This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

question on MAC auth using windows NPS

question on MAC auth using windows NPS

Go to solution
kitkat0981
New Contributor

ā€Ž05-13-2025 10:53 AM

hi all,

new when it comes to Avaya/Extreme. I have a ERS 4850GTS in my lab and trying to see how MAC auth using Windows NPS works in order to assign the port a specific vlan based on MAC manufacture OUI and Windows user laptops enables with 802.1x authentication. Is this even possible on theses switches? (running base software 5.8.0.3).

The purpose is to assign vlan 10 to non wuthenticated windows PC, vlan 15 to authenticated windows and vlan 20 to IOT's like printers and possibly other vlans for other purposes with the default vlan 2 as a quarantined initial vlan.

thanks

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
EF
Contributor III

ā€Ž05-15-2025 03:41 AM

Hi,

It is possible using MultiHost MultiVlan, after configure RADIUS server:

eapol enable
eapol multihost allow-non-eap-enable
eapol multihost use-radius-assigned-vlan
eapol multihost non-eap-use-radius-assigned-vlan
eapol multihost multivlan enable
eapol multihost non-eap-pwd-fmt show


interface Ethernet ALL
eapol multihost port 1/ALL enable eap-mac-max 2 allow-non-eap-enable non-eap-mac-max 2 radius-non-eap-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan mac-max 2
eapol status auto

If you got EAP and NON-EAP clients maybe and it's useful delay MAC auth to avoid unnessesary MAC auth from EAP clients:

eapol multihost radius-non-eap-delay <0-20>

About "to assign vlan 10 to non wuthenticated windows PC" maybe you can use "guest vlan" feature but I dont like much, cable for enterprise devices and wifi guest for...guests.

Cheers!!

EF

View solution in original post

8 REPLIES 8

Go to solution
kitkat0981
New Contributor
In response to EF

ā€Ž05-15-2025 05:25 AM

thanks for the reponse, i will try that.

0 Kudos

Go to solution
EF
Contributor III
In response to kitkat0981

ā€Ž05-15-2025 05:31 AM

Sorry "eapol multihost non-eap-pwd-fmt show" is "eapol multihost non-eap-pwd-fmt mac-addr"

0 Kudos

Go to solution
kitkat0981
New Contributor
In response to EF

ā€Ž05-21-2025 11:50 AM

so I added this configuration and it locked me out. 

i guess it's because my port #1 is the trunk, so eap should not be setup on that port, but I don't know how to NOT include it.

0 Kudos

Go to solution
kitkat0981
New Contributor
In response to EF

ā€Ž05-21-2025 07:31 AM - edited ā€Ž05-21-2025 07:32 AM

so I received more info; there is Avaya IP Phones and some users connect behind the phone and some users connect directly to a switchport.

How would this work in order to differentiate a phone to any other device on a port? as well as detecting the device that is connected behind the phone?

EAP would be configured for devices that support EAP like Windows Laptops and Chromebooks correct?

 

0 Kudos
GTM-P2G8KFN