09-08-2021 08:26 AM
Hello all,
We have some trouble with the NAC configuration on our x440 switches. We’ve created a service rule that denies traffic to some destination subnet, let’s say 10.0.0.0/24, but when the client is connected directly to the switch (via an Ethernet connection) the rule doesn’t work! On WiFi everything works completely fine.
The command “show policy capabilities” issued on the switch shows us that IP Destination Subnet is supported on this device.
Does anyone know how to resolve this problem?
Thanks in advance,
Marcin
09-08-2021 09:06 AM
I switched to “Permit traffic”; it works the same as contain to VLAN. The switch is synced with the domain, everything is applied, and I also checked directly on the switch whether the rules are there, and everything looks fine.
Here is the policy role; it’s created for testing purposes. I’ve also tried to block traffic by IPDstSocket, which doesn’t work either.
09-08-2021 08:57 AM
I’m not 100% sure if service rules are applied if you use “contain to vlan” instead of “Permit Traffic” or “Deny Traffic”. I only used one of the latter when denying access to certain subnets via service rules.
Can you maybe try to use “Permit Traffic”?
Can you go to Policy → Devices → Right-Click the switch and hit “Verify” to check if the policy is correctly applied?
Can you share a screenshot of the policy role?
09-08-2021 08:38 AM
Hi Stefan,
Yes and yes. The switch is part of the policy domain, and the NAC role is configured; the proper service that is supposed to block traffic is also added to the role.
Role action is contain to VLAN
09-08-2021 08:34 AM
Hi,
Is the switch part of the Policy domain?
Is there a NAC rule configured that applies the correct Role?
Regards
Stefan