Extreme Newbie - Question about NAC failure

Mark_Allen
New Contributor
I am an Extreme newbie. My college just implemented a new Extreme Networks infrastructure - core, edge, wireless, with NAC and Netsight. I am a 20-year Cisco veteran and come from a port-based knowledge base.

NAC is completely new (and foreign) to me. I like what it can do, and I love the information I'm gleaning about my network from Netsight. However, I'm terrified of what will happen if the NAC controller goes down for any reason. My sales engineer told me that the switches could be configured to fail open so that things would continue to work in the event that NAC wasn't in the middle authenticating every entry onto the network.

I need some pointers about where to go to configure this, and whether it's possible. Right now things are working OK, but I want to put in that safeguard so that things will still continue to function (without the security, of course) when the controller goes down.

I'm planning on taking training for all of the products, but my first class doesn't start until November, so I'm a little nervous about supporting this environment until I get some knowledge under my belt.

Any and all comments would be welcome.

Thank you.

Mark Allen

7 REPLIES

This is the config I use in my lab. See ports 1-5 => authentication is optional.
If the RADIUS server is not responding or sends a reject, then the port config is used.
If you do not want to allow access, then you need to send an accept with a specific policy profile 🙂

Image : ExtremeXOS version 21.1.1.4 21.1.1.4-patch1-5 by release-manager on Thu Jun 16 14:19:33 EDT 2016
BootROM : 1.0.2.1
Diagnostics : 5.4

Core-Lab-Network.5 # sh config policy
#
# Module policy configuration.
#
enable policy
configure netlogin port 1 authentication mode optional
configure netlogin port 2 authentication mode optional
configure netlogin port 3 authentication mode optional
configure netlogin port 4 authentication mode optional
configure netlogin port 5 authentication mode optional
configure policy profile 1 name "DMZ" pvid-status "enable" pvid 3530
configure policy profile 2 name "MailServer" pvid-status "enable" pvid 3530 cos-status "enable" cos 1
configure policy profile 3 name "WebServer" pvid-status "enable" pvid 3530
configure policy profile 4 name "AD" pvid-status "enable" pvid 3530 cos-status "enable" cos 3
configure policy profile 5 name "Deny Access" pvid-status "enable" pvid 3530
configure policy profile 7 name "VDI" pvid-status "enable" pvid 3530 egress-vlans 3530
configure policy profile 8 name "DCMDemokit" pvid-status "enable" pvid 3540 egress-vlans 3540
configure policy rule 1 udpsourceportIP 67 mask 16 drop
configure policy rule 1 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 1 ipproto 1 mask 8 drop
configure policy rule 2 udpsourceportIP 67 mask 16 drop
configure policy rule 2 tcpsourceportIP 80 mask 16 drop
configure policy rule 2 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 3 udpsourceportIP 67 mask 16 drop
configure policy rule 3 tcpsourceportIP 3389 mask 16 cos 4
configure policy rule 5 ipproto 1 mask 8 drop
configure policy rule 5 ipproto 6 mask 8 drop
configure policy rule 5 ipproto 17 mask 8 drop
Core-Lab-Network.5 # sh config netlogin
#
# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "ckr'ptplsa"
enable netlogin ports 1-6 mac
configure netlogin mac ports 1 timers reauthentication on
configure netlogin mac ports 2 timers reauthentication on
configure netlogin mac ports 3 timers reauthentication on
configure netlogin mac ports 4 timers reauthentication on
configure netlogin mac ports 5 timers reauthentication on
configure netlogin mac ports 6 timers reauthentication on
Core-Lab-Network.6 # sh config aaa
#
# Module aaa configuration.
#
configure radius netlogin 1 server 192.168.10.31 1812 client-ip 192.168.10.1 vr VR-Default
configure radius 1 shared-secret encrypted "#$KWL/jjCjiUsl/KlkJtR1Ag6ENmJDzLlN5CccJ4zm"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
Regards Zdeněk Pala

Schmotter__Ryan
Extreme Employee
Mark,
Which models of Extreme switches are you using?

Zdeněk_Pala
Extreme Employee
Hi Mark. Welcome to the Extreme family. I am sure you will like it. You can have more than one NAC gateway (access control engine), so if one is not available the next will handle the request. All of those engines can be in active-active mode. If there is no engine (RADIUS server) available, you can still define the behavior: the config of the port will apply. You need to define the netlogin mode as "optional" and you need to configure the port with the settings you would like to apply without RADIUS available. I can share some config examples with you later. Regards. Z.
Regards Zdeněk Pala
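Both replies above make the same point: with `authentication mode optional` the static port config takes over when the NAC engine (RADIUS server) stops answering, and without it the port stays closed. The script below is an added example, not code from this thread or from Extreme Networks. It parses the command lines that appear in `sh config netlogin` / `sh config aaa` style output and reports, per netlogin port, whether a RADIUS outage leaves that port usable. The embedded sample config is constructed for the demo (documentation addresses, port 6 deliberately left without `optional`), and the 10-second timeout threshold is an arbitrary value chosen for illustration.

```python
"""Audit ExtremeXOS-style netlogin/RADIUS config for fail-open behaviour.

Added example, not part of the forum thread. Parses 'configure netlogin',
'enable netlogin ports' and 'configure radius' lines and classifies each
netlogin-enabled port as 'fail-open' (authentication mode optional, so the
static port config applies when RADIUS is unreachable) or 'fail-closed'.
"""
import re

# Constructed sample, loosely modelled on the lab config quoted in the thread.
# Port 6 has netlogin enabled but no 'optional' mode on purpose.
SAMPLE_CONFIG = """\
# Module policy configuration.
enable policy
configure netlogin port 1 authentication mode optional
configure netlogin port 2 authentication mode optional
configure netlogin port 3 authentication mode optional
configure netlogin port 4 authentication mode optional
configure netlogin port 5 authentication mode optional
# Module netLogin configuration.
enable netlogin dot1x mac
enable netlogin ports 1-6 mac
# Module aaa configuration.
configure radius netlogin 1 server 192.0.2.31 1812 client-ip 192.0.2.1 vr VR-Default
enable radius
enable radius netlogin
configure radius timeout 15
"""

_PORT_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")

# Demo threshold: warn when every RADIUS attempt waits longer than this
# before the switch falls back to the port config (assumption, not a vendor value).
TIMEOUT_WARN_SECONDS = 10


def expand_ports(spec):
    """Expand an EXOS port list such as '1-3,5' into a sorted list of ints."""
    ports = set()
    for item in spec.split(","):
        m = _PORT_ITEM.match(item.strip())
        if not m:
            raise ValueError(f"unsupported port spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def parse_config(text):
    """Collect the netlogin/RADIUS facts needed for the fail-open audit."""
    cfg = {
        "netlogin_ports": set(),       # ports where netlogin is enabled
        "optional_ports": set(),       # ports with authentication mode optional
        "radius_servers": [],          # (ip, port) tuples for netlogin RADIUS
        "radius_timeout": None,        # seconds per RADIUS attempt
        "radius_netlogin_enabled": False,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no config
        m = re.match(r"enable netlogin ports (\S+)", line)
        if m:
            cfg["netlogin_ports"].update(expand_ports(m.group(1)))
            continue
        m = re.match(r"configure netlogin port (\S+) authentication mode (\w+)", line)
        if m and m.group(2) == "optional":
            cfg["optional_ports"].update(expand_ports(m.group(1)))
            continue
        m = re.match(r"configure radius netlogin \d+ server (\S+) (\d+)", line)
        if m:
            cfg["radius_servers"].append((m.group(1), int(m.group(2))))
            continue
        m = re.match(r"configure radius timeout (\d+)", line)
        if m:
            cfg["radius_timeout"] = int(m.group(1))
            continue
        if line == "enable radius netlogin":
            cfg["radius_netlogin_enabled"] = True
    return cfg


def audit(cfg):
    """Return each netlogin port's outcome during a RADIUS outage plus warnings."""
    ports = {
        p: ("fail-open" if p in cfg["optional_ports"] else "fail-closed")
        for p in sorted(cfg["netlogin_ports"])
    }
    warnings = []
    if not cfg["radius_servers"]:
        warnings.append("no RADIUS server configured for netlogin")
    elif len(cfg["radius_servers"]) < 2:
        warnings.append("single RADIUS server: no NAC engine redundancy")
    t = cfg["radius_timeout"]
    if t is not None and t > TIMEOUT_WARN_SECONDS:
        warnings.append(f"radius timeout {t}s delays fallback to the port config")
    closed = [p for p, state in ports.items() if state == "fail-closed"]
    if closed:
        warnings.append(f"ports {closed} lose connectivity when RADIUS is unreachable")
    return {"ports": ports, "warnings": warnings}


if __name__ == "__main__":
    result = audit(parse_config(SAMPLE_CONFIG))
    for port, state in result["ports"].items():
        print(f"port {port}: {state}")
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run it against a saved `sh config` capture instead of `SAMPLE_CONFIG` to see which ports the sales engineer's "fail open" promise actually covers. Note the second half of the thread's point: in optional mode a RADIUS reject also falls back to the port config, so a port that must stay blocked needs an accept carrying a deny policy profile rather than a reject; the audit only classifies the outage case.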