NAC is not registering switch/port change on EXOS devices

  • Problem
  • Updated 2 years ago
  • Solved
Hello,

We just got ourselves some Extreme NAC appliances. We're just in the testing phase now and I'm having some issues with the x460G2 switches. In my testing, I'm using a C5 and two x460G2s. When I connect my laptop to the C5, Oneview sees it right away, with the correct switch IP/port. It also works when I move to another port on the C5. However, when I move the laptop to one of the x460G2s, it registers the IP address change in NAC Manager/Oneview, but it keeps the C5 IP address and port.

Is there something I'm missing in the NAC manager or a setting on the x460G2 themselves?

Thanks for all the help,
Jay

Jason Graves


Posted 2 years ago


Keene, Scott, Employee NMS/GTAC

Hello,

Port Information is determined from RADIUS Requests to the NAC (from the switch) and SNMP queries from NAC to the switch, in some cases.

You can use this article to troubleshoot then open a case with GTAC if necessary.

https://gtacknowledge.extremenetworks.com/articles/How_To/NAC-Troubleshooting-Tips-Debug-Methodology...


Regards,

Scott Keene

Rainer Adam

We had the same issue. You have to configure the Extreme switch so that it sends the authentication requests. Therefore you have to configure the RADIUS server settings manually AND you have to configure:

create upm profile ENT_USER
if (!$match($EVENT.NAME,USER-AUTHENTICATED)) then
create log entry Config_ACL
create access-list $(EVENT.USER_MAC)_ENT_USER "ethernet-source-address ($EVENT.USER_MAC); protocol icmp; icmp-type echo-request;" "deny"
configure access-list add $(EVENT.USER_MAC)_ENT_USER first port $EVENT.USER_PORT
endif
if (!$match($EVENT.NAME,USER-UNAUTHENTICATED)) then
configure access-list delete $(EVENT.USER_MAC)_ENT_USER port $EVENT.USER_PORT
delete access-list $(EVENT.USER_MAC)_ENT_USER
endif
.
configure upm event user-authenticate profile ENT_USER ports 2-48
configure upm event user-unauthenticated profile ENT_USER ports 2-48

Without that, the Extreme switch does NOT send any authentication requests to the RADIUS servers (NAC Gateways).

Jason Graves

Hello,

Thanks for all the help! I was able to dig into this some more with some extra eyes and was able to find a simple solution.

We determined that the x460G2s were not sending any authentication requests for the netlogin side, but were sending RADIUS requests for management-access directly to our RADIUS servers (which is fine). Looking at the configuration on the test switches, we saw that netlogin wasn't fully enabled. They were missing 'enable netlogin dot1x mac'. Not sure why this happened, it was in our config template... anyway, everything is working great with the NAC now.


@Rainer Adam: That solution seems overly complicated to get an Extreme brand switch to work with their NAC solution.

Thanks,
Jay
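
An offline check for the condition described in the last post (netlogin set up on ports and in RADIUS, but the global 'enable netlogin dot1x mac' line missing), as an added example that is not part of the thread. It assumes saved switch configurations contain lines of the form used in the constructed samples; the function name, sample addresses and port ranges are hypothetical.

```python
METHODS = {"dot1x", "mac", "web-based"}

def audit_netlogin(config_text):
    """Return findings (strings) for one saved EXOS configuration."""
    global_methods = set()   # from "enable netlogin <methods>"
    port_methods = {}        # port list -> methods from "enable netlogin ports ..."
    radius_netlogin = False
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] != "enable":
            continue
        if tokens[1] == "netlogin":
            if len(tokens) > 3 and tokens[2] == "ports":
                found = set(tokens[4:]) & METHODS
                port_methods.setdefault(tokens[3], set()).update(found)
            else:
                global_methods |= set(tokens[2:]) & METHODS
        elif tokens[1] == "radius" and tokens[2:] in ([], ["netlogin"]):
            radius_netlogin = True   # a bare "enable radius" covers both realms
    findings = []
    if not radius_netlogin:
        findings.append("RADIUS is not enabled for the netlogin realm")
    if not global_methods:
        findings.append("no netlogin method is enabled globally")
    for ports, methods in sorted(port_methods.items()):
        missing = sorted(methods - global_methods)
        if missing:
            findings.append(
                f"ports {ports}: {' '.join(missing)} set on ports but not enabled globally")
    return findings

# Constructed sample: management RADIUS works, netlogin is only half enabled.
BROKEN = """\
configure radius mgmt-access primary server 192.0.2.10 1812 client-ip 192.0.2.20 vr VR-Mgmt
enable radius mgmt-access
configure radius netlogin primary server 192.0.2.30 1812 client-ip 192.0.2.20 vr VR-Default
enable radius netlogin
enable netlogin ports 2-48 dot1x mac
"""
# Constructed sample: same switch after adding the line named in the thread.
FIXED = BROKEN + "enable netlogin dot1x mac\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_netlogin(cfg) or "OK")
```

Running this over every switch's saved configuration catches template drift before the NAC shows end-systems stuck on their previous switch and port.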