No Packetfence this time, but Extreme Control.
This little guide will explain how to add an ERS/BOSS switch to Extreme Control (a.k.a. NAC) and configure both to authenticate connected devices with 802.1X, using PEAP with EAP-MSCHAPv2 against Active Directory users.
Components used:
- XMC 8.4.3.24
- Control 8.4.3.24
- ERS45XX switch running v5.7.3.031
- Windows 10 PC or laptop
I’ll assume that you already have the following:
- XMC basic setup
- Control is added to XMC
- Working Active Directory
- Basic switch config
Add the switch to XMC
I won’t go into detail here, but you need to add the switch to XMC first, so you can add it to Control.
To add the switch to XMC, you need to configure SNMP and CLI credentials under Administration > Profiles, which of course must match the credentials configured on the ERS. Create a profile that uses those SNMP and CLI credentials, and go to Network > Devices. There you can manually add the device by entering its IP and profile, or, if you have more switches, configure discovery.
Add the switch to Control
Once the switch is added in XMC, you can also add it in Control. Go to Control > Engines, Default, and open the “Switches” tab:
Click “Add”, select your switch(es) from the list and fill in these required fields:
- Switch type: Layer 2 Out-of-Band
- Primary Engine: your Control engine
- Auth. Access Type: Any Access
- RADIUS Attributes to Send: Extreme BOSS
The other fields can be left empty/default. Click Save.
Now click Enforce to activate the configuration.
Configure the switch
Since XMC/Control cannot push the RADIUS configuration to an ERS/BOSS switch the way it can for EXOS devices, you'll need to configure the switch manually:

```
Switch#conf t
Switch(config)#radius server host <Control-IP> key <radius-secret> used-by eapol acct-enable
Switch(config)#interface ethernet ALL
Switch(config-if)#eapol port <port-list> status auto traffic-control in re-authentication enable
Switch(config-if)#eapol port <uplink-port> status authorized
Switch(config-if)#exit
Switch(config)#eapol enable
```

The uplink port is deliberately set to "authorized" so the switch's path to the Control engine (and the rest of the network) never depends on an authentication succeeding; make sure `<uplink-port>` is not also part of `<port-list>`, or you can lock yourself out once `eapol enable` takes effect.
The RADIUS shared secret can be checked and/or edited via Engine Settings in Control:
Configure LDAP
If not already done, now is the time to configure the LDAP setup in Control. Go to Control > Access Control > Configuration > AAA > LDAP Configurations, click Add and fill in the required fields. When done, make sure the test is successful, and click Save:
You can now create a new configuration under Configurations > Default, and add a new Authentication Rule. Make sure to set the Authentication Type to “802.1X” and LDAP Config to your LDAP configuration:
You’ll also want to create a new user group, based on an existing AD security group that contains all users who need to authenticate with dot1x. Go to Access Control > Group Editor > User Groups, and click Add. Add a group with “User: LDAP User Group” as the type, and add the “memberOf” attribute with the Distinguished Name of your actual AD security group as the value. Keep in mind that memberOf only lists a user’s direct group memberships, so users who are only members through a nested group won’t match this rule.
Add Authorization rule
Finally, you’ll need to add a new rule under Access Control > Configuration > Configurations > Default > Rules. Give it a name, like “DOT1X User Auth”, set “Authentication Method” to “802.1X”, set the “User Group” to the LDAP group you created in the previous step and set the Profile to “Enterprise Access NAC Profile”.
This should be it, time to test!
Testing
Before you connect your PC or laptop to a dot1x enabled port on the ERS, you’ll need to configure your NIC to act as an 802.1X supplicant. Open up Network and Sharing Center > Change adapter settings. Right-click on your wired NIC, and choose Properties. Select the “Authentication” tab, check the “Enable IEEE 802.1X authentication” checkbox, set the method to “Microsoft: Protected EAP (PEAP)” and click Settings.
Uncheck “Verify the server’s identity…” for this first test. Be aware that this disables validation of the RADIUS server certificate, so the supplicant will complete the MSCHAPv2 exchange inside a TLS tunnel to whatever server answers; once the setup works, turn it back on and trust only the CA that issued the Control engine’s RADIUS certificate. Set the Authentication Method to “Secured password (EAP-MSCHAP v2)”. Click the Configure button, and uncheck the “Automatically use my Windows login name and password (and domain if any)” checkbox. Click OK twice, and click Additional Settings.
Select “Specify authentication mode” and set it to “User authentication”. Click “Replace credentials” and enter your LDAP username/password. Click OK until you’re back on the Network Connections page.
Now plug in the network cable into a dot1x enabled port on the ERS.
You can use the Control > End-Systems page to verify:
In case it does not work, Extreme Control has a very nice troubleshooting tool. Right-click the end-system and click “Configuration Evaluation Tool” and select your configuration. A new window pops up, with the correct settings already filled in. Click Run, and check the results of the Authentication and Authorization tabs to see where it failed.