NAC reauthentication delayed or failed on EXOS switches

Symptoms
After an end-system (ES) has authenticated (dot1x and/or MAC), three scenarios may follow:
  1. The operator uses NAC Manager or the browser to trigger ES reauthentication.
  2. The ES is assessed, using Assessment either with the NAC profile applied to the ES or with Assessment's own NAC profile.
  3. Based on NAC rules (e.g. LDAP), an ES may have to be reauthenticated a few times so that a new NAC profile is applied to it on the switch.
In each case, if certain conditions are met, reauthentication is delayed by 90 seconds or more (the duration depends on the timers configured on the switch).
If Assessment is expected to start, it fails, whether agent-less or agent-based.
 
Environment
  • XMC/EAC: version 6.3 or higher
  • EXOS: any version using legacy netlogin (OnePolicy is not enabled)
Cause
Where SNMP is the reauthentication mechanism (as it is for EXOS), EAC (NAC) uses two SNMP OIDs for dot1x and MAC reauthentication:
dot1xAuthReauthenticate2=1.0.8802.1.2.1.2.1.2.1.2.<Instance>
extremeMacAuthClientReauthenticate=1.3.6.1.4.1.1916.1.44.1.1.1.3.<Instance>

For any EXOS switch using legacy netlogin to authenticate an ES successfully, the RADIUS attribute that must be returned is Extreme-Netlogin-Extended-VLAN (VSA 211), carrying either a VLAN ID or a VLAN name.
EAC (NAC) has two built-in RADIUS profiles for that purpose, "Extreme NetLogin - VLAN ID" and "Extreme NetLogin - VLAN Name", each with the required VSA 211 defined.
On top of that, each of the two RADIUS profiles has the following attribute defined, amongst others:

Extreme-Security-Profile=%PORT_PROFILE%

This attribute was added to deal with situations where UPM scripting is used in conjunction with netlogin (scripts triggered before and after authentication/reauthentication).

For UPM to succeed when reauthentication is triggered, EAC must use "Initialise" instead of "Reauthenticate" for both OIDs, as follows:
dot1xAuthInitialize2=1.0.8802.1.2.1.2.1.2.1.1.<Instance>
extremeMacAuthClientInitialize=1.3.6.1.4.1.1916.1.44.1.1.1.2.<Instance>
The mere presence of Extreme-Security-Profile as a RADIUS attribute has that effect on EAC, so "Initialise" is used by default whenever those built-in RADIUS profiles are in use.

There are EXOS configurations where UPM scripting is not used in conjunction with netlogin at all. In that case no script is triggered, and sending "Initialise" instead of "Reauthenticate" for those OIDs to an EXOS switch simply wipes out the current netlogin state for the given MAC on the authenticated port. The ES is left in an undefined state (VLAN ID included) until the switch timers kick in and dot1x/MAC authentication starts again. With default timers that delay can be up to 90 seconds.

This delay is long enough to negatively impact any EAC operation that needs to trigger immediate reauthentication of an ES (Assessment is only one example).
 
Resolution
Create new RADIUS profiles for EXOS NetLogin where Extreme-Security-Profile is not present.
Example:

The built-in "Extreme NetLogin - VLAN ID" has the following attributes defined:

Extreme-Netlogin-Extended-Vlan=%VLAN_EGRESS%%VLAN_ID%
Extreme-Security-Profile=%PORT_PROFILE%
Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Extreme-CLI-Authorization=%CLI_AUTH%
Service-Type=%MGMT_SERV_TYPE%

Note the presence of Extreme-Security-Profile above.

Create a new RADIUS profile, called for instance "Extreme NetLogin - VLAN ID - no UPM", and add the following attributes to it:

Extreme-Netlogin-Extended-Vlan=%VLAN_EGRESS%%VLAN_ID%
Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Extreme-CLI-Authorization=%CLI_AUTH%
Service-Type=%MGMT_SERV_TYPE%

Note the absence of Extreme-Security-Profile.

In EAC, apply this RADIUS profile to any existing EXOS switch (via Edit), or associate the new RADIUS profile when adding such a switch to EAC for authentication/authorisation purposes.
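To make the Cause and Resolution sections concrete, here is an added Python example (not part of this article or of EAC) that parses a RADIUS profile's attribute lines, reports which netlogin OIDs EAC would set for it and why, flags the delay condition for a switch without UPM scripts, and derives the "no UPM" profile by dropping Extreme-Security-Profile. The OIDs, attribute names and the built-in profile's lines are those given above; the parsing, the audit wording and the netlogin instance value are assumptions constructed for the example.

```python
# OIDs named in the article; <Instance> is appended per authenticated ES.
REAUTH_OIDS = {
    "dot1x": "1.0.8802.1.2.1.2.1.2.1.2",     # dot1xAuthReauthenticate2
    "mac": "1.3.6.1.4.1.1916.1.44.1.1.1.3",  # extremeMacAuthClientReauthenticate
}
INIT_OIDS = {
    "dot1x": "1.0.8802.1.2.1.2.1.2.1.1",     # dot1xAuthInitialize2
    "mac": "1.3.6.1.4.1.1916.1.44.1.1.1.2",  # extremeMacAuthClientInitialize
}
UPM_TRIGGER_ATTR = "Extreme-Security-Profile"      # its presence makes EAC send Initialize
REQUIRED_ATTR = "Extreme-Netlogin-Extended-Vlan"   # VSA 211, mandatory for legacy netlogin
# Sample input: the built-in "Extreme NetLogin - VLAN ID" profile as listed in the article.
BUILTIN_VLAN_ID = """
Extreme-Netlogin-Extended-Vlan=%VLAN_EGRESS%%VLAN_ID%
Extreme-Security-Profile=%PORT_PROFILE%
Filter-Id=Enterasys:version=1:%MANAGEMENT%policy=%POLICY_NAME%
Extreme-CLI-Authorization=%CLI_AUTH%
Service-Type=%MGMT_SERV_TYPE%
"""

def parse_profile(text):
    """Parse 'Attribute=value' lines into a dict; only the first '=' separates name from value."""
    attrs = {}
    for line in text.strip().splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs

def reauth_method(attrs):
    """EAC behaviour described in the article: Initialize if the trigger attribute is present."""
    return "Initialize" if UPM_TRIGGER_ATTR in attrs else "Reauthenticate"

def reauth_oids(attrs, instance):
    """The two OIDs EAC would set for this profile, with the netlogin instance appended."""
    table = INIT_OIDS if reauth_method(attrs) == "Initialize" else REAUTH_OIDS
    return {auth: f"{oid}.{instance}" for auth, oid in table.items()}

def audit(attrs, upm_used):
    """Findings for an EXOS legacy-netlogin switch; upm_used says whether UPM scripts exist."""
    findings = []
    if REQUIRED_ATTR not in attrs:
        findings.append(f"{REQUIRED_ATTR} (VSA 211) missing: netlogin authentication will fail")
    if UPM_TRIGGER_ATTR in attrs and not upm_used:
        findings.append(f"{UPM_TRIGGER_ATTR} present without UPM: Initialize wipes netlogin "
                        "state, reauthentication delayed up to 90 s with default timers")
    return findings

def without_upm_attribute(attrs):
    """Derive the '- no UPM' profile the article recommends by dropping the trigger attribute."""
    return {name: value for name, value in attrs.items() if name != UPM_TRIGGER_ATTR}
```

Running `audit(parse_profile(BUILTIN_VLAN_ID), upm_used=False)` reproduces the article's finding, and `without_upm_attribute` yields exactly the four attributes of the "- no UPM" profile listed above.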