Configuring the External NAC Server

Take the following steps to configure the External NAC server:

Extreme Management Center Console

  1. Navigate to the ExtremeCloud IQ - Site Engine OneView page or launch the console.
  2. Add the external NAC server and the ExtremeCloud IQ Controller esa0 interface as devices to be managed by ExtremeCloud IQ - Site Engine.
    • Open NAC Manager using either OneView or the console.
    • Add the external NAC server as an appliance to be managed.
      1. Go to Switches > Add Switch.
      2. Select the ExtremeCloud IQ Controller esa0 interface.
      3. Configure the following parameters:
        Primary Engine
        NAC server
        RADIUS Attributes to Send
        Edit RADIUS Attribute Settings
  3. To edit the RADIUS Attribute settings:
    • Select Add and provide the Attribute Group name.
    • In the Attribute field, enter the following:
      • Filter-Id=%FILTER_NAME%
      • Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
      • Login-LAT-Port=%LOGIN_LAT_PORT%
      • Service-Type=%MGMT_SERV_TYPE%
      Note

      The Attribute Group is configured to ensure that ExtremeWireless APs function with the appliance.
  4. Save the Attribute Group, then select this group as the option in the RADIUS Attributes to Send field.
  5. Press OK.

NAC Manager

  1. Go to Tools > Management.
  2. Select Configuration > Advanced NAC Configurations > AAA Configurations > Local Password Repository > Default.
  3. Add a new user.
    Select Add and configure the following parameters:
    • Display Name
    • Username
    • Password
  4. Select Save.
  5. In the Advanced Configuration window, navigate to NAC Configurations > Rule Components > End-System Group.
  6. Add a new End-System Group.
    Add a new MAC entry for each MAC address of each client that should be successfully authenticated.
  7. Select Save.
  8. In the Advanced Configuration window, navigate to NAC Configurations > Default.
  9. Add a new rule.
    From the End-System Group drop-down list, select the End-System Group that you previously created.
  10. In the Profile drop-down list, select Default NAC Profile.
    Note

    Assuming no prior configuration changes have been made to the Default NAC Profile, it will send an Enterprise User Filter-ID.
  11. Save the rule and move it up the list, just after the Assessment Warning rule.
  12. Close the Advanced Configuration window and Enforce the NAC engine.
  13. Once the Enforce is successful, close the window.
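
To confirm the result after the Enforce, the Filter-Id values in a captured Access-Accept can be checked against the Attribute Group template above. The following is an added example, not Extreme Networks code: the function names and sample values are constructed, and it assumes that %MANAGEMENT% expands either to nothing or to "mgmt=<level>:".

```python
import re

# Decorated Filter-Id from this page's Attribute Group template:
#   Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
# Assumption: %MANAGEMENT% expands to nothing or to "mgmt=<level>:".
DECORATED = re.compile(
    r"^Enterasys:version=1:(?:mgmt=(?P<mgmt>[^:]+):)?policy=(?P<policy>.+)$")
PLACEHOLDER = re.compile(r"%[A-Z_]+%")  # template variable left unexpanded


def parse_filter_ids(values):
    """Split the Filter-Id values of one Access-Accept into fields."""
    out = {"filter": None, "policy": None, "mgmt": None, "malformed": []}
    for raw in values:
        value = raw.strip()
        match = DECORATED.match(value)
        if PLACEHOLDER.search(value):
            out["malformed"].append(value)
        elif match:
            out["policy"], out["mgmt"] = match["policy"], match["mgmt"]
        elif value.startswith("Enterasys:"):
            out["malformed"].append(value)
        elif value:
            out["filter"] = value  # plain Filter-Id=%FILTER_NAME% form
    return out


def check_accept(values, expected_policy):
    """Return a list of findings; an empty list means the reply is as expected."""
    parsed = parse_filter_ids(values)
    findings = [f"malformed Filter-Id: {v}" for v in parsed["malformed"]]
    if parsed["policy"] is None:
        findings.append("no decorated Filter-Id carrying a policy")
    elif parsed["policy"] != expected_policy:
        findings.append(
            f"policy is {parsed['policy']!r}, expected {expected_policy!r}")
    if parsed["mgmt"] is not None:
        # A client end-system reply should not grant device management access.
        findings.append(
            f"client reply carries management access mgmt={parsed['mgmt']}")
    return findings


# Constructed sample values, not captured from a real deployment.
SAMPLE_OK = ["Enterprise User", "Enterasys:version=1:policy=Enterprise User"]
SAMPLE_MGMT = ["Enterasys:version=1:mgmt=su:policy=Enterprise User"]

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MGMT):
        print(sample, "->", check_accept(sample, "Enterprise User") or "OK")
```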