topic Re: Local Administrator account and Extreme NAC in ExtremeCloud IQ- Site Engine Management Center

Local Administrator account and Extreme NAC

ExtremeNewbie — Tue, 16 Sep 2025 10:44:11 GMT

Hello Community,

Apologies if this question is in the wrong section.

We are using XMC- SE and NAC control in our environment. We are currently testing User and Machine Authentication via Certificates. The User and Machine are domain joined and can authenticate as expected.

However, I am finding I cannot authenticate an end user device when I login with a local administrator account. This makes sense as the settings are setup to use domain joined authentication.

My question is, can local administrator accounts on end user devices somehow be authenticated to give network access? When I login with the local administrator account, the network drops off after a short time. In XMC I can see for the local administrator account the message "Rejected NTLM Authentication".

Many thanks,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Tue, 16 Sep 2025 12:09:41 GMT

Hello,

You can set up a username/password in the local password repository that can be used with local admin accounts. The "LDAP Authentication" or "Local Authentication" authentication method in your AAA should both also check the local password repository during the authentication. I don't believe you'll need any additional rules, just add the credentials into the local password repository which can be found in the AAA configurations.

Thanks

-Ryan

Re: Local Administrator account and Extreme NAC

Bartek — Tue, 16 Sep 2025 12:10:00 GMT

You can configure specific NAC AAA rule for handling authentication for those local accounts (perhaps you need to change AAA from Basic to Advanced configuration first)

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Tue, 16 Sep 2025 12:15:45 GMT

@RyanS @Bartek - thanks both. I did see the document for adding the account to the local password repository. However, the document was dated 2019 and involved setting son the NAC side too. Is there a more up to date document per chance?

Many thanks,

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Tue, 16 Sep 2025 13:39:54 GMT

Hello All,

I have added in the credentials as stated in the comments above. This is coming back with Rejected NTLM Authentication.

With User/Machine Authentication the end device is allocated a subnet due to it's location. If no Rules are met as in this case - local administrator account, there is a fall back subnet the end device is allocated.

Is a new rule needed for this? Ideally, I would the end device to keep the subnet IP like when this is logged in as a domain user.

The message I have are:

Username: Local Admin, Auth Type: 802.1X, Reason: Rejected NTLM Authentication

Then the session is no longer active due to: Lost Carrier.

Many thanks,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Wed, 17 Sep 2025 15:40:18 GMT

Hello,

I was incorrect in my first response.

In addition to the Local Password Repository account you'll need to create an AAA account to look to the local password repository.

For example:

The AAA line should be set to look for "Authentication Type" of "Management Login" with a pattern defined as the local user that is attempting to authenticate.

Authentication Method should be set to Local Authentication.

Make sure the placement of this new AAA rule will be used. The AAA runs like an ACL, first match wins, so if you put this rule at the bottom and a rule in the AAA higher up is a match, this new rule will not be used.

Once this is in place, you should be able to get authentication to succeed.

Thanks

-Ryan

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Thu, 18 Sep 2025 10:37:57 GMT

@Ryan_Yacobucci - thanks for the reply. Is the AAA account added in in the option below?

I also have AAA Rules under configuration please see below.

Which option is the best place for this? I also have other AAA Rules and like you have said need to ensure this is placed correctly.

Many thanks,

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Thu, 18 Sep 2025 14:41:08 GMT

Hello All,

I have created the AAA Rule as suggested please see below. This does not match the rule and goes straight to CatchAll when trying to login as the local administrator account. I have tried with and without the Password Authentication option as in the screenshot below.

To confirm, the local administrator account has been added to the Local Password Repository under the Default option and the rule has been created as below.

Any other suggestions?

Thanks,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Sat, 20 Sep 2025 22:11:04 GMT

Hello,

You need an AAA rule to handle the authentication, and you need a rules engine rule to handle the authorization.

See this article for an example:
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000081977

Thanks
-Ryan

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Mon, 22 Sep 2025 13:59:48 GMT

@Ryan_Yacobucci - Thanks for the reply. I have gone though the document. One item to note is that the local administrator account is not a domain account. The link in your reply above refers to a domain administrator account. I set this up as Local Authentication - see screenshot below.

As such, I don't believe NTLM Authentication will work as LDAP Authentication Type needs to be local as in the screenshot above. If I have misread this I apologise. To re-iterate, the account needed is a Local Administrator account (end user device) and this is not a domain account.

