cancel
Showing results for 
Search instead for 
Did you mean: 

NAC - location based VLAN Assignment

NAC - location based VLAN Assignment

Thomas_Hilber
New Contributor II
We are using Extreme NAC as Proxy Radius with Microsoft NPS.
At the moments VLANs are assigned based on radius response from NPS which is working fine.

What we would like to do now is the following:

1. NPS responds with vlan name "client" if end system is successfully authenticated.
2. on switch1, if NPS response is "client" - vlan should be "client_1"
3. on switch2, if NPS response is "client" - vlan should be "client_2"
4. on switch3, if NPS response is "client" - vlan should be "client_3"
5. and so on

So based on switch location group we want modify the vlan information from NPS for the final assignment of the end system.
Is this possible to implement with Extreme NAC?
7 REPLIES 7

Ryan_Yacobucci
Valued Contributor

This is the way I would recommend to do it: 

1. NAC rule for Printers: 

ed6dbb36721940d9884fbfbcc4a8a6af.png
2 Policy Mapping for Printers has multiple mappings with location group per switch: 


55e62ad7df1640e4a8a5e47fe1c7213b.png

5fd64a39f9e64885b965d676b9d4b44e.png

All printers will hit the "Printer" rule and NAC will send different RFC 3580 VLAN authorizations based on the switch that sent the authentication request. 



Brian's solution is a one too. If Policy VLAN islands or policy isn't supported by the older or 3rd party devices as long as they can process an RFC 3580 VLAN authorization with VLAN name instead of VLAN ID you can configure the same VLAN name on all switches, and map it to a different VLAN ID per switch. 

So:
Switch 1 would would have "Printer" VLAN be VLAN 1
Switch 2 would would have "Printer" VLAN be VLAN 2
Switch 3 would would have "Printer" VLAN be VLAN 3

NAC would always send back RFC 3580 VLAN NAME (Printer), and the individual switch can provision the unique VLAN per switch accordingly. 

Policy VLAN Islands just makes it easy to deploy and manage this type of configuration. 

Ryan_Yacobucci
Valued Contributor

Hello,

Yes, NAC has the ability to provide a different authorization based on location group by utilizing location based policy mappings. 

You will have one rule that has one profile that mappings to a number of policy mappings that are used based on location criteria within the policy mapping itself.

For instance: 

Unregistered with "Map to Location" "Any"
f721a6f0885443adbbdb9a511b84d07c.png


Unregistered with "Map to location" "XCC". XCC being the IP address of the XCC controller. 

0368bd76b38746e2b5125f0ae7c57c06.png
So there are two policy mappings named "Unregistered", but if the XCC controller sends the RADIUS access request NAC will send a different policy named based on the policy mapping:

8f918fa76d2b478282e9847ad7c40d3c.png

So NAC would send "Unregistered role for BCS_WIRELESS" as the filter-id ONLY to the XCC. Any other switch would have the filter-id of "Unregistered" sent. 

So you would create a new policy mapping for each switch location group, and define the switches inside the location group.

You'll probably be working with RFC 3580 for VLAN authorization. There is no difference. Instead of filer-id you would send a different VLAN ID. 

So: 

policyMappingName - Location group: switch 1 - VLAN 1
policyMappingName - Location group: switch 2 - VLAN 2
policyMappingName - Location group: switch 3 - VLAN 3
policyMappingName - Location group: switch 4 - VLAN 4


They key is that the policy mapping name must all be the same, and you should leave one of the policy mappings set to location of "any" or NAC will throw an error on enforce saying that there is no default policy mapping. 

Thanks
-Ryan

Hi Ryan,

thank you this could be the way to go.

But is NAC also capable to evaluate the VLAN name returned with  RFC 3580 from NPS server.

Because we could also have the following situation when the end system is a printer:
1. NPS responds with vlan name "printer" if end system is successfully authenticated.
2. on switch1, if NPS response is "printer" - vlan should be "printer_1"
3. on switch2, if NPS response is "printer" - vlan should be "printer_2"
4. on switch3, if NPS response is "printer" - vlan should be "printer_3"
5. and so on

So it would be a two stage process:
first look into vlan returned by NPS
then assign the "new" vlan name based on switch location

why are you proxying the requests to the NPS? What values and sources uses the NPS for decision?

From my current point of view, it would be much easier for you, to only use the NAC.
I don't know if NAC is able to modify the vlan-tunnel-atribute received from the NPS.
GTM-P2G8KFN