Netlogin 802.1x with Radius - Help please

Updated 3 years ago
Hi,

I have configured using this guide:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-802-1x-based-Netlogin-wit...


The NPS is configured as per the above document.

This is the config in the switch:

create vlan AuthVLAN
configure vlan AuthVLAN tag 10

configure netlogin vlan AuthVLAN
enable netlogin dot1x
enable netlogin ports 3:33 dot1x
configure netlogin ports 3:33 mode port-based-vlans
configure netlogin ports 3:33 no-restart

configure radius netlogin primary server MYRADIUS 1812 client-ip MYSWITCH vr VR-Default
configure radius netlogin primary shared-secret encrypted PASSWORD
enable radius netlogin

But when I connect my cable to port 3:33 nothing happens; I go straight to the VLAN that was configured on the port previously.

I confirm that the switch can see the RADIUS server and vice versa. "show radius" shows 0 packets sent; it looks like it does not care that I connect a cable to 3:33, and it does not even try to look for the RADIUS server.

Ideas?

thanks
Localhost

Posted 3 years ago

Bill Stritzinger, Alum
With dot1x enabled, what type of client are you connecting? In this configuration you need a client that has a supplicant enabled. If not, you will get nothing. What is the client?
Localhost
Wow, thanks for the quick answer! A laptop with Windows 10.
Localhost
I see... I need to start a service on the Windows machine. Now, you might be able to help. The reason behind this is that I need guests to get access to a physical port in a shared venue. When they physically connect the cable I want them to get prompted for a user/password that I control in Active Directory, and after that they get placed in a certain VLAN. I cannot ask them to start a service, as for most of them it won't be possible. Ideas?
Bill Stritzinger, Alum
In Windows you need to enable the "wired auto config" service for the supplicant to be active.
Bharathiraja, Suresh, Employee
Hi,

Please find the step-by-step procedure to enable wired auto config in Windows 10.

Thanks,
Suresh.B
Daniel Flouret, Employee
Localhost, using 802.1x for guests may be problematic, as they may not have the supplicant enabled...

You can use Web-based Network login for guests that don't have 802.1x enabled. When guests open a browser they get a login screen where they can input the user/password to be validated.

Here's a document showing how to configure Web-based Netlogin:
https://www.dropbox.com/s/dnhja1paz9f4m7g/SVC%20Tech%20NI%20Tech%20Guide%20Switch%20Netlogin%20Web%2...
Localhost
Thanks all. I have realized that now. When I enabled dot1x on the laptop through the service, it worked really beautifully, but it will require users that we don't control to start a service = problems! Thanks again everyone, these forums are really, really helpful!

Thanks Daniel, I will give that a try.
Localhost
Actually, one thing Daniel. In the document you linked, it appears that when not authenticated, the client gets into a Temp VLAN. Now, when the client gets authenticated, in the document it is placed in the VLAN Data, but there is no piece of configuration that says which VLAN to use if the user is authenticated. Is it the same as for dot1x, with the vendor-specific attributes?
Daniel Flouret, Employee
Localhost,

Network Login works in two different ways: ISP mode and Campus mode.

In ISP mode, ports are pre-assigned to a VLAN, but user access to that VLAN is restricted until the user is correctly authenticated. When this happens, the user can access the VLAN configured for that port. The RADIUS server entry for that user should include an Extreme-Netlogin-Only = Enabled entry. This value in the Access-Accept response will indicate to EXOS that the user should be allowed to access whatever VLAN is configured for the port where the user is connecting.

In Campus mode, the VLAN where the user will be placed is defined by the RADIUS response. The RADIUS server entry for that user should include an Extreme-Netlogin-Vlan = "<vlan_name>" entry. This value in the Access-Accept response will indicate to EXOS that the port where the user has authenticated should be moved to the VLAN included in the response.

For more detail, please look at chapter 28: Network Login in the EXOS User Guide.
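The two modes Daniel describes differ only in which Extreme vendor-specific attribute the RADIUS server puts into the Access-Accept. The script below is an added example, not code from this thread, from Extreme or from Microsoft NPS: it builds both shapes of Access-Accept with a valid Response Authenticator, then decodes the Extreme VSAs the way the switch would, and checks the authenticator against the shared secret so a captured reply can be confirmed as coming from the real server. The vendor ID 1916 is Extreme's IANA enterprise number; the vendor-type numbers 203 (Extreme-Netlogin-Vlan) and 206 (Extreme-Netlogin-Only) are assumed from the FreeRADIUS dictionary.extreme and should be checked against your own server's dictionary; the shared secret, request identifier and Request Authenticator are constructed sample values.

```python
"""Build and decode the Extreme Netlogin VSAs carried in a RADIUS Access-Accept
(RFC 2865 attribute 26, Vendor-Specific) for ISP mode and Campus mode."""
import hashlib
import hmac
import struct

# --- Protocol constants (RFC 2865) ---
RADIUS_CODE_ACCESS_ACCEPT = 2
RADIUS_ATTR_VSA = 26              # Vendor-Specific attribute
RADIUS_HEADER_LEN = 20            # code(1) id(1) length(2) authenticator(16)

# --- Extreme Networks VSAs ---
EXTREME_VENDOR_ID = 1916          # IANA enterprise number for Extreme Networks
# Assumption: vendor-type numbers as in the FreeRADIUS dictionary.extreme;
# verify them against the dictionary your RADIUS server actually loads.
EXTREME_NETLOGIN_VLAN = 203       # string: VLAN name the port is moved into (Campus mode)
EXTREME_NETLOGIN_ONLY = 206       # integer: 1 = Enabled, unlock the port's own VLAN (ISP mode)

# Constructed sample values, not taken from the thread.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # Request Authenticator of the (imaginary) Access-Request
REQUEST_ID = 0x2A


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap one vendor attribute in a RADIUS Vendor-Specific (type 26) attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value      # vendor TLV
    return struct.pack("!BBI", RADIUS_ATTR_VSA, 6 + len(inner), EXTREME_VENDOR_ID) + inner


def netlogin_vlan_attr(vlan_name: str) -> bytes:
    """Extreme-Netlogin-Vlan = "<vlan_name>" (Campus mode)."""
    return encode_vsa(EXTREME_NETLOGIN_VLAN, vlan_name.encode("ascii"))


def netlogin_only_attr(enabled: bool = True) -> bytes:
    """Extreme-Netlogin-Only = Enabled / Disabled (ISP mode)."""
    return encode_vsa(EXTREME_NETLOGIN_ONLY, struct.pack("!I", 1 if enabled else 0))


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Assemble an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = struct.pack("!BBH", RADIUS_CODE_ACCESS_ACCEPT, identifier, RADIUS_HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced with the shared secret for this request
    and was not altered afterwards (the switch performs this same check)."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def _iter_tlvs(data: bytes):
    """Yield (type, value) from a run of RADIUS-style type/length/value triples."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        yield t, data[i + 2:i + length]
        i += length


def extreme_netlogin_attrs(packet: bytes) -> dict:
    """Decode the Extreme Netlogin VSAs from an Access-Accept, as the switch would see them."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_CODE_ACCESS_ACCEPT or length != len(packet) or length < RADIUS_HEADER_LEN:
        raise ValueError("not a well-formed Access-Accept")
    found = {}
    for attr_type, value in _iter_tlvs(packet[RADIUS_HEADER_LEN:length]):
        if attr_type != RADIUS_ATTR_VSA or len(value) < 4:
            continue                                   # not a VSA: ignore
        if struct.unpack("!I", value[:4])[0] != EXTREME_VENDOR_ID:
            continue                                   # some other vendor's VSA
        for vtype, vvalue in _iter_tlvs(value[4:]):
            if vtype == EXTREME_NETLOGIN_VLAN:
                found["Extreme-Netlogin-Vlan"] = vvalue.decode("ascii")
            elif vtype == EXTREME_NETLOGIN_ONLY and len(vvalue) == 4:
                flag = struct.unpack("!I", vvalue)[0]
                found["Extreme-Netlogin-Only"] = "Enabled" if flag == 1 else "Disabled"
    return found


def campus_accept() -> bytes:
    """Access-Accept that moves the port into VLAN "Data" (Campus mode)."""
    return build_access_accept(REQUEST_ID, REQUEST_AUTH, SHARED_SECRET, netlogin_vlan_attr("Data"))


def isp_accept() -> bytes:
    """Access-Accept that unlocks the VLAN already configured on the port (ISP mode)."""
    return build_access_accept(REQUEST_ID, REQUEST_AUTH, SHARED_SECRET, netlogin_only_attr(True))


if __name__ == "__main__":
    for mode, pkt in (("Campus", campus_accept()), ("ISP", isp_accept())):
        ok = verify_access_accept(pkt, REQUEST_AUTH, SHARED_SECRET)
        print(mode, pkt.hex(), "authenticator ok:", ok, extreme_netlogin_attrs(pkt))
```

Feeding a captured Access-Accept (the bytes after the UDP header) to extreme_netlogin_attrs shows at a glance whether the NPS policy is returning the VLAN name or the Netlogin-Only flag, and verify_access_accept with the switch's shared secret confirms the packet is genuine. Note that in the original post "show radius" reported 0 packets sent, so there was no reply to decode yet: that symptom points at the supplicant never starting the exchange, not at the attributes.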
Localhost
Hi, thanks.

I have tried that, but the documentation is not very clear:

- After I configured everything, I connected the cable to the port configured for netlogin. I got an IP on that temporary VLAN. I can resolve the switch's DNS name if I ping it.

- I open a browser; if I put in a random URL, nothing happens. I was expecting to get redirected to the myswitch/login page.

- If I manually specify the URL (like myswitch/login), the custom web page appears. I put in user/password, nothing happens, and I cannot see the user/password sent to RADIUS.

Basically I am stuck here.

thanks
Localhost
Update: I understand you won't be able to ping the VLAN interface if it is set to netlogin. I still don't get redirected automatically, but if I put in the DNS name of the switch (the one configured as the base URL) I get to a screenplay page (which is blank). If I put /login, nothing happens.

thanks
Localhost
Update: I gave up. Tried with GTAC as well; they couldn't figure it out either. Maybe changing the software might fix it, but this is not an option for me. I resolved it by moving the authentication to other devices. But thanks everybody.