Extreme Networks Access Control (NAC) – Supports Cisco?

You’re probably thinking why are we still talking about NAC? In my opinion, NAC is one of the bests ways to apply dynamic assignment of access control and gain visibility to where devices are connected to the network in real-time in an agent-less fashion. By the way, us networking folks hate agents. We don’t want to be in charge of one more application, especially if its deployed on thousands of machines.

I’ve come across situations where you may want to run Extreme Networks NAC with other vendor hardware (wired or wireless). Sometimes you don’t have the luxury to replace all of your networking gear. Don’t get me wrong; Extreme hardware works fantastic with its own NAC and NMS software along with its fantastic policy capabilities. However, it may be somewhat shocking to hear that Extreme’s solutions also works quite well with 3rd party vendor hardware. Yes, even Cisco.

Requirements

The 3rd party hardware will require support for MAC/802.1x authentication. If you desire dynamically assigning different access roles to end systems, the device also needs to support receiving radius attributes to take action. Some things you can do with Cisco hardware in Extreme Control are assigning dynamic VLANs, web redirect, and per-user ACLs. I’ll demonstrate how you can accomplish applying web redirect, dynamic VLANs, and per-user ACLs to Cisco devices. You’ll also be able to force reauthentication to a Cisco switch using Extreme Control within Extreme Management Center.

Working in Extreme Control

When you add a device to an Extreme Control engine (radius server), you can assign custom attributes. These are the following vendor-specific attributes (VSA) that will be sent based on a match of a profile group or when a MAC/802.1x auth hits the default profile rule:

Tunnel-Private-Group-Id=%VLAN_ID%:%VLAN_TUNNEL_TAG%

Tunnel-Type=13:%VLAN_TUNNEL_TAG%

Tunnel-Medium-Type=6:%VLAN_TUNNEL_TAG%

%CUSTOM2%

%CUSTOM3%

%PER_USER_ACL_CISCO%

Make sure that you send a VLAN ID back to the Cisco device by making sure your profile has the following settings along with the custom fields set for devices that will require web redirect by editing the policy profile within Extreme Control.

The %CUSTOM2% radius attribute matches to cisco-avpair=url-redirect=https://192.168.10.92/static/index.jsp

The custom2 attribute tells the Cisco switch what the url redirect web URL is when a user is assigned to the Quarantine policy profile.

The %CUSTOM3% radius attribute matches to cisco-avpair=url-redirect-acl=Quarantine

The custom3 attribute tells the Cisco switch that the ACL named Quarantine needs to be matched in order to apply the redirect URL.

Note: If you send the VLAN VSA attributes with a blank value, the Cisco device doesn’t like that and will not apply the dynamic ACLs, the web redirect URL, or the web redirect ACL. At least that’s what I found during my internal testing with a Cisco c3850.

Also, make sure you select the appropriate reauthentication (RFC 3576 – Cisco Wired) type to force a reauthentication of a device within Extreme Control.

For Extreme Control to send per user ACLs, you need to build a policy within Extreme Management Center Policy Manager. Policy manager works by defining policies with roles consisting of L2/L3/L4 rules. If you add a Cisco device within a policy domain and enforce policy, Extreme Control will recognize that the policies, roles, and rules will need to be converted to Cisco-based ACLs that can be dynamically sent to the Cisco switch on a MAC/802.1x auth.

With the following Cisco CLI command, you can see the specific attributes that are received from Extreme Control once the Cisco switch is set up for radius network access authentication.

Cisco-switch#show authentication sessions interface gigabitEthernet 3/0/1 details

Custom Scripts and Bonus Integration

If you need assistance with how to configure the Cisco switch for radius authentication to Extreme Control, head to the Extreme Networks Github scripts page here and download the Cisco IOS authentication script. The only ACL’s you’ll also have to create on the Cisco device are the ones that will match for the Web redirect VSA. There’s no need to create additional ACLs since you’ll be sending the dynamic ACLs from the policy conversion.

As a bonus, Extreme Management Center NAC can also integrate with firewall vendors, MDM solutions, and anti-virus software suites to dynamically assign access control. Again, check out the Extreme GitHub Integrations page here for some examples on Checkpoint integration, IBM Qradar, and FortiGate. You can even create your own custom workflow of activity based on a NAC event, such as opening up a ticket when a device is dynamically quarantined based on a set of events. The sky’s the limit.

Happy networking,

@javi_isolis

Leave a Reply

Your email address will not be published. Required fields are marked *