This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ExtremeControl - Issue - Unexpected NEAP ReAuth

ExtremeControl - Issue - Unexpected NEAP ReAuth

Guilhem_Lejeune
New Contributor II

‎09-25-2024 12:47 PM

Hi,

Devices involved :

  • ExtremeCloud IQ Site Engine version 24.2.15.5
  • ExtremeControl version 24.2.15.5
  • Fabric-Engine 5420F-48P-4XE version 8.10.5
  • Windows PC

Windows PC first authentication is OK (we use 802.1x PEAP MSCHAPv2).

After 10 minutes, ExtremeControl sends RADIUS CoA Disconnect message to reauthenticate the PC.
The problem is, ExtremeControl receive NEAP Access-Request and the PC is placed in quarantine.

Of course, I expect EAP Reauth.

 

Troubleshoot actions done :

  • Deactivate NEAP auth on acces port (on the switch) : OK but we want to keep the port configuration as generic as possible.
  • Force Windows supplicant to do 802.1x EAP only : OK but there are some side effects when the PC is back on a non-NACed network.

 

Maybe CoA message sent from the NAC is malformed ?

Here the reauth parameters for the switch :

Guilhem_Lejeune_1-1727293608632.png

 

Do I have to fix something ?

Regards

0 Kudos
7 REPLIES 7

Guilhem_Lejeune
New Contributor II

‎10-10-2024 06:57 AM

Hi all,

I've some news... The problem was the RADIUS attributes configured on XIQ SE / ExtremeControl.
A custom preset was configued, based on "Extreme VOSS". A particular attribute which was added is %PER_USER_ACL%.

It caused the issue because at the moment of reauth, EAP trafic was simply blocked. So no reauth...

Support has seen that by using "show filter acl" command and the "deny all" counter was keeping incrementing !

 

The attribute has been deleted from the configuration and everyting seems OK now 😉

0 Kudos

Configterminal
New Contributor III

‎10-02-2024 04:11 AM

I’m curious as to why Control is issuing a CoA after 10 min?  Are you sure there isn’t a reauthentication timer configured directly on the switch? 

0 Kudos

Guilhem_Lejeune
New Contributor II
In response to Configterminal

‎10-10-2024 06:53 AM

Hi,

Support highlighted this point too. We have reconfigured ExtremeControl to disable it and we are now using timer from the switch 😉

0 Kudos

Guilhem_Lejeune
New Contributor II

‎09-30-2024 09:19 AM

Hi,

Thank you gentlemen for all your comments.
For now, I can tell that both NTP and Shared Secret are all right.

A troubleshoot session is scheduled next Friday. I will share with you what we will find.

See you soon !

Kind regards,

0 Kudos
GTM-P2G8KFN