topic RE: NAC: Avoid that end-systems aging out in ExtremeSwitching (EXOS/Switch Engine)

NAC: Avoid that end-systems aging out

Chacko — Fri, 10 Feb 2017 21:40:00 GMT

In NAC-Manager, there is a setting via "Options" -> "NAC Manager" -> "Data Persistence" -> "Age end-systems older than XX days" (our setting is at 90 Days per default).
The problem is, that we have a few systems, running more than 90 days without any network-related events that are generated.

So for example a time-registration terminal will be disconnected after three month and is rejected from the network until a new import of the MAC is being triggered.

Is there a way to disable this setting or to exclùde specific end-system groups from it?

RE: NAC: Avoid that end-systems aging out

Ronald_Dvorak — Fri, 10 Feb 2017 21:49:00 GMT

How about a end-system group with the MACs that you'd like to allow.
Then copy the rule that you've used before and link it to that group - move the new rule on top of the other.

RE: NAC: Avoid that end-systems aging out

Chacko — Fri, 10 Feb 2017 21:58:00 GMT

Hi Ronald,

no, the rules aren't the problem.
If a existing permitted device which netlogin passed access doesn't generate a event for more than 90 days, the end system is deleted from all connected end-system groups.
In addition the port will be reauthenticated and so the access will be denied

RE: NAC: Avoid that end-systems aging out

Ryan_Yacobucci — Mon, 13 Feb 2017 03:48:00 GMT

In NAC Manager go tools --> Options --> Data Persistence.

You can set the timer to 0, however this means that every end system that attaches to the system will never be purged, so eventually you'll end up with a large amount of old end systems.

What you can do is as Roland has said put these special end system into a group and make sure the option to "Remove Associated MAC locks and Occurrences in Groups" is NOT checked.

Once the end system ages out and re-authenticates it should authenticate back into it's end system group rule as the option to remove has been disabled.

Also, if you can get RADIUS accounting, or a DHCP packet from these devices it'll reset the last seen time and they'll never age out.

You can also set a session timeout or re-authentication timer on the port to have the device re-authenticate after a period of time, resetting the last seem timer so these devices don't age out either.

Thanks
-Ryan

RE: NAC: Avoid that end-systems aging out

Chacko — Mon, 13 Feb 2017 14:59:00 GMT

Dear Ryan,

thanks for the feedback.
I never thought about the reauthentication - but now that you mention it, it seems to be a good idea.
I think we will set the reauth-timer to 1 month and give that a try.

Many thanks 