
NAC - 802.1x End-Systems IP missing, forward AAA


tfsnetman
Contributor

Hello,

 

We have two Cisco WLCs 5500 using our Extreme NACs as Radius Authentication and Accounting servers.

  • While Authentication works nicely, I am missing some IP addresses from End-Systems while others are there.
    • Any idea why?
  • We would also like to forward the username / identity to a FortiGate firewall.
    • How would I do that?

Thank you,

 

Klaus

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

Hello Klaus,

Maybe the ExtremeConnect integration for FortiGate is what you need. Check the manual here:

 

https://documentation.extremenetworks.com/netsight/8.5/XMC_8.5_ExtremeConnect_User_Guide.pdf?_ga=2.2...

 

If you need other information in your FortiGate, maybe the XMC NBI-API can help you.

Regards Stephan


11 REPLIES 11

tfsnetman
Contributor

Hi Stephan,

I guess I will find out how well it works and let you know.

Any thoughts about how to forward user identity from the Extreme NACs to a FortiGate firewall?

Thank you,

Klaus

StephanH
Valued Contributor III

If the WLC takes care of the DHCP forwarding, add the NAC IP as a DHCP server on the WLC.

Regards Stephan

StephanH
Valued Contributor III

Hello Klaus,

The accounting settings should fit.

Regarding DHCP, I assume the DHCP server has no IP in the same network as your clients. Then there must be a router in your network that has a DHCP helper entry that contains the IP address of the DHCP server. Also enter the NAC IP there (additionally), as if the NAC were a DHCP server.

Regards Stephan

tfsnetman
Contributor

Hi guys,

 

Accounting Called Station ID type is set to IP and there is no option for both MAC and IP - see attachment.


We are talking about Wi-Fi and 802.1x authentication only where IP addresses are always assigned via DHCP.

@Stephan: not sure what you mean by registering NACs as a DHCP server and how those DHCP requests would flow.

 

Thank you,

Klaus

StephanH
Valued Contributor III

Switching on WLC accounting is not always sufficient, depending on the SW version. To be sure, you have to check if the transmission of MAC and IP under

Acct Called Station ID Type

is switched on. But guessing helps little here; it would be good to know how the address resolution runs in the installation Klaus mentioned.

Regards Stephan