This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Cisco Trunk Interface with Extreme NAC

Cisco Trunk Interface with Extreme NAC

Go to solution
michael_klaus
New Contributor III

‎10-12-2020 07:33 AM

Dear All

 

I’m trying to enable Extreme NAC for Cisco switches. It works fine for Clients on Access Ports. For Accesspoints (local breakout), I’m trying to get a trunk interface with management vlan untagged and data VLANs tagged.

For XOS Switches, I would create a Role with the needed VLAN Egress config

7d16bbce7e6e4a37bc17f3f4a9fafce5_baf9f1ab-f283-4dde-bbfe-0019261c6d41.png

 

But I cant enforce this role configuration to Cisco switches 

7d16bbce7e6e4a37bc17f3f4a9fafce5_9af595de-2eeb-4924-8fc2-c8720cc4c3d6.png

 

How can I achieve that for Cisco switches with Extreme NAC? 

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
michael_klaus
New Contributor III

‎10-15-2020 11:53 AM

Hi Miguel

 

Yes sure, I can share my cisco config. In the meantime, I tested NEAT as well and it seems to be easier than using macro.

 

Macro

conf t 

no macro auto global control device

no macro auto global control trigger

macro auto global processing


macro auto execute AP_TRUNK  {

if [[ $LINKUP == YES ]]

then conf t

default interface $INTERFACE

interface $INTERFACE

Description AP_TRUNK

macro description $TRIGGER

switchport trunk allowed vlan ##VLAN-LIST##

switchport trunk native vlan ##VLAN##

switchport mode trunk

spanning-tree portfast trunk

macro auto processing

exit

fi

if [[ $LINKUP == NO ]]

then conf t

default interface $INTERFACE

interface $INTERFACE

description NAC

no switchport trunk allowed vlan

no switchport trunk native vlan

switchport mode access

macro auto processing

authentication control-direction in

authentication event server dead action authorize 

authentication event server dead action authorize voice

authentication event server alive action reinitialize 

authentication host-mode multi-host

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

authentication violation restrict

mab

snmp trap mac-notification change added

snmp trap mac-notification change removed

dot1x pae authenticator

dot1x timeout tx-period 10

no macro description $TRIGGER

exit

fi

}

int range ##INTERFACE-RANGE##

macro auto processing 

Radius Attribute: Cisco-AVPair=auto-smart-port=AP_TRUNK

 

NEAT

cisp enable

!

template AP_TRUNK

switchport trunk encapsulation dot1q

switchport trunk native vlan 100

switchport mode trunk

Radius Attribute: Cisco-AVPair=interface-template-name=AP_TRUNK

 

Comparison Smart Port vs. Macro:

0f95b5ae2c094a4f8db483d2ed89fb8d_2a0edad3-e719-44a8-bb7a-96a6bc9623b9.png

 

best regards
Michael

View solution in original post

0 Kudos
24 REPLIES 24

Go to solution
michael_klaus
New Contributor III

‎10-15-2020 06:21 AM

Yes exactly, I use the radius attribute “uto-smart-port=event-trigger” if the mac address is in my Accesspoint End System group.

 

best regards

Michael

0 Kudos

Go to solution
StephanH
Valued Contributor III

‎10-15-2020 04:48 AM

Hello Michael,

 

nice to hear that you have found a solution. 

Do you tigger the macro with the radius attribute “auto-smart-port=event-trigger from NAC, if a appropriate device is authenticated on the access port?
Or how do you enable a macro on the specific port?

 

Best regards

Stephan Harrer

 

 

Regards Stephan
0 Kudos

Go to solution
michael_klaus
New Contributor III

‎10-15-2020 04:15 AM

I solved it with macros because NEATis not available on all switches. 

Many thanks for your help.

 

best regards

Michael

 

0 Kudos

Go to solution
StephanH
Valued Contributor III

‎10-13-2020 01:47 PM

Hello Stefan,

I did a quick web search, too. Here is another description regarding NEAT and templates:

https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-gu...

There are some hints in the net about disadvantages concerning the port configuration with NEAT.

for example here: https://community.cisco.com/t5/network-access-control/flexconnect-ap-ise-and-neat/td-p/3302383

It seems that Cisco still has problems to implement a function like "AP Aware" from Extreme.

 

Best regards

Stephan

Regards Stephan
0 Kudos

Go to solution
StephanH
Valued Contributor III

‎10-13-2020 01:35 PM

Hello Stefan,

I have searched my knowledge base again. 
Maybe a interface template is a good workaround.

 

https://community.cisco.com/t5/security-documents/neat-with-interface-template/ta-p/3642967

 

Regards

Stephan

 

 

 

Regards Stephan
0 Kudos
GTM-P2G8KFN