
MAC authentication error on X440-G2


Userlevel 2
Hello Guys! I was trying to setup passive NAC (pass-through) with X440-G2-48p-10G4 switch. I keep getting the following error in the log:

    02/14/2017 14:28:40.49 [i] Authentication failed for Network Login MAC user 001AE87F49D2 Mac 00:1A:E8:7F:49:D2 port 5

Here is my netlogin config:

    * X440G2-48p-10G4.100 # sh configuration "netlogin"
    #
    # Module netLogin configuration.
    #
    enable netlogin mac
    configure netlogin mac authentication database-order local
    configure netlogin authentication protocol-order mac dot1x web-based
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "}eqrthug"
    enable netlogin ports 1-44 mac

and aaa config (NAC is my radius):

    # Module aaa configuration.
    #
    configure radius netlogin 1 server 192.168.36.80 1812 client-ip 192.168.36.231 vr VR-Default
    configure radius 1 shared-secret encrypted "#$fPXY767cV5/sPn3skPxEgMScJGlMOi9B7tKPIpB7"
    configure radius-accounting netlogin 1 server 192.168.36.80 1813 client-ip 192.168.36.231 vr VR-Default
    configure radius-accounting 1 shared-secret encrypted "#$MHHPB8XKQVHhmbrvq4Og9d3stHCRr9PE29nNW5Ev"
    configure radius-accounting 1 timeout 10
    enable radius
    disable radius mgmt-access
    enable radius netlogin
    configure radius timeout 15
    enable radius-accounting
    disable radius-accounting mgmt-access
    enable radius-accounting netlogin
    configure account admin encrypted "$5$DDz7LO$enRGUuZ8/kFW74TqsMOXX2WrJhPZD1B1rxPuzhI4ifC"

On each access port I have:

    configure netlogin port authentication mode optional

What is wrong? Besides, I cannot enter the command: configure netlogin vlan - CLI doesn't allow me to put this command (?). EXOS version is 21.1.1.4

3 replies

Userlevel 4
Hi Robert,

Have you tried configuring from NAC already? Also, the authentication configuration on the 440-G2 can be accomplished from enabling via Policy in Management Center as well.

The main item that I see that is problematic is: "configure netlogin mac authentication database-order local"

You want this to be sent to RADIUS (which is the NAC) so that it can authenticate it and pass back a response.

Hope that helps.

Thanks,

Tyler
Userlevel 7
I'm not an XOS expert but as far as I understand...

"configure netlogin mac authentication database-order local" will use the local user database and doesn't use the RADIUS=NAC for authentication

"configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "}eqrthug"" the password will be used for all the MAC authentication clients - but I'd say they don't send one or the password is the MAC so I'd remove the "encrypted " option

Could you post a "show netlogin mac" from the switch?

I think you'd need to set the netlogin vlan before you enable netlogin.
Userlevel 2
Nice try, Tyler and Ronald! You both were right - I changed "configure netlogin mac authentication database-order local" to "radius" and then I have in my log: 02/14/2017 15:39:01.51 [i] Network Login MAC user 001AE87F49D2 logged in MAC 00:1A:E8:7F:49:D2 port 1 VLAN(s) "[u]", authentication Radius. I can also see the end-system in NAC database. Thank you!

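Added example, not part of the original thread and not Extreme's own tooling: a small Python check that reads a saved "show configuration" dump and flags the mismatch resolved above, where MAC netlogin is enabled and a netlogin RADIUS server is defined but the database-order never sends requests to it. The function name audit_netlogin_mac is hypothetical, the sample config is constructed from the posted one with the secret replaced by a placeholder, and the two checks on the RADIUS side go slightly beyond the case in the thread.

```python
import re

# Constructed sample: trimmed from the configuration posted in the thread,
# with the shared secret replaced by a placeholder.
SAMPLE_CONFIG = """
enable netlogin mac
configure netlogin mac authentication database-order local
configure netlogin authentication protocol-order mac dot1x web-based
enable netlogin ports 1-44 mac
configure radius netlogin 1 server 192.168.36.80 1812 client-ip 192.168.36.231 vr VR-Default
configure radius 1 shared-secret encrypted "<placeholder>"
enable radius
enable radius netlogin
"""

ORDER_RE = re.compile(r"configure netlogin mac authentication database-order (.+)")
SERVER_RE = re.compile(r"configure radius netlogin \d+ server (\S+)")

def audit_netlogin_mac(config_text):
    """Hypothetical helper: list mismatches between MAC netlogin and RADIUS."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    if "enable netlogin mac" not in lines:
        return []  # MAC authentication is off, nothing to check
    radius_on = "enable radius netlogin" in lines
    servers = [m.group(1) for m in map(SERVER_RE.match, lines) if m]
    orders = [m.group(1).split() for m in map(ORDER_RE.match, lines) if m]
    if not orders:
        return []  # no explicit database-order line; no default is assumed
    order, findings = orders[-1], []
    if "radius" not in order:
        msg = "database-order is '%s': MAC requests never reach RADIUS" % " ".join(order)
        if servers and radius_on:
            msg += ", although netlogin server %s is configured" % ", ".join(servers)
        findings.append(msg)
    else:
        if not servers:
            findings.append("database-order uses radius but no netlogin RADIUS server is defined")
        if not radius_on:
            findings.append("database-order uses radius but 'enable radius netlogin' is missing")
    return findings

if __name__ == "__main__":
    for finding in audit_netlogin_mac(SAMPLE_CONFIG):
        print("FINDING:", finding)
```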