2) An administrator will then add that to the "Allowed Devices" group which we have created (for simplicity, this group uses the "Default NAC Profile" which uses the "Enterprise User" Accept Policy)
3) All other systems that have not been added to the "Allowed Devices" group are blocked from accessing the network.

I have an isolated non-production switch that I want to test this on, but I have a question about the config and the rules.
1) We have one Configuration (IMS) that is currently in use on all switches. I have made a secondary Configuration (IMS - MAC Auth) which I wanted to use for MAC auth testing, but I can't figure out how to apply that to just the one switch I want to test on (it has been a while since we first deployed XMC/NAC and I don't know if I am just forgetting where the option is or if a whole new Policy Domain is needed to make this happen)?
2) If the other configuration can be assigned to just a switch for testing, will the attached rules accomplish what we want?
  • Quarantine anything in the Blacklist group
  • Send a notification for anything in the Assessment Warning group
  • Allow anyone if the omni\XOS Administrators group to login to the switches (this currently works)
  • Quarantine any system from which a user attempts to login to a switch but they are not in the omni\XOS administrators group
  • Allow any system that is in the "Allowed Devices" group onto the network
  • Block all other devices
I know that this means that we will have enable identity management on all ports and add all systems to the "Allowed Devices" group before enforcing those rules.

I'm new to the NAC side of things and know that it can cause issues when configured incorrectly, so all the help (and clarification to ideas that I am not understanding correctly) you can provide is welcome.

15 replies

Userlevel 2
What kind of switches are you talking about implementing this config on?
Userlevel 2
That would help, wouldn't it. x460-G2 switches
Userlevel 7
My thoughts....

I don't think that the rule "Management Login" will ever hit.
The rule "Allow OMNI.." is hit for mgmt access and if the user put in a wrong user/pw you just get no login to the switch via e.g. telnet/ssh.
Even if it would hit what should happen - I'd access via telnet/ssh from 10 hops away so you are not able to put me in quarantine.... I'd even telnet/ssh from another switch > will you quarantine the whole switch !?

"default catchall" - how about you set that also to profile Default NAC Profile.
You'd configure anything without blocking anyone > add devices to the correct groups so they end up in Allowed Devices.
After you've put whatever you think should go into Allowed you'd take a closer look for the rest of devices that get catchall > make sure that this devices really should be in catchall = "bad" clients and then you'd turn catchall to unregistered profile and block them > could reduce the calls that you get from angry clients that can't access the network ;-)

To add a new domain go to the Policy tab > open/manage domain > create domain.

Userlevel 2
so you can only have one configuration 'live' at a time per domain? If i want to teat a new configuration, I have to assign it to a new domain, and assign that new domain to the single switch for testing?
Userlevel 7
The policy domain is only for policy (manager) = which roles/services/VLAN/portauth config you will upload to the switch.

The rules (e.g. from the screenshot you've provided) are for the whole NAC.

For testing I'd create a new one - you'd copy all settings from the old one > move the test switch to the new domain and then play around - I think that is better so you don't mess up the running domain.
Userlevel 2
makes sense. so the configuration that is the least restrictive is used when there is more than one configured i am assuming?
Userlevel 7
two options how you can accomplish what I understand you want (May be I do not understand it)...

Option 1 = more scalable more "human error resilient":
  • Create new configuration
  • Create new engine group
  • Assign your new configuration to new engine group
  • Deploy new Access Control Engine and assign it to your new engine group
  • connect your testing switch to the new Engine
now you can play with the switch and rules without affecting your production.

Option 2 = does need less resources
  • Create new location based on your testing switch
  • All your testing rules must have your new location in conditions
  • Rules are processed from top to the bottom = your testing rules must be on the top
your scenario seems to be quite easy.
Rule #1 = if location and end-system is in Allowed Devices then apply the proper profile with policy
Rule #2 = if location then apply Deny profile with deny policy or Reject profile (needs to be created). by default deny profile does assign deny policy what does allow DHCP, DNS, ARP = so fingerprinting will work for you for non-approved devices
Userlevel 2
@Ronald Dvorak , so you are saying that there can only be one "Access Control Configuration" for all of NAC? I guess the only reason we haven't run into any issues yet is because the "Default" and "IMS" configurations are basically the same (shown below). It sounds like we should disable all the rules in the "Default" configuration (if we want to leave it around for reference), delete it and stick with our "IMS" one, or just use the "Default" one and delete our "IMS" one.

Userlevel 7
There is one access control configuration for group of engines. You can have more groups and each group can have own access control configuration.

there is always maximum one configuration for engine.
Userlevel 2
Where is the option to change which configuration is assigned to the engine? I can see that the "IMS" configuration is applied to this engine, but I can't remember where to go to change that setting.

Userlevel 7
You can use NAC Manager to change the config:

Userlevel 2
Thanks. I know that I had not gone into the "legacy" NAC manager before to set it. I still wonder how I changed it previously in the "new" interface.
Userlevel 7
When you create new engine group you can define the configuration.
Userlevel 7
When you create new group, you can assign the configuration.
Userlevel 2
That must have been it.