Extreme Networks

I/G/C/B/A-Series f/w 6.61.08.0013 Firstarrival MacLocking can Fail with some Auth settings


Article ID: 14980

Products
I-Series, firmware 6.42.09.0005 through 6.61.08.0013
G-Series, firmware 6.42.09.0005 through 6.61.08.0013
C5-Series; firmware 6.42.09.0005 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
C3-Series, firmware 6.42.09.0005 through 6.61.08.0013
B5-Series; firmware 6.42.09.0005 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008
B3-Series, firmware 6.42.09.0005 through 6.61.08.0013
A4-Series; firmware 6.61.02.0007 through 6.61.08.0013, 6.71.01.0067 through 6.71.02.0008

Changes
Configure one or more ports for MAC Locking of the first MAC seen ("maclock firstarrival 1"), EAPOL with assumed authentication ("eapol auth-mode forced-auth"), and single-user pass-or-fail authentication ("multiauth mode strict") (10283).

For example:
#eapol
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1
!

#maclock
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock enable ge.1.1
!

#multiauth
set multiauth mode strict
!

Symptoms
Maclocked clients never connect to the network.
While a client is trying to connect, error message "Maca system disabled" is syslogged ('show support'); for example:
<167>Feb 6 15:09:25 10.26.1.92-1 MACA[121516080]: maca_api.c(289) 539 %
Maca system disabled

Solution/Workaround
Upgrade to 6.61 firmware 6.61.09.0012 or higher.
Release notes state, in the 'Changes and Enhancements in 6.61.09.0012' section:
18194  Corrected the inability to access the network from a port in "force-auth" state, with multiauth mode set to strict, and maclocking firstarrival set to 1.


Also fixed as of C5/B5/A4-Series firmware 6.71.03.0025 (though not stated in release notes).

Pre-upgrade workaround: Change multiauth from strict mode to multi mode (12499), or enable maclock static and set maclock firstarrival 2 or greater.
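
To find ports exposed to this defect before upgrading, the check below scans saved configuration text for the combination described under Changes and compares a firmware version against the ranges listed under Products. It is an added example, not Extreme Networks code: the function names and the sample configuration are constructed, it assumes one port per command (no port ranges), and it treats multiauth as strict only when the configuration says so explicitly.

```python
R661 = ("6.42.09.0005", "6.61.08.0013")   # inclusive ranges from "Products"
R671 = ("6.71.01.0067", "6.71.02.0008")
AFFECTED = {
    "I": [R661], "G": [R661], "C3": [R661], "B3": [R661],
    "C5": [R661, R671], "B5": [R661, R671],
    "A4": [("6.61.02.0007", "6.61.08.0013"), R671],
}

def ver(s):
    """'6.61.08.0013' -> (6, 61, 8, 13) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def firmware_affected(series, version):
    return any(ver(lo) <= ver(version) <= ver(hi)
               for lo, hi in AFFECTED.get(series, []))

def affected_ports(config):
    """Ports with forced-auth + maclock firstarrival 1 under multiauth strict."""
    forced, first1, locked, strict = set(), set(), set(), False
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["set", "eapol", "auth-mode"] and len(w) == 5:
            (forced.add if w[3] == "forced-auth" else forced.discard)(w[4])
        elif w[:3] == ["set", "maclock", "firstarrival"] and len(w) == 5:
            (first1.add if w[4] == "1" else first1.discard)(w[3])
        elif w[:3] == ["set", "maclock", "enable"] and len(w) == 4:
            locked.add(w[3])          # per-port enable; the global form has 3 words
        elif w[:3] == ["set", "multiauth", "mode"] and len(w) == 4:
            strict = w[3] == "strict"
    return sorted(forced & first1 & locked) if strict else []

# Constructed sample: ge.1.1 matches the article's configuration, ge.1.2 has
# firstarrival set to 2, ge.1.3 has no MAC locking.
SAMPLE = """\
set dot1x enable
set eapol enable
set eapol auth-mode forced-auth ge.1.1
set eapol auth-mode forced-auth ge.1.2
set eapol auth-mode forced-auth ge.1.3
set maclock enable
set maclock firstarrival ge.1.1 1
set maclock enable ge.1.1
set maclock firstarrival ge.1.2 2
set maclock enable ge.1.2
set multiauth mode strict
"""

if __name__ == "__main__":
    print("ports to fix:", affected_ports(SAMPLE))
    print("C5 6.61.08.0013 affected:", firmware_affected("C5", "6.61.08.0013"))
```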
