Extreme Networks

michael_klaus · ‎10-12-2020

Dear All

I’m trying to enable Extreme NAC for Cisco switches. It works fine for Clients on Access Ports. For Accesspoints (local breakout), I’m trying to get a trunk interface with management vlan untagged and data VLANs tagged.

For XOS Switches, I would create a Role with the needed VLAN Egress config

7d16bbce7e6e4a37bc17f3f4a9fafce5_baf9f1ab-f283-4dde-bbfe-0019261c6d41.png

But I cant enforce this role configuration to Cisco switches

7d16bbce7e6e4a37bc17f3f4a9fafce5_9af595de-2eeb-4924-8fc2-c8720cc4c3d6.png

How can I achieve that for Cisco switches with Extreme NAC?

michael_klaus · ‎10-15-2020

Hi Miguel

Yes sure, I can share my cisco config. In the meantime, I tested NEAT as well and it seems to be easier than using macro.

Macro

conf t no macro auto global control device no macro auto global control trigger macro auto global processing

macro auto execute AP_TRUNK { if [[ $LINKUP == YES ]] then conf t default interface $INTERFACE interface $INTERFACE Description AP_TRUNK macro description $TRIGGER switchport trunk allowed vlan ##VLAN-LIST## switchport trunk native vlan ##VLAN## switchport mode trunk spanning-tree portfast trunk macro auto processing exit fi if [[ $LINKUP == NO ]] then conf t default interface $INTERFACE interface $INTERFACE description NAC no switchport trunk allowed vlan no switchport trunk native vlan switchport mode access macro auto processing authentication control-direction in authentication event server dead action authorize authentication event server dead action authorize voice authentication event server alive action reinitialize authentication host-mode multi-host authentication order mab dot1x authentication priority dot1x mab authentication port-control auto authentication periodic authentication timer reauthenticate server authentication violation restrict mab snmp trap mac-notification change added snmp trap mac-notification change removed dot1x pae authenticator dot1x timeout tx-period 10 no macro description $TRIGGER exit fi }

int range ##INTERFACE-RANGE## macro auto processing

Radius Attribute: Cisco-AVPair=auto-smart-port=AP_TRUNK

NEAT

cisp enable ! template AP_TRUNK switchport trunk encapsulation dot1q switchport trunk native vlan 100 switchport mode trunk

Radius Attribute: Cisco-AVPair=interface-template-name=AP_TRUNK

Comparison Smart Port vs. Macro:

0f95b5ae2c094a4f8db483d2ed89fb8d_2a0edad3-e719-44a8-bb7a-96a6bc9623b9.png

best regards
Michael

View solution in original post

StephanH · ‎12-16-2020

Hello Michael,

unfortunately i didn't have time to look at it up to now.

Regards Stephan

michael_klaus · ‎12-16-2020

HI Stephan

Have you done a test with the new-style? What is your conclusion?

michael_klaus · ‎11-09-2020

Hi Stephan

If the following command exists it should support new-style. Mine is still in the legacy mode

SW#authentication display config-mode
Current configuration mode is legacy

I don’t now which firmware starts supporting new-style. My Test Switch WS-C2960CX-8PC-L with 15.2(4)E6 supports new style.

If you do the following, the switch asks you to convert to the new-style.

ITBZC099(config)#template test
ITBZC099(config-template)#access-session host-mode multi-host
This operation will permanently convert all relevant authentication commands to their CPL control-policy equivalents. As this conversion is irreversible and will disable the conversion CLI 'authentication display [legacy|new-style]', you are strongly advised to back up your current configuration before proceeding.
Do you wish to continue? [yes]:

StephanH · ‎11-09-2020

Hello Klaus,

do you know what switch types support the new-style? Maybe I have one for a test.

Regards Stephan

Extreme Networks

Cisco Trunk Interface with Extreme NAC

Cisco Trunk Interface with Extreme NAC

Macro

NEAT