
XOS: netlogin on sharing ports

  • 8 September 2015
  • 14 replies
  • 342 views

Userlevel 6
Hi extreme-networks folks,

I want to get some ideas and statements regarding the need for the following feature:

"netlogin on sharing ports"

Currently this is not possible (on XOS; EOS supports that)!

To attach a server redundantly to a switch I use sharing. To authenticate, and for documentation purposes, I use authentication (netlogin). So from my point of view it is very clear to use both features on the same port. But currently this is not possible.

What do you think about that ?

14 replies

Userlevel 6
No other opinions? Nobody who agrees with me that this is useful?
Userlevel 6
Matthias,

Network login is a security feature meant to secure access to the network from ports accessible to normal employees and visitors, to make sure nobody can gain access to the network by simply plugging a device into an empty port.

Servers, on the other hand, tend to be grouped in protected environments (datacenters) with ports not available to visitors or normal employees. Datacenters have their own security measures that don't include network login.

I imagine that network login would be disruptive in the current virtualized datacenter, where VMs can be moved from one physical server/network port to another without the VM knowing it is being moved. Because of this, the datacenter network has to include tools (e.g. Data Center Manager) to make sure that the destination port has the same configuration as the original port. If the VM is unaware of it being moved to a new port, how would it re-negotiate access through Network Login?

I don't know how easy/difficult it is to enable this, but you can always work with GTAC and your local SE to make a feature request.
Userlevel 6
Hi Daniel,
we are using authentication not only for security reasons; mostly the visibility effect is more important!

Visibility means that through RADIUS authentication I know immediately (NetSight DB) where which device (server or any other system) is connected. From that point of view it would be very useful if netlogin and sharing did not exclude each other.

But it seems that not very many other Extreme customers use the existing feature set like we do.
Userlevel 4
Is the visibility information you need simply MAC address, and possibly IP address?
Userlevel 6
To achieve simple visibility I need IP addresses or, better, usernames; a MAC does not easily tell me which user or system is connected.
Userlevel 4
Do you use LACP for the forming of sharing groups? What is the RADIUS server? Is it FreeRadius?
Userlevel 6
Correct, I use LACP! RADIUS is Enterasys NAC Gateway (= FreeRADIUS core).
Userlevel 6
What about Identity Management? It can detect identities through:
- FDB
- IPARP
- IPSecurity DHCP Snooping
- LLDP
- Netlogin
- Kerberos

This information can then be sent to NetSight to populate the user/host field in Identity and Access entries.

There's a script in NetSight to do this:

#######################################################################################
## The following configuration can be pushed from NetSight OneView Device IDM Script ##
#######################################################################################
# Turn on identity management and add the ports to track
enable identity-management
configure identity-management add ports
# Register NetSight as XML notification target (replace <IP> with the NetSight server address)
create xml-notification target netsight-target_ url https://<IP>:8443/axis/services/event vr VR-Mgmt
configure xml-notification target netsight-target_ user root
enable xml-notification netsight-target_
# Send identity-manager events to that target
configure xml-notification target netsight-target_ add idMgr
#######################################################################################
Userlevel 4
Daniel, I was thinking that myself, but the crux of the problem is that he can't get the user ID except through Kerberos snooping, as he can't enable 802.1x on an LACP-enabled port. If this were a virtualized environment, he could use DCM to capture VM information in NS, but I'm not sure that it is. If IP address is sufficient, this should work.
Userlevel 6
If the servers belong to an AD domain, he'll get user/host info. If not, he'll get IP addresses. And he said that IP addresses would do...

Userlevel 4
Correct. I'm just trying to think of a way he could get user information where an AD domain is not present. Were LACP not used (but instead static load-sharing/nic-teaming were used), this might be possible.
Userlevel 4
Hello !

In view of future requirements for automation and SDN, this function will be essential for all these activities. Using NAC/NMS for authentication of servers, you can trigger a lot of actions there, helping to get a platform for automation across the complete IT infrastructure, like the SDN vision.
There will be no difference between access and datacenter ports. It's important to have the possibility to use all ports in the same way: authenticate, authorise and trigger actions based on the information from the IT infrastructure (NMS, NAC, PV, 3rd-party, ...).

br
Volker
Userlevel 6
Just a short update.

Starting with EXOS 22.2, netlogin on sharing ports is possible:
https://gtacknowledge.extremenetworks.com/articles/Q_A/Is-Netlogin-supported-on-lag-ports

Starting with EXOS 22.4, netlogin on MLAG ports is possible.
Userlevel 6
Just a second short update!

It is very important that sharing is enabled first! And after that netlogin as a second step (on the sharing master port only!)

My customer uses default policies on every port, so these have to be removed as well and then bound, after sharing is done, to the master port only.

If you swap the sequence you get these errors:

* 10.1.1.206.32 # enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
Error: Load sharing cannnot be enabled on ports (1) configured for Network LogIn
* 10.1.1.206.33 #

If there is a policy bound to the ports:

10.1.1.206.19 # enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
Error: Load sharing cannnot be enabled on ports (1) configured for Policy Convergence Endpoint (convergence-endpoint) or Admin Profile (admin-profile) rules
10.1.1.206.20 #

Regards
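Added example, not from the thread above and not Extreme's own tooling: a small Python planner that turns a desired "LAG plus netlogin" layout into EXOS commands in the order the update above requires (netlogin off every member port, sharing on, then netlogin on the master port only). It refuses up front the two layouts the switch rejects anyway (netlogin on a non-master member; a policy still bound to a port that is about to join a sharing group), so the errors are caught before anything is pushed. The EXOS commands used are `enable sharing`, `disable netlogin ports` and `enable netlogin ports`; the data classes, the port-state model and the sample ports are assumptions made for this example.

```python
"""EXOS ordering helper: load sharing first, netlogin on the master port second.

Added example for this thread (not Extreme's code). Port states below are
constructed for the example; pushing the emitted commands to a switch is
out of scope here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

NETLOGIN_TYPES = ("dot1x", "mac", "web-based")


@dataclass
class ShareGroup:
    master: str                 # sharing master port, e.g. "1" or "1:1"
    members: List[str]          # all member ports, master included
    algorithm: str = "address-based L3_L4"
    lacp: bool = True


@dataclass
class PortState:
    """Current switch state (assumed model): netlogin type per port, policy-bound ports."""
    netlogin: Dict[str, str] = field(default_factory=dict)
    policy_bound: List[str] = field(default_factory=list)


class OrderingError(ValueError):
    """The requested layout cannot be applied in any order; fix the intent first."""


def plan(groups: List[ShareGroup], want_netlogin: Dict[str, str], state: PortState) -> List[str]:
    """Return EXOS commands that apply the layout without hitting the ordering errors."""
    master_of: Dict[str, str] = {}
    for g in groups:
        if g.master not in g.members:
            raise OrderingError(f"master {g.master} is not in its own member list")
        for p in g.members:
            if p in master_of:
                raise OrderingError(f"port {p} appears in more than one sharing group")
            master_of[p] = g.master

    for p, t in want_netlogin.items():
        if t not in NETLOGIN_TYPES:
            raise OrderingError(f"unknown netlogin type {t!r} on port {p}")
        if p in master_of and master_of[p] != p:
            raise OrderingError(f"netlogin on member port {p} is not supported; use master {master_of[p]}")

    # Mirrors "Load sharing cannot be enabled on ports ... configured for Policy ...":
    # a policy binding has to be removed by hand before the group can be formed.
    for p in state.policy_bound:
        if p in master_of:
            raise OrderingError(f"port {p} still has a policy bound; remove it before enabling sharing")

    cmds: List[str] = []
    # Step 1: strip netlogin from every port that joins a group, master included,
    # otherwise "enable sharing" fails with "configured for Network LogIn".
    for g in groups:
        for p in g.members:
            if p in state.netlogin:
                cmds.append(f"disable netlogin ports {p} {state.netlogin[p]}")
    # Step 2: form the sharing groups.
    for g in groups:
        cmd = f"enable sharing {g.master} grouping {','.join(g.members)} algorithm {g.algorithm}"
        if g.lacp:
            cmd += " lacp"
        cmds.append(cmd)
    # Step 3: netlogin on the master port (and on any plain, non-LAG port).
    for p, t in want_netlogin.items():
        cmds.append(f"enable netlogin ports {p} {t}")
    return cmds


def rejects(groups: List[ShareGroup], want_netlogin: Dict[str, str], state: PortState) -> bool:
    """True if plan() refuses the layout; handy for pre-flight checks."""
    try:
        plan(groups, want_netlogin, state)
    except OrderingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: ports 1-2 both run 802.1x today and should become LAG 1.
    lag = ShareGroup(master="1", members=["1", "2"])
    now = PortState(netlogin={"1": "dot1x", "2": "dot1x"})
    for line in plan([lag], {"1": "dot1x"}, now):
        print(line)
```

After pushing, `show sharing` and `show netlogin` confirm the group is up and netlogin is active on the master port only; global netlogin and RADIUS configuration are assumed to be in place already.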
