topic Re: Netsight - Monitoring only in ExtremeCloud IQ- Site Engine Management Center

Netsight - Monitoring only

m18grunling — Thu, 12 Sep 2019 17:16:13 GMT

Hi @all,

Since two months we are using Netsight NAC. Before was our NAC managed by macmon (www.macmon.eu).

macmon procedere:
Macmon scan every minute the switch for a change. In this case macmon changed the vlan into the right one (authorized device) or into a quarantaene vlan (unauthorized device).
There was also possible to add switches into macmon for documentation. So macmon doesn't change anything on the switch. It was only in a "scanning mode". In this mode we added also Switches in the datacenter. So we have all mac-addresses in our company in one system!

In netsight we have our NAC as mac-based configured. And now we searched also for a solution to add some switches or ports in the scanning mode.

First for our datacenter switches, and the other problem is. That we have some audio devices in a vlan which is not routed. This devices are old and have the problem to publish his mac-address only by reboot the device. After a certain time it doesn't publish the mac address and the switch lost the address on the port and so it switch back to the naclogin-vlan.

THANKS for your ideas!
Marcus

Re: Netsight - Monitoring only

Erik_Auerswald — Thu, 12 Sep 2019 18:51:46 GMT

Hi Marcus,

You can configure the switch ports to use "optional authentication." The switch ports allow devices onto the network irrespective of authentication success or failure, but NAC has all the end-system information it learns from authentication.
You have described the "silent device" problem, see https://community.extremenetworks.com/aaa-radius-230508/mac-authentication-dynamic-vlans-and-silent-devices-7612836 for a lot of info. I like the idea of monitoring the end-systems so that the MAC address is refreshed often enough.

Thanks,
Erik

Re: Netsight - Monitoring only

m18grunling — Thu, 12 Sep 2019 19:00:55 GMT

Hi Erik,

Thanks for your fast reply!!

1.) Can you give me your recommended (netlogin) config without authentication to see the devices with all information in NAC, please?

THANKS
marcus

Re: Netsight - Monitoring only

Erik_Auerswald — Thu, 12 Sep 2019 19:23:19 GMT

Hi Marcus,

you configure authentication in NAC and the switch normally (without policy or VLAN assignment), but then you add the port configuration to not actually require authentication:

configure netlogin ports PORTS authentication mode optional

Note: This is supported for OnePolicy only (i.e., with enable policy as part of the configuration).

I would expect that this can be achieved using the XMC ("NAC") web frontend as well.

If authentication is successful and sends policy and / or VLAN information, those will be used. Thus you should configure NAC to not send any policy or VLAN assignment to those switches where you only need the visibility features of NAC.

Please test this before actually using it in production!

Thanks,
Erik