This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Hero Community
- Hero Product Suggestions
- 802.1X supplicant on access switches for uplink au...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
802.1X supplicant on access switches for uplink authentication (for security & automation)
802.1X supplicant on access switches for uplink authentication (for security & automation)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-11-2020 10:58 AM
APs are mostly authenticated at a switchport to use an automatic configuration of switchport behaviours (VLANs, port authentication, ..) like I mentioned in my “AP-Aware” idea. We need this function as well for authentication and automation to connect access switches to core/distribution/fabric switches. This ist for security reasons in case of using distributed switches in office, production, IOT/OT, … to prevent unauthorized usage uf the uplink ports as well as a basic function to use automation in a distributed environment.
This is not new to use a 802.1X supplicant on access devices (like APs) to connect to switchports and use automation for on-/offboarding.
More and more small devices in production, healthcare, education environments for headless devices, IOT/OT force us to deliver an easy to deploy and use environment.
br
Volker
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-14-2020 04:16 PM
Roger,
this is all about single features. We need to have an end-to-end solution no matter what features will be used. The customer want to connect a switch, AP, server, what ever to an uplink and requires a complete on- and offboarding process: Port, LAG, VLANs, Authentication, ACL, QoS, ….
On- and offboarding means not only to provide a valid port configuration via script or workflow, it means a reconfiguration of the port after disconnect in default state.
FA is a feature for limited products supporting FA. It´s a possibility but what to do without FA on the uplink?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-14-2020 08:52 AM
VOSS 8.3 will introduce Auto-Sense Port capabilities. A switch that is booted from default will have all ports automatically auto-sense enabled (or one can turn on auto-sense manually).
On an Auto-Sense port APs that are Fabric Attach (FA) capable (FA is also coming to AH APs)will be automatically authenticated through FA and will automatically put into an onboarding ISID, such that the AP can reach its management infrastructure. At that point FA will be used to signal SSID to VLAN/ISID mappings.
This is all without any NAC in place.
What I described here is supported for any FA capable device and similarly works for IP Phones.
Auto-sense is expandable, if we see additional value add that we could be providing, we certainly be open to look into it.
Roger
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-11-2020 08:09 PM
Roger,
we need both. Using standards (802.1X) this would not be a problem.
With NAC, we have nearly all features we need.
Without NAC it´s a thing on the switch. With UPM we have good tools on EXOS. VSP ? nothing I know…
Issues: Deployment of UPM scripts from XIQ is a switch by switch operation via manual SSH setup per switch (You will not do this for >50 switches). Deployment of python scrips is not possible because it´s a separate file and not supported with XiQ. XMC could do everything of that and much more ..
But remember it´s not only about authentication! As I mentioned in the AP-Aware feature it is more to prepare a Port for uplink use and back to start after disconnecting the uplink. It`s not quite easy and we need to change the view and focus and end-to-end approach and not getting stuck in an endless per feature discussion. Think in use cases...and what customer will love to be and stay at Extreme...
br
Volker
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-10-2020 03:25 PM
Volker, we agree with that statement, the thought is to bring those auto-sense concepts also to EXOS (no committment yet). Would you think most of those deployments use some sort of NAC, or are you looking for a solution without NAC in place?
Roger
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
12-04-2020 05:05 PM
We are working on getting fabric into the field as much as possible. But sometimes the field of application is very static and two completely contrary OS completely overwhelm the customer.
We want a continuous functional parity over the whole product portfolio, therefore this is not only limited to EXOS.
All switches or APs (AH, WING7) should be combinable with all switches and should be connected and the environment should be configured automatically. This should be uniformly configurable from the XMC/XIQ.
Volker
