question on MAC auth using windows NPS
kitkat0981
New Contributor

Hi all,

I'm new when it comes to Avaya/Extreme. I have an ERS 4850GTS in my lab and am trying to see how MAC auth using Windows NPS works in order to assign the port a specific VLAN based on the MAC manufacturer OUI, and Windows user laptops enabled with 802.1X authentication. Is this even possible on these switches? (running base software 5.8.0.3).

The purpose is to assign VLAN 10 to unauthenticated Windows PCs, VLAN 15 to authenticated Windows PCs and VLAN 20 to IoT devices like printers, and possibly other VLANs for other purposes, with the default VLAN 2 as a quarantined initial VLAN.

thanks

1 ACCEPTED SOLUTION

EF
Contributor III

Hi,

It is possible using MultiHost MultiVlan, after configuring the RADIUS server:

eapol enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-pwd-fmt show


interface Ethernet ALL
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan mac-max 2
eapol status auto

If you have both EAP and non-EAP clients, it may be useful to delay MAC auth to avoid unnecessary MAC auth attempts from EAP clients:

eapol multihost radius-non-eap-delay <0-20>

About "to assign vlan 10 to non-authenticated windows PC": maybe you can use the "guest vlan" feature, but I don't like it much; cable for enterprise devices and wifi guest for... guests.

Cheers!!

EF

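The switch configuration above only tells the ERS to honour whatever VLAN the RADIUS server returns; the actual decision (802.1X user, known printer OUI, or nothing matched) lives in the NPS network policies. The following is an added example, not code from the original thread or from Extreme/Avaya, that models that server-side decision and the RFC 3580 attributes an Access-Accept must carry for `use-radius-assigned-vlan` to do anything. The OUI table, VLAN numbers and MAC formats are constructed for the example; in particular, the exact on-the-wire form in which the ERS sends the MAC as username/password under `non-eap-pwd-fmt mac-addr` is an assumption here and should be confirmed against a packet capture or the NPS event log before writing the policy conditions.

```python
"""Added example: RADIUS-side VLAN decision for ERS MultiHost MultiVlan.

Models what an NPS policy set would do for the thread's design:
  * 802.1X (EAP) success            -> Tunnel-Private-Group-ID = 15
  * non-EAP client, known IoT OUI   -> Tunnel-Private-Group-ID = 20
  * anything else                   -> Access-Reject (port stays in the
                                       initial/quarantine VLAN 2 on the switch)
All OUIs, VLAN numbers and identities below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, Union

# RFC 2868 attribute numbers and the RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # string: the VLAN ID

VLAN_AUTHENTICATED_USER = 15
VLAN_IOT = 20
# VLAN 2 is the port's initial VLAN on the switch; the server never needs to
# return it, a reject simply leaves the client there.

# Constructed OUI table (first 3 bytes of the MAC, upper-case, no separators).
# A real deployment would load this from the IEEE registry or an inventory.
IOT_OUIS: Dict[str, str] = {
    "00A0C9": "sample-printer-vendor",   # constructed, not a real assignment
    "ACDE48": "sample-camera-vendor",    # constructed, not a real assignment
}

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:a0:c9:12:34:56, 00-A0-C9-12-34-56, 00a0.c912.3456 or bare hex
    and return 12 upper-case hex digits. Raises ValueError on anything else."""
    digits = re.sub(r"[:\-. ]", "", mac).upper()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def oui(mac: str) -> str:
    return normalize_mac(mac)[:6]


@dataclass(frozen=True)
class AccessRequest:
    calling_station_id: str            # client MAC as reported by the switch
    user_name: str                     # EAP identity, or the MAC for non-EAP
    password: Optional[str] = None     # non-EAP only: MAC under pwd-fmt mac-addr
    eap_succeeded: bool = False        # True once the EAP method completed


def non_eap_credentials_ok(req: AccessRequest) -> bool:
    """Sanity check for MAC-auth requests: with `non-eap-pwd-fmt mac-addr` the
    switch is assumed to send the client MAC as both User-Name and password, so
    all three must agree. This catches malformed policies, not spoofing: a MAC
    is not a secret, which is why MAC-authed devices get their own VLAN."""
    if req.password is None:
        return False
    try:
        mac = normalize_mac(req.calling_station_id)
        return normalize_mac(req.user_name) == mac and normalize_mac(req.password) == mac
    except ValueError:
        return False


def decide_vlan(req: AccessRequest) -> Optional[int]:
    """Return the VLAN to assign, or None for Access-Reject."""
    if req.eap_succeeded:                       # user or computer account passed 802.1X
        return VLAN_AUTHENTICATED_USER
    if non_eap_credentials_ok(req) and oui(req.calling_station_id) in IOT_OUIS:
        return VLAN_IOT
    return None


def tunnel_attributes(vlan: int) -> Dict[int, Union[int, str]]:
    """The three attributes an Access-Accept must carry for the ERS to move the
    client (per MAC, since multivlan is enabled) into `vlan`."""
    return {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: str(vlan)}


def handle(req: AccessRequest) -> Tuple[str, Dict[int, Union[int, str]]]:
    vlan = decide_vlan(req)
    if vlan is None:
        return "Access-Reject", {}
    return "Access-Accept", tunnel_attributes(vlan)


if __name__ == "__main__":
    # Constructed sample requests: a laptop that passed 802.1X, a printer doing
    # MAC auth, and an unknown device doing MAC auth.
    samples = [
        AccessRequest("00-1B-2C-3D-4E-5F", "CORP\\alice", eap_succeeded=True),
        AccessRequest("00:a0:c9:12:34:56", "00a0c9123456", "00a0c9123456"),
        AccessRequest("001b2c3d4e5f", "001b2c3d4e5f", "001b2c3d4e5f"),
    ]
    for s in samples:
        print(s.calling_station_id, "->", handle(s))
```

Whatever returns these attributes, NPS or otherwise, the VLANs named in Tunnel-Private-Group-ID must already exist on the ERS, and the quarantine behaviour for unknown MACs comes from the port's initial VLAN plus the reject, not from anything the server sends.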

8 REPLIES

kitkat0981
New Contributor

Thanks for the response, I will try that.

EF
Contributor III

Sorry "eapol multihost non-eap-pwd-fmt show" is "eapol multihost non-eap-pwd-fmt mac-addr"

kitkat0981
New Contributor

So I added this configuration and it locked me out.

I guess it's because my port #1 is the trunk, so EAP should not be set up on that port, but I don't know how to NOT include it.

kitkat0981
New Contributor

So I received more info: there are Avaya IP Phones, and some users connect behind the phone while some users connect directly to a switchport.

How would this work in order to differentiate a phone from any other device on a port, as well as detecting the device that is connected behind the phone?

EAP would be configured for devices that support EAP, like Windows laptops and Chromebooks, correct?
