Hello community,
we are looking to set up ZTP+ Fabric, including Extreme Control (NAC), for one of our customers.
In this case, the customer wants to minimize the need for CLI-based switch configuration as much as possible.
In principle, the onboarding of the fabric switches via the workflow is working as intended.
However, we are having trouble getting NAC to work on the end-device ports.
The customer wishes to continue using their legacy Control configuration to pass the VLAN to the switch via RADIUS attributes (using the "Extreme VOSS" RADIUS template).
The rule set and mapping within Control appear to be correct, as the end-system logs clearly show the correct VLAN attributes being returned:
However, we observe that the switch port ignores the VLAN attribute, meaning the port is not authorized for the target VLAN.
Consequently, the port remains stuck in the onboarding VLAN (4048):
To check if the issue might be related to the legacy VLAN configuration, we also ran tests using the "Extreme VOSS - Fabric Attach" and "Extreme VOSS - Per-User-ACL" RADIUS templates, defining the corresponding policy roles in the policy domain.
The behavior, however, was exactly the same. The end-system logs showed that the correct policy role value was forwarded to the switch (FilterID=<Policy-Role>), but the switch ignored it, and the port remained stuck in the onboarding VLAN (4048).
To get NAC working, we had to enable "auto-sense" on the ports and configure eapol for the interfaces:
(Because we did a simple tests with MAC authentication we had to add the guest-vlan here)
Once that was done, the switch correctly recognized the RADIUS VLAN attribute and successfully moved the port into the appropriate VLAN:
I am now wondering whether it is even possible to get NAC working when "auto-sense" is enabled on the end-device ports.
I tried setting the "auto-sense wait-interval" to 2 seconds to rule out potential timeout issues, but that didn't help.
Can anyone assist me with this?
Best regards,
Joerg
