This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Redundancy between two NAC instances

Redundancy between two NAC instances

Ilya_Semenov
Contributor

‎01-15-2018 01:57 PM

Hello, everybody,

how could I set redundancy between two NAC instances?

I have set up MAC and 802.1x auth on my switches, but it works until NAC is alive, so it's kind of time bomb: when NAC is offline nothing works. I want to setup redundancy - is it possible?

Many thanks in advance

Ilya
0 Kudos
13 REPLIES 13

Zdeněk_Pala
Extreme Employee
In response to Zdeněk_Pala

‎01-16-2018 06:07 AM

Hi Ilya.

1. I am sure it works with 22.x firmware I do not remember what version it started to work.

2. you can have Engines in groups. in your picture there is group called "all Access Control Engines".

on your screenshot please click on switches and send screenshot of the settings.
please investigate logs why the Access Control Engine is not able to configure your switch through the CLI. usually the issue is related to the firewall or credentials or old firmware.

Z.

Regards Zdeněk Pala
0 Kudos

Ilya_Semenov
Contributor
In response to Zdeněk_Pala

‎01-16-2018 06:07 AM

Hi, Zdenek,

what do you mean?))))

1) "use up-to-art firmware" - what are you talking about???????)

2) "Add second engine to the group" - What is the group? How to add there?

3 "Add/modify the switch in the XMC (netsight) to referr to both engines"

Now I have only:

047049da2e504c339be519b20f34c5c6_RackMultipart20180116-128138-162eq2q-sss_inline.jpg



Where 192.168.128.160 is the primary NAC. Interestingly, the only switch I've added to Primary appeared also on the Secondary (without my actions)

In my conf switch sends user data like IP, netbios name, MAC, AD account, OS version and family to Netsight. I want to populate this config to all my switches.

Many thanks to you!!!

0 Kudos

Ilya_Semenov
Contributor

‎01-16-2018 05:56 AM

Thanks, gentlemen, so I make my question more specific. This is my radius configuration on the switch:

configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

Would it be enough to add just two strings here:

configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"

where 192.168.23.24 is the secondary NAC? And add the switch to secondary NAC, for sure...

0 Kudos

Bharathiraja__S
Extreme Employee

‎01-16-2018 01:22 AM

Hi ,

please check below KB ,

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-NAC-gateway-per-switch-for-redu...

Let us know if this answers your questions.

Thanks,
Suresh.B

0 Kudos

Andre_Brits_Kan
Contributor II

‎01-15-2018 02:57 PM

Hi the best option would be to setup LSNat on a s series switch. This created a virtual address that almost works like nat. This virtual address load balances over a server pool. In your case the two or more nacs. You will then direct the radius server setting on the switch or wifi to this virtual address. You can choose the method to use for load balance across the server pool. Regards
0 Kudos
li.common.scroll-to.top
GTM-P2G8KFN