NAC - VSP/ERS switch management using LDAP credentials


I am trying to use NAC to allow switch management access (SSH/Telnet/Web) for an LDAP group.
Currently the VSP/ERS switches have been added to XMC NAC and I am able to back up configs, use scripts, etc. I am also able to assign VLANs to the ports via LDAP authentication.
Does anyone have instructions on how to configure NAC Policy to send the correct values to the VSP/ERS switches to allow management access?

Hello James,

Give this article a shot:

https://gtacknowledge.extremenetworks.com/articles/How_To/allowing-mangement-access-to-Avaya-switche...

:edit: you'll need to create a rule with an LDAP user group criteria, but this article details the AVP that should work for management login :edit:

Thanks
-Ryan
Ryan,
Thank you. This is what I was looking for.
Is there a way we can append an article to add the VSP/ERS RADIUS commands?
Hello James,

It can be appended, do you have a working configuration I can use to add content to the article?

Thanks
-Ryan
Yes, below are the commands for VSP8284 v7.0.
    enable
    config terminal
    radius server host <radius-server-ip> key <shared-secret> used-by cli enable
    (optional) radius reachability mode status-server
    radius enable
Hi,
I guess the RADIUS server has to send back the RADIUS Attribute "Filter-ID" with the following information (for Enterasys switches):
Enterasys:version=1:mgmt=su:
Detailed information may be available if you search for "filter-id" in the knowledge base (i.e.:
https://gtacknowledge.extremenetworks.com/articles/Q_A/What-filter-id-is-required-for-administrative...

Hope this will be helpful.
Regards,
Axel
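
An added example, not part of the thread or of Extreme's documentation: a Python check that parses the Filter-ID string quoted in the reply above and flags NAC rules that return `mgmt=su` for an LDAP group not on an approved list. The `rw` and `ro` levels, the `policy=` field, and all rule and group names are assumptions or constructed samples.

```python
import re

# Management levels in the Enterasys Filter-ID string. Only "su" appears in
# the thread; "rw" and "ro" are assumed here from the same syntax.
LEVELS = {"su": "super-user", "rw": "read-write", "ro": "read-only"}

FILTER_ID_RE = re.compile(r"^Enterasys:version=1:(?P<body>.*)$")


def parse_filter_id(value):
    """Return {'mgmt': ..., 'policy': ...} for an Enterasys Filter-ID string.

    Raises ValueError on a wrong prefix, unknown field or unknown mgmt level,
    so a typo in a NAC rule is caught before it reaches a switch.
    """
    m = FILTER_ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an Enterasys version 1 Filter-ID: {value!r}")
    fields = {"mgmt": None, "policy": None}  # "policy" is an assumed field
    for part in m.group("body").split(":"):
        if not part:  # tolerate the trailing ':' seen in the thread
            continue
        key, sep, val = part.partition("=")
        if not sep or key not in fields:
            raise ValueError(f"unexpected field {part!r} in {value!r}")
        fields[key] = val
    if fields["mgmt"] is not None and fields["mgmt"] not in LEVELS:
        raise ValueError(f"unknown mgmt level {fields['mgmt']!r}")
    return fields


def audit(rules, su_groups):
    """Return names of rules that grant mgmt=su to a group outside su_groups."""
    findings = []
    for name, group, filter_id in rules:
        if parse_filter_id(filter_id)["mgmt"] == "su" and group not in su_groups:
            findings.append(name)
    return findings


# Constructed sample rules: (rule name, LDAP group, Filter-ID returned).
SAMPLE_RULES = [
    ("net-admins", "CN=NetAdmins", "Enterasys:version=1:mgmt=su:"),
    ("helpdesk", "CN=Helpdesk", "Enterasys:version=1:mgmt=ro:"),
    ("contractors", "CN=Contractors", "Enterasys:version=1:mgmt=su:policy=Guest"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, su_groups={"CN=NetAdmins"}))
```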
