Cisco - Extreme NAC integration - multiauthentication, vlan, dot1x, mac
‎04-20-2015 10:40 AM
How to integrate Cisco switches with Extreme NAC. You can pass VLANs and ACLs per user, authenticate by MAC or user, even download ACLs from NAC, and even more - multiauthenticate up to 8 users on one Cisco port...
7 REPLIES
‎04-20-2015 12:14 PM
Rainer, please read http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configur...
section
Multi-auth Per User VLAN assignment
and the sentence: "When a hub is connected to an access port, and the port is configured with an access VLAN (V0). The host (H1) is assigned to VLAN (V1) through the hub. The operational VLAN of the port is changed to V1. This behaviour is similar on a single-host or multi-domain-auth port.
When a second host (H2) is connected and gets assigned to VLAN (V2), the port will have two operational VLANs (V1 and V2). If H1 and H2 send untagged ingress traffic, H1 traffic is mapped to VLAN (V1) and H2 traffic to VLAN (V2), all egress traffic going out of the port on VLAN (V1) and VLAN (V2) is untagged."
‎04-20-2015 12:05 PM
You should know that it is NOT possible to authenticate more than ONE user per port in a different VLAN, except if you use the one client as "voice vlan" on the Cisco.....
‎04-20-2015 11:25 AM
Yes - against most config examples with current software, in my opinion it is best practice to set the order to mac then dot1x (to avoid timing issues) and the priority to dot1x.
Thanks a lot 🙂
Michael
‎04-20-2015 11:25 AM
Thanks Michael. The order depends on what you want to do first 🙂 This config was modified many times for different ways of authentication.
Also there is one important thing. Whatever you set there, Cisco can ignore it. When you set the order on IOS <15.02 then this setting is irrelevant, because Cisco always tries dot1x first. Keep the right timeouts in mind then.
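Putting the pieces of this thread together (multi-auth host mode with per-user VLAN assignment from the cited Catalyst 2960-X guide, the "mab then dot1x, priority dot1x" ordering, and the timeout point in the last reply), here is an added example of a Catalyst access-port configuration with Extreme NAC as the RADIUS server. This is not a configuration posted in the thread or shipped by Extreme or Cisco; the server address, shared secret, VLAN ids and interface name are constructed placeholders, and it assumes an IOS release where `authentication order` is honoured (15.0(2) or later, per the reply above).

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 (NAC RADIUS
! server), SHARED-SECRET-PLACEHOLDER, VLANs 10/20, GigabitEthernet1/0/1.
!
! --- AAA: authenticate and authorize against the NAC server, with accounting
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! --- RADIUS server = Extreme NAC; VSAs carry per-user VLAN / ACL attributes
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
radius-server vsa send authentication
!
! --- Globally enable 802.1X; device tracking is needed for downloadable ACLs
dot1x system-auth-control
ip device tracking
!
interface GigabitEthernet1/0/1
 description NAC-controlled access port, up to 8 data hosts (multi-auth)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 !
 ! multi-auth: every MAC behind the port is authenticated individually and
 ! can receive its own VLAN from the NAC server (see the cited 2960-X guide)
 authentication host-mode multi-auth
 authentication port-control auto
 !
 ! Try MAB first to avoid dot1x timing issues, but let a dot1x supplicant
 ! win if it shows up later (priority dot1x). Honoured only on IOS >= 15.0(2);
 ! older releases try dot1x first regardless of the order configured here.
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication event fail action next-method
 !
 ! Periodic reauthentication with the interval supplied by the NAC server
 authentication periodic
 authentication timer reauthenticate server
 !
 mab
 dot1x pae authenticator
 !
 ! Short EAP request timeout and few retries so that non-supplicant hosts
 ! fall through to MAB quickly instead of waiting for the defaults
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 !
 spanning-tree portfast
```

With this interface block the NAC server can return a Tunnel-Private-Group-ID for the VLAN and a downloadable ACL per authenticated MAC; `show authentication sessions interface GigabitEthernet1/0/1` lists every host and its method, which is the first thing to check when a user lands in the wrong VLAN or hits a timeout before MAB completes.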
