Extreme XOS (Gen2) Layer 2 Switch Integration
Note: Assigning different VLANs per policy is only supported for initial VLAN assignment.
create vlan "Auth"
configure policy captive-portal web-redirect 1 server 1 url https://x.x.x.x:8443/ enable (replace x.x.x.x with IP of NAC appliance and remove comment)
configure policy profile 2 name "sc_compliant_policy" pvid-status "enable" pvid x untagged-vlans x (replace x with VLAN ID for compliant users and remove comment)
configure policy profile 3 name "sc_guest_policy" pvid-status "enable" pvid x untagged-vlans x (replace x with VLAN ID for guest users and remove comment)
configure policy profile 4 name "sc_quarantine_policy" pvid-status "enable" pvid x web-redirect 1 (replace x with VLAN ID for quarantined users and remove comment)
configure policy profile 5 name "sc_initial_policy" pvid-status "enable" pvid x untagged-vlans 14 (replace x with VLAN ID users should be assigned when connecting for the first time and remove comment)

Note: Below is an example of networks guest clients cannot access. Modify as necessary and remove this comment.
configure policy rule 3 ipdestsocket 10.0.0.0 mask 8 drop
configure policy rule 3 ipdestsocket 172.16.0.0 mask 20 drop
configure policy rule 3 ipdestsocket 192.168.0.0 mask 16 drop

Note: Do not remove any entries below.
configure policy rule 4 udpdestportIP 67 mask 16 forward
configure policy rule 4 tcpdestportIP 53 mask 16 forward
configure policy rule 4 tcpdestportIP 80 mask 16 forward
configure policy rule 4 tcpdestportIP 443 mask 16 forward
configure policy rule 4 tcpdestportIP 8443 mask 16 forward
configure policy captive-portal listening 80
configure policy captive-portal listening 8443
configure policy captive-portal listening 443
enable policy

configure radius netlogin primary server x.x.x.x 1812 client-ip y.y.y.y vr VR-Default (replace x.x.x.x with IP of NAC appliance and y.y.y.y with non-management IP of switch; if not using VR-Default, replace with the vr used; remove comment when done)
configure radius netlogin primary shared-secret ***** (replace ***** with shared secret and remove comment)
configure radius-accounting netlogin primary server x.x.x.x 1813 client-ip y.y.y.y vr VR-Default (replace x.x.x.x with IP of NAC appliance and y.y.y.y with non-management IP of switch; if not using VR-Default, replace with the vr used; remove comment when done)
configure radius-accounting netlogin primary shared-secret ***** (replace ***** with shared secret and remove comment)
configure radius dynamic-authorization 1 server x.x.x.x client-ip y.y.y.y vr VR-Default shared-secret ***** (replace x.x.x.x with IP of NAC appliance and y.y.y.y with non-management IP of switch; if not using VR-Default, replace with the vr used; remove comment when done)
enable radius netlogin
enable radius-accounting netlogin
enable radius dynamic-authorization

enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports x:x dot1x (replace x:x with test port and remove comment)
enable netlogin ports x:x mac (replace x:x with test port and remove comment)

configure sflow sample-rate 256
configure sflow poll-interval 15
enable sflow
configure sflow collector x.x.x.x port 50001 vr "VR-Default" (replace x.x.x.x with IP of NAC appliance and remove comment)
configure sflow agent ipaddress x.x.x.x (replace x.x.x.x with IP of NAC appliance and remove comment)
configure sflow ports x:x sample-rate 256 (replace x:x with test port and remove comment)
enable sflow ports x:x ingress (replace x:x with test port and remove comment)
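The template above depends on every x.x.x.x, y.y.y.y, x:x, ***** and VLAN "x" being replaced and every "(... remove comment)" note being stripped before the lines are pasted into the switch. As an added example (not part of the integration guide or of Extreme's tooling), the Python renderer below fills those placeholders from a few values, drops the inline notes, and refuses to emit any line that still carries a placeholder or a comment. The TEMPLATE excerpt and all IPs, secret, port and VLAN IDs are constructed sample values; the mapping of profile name to VLAN ID is an assumption of this example.

```python
import re

# Constructed excerpt in the page's template format (not the full page).
TEMPLATE = """\
create vlan "Auth"
configure policy profile 2 name "sc_compliant_policy" pvid-status "enable" pvid x untagged-vlans x (replace x with VLAN ID for compliant users and remove comment)
configure policy profile 3 name "sc_guest_policy" pvid-status "enable" pvid x untagged-vlans x (replace x with VLAN ID for guest users and remove comment)
Note: Do not remove any entries below.
configure policy rule 4 tcpdestportIP 8443 mask 16 forward
configure radius netlogin primary server x.x.x.x 1812 client-ip y.y.y.y vr VR-Default (replace x.x.x.x with IP of NAC appliance and y.y.y.y with non-management IP of switch; if not using VR-Default, replace with the vr used; remove comment when done)
configure radius netlogin primary shared-secret ***** (replace ***** with shared secret and remove comment)
enable netlogin ports x:x dot1x (replace x:x with test port and remove comment)
"""

# Trailing "(replace ... comment ...)" note at the end of a command line.
COMMENT = re.compile(r"\s*\((?:replace|modify)[^)]*comment[^)]*\)\s*$", re.I)
# Policy profile lines carry their own VLAN placeholder; key them by name.
PROFILE = re.compile(r'^configure policy profile \d+ name "([^"]+)"')
# Anything that must never reach the switch: a placeholder or a leftover note.
LEFTOVER = re.compile(
    r"x\.x\.x\.x|y\.y\.y\.y|\bx:x\b|\*{5}|\bx\b|\((?:replace|modify)\b|remove (?:this )?comment",
    re.I)


def render(template, nac_ip, switch_ip, secret, test_port, vlans):
    """Return the rendered command lines, or raise ValueError on a leftover.

    vlans maps a policy profile name (e.g. "sc_guest_policy") to its VLAN ID
    (assumed convention for this example). "Note" lines are dropped."""
    out = []
    for line in template.splitlines():
        if not line.strip() or line.startswith("Note"):
            continue
        line = COMMENT.sub("", line)
        m = PROFILE.match(line)
        if m:  # fill "pvid x" / "untagged-vlans x" for this profile only
            vid = str(vlans[m.group(1)])
            line = re.sub(r"\b(pvid|untagged-vlans) x\b", r"\g<1> " + vid, line)
        line = (line.replace("x.x.x.x", nac_ip).replace("y.y.y.y", switch_ip)
                    .replace("x:x", test_port).replace("*****", secret))
        if LEFTOVER.search(line):
            raise ValueError(f"unfilled placeholder or comment: {line}")
        out.append(line)
    return out


if __name__ == "__main__":
    for cmd in render(TEMPLATE, "192.0.2.10", "192.0.2.20", "s3cr3t", "1:7",
                      {"sc_compliant_policy": 10, "sc_guest_policy": 20}):
        print(cmd)
```

A missing profile name in vlans raises KeyError, and a note that was edited but not removed still trips the LEFTOVER check, so a half-finished template fails before anything is pushed.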