10-28-2024 03:25 AM - edited 10-28-2024 03:27 AM
We have an XIQ-SE and an XIQ-C instance and would like to mix some forms of dynamic VLAN assignment. Here's what we'd like to achieve:
1. The AP should be assigned its management port in a VLAN untagged based on its MAC address.
2. The clients using EAP-TLS should be placed in a VLAN tagged according to their role in XIQ-SE.
3. The clients using WPA2-PSK should be placed in a VLAN tagged according to the XIQ-C configuration.
Here's a diagram that should illustrate what I'd like to accomplish:
Is something like this possible? How would I "dynamically" assign the VLANs for the networks in the third authentication variant?
We'd like to be able to plug in the APs like any other client, so that the port is configured using the correct VLANs, without having to manually assign them.
It's an environment with only Extreme switches, access points, NAC, WLC, etc., no other vendors.
Thanks.
11-01-2024 01:56 AM
OK I made a dumb mistake. On the XIQ-C in the Auth Role I had the Default Action to deny. Now after setting it to allow it works.
There was also no need to create a rule for the PSK network on XIQ-SE. I've only configured the role with the Access Control mode set to Contain to VLAN with the VLAN being the untagged VLAN of my AP and on the VLAN Egress tab the VLANs that should be tagged and untagged.
So basically just this:
Then I create the rule to authenticate the AP via MAC and it works. The switches are EXOS and after authenticating via MAC I can see that the switch automatically tags the Client VLAN and untags the AP VLAN.
11-03-2024 04:27 PM
A key point that you have set here is that you have "AP Aware" enabled. This is required for Access Points or else there can be performance impacts on the network.
AP Aware makes it so if the switch port sees an AP Aware policy it won't attempt to authenticate any MAC addresses other than the Access Points on the port.
If AP Aware is not enabled you can start to see Switch ports authenticating Wireless Devices. Control is not designed to handle client authentications if they come from the wired switch port and the wireless AP at the same time. It can have negative impacts.
Always make sure AP aware is enabled for any policies that are configured for APs.
Policy uses "AP Aware"
Fabric Engine uses "MHSA" (Multi-host single authentication)
Thanks
-Ryan
10-28-2024 05:54 AM
Hello,
This is a common configuration for clients who have an Extreme Control appliance.
1. The switch will need to have authentication enabled with a policy that will only authenticate the AP and not the underlying Wireless Clients.
In Extreme Control you would need to set up a policy with "AP aware" enabled, or set MHSA (Multi-host single authentication) for Fabric Engine. This policy would be applied to the AP when it's plugged in and will contain the VLAN schema for untagged management and tagged VLANs for client connectivity.
2. In Extreme Control/XIQ-C you create rules that have location-based components, so the SSID for 802.1x could have rules for Active Directory criteria, or just a location criteria (SSID Name) that provides a specific policy that has the VLAN assignment desired.
3. In Extreme Control/XIQ-C you create rules that have location-based components, so the SSID that has WPA2-PSK can have a location criteria (The SSID name) that sets a different policy that has a different VLAN assignment.
https://extreme-networks.my.site.com/ExtrArticleDetail?an=000081747
Thanks
-Ryan
10-28-2024 07:44 AM
Hi Ryan,
Thank you for your reply. So just to get it right, I would create three roles for each VLAN variation and set the AP aware feature to enabled for each of the roles.
Then I'd create the three rules that check the different conditions (MAC, EAP-TLS AD membership, SSID name), with the associated profiles, roles and policy mappings, and that should be it, right?
Thanks.