
Name based NAC L2VSN association

AlexDE
New Contributor

Hi Guys,

I am currently trying to POC NAC with Fabric Engine and auto-sense in our environment. We are currently using EXOS at the edge with NAC in our bigger locations, but we want to use Fabric Extend to connect small branch offices where only a small number of switches are required. We segment into different networks by VLAN name, because one rule should be applied for each category of device: Trusted-Clients, Printers, Cameras etc., but there are different L2VSNs mapped to the EXOS VLAN per location/building/floor etc. On top of that there are special-purpose L2VSNs which are dynamically configured onto the switch by providing the vlan:isid mapping via RADIUS.

With the RADIUS attributes listed below I already managed to map the special-purpose L2VSNs to the ports, but I am struggling with the more important named networks. With these attributes and the VLAN in the VLAN table I was able to map it by name, but always tagged, and it has to be untagged.

I think the best way for us would be to preconfigure the I-SID with a name and then have something like "FA-VLAN-ISID=0:%CUSTOM1%" to create the S-UNI, but with the I-SID name instead of the real I-SID.

Has anybody run into the same problem yet?

FA-VLAN-ISID=0:%CUSTOM1%
Passport-Access-Priority=%MGMT_SERV_TYPE%
Tunnel-Private-Group-Id=%VLAN_NAME%:%VLAN_TUNNEL_TAG%
Tunnel-Type=13:%VLAN_TUNNEL_TAG%
Tunnel-Medium-Type=6:%VLAN_TUNNEL_TAG%
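The following is an added example, not code from the post or from Extreme Networks. It fills the attribute template quoted above for a given site and device category from a preconfigured name-to-I-SID table (the poster's proposed approach), then runs the consistency checks a policy author would want before pushing the reply: FA-VLAN-ISID has the vlan:isid layout with 0 meaning untagged (as the post uses it), the I-SID fits in 24 bits, and the three RFC 2868 tunnel attributes share one tag with Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802). The site names, the ISID_TABLE contents and every function name are constructed for this example and are not a vendor API.

```python
"""Added example (not from the post or from Extreme Networks): render the
RADIUS reply attributes quoted in the question for a given site and device
category, and sanity-check the result before it is pushed to a policy.

Attribute names and the value layout (FA-VLAN-ISID=<vlan>:<isid>, tagged
Tunnel-* attributes written as value:tag) follow the post. The site names,
the category-to-I-SID table and all function names are constructed for this
example; they are not a vendor API."""
import re
from typing import Dict, List, Tuple

# Constructed table standing in for the per-location named I-SIDs the poster
# wants to preconfigure: (site, category) -> I-SID. Values are illustrative.
ISID_TABLE: Dict[Tuple[str, str], int] = {
    ("branch-a", "Trusted-Clients"): 10010,
    ("branch-a", "Printers"): 10020,
    ("branch-b", "Trusted-Clients"): 20010,
}

TUNNEL_TYPE_VLAN = 13     # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6     # RFC 2868 Tunnel-Medium-Type value for IEEE-802
ISID_MAX = 0xFFFFFF       # an I-SID is a 24-bit identifier
UNTAGGED_VLAN = 0         # VLAN field 0 in FA-VLAN-ISID = untagged, as in the post


def render_reply(site: str, category: str, priority: int = 1,
                 tag: int = 1, vlan_id: int = UNTAGGED_VLAN) -> List[str]:
    """Fill the post's attribute template. Raises KeyError when no I-SID is
    preconfigured for (site, category), so a typo in a VLAN name fails closed
    instead of silently landing the endpoint in the wrong L2VSN."""
    isid = ISID_TABLE[(site, category)]
    return [
        f"FA-VLAN-ISID={vlan_id}:{isid}",
        f"Passport-Access-Priority={priority}",
        f"Tunnel-Private-Group-Id={category}:{tag}",
        f"Tunnel-Type={TUNNEL_TYPE_VLAN}:{tag}",
        f"Tunnel-Medium-Type={TUNNEL_MEDIUM_802}:{tag}",
    ]


def check_reply(lines: List[str]) -> List[str]:
    """Return a list of problems found in a rendered reply; empty means consistent."""
    attrs = dict(line.split("=", 1) for line in lines if "=" in line)
    problems: List[str] = []

    m = re.fullmatch(r"(\d+):(\d+)", attrs.get("FA-VLAN-ISID", ""))
    if not m:
        problems.append("FA-VLAN-ISID must be <vlan>:<isid>")
    else:
        vlan, isid = int(m.group(1)), int(m.group(2))
        if not 0 <= vlan <= 4094:
            problems.append(f"VLAN {vlan} out of range")
        if not 1 <= isid <= ISID_MAX:
            problems.append(f"I-SID {isid} out of 24-bit range")

    # The three RFC 2868 attributes must carry the same tag, otherwise the
    # NAS cannot group them into one VLAN assignment.
    tags = set()
    values: Dict[str, str] = {}
    for name in ("Tunnel-Private-Group-Id", "Tunnel-Type", "Tunnel-Medium-Type"):
        raw = attrs.get(name)
        if raw is None or ":" not in raw:
            problems.append(f"{name} missing or has no tag")
            continue
        value, tag = raw.rsplit(":", 1)
        values[name] = value
        tags.add(tag)
    if len(tags) > 1:
        problems.append(f"tunnel attributes carry different tags: {sorted(tags)}")
    if values.get("Tunnel-Type") != str(TUNNEL_TYPE_VLAN):
        problems.append("Tunnel-Type must be 13 (VLAN)")
    if values.get("Tunnel-Medium-Type") != str(TUNNEL_MEDIUM_802):
        problems.append("Tunnel-Medium-Type must be 6 (IEEE-802)")
    return problems


if __name__ == "__main__":
    reply = render_reply("branch-a", "Printers")
    print("\n".join(reply))
    print("problems:", check_reply(reply))
```

Running it renders the five attributes for the constructed "branch-a"/"Printers" pair with an untagged FA-VLAN-ISID and reports no problems; feeding check_reply a hand-built reply with an oversized I-SID or mismatched tunnel tags returns one message per defect, which is the kind of pre-flight check worth wiring into whatever generates the per-location RADIUS policy.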

1 REPLY

dora88flora
New Contributor

Hello,

You're hitting a common challenge with Extreme Networks Fabric Connect and NAC: dynamically assigning untagged VLANs (L2VSNs) based on device type and location, especially when you have named networks like "Trusted-Clients" or "Printers" that vary per building. While you've successfully used RADIUS to map tagged special-purpose L2VSNs, the difficulty lies in getting Fabric Attach to configure the port itself as an untagged access port for these named networks.

The core issue is that FA-VLAN-ISID=0:%CUSTOM1% tells the switch to associate untagged traffic entering the I-SID, but it doesn't automatically set the port to an untagged access mode. This is why your named networks appear tagged. To fix this, you'll likely need to combine Auto-Sense Service Types (which can assign untagged L2VSNs based on device type) with RADIUS attributes that explicitly configure the port as an access port and assign the correct I-SID. You can pre-configure I-SIDs with descriptive names in Fabric Engine. The key is ensuring your RADIUS policy can push both the specific I-SID and the untagged port mode based on your location-specific VLAN names.
