Question

NAC (ExtremeControl) - Don't see End-Systems Connected on my ERS Switch

  • 23 February 2021
  • 16 replies
  • 89 views

Hello everyone,

I tried to setup Extreme Control on my XMC in order to see what’s connected on our network.

The NAC appliance has been added to my XMC.

My Switch (ERS4900 Series) has been added in “Switches” on Access Control Tab. 

There are two IP Phones connected on the port 1 and 2 but I don’t see these devices in “end-systems” on Access Control.

Does someone know what I have to do exactly (procedure?), maybe I missed something in my configuration...

I only need to use Access Control in “listen” mode, no authentication or security… only be able to see what’s connected on my network at first.

It would be helpful if someone already has experience with this.


16 replies

Userlevel 6
Badge +1

Kevin,

Did you check this?

Mig


Hi,

Yes, I already checked this. No end-systems are visible in Access Control, but I can see this on my NAC appliance:

Userlevel 6
Badge +1

Can you share the output of “show radius-server” on the ERS?

Mig

Yes, sure.

Userlevel 6
Badge +1

Kevin,

none reachable means “none reachable”…

You must double-check the shared secret and the switch config in Control/Access Control/Engines/Engine Group/Switches.

Also, the visibility mode is based on MAC auth and you didn’t define a RADIUS server for this service (non-EAP).

Regards,

Mig
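To make the shared-secret point concrete, here is an added Python model of the RFC 2865 exchange behind non-EAP MAC authentication. It is example code written for this thread, not part of any post above and not ExtremeControl or ERS code. It assumes the switch sends the MAC as both User-Name and User-Password (PAP hiding), the MAC and the two secrets are constructed placeholders, and nothing touches the network: the point is to show that with mismatched secrets the server cannot recover the password (so it rejects), and the switch cannot validate the Response Authenticator (so it discards the reply); a switch that never sees a valid reply cannot mark the server reachable.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = RequestAuth."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], md5(secret + prev)))
        out, prev = out + c, c
    return out


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server does it with ITS copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ k for x, k in zip(c, md5(secret + prev)))
        prev = c
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def build_mac_auth_request(ident: int, mac: str, nas_secret: bytes, request_auth: bytes) -> bytes:
    """What the switch (NAS) sends for non-EAP MAC auth: the MAC as both User-Name and User-Password.
    The exact MAC text format an ERS uses is an assumption here."""
    user = mac.encode()
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, pap_hide(user, nas_secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request: bytes, server_secret: bytes) -> bytes:
    """Toy RADIUS server: reveal the password with its own secret, accept only if it equals User-Name."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], parse_attrs(request[20:length])
    revealed = pap_reveal(attrs[USER_PASSWORD], server_secret, request_auth)
    code = ACCESS_ACCEPT if revealed == attrs[USER_NAME] else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this toy reply
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + md5(header + request_auth + server_secret)


def nas_verify(response: bytes, request_auth: bytes, nas_secret: bytes) -> bool:
    """The switch recomputes the Response Authenticator; on mismatch the reply is silently discarded."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(md5(header + request_auth + attrs + nas_secret), resp_auth)


def simulate(nas_secret: bytes, server_secret: bytes, mac: str = "001122334455"):
    """Returns (server_response_code, switch_accepts_reply) for one MAC-auth round trip."""
    request_auth = bytes(range(16))  # constructed; a real NAS uses 16 random bytes
    req = build_mac_auth_request(0x2A, mac, nas_secret, request_auth)
    resp = server_handle(req, server_secret)
    return resp[0], nas_verify(resp, request_auth, nas_secret)


if __name__ == "__main__":
    # Placeholder secrets, not the thread's real shared secret
    print("matching secrets :", simulate(b"same-secret", b"same-secret"))     # (2, True)
    print("mismatched secrets:", simulate(b"switch-side", b"nac-side"))       # (3, False)
```

The second case is the “config mismatch” the later replies describe: the NAC engine answers with a reject it signs using its secret, and the switch, signing with a different secret, cannot even validate that reject.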

Yes, I noticed the status.

Shared secret already checked and seems to be the same on both sides.

I defined a RADIUS server for the non-EAP service but get “none reachable” too.

Userlevel 6
Badge +1

Please share the output of the following:

“show run module radius”

Mig

SW_DUDELANGE#show run module radius

******************************************************************************
        Command Execution Time: 2021-02-23 14:07:04 GMT+01:00    UTC time: 2021-02-23 13:07:04
******************************************************************************
! Embedded ASCII Configuration Generator Script
! Model = Ethernet Routing Switch 4926GTS-PWR+
! Software version = v7.8.1.055
!
! Displaying only parameters different to default
!================================================
enable
configure terminal
!
! *** RADIUS ***
!
radius server host 192.168.201.211 acct-enable
radius server host 192.168.201.211 used-by eapol acct-enable
radius server host 192.168.201.211 used-by non-eapol acct-enable timeout 20
radius accounting interim-updates enable
!
! *** RADIUS Dynamic Server ***
!
radius dynamic-server replay-protection

radius dynamic-server client 192.168.201.211
radius dynamic-server client 192.168.201.211 port 3799
! radius dynamic-server client 192.168.201.211 secret ****************
! radius dynamic-server client 192.168.201.211 enable
radius dynamic-server client 192.168.201.211 process-change-of-auth-requests
radius dynamic-server client 192.168.201.211 process-disconnect-requests
radius dynamic-server client 192.168.201.211 process-reauthentication-requests

radius dynamic-server client 192.168.204.62
radius dynamic-server client 192.168.204.62 port 3799
! radius dynamic-server client 192.168.204.62 secret ****************

Userlevel 6
Badge +1

Clean it a little bit:

no radius server host 192.168.201.211 used-by eapol acct-enable
no radius server host 192.168.201.211 used-by non-eapol acct-enable timeout 20

no radius dynamic-server client 192.168.204.62

Removing the specific entries on eapol and non-eapol will force it to use the global one.

Can the switch ping the radius?

Mig
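As an added example (not written by any participant in this thread), a small Python checker that parses `show run module radius` output of the kind posted above and applies the three points of the reply: per-service entries that duplicate the global server, a dynamic-server client that is the switch's own address rather than the NAC engine, and the absence of any server usable for non-EAP MAC auth. The sample text is constructed from the output above with the masked secret lines kept only as comments; the NAC engine and switch addresses are passed in as parameters, and the generated `no ...` lines simply prefix the offending configuration line, which is the pattern the reply uses.

```python
import re

# Constructed sample, modelled on the switch output posted in the thread.
SAMPLE = """\
! *** RADIUS ***
radius server host 192.168.201.211 acct-enable
radius server host 192.168.201.211 used-by eapol acct-enable
radius server host 192.168.201.211 used-by non-eapol acct-enable timeout 20
radius accounting interim-updates enable
! *** RADIUS Dynamic Server ***
radius dynamic-server replay-protection
radius dynamic-server client 192.168.201.211
radius dynamic-server client 192.168.201.211 port 3799
! radius dynamic-server client 192.168.201.211 secret ****************
radius dynamic-server client 192.168.204.62
radius dynamic-server client 192.168.204.62 port 3799
! radius dynamic-server client 192.168.204.62 secret ****************
"""

HOST_RE = re.compile(r"^radius server host (\S+)(?: used-by (eapol|non-eapol))?")
DYN_RE = re.compile(r"^radius dynamic-server client (\S+)")


def parse_radius_config(text: str):
    """Returns (servers, dyn_clients): servers maps 'global'/'eapol'/'non-eapol' -> {ip: line},
    dyn_clients maps ip -> list of its 'radius dynamic-server client' lines."""
    servers = {"global": {}, "eapol": {}, "non-eapol": {}}
    dyn_clients = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # banner, comments and the masked secret lines
        m = HOST_RE.match(line)
        if m:
            servers[m.group(2) or "global"][m.group(1)] = line
            continue
        m = DYN_RE.match(line)
        if m:
            dyn_clients.setdefault(m.group(1), []).append(line)
    return servers, dyn_clients


def audit(servers, dyn_clients, nac_ip: str, switch_ip: str):
    """Returns (findings, cleanup_commands) for the points raised in the thread."""
    findings, cleanup = [], []
    # 1. A per-service entry pointing at the same host as the global entry is redundant;
    #    removing it makes the service fall back to the global server.
    for svc in ("eapol", "non-eapol"):
        for ip, line in servers[svc].items():
            if ip in servers["global"]:
                findings.append(f"{svc} entry for {ip} duplicates the global server; the global entry suffices")
                cleanup.append("no " + line)
    # 2. Listen mode relies on MAC auth, which is the non-eapol service: some server must serve it.
    if not servers["non-eapol"] and not servers["global"]:
        findings.append("no RADIUS server usable for non-eapol (MAC auth): listen mode cannot see end-systems")
    # 3. Dynamic-server (change-of-authorization) clients should be the NAC engine only.
    for ip in dyn_clients:
        if ip != nac_ip:
            why = "the switch's own address" if ip == switch_ip else "not the NAC engine"
            findings.append(f"dynamic-server client {ip} is {why}")
            cleanup.append(f"no radius dynamic-server client {ip}")
    # 4. The NAC engine must appear as a RADIUS server somewhere.
    known = set(servers["global"]) | set(servers["eapol"]) | set(servers["non-eapol"])
    if nac_ip not in known:
        findings.append(f"NAC engine {nac_ip} is not configured as a RADIUS server at all")
    return findings, cleanup


if __name__ == "__main__":
    servers, dyn = parse_radius_config(SAMPLE)
    findings, cleanup = audit(servers, dyn, nac_ip="192.168.201.211", switch_ip="192.168.204.62")
    for f in findings:
        print("finding:", f)
    for c in cleanup:
        print("suggest:", c)
```

Run against the sample, the suggested cleanup is exactly the three `no ...` lines in the reply above; the reachability of the engine itself (the `show radius-server` status) is not something a config parse can tell you, so that check still has to be done on the switch.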

Hi, 

Many thanks for your time. 

The host 192.168.201.211 is my NAC appliance and is reachable from my switch 192.168.204.62.

I think I will start from scratch; I did a lot of tests and it’s not very clean.

Userlevel 6
Badge +1

Indeed, recheck now the NAC config.

Mig

Yes, but I can’t find what could be causing my issue.

I only need to use my NAC in listen mode; on paper it’s a quick and light config.

In all the Extreme TechTalks, videos or documentation, it just says to add the NAC appliance in XMC and the switch that you need to “listen” to….

And support is not able to help me; it’s an endless loop...

Userlevel 6
Badge

Hi Kevin,


I don’t remember much of AAA config on ERS, but don’t you need non-EAP settings (in your output it’s 0.0.0.0) if MAC Auth is required? Assuming MAC Auth as you say you’d like to just see devices in NAC (no real authentication occurring?).

https://documentation.extremenetworks.com/ERS_Series/ERS49005900/SW/78x/ConfigSecERS49005900_7.8.1_CG.pdf (pages 197+?)


Hope that helps,

Tomasz

Hi Tomasz, 


Yes, correct. I would like to see the end-devices in NAC.

My NAC is enabled in my XMC but not in use. So that’s why I don’t know if the issue comes from NAC/XMC or my switch or both.

Will take a look at your documentation; thanks for your feedback.

After seeing a lot of Extreme TechTalks, videos and e-learning on the Dojo web portal, I thought I understood that it would be a quick and easy configuration, but that seems not to be the case.

Userlevel 4
Badge

Because the RADIUS server rejects the request from the switch, it looks like there is a config mismatch.

If you have already checked the shared secret, is your NAC config enforced to the control engine?

This is one of the most common mistakes...
