topic RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable? in ExtremeWireless (General)

EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

SchmuFoo — Thu, 30 Aug 2018 18:02:00 GMT

Hello Community,

I'm looking for details if Clients connected to "auth-reg" Ports will still have connectivity, If the Radius/NetSight Server is offline?

set multiauth mode multi
set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
set multiauth port mode force-auth ge.1.1
set multiauth port mode force-auth ge.1.2
set multiauth port mode auth-reqd ge.1.3
set multiauth port mode force-auth ge.1.4
set multiauth port mode auth-reqd ge.1.5
[..]

Thanks,

Jan

RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

SchmuFoo — Thu, 30 Aug 2018 18:04:00 GMT

BTW, with regards to auth-reqd VS. force-auth:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-disable-authentication-on-a-port-to...

RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

Zdeněk_Pala — Fri, 31 Aug 2018 17:39:00 GMT

Force-auth = the port is authorized no authentication will happen
Auth-req = no traffic will pass until accept is received

the third option is authentication optional (auto) = if the auth is not successful then the default port config is used (vlan, default policy, QoS...)

You can have more radius servers = to accomplish HA

RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

Shmulik — Fri, 31 Aug 2018 20:55:00 GMT

Just to add to Zdenek points. If you are using ExtremeControl for NAC, then you can deploy two ExtremeControl NAC Engines (there is no extra licensing cost) that sync-up from the XMC Server upstream so the switch will fail-over from primary RADIUS engine to secondary RADIUS engine without disruption to network access.

Shmulik

RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

SchmuFoo — Thu, 06 Sep 2018 01:35:00 GMT

Thanks for clarification! As an follow-up: What happens on one auth-reg Port with an, lets asume, 5 Port SOHO Switch connected to it? Does the Enterasys Switch allow/dissallow connected Clients also seperately? Verbose: Multiple Clients connected through on single Enterasys Port through an additional unmanaged Switch. Does the NAC Access is still working on an individual Frame Level? Thanks, Jan

RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

Zdeněk_Pala — Thu, 06 Sep 2018 21:16:00 GMT

you can limit the amount of concurrent authenticated MACs by CLI or XMC (NetSight) and there is also some hardware limit. different hardware limit for D2, B2, B3, C3, C5, XOS...

each MAC address is authenticated and can be authorized with different policy profile (VLAN, QOS, rules)

RE: EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

Shmulik — Fri, 07 Sep 2018 01:52:00 GMT

Depends if the switch is configured for single-auth or multi-auth on the port. If single-auth then only the first mac is authenticated and following mac will flow through untagged without authentication. If port is configured for multi-auth, then each mac will get authenticated and assigned its own specific VLAN even though it is coming from a SOHO switch connected to the port.

Thanks!

Shmulik