XMC 8.2.4.42 Policy enforce issue with MAC Auth'ed devices

LeoP1
Contributor
Hi guys,

I got some odd behavior at a customer last night...

After the upgrade of XMC to 8.2.4.42 (from 8.1.6.20) on a network with about 60 switches, mixed with access switches like X440G2 (stacked and standalone), X450G2, S4, C5, B5, B3, B2 and G3, we issued a policy enforce in the long-time working policy domain.

Right after the enforce, ALL MAC authenticated devices stopped working, even though the XMC and switch consoles showed that MAC auth was restarted and the right policies were applied to each port, on ALL switches (EXOS and EOS)... The default role applied to all ports allows ICMP (as do ALL roles), and not even that worked.

Terminating the MAC auth again doesn't solve the issue. Disabling and re-enabling ports doesn't solve the issue either. Rebooting the connected devices (IP phones, cameras, etc.) has no effect either.

The only way to make things work again is to reboot the ENTIRE access network (leaving only the X690 core switches alone, because they don't use policy).

We had some issues like this in the past, but mostly with the EOS family (sounds odd, but we had no issues with EXOS until last night), but after this first enforce with 8.2 things have gone wild. Maybe an XMC 8.2 issue?

Affected switches:

X450-G2-48p-10GE4 22.5.1.7-patch1-3
X440-G2-48p-10GE4 22.5.1.7-patch1-3
G3G124-24P 06.61.18.0001
B5G124-48P2 06.81.10.0001
C5G124-48P2 06.81.10.0001
S4 08.63.03.0003
B3G124-48 06.61.16.0002

Has anyone had an issue like this?

Best regards,

-Leo
3 REPLIES

LeoP1
Contributor
Hi @HoneyBadger72 ,

The customer doesn't have any NAC deployed yet... Just Policy (long-term Enterasys customer) and authentication on MS NPS.

Best regards,

-Leo

HoneyBadger72
New Contributor
I won't be much help as I am preparing to upgrade myself, but I am looking for issues like this to be prepared for. I assume you also upgraded your NAC servers to the same version? From what I am reading, you upgrade the XMC first, then any NAC and Analytics servers you may have second? I assume you have done all that?

We have a similar setup:
XMC ver 8.1.3.65
A few NAC servers
Single Analytics server
8 x X440-G2 stacks in main office
11 x X450-G2 stacks, one in each of 11 remote offices
All using the same policy domain
94 APs spread across the company with two controllers at our data centers
All virtual servers on VMware

I am curious to see what others say. We use MAC auth for most ports. Some are hard setup to particular VLANs. After this upgrade, I am going to begin testing and deploying 802.1x auth (with MAC auth) to most ports. Good luck!

LeoP1
Contributor
Anyone?

Best regards,

-Leo