Question

EXOS | Extreme Control dynamic vlan assignment

  • 30 December 2020

Hi Hub Community,

We’re using the Extreme Control Policy (NAC) at one of our customers in the health care system to implement some security checks regarding the devices that can connect to our network. In summary, in our EXOS stacks we have all the ports with the DATA vlan (untag) and VoIP vlan (tag) and we use 802.1X (dot1x - NAC and Microsoft AD) to authenticate our users. On the other hand, we have some NAC policies for special cases, like the printers and the medical devices. When this kind of device is connected to one of the EXOS stacks, the NAC Engine dynamically assigns the proper vlan (we have a vlan for printers and a vlan for medical devices) on the switch port, using MAC authentication, not 802.1X. In most cases, this is working just fine. However, for some printers we’re facing a strange issue. Basically, from time to time, a printer just stops communicating. I’m sharing the logs of the port where a printer with this symptom is connected.

As you can see, we can observe some 802.1X auth being rejected. The funny thing is that the printer (Zebra G series) does not support 802.1X. So, how can I see these kinds of logs? To work around the issue, we need to reboot the printer and delete the DHCP lease that the printer acquires during the process of authentication on the DATA static vlan. Eventually, after 2 or 3 retries, the printer starts working on the proper vlan for quite some time.

So, can anyone help?

Regards,

César Santos       


5 replies


csantos,

I also have issues with Zebra printers on ERS switches when using 802.1X/MAC Auth on the ports.

We forced the MAC on the switch/port to limit the impact but sometimes we set the port without authentication.

I’m afraid those printers are the issue…

Mig

Miguel,

Yeah, I’ve tried to disable the 802.1X on the port, only having MAC auth. With that, the issue does not appear again. The problem is that it is some kind of an exception on the switch config and we lose the flexibility to connect the printers in any port without any concern regarding the configuration of the port.

If the printer is the issue, I’ll have to talk to the customer about that. No magic here, I’m afraid.  


I can confirm that Zebra printers are sometimes very special…

One of our customers sometimes has very strange effects with these printers in an Aruba wireless environment.

In your case, maybe you could try to disable 802.1X with upm-profile via a special radius-attribute. This should work in EXOS.


Hi PeterK, Thanks for the tip.

@csantos ,

I’m thinking of adapting the timers of 802.1X/MAC Auth on the ports for the Zebra printers.

This could help by allowing the MAC Auth faster than today while still keeping the 802.1X operational.

I need this because some Zebras are behind an IP Phone doing 802.1X.

I’ll try after my holidays.

Mig

@PeterK thanks for your tip. I’ll try, just in case. But I would prefer not to have any kind of exception between the ports of my stacks regarding the 802.1X auth process. I’ll let the end customer have the final decision about that, if my lab with upm-profile works fine.

@Miguel-Angel RODRIGUEZ-GARCIA that’s an interesting idea. After you try that workaround, please let me know if the behaviour of these printers changes.

Thanks a lot!
