a week ago
Hello community,
we are looking to set up ZTP+ Fabric, including Extreme Control (NAC), for one of our customers.
In this case, the customer wants to minimize the need for CLI-based switch configuration as much as possible.
In principle, the onboarding of the fabric switches via the workflow is working as intended.
However, we are having trouble getting NAC to work on the end-device ports.
The customer wishes to continue using their legacy Control configuration to pass the VLAN to the switch via RADIUS attributes (using the "Extreme VOSS" RADIUS template).
The rule set and mapping within Control appear to be correct, as the end-system logs clearly show the correct VLAN attributes being returned:
However, we observe that the switch port ignores the VLAN attribute, meaning the port is not authorized for the target VLAN.
Consequently, the port remains stuck in the onboarding VLAN (4048):
To check if the issue might be related to the legacy VLAN configuration, we also ran tests using the "Extreme VOSS - Fabric Attach" and "Extreme VOSS - Per-User-ACL" RADIUS templates, defining the corresponding policy roles in the policy domain.
The behavior, however, was exactly the same. The end-system logs showed that the correct policy role value was forwarded to the switch (FilterID=<Policy-Role>), but the switch ignored it, and the port remained stuck in the onboarding VLAN (4048).
To get NAC working, we had to enable "auto-sense" on the ports and configure eapol for the interfaces:
(Because we only did simple tests with MAC authentication, we had to add the guest-vlan here)
Once that was done, the switch correctly recognized the RADIUS VLAN attribute and successfully moved the port into the appropriate VLAN:
I am now wondering whether it is even possible to get NAC working when "auto-sense" is enabled on the end-device ports.
I tried setting the "auto-sense wait-interval" to 2 seconds to rule out potential timeout issues, but that didn't help.
Can anyone assist me with this?
Best regards,
Joerg
yesterday
I’ve finally got it now 🙂 I just successfully got the setup running in my lab and will implement it at our customer's site tomorrow. Thanks for your patience with me. Regards, Joerg
Friday
Hi Ludovico,
first of all, thanks for your feedback.
I actually manually created the corresponding platform VLAN on the test switch in our lab, so—in my opinion—the "Extreme VOSS" template should have worked.
Nevertheless, I also ran the same tests in our lab using the "Extreme VOSS - Fabric Attach" and "Extreme VOSS - Per-User-ACL" RADIUS templates, which are illustrated in the “NAC in Campus Fabric Edge.pdf” document.
The result was always the same. I never see the end-device port being pushed untagged into the correct C-VLAN (VLAN 10 in our case) after authentication; it always remains in the onboarding VLAN 4048.
Here are the Control Rule Definition and the corresponding RADIUS Attribute Policy Mapping preview:
And the corresponding switch outputs:
But I probably just have a misunderstanding here, since I come from the EXOS world and am currently getting up to speed on Fabric Connect 😉
I would have expected the end-device port to be untagged in VLAN 10 at this point.
Regards, Joerg
Monday
Hi Joerg
You have it working there; RADIUS returned 0:2000100 and you have I-SID 2000100 untagged on port 1/10.
Yes, you also have the Onboarding I-SID 15999999 untagged on the same port, but keep in mind that any I-SID applied by RADIUS gets applied internally as a MAC-based VLAN. So on your port 1/10, any untagged frame generated by your authenticated MAC address will always land untagged in I-SID 2000100, and if you happened to have some other non-authenticated devices on the same port, they would go into the untagged Onboarding I-SID.
Best regards
Ludovico
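The mapping Ludovico describes, as an added example that is not part of the thread or of any Extreme software: it parses the returned Fabric Attach value ("0:2000100") into its VLAN and I-SID parts and models which I-SID an untagged frame lands in, depending on whether its source MAC was authenticated. The `vlan:isid` string format, the reading of VLAN 0 as "no platform VLAN", and the 24-bit I-SID limit are assumptions of this example.

```python
"""Model of how a RADIUS-returned Fabric Attach VLAN:I-SID value maps onto an
end-device port, as described in the thread.  Added example, not vendor code.
Assumptions: the attribute is a 'vlan:isid' string, VLAN 0 means 'no platform
VLAN' (I-SID only, applied as a MAC-based VLAN), and I-SIDs are 24-bit values."""
from dataclasses import dataclass

MAX_ISID = 16_777_215  # 24-bit I-SID space (assumption, not from the thread)


@dataclass(frozen=True)
class FabricAttachBinding:
    vlan: int   # 0 = no platform VLAN on the switch
    isid: int

    @property
    def has_platform_vlan(self) -> bool:
        return self.vlan != 0


def parse_fa_attribute(value: str) -> FabricAttachBinding:
    """Parse 'VLAN:ISID' as returned by the Fabric Attach RADIUS template.
    Raises ValueError on malformed or out-of-range input."""
    try:
        vlan_str, isid_str = value.strip().split(":")
        vlan, isid = int(vlan_str), int(isid_str)
    except ValueError as exc:
        raise ValueError(f"expected 'vlan:isid', got {value!r}") from exc
    if not 0 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range 0..4094")
    if not 1 <= isid <= MAX_ISID:
        raise ValueError(f"I-SID {isid} out of range 1..{MAX_ISID}")
    return FabricAttachBinding(vlan, isid)


def isid_for_frame(src_mac: str, authenticated: dict[str, FabricAttachBinding],
                   onboarding_isid: int) -> int:
    """An untagged frame from an authenticated MAC lands in its RADIUS I-SID
    (MAC-based VLAN); any other MAC on the same port falls back to the
    port's untagged Onboarding I-SID."""
    binding = authenticated.get(src_mac.lower())
    return binding.isid if binding else onboarding_isid


def port_view(binding: FabricAttachBinding) -> str:
    """What the VLANID column of 'show int gig i-sid' is expected to show:
    the platform VLAN if one was returned, otherwise N/A."""
    return str(binding.vlan) if binding.has_platform_vlan else "N/A"
```

With the thread's value "0:2000100" and onboarding I-SID 15999999, an authenticated MAC resolves to 2000100 while any other MAC on the port resolves to 15999999, and the port view shows N/A for the VLAN.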
Monday
Hi Ludovico,
I understand that we have an I-SID untagged on port 1/10.
But what I am missing is the binding from that I-SID to VLAN 10 at this point.
There is no VLAN configured on the switch, and I also cannot see any CLI output which shows that port 1/10 is untagged in VLAN 10.
The "show int gig i-sid 1/10" shows no VLAN (N/A) under the "VLANID" column.
Shouldn't the RADIUS attribute also return the VLAN ID besides the I-SID if there is no VLAN-to-I-SID mapping at all on the switch?
Am I missing something here, or do I simply not understand what's going on here?
Sorry that I do not get it 😞
Regards, Joerg