Extreme Networks
Question

PC lost connection with network using 802.1X authentication

  • 11 September 2019
  • 8 replies
  • 433 views

Userlevel 4
I am configuring NAC on our switches and have created 802.1X rules for our AD PCs and users.

We are testing this with 3 PCs. Management access to the switch is based on AD (LDAP).

The ports of the switch are configured for 802.1X and MAC authentication.

Now we find that two PCs lost their connection to the network. At that time I could not log in to the switch. I am 100% sure that I used the correct credentials.

In the end-system events I noticed that the profile was changed from the AD-user profile to the deny-access profile.

After a while I could log in to the switch again and the PCs got access to the network back.

How can I troubleshoot this?

Switch: X440G2-48p-10G4 firmware version 22.4.1.4

8 replies

Userlevel 7
I'd use the evaluation tool to see why the two PCs skipped the AD-user rule.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-use-configuration-evaluation-tool-with-Extreme-Management-Center
Userlevel 6
I would check what the result of the attempted login using 802.1X authentication was. Even if the port is in a deny-all role, I believe we still allow EAP to pass through. This wasn't always the case.

Was the 802.1x authentication rejected due to an issue that later cleared that allowed you to login?

The end-system events should show the 802.1X authentication attempts and what their result was.

Thanks
-Ryan
Userlevel 4
I will check my end-system events.
Userlevel 4
@Ryan Yacobucci After losing the connection, the evaluation tool showed me that the correct rule was hit, but in the logging I saw that the connection was denied.

Userlevel 4
Forgot to add the screenshot of the evaluation tool and the device event.

Userlevel 6
Well, that does look a little funny.

The rule looks pretty straightforward, only an LDAP criterion.

Right-click the NAC --> WebView --> Diagnostics --> Communication Diagnostics and test the LDAP. Are there LDAP issues occurring, like timeouts?

The other thing you can do is, in WebView --> Diagnostics --> End System Diagnostics, enable diagnostics by MAC for your test device and have it fall through the rule. Attach the end-system events and the /var/log/tag.log to a case with GTAC and we can take a look to see why it's falling through.

I would suspect LDAP communication issues based on what you've provided.

Thanks
-Ryan
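The reply above suggests lining up the moment an end system dropped from the AD-user profile to the deny-access profile against LDAP diagnostics, looking for a timeout at the same time. The script below is an added example of that correlation and is not code from Extreme Networks or from anyone in this thread. It parses two constructed, hypothetical log formats (one line per end-system profile assignment, one line per LDAP lookup probe); real Extreme Management Center end-system events and tag.log lines are formatted differently and the two regular expressions would have to be adapted. The MAC addresses, profile names and timestamps are made up for the example. It also shows the other outcome the thread ends up with: a fall-through to the deny profile with no LDAP problem anywhere near it, which points away from LDAP.

```python
"""Correlate NAC deny-profile transitions with LDAP lookup problems.

Added example; the log line formats below are constructed for illustration
and are NOT the formats used by Extreme Management Center.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample end-system events: timestamp, MAC, assigned profile.
END_SYSTEM_EVENTS = """\
2019-09-11 09:00:02 00:11:22:33:44:55 profile=AD-user-profile
2019-09-11 09:45:10 00:11:22:33:44:55 profile=Deny-Access
2019-09-11 10:02:31 00:11:22:33:44:55 profile=AD-user-profile
2019-09-11 09:00:05 00:11:22:33:44:66 profile=AD-user-profile
2019-09-11 11:00:00 00:11:22:33:44:66 profile=Deny-Access
"""

# Constructed sample LDAP diagnostics: timestamp, result, latency in ms.
LDAP_DIAG = """\
2019-09-11 09:00:01 ldap result=ok latency_ms=42
2019-09-11 09:45:08 ldap result=timeout latency_ms=5000
2019-09-11 10:02:30 ldap result=ok latency_ms=39
2019-09-11 10:59:00 ldap result=ok latency_ms=41
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) profile=(?P<profile>\S+)$")
LDAP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ldap "
    r"result=(?P<result>\w+) latency_ms=(?P<lat>\d+)$")


@dataclass
class Event:
    ts: datetime
    mac: str
    profile: str


@dataclass
class LdapProbe:
    ts: datetime
    result: str
    latency_ms: int


@dataclass
class Transition:
    mac: str
    ts: datetime
    from_profile: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed end-system event format; unknown lines are skipped."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append(Event(datetime.strptime(m["ts"], TS_FMT),
                             m["mac"].lower(), m["profile"]))
    return out


def parse_ldap(text: str) -> List[LdapProbe]:
    """Parse the constructed LDAP diagnostic format; unknown lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LDAP_RE.match(line.strip())
        if m:
            out.append(LdapProbe(datetime.strptime(m["ts"], TS_FMT),
                                 m["result"], int(m["lat"])))
    return out


def deny_transitions(events: List[Event], deny_profile: str = "Deny-Access") -> List[Transition]:
    """Find, per MAC, each change from a non-deny profile into the deny profile."""
    by_mac: Dict[str, List[Event]] = {}
    for e in events:
        by_mac.setdefault(e.mac, []).append(e)
    found = []
    for mac, evs in by_mac.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if cur.profile == deny_profile and prev.profile != deny_profile:
                found.append(Transition(mac, cur.ts, prev.profile))
    found.sort(key=lambda t: t.ts)
    return found


def nearest_ldap_problem(t: Transition, probes: List[LdapProbe],
                         window: timedelta = timedelta(seconds=30)) -> Optional[LdapProbe]:
    """Return the closest non-ok LDAP probe within the window, or None."""
    near = [p for p in probes if p.result != "ok" and abs(p.ts - t.ts) <= window]
    return min(near, key=lambda p: abs(p.ts - t.ts)) if near else None


def correlate(event_text: str, ldap_text: str) -> List[Tuple[Transition, Optional[LdapProbe]]]:
    """Pair every deny-profile transition with a nearby LDAP problem, if any."""
    probes = parse_ldap(ldap_text)
    return [(t, nearest_ldap_problem(t, probes))
            for t in deny_transitions(parse_events(event_text))]


if __name__ == "__main__":
    for t, p in correlate(END_SYSTEM_EVENTS, LDAP_DIAG):
        cause = f"LDAP {p.result} ({p.latency_ms} ms) at {p.ts}" if p else "no LDAP problem nearby"
        print(f"{t.ts} {t.mac}: {t.from_profile} -> deny; {cause}")
```

With the constructed data the first PC's drop to the deny profile lands two seconds after an LDAP timeout, which is the pattern the reply describes; the second PC's drop has only clean LDAP probes around it, which is the situation the original poster ends up in after the LDAP diagnostics come back clean.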
Userlevel 4
Diagnostics and the LDAP test are OK. No timeouts. I did the test a few times during the day.
Userlevel 4
@Ryan Yacobucci: Had a reaction from GTAC. There is a bug in 22.4.1.4 and it is fixed from 22.5 (CR xos0070452).
