This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NAC - location based VLAN Assignment

NAC - location based VLAN Assignment

Thomas_Hilber
New Contributor II

‎01-20-2022 04:42 AM

We are using Extreme NAC as Proxy Radius with Microsoft NPS.
At the moments VLANs are assigned based on radius response from NPS which is working fine.

What we would like to do now is the following:

1. NPS responds with vlan name "client" if end system is successfully authenticated.
2. on switch1, if NPS response is "client" - vlan should be "client_1"
3. on switch2, if NPS response is "client" - vlan should be "client_2"
4. on switch3, if NPS response is "client" - vlan should be "client_3"
5. and so on

So based on switch location group we want modify the vlan information from NPS for the final assignment of the end system.
Is this possible to implement with Extreme NAC?
0 Kudos
7 REPLIES 7

Ryan_Yacobucci
Extreme Employee
In response to Thomas_Hilber

‎01-26-2022 08:59 AM

Hello, 

If NPS is already providing the correct RADIUS attributes you can configure the profile to just pass through what NPS has already provided. In the NAC profile deselect "Replace RADIUS response attributes" and it will pass to the client whatever NPS send to NAC.

1. NPS responds with vlan name "printer" if end system is successfully authenticated.
2. on switch1, if NPS response is "printer" - vlan should be "printer_1" --> NAC passes through RFC 3580 VLAN to client
3. on switch2, if NPS response is "printer" - vlan should be "printer_2" --> NAC passes through RFC 3580 VLAN to client
4. on switch3, if NPS response is "printer" - vlan should be "printer_3" --> NAC passes through RFC 3580 VLAN to client
5. and so on


NAC can also evaluate RADIUS AVPs and they can be used in the rule criteria to make a rule decision. There is a RADIUS user group criteria where you can define the AVP returned by NPS in order to hit a specific rule. Eg. If NPS returns RFC 3580 tunnel-private-group of 7 that can be used as a criteria to match a group. 
0 Kudos

Brian_Anderson1
Contributor

‎01-21-2022 09:44 AM

Are you using policy with Extreme switches for the clients?  If so Policy Vlan Islands may be your solution.
0 Kudos

Thomas_Hilber
New Contributor II
In response to Brian_Anderson1

‎01-26-2022 08:41 AM

Hi Brian! Unfortunately we have got a lot of older switches which are not policy capable, but we will have a look on this.
0 Kudos
GTM-P2G8KFN