This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

NAC silent devices with EXOS and VOSS

NAC silent devices with EXOS and VOSS

Go to solution
Lukas99
New Contributor

‎07-03-2025 06:27 AM

Hi,

in our network, we have “silent devices” such as label printers and VoIP phones. These devices are physically connected to the network but do not initiate any active communication. They are intended to be authenticated via NAC.

However, after some time, they become unreachable, as the system considers them "offline"—even though the corresponding port remains active. In this state, the device can no longer be accessed.

As soon as we manually assign a static VLAN to the port, the device starts working properly again.

We are using both EXOS and VOSS. The reauthentication timer is set to 8 hours.

For EXOS, we tried to resolve the issue by setting idle-timeout 0 via NAC, but unfortunately, this did not solve the problem.

Has anyone encountered similar behavior or found a solution?

Thanks

0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
Chris_H
Extreme Employee

‎07-04-2025 05:27 AM

The problem here is most of the time the timeout of the FDB entry. 

If you haven't done so, you can check the following kb article with some options: https://extreme-networks.my.site.com/ExtrArticleDetail?an=000057116

View solution in original post

0 Kudos

Go to solution
rmu
Contributor

‎07-04-2025 06:24 AM

hi

you need to set the session-timeout to 0.

Try to send theses attributes in the radius accept:

Session-Timeout=0

Idle-Timeout=0

 

NR

rmu

 

View solution in original post

6 REPLIES 6

Go to solution
WillyHe
Contributor II
In response to Chris_H

‎07-07-2025 03:15 AM

Default FDB time-out is 300 sec or 6 min.
Default ARP time-out is 6 hours or 21.600 sec.

Can it help to

  • Make the FDB time-out e.g. 21.700 seconds?
    (is a common setting, applied on all VLAN's).
  • Change both to e.g. ARP 1 hour and FDB 3.660 sec.

regards
WillyHe

0 Kudos

Go to solution
WillyHe
Contributor II
In response to WillyHe

‎07-07-2025 05:25 AM

Some background for this idea.

In the past (suppose it is still the case) when on a L3 interface (VLAN or PORT) a MAC address entry aged, before removing the MAC address and ARP entry from the tables, a ARP request (RE-ARP) was send.
In some network setups, it was then advised to make the FDB time-out few seconds higher then the ARP time-out.

regards
WillyHe

0 Kudos
GTM-P2G8KFN