Question

How to configure dot1x auth with NAC and AD

  • 15 January 2019
  • 7 replies
  • 693 views

exos switch ip:10.10.1.254
nac ip:10.10.1.201
ad ip:10.10.1.204

exos config:
Netlogin
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 3-28 dot1x
enable netlogin ports 3-28 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac ports 3 timers reauthentication on
aaa
VLAN config
configure vlan Default add ports 1-28 untagged
configure vlan Default ipaddress 10.10.1.254 255.255.255.0
enable ipforwarding vlan Default
NAC CONFIG:

7 replies

Userlevel 7
Hi.

It seems you have two AAA configurations in your NAC. One is “basic”, one is “advanced”.
I guess your NAC configuration is using the basic one.

Option 1: change the NAC configuration to use the AAA configuration “advanced” with the two rules you have there.
Option 2: change the basic configuration to “advanced” (right-click on the AAA configuration, make advanced).

Do not forget to enforce. In your switch config I do not see an AAA configuration. If you have CLI credentials working in Extreme Management Center, and if the switch is assigned to the Access Control Engine and you leave the default values when you add the switch to the Access Control Engine, then the AAA will be configured for you. Otherwise you need to set up RADIUS on the switch.
Here is the AAA configuration:

configure radius netlogin 1 server 10.10.1.201 1812 client-ip 10.10.1.254 vr VR-Default
configure radius 1 shared-secret encrypted "#$H6YKEMmpgZRQk4/3ZdZ92pVm5Hk/CXk/2HCOmoHAXF8aH95P9HI="
configure radius-accounting netlogin 1 server 10.10.1.201 1813 client-ip 10.10.1.254 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$u/KlXkwtQYtxcaLzMBFRZNJ3P40ahHVoYZQKgn1moK1Q8R+3INg="
configure radius-accounting 1 timeout 10
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

I have deleted the advanced AAA on NAC.
I have changed basic to advanced.
Userlevel 7
Questions:
1 = Do you see RADIUS requests coming from the switch to your Access Control Engine?
2 = Do you see dot1x in the RADIUS request, or just MAC authentication?
3 = Do you see the end-system in the end-system table? What does it look like, "accept" or "error"?
4 = What is the supplicant (client) setting?
5 = Anything in the logs?

Do you have a guide to do this?

Questions:
1 = Do you see RADIUS requests coming from the switch to your Access Control Engine?
2 = Do you see dot1x in the RADIUS request, or just MAC authentication?
3 = Do you see the end-system in the end-system table? What does it look like, "accept" or "error"?
4 = What is the supplicant (client) setting?
5 = Anything in the logs?

1=yes
2=both
3=error
4=enable dot1x login
5=no
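The first two questions above (is the request dot1x or only MAC authentication, and is RADIUS between the switch and the engine healthy) can be answered from a packet capture of UDP/1812 traffic without touching the switch. The following is an added example, not code from the thread, from Extreme or from the Access Control Engine: a small Python RADIUS decoder that classifies an Access-Request and verifies its Message-Authenticator against the shared secret that the "configure radius 1 shared-secret" line sets on the switch. The secret "testing123", the client MAC 00-11-22-33-44-55 and the user name are constructed sample values; only the switch IP 10.10.1.254 comes from the thread.

```python
"""Added example (not from the thread): classify RADIUS Access-Requests as
802.1X (EAP) or MAC authentication and check the Message-Authenticator.

Assumptions: attribute numbers from RFC 2865/2869/3579; SECRET, MAC and the
user name are constructed sample values, not values from the thread.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

SECRET = b"testing123"            # hypothetical; must equal 'configure radius 1 shared-secret'
NAS_IP = bytes([10, 10, 1, 254])  # the switch IP from the thread
MAC = b"00-11-22-33-44-55"        # constructed client MAC


def _avp(attr_type, value):
    """One Type-Length-Value attribute; length covers the 2-byte header too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, authenticator, attrs):
    """Encode an Access-Request and append a Message-Authenticator (RFC 2869
    5.14): HMAC-MD5 keyed with the shared secret over the whole packet with
    the Message-Authenticator value set to 16 zero bytes."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    placeholder = body + _avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(placeholder)) + authenticator
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + body + _avp(MESSAGE_AUTHENTICATOR, mac)


def parse_attrs(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); strict
    length checks so a truncated capture raises instead of misparsing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[off + 2:off + attr_len]))
        off += attr_len
    return code, ident, packet[4:20], attrs


def verify_message_authenticator(secret, packet):
    """True if the Message-Authenticator was computed with this secret.
    False on a request the engine rejects points at a shared-secret mismatch
    between switch and NAC engine, not at AD."""
    parse_attrs(packet)  # validate structure first
    off = 20
    while off < len(packet):
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            claimed = packet[off + 2:off + 18]
            zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(claimed, expected)
        off += attr_len
    return False


def _norm_mac(s):
    return s.lower().replace("-", "").replace(":", "").replace(".", "")


def classify(packet):
    """'dot1x' if EAP-Message is present (EAP over RADIUS, RFC 3579); 'mac' if
    User-Name is just the client MAC from Calling-Station-Id; else 'other'."""
    _, _, _, attrs = parse_attrs(packet)
    by_type = {}
    for attr_type, value in attrs:
        by_type.setdefault(attr_type, []).append(value)
    if EAP_MESSAGE in by_type:
        return "dot1x"
    user = by_type.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    csid = by_type.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    if len(_norm_mac(user)) == 12 and _norm_mac(user) == _norm_mac(csid):
        return "mac"
    return "other"


def sample_mac_auth():
    """Constructed MAC-auth request: User-Name is the client MAC itself."""
    return build_access_request(SECRET, 7, bytes(range(16)), [
        (USER_NAME, MAC), (CALLING_STATION_ID, MAC), (NAS_IP_ADDRESS, NAS_IP)])


def sample_dot1x():
    """Constructed 802.1X request: EAP-Response/Identity (code 2, id 1, type 1)
    carried in EAP-Message."""
    identity = b"corp\\alice"
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    return build_access_request(SECRET, 8, bytes(range(16, 32)), [
        (USER_NAME, identity), (CALLING_STATION_ID, MAC),
        (NAS_IP_ADDRESS, NAS_IP), (EAP_MESSAGE, eap)])


if __name__ == "__main__":
    for name, pkt in (("mac-auth", sample_mac_auth()), ("dot1x", sample_dot1x())):
        ok = verify_message_authenticator(SECRET, pkt)
        print(name, classify(pkt), "secret-ok" if ok else "secret-MISMATCH")
```

On a real capture, feed the UDP payloads of packets sent to port 1812 to classify() and verify_message_authenticator() in place of the two constructed samples. A port that the switch has enabled for both dot1x and mac (as on ports 3-28 above) will normally show a MAC-auth request first and a dot1x request only once the supplicant answers the EAP Identity request, so seeing only "mac" is itself an answer to question 2.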
Userlevel 7
Please share the error message you see in the end-system table.
Please share the supplicant config on your end system.
Hi

Did you manage to configure dot1x auth with NAC and AD? Is there any documentation available?

I would appreciate your help.

Regards,
Justine
