
How to configure NAC to send outbound radius attributes for dhcp snooping, bpdu filtering, slpp guard


Sacha_Brys
Contributor

What configuration is required to set up NAC to send outbound RADIUS attributes for configuring ERS4900 with FA RADIUS attributes like:

dhcp snooping

bpdu filtering

slpp guard

IP-Source Guard

All this should be possible in combination with NAC and ERS 4900.

Thanks in advance

1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II

Hi Sacha,

Whatever is supported on ERS 4900 as RADIUS attributes (see here: https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/9036215-00_ConfigSecERS49005... and https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/9036216-00_ConfigFabConERS49...), they can be configured under selected Policy Mapping in EAC configuration:

https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_ht_setup_ac...

https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/l_ov_ia_at_man_poli...

On the other hand, when adding ERS to the EAC engine Switches list (authenticators), you have to specify what RADIUS attributes are to be sent back if an authenticating end-system is connected to this particular switch:

https://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/c_ov_ia_at_add_swit...

For BOSS I see ready sets of RADIUS Attributes, e.g. “Extreme BOSS Fabric Attach”. It looks like that:

FA-VLAN-Create=1
FA-VLAN-ISID=%VLAN_ID%:%CUSTOM1%
FA-VLAN-PVID=%VLAN_ID%

So in the Policy Mapping, VLAN ID should be set and the ‘Custom 1’ field shall contain the I-SID number.

It will work the same for other switches and vendors. If some attribute sets are not there (like you would like to mix a few attributes from different sets), you can create a new set on your own. If particular proprietary attributes are not defined (like I saw for WiNG), you can define just %CUSTOM1% and inside a Policy Mapping put the entire attribute and value pair.

If you need more guidance let us know.

Hope that helps,

Tomasz
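
Added example, not part of the original post and not Extreme's code: a Python preflight check that expands an attribute set with the Policy Mapping fields the way the answer describes, and reports lines that would go out with an empty placeholder or a malformed pair. The `render` and `check_fa_mapping` helpers, the VLAN 100 / I-SID 20100 values and the pair typed into Custom 1 are constructed for illustration; how EAC itself performs the substitution is an assumption.

```python
import re

# Attribute set quoted in the answer ("Extreme BOSS Fabric Attach").
FA_SET = """FA-VLAN-Create=1
FA-VLAN-ISID=%VLAN_ID%:%CUSTOM1%
FA-VLAN-PVID=%VLAN_ID%"""
# Set holding only %CUSTOM1%: the Policy Mapping supplies the whole pair.
RAW_SET = "%CUSTOM1%"
PLACEHOLDER = re.compile(r"%([A-Z0-9_]+)%")


def render(template, mapping):
    """Expand %NAME% placeholders; return (attribute lines, problems)."""
    lines, problems = [], []
    for raw in template.splitlines():
        missing = [n for n in PLACEHOLDER.findall(raw)
                   if not str(mapping.get(n, "")).strip()]
        if missing:
            problems.append(f"{raw}: no value for {', '.join(missing)}")
            continue
        line = PLACEHOLDER.sub(lambda m: str(mapping[m.group(1)]).strip(), raw)
        name, sep, value = line.partition("=")
        if not (sep and name.strip() and value.strip()):
            problems.append(f"{raw}: expands to {line!r}, not Attribute=Value")
            continue
        lines.append(line)
    return lines, problems


def check_fa_mapping(mapping):
    """Checks for the Fabric Attach set: numeric VLAN ID and I-SID."""
    problems = []
    vlan = str(mapping.get("VLAN_ID", "")).strip()
    if not (vlan.isdecimal() and 1 <= int(vlan) <= 4094):
        problems.append(f"VLAN_ID {vlan!r} is not a VLAN number in 1-4094")
    isid = str(mapping.get("CUSTOM1", "")).strip()
    if not isid.isdecimal():
        problems.append(f"CUSTOM1 {isid!r} is not an I-SID number")
    return problems


if __name__ == "__main__":
    # Constructed sample Policy Mapping values (not from the thread).
    good = {"VLAN_ID": 100, "CUSTOM1": 20100}
    print(render(FA_SET, good), check_fa_mapping(good))
    # Custom 1 left empty: the I-SID binding line is reported, not emitted.
    print(render(FA_SET, {"VLAN_ID": 100, "CUSTOM1": ""}))
    # %CUSTOM1%-only set with a whole pair typed into Custom 1.
    print(render(RAW_SET, {"CUSTOM1": "FA-VLAN-Create=1"}))
```

Running the same mapping through both the Fabric Attach set and the `%CUSTOM1%`-only set shows why one Custom 1 value cannot serve both: an I-SID number is valid in the first and malformed in the second.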
