topic NAC - 802.1x End-Systems IP missing, forward AAA in ExtremeControl

NAC - 802.1x End-Systems IP missing, forward AAA

tfsnetman — Fri, 28 May 2021 07:58:37 GMT

Hello,

We have two Cisco WLCs 5500 using our Extreme NACs as Radius Authentication and Accounting servers.

While Authentication works nicely, I am missing some IP addresses from End-Systems while others are there.
- Any idea why?
We would also like to forward the username / identity to a FortiGate firewall.
- How would I do that?

Thank you,

Klaus

Re: NAC - 802.1x End-Systems IP missing, forward AAA

StephanH — Fri, 28 May 2021 22:13:59 GMT

Hello,

typically the NAC gets the MAC IP mapping information by reading DHCP requests and responses.
For this purpose, NAC is registered as a DHCP server on the routers that forward DHCP requests (=DHCP relays).
This does not work with static IP addresses on the end devices.

So my question: Is the difference between the devices for which the ip addresses are displayed and for the devices for which they are not displayed that one uses DHCP and the other not?

Re: NAC - 802.1x End-Systems IP missing, forward AAA

Stefan_K_ — Sun, 30 May 2021 03:13:26 GMT

This is one of several possibilites. Other options are for example:

radius accounting (as tfsnetman stated)
nodealias (not possible here)

I had the problem once that NAC couldn’t display end-system IP-addresses. DHCP was configured correctly and Radius accounting was also enabled. Maybe tfsnetman has the same problem. Only solution was nodealias.

Re: NAC - 802.1x End-Systems IP missing, forward AAA

StephanH — Sun, 30 May 2021 03:58:08 GMT

Switching on WLC accounting is not always sufficient depending on the sw version. To be sure you have to check if the transmission of MAC and IP under

Acct Called Station ID Type

is switched on. But guessing helps little here, it would be good to know how the address resolution runs in the installation Klaus mentioned.

Re: NAC - 802.1x End-Systems IP missing, forward AAA

tfsnetman — Sun, 30 May 2021 11:58:39 GMT

Hi guys,

Accounting Called Station ID type is set o IP and there is no option for both MAC and IP - see attachment.

We are talking about Wi-Fi and 802.1x authentication only where IP addresses are always assigned via DHCP.

@Stephan: not sure whether what you mean by registering NACs as a DHCP server and how those DHCP requests would flow.

Thank you,

Klaus

Re: NAC - 802.1x End-Systems IP missing, forward AAA

StephanH — Sun, 30 May 2021 12:07:34 GMT

Hello Klaus,

the accounting settings should fit

Regarding DHCP, I assume the DHCP server has no IP in the same network as your clients. Then there must be a router in your network that has a DHCP helper entry that contains the IP address of the DHCP server. Enter there also the NAC IP (additional), as if the NAC was a DHCP server.

Re: NAC - 802.1x End-Systems IP missing, forward AAA

StephanH — Sun, 30 May 2021 12:08:47 GMT

If the WLC care about the DHCP forwarding add the NAC ip as DHCP server on the WLC.

Re: NAC - 802.1x End-Systems IP missing, forward AAA

tfsnetman — Sun, 30 May 2021 13:12:00 GMT

Hi Stephan,

I guess, I will find out how well it works and let you know.

Any thoughts about how to forward user identity from the Extreme NACs to a FortiGate firewall?

Thank you,

Klaus

Re: NAC - 802.1x End-Systems IP missing, forward AAA

StephanH — Mon, 31 May 2021 18:16:18 GMT

Hello Klaus,

maybe the ExtremeConnect integration for FortiGate is what you need. Check the manual here:

https://documentation.extremenetworks.com/netsight/8.5/XMC_8.5_ExtremeConnect_User_Guide.pdf?_ga=2.251304518.1913999325.1622458672-913789110.1618568265

If you need other information in you Fortigate. Maybe the XMC NBI-API can help you.

Re: NAC - 802.1x End-Systems IP missing, forward AAA

tfsnetman — Tue, 01 Jun 2021 07:16:43 GMT

Hi Stephan,

Adding the Extreme NACs as a secondary DHCP on the Cisco WLCs is providing additional information such as Device Type and hostname but doesn’t help with further IP addresses.

Thank you for pointing me to the manual. I will have my black belt / PhD in XMC, Control after applying that knowledge.

Cheers, Klaus

Re: NAC - 802.1x End-Systems IP missing, forward AAA

StephanH — Tue, 01 Jun 2021 13:31:55 GMT

Hello Klaus,

because of the additional information you metioned, you know your helper setting is correct.

To see what's goung wrong with your ip resolution, follow that guide for debugging and check the output in the log file:

https://extremeportal.force.com/ExtrArticleDetail?an=000082183&q=mac%20to%20ip%20resolution%20failed

Re: NAC - 802.1x End-Systems IP missing, forward AAA

tfsnetman — Wed, 02 Jun 2021 09:15:17 GMT

Thank you Stephan,

Added the NACs as a secondary DHCP server on all WLC interfaces which increased the accuracy for MAC IP address resolution.

Since both the NACs and the DHCP server are in the same subnet I would have expected this to work based on DHCP multicast messages alone.

I was also able to use the FortiGate SSO module in the XMC Connect which is now forwarding Radius accounting information. The sender IP of the Radius data is the XMC and not the NAC.

All the best,

Klaus