ExtremeControl

  • 1.  MAC Auth end-system not showing IP address or port information via HP switch, SNMPv3 working OK.

    Posted 06-01-2022 10:28
    Hi,

    Have a deployment using XMC / NAC just currently doing MAC auth at this time.

    End-systems are showing up as expected but 99% seem to be missing the IP address of the client, some, very few, are showing the odd IP address?

    DHCP relay has been configured to the NAC appliances and fingerprint information is being collated and end-systems are showing device family information. Which has led me to the confusing element in that I believed the IP address of the client would be collected via the same mechanism?

    Equally the end-system is missing the switch port information, yet the switch is modelled in XMC, is configured with SNMPv3 and viewing the device shows all the port information as you would expect i.e. you are able to query the switch correctly via SNMP, and XMC is aware of the port information.



    Looking on the Webview of the NAC appliance I see the below on the switch dynamic information. All the switches show an SNMP timeout, yet there is no issue with SNMP as they show correctly in XMC and able to query. Wondered whether maybe this was related to needing a specific MIB, relevant or not?



    Many thanks in advance


  • 2.  RE: MAC Auth end-system not showing IP address or port information via HP switch, SNMPv3 working OK.

    Posted 06-04-2022 19:45

    Hey Martin,

    Control by default uses IpNetToMedia, IpNetToPhysical, CtAlias to actively discover IP addresses. In this case because Control cannot establish SNMP contact we don't know what worker to use for IP resolution, so likely we won't even try. 

    You can take a tcpdump on control, it's unlikely that the HP switches are responding, maybe they need to be configured with NAC as an SNMP server? 

    By default Control will NOT use DHCP requests for IP resolution. They are not trusted by default. If you go into Engine Settings --> IP resolution and set "Use DHCP Request IPs" to "Always". 

    This will have Control use the request IPs discovered as a last resort. 

    Even if you got contact to these switches with SNMP it's unlikely IP resolution would be any better as they are HP and don't support CtAlias.

    Thanks
    -Ryan
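
An added illustration, not part of the thread and not ExtremeControl's own code: a MAC-to-IP lookup over the ipNetToMedia table that the reply above names, run on constructed net-snmp `snmpwalk -On -Ox` output. The sample rows, addresses and function names are assumptions.

```python
import re

# ipNetToMediaPhysAddress column (IP-MIB); row index is <ifIndex>.<IPv4 address>
IP_NET_TO_MEDIA_PHYS = ".1.3.6.1.2.1.4.22.1.2"

# Constructed sample of `snmpwalk -On -Ox` output; not captured from a real switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.12.10.1.20.57 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.4.22.1.2.12.10.1.20.58 = Hex-STRING: 00 11 22 33 44 66
.1.3.6.1.2.1.4.22.1.2.30.10.1.30.9 = Hex-STRING: AA BB CC 00 00 01
.1.3.6.1.2.1.4.22.1.2.30.10.1.30.10 = Hex-STRING: 00 11 22 33 44 55
Timeout: No Response from 10.1.1.2
"""

LINE_RE = re.compile(
    r"^" + re.escape(IP_NET_TO_MEDIA_PHYS)
    + r"\.(\d+)\.(\d+\.\d+\.\d+\.\d+) = Hex-STRING: ((?:[0-9A-Fa-f]{2} ?){6})\s*$"
)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_walk(text):
    """Return {mac: [(ip, ifIndex), ...]}; lines that are not table rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # timeouts, other OIDs, rows not printed as Hex-STRING
        if_index, ip, mac_hex = int(m.group(1)), m.group(2), m.group(3)
        table.setdefault(normalize_mac(mac_hex), []).append((ip, if_index))
    return table

def resolve_ip(table, mac):
    """All (ip, ifIndex) candidates for an end-system MAC; empty list if none."""
    return table.get(normalize_mac(mac), [])

if __name__ == "__main__":
    arp = parse_walk(SAMPLE_WALK)
    for mac in ("00:11:22:33:44:55", "00-11-22-33-44-66", "de:ad:be:ef:00:01"):
        print(mac, resolve_ip(arp, mac) or "unresolved")
```

A MAC that appears in more than one row, as in the sample, comes back with every candidate rather than a single guessed IP.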




  • 3.  RE: MAC Auth end-system not showing IP address or port information via HP switch, SNMPv3 working OK.

    Posted 06-05-2022 11:23
    Hi Ryan,

    Thanks for getting back.

    Perfect. Had thought the MIB resolution for the end-systems was being carried out via XMC rather than directly from each of the ExtremeControl appliances, equally thought by default DHCP snooping is part of the stack of options that automatically tried to do the IP resolution.

    Appreciate the detail, really helpful.

    There could be some ACLs on the HP switches that might only be allowing SNMP communication from XMC, so looking into that query.

    Will post back findings.

    Cheers,

    Martin