debug netlogin XOS


Userlevel 6
Hi Folks,
how can i debug the following error message regarding mac authentiication on recent XOS 15.5.4.2 (BD8810) and solving the problem?

Reboot of the end-system does not help. Shutting down netlogin - end-system running at once over the manually configured vlan.

[i] MSM-A: Authentication failed for Network Login MAC user 18A905BB9E50 Mac 18:A9:05:BB:9E:50 port 7:39

Here the show netlogin for this port:
show netlogin port 7:39

Port : 7:39
Port Restart : Disabled
Allow Egress : None
Vlan : Default
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC IP address Authenticated Type ReAuth-Timer User
18:a9:05🇧🇧9e:50 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 7:39
Port Restart : Disabled
Allow Egress : None
Vlan : VTelefon
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated : 2

The is a very simple MAC Auth so i cannot understand why the netlogin should failed !

As a background information i run an update from XOS 12.6.2.10 to 15.5.4.2 yesterday evening.

7 replies

Userlevel 6
Does this article help ?
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-t...
Userlevel 6
Hi OscarK,

this does not help because we use MAC auth with RADIUS.

Do you (or anybody else) know how i can debug this MAC Authentication process ?

Regards
Userlevel 6
you can debug everything on EXOS by adding events to the log filter with a lower severity, even severity debug-data/verbode/summary.For the debug severity you need to enable log debug-mode.
Userlevel 6
I just made this article for you. Hope this helps. If not, let me know.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-R...

I would also check to make sure the switch is sending "Acct Requests" and is receiving "Acct Responses" with the "show radius" command.
Userlevel 6
Hi William,
netlogin is running since several years without bigger problems. From Radius point of View Requests and Responses are OK!
Userlevel 6
I got the problem.

I turn on debug for netlogin:
enable log debug-mode
enable log display
configure log filter "DefaultFilter" add events nl severity debug-verbose
configure log filter "DefaultFilter" add events AAA.RADIUS severity debug-verbose

Then i can read the netlogin Framework have problems with binding the regarding vlan tagged AND untagged!
So because the used RFC3580 RADIUS communication does not specify tagged or untagged usage of the VLAN i switch over to Extreme netlogin VSAs which specify this (= T80 = VLAN 80 tagged)!

This solved my problem complettely!

Regards
Userlevel 6
Great! Thanks for sharing your solution with the community.

Sending the VSA with T adds the port tagged and U add the port as untagged.[/code]

Reply