bypass netlogin for some VLANs

Create Date: May 10 2012 7:17AM

A port of an Extreme is configured with netlogin and mac-based-vlans. There are a number of (tagged) VLANs defined on this port. Now I want to bypass the netlogin authentication for devices on a specific VLAN. Is this possible with XOS?

(from Hans-Werner_Paulsen)
EtherNation User, Employee
Create Date: May 11 2012 10:46AM

I am guessing this device is not enabled for 802.1X and does not have a MAC address that is mapped to a RADIUS policy. Therefore, you have a couple of options:

  • Add a RADIUS policy for this MAC address.

  • Use the authentication failure feature to move the port into an authentication failure VLAN.

    • This VLAN should already exist on the switch.

    • The default mac-list should exist in the netlogin configuration, e.g. configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 (the purpose of this is to send all unknown MACs on mac-auth configured interfaces to the RADIUS server).

    • In order for the move to happen, the default aaa radius database order needs to be changed from the default of radius, local to local, radius, e.g. configure netlogin mac authentication database-order local radius

I guess there is a third option. This could be done with UPM scripting, but I don't recommend it. UPM for VLAN movement is slow and unreliable.

    (from john_padilla)
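A worked example of the first option above (a RADIUS policy for a known MAC address), added here as an illustration and not part of the original thread or of any Extreme documentation. It assumes a FreeRADIUS server and the attribute name from FreeRADIUS's Extreme dictionary (Extreme-Netlogin-Vlan); the MAC address, VLAN name and reply messages are constructed placeholders. The exact form in which the switch sends the MAC as User-Name and password depends on how MAC authentication is configured on the switch, so the entry must match whatever the switch actually sends.

```text
# FreeRADIUS "users" file fragment (constructed example, not from the thread).

# Known MAC: the switch sends the MAC as User-Name (and, unless a fixed
# MAC-auth password is configured on the switch, as the password too), so
# the entry matches on it and returns the target VLAN via the Extreme VSA.
00:11:22:33:44:55    Cleartext-Password := "00:11:22:33:44:55"
        Extreme-Netlogin-Vlan = "vlanB",
        Reply-Message = "known host, placed in vlanB"

# Everything else: unknown MACs reach RADIUS because of the catch-all
# mac-list (ff:ff:ff:ff:ff:ff 48). Reject them explicitly so the switch's
# own authentication failure handling (the second option) applies.
DEFAULT    Auth-Type := Reject
        Reply-Message = "unknown MAC rejected"
```

Note that, as discussed later in this thread, the Access-Request carries no VLAN information, so an entry like this can only decide per MAC address, not per source VLAN.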
EtherNation User, Employee

Create Date: May 14 2012 1:52AM

Yes, I do not use 802.1X.
But, I want to define different policies for unknown MAC addresses coming from different VLANs. An unknown MAC address coming from VLAN A should be denied, and an unknown MAC address coming from VLAN B should be allowed. If there is a method to tell the RADIUS server (with the Access-Request packet) that this MAC address is from VLAN A or B, I can set up the RADIUS server accordingly. Or is there simply a way to bypass/disable netlogin at all for one VLAN?

(from Hans-Werner_Paulsen)
EtherNation User, Employee

Create Date: May 14 2012 8:05AM

I don't think so. The RADIUS server will not receive any VLAN information. Therefore, creating a match condition to map the unknown MAC to a specific VLAN is going to be impossible.

However, you asked "... a way to bypass/disable netlogin at all for one VLAN?"

This should work as a workaround for one VLAN:

1. disable netlogin dot1x mac

2. unconfigure netlogin vlan

3. delete vlan "temp" (where temp is the VLAN used to park netlogin ports)

4. disable netlogin ports dot1x mac

5. configure vlanB add ports untagged

6. create vlan temp

7. configure netlogin vlan temp

8. enable netlogin ports dot1x mac

9. enable netlogin dot1x mac

10. Verify the ports are present in vlanB with:
    show vlan vlanB
    show fdb vlanB

In summary, the port will be parked in the forwarding vlanB. However, the EAPOL packet will still be forwarded to the Authentication Server for Dot1X and MAC auth.

This also solves the problem for WoL and PXE boot.





(from john_padilla)

EtherNation User, Employee

Create Date: May 15 2012 12:51AM

Unfortunately this will not work for us. The VLAN which should authenticate MAC addresses (vlanA) is untagged, and the various MAC addresses on vlanA should be put on different VLANs with the help of the RADIUS server (this part is working fine). But vlanB (which should go through) is tagged and therefore cannot be used to park netlogin ports. In addition, in the future there will be more than one tagged VLAN which should bypass netlogin.
The netlogin feature is activated with the help of ACLs. Isn't it possible to modify the ACLs to use netlogin only on a specified VLAN, or vice versa to bypass netlogin on specified VLAN(s)?

(from Hans-Werner_Paulsen)