When using MAC and 802.1x with policy the 802.1x user can't communicate in EXOS 22.5.

Symptoms
After upgrading to EXOS 22.5, you may see that an 802.1x supplicant cannot communicate on its authenticated VLAN when MAC authentication is also enabled on the same port.
Environment
  • EXOS 22.5
  • OnePolicy
  • Policy
  • Netlogin
  • NAC
  • 802.1x (dot1x)
  • Extreme Access Control
  • XMC
Cause
This issue is caused by a bug in EXOS 22.5.  It occurs when both a MAC authentication and a dot1x authentication succeed for the same device, and the MAC authentication is applied to the port even though its "Session applied" flag is false.  The configuration and authentication status below reproduce the issue.  Note that in this case the MAC authentication is assigned a different policy profile, and therefore a different VLAN, than the dot1x authentication.

EXOS config:
#VLAN Config
create vlan "Corp" tag 2
create vlan "Unregistered" tag 100
conf vlan Corp add port 5 untagged

#Policy Config
configure policy profile 1 name "Corp" pvid-status "enable" pvid 4095
configure policy profile 2 name "Unregistered" pvid-status "enable" pvid 100 untagged-vlans 100
enable policy

#Netlogin config
enable netlogin dot1x mac 
enable netlogin ports 5 mac dot1x
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48


#NAC and RADIUS configuration that produces the following output in show netlogin session

Switch# show netlogin session port 5
Multiple authentication session entries
---------------------------------------

Port            : 5           Station address   : b8:ac:6f:35:88:1f 
Auth status     : success     Last attempt      : Wed Aug 22 12:39:36 2018      
Agent type      : dot1x       Session applied   : true
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 1           Policy name       : Corp (active)
Session timeout : 0           Session duration  : 1:05:23                       
Idle timeout    : 0           Idle time         : 0:00:00                       
Auth-Override   : disabled    Termination time  : Not Terminated


Port            : 5           Station address   : b8:ac:6f:35:88:1f 
Auth status     : success     Last attempt      : Wed Aug 22 12:39:36 2018      
Agent type      : mac         Session applied   : false
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 2           Policy name       : Unregistered (active)
Session timeout : 0           Session duration  : 1:05:23                       
Idle timeout    : 300         Idle time         : 0:00:00                       
Auth-Override   : disabled    Termination time  : Not Terminated

You can confirm that you are hitting this issue with the command below.  If the PVID shown is not the VLAN you expect the supplicant to be on, you are running into this issue.
 
Switch# debug policy show port 5 pvid
DEBUG: portInst:65541  port:1:5  PPRI:0 PVID:4095
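The following Python script is an added example, not part of the original article and not an Extreme Networks tool. It automates the two checks above: it parses the text of "show netlogin session port <n>" and of "debug policy show port <n> pvid", flags a station that holds both a dot1x session and a mac session on different policy profiles (reporting which of the two is applied), and reports whether the port PVID matches the VLAN the supplicant should be on. The sample output is constructed from the article; the expected VLAN of 2 is an assumption taken from the config above (port 5 is untagged in Corp, tag 2).

```python
"""Detect the EXOS 22.5 MAC + 802.1x policy conflict from CLI output.

Added example: parses "show netlogin session" and "debug policy show ... pvid"
text copied from the switch and flags the condition described in the article.
"""
import re
from collections import defaultdict

# Constructed sample: the two session entries shown in the article.
NETLOGIN_OUTPUT = """\
Multiple authentication session entries
---------------------------------------

Port            : 5           Station address   : b8:ac:6f:35:88:1f
Auth status     : success     Last attempt      : Wed Aug 22 12:39:36 2018
Agent type      : dot1x       Session applied   : true
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 1           Policy name       : Corp (active)
Session timeout : 0           Session duration  : 1:05:23
Idle timeout    : 0           Idle time         : 0:00:00
Auth-Override   : disabled    Termination time  : Not Terminated


Port            : 5           Station address   : b8:ac:6f:35:88:1f
Auth status     : success     Last attempt      : Wed Aug 22 12:39:36 2018
Agent type      : mac         Session applied   : false
Server type     : radius      VLAN-Tunnel-Attr  : None
Policy index    : 2           Policy name       : Unregistered (active)
Session timeout : 0           Session duration  : 1:05:23
Idle timeout    : 300         Idle time         : 0:00:00
Auth-Override   : disabled    Termination time  : Not Terminated
"""

# Constructed sample: the debug line shown in the article.
DEBUG_PVID_OUTPUT = "DEBUG: portInst:65541  port:1:5  PPRI:0 PVID:4095"

# Assumption: the supplicant belongs in VLAN Corp (tag 2), the untagged VLAN of port 5.
EXPECTED_VLAN = 2

# A field is "<Key> : <value>"; two fields share one line separated by 2+ spaces.
# Keys contain only letters, spaces and hyphens, and the colon after a key is
# followed by whitespace, so MAC addresses and clock values are not split.
_FIELD = re.compile(
    r"([A-Za-z][A-Za-z \-]*?)\s*:\s+(.*?)(?=\s{2,}[A-Za-z][A-Za-z \-]*?\s*:\s|\s*$)"
)
_PVID = re.compile(r"\bPVID:(\d+)")


def parse_sessions(text):
    """Return one dict per session entry; a 'Port' field starts a new entry."""
    sessions, current = [], None
    for line in text.splitlines():
        for key, value in _FIELD.findall(line):
            if key == "Port":
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value.strip()
    return sessions


def find_policy_conflicts(sessions):
    """Flag each (port, MAC) that has both a dot1x and a mac session whose
    policy indexes differ, the situation shown in the article."""
    by_station = defaultdict(list)
    for s in sessions:
        by_station[(s.get("Port"), s.get("Station address"))].append(s)
    findings = []
    for (port, mac), group in sorted(by_station.items()):
        by_agent = {s.get("Agent type"): s for s in group}
        dot1x, macauth = by_agent.get("dot1x"), by_agent.get("mac")
        if not (dot1x and macauth):
            continue
        if dot1x.get("Policy index") == macauth.get("Policy index"):
            continue  # same profile on both sessions: no VLAN disagreement
        findings.append({
            "port": port,
            "mac": mac,
            "dot1x_policy": dot1x.get("Policy name"),
            "dot1x_applied": dot1x.get("Session applied") == "true",
            "mac_policy": macauth.get("Policy name"),
            "mac_applied": macauth.get("Session applied") == "true",
        })
    return findings


def pvid_mismatch(debug_output, expected_vlan):
    """Return (pvid, mismatch) from 'debug policy show port <n> pvid' output;
    mismatch is True when the port PVID is not the VLAN the supplicant should be on."""
    m = _PVID.search(debug_output)
    if not m:
        raise ValueError("no PVID field in debug output")
    pvid = int(m.group(1))
    return pvid, pvid != expected_vlan


if __name__ == "__main__":
    for f in find_policy_conflicts(parse_sessions(NETLOGIN_OUTPUT)):
        print("port %s station %s: dot1x=%s (applied=%s) mac=%s (applied=%s)" % (
            f["port"], f["mac"], f["dot1x_policy"], f["dot1x_applied"],
            f["mac_policy"], f["mac_applied"]))
    pvid, bad = pvid_mismatch(DEBUG_PVID_OUTPUT, EXPECTED_VLAN)
    print("port PVID %d, expected %d: %s" % (pvid, EXPECTED_VLAN,
                                            "MISMATCH" if bad else "ok"))
```

Paste the real CLI output in place of the constructed samples and adjust EXPECTED_VLAN to the VLAN the dot1x policy is meant to place the supplicant in. A station reported with a different profile on its dot1x and mac sessions, together with a PVID mismatch, matches the condition this article describes; a station with the same profile on both sessions is skipped because the two sessions cannot disagree on the VLAN.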

 
Resolution
Downgrade to EXOS 22.4, or upgrade to EXOS 22.6 when it becomes available.