‎05-05-2022 07:41 AM
I'm a bit confused about why there are no APs displayed in Extreme Control, except for 2 APs. Maybe I am missing something. Here is some basic information for my case.
- 802.1x is enabled on the ports
- when I type "show netlogin" on the switch, the MAC address of the AP is also shown
- the two APs that are displayed are configured the same as the other APs; the only difference is that they are still connected to Enterasys switches and the rest are connected to EXOS devices
- EMC version 8.5.7.28, Extreme Control Engine version 8.5.6.17
Example output of "show netlogin port 1":
Port: 1, State: Enabled, Authentication: 802.1x, mac-based
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
------------------------------------------------
MAC Mode Port Configuration
------------------------------------------------
Re-authentication : Off
Re-authentication period : 3600
Authentication Delay : 0 seconds (Default)
------------------------------------------------
Netlogin Clients
------------------------------------------------
MAC IP address Authenticated Type ReAuth-Timer User
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
xx:xx:xx:xx:xx 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB
If you need any more information just ask.
Thanks in advance.
N. Schmidt
‎05-08-2022 02:50 PM
Hello,
If you do:
show netlogin session port 1
Do you see any netlogin sessions active on the port?
If you disable/enable the port, do you see anything in the "show log" that indicates if RADIUS authentication was successful?
05/08/2022 13:28:24.88 <Info:nl.ClientAuthenticated> Network Login MAC user 000C29B85639 logged in MAC 00:0C:29:B8:56:39 port 2 VLAN(s) "Default" policy "None", authentication Radius
If Control doesn't process the request it will not show up in the end systems tab. You can check the /var/log/radius/radius.log to see if the RADIUS request was dropped because it is not authorized.
You can check the /opt/nac/radius/raddb/clients.conf file to see which switches are authorized.
Switches must exist in the "Switches" tab to be considered authorized and Control will drop any RADIUS request from unauthorized switches.
Thanks
-Ryan
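The cross-check described in the reply above, between requests dropped in radius.log and the switches listed in clients.conf, as an added example that is not part of the thread or Extreme's own tooling. It assumes both files use FreeRADIUS syntax, the FreeRADIUS "unknown client" log wording, and that each client block carries an ipaddr line; all sample data is constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed samples in FreeRADIUS syntax (an assumption about the engine's
# files); every address, name and timestamp below is made up.
CLIENTS_CONF = """
client exos-sw1 {
    ipaddr = 10.10.1.5
    secret = PLACEHOLDER
}
client access-block {
    ipaddr = 10.20.0.0/24
    secret = PLACEHOLDER
}
"""
DROP = ("Error: Ignoring request to auth address * port 1812 bound to server "
        "default from unknown client {} port 51234 proto udp")
RADIUS_LOG = "\n".join(
    f"Sun May  8 13:29:0{i} 2022 : " + DROP.format(ip)
    for i, ip in enumerate(["10.30.1.7", "10.30.1.7", "10.20.0.9"]))

# Commented-out lines start with '#', so they never match CLIENT_ADDR.
CLIENT_ADDR = re.compile(r"^\s*(?:ipaddr|ipv4addr|ipv6addr)\s*=\s*(\S+)", re.M)
UNKNOWN = re.compile(r"from unknown client (\S+) port \d+")

def authorized_networks(conf_text):
    """Return each ipaddr/ipv4addr/ipv6addr entry as an ip_network."""
    nets = []
    for value in CLIENT_ADDR.findall(conf_text):
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            pass  # hostname entry: cannot be matched by address here
    return nets

def triage(conf_text, log_text):
    """Map each dropped source IP to (drop count, listed in clients.conf?)."""
    nets = authorized_networks(conf_text)
    drops = Counter(UNKNOWN.findall(log_text))
    return {src: (n, any(ipaddress.ip_address(src) in net for net in nets))
            for src, n in drops.items()}

if __name__ == "__main__":
    for src, (n, listed) in triage(CLIENTS_CONF, RADIUS_LOG).items():
        note = "listed now: reload pending?" if listed else "not in clients.conf"
        print(f"{src}: {n} dropped request(s), {note}")
```

A source that was dropped but is listed in clients.conf points at a switch that was added after the drop or a RADIUS service that has not picked up the change; a source that is not listed still has to be added under the "Switches" tab.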
‎05-11-2022 03:19 AM
Here is an update and the solution to the problem.
I got the following error message in the logs:
Mac authentication was initiated, but mac-list for virtual router for VR is empty
I fixed it with the following instructions:
https://extremeportal.force.com/ExtrArticleDetail?an=000061757
@Ryan: Thanks again for the hint.
Many greetings
