Allowing management access to Avaya switches via NAC / access control setup

Objective
To allow management logins to an Avaya switch to be authenticated through the Extreme Networks Access Control Appliance.
Environment
  • Avaya
  • NAC
  • Access Control
Procedure
As of release 8.1.2.X, there is no switch setting specific to Avaya switches/routers, although some work with the default "Extreme Policy".

First, set up the switch settings to add a "Radius Attributes to send" entry for a specific group.

Click on Control Tab->Access Control->Select Access Control Appliance
Select a Switch, Click Edit
Add a new "Radius Attributes to send" entry, give it a name, and add the following:

Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Service-Type=%MGMT_SERV_TYPE%
Passport-Access-Priority=%CUSTOM1%


Passport-Access-Priority is the variable of concern; the rest comes from the default "Extreme Policy".
--
Next, alter the assigned policy so that it adds the Passport-Access-Priority value.

Click on Control->Click on Access Control->Configuration->Click on Profiles->Select Profile that you use for management access to switches
Select the Accept Policy and modify it (using the gear symbol, or Manage Policy Roles)
Switch to advanced mode
Set the Custom 1 value to 6 (which is full read/write/admin access)

Here are the other values:
0=no access
1=Read Only
2,4,5 = Not used
6=Read, Write Administrative

For legacy ERS devices (such as the 5520), also scroll down to the Management section and set Access to User Defined, with Mgmt Service Type set to 6 (RW) or 7 (RO).


 
Additional notes
To see whether the user is hitting the correct rule, go to Alarm and Events > Events and set the Type to All. Attempt the management login again and look for the management login event. Check that NAC is matching the right rule and assigning the proper policy, which yields the attributes in question. The event might not show the rule, but it should show the NAC Profile and other details associated with the rule that was hit.

A trace can also be taken to see what RADIUS attributes are being sent back to the switch.
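Once the trace shows which attributes were returned, they can be compared with the values in this article. The script below is an added example, not part of the original article or any Extreme Networks tool; it assumes the attributes were copied out of the trace as Name=value lines, and the "rw"/"ro" labels, function names and sample replies are constructed for illustration.

```python
import re

# Expected values per intended access level, taken from the article's tables.
# "rw" / "ro" are labels chosen for this example, not appliance settings.
EXPECTED = {
    "rw": {"Passport-Access-Priority": "6", "Service-Type": "6"},
    "ro": {"Passport-Access-Priority": "1", "Service-Type": "7"},
}
PLACEHOLDER = re.compile(r"%[A-Z0-9_]+%")  # e.g. %CUSTOM1% still unexpanded


def parse_attributes(text):
    """Parse 'Name=value' lines (the article's notation) into a dict."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)  # Filter-Id values contain '=' too
        attrs[name.strip()] = value.strip()
    return attrs


def check_reply(text, intended):
    """Return findings for one reply; an empty list means it matches."""
    attrs = parse_attributes(text)
    findings = []
    for name, value in attrs.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{name}: unexpanded variable in '{value}'")
    if "Passport-Access-Priority" not in attrs:
        findings.append("Passport-Access-Priority missing")
    for name, want in EXPECTED[intended].items():
        got = attrs.get(name)
        # Service-Type is only set for legacy ERS, so compare it when present.
        if got is not None and got != want and not PLACEHOLDER.search(got):
            findings.append(f"{name}={got}, expected {want} for {intended}")
    return findings


# Constructed sample replies (not captured from a real appliance).
GOOD_RW = """Filter-Id=Enterasys:version=1:policy=SwitchAdmins
Service-Type=6
Passport-Access-Priority=6"""
OVERPRIVILEGED_RO = """Filter-Id=Enterasys:version=1:policy=Helpdesk
Service-Type=7
Passport-Access-Priority=6"""
```

A read-only profile that returns Passport-Access-Priority=6 is the case worth catching here, since the switch would grant full read/write/admin access.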

Initial steps for setup can be found at: How to configure NAC to handle Management Access from Switches.
