This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- identity-management for vlan selection on access p...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
identity-management for vlan selection on access port
identity-management for vlan selection on access port
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-21-2015 06:47 AM
Trying to setup summit x440 and x460 switches to authenticate users to AD groups. if a user is in group1, then set connected host to vlan X. if there is a link to this kind of setup. it would be much obliged because i'm having trouble getting this stuff to work.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-15-2015 07:34 PM
ok, this is now solved.
We're not using identity management. because if you unplugg the network cable, then all kerberos packets will be encrypted. so you will be unable to get authenticated again because of the ttl on the kerberos handshake.
To solve this we instead used netlogin with dot1x, relaying all info to a Microsoft NPS server via radius.
The NPS server has all DHCP ranges and checks the AD for the username. if authenticated. the NPS server will then reply this along with a vlan tag for the host to be placed in.
after tweaking some timers n such everything works kinda well.
the auth process usually takes abut 1-2 seconds. i set the timeout to 5 seconds with max 3 attempts befor the user is placed in a guest vlan.
the main problem was the dot1x host and NPS server. the switch was configured within 30minutes or so.
And tweaking the timers was mainly done because the defualt timeout value was set to 2 minutes for user s missing dot1x, no valid cert or just not being able to reach the NPS server.
We're not using identity management. because if you unplugg the network cable, then all kerberos packets will be encrypted. so you will be unable to get authenticated again because of the ttl on the kerberos handshake.
To solve this we instead used netlogin with dot1x, relaying all info to a Microsoft NPS server via radius.
The NPS server has all DHCP ranges and checks the AD for the username. if authenticated. the NPS server will then reply this along with a vlan tag for the host to be placed in.
after tweaking some timers n such everything works kinda well.
the auth process usually takes abut 1-2 seconds. i set the timeout to 5 seconds with max 3 attempts befor the user is placed in a guest vlan.
the main problem was the dot1x host and NPS server. the switch was configured within 30minutes or so.
And tweaking the timers was mainly done because the defualt timeout value was set to 2 minutes for user s missing dot1x, no valid cert or just not being able to reach the NPS server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-21-2015 07:48 AM
yes, exactly. What i want to achive is the following. if connected host cannot be authenticated, or is not in the domain --> will only get "default" for internet. mainly for guests and so om. if the host is in the Ad domain --> can be elected a range of VLANs depending on which group they are in on the AD. or if i can make this election based on other criterias? for example. on the active directory domain controller. OU=tech will have one vlan. OU=sales will have another vlan. and so on. //Per
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-21-2015 07:00 AM
Hi Per Lejon,
Let me make sure one thing here, do you want to deploy a switch as authentication device for a domain.
So whoever connects to that domain has to be authenticated via switch ? is this your requirement ?
Thanks,
Suresh.B
Let me make sure one thing here, do you want to deploy a switch as authentication device for a domain.
So whoever connects to that domain has to be authenticated via switch ? is this your requirement ?
Thanks,
Suresh.B
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-21-2015 06:56 AM
this is my current config configure identity-management kerberos snooping aging time 120 enable identity-management configure identity-management add ports 22 configure identity-management role-based-vlan add ports 22 configure identity-management role match-criteria inheritance on create ldap domain "intra.company.net" default configure ldap domain "intra.company.net" base-dn "DC=intra,DC=company,DC=net" configure ldap domain "intra.company.net" bind-user "user" encrypted "pass" configure ldap domain "intra.company.net" add server 192.168.85.3 389 create identity-management role "yyy" match-criteria "company==company;" priority 200 configure identity-management role "yyy" tag 102 vr VR-Default
