12-30-2020 10:46 AM
Hi Hub Community,
We’re using the Extreme Control Policy (NAC) at one of our customers in the health care system to implement some security checks regarding the devices that can connect to our network. In summary, in our EXOS stacks we have all the ports with the DATA vlan (untag) and VoIP vlan (tag) and we use 802.1X (dot1x - NAC and Microsoft AD) to authenticate our users. On the other hand, we have some NAC policies for special cases, like the printers and the medical devices. When this kind of device is connected to one of the EXOS stacks, the NAC Engine dynamically assigns the proper vlan (we have a vlan for printers and a vlan for medical devices) on the switch port, using MAC authentication, not 802.1X. In most cases, this is working just fine. However, for some printers we’re facing a strange issue. Basically, from time to time, a printer just stops communicating. I’m sharing the logs of the port where a printer with this symptom is connected.
As you can see, we can observe some 802.1X auth being rejected. The funny thing is that the printer (Zebra G series) does not support 802.1X. So, how can I see these kinds of logs? To work around the issue, we need to reboot the printer and delete the DHCP lease that the printer acquires during the process of authentication on the DATA static vlan. Eventually, after 2 or 3 retries, the printer starts working on the proper vlan for quite some time.
So, can anyone help?
Regards,
César Santos
12-31-2020 05:21 PM
Thanks a lot!
12-31-2020 03:35 PM
Hi PeterK, Thanks for the tip.
I’m thinking of adapting the timers of 802.1X/MAC Auth on the ports for the Zebra printers.
This could help in allowing the MAC Auth faster than today while still keeping the 802.1X operational.
I need this because some Zebras are behind an IP Phone doing 802.1X.
I’ll try after my holidays.
Miug
12-30-2020 01:51 PM
I can confirm that Zebra printers are sometimes very special…
One of our customers sometimes has very strange effects with these printers in an Aruba wireless environment.
In your case, maybe you could try to disable 802.1X with a upm-profile via a special radius-attribute. This should work in EXOS.
12-30-2020 11:30 AM
Miguel,
Yeah, I’ve tried to disable the 802.1X on the port, only having MAC auth. With that, the issue does not appear again. The problem is that it is some kind of an exception on the switch config and we lose the flexibility to connect the printers in any port without any concern regarding the configuration of the port.
If the printer is the issue, I’ll have to talk to the customer about that. No magic here, I’m afraid.