https://community.extremenetworks.com/t5/network-architecture-design/how-to-configure-nac-to-send-outbound-radius-attributes-for-dhcp/m-p/77017#M2606 <P>What configuratoin is required to setup NAC to send outbound radius attributes for configuring ERS4900 with FA radius attributes like:</P> <P>dhcp snooping</P> <P>bpdu filtering</P> <P>slpp guard</P> <P>IP-Source Guard</P> <P>All this should be possible in combination with NAC and ERS 4900.</P> <P>Thanks in advance</P> Tue, 19 May 2020 15:30:43 GMT Sacha_Brys 2020-05-19T15:30:43Z https://community.extremenetworks.com/t5/network-architecture-design/how-to-configure-nac-to-send-outbound-radius-attributes-for-dhcp/m-p/77017#M2606 <P>What configuratoin is required to setup NAC to send outbound radius attributes for configuring ERS4900 with FA radius attributes like:</P> <P>dhcp snooping</P> <P>bpdu filtering</P> <P>slpp guard</P> <P>IP-Source Guard</P> <P>All this should be possible in combination with NAC and ERS 4900.</P> <P>Thanks in advance</P> Tue, 19 May 2020 15:30:43 GMT https://community.extremenetworks.com/t5/network-architecture-design/how-to-configure-nac-to-send-outbound-radius-attributes-for-dhcp/m-p/77017#M2606 Sacha_Brys 2020-05-19T15:30:43Z https://community.extremenetworks.com/t5/network-architecture-design/how-to-configure-nac-to-send-outbound-radius-attributes-for-dhcp/m-p/77018#M2607 <P>Hi Sacha,</P> <P>&nbsp;</P> <P>Whatever is supported on ERS 4900 as RADIUS attributes (see here: <A href="https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/9036215-00_ConfigSecERS49005900_7.8_CG.pdf" target="_blank" rel="nofollow noreferrer noopener">https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/9036215-00_ConfigSecERS49005900_7.8_CG.pdf</A> and <A href="https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/9036216-00_ConfigFabConERS49005900_7.8_CG.pdf" target="_blank" rel="nofollow noreferrer noopener">https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/9036216-00_ConfigFabConERS49005900_7.8_CG.pdf)</A>, they can be configured under selected Policy Mapping in EAC configuration:</P> <P><A href="https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_ht_setup_access_policies.html" target="_blank" rel="nofollow noreferrer noopener">https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_ht_setup_access_policies.html</A></P> <P><A href="https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_at_man_policy_mapping.html" target="_blank" rel="nofollow noreferrer noopener">https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_at_man_policy_mapping.html</A></P> <P>&nbsp;</P> <P>On the other hand, when adding ERS to EAC engine Switches list (authenticators), you have to specify what RADIUS attributes are to be send back if an authenticating end-system is connected to this particular switch:</P> <P><A href="https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/c_ov_ia_at_add_switch_window.html#top" target="_blank" rel="nofollow noreferrer noopener">https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/c_ov_ia_at_add_switch_window.html#top</A></P> <P>&nbsp;</P> <P>For BOSS I see ready sets of RADIUS Attributes, e.g. “Extreme BOSS Fabric Attach”. It looks lke that:</P> <BLOCKQUOTE> <P>FA-VLAN-Create=1<BR /> FA-VLAN-ISID=%VLAN_ID%:%CUSTOM1%<BR /> FA-VLAN-PVID=%VLAN_ID%</P> </BLOCKQUOTE> <P>So in the Policy Mapping, VLAN ID should be set and ‘Custom 1’ field shall contain I-SID number.</P> <P>&nbsp;</P> <P>It will work the same for other switches and vendors. If some attribute sets are not there (like you would like to mix few attributes from different sets), you can create a new set on your own. If particular proprietary attributes are not defined (like I saw for WiNG), you can define just %CUSTOM1% and inside a Policy Mapping put entire attribute and value pair.</P> <P>&nbsp;</P> <P>If you need more guidance let us know.</P> <P>&nbsp;</P> <P>Hope that helps,</P> <P>Tomasz</P> Thu, 21 May 2020 02:28:23 GMT https://community.extremenetworks.com/t5/network-architecture-design/how-to-configure-nac-to-send-outbound-radius-attributes-for-dhcp/m-p/77018#M2607 Tomasz 2020-05-21T02:28:23Z