This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NAC mappings does not distribute tagged vlans

NAC mappings does not distribute tagged vlans

Bernd_Gruetzke
New Contributor III

‎12-09-2018 04:50 PM

Environment:
Extreme Management Center 8.1.5.22
Switches D2, B5, S-Serie, X-440, EOX-Stack
Switches configured with RFC3850, "set policy maptable response both and policy"
"RFC3850 vlan authorization enabled" and "Filter ID With VLAN Tunnel Attribute".

Symtoms:
no tagged vlan will distributed to the required port .

For instance D2:

show port egress
Port Vlan Egress Registration
Number Id Status Status
------------------------------------------------------------
ge.1.1 1 untagged static
ge.1.1 123 untagged etsysPolicyProfile
ge.1.7 1 untagged static
ge.1.7 250 untagged etsysPolicyProfile
ge.1.12 123 tagged static
ge.1.12 196 tagged static
ge.1.12 250 tagged static
0 Kudos
8 REPLIES 8

Bernd_Gruetzke
New Contributor III

‎12-19-2018 10:47 AM

Hi Zdenek, Ronald and Tomasz,

I have now tried everything, without result and have now rolled out the policy planned for later and everything goes well.
Thanks again for your help and I wish you a merry christmas.

Best Bernd
0 Kudos

Zdeněk_Pala
Valued Contributor III

‎12-14-2018 02:02 PM

the screenshot from Roland = it is policy configuration = you need to enforce and you have it in the switch config. in radius you just reply with policy assignment.

The screenshot from you (Bernd) with vlan 123 mdcvoip is radius attribute.
Regards Zdeněk Pala
0 Kudos

Tomasz
Valued Contributor II

‎12-10-2018 09:20 PM

Hi Bernd,

There are two approaches how to get along with VLANs upon authentication. One is to configure default role VLAN or entire VLAN Egress list for a role, second is to use RFC 3580. The former needs just policy (role) name within policy mappings, the latter needs just VLAN ID within policy mappings (yes, you can combine both depending on switch vendor/capabilities you have).

If you plan to use RFC 3580 apart from Policy feature, policy mapping approach should also be alright (but just for a single VLAN, not an entire list if you want e.g. to prepare authenticated AP to serve its clients - this is feasible with role's VLAN Egress list). However, make sure that your switch is added to NAC Appliance with correct "RADIUS attributes to send" option (legacy GUI here but take a look: https://emc.extremenetworks.com/content/nachelp/docs/nac_at_edit_switch.html).
If it is set to RFC 3850 or some combination of RFC 3580 and else, you can easily confirm with tcpdump on NAC appliance that relevant RADIUS attributes are sent to the switch and if there are those three Tunnel attributes but it's still not working, I would go back to look at the switch config.

Hope that helps,
Tomasz
0 Kudos

Zdeněk_Pala
Valued Contributor III
In response to Tomasz

‎12-14-2018 08:13 AM

Hi Bernd.
For D2 I would go with policy approach = more flexible.
Regards Zdeněk Pala
0 Kudos
GTM-P2G8KFN