This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

EOS NAC: What happen (in this config) when the RADIUS/NetSight Server (for MAC Auth Only) is not reachable?

SchmuFoo
Contributor

‎08-30-2018 11:02 AM

Hello Community,

I'm looking for details if Clients connected to "auth-reg" Ports will still have connectivity, If the Radius/NetSight Server is offline?

set multiauth mode multi
set multiauth precedence mac quarantine-agent dot1x pwa cep radius-snooping auto-tracking
set multiauth port mode force-auth ge.1.1
set multiauth port mode force-auth ge.1.2
set multiauth port mode auth-reqd ge.1.3
set multiauth port mode force-auth ge.1.4
set multiauth port mode auth-reqd ge.1.5
[..]

Thanks,

Jan
0 Kudos
6 REPLIES 6

Shmulik
Extreme Employee

‎09-06-2018 06:52 PM

Depends if the switch is configured for single-auth or multi-auth on the port. If single-auth then only the first mac is authenticated and following mac will flow through untagged without authentication. If port is configured for multi-auth, then each mac will get authenticated and assigned its own specific VLAN even though it is coming from a SOHO switch connected to the port.

Thanks!

Shmulik
0 Kudos

Zdeněk_Pala
Extreme Employee

‎09-06-2018 02:16 PM

you can limit the amount of concurrent authenticated MACs by CLI or XMC (NetSight) and there is also some hardware limit. different hardware limit for D2, B2, B3, C3, C5, XOS...

each MAC address is authenticated and can be authorized with different policy profile (VLAN, QOS, rules)

Regards Zdeněk Pala
0 Kudos

SchmuFoo
Contributor

‎09-05-2018 06:35 PM

Thanks for clarification! As an follow-up: What happens on one auth-reg Port with an, lets asume, 5 Port SOHO Switch connected to it? Does the Enterasys Switch allow/dissallow connected Clients also seperately? Verbose: Multiple Clients connected through on single Enterasys Port through an additional unmanaged Switch. Does the NAC Access is still working on an individual Frame Level? Thanks, Jan
0 Kudos

Shmulik
Extreme Employee

‎08-31-2018 01:55 PM

Just to add to Zdenek points. If you are using ExtremeControl for NAC, then you can deploy two ExtremeControl NAC Engines (there is no extra licensing cost) that sync-up from the XMC Server upstream so the switch will fail-over from primary RADIUS engine to secondary RADIUS engine without disruption to network access.

Shmulik

0 Kudos
GTM-P2G8KFN