Extreme Management Center®
Cisco Switch Integration Guide

Abstract: This document describes how to use a Cisco switch as an edge enforcement point in Extreme
Management Center (formerly NetSight). The intended audience for this document is an Extreme
Networks employee or partner with an Extreme Management Center certification.

Published: August 2017

Extreme Networks, Inc.


6480 Via Del Oro
San Jose, California 95119
Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com

©2017 Extreme Networks, Inc. All rights reserved.


Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names
are the property of their respective owners. All other registered trademarks, trademarks, and service marks are property of their respective owners. For additional information on
Extreme Networks trademarks, see www.extremenetworks.com/company/legal/trademarks.

Contents
Overview
Test Environment
Part 1: Configure the Cisco Switch
    Step 1: Configure SNMP
    Step 2: Configure RADIUS
    Step 3: Configure the VLANs and/or ACLs for Enforcement
    Step 4: Configure the Interfaces for Authentication
Part 2: Configure EAC for the Cisco Switch
    Step 1: Add the Cisco Switch to EAC
    Step 2: Configure the EAC Policy Mappings
    Step 3: Configure Router Lookups for IP Resolution
Appendix A: Example ACLs for the Cisco Switch
Appendix B: Considerations for VoIP Connections
Appendix C: IP Resolution Options
Appendix D: Troubleshooting
Revision History
Terms and Conditions for Use

Overview
There are five phases to integrating Cisco switches into Extreme Management Center (EMC, formerly NetSight):

1. All clients must authenticate to the Extreme Access Control (formerly NAC) engine using RADIUS. This can be
either 802.1X or MAC authentication. In a Cisco network, MAC authentication is called MAC Authentication
Bypass. This is a bare minimum to access the end system within EAC.

2. Enforcement must be applied via RADIUS attributes. The standard method for this is to use VLANs according to
RFC 3580. However, sometimes that can result in users having stale IP addresses after being moved between
VLANs. The other method used for the Cisco wireless LAN controller (WLC) is the passing of dynamic Access
Control Lists (ACLs) and Vendor Specific Attributes (VSAs), both of which can be used to provision users’
access dynamically.

3. A way is needed to re-authenticate devices on demand. The standards-based method of doing this is by using
RFC 3576 (also known as RFC 5176) to dynamically send a re-authentication via RADIUS. This is also known as a
CoA (Change of Authorization) or POD (Packet of Disconnect). EAC also has native support for Cisco’s
Reauthentication MIB, which can be used in place of RFC 3576.

4. A way is needed to redirect users’ web traffic in the case of registration or remediation. Typically, policy-based
routing is used if specific attributes can be set to single out an unregistered or quarantined user’s web traffic.
However, it hasn’t yet been discovered how to do this on Cisco. Instead, the DNS proxy redirection solution is
used. This solution spoofs DNS responses to the client when the user needs to be redirected. Note that this
functionality also requires a change to the DHCP scope to assign the EAC Gateway as a secondary DNS server.

5. Router SNMP queries need to be configured in order to verify an IP address of a connecting device. The IP
address will be discovered via DHCP snooping. However, it sometimes needs to be verified by querying the ARP
cache of the router.
Note: If VLAN-based enforcement is to be used, policy-based routing should be used. It is still the best method
for redirection.

Test Environment
• Extreme Management Center (NetSight) and Extreme Access Control (EAC) version 4.4.0.95
• Cisco 2960 version 12.2(58)SE2
• Cisco 3750 version 12.2(55)SE2
• Cisco 3750G version 15.0(2)SE2
• Cisco 3750X version 12.2(58)SE2

Part 1: Configure the Cisco Switch


The first section covers configuring the Cisco switch to be monitored by Extreme Management Center (EMC,
formerly NetSight) and configuring EAC for use as a RADIUS server. All configurations are done by command line. It
is assumed that the console has access to the switch.

Step 1: Configure SNMP


For EMC to manage the switch, it needs to have SNMP read/write capabilities configured. We highly recommend
that, if possible, the Cisco switch be configured to use SNMPv3. SNMPv3 has many advantages over v1 and v2,
including security of communication and performance.

To configure SNMPv3 on a Cisco switch, enter the following commands:


snmp-server group V3Group v3 auth read V3Read write V3Write
snmp-server user snmpuser V3Group v3 auth md5 snmpauthcred priv des snmpprivcred
snmp-server view V3Read iso included
snmp-server view V3Write iso included

Step 2: Configure RADIUS


So that the Cisco switch can authenticate against EAC, the EAC engine must be configured as a RADIUS server on
the switch. This requires a few sets of commands on the switch.

The first set of commands creates ‘aaa’ rules. These need to be carefully evaluated when applying them, as it is quite
easy to deny existing Telnet, SSH, or console access to the switch. Note if any of these commands are already
present and adjust the commands accordingly. If no ‘aaa’ commands are present, the following commands will need
to be added:
aaa new-model
aaa authentication login default local
aaa authentication enable default enable none

!Add a username to log into the switch locally
username admin privilege 15 password 0 MyPassword123

Use the following commands to add the EAC engine as a RADIUS server. Note that the RADIUS shared secret will
always be ETS_TAG_SHARED_SECRET. The test username is used to verify that an EAC engine is still alive after a
default period of 60 minutes. This account does not need to exist; the switch is only looking for a response from the
server.
!Add a test account for RADIUS connectivity checks
username test-radius privilege 0 password 0 BadPass123

!Repeat this command for all EAC engines the switch will authenticate against.
radius-server host 192.168.200.35 auth-port 1812 acct-port 1813 test username test-radius key ETS_TAG_SHARED_SECRET
After defining the EAC engines, add them to a group that can be used in the ‘aaa’ configuration:
aaa group server radius EAC
!Add any other EAC engines here
server 192.168.200.35 auth-port 1812 acct-port 1813
Define a few more RADIUS options for the switch to make the EAC process operate smoothly:
!Set the source interface for the RADIUS traffic to be the management interface
ip radius source-interface vlan 20

radius-server attribute nas-port format c
radius-server vsa send authentication
radius-server vsa send accounting
radius-server dead-criteria time 30 tries 3
Add the ‘aaa’ rules for the switch to authenticate users against the EAC engines:
aaa authentication dot1x default group EAC
aaa authorization network default group EAC
aaa accounting dot1x default start-stop group EAC
aaa accounting update periodic 5
Add the following commands to enable RFC 3576 support. This is not required for EAC, but it can be useful if
problems arise with re-authentication:
!Time needs to be accurate for RFC 3576 to function properly.
ntp server 192.168.200.155

aaa server radius dynamic-author
!Add any other EAC engines here
server 192.168.200.35 server-key ETS_TAG_SHARED_SECRET
auth-type any
Add the following global commands to make the authentication process run a bit more smoothly:
!Time to wait in ms after the EAC comes back online
authentication critical recovery delay 1000

!Allows a device to move between ports on a switch and still be authenticated
authentication mac-move permit

!Allows devices to connect to the network even if EAC is down
dot1x critical eapol

!Enables internal tracking of IP addresses on the switch
ip device tracking

!Turns on logging for internal ‘policy’ functions
epm logging

Step 3: Configure the VLANs and/or ACLs for Enforcement


There are two enforcement methods for devices attaching to a Cisco switch: passing back dynamic VLANs or
passing back dynamic ACLs. Both the VLANs and the ACLs must exist on the switch before they can be dynamically
assigned.

To preconfigure VLANs, enter the following commands for each applicable VLAN. Defining the VLAN ID and name
gives the option to use either the ID or name within EAC as well.
vlan 98
name Quarantine
To preconfigure the ACLs, enter the following commands for each applicable ACL. Note that the ACL names cannot
contain spaces.
ip access-list extended Unregistered
permit ip any host 192.168.200.35
deny udp any any eq domain
permit ip any any
Appendix A: Example ACLs for the Cisco Switch contains a list of example default ACLs that can be used as a
starting point.

Note: According to Cisco’s documentation, “For any ACL configured for multiple-host mode, the source
portion of statement must be any. (For example, permit icmp any host 10.10.1.1.)” This is
believed to be true for multi-auth mode as well. If this rule is not followed, authorization will fail.

Step 4: Configure the Interfaces for Authentication


Each interface that will be connected to an end system should have authentication enabled in order to be visible in
EAC. Note that the commands below assume that both 802.1X and MAC authentication will be used on the wire. If
802.1X will not be used, it can be removed from the command list.

These commands will most likely need to be merged with existing commands on each interface. The interface
range command can also be used to modify multiple interfaces at once.

interface GigabitEthernet 1/0/10
switchport mode access
switchport access vlan 3

!Allows traffic before authentication is completed.
authentication open

!Printers seem to have issues without this command turned on.
authentication control-direction in

!Allow multiple devices to authenticate to a single port.
authentication host-mode multi-auth

!Re-authenticate periodically.
authentication periodic

!Listen to session-timeout information from EAC.
authentication timer reauthenticate server

!If 802.1X fails, use MAC authentication.
authentication event fail action next-method

!If EAC fails, open access to the access VLAN listed above.
authentication event server dead action authorize vlan 3

!When EAC comes back online, re-authenticate.
authentication event server alive action reinitialize

!Use 802.1X first if available, then MAC authentication bypass.
authentication order dot1x mab
authentication priority dot1x mab

!If a device moves from one port to another, replace the existing session.
authentication violation replace

!Enable MAC authentication bypass and 802.1X.
mab
dot1x pae authenticator

!Set 802.1X timeout to 10 seconds. This can be adjusted if 802.1X timeout is taking too
!long. If 802.1X is used in the network, though, be careful of making it too low.
dot1x timeout tx-period 10

!Set port as an edge port for Spanning Tree.
spanning-tree portfast

!Enable authentication on this port.
authentication port-control auto
After entering all of these commands an interface should look similar to this:
interface GigabitEthernet1/0/10
switchport access vlan 3
switchport mode access
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 3
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
If 802.1X will be used, enter one last command to globally enable 802.1X on the switch:
dot1x system-auth-control
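
The following Python script is an added example, not part of the original guide or of any Extreme Networks or Cisco tool. It checks a candidate switch configuration against the Step 4 interface commands before it is pasted into a console, flagging missing lines, misspelled authentication commands, and a server-dead VLAN that differs from the access VLAN. It assumes both 802.1X and MAC authentication are in use; the sample configuration and the function names are constructed for illustration.

```python
import re

# Interface commands from Step 4, assuming both 802.1X and MAB are in use.
REQUIRED = [
    "switchport mode access",
    "authentication control-direction in",
    "authentication event fail action next-method",
    "authentication event server alive action reinitialize",
    "authentication host-mode multi-auth",
    "authentication open",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "authentication port-control auto",
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication violation replace",
    "mab",
    "dot1x pae authenticator",
    "spanning-tree portfast",
]
ACCESS_RE = re.compile(r"switchport access vlan (\d+)$")
DEAD_RE = re.compile(r"authentication event server dead action authorize vlan (\d+)$")

# Constructed candidate config: port 10 follows the guide, port 11 does not.
SAMPLE = (
    "dot1x system-auth-control\n!\n"
    "interface GigabitEthernet1/0/10\n"
    " switchport access vlan 3\n"
    " authentication event server dead action authorize vlan 3\n"
    + "".join(" %s\n" % cmd for cmd in REQUIRED)
    + "!\ninterface GigabitEthernet1/0/11\n"
    " switchport access vlan 3\n"
    " switchport mode access\n"
    " authentication contro-direction in\n"
    " authentication event server dead action authorize vlan 4\n"
    " authentication host-mode multi-auth\n"
    " authentication open\n"
    " authentication port-control auto\n"
    " mab\n"
)


def parse_interfaces(config):
    """Split a config into global lines and {interface name: [stanza lines]}."""
    global_lines, stanzas, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and comments belong to no command
        if line.startswith("interface "):
            name = line.split(None, 1)[1].replace(" ", "")
            current = stanzas.setdefault(name, [])
        elif raw[0].isspace() and current is not None:
            current.append(line)  # indented line inside the current stanza
        else:
            current = None
            global_lines.append(line)
    return global_lines, stanzas


def audit_interface(lines):
    """Return findings for one interface stanza."""
    findings = ["missing: " + cmd for cmd in REQUIRED if cmd not in lines]
    access = dead = None
    for line in lines:
        if ACCESS_RE.match(line):
            access = ACCESS_RE.match(line).group(1)
        elif DEAD_RE.match(line):
            dead = DEAD_RE.match(line).group(1)
        elif line.startswith("authentication ") and line not in REQUIRED:
            findings.append("unrecognized: " + line)
    if dead is None:
        findings.append("missing: authentication event server dead action")
    elif dead != access:
        findings.append("dead-action vlan %s != access vlan %s" % (dead, access))
    return findings


def audit(config):
    """Return {interface: findings}; '(global)' is added if 802.1X is not enabled."""
    global_lines, stanzas = parse_interfaces(config)
    report = {name: audit_interface(lines) for name, lines in stanzas.items()}
    uses_dot1x = any("dot1x pae authenticator" in lines for lines in stanzas.values())
    if uses_dot1x and "dot1x system-auth-control" not in global_lines:
        report["(global)"] = ["missing: dot1x system-auth-control"]
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```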

Part 2: Configure EAC for the Cisco Switch


This section describes how to configure Extreme Management Center (EMC, formerly NetSight) and Extreme
Access Control (EAC, formerly NAC) to monitor the Cisco switch and use it as an edge enforcement point for EAC.

Step 1: Add the Cisco Switch to EAC


The first step in the process of integrating the Cisco switch with EAC is to add it to the Extreme Management
Center’s EAC configuration with the RADIUS attributes that should be returned to it for enforcement.

1. Open Management Center and navigate to the Control > Access Control tab.

2. Expand the Engines section in the left-panel.

3. Select the engine you are using to monitor the Cisco switch in the Engines section.
The Engine panel displays in the right-panel.

4. Click the Switches tab in the right-panel.

5. Click Add Switches.


The Add Switches to Access Control Engine Group window displays.

6. Add the Cisco switch to the Management Center database, if the switch is not yet added.

• Click Add Device in the left-panel to add the switch to the Management Center database.
The Add Device window displays.

• Enter the IP Address of the switch and select the Profile with the appropriate SNMP credentials.
Note: Configure a new set of SNMP credentials on the Administration > Profiles tab.

• Enter a Nickname for the device, if necessary.


Note: If no Nickname is entered, the device IP address is used for its name in Management Center.

• Click OK.

7. Select the device in the left-panel of the Add Switches to Access Control Engine Group window.
Some settings automatically populate in the right-panel based on the type of device selected.

8. Ensure the following fields are configured properly:

• Switch Type – Layer 2 Out-of-Band

• Primary Engine – The EAC engine used to monitor the switch

• Secondary Engine – Secondary EAC engine, if one is to be used

• Auth. Access Type – Manual RADIUS Configuration

• RADIUS Accounting – Enabled

9. Click Advanced.
The Advanced Switch Settings window displays.

10. Ensure IP Subnet for IP Resolution is None and click OK.

11. Select the appropriate RADIUS Attributes to Send for your network.

• Select RFC 3580 – VLAN ID if using dynamic VLANs.

• Select Cisco Wired Dynamic ACL if using dynamic ACLs.


If this option is not available, configure the RADIUS attributes via the legacy NAC Manager java
application.

i. Click the Menu icon in the Management Center top menu and select Legacy.
The NetSight Suite Home page displays.

ii. Click NAC Manager to download the java application.

iii. Navigate to the download path and open NAC Manager.

iv. Select the engine you are using to monitor the switch in the left-panel and click the NAC
Configurations button.
The NAC Configurations window displays.

v. Select AAA: <NAC Configuration> in the left-panel.

vi. Select the appropriate authentication mapping in the table and click the Edit selected mapping
button.

The Edit User to Authentication Mapping window displays.

vii. Expand the Inject Authentication Attrs drop-down menu and select Edit RADIUS Attribute
Settings.

The RADIUS Attribute Settings window displays.

viii. There are multiple ways to determine the format of the RADIUS attributes to send back to the
switch. One way is to use the custom field. For this method, the full RADIUS attribute and value
would be in the custom field.

Another option is to create a new set of RADIUS attributes. Click Add and enter the correct RADIUS attributes
into the new window. The following example displays a dynamic ACL being applied from the Custom 4 field.

Another option is to assign both a VLAN and a dynamic ACL. The RADIUS attribute that assigns the ACL on the
Cisco switch is called Filter-Id. Create the following entries in the settings window. Note that the Filter-Id needs
to end with “.in” for the Cisco switch to know to assign this ACL as an inbound ACL.

Attribute Definition

Filter-Id=%CUSTOM4%.in
%CUSTOM2%
%CUSTOM3%

12. Restart Management Center after creating the new attribute.

13. Select the new attribute in the drop-down list for RADIUS Attributes to Send when adding the switch. Press
OK to finish adding the wireless controller to EAC.

Step 2: Configure the EAC Policy Mappings


The next step to integrating with the Cisco switch is to configure Extreme Access Control (EAC, formerly NAC) to
send back different dynamic ACLs or VLANs based on the determined state and policy of the end system.

1. Open the Policy Mapping Configuration panel by navigating to Configuration > Profiles > Policy
Mappings in the Access Control tab.

By default, the Policy Mappings Configuration screen shows the Basic view. This view shows only the
configurations that are being used by the switches added to EAC Manager. If both VLANs and dynamic ACLs
are used, there will be an additional column for VLAN. In this example, because Custom2, Custom3, and
Custom4 were used, they are the only additional fields to be shown for each dynamic ACL.

To modify an existing mapping, either click the Edit button or double-click an existing entry.

2. Enter the appropriate dynamic ACL name in the Custom4 field. Since the custom attribute created for the
switch was Filter-Id=%CUSTOM4%.in, the resulting attribute to be passed back from the example below will be
Filter-Id=GuestAccess.in. Leave the Custom2 and Custom3 fields empty.
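
The following Python script is an added example, not part of the original guide or of EAC. It renders the Filter-Id attribute from the Custom4 value of each policy mapping and checks the result against the rules stated in Part 1, Step 3 and in this step: the ACL must already exist on the switch, its name cannot contain spaces, the attribute must end with ".in", and every ACL entry must use any as its source. The switch configuration, the policy mappings and the function names are constructed for illustration.

```python
import re

# Constructed sample of ACLs on the switch, in the style of Step 3 and Appendix A.
SWITCH_CONFIG = """\
ip access-list extended GuestAccess
 permit ip any any
ip access-list extended Unregistered
 permit ip any host 192.168.200.35
 deny udp any any eq domain
 permit ip any any
ip access-list extended Printers
 permit ip host 192.168.3.50 any
"""

# Constructed policy mappings: EAC policy name -> value of the Custom4 field.
POLICY_MAPPINGS = {
    "Guest Access": "GuestAccess",
    "Unregistered": "Unregistered",
    "Printer": "Printers",
    "Quarantine": "Quarantine",
    "Contractor": "Contractor Access",
}

TEMPLATE = "Filter-Id=%CUSTOM4%.in"  # attribute definition from Part 2, Step 1

# action, protocol, then the source: "any", "host <ip>" or "<ip> <wildcard>"
ACE_RE = re.compile(r"(permit|deny)\s+\S+\s+(any\b|host\s+\S+|\S+\s+\S+)")


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for each 'ip access-list extended' block."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"ip access-list extended (\S+)$", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and ACE_RE.match(line):
            current.append(line)
        elif line and not line.startswith("!"):
            current = None  # any other command ends the ACL block
    return acls


def ace_source(entry):
    """Return the source portion of an ACL entry, e.g. 'any' or 'host 10.1.1.1'."""
    return " ".join(ACE_RE.match(entry).group(2).split())


def audit(template, mappings, acls):
    """Return sorted (policy, problem) pairs for mappings that break a stated rule."""
    findings = []
    for policy, custom4 in mappings.items():
        name, _, value = template.replace("%CUSTOM4%", custom4).partition("=")
        if name.lower() != "filter-id" or not value.endswith(".in"):
            findings.append((policy, "attribute is not Filter-Id=<acl>.in"))
            continue
        acl = value[:-len(".in")]
        if " " in acl:
            findings.append((policy, "ACL name contains a space"))
        elif acl not in acls:
            findings.append((policy, "ACL is not defined on the switch"))
        elif any(ace_source(entry) != "any" for entry in acls[acl]):
            findings.append((policy, "ACL entry source is not 'any'"))
    return sorted(findings)


if __name__ == "__main__":
    for policy, problem in audit(TEMPLATE, POLICY_MAPPINGS, parse_acls(SWITCH_CONFIG)):
        print("%-12s %s" % (policy, problem))
```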

Step 3: Configure Router Lookups for IP Resolution


The last step for integrating the Cisco switch with Extreme Access Control (EAC) is ensuring that IP resolution will
work properly. For this to happen, we highly recommend that SNMPv3 read-only credentials be configured on the
router through which users will connect. With these credentials configured, EAC can be set to do an SNMP lookup
of the ARP cache to determine whether the client has an entry there.

To configure router lookups for IP resolution, open the Advanced EAC Configuration screen and navigate to
Appliance Configuration as shown previously. On the IP Resolution screen, select the appropriate SNMP profile for
the router. If one is not already created, create a set of SNMP credentials in Extreme Management Center (NetSight)
that can be used with the router. If the switch and router(s) share the same SNMP credentials, you can skip this step
because the default action is to use the same SNMP credentials as the switch.

Note: We highly recommend that SNMPv3 be used instead of SNMPv1 or v2. SNMPv3 provides a much higher
level of security and efficiency.

Appendix A: Example ACLs for the Cisco Switch


This section contains example definitions for the ACLs that must be configured on the Cisco switch.

The ACLs are currently configured for a format that can be used in the Extreme Management Center (NetSight)
Console’s Command Script Utility. However, they could also be copied and pasted into a console session with the
wireless controller. If you use copy/paste, be sure to change the %EACIP% variable to the real IP address of the EAC
engine.
terminal length 0
enable
%ENABLEPSWD%
conf t
ip access-list extended Administrator
permit ip any any
ip access-list extended Assessing
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended DenyAccess
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended EnterpriseUser
permit ip any any
ip access-list extended Failsafe
permit ip any any
ip access-list extended GuestAccess
permit ip any any
ip access-list extended Notification
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended Quarantine
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended Unregistered
permit ip any host %EACIP%
permit udp any any eq bootps
deny icmp any any
end

Appendix B: Considerations for VoIP Connections


When an IP phone is connected to a Cisco switch port that has Extreme Access Control (EAC) enabled, the
following considerations apply.

Define the IP phone in an End Systems group within EAC, and have an EAC profile and policy assigned specifically to
the IP phone.

Create a dynamic ACL for the IP phone. In the switch configuration, each interface that a phone could be on should
have the following command, where the Voice VLAN being used is substituted appropriately:
switchport voice vlan 40
With that command on the interface, configure EAC to send back the following attributes in either the Custom2 or
Custom3 RADIUS attribute column:
cisco-avpair=device-traffic-class=voice
The policy mapping should be similar to this:

Appendix C: IP Resolution Options


IP resolution for Cisco switches is typically done when a DHCP message is discovered via DHCP relay snooping.
Sometimes, however, this can be expedited by configuring DHCP snooping on the Cisco switch. There have been
problems in the past with DHCP snooping not working properly, so if an end system is not getting an IP even
though it should be, the first thing you should remove is DHCP snooping.

To enable DHCP snooping, first enable it on all VLANs that will be snooped. Then enable it globally.
ip dhcp snooping vlan 3-4,40,52,98
ip dhcp snooping
After DHCP snooping is enabled globally, add the following command for the uplink port from which the DHCP
server messages will arrive:
ip dhcp snooping trust
Use this command to show the DHCP snooping configuration:
show ip dhcp snooping
Use this command to show the DHCP snooping binding table:
show ip dhcp snooping binding

Appendix D: Troubleshooting
When troubleshooting a Cisco switch, a few commands can be used to verify what is happening on it.

The following command shows the output of the authenticated session. Note that the domain will be either VOICE
or DATA depending on whether the cisco-avpair attribute was passed back. Also note the Filter-Id that is
assigned.
Cisco2960#show authentication sessions interface fa 0/4
Interface: FastEthernet0/4
MAC Address: 0021.70aa.1d5f
IP Address: 192.168.3.151
User-Name: 002170aa1d5f
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Filter-Id: GuestAccess
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A814180000000000F1DDCA
Acct Session ID: 0x00000005
Handle: 0xDA000001

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
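
The following Python script is an added example, not part of the original guide. It parses the session output shown above and compares it with what EAC was configured to send: the ACL named in the Filter-Id attribute and, for phones, the VOICE domain. It assumes the switch displays the Filter-Id without the ".in" suffix, as in the pairing of Filter-Id=GuestAccess.in with the output above; the function names are hypothetical.

```python
# Output of "show authentication sessions interface fa 0/4", copied from above.
SAMPLE = """\
Cisco2960#show authentication sessions interface fa 0/4
Interface: FastEthernet0/4
MAC Address: 0021.70aa.1d5f
IP Address: 192.168.3.151
User-Name: 002170aa1d5f
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Filter-Id: GuestAccess
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A814180000000000F1DDCA
Acct Session ID: 0x00000005
Handle: 0xDA000001

Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
"""


def parse_session(text):
    """Return the 'Key: value' fields plus a 'methods' dict of method -> state."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "#show " in line:
            continue  # skip blank lines and the CLI prompt line
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            name, _, state = line.partition(" ")
            if name != "Method":  # skip the table header row
                methods[name] = state.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields


def check_session(session, filter_id_sent, voice=False):
    """Compare a parsed session with the attributes EAC was set up to return.

    filter_id_sent is the Filter-Id value from the policy mapping, for example
    "GuestAccess.in"; voice is True when cisco-avpair=device-traffic-class=voice
    was configured for the end system.
    """
    findings = []
    status = session.get("Status")
    if status != "Authz Success":
        findings.append("status is %r" % status)
    want_domain = "VOICE" if voice else "DATA"
    if session.get("Domain") != want_domain:
        findings.append("domain is %r, expected %r" % (session.get("Domain"), want_domain))
    # Assumption: the switch displays the ACL name without the ".in" suffix.
    want_acl = filter_id_sent[:-3] if filter_id_sent.endswith(".in") else filter_id_sent
    if session.get("Filter-Id") != want_acl:
        findings.append("Filter-Id is %r, expected %r" % (session.get("Filter-Id"), want_acl))
    if "Authc Success" not in session["methods"].values():
        findings.append("no method reports Authc Success")
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE)
    print(parsed["Interface"], check_session(parsed, "GuestAccess.in") or "OK")
```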

You can use the following commands to enable debug logging on the switch.
debug radius authentication
debug dot1x all
debug dot1x events
debug dot1x errors
debug epm all
debug authentication all


You can use the following command to verify the port VLAN, both statically and dynamically assigned.
show interfaces GigabitEthernet1/0/10 switchport

Revision History
Version | Date | Author | Changes
0.1 | April 15, 2012 | Massimiliano Macri, Enterasys Networks | Original draft.
0.2 | February 27, 2013 | Tyler Marcotte, Enterasys Networks | Changed format. Added more details around functionality and integration to EAC.
0.3 | March 7, 2013 | Tyler Marcotte, Enterasys Networks | Added note about restrictions of ACLs that are defined.
0.4 | August 10, 2017 | Susan Verona, Larry Kunz, John Moore, Extreme Networks | Revised to update product brand names (NAC to EAC) and update procedures and screen shots to reflect product changes.

Terms and Conditions for Use


Extreme Networks reserves all rights to its materials and the content of the materials. No material provided by
Extreme Networks to a Partner (or Customer, etc.) may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system,
or incorporated into any other published work, except for internal use by the Partner and except as may be
expressly permitted in writing by Extreme Networks.

This document and the information contained herein are intended solely for informational use. Extreme Networks
makes no representation or warranties of any kind, whether expressed or implied, with respect to this information
and assumes no responsibility for its accuracy or completeness. Extreme Networks hereby disclaims all liability and
warranty for any information contained herein and all the material and information herein exists to be used only on
an “as is” basis. More specific information may be available on request. By your review and/or use of the information
contained herein, you expressly release Extreme Networks from any and all liability related in any way to this
information. A copy of the text of this section is an uncontrolled copy, and may lack important information or
contain factual errors.

All information herein is Copyright © Extreme Networks, Inc. All rights reserved. All information contained in this
document is subject to change without notice.

For additional information refer to http://www.extremenetworks.com/company/legal/terms/

END OF DOCUMENT
