topic RE: NAC mappings does not distribute tagged vlans in Network Architecture & Design

NAC mappings does not distribute tagged vlans

Bernd_Gruetzke — Mon, 10 Dec 2018 00:50:00 GMT

Environment:
Extreme Management Center 8.1.5.22
Switches D2, B5, S-Serie, X-440, EOX-Stack
Switches configured with RFC3850, "set policy maptable response both and policy"
"RFC3850 vlan authorization enabled" and "Filter ID With VLAN Tunnel Attribute".

Symtoms:
no tagged vlan will distributed to the required port .

For instance D2:

show port egress
Port Vlan Egress Registration
Number Id Status Status
------------------------------------------------------------
ge.1.1 1 untagged static
ge.1.1 123 untagged etsysPolicyProfile
ge.1.7 1 untagged static
ge.1.7 250 untagged etsysPolicyProfile
ge.1.12 123 tagged static
ge.1.12 196 tagged static
ge.1.12 250 tagged static

RE: NAC mappings does not distribute tagged vlans

Zdeněk_Pala — Mon, 10 Dec 2018 01:11:00 GMT

I suggest to use policy to define if you want untagged or tagged vlan to be assigned to egress.
set policy profile....

RE: NAC mappings does not distribute tagged vlans

Ronald_Dvorak — Mon, 10 Dec 2018 03:25:00 GMT

Is the role set to VLAN egress tagged ?!

Result:
B5(su)->show port egress ge.1.1
Port Vlan Egress Registration
Number Id Status Status
------------------------------------------------------------
ge.1.1 1 untagged static
ge.1.1 100 tagged etsysPolicyProfile
B5(su)->

RE: NAC mappings does not distribute tagged vlans

Bernd_Gruetzke — Mon, 10 Dec 2018 15:11:00 GMT

Hello Zdenek,

thanks for your prompt answer. First I set the policy mapping as vlan tagged, only at access control, not at policy.....

Second I create the profile...

And third I create the rule....

At this moment I won´t use any Policy Roles, I will use it later if it is necessary. I this the wrong way or should I use already Policy Roles at this point too?

Best Bernd

RE: NAC mappings does not distribute tagged vlans

Tomasz — Tue, 11 Dec 2018 05:20:00 GMT

Hi Bernd,

There are two approaches how to get along with VLANs upon authentication. One is to configure default role VLAN or entire VLAN Egress list for a role, second is to use RFC 3580. The former needs just policy (role) name within policy mappings, the latter needs just VLAN ID within policy mappings (yes, you can combine both depending on switch vendor/capabilities you have).

If you plan to use RFC 3580 apart from Policy feature, policy mapping approach should also be alright (but just for a single VLAN, not an entire list if you want e.g. to prepare authenticated AP to serve its clients - this is feasible with role's VLAN Egress list). However, make sure that your switch is added to NAC Appliance with correct "RADIUS attributes to send" option (legacy GUI here but take a look: https://emc.extremenetworks.com/content/nachelp/docs/nac_at_edit_switch.html).
If it is set to RFC 3850 or some combination of RFC 3580 and else, you can easily confirm with tcpdump on NAC appliance that relevant RADIUS attributes are sent to the switch and if there are those three Tunnel attributes but it's still not working, I would go back to look at the switch config.

Hope that helps,
Tomasz

RE: NAC mappings does not distribute tagged vlans

Zdeněk_Pala — Fri, 14 Dec 2018 16:13:00 GMT

Hi Bernd.
For D2 I would go with policy approach = more flexible.

RE: NAC mappings does not distribute tagged vlans

Bernd_Gruetzke — Fri, 14 Dec 2018 21:07:00 GMT

Hi Tomasz and Zdenek,

thanks for your tips. I will check all that again. I only have one question left, is the vlan egress a radius attribute or is it provided by the policy mapping?

Best Bernd

RE: NAC mappings does not distribute tagged vlans

Zdeněk_Pala — Fri, 14 Dec 2018 22:02:00 GMT

the screenshot from Roland = it is policy configuration = you need to enforce and you have it in the switch config. in radius you just reply with policy assignment.

The screenshot from you (Bernd) with vlan 123 mdcvoip is radius attribute.

RE: NAC mappings does not distribute tagged vlans

Bernd_Gruetzke — Wed, 19 Dec 2018 18:47:00 GMT

Hi Zdenek, Ronald and Tomasz,

I have now tried everything, without result and have now rolled out the policy planned for later and everything goes well.
Thanks again for your help and I wish you a merry christmas.

Best Bernd