netlogin 802.1X authentication question


I have the netlogin 802.1X client authenticating successfully, but why do I always get a failed MAC address authentication from the same client immediately before it?

03/11/2016 16:40:31.77 [i] Network Login 802.1x user host/TDT34349.corporativo.pt logged in MAC 74:46:A0:XX:XX:XX port 3 VLAN(s) "DADOS", authentication Radius
03/11/2016 16:40:31.69 [i] Authentication failed for Network Login MAC user 7446A0XXXXXX Mac 74:46:A0:XX:XX:XX port 3
03/11/2016 16:40:31.67 [i] Port 3 link UP at speed 1 Gbps and full-duplex

Best Regards
Vitor Barreiro

5 replies

Userlevel 6
Do you have MAC and DOT1x configured? MAC authenticates first because it attempts to authenticate once the first frame is received. Are you currently using MAC-based authentication? MAC authentication sends the MAC as the username and password in a RADIUS request packet.
Stephen Williams wrote:

Do you have MAC and DOT1x configured? MAC authenticates first because it attempts to authenticate once the first frame is received. Are you currently using MAC-based authentication? MAC authentication sends the MAC as the username and password in a RADIUS request packet.

Yes, I have MAC and DOT1X configured, because on most of the ports I have an IP phone and a PC behind the phone. MAC authentication for the phones and DOT1x for the PC. Configuration below:

configure netlogin vlan Auth
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 3-5,7,9,11-19 dot1x
enable netlogin ports 3-5,7,9,11-19 mac
configure netlogin ports 3 mode mac-based-vlans
configure netlogin ports 3 no-restart
Userlevel 2
MAC authentication is enabled, and the MAC is not in the "allow" list, hence the Auth failure. To prevent this, change the order of the authentication mechanism. Likely the order is currently set to MAC-802.1x-WebAuth. Change the order in NetSight to authenticate 802.1x first, and your problem should go away.
Marcus Florido wrote:

MAC authentication is enabled, and the MAC is not in the "allow" list, hence the Auth failure. To prevent this, change the order of the authentication mechanism. Likely the order is currently set to MAC-802.1x-WebAuth. Change the order in NetSight to authenticate 802.1x first, and your problem should go away.

I have MAC and DOT1X configured, because on most of the ports I have an IP phone and a PC behind the phone. MAC authentication for the phones and DOT1x for the PC. NPS is the RADIUS server and the configuration is:

configure netlogin vlan Auth
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 3-5,7,9,11-19 dot1x
enable netlogin ports 3-5,7,9,11-19 mac
configure netlogin ports 3 mode mac-based-vlans
configure netlogin ports 3 no-restart
Userlevel 6
Mac will still authenticate first, but the order will make sure it acts on what 802.1x tells it over MAC.
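
The behaviour discussed in this thread, as an added example that is not part of any post and not vendor code: a log triage helper that separates MAC-auth failures followed by an 802.1X login for the same MAC and port (the expected noise on phone-plus-PC ports) from failures that nothing supersedes. The function names, the 5-second window, the MM/DD/YYYY date reading and the sample MACs and hostname are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Patterns follow the two netlogin message formats quoted in the question.
TS = r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+)"
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
PORT = r" port (?P<port>\S+)"
FAIL_RE = re.compile(
    TS + r" .*Authentication failed for Network Login MAC user \S+ Mac " + MAC + PORT)
DOT1X_RE = re.compile(
    TS + r" .*Network Login 802\.1x user \S+ logged in MAC " + MAC + PORT)

def _event(match):
    # Assumption: timestamps are MM/DD/YYYY with fractional seconds.
    ts = datetime.strptime(match["ts"], "%m/%d/%Y %H:%M:%S.%f")
    return ts, match["mac"].upper(), match["port"]

def classify_mac_failures(lines, window_s=5.0):
    """Return [(mac, port, verdict)] for each MAC-auth failure, oldest first.

    verdict is "superseded_by_dot1x" when an 802.1X login for the same MAC and
    port follows within window_s seconds (an assumed, tunable value), otherwise
    "unresolved" so it can be reviewed as a real rejection.
    """
    fails, logins = [], []
    for line in lines:
        if m := FAIL_RE.search(line):
            fails.append(_event(m))
        elif m := DOT1X_RE.search(line):
            logins.append(_event(m))
    results = []
    for ts, mac, port in sorted(fails):
        followed = any(
            l_mac == mac and l_port == port
            and 0 <= (l_ts - ts).total_seconds() <= window_s
            for l_ts, l_mac, l_port in logins)
        results.append((mac, port, "superseded_by_dot1x" if followed else "unresolved"))
    return results

# Constructed sample (newest first, like the log in the question).
SAMPLE = [
    '03/11/2016 16:45:10.12 [i] Authentication failed for Network Login MAC user 00005E005302 Mac 00:00:5E:00:53:02 port 5',
    '03/11/2016 16:40:31.77 [i] Network Login 802.1x user host/pc01.example.test logged in MAC 00:00:5E:00:53:01 port 3 VLAN(s) "DADOS", authentication Radius',
    '03/11/2016 16:40:31.69 [i] Authentication failed for Network Login MAC user 00005E005301 Mac 00:00:5E:00:53:01 port 3',
    '03/11/2016 16:40:31.67 [i] Port 3 link UP at speed 1 Gbps and full-duplex',
]

if __name__ == "__main__":
    for row in classify_mac_failures(SAMPLE):
        print(row)
```

Failures reported as "unresolved" are the ones worth checking against the RADIUS server's own logs, since no 802.1X session took over for that MAC.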
