VM Authentication Process

The XNV feature supports three methods of authentication:
  • NMS server authentication
  • Network (VMMAP) authentication
  • Local authentication

The default VM authentication configuration uses all three methods in the following sequence: NMS server (first choice), network-based VMMAP file (second choice), and finally, local database. If a service is not available, the switch tries the next authentication service in the sequence.

NMS Server Authentication

If NMS server authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the software sends an Access-Request to the configured NMS server for authentication. When the switch receives a response, the switch does one of the following:
  • When an Access-Accept packet is received with an NVPP specified, the policies are applied on the VM-enabled port.

  • When an Access-Accept packet is received and no NVPP is specified, the port is authenticated and no policy is applied to the port.

  • When an Access-Reject packet is received, the port is unauthenticated and no policy is applied.

  • When an Access-Reject packet indicates that the NMS server timed out or is not reachable, the switch tries to authenticate the VM MAC address based on the next authentication method configured, which can be either network authentication or local authentication.

The Access-Accept packet from the NMS server can include the following Vendor Specific Attributes (VSAs):
  • VM name

  • VM IP address

  • VPP configured for the VM

An Access-Reject packet contains no VSA.

Network (VMMAP) Authentication

If network (VMMAP) authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the VMMAP file to authenticate the VM and applies the appropriate VPP.

Local Authentication

If local authentication is enabled and a VM MAC address is detected on a VM-tracking enabled port, the switch uses the local database to authenticate the VM and apply the appropriate VPP.

Authentication Failure

If all configured authentication methods fail, EMS messages are logged and no VPP is applied.

Possible remedies include:
  • Fix the authentication process that failed. Look for misconfiguration or down segments.
  • Configure UPM to take action on the related EMS message.
  • If one or two authentication methods are configured, configure additional authentication methods.
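
The fallback sequence described above, modelled in Python as an added example (not Extreme Networks code or switch configuration). The function names, MAC addresses and VPP names are constructed, and treating a MAC that is absent from a reachable VMMAP file or local database as a reject is an assumption the page does not state.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Outcome(Enum):
    ACCEPT = 1
    REJECT = 2
    UNAVAILABLE = 3  # service timed out, unreachable or otherwise not available

@dataclass
class Result:
    outcome: Outcome
    vpp: Optional[str] = None  # VPP/NVPP name returned with an accept, if any

def authenticate(mac, methods):
    """Try (name, method) pairs in order; return (state, vpp, decided_by, log)."""
    log = []
    for name, method in methods:
        res = method(mac)
        if res.outcome is Outcome.UNAVAILABLE:
            log.append(f"{name}: not available, trying next method")
            continue  # only unavailability falls through to the next method
        if res.outcome is Outcome.ACCEPT:
            log.append(f"{name}: accept, vpp={res.vpp}")
            return "authenticated", res.vpp, name, log
        log.append(f"{name}: reject, no policy applied")
        return "unauthenticated", None, name, log  # an explicit reject is final
    log.append("all methods failed: EMS message logged, no VPP applied")
    return "unauthenticated", None, None, log

def table_method(table):
    """Constructed stand-in for an NMS, VMMAP file or local database lookup.
    Assumption: a MAC absent from a reachable table counts as a reject."""
    def lookup(mac):
        if mac in table:
            return Result(Outcome.ACCEPT, table[mac])
        return Result(Outcome.REJECT)
    return lookup

def unavailable(mac):
    return Result(Outcome.UNAVAILABLE)

# Constructed sample data (documentation MAC range, made-up VPP names).
VM1, VM2 = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
NMS = table_method({VM1: "nvpp-web", VM2: None})  # VM2: accept with no NVPP
VMMAP = table_method({VM1: "vpp-web-fallback"})
LOCAL = table_method({VM2: "vpp-local"})
DEFAULT_ORDER = [("nms", NMS), ("vmmap", VMMAP), ("local", LOCAL)]

if __name__ == "__main__":
    nms_down = [("nms", unavailable), ("vmmap", VMMAP), ("local", LOCAL)]
    for mac in (VM1, VM2, "00:00:5e:00:53:99"):
        print(mac, authenticate(mac, DEFAULT_ORDER)[:3], authenticate(mac, nms_down)[:3])
```

With the NMS unavailable, VM1 receives the VPP from the VMMAP entry instead of the one the NMS would return, so the fallback sources need to carry the same policy mappings as the NMS.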

Duplicate VM MAC Detected

Each VM MAC must be unique. If duplicate MAC addresses are detected on the switch, whether on the same VLAN or different VLANs, the switch supports only the last MAC detected.