https://community.extremenetworks.com/t5/security-access-control/fabric-engine-and-nac-for-per-user-acl/m-p/94571#M34 <P>Hi,</P><P>I've a XIQ-SE latest version ( 22.9.13.5) and a Fabric Engine switch also latest version (8.9).</P><P>I've problem with the Radius Attribute Extreme VOSS - Per-User-ACL and auto-sense feature on the access ports.</P><P>My configuration follow.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_0-1675084187574.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6343i9518B55D74C85399/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_0-1675084187574.png" alt="Antonio_Opromol_0-1675084187574.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_1-1675084187581.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6345i4C68DA7F780C25CB/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_1-1675084187581.png" alt="Antonio_Opromol_1-1675084187581.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Client is connected to port 1/24 of this switch that is in auto-sense enable mode:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_2-1675084187581.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6344i4501E1AE3490FC9A/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_2-1675084187581.png" alt="Antonio_Opromol_2-1675084187581.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;The switch has auto-sense parameters configured:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_3-1675084187584.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6346i5794C9C37F55E3CC/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_3-1675084187584.png" alt="Antonio_Opromol_3-1675084187584.png" /></span></P><P>&nbsp;</P><P><SPAN>And radius is configured:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_4-1675084187586.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6348i88DE3E4FCA31DC67/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_4-1675084187586.png" alt="Antonio_Opromol_4-1675084187586.png" /></span></P><P>&nbsp;</P><P><SPAN>EAPOL is enabled at global level</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_5-1675084187587.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6347iE6D1163F08268F00/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_5-1675084187587.png" alt="Antonio_Opromol_5-1675084187587.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>When client is connected to this port, the host is correctly authenticated by Radius</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_6-1675084187589.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6351i96D56DCBAE830640/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_6-1675084187589.png" alt="Antonio_Opromol_6-1675084187589.png" /></span></P><P>&nbsp;</P><P><SPAN>And policy seems to be applied </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_7-1675084187590.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6350i007E1059D8D04815/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_7-1675084187590.png" alt="Antonio_Opromol_7-1675084187590.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_8-1675084187596.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6349i2BE950029E99DA38/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_8-1675084187596.png" alt="Antonio_Opromol_8-1675084187596.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_9-1675084187598.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6354iE1264931078947BD/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_9-1675084187598.png" alt="Antonio_Opromol_9-1675084187598.png" /></span></P><P>&nbsp;</P><P><SPAN>But I don’t see the VLAN correctly applied to the port but only the auto-sense data vlan.</SPAN></P><P><SPAN>If now I try to login with a user and dynamically assign vlan id 50 and i-sid 2000050, I see in the switch console:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_10-1675084187600.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6352iEF92A5AC08690787/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_10-1675084187600.png" alt="Antonio_Opromol_10-1675084187600.png" /></span></P><P>&nbsp;</P><P><SPAN>So seems that first is correctly authenticated, but immediately un-authenticated and then mac authenticated and in my policy must be assigned in this case vlan id :4 and i-sid: 2000004, as shown in the NAC:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_11-1675084187602.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6353i333D2542647B3B07/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_11-1675084187602.png" alt="Antonio_Opromol_11-1675084187602.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_12-1675084187604.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6356iE92DBA5E67D29EE3/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_12-1675084187604.png" alt="Antonio_Opromol_12-1675084187604.png" /></span></P><P>&nbsp;</P><P><SPAN>But in reality nothing happens on the port of the switch:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_13-1675084187606.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6355i1C53AC4893BD12D2/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_13-1675084187606.png" alt="Antonio_Opromol_13-1675084187606.png" /></span></P><P>&nbsp;</P><P><SPAN>I’ve also tried to enable trace debug of eapol in this port and use a different logon User (Insegnante1) with vlan id: 196 and i-sid: 2000196 (the same as applied from auto-sense data), but also the debug don’t point me in the right direction for solve the problem, I only see authenticated and un-authenticated messages and mac authentication that follow for this client.</SPAN></P><P>&nbsp;</P><P><SPAN>Instead with Switch engine and proper configurations all works well.</SPAN></P><P>As other test, Iv've tried n VOSS to use flex-uni instead of auo-sense configuration on the port, and in this case the 802.1x authentication works well, the problems are with the FILTER that give the following error when try to change the dynamic-acl-name from the previous one:<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6373i68EE39810FDF5359/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6375i090E29B3FE17A1C3/image-size/large?v=v2&amp;px=999" role="button" title="2.PNG" alt="2.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.PNG" style="width: 900px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6374iC83E42259C5F3AB3/image-size/large?v=v2&amp;px=999" role="button" title="3.PNG" alt="3.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6376i9AA68EC6E158DE07/image-size/large?v=v2&amp;px=999" role="button" title="4.PNG" alt="4.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6377i2C8CF4C49AACD1EF/image-size/large?v=v2&amp;px=999" role="button" title="5.PNG" alt="5.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6.PNG" style="width: 391px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6378i4EA15807B37892DF/image-size/large?v=v2&amp;px=999" role="button" title="6.PNG" alt="6.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="7.PNG" style="width: 861px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6379i9B785CE3B3E4A323/image-size/large?v=v2&amp;px=999" role="button" title="7.PNG" alt="7.PNG" /></span></P><P>So the ACL rules are present on the switch but show me the previous acl name "Unregistered" instead of the ACL name applied to the user that is named "Insegnanti"</P><P>Why this happens and how solve?</P> Thu, 16 Feb 2023 14:07:24 GMT Antonio_Opromol 2023-02-16T14:07:24Z https://community.extremenetworks.com/t5/security-access-control/fabric-engine-and-nac-for-per-user-acl/m-p/94571#M34 <P>Hi,</P><P>I've a XIQ-SE latest version ( 22.9.13.5) and a Fabric Engine switch also latest version (8.9).