This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Roles not applied on 802.1x machine auth

Roles not applied on 802.1x machine auth

SkyGazer
New Contributor

‎01-24-2024 04:32 AM

I have configured a WPA2-Enterprise SSID on my ExtremeCloud IQ Controller with EAP-TLS machine authentication with a Windows NPS server for the RADIUS part. 

The Windows NPS server checks the group membership of the machine and returns the VLAN placement information to the controller. 

So far so good, everything works as expected. The machines are placed in their respective VLAN's and they receive IP's from their respective DHCP scopes. 

I have only the issue, that the roles are not applied like I want them to. On the SSID I've defined the Default Auth Role as "Quarantine" and this is the role that all the machines get, although I've created some Rules in the "OnBoard" page that should place them in other roles. 

SkyGazer_0-1706098859957.png

As I've already said, everything works fine, but I'm unsure why the roles are not applied correctly. Can someone point me to why my configuration behaves that way? 

Thank you. 

0 Kudos
1 REPLY 1

AntonScholz
New Contributor II

a week ago

Hi SkyGazer,

Hope my answer is not to late.

The Onboard-Tab is only needed, if you want to use the internal NAC.

You wrote about an NPS-Server. So you should contact them directly via an AAA-Policy. The NPS must send back the Attribute: Filter-ID

The Value needs to be the Role-Name. Attention: Case Sensitive

The returned Value will be assigned as Role. The role needs to be associated with the Device Group, where the Client and AP is connected.

The three Attributes Tunnel-Type, Tunnel-Medium-Type and Tunnel-PvID are not accepted. Only Tunnel-PvID could used to change the VLAN from the assigned Role for the authenticated Client.

Best Regards

Anton

0 Kudos
GTM-P2G8KFN