Configure DHCP server on EXOS Switch enabled with Netlogin

I have configured a DHCP server on an Extreme X440 G2 switch and it is working as expected. Now I want to add the switch into the NAC control engine, which eventually enables a netlogin session.

I believe the DHCP server will provide leases only to systems connected on ports enabled for a particular VLAN. The command below is for reference.

  • enable dhcp ports <port_list> vlan <vlan_name>

But a netlogin session will have a dynamic VLAN assigned to the ports based on dot1x/MAC, and the above command contradicts that.

Can someone help me on this?
Alagesan Jeyaraman

Posted 2 years ago

Patrick Voss, Alum
[Incorrect information - Removed]
Alagesan Jeyaraman
Hi Patrick, thanks for your response. In that case, what VLAN do I mention in the command below, or is it not necessary? Because netlogin will assign different VLANs to users connecting on that port.

  • enable dhcp ports <port_list> vlan <vlan_name>
Patrick Voss, Alum
I apologize Alagesan, please ignore my last response. I did not fully understand what you were looking for. I deleted and updated my reply below.
Patrick Voss, Alum
Hello Alagesan,

Unfortunately, I believe the only way around this is to change the design. Would it be possible to configure DHCP on your core switch and then leave the edge switches to netlogin? This way, after the netlogin authentication, the DHCP traffic will be sent through an uplink which will be enabled for DHCP on those VLANs.

As a side note, the switch DHCP server wasn't intended to be a full production DHCP server. A full-fledged DHCP server is always recommended.
Alagesan Jeyaraman
Hello Patrick,

The thing is, all my switches participate in netlogin, including the core switch. I would like to configure the DHCP server on my switch because it will help me with NAC IP resolution. Are there any other possible ways you would suggest?
Patrick Voss, Alum
I do not believe there is another way.

Is netlogin enabled on the uplink ports on the core? This is the only port you would need to enable DHCP on, and netlogin is typically not enabled on uplink ports.
Alagesan Jeyaraman
Netlogin is not enabled on the uplink ports.
Matthew Helm, Employee
I'm investigating, but you should be able to use a UPM profile specified in a VSA associated with the account passed from the RADIUS server through the NAC as a proxy.

You would have to configure the UPM user-authenticate event on every port where you want DHCP to be enabled. Here is an article on how to use UPM for authenticating clients.

I'm investigating whether NAC as a proxy somehow interferes with the VSA being passed from the RADIUS server, but I do not believe it does. I assume you are using NAC as a proxy to a RADIUS server, right?
Matthew Helm, Employee
I have confirmed that the extended-security VSA is supported by NAC either as a proxy or acting as a full RADIUS server.
Alagesan Jeyaraman
Hi Matthew,

Thanks for your efforts. I will try that and let you know if it works.

What do I need to enter in the syntax below for our DHCP requirement while creating the profile?

<CLI COMMANDS TO BE EXECUTED ON AUTHENTICATE>
Matthew Helm, Employee
The command that I used in the UPM profile that launches when the client is authenticated and assigned a VLAN is as follows:

enable dhcp port $(EVENT.USER_PORT) vlan $(EVENT.USER_VLAN)

Is this what you are after?

The UPM profile for un-authentication is "blank".
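As an added example, not taken from this thread or from Extreme's documentation, here is the UPM profile Matthew describes wired to the user-authenticate event on the edge ports, so DHCP is enabled on the port for whatever VLAN netlogin assigned. The profile name (dhcp-on-auth) and the port list (1-24) are assumed placeholders; the profile body is terminated with a line containing only a dot, as EXOS expects.

```exos
# Constructed example: profile name and port list are assumptions, adjust to your switch
create upm profile dhcp-on-auth
enable dhcp port $(EVENT.USER_PORT) vlan $(EVENT.USER_VLAN)
.
# Run the profile each time netlogin authenticates a client on an edge port;
# leave the user-unauthenticate event unbound, matching the "blank" profile above
configure upm event user-authenticate profile dhcp-on-auth ports 1-24
```

Only the edge ports that carry netlogin clients should be bound to the event; uplinks keep their static DHCP port/VLAN configuration.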