Network Architecture & Design


Authentication Mode Optional - Older Code

  • 1.  Authentication Mode Optional - Older Code

    Posted 08-23-2018 09:36
    Hi,

    In the process of configuring MAC based Netlogin on some older switches, the configuration will look something like the following:

    create vlan nt_login
    configure netlogin vlan nt_login
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    configure netlogin mac authentication database-order radius
    configure netlogin ports 20-22 mode port-based-vlans
    configure netlogin authentication failure vlan Default ports 20-22
    configure netlogin authentication service-unavailable vlan Default ports 20-22
    enable netlogin ports 20-22 mac
    enable netlogin mac

    What I would like to do is use the same function as the optional command:

    configure netlogin port 20-22 authentication mode optional

    Basically so that I'm not enforcing the authentication, just essentially putting it into monitoring mode, as the 'optional' command isn't available on the version being used.

    From what I understand the device will be put into the 'nt_login' VLAN whilst it's being authenticated, but ideally I wouldn't want the device to be removed / disconnected from the network at any point or for any condition; I just want to put the data into NAC.

    The other problem being I can't, say, replace the VLAN 'nt_login' in the 'configure netlogin vlan' command with the default VLAN the port is already configured for.

    Hopefully that makes sense, and appreciate any ideas.

    Many thanks in advance.


  • 2.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 09:42
    Martin, take a look at netlogin in ISP mode. Then the port does not move to another VLAN. This happens when RADIUS does not give a VLAN with the Accept: the port stays in the same VLAN and netlogin is used only to allow or disallow the client.


  • 3.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 19:32
    Thanks for getting back, and so quick again.

    Reading through the EXOS user guide it defines ISP Mode as the following:

    In ISP mode, the port and VLAN remain constant. Before the supplicant is authenticated, the port is in an unauthenticated state. After authentication, the port forwards packets.

    That reads to me that although the VLAN remains constant it still seems reliant on authentication in order to pass traffic, otherwise the port would remain locked. With 'authentication mode optional' if RADIUS becomes unavailable the port will still forward... not sure what happens if you get a RADIUS reject back though, assume it will block?

    Reading further I was wondering if the following command would achieve the same goal as optional:

    configure netlogin move-fail-action authenticate

    The description for this is as follows:

    If network login fails to perform Campus mode login, you can configure the switch to authenticate the client in the original VLAN or deny authentication even if the user name and password are correct.

    The last bit of that sentence I'm not sure about though: 'if the user name and password are correct', correct to what, I wonder?

    So my configuration would look like the following:

    create vlan nt_login
    configure netlogin vlan nt_login
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password NOPASSWORD
    configure netlogin mac authentication database-order radius
    configure netlogin ports 20-22 mode mac-based-vlans
    configure netlogin move-fail-action authenticate
    enable netlogin ports 20-22 mac
    enable netlogin mac

    There look to be other commands I could use, like:

    configure netlogin authentication failure vlan Default ports 20-22
    configure netlogin authentication service-unavailable vlan Default ports 20-22

    So perhaps it just needs these?

    Anyway, any other feedback would be great. Thanks


  • 4.  RE: Authentication Mode Optional - Older Code

    Posted 08-24-2018 04:38
    Yes, ISP would block the mac until it becomes authenticated. The move fail action might work but I doubt we allow it to be the same as the already assigned one. You need to test to see if that works.


  • 5.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 11:29
    Hi,

    I've looked into the ISP mode and apparently the configuration is to use:

    enable netlogin ports vlan


  • 6.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 11:31
    From memory you just add a port to the VLAN you want and then enable netlogin on that port.


  • 7.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 09:42
    Hi Oscar, thanks for the quick response and the pointer, much appreciated.

    I'll post back the config once I've looked it up and tested it.


  • 8.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 11:31
    Hi Oscar,

    Sure did this:

    enable netlogin ports 20-22

    It then complains that a netlogin VLAN hasn't been defined. I'll give it a go in a bit and let you know.

    Thanks


  • 9.  RE: Authentication Mode Optional - Older Code

    Posted 08-23-2018 11:31
    Indeed you need to create that netlogin vlan, but that could be just a bogus vlan.
    Assign the right vlan to the ports, then on netlogin authentication if the radius server only sends accept without vlan VSA it would work as ISP mode.
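The distinction in the last reply (an Access-Accept with no VLAN VSA leaves the port in its configured VLAN, as in ISP mode) can be checked from the RADIUS side. The following is an added example, not code from the thread or from Extreme: it parses the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes of a RADIUS packet and reports the VLAN a switch would be asked to move to, or None when the Accept carries none. The packets are constructed inline, not captured.

```python
"""Parse a RADIUS Access-Accept for a dynamic VLAN assignment (RFC 3580).
Added example; the packets built below are constructed, not captured."""
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def parse_radius(packet: bytes):
    """Return (code, [(type, value), ...]) and validate every length field."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20  # 20-byte header: code, id, length, authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def untag(value: bytes) -> bytes:
    """Strip the RFC 2868 tag byte (0x00..0x1F) that may prefix Tunnel-* values."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_assignment(packet: bytes):
    """VLAN name/ID the Accept asks the switch to apply, or None if there is no
    complete VLAN VSA (the case where the port stays in its configured VLAN)."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    found = {t: untag(v) for t, v in attrs if t in VLAN_ATTRS}
    ttype = int.from_bytes(found.get(TUNNEL_TYPE, b""), "big")
    tmed = int.from_bytes(found.get(TUNNEL_MEDIUM_TYPE, b""), "big")
    if ttype == TUNNEL_TYPE_VLAN and tmed == TUNNEL_MEDIUM_802 and TUNNEL_PRIVATE_GROUP_ID in found:
        return found[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


def build_packet(code: int, attrs) -> bytes:
    """Assemble a RADIUS packet with a zero authenticator (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: Accept with a tagged VLAN 100 assignment, Accept with only
# a Class attribute (type 25), and a Reject.
ACCEPT_WITH_VLAN = build_packet(ACCESS_ACCEPT, [(TUNNEL_TYPE, b"\x01\x00\x00\x0d"),
                                                (TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"),
                                                (TUNNEL_PRIVATE_GROUP_ID, b"\x01100")])
ACCEPT_NO_VLAN = build_packet(ACCESS_ACCEPT, [(25, b"nac-session-42")])
REJECT = build_packet(ACCESS_REJECT, [])
```

Run `vlan_assignment` over an Accept captured from the NAC server to confirm it omits the Tunnel-* attributes before relying on the port staying in its configured VLAN.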