We're a MS shop so we've already got the infrastructure in place. NAC is already applying some filtering policies to edge switch ports. I just can't seem to make it untag a vlan on a given port. We do have a service contract with Enterasys so maybe I'll just let them walk me through it on a test policy domain.
On Fri, Dec 16, 2011 at 6:47 AM, Lou H. Goddard <[email protected]> wrote:

> "our NAC appliance can act as a RADIUS server and map LDAP/AD attributes
> back to policies that get dynamically assigned."
>
> If you would like to save some money, FreeRADIUS combined with an OS such
> as Linux can perform that task as well for free and you can obtain support
> from RedHat for a very small fee.
>
> What OS does the NAC appliance run out of curiosity?
>
> Thanks,
> Lou Goddard
> Network Engineer
> 302-552-8053
> [email protected]
>
> ------------------------------
> From: "Nispel, Markus" <[email protected]>
> Sent: Thu, 12/15/2011 5:18pm
> To: Enterasys Customer Mailing List <[email protected]>
> Subject: RE: [enterasys] Setting VLAN egress based on AD group membership
>
> Ah – then still most of the ideas apply. If you use policy manager then
> the roles are automatically distributed to the switches – at the role tab
> level you can define the VLAN that should be assigned. This overrides the
> PVID setting on the port. You need to turn on authentication on the port
> and switch level and also enable RADIUS. All of this can be done via the
> port config and device config wizards in policy manager.
>
> As said – our NAC appliance can act as a RADIUS server and map LDAP/AD
> attributes back to policies that get dynamically assigned. They (the
> policy) can include VLANs obviously to achieve this.
>
> See also
> https://cp-enterasys.kb.net/al/12/3/article.aspx?aid=14317&tab=browse&bt=4&r=0.04827732
>
> Does this help more? You can also mail me directly
>
> Regards
> Markus
>
> From: [email protected] [mailto:[email protected]] On Behalf Of VanArtsdalen, Scott
> Sent: Thursday, 15 December 2011 22:17
> To: Enterasys Customer Mailing List
> Subject: Re: [enterasys] Setting VLAN egress based on AD group membership
>
> Thanks Markus. I should have been more clear. We currently use Netsight.
> I am familiar with Policy Manager. We use policies to set COS up for
> phones and for blocking certain services on end user ports. I'd like to
> find a way to do this using Policy Manager. Also, VLANs are currently
> statically set on the edge. We'd like them to be completely dynamic based on
> AD group membership (or the lack thereof.)
>
> On Thu, Dec 15, 2011 at 12:24 PM, Nispel, Markus <[email protected]> wrote:
>
> Hi Scott
>
> You can use Policy and RADIUS attributes to return that – as part of the
> policy you can modify the PVID including the egress as well as the VLAN
> egress separately for untagged and tagged traffic (like a dynamic 1Q
> trunk). You can use the decorated filter ID to return the policy or map
> RFC3580 tunnel attributes back as well. What product do you use?
>
> Details can be found in the feature guide for policy:
> https://extranet.enterasys.com/downloads/Pages/dms.ashx?download=96274944-52fa-4cc1-9bba-0744d5989703
> while it is highly recommended to use the policy manager as part of the
> Netsight Suite. For authentication
> https://extranet.enterasys.com/downloads/Pages/dms.ashx?download=cf5b6f90-13a1-4253-add1-5d2a7a0cbb23
>
> CLI commands of interest to create the policy phoneFS with pvid 11:
>
> Fixed Switch(rw)->set policy profile 3 name phoneFS pvid-status enable
> pvid 11 cos-status enable cos 10 – here there are also the options for
> separate egress control
>
> Radius & authentication turned on and returning as the filter id
> "Enterasys:version=1:policy=phoneFS"
>
> Does the job.
>
> Turn on auth & RADIUS
>
> System(rw)->set multiauth mode multi
> System(rw)->set multiauth port mode force-auth ge.1.5-7
>
> For MAC auth
>
> System(rw)->set macauthentication enable
> System(rw)->set macauthentication password enterasys
> System(rw)->set macauthentication port enable ge.1.5-7
>
> RADIUS
>
> System(rw)->set radius server 1 10.20.10.01
> System(rw)->set radius enable
>
> If you need AD support and RADIUS services then you could also use our NAC
> solution for that.
>
> Hope this helps
> Markus
>
> From: [email protected] [mailto:[email protected]] On Behalf Of VanArtsdalen, Scott
> Sent: Thursday, 15 December 2011 19:26
> To: Enterasys Customer Mailing List
> Subject: [enterasys] Setting VLAN egress based on AD group membership
>
> Can someone point me to a good resource on setting VLAN egress on a port
> based on membership in a given group in Active Directory?
> Any whitepapers out there or a place on one of the manuals I should check?
>
> Michael, you have anything that would help?
> :-)
>
> --To unsubscribe from enterasys, send email to [email protected] with
> the body: unsubscribe enterasys [email protected]
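As an added example, not from the thread or from Enterasys, here is how the mapping Lou and Markus describe could be expressed in a FreeRADIUS `users` file: AD group membership, looked up through the ldap module, returns either the decorated Filter-Id that names a policy already defined on the switch (Markus's phoneFS) or the RFC 3580 tunnel attributes that set the VLAN directly, and a user who authenticates but belongs to no mapped group gets a restricted policy instead of silently keeping the port's static PVID. The group DNs, the guestFS policy name and VLAN 20 are assumed values.

```text
# /etc/raddb/users (FreeRADIUS; path and module names are assumptions)
# Requires the ldap module with group lookup enabled (for example
# membership_attribute = memberOf) so that LDAP-Group checks resolve.

# Phones: return the decorated Filter-Id from Markus's example, which
# selects the phoneFS policy (pvid 11, cos 10) on the switch.
DEFAULT  LDAP-Group == "cn=VoIP-Phones,ou=Groups,dc=example,dc=com"
         Filter-Id = "Enterasys:version=1:policy=phoneFS",
         Fall-Through = No

# Staff: set the VLAN with RFC 3580 tunnel attributes instead of naming
# a policy (VLAN 20 is an assumed value).
DEFAULT  LDAP-Group == "cn=Staff,ou=Groups,dc=example,dc=com"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = "20",
         Fall-Through = No

# Authenticated but in no mapped group ("the lack thereof"): assign a
# restricted policy (assumed name) rather than leaving the port on its
# static PVID. Keep this entry last; earlier matches stop with
# Fall-Through = No.
DEFAULT
         Filter-Id = "Enterasys:version=1:policy=guestFS",
         Fall-Through = No
```

The switch only honours the returned policy name if a profile with that exact name exists on it, so the Filter-Id strings must match the `set policy profile ... name` values (or the role names pushed from Policy Manager).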
