VM Authentication Process
- NMS server authentication.
- Network authentication using a downloaded authentication database stored in the VMMAP file.
- Local authentication using a local database created with ExtremeXOS CLI commands.
The default VM authentication configuration uses all three methods in the following sequence: NMS server (first choice), network-based VMMAP file (second choice), and finally, local database. If a service is not available, the switch tries the next authentication service in the sequence.
NMS Server Authentication
When an Access-Accept packet is received with an NVPP specified, the policies are applied on the VM-enabled port.
When an Access-Accept packet is received and no NVPP is specified, the port is authenticated and no policy is applied to the port.
When an Access-Reject packet is received, the port is unauthenticated and no policy is applied.
When an Access-Reject packet indicates that the NMS server timed out or is not reachable, the switch tries to authenticate the VM MAC address based on the next authentication method configured, which can be either network authentication or local authentication.
- VM IP address
- VPP configured for the VM
An Access-Reject packet contains no VSA.
Network (VMMAP) Authentication
If network (VMMAP) authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the VMMAP file to authenticate the VM and applies the appropriate VPP.
Local Authentication
If local authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the local database to authenticate the VM and applies the appropriate VPP.
If all configured authentication methods fail, EMS messages are logged and no VPP is applied.
- Fix the authentication process that failed. Look for misconfiguration or down segments.
- Configure UPM to take action on the related EMS message.
- If one or two authentication methods are configured, configure additional authentication methods.
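The fallback sequence described above, modeled as an added Python example (not ExtremeXOS code or output). The dictionaries, MAC addresses and policy names are constructed, and treating a MAC missing from the VMMAP file or local database as a failed method that moves on to the next one is an assumption.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"  # VM MAC authenticated
    REJECT = "reject"  # definitive Access-Reject from the NMS server
    NEXT = "next"      # method failed or unavailable: try the next one

DEFAULT_ORDER = ("nms", "vmmap", "local")  # default sequence from the text

def nms_lookup(mac, nms):
    # nms is None when the server timed out or is unreachable;
    # otherwise a dict mapping VM MAC -> NVPP name (None = no NVPP returned).
    if nms is None:
        return Result.NEXT, None
    if mac not in nms:
        return Result.REJECT, None
    return Result.ACCEPT, nms[mac]

def db_lookup(mac, db):
    # VMMAP file or local database as a dict mapping VM MAC -> VPP name.
    # Assumption: a missing database or MAC entry counts as a failed method.
    if db is None or mac not in db:
        return Result.NEXT, None
    return Result.ACCEPT, db[mac]

def authenticate(mac, nms, vmmap, local, order=DEFAULT_ORDER):
    """Return (authenticated, policy, deciding_method, trace)."""
    sources = {"nms": (nms_lookup, nms), "vmmap": (db_lookup, vmmap),
               "local": (db_lookup, local)}
    trace = []
    for method in order:
        lookup, data = sources[method]
        result, policy = lookup(mac, data)
        trace.append(f"{method}:{result.value}")
        if result is Result.ACCEPT:
            return True, policy, method, trace
        if result is Result.REJECT:
            return False, None, method, trace
    trace.append("EMS: all configured methods failed, no VPP applied")
    return False, None, None, trace

# Constructed sample data (not from a real switch).
NMS = {"00:11:22:33:44:01": "nvpp-web", "00:11:22:33:44:02": None}
VMMAP = {"00:11:22:33:44:03": "vpp-db"}
LOCAL = {"00:11:22:33:44:04": "vpp-local"}

if __name__ == "__main__":
    for mac in sorted({*NMS, *VMMAP, *LOCAL, "00:11:22:33:44:99"}):
        print(mac, "NMS up  ", authenticate(mac, NMS, VMMAP, LOCAL))
        print(mac, "NMS down", authenticate(mac, None, VMMAP, LOCAL))
```

The trace shows which database decided the outcome: a MAC the NMS server rejects while reachable can still be authenticated from the VMMAP file or local database when the server is down, so those fallback databases need the same review as the NMS entries.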
Duplicate VM MAC Detected
Each VM MAC must be unique. If duplicate MAC addresses are detected on the switch, whether on the same VLAN or different VLANs, the switch supports only the last MAC detected.