</P><P>I've problem with the Radius Attribute Extreme VOSS - Per-User-ACL and auto-sense feature on the access ports.</P><P>My configuration follow.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_0-1675084187574.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6343i9518B55D74C85399/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_0-1675084187574.png" alt="Antonio_Opromol_0-1675084187574.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_1-1675084187581.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6345i4C68DA7F780C25CB/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_1-1675084187581.png" alt="Antonio_Opromol_1-1675084187581.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Client is connected to port 1/24 of this switch that is in auto-sense enable mode:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_2-1675084187581.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6344i4501E1AE3490FC9A/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_2-1675084187581.png" alt="Antonio_Opromol_2-1675084187581.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;The switch has auto-sense parameters configured:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_3-1675084187584.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6346i5794C9C37F55E3CC/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_3-1675084187584.png" alt="Antonio_Opromol_3-1675084187584.png" /></span></P><P>&nbsp;</P><P><SPAN>And radius is configured:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_4-1675084187586.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6348i88DE3E4FCA31DC67/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_4-1675084187586.png" alt="Antonio_Opromol_4-1675084187586.png" /></span></P><P>&nbsp;</P><P><SPAN>EAPOL is enabled at global level</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_5-1675084187587.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6347iE6D1163F08268F00/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_5-1675084187587.png" alt="Antonio_Opromol_5-1675084187587.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>When client is connected to this port, the host is correctly authenticated by Radius</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_6-1675084187589.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6351i96D56DCBAE830640/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_6-1675084187589.png" alt="Antonio_Opromol_6-1675084187589.png" /></span></P><P>&nbsp;</P><P><SPAN>And policy seems to be applied </SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_7-1675084187590.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6350i007E1059D8D04815/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_7-1675084187590.png" alt="Antonio_Opromol_7-1675084187590.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_8-1675084187596.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6349i2BE950029E99DA38/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_8-1675084187596.png" alt="Antonio_Opromol_8-1675084187596.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_9-1675084187598.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6354iE1264931078947BD/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_9-1675084187598.png" alt="Antonio_Opromol_9-1675084187598.png" /></span></P><P>&nbsp;</P><P><SPAN>But I don’t see the VLAN correctly applied to the port but only the auto-sense data vlan.</SPAN></P><P><SPAN>If now I try to login with a user and dynamically assign vlan id 50 and i-sid 2000050, I see in the switch console:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_10-1675084187600.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6352iEF92A5AC08690787/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_10-1675084187600.png" alt="Antonio_Opromol_10-1675084187600.png" /></span></P><P>&nbsp;</P><P><SPAN>So seems that first is correctly authenticated, but immediately un-authenticated and then mac authenticated and in my policy must be assigned in this case vlan id :4 and i-sid: 2000004, as shown in the NAC:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_11-1675084187602.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6353i333D2542647B3B07/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_11-1675084187602.png" alt="Antonio_Opromol_11-1675084187602.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_12-1675084187604.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6356iE92DBA5E67D29EE3/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_12-1675084187604.png" alt="Antonio_Opromol_12-1675084187604.png" /></span></P><P>&nbsp;</P><P><SPAN>But in reality nothing happens on the port of the switch:</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Antonio_Opromol_13-1675084187606.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6355i1C53AC4893BD12D2/image-size/medium?v=v2&amp;px=400" role="button" title="Antonio_Opromol_13-1675084187606.png" alt="Antonio_Opromol_13-1675084187606.png" /></span></P><P>&nbsp;</P><P><SPAN>I’ve also tried to enable trace debug of eapol in this port and use a different logon User (Insegnante1) with vlan id: 196 and i-sid: 2000196 (the same as applied from auto-sense data), but also the debug don’t point me in the right direction for solve the problem, I only see authenticated and un-authenticated messages and mac authentication that follow for this client.</SPAN></P><P>&nbsp;</P><P><SPAN>Instead with Switch engine and proper configurations all works well.</SPAN></P><P>As other test, Iv've tried n VOSS to use flex-uni instead of auo-sense configuration on the port, and in this case the 802.1x authentication works well, the problems are with the FILTER that give the following error when try to change the dynamic-acl-name from the previous one:<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6373i68EE39810FDF5359/image-size/large?v=v2&amp;px=999" role="button" title="1.PNG" alt="1.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6375i090E29B3FE17A1C3/image-size/large?v=v2&amp;px=999" role="button" title="2.PNG" alt="2.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.PNG" style="width: 900px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6374iC83E42259C5F3AB3/image-size/large?v=v2&amp;px=999" role="button" title="3.PNG" alt="3.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6376i9AA68EC6E158DE07/image-size/large?v=v2&amp;px=999" role="button" title="4.PNG" alt="4.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5.PNG" style="width: 999px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6377i2C8CF4C49AACD1EF/image-size/large?v=v2&amp;px=999" role="button" title="5.PNG" alt="5.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6.PNG" style="width: 391px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6378i4EA15807B37892DF/image-size/large?v=v2&amp;px=999" role="button" title="6.PNG" alt="6.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="7.PNG" style="width: 861px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/6379i9B785CE3B3E4A323/image-size/large?v=v2&amp;px=999" role="button" title="7.PNG" alt="7.PNG" /></span></P><P>So the ACL rules are present on the switch but show me the previous acl name "Unregistered" instead of the ACL name applied to the user that is named "Insegnanti"</P><P>Why this happens and how solve?</P> Thu, 16 Feb 2023 14:07:24 GMT https://community.extremenetworks.com/t5/security-access-control/fabric-engine-and-nac-for-per-user-acl/m-p/94571#M34 Antonio_Opromol 2023-02-16T14:07:24Z