Many Thanks,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Mon, 22 Sep 2025 15:18:56 GMT

You are correct, since there is no LDAP integration you cannot utilize an LDAP criteria in order to match a rule to provide mgmt RADIUS attributes.

Instead, you would need to define a "username" user group with the users you want to allow access.

There are two main concepts that need to be considered here:
1. The authentication from the switch needs to be processed.
This is the AAA with local password authentication.

This will only perform the "Accept" or "Reject" based on user password. To gain access to switches, you need to provide a RADIUS attribute to provide an authorization level, which leads us to #2.

2. The Control appliance needs to send a RADIUS attribute to allow management access, and at which level the user is authorized. (Read only versus Read/Write)

This is the purpose of the rule in Control rules engine. There needs to be a rule that matches on management authentication to provide the appropriate RADIUS attribute (Server-Type=6 usually) to gain read/write management access.

While you do not have the ability to do an LDAP look, you need a rule to provide the "Service-Type=6" attribute for management access.

In turn, you also need a rule to Reject users that are NOT allowed. With switch engine/EXOS an "Accept" is enough to get ready-only access, so a reject needs to be returned to prevent anyone hitting the "catch-all" rule and getting an "accept".

Thanks
-Ryan

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Mon, 22 Sep 2025 15:24:54 GMT

@Ryan_Yacobucci - thanks for the reply. Is there documentation showing how to put this in place?

Many thanks,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Mon, 22 Sep 2025 15:38:29 GMT

Hello,

If you follow the guide I provided above, but instead of an "LDAP User Group" use a "Username" user group and define the users you want to login.

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Wed, 01 Oct 2025 08:39:06 GMT

@Ryan_Yacobucci I have created the local user as per instructions please see below.

I have created a new AAA Rule for this and placed this at the top of the list - please see below.

I have created a new Rule for this as described - see below.

Profile is below.

Then the Reject Rule - this is what I am unsure about. I have set this to Reject Authentication Requests - see below.

In total, it looks like this - see below.

I believe this is all that is needed from the AAA and Rule side. Please correct me if I am wrong.

If all the above is correct, the next step is to configure the switch in the NAC Engine to accept Any Access? Will this then accept Radius and the new AAA/Rule created above? The new Rule is not enabled at the moment as I have not completed the NAC side yet.

Many Thanks,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Wed, 01 Oct 2025 20:31:12 GMT

Hello,

This looks pretty good to me.

Authentication is configured to handle the local users by the local password repository.

Authorization is configured to send back an administrative response if it's an authorized user, and ANY other management logins will be rejected.

Some final considerations:

1. When you add the switch you have to set the Auth Access type to "Any Access". This will have Control attempt to configure the device to send RADIUS requests for management access. As long as the device supports dynamic RADIUS configuration, when you enforce the NAC, NAC will reconfigure RADIUS to enable for the management realm/facility.

Once you enforce, make sure the configuration is changed accordingly.

2. When you add the switch, make sure the "RADIUS attributes to send" contains the necessary attributes for management access.

Service-Type for EXOS
Service-Type or Passport-Access-Priority for VOSS depending on version
Service-Type for XIQ-C

Typically Service-Type=6 will get you read/write access.

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Thu, 02 Oct 2025 08:14:10 GMT

@Ryan_Yacobucci - many thanks for checking and confirming the setup. I will look at the switch side shortly. One other item from me, when adding a username to the user group, does a wildcard for example .\name work for this?

Kind regards,

Re: Local Administrator account and Extreme NAC

Ryan_Yacobucci — Sat, 04 Oct 2025 19:07:04 GMT

Hello,

You should be able to use * for a wildcard for username usergroups.

The user/host/pattern matching within the AAA itself has a more fully feature regex capability, but within usergroups there is only very limited capability. * will work for wildcards within usergroups.

Thanks
-Ryan

Re: Local Administrator account and Extreme NAC

ExtremeNewbie — Mon, 06 Oct 2025 12:47:18 GMT

Hello Ryan - I have tried as suggested and have a couple of issues.

1. The setup as it is, the Rule created for this is not hit and the Authentication attempted is 802.1X see below.

2. When I run the Evaluation Tool for this, it comes back as OK and no issues - see below.

AAA Rule

Access Rule

I also have an issue where the Reject Rule is applied across the board and is leading to Authentication rejections. I have turned the Reject Rule off for now - see below.

The Reject Rule is directly below the Accept Rule. Something I believe is wrong with the setup/placement of this Rule.

Many thanks,