VOSS EAPOL with NAC

ExtremeNorth
New Contributor III
Does anybody have a guide that shows how to configure a VSP (VOSS) to use EAPOL when using Extreme NAC?  We have many ERS switches installed and use EAPOL w/NAC, but I have not been able to get it working on a VSP.

I see that Ludo has posted a document on VSP Edge Deployment Guide, without NAC
but I guess I am looking for VSP Edge Deployment Guide WITH NAC.


Thanks,
Terrel Hobbs

XTRMUser
Contributor

Did you ever get a guide with NAC? Or did you figure out how to do this? I'm trying to accomplish the same thing. As you, we have a number of ERS doing EAPOL with NAC.

Thanks.

Mark

Ludovico_Steven
Extreme Employee
Terrel
So there is a NAC variant of that document, but it was not authored by me, so I've asked for it to be posted also.
However, the approach with VOSS to the edge is not to have to configure anything on the switch anymore, so it's not the same workflow as what you would have been used to with ERS.
VOSS will boot up and automatically join the Fabric (ZTF = Zero Touch Fabric) and then, if it can get an IP (in-band over the onboarding I-SID, or OOB), it will do ZTP+ into XIQ-SE.
XIQ-SE can then provide the final config touches to the VSP switch, such as flipping it to DVR-Leaf (if you so choose), setting certain auto-sense global parameters (e.g. voice I-SID) and if you need to do NAC on the switch, adding it to XIQ-SE's Control Engines and configuring RADIUS + Eapol globally on the VSP. As of XIQ-SE 22.3 the previous steps are automated, and can also be automated via an "Onboard VSP" workflow you can find on GitHub.
The point is there is no port level EAP/NEAP config to be done. All the VSP ports are auto-sense enabled, and it is enough for a RADIUS server to be configured on the switch and that EAPoL is globally enabled, and the auto-sense ports are ready to go for both EAP and NEAP.
If you really wanted to see that config, you can always let the auto-sense port settle into UNI-ONBOARDING state (by connecting an end station to the port) and then issue on the port "no auto-sense enable convert-to-config"; you will then get the current dynamic config of the port (with EAP/NEAP settings) frozen into the config file.
Some EAP config is not actually handled by auto-sense, and you can add it as a delta and it will operate with auto-sense; things like eapol re-authentication, eap max-macs, and fail-open. These can all be added during the ZTP+ onboarding.
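The switch-side pieces Ludo lists above (global RADIUS server for EAPoL, EAPoL enabled globally, an auto-sense port with an optional re-authentication delta, verification, and the convert-to-config step), as an added illustrative VOSS CLI fragment that is not from this thread or from Extreme's deployment guide; the NAC engine IP, shared secret, I-SID values and port number are placeholders, and the exact keywords are assumed from VOSS CLI conventions and should be checked against your release's CLI reference.

```text
# Added illustration, not from the thread: VOSS CLI with placeholder values.
enable
configure terminal

# 1. Global RADIUS + EAPoL: the only NAC-related config auto-sense needs on the switch.
#    <NAC-ENGINE-IP> / <SHARED-SECRET> are placeholders for the XIQ-SE Control Engine.
radius server host <NAC-ENGINE-IP> key <SHARED-SECRET> used-by eapol
radius enable
eapol enable

# 2. Optional global auto-sense parameter that XIQ-SE can push (placeholder values).
auto-sense voice i-sid <VOICE-ISID> c-vid <VOICE-CVID>

# 3. Edge port: auto-sense only; no port-level EAP/NEAP lines are needed.
#    A delta setting auto-sense does not manage (here re-authentication) can sit alongside it.
interface gigabitEthernet 1/1
   auto-sense enable
   eapol re-authentication enable
exit

# 4. Verify the server binding and that the port is EAP/NEAP-ready.
show radius-server
show eapol port 1/1

# 5. Optional, only if you want the dynamic port config visible in the config file:
#    once the port has settled into UNI-ONBOARDING, freeze it (auto-sense is then
#    disabled on that port and the EAP/NEAP settings appear as static lines).
interface gigabitEthernet 1/1
   no auto-sense enable convert-to-config
exit
```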

Ludo,

Thanks for the reply, I would definitely be interested in a document that discusses Fabric to the Edge with NAC which includes the Radius attributes that are sent from NAC. I tried some of the pre-defined VOSS/VSP templates but they didn't seem to work either, so I have been customizing the Radius attributes.

As one of the very early Fabric adopters and implementers of Fabric to the Edge, automation was not available, so changing our deployments to use ZTP/ZTF is going to be difficult while still maintaining our overall design. We have a fairly well established process to onboard new equipment, so I am not too worried about that.

I have enabled Auto-Sense on ports, and have had limited success where I can see the vlan:i-sid being assigned to the session, and even the user authentication but I cannot see beyond the local switch. (cannot see MACs or ARP entries on other switches)

Terrel.