09-30-2024 05:45 AM
Hi,
I have a pure theory question here.
It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.
The most popular technique is to relay DHCP messages toward ExtremeControl and that is what I use in production.
What about a new client? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.
MAC to IP resolution cannot be done and... neither can the authentication, right?
I have this exact use case in production. We have to plug the PC into a non-NACed port in order to get through the whole DHCP process. Then, the PC is plugged into the NAC port and it works.
If we plugged the PC in the NACed port first, it does not work.
Kind regards,
10-02-2024 04:07 AM
It sounds like your rules are based on profiling information of the endpoint, which does not exist until DHCP profiling is complete. Can you post a screenshot of the rules your endpoint is hitting?
10-01-2024 12:59 PM - edited 10-01-2024 01:00 PM
The IP address resolution is needed in the following scenarios:
I agree the IP address resolution is not required for MAC or 802.1X authentications.
Good luck
09-30-2024 12:35 PM
First you have to find more information before trying to find a root cause. "If we plugged the PC in the NACed port first, it does not work."
"it does not work" is not a description of problems.
What switch do you use? Is it EXOS? What does "show log" and "show netlogin session port x" give you?
What is seen in the NAC End-System table?
09-30-2024 09:30 AM
Hi,
Thank you for your feedback, Stefan 😉
Why shouldn't authentication be possible? Authentication shouldn't be based on the IP-Address. 802.1x is recommended, MAC-based is possible... After authentication DHCP is happening and the IP-Address field on NAC will be populated.
Yes, I totally agree! The authentication process is completely agnostic of the DHCP process. That's why I'm kind of lost...
The problem is, I observed that I must plug the PC in a non-NACed port before the NACed port.
This observation has led me to a possible "MAC-to-IP resolution" issue but, as you said, I understand that should not be the problem.
Has anyone already encountered this problem and the root cause?
Kind regards,
09-30-2024 07:18 AM
@Guilhem_Lejeune wrote:
Hi,
I have a pure theory question here.
It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.
Not really, it's more like a nice-to-have feature, to see the IP of the End-Systems.
What about a new client? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.
MAC to IP resolution cannot be done and... neither can the authentication, right?
Why shouldn't authentication be possible? Authentication shouldn't be based on the IP-Address. 802.1x is recommended, MAC-based is possible... After authentication DHCP is happening and the IP-Address field on NAC will be populated.