https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21710#M1327 i figure it out:<BR /> <BR /> <A href="https://emc.extremenetworks.com/content/polman/docs/l_p_at_port_prop_gen.html#mappings" target="_blank" rel="nofollow noreferrer noopener">https://emc.extremenetworks.com/content/polman/docs/l_p_at_port_prop_gen.html#mappings</A><BR /> <BR /> configure policy profile 1 name "Innovaphone" pvid-status "enable" pvid 172 untagged-vlans 172<BR /> configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 1 admin-pid 1<BR /> configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 2 admin-pid 1Be aware this works not with EXOS 22.5 - 22.5-Patch-2-2 include a fix.<BR /> Tue, 04 Sep 2018 21:45:00 GMT M_Nees 2018-09-04T21:45:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21705#M1322 I have a client with EOS switches that uses MAC-To-Role Mapping from Policy Manager to allow certain devices to access the network with a different policy than the default when comunication between the switch and the NAC is interrupted.<BR /> <BR /> In EXOS, I can not do that, only VLAN to Role mapping works (not Mac to role or IP to role).<BR /> <BR /> The client is security-concious and is concerned that in remote offices, if the NAC is not available, everyone can get in. They want to still be able to apply certain security to certain devices.<BR /> <BR /> Is there a different method to make sure a local (inside the switch) autentication happens only if the NAC is not available for auhentication? Tue, 13 Jun 2017 20:39:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21705#M1322 jsoler 2017-06-13T20:39:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21706#M1323 Hello Jordi,<BR /> <BR /> For added security, you can configure your EXOS device for limited/locked MAC learning as per this article from our Knowledge Base:<BR /> <BR /> <A href="https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-enable-port-security-mac-learning-on-Summit-X460" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-enable-port-security-mac-learning-on-S...</A><BR /> <BR /> Tue, 13 Jun 2017 20:57:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21706#M1323 Ash_Curtis 2017-06-13T20:57:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21707#M1324 Thanks for the reply, that this would not help if a new user/device wanted to enter the LAN after the NAC communication was interrupted. Tue, 13 Jun 2017 20:57:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21707#M1324 jsoler 2017-06-13T20:57:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21708#M1325 Yes, that is correct, your options here are limited to configuring the number of MAC addresses that can be learned or the specific MAC addresses that can use a given port. <BR /> <BR /> If you do not know a potential users MAC address that may wish to use a given port in the future, you will need to limit the number of MAC addresses that can be learned but of course this leaves the port open to learning ANY new MAC addresses up to the configured limit. Tue, 13 Jun 2017 20:57:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21708#M1325 Ash_Curtis 2017-06-13T20:57:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21709#M1326 On EXOS 22.2/22.3/22.4 MAC-to-Role Mapping seems to be possible but only at "port-level" not "device level".<BR /> Unfortunately i do not figured out how to configure that!<BR /> Tue, 04 Sep 2018 21:45:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21709#M1326 M_Nees 2018-09-04T21:45:00Z https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21710#M1327 i figure it out:<BR /> <BR /> <A href="https://emc.extremenetworks.com/content/polman/docs/l_p_at_port_prop_gen.html#mappings" target="_blank" rel="nofollow noreferrer noopener">https://emc.extremenetworks.com/content/polman/docs/l_p_at_port_prop_gen.html#mappings</A><BR /> <BR /> configure policy profile 1 name "Innovaphone" pvid-status "enable" pvid 172 untagged-vlans 172<BR /> configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 1 admin-pid 1<BR /> configure policy rule admin-profile macsource 00-90-33-00-00-00 mask 24 port-string 2 admin-pid 1Be aware this works not with EXOS 22.5 - 22.5-Patch-2-2 include a fix.<BR /> Tue, 04 Sep 2018 21:45:00 GMT https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/mac-to-role-mapping-in-exos/m-p/21710#M1327 M_Nees 2018-09-04T21:45:00Z