Solved

Netlogin: assign vlanid and isid via NAC

  • 22 October 2019
  • 6 replies
  • 756 views

We are implementing an Aruba Clearpass as a NAC-System with our 440G2-Switches. Assigning the VLAN ID via Clearpass works well so far. Since we want to use FA features in the future we need to also assign an ISID along with the VLAN ID with Clearpass, otherwise I would have to preconfigure every VLAN on the EXOS switches.

What's the correct way to assign an ISID with netlogin? In Clearpass I use the attribute:

IETF:Radius - Tunnel-Private-Group-Id

to assign the VLAN ID.


Best answer by Ludovico Stevens 23 October 2019, 14:55

So, this is XOS (not ERS). The VLAN creation should happen automatically if it did not already exist, though I have never tested this (I always use XMC Policies with XOS).

You can name the VLAN after it was dynamically created; by naming the VLAN you will make the VLAN static on the switch.

Likewise, if the VLAN already exists on the switch and is only named (a tag value will have been dynamically allocated), you can assign/change that tag value on it; then it will be used when the FA-VLAN-ISID attribute is received.

There is no way to pass a VLAN-name via the FA RADIUS attribute.

6 replies

Userlevel 4

You can use the FA-VLAN-ISID attribute

 

Thank you very much, that worked like a charm. Is there a way to also define a name for the dynamic VLAN? The attribute mentions that it's possible to assign a VLAN name instead of a VLAN ID. Does this VLAN need to be created before it gets assigned, or in which way does the switch know which VLAN ID the named VLAN should get?!


To clarify this:

  • We are using x440G2 with EXOS 30.2.2.17.
  • If the VLANs are not present they get named SYS_VLAN_<VID> and get dynamically allocated.
  • If they are preconfigured with NSI they get automatically tagged to the uplink port, even if no other port is assigned to this VLAN. I guess this would create some unneeded broadcast traffic on the uplink, which we don't want.
  • Maybe preconfiguring the VLANs without NSI could solve my problem. I guess as soon as a connected device gets the vlanid:isid assigned by Clearpass, the switch will most likely assign these to the preconfigured VLAN with the same VLAN ID and probably tag the needed ports. This solution would still require me to preconfigure every VLAN, which we want to avoid.

To keep it simple stupid I'll just live with the ugly names. I'm glad that I can at least assign vlanid:isid with this and don't have to maintain another script to preconfigure the VLANs on the switch itself.

Thanks again!

 
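The thread settles on a NAC returning the FA-VLAN-ISID attribute as a `vlanid:isid` string, with the switch auto-creating `SYS_VLAN_<VID>` when the VLAN does not exist yet. The following is an added example, not code from the thread, Extreme or Aruba: a small validator for a NAC role-to-binding table that a practitioner can run before pushing RADIUS policy, so malformed values or conflicting bindings are caught on the NAC side rather than discovered as authentication failures on the switch. The VID range (1-4094) and the 24-bit I-SID range are standard 802.1Q / SPB limits; the sample policy table is constructed, and the conflict rule (one VID bound to two I-SIDs across roles) is a sanity check I chose, not documented switch behaviour.

```python
import re
from dataclasses import dataclass

# 802.1Q VLAN IDs: 0 and 4095 are reserved, so 1-4094 are assignable.
VID_MIN, VID_MAX = 1, 4094
# An I-SID is a 24-bit value; assumption: the whole range is accepted as a bound.
ISID_MIN, ISID_MAX = 1, 0xFFFFFF

# The attribute value format the thread uses: "<vlanid>:<isid>".
PAIR_RE = re.compile(r"^\s*(\d+)\s*:\s*(\d+)\s*$")


@dataclass(frozen=True)
class FaBinding:
    vid: int
    isid: int

    @property
    def auto_vlan_name(self) -> str:
        # Name EXOS gives a VLAN it creates dynamically (per the thread: SYS_VLAN_<VID>).
        return f"SYS_VLAN_{self.vid}"


def parse_fa_vlan_isid(value: str) -> FaBinding:
    """Parse one FA-VLAN-ISID value and range-check both halves."""
    m = PAIR_RE.match(value)
    if not m:
        raise ValueError(f"expected '<vid>:<isid>', got {value!r}")
    vid, isid = int(m.group(1)), int(m.group(2))
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VID_MIN}-{VID_MAX}")
    if not ISID_MIN <= isid <= ISID_MAX:
        raise ValueError(f"I-SID {isid} outside {ISID_MIN}-{ISID_MAX}")
    return FaBinding(vid, isid)


def consistent_with_tunnel_vlan(binding: FaBinding, tunnel_private_group_id: str) -> bool:
    """If the policy also returns Tunnel-Private-Group-Id (numeric VID), both VIDs must agree."""
    return tunnel_private_group_id.strip() == str(binding.vid)


def check_policy_table(policy: dict[str, str]) -> dict[str, str]:
    """Validate a NAC role -> 'vid:isid' table; returns role -> error text for bad entries."""
    errors: dict[str, str] = {}
    seen_vids: dict[int, int] = {}
    for role, value in policy.items():
        try:
            b = parse_fa_vlan_isid(value)
        except ValueError as e:
            errors[role] = str(e)
            continue
        # The switch has exactly one VLAN per VID, so binding the same VID to two
        # different I-SIDs across roles cannot both take effect; flag it early.
        if b.vid in seen_vids and seen_vids[b.vid] != b.isid:
            errors[role] = f"VLAN {b.vid} already bound to I-SID {seen_vids[b.vid]}"
            continue
        seen_vids.setdefault(b.vid, b.isid)
    return errors


# Constructed sample table (hypothetical roles and values, not from the thread).
CONSTRUCTED_POLICY = {
    "staff": "100:10100",
    "printers": "110:10110",
    "guest": "4095:10200",    # reserved VID
    "iot": "120:abc",         # malformed I-SID
    "staff-alt": "100:20100", # conflicts with 'staff'
}

if __name__ == "__main__":
    for role, value in CONSTRUCTED_POLICY.items():
        try:
            b = parse_fa_vlan_isid(value)
            print(f"{role:10s} -> VLAN {b.vid} / I-SID {b.isid} (auto name {b.auto_vlan_name})")
        except ValueError as err:
            print(f"{role:10s} -> REJECT: {err}")
    print("conflicts/errors:", check_policy_table(CONSTRUCTED_POLICY))
```

Run it against the exported role table before a Clearpass change; any role listed in the returned error map would either be refused by the switch or silently shadow another role's VLAN.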

Userlevel 6

Is it possible to return more than one VLAN:I-SID Pair ?

 

For example, if a WLAN access point is authenticated I can assign the needed VLANs (Bridge@AP) via OnePolicy. Unfortunately only one NSI binding can be provided by XMC Policy Manager.

So the additional VLANs will not be assigned on the uplink via Fabric Attach (because of the missing I-SID). I have to assign them manually via CLI command.

If I could return more than one VLAN:I-SID pair from NAC back to the WLAN AP's authentication session, this would solve the problem!

 

Did someone try that? Should that be possible with EXOS?

(I heard that ERS can do that.)

Userlevel 7

Hi Matthias.

Please check "Add NSI After Policy Enforcement". I believe it is exactly what you are looking for.

 

Egress VLANs are automatically configured with NSI based on Services after policy enforcement. You can also leverage the Import L2VSNs to XMC workflow.

 

Z.
