Wireless (General)


XOS: netlogin on sharing ports

  • 1.  XOS: netlogin on sharing ports

    Posted 09-08-2015 17:19
    Hi extreme-networks folks,

    I want to get some ideas and statements regarding the need for the following feature:

    "netlogin on sharing ports"

    Currently this is not possible (on XOS; EOS supports that)!

    To attach a server redundantly to a switch I use sharing. To authenticate and for documentation reasons I use authentication (netlogin). So from my point of view it is very clear to use both features on the same port. But currently this is not possible.

    What do you think about that?



  • 2.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 07:54
    No other opinion? Nobody who agrees with me that this is useful?


  • 3.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 10:18
    Matthias,

    Network login is a security feature meant to secure access to the network from ports accessible to normal employees and visitors, to make sure nobody can gain access to the network by simply plugging a device into an empty port.

    Servers, on the other hand, tend to be grouped in protected environments (datacenters) with ports not available to visitors or normal employees. Datacenters have their own security measures that don't include network login.

    I imagine that network login would be disruptive in the current virtualized datacenter, where VMs can be moved from one physical server/network port to another without the VM knowing it is being moved. Because of this, the datacenter network has to include tools (e.g. Data Center Manager) to make sure that the destination port has the same configuration as the original port. If the VM is unaware of it being moved to a new port, how would it re-negotiate access through Network Login?

    I don't know how easy/difficult it is to enable this, but you can always work with GTAC and your local SE to make a feature request.



  • 4.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 12:57
    Hi Daniel,
    we are using authentication not only for security reasons; mostly the visibility effect is more important!

    Visibility means that through RADIUS authentication I know immediately (NetSight DB) where each device (server and any other system) is connected. From that point of view it will be very useful if netlogin and sharing do not exclude each other.

    But it seems that not very many other Extreme customers use the existing feature set like we do.



  • 5.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 13:30
    What about Identity Management? It can detect identities through:
    - FDB
    - IPARP
    - IPSecurity DHCP Snooping
    - LLDP
    - Netlogin
    - Kerberos

    This information can then be sent to NetSight to populate the user/host field in Identity and Access entries.

    There's a script in NetSight to do this:
    #######################################################################################
    ## The following configuration can be pushed from NetSight OneView Device IDM Script ##
    #######################################################################################
    enable identity-management
    configure identity-management add ports


  • 6.  RE: XOS: netlogin on sharing ports

    Posted 09-18-2015 11:53
    Hello !

    In case of future requirements for automation and SDN this function will be essential for all these activities. Using NAC/NMS for authentication of servers you can trigger a lot of actions there, helping to get a platform for automation on the complete IT infrastructure like the SDN vision.
    There will be no difference between access and datacenter ports. It's important to have the possibility to use all ports in the same way: authenticate, authorise and trigger actions based on the information from the IT infrastructure (NMS, NAC, PV, 3rd-party, ...).

    br
    Volker


  • 7.  RE: XOS: netlogin on sharing ports

    Posted 12-19-2017 12:32
    Just a short update.

    Starting with EXOS 22.2, netlogin on sharing ports is possible:
    https://gtacknowledge.extremenetworks.com/articles/Q_A/Is-Netlogin-supported-on-lag-ports

    Starting with EXOS 22.4, netlogin on m-LAG ports is possible.



  • 8.  RE: XOS: netlogin on sharing ports

    Posted 01-05-2018 07:05
    Just a second short update!

    It is very important that sharing is enabled first! And after that netlogin as a second step (on the sharing master port only!)

    My customer uses default policies on every port, so these have to be removed also and then bound, after sharing is done, to the master port only.

    If you swap the sequence you get these errors:

        * 10.1.1.206.32 # enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
        Error: Load sharing cannnot be enabled on ports (1) configured for Network LogIn
        * 10.1.1.206.33 #

    If there is a policy bound to the ports:

        10.1.1.206.19 # enable sharing 1 grouping 1-2 algorithm address-based L3_L4 lacp
        Error: Load sharing cannnot be enabled on ports (1) configured for Policy Convergence Endpoint (convergence-endpoint) or Admin Profile (admin-profile) rules
        10.1.1.206.20 #

    Regards
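As an added illustration of the ordering this post describes (not code from the thread or from Extreme Networks), the Python model below reproduces the two refusals quoted above and emits the steps in the working order: policy off the ports, sharing formed, then netlogin on the master only. The class and function names and the symbolic unbind_policy/enable_netlogin steps are assumptions; only the 'enable sharing' syntax comes from the page.

```python
from dataclasses import dataclass, field

NETLOGIN_ERR = "Load sharing cannot be enabled on ports ({}) configured for Network LogIn"
POLICY_ERR = ("Load sharing cannot be enabled on ports ({}) configured for Policy "
              "Convergence Endpoint (convergence-endpoint) or Admin Profile (admin-profile) rules")

def _portlist(ports):
    return ",".join(str(p) for p in sorted(ports))

@dataclass
class Switch:
    """Toy per-port state: ports with netlogin, ports with a policy bound, LAG membership."""
    netlogin: set = field(default_factory=set)
    policy: set = field(default_factory=set)
    sharing: dict = field(default_factory=dict)  # master port -> member ports

    def enable_sharing(self, master, members):
        ports = {master, *members}
        if ports & self.netlogin:   # first refusal quoted in the thread
            raise ValueError(NETLOGIN_ERR.format(_portlist(ports & self.netlogin)))
        if ports & self.policy:     # second refusal quoted in the thread
            raise ValueError(POLICY_ERR.format(_portlist(ports & self.policy)))
        self.sharing[master] = set(members)

    def enable_netlogin(self, port):
        # Once the LAG exists, netlogin goes on the sharing master only.
        if any(port in members for members in self.sharing.values()):
            raise ValueError(f"port {port} is a sharing member; enable netlogin on the master")
        self.netlogin.add(port)

    def unbind_policy(self, ports):
        self.policy -= set(ports)

def plan_netlogin_on_lag(master, members, algorithm="address-based L3_L4"):
    """Ordered steps from the post: unbind policy, form the LAG, then netlogin on the master.
    Only the 'enable sharing' line uses syntax shown in the thread; the others stay symbolic."""
    ports = [master, *members]
    return [("unbind_policy", ports),
            ("enable_sharing", f"enable sharing {master} grouping {_portlist(ports)} "
                               f"algorithm {algorithm} lacp"),
            ("enable_netlogin", master)]

def apply_plan(switch, master, members):
    # Drive the model in plan order; reversing the order raises the matching refusal.
    actions = {"unbind_policy": switch.unbind_policy,
               "enable_sharing": lambda _cmd: switch.enable_sharing(master, members),
               "enable_netlogin": switch.enable_netlogin}
    for action, arg in plan_netlogin_on_lag(master, members):
        actions[action](arg)
    return switch
```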


  • 9.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 12:57
    Is the visibility information you need simply MAC address, and possibly IP address?


  • 10.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 12:57
    To achieve simple visibility I need IP addresses or, better, usernames; a MAC does not tell me easily which user or system is connected.


  • 11.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 12:57
    Do you use LACP for the forming of sharing groups? What is the RADIUS server? Is it FreeRadius?


  • 12.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 12:57
    Correct, I use LACP! RADIUS is Enterasys NAC Gateway (= FreeRADIUS core)


  • 13.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 13:30
    Daniel, I was thinking that myself, but the crux of the problem is that he can't get user ID except through Kerberos snooping as he can't enable 802.1x on an LACP enabled port. If this were a virtualized environment, he could use DCM to capture VM information in NS, but I'm not sure that it is. If IP address is sufficient, this should work.


  • 14.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 13:30
    If the servers belong to an AD domain, he'll get user/host info. If not, he'll get IP addresses. And he said that IP addresses would do...

  • 15.  RE: XOS: netlogin on sharing ports

    Posted 09-16-2015 13:30
    Correct. I'm just trying to think of a way he could get user information where an AD domain is not present. Were LACP not used (but instead static load-sharing/nic-teaming were used), this might be possible.