
MHSA/MHMA automation


Fijs
New Contributor III
Hi,

We're deploying NAC in an existing network of mainly ERS49XX and ERS48XX switches.

On these ERS switches, one needs to specify if a port needs to be in MHSA or MHMA mode.

For example:
  • our access points need MHSA (AP authenticates, connected clients do not since they're authenticated elsewhere)
  • IP phones need MHMA: both the phone and the connected PC need to authenticate
Is there a way to configure MHSA/MHMA dynamically, so we can configure all access ports exactly the same, and we don't have to care where to connect APs or phones?

Thanks!
1 ACCEPTED SOLUTION

Miguel-Angel_RO
Valued Contributor II
Fijs,
On ERS 4900 as from 7.9.1:
[image]
Here for the ZTC for ERS:
[image]
I suggest you read the doc ConfigFabConERS49005900_7.8.1_CG.pdf
Mig


6 REPLIES

Ludovico_Steven
Extreme Employee
Ah, yes, good point. Both approaches work with Extreme APs (Fabric Attach enabled), but if you have non-Extreme WLAN APs then you need the RADIUS MHSA attribute... or you do manual config... or even better you use Extreme WLAN!

Fijs
New Contributor III
Unfortunately the APs in this case are not Extreme APs.
So for the 49XX, an upgrade will do the trick.
For the 48XX, we'll have to manually change to MHSA for AP ports.

Ludovico_Steven
Extreme Employee
Got this unicast question: is this implemented also on the latest firmware for the ERS48xx series?
Replying on thread for everyone's benefit.
So the fa zero-touch-option auto-port-mode-fa-client client-type 6 is also available on ERS4800.


Whereas the new MHSA RADIUS attribute support is only on ERS5900/4900 & 3600:

ERS5900
7.9.1	SW	Extreme Dynamic MHSA RADIUS vendor specific attribute (VSA) Extreme-Dynamic-MHSA (vendor ID 1916 value 250)
ERS4900
7.9.1	SW	Extreme Dynamic MHSA RADIUS vendor specific attribute (VSA) Extreme-Dynamic-MHSA (vendor ID 1916 value 250)
ERS3600
6.5.3	SW	Extreme Dynamic MHSA RADIUS vendor specific attribute (VSA) Extreme-Dynamic-MHSA (vendor ID 1916 value 250)

Ludovico_Steven
Extreme Employee
So the answer above from Miguel is correct; as of 7.9.1 release you can now enable MHSA on the port via a RADIUS attribute (the same that VOSS uses).
However, for completeness, there is also the "old" ERS approach which is still possible, which is based around FA zero-touch-options.
If you enable this command for FA Client type 6 = (WAP-type1):
fa zero-touch-option auto-port-mode-fa-client client-type 6

  • auto-port-mode-fa-client: When this option is activated for certain FA Client types, whenever an FA client of that type is discovered on an access port, the access port is automatically pre-configured for EAP/NEAP in mode Multiple-Hosts-Single-Authentication (MHSA). The FA Client will thus need to authenticate against a RADIUS server using either EAPoL or RADIUS MAC-based authentication (NEAP).