topic Re: How to configure dot1x auth with NAC and AD in ExtremeSwitching (EXOS/Switch Engine)

How to configure dot1x auth with NAC and AD

Ashraf — Tue, 15 Jan 2019 12:47:39 GMT

exos switch ip:10.10.1.254
nac ip:10.10.1.201
ad ip:10.10.1.204

exos config:
Netlogin
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 3-28 dot1x
enable netlogin ports 3-28 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac ports 3 timers reauthentication on
aaa
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 3-28 dot1x
enable netlogin ports 3-28 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
configure netlogin mac ports 3 timers reauthentication on
VLAN config
configure vlan Default add ports 1-28 untagged
configure vlan Default ipaddress 10.10.1.254 255.255.255.0
enable ipforwarding vlan Default
NAC CONFIG:

Re: How to configure dot1x auth with NAC and AD

Zdeněk_Pala — Tue, 15 Jan 2019 14:49:03 GMT

Hi.

it seems you have two AAA configurations in your NAC. One is “basic” one is “advanced”.
i guess your NAC configurationnis using the basic one.

option 1: change the nac configuration to use the aaa configuration “advanced” with two rules you have there.
option 2: change the basic configuration to the “asvanced” (right click on the aaa configuration, make advanced).

do not forget to enforce. In your switch config I do not see AAA configuration. If you have CLI credentials working in Extreme Management Center and if the switch is assigned to the Access Control Engine and you leave the default values when you add the switch to the acceas control engine then the AAA will be configured for you. Otherwise you need to setup radius on the switch.

Re: How to configure dot1x auth with NAC and AD

Ashraf — Tue, 15 Jan 2019 17:54:33 GMT

here aaa configuration

configure radius netlogin 1 server 10.10.1.201 1812 client-ip 10.10.1.254 vr VR-Default
configure radius 1 shared-secret encrypted "#$H6YKEMmpgZRQk4/3ZdZ92pVm5Hk/CXk/2HCOmoHAXF8aH95P9HI="
configure radius-accounting netlogin 1 server 10.10.1.201 1813 client-ip 10.10.1.254 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$u/KlXkwtQYtxcaLzMBFRZNJ3P40ahHVoYZQKgn1moK1Q8R+3INg="
configure radius-accounting 1 timeout 10
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

Re: How to configure dot1x auth with NAC and AD

Ashraf — Tue, 15 Jan 2019 17:55:55 GMT

i have deleted advance aaa on nac
i have change basic to advance

Re: How to configure dot1x auth with NAC and AD

Zdeněk_Pala — Sat, 19 Jan 2019 21:36:30 GMT

Questions:
1 = do you see radius request coming from the switch to your Access Control Engine?
2 = do you see dot1x in the radius request? or just MACauthentication?
3 = do you see end-system in the end-system table? how it looks like "accept / error"
4 = What is the supplicant (client) setting?
5 = anything in the logs?

Re: How to configure dot1x auth with NAC and AD

Ashraf — Fri, 08 Feb 2019 15:22:59 GMT

do you got guide to do this?

Questions:
1 = do you see radius request coming from the switch to your Access Control Engine?
2 = do you see dot1x in the radius request? or just MACauthentication?
3 = do you see end-system in the end-system table? how it looks like "accept / error"
4 = What is the supplicant (client) setting?
5 = anything in the logs?

1=yes
2=both
3=error
4=enable dot1x login
5=no

Re: How to configure dot1x auth with NAC and AD

Zdeněk_Pala — Mon, 11 Feb 2019 15:59:05 GMT

Please share the error message you see in the end-system table.
Please share the supplicant config on your end system.

Re: How to configure dot1x auth with NAC and AD

Justine_Silbery — Wed, 19 Jun 2019 03:41:37 GMT

Hi

Did you manage to do configure dot1x auth with Nac and AD? Is there any documentation available?

I would appreciate your help

Regard
Justine