Reset Search



How to configure NAC to handle Management Access from Switches

« Go Back


TitleHow to configure NAC to handle Management Access from Switches
How to configure NAC to handle Management Access from Switches
  • NetSight NAC Mananger
  • Extreme Switches

There are two essential parts to this configuration: 

  1. Configuration the NAC appliance to handle NAS type: Virtual (Management logins), create a rule to allow access to a specific LDAP group, and create a rule that will deny access to all other users.
  2. Configure the Switches to send management RADIUS requests to the NAC appliace.


  1. In NetSight NAC Manager click the Tools menu --> Management and configuration --> Advanced Configuration
  2. Dril into "AAA Configurations"
  3. Click on the AAA configuration in use
  4. Verify that you have an AAA configuration in place to handle management login. If not click the small green "Add a new mapping" icon to create an AAA rule to handle management configuration. You will need to have an Advanced AAA configuration in order to create this configuration. To make an AAA configuration advanced --> Right click the configuration and select "Make advanced". The entry should look similar to the following:
User-added image
  1. Click the OK button and move the new AAA mapping entry to the top of the list. 
User-added image
  1. Click the Save Button
  2. In the same window click the NAC configuration that is current in use
  3. Click the small green "Add new rule" icon
  4. Create a new rule that will accept authentication for management login with the LDAP usergroup desired. 
User-added image
  1. Set the "Profile" to administrator, as this pre-canned profile is already set to allow Super User access for management if used.
  2. Save the rule and move it to the top the the rules engine list
  3. Create a new rule with "Authentication Method" set to "Management login" and the profile set to "Reject". This rule is used for users who do not meet the ldap criteria. 
  4. Move this rule to the top of the list, but below the rule you created earlier
  5. Click the Save button and exit the Advanced Configuration window
  6. Click on the NAC that is being used to service RADIUS requests from the switch
  7. Click on the "Switches" tab
  8. Click the IP address of the switch in question and click the "Edit" button
  9. Click the "Edit Auth. Access Type" check box and change the drop down to "Any Access"
  10. Click the "OK" button
  11. Enforce the NAC appliance
  12. Verify LDAP credentials
Additional notes
  1. In this example the NAC is being set to use LDAP credentials from Microsoft Active directory. In Step 4 you can set the "Authentication Method" to Local Authentication and create users in the Password repository if you do not have an LDAP database to use.
  2. This guide can be used for 3rd party switches as well. The NAC configuration is the same, the difference would be that the 3rd Party switches would have to be configured to send RADIUS requests for management login per their specific configuration. They cannot be configuration through SNMP/CLI like the Extreme devices. The Profile created for the accept must also include the correct Attribute to allow management login per the vendor being used. For HP Management login see:  How to configure NAC to handle management RADIUS login with HP switches



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255