netlogin 802.1X authentication question

  • Question
  • Updated 3 years ago
  • Answered
I have the netlogin 802.1X client authenticated with success, but why do I always have, immediately before it, a failed MAC address authentication from the same client?

03/11/2016 16:40:31.77 <Info:nl.ClientAuthenticated> Network Login 802.1x user host/TDT34349.corporativo.pt logged in MAC 74:46:A0:XX:XX:XX port 3 VLAN(s) "DADOS", authentication Radius
03/11/2016 16:40:31.69 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 7446A0XXXXXX Mac 74:46:A0:XX:XX:XX port 3
03/11/2016 16:40:31.67 <Info:vlan.msgs.portLinkStateUp> Port 3 link UP at speed 1 Gbps and full-duplex

Best Regards
Vitor Barreiro

Vitor Barreiro


Posted 3 years ago


Stephen Williams, Employee

Do you have MAC and DOT1x configured? MAC authenticates first because it attempts to authenticate once the first frame is received. Are you currently using MAC-based authentication? MAC authentication sends the MAC as the username and password in a RADIUS request packet.

Vitor Barreiro

Yes, I have MAC and DOT1X configured, because on most of the ports I have an IP phone and a PC behind the phone. MAC authentication for the phones and DOT1x for the PC. Configuration below:

configure netlogin vlan Auth
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 3-5,7,9,11-19 dot1x 
enable netlogin ports 3-5,7,9,11-19 mac 
configure netlogin ports 3 mode mac-based-vlans
configure netlogin ports 3 no-restart

Marcus Florido

MAC authentication is enabled, and the MAC is not in the "allow" list, hence the Auth failure. To prevent this, change the order of the authentication mechanism. Likely the order is currently set to MAC-802.1x-WebAuth. Change the order in NetSight to authenticate 802.1x first, and your problem should go away.

Vitor Barreiro

I have MAC and DOT1X configured, because on most of the ports I have an IP phone and a PC behind the phone. MAC authentication for the phones and DOT1x for the PC. NPS is the RADIUS server and the configuration is:

configure netlogin vlan Auth
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48
enable netlogin ports 3-5,7,9,11-19 dot1x 
enable netlogin ports 3-5,7,9,11-19 mac 
configure netlogin ports 3 mode mac-based-vlans
configure netlogin ports 3 no-restart

Stephen Williams, Employee

MAC will still authenticate first, but the order will make sure it acts on what 802.1x tells it over MAC.
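
Added example, not part of the original thread and not vendor code: a log triage sketch that separates the expected pattern described above (a MAC authentication failure followed almost immediately by an 802.1x success for the same MAC and port) from MAC failures that have no such follow-up. The sample lines are constructed in the format shown in the question; the 5-second window, the month/day timestamp order and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the log format from the question (newest first).
SAMPLE_LOG = """\
03/11/2016 16:45:10.12 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 00005E005302 Mac 00:00:5E:00:53:02 port 5
03/11/2016 16:40:31.77 <Info:nl.ClientAuthenticated> Network Login 802.1x user host/pc01.example.test logged in MAC 00:00:5E:00:53:01 port 3 VLAN(s) "DADOS", authentication Radius
03/11/2016 16:40:31.69 <Info:nl.ClientAuthFailure> Authentication failed for Network Login MAC user 00005E005301 Mac 00:00:5E:00:53:01 port 3
03/11/2016 16:40:31.67 <Info:vlan.msgs.portLinkStateUp> Port 3 link UP at speed 1 Gbps and full-duplex
"""

# Assumption: timestamps are month/day/year; adjust the strptime format if not.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) <\w+:(?P<event>nl\.\w+)> "
    r".*?Network Login (?P<method>MAC|802\.1x) user .*?"
    r"MAC (?P<mac>[0-9A-F:]{17}) port (?P<port>\d+)",
    re.IGNORECASE,
)

def parse(log_text):
    """Parse netlogin auth events and return them oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
                "event": m["event"],
                "method": m["method"].lower(),
                "mac": m["mac"].replace(":", "").upper(),  # normalise both MAC forms
                "port": int(m["port"]),
            })
    return sorted(events, key=lambda e: e["ts"])

def classify_mac_failures(log_text, window=timedelta(seconds=5)):
    """Return (expected, unexplained) MAC-auth failures; window is an assumed value."""
    events = parse(log_text)
    expected, unexplained = [], []
    for e in events:
        if e["event"] != "nl.ClientAuthFailure" or e["method"] != "mac":
            continue
        followed = any(
            s["event"] == "nl.ClientAuthenticated" and s["method"] == "802.1x"
            and s["mac"] == e["mac"] and s["port"] == e["port"]
            and timedelta(0) <= s["ts"] - e["ts"] <= window
            for s in events
        )
        (expected if followed else unexplained).append(e)
    return expected, unexplained
```

Failures in the second list are the ones worth reviewing, for example a phone whose MAC is missing from the RADIUS server or an unknown device on the port.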