Edit Switches in NAC Appliance Group Window
Use this window to change a switch's primary and secondary Extreme Access Control (Access Control) Gateway and, if desired, to edit other switch parameters, including the switch's authentication access type and the RADIUS attributes to send.
You can access this window by selecting an engine or engine group in the left-panel tree. Then, in the right-panel Switches tab, select the switches you wish to edit and click the Edit button.
- Edit Switch Type
- Use the drop-down menu to change the type of switch:
- Layer 2 Out-Of-Band - A switch that authenticates on layer 2 traffic via RADIUS to an out-of-band Access Control gateway.
- Layer 2 Out-Of-Band Data Center - A switch within a data center where virtualization and mobility are a factor. If an end-system changes location but does not move to a different Access Control engine, NAC Manager removes the end-system authentication from its prior port/switch. This allows VMs that quickly move from one server to another and then back again to still have their location updated in NAC Manager, because only one authenticated session is allowed per end-system within NAC Manager.
- Layer 2 RADIUS Only - In this mode, NAC Manager does not require any information from the switch other than the end-system MAC address (from Calling-Station-Id or User-Name). The NAS-Port does not need to be specified. If the switch supports RFC 3576, you can set the Reauthentication Behavior in the Advanced Switch Settings window. IP resolution and reauthentication may not work in this mode.
- VPN - A VPN concentrator being used in a NAC VPN deployment. In this case, you should specify one or more Policy Enforcement Points below. If you do not specify a Policy Enforcement Point, then NAC Manager is unable to apply policies to restrict access after the user is granted access.
- Edit Primary Gateway
- Use the drop-down menu to select the primary Access Control Gateway for the selected switches. If load balancing has been configured for the switch, this field does not display.
- Edit Secondary Gateway
- Use the drop-down menu to select the secondary Access Control Gateway for the selected switches. If load balancing has been configured for the switch, this field does not display.
NOTE: To configure additional redundant Access Control Gateways per switch (up to four), use the Display Counts option in the Display options panel (Tools > Options).
- Edit Auth Access Type
- Use the drop-down menu to select the type of authentication access allowed for these switches. This feature allows you to have one set of switches for authenticating management access requests and a different set for authenticating network access requests.
WARNING: For ExtremeXOS devices only. NAC Manager uses CLI access to perform configuration operations on ExtremeXOS devices.
- Enabling an Auth type of "Any Access" or "Management Access" can restrict access to the switch after an enforce is performed. For management requests handled through NAC Manager, make sure that an appropriate administrative access configuration is in place by assigning a profile such as "Administrator NAC Profile" to grant proper access to users. Also, verify that the current switch CLI credentials for the admin user are defined in the database against which NAC Manager authenticates management login attempts.
- Switching from an Auth type of "Any Access" or "Management Access" back to "Network Access" can restrict access to the switch after an enforce is performed. Verify that the current switch CLI credentials for the admin user are defined locally on the switch.
- Any Access - the switch can authenticate users originating from any access type.
- Management Access - the switch can only authenticate users that have requested management access via the console, Telnet, SSH, HTTP, and similar management interfaces.
- Network Access - the switch can only authenticate users that are accessing the network via the following authentication types: MAC, PAP, CHAP, and 802.1X. If RADIUS accounting is enabled, then the switch also monitors Auto Tracking, CEP (Convergence End Point), and Switch Quarantine sessions. If there are multiple sessions for a single end-system, the session with the highest precedence displays to provide the most accurate access control information for the user. The NAC authentication type precedence from highest to lowest is: Switch Quarantine, 802.1X, CHAP, PAP, Kerberos, MAC, CEP, RADIUS Snooping, Auto Tracking.
- Monitoring - RADIUS Accounting - the switch monitors Auto Tracking, CEP (Convergence End Point), and Switch Quarantine sessions. NAC Manager learns about these sessions via RADIUS accounting. This allows NAC Manager to operate in a listen mode and to display access control, location information, and identity information for end-systems without enabling authentication on the switch. If there are multiple sessions for a single end-system, the session with the highest precedence displays to provide the most accurate access control information for the user. The NAC authentication type precedence from highest to lowest is: Switch Quarantine, 802.1X, CHAP, PAP, Kerberos, MAC, CEP, RADIUS Snooping, Auto Tracking.
- Manual RADIUS Configuration - NAC Manager does not perform any RADIUS configurations on the switch. Select this option if you want to configure the switch manually using Policy Manager or CLI.
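As an added worked example (not code from NAC Manager or the Extreme documentation), the following Python reproduces two behaviours described above: taking the end-system MAC from Calling-Station-Id or User-Name, as the Layer 2 RADIUS Only switch type does, and choosing the session to display by the authentication type precedence listed for Network Access and Monitoring. The record layout, the `auth_type` field and the sample sessions are constructed for the example; the set of accepted MAC spellings is an assumption, since the page does not list them.

```python
"""
Added example: derive the end-system identity from RADIUS attributes and pick
the displayed session by NAC authentication type precedence.
Record layout and sample data are constructed; not NAC Manager code.
"""
import re
from typing import Dict, List, Optional

# Precedence from highest to lowest, exactly as listed on the page.
AUTH_TYPE_PRECEDENCE = [
    "Switch Quarantine", "802.1X", "CHAP", "PAP", "Kerberos",
    "MAC", "CEP", "RADIUS Snooping", "Auto Tracking",
]
_RANK = {name: i for i, name in enumerate(AUTH_TYPE_PRECEDENCE)}

# Assumed MAC spellings a switch might put in Calling-Station-Id or User-Name.
_MAC_FORMS = (
    re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"),  # 00:11:22:33:44:55, 00-11-...
    re.compile(r"^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"),    # 0011.2233.4455
    re.compile(r"^[0-9A-Fa-f]{12}$"),                          # 001122334455
)


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as lower-case 'aa:bb:cc:dd:ee:ff', or None if not a MAC."""
    value = value.strip()
    if not any(form.match(value) for form in _MAC_FORMS):
        return None
    digits = re.sub(r"[:.\-]", "", value).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def end_system_mac(request: Dict[str, str]) -> Optional[str]:
    """Layer 2 RADIUS Only: the MAC comes from Calling-Station-Id, else User-Name."""
    for attr in ("Calling-Station-Id", "User-Name"):
        mac = normalize_mac(request.get(attr, ""))
        if mac:
            return mac
    return None  # nothing usable: the request cannot be tied to an end-system


def displayed_session(sessions: List[dict]) -> Optional[dict]:
    """Of several sessions for one end-system, return the highest-precedence one."""
    ranked = [s for s in sessions if s.get("auth_type") in _RANK]
    if not ranked:
        return None
    return min(ranked, key=lambda s: _RANK[s["auth_type"]])


def sessions_by_end_system(records: List[dict]) -> Dict[str, dict]:
    """Group constructed session records by end-system MAC and keep the displayed one."""
    grouped: Dict[str, List[dict]] = {}
    for rec in records:
        mac = end_system_mac(rec)
        if mac is None:
            continue
        grouped.setdefault(mac, []).append(rec)
    return {mac: displayed_session(group) for mac, group in grouped.items()}


# Constructed sample data: three sessions for one end-system in three MAC
# spellings, one end-system identified only via User-Name, and one request
# with no MAC at all.
SAMPLE_RECORDS = [
    {"Calling-Station-Id": "00-11-22-33-44-55", "User-Name": "001122334455", "auth_type": "MAC"},
    {"Calling-Station-Id": "00:11:22:33:44:55", "User-Name": "jdoe", "auth_type": "802.1X"},
    {"Calling-Station-Id": "0011.2233.4455", "User-Name": "", "auth_type": "Auto Tracking"},
    {"Calling-Station-Id": "", "User-Name": "aabbccddeeff", "auth_type": "PAP"},
    {"Calling-Station-Id": "", "User-Name": "jdoe", "auth_type": "PAP"},
]

if __name__ == "__main__":
    for mac, session in sessions_by_end_system(SAMPLE_RECORDS).items():
        print(mac, "->", session["auth_type"])
```

The three differently spelled entries collapse to one end-system, and its 802.1X session wins over the MAC and Auto Tracking sessions; the final record has no MAC in either attribute and is dropped, which is the situation the page warns about when it says IP resolution and reauthentication may not work in this mode.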
- Edit Virtual Router Name
- Select the checkbox to enter the name of the Virtual Router. The default value for this field is VR-Default.
WARNING: For ExtremeXOS devices only. If Extreme Management Center has not detected and populated this field, enter the Virtual Router Name carefully. Incorrectly entering a value in this field causes the RADIUS configuration to fail, which is not reported when enforcing the configuration to the switch.
- Gateway RADIUS Attributes to Send
- Use the drop-down menu to select the RADIUS attributes settings included as part of the RADIUS response from the Access Control engine to the switch. Use the button to the right to open the RADIUS Attribute Settings window where you can define, edit, or delete the available attributes. Use the Preview area to preview your attribute settings; click Show Variables to use sample values in the Preview. If you define a new custom attribute, be sure to modify your policy mappings in the Advanced Edit Policy Mapping view.
- RADIUS Accounting
- Use the drop-down menu to enable RADIUS accounting on the switch. RADIUS accounting can be used to determine the connection state of the end-system sessions on the Access Control engine, providing real-time connection status in NAC Manager. It also allows NAC Manager to monitor Auto Tracking, CEP (Convergence End Point), and Quarantine (anti-spoofing) sessions. For more information, see How to Enable RADIUS Accounting.
- RADIUS Servers
- Select this checkbox to allow editing of Management RADIUS Server and Network RADIUS Server options.
- Management RADIUS Server
- Use the drop-down menu to specify RADIUS servers used to authenticate requests for administrative access to the selected switches. Select from the RADIUS servers you have configured in NAC Manager, or select New or Manage RADIUS Servers to open the Add/Edit RADIUS Server or Manage RADIUS Servers windows.
- Network RADIUS Server
- This option lets you specify a backup RADIUS server to use for network authentication requests for the selected switches. This allows you to explicitly configure a network RADIUS server to use if there is only one Access Control engine. (This option is only available if a Secondary Gateway is not specified.) Select from the RADIUS servers you have configured in NAC Manager, or select New or Manage RADIUS Servers to open the Add/Edit RADIUS Server or Manage RADIUS Servers windows.
- Edit Policy Enforcement Points
- Select this option to configure the Policy Enforcement Points used to provide authorization for the end-systems connecting to the VPN device that you are editing. The list is populated from the N-Series, S-Series, and K-Series devices in your Console device tree. If you do not specify a Policy Enforcement Point, then NAC Manager is unable to apply policies to restrict end user access after the user is granted access.
- Policy Domain
- Use this option to assign the switch to a Policy Manager domain and enforce the domain configuration to the switch. The switch must be an Extreme Networks switch.
- Edit Advanced Settings
- Select this option and then click the Advanced Settings button to open the Advanced Switch Settings window.