
NAC to Fabric attach ERS 3600 and x435

darvid
New Contributor II

Hi all

I've a strange issue with my settings. When the ERS stack is just starting, all my FA bindings with the x435 are OK, but if I plug in an x435, FA doesn't bind! I must disable EAP and FA on the interface and re-enable them to get it running!

I've these attributes in my NAC policy
Extreme-Dynamic-MHSA=1
FA-CLIENT-TRUST=1

Exos 31.7.1.4 patch1-36
Boss v6.5.4.013

Running-config module fa

! *** Fabric Attach ***
!
fa uplink trunk 1
fa extended-logging
fa zero-touch-option auto-port-mode-fa-client client-type 8
fa zero-touch-option auto-trusted-mode-fa-client client-type 8
i-sid 12020202 vlan 202
! i-sid 12020213 vlan 213 ==> created by FA Client
! i-sid 12020234 vlan 234 ==> created by FA Client
! i-sid 12020500 vlan 500 ==> created by FA Client
! i-sid 12021001 vlan 1001 ==> created by FA Client

Logs

I 3 2022-11-09 18:39:01 GMT+01:00 59 EAP: Authentication mode changed to MHSA No-Limit, port 3/35, MAC 00:04:96:fa:81:00
I 1 2022-11-09 18:39:31 GMT+01:00 289 Fabric Attach: device discovered (Auth Pass - element 8 port 3/35)
I 1 2022-11-09 18:39:01 GMT+01:00 283 Link Up Trap for Unit/Port: 3/35

 

SWITCH-LAB#show fa elements

===============================================================================
Fabric Attach Discovered Elements
===============================================================================
UNIT/         MGMT                                     ELEM ASGN
PORT  TYPE    VLAN STATE SYSTEM ID                     AUTH AUTH
-------------------------------------------------------------------------------
MLT1  Server  202  T / S 02:c0:33:06:04:ff:30:88:00:88 AP   AP
3/35  Client  202  T / D 00:04:96:fa:81:00:00:01:00:0c AP   N

===============================================================================
Fabric Attach Authentication Detail
===============================================================================
UNIT/                ELEM OPER    ASGN OPER
PORT  EXPANDED TYPE  AUTH STATUS  AUTH STATUS
-------------------------------------------------------------------------------
MLT1  Server (Auth)  successAuth  successAuth
3/35  switch         successAuth  none

State Legend: (Tagging/AutoConfig)
T=Tagged, U=UntaggedPvid, O=UntaggedOnly, D=Disabled, S=Spbm, V=Vlan, I=Invalid

Auth Legend:
AP=Authentication Pass, AF=Authentication Fail, NA=Not Authenticated, N=None

-------------------------------------------------------------------------------
2 out of 2 total number of Fabric Attach discovered elements displayed
-------------------------------------------------------------------------------

SWITCH-LAB#show fa ass
SWITCH-LAB#show fa assignment

I-SID    VLAN Source                        Status
-------- ---- ----------------------------- --------
12020202 202  Proxy                         Active
12020213 213  Radius                        Active
12020234 234  Radius                        Active
12020500 500  Radius                        Active
12021001 1001 Radius                        Active

Binding Count: 5

On the x435 side, FA assignments stay "pending"

* X435-LAB.3 # show fabric attach assignments
Fabric Attach Mode: Client
Port    VLAN VLAN Name                        Type    ISID/NSI Status
------- ---- -------------------------------- ------- -------- --------
        202  ADM_MGMT                         Static  12020202 Pending
        1001 TELEPHONIE                       Dynamic 12021001 Pending

 

Thanks in advance

David
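
Added example (not part of the original post and not vendor tooling): a small Python parser for the `show fa elements` rows quoted above that lists FA clients whose element authentication passed while the assignment authentication column is not AP, the state shown for port 3/35. Treating that combination as the sign of a stuck binding is an assumption drawn from this post's output; the function names and the sample block are constructed for illustration.

```python
import re

# Constructed sample: the two element rows from the post's "show fa elements".
SAMPLE = """\
MLT1 Server 202 T / S 02:c0:33:06:04:ff:30:88:00:88 AP AP
3/35 Client 202 T / D 00:04:96:fa:81:00:00:01:00:0c AP N
"""

# One element row: port, type, mgmt VLAN, state (Tagging / AutoConfig),
# 10-byte system ID, element auth, assignment auth. Whitespace-tolerant,
# so it works on aligned CLI output and on space-collapsed copies.
ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+"
    r"(?P<tag>[TUO])\s*/\s*(?P<auto>[DSVI])\s+"
    r"(?P<sysid>(?:[0-9a-f]{2}:){9}[0-9a-f]{2})\s+"
    r"(?P<elem_auth>AP|AF|NA|N)\s+(?P<asgn_auth>AP|AF|NA|N)\s*$",
    re.IGNORECASE,
)


def parse_fa_elements(text):
    """Return one dict per element row; headers, rulers and legends are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW.match(line))]


def stuck_clients(elements):
    """Assumed heuristic: a Client whose element auth is AP but whose
    assignment auth is anything else matches the state of port 3/35."""
    return [
        e for e in elements
        if e["type"].lower() == "client"
        and e["elem_auth"].upper() == "AP"
        and e["asgn_auth"].upper() != "AP"
    ]


if __name__ == "__main__":
    for e in stuck_clients(parse_fa_elements(SAMPLE)):
        print(f"port {e['port']}: element auth {e['elem_auth']}, "
              f"assignment auth {e['asgn_auth']} (system id {e['sysid']})")
```
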

1 ACCEPTED SOLUTION

darvid
New Contributor II

This was finally resolved by removing the attribute Extreme-Dynamic-MHSA=1 from the rule

The switch firmware was updated, but I'm not sure it has an impact

Exos v32.3.1.11
Boss v6.5.5.011


4 REPLIES 4

tv
New Contributor II

Same here. Has anyone found a solution yet?

Rachel69
New Contributor

I'm currently experiencing the exact same thing.

Melli22nger
New Contributor II

I'm having the same problem and unable to find a solution for it.
