09-30-2024 05:45 AM
Hi,
I have a pure theory question here.
It seems that MAC to IP resolution is mandatory to make ExtremeControl work properly.
The most popular technique is to relay DHCP messages toward ExtremeControl and that is what I use in production.
What about a new client? It has never been seen on the network so its hypothetical IP address is not known. Or, the lease is expired.
MAC to IP resolution cannot be done and... neither can the authentication, right?
I have this exact use case in production. We have to plug the PC in non-NACed port in order to get through the whole DHCP process. Then, the PC is plugged in the NAC port and it works.
If we plugged the PC in the NACed port first, it does not work.
Kind regards,
10-17-2024 11:11 PM
Hi,
The first rule I must match is down below. It's for host authentication (username field is used).
Here are some anonymized screenshots:
I have also noticed that reverse DNS lookup doesn't work well so we are working on it.
For information, I'm trying to reproduce this configuration: Solved: Re: EAC - domain user over domain computer - Extreme Networks - 93807 because I'm exactly in the same case (PEAP with host and user authentication).
10-19-2024 12:15 AM
If PEAP or EAP-TLS is used then you should have the name of the computer in USERname. That means you should use the USERgroup test. A hostname-based end-system group requires the hostname resolution to be working.
If you want to check LDAP for the computer membership then you can:
1. define LDAP for computers:
2. define AAA rule for computers:
3. user the user rule with memberof
10-19-2024 11:31 AM
Hi,
Thank you for your reply !
We use 802.1x PEAP MsCHAPv2 😉
We have a similar configuration except for the usergroup.
You use an attribute value "host/*" where we use "objectCategory" as attribute name and "CN=[...],CN=[...],[...],DC=[...],DC=[...]" as attribute value as shown on a previous screenshot.
I made a test by clicking "Attribute Lookup..." and by filling in an existing host with the format "host/[...]".
I do have a positive result.
So I think the configuration is alright.
What I did not understand very well is your last sentence: "user the user rule with memberof".
Could you please tell me more?
In the meantime, we are still investigating the possible DNS reverse resolution issue.
Kind regards
10-20-2024 12:21 AM
Hi,
The autocorrect has changed "use the user rule with memberof" to "user...". The most common criteria is "memberOf" but "objectCategory" should work also.
I recommend checking the format of the username with the LDAP search. Also, the Configuration Evaluation tool can help a lot.
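To make the two points above concrete (the "host/..." username that PEAP machine authentication presents, and a user-group rule tested with "memberOf" or "objectCategory"), here is an added worked example that is not part of the thread or of ExtremeControl. It assumes the usual Active Directory convention that a computer account's sAMAccountName is the upper-case NetBIOS name followed by "$", and it evaluates the rule offline against a small constructed directory instead of a live LDAP server.

```python
import re

# Constructed sample directory entries (not data from the thread), keyed by
# the AD sAMAccountName of the computer account.
SAMPLE_DIRECTORY = {
    "WS-LAB-01$": {
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local",
        "memberOf": ["CN=NAC-Computers,OU=Groups,DC=example,DC=local"],
    },
    "KIOSK-3$": {
        "objectCategory": "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=local",
        "memberOf": [],
    },
}


def computer_account(username):
    """Turn a machine-auth User-Name such as 'host/ws-lab-01.example.local'
    into the assumed AD account name 'WS-LAB-01$'; returns None for a user logon."""
    m = re.fullmatch(r"host/([^./]+)(?:\.[^/]*)?", username, re.IGNORECASE)
    return m.group(1).upper() + "$" if m else None


def ldap_filter(account, attribute, value):
    """The search a user-group rule would issue: the account plus one criterion."""
    return f"(&(sAMAccountName={account})({attribute}={value}))"


def rule_matches(username, attribute, value, directory=SAMPLE_DIRECTORY):
    """Evaluate one criterion offline. memberOf is multi-valued and
    objectCategory single-valued; both are compared as full DNs, case-insensitively."""
    account = computer_account(username)
    if account is None or account not in directory:
        return False
    attr = directory[account].get(attribute)
    if isinstance(attr, list):
        return value.lower() in (v.lower() for v in attr)
    return attr is not None and attr.lower() == value.lower()


if __name__ == "__main__":
    group = "CN=NAC-Computers,OU=Groups,DC=example,DC=local"
    for name in ("host/ws-lab-01.example.local", "host/kiosk-3", "jdoe"):
        print(name, "->", computer_account(name), rule_matches(name, "memberOf", group))
```

A user logon such as "jdoe" never matches the computer rule, which is why the host rule must be evaluated before the user rule when both PEAP phases are in use.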