Extreme Control – BOSS – MSCHAPv2

No Packetfence this time, but Extreme Control.

This little guide will explain how to add an ERS/BOSS switch to Extreme Control (a.k.a. NAC) and configure both to authenticate connected devices using MSCHAPv2.

Components used:

  • XMC 8.4.3.24
  • Control 8.4.3.24
  • ERS45XX switch running v5.7.3.031
  • Windows 10 PC or laptop

I’ll assume that you already have the following:

  • XMC basic setup
  • Control is added to XMC
  • Working Active Directory
  • Basic switch config

Add the switch to XMC

I won’t go into detail here, but you need to add the switch to XMC first, so you can add it to Control.

To add the switch to XMC, you need to configure SNMP and CLI credentials under Administration > Profiles, which of course must match the credentials configured on the ERS. Create a profile that uses these SNMP and CLI credentials, and go to Network > Devices. There you can add the device manually by entering its IP and profile, or, in case you have more switches, you can configure discovery.

Add the switch to Control

Once the switch is added in XMC, you can also add it in Control. Go to Control > Engines, Default, and open the “Switches” tab:

Add switches to Control

Click “Add”, select your switch(es) from the list and fill in these required fields:

  • Switch type: Layer 2 Out-of-Band
  • Primary Engine: your Control engine
  • Auth. Access Type: Any Access
  • RADIUS Attributes to Send: Extreme BOSS

The other fields can be left empty/default. Click Save.

Now click Enforce to activate the configuration.

Configure the switch

Since XMC/Control cannot push the RADIUS configuration to an ERS/BOSS switch the way it can for EXOS devices, you’ll need to configure the switch manually:

Switch#conf t
Switch(config)#radius server host <Control-IP> key <radius-secret> used-by eapol acct-enable
Switch(config)#interface ethernet ALL
Switch(config-if)#eapol port <port-list> status auto traffic-control in re-authentication enable
Switch(config-if)#eapol port <uplink-port> status authorized
Switch(config-if)#exit
Switch(config)#eapol enable

The RADIUS secret can be checked and/or edited via Engine Settings in Control; it must match the key you entered in the radius server host command on the switch:

Radius Secret

Configure LDAP

If not already done, now is the time to configure the LDAP setup in Control. Go to Control > Access Control > Configuration > AAA > LDAP Configurations, click Add and fill in the required fields. When done, make sure the test is successful, and click Save:

Configure LDAP

You can now create a new configuration under Configurations > Default, and add a new Authentication Rule. Make sure to set the Authentication Type to “802.1X” and LDAP Config to your LDAP configuration:

Authentication Rule

You’ll also want to create a new user group based on an existing AD security group that contains all the users who will authenticate with dot1x. Go to Access Control > Group Editor > User Groups and click Add. Create a group with “User: LDAP User Group” as the type, and add the “memberOf” attribute with the Distinguished Name of your AD security group as the value. Keep in mind that memberOf on a user object only lists direct memberships, so users who are only in a nested group under that security group will not match:

LDAP User Group

Add Authorization rule

Finally, you’ll need to add a new rule under Access Control > Configuration > Configurations > Default > Rules. Give it a name, like “DOT1X User Auth”, set “Authentication Method” to “802.1X”, set the “User Group” to the LDAP group you created in the previous step, and set the Profile to “Enterprise Access NAC Profile”.

This should be it, time to test!

Testing

Before you connect your PC or laptop to a dot1x enabled port on the ERS, you’ll need to configure your NIC to act as DOT1X supplicant. Open up Network and Sharing Center > Change adapter settings. Right-click on your wired NIC, and choose Properties. Select the “Authentication” tab, check the “Enable IEEE 802.1X authentication” checkbox, set the method to “Microsoft: Protected EAP (PEAP)” and click Settings.

Uncheck “Verify the server’s identity…” and set the Authentication Method to “Secured password (EAP-MSCHAP v2)”. Be aware that this disables validation of the RADIUS server certificate: it is fine for a first test, but a supplicant that skips it will hand its MSCHAPv2 challenge/response to any rogue authenticator it is plugged into, so once everything works, re-enable it and trust the CA that issued the Control engine’s RADIUS certificate. Click the Configure button, and uncheck the “Automatically use my Windows login name and password (and domain if any)” checkbox. Click OK twice, and click Additional Settings.

Select “Specify authentication mode” and set it to “User authentication”. Click “Replace credentials” and enter your LDAP username/password. Click OK until you’re back on the Network Connections page.

Now plug in the network cable into a dot1x enabled port on the ERS.

You can use the Control > End-Systems page to verify:

End-Systems

In case it does not work, Extreme Control has a very nice troubleshooting tool. Right-click the end-system, click “Configuration Evaluation Tool” and select your configuration. A new window pops up with the correct settings already filled in. Click Run, and check the results on the Authentication and Authorization tabs to see where it failed.