EXOS 21 + Policy Manager + NAC + MultiAuth issues while Enterasys gear works smoothly

Userlevel 4
Greeting guys,

Sorry about the long post, but I need some help...

I'm setting up a PoC for a customer with a large installed base of the former Red line (Enterasys lover for ages) with several B5, G3, S, B2, ExtremeWireless and more...

The customer needs to upgrade / expand the network and want to try the new G2 family (x440-G2 and X460-G2). They use extensively the Enterasys Policy and Policy Manager and they are trying NAC in some departments for testing before they deploy on the entire network, on the upgrade project.

Everything runs smoothly in Enterasys gear (Authentication, MultiAuth [802.1x & Mac everywhere], Policy, NAC, Policy Manager, etc) but I'm having some issues with Summits.

When trying to integrate a X460-G2 (ExtremeXOS version at the customer's environment (NetSight I've run in some issues, and maybe someone already know how to fix it:

1) Enterasys gear uses Multiauth with 802.1x and MAC in every port working fine, but in the X460-G2, when both authentication methods are enabled, even setting the precedence to 802.1x, the MAC auth happens first and the 802.1x auth doesn't happen (in the test PC, it asks for the 802.1x user and password, but nothing happens) and MAC auth (and policy applied) remains. In Enterasys gear, even if the MAC auth happens first, if the PC start the 802.1x auth it happens and the proper policy is applied.

This is a FAD or maybe I'm missing something?

2) I've deployed the customer's policy domain in the testing area of the network (with Enterasys gear and the X460-G2) with some customization to allow the enforce to the X460-G2. The policies seems to work fine, but I'm in trouble with the CoS remarking for NAC Redirection on the X460-G2 (all Enterasys gear work fine). I've already configured the PM's Class of Service, role, rules for redirection, created the access-list for the PBR (https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-PBR-on-EXOS-switches-for-... as the X460-G2 will be the gateway for it's network segment) but it's not working... Even with the policy applied, the http packets aren't marked with DSCP CS2 as it should (in a sniffing mirror all packets still without the marking, while in the Enterasys gear they are ok).

I've already tried to enable TCI overwrite and everything that came to my mind, and I couldn't find out yet why it's not working... Any Ideas? Anyone have a working PM's .PMD file with the Class of Service working for EXOS?

3) The customer is trying NAC, but until the project finishes, they rely on the Policy Manager for network control. As I asked in another conversation, when authenticating on the X460-G2 the username (and other info) is missing for Port Usage. The production NAC deployment may take months while the project gets developed, the PoC phase is over and we close the deal, and as they need to rely on PM for a while, this could be a problem for them.

This is a FAD or there's any fix available/planned?

Best regards,


1 reply

Userlevel 2

In scenario 1 since the user is prompted for their 802.1x login credentials it would appear the requests reached the radius server and it's responding. Are there any messages from it? This should work.

CoS should also work and only requires that the role/rule that's applied has the CoS associated to it. We'll need to further troubleshoot. We'll need to know the versions of software and firmware and get an export of the policy domain and switch configuration.

Issue 3 may be a result of the first item not working as port usage uses 802.1x information for username.

All three of these would require more in-depth review and I would suggested creating on-line cases with the GTAC for follow-up.