
Netlogin for NAC not working on Extreme x440 and x430 Switches


Sandeep_Sriniva
New Contributor II
We have deployed NAC, applied the rules and enabled Netlogin on x430 and x440 switches with ExtremeXOS version 16.2.1.6. The MAC authentication shows as passed in Netsight and on the switch; however, it's not applied in reality if the switch doesn't have the ports configured to the respective VLAN.
We are lost in this. Are we missing something in the configuration?

Here is the configuration on the switch.

create vlan NACauth
configure netlogin vlan NACauth
enable netlogin dot1x mac
configure netlogin authentication protocol-order dot1x mac web-based
configure netlogin add mac-list ff:ff:ff:ff:ff:ff 48 password voxmac
enable netlogin ports 1-23 dot1x
enable netlogin ports 1-23 mac
configure netlogin ports 1-23 mode mac-based-vlans
configure netlogin ports 1-23 no-restart
8 REPLIES

Sandeep_Sriniva
New Contributor II
Finally found the mistake: while applying policy on the switch I had selected VLAN_Name instead of VLAN_ID. After changing it, I enforced the policy and tested. It's working!!! 🙂

Sandeep_Sriniva
New Contributor II
Here are logs...
12/22/2016 10:24:53.41 Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:47.43 Authentication failed for Network Login 802.1x user host/TRYNTA02 Mac 6C:0B:84:08:B7:DE port 12
12/22/2016 10:24:45.40 Login passed for user admin through telnet (10.210.1.241)
12/22/2016 10:24:41.41 Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:29.84 Authentication failed for Network Login 802.1x user host/CANNTA05 Mac 6C:AE:8B:0B:DF:51 port 14
12/22/2016 10:24:29.41 Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:23.14 Authentication failed for Network Login 802.1x user host/VGNTA02 Mac 6C:AE:8B:0B:DF:C5 port 33
12/22/2016 10:24:17.41 Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:05.40 Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)
12/22/2016 10:24:04.37 Authentication failed for Network Login 802.1x user host/CANNTA03 Mac 6C:AE:8B:0B:E5:05 port 4
12/22/2016 10:24:01.71 Authentication failed for Network Login 802.1x user host/CANNTA02 Mac 6C:AE:8B:0B:E3:DE port 25
12/22/2016 10:23:58.83 Authentication failed for Network Login 802.1x user host/CANNTA08 Mac 6C:AE:8B:0B:E3:B3 port 26

Ronald_Dvorak
Honored Contributor
That should do the trick...

http://documentation.extremenetworks.com/exos_22.1/exos_21_1/netlogin/c_configuring-dynamic-vlans-fo...

# enable the switch to create/delete VLANs d
configure netlogin dynamic-vlan enable

# enable the switch to create/delete the VLAN tagged on the uplink - in this example on port#1
# only needed if you'd like to have the VLAN also on the uplink
configure netlogin dynamic-vlan uplink-ports 1

* X430-48t.62 # sh log
12/21/2016 23:55:28.49 Network Login MAC user 14DAE9EC029F logged in MAC 14:DA:E9:EC:02:9F port 33 VLAN(s) "SYS_VLAN_0234", authentication Radius
12/21/2016 23:55:28.26 Port 33 link UP at speed 1 Gbps and full-duplex

Ronald_Dvorak
Honored Contributor
Did you see an error message like the one below on the switch...

# show log

12/21/2016 23:25:18.73 VLAN Tag 234 specified in Radius VSA does not exist on the switch or cannot be created. Please verify RADIUS configuration
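
Added example (not written by any poster in this thread and not Extreme's code): a small Python triage of `show log` output that matches the three netlogin messages quoted in this thread, groups them by client MAC, and lists clients that failed 802.1X with no MAC login assigning a VLAN. The sample lines, host names, MAC addresses and VLAN tag 300 are constructed; the regexes assume the message wording shown above.

```python
import re
from collections import defaultdict

# Regexes assume the ExtremeXOS "show log" wording quoted in this thread.
TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
PATTERNS = {
    "dot1x_failed": re.compile(TS + r"Authentication failed for Network Login 802\.1x user (?P<user>\S+) Mac " + MAC + r" port (?P<port>\d+)"),
    "mac_login": re.compile(TS + r"Network Login MAC user \S+ logged in MAC " + MAC + r' port (?P<port>\d+) VLAN\(s\) "(?P<vlan>[^"]+)"'),
    "vlan_missing": re.compile(TS + r"VLAN Tag (?P<tag>\d+) specified in Radius VSA does not exist"),
}

# Constructed sample input (newest first, as "show log" prints it).
SAMPLE = [
    '12/22/2016 10:24:47.43 Authentication failed for Network Login 802.1x user host/PC-A Mac 00:00:5E:00:53:01 port 12',
    '12/22/2016 10:24:41.41 Port=47: No associated STP port for STP Domain tag 1 (Rate-limited)',
    '12/22/2016 10:24:30.10 Network Login MAC user 00005E005301 logged in MAC 00:00:5E:00:53:01 port 12 VLAN(s) "SYS_VLAN_0234", authentication Radius',
    '12/22/2016 10:24:29.84 Authentication failed for Network Login 802.1x user host/PC-B Mac 00:00:5E:00:53:02 port 14',
    '12/22/2016 10:24:18.73 VLAN Tag 300 specified in Radius VSA does not exist on the switch or cannot be created. Please verify RADIUS configuration',
]

def triage(lines):
    """Group netlogin events by client MAC and collect VLAN tags the switch rejected."""
    clients = defaultdict(lambda: {"port": None, "dot1x_failures": 0, "vlan": None})
    missing_tags = set()
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "vlan_missing":
                missing_tags.add(int(m["tag"]))
            else:
                c = clients[m["mac"].upper()]
                c["port"] = int(m["port"])
                if kind == "dot1x_failed":
                    c["dot1x_failures"] += 1
                else:
                    c["vlan"] = m["vlan"]
            break  # one message type per log line
    return dict(clients), missing_tags

def unresolved(clients):
    """MACs with an 802.1X failure and no MAC login that assigned a VLAN in this log."""
    return sorted(mac for mac, c in clients.items() if c["dot1x_failures"] and c["vlan"] is None)
```

A non-empty `missing_tags` set points at the "VLAN Tag ... does not exist" condition discussed above; the unresolved list shows which ports to check next.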
