NAC mappings do not distribute tagged VLANs

  • 9 December 2018
  • 8 replies

Extreme Management Center
Switches D2, B5, S-Series, X-440, EOX-Stack
Switches configured with RFC3850, "set policy maptable response both and policy"
"RFC3850 vlan authorization enabled" and "Filter ID With VLAN Tunnel Attribute".

No tagged VLAN is distributed to the required port.

For instance D2:

show port egress
Port      Vlan   Egress     Registration
Number    Id     Status     Status
ge.1.1    1      untagged   static
ge.1.1    123    untagged   etsysPolicyProfile
ge.1.7    1      untagged   static
ge.1.7    250    untagged   etsysPolicyProfile
ge.1.12   123    tagged     static
ge.1.12   196    tagged     static
ge.1.12   250    tagged     static

Userlevel 7
I suggest to use policy to define if you want untagged or tagged vlan to be assigned to egress.
set policy profile....
Userlevel 7
Is the role set to VLAN egress tagged ?!

B5(su)->show port egress ge.1.1
Port      Vlan   Egress     Registration
Number    Id     Status     Status
ge.1.1    1      untagged   static
ge.1.1    100    tagged     etsysPolicyProfile

Hello Zdenek,

Thanks for your prompt answer. First I set the policy mapping as VLAN tagged, only at access control, not at policy.....

Second I create the profile...

And third I create the rule....

At this moment I won't use any Policy Roles; I will use them later if necessary. Is this the wrong way, or should I already use Policy Roles at this point too?

Best Bernd
Userlevel 5
Hi Bernd,

There are two approaches how to get along with VLANs upon authentication. One is to configure default role VLAN or entire VLAN Egress list for a role, second is to use RFC 3580. The former needs just policy (role) name within policy mappings, the latter needs just VLAN ID within policy mappings (yes, you can combine both depending on switch vendor/capabilities you have).

If you plan to use RFC 3580 apart from Policy feature, policy mapping approach should also be alright (but just for a single VLAN, not an entire list if you want e.g. to prepare authenticated AP to serve its clients - this is feasible with role's VLAN Egress list). However, make sure that your switch is added to NAC Appliance with correct "RADIUS attributes to send" option (legacy GUI here but take a look: https://emc.extremenetworks.com/content/nachelp/docs/nac_at_edit_switch.html).
If it is set to RFC 3850 or some combination of RFC 3580 and else, you can easily confirm with tcpdump on NAC appliance that relevant RADIUS attributes are sent to the switch and if there are those three Tunnel attributes but it's still not working, I would go back to look at the switch config.

Hope that helps,
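
Added example, not part of the original post: a small Python parser that checks a captured RADIUS Access-Accept for the three RFC 3580 tunnel attributes mentioned above (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) and for Filter-Id. The packet bytes are constructed for illustration, and all function names are this example's own assumptions.

```python
import struct

# Attribute numbers: Filter-Id (RFC 2865), Tunnel-* (RFC 2868).
FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 11, 64, 65, 81
ACCESS_ACCEPT = 2

def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def vlan_assignment(packet: bytes):
    """Summarise what the reply tells the switch about VLAN and policy."""
    code, attrs = parse_attributes(packet)
    out = dict(accept=code == ACCESS_ACCEPT, filter_id=None, tunnel_type=None, tunnel_medium=None, vlan=None)
    for a_type, val in attrs:
        if a_type == FILTER_ID:
            out["filter_id"] = val.decode("ascii", "replace")
        elif a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM) and len(val) == 4:
            # 1-byte tag followed by a 3-byte enumerated value
            key = "tunnel_type" if a_type == TUNNEL_TYPE else "tunnel_medium"
            out[key] = int.from_bytes(val[1:], "big")
        elif a_type == TUNNEL_PGID and val:
            # a leading byte <= 0x1F is a tag, not part of the VLAN string
            s = val[1:] if val[0] <= 0x1F else val
            out["vlan"] = s.decode("ascii", "replace")
    # RFC 3580 VLAN assignment: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6), group ID
    out["rfc3580_complete"] = (out["tunnel_type"], out["tunnel_medium"]) == (13, 6) and out["vlan"] is not None
    return out

def attr(a_type: int, value: bytes) -> bytes:
    return bytes([a_type, len(value) + 2]) + value  # one type-length-value attribute

def build_accept(body: bytes) -> bytes:
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample Access-Accept (zeroed authenticator) assigning VLAN 123
SAMPLE = build_accept(attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d") + attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06")
                      + attr(TUNNEL_PGID, b"123"))
```

Feed it the UDP payload of a reply captured on the NAC appliance; a result with `rfc3580_complete` false and only `filter_id` set means the appliance is sending a policy name rather than a VLAN ID.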
Userlevel 7
Hi Bernd.
For D2 I would go with policy approach = more flexible.
Hi Tomasz and Zdenek,

Thanks for your tips. I will check all that again. I only have one question left: is the VLAN egress a RADIUS attribute, or is it provided by the policy mapping?

Best Bernd
Userlevel 7
The screenshot from Roland = it is policy configuration = you need to enforce and you have it in the switch config. In RADIUS you just reply with policy assignment.

The screenshot from you (Bernd) with VLAN 123 mdcvoip is a RADIUS attribute.
Hi Zdenek, Ronald and Tomasz,

I have now tried everything, without result, and have now rolled out the policy planned for later, and everything goes well.
Thanks again for your help and I wish you a Merry Christmas.

Best Bernd