This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Auto-sense Fabric Attach AP ports doing NEAP authentication on wifi clients

Auto-sense Fabric Attach AP ports doing NEAP authentication on wifi clients

James_A
Valued Contributor

‎04-20-2023 12:40 AM

I have an XIQ AP410C connected to a 5420 running Fabric Engine with auto-sense enabled. Fabric Attach is working fine, and the AP is also put onto the right VLAN and authenticated. The AP drops the clients onto the correct I-SID via FA, but the switch is also doing NEAP authentication (MAC auth) on the clients too. This causes duplicate entries in the end-system events, but more importantly it means I'm hitting the eapol multihost limits, which are 2 for mac-max, eap-mac-max and neap-mac-max by default. I found this post on MHSA for ERS and AP Aware for EXOS but there's nothing similar for for VOSS as far I know. I know I could turn off auto-sense or increase mac-max and neap-mac-max on the AP ports, but is there a way where I don't have to do manual config for AP ports?

0 Kudos
5 REPLIES 5

Ludovico_Steven
Extreme Employee

‎04-21-2023 06:06 AM

The Extreme-Dynamic-MHSA VSA was originally introduced on VOSS 8.3.

It was later also ported to ERS4900 7.9.1 and ERS3600 6.5.3

0 Kudos

Ludovico_Steven
Extreme Employee

‎04-20-2023 05:57 AM

When you NEAP authenticate the AP initially, you must send back RADIUS VSA: Extreme-Dynamic-MHSA=1

This will turn the 5420 access port into MHSA mode (Multiple Host Single Authentication) and will not trigger any further RADIUS authentications on that port for additional (wireless) MACs seen arriving on it.

0 Kudos

James_A
Valued Contributor
In response to Ludovico_Steven

‎04-20-2023 08:30 AM

OK excellent, I wasn't sure if Extreme-Dynamic-MHSA was supported on VOSS as well. I've added that to my NAC policy and I think it's working. The PRI column in show eapol sessions neap has changed from 0 to 1, is there anything else I should look for? I'll check in the office in the morning.

It'd be nice to set this on the switch, perhaps an extension to auto-sense fa wap-type1 eapol status that sets MHSA too. I'll make a feature request for it.

0 Kudos

James_A
Valued Contributor
In response to James_A

‎03-04-2024 11:05 PM

So thanks past me, the only thing I forgot was to configure my custom RADIUS attribute configuration which has Extreme-Dynamic-MHSA=%LOGIN_LAT_PORT% in NAC for any new switches I deploy.

Here's how to check it's working https://extreme-networks.my.site.com/ExtrArticleDetail?an=000111025

0 Kudos
GTM-P2G8KFN