This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- Extreme Newbie - Question about NAC failure
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Extreme Newbie - Question about NAC failure
Extreme Newbie - Question about NAC failure
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā09-24-2016 06:39 AM
I am an Extreme newbie. My college just implemented a new Extreme Networks infrastructure - core, edge, wireless, with NAC and Netsight. I am a 20 year Cisco veteran and come from a port-based knowledge base.
NAC is completely new (and foreign) to me. I like what it can do, and I love the information I'm gleaning into my network from Netsight. However, i'm terrified of what will happen if the NAC controller goes down for any reason. My sales engineer told me that the switches could be configured to fail open so that things would continue to work in the event that NAC wasn't in the middle - authenticating every entry onto the network.
I need some pointers about where to go to configure this, and if it's possible. Right now things are working ok, but I want to put in that safeguard so that things will still continue to function (without the security of course) when the controller goes down.
I'm planning on taking training for all of the products - but my first class doesn't start until November - so I"m a little nervous in supporting this environment until I get some knowledge under my belt.
Any and all comments would be welcome.
Thank you.
Mark Allen
NAC is completely new (and foreign) to me. I like what it can do, and I love the information I'm gleaning into my network from Netsight. However, i'm terrified of what will happen if the NAC controller goes down for any reason. My sales engineer told me that the switches could be configured to fail open so that things would continue to work in the event that NAC wasn't in the middle - authenticating every entry onto the network.
I need some pointers about where to go to configure this, and if it's possible. Right now things are working ok, but I want to put in that safeguard so that things will still continue to function (without the security of course) when the controller goes down.
I'm planning on taking training for all of the products - but my first class doesn't start until November - so I"m a little nervous in supporting this environment until I get some knowledge under my belt.
Any and all comments would be welcome.
Thank you.
Mark Allen
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā09-26-2016 11:46 PM
Mark,
As Z mentioned above, you can add a redundant ExtremeControl (NAC) server to provide redundancy. This is highly recommended and does not affect your client licensing, as this will be pooled between the servers.
You can also leverage your existing RADIUS environment and add the RADIUS server(s) as a secondary or tertiary authentication source in your switch config. This will allow RADIUS to handle authentication in the event that the NAC server(s) are down, which would be a reeeeeally rare event, but a simple safety net. To that end, you'll probably want to configure VLAN containment using an Extreme VSA on the RADIUS server, so that devices are moved to the correct VLAN. You don't get full policy, but you get the devices access to the network. Generally, I'd default to a "data" VLAN for general network access and then leverage your service-specific VLAN's for easily identifiable devices, like VoIP phones. I believe the vendor-specific VSA for extended VLAN's is 211. This VSA allows you to specify which VLAN's should be tagged or untagged and you can use the 802.1q number or name. Name is particularly useful if you've standardized on a VLAN name per building/site, but have established a different tag number to segment the network. Adding a "u" before the label will add the VLAN as untagged and a "t" will add it as tagged. For example, "u201" would add VLAN 201 as untagged or "tvoice" would add VLAN "voice" as tagged to the authenticating port for that MAC address. You can use a delimiter to add multiple VLAN's to the port if needed, but generally clients are only configured for a single VLAN outside the data center.
These links on Extreme's support site may be useful.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-assign-VLAN-to-a-MAC-based-netlogin...
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...
Regards, Scott
As Z mentioned above, you can add a redundant ExtremeControl (NAC) server to provide redundancy. This is highly recommended and does not affect your client licensing, as this will be pooled between the servers.
You can also leverage your existing RADIUS environment and add the RADIUS server(s) as a secondary or tertiary authentication source in your switch config. This will allow RADIUS to handle authentication in the event that the NAC server(s) are down, which would be a reeeeeally rare event, but a simple safety net. To that end, you'll probably want to configure VLAN containment using an Extreme VSA on the RADIUS server, so that devices are moved to the correct VLAN. You don't get full policy, but you get the devices access to the network. Generally, I'd default to a "data" VLAN for general network access and then leverage your service-specific VLAN's for easily identifiable devices, like VoIP phones. I believe the vendor-specific VSA for extended VLAN's is 211. This VSA allows you to specify which VLAN's should be tagged or untagged and you can use the 802.1q number or name. Name is particularly useful if you've standardized on a VLAN name per building/site, but have established a different tag number to segment the network. Adding a "u" before the label will add the VLAN as untagged and a "t" will add it as tagged. For example, "u201" would add VLAN 201 as untagged or "tvoice" would add VLAN "voice" as tagged to the authenticating port for that MAC address. You can use a delimiter to add multiple VLAN's to the port if needed, but generally clients are only configured for a single VLAN outside the data center.
These links on Extreme's support site may be useful.
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-assign-VLAN-to-a-MAC-based-netlogin...
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...
Regards, Scott
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā09-26-2016 05:44 AM
You can configure netlogin service unavailable vlan, that will put all new users in that vlan if the service (NAC) is unavailable.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā09-26-2016 05:44 AM
As Oscar stated there is also this option = if you do not use policy. So you can choose ļ
Regards
ZdenÄk Pala
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
ā09-24-2016 11:42 AM
That would be great Z. Thank you for the information. Ryan, we are using Summit X450 switches I believe, and the Identify wifi
