ExtremeCloud IQ- Site Engine & Extreme Management Center

Netlogin unwanted MAC is authenticated locally

  • 1.  Netlogin unwanted MAC is authenticated locally

    Posted 08-10-2017 11:43
    Hi,

    I'm a little bit confused:
    We have been using netlogin for a year and it's working like you would expect it:
    An unknown MAC address shows up on the switch, is getting blocked and reported in EMS.

    But now, I have an unwanted MAC address, which is authenticated locally, but is reported as rejected in EMS - but the switch authenticates the user and assigns it to the granted VLAN.

    Here is the netlogin config:
    #
    # Module netLogin configuration.
    #
    configure netlogin vlan AUTH
    enable netlogin mac
    configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
    configure netlogin mac timers reauth-period 7200
    enable netlogin ports 1:10-48,2:10-2:48 mac
    configure netlogin ports 1:10-48,2:10-2:48 mode mac-based-vlans
    configure netlogin ports 1:10-48,2:10-2:48 no-restart
    enable netlogin authentication service-unavailable vlan ports 1:10-48,2:10-2:48
    configure netlogin authentication service-unavailable vlan office ports 1:10-48,2:10-2:48

    Radius is working, the switch is a X450e-48p (stacked) with EXOS 15.3.2.11

    I'm happy for feedback

    Best Regards
    Chacko


  • 2.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 04:50
    Hi Chacko,

    Can you post the "show netlogin port" and "show log" which has the login success message?


  • 3.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 05:11
    Chacko,

    Is it possible to post the screenshot of the rejection message in the EMS?

    Can you check if this MAC address is not present as local user in the switch itself?
    The command is "show netlogin local-users"

    In case you have a radius server configured, can you post the "show config aaa"? And did the radius request pass before the switch decided to do a local authentication? You can see this from the "show log" in case the radius requests are failing.


  • 4.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 05:49
    Hi Chacko,

    If the MAC is authenticated by EMC then we will see a different log message, but looking at the log message which you have shared, the authentication has been processed locally by the switch:

    [i] Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally

    I wanted to check if the local user database has this mac address or not and that can be checked using the command "show netlogin local-users" in the switch.
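
The log line quoted in this thread marks the session with "authentication Locally". The Python below is an added example (not part of the original posts and not Extreme's code): it scans switch log lines for that marker and notes whether the assigned VLAN is one the posted config names as a service-unavailable VLAN. The regexes are derived only from the lines shown on this page, the function names are hypothetical, and the "authentication Radius" sample line is constructed with assumed wording.

```python
import re

# Pattern derived from the single log line quoted in this thread;
# other EXOS releases may word the message differently (assumption).
LOGIN_RE = re.compile(
    r'Network Login MAC user (?P<user>\S+) logged in MAC (?P<mac>\S+) '
    r'port (?P<port>\S+) VLAN\(s\) "(?P<vlan>[^"]+)", authentication (?P<method>\w+)'
)
# Matches the "configure ... service-unavailable vlan <name> ports" line from the posted config.
SVC_UNAVAIL_RE = re.compile(
    r'configure netlogin authentication service-unavailable vlan (?P<vlan>\S+) ports'
)

def service_unavailable_vlans(config_text):
    """Return the VLAN names configured as service-unavailable VLANs."""
    return {m.group("vlan") for m in SVC_UNAVAIL_RE.finditer(config_text)}

def local_logins(log_lines, config_text=""):
    """Return one dict per netlogin MAC session the switch reports as authenticated locally."""
    fallback = service_unavailable_vlans(config_text)
    findings = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m or m.group("method").lower() != "locally":
            continue
        rec = m.groupdict()
        # A field comparison only; it does not establish why the switch authenticated locally.
        rec["in_service_unavailable_vlan"] = rec["vlan"] in fallback
        findings.append(rec)
    return findings

# Config lines copied from the first post of this thread.
SAMPLE_CONFIG = """\
configure netlogin vlan AUTH
enable netlogin authentication service-unavailable vlan ports 1:10-48,2:10-2:48
configure netlogin authentication service-unavailable vlan office ports 1:10-48,2:10-2:48
"""
# First two lines are from the thread; the third is constructed (wording assumed).
SAMPLE_LOG = [
    '[i] Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally',
    '[i] Port 2:20 link UP at speed 100 Mbps and full-duplex',
    '[i] Network Login MAC user 001122334455 logged in MAC 00:11:22:33:44:55 port 1:12 VLAN(s) "office", authentication Radius',
]

if __name__ == "__main__":
    for f in local_logins(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f["mac"], f["port"], f["vlan"], f["in_service_unavailable_vlan"])
```
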



  • 5.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 06:10
    Hi Chacko,

    I would request you to pursue this issue with a GTAC case, as this needs further investigation.
    15.3 version has already reached end of engineering, hence it would be best to upgrade to the latest patch in 15.3 (15.3.5.2-patch1-14) and check if the issue is getting resolved before opening up the ticket.



  • 6.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-16-2017 06:04
    Hi Chacko,

    Thanks for getting back on this, good to see that the issue is not seen.



  • 7.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 04:50
    Hi Karthik,

    Here is the output:

    # sh netlogin port 2:20
    Port : 2:20
    Port Restart : Disabled
    Allow Egress : None
    Vlan : AUTH
    Authentication : mac-based
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Enabled
    MAC                IP address  Authenticated  Type  ReAuth-Timer  User
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    Port : 2:20
    Port Restart : Disabled
    Allow Egress : None
    Vlan : office
    Authentication : mac-based
    Port State : Enabled
    Guest Vlan : Disabled
    Auth Failure Vlan : Disabled
    Auth Service-Unavailable Vlan : Enabled
    MAC                IP address  Authenticated  Type  ReAuth-Timer  User
    10:4f:a8:XX:XX:XX  0.0.0.0     Yes, Locally   MAC   7197          104FA8XXXXXX
    -----------------------------------------------
    (B) - Client entry Blackholed in FDB

    And the log:

    [i] Network Login MAC user 104FA8XXXXXX logged in MAC 10:4F:A8:XX:XX:XX port 2:20 VLAN(s) "office", authentication Locally
    [i] Port 2:20 link UP at speed 100 Mbps and full-duplex


  • 8.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 05:11
    Hi,

    sorry, I misspelled it - I meant EMC (management center):



    First line is the configuration for our NAC appliances, so that policy is underneath the "allow if MAC and end-system group xxx"-policies.
    Second line is the output in access control -> rejected end systems.

    Radius is properly configured, the priority is default (radius, local), the local MAC users are empty.

    There are no other log entries related to authentication as soon as the port comes up.
    All the other netlogin devices are working fine on that switch and I can say to 100% that the MAC address is not known in our Access Control database (first, I built a script for checking it, and second, the right policy is chosen, so the MAC cannot be inside our end-system groups).

    BR
    Chacko


  • 9.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 05:49
    Hi,

    Okay, I can follow you.
    Here is the output:

    Slot-1 sw # sh netlogin local-users
    Netlogin Local User Name Extended-VLAN VSA             Security Profile
    ------------------------ ----------------------------- ----------------------
    Slot-1 sw #

    So the local database is empty.

    BR
    Chacko


  • 10.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-15-2017 06:10
    Hi Karthik,

    I updated the switch overnight and so far, the problem hasn't occurred again.
    I hope there is no general netlogin problem in this software release - but the summit *50 will be out of contract next year anyway.

    Thanks for your help

    Best Regards
    Chacko


  • 11.  RE: Netlogin unwanted MAC is authenticated locally

    Posted 08-16-2017 06:04
    Okay, I revoke the last one.
    The issue is still active, even with 15.3.5.2-patch1-14.

    I will open up a GTAC case with our external partner

    BR
    Chacko