Configuring an MBA Network

To create the MBA network associated to a Pass-thru External RADIUS accept policy. Take the following steps:

  1. Configure a RADIUS server for AAA authentication.
    • Log in to ExtremeCloud IQ Controller and go to Onboard > AAA > Radius Server and add a new RADIUS server.
    • Configure the following parameters:
      Radius Server IP Address
      Add the NAC IP address
      Shared Secret
      Provide the NAC Shared Secret.
      Note

      Note

      To find the Shared Secret of the NAC Manager, go to:

      Advanced NAC Configuration Settings > Global and Appliance Settings > Appliance Settings.

  2. Create a new network.
    • Enable MAC-based authentication (MBA) and choose an appropriate MBA Timeout Role.
    • Clear the Authenticate Locally for MAC check box.
    • Choose RADIUS as the Authentication Method and select the NAC added in Step 1 as the Primary RADIUS.
    • Select a Default VLAN.
    • Click Save.
  3. Add a new rule.
    • From ExtremeCloud IQ Controller, navigate to Onboard > Rules.
    • Click Add.
    • In the Location Group drop-down menu, select Network: <name of your network>.
    • From the Accept Policy field:
      • To configure a Default Auth Role Policy: select Use Default Auth Role.
      • To configure a Pass-thru External RADIUS Accept Policy: select Pass Through External RADIUS.
    • Save the rule.
  4. Assign the network created previously and its Default Auth Role to a site and save. Take the following steps:
    • Go to Configure > Sites and select a site.
    • Click the Device Groups tab and select a device group.
    • Beside the Profile field, click to edit the device group profile.
    • Go to the Networks tab and select the configured network.
    • Go to the Roles tab and select the configured Default Auth Role.
Finally, associate clients to the SSID of the network. The Access-Request is sent to the external NAC server. The NAC server matches the MAC address of the user with one of the MAC addresses in the End-System Group (that was created earlier) and sends an Access-Accept with a Filter-ID Enterprise User. The ExtremeCloud IQ Controller applies the Enterprise User Role instead of the Default Auth Role that was configured under Network Settings.
Note

Note

The Enterprise User role must exist on ExtremeCloud IQ Controller and must be assigned to the same device group as the client in order to be applied.
9038919-00 Rev. AA