To create the MBA network associated to a Default Auth Role accept policy. Take the
following steps:
-
Configure a RADIUS server for AAA
authentication.
- Log in to ExtremeCloud IQ
Controller and go to and add a new RADIUS server.
- Configure the following
parameters:
- Radius Server IP Address
- Add the NAC IP address
- Shared Secret
- Provide the NAC Shared
Secret.
Note
To find the Shared
Secret of the NAC Manager, go to:
.
-
Create a new network.
- Enable MAC-based
authentication (MBA) and choose an appropriate MBA Timeout Role.
- Clear the Authenticate
Locally for MAC check box.
- Choose RADIUS
as the Authentication Method and select the NAC added in Step 1 as the Primary
RADIUS.
- Select a Default VLAN.
- Click Save.
-
Add a new rule.
- From ExtremeCloud IQ
Controller,
navigate to .
- Click Add.
- In the Location Group drop-down menu,
select Network: <name of
your network>.
- From the Accept Policy field:
- To configure a Default Auth Role
Policy: select Use
Default Auth Role.
- To configure a Pass-thru External
RADIUS Accept Policy: select Pass Through External
RADIUS.
- Save the rule.
-
Assign the network created previously
and its Default Auth Role to a site and save. Take the following steps:
- Go to and select a site.
- Click the Device Groups tab and
select a device group.
- Beside the Profile field, click
to
edit the device group profile.
- Go to the Networks tab and select
the configured network.
- Go to the Roles tab and select the
configured Default Auth Role.
Finally, associate clients to the SSID of the network. The Access-Request is sent to
the external NAC server. The NAC server matches the MAC address of the user with one of the
MAC addresses in the End-System Group (that was created earlier) and sends an Access-Accept
with a Filter-ID Enterprise User. The ExtremeCloud IQ
Controller Access Control
engine ignores the Filter-ID and applies the Default Auth Role that was configured under
Network Settings.
