07-19-2021 02:37 PM
Hi All,
I have a question about MAC-based authentication via ExtremeCloud A3
I installed the following systems in my lab and tested the cooperation between ExtremeCloud A3 and EXOS Switch.
But MAC-Based authentication via ExtremeCloud A3 does not work on EXOS Switch.
1. X440-G2-24t-10GE4: Two client PC is connected to this switch.
2. ExtremeCloud A3 : Virtual machine(Standalone), ExtremeCloud A3 is connected to ExtremeCloud IQ and Active Directory.
Do you have a sample configuration of A3 for MAC-based authentication?
I confirmed the A3 Installation and Usage Guide Registration VLAN Version document but there is no?sample configuration.
Best Regards,
Yuki Nakamura.
Solved! Go to Solution.
07-20-2021 06:42 AM
Hi,
I tested this and no problem using A3 for Mac auth.
I used my A3 setup that I use for dot1x and the mac auth hit the default rule. A3 did send an accept and vlan attributes.
Are you sure the EXOS config is right, did you add a netlogin mac-list (required).
Depending if you use Onepolicy or vlan you need define the roles correctly in the device settings on A3. netlogin old style (with policy disabled) you need role by vlan-id and assign the vlan-id’s to each role you use.
in a3, check auditing for your client and check what role it hits. If there is no client seen check radius config on A3 and exos, possibly restart A3 services to activate any changes you made.
09-06-2021 11:39 AM
Hello Yuki
Thank you for your quick answer
This is great
kind regards
Rien
09-06-2021 11:12 AM
///
09-06-2021 11:11 AM
Hi Rien,
I am testing Web Authentication using A3 and EXOS switches.
EXOS configuration is as follows.
# Module devmgr configuration.
configure snmp sysName "X440G2-1"
configure snmp sysContact "https://www.extremenetworks.com/support/"
configure timezone name JST 540 noautodst
# Module vlan configuration.
create vlan "VLAN_0100"
configure vlan VLAN_0100 tag 100
create vlan "VLAN_0200"
configure vlan VLAN_200 tag 200
create vlan "VLAN_Netlogin"
configure vlan VLAN_0100 add ports 11-12,24 untagged
configure vlan VLAN_0200 add ports 24 tagged
configure vlan VLAN_0100 ipaddress <Management-IP>
# Module policy configuration.
configure policy captive-portal web-redirect 1 server 1 url "http://<A3-VIP>:80/Extreme::EXOS" enable
configure policy profile 1 name "Unregistered" pvid-status "enable" pvid 0 web-redirect 1
configure policy profile 2 name "Guest" pvid-status "enable" pvid 100 untagged-vlans 100
configure policy profile 3 name "Engineer" pvid-status "enable" pvid 200 untagged-vlans 200
configure policy rule 1 ipdestsocket <A3-VIP> mask 32 forward
configure policy rule 1 udpdestportIP 53 mask 16 forward
configure policy rule 1 udpdestportIP 67 mask 16 forward
configure policy rule 1 ether 0x0806 mask 16 forward
configure policy maptable response both
configure policy captive-portal listening 80
configure policy captive-portal listening 443
configure policy vlanauthorization enable
enable policy
# Module aaa configuration.
configure radius netlogin primary server <A3-VIP> client-ip <Management-IP> vr VR-Default
configure radius netlogin primary shared-secret encrypted <A3-Shared-Secret>
configure radius-accounting netlogin primary server <A3-VIP> client-ip <Management-IP> vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted <A3-Shared-Secret>
enable radius netlogin
# Module exsshd configuration.
enable ssh2
# Module iqagent configuration.
configure iqagent server vr VR-Default
# Module netLogin configuration.
enable netlogin mac web-based
configure netlogin mac authentication database-order radius
configure netlogin web-based authentication database-order radius
enable netlogin ports 11-23 mac
enable netlogin ports 11-23 web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
# Module netTools configuration.
configure dns-client add name-server <DNS-IP> vr VR-Default
configure bootprelay add <DHCP-IP> vr VR-Default
enable bootprelay ipv4 vlan VLAN_0100
enable bootprelay ipv4 vlan VLAN_0200
A3 configuration is as follows.
# Roles
Guest
Engineer
REJECT
# Active Directory Domain
Identifier: AD
Workgroup: EXTREME
DNS Name of the Domain: extreme.co.jp
Active Directory Server: <AD/LDAP-IP>
DNS Server(s): <AD/LDAP-IP>
# Authentication Sources
Name: LDAP
Description: LDAP Server
Host: <AD/LDAP-IP>/636/SSL
Base DN: CN=Users,DC=extreme,DC=co,DC=jp
Scope: Subtree
User Name Attribute: sAMAccountName
Bind DN: CN=Administrator,CN=Users,DC=extreme,DC=co,DC=jp
Password: <Password for Administrator>
Monitor: Enable
Associated Realms: Default, Null
Authentication Rules: Engineer, Catchall
Conditions: memberOf--equals--CN=Engineer,CN=Users,DC=extreme,DC=co,DC=jp
Actions: Role--Engineer
Access duration--5days
Authentication Rules: Catchall
Actions: Role--REJECT
Access duration--5days
# Device
IP Address/MAC Address/Range (CIDR): <Management-IP>
Description: X440-G2 Switch
Type: Exreme::EXOS
Mode: Production
External Portal Enforcement: Enable
# Connection Profile
Profile Name: EXOS_Connection
EXOS_Connection: EXOS_Connection Profile
Sources: LDAP
<Topology>
[pc]-----(P12)[exos](P24)-----(P24)[exos](P1)-----[A3]
(P2)-----[AD/LDAP with DNS/DHCP]
09-06-2021 10:25 AM
Hello Yuki and/or Oscar
I'm now setting for the 1th time a Exos switch with a A3 NAC applicance, equal to the case you descript.
to short my self training periode :), can you send me a copy of the exos config and a description of the A3 config
thank you
Rien van Maurik