
XMC 8.5 Technical Reference Guide


Monitor ExtremeControl Health in Extreme Management Center


The following sections provide detailed information on how to use specific Extreme
Management Center reports and NAC Manager features to monitor ExtremeControl
health. These reports provide you with the information you need to monitor, analyze, and
troubleshoot ExtremeControl problems.
• Monitor ExtremeControl Engine Performance
• Monitor ExtremeControl Engine Memory Use
• View ExtremeControl Engine Historical Data
• Monitor ExtremeControl Critical Events
• Monitor ExtremeControl Engine Load
• Monitor ExtremeControl End-System Health
• Create Alerts with ExtremeControl Notifications
• Verify ExtremeControl RADIUS Configuration
• Extreme Management Center Custom Reports

Monitor ExtremeControl Engine Performance


The ExtremeControl engine Device Availability report provides a historical overview of
the engine status. The report shows at-a-glance when an engine is offline, or whether an
engine is consistently on and offline over time. The report lets you quickly determine the
specific date when an engine is unavailable without having to review log data to
determine the date.
For a backup engine, the report can provide a good indication of possible engine or
network issues that may go otherwise undetected until the moment when the engine is
needed.
If the report indicates a problem, review the ExtremeControl engine logs for the dates in
question (see ExtremeControl Engine Log Locations), to gain additional insight into the
possible root cause of the problem.
Access the Device Availability report from the Network tab. Right-click on an
ExtremeControl engine and select View Device Details > System > Device Availability,
as shown here.


Accessing the Device Availability Report

The ExtremeControl engine Device Availability report is displayed in a new tab, as
shown below.
Device Availability Report

Monitor ExtremeControl Engine Memory Use


The Extreme Management Center Host Resources report lets you monitor physical,
virtual, and swap memory usage on an ExtremeControl engine.


As you monitor an engine's physical and virtual memory, keep in mind that it is common
for Linux-based systems (such as the ExtremeControl engine) to show high memory
utilization. Once a process consumes memory, the memory remains allocated to the
process under the assumption it may be required in the future. If a different process calls
for that memory, and it is not in use, it is made available.
It is also important to monitor swap memory statistics for your ExtremeControl engines.
When an engine starts using swap memory, it indicates a potential issue, and more
active monitoring of the engine may be required. Running commands such as the "top"
command (see Linux "top" Command section under NAC Troubleshooting) provides
more accurate and up-to-date information on whether swap memory is actively being
used, and which processes are consuming the highest memory and CPU.
Use the Network tab to access the Host Resources report for an ExtremeControl engine.
Right-click on an ExtremeControl engine and select View Device Details > System >
Host Resources, as shown here.
Accessing the Host Resources Report

A Host Resources report for the ExtremeControl engine is displayed in a new tab, as
shown below.


Host Resources Report

View ExtremeControl Engine Historical Data


The NAC History report provides a detailed view of the overall ExtremeControl engine
load based on critical ExtremeControl functions including authentication requests,
captive portal statistics, and connected agents. The report displays the latest load data
as well as minimum, maximum, and average statistics for an overview of activity by
function. This provides a historical view for each individual engine and is similar to the
ExtremeControl Engine Load report, which presents current load data for all engines.
In Extreme Management Center, select the Network tab. Right-click on an
ExtremeControl engine and select View Device Details > NAC > NAC History, as shown
here.


Accessing the NAC History Report

The NAC History report is displayed in a new tab, as shown below. Look at the
NAC Appliance Summary report for engine load data.
NAC History Report


Monitor ExtremeControl Critical Events


The ExtremeControl report on Most Severe ExtremeControl Events displays the 10 most
severe ExtremeControl events. If the most recent events indicate a current issue, further
in-depth review of the events may be required. A good place to start would be the
server.log on the Extreme Management Center server (see Accessing the Server Log
File in the Extreme Management Center Troubleshooting section of the Extreme
Management Center Technical Reference) and the tag.log on the ExtremeControl
engine (see ExtremeControl engine Log Locations). Depending on the error, additional
debug options may be required to obtain more in-depth log data. For more information,
see ExtremeControl Troubleshooting.
In Extreme Management Center, select the Reports tab. Expand the Identity and Access
- Health folder and select the report.
Most Severe NAC Events Report

Monitor ExtremeControl Appliance Load


The ExtremeControl Appliance Load report provides a summary of end-system usage for
each ExtremeControl engine on the network, including the number of active end-
systems on the engine, and the number of authentication and captive portal requests per
minute.
This report is useful for determining whether action may be required in order to more
evenly distribute the client load among available ExtremeControl engines. The report
shows which engine may have too many end-systems authenticating against it and
which engine may be underutilized and available to handle additional end-system
requests. The report also provides helpful information for capacity planning and
determining future needs for additional ExtremeControl hardware.


In Extreme Management Center, select the Control tab. Click on System to view the
Appliance Load report.

Monitor ExtremeControl End-System Health


The ExtremeControl Health reports provide information on overall end-system health.
The Risk Level report helps you quickly determine the overall status of threats and
vulnerabilities to the entire ExtremeControl environment. Select a specific section of the
chart to launch a report of all end-systems that meet that criteria. Select the "High"
portion of the chart to display a report of all end-systems that have a high-risk
vulnerability.
The Most Frequent Vulnerabilities report lists the top vulnerabilities detected and the
number of end-systems reporting that vulnerability. This report is useful in identifying
specific areas of the user environment that may need immediate attention, or in
determining the scale of a specific vulnerability.
In Extreme Management Center, select the Control tab. Click on Health to view the end-
system reports.


Create Alerts with ExtremeControl Notifications


Extreme Management Center lets you create alerts for when specific events or triggers
take place in ExtremeControl. Each notification can be defined for a specific type and
trigger. The notification type defines the source of the event that activates the notification,
such as end-system, end-system group, user group, or health result. The trigger
determines when a notification action is performed, based on filtering for a specific
event. For example, if you select end-system group as your type, the trigger may be
when entries in the group are added or removed.
Notifications can be further defined by specific conditions that, in addition to the trigger,
determine when actions are performed. For example, you can configure a condition that
filters notifications based on selected engines, user groups, and device groups, as well
as ExtremeControl profile, time, and location.
Notifications can have a variety of actions configured such as sending an email,
generating a syslog message, sending an SNMP trap, or launching a custom program or
script. Email notifications can be customized so that only certain groups are notified for
specific events based on the selected mailing list.
Use the Alarms & Events tab to configure ExtremeControl notifications.


Extreme Management Center Custom Reports


Extreme Management Center Custom Reports let you create specialized reports for
monitoring ExtremeControl engine performance. Create reports on a variety of
ExtremeControl engine statistics including CPU load, disk usage, memory usage, and
device availability. Individual reports of interest can be bookmarked for ease of use in
accessing the desired information.
On the Reports tab, expand the Custom folder and select Custom Report. Use the
Options panel to configure your custom report by selecting a report target (such as
ExtremeControl), the statistic to monitor (such as CPU utilization), and the time period
and date range to display. Click the Submit button to generate the report. An example
report on ExtremeControl engine CPU utilization is shown below.

TIP: CPU usage can be monitored more closely in real-time using diagnostic tools such as the
Linux "top" command.

7/2020
8.5 Revision -00
PN: 9036785-00
Contents Subject to Change Without Notice

Configure RADIUS Clients to Monitor ExtremeControl Engines in Extreme Management Center (Legacy)
This Help topic tells you how to configure RADIUS monitoring tools to monitor
ExtremeControl engine performance and availability.
Use the following steps to create a list of RADIUS monitoring clients and configure a
special authentication mapping for your AAA configuration used to authenticate the
clients.

If you have multiple engine groups, you can use the same tools to monitor different
engine groups, but each engine group is configured separately.
1. Select the All Appliances group or an individual engine group in the NAC Manager
left-panel tree.
2. In the right-panel Configuration tab, click on the Edit button in the RADIUS Monitor
Clients field.

3. The Configure RADIUS Monitor Clients window opens.

4. Use this window to create a list of the monitoring tools (clients) used, and specify
the shared secret to be used for all of them.
a. Click the button. Enter the IP address for the first client and click OK.
Repeat for each client that you want to add.
b. Enter the Server Shared Secret used. This is a string of characters used to
encrypt and decrypt communications between the RADIUS Monitor clients
and the engines. This string must match the shared secret configured on the
client. Without the shared secret, the engines and clients will be unable to
communicate. The shared secret must be at least 6 characters long; 16
characters is recommended. Dashes are allowed in the string, but spaces are
not.
c. Re-enter the shared secret to verify it.
d. Click OK.

5. Use the NAC Manager toolbar button to open the NAC Configuration window
or use the Edit button in the Configuration tab.

6. Select the AAA configuration in the left panel.

7. In the right-panel mapping table, click the button to add a new mapping. (You
must be using an advanced AAA Configuration in order to see the mapping table. If
you are not, right-click on the AAA Configuration and select Make Advanced.)
8. The Add User to Authentication Mapping window opens.

a. Set the Authentication Type to RADIUS Monitor.


b. Set the Authentication Method to Local Authentication and select the
Password for all Authentications checkbox. Enter the desired password that
will be used for all client authentications.
c. Click OK.
9. The new mapping will be listed in the mapping table. You can use the arrows to
adjust the position of the new mapping in the table. In the screen below you can
see that the RADIUS Monitor rule has been moved to the first row in the table
because it is more granular. Click Save to save your changes.

10. Click the Enforce toolbar button to enforce the new configuration to your engine
groups.
Any authentication request coming from an IP address that matches the list of RADIUS
monitor clients will be authenticated using the password you provided in the AAA
mapping. In these cases, the username does not matter. The password configured will
not be able to be used for authentication from any other part of the network. The
ExtremeControl engine responds back with a basic accept to any RADIUS monitor
client’s RADIUS request.
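
The exchange this procedure sets up, as an added Python example (not from the guide and not Extreme's code): a monitoring client builds an RFC 2865 Access-Request, and a constructed stand-in for the engine answers according to the RADIUS Monitor rule described above. The IP addresses, secrets, password and all function names are made up for illustration; the stand-in simply rejects requests from non-monitor addresses, whereas a real engine would evaluate them against the remaining AAA mappings.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types


def check_secret(secret):
    """Apply the shared-secret rules from step 4b; return a list of findings."""
    findings = []
    if len(secret) < 6:
        findings.append("below 6-character minimum")
    elif len(secret) < 16:
        findings.append("below recommended 16 characters")
    if " " in secret:
        findings.append("contains a space")
    return findings


def _keystream_xor(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored
    return out


def build_request(ident, username, password, secret):
    """Return (packet, request_authenticator) for an Access-Request."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    req_auth = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = _keystream_xor(padded, secret, req_auth, decrypt=False)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, username), (USER_PASSWORD, hidden)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def parse_attrs(data):
    """Split the attribute area into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def engine_reply(request, src_ip, monitor_ips, monitor_password, secret):
    """Constructed stand-in for the engine's RADIUS Monitor rule (not vendor code)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    offered = _keystream_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth,
                             decrypt=True).rstrip(b"\x00")
    # The username is never consulted: only source IP and password decide.
    ok = src_ip in monitor_ips and hmac.compare_digest(offered, monitor_password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(reply, ident, req_auth, secret):
    """Return 'accept' or 'reject' only if the Response Authenticator checks out."""
    if len(reply) < 20:
        return "invalid"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "invalid"
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"  # wrong shared secret or tampered reply
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


def probe(src_ip, username, password, client_secret, engine_cfg):
    """One health check: build, hand to the stand-in engine, verify the reply."""
    packet, req_auth = build_request(7, username, password, client_secret)
    reply = engine_reply(packet, src_ip, **engine_cfg)
    return verify_reply(reply, 7, req_auth, client_secret)


# Constructed sample configuration (documentation-range IP, made-up secrets).
ENGINE = {"monitor_ips": {"192.0.2.10"}, "monitor_password": b"probe-pass",
          "secret": b"monitor-secret-0001"}

if __name__ == "__main__":
    print(check_secret("monitor-secret-0001"))
    print(probe("192.0.2.10", b"anyone", b"probe-pass", b"monitor-secret-0001", ENGINE))
    print(probe("192.0.2.99", b"anyone", b"probe-pass", b"monitor-secret-0001", ENGINE))
    print(probe("192.0.2.10", b"anyone", b"probe-pass", b"wrong-secret-0002", ENGINE))
```

A reply that fails the Response Authenticator check is what a shared-secret mismatch looks like from the client side; RFC 2865 has clients silently discard such replies, so monitoring tools typically report a timeout rather than a reject.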

ExtremeControl Performance Tuning in Extreme Management Center
The following sections provide detailed information on how to use specific
ExtremeControl tools and features to monitor and improve ExtremeControl performance.
• Monitoring Active End-Systems
• Tuning Data Persistence
• Tuning ExtremeControl Capacity
• Using ExtremeControl Distributed Cache

Monitoring Active End-Systems


Monitoring the total number of active end-systems on the network, as well as the number
per engine, is useful in determining whether authentication load is distributed evenly
between available ExtremeControl engines. Some engines may be at or near capacity,
while others may be underutilized and available to handle additional end-systems. Use
this information to review your primary and secondary ExtremeControl engines and the
switches that authenticate against each engine, to determine whether adjustments can
be made to more evenly distribute the load. The goal is to evenly distribute the
authentication and captive portal load across all available ExtremeControl engines as
much as possible.
Engine capacity information also provides data points you can use for capacity planning
and determining future hardware needs based on current load and expected growth, as
well as targeting areas for design improvements such as implementing additional
redundancy and disaster recovery.
As you study the capacity information, keep in mind that an engine failure for any reason
means that end-systems authenticating against that engine now authenticate against
the designated backup engine. In an environment where there are two ExtremeControl
engines each responsible for authenticating 2,500 end-systems, a single engine outage
can mean that all 5,000 end-systems might possibly authenticate against the one
remaining engine. Depending on a variety of factors, oversubscribing an engine could
lead to scenarios such as failed or intermittent authentication responses, poor end-user
experience, or restricted access to the network.


NOTE: Any authentications previously performed by the unavailable primary engine remain
authenticated until the session is removed or times out. At that point, subsequent
authentication requests are sent to the backup engine. Whether authentication requests
automatically revert to the primary engine once it is deemed available is a function of
individual switch RADIUS operation.

Locating the End-System and Capacity Information


The Configuration tab in NAC Manager displays authenticated end-system and capacity
information for each ExtremeControl engine. To view this information, select an
ExtremeControl engine in the NAC Manager tree and then select the Configuration tab.
The Current Capacity field indicates the number of end-systems that have authenticated
to the ExtremeControl engine within the last 24 hours out of the total supported
authentication capacity for the ExtremeControl engine. For example, a current capacity
value of 1365/3000 indicates that 1,365 end-systems have authenticated against this
ExtremeControl engine within the last 24 hours, and this specific engine is rated to
handle 3,000 authentications. The total number of supported authentications may vary
depending on engine type.
Configuration Tab - Current Capacity

To view capacity information for all ExtremeControl engines in one place, select the All
NAC Appliances folder in the tree and click on the NAC Appliances tab. The
authenticated user counts and engine capacity are displayed under the Capacity
column.
NAC Appliances Tab - Capacity

Engine load reporting is also available within Extreme Management Center. The NAC
Appliance Load report provides a summary of end-system usage for each
ExtremeControl engine on the network, including the number of active end-systems on
the engine, and the number of authentication and captive portal requests per minute.

Tuning Data Persistence


ExtremeControl Data Persistence options provide granular control for defining how long
end-system and end-system related information is retained and stored. These options let
you customize the aging of stale end-systems, as well as the length of time to retain end-
system events and end-system assessment health results.
Access Administration > Options > Access Control > Data Persistence to open the Data
Persistence options tab. The options included in the three sections of the window are
described below.


Age End-Systems
Retaining large amounts of stale end-system data can lead to Extreme Management
Center client performance issues as well as server performance degradation in larger
networks or on Extreme Management Center servers that may not have optimal
hardware. Reducing unnecessary stale data in the database leads to improved
performance, smaller (and faster) backup files, as well as reduced disk utilization on the
server. (Performance differences vary between individual ExtremeControl deployments.)
By default, stale end-systems are aged out after 90 days of inactivity. In high volume
networks with frequent short-term users (for example, an environment with a lot of
visitors or contractors), it might be appropriate to change the number of days to a lower
amount. Aging stale end-systems removes inactive and potentially one-time end-
systems from the database and NAC Manager tables, making it easier to monitor and
locate active end-systems on the network.
The option to remove associated MAC locks and occurrences in groups is disabled by
default. For networks with a large volume of short-term authentications, as well as users
who connect to the network infrequently but on a recurring basis, this ensures these end
users retain any assigned end-system group membership and are authorized against the
proper ExtremeControl rule the next time they authenticate to the network, should their
end-system age out. If this is not a concern, you may consider selecting this option to
remove group membership. Excessively large end-system groups can have an impact
on both the server and engine. This varies by deployment, but generally, networks
containing end-system groups with 30,000 to 35,000 end-systems should have this
option selected to ensure stale data is properly handled.
By default, end-system registration data associated with stale end-systems is also
removed when an end-system ages out. Even though registrations have an independent
expiration timer and removal option, this removes registrations associated with stale
end-systems prior to the defined registration expiration, maintaining active end-system
registrations in the database and keeping end-system and registration information in
sync.

End-System Event Persistence


End-system events track authentication and ExtremeControl related activity such as IP
and OS resolution, state changes, and assessment information. These events are
maintained in memory and are archived in log files on the Extreme Management Center
server. Due to the high volume of event activity, the option to persist non-critical events is
disabled by default, and certain non-critical end-system events are not retained.
(Examples of non-critical events include duplicate or unchanging events, such as events
tied to reauthentication where an end-system's state hasn't changed.) Removing events
that are redundant or show no change leaves more space to retain those events that do
indicate active changes, maintaining end-system event efficiency.
However, networks with fewer end-systems, or those not utilizing ExtremeControl
features that create additional events such as registration and assessment, could
choose to enable the option to persist non-critical events, since they can display events
maintained in memory for a longer period than those in a more dynamic environment.
End-system events are stored in log files on the Extreme Management Center server.
These logs are available in the <install directory>/Extreme_Networks/NetSight/appdata/logs
directory and are identified by the filename convention:
nacESE.date_version.log (for example, nacESE.2012_12_31_01.log,
nacESE.2012_12_31_02.log). Events are continuously saved in the nacESE files with each
individual file growing to about 5 MB before it is archived and a new log file is started
for that day.
Each day, when the Data Persistence check runs, it removes all log files that are older
than the number of days specified (90 days by default). The length of time to retain the
log files depends on your security policy (how long records need to be kept), system
hardware limitations (disk availability), and the overall amount and type of activity
logged.
The number of end-systems and activity on the network directly impacts the number of
nacESE event log files generated on a daily basis. Monitoring the number of files
generated for a period of time provides a baseline of the amount of space being
consumed by these events and helps determine whether additional action may be
required to manage them.
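
One way to take the baseline described above, as an added Python example (not part of the guide): it parses the nacESE.date_version.log names, counts files and bytes per day, projects disk use at the retention setting, and lists files the daily Data Persistence check should already have removed. The sample file list, the spike threshold of twice the median daily count, and the function names are assumptions.

```python
import os
import re
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# nacESE.<date>_<version>.log, e.g. nacESE.2012_12_31_01.log (convention from the guide)
NAME_RE = re.compile(r"^nacESE\.(\d{4})_(\d{2})_(\d{2})_(\d+)\.log$")


def parse_name(name):
    """Return (day, version), or None if the name is not a valid nacESE log."""
    m = NAME_RE.match(name)
    if not m:
        return None
    year, month, day, version = map(int, m.groups())
    try:
        return date(year, month, day), version
    except ValueError:  # impossible calendar date, e.g. month 13
        return None


def list_logs(directory):
    """Collect (filename, size) pairs from the real logs directory."""
    return [(e.name, e.stat().st_size) for e in os.scandir(directory) if e.is_file()]


def baseline(files, today, retention_days=90, spike_factor=2.0):
    """Summarise nacESE volume. files: iterable of (filename, size_in_bytes)."""
    count, size_by_day = Counter(), defaultdict(int)
    overdue, skipped = [], []
    for name, size in files:
        parsed = parse_name(name)
        if parsed is None:
            skipped.append(name)  # not an end-system event log
            continue
        day = parsed[0]
        count[day] += 1
        size_by_day[day] += size
        # Older than the retention setting: the daily check should have removed it.
        if (today - day).days > retention_days:
            overdue.append(name)
    days = len(count)
    total = sum(size_by_day.values())
    typical = median(count.values()) if days else 0
    return {
        "files_per_day": dict(sorted(count.items())),
        "avg_files_per_day": sum(count.values()) / days if days else 0.0,
        "total_bytes": total,
        # Disk needed if every retained day looked like the observed average.
        "projected_bytes": round(total / days * retention_days) if days else 0,
        # Days with unusually many ~5 MB rollovers (assumed threshold).
        "spike_days": sorted(d for d, n in count.items() if n > spike_factor * typical),
        "overdue": sorted(overdue),
        "skipped": skipped,
    }


# Constructed sample listing; sizes in bytes.
SAMPLE_TODAY = date(2013, 1, 2)
SAMPLE = [
    ("nacESE.2012_09_15_01.log", 3_000_000),
    ("nacESE.2012_12_30_01.log", 2_000_000),
    ("nacESE.2012_12_31_01.log", 5_000_000),
    ("nacESE.2012_12_31_02.log", 1_200_000),
    ("nacESE.2013_01_01_01.log", 5_000_000),
    ("nacESE.2013_01_01_02.log", 5_000_000),
    ("nacESE.2013_01_01_03.log", 5_000_000),
    ("nacESE.2013_01_01_04.log", 5_000_000),
    ("nacESE.2013_01_01_05.log", 5_000_000),
    ("nacESE.2013_01_01_06.log", 800_000),
    ("server.log", 40_000),
    ("nacESE.2012_13_40_01.log", 1_000),
]

if __name__ == "__main__":
    report = baseline(SAMPLE, SAMPLE_TODAY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a live server, pass `list_logs(...)` on the logs directory named above in place of `SAMPLE`; an `overdue` list that is not empty suggests the Data Persistence check is not running or the retention value differs from what was assumed.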

Health Result Persistence


By default, a health result summary is saved for the last 30 assessments per end-system.
A full, detailed health result report is retained for the last five assessments for each
individual end-system. The number of summaries and detailed reports to save depends
on your company's security policy, and how long summary and detailed assessment
data is required.
For example, in an environment where end-systems are managed and generally
compliant, retaining extended detailed assessment results may not be necessary.
Whereas, in some environments, end-system monitoring is much more stringent and
specific guidelines specify the length of time this type of data must be retained. Other
factors to consider when reviewing these settings are the frequency, level (heavy versus
light), and type of scans (agent-less or agent-based) being performed.
If you select the option to only save health result details for quarantined end-systems, all
health result details resulting in an Accept State are discarded. This applies only to
agent-less assessment, as agent-based health result details are always saved for all
end-systems, regardless of whether the result indicates an Accept or Quarantine state.
(The number of health result details saved is determined by the option described above.)
You can select an option to save duplicate health result summaries and details, if
desired. By default, duplicate health results are not saved. For example, if an end-
system is scanned five times during the week with identical assessment results each
time, the duplicate health results are not saved (with the exception of administrative scan
requests such as Force Reauth and Scan, which are always saved). This reduces the
number of health results saved to the database.

Tuning ExtremeControl Capacity


The NAC Capacity option in NAC Manager controls the configuration of internal Extreme
Management Center resources (server processing queues, timing, etc.) allocated to
ExtremeControl services. These resources are specifically targeted towards the
processing of incoming end-systems, end-system events, and health result data sent
from ExtremeControl engines to the server. The greater the number of end-systems and
engines in your ExtremeControl deployment, the more resources ExtremeControl
services require for processing the incoming information updates sent by each
ExtremeControl engine.
Indications that capacity settings may be insufficient can surface in the form of slower
processing of end-system information or possibly missing updates. Raising the
capacity level incrementally allocates additional server resources dedicated to
the processing of this data. Each level provides increased queue sizes to handle the
greater volume of incoming data. In addition, changes are made in the frequency with
which data is saved, as well as the amount of data saved in each operation. The
changes allow Extreme Management Center to more efficiently process the larger
amount of data.

If insufficient resources are not the actual problem, the allocation of additional resources
may ultimately have little or no effect on performance. Because of this, it is important to
first verify that the Extreme Management Center server is installed on a system with
appropriate resources in terms of both hardware and role (a dedicated management
server versus one performing multiple roles) and that the resources are commensurate
with the size of the ExtremeControl deployment.
Insufficient server hardware could appear as an Extreme Management Center
performance issue, where in reality, the server hardware resources are not adequate for
the deployment.


To adjust ExtremeControl Capacity, access the NAC Manager options. From the NAC
Manager menu bar, select Tools > Options to open the Options window. Expand the
NAC Manager Options folder and select Advanced Settings.
Advanced Settings Options - NAC Capacity

Using ExtremeControl Distributed Cache


The ExtremeControl distributed end-system cache is an optimization recommended for
large enterprise environments as a way to improve response times when
handling end-system mobility. Enabling this option improves ExtremeControl
performance when discovering new end-systems as they connect, or when end-systems
move (and authenticate) from one location to another in the network.
Use of the distributed end-system cache feature requires that it is activated on both the
Extreme Management Center server and on all ExtremeControl engines in order to take
advantage of the optimized communications. (See the instructions below.)

NOTE: The Distributed end-system cache functionality must be enabled in environments using the
ExtremeControl DNS Proxy to redirect clients to the captive portal.

When this feature is enabled, end-system information similar to that in the end-systems
table is stored in memory on the Extreme Management Center server and
ExtremeControl engine. Each cache contains the same up-to-date information, allowing
the engine to perform lookups for end-system information in its local memory cache
instead of having to query the server for updated information. Any changes to
end-system information are propagated from each engine to the Extreme Management Center
server, which then replicates updates to each ExtremeControl engine so all have a
synchronized copy of real time end-system information.
Implementation of this feature is not recommended unless there is sufficient network
bandwidth available to handle the additional overhead in communicating updates, as
well as a fast connection between the Extreme Management Center server and the
ExtremeControl engine. Additional consideration should be taken prior to implementing
this functionality on engines that reside in a location where the data path traverses a
WAN link.

To enable on the Extreme Management Center server:

Select the Enable Distributed End-System Cache option on the Administration >
Options > Access Control > Advanced tab. Enabling this option requires an enforce of
the engine.

To enable on the ExtremeControl engine:


From the NAC Manager menu bar, select Tools > Options to open the Options window.
Expand the NAC Manager Options folder and select Advanced Settings. The option is in
the End-System Mobility section. When you enable or disable this option, you must click
the Reload button to reload the cache configuration on the Extreme Management Center
server.

NAC Manager and ExtremeControl Troubleshooting in Extreme Management Center
The following sections provide information on tools used when troubleshooting
NAC Manager and ExtremeControl engine issues.
• NAC Manager Event Logging
• ExtremeControl Engine Real-time Status
• End-System Troubleshooting

NAC Manager Event Logging


The Event View at the bottom of the NAC Manager main window displays error and
informational messages about NAC Manager operations and provides information on
end-systems attempting to connect to the network through an ExtremeControl engine.
NAC Manager Event View

There are four tabs:

• NAC Manager Events – This tab displays error and informational messages about
  NAC Manager system operations, including configuration changes and enforce
  operations.

  Use this tab when trying to locate forensic information such as when and who
  made changes to the ExtremeControl configuration, and when and for how long
  communication with an ExtremeControl engine was lost. This event log also
  captures NAC Manager functional and security-related warnings that the system
  issues when auditing its own configuration, as well as events tied to data
  persistence checks, including which end-systems were removed and when.

  Important system notification messages are also logged here, including when new
  agent-less assessment updates are available and when certain system default
  credentials should be changed.
• End-Systems Activity – This tab provides information on all the end-systems that
  have attempted to connect to the network. It displays all end-system activity since
  the client was launched.
• NAC Appliance Events – This tab provides information on ExtremeControl engine
  system events including RADIUS configuration success or failure, completed
  reauthentications, and management logins (such as Telnet or SSH configured for
  external authentication). The event log displays engine activity since the NAC
  Manager client was launched and, like NAC Manager Events, is an excellent
  source for historical information when performing a forensic investigation of a
  recent event.
• Audit Events – This tab provides information on ExtremeControl Registration
  events such as when a device or user is added during the registration process, or
  an end-system is added, removed, or updated via the registration administration
  web page. It displays all registration activity since the client was launched.

ExtremeControl Engine Real-time Status


Use the following tools to monitor ExtremeControl engine real-time statistics, as well as
view diagnostic information in the ExtremeControl engine Administration Web Page
(WebView), and ExtremeControl information in the Extreme Management Center
Administration tab.

NAC Appliances Tab


The NAC Appliances tab provides CPU and memory utilization statistics for all your
ExtremeControl engines. The CPU Load column shows the percentage of the engine's
CPU that is currently being used. This value gives you an indication of how busy the
engine is and helps you determine if your network needs additional engines, or if you
need to change your network configuration so that the load is more evenly distributed
among your existing engines.
[Figure: NAC Appliances Tab]

In addition to the information in the table, you can launch two FlexViews with CPU,
memory, and disk utilization information by right-clicking one or more engines
in the NAC Appliances tab.
Launch the CPU Utilization View (Host Processor Load FlexView).
[Figure: Host Processor Load FlexView]

Launch the Memory and Diskspace Utilization View (Host Storage FlexView).
[Figure: Host Storage FlexView]

ExtremeControl Engine Administration Web Page (WebView)

To access status and diagnostic information for an individual ExtremeControl engine,
launch WebView by right-clicking on an ExtremeControl engine in the left-panel tree, as
shown below. (You can also access the administration web page using the following
URL: https://<ExtremeControlEngineIP>:8444/Admin.)
The default user name and password for access to this web page is
"admin/Extreme@pp." The username and password can be changed in NAC Manager
using the Advanced Configuration window (available from the Tools menu > Manage
Advanced Configurations) and selecting the Engine Settings > Miscellaneous Tab >
Web Service Credentials field.
[Figure: Launch WebView]

The Home web page provides resource details such as current CPU and memory
usage. Status details provide a Current and Maximum counter for many critical functions.
Excessive authentication requests or failures are easily identified, including when the
Max Reached value occurred. This helps to identify the severity of a current problem or
match information with prior events when performing a forensic review.

NOTES: Memory usage is normally close to 100% to allow for better performance.

[Figure: Engine Administration Web Page]

For more information, see the ExtremeControl Engine Administration Web Page section
of the ExtremeControl Deployment Guide, which is in the NAC Manager user guide.

ExtremeControl Switches and Routers


When troubleshooting issues involving authentication, IP resolution,
reauthentication, and similar functions, the Switches & Routers page within WebView
provides a variety of useful real-time data.

At the top, current and historical information is displayed on a per-switch basis. This
provides insight into problems such as a single switch flooding the network with
authentication requests, as well as comparative data that can be used to spot
abnormalities such as a switch with a limited number of active end-systems showing an
excessive number of authentications over the last month.
The Switch Configuration section is an overview of all switches assigned to the
ExtremeControl engine, the RADIUS response attributes they are configured for, and the
SNMP credential the ExtremeControl engine is using to communicate with the switch.
This information can be used to identify whether the ExtremeControl engine is using the
current SNMP credentials to contact the switch. This can be confirmed under Switch
Dynamic Information, where SNMP Contact shows Contact Lost if the engine cannot
contact the switch.

Further critical information here, although perhaps more useful for support technicians,
is the set of workers assigned to each switch. These are determined by the switch
discovery process and detail how the ExtremeControl engine performs various functions,
such as using RFC 3576 or Toggle Link to reauthenticate an end-system. The
SNMP Contact status is from the perspective of the ExtremeControl engine to the switch,
which may differ from the status seen from the Extreme Management Center Console to
the switch.
[Figure: Engine Administration Web Page]

Extreme Management Center Administration - Identity and Access

The Administration tab in Extreme Management Center has an Identity and Access
section that provides detailed diagnostic and statistical information pertaining to
advanced ExtremeControl functions. Information on web service calls, events, and
distributed cache can be reviewed for signs of unexpected or failing processes.

Most of the information is useful to Engineering and Support technicians. More
information is available under System-Wide Extreme Management Center Server
Diagnostics in the Extreme Management Center Troubleshooting section of the Extreme
Management Center Technical Reference.

[Figure: Administration Tab]

ExtremeControl Status
The NAC Status option (previously available from the NAC Appliances tab) has been
updated and replaced by the Extreme Management Center Show Support functionality
described in the Extreme Management Center Troubleshooting section of the Extreme
Management Center Technical Reference.
The nacstatus command is still available from the ExtremeControl engine CLI and can
be executed to provide detailed data regarding the ExtremeControl engine. However,
the Show Support function is the recommended data collection vehicle, as it provides a
comprehensive look into both the operation of the server as well as all active
ExtremeControl engines.

End-System Troubleshooting
Use the following tools to monitor and troubleshoot end-system issues in NAC
Manager.

End-System Events in NAC Manager


Troubleshooting specific end-system issues starts with end-system events. Events
provide time-stamped logs of when specific events occurred. It is helpful to correlate
these events with diagnostic log data.

[Figure: NAC Manager End-Systems Tab]

Engine End-System Diagnostics


To access end-system diagnostic information for a specific ExtremeControl engine,
launch the ExtremeControl engine administration web page by right-clicking on an
ExtremeControl engine in the left-panel tree and selecting WebView, as shown below.
(You can also access the administration web page using the following URL:
https://<ExtremeControlengineIP>:8444/Admin.)
The default user name and password for access to this web page is
"admin/Extreme@pp." The username and password can be changed in NAC Manager
using the Advanced Configuration window (available from the Tools menu > Manage
Advanced Configurations) and selecting the Engine Settings > Miscellaneous Tab >
Web Service Credentials field.

[Figure: Launch WebView]

Expand the Diagnostics folder and select End System Diagnostics. Enable diagnostics
for both MAC and IP address.
Targeting diagnostics for a specific end-system enables a majority of the debug
diagnostics available on a global level, but only for the specific end-system. Therefore,
diagnostics can be enabled for an extended period of time without the concern of
generating the excessive log files that are possible when global diagnostics are
enabled.
The log data is saved to the same location as the global diagnostics, in the
/var/log/tag.log file of the ExtremeControl engine. A log entry is made in tag.log
when diagnostics are enabled, which helps locate the portion of the log from which
to start a review.

2013-09-13 14:51:20,783 INFO [ESD] Enabling verbose diagnostics for MAC: 00-18-8B-D6-E6-0C
2013-09-13 14:51:38,195 INFO [ESD] Enabling verbose diagnostics for IP: 10.20.87.100
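
To find where targeted diagnostics begin in tag.log, the following added example (not part of the Extreme documentation) locates the "Enabling verbose diagnostics" markers shown above and returns the line number and time of the most recent one for a given end-system. The function names are hypothetical, and every sample line other than the first two markers is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the tag.log layout shown above. Only the first two
# "Enabling verbose diagnostics" lines come from this page; the rest are made up.
SAMPLE_TAG_LOG = """\
2013-09-13 14:50:02,110 INFO [Engine] constructed unrelated entry
2013-09-13 14:51:20,783 INFO [ESD] Enabling verbose diagnostics for MAC: 00-18-8B-D6-E6-0C
2013-09-13 14:51:22,004 DEBUG [ESD] constructed debug entry A
2013-09-13 14:51:38,195 INFO [ESD] Enabling verbose diagnostics for IP: 10.20.87.100
2013-09-13 15:20:00,000 INFO [ESD] Enabling verbose diagnostics for MAC: 00-18-8B-D6-E6-0C
2013-09-13 15:20:01,500 DEBUG [ESD] constructed debug entry B
"""

MARKER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ \[ESD\] "
    r"Enabling verbose diagnostics for (?P<kind>MAC|IP): (?P<target>\S+)\s*$"
)

def canon(kind, value):
    """MACs compare without regard to case or separator; IPs compare as written."""
    return re.sub(r"[-:.]", "", value).upper() if kind == "MAC" else value.strip()

def find_markers(lines):
    """Return (line_no, timestamp, kind, target) for each ESD enable marker."""
    found = []
    for line_no, line in enumerate(lines, start=1):
        m = MARKER.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            found.append((line_no, ts, m["kind"], m["target"]))
    return found

def review_start(lines, kind, target):
    """(line_no, timestamp) of the latest marker for this end-system, else None."""
    want = canon(kind, target)
    hits = [(n, ts) for n, ts, k, t in find_markers(lines)
            if k == kind and canon(k, t) == want]
    return hits[-1] if hits else None

if __name__ == "__main__":
    # On an engine, read /var/log/tag.log instead of the constructed sample.
    log_lines = SAMPLE_TAG_LOG.splitlines()
    for kind, target in (("MAC", "00:18:8b:d6:e6:0c"), ("IP", "10.20.87.100")):
        print(kind, target, "-> start review at", review_start(log_lines, kind, target))
```

The returned timestamp can then be matched against the end-system event times in NAC Manager when correlating events with diagnostic log data.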

[Figure: Engine End-System Diagnostics]

End-System Diagnostic Information


There are a variety of end-system troubleshooting tools available in NAC Manager by
right-clicking on an end-system.
[Figure: Launch End-System Diagnostic Tools]

• Configuration Evaluation Tool - Test the rules defined in your ExtremeControl
Configuration in order to determine what behavior an end-system will encounter
when it is authenticated on an ExtremeControl engine.
• Port Monitor - View detailed port and switch status information for the selected
end-system including: information from interface statistics, CoS and authentication
information, the Reauth Interval and Quiet Period, the interface PVID, and errors on
the port.
• PortView - View a variety of detailed port information and statistics presented in a
network topology view. PortView displays the end-system in a graphical view
based on how it connects to the network. From here, tabs are available that
provide interface statistics, switch resource data, detailed ExtremeControl
end-system information, as well as flow data, if enabled. A right-click on the switch
opens menu options to drill into more specific switch-related data. For wireless
end-systems, a Real Capture can be launched from this view providing real-time
packet capture of end-system communications.
• Telnet to Switch - Launches a Telnet session to the switch the end-system is
connected to.
• SSH to Switch - Launches a Secure Shell (SSH) session to the switch the
end-system is connected to.
• Ping End-System - Open a window where you can ping the end-system to
determine if it can be contacted. You can view the results of the ping in the log in
the window. You can also click Clear to enter another IP address or host name, if
you wish.
7/2020
8.5 Revision -00
Contents Subject to Change Without Notice
