ExtremeSwitching (EXOS)

  • 1.  Netlogin MAC auth not triggering RADIUS

    Posted 04-11-2018 09:17
    Hi,

    Believe this was working at some point but can't work out where the issue is, but in summary: when an end-system is connected to a MAC auth enabled port (22 in this case) it's not triggering the RADIUS exchange. This shows up as the RADIUS counters on the switch remaining at 0, and a TCPDUMP on the RADIUS server (NAC) is showing nothing hitting it.

    Everything seems to be enabled and configured correctly from what I can tell, no messages are showing in the switch logs, and the switch has been rebooted.

    Here is the config:

    AAA Configuration:

    configure radius netlogin 1 server 10.23.23.142 1812 client-ip 10.255.5.13 vr VR-Default
    configure radius 1 shared-secret encrypted "#$IUJ6KZp7XE/QtheSL51gMgVphQvqTQtWtlcSTGc2"
    configure radius netlogin 2 server 10.23.23.12 1812 client-ip 10.255.5.13 vr VR-Default
    configure radius 2 shared-secret encrypted "#$6ruCKApEePMNVH5CaJp4MwIyg7tNkJpaqKVmet19"
    configure radius-accounting netlogin 1 server 10.23.23.142 1813 client-ip 10.255.5.13 vr VR-Default
    configure radius-accounting 1 shared-secret encrypted "#$9+bcdiIS9MEBn1zwdRrI+ROwhz0eYfhA6/dJq9ym"
    configure radius-accounting 1 timeout 10
    configure radius-accounting netlogin 2 server 10.23.23.12 1813 client-ip 10.255.5.13 vr VR-Default
    configure radius-accounting 2 shared-secret encrypted "#$p0z1KNo1/B+DgUPPirDnar+R7NScnzCxeonbJIkH"
    configure radius-accounting 2 timeout 10
    enable radius
    disable radius mgmt-access
    enable radius netlogin
    configure radius timeout 15
    enable radius-accounting
    disable radius-accounting mgmt-access
    enable radius-accounting netlogin
    configure account all password-policy min-length 8
    configure account all password-policy lockout-on-login-failures on
    configure account all password-policy lockout-time-period 5 minutes

    Netlogin Configuration:

    configure netlogin vlan nt_login
    enable netlogin mac
    configure netlogin mac authentication database-order radius
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    enable netlogin ports 20-22 mac
    configure netlogin ports 20 mode port-based-vlans
    configure netlogin ports 20 no-restart
    configure netlogin ports 21 mode port-based-vlans
    configure netlogin ports 21 no-restart
    configure netlogin ports 22 mode port-based-vlans
    configure netlogin ports 22 no-restart
    configure netlogin authentication failure vlan Default ports 20-22
    configure netlogin authentication service-unavailable vlan Default ports 20-22

    Show Radius:

    Radius Default State: enabled
    Radius Default Timeout: 15 seconds
    Radius Algorithm: standard
    Radius Retries: 3
    Switch Management Radius: disabled
    Switch Management Radius server connect time out: 15 seconds *
    Switch Management Radius Accounting: disabled
    Switch Management Radius Accounting server connect time out: 3 seconds
    Netlogin Radius: enabled
    Netlogin Radius server connect time out: 15 seconds *
    Netlogin Radius Accounting: enabled
    Netlogin Radius Accounting server connect time out: 3 seconds
    Radius server : 1 Status is Active
    host name :
    IP address : 10.23.23.142
    Server IP Port: 1812
    Client address: 10.255.5.13 (VR-Default)
    Retries : 3 *
    Timeout : 15 *
    Realm : Netlogin
    shared secret : #$IUJ6KZp7XE/QtheSL51gMgVphQvqTQtWtlcSTGc2
    Access Requests : 0 Access Accepts : 0
    Access Rejects : 0 Access Challenges : 0
    Access Retransmits: 0 Client timeouts : 0
    Bad authenticators: 0 Unknown types : 0
    Round Trip Time : 0
    Radius server : 2 Status is Active
    host name :
    IP address : 10.23.23.12
    Server IP Port: 1812
    Client address: 10.255.5.13 (VR-Default)
    Retries : 3 *
    Timeout : 15 *
    Realm : Netlogin
    shared secret : #$6ruCKApEePMNVH5CaJp4MwIyg7tNkJpaqKVmet19
    Access Requests : 0 Access Accepts : 0
    Access Rejects : 0 Access Challenges : 0
    Access Retransmits: 0 Client timeouts : 0
    Bad authenticators: 0 Unknown types : 0
    Round Trip Time : 0
    Radius Acct server: 1 Status is Active
    host name :
    IP address : 10.23.23.142
    Server IP Port: 1813
    Client address: 10.255.5.13 (VR-Default)
    Retries : 3
    Timeout : 10
    Realm : Netlogin
    shared secret : #$9+bcdiIS9MEBn1zwdRrI+ROwhz0eYfhA6/dJq9ym
    Acct Requests : 0 Acct Responses : 0
    Acct Retransmits : 0 Timeouts : 0
    Radius Acct server: 2 Status is Active
    host name :
    IP address : 10.23.23.12
    Server IP Port: 1813
    Client address: 10.255.5.13 (VR-Default)
    Retries : 3
    Timeout : 10
    Realm : Netlogin
    shared secret : #$p0z1KNo1/B+DgUPPirDnar+R7NScnzCxeonbJIkH
    Acct Requests : 0 Acct Responses : 0
    Acct Retransmits : 0 Timeouts : 0
    Legend: An asterisk (*) indicates a global value is in use.

    Show netlogin port 22

    Port : 22
    Port Restart : Disabled
    Allow Egress : None
    Vlan : ELRP-Ctrl
    Authentication : mac-based
    Port State : Enabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    ------------------------------------------------
    MAC Mode Port Configuration
    ------------------------------------------------
    Re-authentication period : 3600
    Re-authentication : Off
    Authentication Delay : 0 seconds (Default)
    ------------------------------------------------
    Netlogin Clients
    ------------------------------------------------
    MAC IP address Authenticated Type ReAuth-Timer User
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB
    Port : 22
    Port Restart : Disabled
    Allow Egress : None
    Vlan : Hitchin_VC_1st
    Authentication : mac-based
    Port State : Enabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Disabled
    ------------------------------------------------
    MAC Mode Port Configuration
    ------------------------------------------------
    Re-authentication period : 3600
    Re-authentication : Off
    Authentication Delay : 0 seconds (Default)
    ------------------------------------------------
    Netlogin Clients
    ------------------------------------------------
    MAC IP address Authenticated Type ReAuth-Timer User
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Number of Clients Authenticated : 0

    Show port 22 information detail:

    Port: 22(ARE-RH-L1-10):
    Description String: "VC Reservered Ports"
    Virtual-router: VR-Default
    Type: UTP
    Redundant Type: NONE
    Random Early drop: Unsupported
    Admin state: Enabled
    Copper Medium Configuration: 100M full-duplex auto-polarity on
    Fiber Medium Configuration: auto-speed sensing auto-duplex
    Link State: Active, 100Mbps, full-duplex
    Link Ups: 2 Last: Wed Apr 11 10:35:30 2018
    Link Downs: 1 Last: Wed Apr 11 10:35:16 2018
    VLAN cfg:
    Name: ELRP-Ctrl, 802.1Q Tag = 3100, MAC-limit = No-limit, Virtual router: VR-Default
    Port-specific VLAN ID: 3100
    Name: Hitchin_VC_1st, Internal Tag = 1002, MAC-limit = No-limit, Virtual router: VR-Default
    STP cfg:
    Protocol:
    Name: Hitchin_VC_1st Protocol: ANY Match all protocols.
    Trunking: Load sharing is not enabled.
    EDP: Enabled
    EEE: Disabled
    ELSM: Disabled
    Ethernet OAM: Disabled
    Learning: Enabled
    Unicast Flooding: Enabled
    Multicast Flooding: Enabled
    Broadcast Flooding: Enabled
    Jumbo: Disabled
    Flow Control: Rx-Pause: Disabled Tx-Pause: Disabled
    Priority Flow Control: Disabled
    Reflective Relay: Disabled
    Link up/down SNMP trap filter setting: Disabled
    Egress Port Rate: No-limit
    Broadcast Rate: 300 packets-per-second
    Multicast Rate: No-limit
    Unknown Dest Mac Rate: No-limit
    QoS Profile: None configured
    Ingress Rate Shaping : Unsupported
    Ingress IPTOS Examination: Enabled
    Ingress 802.1p Examination: Disabled
    Ingress 802.1p Inner Exam: Disabled
    Ingress 802.1p Priority: 0
    Egress IPTOS Replacement: Disabled
    Egress 802.1p Replacement: Disabled
    NetLogin: Enabled
    NetLogin authentication mode: MAC based
    NetLogin port mode: Port based VLANs
    Smart redundancy: Enabled
    Software redundant port: Disabled
    IPFIX: Disabled Metering: Ingress, All Packets, All Traffic
    IPv4 Flow Key Mask: SIP: 255.255.255.255 DIP: 255.255.255.255
    IPv6 Flow Key Mask: SIP: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    DIP: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    auto-polarity: Enabled
    Preferred medium: Fiber
    Shared packet buffer: default
    VMAN CEP egress filtering: Disabled
    Isolation: Off
    PTP Configured: Disabled
    Time-Stamping Mode: None
    Synchronous Ethernet: Unsupported
    Dynamic VLAN Uplink: Disabled
    VM Tracking Dynamic VLANs: Disabled

    Verbose logs from NAC:

    2018-04-11 11:51:50,176 INFO [esd] Enabling verbose diagnostics for MAC: 00-13-FA-0B-19-11
    2018-04-11 11:51:57,811 DEBUG [esd] ESDMAC:0B-19-11 EndSystemActionRequestHandler - Processing action: (reauthentication) on end system: 00-13-FA-0B-19-11, IP: null, user: , reason: UserSpecified(USER_INITIATED_REAUTH), from appliance: false
    2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 EndSystemActionRequestHandler - This NAC engine is the current appliance, so reauth.
    2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 EndSystemActionRequestHandler - Reauthing end system: 00-13-FA-0B-19-11
    2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - Calculating if a re-authentication really needs to be performed for reason: USER_INITIATED_REAUTH.
    2018-04-11 11:51:57,813 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - The re-authentication request is being processed because the reauth reason: "USER_INITIATED_REAUTH" is not for a data change.
    2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - Re-authentication running for Switch: 10.255.5.13, Port : 1022, Port Name : 1:22, Port Alias: VC Reservered Ports, MAC: 00-13-FA-0B-19-11, Reason: USER_INITIATED_REAUTH
    2018-04-11 11:51:57,814 INFO [esd] ESDMAC:0B-19-11 ReauthSnmpTask - Executing Reauth for MAC: 00-13-FA-0B-19-11, IP: null for NAS switch 10.255.5.13 switchPort 1022 reason: USER_INITIATED_REAUTH all sessions
    2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ReauthSnmpTask - Not using toggle link for session: AUTH_MAC => Rejected: false shouldToggleLinkForRejectedEapTlsOnReauth: true ID: 2025282951
    2018-04-11 11:51:57,814 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Starting Extreme Reauthentication for MAC: 00-13-FA-0B-19-11 on switch: 10.255.5.13 and port: 1022
    2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - *Not* using port initialization (Switch setting for: 1.3.6.1.4.1.1916.2.175 use initialize: false) & (Attributes to send: No Attributes use initialize: false)
    2018-04-11 11:51:57,814 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthenticating using Dot1X Auth Reauthenticate for MAC: 00-13-FA-0B-19-11
    2018-04-11 11:51:57,814 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - using OID: 1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17
    2018-04-11 11:51:58,062 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Unable set dot1xAuthReauthenticate2(1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17) from switch: 10.255.5.13, with error: Error writting to OID: "1.0.8802.1.2.1.2.1.2.1.2.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_COMMIT_FAILED.
    2018-04-11 11:51:58,062 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Clearing of 802.1X sessions for entire port is *not* allowed, so skipping reauthenticating using dot1xPaePortReauth for switch port: 1022
    2018-04-11 11:51:58,062 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthenticating using Extreme MAC Auth Client Reauthenticate OID for MAC: 00-13-FA-0B-19-11
    2018-04-11 11:51:58,062 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - using OID: 1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17
    2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Unable set OID: (1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17) for switch: 10.255.5.13, with error: Error writting to OID: "1.3.6.1.4.1.1916.1.44.1.1.1.3.0.19.250.11.25.17", with value: 1", with SNMP error: SNMP_ERROR_NOT_WRITEABLE.
    2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - *Not* falling back to toggle link because option is disabled.
    2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - 802.1X Reauthentication was: *not* successful
    2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - MAC Reauthentication was: *not* successful
    2018-04-11 11:51:58,240 INFO [esd] ESDMAC:0B-19-11 ExtremeXosReauthenticationSnmpWorker - Reauthentication was: *not* successful
    2018-04-11 11:51:58,240 DEBUG [esd] ESDMAC:0B-19-11 ReauthTask - Re-authentication failed. Switch: 10.255.5.13, Port : 1022, Port Name : 1:22, Port Alias: VC Reservered Ports, MAC: 00-13-FA-0B-19-11, Reason: USER_INITIATED_REAUTH

    The switch is an X440G1 running version 16.2.3.5 patch1-3.

    Thanks for any help in advance.


  • 2.  RE: Netlogin MAC auth not triggering RADIUS

    Posted 04-11-2018 09:51
    Hi
    What kind of end system did you connect? I had this problem; the end system just didn't generate any traffic.

    Regards


  • 3.  RE: Netlogin MAC auth not triggering RADIUS

    Posted 04-11-2018 09:56
    It is a Video Conferencing device. Could possibly be due to that, but the solution was previously working and additionally works at another site.

    Nonetheless, you never know.... so a good call.

    I'll post back the results. Thanks


  • 4.  RE: Netlogin MAC auth not triggering RADIUS

    Posted 04-11-2018 10:36
    Hi,

    If this is a silent device then you need to make sure of two things:

    1- The VLAN where the device should go must be added explicitly to the port before enabling netlogin.
    2- This command looks missing from your config:
    configure netlogin ports 22 allow egress-traffic all_cast
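The two checks in this reply can be automated against a saved `show configuration` and `show radius` dump. The script below is an added example and is not part of this thread or of any Extreme tool: it parses only the EXOS CLI forms that appear in the posted configuration (`enable netlogin ports 20-22 mac`, `configure netlogin ports 22 allow egress-traffic all_cast`, and the `Access Requests : 0` counter lines) and reports MAC-auth ports that lack `all_cast` egress while the RADIUS request counters are still zero. The sample inputs are constructed from the original post with the fix applied to port 22 only; single-slot port numbering (no `1:22` form) is an assumption.

```python
"""Audit an EXOS netlogin/RADIUS dump for the silent-device trap described above.

Added example, not code from the thread. Parses only the CLI syntax visible in
the posted configuration; everything else (port numbering, extra auth methods)
is an assumption made for illustration.
"""
import re
from typing import Dict, List

# Constructed sample: the poster's netlogin lines, with the egress-traffic
# command from this reply applied to port 22 only (ports 20 and 21 left as-is).
SAMPLE_CONFIG = """\
configure netlogin vlan nt_login
enable netlogin mac
configure netlogin mac authentication database-order radius
enable netlogin ports 20-22 mac
configure netlogin ports 20 mode port-based-vlans
configure netlogin ports 21 mode port-based-vlans
configure netlogin ports 22 mode port-based-vlans
configure netlogin ports 22 allow egress-traffic all_cast
configure netlogin authentication failure vlan Default ports 20-22
"""

# Constructed sample: the per-server counter lines as "show radius" prints them.
SAMPLE_SHOW_RADIUS = """\
Radius server : 1 Status is Active
IP address : 10.23.23.142
Access Requests : 0 Access Accepts : 0
Radius server : 2 Status is Active
IP address : 10.23.23.12
Access Requests : 0 Access Accepts : 0
"""

ENABLE_RE = re.compile(r"^enable netlogin ports (\S+) (mac|dot1x|web-based)$")
EGRESS_RE = re.compile(r"^configure netlogin ports (\S+) allow egress-traffic (\S+)$")
REQUESTS_RE = re.compile(r"Access Requests\s*:\s*(\d+)")


def expand_ports(spec: str) -> List[int]:
    """Expand an EXOS port list such as "20-22" or "20,22" into integers.
    Assumption: single-slot numbering as used in the thread (no "1:22" form)."""
    ports: List[int] = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        ports.extend(range(int(lo), int(hi) + 1))
    return ports


def parse_netlogin(config: str) -> Dict[int, dict]:
    """Return per-port netlogin state: enabled auth methods and egress setting."""
    ports: Dict[int, dict] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ENABLE_RE.match(line)
        if m:
            for p in expand_ports(m.group(1)):
                entry = ports.setdefault(p, {"methods": set(), "egress": None})
                entry["methods"].add(m.group(2))
            continue
        m = EGRESS_RE.match(line)
        if m:
            for p in expand_ports(m.group(1)):
                entry = ports.setdefault(p, {"methods": set(), "egress": None})
                entry["egress"] = m.group(2)
    return ports


def parse_access_requests(show_radius: str) -> List[int]:
    """Collect the Access Requests counter of every server in "show radius"."""
    return [int(n) for n in REQUESTS_RE.findall(show_radius)]


def audit(config: str, show_radius: str) -> List[str]:
    """Combine both views: MAC-auth ports without all_cast egress are the
    ports on which a silent device can never be reached before it authenticates;
    all-zero request counters confirm the switch never sent an Access-Request."""
    findings: List[str] = []
    for p, info in sorted(parse_netlogin(config).items()):
        if "mac" in info["methods"] and info["egress"] != "all_cast":
            egress = info["egress"] or "none"
            findings.append(f"port {p}: MAC auth enabled but egress-traffic is {egress}; "
                            "ARP/broadcast cannot reach a silent device before it authenticates")
    requests = parse_access_requests(show_radius)
    if requests and sum(requests) == 0:
        findings.append(f"radius: {len(requests)} server(s) configured, 0 Access-Requests sent; "
                        "the switch has not attempted any netlogin authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SHOW_RADIUS):
        print(finding)
```

Run against the constructed samples it flags ports 20 and 21 (no `all_cast`) and the zero request counters; port 22, which carries the command from this reply, is not reported. Feed it the real `show configuration` and `show radius` output to check every MAC-auth port at once rather than one port at a time.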


  • 5.  RE: Netlogin MAC auth not triggering RADIUS

    Posted 04-11-2018 12:54
    Thanks for the information.

    Adding a PC to the port seems to have triggered the RADIUS request, so the video conference unit is directly related to the issue.

    Adding the command:

    configure netlogin ports 22 allow egress-traffic all_cast

    Seems to have affected the port, where the LEDs have stayed green, whereas before they would consistently switch between green and amber.... but the VC unit still isn't triggering the netlogin / RADIUS process.

    Still experimenting at the moment so will post back if anything comes up.



  • 6.  RE: Netlogin MAC auth not triggering RADIUS

    Posted 04-16-2018 13:10
    Can you trigger netlogin of the VC unit by pinging it? Allowing all_cast to egress the port should enable the ARP request to reach the VC unit, which can then answer. The answer should trigger netlogin.

    Does the VC unit use DHCP, but the port/VLAN has spanning tree enabled without edge port configuration? It might not try DHCP often enough to trigger netlogin after STP puts the port into forwarding mode.