Multisession on single port problem

  • Problem
  • Updated 1 year ago
  • Solved
Hi

I have a problem assigning an IP to a MAC-based authentication session (printer) on an X440 single port.
The situation looks like below:

computer---
computer--- desktop switch ----- x440 switch single port
printer-------

All dot1x sessions (users) are accepted and work fine, but the MAC session is not.

Port                          : 43
Authentication                : 802.1x, mac-based
Port State                    : Enabled
Authentication Mode           : Required (Policy Enabled only)
Max Supported Users           : 256 (Policy Enabled only)
Allowed Users                 : 128 (Policy Enabled only)
Current Users                 : 3 (Policy Enabled only)
------------------------------------------------
        802.1x Port Configuration
------------------------------------------------
Quiet Period                  : 300
Supplicant Response Timeout   : 120
Re-authentication             : On
Re-authentication period      : 0
Max Re-authentications        : 3
RADIUS server timeout         : 120
------------------------------------------------
        MAC Mode Port Configuration
------------------------------------------------
Re-authentication period      : 7200
Re-authentication             : On
Authentication Delay          : 120 seconds
------------------------------------------------
        Netlogin Clients
------------------------------------------------

MAC                IP address       Authenticated     Type    ReAuth-Timer   User
00:0f:fe:xx:xx:xx  0.0.0.0          Yes, Radius       802.1x  0              user
00:23:7d:xx:xx:xx  0.0.0.0          Yes, Radius       MAC     4385           00-23-7D-XX-XX-XX
94:de:80:xx:xx:xx  0.0.0.0          Yes, Radius       802.1x  0              user
-----------------------------------------------
(B) - Client entry Blackholed in FDB


On NAC Manager I see that user (dot1x) sessions are resolving IP addresses using the RADIUS server, which is visible in the request (in the table), but MAC sessions are not.




When I connect the printer directly to the X440 port, everything works fine.


Please help

Regards, Mark

Marek Konopinski


Posted 1 year ago

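The "Netlogin Clients" table above is what shows whether a session's IP has been resolved (0.0.0.0 means it has not). As an added example, not from the original post or from Extreme, here is a small Python parser for that table that groups the unresolved clients by authentication type; the sample table, its MACs and its IPs are constructed, and the "Type" values it accepts are the netlogin methods named in this thread (802.1x, MAC, web-based):

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the "Netlogin Clients" section of
# `show netlogin`; MACs and IPs are made up, not the poster's switch output.
SAMPLE = """\
MAC                IP address       Authenticated     Type    ReAuth-Timer   User
00:0f:fe:01:02:03  10.20.30.41      Yes, Radius       802.1x  0              user
00:23:7d:04:05:06  0.0.0.0          Yes, Radius       MAC     4385           00-23-7D-04-05-06
94:de:80:07:08:09  0.0.0.0          Yes, Radius       802.1x  0              user
-----------------------------------------------
(B) - Client entry Blackholed in FDB
"""

# Authentication methods netlogin reports in the "Type" column.
TYPES = r"802\.1x|MAC|web-based"
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<auth>.+?)\s+"                 # e.g. "Yes, Radius" (contains a space)
    r"(?P<type>" + TYPES + r")\s+"
    r"(?P<timer>\d+)\s+"
    r"(?P<user>\S+)\s*$"
)

@dataclass
class Client:
    mac: str
    ip: str
    authenticated: str
    auth_type: str
    reauth_timer: int
    user: str

    @property
    def ip_resolved(self) -> bool:
        return self.ip != "0.0.0.0"

def parse_netlogin_clients(text: str) -> list[Client]:
    """Parse client rows; the header, separators and the (B) legend are skipped."""
    clients = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            clients.append(Client(m["mac"], m["ip"], m["auth"], m["type"],
                                  int(m["timer"]), m["user"]))
    return clients

def unresolved_by_type(clients: list[Client]) -> dict[str, list[str]]:
    """MACs whose IP is still 0.0.0.0, grouped by authentication type."""
    out: dict[str, list[str]] = {}
    for c in clients:
        if not c.ip_resolved:
            out.setdefault(c.auth_type, []).append(c.mac)
    return out

if __name__ == "__main__":
    for t, macs in unresolved_by_type(parse_netlogin_clients(SAMPLE)).items():
        print(f"{t}: IP not resolved for {', '.join(macs)}")
```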

Marek Konopinski

Anybody?

Patrick Koppen

Maybe you could post some more information...
Software version, show config netlogin, show config policy and show config aaa

Does it work if you only attach the printer behind the switch?
Could it be a maximum user limit on the port?
Does the MAC show up in the FDB?
Did you enable logging?
What happens if you connect the printer (with logging enabled)?

Marek Konopinski

So :) this is what I've got:


show switch
SysName:          LOL
SysLocation:      LOL
SysContact:       Marek Konopinski
System MAC:       00:04:96:XX:XX:XX
System Type:      X440G2-48t-10G4

Current State:    OPERATIONAL
Image Selected:   primary
Image Booted:     primary
Primary ver:      21.1.1.4
                  patch1-3
Secondary ver:    21.1.1.4

Config Selected:  primary.cfg
Config Booted:    Factory Default

primary.cfg       Created by ExtremeXOS version 21.1.1.4
                  1225234 bytes saved on Thu Mar 16 09:39:51 2017

show version
Switch      : 800617-00-09 1634N-40777 Rev 9.0 BootROM: 1.0.1.8    IMG: 21.1.1.4
PSU-1       : Internal Power Supply
PSU-2       :

Image   : ExtremeXOS version 21.1.1.4 21.1.1.4-patch1-3 by release-manager
          on Wed May 4 16:47:32 EDT 2016
BootROM : 1.0.1.8
Diagnostics : 5.4



NETLOGIN conf

enable netlogin dot1x mac
configure netlogin mac authentication database-order radius
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 1-46 dot1x
enable netlogin ports 1-46 mac
configure netlogin dot1x ports 1-46 timers quiet-period 5

configure netlogin dot1x ports 47 timers reauth-period 30 reauth-max 4 - uplink (interswitch)
configure netlogin dot1x ports 48 timers reauth-period 30 reauth-max 4 - uplink (interswitch)
enable netlogin reauthenticate-on-refresh
configure netlogin session-refresh 30
configure netlogin allowed-refresh-failures 5
configure netlogin mac ports 1 timers reauthentication on



configure netlogin idle-timeout dot1x 0
configure netlogin idle-timeout web-based 0
configure netlogin idle-timeout mac 0
configure netlogin port 47 authentication mode optional
configure netlogin port 48 authentication mode optional


OTHER conf

enable radius
enable radius mgmt-access
enable radius netlogin
enable radius-accounting
enable radius-accounting mgmt-access
enable radius-accounting netlogin
enable log target syslog "IP":514 vr VR-Mgmt local4
enable log target syslog "IP":514 vr VR-Default local4
enable ssh2
enable netlogin dot1x mac
enable netlogin ports 1-46 dot1x
enable netlogin ports 1-46 mac
enable netlogin reauthenticate-on-refresh
enable stpd s0


Also, I cannot enable one option:

configure netlogin port (port number/range) mode mac-based-vlans

because after port (port number/range) there is no "mode" option.


Regards,
Marek

Marek Konopinski

It ain't that... I read it already, but my problem is different.

Patrick Koppen

Hello Marek,

You have a G2 with software >= 21, so you can choose between two different
versions of netlogin: the old one from EXOS or the even older one from EOS,
which is implemented in versions 16 and 21 on G2 hardware.

The EXOS one can do dot1x and MAC auth with multiple hosts on the same port.
There's a single-VLAN and a multi-VLAN model. It's configured like this:

!aaa
configure radius primary server 10.0.0.1 client-ip 10.1.1.2 vr "VR-Default" shared-secret geheim
enable radius netlogin

!create a dummy vlan and attach it to the netlogin process
create vlan ZNETLOGIN_DUMMY
configure netlogin vlan "ZNETLOGIN_DUMMY"

!enable netlogin globally
enable netlogin mac dot1x

!enable netlogin per port
enable netlogin port 5 mac dot1x

!do mac-auth for all mac-addresses
configure netlogin add mac-list default

!test it and look for sessions:
show netlogin [port 5]
And the new (EOS) way....

!switch to policy mode (this makes the world great again!)
enable policy

!mode optional on all ports
configure netlogin ports all authentication mode optional

!enable netlogin globally and per port
enable netlogin mac dot1x
enable netlogin port 5 mac dot1x

!do mac-auth for all mac-addresses
configure netlogin add mac-list default

!test it and look for sessions:
show netlogin sessions
classic netlogin vs. policy mode:

In policy mode you can authenticate and authorize each mac on a port
individually. Mac-authentication and dot1x run simultaneously and
the better method wins:

 Authentication Protocol Order: 802.1x, web-based, mac-based (default)

So one protocol is sufficient to get a valid netlogin session.

For each port EOS has four different configurations for how packets are
handled:

 - Forced Authorized: netlogin disabled, packets always forwarded
 - Forced UnAuthorized: netlogin disabled, packets always dropped
 - Authentication Required: netlogin enable, unauthenticated packets
   dropped
 - Authentication Optional (with optional Policy/Filterlist):
   netlogin enabled, unauthenticated packets forwarded

EXOS implements only Required and Optional. You can disable netlogin
per port to get the 'forced' modes. See the policy course for
more detailed information...

Patrick Koppen

Hello Marek,

Now to your problem. It seems you used commands from both concepts. But your configuration
works. You see the session.

The missing IP in EAC is something totally different. After a successful authentication
the EAC waits 10 seconds to start the resolving process. If it fails it waits 60 seconds, tries
again, waits 60 seconds and tries again. So after 2:10 it stops the process and you
get 'IP resolution failed'.

There are about 5 ways to fix this:
  1. update to EXOS 22.2 and EMC/EAC 7.1 and enable nodealias
  2. forward dhcp packet from every router in every vlan to one or two EACE
  3. configure an ip address in every vlan in the switch
  4. tell EAC the default gateway for the vlan/switch combination
  5. ...
1 always works, 2 only with DHCP clients, 3 should work, 4 works only with one VLAN
per switch, ....

In your case turn off the printer, plug it into the mini switch, and turn it on again. It
should work. If not, enable end-system diagnostics in the EACE.

See Extreme Access Control course for more information...