This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (ERS)
- question on MAC auth using windows NPS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
question on MAC auth using windows NPS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-13-2025 10:53 AM
hi all,
new when it comes to Avaya/Extreme. I have a ERS 4850GTS in my lab and trying to see how MAC auth using Windows NPS works in order to assign the port a specific vlan based on MAC manufacture OUI and Windows user laptops enables with 802.1x authentication. Is this even possible on theses switches? (running base software 5.8.0.3).
The purpose is to assign vlan 10 to non wuthenticated windows PC, vlan 15 to authenticated windows and vlan 20 to IOT's like printers and possibly other vlans for other purposes with the default vlan 2 as a quarantined initial vlan.
thanks
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-15-2025 03:41 AM
Hi,
It is possible using MultiHost MultiVlan, after configure RADIUS server:
eapol enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-pwd-fmt show
interface Ethernet ALL
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan mac-max 2
eapol status auto
If you got EAP and NON-EAP clients maybe and it's useful delay MAC auth to avoid unnessesary MAC auth from EAP clients:
eapol multihost radius-non-eap-delay <0-20>
About "to assign vlan 10 to non wuthenticated windows PC" maybe you can use "guest vlan" feature but I dont like much, cable for enterprise devices and wifi guest for...guests.
Cheers!!
EF
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-15-2025 03:41 AM
Hi,
It is possible using MultiHost MultiVlan, after configure RADIUS server:
eapol enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-pwd-fmt show
interface Ethernet ALL
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan mac-max 2
eapol status auto
If you got EAP and NON-EAP clients maybe and it's useful delay MAC auth to avoid unnessesary MAC auth from EAP clients:
eapol multihost radius-non-eap-delay <0-20>
About "to assign vlan 10 to non wuthenticated windows PC" maybe you can use "guest vlan" feature but I dont like much, cable for enterprise devices and wifi guest for...guests.
Cheers!!
EF
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-20-2025 07:43 AM
so how would this differ if what I need is when a user logs into the device (windows PC) he gets put on a specific VLAN? The VLAN comes from the Radius correct?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-21-2025 04:48 AM
Hi, this is the config in the SW to enable EAPOL with multiple host multiple VLANs for EAPOL and NONEAPOL clients, then you must configure the RADIUS with the policies and returned atributes, for example VLANs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎05-21-2025 12:16 PM
here is the config, not sure why it's seperated into multiple lines, it should apply to all ports from 2-48 since port1 is the trunk.
! *** EAP ***
!
eapol multihost allow-non-eap-enable
eapol multihost radius-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
interface Ethernet ALL
eapol multihost port 2-14 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac
-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assign
ed-vlan mac-max 2
eapol multihost port 15 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-m
ax 2 radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-ea
p-use-radius-assigned-vlan mac-max 2
eapol multihost port 16-34 enable eap-mac-max 2 allow-non-eap-enable non-eap-ma
c-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assig
ned-vlan mac-max 2
eapol multihost port 35 enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-m
ax 2 radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-ea
p-use-radius-assigned-vlan mac-max 2
eapol multihost port 36-48 enable eap-mac-max 2 allow-non-eap-enable non-eap-ma
c-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assig
ned-vlan mac-max 2
eapol multihost port 49-50 mac-max 2
no eapol multihost port 1 eap-protocol-enable
exit
interface Ethernet ALL
eapol port 2-48 status auto
exit
!
! *** EAP Guest VLAN ***
!
eapol guest-vlan enable vid 2204
!
! *** EAP Fail Open VLAN ***
!
!
! *** EAP Voip VLAN ***
!
eapol enable
!
