How to configure switch for Phone + Data using Extreme Access Control

Objective
Configure switch to egress two different VLANs based on phone/data
 
Environment
  • Extreme Access Control
  • Policy Capable Switch (XoS G2, or EoS)
Procedure

Step 1: Configure Policy and Enable MAC Authentication globally/Per Port
 
  1. Create "Phone" policy in Extreme Management Center "Control" tab with "Contain to VLAN" Access Control and VLAN desired for phones
  2. Create "Data" policy in Extreme Management Center "Control" tab with "Contain to VLAN" Access Control and desired VLAN for data
  3. Add the desired to the Policy Domain and Enforce the Domain
  4. Click on the "Devices" tab --> Click on Switch you are working with --> Click the "Authentication" tab --> Enable "MAC" authentication --> Click on "MAC Authentication" settings --> Set a MAC Authentication password
  5. Right click the port you want to enable authentication on --> Port Authentication Wizard
  6. Enable Port Mode "Active/Default" role and hit "Finish"

Step 2: Configure NAC for MAC authentication
  1. In the "Access Control" tab click the Access Control Engine Group in use and add the switch to the "switches" tab
  2. Configure the NAC rules to profile the "Phones" profile with the "Phones" policy mapping for devices that will be classified as "Phones". The policy mapping configured must exactly match the role created for the policy.
  3. Configure another role that will catch devices you want to put in the "Data" VLAN
  4. Enforce the NAC appliance

Process Flow of solution: 
  1. The authentication-enabled switch will send a RADIUS authentication request to NAC
  2. The NAC rules engine will classify the device as "Phone" or "Data"
  3. NAC will return the "Phone" or "Data" policy
  4. Switch will use configured local rules and VLAN egress policies based on what was provided by NAC
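
Added example (not part of the original article and not Extreme's code): a small Python model of the process flow above and of the exact-match requirement from Step 2, showing how a policy mapping named "Phones" fails to line up with a role named "Phone". The OUI-based rule criteria, MAC addresses, VLAN IDs and function names are constructed assumptions.

```python
# Added illustration: a small model of the flow above, not Extreme's code.
# VLAN IDs, OUI prefixes, MACs and rule order are constructed sample values.
import difflib

# Roles enforced to the switch from the policy domain: name -> contained VLAN.
SWITCH_ROLES = {"Phone": 20, "Data": 10}

# NAC rules, first match wins: (rule name, MAC OUI prefix or None, policy mapping).
# "Phones" is a deliberate mismatch with the "Phone" role to show the failure.
NAC_RULES = [
    ("Phones", "02-50-4F", "Phones"),
    ("Catch-all data", None, "Data"),
]

def normalize(mac):
    """Return the MAC as upper-case, dash-separated octets."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def nac_decide(mac, rules=NAC_RULES):
    """Flow steps 2-3: pick the first matching rule, return its policy mapping."""
    mac = normalize(mac)
    for name, oui, policy in rules:
        if oui is None or mac.startswith(oui):
            return name, policy
    return None, None

def switch_apply(policy, roles=SWITCH_ROLES):
    """Flow step 4, modelled as an exact string lookup of the returned name."""
    return roles.get(policy)  # None: no role with that exact name exists

def lint_mappings(rules=NAC_RULES, roles=SWITCH_ROLES):
    """List policy mappings with no identically named role, plus a near match."""
    problems = []
    for name, _oui, policy in rules:
        if policy not in roles:
            near = difflib.get_close_matches(policy, list(roles), n=1, cutoff=0.6)
            problems.append((name, policy, near[0] if near else None))
    return problems

if __name__ == "__main__":
    for mac in ("02:50:4f:aa:bb:cc", "02:d4:7a:11:22:33"):
        rule, policy = nac_decide(mac)
        print(mac, rule, policy, switch_apply(policy))
    print(lint_mappings())
```

Running the lint before enforcing catches a name mismatch that would otherwise only show up later as a phone without the expected role in the session output.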

To confirm successful operation: 
  1. Verify the policy manager enforce has configured the 2 necessary policies (Data and VLAN)
  2. Verify the NAC enforce has successfully configured the RADIUS server and enabled it
  3. Verify MAC authentication has been enabled globally
  4. Verify MAC authentication has been enabled per port
  5. Verify phone has received correct role (show multiauth session)
  6. Verify phone has received correct VLAN (show mac port xx and check the FID) (or show vlan portinfo port and look for dynamic egress)
  7. Verify End system has received “Data” role
  8. Verify End system has received Data VLAN
     
Additional notes
Note: This is one method to accomplish this behavior; there are other ways to accomplish the same behavior. This is an example of how to do it via NAC and dynamic policy.
