02-21-2024 01:01 PM
Have been working with an Extreme engineer regarding a Wireless Controller implementation. Since my new company is also running FortiNAC that is EOL and they want us to upgrade, we decided to roll the Extreme Control NAC implementation into the same project as the wireless. Currently our FortiNAC solution is only doing basic MAC authorization.
The Extreme Engineer was able to build the NAC engines and begin creating rule sets. We were able to add one XOS stack of Extreme X440 G2 switches to NAC as a RADIUS client and saw the dynamic VLAN control working flawlessly. A few more days into implementation the Engineer introduced 802.1x rules. I explained we had not implemented 802.1x in the environment yet, but he insisted it was necessary for WiFi 6 and something we would want, so he configured AAA rules within Extreme Control and some base 802.1x NAC policy rules.
We have attempted to add two more switch stacks as RADIUS clients to Extreme Control and both stacks are unable to process Dynamic VLAN control. Devices connected to these switches are seen by the Extreme Control End-Systems screen and the End-Systems screen even shows the appropriate policy is being applied based on MAC address, but the switches never seem to receive or process anything back. Looking at logs from the Switch side I can only see 802.1x failures on the port, but never successful MAC auths.
I have a GTAC case open, as well as the installation engineer reviewing configs, but no one has been able to explain why the first switch stack worked or why any other subsequent switches added as RADIUS clients are not processing MAC authorization appropriately. My thought was this had something to do with the 802.1x implementation, but has anyone else experienced this issue?
Running the command "Show netlogin session" on the switch stack that is working shows the sessions and authorizations, but running "show netlogin session" on any other switch added in NAC says there are no Netlogin entries.
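The symptom above (NAC's End-Systems view shows the right policy matched, but the switch never shows a session) is worth splitting into two questions: what does the RADIUS reply actually carry, and does the switch accept the reply at all? The following is an added Python example, not code from this thread or from Extreme. It assumes the NAC returns VLAN assignment as the RFC 3580 tunnel attribute triple (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID), which is one common way and not something the thread confirms for Extreme Control; the packet bytes, shared secret and request authenticator are constructed for the example. It decodes the VLAN from an Access-Accept and performs the RFC 2865 Response Authenticator check that a RADIUS client does before acting on a reply, which is the check that fails, and the reply is silently dropped, when the shared secret on the switch and the NAC engine do not match.

```python
"""Decode the dynamic-VLAN assignment a NAC returns in a RADIUS Access-Accept,
and verify the Response Authenticator the way the switch (RADIUS client) does.
RFC 2865: packet layout and Response Authenticator.
RFC 2868: tunnel attributes and their tag byte.
RFC 3580: VLAN assignment via Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6).
All packet bytes, secrets and authenticators below are constructed for this example."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def parse_attributes(payload):
    """Split the attribute region into (type, raw value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("attribute length out of range")
        attrs.append((atype, bytes(payload[i + 2:i + alen])))
        i += alen
    return attrs


def split_tag(atype, raw):
    """Tunnel attributes carry a tag byte (0x00..0x1F). The integer tunnel attrs are
    always tag + 3-byte value; the string Group-ID has a tag only when its first
    byte is <= 0x1F (RFC 2868 section 3.6). Tag 0 means 'untagged'."""
    if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(raw) != 4:
            raise ValueError("tunnel integer attribute must be 4 bytes")
        return raw[0], int.from_bytes(raw[1:], "big")
    if raw and raw[0] <= 0x1F:
        return raw[0], raw[1:].decode("ascii")
    return 0, raw.decode("ascii")


def vlan_from_reply(packet):
    """Return the VLAN (ID or name string) from an Access-Accept, or None when the
    reply is not an Accept or carries no complete, consistently tagged VLAN triple."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if code != ACCESS_ACCEPT:
        return None
    groups = {}
    for atype, raw in parse_attributes(packet[HEADER_LEN:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, value = split_tag(atype, raw)
            groups.setdefault(tag, {})[atype] = value
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_reply(packet, request_auth, secret):
    """The check a switch performs before trusting a reply. A shared-secret
    mismatch makes it fail, and the client discards the reply without logging a session."""
    code, ident, _length = struct.unpack("!BBH", packet[:4])
    expected = response_authenticator(code, ident, packet[HEADER_LEN:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_reply(code, ident, request_auth, secret, vlan=None, tag=1):
    """Construct a server reply; an Accept with `vlan` set carries the RFC 3580 triple."""
    attrs = b""
    if code == ACCESS_ACCEPT and vlan is not None:
        attrs += bytes([TUNNEL_TYPE, 6, tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        attrs += bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
        gid = bytes([tag]) + vlan.encode("ascii")
        attrs += bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid)]) + gid
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


# Constructed sample values; a real Request Authenticator is 16 random bytes from the client.
REQUEST_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    accept = build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, vlan="120")
    print("assigned VLAN:", vlan_from_reply(accept))
    print("authenticator valid:", verify_reply(accept, REQUEST_AUTH, SECRET))
    print("valid with wrong secret:", verify_reply(accept, REQUEST_AUTH, b"other-secret"))
    reject = build_reply(ACCESS_REJECT, 8, REQUEST_AUTH, SECRET)
    print("VLAN from a Reject:", vlan_from_reply(reject))
```

Run against a capture taken on the switch's RADIUS client address, `vlan_from_reply` tells you whether the NAC is actually sending a VLAN for the MAC that End-Systems says matched, and `verify_reply` (with the switch's configured secret and the Request Authenticator from the matching Access-Request) tells you whether the switch would have accepted that reply. Both passing moves the problem to the switch's own netlogin/policy state, which is where this thread ended up.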
02-22-2024 05:42 AM
Hello,
This error message looks a little suspect:
2/16/2024 15:26:44.52 <Erro:cm.sys.LoadApplCfgObjFail> "policy" application failed to load "etsPolicySystem" configuration object: Hardware resources were not reserved for Policy (count 3).
Can you try
disable policy
enable policy
Thanks
-Ryan
02-22-2024 11:51 AM
Just to follow up on this, GTAC got back to me regarding a missing line of config after the reboot, specifically the enable netlogin line. Once I ran that on the switch stack I could see the downstream devices making entries within the NAC End-Systems tab again. Certain devices like IP Cameras appear to hit the appropriate rules and dynamically assign the VLAN correctly and I can ping the downstream device and it is in the appropriate VLAN. Several Extreme 4000 WAPs connected to the stack hit the correct rule in NAC, get the correct policy assigned and switchport is configured to the correct VLAN, but the APs are not pingable with the IP address NAC receives (which would be correct for their VLAN) and they seem to just flash amber. A test workstation also fails to hit the appropriate NAC issues and keeps falling through to NAC Identify, but I am working with the Extreme Engineer that did our implementation regarding these issues. Thanks for all of your help everyone!
02-22-2024 06:59 AM
Ryan,
This appeared to work to get MAC authorization working again, but NAC was still incorrectly processing a test laptop (all other devices connected to this switch stack functioned and received policy appropriately after the disable/enable). I rebooted the stack just to determine that wasn't an issue, disabled and re-enabled policy again. Now NAC shows contact established with the switch, but I can see no entries within End-Systems and it doesn't appear that this stack is passing any sort of traffic or authentication again.
02-22-2024 07:09 AM
Still waiting for an answer to my post, or am I just too blind to find it?