How can I limit the maximum number of users authenticated on a native netlogin port?

I have several X440 (G1) switches with recent EXOS 16.1.3.6 firmware. There is NO OnePolicy Framework available because of the G1 hardware.

I want to limit the maximum number of users (802.1x or MAC) to 8 per port. How can I do that?

I only know the method via the OnePolicy Framework.

My first idea is to limit MAC learning via mac-locking first-arrival. Is it possible to get a message via trap? But does that work well with the netlogin process?
M.Nees, Embassador


Posted 2 years ago

OscarK, ESE

You can configure a limit of MAC addresses per port:
configure mac-locking ports port_list first-arrival limit-learning learn_limit <limit>
M.Nees, Embassador

Hi Oscar,

Can you tell me if a trap is possible when the limit is reached?
Are there any negative effects if I want to use netlogin for 802.1x and MAC on that port?

Regards,
Matthias
OscarK, ESE

Yes, see the command reference section.
http://documentation.extremenetworks.com/exos_commands_16/EXOS_16_2/EXOS_Commands_All/r_configure-ma...

I don't see problems using it together with netlogin, but probably you could also limit the number of users per port in NAC, although I don't know how.
M.Nees, Embassador

Hi Oscar,

OK, let me try it in my lab.

Limiting the number of users per port is NOT possible via NAC (RADIUS). On my wishlist is a feature that 802.1x users or system accounts can be used only one time - but this feature is currently NOT available - I hope in future versions.

One important aspect comes from my co-worker
(because the edge port never goes down with some desktop switches behind it):
configure mac-locking ports port_list first-arrival aging enable

When enabled, first-arrival MAC addresses that are aged out of the forwarding database are removed from the associated port MAC lock. New MAC addresses can be learned until the configured first-arrival limit is reached.
OscarK, ESE

That means when a MAC address ages out of the FDB it frees up entries.
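As an added illustration (not code from the thread, from Extreme, or from EXOS itself), the following simplified model shows the behaviour the thread describes: a port configured with a first-arrival learn limit, the threshold/violation notifications the command reference documents, and why the co-worker's hint about `first-arrival aging enable` matters when a desktop switch sits behind the port and the link never drops. The FDB aging time of 300 s, the MAC addresses and the "threshold"/"violation" event names are assumptions of this model.

```python
"""Simplified model of first-arrival MAC locking as discussed in the thread.

Added illustration, not Extreme's implementation. One port is configured with
'first-arrival limit-learning <limit>'; frames from MACs beyond the limit are
not learned (violation), and 'first-arrival aging enable' decides whether an
FDB age-out releases the lock entry. The FDB aging time is assumed to be 300 s.
"""
from dataclasses import dataclass, field

FDB_AGING_TIME_S = 300  # assumed FDB aging time for this model

# Constructed sample MAC addresses (not from the thread)
PC_A = "00:00:5e:00:53:01"
PC_B = "00:00:5e:00:53:02"
PC_C = "00:00:5e:00:53:03"


@dataclass
class MacLockPort:
    learn_limit: int            # 'first-arrival limit-learning <limit>'
    aging_enabled: bool         # 'first-arrival aging enable|disable'
    locked: dict = field(default_factory=dict)   # mac -> last time a frame was seen
    events: list = field(default_factory=list)   # threshold / violation notifications

    def frame_seen(self, mac: str, now: int) -> str:
        """Process a frame with source MAC `mac` arriving at time `now`."""
        if mac in self.locked:
            self.locked[mac] = now          # refresh, like an FDB hit
            return "forwarded"
        if len(self.locked) >= self.learn_limit:
            # Lock table full: the new station is not learned. This is the
            # violation condition a trap or log entry would report.
            self.events.append(("violation", mac, now))
            return "dropped"
        self.locked[mac] = now
        if len(self.locked) == self.learn_limit:
            # The configured limit has just been reached.
            self.events.append(("threshold", mac, now))
        return "forwarded"

    def age(self, now: int) -> list:
        """Run FDB aging at time `now`; return the MACs whose lock entry was released."""
        stale = [m for m, seen in self.locked.items() if now - seen >= FDB_AGING_TIME_S]
        if not self.aging_enabled:
            # Without 'first-arrival aging enable' the lock entry survives the
            # FDB age-out; only a link-down (or a manual clear) releases it.
            return []
        for m in stale:
            del self.locked[m]
        return stale


def scenario(aging_enabled: bool, learn_limit: int = 2) -> dict:
    """Two PCs fill a port with limit 2, a third PC appears, then PC A goes quiet."""
    port = MacLockPort(learn_limit=learn_limit, aging_enabled=aging_enabled)
    port.frame_seen(PC_A, 0)
    port.frame_seen(PC_B, 10)                   # limit reached -> threshold event
    first_try = port.frame_seen(PC_C, 20)       # table full -> dropped, violation
    port.frame_seen(PC_B, 200)                  # PC B keeps talking
    # PC A was unplugged from the downstream desktop switch; the uplink stays up.
    freed = port.age(350)                       # PC A idle 350 s, PC B idle 150 s
    second_try = port.frame_seen(PC_C, 360)
    return {
        "first_try": first_try,
        "freed": freed,
        "second_try": second_try,
        "event_kinds": [kind for kind, _, _ in port.events],
    }


if __name__ == "__main__":
    for aging in (False, True):
        print(f"aging_enabled={aging}: {scenario(aging)}")
```

With aging disabled the third PC stays locked out even after PC A has been silent longer than the FDB aging time, because the edge port never went down; with aging enabled PC A's entry is released and PC C is learned, which is exactly the effect Oscar summarises in his last reply. The learn limit of 2 is only to keep the scenario short; the thread's case would use 8.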