topic Re: ExtremeControl - MAC to IP resolution question in ExtremeControl

ExtremeControl - MAC to IP resolution question

Guilhem_Lejeune — Mon, 30 Sep 2024 12:45:26 GMT

Hi,

I have a pure theory question here.

It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.
The most popular technic is to relay DHCP messages toward ExtremeControl and that is what I use in production.

What about a new client ? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.

MAC to IP resolution cannot be done and... neither does the authentication, right ?

I have this exact use case in production. We have to plug the PC in non-NACed port in order to get through the whole DHCP process. Then, the PC is plugged in the NAC port and it works.

If we plugged the PC in the NACed port first, it does not work.

Kind regards,

Re: ExtremeControl - MAC to IP resolution question

Stefan_K_ — Mon, 30 Sep 2024 14:18:46 GMT

@Guilhem_Lejeune wrote:
Hi,
I have a pure theory question here.
It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.

Not really, it's more like a nice-to-have feature, to see the IP of the End-Systems.

What about a new client ? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.
MAC to IP resolution cannot be done and... neither does the authentication, right ?

Re: ExtremeControl - MAC to IP resolution question

Guilhem_Lejeune — Mon, 30 Sep 2024 16:30:28 GMT

Hi,

Thank you for your feedback, Stefan 😉

Why shouldn't authentication be possible? Authentication shouldn't be based on the IP-Address. 802.1x is recommended, MAC-based is possible... After authentication DHCP is happening and the IP-Addressfield on NAC will be populated.
Yes, I totally agree ! Authentication process is completly agnostic of DHCP process. That's why I'm kind of lost...

The problem is, I observed that I must plug the PC in a non-NACed port before the NACed port.
This observation has lead me to a possible "MAC-to-IP resolution" issue but, as you said, I understand that should not be the problem.

Does anyone has already encountered this problem and the root cause ?

Kind regards,

Re: ExtremeControl - MAC to IP resolution question

Stefan_K_ — Mon, 30 Sep 2024 19:35:21 GMT

First you have to find more information before trying to find a root cause. "If we plugged the PC in the NACed port first, it does not work."
"it does not work" is not a description of problems.

What switch do you use? Is it EXOS? What does "show log" and "show netlogin session port x" give you?
What is seen in the NAC End-System table?

Re: ExtremeControl - MAC to IP resolution question

Zdeněk_Pala — Tue, 01 Oct 2024 20:00:04 GMT

The IP address resolution is needed in the following scenarios:

Captive portal based authentication/registration/remediation
Integration with 3rd party systems require that (e.g. Firewall integration)
Posture Assessment is needed (licensed feature)

I agree the IP address resolution is not required for MAC or 802.1X authentications.

good luck

Re: ExtremeControl - MAC to IP resolution question

Configterminal — Wed, 02 Oct 2024 11:07:07 GMT

It sounds like your rules are based on profiling information of the end point which does not exist until DHCP profiling is complete. Can you post a screenshot of the rules your endpoint is hitting ?

Re: ExtremeControl - MAC to IP resolution question

Guilhem_Lejeune — Fri, 18 Oct 2024 06:11:15 GMT

Hi,

The first rule I must match is down below. It's for host authentication (username field is used).
Here some anonymized screenshots :

I have also noticed that reverse DNS lookup doesn't work well so we are working on it.

For information, I'm trying to reproduce this configuration : Solved: Re: EAC - domain user over domain computer - Extreme Networks - 93807 because I'm exactly in the same case (PEAP with host and user authentication).

Re: ExtremeControl - MAC to IP resolution question

Zdeněk_Pala — Sat, 19 Oct 2024 07:15:20 GMT

If the PEAP or EAP-TLS is used then you should have name of the computer in USERname. That means you should use USERgroup test. Hostname-based end-system group requires the hostname resolution to be working.

if you want to check LDAP for the computer membership then you can:
1. define LDAP for computers:

2. define AAA rule for computers:

3. user the user rule with memberof

Re: ExtremeControl - MAC to IP resolution question

Guilhem_Lejeune — Sat, 19 Oct 2024 18:31:20 GMT

Hi,

Thank you for your reply !

We use 802.1x PEAP MsCHAPv2 😉
We have a similar configuration except for the usergroup.

You use an attribute value "host/*" where we use "objectCategory" as attribute name and "CN=[...],CN=[...],[...],DC=[...],DC=[...]" as attribute value as shown on a previous screenshot.

I made a test by clicking "Attribute Lookup..." and by filling a existing host with the format "host/[...]".
I do have a positive result.

So I think the configuration is alright.

What I did not understand very well is your last sentence : "user the user rule with memberof".
Could you please tell me more ?

In the mean time, we are still investigating the DNS reverse resolution possible issue.

Kind regards

Re: ExtremeControl - MAC to IP resolution question

Zdeněk_Pala — Sun, 20 Oct 2024 07:21:46 GMT

Hi,

The autocorrect has changed "use the user rule with memberof" to "user...". The most common criteria is "memberOf" but "objectCategory" should work also.

the common error is that people are using end-system group instead of user group.
another common error is using the same AAA rule and the same LDAP config for user authentication and computer authentication

I recommend checking the format of the username with the LDAP search. Also Configuration Evaluation tool can help a lot.