To create an AAA network associated with a Pass-thru External RADIUS Accept Policy, take the following steps:
On ExtremeCloud IQ Controller:
Use the IP address of the external NAC server as the primary RADIUS server.
- Configure a RADIUS server for AAA authentication.
  - Log in to ExtremeCloud IQ Controller and go to and add a new RADIUS server.
  - Configure the following parameters:
    - Radius Server IP Address: Add the NAC IP address.
    - Shared Secret: Provide the NAC Shared Secret.
  Note: To find the Shared Secret of the NAC Manager, go to: .
- Create a new network. Configure the following parameters:
  - Auth Type: WPA2 Enterprise w/ RADIUS
  - Authentication Method: RADIUS
  - Primary RADIUS: IP Address of the External NAC added in Step 1.
  - Default Auth Role: Select a role other than Enterprise User.
  - Default VLAN: Select a Default VLAN. B@AP VLAN ID
  Note: Both B@AP and B@AC are supported for NAC.
- Select Save.
- Create a policy rule. Go to and configure the following parameters:
  - Location Group
  - Network: <name of your network>
  - Accept Policy
    - To configure a Default Auth Role Policy, select Use Default Auth Role.
    - To configure a Pass-Through External RADIUS Accept Policy, select Pass Through External RADIUS.
- Select Save.
On the NAC Manager:
- Edit the rule you created on ExtremeCloud IQ Controller here. Configure the following parameters:
  - Authentication Method: 802.1x
  - End-System Group: Any
- Select Save and enforce the NAC.
On ExtremeCloud IQ Controller:
- Assign the network created previously and its Default Auth Role to a site and save.
  - Go to and select a site.
  - Select the Device Groups tab and select a device group.
  - Beside the Profile field, select to edit the device group profile.
  - Go to the Networks tab and select the configured network.
  - Go to the Roles tab and select the configured Default Auth Role.
Associate clients to the SSID of the Network. When prompted for the username and password, use the username and password created with the New User. The external NAC server matches the rule you created under New Rule and, upon successful authentication, sends an Access-Accept and a Filter-ID Enterprise User. The ExtremeCloud IQ Controller Access Control engine applies the Enterprise User Role instead of the Default Auth Role that was configured under Network Settings.

Note: The Enterprise User role must exist on ExtremeCloud IQ Controller and must be assigned to the same device group as the client in order to be applied.