
Dedicated Guest NAC (IA-V) for GIM/guest: Add switch to more than two NAC Engines

htw
New Contributor III
Hi,
we want to deploy a 802.1x wifi and a guest network on APs which are controlled by an ECA HA pair.
Two NACs will handle 802.1x authentication for 802.1x wifi. In "NAC Manager" we have an appliance group with those two NACs, and in the "switches" tab both ECAs are configured as a Switch with both NACs as primary and secondary engine, and the ECAs are using a RADIUS passthrough rule. As a result, authentication requests from those ECAs are processed by both NACs. This works so far.

Now we want to deploy a GIM guest network with an external captive portal (from the ECAs' point of view) on a third, dedicated NAC (Guest-NAC). Since guest users will have to communicate with this NAC (to see the login portal), this NAC needs a second user registration interface with an IP address reachable from the user networks.

ExtremeCloud Appliance Deployment Guide, Section "Deploying XMC as External Captive Portal" describes the use of a NAC as portal provider. There you have to add the switch (our ECAs) to the Guest-NAC. But if I do this, the ECAs will be removed from the 802.1x appliance group?

Can't I add a switch (ECA) to more than two NAC-Engines?
1 ACCEPTED SOLUTION

Rodney_Lacroix
Extreme Employee
If your goal is to simply SEE the end systems authenticating in XMC but use the XCAs captive portal then you'd simply have to add the XCA as a switch to the engine, create a location-based rule for end systems coming from that location (the XCA and/or SSID of the network(s)) that uses a profile that does NOT replace the policy attributes, and point to the engine as the RADIUS server for the XCA network in the XCA AAA configuration. Create a "dummy" policy in XCA that will be "assigned" to those end systems (at least from an XCA point of view). Again, the profile used in XCA should be set to use that policy and the checkbox for "Replace RADIUS attributes" on the profile should be disabled.

Set the default policy for the XCA network to Unregistered.

The end systems will authenticate to the engine, show up in the End Systems table of XMC, and should continue through the authorization/reauthentication processes on XCA. However, just keep in mind that in doing this, XMC/NAC will not provide policy or any other authentication processes to the XCA end systems.

5 REPLIES

Rodney_Lacroix
Extreme Employee
You can have switches on up to six gateways (I believe). The restriction of switches-to-gateways is having the switch added to a NAC that is in a different engine group.

What I think you will need to do, in this instance, is simply use pass through (as you are now) but include a location-based rule on your XMC config that states "if coming from guest portal XCA/from guest SSID then use this profile (which includes a portal configuration)."

This can be done using a location-based portal config (using NAC manager; location-based portal configs should be coming in a future 8.x XMC release) to auto-create the rules you'll need.

You don't need to add a third NAC engine for this. Seems like overkill unless you are planning a massive deployment of clients.