topic Re: EXOS | Extreme Control dynamic vlan assignment in ExtremeControl

EXOS | Extreme Control dynamic vlan assignment

csantos — Wed, 30 Dec 2020 18:46:06 GMT

Hi Hub Community,

We’re using the Extreme Control Policy (NAC) in one of our customers in the health care system to implement some security checks, regarding the devices that can connect to our network. In resume, in our EXOS stacks we have all the ports with the DATA vlan (untag) and VoIP vlan (tag) and we use 802.1X (dot1x - NAC and Microsoft AD) to authenticate our users. On the other hand, we have some NAC policies for special cases, like the printers and the medical devices. When this kind of devices is connected to one of the EXOS stacks, the NAC Engine dynamically assigns the proper vlan (we have a vlan for printers and a vlan for medical devices) on the switch port, using MAC authentication, not 802.1X. In most cases, this is working just fine. However, for some printers we’re facing a stange issue. Basically, from time to time, a printer just stops to communicate. I’m sharing the logs of the port where a printer with this symptom is connected.

As you can see, we can observe some 802.1X auth being rejected. The funny thing, is that the printer (Zebra G series) does not support 802.1X. So, how can I see these kind of logs? To workaround the issue, we need to reboot the printer and delete the DHCP lease that the printer acquires during the process of authentication on the DATA static vlan. Eventually, after 2 or 3 retries, the printer starts working on the proper vlan for quite some time.

So anyone can help?

Regards,

César Santos

Re: EXOS | Extreme Control dynamic vlan assignment

Miguel-Angel_RO — Wed, 30 Dec 2020 19:21:33 GMT

csantos,

I also have issues with Zebra printers on ERS switches when using 802.1X/MAC Auth on the ports.

We forced the MAC on the switch/port to limit the impact but sometimes we set the port without authentication.

I’m afraid those printers are the issue…

Mig

Re: EXOS | Extreme Control dynamic vlan assignment

csantos — Wed, 30 Dec 2020 19:30:39 GMT

Miguel,

Yeah, I’ve tried to disable the 802.1X on the port, only having MAC auth. With that, the issue does not appear again. The problem is that is some kind of an exception on the switch config and we loose the flexibility to connect the Printers in any port without any concern regarding the configuration of the port.

If the printer is the issue, I’ll have to talk to the customer about that. No magic here, I’m afraid.

Re: EXOS | Extreme Control dynamic vlan assignment

PeterK — Wed, 30 Dec 2020 21:51:52 GMT

I can confirm, that zebra printers are sometimes very special…

One of our customer hase sometimes very strange effects with these printers in a aruba wireless enviroment.

In your case, maybe you could try to disable 802.1x with upm-profile via a special radius-attribute. This should work in exos.

Re: EXOS | Extreme Control dynamic vlan assignment

Miguel-Angel_RO — Thu, 31 Dec 2020 23:35:59 GMT

Hi PeterK, Thanks for the tip.

@csantos ,

I’m thinking on adapting the timers of 802.1X/MAC Auth on the ports for the Zebra printers.

This could help on allowing the MAC Auth faster than today and still keeping the 802.1X operational.

I need this because some Zebra’s are behind an IP Phone doing 802.1X.

I’ll try after my holidays.

Miug

Re: EXOS | Extreme Control dynamic vlan assignment

csantos — Fri, 01 Jan 2021 01:21:23 GMT

@PeterK thanks for your tip. I’ll try, just in case. But I would prefer do not have any kind of exception, between the ports of my stacks, regarding the 802.1X auth process. I’ll let the end customer have the final decision about that, if my lab with upm-profile works fine.

@Miguel-Angel RODRIGUEZ-GARCIA that’s an interesting idea. After you try thak workaround, please let me know if the behaviour of these printers change.

Thanks a lot!