Header Only - DO NOT REMOVE - Extreme Networks

NAC: Avoid that end-systems aging out


Userlevel 2
In NAC-Manager, there is a setting via "Options" -> "NAC Manager" -> "Data Persistence" -> "Age end-systems older than XX days" (our setting is at 90 Days per default).
The problem is, that we have a few systems, running more than 90 days without any network-related events that are generated.

So for example a time-registration terminal will be disconnected after three month and is rejected from the network until a new import of the MAC is being triggered.

Is there a way to disable this setting or to exclùde specific end-system groups from it?

4 replies

Userlevel 7
How about a end-system group with the MACs that you'd like to allow.
Then copy the rule that you've used before and link it to that group - move the new rule on top of the other.

Userlevel 2
Hi Ronald,

no, the rules aren't the problem.
If a existing permitted device which netlogin passed access doesn't generate a event for more than 90 days, the end system is deleted from all connected end-system groups.
In addition the port will be reauthenticated and so the access will be denied
Userlevel 6
In NAC Manager go tools --> Options --> Data Persistence.

You can set the timer to 0, however this means that every end system that attaches to the system will never be purged, so eventually you'll end up with a large amount of old end systems.

What you can do is as Roland has said put these special end system into a group and make sure the option to "Remove Associated MAC locks and Occurrences in Groups" is NOT checked.

Once the end system ages out and re-authenticates it should authenticate back into it's end system group rule as the option to remove has been disabled.

Also, if you can get RADIUS accounting, or a DHCP packet from these devices it'll reset the last seen time and they'll never age out.

You can also set a session timeout or re-authentication timer on the port to have the device re-authenticate after a period of time, resetting the last seem timer so these devices don't age out either.

Thanks
-Ryan
Userlevel 2
Dear Ryan,

thanks for the feedback.
I never thought about the reauthentication - but now that you mention it, it seems to be a good idea.
I think we will set the reauth-timer to 1 month and give that a try.

Many thanks 🙂

Reply