NAC - location based VLAN Assignment
‎01-20-2022 04:42 AM
We are using Extreme NAC as Proxy Radius with Microsoft NPS.
At the moment VLANs are assigned based on the RADIUS response from NPS, which is working fine.
What we would like to do now is the following:
1. NPS responds with vlan name "client" if end system is successfully authenticated.
2. on switch1, if NPS response is "client" - vlan should be "client_1"
3. on switch2, if NPS response is "client" - vlan should be "client_2"
4. on switch3, if NPS response is "client" - vlan should be "client_3"
5. and so on
So based on the switch location group we want to modify the VLAN information from NPS for the final assignment of the end system.
Is this possible to implement with Extreme NAC?
‎01-26-2022 08:59 AM
Hello,
If NPS is already providing the correct RADIUS attributes you can configure the profile to just pass through what NPS has already provided. In the NAC profile deselect "Replace RADIUS response attributes" and it will pass to the client whatever NPS sends to NAC.
1. NPS responds with vlan name "printer" if end system is successfully authenticated.
2. on switch1, if NPS response is "printer" - vlan should be "printer_1" --> NAC passes through RFC 3580 VLAN to client
3. on switch2, if NPS response is "printer" - vlan should be "printer_2" --> NAC passes through RFC 3580 VLAN to client
4. on switch3, if NPS response is "printer" - vlan should be "printer_3" --> NAC passes through RFC 3580 VLAN to client
5. and so on
NAC can also evaluate RADIUS AVPs, and they can be used in the rule criteria to make a rule decision. There is a RADIUS user group criterion where you can define the AVP returned by NPS in order to hit a specific rule. E.g. if NPS returns an RFC 3580 Tunnel-Private-Group-ID of 7, that can be used as a criterion to match a group.
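The two mechanisms in this reply, passing through the RFC 3580 VLAN attributes NPS returns and making a rule decision on the returned AVP plus the switch's location, can be modelled in a few lines. The following is an added example written for this thread; it is not Extreme NAC code and does not reproduce how the NAC rule engine is implemented. It encodes and decodes RADIUS attribute TLVs (RFC 2865), handles the RFC 2868 tag octet on the tunnel attributes, and applies a location rule: the VLAN name NPS returns ("client") is rewritten to "client_N" depending on which NAS sent the request, while a switch that matches no location group gets the NPS response passed through untouched. The NAS addresses, location group names and suffixes are constructed sample data.

```python
"""Added example: location-based VLAN rewrite over RFC 3580 attributes (not Extreme NAC code)."""
import struct

# Attribute numbers and values from RFC 2865 / RFC 2868 / RFC 3580
NAS_IP_ADDRESS = 4
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

# Constructed sample data: NAS IP -> location group, location group -> VLAN suffix
LOCATION_GROUPS = {"10.0.1.1": "site_1", "10.0.2.1": "site_2", "10.0.3.1": "site_3"}
LOCATION_SUFFIX = {"site_1": "_1", "site_2": "_2", "site_3": "_3"}


def encode_attrs(attrs):
    """Serialise (type, bytes) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return bytes(out)


def decode_attrs(blob):
    """Parse RADIUS TLVs back into (type, bytes) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def is_well_formed(blob):
    """True if the attribute blob parses cleanly (a proxy should drop anything else)."""
    try:
        decode_attrs(blob)
        return True
    except ValueError:
        return False


def tagged_int(tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(tag, text):
    """RFC 2868 tagged string: tag octet (0x00..0x1F) followed by the string."""
    return bytes([tag]) + text.encode()


def split_tag(value):
    """Return (tag, payload); a first octet above 0x1F is part of the string, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return None, value


def nps_accept_attrs(vlan_name, tag=1):
    """Constructed stand-in for the RFC 3580 attributes NPS puts in its Access-Accept."""
    return [
        (TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN)),
        (TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_802)),
        (TUNNEL_PRIVATE_GROUP_ID, tagged_string(tag, vlan_name)),
    ]


def rewrite_vlan_for_location(accept_attrs, nas_ip):
    """Location rule: keep every NPS attribute, rewrite only the VLAN name by site.
    A NAS that matches no location group is passed through unchanged."""
    suffix = LOCATION_SUFFIX.get(LOCATION_GROUPS.get(nas_ip))
    if suffix is None:
        return list(accept_attrs)
    result = []
    for atype, value in accept_attrs:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, name = split_tag(value)
            new_name = name.decode() + suffix
            value = tagged_string(tag, new_name) if tag is not None else new_name.encode()
        result.append((atype, value))
    return result


def final_vlan(blob):
    """The VLAN name carried in a serialised attribute set (None if absent)."""
    for atype, value in decode_attrs(blob):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return split_tag(value)[1].decode()
    return None


if __name__ == "__main__":
    nps = encode_attrs(nps_accept_attrs("client"))
    for nas in ("10.0.1.1", "10.0.2.1", "10.0.9.9"):
        print(nas, "->", final_vlan(encode_attrs(rewrite_vlan_for_location(decode_attrs(nps), nas))))
```

The rewrite touches only Tunnel-Private-Group-ID and keeps the tag octet, so Tunnel-Type and Tunnel-Medium-Type still belong to the same tag group and the switch applies them together; the length checks in `decode_attrs` are what a proxy should do before trusting any attribute it forwards.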
‎01-21-2022 09:44 AM
Are you using policy with Extreme switches for the clients? If so Policy Vlan Islands may be your solution.
‎01-26-2022 08:41 AM
Hi Brian! Unfortunately we have got a lot of older switches which are not policy capable, but we will have a look at this.
