Extreme Networks

LeoP1 · ‎09-13-2021

Hi Guys,

I'm working on a customer deployment and got some issues using ExtremeControl and XCC (5.36.03).

If I send RFC3580 Vlan Attributes to XCC from the Control, the 802.1x session from the client can't authenticate, even with the VLAN created under Policy > Vlans and the same vlan associated to the Device Group's Profile.

Taking the "Guest Access" role as example, it is configured on the XCC to use the "Default Network VLAN" (as it is in sync with the policy domain, applied to the wired infrastructure too). I've created the VLAN 40 and marked as Bridge@AP Tagged and associated it with the Device Group's Profile (https://extremeportal.force.com/ExtrArticleDetail?an=000094691),

If I send only the FilterID 'policy=Guest Access' the client, the client get's authenticated, but still on the default WLAN VLAN (120). If I send the VTA attributes as follows, the same client can't authenticate:

Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Login-LAT-Port=%LOGIN_LAT_PORT%
Service-Type=%MGMT_SERV_TYPE%
Tunnel-Private-Group-Id=%VLAN_ID%:%VLAN_TUNNEL_TAG%
Tunnel-Type=13:%VLAN_TUNNEL_TAG%
Tunnel-Medium-Type=6:%VLAN_TUNNEL_TAG%

The policy mapping is done on the Control for the dynamic vlan I want to apply.

Any ideas?

LeoP1 · ‎09-17-2021

Hi PeterK,

I've just posted the config where I got issues… In summary: B@AC works perfectly, B@AP don't work. Below follows more info...

As far as I discovered, the Dynamic VLAN assignment works without a "Role-to-VLAN pair" static creation on XCC, using RADIUS VLAN attributes, on B@AC topologies, but is not working o B@AP or FabricAttach topologies, even with the association of the VLANs to the Device Group's profile.

Creating the "Role-to-VLAN pairs" is not an option, as the customer is using a single Policy Domain for Wired and Wireless, and this solutions "would not fit" on the environment. Using B@AC solution is not an option as well.

Best regards,

-Leo

View solution in original post

Ovais_Qayyum · ‎09-13-2021

Leo,

How is your AAA configured on the XCC? You can either integrate with radius server/NAC directly without engaging the onboard XCC NAC OR go through the NAC radius client in XCC. If you have configured the AAA under Onboard > AAA it would engage the onboard NAC and there is additional configuration required to make either RFC3580 or RFC3576 work without which the CoA won’t work. Though, this method is no more recommended for NAC integration.

The XCC now supports direct integration with Radius/NAC when the AAA policy is created under Configuration > AAA Policy.

Also make sure the time on the NAC and XCC is in sync, I have seen it way too many times and it causes all sorts of authentication issues.

Regards,

Ovais

Miguel-Angel_RO · ‎09-13-2021

Leo,

The integration of XCC with Control requires a lot of steps.

Did you double checked the deployment guide?

d7ca3e79f37145389f074199eb2779bf_681a66c0-90bf-4160-aa8e-ad53de293a01.png

Mig

LeoP1 · ‎09-13-2021

Hi Mig,

I've tried this config, but no luck…

I see the device authenticated on Control, and the RADIUS attributes are sent, but it seems that XCC is not working as expected.

Best regards,

-Leo

Miguel-Angel_RO · ‎09-13-2021

Hi Leo,

For the re-authentication, I send the following: “RFC 3576 - Extreme IdentiFi Wireless”:

acf2e1e3d20147099766801b6608dd57_69a8e353-8b38-44c9-9439-c2dd58a5dc43.png

Mig

Extreme Networks

XCC Dynamic VLAN Assignment

XCC Dynamic VLAN Assignment