debug netlogin XOS

M_Nees
Contributor III
Hi Folks,
How can I debug the following error message regarding MAC authentication on recent XOS 15.5.4.2 (BD8810) and solve the problem?

Rebooting the end-system does not help. When netlogin is shut down, the end-system runs at once over the manually configured VLAN.

MSM-A: Authentication failed for Network Login MAC user 18A905BB9E50 Mac 18:A9:05:BB:9E:50 port 7:39

Here the show netlogin for this port:
show netlogin port 7:39

Port : 7:39
Port Restart : Disabled
Allow Egress : None
Vlan : Default
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC IP address Authenticated Type ReAuth-Timer User
18:a9:05:bb:9e:50 0.0.0.0 No MAC 0
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Port : 7:39
Port Restart : Disabled
Allow Egress : None
Vlan : VTelefon
Authentication : mac-based
Port State : Enabled
Guest Vlan : Disabled
Auth Failure Vlan : Disabled
Auth Service-Unavailable Vlan : Disabled

MAC IP address Authenticated Type ReAuth-Timer User
-----------------------------------------------
(B) - Client entry Blackholed in FDB

Number of Clients Authenticated : 2

This is a very simple MAC auth, so I cannot understand why the netlogin should fail!

As background information, I ran an update from XOS 12.6.2.10 to 15.5.4.2 yesterday evening.

7 REPLIES

StephenW
Extreme Employee
Great! Thanks for sharing your solution with the community.

Sending the VSA with T adds the port as tagged and U adds the port as untagged.

M_Nees
Contributor III
I got the problem.

I turned on debug for netlogin:
enable log debug-mode
enable log display
configure log filter "DefaultFilter" add events nl severity debug-verbose
configure log filter "DefaultFilter" add events AAA.RADIUS severity debug-verbose

Then I could read that the netlogin framework has problems with binding the VLAN in question tagged AND untagged!
Because the RFC3580 RADIUS communication in use does not specify tagged or untagged usage of the VLAN, I switched over to Extreme netlogin VSAs, which specify this (= T80 = VLAN 80 tagged)!

This solved my problem completely!

Regards
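
An added example, not part of the original post or of Extreme's documentation: a small audit over RADIUS reply definitions that flags VLAN assignments made only through RFC 3580 tunnel attributes (no tagged/untagged information) and validates VSA strings of the `T80` / `U80` form described in this thread. The attribute label `Extreme-Netlogin-Extended-Vlan`, the 1-4094 VLAN ID range check and the sample replies are assumptions constructed for illustration.

```python
import re

# Assumed attribute labels for this sketch (not taken from the thread).
RFC3580_VLAN_ATTR = "Tunnel-Private-Group-Id"
EXTREME_VSA_ATTR = "Extreme-Netlogin-Extended-Vlan"
VSA_VALUE = re.compile(r"^([TU])(\d{1,4})$")


def parse_vsa(value):
    """Return (mode, vlan_id) for a 'T80' / 'U80' style value, else None."""
    m = VSA_VALUE.match(value.strip())
    if not m:
        return None
    vlan_id = int(m.group(2))
    if not 1 <= vlan_id <= 4094:
        return None
    return ("tagged" if m.group(1) == "T" else "untagged", vlan_id)


def audit_reply(name, attrs):
    """Classify one RADIUS reply definition (dict of attribute -> value)."""
    if EXTREME_VSA_ATTR in attrs:
        parsed = parse_vsa(attrs[EXTREME_VSA_ATTR])
        if parsed is None:
            return (name, "invalid", "VSA value must be T<vid> or U<vid>")
        return (name, "explicit", "VLAN %d %s" % (parsed[1], parsed[0]))
    if RFC3580_VLAN_ATTR in attrs:
        vlan = attrs[RFC3580_VLAN_ATTR]
        return (name, "ambiguous", "VLAN %s assigned without tag mode" % vlan)
    return (name, "no-vlan", "reply assigns no VLAN")


def audit(replies):
    """Audit every reply definition, sorted by name."""
    return [audit_reply(n, a) for n, a in sorted(replies.items())]


# Constructed sample replies, as they might be defined on a RADIUS server.
SAMPLE_REPLIES = {
    "phone-rfc3580": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-Id": "80"},
    "phone-vsa": {EXTREME_VSA_ATTR: "T80"},
    "pc-vsa": {EXTREME_VSA_ATTR: "U1"},
    "typo-vsa": {EXTREME_VSA_ATTR: "80T"},
}

if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE_REPLIES):
        print("%-14s %-10s %s" % (name, status, detail))
```
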

M_Nees
Contributor III
Hi William,
Netlogin has been running for several years without bigger problems. From the RADIUS point of view, requests and responses are OK!

StephenW
Extreme Employee
I just made this article for you. Hope this helps. If not, let me know.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Mac-based-Netlogin-with-R...

I would also check to make sure the switch is sending "Acct Requests" and is receiving "Acct Responses" with the "show radius" command.
