This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NAC - 802.1x End-Systems IP missing, forward AAA

NAC - 802.1x End-Systems IP missing, forward AAA

Go to solution
tfsnetman
Contributor

‎05-28-2021 12:58 AM

Hello,

 

We have two Cisco WLCs 5500 using our Extreme NACs as Radius Authentication and Accounting servers.

  • While Authentication works nicely, I am missing some IP addresses from End-Systems while others are there.
    • Any idea why?
  • We would also like to forward the username / identity to a FortiGate firewall.
    • How would I do that?

Thank you,

 

Klaus

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
StephanH
Valued Contributor III

‎05-31-2021 11:16 AM

Hello Klaus,

maybe the ExtremeConnect integration for FortiGate is what you need. Check the manual here:

 

https://documentation.extremenetworks.com/netsight/8.5/XMC_8.5_ExtremeConnect_User_Guide.pdf?_ga=2.2...

 

If you need other information in you Fortigate. Maybe the XMC NBI-API can help you.

Regards Stephan

View solution in original post

0 Kudos
11 REPLIES 11

Go to solution
tfsnetman
Contributor

‎05-30-2021 06:12 AM

Hi Stephan,

I guess, I will find out how well it works and let you know.

Any thoughts about how to forward user identity from the Extreme NACs to a FortiGate firewall?

Thank you,

Klaus

0 Kudos

Go to solution
StephanH
Valued Contributor III

‎05-30-2021 05:08 AM

If the WLC care about the DHCP forwarding add the NAC ip as DHCP server on the WLC.

Regards Stephan
0 Kudos

Go to solution
StephanH
Valued Contributor III

‎05-30-2021 05:07 AM

Hello Klaus,

the accounting settings should fit

 Regarding DHCP, I assume the DHCP server has no IP in the same network as your clients. Then there must be a router in your network that has a DHCP helper entry that contains the IP address of the DHCP server. Enter there also the NAC IP (additional), as if the NAC was a DHCP server.

Regards Stephan
0 Kudos

Go to solution
tfsnetman
Contributor

‎05-30-2021 04:58 AM

Hi guys,

 

Accounting Called Station ID type is set o IP and there is no option for both MAC and IP - see attachment.

0b22bee4426944ada3b8f39bfdb8fc07_71b48a88-52d8-44c5-bd41-ffe869fddf89.png

We are talking about Wi-Fi and 802.1x authentication only where IP addresses are always assigned via DHCP.

@Stephan: not sure whether what you mean by registering NACs as a DHCP server and how those DHCP requests would flow.

 

Thank you,

Klaus

0 Kudos

Go to solution
StephanH
Valued Contributor III

‎05-29-2021 08:58 PM

Switching on WLC accounting is not always sufficient depending on the sw version. To be sure you have to check if the transmission of MAC and IP under

Acct Called Station ID Type

is switched on. But guessing helps little here, it would be good to know how the address resolution runs in the installation Klaus mentioned.

Regards Stephan
0 Kudos
GTM-P2G8KFN