Netlogin for NAC not working on Extreme x440 and x430 Switches

  • Problem
  • Updated 1 year ago
  • Solved
We have deployed NAC, applied the rules and enabled Netlogin on x430 and x440 switches with ExtremeXOS version 16.2.1.6. The MAC authentication shows as passed in Netsight and on the switch; however, it is not actually applied if the switch doesn't have the ports configured in the respective VLAN.
We are lost on this; are we missing something in the configuration?

Here is the configuration on the switch.

create vlan NACauth
configure netlogin vlan NACauth
enable netlogin dot1x mac 
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password voxmac
enable netlogin ports 1-23 dot1x 
enable netlogin ports 1-23 mac 
configure netlogin ports 1-23 mode mac-based-vlans
configure netlogin ports 1-23 no-restart

Sandeep Srinivasa (312 Points), posted 1 year ago


Jeremy, Embassador (9,788 Points):

Are you enabling authentication on the ports? 

configure netlogin port 1-23 authentication mode optional

Ilya Semenov (4,384 Points):

There is no such command in EXOS 16.x

Is there any analog for it?

Thanks

Sandeep Srinivasa (312 Points):

Yes, we are enabling authentication on the ports. We have 5 VLANs, and once the MAC address is reflected in Netsight we move it to a particular group.

Example: I have connected a laptop on port 20, and VLAN 20 has to be assigned after I move it to the group in Netsight. This is not working until VLAN 20 is configured on the switch.

Netsight should override the switch configuration; we have G2 switches which are working perfectly fine.

Keith Obermeier (430 Points):

I'm using a 460G2, but the config should be the same.

In the end I added the switches to NAC Manager as manual switches and did the following config in the CLI:

# Module netLogin configuration.
#
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
enable netlogin ports 1:1-48 dot1x
enable netlogin ports 1:1-48 mac
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 encrypted
configure netlogin mac timers reauth-period 90
configure netlogin mac username format hyphenated

# Module aaa configuration.
#

configure radius netlogin primary server 1812 client-ip vr VR-Default
configure radius netlogin primary shared-secret encrypted
configure radius netlogin secondary server 1812 client-ip vr VR-Default
configure radius netlogin secondary shared-secret encrypted
configure radius-accounting netlogin primary server 1813 client-ip vr VR-Default
configure radius-accounting netlogin primary shared-secret encrypted
configure radius-accounting netlogin secondary server 1813 client-ip
configure radius timeout 20
configure radius mgmt-access timeout 20
configure radius netlogin timeout 20
enable radius-accounting
disable radius-accounting mgmt-access
enable radius-accounting netlogin

Ronald Dvorak, Embassador (45,086 Points):

Did you see an error message like the one below on the switch?

# show log

12/21/2016 23:25:18.73 <Warn:nl.InvalidVlanTagVSA> VLAN Tag 234 specified in Radius VSA does not exist on the switch or cannot be created. Please verify RADIUS configuration

Ronald Dvorak, Embassador (45,086 Points):

That should do the trick...

http://documentation.extremenetworks.com/exos_22.1/exos_21_1/netlogin/c_configuring-dynamic-vlans-fo...

# enable the switch to create/delete VLANs dynamically
configure netlogin dynamic-vlan enable

# enable the switch to create/delete the VLAN tagged on the uplink - in this example on port#1
# only needed if you'd like to have the VLAN also on the uplink
configure netlogin dynamic-vlan uplink-ports 1


* X430-48t.62 # sh log
12/21/2016 23:55:28.49 <Info:nl.ClientAuthenticated> Network Login MAC user 14DAE9EC029F logged in MAC 14:DA:E9:EC:02:9F port 33 VLAN(s) "SYS_VLAN_0234", authentication Radius
12/21/2016 23:55:28.26 <Info:vlan.msgs.portLinkStateUp> Port 33 link UP at speed 1 Gbps and full-duplex

Sandeep Srinivasa (312 Points):

Here are the logs...

12/22/2016 10:24:53.41 <Erro:STP.InBPDU.Drop> Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:47.43 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/TRYNTA02 Mac 6C:0B:84:08:B7:DE port 12
12/22/2016 10:24:45.40 <Info:AAA.authPass> Login passed for user admin through telnet (10.210.1.241)
12/22/2016 10:24:41.41 <Erro:STP.InBPDU.Drop> Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:29.84 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/CANNTA05 Mac 6C:AE:8B:0B:DF:51 port 14
12/22/2016 10:24:29.41 <Erro:STP.InBPDU.Drop> Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:23.14 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/VGNTA02 Mac 6C:AE:8B:0B:DF:C5 port 33
12/22/2016 10:24:17.41 <Erro:STP.InBPDU.Drop> Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:05.40 <Erro:STP.InBPDU.Drop> Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:04.37 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/CANNTA03 Mac 6C:AE:8B:0B:E5:05 port 4
12/22/2016 10:24:01.71 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/CANNTA02 Mac 6C:AE:8B:0B:E3:DE port 25
12/22/2016 10:23:58.83 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/CANNTA08 Mac 6C:AE:8B:0B:E3:B3 port 26
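Added example (mine, not code from the thread or from Extreme): a small triage script for the EXOS "show log" lines quoted in this thread. It parses the generic timestamp/severity/event prefix, then pulls the user, MAC, port and VLAN out of the three netlogin events seen above (nl.ClientAuthFailure, nl.ClientAuthenticated, nl.InvalidVlanTagVSA), so that a pile of wrapped log output can be reduced to "which ports are failing, which MACs got which VLAN, and which RADIUS VLAN tags the switch rejected". The sample lines are constructed from the formats quoted in the posts above; the detail regexes are written against those exact message texts and may need adjusting for other EXOS releases.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Shape of an EXOS "show log" line: timestamp, <Severity:Component.Event>, message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"<(?P<sev>\w+):(?P<event>[\w.]+)>\s+(?P<msg>.*)$"
)
# Detail patterns written against the three netlogin messages quoted in this thread.
AUTH_FAIL_RE = re.compile(
    r"Authentication failed for Network Login (?P<method>\S+) user (?P<user>\S+)\s+"
    r"Mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+port\s+(?P<port>\S+)"
)
AUTH_OK_RE = re.compile(
    r"Network Login (?P<method>\S+) user (?P<user>\S+) logged in MAC (?P<mac>\S+) "
    r'port (?P<port>\S+) VLAN\(s\) "(?P<vlan>[^"]+)"'
)
BAD_VSA_RE = re.compile(r"VLAN Tag (?P<tag>\d+) specified in Radius VSA")


@dataclass
class Event:
    ts: str
    severity: str
    event: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str):
    """Return an Event for a well-formed log line, or None for anything else (prompts, wrapped junk)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = Event(m["ts"], m["sev"], m["event"])
    detail = {
        "nl.ClientAuthFailure": AUTH_FAIL_RE,
        "nl.ClientAuthenticated": AUTH_OK_RE,
        "nl.InvalidVlanTagVSA": BAD_VSA_RE,
    }.get(ev.event)
    if detail:
        d = detail.search(m["msg"])
        if d:
            ev.fields = d.groupdict()
    return ev


def triage(lines):
    """Summarise netlogin outcomes: failures per port, VLAN granted per MAC, rejected VSA tags."""
    summary = {
        "failed_ports": Counter(),
        "failed_users": [],
        "granted": {},
        "bad_vsa_tags": set(),
        "unparsed": 0,
    }
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            summary["unparsed"] += 1
        elif ev.event == "nl.ClientAuthFailure" and ev.fields:
            summary["failed_ports"][ev.fields["port"]] += 1
            summary["failed_users"].append((ev.fields["user"], ev.fields["mac"]))
        elif ev.event == "nl.ClientAuthenticated" and ev.fields:
            summary["granted"][ev.fields["mac"]] = ev.fields["vlan"]
        elif ev.event == "nl.InvalidVlanTagVSA" and ev.fields:
            summary["bad_vsa_tags"].add(int(ev.fields["tag"]))
    return summary


# Constructed sample: lines in the formats quoted in this thread, one STP line, and one CLI prompt.
SAMPLE_LOG = [
    '12/21/2016 23:25:18.73 <Warn:nl.InvalidVlanTagVSA> VLAN Tag 234 specified in Radius VSA does not exist on the switch or cannot be created. Please verify RADIUS configuration',
    '12/21/2016 23:55:28.49 <Info:nl.ClientAuthenticated> Network Login MAC user 14DAE9EC029F logged in MAC 14:DA:E9:EC:02:9F port 33 VLAN(s) "SYS_VLAN_0234", authentication Radius',
    '12/22/2016 10:24:47.43 <Info:nl.ClientAuthFailure> Authentication failed for Network Login 802.1x user host/TRYNTA02 Mac 6C:0B:84:08:B7:DE port 12',
    '12/22/2016 10:24:41.41 <Erro:STP.InBPDU.Drop> Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)',
    'X430-48t.62 # show log',
]

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("auth failures per port:", dict(s["failed_ports"]))
    print("VLAN granted per MAC:  ", s["granted"])
    print("rejected VSA tags:     ", s["bad_vsa_tags"])
```

Run it against a saved `show log` capture (one line per list entry) and the first thing to look at is `bad_vsa_tags`: a non-empty set means RADIUS returned a VLAN the switch could not map, which is exactly the symptom in this thread, independent of whether the authentication itself passed.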

Sandeep Srinivasa (312 Points):

Finally found the mistake: while applying the policy on the switch I had selected VLAN_Name instead of VLAN_ID. After changing it, I enforced the policy and tested. It's working!!! :)
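Added example (mine, not code from the thread, from Netsight or from EXOS): a small Python model of why the VLAN_ID versus VLAN_Name choice in the final post, and the `configure netlogin dynamic-vlan enable` line in Ronald's post, decide whether the client actually lands in the VLAN. It assumes the NAC rule reaches the switch as the RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = 802, Tunnel-Private-Group-ID carrying either the numeric tag or the VLAN name), and it assumes, from the nl.InvalidVlanTagVSA message and the SYS_VLAN_0234 name in Ronald's log, that the switch can only auto-create a VLAN when it is given a tag; the switch's VLAN table is constructed.

```python
from dataclasses import dataclass, field

# RFC 3580 tunnel attribute values used to assign an access VLAN in a RADIUS Access-Accept.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_8021 = 6


def vlan_attributes(group_id: str) -> dict:
    """Attribute set a NAC server returns for a VLAN rule.
    group_id is the VLAN_ID form ("20") or the VLAN_Name form ("Users")."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_8021,
        "Tunnel-Private-Group-ID": group_id,
    }


@dataclass
class SwitchState:
    vlans: dict = field(default_factory=dict)  # VLAN name -> 802.1Q tag, as configured on the switch
    dynamic_vlan: bool = False                 # "configure netlogin dynamic-vlan enable"


def resolve_radius_vlan(group_id: str, sw: SwitchState):
    """Decide where an authenticated client lands (assumed model, see lead-in).

    Returns (vlan_name, status) with status one of
      "matched"      - a configured VLAN was found by tag or by name
      "created"      - dynamic-vlan is on and the switch created SYS_VLAN_<tag>
      "unknown_tag"  - tag not configured and dynamic-vlan off (the nl.InvalidVlanTagVSA case)
      "unknown_name" - name not configured; a name carries no tag, so nothing can be created
    """
    if group_id.isdigit():
        tag = int(group_id)
        for name, t in sw.vlans.items():
            if t == tag:
                return name, "matched"
        if sw.dynamic_vlan:
            name = f"SYS_VLAN_{tag:04d}"   # naming follows the SYS_VLAN_0234 seen in the log above
            sw.vlans[name] = tag
            return name, "created"
        return None, "unknown_tag"
    if group_id in sw.vlans:
        return group_id, "matched"
    return None, "unknown_name"


if __name__ == "__main__":
    # Constructed switch: only the VLANs from the original post exist, VLAN 20 does not.
    sw = SwitchState({"Default": 1, "NACauth": 10})
    for gid in ("20", "Users"):
        print(vlan_attributes(gid), "->", resolve_radius_vlan(gid, sw))
    sw.dynamic_vlan = True
    for gid in ("20", "Users"):
        print("dynamic-vlan on:", gid, "->", resolve_radius_vlan(gid, sw))
```

The model reproduces the thread's two outcomes: with the VLAN pre-created on the switch either form works (which is why the G2 switches looked fine), while on a switch that lacks the VLAN only the tag form can be turned into a dynamically created VLAN, and the name form fails whether or not dynamic-vlan is enabled.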