NAC mappings does not distribute tagged vlans
‎12-09-2018 04:50 PM
Environment:
Extreme Management Center 8.1.5.22
Switches: D2, B5, S-Series, X-440, EOX-Stack
Switches configured with RFC3850, "set policy maptable response both and policy"
"RFC3850 vlan authorization enabled" and "Filter ID With VLAN Tunnel Attribute".
Symptoms:
No tagged VLAN is distributed to the required port.
For instance D2:
show port egress
Port      Vlan   Egress     Registration
Number    Id     Status     Status
------------------------------------------------------------
ge.1.1    1      untagged   static
ge.1.1    123    untagged   etsysPolicyProfile
ge.1.7    1      untagged   static
ge.1.7    250    untagged   etsysPolicyProfile
ge.1.12   123    tagged     static
ge.1.12   196    tagged     static
ge.1.12   250    tagged     static
‎12-19-2018 10:47 AM
Hi Zdenek, Ronald and Tomasz,
I have now tried everything, without result, and have now rolled out the policy planned for later, and everything goes well.
Thanks again for your help and I wish you a merry christmas.
Best Bernd
‎12-14-2018 02:02 PM
The screenshot from Roland is the policy configuration: you need to enforce it, and you have it in the switch config. In RADIUS you just reply with the policy assignment.
The screenshot from you (Bernd) with VLAN 123 mdcvoip is the RADIUS attribute.
Regards
Zdeněk Pala
‎12-10-2018 09:20 PM
Hi Bernd,
There are two approaches to handling VLANs upon authentication. One is to configure a default role VLAN or an entire VLAN Egress list for a role; the second is to use RFC 3580. The former needs just the policy (role) name within the policy mappings, the latter needs just the VLAN ID within the policy mappings (yes, you can combine both depending on the switch vendor/capabilities you have).
If you plan to use RFC 3580 apart from the Policy feature, the policy mapping approach should also be alright (but just for a single VLAN, not an entire list if you want e.g. to prepare an authenticated AP to serve its clients; this is feasible with the role's VLAN Egress list). However, make sure that your switch is added to the NAC Appliance with the correct "RADIUS attributes to send" option (legacy GUI here, but take a look: https://emc.extremenetworks.com/content/nachelp/docs/nac_at_edit_switch.html).
If it is set to RFC 3850 or some combination of RFC 3580 and else, you can easily confirm with tcpdump on the NAC appliance that the relevant RADIUS attributes are sent to the switch, and if those three Tunnel attributes are there but it's still not working, I would go back to look at the switch config.
Hope that helps,
Tomasz
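Added example (not from this thread and not Extreme's own tooling): a small Python checker for the tcpdump step Tomasz describes. It takes the raw UDP payload of a RADIUS Access-Accept captured on the NAC appliance and reports whether it carries a Filter-Id (policy name), the three RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) with matching tag and VLAN values, or both. The sample packets are constructed inline for illustration; the "Enterasys:version=1:policy=..." Filter-Id string is an assumed format, and the authenticator is not verified.

```python
import struct

# Attribute types involved in VLAN / policy assignment on an Access-Accept:
# Filter-Id (RFC 2865) carries the policy (role) name; the three tunnel
# attributes (RFC 2868, profiled for VLANs by RFC 3580) carry the VLAN ID.
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type = VLAN (RFC 3580)
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type = IEEE-802 (RFC 3580)
ACCESS_ACCEPT = 2


def parse_radius(packet):
    """Split a raw RADIUS datagram into (code, identifier, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def split_tag(value):
    """RFC 2868: a leading byte in 0x00..0x1F is a tag grouping tunnel attributes."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def check_vlan_assignment(packet):
    """Return {'filter_id', 'vlan', 'problems'} describing what the switch is told."""
    code, _, attrs = parse_radius(packet)
    result = {"filter_id": None, "vlan": None, "problems": []}
    if code != ACCESS_ACCEPT:
        result["problems"].append("not an Access-Accept (code %d)" % code)
        return result
    groups = {}  # tag -> {attribute type: value without tag}
    for atype, value in attrs:
        if atype == FILTER_ID:
            result["filter_id"] = value.decode("ascii", "replace")
        elif atype in TUNNEL_ATTRS:
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[atype] = body
    for tag, group in sorted(groups.items()):
        missing = [t for t in TUNNEL_ATTRS if t not in group]
        if missing:
            result["problems"].append(
                "tag %d: missing tunnel attribute type(s) %s" % (tag, missing))
            continue
        ttype = int.from_bytes(group[TUNNEL_TYPE], "big")
        tmedium = int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big")
        if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802:
            result["problems"].append(
                "tag %d: Tunnel-Type %d / Tunnel-Medium-Type %d is not VLAN/802"
                % (tag, ttype, tmedium))
            continue
        try:
            result["vlan"] = int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            result["problems"].append(
                "tag %d: Tunnel-Private-Group-ID is not a numeric VLAN ID" % tag)
    if result["filter_id"] is None and result["vlan"] is None:
        result["problems"].append("no usable policy or VLAN assignment")
    return result


# --- constructed sample packets (not captured from the poster's network) ---
def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def _access_accept(*attrs):
    body = b"".join(attrs)
    # Authenticator left as zeros: this example does not verify it.
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(body)) + bytes(16) + body


# Assumed Filter-Id format for an Extreme/Enterasys policy assignment.
POLICY_FILTER_ID = b"Enterasys:version=1:policy=mdcvoip"
# "Filter ID With VLAN Tunnel Attribute": policy name plus VLAN 123, tag 1.
SAMPLE_BOTH = _access_accept(
    _attr(FILTER_ID, POLICY_FILTER_ID),
    _attr(TUNNEL_TYPE, bytes([1, 0, 0, TUNNEL_TYPE_VLAN])),
    _attr(TUNNEL_MEDIUM_TYPE, bytes([1, 0, 0, TUNNEL_MEDIUM_802])),
    _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"123"))
# Policy name only: the switch takes the VLAN from the role's egress list.
SAMPLE_POLICY_ONLY = _access_accept(_attr(FILTER_ID, POLICY_FILTER_ID))
# Tunnel-Medium-Type missing: a switch will not apply a VLAN from this.
SAMPLE_INCOMPLETE = _access_accept(
    _attr(TUNNEL_TYPE, bytes([1, 0, 0, TUNNEL_TYPE_VLAN])),
    _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"123"))
```

Feed `check_vlan_assignment()` the UDP payload of the Access-Accept (port 1812) pulled out of the tcpdump capture with whatever pcap tooling is at hand. An empty `problems` list with `vlan` set means the three tunnel attributes reached the wire consistently, which is the point at which Tomasz suggests turning back to the switch configuration.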
‎12-14-2018 08:13 AM
Hi Bernd.
For D2 I would go with the policy approach; it is more flexible.
Regards
Zdeněk Pala
