
No APs are displayed in NAC Extreme Control


DeoHeo
New Contributor III
Hello Community,
I'm a bit confused about why there are no APs displayed in Extreme Control, except for 2 APs. Maybe I am missing something. Here is some basic information for my case.

- 802.1x is enabled on the ports
- when I type "show netlogin" on the switch, the MAC address of the AP is also shown
- the two APs that are displayed are configured the same as the other APs; the only difference is that they are still connected to Enterasys switches and the rest are connected to EXOS devices
- EMC version 8.5.7.28 Extreme Control Engine version 8.5.6.17

Example output of "show netlogin port 1":

Port: 1, State: Enabled, Authentication: 802.1x, mac-based
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication : Off
Re-authentication period : 3600
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------

MAC IP address Authenticated Type ReAuth-Timer User
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

If you need any more information just ask.

Thanks in advance.
N. Schmidt
1 ACCEPTED SOLUTION

Ryan_Yacobucci
Valued Contributor

Hello,

If you do: 

show netlogin session port 1

Do you see any netlogin sessions active on the port?


If you disable/enable the port, do you see anything in the "show log" that indicates if RADIUS authentication was successful?

05/08/2022 13:28:24.88 <Info:nl.ClientAuthenticated> Network Login MAC user 000C29B85639 logged in MAC 00:0C:29:B8:56:39 port 2 VLAN(s) "Default" policy "None", authentication Radius



If Control doesn't process the request it will not show up in the end systems tab. You can check the /var/log/radius/radius.log to see if the RADIUS request was dropped because it is not authorized. 

You can check the /opt/nac/radius/raddb/clients.conf file to see which switches are authorized. 

Switches must exist in the "Switches" tab to be considered authorized and Control will drop any RADIUS request from unauthorized switches.

Thanks
-Ryan
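
The radius.log and clients.conf checks described in the answer above, sketched as an added example that is not part of the original thread or Extreme's own tooling. It assumes both files follow stock FreeRADIUS syntax and log wording; the sample file contents, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample data (not from the thread); assumes stock FreeRADIUS syntax.
SAMPLE_CLIENTS_CONF = """\
client 10.10.1.11 {
    secret = REDACTED
}
client exos-block {
    ipaddr = 10.10.2.0/28
    secret = REDACTED
}
"""
SAMPLE_RADIUS_LOG = """\
Mon Aug  8 13:28:20 2022 : Error: Ignoring request to auth address * port 1812 from unknown client 10.10.3.21 port 40112 proto udp
Mon Aug  8 13:28:24 2022 : Auth: Login OK: [000C29B85639] (from client enterasys-sw1 port 2)
Mon Aug  8 13:28:50 2022 : Error: Ignoring request to auth address * port 1812 from unknown client 10.10.3.21 port 40112 proto udp
Mon Aug  8 13:29:02 2022 : Error: Ignoring request to auth address * port 1812 from unknown client 10.10.2.5 port 51200 proto udp
"""

CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{", re.M)
IPADDR_RE = re.compile(r"^\s*ipaddr\s*=\s*(\S+)", re.M)
UNKNOWN_RE = re.compile(r"from unknown client (\S+) port")

def authorized_networks(conf_text):
    """Collect every address or subnet that clients.conf accepts as a NAS."""
    nets = []
    for token in CLIENT_RE.findall(conf_text) + IPADDR_RE.findall(conf_text):
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # a client label such as "exos-block", not an address
    return nets

def dropped_sources(log_text):
    """Count RADIUS requests the server ignored, keyed by source address."""
    return Counter(UNKNOWN_RE.findall(log_text))

def triage(log_text, conf_text):
    """Map each dropped source to (drop count, covered by clients.conf now?)."""
    nets = authorized_networks(conf_text)
    return {ip: (n, any(ipaddress.ip_address(ip) in net for net in nets))
            for ip, n in dropped_sources(log_text).items()}

if __name__ == "__main__":
    for ip, (count, covered) in sorted(triage(SAMPLE_RADIUS_LOG, SAMPLE_CLIENTS_CONF).items()):
        state = "covered by clients.conf now" if covered else "not in clients.conf"
        print(f"{ip}: {count} dropped request(s), {state}")
```

On an engine, pass the contents of /var/log/radius/radius.log and /opt/nac/radius/raddb/clients.conf to `triage()` instead of the sample strings. A source reported as not in clients.conf is a switch that still has to be added under the "Switches" tab.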


3 REPLIES

DeoHeo
New Contributor III
Hello all,
here is an update and the solution to the problem.

I got the following error message in the logs:

Mac authentication was initiated, but mac-list for virtual router for VR is empty

I fixed it with the following instructions:

https://extremeportal.force.com/ExtrArticleDetail?an=000061757

@Ryan: Thanks again for the hint.

Many greetings

DeoHeo
New Contributor III
Thanks for the quick reply. I will look into it at my leisure.

