XNV and MLAG
Starting with ExtremeXOS 15.7 as part of Extreme Management Center NAC integration, as long as MLAG peers have ISC connectivity, only one of the MLAG peers authenticates a VM that is learned on an MLAG port.
- When ISC connectivity between the MLAG peers is established, the peer with the highest IP address is chosen to be the authenticator. This peer will authenticate a VM based on the chosen authentication method.
- The result of the authentication is checkpointed by the authenticator to its peer so that the same VPP gets applied to the VM on both peers.
- When the MLAG peer that is the authenticator goes down, the other peer detects that the authenticator is down and re-authenticates the VM at the next authentication interval. Note that the peer that takes over as the authenticator does not re-authenticate the VMs immediately but waits for the re-authentication timer to expire.
- VMs learned on non-MLAG ports are authenticated by the detecting peer.
- All authentication-related configurations like RADIUS address, repository for VMMAP, local DB, etc. must be identical on both peers. This is an existing requirement and there is no change to this requirement.