ExtremeControl - MAC to IP resolution question


Guilhem_Lejeune
New Contributor II

Hi,

I have a pure theory question here.

It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.
The most popular technique is to relay DHCP messages toward ExtremeControl and that is what I use in production.

What about a new client? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.

MAC to IP resolution cannot be done and... neither can the authentication, right?

I have this exact use case in production. We have to plug the PC into a non-NACed port in order to get through the whole DHCP process. Then, the PC is plugged into the NAC port and it works.

If we plug the PC into the NACed port first, it does not work.

Kind regards,

9 REPLIES

Configterminal
Contributor

It sounds like your rules are based on profiling information of the end point which does not exist until DHCP profiling is complete. Can you post a screenshot of the rules your endpoint is hitting?

Zdeněk_Pala
Extreme Employee

The IP address resolution is needed in the following scenarios:

  • Captive portal based authentication/registration/remediation
  • Integration with 3rd party systems requires that (e.g. Firewall integration)
  • Posture Assessment is needed (licensed feature)

I agree the IP address resolution is not required for MAC or 802.1X authentications.

Good luck

Regards Zdeněk Pala

Stefan_K_
Valued Contributor

First you have to find more information before trying to find a root cause. "If we plugged the PC in the NACed port first, it does not work."
"it does not work" is not a description of problems. 

What switch do you use? Is it EXOS? What do "show log" and "show netlogin session port x" give you?
What is seen in the NAC End-System table?

Guilhem_Lejeune
New Contributor II

Hi,

Thank you for your feedback, Stefan 😉

Why shouldn't authentication be possible? Authentication shouldn't be based on the IP-Address. 802.1x is recommended, MAC-based is possible... After authentication DHCP is happening and the IP-Address field on NAC will be populated.
Yes, I totally agree! The authentication process is completely agnostic of the DHCP process. That's why I'm kind of lost...

The problem is, I observed that I must plug the PC into a non-NACed port before the NACed port.
This observation has led me to a possible "MAC-to-IP resolution" issue but, as you said, I understand that should not be the problem.

Has anyone already encountered this problem and the root cause?

Kind regards,

Stefan_K_
Valued Contributor

@Guilhem_Lejeune wrote:

Hi,

I have a pure theory question here.

It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.

Not really, it's more like a nice-to-have feature, to see the IP of the End-Systems.

What about a new client? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.

MAC to IP resolution cannot be done and... neither can the authentication, right?

Why shouldn't authentication be possible? Authentication shouldn't be based on the IP-Address. 802.1x is recommended, MAC-based is possible... After authentication DHCP is happening and the IP-Address field on NAC will be populated.
