Solved

End Systems MACs collection

  • 8 January 2021

Userlevel 2

I wonder what is your method to bring all end systems MAC addresses to XMC database? Do you just have EAP enabled on every port? 

I am asking because I want to have this data in XMC for visibility, but I also want to avoid having the NAC dependency in some areas of the network.

 

Best answer by Miguel-Angel RODRIGUEZ-GARCIA 8 January 2021, 09:19

Dany,

The End-Systems database is a database with all devices having performed an authentication.

If you have a device that never did an authentication (EAP or MAC) it doesn’t appear in this database.

 

The easy way is to enable MAC auth on all your client’s switch ports and have a rule allowing the traffic in all cases.

It is a setup with all authentications approved…

Also set the DHCP relays in the routers to send the requests also to the NAC for the fingerprinting info.

Regards

Mig


Userlevel 2

Hi Mig,

Thanks for sharing. Do you know how that works if you have several MACs behind a port for example on an uplink to an ESX Server? Will Control add all MACs to the End-Systems database?

I am also looking for another feasible solution without actually doing authentication on the ports?

Regards

Userlevel 7

Hello Dany,

As Mig wrote, authentication is the key to get all MAC addresses. Extreme Control is a NAC solution and built for authentication. Only via authentication is the database filled.

You can authenticate several MACs on one port and all will be added to XMC. As Mig wrote, if you create a permit-all rule in Control this works fine without any impact to your network. The number of devices that can be authenticated per port depends on the switch model and vendor.

Userlevel 6

I use RADIUS with MAC auth, but there are ways to do it without that

https://extremeportal.force.com/ExtrArticleDetail?an=000080009

Bonus to feed from IDM to Netsight https://extremeportal.force.com/ExtrArticleDetail?an=000081388

Userlevel 2

Thank you for the hints!

Unfortunately we are in an ERS/VSP environment and there is no support for identity management :smirk:
