<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic NAC Zones - design question in ExtremeCloud IQ- Site Engine Management Center</title>
    <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44821#M6022</link>
    <description>Hi,&lt;BR /&gt;
&lt;BR /&gt;
I wanna set up NAC Zones, locations/switches being the selector. Got about 20 locations to reflect in Zones, and about 20 for different end-system classifications across all locations. Because the Zones are applied by NAC rules only, this would result in a very questionable amount of NAC rules. Is there any other way to use zones just by switch location?</description>
    <pubDate>Fri, 02 Oct 2015 11:19:00 GMT</pubDate>
    <dc:creator>mp2014</dc:creator>
    <dc:date>2015-10-02T11:19:00Z</dc:date>
    <item>
      <title>NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44821#M6022</link>
      <description>Hi,&lt;BR /&gt;
&lt;BR /&gt;
I wanna set up NAC Zones, locations/switches being the selector. Got about 20 locations to reflect in Zones, and about 20 for different end-system classifications across all locations. Because the Zones are applied by NAC rules only, this would result in a very questionable amount of NAC rules. Is there any other way to use zones just by switch location?</description>
      <pubDate>Fri, 02 Oct 2015 11:19:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44821#M6022</guid>
      <dc:creator>mp2014</dc:creator>
      <dc:date>2015-10-02T11:19:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44822#M6023</link>
      <description>Hi,&lt;BR /&gt;
&lt;BR /&gt;
I hope the steps below will help you to configure zones.&lt;BR /&gt;
&lt;BR /&gt;
&lt;A href="https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-a-Location-in-NAC-For-Zone" target="_blank" rel="nofollow noreferrer noopener"&gt;https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Configure-a-Location-in-NAC-For-Zon...&lt;/A&gt;&lt;BR /&gt;
&lt;BR /&gt;
Thanks,&lt;BR /&gt;
Suresh.B&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Fri, 02 Oct 2015 13:17:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44822#M6023</guid>
      <dc:creator>Bharathiraja__S</dc:creator>
      <dc:date>2015-10-02T13:17:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44823#M6024</link>
      <description>This article is regarding wireless zones. I'm referring to end-system zones in NAC, standard wired devices. My problem is just the amount of NAC rules needed.&lt;BR /&gt;
Goal is to use these zones to make only specific end systems visible to the administrator of a location.&lt;BR /&gt;</description>
      <pubDate>Fri, 02 Oct 2015 14:07:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44823#M6024</guid>
      <dc:creator>mp2014</dc:creator>
      <dc:date>2015-10-02T14:07:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44824#M6025</link>
      <description>This should not be a big problem. I currently have about 900 rule matrix entries in my customer's NAC. We also use zones there for the same reason. But zones do NOT expand your rule matrix; you have to add the zone to the users and groups AND to the rule matrix entries. Users are only viewable there (in OneView) AFTER they are authenticated with a zone-fitted rule matrix. No panic about a bigger count of rules in the rule matrix.</description>
      <pubDate>Fri, 04 Mar 2016 16:36:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44824#M6025</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-04T16:36:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44825#M6026</link>
      <description>First you have to enable the row "zone" in the RuleMatrix to make it viewable and accessible...&lt;BR /&gt;
&lt;P class="fancybox-image"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="951ede9ac26746cdb0c11b6dacd04b91_RackMultipart20160304-40778-1kq78is-nac_zone_inline.png"&gt;&lt;img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1534i496AE0AEFCE80935/image-size/large?v=v2&amp;amp;px=999" role="button" title="951ede9ac26746cdb0c11b6dacd04b91_RackMultipart20160304-40778-1kq78is-nac_zone_inline.png" alt="951ede9ac26746cdb0c11b6dacd04b91_RackMultipart20160304-40778-1kq78is-nac_zone_inline.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;BR /&gt;</description>
      <pubDate>Fri, 04 Mar 2016 16:46:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44825#M6026</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-04T16:46:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44826#M6027</link>
      <description>And then "simply" add the ID of your zone, in this example "4"; this makes the client authenticated through this rule matrix line viewable in OneView...&lt;BR /&gt;
&lt;P class="fancybox-image"&gt;&lt;span class="lia-inline-image-display-wrapper" image-alt="be7ddfa8ca28450996bdbc1a0a576bc7_RackMultipart20160304-40771-jxiw4-nac_zone_details_inline.png"&gt;&lt;img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/1367i63300024C7232C8E/image-size/large?v=v2&amp;amp;px=999" role="button" title="be7ddfa8ca28450996bdbc1a0a576bc7_RackMultipart20160304-40771-jxiw4-nac_zone_details_inline.png" alt="be7ddfa8ca28450996bdbc1a0a576bc7_RackMultipart20160304-40771-jxiw4-nac_zone_details_inline.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 04 Mar 2016 16:49:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44826#M6027</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-04T16:49:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44827#M6028</link>
