ZTP+ Fabric with NAC on edge ports not working (auto-sense enabled)

JPavel — Wed, 17 Jun 2026 10:20:30 GMT

Hello community,

we are looking to set up ZTP+ Fabric, including Extreme Control (NAC), for one of our customers.

In this case, the customer wants to minimize the need for CLI-based switch configuration as much as possible.

In principle, the onboarding of the fabric switches via the workflow is working as intended.

However, we are having trouble getting NAC to work on the end-device ports.

The customer wishes to continue using their legacy Control configuration to pass the VLAN to the switch via RADIUS attributes (using the "Extreme VOSS" RADIUS template).

The rule set and mapping within Control appear to be correct, as the end-system logs clearly show the correct VLAN attributes being returned:

However, we observe that the switch port ignores the VLAN attribute, meaning the port is not authorized for the target VLAN.

Consequently, the port remains stuck in the onboarding VLAN (4048):

To check if the issue might be related to the legacy VLAN configuration, we also ran tests using the "Extreme VOSS - Fabric Attach" and "Extreme VOSS - Per-User-ACL" RADIUS templates, defining the corresponding policy roles in the policy domain.

The behavior, however, was exactly the same. The end-system logs showed that the correct policy role value was forwarded to the switch (FilterID=<Policy-Role>), but the switch ignored it, and the port remained stuck in the onboarding VLAN (4048).

To get NAC working, we had to enable "auto-sense" on the ports and configure eapol for the interfaces:

(Because we did a simple tests with MAC authentication we had to add the guest-vlan here)

Once that was done, the switch correctly recognized the RADIUS VLAN attribute and successfully moved the port into the appropriate VLAN:

I am now wondering whether it is even possible to get NAC working when "auto-sense" is enabled on the end-device ports.

I tried setting the "auto-sense wait-interval" to 2 seconds to rule out potential timeout issues, but that didn't help.

Can anyone assist me with this?

Best regards,

Joerg

Re: ZTP+ Fabric with NAC on edge ports not working (auto-sense enabled)

Ludovico — Wed, 17 Jun 2026 15:44:28 GMT

The Tunnel-Private-Group-Id attribute (Template Extreme VOSS) is not designed to work on auto-sense / flex-uni access ports. It will only work if there is already a platform VLAN object on the switch.

Auto-sense is what you want to keep on access ports, and NAC uses flex-uni on auto-sense ports, which can be added to any I-SID (without any need for platform VLANs on the switch).

The correct RADIUS template is Extreme VOSS - Fabric Attach" if not using XIQ-SE Policy, or "Extreme VOSS - Per-User-ACL" if using XIQ-SE Policy.

There is a Sandbox that Extreme partners can reserve to understand how to deploy a fully zero-touch automated Fabric Edge with NAC; ask your Extreme sales rep to reserve it for you.

topic Re: ZTP+ Fabric with NAC on edge ports not working (auto-sense enabled) in ExtremeSwitching (VSP/Fabric Engine)

ZTP+ Fabric with NAC on edge ports not working (auto-sense enabled)

Re: ZTP+ Fabric with NAC on edge ports not working (auto-sense enabled)