cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

Device is displayed as rejected even though MAC auth was successful

Device is displayed as rejected even though MAC auth was successful

Joshua_DeltaNS
New Contributor II

Joshua_DeltaNS_1-1704473118783.png

I am currently working on deploying a NAC appliance for a customer and I am puzzled by this occurrence. We have disabled .1x authentication globally on phones for this customer, and have configured the switches to make mac auth take precedence over .1x auth; however, there are two phones that still seem to be attempting .1x authentication. The most confusing aspect of this is they maintain a rejected state when looking at end systems, but looking at the detailed authentication logs, it appears a successful mac authentication has occurred. I have attached a screen shot of the issue for clarity.

Does anyone have any insight as to why these will not move to an accepted state when looking at end systems?

 

Thank you

1 ACCEPTED SOLUTION

Ryan_Yacobucci
Extreme Employee

I would suggest starting a case with GTAC. 

XIQ-SE should not be displaying a rejected 802.1x state if an underlying successful MAC authentication has occurred. 

Thanks
-Ryan

View solution in original post

4 REPLIES 4

Ryan_Yacobucci
Extreme Employee

I would suggest starting a case with GTAC. 

XIQ-SE should not be displaying a rejected 802.1x state if an underlying successful MAC authentication has occurred. 

Thanks
-Ryan

Stefan_K_
Valued Contributor

Hi Joshua,

I can't really help you, I can just confirm that I saw this issue multiple times (but very rarely) in all kind of scenarios and version of XIQ-SE / Control. Never had the time to dig deeper into it or open a Case. Did you try to reload the distributed end-system cache? 

Thanks for your reply Stefan. It is interesting to know that this is a problem for others as well. It is a very isolated incident (2 devices out of >2000), but I would still like to better understand it. 

I have not attempted reloading the distributed end system cache, but will try it later today when the customer is not in production hours. I appreciate the suggestion.

Hi @Joshua_DeltaNS ,

did you already raise a case as suggested by @Ryan_Yacobucci 

I have it the other way round for one client at the moment: It's displayed as accepted in the End-System list, all information are up to date and look good. Last seen 10/01/2024 22:51, looks like correct 802.1x (EAP-TLS) auth, shows a username, client IP etc.

When I take a look at the End-System Events I see that the client has been rejected since yesterday. 

The important thing: On the switch the client is getting rejected, so the End-System Events are correct and the "main" entry in the End-System table is faulty.

Unfortunately I'm only able to raise a case on friday. Hope that problem is still present then. Or I have to find another affected client...

 

Best regards
Stefan

GTM-P2G8KFN