NAC and hosts with static IP issue

Updated 8 months ago
Solved
Hi Everyone,

I have NMS+NAC version 8.0.5.18 in an environment where almost all end systems are using static IP addresses (there is no DHCP service enabled) and most of them do not support the 802.1X protocol (so I can't use RADIUS Accounting packets to check the end system IP addresses). I know that the "last resort" method for such a case is to use an SNMP query to the switch's ipNetToMediaTable. Unfortunately, the access switches don't have L3 interfaces in the host VLANs, so this solution doesn't work (their ARP tables are empty). When I make a manual query to ipNetToMediaTable on the default gateway device, I can find the MAC to IP mapping for such hosts.

In NAC Manager there is an option to enable IP Router Discovery but as I understand this GTAC case article:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Router-IP-discovery

this method only works in networks with DHCP service enabled:
EAC uses these (DHCP) packets to obtain device type information, and for Router IP discovery it uses the gateway address in the DHCP request to identify the router that will have ARP information for the client.
All end system networks have their default gateway L3 interfaces on one device. Is it possible to configure NAC to query this device each time a new end system authenticates on NAC? I know that this solution is not efficient, but those devices are online most of the time, so authentication queries to NAC would not be so frequent. If you have any other idea how to fix this problem, please feel free to share :)

Thanks in advance for any help

Bartek

Posted 8 months ago

Bastian Sprotte, Employee

Hello,
What type of switches do you use?
In EXOS/EOS we support the Node-Alias MIB.

enable nodealias ports (user-ports)

This allows NAC to read IP/MAC mappings as well.

regards
Bastian
Bartek

Hi,

Thanks for the nice tip; I've never heard of it. Unfortunately this environment is based on Alcatel switches.
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

It's recommended to use the static MAC to IP bindings.

In NAC Manager go to Tools -> Management and Configuration -> Advanced Configurations

Then go into Appliance Settings and click MAC to IP Mapping, and you can configure them statically.

The other option you have is to use the global IP subnets in combination with RFC 3576 VLAN IDs.

When you configure the global IP subnets you can configure a VLAN ID. For any end system that has received a policy mapping with a VLAN ID configured, NAC will attempt to query the gateway router configured in the IP subnet configuration that has the same VLAN ID for IP resolution.

Thanks
Ryan
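The gateway-side lookup described in the question (walking ipNetToMediaTable on the default-gateway router and resolving each end system's MAC) and the static MAC to IP bindings Ryan recommends both rest on the same data. As an added example that is not part of this thread or of NAC Manager, the Python below parses a constructed snmpwalk of that table, drops rows the router marks invalid, and resolves a MAC the way NAC would; all addresses and interface indexes in it are made-up sample values.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed snmpwalk output for ipNetToMediaTable (IP-MIB, OID 1.3.6.1.2.1.4.22)
# as taken on the default-gateway device; the addresses are made-up sample values.
# Row index = <ifIndex>.<IPv4 address>; ipNetToMediaPhysAddress holds the MAC and
# ipNetToMediaType reports other(1) / invalid(2) / dynamic(3) / static(4).
SAMPLE_WALK = """\
IP-MIB::ipNetToMediaPhysAddress.10.192.0.2.10 = STRING: 0:1b:21:a0:b1:c2
IP-MIB::ipNetToMediaPhysAddress.10.192.0.2.11 = STRING: 0:1b:21:a0:b1:c3
IP-MIB::ipNetToMediaPhysAddress.12.192.0.3.20 = STRING: 0:1b:21:a0:b1:c2
IP-MIB::ipNetToMediaPhysAddress.12.192.0.3.21 = STRING: 0:1b:21:a0:b1:c4
IP-MIB::ipNetToMediaType.10.192.0.2.10 = INTEGER: dynamic(3)
IP-MIB::ipNetToMediaType.10.192.0.2.11 = INTEGER: invalid(2)
IP-MIB::ipNetToMediaType.12.192.0.3.20 = INTEGER: dynamic(3)
IP-MIB::ipNetToMediaType.12.192.0.3.21 = INTEGER: static(4)
"""

ROW_RE = re.compile(
    r"^IP-MIB::(ipNetToMediaPhysAddress|ipNetToMediaType)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)"
    r" = \w+: (.+)$"
)


def normalize_mac(raw: str) -> str:
    """Canonical AA:BB:CC:DD:EE:FF form for '0:1b:21:..', '00-1B-21-..' or '001b21..'."""
    parts = re.split(r"[:\-]", raw.strip())
    if len(parts) == 6:
        hexdigits = "".join(p.zfill(2) for p in parts)   # net-snmp drops leading zeros
    else:
        hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def arp_table_from_walk(walk: str) -> Dict[str, List[str]]:
    """Map MAC -> sorted IPv4 addresses from the walk, skipping rows typed invalid(2)."""
    macs: Dict[str, str] = {}    # "ifIndex.ip" -> normalized MAC
    types: Dict[str, int] = {}   # "ifIndex.ip" -> ipNetToMediaType value
    for line in walk.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue   # tolerate unrelated objects mixed into the walk
        column, ifindex, ip, value = m.groups()
        key = f"{ifindex}.{ip}"
        if column == "ipNetToMediaPhysAddress":
            macs[key] = normalize_mac(value)
        else:   # "dynamic(3)" or bare "3" -> 3
            types[key] = int(value.rstrip(")").rsplit("(", 1)[-1])
    table: Dict[str, List[str]] = defaultdict(list)
    for key, mac in macs.items():
        if types.get(key, 3) != 2:   # an untyped row is treated as dynamic
            table[mac].append(key.split(".", 1)[1])
    return {mac: sorted(ips) for mac, ips in table.items()}


def resolve_ip(table: Dict[str, List[str]], mac: str) -> List[str]:
    """IP(s) NAC would record for an end system MAC; [] when the gateway has no entry."""
    return table.get(normalize_mac(mac), [])
```

A MAC that resolves to more than one address (here the host seen on two router interfaces) is worth flagging before it is turned into a static binding, since a single static MAC to IP entry cannot express it.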