topic Re: question on MAC auth using windows NPS in ExtremeSwitching (ERS)

question on MAC auth using windows NPS

kitkat0981 — Tue, 13 May 2025 17:53:26 GMT

hi all,

new when it comes to Avaya/Extreme. I have a ERS 4850GTS in my lab and trying to see how MAC auth using Windows NPS works in order to assign the port a specific vlan based on MAC manufacture OUI and Windows user laptops enables with 802.1x authentication. Is this even possible on theses switches? (running base software 5.8.0.3).

The purpose is to assign vlan 10 to non wuthenticated windows PC, vlan 15 to authenticated windows and vlan 20 to IOT's like printers and possibly other vlans for other purposes with the default vlan 2 as a quarantined initial vlan.

thanks

Re: question on MAC auth using windows NPS

EF — Thu, 15 May 2025 10:41:42 GMT

Hi,

It is possible using MultiHost MultiVlan, after configure RADIUS server:

eapol enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-pwd-fmt show

interface Ethernet ALL
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan mac-max 2
eapol status auto

If you got EAP and NON-EAP clients maybe and it's useful delay MAC auth to avoid unnessesary MAC auth from EAP clients:

eapol multihost radius-non-eap-delay <0-20>

About "to assign vlan 10 to non wuthenticated windows PC" maybe you can use "guest vlan" feature but I dont like much, cable for enterprise devices and wifi guest for...guests.

Cheers!!

Re: question on MAC auth using windows NPS

kitkat0981 — Thu, 15 May 2025 12:25:51 GMT

thanks for the reponse, i will try that.

Re: question on MAC auth using windows NPS

EF — Thu, 15 May 2025 12:31:21 GMT

Sorry "eapol multihost non-eap-pwd-fmt show" is "eapol multihost non-eap-pwd-fmt mac-addr"

Re: question on MAC auth using windows NPS

kitkat0981 — Tue, 20 May 2025 14:43:41 GMT

so how would this differ if what I need is when a user logs into the device (windows PC) he gets put on a specific VLAN? The VLAN comes from the Radius correct?

Re: question on MAC auth using windows NPS

EF — Wed, 21 May 2025 11:48:41 GMT

Hi, this is the config in the SW to enable EAPOL with multiple host multiple VLANs for EAPOL and NONEAPOL clients, then you must configure the RADIUS with the policies and returned atributes, for example VLANs.

Re: question on MAC auth using windows NPS

kitkat0981 — Wed, 21 May 2025 14:32:05 GMT

so I received more info; there is Avaya IP Phones and some users connect behind the phone and some users connect directly to a switchport.

How would this work in order to differentiate a phone to any other device on a port? as well as detecting the device that is connected behind the phone?

EAP would be configured for devices that support EAP like Windows Laptops and Chromebooks correct?

Re: question on MAC auth using windows NPS

kitkat0981 — Wed, 21 May 2025 18:50:13 GMT

so I added this configuration and it locked me out.

i guess it's because my port #1 is the trunk, so eap should not be setup on that port, but I don't know how to NOT include it.

Re: question on MAC auth using windows NPS

kitkat0981 — Wed, 21 May 2025 19:16:24 GMT

here is the config, not sure why it's seperated into multiple lines, it should apply to all ports from 2-48 since port1 is the trunk.

! *** EAP ***

eapol multihost allow-non-eap-enable

eapol multihost radius-non-eap-enable

eapol multihost use-radius-assigned-vlan

eapol multihost non-eap-use-radius-assigned-vlan

interface Ethernet ALL

eapol multihost port 2-14 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac

-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assign

ed-vlan mac-max 2

eapol multihost port 15 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-m

ax 2 radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-ea

p-use-radius-assigned-vlan mac-max 2

eapol multihost port 16-34 enable eap-mac-max 2 allow-non-eap-enable non-eap-ma

c-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assig

ned-vlan mac-max 2

eapol multihost port 35 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-m

ax 2 radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-ea

p-use-radius-assigned-vlan mac-max 2

eapol multihost port 36-48 enable eap-mac-max 2 allow-non-eap-enable non-eap-ma

c-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assig

ned-vlan mac-max 2

eapol multihost port 49-50 mac-max 2

no eapol multihost port 1 eap-protocol-enable

exit

interface Ethernet ALL

eapol port 2-48 status auto

exit

! *** EAP Guest VLAN ***

eapol guest-vlan enable vid 2204

! *** EAP Fail Open VLAN ***

! *** EAP Voip VLAN ***

eapol enable