I/G/C/B/A-Series f/w Firstarrival MacLocking can Fail with some Auth settings

Article ID: 14980

I-Series, firmware through
G-Series, firmware through
C5-Series; firmware through, through
C3-Series, firmware through
B5-Series; firmware through, through
B3-Series, firmware through
A4-Series; firmware through, through

Set up one or more ports for MAC Locking of the first MAC seen ("maclock firstarrival 1"), EAPOL for assumed authentication ("eapol auth-mode forced-auth"), and single-user pass-or-fail authentication ("multiauth mode strict") (10283).

For example:
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1

set maclock enable
set maclock firstarrival ge.1.1 1
set maclock enable ge.1.1

set multiauth mode strict
Maclocked clients never connect to the network.
While a client is trying to connect, the error message "Maca system disabled" is written to the syslog (visible in 'show support'); for example:
<167>Feb 6 15:09:25 MACA[121516080]: maca_api.c(289) 539 %
Maca system disabled

Solution/Workaround
Upgrade to 6.61 firmware or higher.
Release notes state, in the 'Changes and Enhancements in' section:
Corrected the inability to access the network from a port in "force-auth" state, with multiauth mode set to strict, and maclocking firstarrival set to 1.

Also fixed as of C5/B5/A4-Series firmware (though not stated in release notes).

Pre-upgrade workaround: Change multiauth from strict mode to multi mode (12499), or enable maclock static and set maclock firstarrival 2 or greater.
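
To find ports that match the affected combination before upgrading, the following added example (not part of the original article or the vendor's tooling) scans a saved configuration for ports that are in forced-auth with maclock firstarrival 1 while multiauth mode is strict. It assumes the configuration is available as text in the exact "set ..." command forms shown above, with one port per line (no port ranges or wildcards) and every setting written out explicitly; defaults that do not appear in the text are not inferred. The sample configuration and the function name are constructed for illustration.

```python
import re

# Constructed sample configuration, using the command forms from the article.
SAMPLE_CONFIG = """\
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1
set eapol auth-mode forced-auth ge.1.2
set eapol auth-mode auto ge.1.3
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock firstarrival ge.1.2 4
set maclock firstarrival ge.1.3 1
set maclock enable ge.1.1
set maclock enable ge.1.2
set multiauth mode strict
"""

EAPOL_RE = re.compile(r"^set eapol auth-mode (\S+) (\S+)$")
FIRST_RE = re.compile(r"^set maclock firstarrival (\S+) (\d+)$")
MULTI_RE = re.compile(r"^set multiauth mode (\S+)$")


def affected_ports(config_text):
    """Return sorted ports combining forced-auth, firstarrival 1 and strict mode."""
    auth_mode, first_arrival, multiauth = {}, {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := EAPOL_RE.match(line):
            auth_mode[m.group(2)] = m.group(1)  # later lines override earlier ones
        elif m := FIRST_RE.match(line):
            first_arrival[m.group(1)] = int(m.group(2))
        elif m := MULTI_RE.match(line):
            multiauth = m.group(1)
    if multiauth != "strict":
        return []  # multi mode is the article's pre-upgrade workaround
    return sorted(
        port for port, mode in auth_mode.items()
        if mode == "forced-auth" and first_arrival.get(port) == 1
    )


if __name__ == "__main__":
    for port in affected_ports(SAMPLE_CONFIG):
        print(f"{port}: forced-auth + maclock firstarrival 1 + multiauth strict")
```
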