      <description>Thanks for the reply - this is how we do it now. But it's a lot of work to do so many rules. And for any new end-system classification wishes, I need to adjust rules for any department...&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Fri, 11 Mar 2016 12:15:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44827#M6028</guid>
      <dc:creator>mp2014</dc:creator>
      <dc:date>2016-03-11T12:15:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44828#M6029</link>
      <description>I don't know what you really need. In my customer's case there are departments all over their biggest location and there is no limit to which switch they connect to; it depends on their end-system-group. So a client of end-system "A" will always be authenticated to the same vlan regardless of which switch they are connected to, except when the switch is in a different location (where we have a different vlan infrastructure). &lt;BR /&gt;
&lt;BR /&gt;
I would recommend that you create an Excel sheet where you define which user groups (end-system-groups) are allowed to move between locations and to which vlan they should be authenticated. &lt;BR /&gt;
&lt;BR /&gt;
Per vlan you need one rule matrix entry; that does not depend on zone management. Zones can be added additionally to each rule matrix entry. You only have to create and define the zones and users / groups that should be able to manage and add this to the rule-matrix entry where they are authenticated.&lt;BR /&gt;
&lt;BR /&gt;
Do you have different "managers" for clients within the same vlan? Then I would understand what you mean, but if different "managers" have to admit different vlans, this is really easy. &lt;BR /&gt;
&lt;BR /&gt;
If you need more details please contact me directly. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Fri, 11 Mar 2016 14:21:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44828#M6029</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-11T14:21:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44829#M6030</link>
      <description>The &lt;B&gt;&lt;I&gt;only &lt;/I&gt;&lt;/B&gt;criterion for which end-system belongs to which manager is the switch/port location, not the vlan or end-system group. So this is why it looks tricky to me to achieve this...&lt;BR /&gt;</description>
      <pubDate>Fri, 11 Mar 2016 18:18:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44829#M6030</guid>
      <dc:creator>mp2014</dc:creator>
      <dc:date>2016-03-11T18:18:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44830#M6031</link>
      <description>I am sorry, I deleted my last answer to you; I was wrong. &lt;BR /&gt;
&lt;BR /&gt;
Do you have moving users that on some days are connected to switch A and on other days to switch B, or are the users static to their switches?&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Fri, 11 Mar 2016 19:33:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44830#M6031</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-11T19:33:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44831#M6032</link>
      <description>The point is that Zones only work with end-system-groups. So you have to create end-system-groups based on your switch locations. You can easily get these MAC addresses from the NAC Manager by using a filter on the switch IP, then export them and import the MAC addresses into each end-system-group.&lt;BR /&gt;
&lt;BR /&gt;
Best if you choose names that are likely for your switches.&lt;BR /&gt;
&lt;BR /&gt;
Create your zone managers in the Zone management and then you have to edit your current rule Matrix entries and add the correct zone to each "manager" (=user). &lt;BR /&gt;
&lt;BR /&gt;
The "managers" should now be able to add a user to his end-system-group if a client connects to his switch based on the entry in the rule matrix line for this.</description>
      <pubDate>Fri, 11 Mar 2016 19:36:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44831#M6032</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-11T19:36:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44832#M6033</link>
      <description>But what should these managers have to do? Allow "unknown" MAC addresses? What's the reason for you to involve them for this job? For me there is something missing for a full understanding.</description>
      <pubDate>Fri, 11 Mar 2016 20:16:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44832#M6033</guid>
      <dc:creator>Rainer_Adam</dc:creator>
      <dc:date>2016-03-11T20:16:00Z</dc:date>
    </item>
    <item>
      <title>RE: NAC Zones - design question</title>
      <link>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44833#M6034</link>
      <description>The only purpose for this is to make local end systems visible to local admins (admins of the end systems, not networking) via OneView. All real network administration tasks are done by central IT department admins.&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Fri, 11 Mar 2016 21:14:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremecloud-iq-site-engine/nac-zones-design-question/m-p/44833#M6034</guid>
      <dc:creator>mp2014</dc:creator>
      <dc:date>2016-03-11T21:14:00Z</dc:date>
    </item>
  </channel>
</rss>

