cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

NAC (ExtremeControl) i dont see End-Systems

NAC (ExtremeControl) i dont see End-Systems

DeoHeo
New Contributor III

Hello Community,
I am in the process of testing Extreme Control and am stuck.

Setup
All servers and clients are running on one ESXi server
EMC 192.168.1.1 (switch port 1)
ExtremeControl Engine 192.168.1.2 (I want to use the engine as radius)
Switch X440 G2 192.168.1.6
Windows 10 Client 192.168.1.100 (Switch Port 11)


Config Switch

#
# Module aaa configuration.
#
configure radius netlogin 1 server 192.168.1.2 1812 client-ip 192.168.1.6 vr VR-Default
configure radius 1 shared-secret encrypted "#$3YWys9K/gnkYTAtcnoc0j/sVILnGlBmsBojzhCKu5klcQGu850E="
configure radius mgmt-access primary server 192.168.1.2 1812 client-ip 192.168.1.6 vr VR-Default
configure radius mgmt-access primary shared-secret encrypted "#$q3McX2ey3ZY3eNTYPu8B/14NYPTeJEwEnbZyHR4QoVrwtq3T1a0="
configure radius netlogin primary server 192.168.1.2 1812 client-ip 192.168.1.6 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$+BrzjOm9EGeBUFdYfHDStLMDGl3Zq2uZ/iFgqbFmQjO49XwptwY="
enable radius
enable radius mgmt-access
enable radius netlogin
configure radius timeout 15

Config Engine
I left everything on default and only entered an IP subnet under IP Address Resolution: 192.168.1.0-192.168.1.254.

Config EMC
Switch added (can also be seen under Control/Access Control/Engines/Default/Switches)

Logs Switch
sh radius
- shows that it is connected
show log severity debug-data | include RADIUS
- does not show error messages

Logs Engine
/var/log/radius/radius.log
- for me not understandable found what I should change

I can still write all needed information in case I forgot something. I would be grateful for any help.

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

One further hint:

To check if authentications happen on your switch use:

show netlogin session 

on you switch

Regards Stephan

View solution in original post

7 REPLIES 7

DeoHeo
New Contributor III

In the test environment I do not use DHCP.

I will try the latter.

A colleague said that it might be the ESXi environment. I'll have a look.

StephanH
Valued Contributor III

Does your client use DHCP? If yes add an dhcp helper entry on you switch pointing to the NAC GW.

This way, the NAC receives all DHCP packets. In addition you can enable node alias on the ports, to improve the IP triggering of the NAC.

Regards Stephan

DeoHeo
New Contributor III

The client can authenticate itself. But in different time intervals comes "MAC to IP Resolution Failed". To me it looks like a timer value is set too small, but I can't find it. But maybe it is something else.

GTM-P2G8KFN