4 weeks ago
Hello Community,
Apologies if this question is in the wrong section.
We are using XMC-SE and NAC control in our environment. We are currently testing User and Machine Authentication via certificates. The User and Machine are domain joined and can authenticate as expected.
However, I am finding I cannot authenticate an end user device when I log in with a local administrator account. This makes sense as the settings are set up to use domain joined authentication.
My question is, can local administrator accounts on end user devices somehow be authenticated to give network access? When I login with the local administrator account, the network drops off after a short time. In XMC I can see for the local administrator account the message "Rejected NTLM Authentication".
Many thanks,
3 weeks ago
Hello,
If you follow the guide I provided above, but instead of an "LDAP User Group" use a "Username" user group, and define the users you want to log in.
2 weeks ago
@Ryan_Yacobucci I have created the local user as per instructions please see below.
I have created a new AAA Rule for this and placed this at the top of the list - please see below.
I have created a new Rule for this as described - see below.
Profile is below.
Then the Reject Rule - this is what I am unsure about. I have set this to Reject Authentication Requests - see below.
In total, it looks like this - see below.
I believe this is all that is needed from the AAA and Rule side. Please correct me if I am wrong.
If all the above is correct, the next step is to configure the switch in the NAC Engine to accept Any Access? Will this then accept RADIUS and the new AAA/Rule created above? The new Rule is not enabled at the moment as I have not completed the NAC side yet.
Many thanks,
2 weeks ago
Hello,
This looks pretty good to me.
Authentication is configured to handle the local users by the local password repository.
Authorization is configured to send back an administrative response if it's an authorized user, and ANY other management logins will be rejected.
Some final considerations:
1. When you add the switch you have to set the Auth Access type to "Any Access". This will have Control attempt to configure the device to send RADIUS requests for management access. As long as the device supports dynamic RADIUS configuration, when you enforce the NAC, NAC will reconfigure RADIUS to enable for the management realm/facility.
Once you enforce, make sure the configuration is changed accordingly.
2. When you add the switch, make sure the "RADIUS attributes to send" contains the necessary attributes for management access.
Service-Type for EXOS
Service-Type or Passport-Access-Priority for VOSS depending on version
Service-Type for XIQ-C
Typically Service-Type=6 will get you read/write access.
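To make the attribute point above concrete, here is an added example (not code from the thread, not from Extreme Networks, and not XMC/NAC itself) that builds a RADIUS Access-Accept carrying Service-Type and then checks it the way a switch would before granting management access: the Response Authenticator must verify against the shared secret, the code must be Access-Accept, and a 4-byte Service-Type attribute must be present with value 6 (Administrative-User). The shared secret, identifier and Request Authenticator are constructed test values; the packet layout and Service-Type codes come from RFC 2865. The Passport-Access-Priority VSA mentioned for VOSS is not modelled.

```python
"""Build and validate a RADIUS Access-Accept carrying Service-Type (RFC 2865).

Added example for illustration; not XMC/NAC or switch code. The
shared secret and Request Authenticator below are constructed test values.
"""
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute types (RFC 2865 section 5)
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6

# Service-Type values (RFC 2865 section 5.6); 6 is what the post recommends
SERVICE_TYPES = {
    1: "Login-User", 2: "Framed-User", 3: "Callback-Login-User",
    4: "Callback-Framed-User", 5: "Outbound-User", 6: "Administrative-User",
    7: "NAS-Prompt-User", 8: "Authenticate-Only", 9: "Callback-NAS-Prompt",
}
ADMINISTRATIVE_USER = 6

# Constructed test values (assumptions, not from the thread)
SAMPLE_SECRET = b"testing123"
SAMPLE_REQUEST_AUTH = bytes(range(16))


def service_type_attr(value: int) -> bytes:
    """Service-Type is a 4-byte big-endian integer."""
    return struct.pack("!I", value)


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length covers the two header bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attributes):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a reply from a forged or
    mis-keyed server fails here before any attribute is looked at."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet: bytes):
    """Return (code, identifier, [(type, value), ...]); rejects malformed TLVs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, attrs


def management_service_type(packet: bytes, request_auth: bytes, secret: bytes):
    """What a switch would derive from the reply: the Service-Type name if the
    packet is an authentic Access-Accept carrying one, otherwise None."""
    if not verify_response_authenticator(packet, request_auth, secret):
        return None
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    values = [v for t, v in attrs if t == ATTR_SERVICE_TYPE and len(v) == 4]
    if not values:
        return None  # accepted, but no management level was sent
    return SERVICE_TYPES.get(struct.unpack("!I", values[0])[0])


def grants_read_write(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Service-Type=6 (Administrative-User) is the value the post says yields read/write."""
    return management_service_type(packet, request_auth, secret) == "Administrative-User"


if __name__ == "__main__":
    accept = build_access_accept(42, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [
        (ATTR_USER_NAME, b"localadmin"),
        (ATTR_SERVICE_TYPE, service_type_attr(ADMINISTRATIVE_USER)),
    ])
    print(management_service_type(accept, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print(grants_read_write(accept, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The reason to check the attribute's presence explicitly is the failure mode from the post: an Access-Accept with no Service-Type is still an accept, but the switch has nothing to map to a management level, so the login can appear to succeed at the RADIUS layer and still not give CLI access.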
a week ago
@Ryan_Yacobucci - many thanks for checking and confirming the setup. I will look at the switch side shortly. One other item from me: when adding a username to the user group, does a wildcard, for example .\name, work for this?
Kind regards,