NAC: Avoid end-systems aging out

Chacko
Contributor
In NAC Manager there is a setting under "Options" -> "NAC Manager" -> "Data Persistence" -> "Age end-systems older than XX days" (our setting is the default of 90 days).
The problem is that we have a few systems running for more than 90 days without generating any network-related events.

So, for example, a time-registration terminal is disconnected after three months and rejected from the network until a new import of the MAC is triggered.

Is there a way to disable this setting or to exclude specific end-system groups from it?

Chacko
Contributor
Dear Ryan,

thanks for the feedback.
I never thought about the reauthentication - but now that you mention it, it seems to be a good idea.
I think we will set the reauth-timer to 1 month and give that a try.

Many thanks 

Ryan_Yacobucci
Extreme Employee
In NAC Manager go to Tools --> Options --> Data Persistence.

You can set the timer to 0; however, this means that every end system that attaches to the system will never be purged, so eventually you'll end up with a large number of old end systems.

What you can do is, as Ronald has said, put these special end systems into a group and make sure the option "Remove Associated MAC locks and Occurrences in Groups" is NOT checked.

Once the end system ages out and re-authenticates, it should authenticate back into its end system group rule, as the option to remove has been disabled.

Also, if you can get RADIUS accounting or a DHCP packet from these devices, it'll reset the last seen time and they'll never age out.

You can also set a session timeout or re-authentication timer on the port to have the device re-authenticate after a period of time, resetting the last seen timer so these devices don't age out either.

Thanks
-Ryan
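To make the interplay of the options above concrete, here is a small Python model of the aging behaviour Ryan describes. It is an added example, not code from the thread or from NAC Manager; it assumes time is counted in whole days, that the aging job runs once per day, and that any RADIUS, DHCP or port re-authentication event refreshes the end-system's last-seen day. The MAC, group name and function names are constructed for the example.

```python
"""Model of NAC Manager end-system aging (added example, not the
product's code).  Assumptions: whole-day time steps, one aging run per
day, and any RADIUS, DHCP or reauthentication event sets the
end-system's last-seen day.  All names are illustrative."""


def record_event(inventory: dict, mac: str, day: int) -> None:
    """A RADIUS auth/accounting, DHCP or port reauth event refreshes last seen."""
    inventory[mac] = max(inventory.get(mac, day), day)


def run_aging(inventory: dict, groups: dict, today: int, age_days: int,
              remove_from_groups: bool) -> list:
    """Purge end-systems whose last-seen day is more than age_days ago.

    age_days == 0 disables aging ("set the timer to 0").  With
    remove_from_groups False the MAC stays in its end-system groups, so it
    matches its group rule again the next time it authenticates.
    """
    if age_days == 0:
        return []
    purged = [mac for mac, last in inventory.items() if today - last > age_days]
    for mac in purged:
        del inventory[mac]
        if remove_from_groups:
            for members in groups.values():
                members.discard(mac)
    return purged


def simulate(age_days: int, reauth_days: int, remove_from_groups: bool = False,
             horizon_days: int = 400) -> tuple:
    """A silent device authenticates on day 0 and then sends nothing that
    NAC sees; the port reauthenticates every reauth_days (0 = never).

    Returns (day_purged_or_None, still_in_group).
    """
    mac = "00:11:22:33:44:55"          # constructed sample MAC
    inventory = {mac: 0}
    groups = {"Time-Terminals": {mac}}  # constructed end-system group
    for day in range(1, horizon_days + 1):
        if reauth_days and day % reauth_days == 0 and mac in inventory:
            record_event(inventory, mac, day)
        if mac in run_aging(inventory, groups, day, age_days, remove_from_groups):
            return day, mac in groups["Time-Terminals"]
    return None, mac in groups["Time-Terminals"]


def reauth_interval_is_safe(age_days: int, reauth_days: int) -> bool:
    """True when periodic reauth keeps the device out of the aging window."""
    return age_days == 0 or (0 < reauth_days < age_days)


if __name__ == "__main__":
    print("90-day aging, no reauth:                ", simulate(90, 0))
    print("90-day aging, 30-day reauth:            ", simulate(90, 30))
    print("90-day aging, no reauth, MAC removed:   ",
          simulate(90, 0, remove_from_groups=True))
    print("aging disabled (timer 0):               ", simulate(0, 0))
```

With a 90-day age threshold and no re-authentication the silent terminal is purged on day 91; a 30-day port reauth (the plan discussed in this thread) keeps refreshing last-seen so it never ages, and leaving "Remove Associated MAC locks and Occurrences in Groups" unchecked means a purged MAC still matches its group rule when it next authenticates. In the real product the timers are not day-aligned, so keep the reauth interval well below the age threshold rather than equal to it.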

Chacko
Contributor
Hi Ronald,

no, the rules aren't the problem.
If an existing permitted device that passed netlogin access doesn't generate an event for more than 90 days, the end system is deleted from all connected end-system groups.
In addition, the port will be reauthenticated and so access will be denied.

Ronald_Dvorak
Honored Contributor
How about an end-system group with the MACs that you'd like to allow.
Then copy the rule that you've used before, link it to that group, and move the new rule above the other.

[Image: NAC end-system group rule screenshot]