<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ExtremeControl PVID misconfiguration for a role - not assigned to correct VLAN in ExtremeCloud IQ - Site Engine Management Center</title>
    <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112342#M12284</link>
    <description></description>
    <pubDate>Thu, 05 Sep 2024 16:04:39 GMT</pubDate>
    <dc:creator>gerivives</dc:creator>
    <dc:date>2024-09-05T16:04:39Z</dc:date>
    <item>
      <title>ExtremeControl PVID misconfiguration for a role - not assigned to correct VLAN</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112342#M12284</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;I am trying to configure a policy for a group of users in the Access Control Engine but the actual policy that is being deployed to the switch does not correspond with what I am looking to achieve. Below you can see the exact policy.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;configure policy profile 6 name "Enterprise Access" pvid-status "enable" pvid 4095 cos-status "enable" cos 3 untagged-vlans 2005&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;The behaviour that I am aiming for is that all users who are assigned to the Enterprise Access role based are assigned to VLAN 2005 (meaning that the port they are connected to is configured as untagged for VLAN 2005). The uplinks are manually configured with all the VLANs that could potentially be used in the switch. The configuration relevant to this is as follows:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;In Policy -&amp;gt; Roles/Services -&amp;gt; Enterprise Access -&amp;gt; VLAN egress. Configured VID 2005 as untagged.&lt;/LI&gt;&lt;LI&gt;As a result of this, in&amp;nbsp;Policy -&amp;gt; Roles/Services -&amp;gt; Enterprise Access -&amp;gt; Mappings, the value 2005 is configured with type VLAN (RFC 3580).&lt;/LI&gt;&lt;LI&gt;In Policy -&amp;gt; VLANs I have created the global VLAN VLAN_Enterprise with VID 2005 and mapped it to the role Enterprise access, configuring to always write the VLAN to the device.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;What am I missing? The device connecting authenticates properly and appears in the end-system tab confirming that it is assigned to Enterprise access. However, it does not have connectivity and does not receive an IP address. 
By manually forcing the policy in the switch to use the PVID 2005:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;configure policy profile 6 name "Enterprise Access" pvid-status "enable" pvid 2005 cos-status "enable" cos 3 untagged-vlans 2005&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Then, it behaves as expected. What am I missing? Are any of the configurations I have followed redundant/unnecessary and is there anything that I may have overlooked?&lt;/P&gt;&lt;P&gt;I would also be grateful if you could provide more guidance on Policy VLAN Islands. The concept is clear to me yet I cannot wrap my head around how to configure them or the inner workings.&lt;/P&gt;&lt;P&gt;Thanks for your help,&lt;/P&gt;&lt;P&gt;Gerard&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 05 Sep 2024 16:04:39 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112342#M12284</guid>
      <dc:creator>gerivives</dc:creator>
      <dc:date>2024-09-05T16:04:39Z</dc:date>
    </item>
    <item>
      <title>Re: ExtremeControl PVID misconfiguration for a role - not assigned to correct VLAN</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112354#M12285</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.extremenetworks.com/t5/user/viewprofilepage/user-id/48890"&gt;@gerivives&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You are probably just missing this setting here:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Stefan_K__0-1725558176028.png" style="width: 400px;"&gt;&lt;img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/8126i57E2E72E9A57251E/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Stefan_K__0-1725558176028.png" alt="Stefan_K__0-1725558176028.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;I guess it is set to "permit traffic", change it to "contain to VLAN" and choose VLAN2005 from the dropdown.&amp;nbsp;&lt;/P&gt;&lt;P&gt;By the way, if you only want to do VLAN assignment without any specific roles/rules/services, you can simply rely on RFC3580 without the use of policies. Policy assignment is done via Policy Mappings in NAC. Make sure to change the RADIUS attributes of the switch to "RFC 3580 - VLAN ID &amp;amp; Extreme Policy" to be able to use both RFC3580 and Policies. "configure maptable response both" also needs to be configured on the switch.&lt;/P&gt;&lt;P&gt;Best regards&lt;BR /&gt;Stefan&lt;/P&gt;</description>
      <pubDate>Thu, 05 Sep 2024 17:45:56 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112354#M12285</guid>
      <dc:creator>Stefan_K_</dc:creator>
      <dc:date>2024-09-05T17:45:56Z</dc:date>
    </item>
    <item>
      <title>Re: ExtremeControl PVID misconfiguration for a role - not assigned to correct VLAN</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112526#M12287</link>
      <description>&lt;P&gt;I would agree. The "VLAN Egress" tab is meant to allow configuration of VLANs on egress, but not for PVID.&lt;BR /&gt;&lt;BR /&gt;"Contain to VLAN" should set pvid and egress of untagged.&lt;BR /&gt;&lt;BR /&gt;Thanks&lt;BR /&gt;-Ryan&lt;/P&gt;</description>
      <pubDate>Fri, 06 Sep 2024 12:54:04 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/extremecontrol-pvid-misconfiguration-for-a-role-not-assigned-to/m-p/112526#M12287</guid>
      <dc:creator>Ryan_Yacobucci</dc:creator>
      <dc:date>2024-09-06T12:54:04Z</dc:date>
    </item>
  </channel>
</rss>

