EOS NAC: What happens (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?
‎08-30-2018 11:02 AM
Hello Community,
I'm looking for details on whether clients connected to "auth-reqd" ports will still have connectivity if the RADIUS/NetSight server is offline.
set multiauth mode multi
set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
set multiauth port mode force-auth ge.1.1
set multiauth port mode force-auth ge.1.2
set multiauth port mode auth-reqd ge.1.3
set multiauth port mode force-auth ge.1.4
set multiauth port mode auth-reqd ge.1.5
[..]
Thanks,
Jan
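An added example, not part of the original post and not Extreme/Enterasys code: a small Python script that inventories a pasted EOS multiauth configuration and groups ports by their configured port mode, so the auth-reqd ports the question concerns can be listed at a glance. The last sample line is constructed, and the handling of `-` ranges and `;` lists in port strings is an assumption about the port-string syntax.

```python
import re
from collections import defaultdict

# Constructed sample: the lines from the post plus one range line (assumed syntax).
SAMPLE_CONFIG = """\
set multiauth mode multi
set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
set multiauth port mode force-auth ge.1.1
set multiauth port mode force-auth ge.1.2
set multiauth port mode auth-reqd ge.1.3
set multiauth port mode force-auth ge.1.4
set multiauth port mode auth-reqd ge.1.5
set multiauth port mode auth-reqd ge.1.7-9
"""

PORT_MODE = re.compile(r"^set multiauth port mode (\S+) (\S+)$")
GLOBAL_MODE = re.compile(r"^set multiauth mode (\S+)$")
PRECEDENCE = re.compile(r"^set multiauth precedence (.+)$")

def expand_port_string(port_string):
    """Expand 'ge.1.7-9' or 'ge.1.1;ge.1.3' into individual port names."""
    ports = []
    for part in port_string.split(";"):
        prefix, _, last = part.rpartition(".")
        m = re.fullmatch(r"(\d+)-(\d+)", last)
        if m:
            ports += [f"{prefix}.{n}" for n in range(int(m[1]), int(m[2]) + 1)]
        else:
            ports.append(part)
    return ports

def audit(config_text):
    """Return global mode, method precedence and ports grouped by port mode."""
    result = {"mode": None, "precedence": [], "ports": defaultdict(list)}
    for line in config_text.splitlines():
        line = line.strip()
        if m := PORT_MODE.match(line):
            result["ports"][m[1]] += expand_port_string(m[2])
        elif m := GLOBAL_MODE.match(line):
            result["mode"] = m[1]
        elif m := PRECEDENCE.match(line):
            result["precedence"] = m[1].split()
    return result

if __name__ == "__main__":
    r = audit(SAMPLE_CONFIG)
    print("multiauth mode:", r["mode"], "| methods:", ", ".join(r["precedence"]))
    for mode, ports in sorted(r["ports"].items()):
        print(f"{mode:12} {' '.join(ports)}")
```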
‎09-06-2018 06:52 PM
Depends on whether the switch is configured for single-auth or multi-auth on the port. If single-auth, then only the first MAC is authenticated and the following MACs will flow through untagged without authentication. If the port is configured for multi-auth, then each MAC will get authenticated and assigned its own specific VLAN, even though it is coming from a SOHO switch connected to the port.
Thanks!
Shmulik
‎09-06-2018 02:16 PM
You can limit the number of concurrently authenticated MACs by CLI or XMC (NetSight), and there is also a hardware limit. The hardware limit differs for D2, B2, B3, C3, C5, XOS...
Each MAC address is authenticated and can be authorized with a different policy profile (VLAN, QoS, rules).
Regards
Zdeněk Pala
‎09-05-2018 06:35 PM
Thanks for the clarification! As a follow-up: What happens on one auth-reqd port with a, let's assume, 5-port SOHO switch connected to it? Does the Enterasys switch also allow/disallow connected clients separately? Verbose: multiple clients connected through one single Enterasys port through an additional unmanaged switch. Is NAC access still working on an individual frame level?
Thanks,
Jan
‎08-31-2018 01:55 PM
Just to add to Zdenek's points: if you are using ExtremeControl for NAC, then you can deploy two ExtremeControl NAC Engines (there is no extra licensing cost) that sync up from the XMC Server upstream, so the switch will fail over from the primary RADIUS engine to the secondary RADIUS engine without disruption to network access.
Shmulik
