
5420F and macmon

FranzR
New Contributor
Dear community,

We have one problem with our new switches from Extreme and macmon NAC. None of the new switches show the correct 802.1X status in macmon. They show "unauthorized" although they are authorized. It seems as if the 802.1X MAC bypass isn't correct. The 802.1X RADIUS looks good.

Any idea? Any experiences with this topic?

Thanks and kind regards

Franz
15 REPLIES

FranzR
New Contributor
OK, I asked the macmon support too. They answered:

The manufacturer probably does not implement a MAC bypass authentication as a RADIUS status and only sets the status correctly for a pure RADIUS (certificate or user/host) authentication.
You should ask the manufacturer about this.
Is there a MIB table in EXOS which shows the status of the MAC auth session? Possibly macmon can implement this MIB table entry as an additional column.

OscarK
Extreme Employee
So this is an EXOS switch; if a MAC authentication happens, it will also try a dot1x authentication. If there is a device behind it that does not do dot1x, it will show this log entry, and "show netlogin session" will show a successful MAC auth session and a failed dot1x session.
This is normal behavior for EXOS.

FranzR
New Contributor
This is a log from yesterday with a printer on the port:

08/01/2022 12:08:14.14 <Noti:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user Mac 17:22:c7:12:ea:bd port 3
08/01/2022 12:08:14.14 <Noti:nl.Dot1xClientAuthFail> Authentication failed for Network Login 802.1x user Mac 17:22:c7:12:ea:bd port 3 because either the supplicant does not support dot1X or the supplicant has not responded to the EAPOL PDUs.

Stefan_K_
Valued Contributor
Okay, that's strange. Is 802.1x configured on those 4950GTS (they are Avaya btw)? Maybe the clients only do MAC-Auth there?
What does "show log" display when you connect the client on the 5420?

Kind regards
Stefan

FranzR
New Contributor
OK, I understand and it sounds logical.

But we have exactly the same end systems on older Extreme switches, e.g. 4950GTS (I think this is EOS), and this works fine. macmon shows the correct status. So I think this is not a client problem.