Cisco Switch Integration Guide Aug2017
Cisco Switch Integration Guide
Abstract: This document describes how to use a Cisco switch as an edge enforcement point in Extreme
Management Center (formerly NetSight). The intended audience for this document is an Extreme
Networks employee or partner with an Extreme Management Center certification.
Contents
Overview
Test Environment
Part 1: Configure the Cisco Switch
  Step 1: Configure SNMP
  Step 2: Configure RADIUS
  Step 3: Configure the VLANs and/or ACLs for Enforcement
  Step 4: Configure the Interfaces for Authentication
Overview
There are five phases to integrating Cisco switches into Extreme Management Center (EMC, formerly NetSight):
1. All clients must authenticate to the Extreme Access Control (formerly NAC) engine using RADIUS. This can be
either 802.1X or MAC authentication. In a Cisco network, MAC authentication is called MAC Authentication
Bypass. This is the bare minimum required for the end system to be visible within EAC.
2. Enforcement must be applied via RADIUS attributes. The standard method for this is to use VLANs according to
RFC 3580. However, sometimes that can result in users having stale IP addresses after being moved between
VLANs. The other method used for the Cisco wireless LAN controller (WLC) is the passing of dynamic Access
Control Lists (ACLs) and Vendor Specific Attributes (VSAs), both of which can be used to provision users’
access dynamically.
3. A way is needed to re-authenticate devices on demand. The standards-based method of doing this is by using
RFC 3576 (also known as RFC 5176) to dynamically send a re-authentication via RADIUS. This is also known as a
CoA (Change of Authorization) or POD (Packet of Disconnect). EAC also has native support for Cisco’s
Reauthentication MIB, which can be used in place of RFC 3576.
4. A way is needed to redirect users’ web traffic in the case of registration or remediation. Typically, policy-based
routing is used if specific attributes can be set to single out an unregistered or quarantined user’s web traffic.
However, it hasn’t yet been discovered how to do this on Cisco. Instead, the DNS proxy redirection solution is
used. This solution spoofs DNS responses to the client when the user needs to be redirected. Note that this
functionality also requires a change to the DHCP scope to assign the EAC Gateway as a secondary DNS server.
5. Router SNMP queries need to be configured in order to verify an IP address of a connecting device. The IP
address will be discovered via DHCP snooping. However, it sometimes needs to be verified by querying the ARP
cache of the router.
Test Environment
• Extreme Management Center (NetSight) and Extreme Access Control (EAC) version 4.4.0.95
• Cisco 2960 version 12.2(58)SE2
• Cisco 3750 version 12.2(55)SE2
• Cisco 3750G version 15.0(2)SE2
• Cisco 3750X version 12.2(58)SE2
The first set of commands creates ‘aaa’ rules. These need to be carefully evaluated when applying them, as it is quite
easy to deny existing Telnet, SSH, or console access to the switch. Note whether any of these commands are already
present and adjust the commands accordingly. If no ‘aaa’ commands are present, the following commands will need
to be added:
aaa new-model
aaa authentication login default local
aaa authentication enable default enable none
!Repeat this command for all EAC engines the switch will authenticate against.
radius-server host 192.168.200.35 auth-port 1812 acct-port 1813 test username test-radius key ETS_TAG_SHARED_SECRET
After defining the EAC engines, add them to a group that can be used in the ‘aaa’ configuration:
aaa group server radius EAC
!Add any other EAC engines here
server 192.168.200.35 auth-port 1812 acct-port 1813
Define a few more RADIUS options for the switch to make the EAC process operate smoothly:
!Set the source interface for the RADIUS traffic to be the management interface
ip radius source-interface vlan 20
To preconfigure VLANs, enter the following commands for each applicable VLAN. Defining the VLAN ID and name
gives the option to use either the ID or name within EAC as well.
vlan 98
name Quarantine
To preconfigure the ACLs, enter the following commands for each applicable ACL. Note that the ACL names cannot
contain spaces.
ip access-list extended Unregistered
permit ip any host 192.168.200.35
deny udp any any eq domain
permit ip any any
Appendix A: Example ACLs for the Cisco Switch contains a list of example default ACLs that can be used as a
starting point.
Note
According to Cisco’s documentation, “For any ACL configured for multiple-host mode, the source
portion of statement must be any. (For example, permit icmp any host 10.10.1.1.)” This is also
believed to be true for multi-auth mode as well. If this rule is not followed, authorization will fail.
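As an added example (not part of the original guide), the following Python checker parses an ACL script in the Appendix A format and flags the two mistakes this section warns about: an ACE whose source portion is not `any`, and an ACL name containing a space. The sample script is constructed; `%EACIP%` is the guide's own placeholder.

```python
import re
from typing import Dict, List

# Constructed sample in the Appendix A script format; the second ACL is deliberately
# wrong so the checker has something to report.
SAMPLE_ACL_SCRIPT = """\
ip access-list extended Unregistered
permit ip any host %EACIP%
permit udp any any eq bootps
deny icmp any any
ip access-list extended Bad Example
permit tcp host 10.1.1.5 any eq 443
permit ip 10.1.0.0 0.0.255.255 any
permit ip any any
"""

ACL_HEADER = re.compile(r"^\s*ip access-list extended\s+(.+?)\s*$")
ACE_LINE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(\S+)")


def ace_source(args: List[str]) -> str:
    """Source portion of an ACE: 'any', 'host A.B.C.D', or 'network wildcard'."""
    if args[0] == "any":
        return "any"
    return " ".join(args[:2])  # 'host X' or 'addr mask'


def parse_acls(script: str) -> Dict[str, List[str]]:
    """Map each ACL name to its ACE lines; non-ACL lines such as 'conf t' are ignored."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in script.splitlines():
        head = ACL_HEADER.match(line)
        if head:
            current = head.group(1)
            acls[current] = []
        elif current is not None and ACE_LINE.match(line):
            acls[current].append(line.strip())
    return acls


def check_acls(script: str) -> Dict[str, List[str]]:
    """Return ACL name -> problems: a name with spaces, or an ACE whose source is not 'any'."""
    findings: Dict[str, List[str]] = {}
    for name, aces in parse_acls(script).items():
        problems = []
        if " " in name:
            problems.append(f"name contains a space: {name!r}")
        for ace in aces:
            _, _, *args = ace.split()  # action, protocol, then source/destination tokens
            if ace_source(args) != "any":
                problems.append(f"source is {ace_source(args)!r}, must be 'any': {ace}")
        if problems:
            findings[name] = problems
    return findings
```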
These commands will most likely need to be merged with existing commands on each interface. The interface
range command can also be used to modify multiple interfaces at once.
!Re-authenticate periodically
authentication periodic
!If EAC fails, open access to the access VLAN listed above
authentication event server dead action authorize vlan 3
!If a device moves from one port to another, replace the existing session.
authentication violation replace
!Set the 802.1X timeout to 10 seconds. This can be adjusted if the 802.1X timeout is taking too long.
!If 802.1X is used in the network, though, be careful of making it too low.
dot1x timeout tx-period 10
spanning-tree portfast
1. Open Management Center and navigate to the Control > Access Control tab.
3. Select the engine you are using to monitor the Cisco switch in the Engines section.
The Engine panel displays in the right-panel.
6. Add the Cisco switch to the Management Center database, if the switch is not yet added.
• Click Add Device in the left-panel to add the switch to the Management Center database.
The Add Device window displays.
• Enter the IP Address of the switch and select the Profile with the appropriate SNMP credentials.
Note: Configure a new set of SNMP credentials on the Administration > Profiles tab.
• Click OK.
7. Select the device in the left-panel of the Add Switches to Access Control Engine Group window.
Some settings automatically populate in the right-panel based on the type of device selected.
9. Click Advanced.
The Advanced Switch Settings window displays.
11. Select the appropriate RADIUS Attributes to Send for your network.
i. Click the Menu icon in the Management Center top menu and select Legacy.
The NetSight Suite Home page displays.
iv. Select the engine you are using to monitor the switch in the left-panel and click the NAC
Configurations button.
The NAC Configurations window displays.
vi. Select the appropriate authentication mapping in the table and click the Edit selected mapping
button.
vii. Expand the Inject Authentication Attrs drop-down menu and select Edit RADIUS Attribute
Settings.
viii. There are multiple ways to determine the format of the RADIUS attributes to send back to the
switch. One way is to use the custom field. For this method, the full RADIUS attribute and value
would be entered in the custom field.
Another option is to create a new set of RADIUS attributes. Click Add and enter the correct RADIUS attributes
into the new window. The following example displays a dynamic ACL being applied from the Custom 4 field.
Another option is to assign both a VLAN and a dynamic ACL. The RADIUS attribute that assigns the ACL on the
Cisco switch is called Filter-Id. Create the following entries in the settings window. Note that the Filter-ID needs
to end with “.in” for the Cisco switch to know to assign this ACL as an inbound ACL.
Attribute Definition
Filter-Id=%CUSTOM4%.in
%CUSTOM2%
%CUSTOM3%
13. Select the new attribute in the drop-down list for RADIUS Attributes to Send when adding the switch. Press
OK to finish adding the wireless controller to EAC.
1. Navigate to the Policy Mapping Configuration panel by navigating to Configuration > Profiles > Policy
Mappings in the Access Control tab.
By default, the Policy Mappings Configuration screen shows the Basic view. This view shows only the
configurations that are being used by the switches added to EAC Manager. If both VLANs and dynamic ACLs
are used, there will be an additional column for VLAN. In this example, because Custom2, Custom3, and
Custom4 were used, they are the only additional fields to be shown for each dynamic ACL.
To modify an existing mapping, either click the Edit button or double-click an existing entry.
2. Enter the appropriate dynamic ACL name in the Custom4 field. Since the custom attribute created for the
switch was Filter-Id=%CUSTOM4%.in, the resulting attribute to be passed back from the example below will be
Filter-Id=GuestAccess.in. Leave the Custom2 and Custom3 fields empty.
To configure router lookups for IP resolution, open the Advanced EAC Configuration screen and navigate to
Appliance Configuration as shown previously. On the IP Resolution screen, select the appropriate SNMP profile for
the router. If one is not already created, create a set of SNMP credentials in Extreme Management Center (NetSight)
that can be used with the router. If the switch and router(s) share the same SNMP credentials, you can skip this step
because the default action is to use the same SNMP credentials as the switch.
Appendix A: Example ACLs for the Cisco Switch
Note
The ACLs are currently configured for a format that can be used in the Extreme Management Center (NetSight)
Console’s Command Script Utility. However, they could also be copied and pasted into a console session with the
wireless controller. If you use copy/paste, be sure to change the %EACIP% variable to the real IP address of the EAC
engine.
terminal length 0
enable
%ENABLEPSWD%
conf t
ip access-list extended Administrator
permit ip any any
ip access-list extended Assessing
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended DenyAccess
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended EnterpriseUser
permit ip any any
ip access-list extended Failsafe
permit ip any any
ip access-list extended GuestAccess
permit ip any any
ip access-list extended Notification
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended Quarantine
permit ip any host %EACIP%
permit udp any any eq bootps
ip access-list extended Unregistered
permit ip any host %EACIP%
permit udp any any eq bootps
deny icmp any any
end
Define the IP phone in an End Systems group within EAC, and have an EAC profile and policy assigned specifically to
the IP phone.
Create a dynamic ACL for the IP phone. In the switch configuration, each interface that a phone could be on should
have the following command, where the Voice VLAN being used is substituted appropriately:
switchport voice vlan 40
With that command on the interface, configure EAC to send back the following attributes in either the Custom2 or
Custom3 RADIUS attribute column:
cisco-avpair=device-traffic-class=voice
The policy mapping should be similar to this:
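As an added example (not part of the original guide), this Python function shows how the attribute templates from the RADIUS Attribute Settings window (Filter-Id=%CUSTOM4%.in, %CUSTOM2%, %CUSTOM3%) expand for the guest mapping in the policy mapping section and for the IP phone mapping above. The drop-empty rule and the ACL name IPPhone are assumptions; the templates and the cisco-avpair value are the guide's.

```python
import re
from typing import Dict, List, Tuple

# Attribute templates exactly as the guide enters them in the RADIUS Attribute Settings window
ATTRIBUTE_TEMPLATES = ["Filter-Id=%CUSTOM4%.in", "%CUSTOM2%", "%CUSTOM3%"]

PLACEHOLDER = re.compile(r"%(CUSTOM[1-4])%")


def render_attributes(templates: List[str], custom: Dict[str, str]) -> List[Tuple[str, str]]:
    """Expand %CUSTOMn% placeholders from a policy mapping into (attribute, value) pairs.

    Assumed rule (not stated in the guide): a template that references an empty custom
    field is dropped entirely, so neither 'Filter-Id=.in' nor a bare empty string is sent.
    """
    rendered: List[Tuple[str, str]] = []
    for tmpl in templates:
        refs = PLACEHOLDER.findall(tmpl)
        if any(not custom.get(ref, "").strip() for ref in refs):
            continue
        text = PLACEHOLDER.sub(lambda m: custom[m.group(1)].strip(), tmpl)
        # Split only at the first '=': cisco-avpair values themselves contain '='
        name, sep, value = text.partition("=")
        if not sep:
            continue  # a value with no attribute name cannot be sent
        rendered.append((name, value))
    return rendered


# Guest mapping from Step 2 of the policy mapping section: only Custom4 is filled in
GUEST_MAPPING = {"CUSTOM2": "", "CUSTOM3": "", "CUSTOM4": "GuestAccess"}
# IP phone mapping: the avpair is the guide's, the ACL name IPPhone is a constructed example
PHONE_MAPPING = {"CUSTOM2": "cisco-avpair=device-traffic-class=voice", "CUSTOM4": "IPPhone"}
```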
To enable DHCP snooping, first enable it on all VLANs that will be snooped. Then enable it globally.
ip dhcp snooping vlan 3-4,40,52,98
ip dhcp snooping
After DHCP snooping is enabled globally, add the following command for the uplink port from which the DHCP
server messages will arrive:
ip dhcp snooping trust
Use this command to show the DHCP snooping configuration:
show ip dhcp snooping
Use this command to show the DHCP snooping binding table:
show ip dhcp snooping binding
Appendix D: Troubleshooting
When troubleshooting a Cisco switch, a few commands can be used to verify what is happening on it.
The following command shows the output of the authenticated session. Note that the domain will be either VOICE
or DATA depending on whether the cisco-avpair attribute was passed back. Also note the Filter-Id that is
assigned.
Cisco2960#show authentication sessions interface fa 0/4
Interface: FastEthernet0/4
MAC Address: 0021.70aa.1d5f
IP Address: 192.168.3.151
User-Name: 002170aa1d5f
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Filter-Id: GuestAccess
Session timeout: N/A
Idle timeout: N/A
Common Session ID: C0A814180000000000F1DDCA
Acct Session ID: 0x00000005
Handle: 0xDA000001
Method State
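As an added example (not part of the original guide), this Python snippet parses the show authentication sessions output above and compares it with what EAC was configured to send, so the Filter-Id and DATA/VOICE domain checks described in this appendix can be scripted across many ports. The sample is copied from the output shown above; the comparison rules (suffix stripping, expected domain) are assumptions drawn from this guide.

```python
import re
from typing import Dict, List

# Sample copied from the guide's 'show authentication sessions interface fa 0/4' output
SAMPLE_SESSION = """\
Interface: FastEthernet0/4
MAC Address: 0021.70aa.1d5f
IP Address: 192.168.3.151
User-Name: 002170aa1d5f
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: in
Authorized By: Authentication Server
Vlan Group: N/A
Filter-Id: GuestAccess
Session timeout: N/A
Idle timeout: N/A
"""


def parse_session(output: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of the show command into a dict; other lines are ignored."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def check_session(fields: Dict[str, str], sent_filter_id: str, voice: bool = False) -> List[str]:
    """Compare a parsed session with what EAC sent; an empty list means it matches.

    The switch shows the Filter-Id without the '.in' suffix EAC sends, so the suffix is
    stripped before comparing. A phone session is expected in the VOICE domain.
    """
    issues: List[str] = []
    if fields.get("Status") != "Authz Success":
        issues.append(f"status is {fields.get('Status')!r}, expected 'Authz Success'")
    if fields.get("Authorized By") != "Authentication Server":
        issues.append(f"authorized by {fields.get('Authorized By')!r}, not the RADIUS server")
    expected_acl = re.sub(r"\.(in|out)$", "", sent_filter_id)
    if fields.get("Filter-Id") != expected_acl:
        issues.append(f"Filter-Id is {fields.get('Filter-Id')!r}, expected {expected_acl!r}")
    expected_domain = "VOICE" if voice else "DATA"
    if fields.get("Domain") != expected_domain:
        issues.append(f"domain is {fields.get('Domain')!r}, expected {expected_domain}")
    return issues
```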
You can use the following commands to enable debug logging on the switch.
debug radius authentication
Revision History
Version | Date | Author | Changes
0.1 | April 15, 2012 | Massimiliano Macri, Enterasys Networks | Original draft.
0.2 | February 27, 2013 | Tyler Marcotte, Enterasys Networks | Changed format. Added more details around functionality and integration to EAC.
0.3 | March 7, 2013 | Tyler Marcotte, Enterasys Networks | Added note about restrictions of ACLs that are defined.
0.4 | August 10, 2017 | Susan Verona, Larry Kunz, John Moore, Extreme Networks | Revised to update product brand names (NAC to EAC) and update procedures and screen shots to reflect product changes.
This document and the information contained herein are intended solely for informational use. Extreme Networks
makes no representation or warranties of any kind, whether expressed or implied, with respect to this information
and assumes no responsibility for its accuracy or completeness. Extreme Networks hereby disclaims all liability and
warranty for any information contained herein and all the material and information herein exists to be used only on
an “as is” basis. More specific information may be available on request. By your review and/or use of the information
contained herein, you expressly release Extreme Networks from any and all liability related in any way to this
information. A copy of the text of this section is an uncontrolled copy, and may lack important information or
contain factual errors.
All information herein is Copyright © Extreme Networks, Inc. All rights reserved. All information contained in this
document is subject to change without notice.
END OF DOCUMENT