Interesting discussion. Thank you all for this.
In ERS, there is a fail-open config:
I was trying to find the same on EXOS and stumbled on this thread.
On EXOS 30.4, I guess the commands were removed:
configure netlogin authentication failure ….
configure netlogin authentication service-unavailable ….
I can’t find them. So I guess this thread is the only method to get something similar to ERS fail-open.
My only question here is that the protocol-order was changed to MAC first… Wouldn’t that mean that MAC auth would be preferred over DOT1X? Wouldn’t we need to keep order as DOT1X then MAC so that if user has 802.1X, then it uses DOT1X first; If not, MAC auth would kick in and use default policy?
Thanks for any clarification on what I missed.
If I understood the thread well, aren’t these two bundled together what you may need?
Hope that helps,
Yes, your comment is accurate. But I also noticed in thread that the protocol auth order needed to change to MAC first, then dot1x? That part didn’t make too much sense to me.
Personally I didn’t consider that as a strong advice but some particular deployment example. I might be low on caffeine though. ;)
My favourite approach: dot1x > mac.
If something is dot1x capable, it will run through it.
If something is not dot1x capable, it will run solely through EAC authorization rules.
If something is to be treated well (e.g. a list of sanctioned printers’ MAC addresses), it will.
If something is falling down to default catch-all, I’d deny it. Have a list of devices that should be entitled to fail over with MAC-auth just above catch-all rule in case of backend issues (or use Failsafe Policy mapping within EAC profile).
If the switch is not even able to get to the NAC gateway and we still see such risk despite multiple redundancy measures we could have already taken, I’d consider auth mode optional and some default VLAN+ACL or default Policy set to access ports. But please remember to span the least privilege approach over there as well. Otherwise, if dot1x and MAC auth fail due to an EAC communication issue, various kinds of devices might end up in the same VLAN and so on. I strongly recommend considering what is really needed for such devices and users. DHCP/DNS/ARP, HTTPS? What about surveillance cameras failing over to such a default role? Perhaps the port isolation feature on EXOS or a rule that prevents the same subnet as destination is a must in the end.
Just some food for thought.
P.S. I saw the service-unavailable netlogin command in the 31.2 User Guide but on my X440-G2 running 31.2 it doesn’t let the command through currently...
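To make the approach in the post above concrete (dot1x before MAC auth, optional authentication mode as the last-resort fail-open, and a least-privilege ACL on the default VLAN), here is an added EXOS configuration sketch. It is not the poster's configuration and not from any Extreme document; the VLAN name `quarantine`, port list `1-24`, policy file name `quarantine-acl.pol`, the `192.0.2.10` NAC portal address and the `10.99.0.0/24` subnet are all assumed placeholders, and VLAN-assignment behaviour in optional mode should be verified on your own release, as the thread shows it differs between versions.

```exos
# Added example, not the thread's configuration. All names/addresses are placeholders.

# 1. Authentication order: 802.1X first, MAC auth as the fallback for non-supplicant devices.
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin dot1x mac
enable netlogin ports 1-24 dot1x mac

# 2. Last-resort fail-open on the switch side only. In optional mode the port keeps
#    forwarding in its configured VLAN when no RADIUS answer arrives; that VLAN is the
#    restricted one. (If your release accepts it, "configure netlogin authentication
#    service-unavailable vlan ..." is the more direct mechanism mentioned in this thread.)
create vlan quarantine
configure vlan quarantine add ports 1-24 untagged
configure netlogin ports 1-24 authentication mode optional

# 3. Least privilege for the restricted VLAN: apply the policy file below on ingress.
configure access-list quarantine-acl vlan quarantine ingress

# ---- contents of /config/quarantine-acl.pol (entries are evaluated top-down) ----
# ARP so the client can resolve its gateway.
entry allow_arp {
    if { ethernet-type 0x0806; } then { permit; }
}
# DHCP to obtain an address.
entry allow_dhcp {
    if { protocol udp; destination-port 67; } then { permit; }
}
# Block lateral traffic inside the quarantine subnet itself (placeholder subnet).
entry deny_same_subnet {
    if { destination-address 10.99.0.0/24; } then { deny; count quarantine_lateral; }
}
# DNS (UDP and TCP).
entry allow_dns_udp {
    if { protocol udp; destination-port 53; } then { permit; }
}
entry allow_dns_tcp {
    if { protocol tcp; destination-port 53; } then { permit; }
}
# HTTPS only to the NAC portal (placeholder address), not to the whole network.
entry allow_https_portal {
    if { protocol tcp; destination-address 192.0.2.10/32; destination-port 443; } then { permit; }
}
# Everything else is dropped and counted so the fallback is visible in monitoring.
entry deny_rest {
    if { } then { deny; count quarantine_denied; }
}
```

The counters on the two deny entries give you a cheap signal: a sudden rise in `quarantine_denied` hits across many ports usually means the NAC backend has become unreachable and devices are landing in the fallback role, which is exactly the condition the thread is worried about.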
Thanks … food well digested :)
I’ll check the new command in 31.2 at some point as it might have a good simpler option.
Thanks for the replies.