09-05-2024 09:03 AM - edited 09-05-2024 09:04 AM
Hi,
I am trying to configure a policy for a group of users in the Access Control Engine but the actual policy that is being deployed to the switch does not correspond with what I am looking to achieve. Below you can see the exact policy.
configure policy profile 6 name "Enterprise Access" pvid-status "enable" pvid 4095 cos-status "enable" cos 3 untagged-vlans 2005
The behaviour that I am aiming for is that all users who are assigned to the Enterprise Access role based are assigned to VLAN 2005 (meaning that the port they are connected to is configured as untagged for VLAN 2005). The uplinks are manually configured with all the VLANs that could potentially be used in the switch. The configuration relevant to this is as follows:
What am I missing? The device connecting authenticates properly and appears in the end-system tab confirming that it is assigned to Enterprise access. However, it does not have connectivity and does not receive an IP address. By manually forcing the policy in the switch to use the PVID 2005:
configure policy profile 6 name "Enterprise Access" pvid-status "enable" pvid 2005 cos-status "enable" cos 3 untagged-vlans 2005
Then, it behaves as expected. What am I missing? Are any of the configurations I have followed redundant/unnecessary and is there anything that I may have overlooked?
I would also be grateful if you could provide more guidance on Policy VLAN Islands. The concept is clear to me yet I cannot wrap my head around how to configure them or the inner workings.
Thanks for your help,
Gerard
09-05-2024 10:45 AM
Hi @gerivives
You are probably just missing this setting here:
I guess it is set to "permit traffic", change it to "contain to VLAN" and choose VLAN2005 from the dropdown.
By the way, if you only want to do VLAN assignment without any specific roles/rules/services, you can simply rely on RFC3580 without the use of policies. Policy assignment is done via Policy Mappings in NAC. Make sure to change the RADIUS attributes of the switch to "RFC 3580 - VLAN ID & Extreme Policy" to be able to use both RFC3580 and Policies. "configure maptable response both" also needs to be configured on the switch.
Best regards
Stefan
09-06-2024 05:54 AM
I would agree. The "VLAN Egress" tab is meant to allow configuration of VLANs on egress, but not for PVID.
"Contain to VLAN" should set pvid and egress of untagged.
Thanks
-Ryan
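The two replies above point at the same root cause: a policy profile whose untagged egress VLAN is set but whose PVID does not match it (pvid 4095 alongside untagged-vlans 2005). The following is an added example, not code from the thread or from Extreme, that parses lines in the "configure policy profile" format quoted in the question and flags exactly that mismatch so it can be caught in a config review before a role is rolled out; the sample config lines and the finding codes are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample config lines (not from the thread) in the same
# "configure policy profile ..." format the question quotes. Profile 6
# reproduces the reported symptom: untagged egress on VLAN 2005, PVID 4095.
SAMPLE_CONFIG = """
configure policy profile 6 name "Enterprise Access" pvid-status "enable" pvid 4095 cos-status "enable" cos 3 untagged-vlans 2005
configure policy profile 7 name "Guest" pvid-status "enable" pvid 2010 cos-status "enable" cos 1 untagged-vlans 2010
configure policy profile 8 name "Printers" pvid-status "disable" untagged-vlans 2020
"""

# A token is either a double-quoted string (names may contain spaces) or a
# run of non-whitespace characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

def parse_profile(line: str) -> Optional[Tuple[int, Dict[str, str]]]:
    """Return (profile index, {keyword: value}) for one policy-profile line, else None."""
    tokens = TOKEN_RE.findall(line.strip())
    if len(tokens) < 4 or tokens[:3] != ["configure", "policy", "profile"]:
        return None
    rest = tokens[4:]  # keyword/value pairs after the profile index
    attrs = {k: v.strip('"') for k, v in zip(rest[0::2], rest[1::2])}
    return int(tokens[3]), attrs

def audit_profile(index: int, attrs: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Flag a profile whose PVID does not line up with its untagged egress VLAN."""
    findings: List[Tuple[int, str, str]] = []
    name = attrs.get("name", "?")
    untagged = attrs.get("untagged-vlans")
    pvid = attrs.get("pvid")
    if untagged is None:
        return findings  # no untagged egress configured, nothing to compare
    if attrs.get("pvid-status") != "enable":
        findings.append((index, "PVID_NOT_ENFORCED",
                         f'"{name}": untagged egress on VLAN {untagged} but pvid-status is not enabled'))
    elif pvid != untagged:
        findings.append((index, "PVID_MISMATCH",
                         f'"{name}": pvid {pvid} but untagged egress on VLAN {untagged}'))
    return findings

def audit_config(text: str) -> List[Tuple[int, str, str]]:
    """Run audit_profile over every policy-profile line in a config dump."""
    findings: List[Tuple[int, str, str]] = []
    for line in text.splitlines():
        parsed = parse_profile(line)
        if parsed:
            findings.extend(audit_profile(*parsed))
    return findings

if __name__ == "__main__":
    for index, code, detail in audit_config(SAMPLE_CONFIG):
        print(f"profile {index}: {code}: {detail}")
```

Profile 6 is reported as PVID_MISMATCH, which is the state the question's first policy line was in; profile 7, where pvid and untagged-vlans agree, produces no finding.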