Extreme Networks Access Control (NAC) – Supports Cisco?

You’re probably thinking, why are we still talking about NAC? In my opinion, NAC is one of the best ways to apply dynamic assignment of access control and gain real-time, agent-less visibility into where devices are connected to the network. By the way, us networking folks hate agents. We don’t want to be in charge of one more application, especially if it’s deployed on thousands of machines.

I’ve come across situations where you may want to run Extreme Networks NAC with other vendors’ hardware (wired or wireless). Sometimes you don’t have the luxury of replacing all of your networking gear. Don’t get me wrong; Extreme hardware works fantastically with its own NAC and NMS software and its excellent policy capabilities. However, it may be somewhat shocking to hear that Extreme’s solutions also work quite well with third-party vendor hardware. Yes, even Cisco.

The third-party hardware must support MAC/802.1X authentication. If you want to dynamically assign different access roles to end systems, the device also needs to accept RADIUS attributes and act on them. Some things you can do with Cisco hardware in Extreme Control are assigning dynamic VLANs, web redirect, and per-user ACLs. I’ll demonstrate how to apply web redirect, dynamic VLANs, and per-user ACLs to Cisco devices. You’ll also be able to force a Cisco switch to reauthenticate a session using Extreme Control within Extreme Management Center.

Working in Extreme Control

When you add a device to an Extreme Control engine (the RADIUS server), you can assign custom attributes. The following vendor-specific attributes (VSAs) are sent when a session matches a profile group or when a MAC/802.1X authentication hits the default profile rule:

Make sure that you send a VLAN ID back to the Cisco device: give your profile the following settings, and for devices that will require web redirect, set the custom fields by editing the policy profile within Extreme Control.

The %CUSTOM2% RADIUS attribute maps to cisco-avpair=url-redirect=

The custom2 attribute tells the Cisco switch which URL to redirect web traffic to when a user is assigned to the Quarantine policy profile.

The %CUSTOM3% RADIUS attribute maps to cisco-avpair=url-redirect-acl=Quarantine

The custom3 attribute tells the Cisco switch that traffic must match the ACL named Quarantine before the redirect URL is applied.

Note: If you send the VLAN VSA attributes with a blank value, the Cisco device doesn’t like that and will not apply the dynamic ACLs, the web redirect URL, or the web redirect ACL. At least that’s what I found during my internal testing with a Cisco C3850.

Also, make sure you select the appropriate reauthentication type (RFC 3576 – Cisco Wired) so that Extreme Control can force a reauthentication of a device.

For Extreme Control to send per-user ACLs, you need to build a policy within Extreme Management Center Policy Manager. Policy Manager works by defining policies with roles consisting of L2/L3/L4 rules. If you add a Cisco device to a policy domain and enforce policy, Extreme Control recognizes that the policies, roles, and rules need to be converted to Cisco-style ACLs, which it can then send dynamically to the Cisco switch on a MAC/802.1X authentication.

With the following Cisco CLI command, you can see the specific attributes received from Extreme Control once the Cisco switch is set up for RADIUS network access authentication.

Cisco-switch#show authentication sessions interface gigabitEthernet 3/0/1 details
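The attribute exchange described above, as an added example that is not part of the original post or of Extreme's or Cisco's software: it builds the attribute list of a RADIUS Access-Accept for the Quarantine profile (the Tunnel-* VLAN attributes from RFC 2868 plus the two cisco-avpair VSAs), decodes it the way a switch would, and flags the replies the post warns about, a blank VLAN value and a redirect ACL that does not exist on the switch. The VLAN ID, redirect URL, and the set of ACLs assumed to be configured on the switch are constructed sample values.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and Cisco's vendor ID
ATTR_VSA = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor-type 1 == cisco-avpair


def _attr(type_, value):
    """Wire form of one attribute: type (1 byte), length (1 byte), value."""
    return struct.pack("!BB", type_, 2 + len(value)) + value


def cisco_avpair(pair):
    """Encode a cisco-avpair string as a Vendor-Specific attribute."""
    value = pair.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return _attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def tagged_int(type_, value, tag=0):
    """Tagged integer: 1-byte tag followed by a 3-byte big-endian value."""
    return _attr(type_, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_str(type_, value, tag=0):
    """Tagged string: 1-byte tag followed by the string (may be empty)."""
    return _attr(type_, bytes([tag]) + value.encode())


def build_quarantine_reply(vlan_id, redirect_url, redirect_acl):
    """Attribute list of an Access-Accept for the Quarantine profile.
    vlan_id, redirect_url and redirect_acl are constructed sample values."""
    return (tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM, TUNNEL_MEDIUM_802)
            + tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan_id)
            + cisco_avpair("url-redirect=" + redirect_url)
            + cisco_avpair("url-redirect-acl=" + redirect_acl))


def decode_attrs(payload):
    """Walk an attribute list; VSAs are expanded to ('vsa', vendor, vtype, value)."""
    out, i = [], 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        v = payload[i + 2:i + length]
        if t == ATTR_VSA:
            vendor = struct.unpack("!I", v[:4])[0]
            j = 4
            while j < len(v):
                vt, vl = v[j], v[j + 1]
                out.append(("vsa", vendor, vt, v[j + 2:j + vl]))
                j += vl
        elif t in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM):
            out.append((t, int.from_bytes(v[1:], "big")))
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag, not part of the VLAN string
            out.append((t, (v[1:] if v and v[0] <= 0x1F else v).decode()))
        else:
            out.append((t, v))
        i += length
    return out


def check_cisco_reply(payload, switch_acls):
    """Return a list of problems a Cisco switch would ignore or reject silently."""
    issues = []
    attrs = decode_attrs(payload)
    avpairs = [a[3].decode() for a in attrs
               if a[0] == "vsa" and a[1] == CISCO_VENDOR_ID and a[2] == CISCO_AVPAIR]
    vlans = [a[1] for a in attrs if a[0] == ATTR_TUNNEL_PRIVATE_GROUP_ID]
    if not vlans:
        issues.append("no Tunnel-Private-Group-ID: profile does not return a VLAN ID")
    elif any(v == "" for v in vlans):
        issues.append("blank Tunnel-Private-Group-ID: switch will not apply dACL or redirect")
    has_redirect = any(p.startswith("url-redirect=") for p in avpairs)
    redirect_acls = [p.split("=", 1)[1] for p in avpairs if p.startswith("url-redirect-acl=")]
    if has_redirect and not redirect_acls:
        issues.append("url-redirect without url-redirect-acl: nothing will be redirected")
    for acl in redirect_acls:
        if acl not in switch_acls:
            issues.append("url-redirect-acl %r is not configured on the switch" % acl)
    return issues


if __name__ == "__main__":
    # Constructed sample: VLAN 100, a placeholder NAC portal URL, ACL "Quarantine" on the switch
    reply = build_quarantine_reply("100", "https://nac.example.test/captive", "Quarantine")
    for attr in decode_attrs(reply):
        print(attr)
    print("issues:", check_cisco_reply(reply, {"Quarantine"}))
```

The checker only models what this post describes: the blank-VLAN behaviour the author observed on the C3850 and the requirement that the url-redirect-acl name exist on the switch. Running it against the attribute list your Extreme Control profile produces is a cheap way to catch those two mistakes before a device lands in Quarantine with no redirect.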

Custom Scripts and Bonus Integration

If you need help configuring the Cisco switch for RADIUS authentication to Extreme Control, head to the Extreme Networks GitHub scripts page here and download the Cisco IOS authentication script. The only ACLs you’ll have to create on the Cisco device yourself are the ones referenced by the web redirect VSA. There’s no need to create additional ACLs, since the dynamic ACLs come from the policy conversion.

As a bonus, Extreme Management Center NAC can also integrate with firewall vendors, MDM solutions, and anti-virus suites to dynamically assign access control. Again, check out the Extreme GitHub Integrations page here for examples of Check Point, IBM QRadar, and FortiGate integrations. You can even create your own custom workflow triggered by a NAC event, such as opening a ticket when a device is dynamically quarantined based on a set of events. The sky’s the limit.

Happy networking,

Peering into CHI-NOG 08

I finally made it out to a CHI-NOG event, the Chicago Network Operators Group. Experienced network engineers and architects put the group together to focus on all things network related. The yearly events concentrate on vendor-neutral topics and encourage other network enthusiasts in the Chicagoland region to attend. This year’s gathering had more than a dozen sessions and a lineup with some excellent guest speakers. If you’re ever in the area and love networking with technology and people, I highly recommend you go. I attended quite a few of the sessions, but I’ll start with one of my favorites.

Rethinking BGP in the Data Center

Presented by Russ White

BGP, the chosen EGP of the Internet, has taken quite a hold in large-scale data centers at companies such as Facebook, Microsoft, LinkedIn, and Google. You can do all kinds of clever traffic engineering using BGP, but should it be the chosen IGP for data centers? The companies mentioned above are now looking into, or are already deploying, other technologies such as OpenR, OpenFabric, and Firepath as a BGP replacement. Russ challenged BGP deployment complexity and talked about some of the most significant hurdles in the hyperscale arena being delay and jitter. Flooding also becomes an issue, along with autoconfiguration of devices.

I think it’s important not to try to overcomplicate existing protocols to make them fit what we want. We need to become better engineers and try something different. That’s where white box switching and new protocols such as draft-white-openfabric come into play. White box allows for the deployment of newly developed routing protocols that are more appropriate for what we wish to accomplish. Automation is also critical for successful manageability. Russ talked about having a router or switch that you never have to configure or CLI into, a little tough to swallow for us network operators.

Closing Thoughts

I couldn’t help but think about wireless controllers. When’s the last time you ever SSH’d into your wireless access points? We couldn’t imagine going back to individually configuring access points; what a nightmare! Centralized, automated management for our switches and routers makes complete sense. Are we ready for the transition? The thought of what will happen to our existing jobs always comes up. However, I say we can then transition into solving other problems that we never had time to complete. Overall, CHI-NOG was an awesome experience. I have lots more notes, so hopefully I can come up with more stuff that you’ll enjoy reading.

A simple start to project management

Being able to track your work efficiently is a very useful skill. For years I completed my work but rarely tracked it in a Project Management Professional (PMP) sort of way. Sure, I’ve done the weekly reports, sticky notes, Outlook tasks, and Outlook calendar block scheduling, which are all useful. However, simple project management skills help create a consistent and straightforward approach to managing time, resources, and tasks. I’ve seen organizations range from an all-guns-blazing PM approach to a nothing-at-all approach. Sometimes you’ll see IT subject matter experts resist PM with “I’m too busy” or “It takes too much time,” but in reality, basic fundamental project management is not that difficult.

Here’s an example of how you can model behavior and start to implement some basic PM skills. I recently had a team reach out to discuss a new project that would require infrastructure resources. The team pulled up a draft diagram, and we began our dialog. I started to ask probing questions, and the diagram began to transform. Once I was comfortable with my understanding of what we were trying to accomplish, I shared my screen with the team and opened up OneNote. I began typing each major task that needed to be completed and here’s

What does a Network Administrator do?

The Network Administrator

I wanted to share what a network administrator’s daily job duties, functions, and tasks may entail. For those new to the realm of IT, a network administrator typically interacts with the hardware/software components that transfer data to and from devices over a physical distance through some type of medium. Some of these devices include personal computers, laptops, tablets, servers, switches, routers, firewalls, load balancers, wireless access points, and any other devices that rely on transmitting data. The components typically managed daily by a network administrator are switches, routers, wireless access points, DHCP/DNS servers, IP address provisioning, documenting/diagramming the network, monitoring bandwidth usage, and maintaining copper/fiber cable plants.

Cisco UC on UCS

One of our latest projects at work is moving from Centrex to Cisco Unified Communications (UC). I was assigned quite a few tasks for this project. One of the first was getting our two UCS C240 rack mount servers going. Our purchase was part of a larger order, so our UCS rack mount servers came as bare metal; no ESXi or UC components were pre-installed. I originally wanted to install ESXi on the Cisco FlexFlash SD card, but then found out that UC on UCS doesn’t recommend that configuration. I also found out that Cisco recommends creating two RAID 5 arrays across the 16 drives in our C240s.

If you want to stay on a Cisco Tested Reference Configuration (TRC), then I would recommend that you check out this Cisco page for reference:


Extreme Networks Midwest Roundtable

Around the Table

I recently attended the Extreme Networks Midwest Roundtable event. These small events are good to attend, as they promote great technical discussions, company vision, and product road-maps. They also give current customers a chance to speak up about the features we are looking for in new products, and let interested potential customers interact with real-world current customers.

Here are some thoughts that I captured from the guest speakers:

How much do we as administrators spend on just maintaining our current infrastructure? – Dan Dulac
How can we use IT to drive business outcomes? – Dan Dulac
Here’s a good one. Netflix sucks when I tried using it on xyz’s network, therefore xyz sucks. Brand perception is highly important. – Dan Dulac

These discussions led into Mike Lebovitz talking about Extreme Networks “Purview”. Purview is classified as an application intelligence device that lets you see analytic data from your network.

Extreme Analytics Layer 7 Visibility

Application visibility

In a nutshell, you get layer 7 visibility across your entire network. Granted, you will need a specific line of Extreme Networks switches to use it, but if you currently use Extreme Networks gear, I can see this being another really useful tool. I’m still waiting to see whether you will be able to enforce bandwidth/traffic shaping policies on edge ports based on L7 traffic. Some environments can benefit greatly from knowing what’s being used on their networks, which ties into answering some of Dan Dulac’s questions above. We would benefit from the ability to shape traffic in our current environment. We currently use an Allot NetEnforcer, which works great. However, this device sits and enforces at the border of our network and will need a periodic hardware refresh from time to time. If we could leverage Extreme Analytics with our existing Extreme Networks equipment and enforce closer to the edge ports, that would be great.

Unified Extreme Networks Operating System

A few side notes: Extreme Networks will be moving to a unified OS, which will be the current Extreme OS, or XOS. For those of you who don’t know, Extreme Networks recently purchased Enterasys. I’m excited to see the product merging that’s currently going on. The Enterasys dynamic policy (L2-L4 dynamic ACL) features will also be migrated to the Extreme line of equipment that can support it. Extreme Networks will also be building upon Enterasys NetSight, which is what we currently use to manage our network gear.

Overall, the roundtable was a pretty neat event. It’s typically held in the fall around the downtown Milwaukee area, for those who are interested in attending next year.

To cert or not to cert…

I have been pondering the thought of gaining some additional certifications for quite some time now. My good friend Shane recently asked what my thoughts were on certifications. I currently hold only two certificates myself: Enterasys Switch Specialist and the ITIL Foundation certification. Both the tests and the training were funded by my employer. If your employer offers to pay for classes and for the test, then by all means do not pass up the opportunity.

I think the real question in everyone’s mind is how much a certificate will help me out. This thought may come to us when we are thinking about seeking different career opportunities or when we receive additional job responsibilities. As far as the first scenario goes, I have been on both the hiring and the seeking sides within the IT industry. Certifications definitely help solidify choices, although I truly believe that experience trumps certificates. Here’s why. You can have someone who barely knows networking. They have tinkered around with home networks and possibly the one switch/router at work. They go home and study for 6 weeks straight. They practice hammering away at the Cisco CLI. They take the CCNA test and pass it. I’m not dismissing that accomplishment; it’s a difficult task and deserves recognition. I don’t even have CCNA status. Here’s my point: if you don’t use it, you lose it. If that person doesn’t work with Cisco every day, chances are that they will lose it. Which one would you hire? The person with 10 years of reputable experience, or the person with 1 year of experience and their CCNA?

Now I know I’m probably getting criticism on that one, but hey, that’s just my opinion. OK, now you’re asking why the person with 10 years of reputable experience doesn’t just go out and get the CCNA. Valid question. If you work with Cisco all day long, then that’s probably a good idea. If you’re not a Cisco shop, you’ll have to study a little. The bottom line is value. If you’re starting to look for another job, then getting your CCNA won’t hurt. If you’re crunched for time with work, family, and other things like me, and are content with where you’re at, then maybe you don’t want to spend the extra money, time, and pressure of test taking going after your CCNA right now.

This same theory can be applied to other certificates. If your job is ramping up your responsibilities, then it never hurts to ask them to pay for a boot camp course. It will benefit both you and your company. If you’re feeling froggy, study the material a little more and go take the test. You can’t lose at that point. Your new job responsibilities will get you the solid experience you need. If you fail the test the first time, don’t get discouraged. You’ll at least know where to brush up, and you’ll continue to build your skills at work.

In the meantime, have fun learning. It never hurts to learn or to push yourself with the challenge of obtaining a cert. If you can’t afford those expensive books, like me, then try using Safari Books. There are also lots of trial VM solutions out there now that can help you create a nice lab environment relatively cheaply (F5 Virtual Edition, Brocade Vyatta, Cisco CSR1000V). GNS3 is also a nice tool to have; just remember to buy yourself a cheap router from eBay with an IOS image. I’m not going to condone any illegal practices. Have fun!!!

Another round of great IT web resources

Check out the new list of great IT web resources below. I’ve also started to use Twitter to get involved with the network/wifi community. I don’t really like how Twitter works, but that’s where lots of tech enthusiasts are going. The user interface on my Nexus 4 Android is not very intuitive, but once you figure it out, it’s a great resource. The good thing is that there’s not too much to figure out.

The hardest thing is getting followers, but hey, start posting worthy comments and you might catch a few.

IT Resource list:
chinog.org Chicago Network Operators Group
http://packetpushers.net/ You can find some great podcasts here.
http://www.packetlife.net/ There’s an extensive list of tools in the armory section.
http://www.networkstatic.net/ Great info on SDN.
http://www.selil.com/ Purdue Prof, great insight.
http://www.shanekillen.com/ Shane blogs very often. Worth the visit.
http://www.revolutionwifi.net/ A great wifi gem.

Useful Network Administrator Tools

My boss asked me to submit a list of “inexpensive” network admin tools that would help us manage and maintain the wired and wireless network on campus. Here are a few tools that would be nice to have:

Throwing star (passive Ethernet) LAN tap

Check out the throwing star. The design allows for inline tapping at 10/100 speeds only; capacitors within the circuit force the speed down to 100Mbps. Wireshark, here I come.

Cheap 2.4GHz/5GHz wireless CPE with spectrum analyzer

The Ubiquiti NanoStation AP/client wireless device will provide you with a full-blown spectrum analyzer. You would have to create your own PoE battery pack to be mobile, but the price is right: it’s cheap. Remember, you get what you pay for. If you can afford something more expensive, try MetaGeek’s Chanalyzer Pro software. These spectrum analyzers can help identify issues with wireless channel planning and possible wireless interference.

Raspberry Pi Remote Wifi Network Monitoring

Buy yourself a Raspberry Pi from Adafruit. It comes with everything you need to deploy a remote monitoring agent. Load up SmokePing and put it in client mode. Connect it back to your SmokePing server and monitor stats like DNS, web, mail, and a host of other services. You could also load tshark and use your throwing star tap for a remote packet capturing device. You can also use the included wifi adapter to test your wifi network in remote buildings. iPerf can also be installed to perform wired and wireless speed tests. This would make for a great wifi admin tool.

x86 based tablet

Everyone loves tablets, but in order to run Wireshark effectively, and a host of other applications natively, you need an x86 device running Windows. There are a few nice tablet options out there. The MS Surface Pro 2 comes in at $899 plus the cost of the keyboard. The base model includes an i5, 64GB SSD, and 4GB RAM, coming in at 2lbs. HP just released the HP Pro x2 410 G1 tablet, which comes in at $999 and includes a keyboard. You get the i5 and 4GB RAM, but a larger 128GB SSD. The weight without the keyboard comes in at 1.81lbs. The only downside is that you’re limited to 4GB of RAM. I wish Apple would come out with a tablet MacBook already. I would prefer Apple because you can easily capture raw 802.11 frames without doing much work, along with UNIX under the hood. Apple also gives you the ability to Boot Camp Windows as well. They are just a tad bit expensive. We will most likely end up going with HP, as it’s our vendor of choice. Oh, and don’t forget to buy an Ethernet dongle as well.

Some great IT web resources…update

I figured that I would share with you a few sites that I typically check out through the week. One great site has a live video feed of their event going on, Tech Field Day. Check it out at www.techfieldday.com

Here are some other great sites:

www.nanog.org/archives/presentations – search through the presentation archives to find some great presentation slides and videos.