802.1x failing but radius authentication succeeded


Hello,

I'm testing 802.1x authentication on Extreme XOS. I'm running XOS 16.2.4.5 patch1-5 on an X440-8t switch. I've completed the setup based on the documentation provided by Extreme. The problem is that I'm receiving "Authentication failed for Network Login 802.1x user host/xxxxxx Mac xxxxxxx port x", although if I run Wireshark on my RADIUS server, I see a successful authentication for host/xxxxxx. I'm wondering why the switch is considering it as failed. My RADIUS server is a Microsoft 2008R2 NPS server.

Thanks
Mario

13 replies

Mario,
A "show radius" screenshot may help, as well as:
show conf eaps
show config aaa
show config | include radius
Hi Jason,

X440-8t.7 # sh radius
Radius Default State: disabled
Radius Default Timeout: 3 seconds
Radius Algorithm: standard
Radius Retries: 20
Switch Management Radius: disabled
Switch Management Radius server connect time out: 120 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 120 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds

Primary Netlogin Radius server: Status is Active
host name :
IP address : 172.21.192.162
Server IP Port: 1812
Client address: 172.21.192.222 (VR-Default)
Retries : 20 *
Timeout : 120 *
shared secret : (encrypted secret)
Access Requests : 0 Access Accepts : 0
Access Rejects : 0 Access Challenges : 0
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Legend: An asterisk (*) indicates a global value is in use.
X440-8t.8 #
X440-8t.8 #
X440-8t.8 # restart ports 1
X440-8t.9 # sh radius
Radius Default State: disabled
Radius Default Timeout: 3 seconds
Radius Algorithm: standard
Radius Retries: 20
Switch Management Radius: disabled
Switch Management Radius server connect time out: 120 seconds
Switch Management Radius Accounting: disabled
Switch Management Radius Accounting server connect time out: 3 seconds
Netlogin Radius: enabled
Netlogin Radius server connect time out: 120 seconds
Netlogin Radius Accounting: disabled
Netlogin Radius Accounting server connect time out: 3 seconds

Primary Netlogin Radius server: Status is Active
host name :
IP address : 172.21.192.162
Server IP Port: 1812
Client address: 172.21.192.222 (VR-Default)
Retries : 20 *
Timeout : 120 *
shared secret : (encrypted secret)
Access Requests : 1 Access Accepts : 1
Access Rejects : 0 Access Challenges : 3
Access Retransmits: 0 Client timeouts : 0
Bad authenticators: 0 Unknown types : 0
Round Trip Time : 0

Legend: An asterisk (*) indicates a global value is in use.

X440-8t.11 # show conf eaps
#
# Module eaps configuration.
#
X440-8t.12 # show config aaa
#
# Module aaa configuration.
#
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "(encrypted secret)"
enable radius netlogin
configure radius mgmt-access timeout 120
configure radius netlogin timeout 120
configure radius retries 20
X440-8t.13 # show config | include radius
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "(encrypted secret)"
enable radius netlogin
configure radius mgmt-access timeout 120
configure radius netlogin timeout 120
configure radius retries 20
X440-8t.14 #

---
Edited by CM to remove the shared secret
Also, it would be useful to see the output of: sh netlogin port XX, where XX is the port on which netlogin is enabled and "successful".
Hi Stefan,

X440-8t.8 # sh netlogin port 1
Port : 1
Port Restart : Disabled
Allow Egress : None
Vlan : nt_login
Authentication : 802.1x
Port State : Enabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled
------------------------------------------------
802.1x Port Configuration
------------------------------------------------
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
Guest Vlan : Disabled
------------------------------------------------
Netlogin Clients
------------------------------------------------

MAC IP address Authenticated Type ReAuth-Timer User
00:24:e8:d9:5d:ec 0.0.0.0 No 802.1x 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated : 0
Interesting... Everything looks good. Could you please share the output of this command:
show config | include netlogin (it is slightly different from sh config | include radius)
and
show vlan
Hi Stefan

X440-8t.1 # show config | include netlogin
configure radius netlogin primary server 172.21.192.162 1812 client-ip 172.21.192.222 vr VR-Default
configure radius netlogin primary shared-secret encrypted "#$cdHMN3kX1OgZyNlPvyzn0ZhwmNu23g=="
enable radius netlogin
configure radius netlogin timeout 120
configure netlogin vlan nt_login
enable netlogin dot1x
enable netlogin ports 1 dot1x
configure netlogin ports 1 mode port-based-vlans
configure netlogin ports 1 no-restart
X440-8t.2 # sh vlan
-----------------------------------------------------------------------------------------------
Name VID Protocol Addr Flags Proto Ports Virtual
Active router
/Total
-----------------------------------------------------------------------------------------------
Default 1 172.21.192.222 /20 ------------T---------------- ANY 2 /11 VR-Default
Mgmt 4095 ------------------------------------------------- ANY 0 /1 VR-Mgmt
nt_login 4094 ----------------------LN------------------------- ANY 0 /1 VR-Default
-----------------------------------------------------------------------------------------------
Flags : (B) BFD Enabled, (c) 802.1ad customer VLAN, (C) EAPS Control VLAN,
(d) Dynamically created VLAN, (D) VLAN Admin Disabled,
(e) CES Configured, (E) ESRP Enabled, (f) IP Forwarding Enabled,
(F) Learning Disabled, (h) TRILL Enabled, (i) ISIS Enabled,
(I) Inter-Switch Connection VLAN for MLAG, (k) PTP Configured,
(l) MPLS Enabled, (L) Loopback Enabled, (m) IPmc Forwarding Enabled,
(M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled,
(N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled,
(p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled,
(R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN,
(t) Translation VLAN or Network VLAN, (T) Member of STP Domain,
(v) VRRP Enabled, (V) VPLS Enabled, (W) VPWS Enabled, (Z) OpenFlow Enabled

Total number of VLAN(s) : 3
Hello again,

I have opened a case at the same time with Extreme TAC. They advised enabling debug logs with the following two commands:

configure log filter defaultFilter add events nl severity debug-verbose
enable log debug-mode

Once I had done that, I started to see the reason why it is failing:

Authentication failed for Network Login 802.1x user host/xxxxx Mac xxxxxxx port 1
Client[1, xxxxxxx] auth move result: Destination VLAN not supplied
Client[1, xxxxxxx] authVlans preprocessing result; Destination VLAN not supplied
802.1X received authentication result 1 for client xxxxxxxxx from AAA
An EAP packet was sent to RADIUS for client xxxxxxxx via AAA

I understood that the switch is expecting the destination VLAN from the RADIUS server. I configured it and now it works properly.

I may have misunderstood the document; however, the destination VLAN part is in the additional notes of the documentation, as if it were optional.
Mario Salhab wrote: [quote of the post above]

Thanks, but when you say the switch was expecting the destination VLAN from the RADIUS server, what configuration did you change? I have the exact same issue:
Mario Salhab wrote: [quote of the post above]

Hi Stephanos,

You should follow the Additional notes of the following documentation.
For example, if you want a successfully authenticated client to be added to VLAN Default as untagged, you should add the attribute value Udefault.
I don't know why they put it in the additional notes when it should be a required configuration.
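The switch-side check that Mario's debug log exposes ("Destination VLAN not supplied") and the Udefault attribute value he describes can both be reproduced offline. The following is an added example, not code from the thread or from Extreme Networks: it constructs a RADIUS Access-Accept (RFC 2865), verifies its Response Authenticator against the shared secret, and then looks for a destination VLAN in the two forms a NAS can receive one: the RFC 3580 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) or the Extreme vendor-specific attribute Extreme-Netlogin-Vlan (vendor 1916), whose value is "U" plus the VLAN name for untagged or "T" plus the name for tagged. The VSA number 203, the shared secret, the Request Authenticator and the packet contents are assumptions of this example.

```python
"""Does an Access-Accept actually tell the switch which VLAN to use?

Added example for this thread; not code from the original post or from
Extreme Networks. The VSA number 203 for Extreme-Netlogin-Vlan is taken
from the FreeRADIUS dictionary.extreme and is an assumption, as are the
secret, the Request Authenticator and all packet contents below.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
VENDOR_EXTREME = 1916
EXTREME_NETLOGIN_VLAN = 203  # assumed from dictionary.extreme


def avp(attr_type, value, tag=None):
    """Encode one attribute; RFC 2868 tunnel attributes carry a leading tag byte."""
    body = (bytes([tag]) if tag is not None else b"") + value
    return bytes([attr_type, 2 + len(body)]) + body


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_response(code, ident, request_auth, attrs, secret):
    """Assemble a response packet with its Response Authenticator (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(pkt, request_auth, secret):
    """True if the Response Authenticator checks out; a mismatch is what the
    switch counts under 'Bad authenticators' in 'show radius'."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_attrs(attrs):
    """Return [(type, value), ...]; stops at the first malformed attribute."""
    out, off = [], 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            break
        out.append((atype, attrs[off + 2:off + alen]))
        off += alen
    return out


def destination_vlan(pkt):
    """Return ("rfc3580", group) or ("extreme", name, tagged), or None when the
    Accept carries no VLAN, which is the 'Destination VLAN not supplied' case."""
    if not pkt or pkt[0] != ACCESS_ACCEPT:
        return None
    tunnels = {}  # tag -> {attribute type: value}
    for atype, val in parse_attrs(pkt[20:]):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            tunnels.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and len(val) >= 2:
            # A first byte above 0x1F is data, not a tag (RFC 2868 section 3.6).
            tag, group = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            tunnels.setdefault(tag, {})[atype] = group.decode("ascii", "replace")
        elif atype == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!I", val[:4])[0], val[4], val[5]
            if vendor == VENDOR_EXTREME and vtype == EXTREME_NETLOGIN_VLAN and 2 < vlen <= len(val) - 4:
                text = val[6:4 + vlen].decode("ascii", "replace")
                if len(text) > 1 and text[0] in "UT":
                    return ("extreme", text[1:], text[0] == "T")
    for entry in tunnels.values():
        if (entry.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and entry.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in entry):
            return ("rfc3580", entry[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    return None


# Constructed sample data: a fake shared secret and a fixed Request Authenticator.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
IDENT = 7
ACCEPT_NO_VLAN = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH,
                                avp(ATTR_USER_NAME, b"host/pc01.example.local"), SECRET)
ACCEPT_RFC3580 = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH,
                                avp(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big"), tag=1)
                                + avp(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"), tag=1)
                                + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"Default", tag=1), SECRET)
ACCEPT_EXTREME = build_response(ACCESS_ACCEPT, IDENT, REQUEST_AUTH,
                                vsa(VENDOR_EXTREME, EXTREME_NETLOGIN_VLAN, b"UDefault"), SECRET)

if __name__ == "__main__":
    for name, pkt in (("no VLAN", ACCEPT_NO_VLAN), ("RFC 3580", ACCEPT_RFC3580), ("Extreme VSA", ACCEPT_EXTREME)):
        print(name, "authenticator ok:", verify_response(pkt, REQUEST_AUTH, SECRET),
              "vlan:", destination_vlan(pkt))
```

The first sample packet is the situation in the thread: the server's counters and a capture both show an Access-Accept, yet the NAS has nothing to move the client into. When "show radius" reports Access Accepts climbing while "show netlogin port" still shows the client unauthenticated, the thing to inspect is the attribute list in the Accept, not reachability or the shared secret (a wrong secret shows up as "Bad authenticators" instead, as the verify_response check illustrates).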
Mario Salhab wrote: [quote of the post above]

Thank you, I've done that already but I'm still getting the error:

auth move result: Destination VLAN not supplied
authVlans preprocessing result; Destination VLAN not supplied

The VLAN on the switch is named: BR-STA-078

RADIUS server settings, see screenshot:

Mario Salhab wrote: [quote of the post above]

The config looks good. Did you try testing with a VLAN whose name doesn't contain dashes ("-")? Try the Default VLAN first, for instance.
Mario Salhab wrote: [quote of the post above]

I've tried that and still nothing...
You must specify the very same VLAN tag and name that was previously defined on the RADIUS server. This VLAN must be present on the switch as well. Also, I would suggest using a configuration without the no-restart port option (but it depends on your conditions). In previous versions of XOS there were some serious issues with the reauth process on some ports (e.g. plugging the same cable back into the port), which resulted in an auth error. But it is true that these issues were successfully fixed somewhere around 09-10/2017.
