debug netlogin XOS

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
Hi Folks,
how can i debug the following error message regarding mac authentiication on recent XOS 15.5.4.2 (BD8810) and solving the problem?

Reboot of the end-system does not help. Shutting down netlogin - end-system running at once over the manually configured vlan.

<Info:nl.ClientAuthFailure> MSM-A: Authentication failed for Network Login MAC user 18A905BB9E50 Mac 18:A9:05:BB:9E:50 port 7:39

Here the show netlogin for this port:
show netlogin port 7:39

Port                          : 7:39
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : Default
Authentication                : mac-based
Port State                    : Enabled
Guest Vlan                    : Disabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC                IP address       Authenticated     Type    ReAuth-Timer   User         
18:a9:05:bb:9e:50  0.0.0.0          No                MAC     0             
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port                          : 7:39
Port Restart                  : Disabled
Allow Egress                  : None
Vlan                          : VTelefon
Authentication                : mac-based
Port State                    : Enabled
Guest Vlan                    : Disabled
Auth Failure Vlan             : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC                IP address       Authenticated     Type    ReAuth-Timer   User         
-----------------------------------------------
(B) - Client entry Blackholed in FDB


Number of Clients Authenticated  : 2


The is a very simple MAC Auth so i cannot understand why the netlogin should failed !

As a background information i run an update from XOS 12.6.2.10 to 15.5.4.2 yesterday evening.
Photo of M.Nees

M.Nees, Embassador

  • 9,414 Points 5k badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of OscarK

OscarK, ESE

  • 7,912 Points 5k badge 2x thumb
Photo of M.Nees

M.Nees, Embassador

  • 9,414 Points 5k badge 2x thumb
Hi OscarK,

this does not help because we use MAC auth with RADIUS.

Do you (or anybody else) know how i can debug this MAC Authentication process ?

Regards
Photo of OscarK

OscarK, ESE

  • 7,912 Points 5k badge 2x thumb
you can debug everything on EXOS by adding events to the log filter with a lower severity, even severity debug-data/verbode/summary.For the debug severity you need to enable log debug-mode.
Photo of Stephen Williams

Stephen Williams, Employee

  • 9,034 Points 5k badge 2x thumb
I just made this article for you.  Hope this helps.  If not, let me know.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-R...

I would also check to make sure the switch is sending "Acct Requests" and is receiving  "Acct Responses" with the "show radius" command.
Photo of M.Nees

M.Nees, Embassador

  • 9,414 Points 5k badge 2x thumb
Hi William,
netlogin is running since several years without bigger problems. From Radius point of View Requests and Responses are OK!
Photo of M.Nees

M.Nees, Embassador

  • 9,414 Points 5k badge 2x thumb
I got the problem.

I turn on debug for netlogin:
enable log debug-mode
enable log display
configure log filter "DefaultFilter" add events nl severity debug-verbose
configure log filter "DefaultFilter" add events AAA.RADIUS severity debug-verbose

Then i can read the netlogin Framework have problems with binding the regarding vlan tagged AND untagged!
So because the used RFC3580 RADIUS communication does not specify tagged or untagged usage of  the VLAN i switch over to Extreme netlogin VSAs which specify this (= T80 = VLAN 80 tagged)!

This solved my problem complettely!

Regards
Photo of Stephen Williams

Stephen Williams, Employee

  • 9,034 Points 5k badge 2x thumb
Great!  Thanks for sharing your solution with the community. 

Sending the VSA with T adds the port tagged and U<vlan> add the port as untagged.
(Edited)