You can define two radius servers/NACs. If first is unreachable then second is used...
And yes you can define "default policy" as you wrote. Then you should choose what will happen. Good luck. Zdenek Pala Sent from BYOD device 14. 11. 2013 v 0:03, Marki <[email protected]>: > > > Zdenek Pala <zpala <at> enterasys.com> writes: > >> >> You can configure more policy profiles. >> >> Based on mac authentication the radius server will send accept with >> the filter-id attribute containing the policy profile name. Then the >> switch will apply correct policy profile (including the vlan >> assignment) on the traffic ingressing the port with authenticated >> source mac. > > Hi, > > Ok, so if I understood correctly (also writing this in case I will need to > look it up in the future, hehe): > > When the NAC is used, the policy profile will not contain a rule with a > specific MAC address or prefix but only a simple VLAN mapping. > > So, I create a policy for each VLAN that I potentially want to apply to a > port. > > Depending on the NAC's feedback upon authentication (using the MAC address) > the switch will apply the corresponding policy (in this case VLAN) to the > *port*. > > That sounds good too. > > Now I see a problem with the failsafes. Say you have PCs and printers on > dedicated VLANs. You have a list of MAC adresses of printers and PCs and you > assign them using the NAC. When a PC is put into a printer port and the NAC > is not reachable, there can be no real VLAN assignment in a failsafe policy. > Well you may probably define it, but it wouldn't make any sense since you > would have to know in advance whether it's a PC or printer... chicken & egg. > > You could probably set a failsafe policy by site, e.g. putting the ports in > the site's PC VLAN in case the NAC fails. But then the printers would be > offline. Hmmm... > > > Bye, > > Marki > > > --- > To unsubscribe from enterasys, send email to [email protected] with the body: > unsubscribe enterasys [email protected] --- To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
