Header Only - DO NOT REMOVE - Extreme Networks

Authentication VLAN failure - Not working?

  • 29 August 2019
  • 1 reply

Evening everyone,

I seem to have an issue with the authentication VLAN on our X440-G2 switches but not all.

Comparing config side by side there doesn't seem to be any difference.

Netlogin is enabled and configured on the majority of ports 802.1x & mac based (not fully working for some devices but that's mainly a radius issue so we'll ignore that for now)

Netlogin set up to use a vlan 'Login VLAN' default which is just a bank vlan
Netlogin authentication enabled on ports
Netlogin authentication VLAN set to a working 'data vlan'.

This works on the majority of our network but there's a few stacks that seems to stick to the 'Login VLAN' and doesn't authenticate not fail authentication onto the 'data vlan' straight away.

I've checked the status of a port i know that has the issue, see code below.

Once the PC connected has booted up it either authenticates or does actually drop onto the failure 'data vlan' but not straight away.

This may not be the major issue and probably working correctly for the 802.1x part but the problem it seems to cause us is (and ignore my ignorance here, i have inherited this network and not had any major dealings with networks until now) as the machine sits on the 'Login VLAN' at boot it's unable to communicate with one of the bootprelay configured servers on the swich of our SCCM server and unable to talk to or obtain an address to be able to ipv4 boot to deploy/image via SCCM.

There maybe something i am missing here but like i said i've not any major understandings of the set up but managing quite well for the most, comparing switch config between working stacks without the issue and this one doesn't seem to show up any differences in this part.

Thank You.

Port                          : 1:21
Port Restart : Disabled
Allow Egress : None
Vlan : LoginVLAN
Authentication : 802.1x, mac-based
Port State : Enabled
Authentication Mode : Required (Policy Enabled only)
Max Supported Users : 1536 (Policy Enabled only)
Allowed Users : 128 (Policy Enabled only)
Current Users : 0 (Policy Enabled only)
Auth Failure Vlan : Enabled
Auth Service-Unavailable Vlan : Disabled
802.1x Port Configuration
Quiet Period : 60
Supplicant Response Timeout : 30
Re-authentication : On
Re-authentication period : 3600
Max Re-authentications : 3
RADIUS server timeout : 30
Guest Vlan : Disabled
MAC Mode Port Configuration
Re-authentication period : 3600
Re-authentication : Off
Authentication Delay : 0 seconds (Default)
Netlogin Clients

MAC IP address Authenticated Type ReAuth-Timer User
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated : 91

1 reply

Just adding to this,

We have X670 'core' switches where the VLANs reside and the bootprelay is set up.

Checking the bootprelay configuration on a switch that doesn't have an issue in terms of allowing connection to our SCCM server the status is 'disabled'

Checking it on the switch i used in the example above where i have the issue it is 'enabled' and set to two IP addresses as on our core switching (DHCP server + SCCM server)

Could this be the issue and i'm just being impatient in terms of authentication failure for the ports (as writing it out it makes sense not to fail straight away until the client attemps to authenticate with radius / mac)