Redundancy between two NAC instances


Ilya_Semenov
Contributor
Hello, everybody,

how could I set redundancy between two NAC instances?

I have set up MAC and 802.1x auth on my switches, but it works only while NAC is alive, so it's kind of a time bomb: when NAC is offline, nothing works. I want to set up redundancy - is it possible?

Many thanks in advance

Ilya
13 REPLIES

Hi Ilya.

1. I am sure it works with 22.x firmware; I do not remember in what version it started to work.

2. You can have Engines in groups. In your picture there is a group called "all Access Control Engines".

On your screenshot, please click on switches and send a screenshot of the settings.
Please investigate the logs to see why the Access Control Engine is not able to configure your switch through the CLI. Usually the issue is related to the firewall, credentials or old firmware.

Z.

Regards Zdeněk Pala

Hi, Zdenek,

what do you mean?))))

1) "use up-to-art firmware" - what are you talking about???????)

2) "Add second engine to the group" - What is the group? How to add there?

3) "Add/modify the switch in the XMC (netsight) to refer to both engines"

Now I have only:


Where 192.168.128.160 is the primary NAC. Interestingly, the only switch I've added to Primary also appeared on the Secondary (without my actions).

In my conf the switch sends user data like IP, NetBIOS name, MAC, AD account, OS version and family to Netsight. I want to populate this config to all my switches.

Many thanks to you!!!

Ilya_Semenov
Contributor
Thanks, gentlemen, so I'll make my question more specific. This is my RADIUS configuration on the switch:

configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
configure radius mgmt-access timeout 15
configure radius netlogin timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

Would it be enough to add just two strings here:

configure radius netlogin secondary server 192.168.23.24 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin secondary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin secondary server 192.168.23.24 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin secondary shared-secret encrypted "LOLOLO"

where 192.168.23.24 is the secondary NAC? And add the switch to secondary NAC, for sure...
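
An offline check for the change asked about in the post above, as an added example that is not part of the original thread and is not Extreme tooling: it parses the "configure radius" lines and reports every primary server that lacks a distinct secondary with a shared secret. The function names and the definition of a gap are assumptions, and it does not verify that the switch is also defined on the second engine.

```python
import re

# Line shapes as quoted in the post (ExtremeXOS "configure radius ..." syntax).
LINE_RE = re.compile(
    r"^configure (radius|radius-accounting) (netlogin|mgmt-access) (primary|secondary) "
    r"(?:server (\S+) \d+ client-ip (\S+) vr (\S+)|shared-secret .+)$")

def parse(config_text):
    """Map (service, realm) -> role -> {'server', 'client_ip', 'vr', 'secret'}."""
    table = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # enable/disable/timeout lines define no server
        svc, realm, role, server, client_ip, vr = m.groups()
        entry = table.setdefault((svc, realm), {}).setdefault(role, {"secret": False})
        entry.update({"server": server, "client_ip": client_ip, "vr": vr} if server
                     else {"secret": True})
    return table

def redundancy_findings(config_text):
    """Return a list of gaps; empty means each primary has a distinct, keyed secondary."""
    findings = []
    for (svc, realm), roles in sorted(parse(config_text).items()):
        pri, sec = roles.get("primary", {}), roles.get("secondary", {})
        name = f"{svc} {realm}"
        if "server" not in sec:
            findings.append(f"{name}: no secondary server")
        elif sec["server"] == pri.get("server"):
            findings.append(f"{name}: secondary is the same host as primary")
        elif (sec["client_ip"], sec["vr"]) != (pri.get("client_ip"), pri.get("vr")):
            findings.append(f"{name}: secondary uses a different client-ip or vr")
        for role, entry in sorted(roles.items()):
            if "server" in entry and not entry["secret"]:
                findings.append(f"{name}: {role} server has no shared-secret")
    return findings

# Primary-only lines from the post (placeholder secrets), then the same plus the
# four secondary lines proposed in the post.
PRIMARY_ONLY = """\
configure radius netlogin primary server 192.168.23.23 1812 client-ip 192.168.7.8 vr VR-Default
configure radius netlogin primary shared-secret encrypted "KOKOKO"
configure radius-accounting netlogin primary server 192.168.23.23 1813 client-ip 192.168.7.8 vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted "LOLOLO"
"""
WITH_SECONDARY = PRIMARY_ONLY + PRIMARY_ONLY.replace("primary", "secondary").replace(
    "192.168.23.23", "192.168.23.24")

if __name__ == "__main__":
    print(redundancy_findings(PRIMARY_ONLY), redundancy_findings(WITH_SECONDARY))
```

Run against a saved switch configuration, an empty list means authentication and accounting each have a second, separately addressed server; it says nothing about whether that server is reachable.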

Bharathiraja__S
Extreme Employee
Hi,

Please check the KB below:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-add-NAC-gateway-per-switch-for-redu...

Let us know if this answers your questions.

Thanks,
Suresh.B

Andre_Brits_Kan
Contributor II
Hi, the best option would be to set up LSNat on an S-Series switch. This creates a virtual address that works almost like NAT. This virtual address load-balances over a server pool, in your case the two or more NACs. You will then direct the RADIUS server setting on the switch or Wi-Fi to this virtual address. You can choose the method used to load-balance across the server pool. Regards