4 weeks ago - last edited 4 weeks ago
We have an XIQ-SE and an XIQ-C instance and would like to mix some forms of dynamic VLAN assignment. Here's what we'd like to achieve:
1. The AP should be assigned its management port in a VLAN untagged based on its MAC address.
2. The clients using EAP-TLS should be placed in a VLAN tagged according to their role in XIQ-SE.
3. The clients using WPA2-PSK should be placed in a VLAN tagged according to the XIQ-C configuration.
Here's a diagram that should illustrate what I'd like to accomplish:
Is something like this possible? How would I "dynamically" assign the VLANs for the networks in the third authentication variant?
We'd like to be able to plug in the APs like any other client, so that the port is configured using the correct VLANs, without having to manually assign them.
It's an environment with only extreme switches, access points, NAC, WLC, etc., no other vendors.
Thanks.
3 weeks ago
OK I made a dumb mistake. On the XIQ-C in the Auth Role I had the Default Action to deny. Now after setting it to allow it works.
There was also no need to create a rule for the PSK network on XIQ-SE. I've only configured the role with the Access Control mode set to Contain to VLAN, with the VLAN being the untagged VLAN of my AP, and on the VLAN Egress tab the VLANs that should be tagged and untagged.
So basically just this:
Then I create the rule to authenticate the AP via MAC and it works. The switches are EXOS and after authenticating via MAC I can see that the switch automatically tags the Client VLAN and untags the AP VLAN.
3 weeks ago
No, you'd create a rule and role for APs with AP aware/MHSA enabled (you have to create a custom thing to send Extreme-Dynamic-MHSA for VOSS/Fabric Engine). For the clients you just send the appropriate profile/role/policy mapping and the AP places it in the appropriate VLAN. I.e. you don't authenticate the clients on the switch, only at the AP, because the switch doesn't know anything about the client's use of EAP-TLS or PSK on wifi.
3 weeks ago - last edited 3 weeks ago
Hi James
Thank you for your reply. I still haven't figured out how to get it to work.
These are the steps that I have applied:
1. Created a role with the AP aware function active and VLAN egress with the VLANs that should be allowed implicitly:
2. VLAN
The VLANs have only the Names and VIDs configured. None of the other options.
3. End-System Group
My EndPoint System Group looks like this:
4. My Access Control Profile looks like this:
5. My Policy Mapping looks like this:
6. And finally my rule looks like this:
I've tried to set the Default Action of the Access Control to "permit traffic", but then the AP is placed in the default VLAN and not the VLAN that I set as Untagged in the Egress VLAN list.
Do you have an idea what I might have done wrong?
Edit: And my access switches are all EXOS, so no VOSS/Fabric Engine that I could configure.
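The thread's end state (the switch authenticates only the AP by MAC and applies that role's egress VLANs to the port; wireless clients are authenticated at the AP/controller and land in the VLAN of their own role; a controller role whose Default Action is deny drops the client even when the VLAN plumbing is right) is modelled below as an added example. It is not code from the original post or from Extreme Networks; the role names, MAC address and VLAN IDs are constructed, and the model is deliberately vendor-neutral.

```python
"""Constructed model of the AP-aware port flow discussed in the thread.

The switch performs MAC authentication for the AP only and derives the
port's untagged/tagged VLAN membership from the AP role's egress list.
Wireless clients are authenticated at the AP/controller; their role
chooses the tagged VLAN, and the role's Default Action decides whether
traffic is forwarded at all. All identifiers below are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SwitchRole:
    name: str
    contain_to_vlan: int          # "Contain to VLAN": untagged VLAN for the AP
    egress_tagged: tuple          # client VLANs the port must carry tagged


@dataclass(frozen=True)
class ControllerRole:
    name: str
    vlan: int                     # tagged VLAN the AP places the client in
    default_action: str           # "allow" or "deny" (the pitfall in the thread)


# Constructed NAC rule table: normalised AP MAC -> switch role.
AP_MAC_RULES = {
    "00-11-22-33-44-55": SwitchRole("AP-Role", contain_to_vlan=10, egress_tagged=(20, 30)),
}


def normalise_mac(mac: str) -> str:
    """Accept 00:11:..., 00-11-... or 001122334455 and return dashed lowercase."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def apply_mac_auth(mac: str):
    """Port VLAN membership the switch applies after the AP authenticates by MAC.

    Returns None for an unknown MAC: the port stays in its unauthenticated state.
    """
    role = AP_MAC_RULES.get(normalise_mac(mac))
    if role is None:
        return None
    return {
        "role": role.name,
        "untagged": role.contain_to_vlan,
        "tagged": sorted(role.egress_tagged),
    }


def place_wireless_client(port_cfg, role: ControllerRole):
    """Decide where a client authenticated at the AP ends up.

    The switch never sees the client's EAP-TLS/PSK authentication; it only has
    to carry the client VLAN tagged on the AP port. The controller role's
    Default Action must be allow, otherwise the client is dropped at the AP.
    """
    if port_cfg is None:
        return {"status": "dropped", "reason": "AP port not authenticated"}
    if role.vlan not in port_cfg["tagged"]:
        return {"status": "dropped",
                "reason": f"VLAN {role.vlan} is not tagged on the AP port"}
    if role.default_action != "allow":
        return {"status": "dropped",
                "reason": f"role {role.name} Default Action is {role.default_action}"}
    return {"status": "forwarded", "vlan": role.vlan}


def check_deployment(ap_mac: str, client_roles):
    """Return a list of human-readable problems, empty when everything lines up."""
    port_cfg = apply_mac_auth(ap_mac)
    problems = []
    if port_cfg is None:
        problems.append(f"no MAC rule matches AP {normalise_mac(ap_mac)}")
    for role in client_roles:
        outcome = place_wireless_client(port_cfg, role)
        if outcome["status"] != "forwarded":
            problems.append(f"{role.name}: {outcome['reason']}")
    return problems


if __name__ == "__main__":
    roles = [
        ControllerRole("PSK-Guest", vlan=30, default_action="deny"),   # the original mistake
        ControllerRole("EAP-TLS-Staff", vlan=20, default_action="allow"),
    ]
    for problem in check_deployment("00:11:22:33:44:55", roles):
        print("problem:", problem)
```

`check_deployment` is the part worth keeping around: run it with the roles you intend to hand out and it names the mismatch (a client VLAN missing from the AP role's egress list, or a controller role that still denies by default) before anyone has to stare at a port that only ever lands in the default VLAN.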