MAC authentication error on X440-G2

Question (Answered), updated 1 year ago
Hello guys!

I was trying to set up passive NAC (pass-through) with an X440-G2-48p-10G4 switch.

I keep getting the following error in the log:
02/14/2017 14:28:40.49 Authentication failed for Network Login MAC user 001AE87F49D2 Mac 00:1A:E8:7F:49:D2 port 5

Here is my netlogin config:

* X440G2-48p-10G4.100 # sh configuration "netlogin"
#
# Module netLogin configuration.
#
enable netlogin mac
configure netlogin mac authentication database-order local
configure netlogin authentication protocol-order mac dot1x web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "}eqrthug"
enable netlogin ports 1-44 mac

and aaa config (NAC is my radius):

# Module aaa configuration.
#
configure radius netlogin 1 server 192.168.36.80 1812 client-ip 192.168.36.231 vr VR-Default
configure radius 1 shared-secret encrypted "#$fPXY767cV5/sPn3skPxEgMScJGlMOi9B7tKPIpB7"
configure radius-accounting netlogin 1 server 192.168.36.80 1813 client-ip 192.168.36.231 vr VR-Default
configure radius-accounting 1 shared-secret encrypted "#$MHHPB8XKQVHhmbrvq4Og9d3stHCRr9PE29nNW5Ev"
configure radius-accounting 1 timeout 10
enable radius
disable radius mgmt-access
enable radius netlogin
configure radius timeout 15
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin
configure account admin encrypted "$5$DDz7LO$enRGUuZ8/kFW74TqsMOXX2WrJhPZD1B1rxPuzhI4ifC"

On each access port I have:
configure netlogin port authentication mode optional

What is wrong?
Besides, I cannot enter the command:
configure netlogin vlan
The CLI doesn't allow me to enter this command (?).

EXOS version is 21.1.1.4
Robert Zdzieblo

Posted 1 year ago

Tyler Marcotte, Official Rep

Hi Robert,

Have you tried configuring from NAC already? Also, the authentication configuration on the 440-G2 can be accomplished from enabling via Policy in Management Center as well.

The main item that I see that is problematic is: "configure netlogin mac authentication database-order local"

You want this to be sent to RADIUS (which is the NAC) so that it can authenticate it and pass back a response. 

Hope that helps.

Thanks,

Tyler
Ronald Dvorak, Embassador

I'm not an XOS expert, but as far as I understand...

"configure netlogin mac authentication database-order local" will use the local user database and doesn't use the RADIUS=NAC for authentication

"configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted "}eqrthug"" the password will be used for all the MAC authentication clients - but I'd say they don't send one or the password is the MAC so I'd remove the "encrypted <pw>" option

Could you post a "show netlogin mac" from the switch?

I think you'd need to set the netlogin vlan before you enable netlogin.
Robert Zdzieblo

Nice try, Tyler and Ronald! You both were right: I changed "configure netlogin mac authentication database-order local" to "radius", and then I have in my log: 02/14/2017 15:39:01.51 Network Login MAC user 001AE87F49D2 logged in MAC 00:1A:E8:7F:49:D2 port 1 VLAN(s) "", authentication Radius. I can also see the end-system in the NAC database. Thank you!
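Added example, not code from this thread or from Extreme: a small Python parser for the two EXOS Network Login MAC log messages quoted above (the "Authentication failed for Network Login MAC user ..." line and the "... logged in MAC ... authentication Radius" line). It counts failures per MAC and records which database finally authenticated it, which is the quickest way to spot a switch that is still consulting its local database instead of RADIUS. The message layout is assumed from the two quoted lines only, and the sample log is constructed.

```python
import re
from collections import Counter

# Patterns for the two EXOS Network Login MAC messages quoted in this thread
# (assumption: other EXOS log formats are not handled).
_TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})"
_MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
FAIL_RE = re.compile(_TS + r" Authentication failed for Network Login MAC user "
                     r"(?P<user>\S+) Mac " + _MAC + r" port (?P<port>\d+)")
OK_RE = re.compile(_TS + r" Network Login MAC user (?P<user>\S+) logged in MAC "
                   + _MAC + r' port (?P<port>\d+) VLAN\(s\) "(?P<vlans>[^"]*)",'
                   r" authentication (?P<auth>\S+)")

def parse_line(line):
    """Return a dict for a recognised netlogin line, or None for anything else."""
    for outcome, rx in (("failed", FAIL_RE), ("logged_in", OK_RE)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["outcome"] = outcome
            rec["port"] = int(rec["port"])
            rec["mac"] = rec["mac"].lower()
            rec.setdefault("auth", None)   # failure lines carry no auth source
            rec.setdefault("vlans", None)
            return rec
    return None

def summarize(lines):
    """Per-MAC failure count plus the last outcome, port and authenticating
    database, so a MAC that keeps failing (here: the switch checking its local
    database instead of RADIUS) stands out from one that later succeeded."""
    failures = Counter()
    last = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["outcome"] == "failed":
            failures[rec["mac"]] += 1
        last[rec["mac"]] = rec
    return {mac: {"failures": failures[mac], "last_outcome": r["outcome"],
                  "last_port": r["port"], "auth_source": r["auth"]}
            for mac, r in last.items()}

# Constructed sample: the two lines quoted in the thread plus one extra failure.
SAMPLE_LOG = [
    "02/14/2017 14:28:40.49 Authentication failed for Network Login MAC user 001AE87F49D2 Mac 00:1A:E8:7F:49:D2 port 5",
    "02/14/2017 14:29:10.02 Authentication failed for Network Login MAC user 001AE87F49D2 Mac 00:1A:E8:7F:49:D2 port 5",
    '02/14/2017 15:39:01.51 Network Login MAC user 001AE87F49D2 logged in MAC 00:1A:E8:7F:49:D2 port 1 VLAN(s) "", authentication Radius',
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_LOG).items():
        print(mac, info)
```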