05-13-2025 10:53 AM
hi all,
New when it comes to Avaya/Extreme. I have an ERS 4850GTS in my lab and am trying to see how MAC auth using Windows NPS works in order to assign the port a specific VLAN based on MAC manufacturer OUI, and Windows user laptops enabled with 802.1X authentication. Is this even possible on these switches? (running base software 5.8.0.3).
The purpose is to assign VLAN 10 to non-authenticated Windows PCs, VLAN 15 to authenticated Windows and VLAN 20 to IoT devices like printers, and possibly other VLANs for other purposes, with the default VLAN 2 as a quarantined initial VLAN.
thanks
05-15-2025 03:41 AM
Hi,
It is possible using MultiHost MultiVlan, after configuring the RADIUS server:
eapol enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-pwd-fmt show
interface Ethernet ALL
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan mac-max 2
eapol status auto
If you have EAP and NON-EAP clients, it may be useful to delay MAC auth to avoid unnecessary MAC auth from EAP clients:
eapol multihost radius-non-eap-delay <0-20>
About "to assign vlan 10 to non authenticated windows PC": maybe you can use the "guest vlan" feature, but I don't like it much; cable for enterprise devices and wifi guest for...guests.
Cheers!!
EF
05-15-2025 05:25 AM
Thanks for the response, I will try that.
05-15-2025 05:31 AM
Sorry "eapol multihost non-eap-pwd-fmt show" is "eapol multihost non-eap-pwd-fmt mac-addr"
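Added example, not from any poster in this thread and not Avaya/Extreme or Microsoft code: the RADIUS-side decision behind use-radius-assigned-vlan, using the VLAN plan from the question and the RFC 3580 tunnel attributes that carry a VLAN ID. The OUI values, the known_pc_macs list, the function names, and the assumption that the switch sends the client MAC as the User-Name for non-EAP requests are illustrative assumptions.

```python
import re

# Constructed OUI prefixes standing in for printer/IoT vendors (assumption).
IOT_OUIS = {"001122", "AABBCC"}

QUARANTINE_VLAN = 2   # default initial VLAN from the question
GUEST_PC_VLAN = 10    # non-authenticated Windows PCs
DOT1X_VLAN = 15       # 802.1X-authenticated Windows laptops
IOT_VLAN = 20         # printers and other IoT devices


def normalize_mac(raw):
    """Return 12 upper-case hex digits, or None if raw is not a MAC.

    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 and
    001122334455, so the policy does not depend on the sender's format.
    """
    digits = re.sub(r"[-:.\s]", "", raw or "").upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def vlan_attributes(vlan_id):
    """RFC 3580 attributes a RADIUS server returns to assign a VLAN."""
    return {
        "Tunnel-Type": 13,                       # 13 = VLAN
        "Tunnel-Medium-Type": 6,                 # 6 = IEEE 802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def decide(user_name, eap_authenticated=False, known_pc_macs=frozenset()):
    """Pick the VLAN for one access request; None means reject."""
    if eap_authenticated:
        # The 802.1X supplicant already proved its identity.
        return vlan_attributes(DOT1X_VLAN)
    mac = normalize_mac(user_name)
    if mac is None:
        return None                              # not a MAC-auth request
    if mac[:6] in IOT_OUIS:
        return vlan_attributes(IOT_VLAN)         # matched on OUI only
    if mac in known_pc_macs:
        return vlan_attributes(GUEST_PC_VLAN)    # known PC, no 802.1X
    return vlan_attributes(QUARANTINE_VLAN)      # unknown device
```

A MAC or OUI match identifies a device but does not authenticate it, so the VLANs reached this way warrant tighter ACLs than the 802.1X VLAN.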
05-21-2025 11:50 AM
So I added this configuration and it locked me out.
I guess it's because my port #1 is the trunk, so EAP should not be set up on that port, but I don't know how to NOT include it.
05-21-2025 07:31 AM - edited 05-21-2025 07:32 AM
So I received more info; there are Avaya IP phones, and some users connect behind the phone and some users connect directly to a switchport.
How would this work in order to differentiate a phone from any other device on a port, as well as detecting the device that is connected behind the phone?
EAP would be configured for devices that support EAP, like Windows laptops and Chromebooks, correct?