Netsight - Monitoring only

m18grunling
New Contributor
Hi @all,

For two months we have been using Netsight NAC. Before that our NAC was managed by macmon (www.macmon.eu).

macmon procedure:
macmon scans the switch every minute for a change. In that case macmon changed the VLAN to the right one (authorized device) or to a quarantine VLAN (unauthorized device).
It was also possible to add switches to macmon for documentation only. Then macmon doesn't change anything on the switch; it is only in a "scanning mode". In this mode we also added switches in the datacenter. So we have all MAC addresses in our company in one system!

In Netsight we have our NAC configured as MAC-based. And now we are also looking for a solution to add some switches or ports in the scanning mode.

First for our datacenter switches. The other problem is that we have some audio devices in a VLAN which is not routed. These devices are old and only publish their MAC address when the device is rebooted. After a certain time it no longer publishes the MAC address, the switch loses the address on the port, and so it switches back to the naclogin VLAN.

THANKS for your ideas!
Marcus

Erik_Auerswald
Contributor II
Hi Marcus,

You configure authentication in NAC and on the switch normally (without policy or VLAN assignment), but then you add the port configuration to not actually require authentication:

configure netlogin ports PORTS authentication mode optional

Note: This is supported for OnePolicy only (i.e., with enable policy as part of the configuration).

I would expect that this can be achieved using the XMC ("NAC") web frontend as well.

If authentication is successful and sends policy and / or VLAN information, those will be used. Thus you should configure NAC to not send any policy or VLAN assignment to those switches where you only need the visibility features of NAC.

Please test this before actually using it in production!

Thanks,
Erik

m18grunling
New Contributor
Hi Erik,

Thanks for your fast reply!!

1.) Can you give me your recommended (netlogin) config without authentication to see the devices with all information in NAC, please?

THANKS
marcus

Erik_Auerswald
Contributor II
Hi Marcus,

  1. You can configure the switch ports to use "optional authentication." The switch ports allow devices onto the network irrespective of authentication success or failure, but NAC has all the end-system information it learns from authentication.
  2. You have described the "silent device" problem, see https://community.extremenetworks.com/aaa-radius-230508/mac-authentication-dynamic-vlans-and-silent-... for a lot of info. I like the idea of monitoring the end-systems so that the MAC address is refreshed often enough.
Thanks,
Erik
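An added configuration example for the "optional authentication" approach described in both replies above (this is not config from the thread or from Extreme Networks; the RADIUS server and client addresses, VR name, port list and shared secret are placeholders, and the switch is assumed to run EXOS with policy enabled as Erik notes):

```text
# Added example: EXOS MAC-based netlogin in "optional" mode so NAC learns the
# end-systems on these ports without the switch enforcing the result.
# Placeholders: 192.0.2.10 (RADIUS/NAC engine), 192.0.2.1 (switch client IP),
# VR-Default (virtual router), 1:1-48 (monitored ports), <RADIUS-SECRET>.

# "optional" authentication mode requires OnePolicy, so enable policy first.
enable policy

# Point netlogin RADIUS requests at the NAC engine.
configure radius netlogin primary server 192.0.2.10 1812 client-ip 192.0.2.1 vr VR-Default
configure radius netlogin primary shared-secret <RADIUS-SECRET>
enable radius netlogin

# MAC-based netlogin on the ports that should only be "scanned".
enable netlogin mac
enable netlogin ports 1:1-48 mac

# Do not require authentication to succeed: the device is forwarded either way,
# but NAC still receives the MAC and end-system details from the RADIUS exchange.
configure netlogin ports 1:1-48 authentication mode optional
```

On the NAC side, the rule that matches these switches should return no VLAN and no policy (as Erik points out, any VLAN or policy that NAC does send is still applied even in optional mode). Check the result with `show netlogin` on the switch and with the end-system view in NAC before rolling it out to the datacenter switches.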