Auto-sense Fabric Attach AP ports doing NEAP authentication on wifi clients

James_A
Valued Contributor

I have an XIQ AP410C connected to a 5420 running Fabric Engine with auto-sense enabled. Fabric Attach is working fine, and the AP is also put onto the right VLAN and authenticated. The AP drops the clients onto the correct I-SID via FA, but the switch is also doing NEAP authentication (MAC auth) on the clients too. This causes duplicate entries in the end-system events, but more importantly it means I'm hitting the eapol multihost limits, which are 2 for mac-max, eap-mac-max and neap-mac-max by default. I found this post on MHSA for ERS and AP Aware for EXOS, but there's nothing similar for VOSS as far as I know. I know I could turn off auto-sense or increase mac-max and neap-mac-max on the AP ports, but is there a way where I don't have to do manual config for AP ports?

5 REPLIES

Ludovico_Steven
Extreme Employee

The Extreme-Dynamic-MHSA VSA was originally introduced on VOSS 8.3.

It was later also ported to ERS4900 7.9.1 and ERS3600 6.5.3.

Ludovico_Steven
Extreme Employee

When you NEAP authenticate the AP initially, you must send back RADIUS VSA: Extreme-Dynamic-MHSA=1

This will turn the 5420 access port into MHSA mode (Multiple Host Single Authentication) and will not trigger any further RADIUS authentications on that port for additional (wireless) MACs seen arriving on it.

OK, excellent. I wasn't sure if Extreme-Dynamic-MHSA was supported on VOSS as well. I've added that to my NAC policy and I think it's working. The PRI column in show eapol sessions neap has changed from 0 to 1; is there anything else I should look for? I'll check in the office in the morning.

It'd be nice to set this on the switch, perhaps an extension to auto-sense fa wap-type1 eapol status that sets MHSA too. I'll make a feature request for it.

James_A
Valued Contributor

So thanks, past me. The only thing I forgot was to configure my custom RADIUS attribute configuration, which has Extreme-Dynamic-MHSA=%LOGIN_LAT_PORT% in NAC, for any new switches I deploy.

Here's how to check it's working https://extreme-networks.my.site.com/ExtrArticleDetail?an=000111025
